Devel, the third machine in Retired Machines
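0x00 Target machine overview
Judging from the machine's profile, the difficulty is beginner level: most ratings are 1, 2, or 3 points. The operating system is Windows.
0x01 Port scanning
See which services the target exposes: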
root@kali:~# nmap -T5 -A -v 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 01:51 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating Ping Scan at 01:51
Scanning 10.10.10.5 [4 ports]
Completed Ping Scan at 01:51, 0.41s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:51
Completed Parallel DNS resolution of 1 host. at 01:51, 0.10s elapsed
Initiating SYN Stealth Scan at 01:51
Scanning 10.10.10.5 [1000 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 21/tcp on 10.10.10.5
Increasing send delay for 10.10.10.5 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
SYN Stealth Scan Timing: About 19.77% done; ETC: 01:53 (0:02:06 remaining)
SYN Stealth Scan Timing: About 25.13% done; ETC: 01:55 (0:03:02 remaining)
SYN Stealth Scan Timing: About 30.50% done; ETC: 01:56 (0:03:27 remaining)
SYN Stealth Scan Timing: About 39.93% done; ETC: 01:57 (0:03:43 remaining)
Stats: 0:04:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 54.30% done; ETC: 01:59 (0:03:51 remaining)
SYN Stealth Scan Timing: About 60.33% done; ETC: 01:59 (0:03:22 remaining)
SYN Stealth Scan Timing: About 66.27% done; ETC: 01:59 (0:02:52 remaining)
SYN Stealth Scan Timing: About 72.27% done; ETC: 01:59 (0:02:21 remaining)
SYN Stealth Scan Timing: About 77.63% done; ETC: 01:59 (0:01:55 remaining)
SYN Stealth Scan Timing: About 83.00% done; ETC: 01:59 (0:01:28 remaining)
SYN Stealth Scan Timing: About 88.67% done; ETC: 01:59 (0:00:59 remaining)
Completed SYN Stealth Scan at 02:00, 518.03s elapsed (1000 total ports)
Initiating Service scan at 02:00
Scanning 2 services on 10.10.10.5
Completed Service scan at 02:00, 6.94s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.5
Retrying OS detection (try #2) against 10.10.10.5
Initiating Traceroute at 02:00
Completed Traceroute at 02:00, 1.52s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 02:00
Completed Parallel DNS resolution of 2 hosts. at 02:00, 0.86s elapsed
NSE: Script scanning 10.10.10.5.
Initiating NSE at 02:00
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 02:00, 12.19s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 1.91s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Nmap scan report for 10.10.10.5
Host is up (0.38s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.028 days (since Sat Feb 1 01:19:50 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 493.99 ms 10.10.14.1
2 494.71 ms 10.10.10.5
NSE: Script Post-scanning.
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 559.20 seconds
Raw packets sent: 3366 (153.268KB) | Rcvd: 281 (14.268KB)
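The useful part of the scan above is the service table and its NSE script output. The following is an added example, not part of the original write-up: a small parser that turns that section into structured data and flags the two items an administrator would review first (anonymous FTP login and the HTTP methods nmap marks as risky). The function names and finding labels are assumptions chosen for illustration.

```python
import re

# Constructed sample: the service table from the scan above, copied verbatim.
SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]?\s*([a-z0-9-]+):\s*(.*)$")  # NSE script header line

def parse_services(text):
    """Map each open port to its service name, version and NSE script output."""
    services, port, script = {}, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, script = int(m.group(1)), None
            services[port] = {"service": m.group(2), "version": m.group(3), "scripts": {}}
        elif port is not None and line.startswith("|"):
            if m := SCRIPT_RE.match(line):
                script = m.group(1)
                services[port]["scripts"][script] = [m.group(2)] if m.group(2) else []
            elif script:  # continuation line of the current script's output
                services[port]["scripts"][script].append(line.lstrip("|_ ").strip())
    return services

def findings(services):
    """Return (port, finding, detail) tuples worth a hardening review."""
    out = []
    for port, svc in sorted(services.items()):
        anon = svc["scripts"].get("ftp-anon", [])
        if anon and "login allowed" in anon[0]:
            files = [l.split()[-1] for l in anon[1:] if l]
            out.append((port, "anonymous-ftp", files))
        for l in svc["scripts"].get("http-methods", []):
            if l.startswith("Potentially risky methods:"):
                out.append((port, "risky-http-methods", l.split(":", 1)[1].split()))
    return out
```

Calling findings(parse_services(SAMPLE)) reports anonymous FTP on port 21, with the three listed entries, and TRACE on port 80.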