Just spinning up a random target box to play with...

Ice


*Recon

Start the target machine and the internal-network attack box, then scan the target with nmap from the attack box using the following command:

nmap -T 5 -A -p- 10.10.152.190 --script vuln

Result:

image-20200714102457113.png

It turns out this thing has RDP open on port 3389 and Icecast on port 8000, and the hostname is DARK-PC.
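As an added example (not part of the original write-up), here is a small Python parser for nmap's grepable (-oG) output that turns a scan like the one above into the exposure list a defender would act on: RDP and SMB reachable from the scanning network, and an Icecast instance whose release has to be checked against CVE-2004-1561. The sample output is constructed to match the write-up's findings, and the `RISKY` table is an assumption about what this environment considers sensitive.

```python
"""Parse nmap grepable (-oG) output and flag the exposures seen in this write-up.

Added example, not from the original post. SAMPLE_GNMAP is constructed to mirror
the write-up's results; real output from `nmap -oG out.gnmap ...` has the same shape.
"""
from dataclasses import dataclass


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


# Constructed sample, modelled on the write-up's scan of 10.10.152.190.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.152.190 ()\tStatus: Up
Host: 10.10.152.190 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server?///, 8000/open/tcp//http//Icecast streaming media server/\tIgnored State: filtered (65530)
# Nmap done (constructed sample)
"""


def parse_gnmap(text: str) -> dict[str, list[Port]]:
    """Return {host: [Port, ...]} for every 'Ports:' line in grepable output."""
    hosts: dict[str, list[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.10.152.190 ()" -> the address
        ports = hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                # Each entry is port/state/proto/owner/service/rpcinfo/version/
                parts = entry.split("/")
                if len(parts) < 7:
                    continue
                ports.append(Port(
                    number=int(parts[0]),
                    state=parts[1],
                    proto=parts[2],
                    service=parts[4].rstrip("?"),  # '?' marks an unconfirmed guess
                    version="/".join(parts[6:]).rstrip("/"),
                ))
    return hosts


# Services a defender wants called out, with the reason (assumed policy).
RISKY = {
    "ms-wbt-server": "Remote Desktop reachable from the scanning network",
    "microsoft-ds": "SMB reachable from the scanning network",
}


def exposure_findings(hosts: dict[str, list[Port]]) -> list[str]:
    """One human-readable finding per open port that matters."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p.state != "open":
                continue
            if p.service in RISKY:
                findings.append(f"{host}:{p.number} {p.service}: {RISKY[p.service]}")
            if "icecast" in p.version.lower():
                findings.append(
                    f"{host}:{p.number} Icecast ({p.version or 'version unknown'}): "
                    "confirm the release is patched against CVE-2004-1561")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(parse_gnmap(SAMPLE_GNMAP)):
        print(finding)
```

Run it against a real file with `parse_gnmap(open("out.gnmap").read())`; the version string is the only thing nmap gives you for Icecast here, so the finding deliberately asks for a version check rather than asserting the host is vulnerable.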

Answers to the questions:

#3 Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?

3389

#4 What service did nmap identify as running on port 8000? (First word of this service)

Icecast

#5 What does Nmap identify as the hostname of the machine? (All caps for the answer)

DARK-PC

*Gain Access

The vulnerability in this Icecast build is CVE-2004-1561.

image-20200714103341017.png

From here, Metasploit can be used directly for the next step:

image-20200714103723239.png

At this point we have a Meterpreter shell.

Answers to the questions:

#4 After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.

exploit/windows/http/icecast_header

#6 Following selecting our module, we now have to check what options we have to set. Run the command show options. What is the only required setting which currently is blank?

RHOSTS

*Escalate

Now that we have a Meterpreter shell, we can take a quick look at the system information:

image-20200714104231839.png

We can run a quick check for privilege-escalation candidates here:

image-20200714104429710.png

That returns quite a few results; the following can be used to attempt privilege escalation:

exploit/windows/local/bypassuac_eventvwr

The steps are as follows:

image-20200714104801846.png

Check the privileges:

image-20200714105203748.png

Quite a few.

问题答案:

#1 Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?

meterpreter

#2 What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.

Dark

#3 What build of Windows is the system?

7601

#4 Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?

x64

#6 Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?

exploit/windows/local/bypassuac_eventvwr

#10 Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more as our listener IP isn’t correct. What is the name of this option?

LHOST

#14 We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?

SeTakeOwnershipPrivilege

*Looting

The next step is to migrate into a process that has SYSTEM privileges.

First, list the current processes:

image-20200714105506416.png

There is a printer spooler service that looks usable, so we try migrating into it:

image-20200714105632405.png

Migration succeeded and we have SYSTEM privileges.

Here we can load the kiwi module, which makes it convenient to do evil things to the credential store:

image-20200714105809454.png

View the command help:

image-20200714105828920.png

View all credentials:

image-20200714105920655.png

This gives us the password of the user Dark.

Answers to the questions:

#2 In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it’ll restart if we crash it! What’s the name of the printer service? Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.

spoolsv.exe

#4 Let’s check what user we are now with the command getuid. What user is listed?

NT AUTHORITY\SYSTEM

#7 Which command allows us to retrieve all credentials?

creds_all

#8 Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take a look again at the ps list, this box isn’t in the best shape with both the firewall and defender disabled)

Password01!
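The Escalate and Looting steps above (the eventvwr UAC bypass, migrating into spoolsv.exe, and kiwi reading credentials out of LSASS) each leave a footprint in Sysmon telemetry. The following Python is an added example, not from the original post, of detection logic run over a few constructed Sysmon events: the per-user registry write the eventvwr bypass makes under Software\Classes\mscfile\shell\open\command, a remote thread created in a service process by an image outside System32, and a read of lsass.exe memory by an image outside a small allow-list. The event dicts follow the names of Sysmon's EventData fields; the image paths, the user SID, the allow-list and the protected-process set are constructed assumptions to be tuned per environment.

```python
"""Detection logic for the Escalate/Looting steps in this write-up, run over
constructed Sysmon events. Added example, not from the original post."""

# Sysmon event IDs (real values) used below.
REGISTRY_SET = 13          # RegistryEvent: value set
CREATE_REMOTE_THREAD = 8   # CreateRemoteThread
PROCESS_ACCESS = 10        # ProcessAccess (a handle opened on another process)

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory

# Per-user key written by exploit/windows/local/bypassuac_eventvwr; the
# auto-elevated mmc.exe resolves it when eventvwr.exe opens its .msc file.
MSCFILE_COMMAND = r"\software\classes\mscfile\shell\open\command"

# Images expected to open lsass.exe with read access (assumed allow-list; tune per host).
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Service processes that should not receive threads from images outside System32.
PROTECTED_TARGETS = {"spoolsv.exe", "lsass.exe", "winlogon.exe"}

SYSTEM32 = "C:\\Windows\\System32\\"

# Constructed placeholders for the write-up's Icecast process and the user's SID.
ICECAST = r"C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe"
USER_KEY = r"HKU\S-1-5-21-000000000-000000000-000000000-1001"

SAMPLE_EVENTS = [
    # Escalate: the UAC bypass writes the mscfile handler from the compromised process
    {"EventID": 13, "Image": ICECAST,
     "TargetObject": USER_KEY + r"\Software\Classes\mscfile\shell\open\command\(Default)"},
    # Benign registry write by Explorer (should not fire)
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_KEY + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    # Looting: meterpreter's migrate creates a thread inside spoolsv.exe
    {"EventID": 8, "SourceImage": ICECAST, "TargetImage": SYSTEM32 + "spoolsv.exe"},
    # Benign: csrss.exe routinely creates threads in other processes (should not fire)
    {"EventID": 8, "SourceImage": SYSTEM32 + "csrss.exe", "TargetImage": SYSTEM32 + "spoolsv.exe"},
    # Looting: kiwi inside spoolsv.exe opens lsass.exe with VM_READ (0x1010)
    {"EventID": 10, "SourceImage": SYSTEM32 + "spoolsv.exe",
     "TargetImage": SYSTEM32 + "lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: an allow-listed system image with full access (should not fire)
    {"EventID": 10, "SourceImage": SYSTEM32 + "csrss.exe",
     "TargetImage": SYSTEM32 + "lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign: query-limited-information only, no memory read (should not fire)
    {"EventID": 10, "SourceImage": SYSTEM32 + "svchost.exe",
     "TargetImage": SYSTEM32 + "lsass.exe", "GrantedAccess": "0x1000"},
]


def image_name(path: str) -> str:
    """File-name component of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, source image, detail) for every suspicious event."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == REGISTRY_SET:
            if MSCFILE_COMMAND in ev["TargetObject"].lower():
                findings.append(("uac_bypass_eventvwr", ev["Image"], ev["TargetObject"]))
        elif eid == CREATE_REMOTE_THREAD:
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            if image_name(tgt) in PROTECTED_TARGETS and not src.lower().startswith(SYSTEM32.lower()):
                findings.append(("remote_thread_into_service", src, tgt))
        elif eid == PROCESS_ACCESS:
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
            if (image_name(tgt) == "lsass.exe"
                    and granted & PROCESS_VM_READ
                    and image_name(src) not in LSASS_READERS_ALLOWED):
                findings.append(("lsass_memory_read", src, ev["GrantedAccess"]))
    return findings


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {src} -> {detail}")
```

None of these rules fire unless the Sysmon configuration actually records the corresponding events (registry SetValue on the mscfile key, CreateRemoteThread, and ProcessAccess against lsass.exe), so the configuration is the first thing to verify; the lsass rule also expects noise from backup and EDR agents, which is what the allow-list is for.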

*Post-Exploitation

Then on to post-exploitation.

First, dump the hashes of all user passwords:

image-20200714110125985.png

Naturally, john can be used to try cracking them:

image-20200714110433960.png

We can also try taking a screenshot of the target's current desktop:

image-20200714110530213.png

Result:

image-20200714110609877.png

Answers to the questions:

#2 What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts)

hashdump

#3 While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?

screenshare

#4 How about if we wanted to record from a microphone attached to the system?

record_mic

#5 To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to break down the events of the pentest after the fact.

timestomp

#6 Mimikatz allows us to create what’s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this? Golden ticket attacks are a function within Mimikatz which abuses a component of Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.

golden_ticket_create