Red Team | Summary of Important Vulnerabilities for Domain Penetration
Vulnerabilities that directly yield the domain controller
MS14-068
Effect: elevates any domain user to Domain Admin by forging the PAC inside a Kerberos ticket. It only works against domain controllers that have not installed the MS14-068 update (KB3011780).
CVE-2020-1472 (Zerologon)
Effect: an unauthenticated attacker who can reach the DC's Netlogon (MS-NRPC) service sets the DC machine account password to empty and then dumps the domain's secrets with that account.
Affected versions:
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Tools:
Impacket toolkit: https://github.com/SecureAuthCorp/impacket.git
PoC: https://github.com/SecuraBV/CVE-2020-1472.git
Exploit: https://github.com/dirkjanm/CVE-2020-1472
Exploit: https://github.com/risksense/zerologon
Caveat: the exploits reset the DC's machine account password, which breaks the DC's own Netlogon channel and replication until it is restored; dump the original password hash first and restore it afterwards (dirkjanm's repository ships restorepassword.py for this).
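The following is an added example, not code from this page or from the exploits linked above, showing why those exploits succeed after roughly 256 attempts on average: Netlogon's credential computation runs AES-128 in CFB8 mode with an all-zero IV, so an all-zero client challenge produces an all-zero credential for about one session key in 256, whatever the key is. The block substitutes a SHA-256-based keyed function for AES (CFB only ever uses the forward direction, so the mode's behaviour is identical); that stand-in and the random keys it draws are this example's own assumptions, not Netlogon's cipher.

```python
"""Added example: the CFB8 zero-IV weakness behind CVE-2020-1472 (Zerologon).

Netlogon's ComputeNetlogonCredential encrypts the 8-byte challenge with AES-128
in CFB8 mode using an all-zero IV. For an all-zero plaintext the first output
byte is E_k(0)[0]; if that byte is 0 the shift register stays all-zero and every
following byte is 0 too. So for roughly 1 in 256 session keys an all-zero client
challenge yields an all-zero credential, whatever the key is.

Only the mode's behaviour matters here, so a SHA-256 based keyed function stands
in for AES (CFB uses only the forward direction). That stand-in is constructed
for this example; it is not Netlogon's cipher.
"""
import hashlib
import random

BLOCK = 16
CHALLENGE_LEN = 8


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for AES-128 block encryption (any keyed PRF works for CFB)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 as Netlogon uses it: c_i = E_k(register)[0] ^ p_i, then shift c_i into the register."""
    register = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, register)[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """The flawed computation: a fixed all-zero IV instead of a random one."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_challenge_succeeds(session_key: bytes) -> bool:
    """True when an all-zero challenge produces an all-zero credential.

    This is the condition the exploit wins by retrying: it sends a zero client
    challenge and a zero ClientCredential until the server accepts them.
    """
    zero = bytes(CHALLENGE_LEN)
    return compute_netlogon_credential(session_key, zero) == zero


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Equivalent condition, derived from the mode: E_k(0^16)[0] == 0."""
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0


def success_rate(trials: int = 8192, seed: int = 1) -> float:
    """Fraction of random 16-byte session keys for which the trick works (expected ~1/256)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        hits += zero_challenge_succeeds(key)
    return hits / trials


if __name__ == "__main__":
    print(f"zero-challenge success rate over random keys: {success_rate():.4f} "
          f"(1/256 = {1 / 256:.4f})")
```

The two predicates agree on every key, which is the whole point: the attacker does not need the key, only enough retries for the first keystream byte to land on zero. A patched DC refuses the zero-IV/zero-credential pattern and requires the secure channel (RPC signing and sealing), so the retry loop never terminates against it.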
CVE-2021-42287 & CVE-2021-42278 (sAMAccountName spoofing, "noPac")
Effect: starting from one ordinary domain account, obtain a Kerberos service ticket as the domain controller's machine account and from there full control of the domain.
Prerequisites: a domain account that can create a computer account (ms-DS-MachineAccountQuota defaults to 10) or already controls one, and a DC without the November 2021 updates.
Affected versions:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Tools:
https://github.com/WazeHell/sam-the-admin
https://github.com/Ridter/noPac
Caveat: the tools rename the sAMAccountName of a computer account to the DC's name (without the trailing "$") and back again; if the run aborts halfway, clean up the created computer account, as the leftover renames are exactly what defenders look for in event 4742.
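As an added example, written for this page and not taken from the tools above: how the sAMAccountName swap behind CVE-2021-42278/42287 shows up in directory-change audit events, together with the "$"-appending KDC lookup that CVE-2021-42287 patched. The event records, the field names and the DC account set are constructed and simplified from the fields that Windows Security events 4741 (computer account created) and 4742 (computer account changed) carry; they are not real logs or the Windows schema.

```python
"""Added example: detecting the sAMAccountName swap used by CVE-2021-42278/42287.

The chain creates a computer account (ms-DS-MachineAccountQuota defaults to 10),
renames its sAMAccountName to the DC's name without the trailing '$', requests a
TGT under that name, renames it back, then asks for a service ticket via S4U2self.
The KDC, not finding "DC01", appends '$' and resolves the TGT to the real DC01$.

The records below are constructed and simplified from the fields Windows Security
events 4741 (computer account created) and 4742 (computer account changed) carry;
they are not real logs. The DC account set is also constructed.
"""
from datetime import datetime, timedelta
from typing import Optional

DC_ACCOUNTS = {"DC01$"}  # constructed: the domain's DC computer accounts

EVENTS = [  # constructed sample events, oldest first
    {"time": "2021-12-11T10:00:00", "id": 4741, "subject": "CORP\\jdoe",
     "sam": "WS-TEMP$", "new_sam": None},
    {"time": "2021-12-11T10:00:03", "id": 4742, "subject": "CORP\\jdoe",
     "sam": "WS-TEMP$", "new_sam": "DC01"},
    {"time": "2021-12-11T10:00:05", "id": 4742, "subject": "CORP\\jdoe",
     "sam": "DC01", "new_sam": "WS-TEMP$"},
    {"time": "2021-12-11T11:30:00", "id": 4742, "subject": "CORP\\svc_sccm",
     "sam": "WS-0042$", "new_sam": "WS-0043$"},  # benign rename by a provisioning account
]


def kdc_fallback_lookup(name: str, accounts: set) -> Optional[str]:
    """The CVE-2021-42287 behaviour: an unknown principal name is retried with '$' appended."""
    if name in accounts:
        return name
    if name + "$" in accounts:
        return name + "$"
    return None


def analyze(events, dc_accounts, window=timedelta(minutes=10)):
    """Flag 4742 renames that look like the noPac sAMAccountName swap."""
    findings = []
    created = {}            # sAMAccountName -> (creator, time) taken from 4741 events
    suspicious_names = set()  # names a flagged rename switched to, to catch the rename-back
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4741:
            created[e["sam"]] = (e["subject"], t)
            continue
        if e["id"] != 4742 or not e["new_sam"]:
            continue
        new = e["new_sam"]
        reasons = []
        if not new.endswith("$"):
            reasons.append("computer account renamed to a sAMAccountName without trailing '$'")
        fallback = kdc_fallback_lookup(new, dc_accounts)
        if fallback and fallback != new:
            reasons.append(f"collides with DC account {fallback} once the KDC appends '$'")
        creator = created.get(e["sam"])
        if creator and creator[0] == e["subject"] and t - creator[1] <= window:
            reasons.append("renamed by the same principal that created it minutes earlier")
        if e["sam"] in suspicious_names:
            reasons.append("renames the account back from a previously flagged name")
        if reasons:
            suspicious_names.add(new)
            findings.append({"time": e["time"], "subject": e["subject"],
                             "sam": e["sam"], "new_sam": new, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, DC_ACCOUNTS):
        print(f"{f['time']} {f['subject']}: {f['sam']} -> {f['new_sam']}")
        for r in f["reasons"]:
            print("   -", r)
```

The rename to a DC name without "$" is the single strongest signal; correlating it with a 4741 from the same low-privilege principal minutes earlier, and with the rename back, turns one noisy rule into a high-confidence chain.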
CVE-2021-1675 (PrintNightmare, Print Spooler remote code execution)
Affected versions:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Effect: in a workgroup the vulnerability yields the highest local privilege (SYSTEM) on the target; in a domain, attacking the domain controller directly yields SYSTEM on the DC and arbitrary code execution. It also serves persistence: once the DC is taken, as long as a share the DC can reach is available, a DLL placed on that share can be loaded on the DC remotely at any time.
Prerequisites: the target runs the Print Spooler service (it is enabled by default, including on domain controllers; impacket's rpcdump.py listing the MS-RPRN interface 12345678-1234-ABCD-EF00-0123456789AB is a quick way to confirm before exploiting); an ordinary-privilege domain account; an SMB server hosting the payload DLL that allows anonymous access, so the target can fetch the file directly.
Tools:
https://github.com/cube0x0/CVE-2021-1675
https://github.com/cube0x0/impacket (cube0x0's exploit requires this impacket fork, not the upstream release)
https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer
https://bewhale.github.io/posts/29501.html
CVE-2019-1040 (NTLM MIC bypass, "Drop the MIC")
Effect: a relaying attacker strips the integrity check (MIC) from an NTLM authentication without the server noticing, so a captured authentication can be relayed to LDAP on a DC even when the client asked for signing; combined with a coercion primitive this yields domain control.
Tools:
https://github.com/SecureAuthCorp/impacket
https://github.com/dirkjanm/krbrelayx
https://github.com/Ridter/CVE-2019-1040
https://github.com/Ridter/CVE-2019-1040-dcpwn
Within the same network segment: https://www.freebuf.com/vuls/274091.html
ADCS vulnerability: ESC8 (PetitPotam) (ADCS relay)
Effect: authentication coerced from a domain controller (PetitPotam uses MS-EFSRPC) is relayed to the CA's web enrollment endpoint (certsrv) to obtain a certificate for the DC's machine account, which then authenticates as the DC via PKINIT.
Prerequisites: an enterprise CA with the Web Enrollment role installed and accepting NTLM over HTTP without Extended Protection for Authentication or an HTTPS-only requirement, and a template (such as Machine or DomainController) the relayed DC account may enroll in.
ADCS vulnerability: CVE-2022-26923 ("Certifried", dNSHostName spoofing)
The prerequisites below describe this issue, which is distinct from the ESC8 relay above: the attacker sets the dNSHostName of a controlled computer account to the DC's host name, enrolls for a machine certificate, and the CA issues one identifying the DC, usable for PKINIT.
The privilege-escalation vulnerability applies to every Windows Server Active Directory version, including Windows Server 2012 R2 through Windows Server 2022, which are within Microsoft's product support scope, as well as older Windows Server releases that are out of support.
The attacker controls at least one Active Directory user account that holds "Validated write to DNS host name" over at least one computer account in the directory. By default an ordinary domain user can join or create (including creating empty accounts) 10 computer accounts in the directory (ms-DS-MachineAccountQuota) and, as CREATOR OWNER, has management rights over the computer accounts it joined or created, including "Validated write to DNS host name"; the permission is therefore easy to obtain.
Enterprise certificate services (AD CS) are deployed in the directory and allow the controlled computer account to request a computer authentication certificate. Enterprise certificate services are a widely deployed companion to Active Directory, and an AD-integrated enterprise CA by default allows domain computers to enroll for computer authentication certificates.
Exchange-related: taking control of the Exchange server
PrivExchange (CVE-2018-8581)
Affected versions: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016
First, Exchange lets any authenticated user create a push subscription through the EWS interface and specify an arbitrary URL as the destination for notifications. Second, when a subscribed notification fires, Exchange uses the DefaultCredentials property of the CredentialCache class; because EWS runs as SYSTEM, the HTTP request made with DefaultCredentials performs NTLM authentication with the Exchange machine account. Third, the SerializedSecurityContext header in an EWS request accepts a chosen SID, which impersonates that user, so EWS calls can be made as any specified user.
In other words, we can make the Exchange server send an NTLM authentication over HTTP to a host we control and thereby capture the Exchange machine account's Net-NTLM hash. The practical impact does not come from cracking that hash but from relaying the authentication to LDAP on a domain controller: in default installations before the 2019 permission changes the Exchange machine account held WriteDACL on the domain object, which is enough to grant DCSync rights. The relay to LDAP requires that LDAP signing is not enforced on the DC.
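Both CVE-2019-1040 above and the PrivExchange capture described here turn on the NTLM AUTHENTICATE_MESSAGE (Type 3). The following added example, written for this page and not taken from any of the linked tools, builds a Type 3 from constructed values, parses it the way a capture listener would to produce a hashcat NetNTLMv2 line for the Exchange machine account, and applies the consistency check whose absence was CVE-2019-1040: a relay can strip the Version and MIC fields from the outer message, but cannot clear the MIC-present bit in MsvAvFlags, because that lives inside the NTLMv2 response covered by NTProofStr. All bytes, account names, challenges and hashes are constructed.

```python
"""Added example: parse an NTLM AUTHENTICATE_MESSAGE (Type 3) the way a relay or
capture listener would, and apply the consistency check that CVE-2019-1040 lacked.

Everything here is constructed: the NTProofStr, challenges, MIC and account names
are fixed sample bytes, not captured from an Exchange server. Offsets follow
[MS-NLMP] 2.2.1.3 (AUTHENTICATE_MESSAGE), 2.2.2.7 (NTLMv2_CLIENT_CHALLENGE) and
2.2.2.1 (AV_PAIR).
"""
import struct

NEGOTIATE_VERSION = 0x02000000
BASE_FLAGS = 0xE0888215          # constructed: a typical NTLMv2 flag set minus NEGOTIATE_VERSION
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0000, 0x0002, 0x0006
MSV_AV_FLAG_MIC_PRESENT = 0x00000002
HEADER_NO_TRAILER = 64           # signature(8) + type(4) + six 8-byte field descriptors + flags(4)


def build_type3(domain, user, workstation, nt_proof, client_challenge, av_pairs, mic=None):
    """Build a Type 3 carrying an NTLMv2 response; mic=None omits the Version and MIC fields."""
    # NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, Reserved1(2), Reserved2(4),
    # TimeStamp(8), ChallengeFromClient(8), Reserved3(4), then AV pairs ending in EOL.
    blob = bytes([1, 1]) + bytes(2) + bytes(4) + bytes(8) + client_challenge + bytes(4)
    for av_id, value in av_pairs:
        blob += struct.pack("<HH", av_id, len(value)) + value
    blob += struct.pack("<HH", MSV_AV_EOL, 0)
    payload = [bytes(24),                       # LmChallengeResponse (zeros with NTLMv2)
               nt_proof + blob,                 # NtChallengeResponse = NTProofStr || blob
               domain.encode("utf-16-le"), user.encode("utf-16-le"),
               workstation.encode("utf-16-le"), b""]   # EncryptedRandomSessionKey omitted
    flags, trailer = BASE_FLAGS, b""
    if mic is not None:
        flags |= NEGOTIATE_VERSION
        trailer = bytes([10, 0, 0x63, 0x45, 0, 0, 0, 15]) + mic   # Version(8) + MIC(16)
    offset, descriptors = HEADER_NO_TRAILER + len(trailer), b""
    for item in payload:
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", flags) + trailer + b"".join(payload))


def parse_type3(msg: bytes, server_challenge: bytes) -> dict:
    """Extract identity, the hashcat NetNTLMv2 line and the MIC state from a Type 3."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    descs = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(6)]
    fields = [msg[off:off + ln] for ln, _, off in descs]
    flags = struct.unpack_from("<I", msg, 60)[0]
    header_end = HEADER_NO_TRAILER + (8 if flags & NEGOTIATE_VERSION else 0)
    payload_start = min((off for ln, _, off in descs if ln), default=len(msg))
    mic = msg[header_end:header_end + 16] if payload_start >= header_end + 16 else None
    nt_proof, blob = fields[1][:16], fields[1][16:]
    # Walk the AV pairs (they start 28 bytes into the blob) looking for MsvAvFlags.
    av_flags, pos = 0, 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS:
            av_flags = struct.unpack_from("<I", blob, pos)[0]
        pos += av_len
    user, domain = fields[3].decode("utf-16-le"), fields[2].decode("utf-16-le")
    return {
        "user": user, "domain": domain,
        # NetNTLMv2 in hashcat -m 5600 format: user::domain:server_challenge:NTProofStr:blob
        "hashcat": f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}",
        "mic_present": mic is not None,
        "mic_claimed": bool(av_flags & MSV_AV_FLAG_MIC_PRESENT),
    }


def mic_was_dropped(parsed: dict) -> bool:
    """The check the CVE-2019-1040 fix added: MsvAvFlags (covered by NTProofStr, so a relay
    cannot clear it) says a MIC exists, but the outer message carries none."""
    return parsed["mic_claimed"] and not parsed["mic_present"]


def demo():
    """A genuine Type 3, and the same authentication with Version and MIC stripped by a relay."""
    nt_proof = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    client_challenge = bytes.fromhex("0102030405060708")           # constructed
    server_challenge = bytes.fromhex("1122334455667788")           # constructed (from Type 2)
    av_pairs = [(MSV_AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
                (MSV_AV_FLAGS, struct.pack("<I", MSV_AV_FLAG_MIC_PRESENT))]
    args = ("CORP", "EXCH01$", "EXCH01", nt_proof, client_challenge, av_pairs)
    genuine = build_type3(*args, mic=bytes(range(16)))
    tampered = build_type3(*args, mic=None)
    return parse_type3(genuine, server_challenge), parse_type3(tampered, server_challenge)


if __name__ == "__main__":
    genuine, tampered = demo()
    print(genuine["hashcat"])
    print("genuine MIC dropped?", mic_was_dropped(genuine), "| tampered:", mic_was_dropped(tampered))
```

The hashcat line is identical for both messages because the relay never touched the NTLMv2 response; what changed is only whether the 16-byte MIC is present between the Version field and the payload. Servers patched for CVE-2019-1040 reject the tampered form, which is why the listed exploits only work against unpatched targets.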
Tools:
https://github.com/Ridter/Exchange2domain
Alternatively chain ntlmrelayx.py + privexchange.py + secretsdump.py:
https://github.com/dirkjanm/privexchange
https://github.com/SecureAuthCorp/impacket
Reproduction: https://www.jianshu.com/p/e081082cbc73
CVE-2020-0688 (RCE)
Effect: Exchange Control Panel (ECP) shipped with the same static validationKey and decryptionKey on every installation, so any user with a valid mailbox login can craft a ViewState payload that the server deserializes, giving code execution as SYSTEM on the Exchange server.
Tools:
https://github.com/zcgonvh/CVE-2020-0688
https://github.com/random-robbie/cve-2020-0688
Reproduction:
CVE-2020-17144 (RCE)
Effect: authenticated remote code execution on Exchange Server 2010 (SP3) via unsafe deserialization in EWS; any mailbox credentials suffice.
Attack script 1: https://github.com/Airboi/CVE-2020-17144-EXP
Attack script 2: https://github.com/zcgonvh/CVE-2020-17144
Usage: CVE-2020-17144 <target> <user> <pass>
CVE-2020-16875 (RCE)
Effect: improper validation of cmdlet arguments in Exchange 2016/2019 lets an authenticated user run arbitrary code as SYSTEM; the user must hold a role that can run the DLP cmdlets (for example the Data Loss Prevention role), not just a mailbox.
PoC: https://srcincite.io/pocs/cve-2020-16875.py.txt
Reproduction: https://cloud.tencent.com/developer/article/1704777
CVE-2021-26855 / CVE-2021-27065 (ProxyLogon; getshell via SSRF + arbitrary file write)
Prerequisites: the target server is unpatched; the email address of a target mailbox (the exploit resolves it through Autodiscover to a LegacyDN and then to a SID, so it must be a real mailbox address in the organization, not just a login name); and the fully qualified domain name of the internal Exchange server, which the SSRF uses to address the back end. The original text also states that the target must be a load-balanced deployment of two or more servers; that is not a requirement: on a single-server deployment the back-end FQDN is simply the server's own host name.
Enumerating mailboxes with the CVE-2021-26855 SSRF (tool: https://github.com/charlottelatest/CVE-2021-26855). The domain name was already obtained via nmap; user.txt holds our candidate mailbox-name list:
go run CVE-2021-26855.go -h 192.168.110.152 -U user.txt
Tools:
https://github.com/hausec/ProxyLogon (one-click exploitation)
https://github.com/charlottelatest/CVE-2021-26855
https://github.com/herwonowr/exprolog
Reproduction:
ProxyShell (CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207)
Effect: a pre-authentication path confusion in the Autodiscover front end (CVE-2021-34473) is chained with an elevation to Exchange PowerShell remoting as an arbitrary user (CVE-2021-34523) and an authenticated arbitrary file write via mailbox export (CVE-2021-31207) to drop a web shell on the server.
Tools:
https://github.com/ktecv2000/ProxyShell
https://github.com/Ridter/proxyshell_payload
https://github.com/dmaasland/proxyshell-poc
Reproduction:
CVE-2022-41028 (RCE)
Microsoft Exchange Server has a remote code execution vulnerability: an authenticated attacker can use it to execute arbitrary code on the target system. It was addressed in the October 2022 Exchange security updates.
Author: HackingCost; article reposted from GitHub.