
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Tsclient Writeup


0x1 Info

Tag:

MSSQL, Privilege Escalation, Kerberos, Domain Penetration, RDP

Range address: https://yunjing.icunqiu.com/ranking/summary?id=BzMFNFpvUDU

0x2 Recon

Target external IP: 47.92.82.196. nmap scan.

MSSQL weak-password brute force produces valid credentials; the privilege level is that of the service account (MSSQLSERVER). sa:1qaz!QAZ

0x3 Entry Point MSSQL - 172.22.8.18

A note first: this machine is not directly in the domain. MSSQL shell (I forgot to take a screenshot here).

Privilege escalation: here we directly brute-force the CLSID for the potato (the first few CLSIDs cannot be used).

Modify GetClsid.ps1 to add execution of the potato.

Potato and GetClsid.ps1

Execute GetClsid.ps1

Obtain a valid CLSID and the command execution results.

Export the SAM, SYSTEM and SECURITY hives.

Parse the credentials and use administrator + psexec over port 139 to move laterally (445 is not open on the external network), obtaining flag01. administrator 2caf35bb4c5059a3d50599844e2b9b1f

qwinsta and the port connections show a machine connected over RDP.

Use administrator + psexec to get into msf (SYSTEM privileges), use the incognito module and impersonate john (I tested that only msf's incognito can complete the subsequent operations; other token impersonation tools such as the F-Secure Labs one failed).

Use john's token to execute net use and see the \\tsclient\C share. Directly obtain credential.txt under \\tsclient\C, which hints at hijacking (image hijacking). xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

Fast forward, skipping the proxy setup. CME scan of 172.22.8.0/24: three machines report that the password has expired.

Test whether port 88 on DC01 is open (to check whether it is the domain controller); DC01 is the DC. smbpasswd.py remotely changes the expired password to 111qqq. ldapshell.py verification: the domain login succeeds.

CME enumerates RDP and shows that 172.22.8.46 can be logged into (with the official CME RDP module you will not find valid RDP credentials; I wrote a CME module based on xfreerdp):

XiaoliChan/CrackMapExec-Extension

0x4 Domain Penetration - Entrance - 172.22.8.46

Log in and look around: xiaorang.lab\Aldrich is not an administrator of this machine, just an ordinary user. Privilege escalation: two methods.

Priv-ESC1: Image (IFEO) hijacking elevation (general)

Get-ACL shows that the registry key 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' is writable and allows the create operation.

Create a registry key that hijacks magnify.exe (Magnifier) to execute cmd.exe.

Lock the user session.

Click the Magnifier.

Elevated to SYSTEM.

Priv-ESC2: KrbRelayUp escalation

A domain user with ordinary permissions takes over the domain-joined machine directly (unconventional, recommended).

Fast forward: mimikatz, obtain the machine account of the current machine, win2016$. xiaorang.lab\WIN2016$ 4ba974f170ab0fe1a8a1eb0ed8f6fe1a

0x5 Domain Penetration - DC Takeover

Two methods. Observe the group membership of WIN2016$ and find that it is in the Domain Admins group; use DCSync to take DC01 directly (process omitted).

Constrained delegation (unconventional):

BloodHound collects the domain information; analysis finds a constrained delegation.

Constrained delegation attack using getST.py

Take DC01.

Original link: https://www.freebuf.com/articles/system/352237.html
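Added detection example for the Priv-ESC1 step above (not part of the writeup): Sysmon Event ID 13 (RegistryEvent, Value Set) records the `TargetObject`, `Details` and writing `Image` when a `Debugger` value is created under Image File Execution Options, so a defender can flag any such value on an accessibility binary such as magnify.exe. The event records below are constructed, reduced to those Sysmon fields; the binary list is an assumption about which helpers are reachable from the lock screen.

```python
"""Flag IFEO 'Debugger' hijacks of accessibility binaries in Sysmon EID 13 records.
Added example; events are constructed, not real telemetry."""
import re

# Accessibility helpers launchable from the lock screen (assumed list; magnify.exe
# is the one hijacked in the writeup). A Debugger value on any of these is high severity.
ACCESSIBILITY_BINARIES = {
    "magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

# Matches ...\Image File Execution Options\<exe>\Debugger regardless of hive prefix.
IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE
)

def classify_registry_event(event):
    """Return None if benign, otherwise a finding for one Sysmon EID 13 record."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    m = IFEO_DEBUGGER.search(event.get("TargetObject", ""))
    if not m:
        return None  # some other registry write, e.g. IFEO\<exe>\GlobalFlag
    exe = m.group("exe").lower()
    severity = "high" if exe in ACCESSIBILITY_BINARIES else "medium"
    return {"severity": severity, "hijacked": exe,
            "debugger": event.get("Details", ""), "by": event.get("Image", "")}

def scan(events):
    """Run the classifier over a batch of records and keep only the findings."""
    return [f for f in map(classify_registry_event, events) if f]

IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
# Constructed sample records: a magnify.exe hijack, a legitimate-looking developer
# debugger on a third-party app, and a GlobalFlag write that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": IFEO + "\\magnify.exe\\Debugger", "Details": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Program Files\\Tool\\setup.exe",
     "TargetObject": IFEO + "\\app.exe\\Debugger", "Details": "C:\\Program Files\\Tool\\dbg.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": IFEO + "\\magnify.exe\\GlobalFlag", "Details": "DWORD (0x00000200)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Pairing this with a periodic check that only administrators hold write access on the IFEO key (the Get-ACL observation in the writeup is the precondition) closes the gap the technique relies on.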
