有幸跟着X1cT34m的学长们京东总部打了京麒CTF的决赛,结果我盯着下面这道misc题看了一天,然后爆零了(T0T),队伍排名也不理想,给队里的师傅们磕一个了(T0T)。。。Orz

赛后我找了出题人,询问后发现,我最最开始得到的答案三问有两问是对的(这题总共有三个问题)。。。结果后面越改越离谱,错的那问仍然一直是错的。。。我还是再沉淀沉淀吧(

下面是对这题的复现

题目给了一个流量包kerberoasting.pcapng,要求找出以下三问的答案,拼起来求md5值就是flag:

1、总共枚举到了几个kerberoastable的用户

2、攻击者得到的kerberoastable的用户的密码

3、攻击者通过kerberoasting攻击得到权限后进行了约束委派攻击,找出与服务端存在委派关系的用户名称

首先过滤一下ldap流,可以看到其中有一条查询请求查询到了4个用户

image-20240808152623844

进一步展开可以看到,这些用户都设置了SPN,因此可以判定他们就是kerberoastable的用户

image-20240808152809412

接下来过滤一下krb5流翻找,很快就可以看到这四个用户返回的TGS-REP

image-20240808153013132

展开可以看到返回的票据,其中可以找到enc-part的cipher部分,这一部分其实就是用户密码的hash值

image-20240808163841079

但是直接用这个值肯定是不行的,需要爆破需要有一定的格式,我们可以用下面的脚本去生成正确的格式

1
2
3
4
5
6
7
8
encType = "23"
userName = ""
domain = ""
spn = ""
cipherText = ""
formatted_string = "$krb5tgs${0}$*{1}${2}${3}*${4}${5}".format(encType, userName, domain, spn, cipherText[:32],
                                                               cipherText[32:])
print(formatted_string)

对于用户VictoriaOrbit,我们可以得到如下的1.hash文件

1
$krb5tgs$23$*VictoriaOrbit$WHOAMIANONY.COM$whoamianony.com/VictoriaOrbit*$4f5376a8c1190acb1dfb054d25a6e75d$c7a192b7cf3277dff22d0580cb58ea74b6d329823b8e2f0b6eb6cf6b9da5b02e4eb2c4c3aee69dfaff8d7c6d6fa6a7790b565d360864049e647164c51ea1840e5a9a9d14e046848a7e406ec2d2b35966b515b1a18d2805207b3142b6e160884a99e4b823682759d69ad4d83ab5eb3112997507c3deb60e035091aecd215684a719796b87b430d79b47e93a6b205ee42d2a74f3f0a5d2266fb6bc081e346b2f1fc15dc07b1bec60b02d03e9bbc1db72c1c4baa2d16c4f2d001d4fb43f881d1d4d8f1b768c18e01b925fb034d86020380c2cebce4bd0486c223f7f5acb065272c1f7dad806f10f940fbf916861395f766fec9b018a5456cd6a236c314fb8691698dc2c8f41c4ba496a5c33b2dcc97223c6f067c0f10b890668921b34f5d53f42f768086cb2466bd2e15bf18859064d1e7f7282513f5ddefa4dc5e03e29b3f040b35c2342ca833108a3ead9a515a29fd515c63696caedad27ff3de3ead2dbd20619ca743f2797d91a3f4a77a763c9cabf09106887c0d9f02c8a572cb5763c3cbd10e026a69e25b8953dfec41320f42928ae79df79afb8031201264d9c4d22ecc2aaddda2a249ebd1deb89948deb39b485b7870c103ffc667e803a2a2ea99c549274baa3b68d59e6e4865302ed4cd78887255584b91453185aefa3f98e95107c83a9891fc26332e5f2ba71b3f48af6e698176fb7e1304406d10c76343e2e7bc72c948ca93da839629d4f107fad8bc7b5a062fae5ef4f7afbe46862c61b8113bc9ec844d8638c4cebc6b0609d3ad4fb70042b537dba62b58ade791629e342a634e6906711c6e64360ae36aa479a7fcfa6cb3ef7725a74620ddcec820bc56b8975943bb9b89d9dec3a85e2159e15b3dbccfe3d44ef9e6c690287af61271f3250b983f5c266a45444e228e1409c537bb8c00a2cb416597305a0f16443028e6bd35126d77a759b353b4a082810ba4f19b0981dd28aa185628b3a4756b2ec3a39adbc1db2c3d4667b98d306fe668a2316d21029e5070c67fea7737bf174b9dac48f8bd717685c9623f595b0201504b416285b333f073da88d47f7af8ab74b712c08073fc34dabfdaa5d952c070e93e4303287ae420752633d4115caf697eaf75b06277601961476ad0b05ff2679259443486512c90d032945a1f8a3e6707af0e23b6958ea758fbaf46034cddc42a9f38f213806d96aecf6868f0dde4acc3c522c2e337af2215d7eebe0792d4b8151a221e9465bd49058551dc8023a036448b43aab5b8afc7a3615b4d39e97c3efdb455f11c36ddc1172e51a6fabda60573452b23c338d335a7d5b3a6f8cced00b83232331add275432e837b197cee6d095f6ae95e95107c50c0e1532b4445db8395f08594c0e4682d521c2580cdf1452426af7278a4e0dbbbba0d87a926c16249a0ff5976eb65d0ee6603803e57b7621d632f048a4cd5852acdb3be2860806efca2fb616c609ff6e383289c1a232df775992edbe8c7ee2f6915ab8d807d41f00a6618062a2425b40421c45a1eae5d86af38b8

接下来就是经典操作,用工具john the ripper,字典rockyou.txt进行爆破,得到明文密码4xVictoriax4

image-20240809000422154

最后就是找存在委派关系的用户,当时比赛时我就是卡在这里了。。。然而事实上这很简单。。。

还是过滤ldap流,查看msDS-AllowedToDelegatedTo的部分,即可找到用户名WIN-CORP16

image-20240809001029442

所以最终答案是4_4xVictoriax4_WIN-CORP16