Introduction
The Hackthebox machine Resolute runs Windows. I had never done Windows penetration testing before, but with help and hints from more experienced players I still got the flag and learned a great deal.
This walkthrough covers:
1. Using the rpcclient tool
2. Using the enum4linux tool
3. The general approach to penetration testing a Windows system
4. Using nc.exe
5. Using msfvenom, which led me to Veil; there is a chance that exe files generated by Veil are not flagged by 360. Once you have Windows access you can take screenshots, snap photos and turn on the webcam from Kali, a purpose-built social-engineering tool for dealing with scammers (more on that another time)
6. The DnsAdmin user-privilege vulnerability
7. Quickly setting up an SMB server
8. Using the hydra tool
Preparation
1. Edit the hosts file and scan the ports: nmap -A resolute > port. Note that this is nmap's fast scan mode, so some ports may be missed; if the ports found by the fast scan offer no foothold, use the -p parameter. For example, the redis and winrm ports are sometimes not found and must be scanned explicitly by specifying them with -p.
root@kali:~/Hackthebox/resolute# cat port
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 15:09 CST
Nmap scan report for resolute (10.10.10.169)
Host is up (0.17s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-14 07:17:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Services of interest: SMB (port 445) and WinRM (port 5986).
2. Gather information on the SMB service using the enum4linux tool. The -U option enumerates the user list and shows related information. For more options, run enum4linux -h.
root@kali:~# enum4linux -U resolute
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 18 18:50:20 2020
==========================
| Target Information |
==========================
Target ........... resolute
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
================================================
| Enumerating Workgroup/Domain on resolute |
================================================
[E] Can't find workgroup/domain
=================================
| Session Check on resolute |
=================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server resolute allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:
=======================================
| Getting domain SID for resolute |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)
=========================
| Users on resolute |
=========================
Use of uninitialized value $global_workgro
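As an added example (not part of the original writeup), the script below turns the nmap and enum4linux output from steps 1 and 2 into the findings a defender would want to act on: which ports are open, whether the host looks like a domain controller, and whether SMB accepts anonymous (null) sessions. The two sample strings are constructed, trimmed copies of the output shown above.

```python
import re

# Constructed sample: trimmed copy of the nmap normal output shown above.
NMAP_SAMPLE = """\
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-14 07:17:43Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
"""

# Constructed sample: trimmed copy of the enum4linux output shown above.
ENUM_SAMPLE = """\
[+] Server resolute allows sessions using username '', password ''
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SESSION_RE = re.compile(r"allows sessions using username '([^']*)', password '([^']*)'")
SID_RE = re.compile(r"Domain Sid:\s*(S-1-5-21-\d+-\d+-\d+)")
DC_PORTS = {88, 389, 636, 3268, 3269}  # Kerberos, LDAP/LDAPS, Global Catalog

def parse_nmap_ports(text):
    """Return (port, proto, state, service, version) tuples from nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5) or ""))
    return ports

def triage(nmap_text, enum_text):
    """Summarise both outputs as defender-relevant findings."""
    open_ports = {p for p, _, state, _, _ in parse_nmap_ports(nmap_text) if state == "open"}
    domains = set(re.findall(r"Domain:\s*([\w.-]+)", nmap_text))
    sess = SESSION_RE.search(enum_text)
    sid = SID_RE.search(enum_text)
    return {
        "open_ports": sorted(open_ports),
        "likely_domain_controller": len(open_ports & DC_PORTS) >= 2,
        "ad_domains": sorted(domains),
        # Empty username and password accepted => anonymous SMB access is enabled.
        "null_session_allowed": bool(sess and sess.group(1) == "" and sess.group(2) == ""),
        "domain_sid": sid.group(1) if sid else None,
    }

if __name__ == "__main__":
    for key, value in triage(NMAP_SAMPLE, ENUM_SAMPLE).items():
        print(f"{key}: {value}")
```

A null_session_allowed result of True is the finding to remediate on the Windows side, since it is what lets enum4linux list users without credentials.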