Prerequisites
msfvenom is used; skip that part if you would rather not read it
Information gathering, and spotting details about a service in particular, must not lean too heavily on tools: nmap could not identify the service on 8500, opening the port in a browser did
MS10-059, smbserver, jsp reverse shell
Information gathering and getting a foothold
Not sure why, but the HTB machine network has been unstable lately.
First a quick nmap scan for open ports. The -Pn option skips host discovery (no ping probes) and treats the target as up, which matters here because the host drops ICMP and nmap would otherwise report it as down. It does not bypass the firewall; it only stops nmap from giving up before the port scan, at the cost of a slower scan.
nmap -Pn 10.10.10.11
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-08 12:08 CST
Nmap scan report for 10.10.10.11
Host is up (0.29s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 20.83 seconds
Then a full-port scan with version detection and default scripts. There is nothing else to go on yet, so nmap's detailed output is all there is to read.
nmap -sC -sV -Pn -p- 10.10.10.11
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
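The -sV output marks 8500/tcp as fmtp? (the trailing ? means nmap fell back to the name from its port table because the banner matched no known service), and that unconfirmed entry is exactly the cue to probe the port by hand rather than trust the label. The script below is an added example and not part of the original writeup: it parses the nmap lines shown above (embedded as a constructed sample), lists the open ports whose service nmap could not confirm, and fingerprints a raw HTTP response the way a manual curl or netcat check would. The HTTP response is also constructed; its Server value matches what whatweb reports further down, the other headers are hypothetical.

```python
import re

# Constructed sample: the port lines of the nmap -sC -sV -p- output above
# (not a live scan).
NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
"""

# Constructed sample of a raw HTTP probe of 10.10.10.11:8500. The Server
# header matches the whatweb result on this page; the other headers are
# hypothetical.
HTTP_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: JRun Web Server\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Index of /</title></head><body></body></html>"
)

# port/proto  state  service  [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return (port, state, service, version) tuples from nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, _proto, state, service, version = m.groups()
            rows.append((int(port), state, service, version or ""))
    return rows


def needs_manual_probe(rows):
    """Open ports whose service nmap could not confirm.

    A trailing '?' means the name came from nmap's port table, not from a
    matched banner; 'unknown' means nmap had no name at all. Both deserve
    a manual banner grab or a visit in the browser.
    """
    return [
        port for port, state, service, _ in rows
        if state == "open" and (service.endswith("?") or service == "unknown")
    ]


def http_fingerprint(raw):
    """Pull the status line, Server header and <title> out of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for header in lines[1:]:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return {
        "status": lines[0],
        "server": headers.get("server", ""),
        "title": title.group(1).strip() if title else "",
    }


if __name__ == "__main__":
    rows = parse_nmap(NMAP_OUTPUT)
    for port in needs_manual_probe(rows):
        print(f"port {port}: service unconfirmed by nmap, probe it by hand")
    print(http_fingerprint(HTTP_RESPONSE))
```

Against the sample the only flagged port is 8500, and the fingerprint returns the JRun Web Server banner and the "Index of /" title, the same two facts whatweb surfaces below; the point is that a two-line manual probe gets there without waiting on a service-detection database to have a matching signature.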
All that was left was to open these ports in a browser and see whether either one serves a web application: http://10.10.10.11:8500/ http://10.10.10.11:49154/
http://10.10.10.11:8500/ does serve a web application.
Next, check whether it is a known CMS or a component with known vulnerabilities.
whatweb -vv http://10.10.10.11:8500/
http://10.10.10.11:8500/ [200]
Identifying: http://10.10.10.11:8500/
HTTP-Status: 200
[["IP", [{:string=>"10.10.10.11", :certainty=>100}]],
["Title", [{:name=>"page title", :string=>"Index of /", :certainty=>100}]],
["Country", [{:string=>"RESERVED", :module=>"ZZ", :certainty=>100}]],
["Index-Of",
[{:text=>"<title>Index of /",
:regexp_compiled=>/<title>Index\ of\ \//,
:certainty=>100}]],
["HTTPServer",
[{:name=>"server string", :string=>"JRun Web Server", :certainty=>100}]]]
WhatWeb report for http://10.10.10.11:8500/
Status : 200 OK
Title : Index of /
IP : 10.10.10.11
Country : RESERVED, ZZ
Summary : Index-Of, HTTPServer[JRun Web Server]
Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugi