This competition was a pity. But luckily, on the way back to school after it, I met a few experts, so it was still worth it; let's treat it as experience gained.
Main text:
The enterprise competition was also web challenges, but unlike the online round, they were all CVE vulnerabilities: more exciting, more realistic, and also the most honest.
This competition allowed Internet access, so this was a test of experience.
In the enterprise competition the note only gave an IP, no port. After logging in, it was an upload interface (I can't include screenshots here, because offline everything was local).
The page said: please upload your working documents, staff will check them. Below that was the upload box, with a note that only txt and doc files can be uploaded.
At first I thought it was an upload vulnerability, so I tried uploading something; the doc file was uploaded successfully and it returned a /upload path.
A teammate opened the upload directory and found some doc files in it, including some currently open doc files (prefixed with ~), so we tried downloading the doc files.
But when one was opened, the antivirus software reported a virus, flagging the CVE-2017-11882 vulnerability.
Then I searched the Internet for this vulnerability, looked for PoCs, read a lot of blogs, tried a lot and failed a lot, until I understood how to trigger it.
At that time the metasploit on my Kali wasn't updated and had no exploit for CVE-2017-11882, so I went to GitHub and found a blog to download from
and tried giving it a shot.
I followed the idea again and got no response. At first I thought the configuration was wrong, so I reconfigured it, but after trying for a whole afternoon it still didn't work, and that was it. Questioning life...
After the competition I asked an expert how he did it. He also did CVE-2017-11882, but he pulled it off in one go and took 4 flags.
While chatting, he said he had asked the staff, and this bot automatically opens the submitted doc files, which further confirms that the vulnerability is CVE-2017-11882.
He also said he had asked the staff to reset the bot, and then I thought: I kept failing to get the doc to work from Kali, maybe it had something to do with the bot having hung (this is a guess).
That's the preamble; now let's reproduce it locally once.
Attacker: Kali, IP: 192.168.1.133
Target machine: Win7 x64, IP: 192.168.1.138
Office version: 2010
Screenshot of the target machine:
Screenshot of the attacker machine:
To exploit this vulnerability: first configure it on Kali, then use the PoC to generate a doc with malicious code, send the doc to the target machine, open it on the target to trigger the vulnerability, and Kali obtains a meterpreter session.
Kali setup; I use the GitHub download here.
Download the required files (here I'm restoring the situation when I did the challenge; in fact metasploit's own rb will be better).
The rb I downloaded at the beginning is here: https://github.com/starnightcyber/CVE-2017-11882
The python file that generates the doc is here: https://github.com/Ridter/CVE-2017-11882/ There are two python files there; I use the 43b one.
Put the rb file under the modules directory in metasploit.
Then start msfconsole
Use the module
set payload
show options
Only URIPATH and LHOST need to be set here.
set uripath
This path must be the same as the one we use when generating the doc; see the doc generation steps below for details.
set lhost
show options again
run
The above shows it is in the listening state; don't close this terminal. Then open a new terminal to generate the doc file.
Use the python file you just downloaded; I use the 43b one.
As you can see from the figure above, the IP address here is that of our attacker machine, the port is the SRVPORT from before, and test is the URIPATH.
Note that we don't need the target machine's IP.
Then copy the generated doc file to the Win7 machine and open it (I just copied it over directly here, which is equivalent to the automatic opening in the competition).
Open it, then go back and check Kali.
You can see the reverse connection has come back.
Type sessions -i 1
to enter the meterpreter.
At this point we have a shell; what follows is privilege escalation, enabling remote connections and so on.
And that's it.
It is recommended to use the official metasploit rb file, which is more convenient.
link (use wget, or copy it):
https://raw.githubusercontent.com/realoriginal/metasploit-framework/39a4d193a17c6f85846a58a429c0914f542bded2/modules/exploits/windows/fileformat/office_ms17_11882.rb
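The competition setup above (an upload box plus a bot that opens every submitted doc) is exactly where a defender would want a cheap pre-screen before anything is opened. The following Python check is an added example, not code from the original post or from either GitHub project: it flags submitted files that embed an Equation Editor (Equation.3) OLE object, the component CVE-2017-11882 lives in. A ".doc" upload may be RTF text or a binary OLE file, so both encodings are checked; the CLSID is the registered one for Equation.3, and all sample inputs are constructed.

```python
import re

# CLSID of the Equation Editor class Equation.3,
# {0002CE02-0000-0000-C000-000000000046}, in on-disk byte order
# (first three GUID fields little-endian, last eight bytes as written).
EQUATION3_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# Inside RTF, embedded OLE data (\objdata) is ASCII hex that may be wrapped
# across lines, so the CLSID is also matched as hex pairs with optional gaps.
_CLSID_HEX_RE = re.compile(rb"\s*".join(b"%02x" % b for b in EQUATION3_CLSID), re.I)
_OBJCLASS_RE = re.compile(rb"\\objclass\s*Equation\.3\b", re.I)
_OBJUPDATE_RE = re.compile(rb"\\objupdate\b", re.I)


def find_equation_indicators(data: bytes) -> list:
    """Names of Equation Editor indicators found in a submitted file."""
    found = []
    if _OBJCLASS_RE.search(data):
        found.append("rtf_objclass_equation3")      # RTF names the class outright
    if _CLSID_HEX_RE.search(data):
        found.append("rtf_objdata_equation3_clsid")  # CLSID inside hex objdata
    if EQUATION3_CLSID in data:
        found.append("ole_equation3_clsid")          # CLSID in a binary OLE .doc
    # \objupdate on its own is harmless; next to an Equation object it means
    # the object is loaded as soon as the file is opened, with no click needed.
    if found and _OBJUPDATE_RE.search(data):
        found.append("rtf_objupdate")
    return found


def should_quarantine(data: bytes) -> bool:
    """Hold the upload for manual review if it embeds Equation.3 at all."""
    return any(name != "rtf_objupdate" for name in find_equation_indicators(data))


# Constructed samples (not real captures): a minimal RTF shaped like an
# embedded-object document, a minimal OLE header followed by the CLSID,
# and a benign file.
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300\r\n"
              b"02ce020000000000c000000000000046}}}")
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + EQUATION3_CLSID
SAMPLE_TXT = b"{\\rtf1 weekly work report, nothing embedded}"

if __name__ == "__main__":
    for label, blob in (("rtf", SAMPLE_RTF), ("ole", SAMPLE_OLE), ("txt", SAMPLE_TXT)):
        print(label, should_quarantine(blob), find_equation_indicators(blob))
```

A hit here only says the file carries an Equation Editor object, which legitimate old documents can too; in an upload pipeline like the one in the competition it is enough to stop the auto-open and route the file to a reviewer.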