HTB-Re Full Penetration Walkthrough
Source: 岁月联盟
Date: 2020-03-16
Copy-Item -Destination {$_.fullname -replace ".ods", ".zip"}
Get-ChildItem $process_dir -Filter *.zip | ForEach-Object {
    # unzip archive to get access to content
    $unzipdir = Join-Path $_.directory $_.Basename
    New-Item -Force -ItemType directory -Path $unzipdir | Out-Null
    Expand-Archive $_.fullname -Force -ErrorAction SilentlyContinue -DestinationPath $unzipdir
    # yara to look for known malware
    $yara_out = & $yara -r $rule $unzipdir
    $ods_name = $_.fullname -replace ".zip", ".ods"
    if ($yara_out.length -gt 0) {
        Remove-Item $ods_name
    }
}
# if any ods files left, make sure they launch, and then archive:
$files = ls $process_dir\*.ods
if ( $files.length -gt 0) {
    # launch ods files
    Invoke-Item "C:\Users\luke\Documents\malware_process\*.ods"
    Start-Sleep -s 5
    # kill open office, sleep
    Stop-Process -Name soffice*
    Start-Sleep -s 5
    #& 'C:\Program Files (x86)\WinRAR\Rar.exe' a -ep $process_dir\temp.rar $process_dir\*.ods 2>&1 | Out-Null
    Compress-Archive -Path "$process_dir\*.ods" -DestinationPath "$process_dir\temp.zip"
    $hash = (Get-FileHash -Algorithm MD5 $process_dir\temp.zip).hash
    # Upstream processing may expect rars. Rename to .rar
    Move-Item -Force -Path $process_dir\temp.zip -Destination $files_to_analyze\$hash.rar
}
Remove-Item -Recurse -force -Path $process_dir\*
Start-Sleep -s 5
}
Note the last part of the script: any .ods files that survive the YARA check are launched, then packed with Compress-Archive, and the archive is named after its MD5 hash and given a .rar extension. The original WinRAR invocation is commented out, so the file that lands in $files_to_analyze is really a zip with a .rar name; the comment says that "upstream processing may expect rars", so something else on the box presumably consumes these archives. Seeing .rar immediately brings to mind last year's WinRAR path traversal vulnerability in its ACE extraction code (CVE-2018-20250); see this article for details:
https://research.checkpoint.com/2019/extracting-code-execution-from-winrar/
Checking Program Files, WinRAR is not installed on the target, but PeaZip is. I was not familiar with this software; a quick search turned up a command injection vulnerability in it: https://www.rapid7.com/db/modules/exploit/multi/fileformat/peazip_command_injection
However, the installed version is outside the affected range:
VersionInfo : File:             C:\Program Files\PeaZip\peazip.exe
              InternalName:     PeaZip
              OriginalFilename: PeaZip
              FileVersion:      6.7.0
              FileDescription:  PeaZip, file and archive manager
              Product:          PeaZip
              ProductVersion:   6.7.0
              Debug:            False
              Patched:          False
              PreRelease:       False
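The following PowerShell is an added example for this walkthrough; it is not the box's processing script and not the author's code. It reproduces the packaging step from the script above on a scratch copy and sniffs the result by magic bytes, which shows that the "$hash.rar" file is really a zip and that any upstream consumer which dispatches on extension rather than content would be handing a zip to a RAR/ACE unpacker. It then applies the same VersionInfo check used above to the two archivers discussed (PeaZip and WinRAR) against the affected ranges taken from the two linked advisories. The scratch paths under $env:TEMP, the placeholder .ods content, the WinRAR install paths and the version bounds (PeaZip <= 2.6.1, WinRAR < 5.70) are assumptions made for this example, not facts read from the target.

```powershell
# Added example for this writeup; not part of the box's processing script.
# Assumptions (not read from the target): the scratch paths under $env:TEMP,
# the placeholder .ods content, the WinRAR install paths, and the affected-
# version bounds, which come from the two advisories linked above
# (PeaZip <= 2.6.1 for the command injection module, WinRAR < 5.70 for CVE-2018-20250).

function Get-ArchiveKind {
    # Identify an archive by its leading bytes instead of trusting the extension.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 4 -and $b[0] -eq 0x50 -and $b[1] -eq 0x4B -and $b[2] -eq 0x03 -and $b[3] -eq 0x04) {
        return 'zip'                                  # "PK\x03\x04" local file header
    }
    if ($b.Length -ge 7 -and [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -eq 'Rar!' -and
        $b[4] -eq 0x1A -and $b[5] -eq 0x07) {
        return 'rar'                                  # "Rar!\x1A\x07" (RAR4 and RAR5 share this prefix)
    }
    if ($b.Length -ge 14 -and [System.Text.Encoding]::ASCII.GetString($b, 7, 7) -eq '**ACE**') {
        return 'ace'                                  # ACE main header carries "**ACE**" at offset 7
    }
    return 'unknown'
}

function Invoke-PackagingStep {
    # Mirrors the tail of the box's script: zip the surviving .ods files with
    # Compress-Archive, name the result by its MD5, and give it a .rar extension.
    param([Parameter(Mandatory)][string]$ProcessDir,
          [Parameter(Mandatory)][string]$OutDir)
    $ods = Get-ChildItem -Path $ProcessDir -Filter *.ods -ErrorAction SilentlyContinue
    if (-not $ods) { return $null }
    $tmp = Join-Path $ProcessDir 'temp.zip'
    Compress-Archive -Path (Join-Path $ProcessDir '*.ods') -DestinationPath $tmp -Force
    $hash = (Get-FileHash -Algorithm MD5 -Path $tmp).Hash
    $dest = Join-Path $OutDir "$hash.rar"
    Move-Item -Force -Path $tmp -Destination $dest
    return $dest
}

function Test-ArchiverVersion {
    # Read the same VersionInfo used above and compare the parsed FileVersion
    # against a caller-supplied "is affected" predicate.
    param([Parameter(Mandatory)][string]$ExePath,
          [Parameter(Mandatory)][scriptblock]$IsAffected,
          [Parameter(Mandatory)][string]$Advisory)
    if (-not (Test-Path -LiteralPath $ExePath)) {
        return [pscustomobject]@{ Exe = $ExePath; Installed = $false; Version = $null; Affected = $false; Advisory = $Advisory }
    }
    $raw = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    # FileVersion is free text; keep only the leading dotted-numeric part before casting to [version].
    $ver = if ($raw -match '^\s*(\d+(?:\.\d+){1,3})') { [version]$Matches[1] } else { $null }
    $hit = ($null -ne $ver) -and (& $IsAffected $ver)
    return [pscustomobject]@{ Exe = $ExePath; Installed = $true; Version = $ver; Affected = [bool]$hit; Advisory = $Advisory }
}

# --- run the packaging step on a scratch copy and sniff the result ---
$scratch    = Join-Path $env:TEMP 'htb_re_demo'
$processDir = Join-Path $scratch 'malware_process'
$outDir     = Join-Path $scratch 'ods'
New-Item -ItemType Directory -Force -Path $processDir, $outDir | Out-Null
# constructed placeholder: not a real ODS document, just a file to archive
Set-Content -Path (Join-Path $processDir 'sample.ods') -Value 'constructed placeholder'
$rar = Invoke-PackagingStep -ProcessDir $processDir -OutDir $outDir
'{0} is actually a {1} archive' -f (Split-Path -Leaf $rar), (Get-ArchiveKind -Path $rar)

# --- apply the version check to the two archivers discussed above ---
$checks = @(
    @{ ExePath    = 'C:\Program Files\PeaZip\peazip.exe'
       IsAffected = { param([version]$v) $v -le [version]'2.6.1' }
       Advisory   = 'peazip_command_injection (Rapid7 module)' },
    @{ ExePath    = 'C:\Program Files\WinRAR\WinRAR.exe'
       IsAffected = { param([version]$v) $v -lt [version]'5.70' }
       Advisory   = 'CVE-2018-20250' },
    @{ ExePath    = 'C:\Program Files (x86)\WinRAR\WinRAR.exe'
       IsAffected = { param([version]$v) $v -lt [version]'5.70' }
       Advisory   = 'CVE-2018-20250' }
)
$checks | ForEach-Object { $p = $_; Test-ArchiverVersion @p } | Format-Table -AutoSize
Remove-Item -Recurse -Force -Path $scratch
```

On the target, the PeaZip row reports version 6.7.0 and Affected = False, matching the VersionInfo output above; the WinRAR rows report Installed = False, matching the Program Files listing. The magic-byte check is the part worth keeping: when a script renames archives to satisfy an "upstream" consumer, the consumer's real behaviour depends on how it opens the file, not on the extension the script gave it.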