Blaster from the TryHackMe series, which seems pretty easy...

Blaster


*Mission Start!

So, start the attack machine and the target machine.

This room is said to use a few other tools along the way.


*Activate Forward Scanners and Launch Proton Torpedoes

First, scan the target with nmap:

nmap -T5 -A -p- 10.10.202.202 --script vuln

[screenshot: image-20200714111913183.png]

We can see that port 80 is open, so let's try visiting it in a browser:

[screenshot: image-20200714112055392.png]

It is an IIS server.

Run a directory scan with the dirb tool:

[screenshot: image-20200714112500619.png]

Try visiting /retro:

[screenshot: image-20200714112609281.png]

This looks like a blog, and the username is obviously wade.

Then, in one of the blog comments, we find a string that looks like a password:

[screenshot: image-20200714112851625.png]

Combined with port 3389, which the nmap scan also found, try logging in remotely with remmina:

[screenshot: image-20200714113353937.png]

We get the flag.

Question answers:

问题答案:

#1 How many ports are open on our target system?

2

#2 Looks like there's a web server running, what is the title of the page we discover when browsing to it?

IIS Windows Server

#3 Interesting, let's see if there's anything else on this web server by fuzzing it. What hidden directory do we discover?

/retro

#4 Navigate to our discovered hidden directory, what potential username do we discover?

wade

#5 Crawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover?

parzival

#6 Log into the machine via Microsoft Remote Desktop (MSRDP) and read user.txt. What are its contents?

THM{HACK_PLAYER_ONE}

*Breaching the Control Room

Combining the hhupd.exe file seen on the desktop over RDP with CVE-2019-1388 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1388), we can escalate to high privileges.

First, open this file as administrator:

[screenshot: image-20200714113941934.png]

We get this dialog:

[screenshot: image-20200714114002200.png]

Click Show more details:

[screenshot: image-20200714114023419.png]

Then click Show information about the publisher's certificate:

[screenshot: image-20200714114047903.png]

Click VeriSign Commercial Software Publishers CA. This opens a web page; close everything except that web page:

[screenshot: image-20200714114157217.png]

Browser → Settings → File → Save as:

[screenshot: image-20200714114235677.png]

The following appears:

[screenshot: image-20200714114252527.png]

Then enter C:\windows\system32\*.* in the File name field:

[screenshot: image-20200714114447586.png]

Press Enter and find cmd:

[screenshot: image-20200714114515149.png]

Right-click it and click open:

[screenshot: image-20200714114535423.png]

We now have system privileges:

[screenshot: image-20200714114554927.png]

The flag is on the administrator user's desktop:

[screenshot: image-20200714114652998.png]
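From the defender's side, the chain above leaves a distinctive process tree: the UAC consent dialog launches a browser as SYSTEM, and a shell is then spawned from that browser. The following is an added example (not part of this write-up) that flags that chain over constructed Sysmon-style process-creation records; the field names pid, ppid, image and user and the host name in the sample are assumptions.

```python
# Added example: detect the CVE-2019-1388 style elevation chain
# consent.exe -> browser (as SYSTEM) -> cmd.exe / powershell.exe (as SYSTEM).
# Event records are constructed for this example, not real logs.

SYSTEM = "NT AUTHORITY\\SYSTEM"
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_uac_bypass_chains(events):
    """Return (browser_pid, shell_pid, via_consent) for every SYSTEM shell
    whose parent is a browser also running as SYSTEM. via_consent is True
    when that browser was itself started by consent.exe, which is the
    exact tree produced by the certificate-dialog trick."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in SHELLS or e["user"].upper() != SYSTEM:
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) not in BROWSERS:
            continue
        if parent["user"].upper() != SYSTEM:
            continue  # a browser run by an ordinary user is normal
        grandparent = by_pid.get(parent["ppid"])
        via_consent = bool(grandparent) and basename(grandparent["image"]) == "consent.exe"
        hits.append((parent["pid"], e["pid"], via_consent))
    return hits


# Constructed sample: one malicious chain and one benign user session.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\System32\\consent.exe", "user": SYSTEM},
    {"pid": 300, "ppid": 100, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "user": SYSTEM},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\cmd.exe", "user": SYSTEM},
    {"pid": 500, "ppid": 200, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "user": "LABHOST\\wade"},
    {"pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\cmd.exe", "user": "LABHOST\\wade"},
]

if __name__ == "__main__":
    for browser_pid, shell_pid, via_consent in find_uac_bypass_chains(SAMPLE_EVENTS):
        print(f"SYSTEM shell {shell_pid} spawned by SYSTEM browser {browser_pid}, via consent.exe: {via_consent}")
```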

Question answers:

#1 When enumerating a machine, it's often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it?

CVE-2019-1388

#2 Looks like an executable file is necessary for exploitation of this vulnerability and the user didn't really clean up very well after testing it. What is the name of this executable?

hhupd

#4 Now that we've spawned a terminal, let's go ahead and run the command 'whoami'. What is the output of running this?

nt authority\system

#5 Now that we've confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator's desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four!

THM{COIN_OPERATED_EXPLOITATION}

*Adoption into the Collective

We can use metasploit to go one step further. First, choose a suitable shell delivery module:

[screenshot: image-20200714115727232.png]

Configure it a little:

[screenshot: image-20200714115830156.png]

The resulting configuration:

[screenshot: image-20200714115919336.png]

Finally, set the payload, changing it to the http type:

[screenshot: image-20200714120237038.png]

Then, run -j.

[screenshot: image-20200714122045970.png]

After entering the generated payload in the cmd that has system privileges, a session is returned:

[screenshot: image-20200714122207527.png]

We have a shell:

[screenshot: image-20200714122237974.png]

To keep this shell persistent, we can use persistence:

[screenshot: image-20200714122614155.png]

Question answers:

#2 First, let's set the target to PSH (PowerShell). Which target number is PSH?

2

#6 Last but certainly not least, let's look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots? Don't include anything beyond the base command and the option for boot startup.

run persistence -X